Block a domain via smtpd_sender_restrictions ?

2012-12-12 Thread Frank Bonnet

Hello

is it possible to block a whole domain using smtpd_sender_restrictions?

@spammers.com DISCARD



Thank you



Re: virtual_alias_maps map lookup problem

2012-12-12 Thread Muzaffer Tolga Özses


On 12/12/2012 02:01 AM, Wietse Venema wrote:

Muzaffer:

virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf

..

Dec 12 01:11:27 kartagis postfix/trivial-rewrite[24213]: warning: connect
to mysql server 127.0.0.1: Access denied for user 'pfuser'@'127.0.0.1'
(using password: YES)

Fix your mysql server.

Wietse
The problem was fixed. I had to replace 127.0.0.1 with localhost in 
mysql_virtual_* files.


Thanks again,
Muzaffer


Re: Block a domain via smtpd_sender_restrictions ?

2012-12-12 Thread Muzaffer Tolga Özses


On 12/12/2012 11:39 AM, Frank Bonnet wrote:

Hello

is it possible to block a whole domain using smtpd_sender_restrictions?

@spammers.com DISCARD



Thank you


Read http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

Muzaffer,


Re: {?} Re: TNEF

2012-12-12 Thread post...@netorbit.it

On 10/12/2012 16:09, The Doctor wrote:

On Mon, Dec 10, 2012 at 02:59:25PM +, Duane Hill wrote:

On Monday, 10 December, 2012 at 14:49:47 UTC, doc...@doctor.nl2k.ab.ca 
confabulated:


Direct Question:
How can postfix use TNEF without an external agent
such as Amavis or MailScanner?

There's the YTNEF filter, which runs as a content filter and transforms the
"winmail.dat" file into regular attachments.

http://www.viraj.org/ytnef_smtpd/

It's Python code. You may just need to hack it a little bit to handle
weird characters in the referenced attachment file names.
The code creates the final attachment file name (and the temp file name too)
out of the original one, but some characters should be escaped (or, better,
trimmed out) in order to be usable in a UNIX/shell environment.
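To make the escaping point concrete, here is an added sanitizer (example code, not part of ytnef or of this thread) for the attachment file names such a filter derives from winmail.dat: it reduces the name to a safe character set, strips path components and control characters, and double-checks that the final path stays inside the filter's work directory. The work directory path in the test is a placeholder.

```python
import os
import re
import unicodedata

# Anything outside this set is replaced; it covers what a shell, a glob or a naive
# script could misread (spaces, quotes, ';', '|', '$', '`', '~', '*', '?', ...).
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def safe_attachment_name(original, fallback="attachment", max_len=100):
    """Return a file name made only of [A-Za-z0-9._-], never empty, never a path."""
    name = original or ""
    # TNEF names come from Windows clients; keep an ASCII skeleton of accented letters
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode("ascii")
    # both separators count: "..\\..\\x.exe" and "/etc/passwd" reduce to their base name
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # drop NUL and other control characters entirely rather than escaping them
    name = "".join(ch for ch in name if ch.isprintable())
    # everything else a UNIX tool could misinterpret becomes "_"
    name = _UNSAFE.sub("_", name)
    # no "." / ".." / dotfiles, and no leading "-" that a tool would parse as an option
    name = name.lstrip("._-")
    if not name:
        name = fallback
    return name[:max_len]


def path_in_workdir(workdir, name):
    """Belt and braces: resolve the final path and refuse anything outside workdir."""
    root = os.path.realpath(workdir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"attachment name escapes work directory: {name!r}")
    return target
```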
Re: test only. do not read.

2012-12-12 Thread Pau Amma
On Tue, December 11, 2012 8:16 pm, Noel Jones wrote:
> On 12/11/2012 2:02 PM, Gary Baribault wrote:
>> Oh no!! Your curiosity got me to read it too .. countdown has
>> started to armageddon, 10 days and counting!!
>>
> Somehow, Armageddon seems wrong for the Mayan end-of-time.
> https://www.youtube.com/watch?v=KFlaaa8fGoE

Armageddon outta dis thread now.



Re: reject_rbl_client syntax problem: fatal: RBL reply error: missing "]" character

2012-12-12 Thread Stan Hoeppner
On 12/11/2012 2:03 AM, martijn.list wrote:

> I guess in practice hardly anyone will use it in this form, but since I'm
> working on a web GUI on which users can enter some RBL syntax I had to
> check what formats are accepted or not.

Then you need to read the RFC here:
http://tools.ietf.org/html/rfc5782

For starters, only 127/8 is allowed in DNSxL replies.  127.0.0.1 is NOT
allowed.  You may also want to put a help box on the screen with the
Postfix documentation for reject_rbl_client, or a version of it more
digestible to the average person.  I assume this is a control panel for
paying customers, who are usually not the most technical types.

-- 
Stan



Re: reject_rbl_client syntax problem: fatal: RBL reply error: missing "]" character

2012-12-12 Thread martijn.list

On 12/12/2012 01:00 PM, Stan Hoeppner wrote:

On 12/11/2012 2:03 AM, martijn.list wrote:


I guess in practice hardly anyone will use it in this form, but since I'm
working on a web GUI on which users can enter some RBL syntax I had to
check what formats are accepted or not.


Then you need to read the RFC here:
http://tools.ietf.org/html/rfc5782

For starters, only 127/8 is allowed in DNSxL replies.  127.0.0.1 is NOT
allowed.  You may also want to put a help box on the screen with the
Postfix documentation for reject_rbl_client, or a version of it more
digestible to the average person.  I assume this is a control panel for
paying customers, who are usually not the most technical types.




rfc5782 says:

There is no widely used convention for mapping sublist names to bits
or values, beyond the convention that all A values SHOULD be in the
127.0.0.0/8 range to prevent unwanted network traffic if the value is
erroneously used as an IP address.

A SHOULD is not a MUST, and a convention is a convention :)



Anyway, whether or not to use anything other than 127/8 is beside the point.

According to http://www.postfix.org/postconf.5.html#reject_rbl_client

reject_rbl_client rbl_domain=d.d.d.d

is valid syntax. This was what I tested, nothing more, nothing less.
The Postfix main config parser didn't like the first "d" being placed
within square brackets, even though the documentation says this should be
possible; again, whether or not you should do this is beside the (my)
point. Wietse created a patch for this a few days back (12/10/2012).


Using anything other than 127/8 is discouraged and probably never tested
by anyone. However, the implementation was not in line with the
documentation, or vice versa :)


Kind regards,

Martijn Brinkers

--
DJIGZO email encryption


Block ip address on ratelimit

2012-12-12 Thread Ram
Our client's postfix servers are frequently getting attacked using
compromised accounts.
In most cases it seems the spammer simply uses a phished
username/password, sends a whole lot of 419ers until we manually change
the password, but the damage is already done.

Implementing ratelimits is not really helping because ultimately the
mail will go through after the anvil time.
Since the legitimate users are extremely low-volume email users, I can safely
block "anyone" permanently who sends more than 1 mail in 10s with zero FPs.




How can I do this ?


Thanks
Ram


Re: Block ip address on ratelimit

2012-12-12 Thread Dominik George
Hi,

look at postfwd.

Cheers,
Nik



Ram wrote:

>Our client's postfix servers are frequently getting attacked using
>compromised accounts.
>In most cases it seems the spammer simply uses a phished
>username/password, sends a whole lot of 419ers until we manually change
>the password, but the damage is already done.
>
>Implementing ratelimits is not really helping because ultimately the
>mail will go through after the anvil time.
>Since the legitimate users are extremely low-volume email users, I can safely
>block "anyone" permanently who sends more than 1 mail in 10s with zero FPs.
>
>How can I do this ?
>
>Thanks
>Ram



Re: Block ip address on ratelimit

2012-12-12 Thread lconrad





On Wednesday 12/12/2012 at 8:48 am, Ram wrote:
Our client's postfix servers are frequently getting attacked
using compromised accounts.
In most cases it seems the spammer simply uses a phished
username/password, sends a whole lot of 419ers until we manually
change the password, but the damage is already done.

Implementing ratelimits is not really helping because ultimately the
mail will go through after the anvil time.
Since the legitimate users are extremely low-volume email users, I can
safely block "anyone" permanently who sends more than 1 mail in 10s
with zero FPs.

How can I do this ?

I use the postfwd policy service for its sender rate limiting, for both in
and out.

When a sender reaches a limit, postfwd passes a HOLD action back to
postfix, and monit sends an alert email that the hold queue is of size x.

If it's a legit sender, I add them to the postfwd sender whitelist.

If it's a spammer, I change the cracked account's password and delete the
HOLDed spam.  Several times we have found several 100K messages in the
HOLD queue.


postfwd has many other very useful envelope-filtering features.

Len




Re: Block a domain via smtpd_sender_restrictions ?

2012-12-12 Thread Benny Pedersen

Frank Bonnet wrote on 12-12-2012 10:39:

is it possible to block a whole domain using smtpd_sender_restrictions?

@spammers.com DISCARD


remove @

if it's a subdomain, it's .example.org DISCARD

it's just that this helps other spammers use your domain as sender, which
expands the problem


Re: Block a domain via smtpd_sender_restrictions ?

2012-12-12 Thread /dev/rob0
On Wed, Dec 12, 2012 at 10:39:23AM +0100, Frank Bonnet wrote:
> is it possible to block a whole domain using
> smtpd_sender_restrictions?
> 
> @spammers.com DISCARD

First, why/who do you want to block? Almost all spam is sent with 
forged sender addresses, not the actual spammer's address. Blocking 
by sender address runs a risk of blocking a real sender. And to the 
point for you as admin: it does not scale well. Any single spam run 
might consist of thousands of sender addresses and domains.

Second, there is no need to limit this to smtpd_sender_restrictions.
It might be easier to maintain in smtpd_recipient_restrictions.

http://www.postfix.org/SMTPD_ACCESS_README.html

Third, why discard? Why not reject? Discarding mail based on sender 
addresses is reckless. Furthermore it wastes bandwidth and time; just 
DTRT and reject it.

Fourth, please do not use real Internet domains in examples. There 
are example.{com,net,org,...} for that.

Finally, see "EMAIL ADDRESS PATTERNS" in the access(5) manual.

http://www.postfix.org/access.5.html
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Block ip address on ratelimit

2012-12-12 Thread /dev/rob0
On Wed, Dec 12, 2012 at 08:18:34PM +0530, Ram wrote:
> Our client's postfix servers are frequently getting attacked
> using compromised accounts.
> In most cases it seems the spammer simply uses a phished
> username/password, sends a whole lot of 419ers until we manually
> change the password, but the damage is already done.
> 
> Implementing ratelimits is not really helping because ultimately
> the mail will go through after the anvil time.

Rate limits help a great deal if you use the right tool for the job; 
anvil(8) is not the right tool. As others suggested, postfwd is 
capable of this. Another choice is policyd.

> Since the legitimate users are extremely low-volume email users, I
> can safely block "anyone" permanently who sends more than 1
> mail in 10s with zero FPs.
> 
> How can I do this ?

I would check the SASL credentials, and when used in excess of your 
chosen time limit, reject or hold anything from that SASL user until 
manually reviewed. The choice of reject or hold depends on local 
considerations: do you want phone calls from a frustrated real user 
who inadvertently triggered the limit somehow? Do you want forensic 
evidence of the malware?
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
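The check /dev/rob0 describes, as an added example that is not part of the thread and not postfwd's or policyd's code: a minimal Postfix SMTPD policy service that keys a sliding-window message counter on sasl_username, answers HOLD (or REJECT, configurable) once the limit is passed, and keeps that verdict until an operator releases the user. The threshold (more than 1 message in 10 s) comes from Ram's post; the listening port, the main.cf line in the comment and the sample request are assumptions.

```python
import socketserver
import time
from collections import defaultdict, deque

# Thresholds from the post: more than 1 message in 10 seconds trips the limit.
MAX_MESSAGES = 1
WINDOW_SECONDS = 10.0


class SaslRateLimiter:
    """Sliding-window message counter per SASL user with a sticky block list."""

    def __init__(self, max_messages=MAX_MESSAGES, window=WINDOW_SECONDS,
                 action="HOLD", clock=time.monotonic):
        self.max_messages = max_messages
        self.window = window
        self.action = action        # "HOLD" keeps the evidence, "REJECT" tells the client
        self.clock = clock          # injectable so the logic can be tested with a fake clock
        self.events = defaultdict(deque)   # sasl_username -> timestamps of counted messages
        self.blocked = set()               # tripped users; only unblock() clears them

    def decide(self, attrs):
        """Return the access(5) action text for one policy request."""
        user = attrs.get("sasl_username", "")
        if not user:
            return "DUNNO"          # unauthenticated client: leave it to the other restrictions
        verdict = f"{self.action} too many messages from SASL user {user}, pending review"
        if user in self.blocked:
            return verdict
        # smtpd asks once per recipient in RCPT state; to count messages, hook the
        # service into smtpd_data_restrictions and count only DATA-state requests.
        if attrs.get("protocol_state") != "DATA":
            return "DUNNO"
        now = self.clock()
        stamps = self.events[user]
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        stamps.append(now)
        if len(stamps) > self.max_messages:
            self.blocked.add(user)
            return verdict
        return "DUNNO"

    def unblock(self, user):
        """Manual release after the password was changed and the user verified."""
        self.blocked.discard(user)
        self.events.pop(user, None)


def parse_request(raw):
    """One policy request: attribute=value lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


LIMITER = SaslRateLimiter()


class PolicyHandler(socketserver.StreamRequestHandler):
    """Speaks the policy delegation protocol; one connection may carry many requests."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline().decode("utf-8", "replace")
                if not line:
                    return          # Postfix closed the connection
                if line in ("\n", "\r\n"):
                    break
                lines.append(line)
            action = LIMITER.decide(parse_request("".join(lines)))
            self.wfile.write(f"action={action}\n\n".encode("utf-8"))
            self.wfile.flush()


# Constructed sample request, shaped like what smtpd sends in DATA state.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=DATA\n"
    "client_address=192.0.2.10\n"
    "sasl_method=PLAIN\n"
    "sasl_username=alice@example.com\n"
    "sender=alice@example.com\n"
    "\n"
)

if __name__ == "__main__":
    # main.cf (assumed port): smtpd_data_restrictions = check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as server:
        server.serve_forever()
```

Whether the offender gets HOLD or REJECT is the trade-off /dev/rob0 raises: HOLD keeps the spam for forensics at the cost of a surprised legitimate user, REJECT gives the client an immediate answer.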


Gmail stop support self signed SSL

2012-12-12 Thread J Gao

Hi, all,

My question may be OT but I'd like to ask here, so please forgive me.

I have a mail server using postfix/courier and a few of our users report
having problems if they use Gmail to retrieve emails from my server. I
googled and it seems Gmail is tightening up its security. There are people
who have the same problem:

http://productforums.google.com/forum/#!topic/gmail/uPP9EsiY1rA

So I am looking for a solution now. Questions I'm having are:
1. How much would it cost me to purchase a trusted SSL certificate just for
the POP3/SMTP server?

2. Any recommendation for where to purchase?


Thanks for help.

Gao

--



Re: Gmail stop support self signed SSL

2012-12-12 Thread Wietse Venema
J Gao:
> Hi, all,
> 
> My question may be OT but I'd like to ask here, so please forgive me.
> 
> I have a mail server using postfix/courier and a few of our users report 
> having problems if they use Gmail to retrieve emails from my server. I 

That would be a question for the COURIER mailing list.
Postfix has no POP/IMAP support.

Wietse


Re: Gmail stop support self signed SSL

2012-12-12 Thread Noel Jones
On 12/12/2012 12:44 PM, J Gao wrote:
> Hi, all,
> 
> My question may be OT but I'd like to ask here, so please forgive me.
> 
> I have a mail server using postfix/courier and a few of our users report
> having problems if they use Gmail to retrieve emails from my server.
> I googled and it seems Gmail is tightening up its security. There are
> people who have the same problem:
> http://productforums.google.com/forum/#!topic/gmail/uPP9EsiY1rA
> 
> So I am looking for a solution now. Questions I'm having are:
> 1. How much would it cost me to purchase a trusted SSL certificate just for
> the POP3/SMTP server?
> 2. Any recommendation for where to purchase?
> 
> 
> Thanks for help.
> 
> Gao
> 


Any of the inexpensive SSL certificates should work fine.  Look on
google for providers.  I've used rapidsslonline, but there's
probably 50 other firms selling certificates for less than $20/year.

Make sure you get a "server" certificate, not a "personal"
certificate.  A "Linux/Apache" certificate should work fine for any
*nix service such as IMAP or SMTP, and you can reuse the same
certificate for all services on the same server.



  -- Noel Jones


Re: Gmail stop support self signed SSL

2012-12-12 Thread Javier Henderson
On Wed, Dec 12, 2012 at 1:44 PM, J Gao  wrote:

> Hi, all,
>
> My question may be OT but I'd like to ask here, so please forgive me.
>
> I have a mail server using postfix/courier and a few of our users report
> having problems if they use Gmail to retrieve emails from my server. I
> googled and it seems Gmail is tightening up its security. There are people
> who have the same problem:
> http://productforums.google.com/forum/#!topic/gmail/uPP9EsiY1rA
>
> So I am looking for a solution now. Questions I'm having are:
> 1. How much would it cost me to purchase a trusted SSL certificate just for
> the POP3/SMTP server?
> 2. Any recommendation for where to purchase?


I've been using the free certs from http://www.startssl.com/ for a while
without any problems.

-jav


Re: Gmail stop support self signed SSL

2012-12-12 Thread J Gao

On 12-12-12 11:54 AM, Javier Henderson wrote:




On Wed, Dec 12, 2012 at 1:44 PM, J Gao wrote:

Hi, all,

My question may be OT but I'd like to ask here, so please forgive me.

I have a mail server using postfix/courier and a few of our users report
having problems if they use Gmail to retrieve emails from my server.
I googled and it seems Gmail is tightening up its security. There are
people who have the same problem:
http://productforums.google.com/forum/#!topic/gmail/uPP9EsiY1rA


So I am looking for a solution now. Questions I'm having are:
1. How much would it cost me to purchase a trusted SSL certificate just for
the POP3/SMTP server?
2. Any recommendation for where to purchase?


I've been using the free certs from http://www.startssl.com/ for a while
without any problems.

-jav


Thanks for the help! I'll start to try with the free one.

Gao

--



Re: Gmail stop support self signed SSL

2012-12-12 Thread Benny Pedersen

J Gao wrote on 12-12-2012 19:44:


http://productforums.google.com/forum/#!topic/gmail/uPP9EsiY1rA


did you google free certs?

starting point is http://www.cacert.org/

self-signed has always been a bad idea; free signers are accepted if
you can get google to use cacert public root certs

I just dropped cacert since the cacert root is not in e.g.
firefox/thunderbird

but SSL works better than self-signed problems


Re: Gmail stop support self signed SSL

2012-12-12 Thread J Gao

On 12-12-12 12:12 PM, Benny Pedersen wrote:

J Gao wrote on 12-12-2012 19:44:


http://productforums.google.com/forum/#!topic/gmail/uPP9EsiY1rA


did you google free certs?

starting point is http://www.cacert.org/

self-signed has always been a bad idea; free signers are accepted if
you can get google to use cacert public root certs

I just dropped cacert since the cacert root is not in e.g.
firefox/thunderbird

but SSL works better than self-signed problems


I searched here:
https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&single=true&gid=1&output=html

cacert.org is not on the list.

startssl.com is listed. So I'm going to try this. I just registered an
account and have to wait for final approval.


Gao

--



Re: Change headers in outgoing email

2012-12-12 Thread Benny Pedersen

Ali Jawad wrote on 12-12-2012 21:10:


How can I change this ?


is /etc/hosts correct?

what is your login shell telling you?

does it show unknown?

order in /etc/hosts is important: the FQDN must be listed first after
each IP


# incorrect
127.0.0.1 localhost localhost.localdomain

# correct
127.0.0.1 localhost.localdomain localhost

# other IPs here to help daemons start up before bind/named is running


when this is in place postfix will follow, just like apache :=)

remove mydomain/myorigin from main.cf if postconf -d shows the correct
value now


Re: Change headers in outgoing email

2012-12-12 Thread Ali Jawad
Hi Benny
Thank you for the prompt reply. Basically I want it to show information
other than what is in the hosts file. I do have postfix with 7 instances
and I want each instance to show its own IP; instead it is showing the
hostname in /etc/hosts.
Regards

On Wed, Dec 12, 2012 at 10:30 PM, Benny Pedersen  wrote:

> order in /etc/hosts is important that fqdn must be first listed after each
> ip
>


Re: Change headers in outgoing email

2012-12-12 Thread Benny Pedersen

Ali Jawad wrote on 12-12-2012 21:35:


Thank you for the prompt reply, basically I want it to show
information other than what is in the hosts file,


why?


I do have postfix with 7 instances and I want each instance to
show its own IP; instead it is showing the hostname in /etc/hosts


do you have 7 WAN IPs on this server?

if not, forget it :)

each instance will use the hostname it binds to, so all WAN hostnames must
be defined in /etc/hosts, and an override in master.cf is still possible
with one instance; this works for incoming, but was the question about
outgoing smtp?


more than one instance is only needed for outgoing

PS: no need to send a cc to me privately as long as I am still here



Ubuntu Upgrade broke my TLS

2012-12-12 Thread Tony Nelson
I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix to 
2.9.1-4.  The postfix server sits behind my firewall, in front of my corporate 
Exchange servers.

After the upgrade I found that my exchange servers would/could no longer send 
mail.  I got the following error:

Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from 
NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]

A bit of googling pointed me to TLS issues.  After trying several things, I 
commented out my TLS configuration parameters, and sure enough all of the mail 
flowed out of my Exchange servers, so the problem is definitely TLS related.

These are my commented out TLS parameters:

# TLS parameters
# smtp_tls_security_level = may
# smtpd_tls_security_level = may
# smtpd_tls_cert_file = /etc/ssl/certs/starpoint.crt
# smtpd_tls_key_file = /etc/ssl/private/starpoint.key
# smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
# smtpd_tls_loglevel = 2
# smtpd_use_tls=yes
# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The certificate I am using for the TLS on the Postfix server is a wildcard 
certificate for starpoint.com from GoDaddy.
The certificate that Exchange uses is a specific certificate for 
exchange.starpoint.com, also from GoDaddy.

I think it's in my best interest to get TLS operational again.  I've re-read 
http://www.postfix.org/TLS_README.html again and nothing is jumping out at me.

What is my best next step to solve this problem?

Thank you very much for any advice.

Tony Nelson
Starpoint Solutions




Since 1982, Starpoint Solutions has been a trusted source of human capital and 
solutions. We are committed to our clients, employees, environment, community 
and social concerns. We foster an inclusive culture based on trust, respect, 
honesty and solid performance. Learn more about Starpoint and our social 
responsibility at http://www.starpoint.com/social_responsibility


This email message from Starpoint Solutions LLC is for the sole use of the 
intended recipient(s) and may contain confidential and privileged information. 
Any unauthorized review, use, disclosure or distribution is prohibited. If you 
are not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message. Opinions, conclusions and other 
information in this message that do not relate to the official business of 
Starpoint Solutions shall be understood as neither given nor endorsed by it.


Re: Ubuntu Upgrade broke my TLS

2012-12-12 Thread Will


On 12/12/12 18:05, Tony Nelson wrote:
I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded 
Postfix to 2.9.1-4.  The postfix server sits behind my firewall, in 
front of my corporate Exchange servers.


After the upgrade I found that my exchange servers would/could no 
longer send mail.  I got the following error:


Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO
from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]


A bit of googling pointed me to TLS issues.  After trying several 
things, I commented out my TLS configuration parameters, and sure 
enough all of the mail flowed out of my Exchange servers, so the 
problem is definitely TLS related.


These are my commented out TLS parameters:

# TLS parameters
# smtp_tls_security_level = may
# smtpd_tls_security_level = may
# smtpd_tls_cert_file = /etc/ssl/certs/starpoint.crt
# smtpd_tls_key_file = /etc/ssl/private/starpoint.key
# smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
# smtpd_tls_loglevel = 2
# smtpd_use_tls=yes
# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The certificate I am using for the TLS on the Postfix server is a
wildcard certificate for starpoint.com from GoDaddy.
The certificate that Exchange uses is a specific certificate for
exchange.starpoint.com, also from GoDaddy.


I think it's in my best interest to get TLS operational again.  I've 
re-read http://www.postfix.org/TLS_README.html again and nothing is 
jumping out at me.


What is my best next step to solve this problem.

Thank you very much for any advice.

Tony Nelson
Starpoint Solutions





Changing smtpd_tls_loglevel to 3 might provide more useful debugging
output, which could help you find any issues between Exchange and Postfix.


-Will


Re: Ubuntu Upgrade broke my TLS

2012-12-12 Thread Scott Kitterman
On Wednesday, December 12, 2012 07:05:51 PM Tony Nelson wrote:
> I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix
> to 2.9.1-4.  The postfix server sits behind my firewall, in front of my
> corporate Exchange servers.
> 
> After the upgrade I found that my exchange servers would/could no longer
> send mail.  I got the following error:
> 
> Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from
> NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
> 
> A bit of googling pointed me to TLS issues.  After trying several things, I
> commented out my TLS configuration parameters, and sure enough all of the
> mail flowed out of my Exchange servers, so the problem is definitely TLS
> related.

Re-enable package updates (they are enabled by default).  If you had them 
enabled, you would have postfix 2.9.3-2~12.04.4.  IIRC, there were changes in 
postfix 2.9.2 or 3 to integrate better with openssl 1.0.1, which Ubuntu 12.04 
also ships.

Scott K


Re: Ubuntu Upgrade broke my TLS

2012-12-12 Thread Tony Nelson

On Dec 12, 2012, at 7:10 PM, Will wrote:


On 12/12/12 18:05, Tony Nelson wrote:
I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix to 
2.9.1-4.  The postfix server sits behind my firewall, in front of my corporate 
Exchange servers.

After the upgrade I found that my exchange servers would/could no longer send 
mail.  I got the following error:

Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from 
NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]

A bit of googling pointed me to TLS issues.  After trying several things, I 
commented out my TLS configuration parameters, and sure enough all of the mail 
flowed out of my Exchange servers, so the problem is definitely TLS related.

These are my commented out TLS parameters:

# TLS parameters
# smtp_tls_security_level = may
# smtpd_tls_security_level = may
# smtpd_tls_cert_file = /etc/ssl/certs/starpoint.crt
# smtpd_tls_key_file = /etc/ssl/private/starpoint.key
# smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
# smtpd_tls_loglevel = 2
# smtpd_use_tls=yes
# smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

The certificate I am using for the TLS on the Postfix server is a wildcard 
certificate for starpoint.com from GoDaddy.
The certificate that Exchange uses is a specific certificate for 
exchange.starpoint.com, also from GoDaddy.

I think it's in my best interest to get TLS operational again.  I've re-read 
http://www.postfix.org/TLS_README.html again and nothing is jumping out at me.

What is my best next step to solve this problem.

Thank you very much for any advice.

Tony Nelson
Starpoint Solutions

Changing smtpd_tls_loglevel to 3 might provide more useful debugging output, 
which could help you find any issues between Exchange and Postfix.

-Will

Thanks for the suggestion.  I'm going to paste the result here, but I don't see 
anything helpful.  Right after an anonymous connection is made, the connection 
is dropped.

Thank you very much for the help.

root@mail:/var/log# cat /tmp/t
Dec 12 19:21:13 mail postfix/smtpd[4660]: connect from 
NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
Dec 12 19:21:13 mail postfix/smtpd[4660]: setting up TLS connection from 
NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
Dec 12 19:21:13 mail postfix/smtpd[4660]: 
NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]: 
TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:before/accept 
initialization
Dec 12 19:21:13 mail postfix/smtpd[4660]: 
ny-hubt02.win.starpoint.com[192.168.43.19]: 
looking up session 
5A3FF3E579B7897ECFB9E38711215AF724F0171DB74DADE7403185BFCDBF5AF3&s=192.168.39.36:smtp
 in smtpd cache
Dec 12 19:21:13 mail postfix/smtpd[4660]: 
ny-hubt02.win.starpoint.com[192.168.43.19]: 
reloaded session 
5A3FF3E579B7897ECFB9E38711215AF724F0171DB74DADE7403185BFCDBF5AF3&s=192.168.39.36:smtp
 from smtpd cache
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 read client hello A
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write server hello A
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write change cipher 
spec A
Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write finished A
Dec 12 19:21:13 mail postfix/smtpd[4660]: write to 7FC3AA00E840 [7FC3AA021C10] 
(129 bytes => 129 (0x81))
Dec 12 19:21:13 mail postfix/smtpd[4660]:  16 03 01 00 5

Re: Ubuntu Upgrade broke my TLS

2012-12-12 Thread Tony Nelson

On Dec 12, 2012, at 7:20 PM, Scott Kitterman wrote:

> On Wednesday, December 12, 2012 07:05:51 PM Tony Nelson wrote:
>> I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix
>> to 2.9.1-4.  The postfix server sits behind my firewall, in front of my
>> corporate Exchange servers.
>>
>> After the upgrade I found that my exchange servers would/could no longer
>> send mail.  I got the following error:
>>
>> Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from
>> NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
>>
>> A bit of googling pointed me to TLS issues.  After trying several things, I
>> commented out my TLS configuration parameters, and sure enough all of the
>> mail flowed out of my Exchange servers, so the problem is definitely TLS
>> related.
>
> Re-enable package updates (they are enabled by default).  If you had them
> enabled, you would have postfix 2.9.3-2~12.04.4.  IIRC, there were changes in
> postfix 2.9.2 or 3 to integrate better with openssl 1.0.1, which Ubuntu 12.04
> also ships.
>
> Scott K


Scott, you hit the nail on the head.

It appears that my upgrade didn't go so well.  After running apt-get 
update/upgrade I ended up upgrading some 250+ packages, including Postfix.  I 
now have 2.9.3-2~12.04.4 as you suggested and TLS has started working again.

Thank everyone very much for their time.

Tony Nelson
Starpoint Solutions




Re: Ubuntu Upgrade broke my TLS

2012-12-12 Thread Stan Hoeppner
On 12/12/2012 6:05 PM, Tony Nelson wrote:

> I think it's in my best interest to get TLS operational again.

So, you encrypt the transmission from the internal corporate groupware
server to the gateway server via a private network that you completely
control.  But then you relay the same message over the public internet
in plain text.

There seems to be a flaw in your logic, in your threat assessment.  Your
stated posture makes it seem you are more worried about malicious packet
sniffing inside your perimeter than outside.

-- 
Stan



Re: Ubuntu Upgrade broke my TLS

2012-12-12 Thread Reindl Harald


On 13.12.2012 07:26, Stan Hoeppner wrote:
> On 12/12/2012 6:05 PM, Tony Nelson wrote:
> 
>> I think it's in my best interest to get TLS operational again.
> 
> So, you encrypt the transmission from the internal corporate groupware
> server to the gateway server via a private network that you completely
> control.  But then you relay the same message over the public internet
> in plain text.
> 
> There seems to be a flaw in your logic, in your threat assessment.  Your
> stated posture makes it seem you are more worried about malicious packet
> sniffing inside your perimeter than outside

which is reality in real life

there is MUCH more danger that someone connects to your
LAN than somebody is able to do the same at ISP level


