tlsmgr high io load because of session cache
Hello,

I had a very high I/O load on process tlsmgr because the smtp_scache and smtpd_scache files are written to often (smtp_scache.db ~70mb).

    data_directory = /var/lib/postfix
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Moving /var/lib/postfix to a tmpfs filesystem solved my problem for now, but I am looking for a better solution.

I noticed that Postfix also supports memcache as a lookup table (http://www.postfix.org/DATABASE_README.html). Is this also supported for smtp_tls_session_cache_database? Can anyone show me a config example?

Thanks!

Matthias Schneider
Re: Release date of Postfix 3.0?
Patrik B?t:
> Hello!
>
> Is there a set release date for Postfix 3.0, or is it released when it's
> "done"?

Yes.

Wietse
question about mail aliases
Hi all,

New to the list, have some basic knowledge of Postfix itself.

For a mailserver I work on I need to implement a change which changes how certain aliases are handled. The mailserver uses aliases to send mail to specific groups of users. I need to make certain that certain combinations of aliases are dropped or are sent to a moderator. I have searched the internet but could not find anything about this.

Can somebody help me out with this? Is there a plugin available, or maybe a regular expression to handle this?

best regards,
Andy
Re: question about mail aliases
On 14.11.2014 at 14:01, Andy Kannberg wrote:
> New to the list, have some basic knowledge of Postfix itself.
>
> For a mailserver I work on I need to implement a change which changes
> how certain aliases are handled. The mailserver uses aliases to send
> mail to specific groups of users. I need to make certain that certain
> combinations of aliases are dropped or are sent to a moderator. I have
> searched the internet but could not find anything about this.
>
> Can somebody help me out with this? Is there a plugin available, or
> maybe a regular expression to handle this?

What you seek is a mailing list manager and not just an MTA with ordinary aliases:
http://en.wikipedia.org/wiki/Electronic_mailing_list
Re: question about mail aliases
On Fri, 14 Nov 2014 14:01:46 +0100 Andy Kannberg wrote:
> For a mailserver I work on I need to implement a change which changes
> how certain aliases are handled.
> The mailserver uses aliases to send mail to specific groups of users.
> I need to make certain that certain combinations of aliases are
> dropped or are sent to a moderator. I have searched the internet but
> could not find anything about this. Can somebody help me out with
> this? Is there a plugin available, or maybe a regular expression to
> handle this?

Use list managers for that purpose...
http://www.postfix.org/addon.html#lists
Re: bcc depending upon content type
Hi

On 12.11.2014 at 16:04, Wietse Venema wrote:
> I'm considering a design for BCC support in header/body_checks
> that works in two stages:
>
> - The first stage happens while an email message is received: build
>   a list of recipients in header/body_checks BCC actions, suppressing
>   duplicates on-the-fly.
>
> - The second stage happens after the complete message and envelope
>   are stored: add the BCC recipients to the queue file.
>
> The header/body_checks syntax would look like this:
>
>     /pattern/ BCC u...@example.com
>     /pattern/ BCC u...@example.com NOTIFY=none ORCPT=u...@example.net
>
> (for consistency, BCC recipients with NOTIFY and ORCPT attributes
> should also be supported in access maps, sender_bcc_maps,
> recipient_bcc_maps, and always_bcc)

If I understand that correctly it would mean "smtp_header_checks" could have a rule like below, so if the milter added a [SPAM] prefix to the subject a copy of the (via smtp-transport) outgoing message could go to "spamfil...@example.com" for analysis and manual bayes training?

    /^Subject: \[SPAM\].*/ BCC spamfil...@example.com

That would be *great*
Re: bcc depending upon content type
li...@rhsoft.net:
> On 12.11.2014 at 16:04, Wietse Venema wrote:
> > I'm considering a design for BCC support in header/body_checks
> > that works in two stages:
> >
> > - The first stage happens while an email message is received: build
> >   a list of recipients in header/body_checks BCC actions, suppressing
> >   duplicates on-the-fly.
> >
> > - The second stage happens after the complete message and envelope
> >   are stored: add the BCC recipients to the queue file.
> >
> > The header/body_checks syntax would look like this:
> >
> >     /pattern/ BCC u...@example.com
> >     /pattern/ BCC u...@example.com NOTIFY=none ORCPT=u...@example.net
> >
> > (for consistency, BCC recipients with NOTIFY and ORCPT attributes
> > should also be supported in access maps, sender_bcc_maps,
> > recipient_bcc_maps, and always_bcc)
>
> If I understand that correctly it would mean "smtp_header_checks" could
> have a rule like below, so if the milter added a [SPAM] prefix to the
> subject a copy of the (via smtp-transport) outgoing message could go to
> "spamfil...@example.com" for analysis and manual bayes training?
>
>     /^Subject: \[SPAM\].*/ BCC spamfil...@example.com
>
> That would be *great*

The above is for RECEIVING mail. For example it could be used in header_checks while receiving mail from a spam filter, or in milter_header_checks while receiving header updates from a Milter.

