TLS configuration questions

2012-11-06 Thread Ori Bani
Using:

smtpd_tls_security_level = may

(so only want opportunistic encryption, no cert validation, etc) the
TLS_README suggests that it's best to just leave blank

smtpd_tls_cert_file
smtpd_tls_key_file
smtp_tls_CAfile/path

Question: so then does Postfix use some kind of internally generated
self-signed cert?  If that's true, I'm a little confused why the
TLS_README's quick and dirty section advises to create a cert and
configure it in Postfix.

Is opportunistic encryption really just a matter of turning the
security_level to "may" and that's it?

PS - In this scenario, does it help to use
smtpd_tls_session_cache_database or not?


Re: Removing Amavis as a filter

2012-11-06 Thread weber


As next your users cry for iPads. Then you remove their Windows
workstations?

OK, I would have a look at "WHY" Amavis rejects these PDFs. If there are
bad macros in it, you should be lucky that these PDFs don't get opened by
your users.

I guess Amavis uses ClamAV in your setup, right?
Most PDFs or Office documents here got rejected because "OLE2" scan was
enabled in ClamAV.
That's okay. Users can ask the sender why he uses macros in the
document, and if he is trustful they can open it (not if he says he
doesn't put macros in it).

Next, why did you set up Amavis to reject these documents?
A better way would be to "quarantine" them and to get a mail with a
warning, if you are the admin.

If all things are okay, you can "release" the mail to the user.

I can't recommend removing Amavis only while users are yelling.

BTW, yelling users here get a load of pepper spray. They can talk in a
normal way to the admin.

It's not an Occupy party.

marko

from sunny hamburg





On 2012-11-05 18:38, The Doctor wrote:

All right.

Amavis is beginning to annoy me as a plugin:

Big reason many a legit PDF is getting rejected and customers are yelling
loud in stereo!!

What must I do to remove Amavis from the postfix sequence without disrupting
Postfix itself?

--
Member - Liberal International  This is doc...@nl2k.ab.ca Ici
doc...@nl2k.ab.ca
God,Queen and country!Never Satan President Republic!Beware
AntiChrist rising!
http://www.fullyfollow.me/rootnl2k
USA petition to dissolve the Republic and vote to dissolve it in
November 2012





Re: Can we send mails from a single IP in multiple instances.

2012-11-06 Thread Naval saini
Hello Wietse,
This is working fine. Now I have to do one more thing, which is "I used to
send mails from a PHP application. When I send mails from the PHP application
to the server using SASL authentication, I use multiple or different-2 From
addresses in the PHP application for a single SASL user. Now by using sender
dependent relaying I am not able to relay through a specific host. Means I
can use anything in the From address or for *unknown sender* but known *sasl
user* can we relaying through specific server. "
Thanks

On Sat, Nov 3, 2012 at 5:51 PM, Wietse Venema wrote:

> Naval saini:
> > No, I don't require this one, I am already using smtp bind address. I need
> > to explain my scenario again.
> > I have a main postfix for mail submission to outbound instances and 4
> > postfix-outbound mail instances which deliver mails on public domain. Now I
> > have created 3 sasl users for the main postfix instance, which accepts mails
> > from a php application, and the work of the main postfix instance is to relay
> > mails from 4 outbound instances. Now I want that when the 3 sasl users of the
> > main postfix instance submit mail to the main postfix instance, then each
> > user must send all mails from only a single instance every time, or in other
> > words one sasl user should send all outbound mails from a single outbound
> > instance.
> > thanks
>
> http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps
>
> Wietse
>


Re: Can we send mails from a single IP in multiple instances.

2012-11-06 Thread Wietse Venema
Wietse:
> > http://www.postfix.org/postconf.5.html#sender_dependent_relayhost_maps

Naval saini:
> Hello Wietse,
> This is working fine. Now I have to do one more thing, which is "I used to
> send mails from a PHP application. When I send mails from the PHP application
> to the server using SASL authentication, I use multiple or different-2 From
> addresses in the PHP application for a single SASL user. Now by using sender
> dependent relaying I am not able to relay through a specific host. Means I
> can use anything in the From address or for *unknown sender* but known *sasl
> user* can we relaying through specific server. "

Postfix has no sasl-dependent routing. If you allow your customers
to choose any sender address without any limitation, then I don't
think that I should be helping you.

Wietse


Re: TLS configuration questions

2012-11-06 Thread Viktor Dukhovni
On Tue, Nov 06, 2012 at 01:06:22AM -0800, Ori Bani wrote:

> smtpd_tls_security_level = may
> 
> (so only want opportunistic encryption, no cert validation, etc) the
> TLS_README suggests that it's best to just leave blank
> 
> smtpd_tls_cert_file
> smtpd_tls_key_file

Can you cite the specific text? I don't recall making that advice?
To run without a certificate (only for dedicated MTAs not facing
the public 'Net) you need to explicitly set "smtpd_tls_cert_file
= none".

> smtp_tls_CAfile

As for this, you typically don't need it and can leave it blank.

> Question: so then does Postfix use some kind of internally generated
> self-signed cert?

No, with "smtpd_tls_cert_file = none" it will only offer anonymous
ciphers.

>  If that's true, I'm a little confused why the
> TLS_README's quick and dirty section advises to create a cert and
> configure it in Postfix.

Many TLS clients (sadly) don't support anonymous ciphers even though
they do opportunistic TLS and will happily send unencrypted or
without to a self-signed (pointless) cert.

> 
> Is opportunistic encryption really just a matter of turning the
> security_level to "may" and that's it?
> 
> PS - In this scenario, does it help to use
> smtpd_tls_session_cache_database or not?

Session caching is useful with or without authentication. Resumed
sessions avoid CPU-intensive public-key and Diffie-Hellman computations.

-- 
Viktor.


Re: TLS configuration questions

2012-11-06 Thread Ori Bani
On Tue, Nov 6, 2012 at 8:37 AM, Viktor Dukhovni wrote:
> On Tue, Nov 06, 2012 at 01:06:22AM -0800, Ori Bani wrote:
>
>> smtpd_tls_security_level = may
>>
>> (so only want opportunistic encryption, no cert validation, etc) the
>> TLS_README suggests that it's best to just leave blank
>>
>> smtpd_tls_cert_file
>> smtpd_tls_key_file
>
> Can you cite the specific text? I don't recall making that advice?
> To run without a certificate (only for dedicated MTAs not facing
> the public 'Net) you need to explicitly set "smtpd_tls_cert_file
> = none".

This section:

> Client-side certificate and private key configuration
>
> Do not configure Postfix SMTP client certificates unless you must present
> client TLS certificates to one or more servers. Client certificates are not
> usually needed, and can cause problems in configurations that work well
> without them. The recommended setting is to let the defaults stand:

This text also repeats in postconf(5)

Based on your reply, I must be misunderstanding the context (or the
meaning of "must" here).  Thanks for your help.


Re: TLS configuration questions

2012-11-06 Thread Ori Bani
>> smtp_tls_CAfile
>
> As for this, you typically don't need it and can leave it blank.

Same goes for smtp_tls_CApath I presume

Thanks again


Re: TLS configuration questions

2012-11-06 Thread Viktor Dukhovni
On Tue, Nov 06, 2012 at 09:08:02AM -0800, Ori Bani wrote:

> >> (so only want opportunistic encryption, no cert validation, etc) the
> >> TLS_README suggests that it's best to just leave blank
> >>
> >> smtpd_tls_cert_file
> >> smtpd_tls_key_file
> >
> > Can you cite the specific text? I don't recall making that advice?
> > To run without a certificate (only for dedicated MTAs not facing
> > the public 'Net) you need to explicitly set "smtpd_tls_cert_file
> > = none".
> 
> This section:
> 
> > Client-side certificate and private key configuration
> >
> > Do not configure Postfix SMTP client certificates unless you
> > must present client TLS certificates to one or more servers.
> > Client certificates are not usually needed,
> > and can cause problems in configurations that work well without them. The
> > recommended setting is to let the defaults stand:
> 
> This text also repeats in postconf(5)

This text is about CLIENT certificates, that is:

smtp_tls_cert_file
smtp_tls_key_file

You're making a concerted effort to confuse these with SERVER certificates,
that is:

smtpd_tls_cert_file
smtpd_tls_key_file

> Based on your reply, I must be misunderstanding the context (or the
> meaning of "must" here).  Thanks for your help.

No, you're missing the point that client certificates are not
server certificates.

-- 
Viktor.
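
Added example, not part of the thread or of Postfix: a small Python check over main.cf text that keeps the server-side smtpd_tls_cert_file apart from the client-side smtp_tls_cert_file, following the replies above. The finding codes and the sample configurations are constructed for illustration, and only the parameters named in the thread are examined.

```python
# Added example (not from the thread): lint main.cf text for the
# smtp_ (client) vs smtpd_ (server) TLS certificate mix-up.

def parse_main_cf(text):
    """Return {name: value}. Skips comments and blank lines, joins
    continuation lines (leading whitespace); later settings win."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def lint_tls(text):
    """Return finding codes (hypothetical names) for the thread's parameters."""
    p = parse_main_cf(text)
    findings = []
    server_cert = p.get("smtpd_tls_cert_file", "")
    if p.get("smtpd_tls_security_level") in ("may", "encrypt"):
        if server_cert == "":
            # Blank is not "no certificate": the reply says to set "none" explicitly.
            findings.append("server-cert-unset")
        elif server_cert == "none":
            # Anonymous ciphers only; many clients do not support them.
            findings.append("server-anonymous-only")
    if p.get("smtp_tls_cert_file") or p.get("smtp_tls_key_file"):
        # TLS_README: client certificates only if a server requires them.
        findings.append("client-cert-configured")
    return findings

# Constructed sample configurations (not taken from any real host).
ASKER = "smtpd_tls_security_level = may\nsmtp_tls_cert_file = /etc/postfix/client.pem\n"
ANON = "# dedicated internal MTA\nsmtpd_tls_security_level = may\nsmtpd_tls_cert_file = none\n"
OK = "smtpd_tls_security_level = may\nsmtpd_tls_cert_file =\n    /etc/postfix/server.pem\n"

if __name__ == "__main__":
    for name, cfg in (("asker", ASKER), ("anon", ANON), ("ok", OK)):
        print(name, lint_tls(cfg))
```
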


Re: TLS configuration questions

2012-11-06 Thread Ori Bani
> This text is about CLIENT certificates, that is:
>
> smtp_tls_cert_file
> smtp_tls_key_file
>
> You're making a concerted effort

Why do you say something like this?

> to confuse these with SERVER certificates,
> that is:
>
> smtpd_tls_cert_file
> smtpd_tls_key_file
>
>> Based on your reply, I must be misunderstanding the context (or the
>> meaning of "must" here).  Thanks for your help.
>
> No, you're missing the point that client certificates are not
> server certificates.

You're right, I did, sorry for the noise.


Simple mailing list

2012-11-06 Thread Jeremy Bowen
Hi all

I have a virtual alias which currently forwards to a list of email
addresses however this is getting unwieldy. (This is one address
amongst a bunch of other virtual aliases on multiple virtual domains).
virtual_alias_maps = hash:/etc/postfix/virtual
eg.
/etc/postfix/virtual contains:
   mylist@mydomain address1, address2, address3 etc...

I would like to setup a REALLY simple mailing list and don't want to go
down the mailman route. Ideally I would like to supply a simple text
file containing a list of email addresses which I could reference
somehow. This text file could be edited by someone with limited skill,
either on the server, or uploaded by FTP/scp, and used by Postfix.

Is this even possible or am I going about this the wrong way ?
Thanks in advance.

J


Re: Simple mailing list

2012-11-06 Thread Patrick Ben Koetter
* Jeremy Bowen:
> Hi all
> 
> I have a virtual alias which currently forwards to a list of email
> addresses however this is getting unwieldy. (This is one address
> amongst a bunch of other virtual aliases on multiple virtual domains).
> virtual_alias_maps = hash:/etc/postfix/virtual
> eg.
> /etc/postfix/virtual contains:
>    mylist@mydomain address1, address2, address3 etc...
> 
> I would like to setup a REALLY simple mailing list and don't want to go
> down the mailman route. Ideally I would like to supply a simple text
> file containing a list of email addresses which I could reference
> somehow. This text file could be edited by someone with limited skill,
> either on the server, or uploaded by FTP/scp, and used by Postfix.
> 
> Is this even possible or am I going about this the wrong way ?

Use . Use it with caution. ;)

p@rick

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, district court München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich


mail alias

2012-11-06 Thread Ramesh


Hi All,

I would like to know how to block mail to alias from external networks and 
allow from trusted domain. 

Presently we have an alias a...@xyz.com that will redirect to all employees.

allow:     u...@xyz.com to a...@xyz.com
block:     u...@anydomain.com    to a...@xyz.com




Appreciate suggestions.

Thanks and Regards,
Ramesh


Re: mail alias

2012-11-06 Thread Nikolaos Milas

On 7/11/2012 8:07 AM, Ramesh wrote:


to block mail to alias from external n


Hi,

See: http://www.postfix.org/RESTRICTION_CLASS_README.html

Regards,
Nick