Doing this while DELIVERING mail is fundamentally wrong: changing a Postfix queue file is forbidden once the message is queued. The only allowed changes are in-place updates that flag a record as "completed".

Wietse
Re: question about mail aliases
Hi,

Thanks for pointing this out. My fault, I should've mentioned that in my first mail, but mailing lists are not an option in the eyes of the mailserver owners. Also, it is more about automating whether or not a set of aliases should be sent to a moderator.

I found that it is possible to use scripts in the aliases file:
http://serverfault.com/questions/206477/processing-incoming-emails-with-python

Anyone have experience with that w.r.t. what I need?

cheers,
Andy

2014-11-14 14:14 GMT+01:00 Koko Wijatmoko:
> On Fri, 14 Nov 2014 14:01:46 +0100
> Andy Kannberg wrote:
>
> > For a mailserver I work on I need to implement a change which changes
> > how certain aliases are handled.
> > The mailserver uses aliases to send mail to specific groups of users.
> > I need to make certain that certain combinations of aliases are
> > dropped or are sent to a moderator. I have searched the internet but
> > could not find anything about this. Can somebody help me out with
> > this? Is there a plugin available, or maybe a regular expression to
> > handle this?
>
> Use list managers for that purpose...
> http://www.postfix.org/addon.html#lists
Re: bcc depending upon content type
On 14.11.2014 at 15:48, Wietse Venema wrote:
> li...@rhsoft.net:
> > On 12.11.2014 at 16:04, Wietse Venema wrote:
> > > I'm considering a design for BCC support in header/body_checks
> > > that works in two stages:
> > >
> > > - The first stage happens while an email message is received: build
> > >   a list of recipients in header/body_checks BCC actions, suppressing
> > >   duplicates on-the-fly.
> > >
> > > - The second stage happens after the complete message and envelope
> > >   are stored: add the BCC recipients to the queue file.
> > >
> > > The header/body_checks syntax would look like this:
> > >
> > >     /pattern/ BCC u...@example.com
> > >     /pattern/ BCC u...@example.com NOTIFY=none ORCPT=u...@example.net
> > >
> > > (for consistency, BCC recipients with NOTIFY and ORCPT attributes
> > > should also be supported in access maps, sender_bcc_maps,
> > > recipient_bcc_maps, and always_bcc)
> >
> > If I understand that correctly it would mean "smtp_header_checks" could
> > have a rule like below, so if the milter added a [SPAM] prefix to the
> > subject a copy of the (via smtp-transport) outgoing message could go to
> > "spamfil...@example.com" for analysis and manual bayes training?
> >
> >     /^Subject: \[SPAM\].*/ BCC spamfil...@example.com
> >
> > That would be *great*
>
> The above is for RECEIVING mail. For example it could be used in
> header_checks while receiving mail from a spam filter, or in
> milter_header_checks while receiving header updates from a Milter.
>
> Doing this while DELIVERING mail is fundamentally wrong: changing a
> Postfix queue file is forbidden once the message is queued. The only
> allowed changes are in-place updates that flag a record as "completed"

Thanks for making that clear. So the rule goes unchanged to "header_checks" on all smtp destinations instead of just on the central MX, also *great*, and only missing the few domains with an outside MS Exchange final destination.

Is that planned only for Postfix 3.0 or also considered for a 2.11 point-release?

Thank you!
Re: bcc depending upon content type
> Is that planned only for Postfix 3.0 or also considered for a 2.11
> point-release?

New features do not appear in the stable release.

Wietse
Re: tlsmgr high io load because of session cache
Matthias Schneider:
> Hello,
>
> I had a very high I/O load on process tlsmgr because the smtp_scache and
> smtpd_scache files are written to often (smtp_scache.db ~70mb).
>
> data_directory = /var/lib/postfix
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> Moving /var/lib/postfix to a tmpfs filesystem solved my problem for now,
> but I am looking for a better solution.
> I noticed that Postfix also supports memcache as a lookup table
> (http://www.postfix.org/DATABASE_README.html)
> Is this also supported for smtp_tls_session_cache_database? Can anyone
> show me a config example?

memcache should work just fine. Specify memcache:/configfile instead of btree:/pathname. The contents of the configfile are documented in memcache_table(5). There is no need to change the default ttl of 3600 seconds.

In main.cf, set smtpd_tls_session_cache_timeout=0 and smtp_tls_session_cache_timeout=0. Expiration is done in the memcache server.

Wietse
Re: tlsmgr high io load because of session cache
On Fri, Nov 14, 2014 at 10:10:52AM -0500, Wietse Venema wrote:
> Matthias Schneider:
> > Hello,
> >
> > I had a very high I/O load on process tlsmgr because the smtp_scache and
> > smtpd_scache files are written to often (smtp_scache.db ~70mb).
> >
> > data_directory = /var/lib/postfix
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> >
> > Moving /var/lib/postfix to a tmpfs filesystem solved my problem for now,
> > but I am looking for a better solution.
> > I noticed that Postfix also supports memcache as a lookup table
> > (http://www.postfix.org/DATABASE_README.html)
> > Is this also supported for smtp_tls_session_cache_database? Can anyone
> > show me a config example?
>
> memcache should work just fine. Specify memcache:/configfile instead
> of btree:/pathname. The contents of the configfile are documented
> in memcache_table(5). There is no need to change the default ttl
> of 3600 seconds.
>
> In main.cf, set smtpd_tls_session_cache_timeout=0 and
> smtp_tls_session_cache_timeout=0. Expiration is done in the memcache
> server.

IMPORTANT NOTE: Setting the timeout to zero disables session caching in the SMTP server. Short lifetimes also bound the session validity at the SSL library layer (this is NOT just a database timeout).

1. Just disable the disk based SMTP server session cache:

    # Only issue session tickets, let the client do the
    # caching
    #
    smtpd_tls_session_cache_database =

   This requires Postfix >= 2.10 and OpenSSL >= 1.0.0. You might find that entirely solves the problem.

2. You can reduce the session cache lifetime on the client, which should reduce the file size.

    smtpd_tls_session_cache_

3. DO NOT use TCP to offload the SMTP session cache to remote memcache servers. The session cache contains sensitive session master keys that would enable an attacker to decrypt your TLS traffic.

When I have some time, I'll add code to tlsmgr(8) to encrypt cache entries before storing them into the database and to decrypt them when they are read back, using the same key rollover code as for SMTP server session ticket keys.

--
Viktor.
Re: Release date of Postfix 3.0?
On Fri, Nov 14, 2014 at 06:53:31AM -0500, Wietse Venema wrote:
> > Is there a set release date for Postfix 3.0, or is it released when it's
> > "done"?
>
> Yes.

On January 15th each year Wietse sets a counter for the following year's release to zero. Each day after that he rolls a 6 sided dice, and adds the value to the running total. When the total reaches 1278, a new release is cut. :-)

--
Viktor.
Re: tlsmgr high io load because of session cache
> On Fri, Nov 14, 2014 at 10:10:52AM -0500, Wietse Venema wrote:
> > Matthias Schneider:
> > > Hello,
> > >
> > > I had a very high I/O load on process tlsmgr because the smtp_scache and
> > > smtpd_scache files are written to often (smtp_scache.db ~70mb).
> > >
> > > data_directory = /var/lib/postfix
> > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > >
> > > Moving /var/lib/postfix to a tmpfs filesystem solved my problem for now,
> > > but I am looking for a better solution.
> > > I noticed that Postfix also supports memcache as a lookup table
> > > (http://www.postfix.org/DATABASE_README.html)
> > > Is this also supported for smtp_tls_session_cache_database? Can anyone
> > > show me a config example?
> >
> > memcache should work just fine. Specify memcache:/configfile instead
> > of btree:/pathname. The contents of the configfile are documented
> > in memcache_table(5). There is no need to change the default ttl
> > of 3600 seconds.
> >
> > In main.cf, set smtpd_tls_session_cache_timeout=0 and
> > smtp_tls_session_cache_timeout=0. Expiration is done in the memcache
> > server.
>
> IMPORTANT NOTE: Setting the timeout to zero disables session caching
> in the SMTP server. Short lifetimes also bound the session validity
> at the SSL library layer (this is NOT just a database timeout).
>
> 1. Just disable the disk based SMTP server session cache:
>
>     # Only issue session tickets, let the client do the
>     # caching
>     #
>     smtpd_tls_session_cache_database =
>
>    This requires Postfix >= 2.10 and OpenSSL >= 1.0.0. You might
>    find that entirely solves the problem.
>
> 2. You can reduce the session cache lifetime on the client, which
>    should reduce the file size.
>
>     smtpd_tls_session_cache_
>
> 3. DO NOT use TCP to offload the SMTP session cache to remote memcache
>    servers. The session cache contains sensitive session master keys
>    that would enable an attacker to decrypt your TLS traffic.
>
> When I have some time, I'll add code to tlsmgr(8) to encrypt cache
> entries before storing them into the database and to decrypt them
> when they are read back, using the same key rollover code as for SMTP
> server session ticket keys.

Hello Viktor,

since my server is more smtp client than smtpd I have to tune the smtp_tls_session_cache_database setting. Do you recommend setting smtp_tls_session_cache_database to empty, or using a memcache server for a performance increase?

I am running the latest postfix 2.11.3 version and openssl >1.0.1. I'll use a Unix socket or ::1 for security.

Thank you!

Matthias
Re: Release date of Postfix 3.0?
On Nov 14, 2014, at 9:54 AM, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 06:53:31AM -0500, Wietse Venema wrote:
>
>>> Is there a set release date for Postfix 3.0, or is it released when it's
>>> "done"?
>>
>> Yes.
>
> On January 15th each year Wietse sets a counter for the following
> year's release to zero. Each day after that he rolls a 6 sided
> dice, and adds the value to the running total. When the total
> reaches 1278, a new release is cut. :-)
>
> --
> Viktor.

So around August?
Re: Release date of Postfix 3.0?
Edgar Pettijohn:
> So around August?

Have a look at http://www.postfix.org/announcements.html, and see when Postfix 2.{7-11}.0 were released.

Wietse
Re: Release date of Postfix 3.0?
On Fri, Nov 14, 2014 at 10:26:29AM -0600, Edgar Pettijohn wrote:
> > On January 15th each year Wietse sets a counter for the following
> > year's release to zero. Each day after that he rolls a 6 sided
> > dice, and adds the value to the running total. When the total
> > reaches 1278, a new release is cut. :-)
>
> So around August?

[ Off topic alert, move along... ]

Your arithmetic is different than mine.

    $ echo "2k 1278 3.5 / p" | dc
    365.14

Your task is to compute the variance; it is easy to compute the variance of the total after 365 days. I have not thought about how to correctly compute the variance of the number of days needed to reach a target total. A naive order of magnitude guess is to take the variance of the expected total after 365 days and divide by the mean increment per day. That gives a guesstimated standard deviation of ~sqrt(365 * 35/12)/3.5 or 9.5 days. Replace the dice with a coin toss, how does that change the standard deviation? :-)

--
Viktor.
Re: Release date of Postfix 3.0?
On Nov 14, 2014, at 10:54 AM, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 10:26:29AM -0600, Edgar Pettijohn wrote:
>
>>> On January 15th each year Wietse sets a counter for the following
>>> year's release to zero. Each day after that he rolls a 6 sided
>>> dice, and adds the value to the running total. When the total
>>> reaches 1278, a new release is cut. :-)
>>
>> So around August?
>
> [ Off topic alert, move along... ]
>
> Your arithmetic is different than mine.
>
>     $ echo "2k 1278 3.5 / p" | dc
>     365.14
>
> Your task is to compute the variance; it is easy to compute the
> variance of the total after 365 days. I have not thought about how to
> correctly compute the variance of the number of days needed to
> reach a target total. A naive order of magnitude guess is to take
> the variance of the expected total after 365 days and divide by
> the mean increment per day. That gives a guesstimated standard
> deviation of ~sqrt(365 * 35/12)/3.5 or 9.5 days. Replace the dice
> with a coin toss, how does that change the standard deviation? :-)
>
> --
> Viktor.

It would be a minimum of 213 days, which is around August, or a maximum of 3 1/2 years, which would be around August. Plus there are probably unwritten rules. For all we know he re-rolls all 3's.
Two nodes Postfix cluster
Hi.

I am planning the installation of a two node Postfix cluster, with virtual users on MySQL and SpamAssassin, ClamAV and Dovecot.

I am thinking about the best way to sync them and so create the cluster.

The two nodes are running on two different virtual machines (on different physical nodes of course), so I have the following possibilities to sync them:

- directly sync the virtual machines between nodes (using gluster on the physical hosts)
- sync the storage of the nodes (using gluster on the Postfix nodes)

What strategy could you suggest me in your experience?

Thank you very much!
Bye
Re: tlsmgr high io load because of session cache
On Fri, Nov 14, 2014 at 05:22:34PM +0100, Matthias Schneider wrote:
> Hello Viktor,
>
> since my server is more smtp client than smtpd I have to tune the
> smtp_tls_session_cache_database setting. Do you recommend setting
> smtp_tls_session_cache_database to empty, or using a memcache server for
> a performance increase?

Your real problem is that you're sending *a lot* to some servers that promise session caching, but fail to actually cache sessions. If that's the vast majority of your client connections, you can indeed simply disable TLS session caching.

Otherwise, you can configure a clone SMTP transport with:

    nocache unix ... smtp
        -o smtp_tls_session_cache_database=

and route mail for certain nexthop domains via that transport.

To determine which domains support TLS session caching, you can use posttls-finger (included with 2.11.3 source, make sure to build with -DUSE_TLS):

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache gmail.com
    posttls-finger: looking for session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 in memory cache
    posttls-finger: save session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 to memory cache
    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 in memory cache
    posttls-finger: reloaded session [173.194.68.26]:25&02EBBDE489A3B055A64609B3919EC8E59AF25682182DD7E82D4BAF3FDF388585 from memory cache
    posttls-finger: gmail-smtp-in.l.google.com[173.194.68.26]:25: Reusing old session
    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.68.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: Maximum reconnect count reached.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache postfix.org
    posttls-finger: looking for session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A in memory cache
    posttls-finger: save session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A to memory cache
    posttls-finger: Anonymous TLS connection established to mail.cloud9.net[168.100.1.7]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Server is anonymous
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A in memory cache
    posttls-finger: reloaded session [168.100.1.7]:25&6BED8D59EAC9E109BE27219B31481DBD79420A11FF7FFD9BF75E55B7E80DE14A from memory cache
    posttls-finger: mail.cloud9.net[168.100.1.7]:25: Reusing old session
    posttls-finger: Anonymous TLS connection established to mail.cloud9.net[168.100.1.7]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Maximum reconnect count reached.

So gmail.com and postfix.org offer and actually reuse sessions. On the other hand, storing hotmail, AOL or Yahoo sessions is just a waste of I/O, since they are rarely if ever reusable.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache hotmail.com
    posttls-finger: looking for session [207.46.8.199]:25&B3615E5BC0C51EF280EB79AC8C2D83BB5062B2BE73D21E5CD2AE6E5577D99934 in memory cache
    posttls-finger: save session [207.46.8.199]:25&B3615E5BC0C51EF280EB79AC8C2D83BB5062B2BE73D21E5CD2AE6E5577D99934 to memory cache
    posttls-finger: Untrusted TLS connection established to mx4.hotmail.com[207.46.8.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger: looking for session [207.46.8.199]:25&7364A28B331EC120944E55777F8A2AF16784CDC5840C1BA6EF5FE028C66F993E in memory cache
    posttls-finger: save session [207.46.8.199]:25&7364A28B331EC120944E55777F8A2AF16784CDC5840C1BA6EF5FE028C66F993E to memory cache
    posttls-finger: Untrusted TLS connection established to mx4.hotmail.com[207.46.8.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
    posttls-finger: Maximum reconnect count reached.

    $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache aol.com
    posttls-finger: looking for session [64.12.91.196]:25&3A40B308D4D0C919F0578116E0DFF7530391F4D4118A674626484D27CD0BE2B0 in memory cache
    posttls-finger: save session [64.12.91.196]:25&3A40B308D4D0C919F0578116E0DFF7530391F4D4118A674626484D27CD0BE2B0 to memory cache
    posttls-finger: Anonymous TLS connection established to mailin-03.mx.aol.com[64.12.91.196]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Server is anonymous
    posttls-finger: Reconnecting after 2 seconds
    posttls-finger
Re: tlsmgr high io load because of session cache
On Fri, Nov 14, 2014 at 05:20:14PM +, Viktor Dukhovni wrote:
> So gmail.com and postfix.org offer and actually reuse sessions. On the
> other hand, storing hotmail, AOL or Yahoo sessions is just a waste
> of I/O, since they are rarely if ever reusable.
>
> $ posttls-finger -c -r 2 -m 1 -lmay -Lsummary,cache hotmail.com
> posttls-finger: looking for session
> [207.46.8.199]:25&B3615E5BC0C51EF280EB79AC8C2D83BB5062B2BE73D21E5CD2AE6E5577D99934
> in memory cache
> posttls-finger: save session
> [207.46.8.199]:25&B3615E5BC0C51EF280EB79AC8C2D83BB5062B2BE73D21E5CD2AE6E5577D99934
> to memory cache
> posttls-finger: Reconnecting after 2 seconds
> posttls-finger: looking for session
> [207.46.8.199]:25&7364A28B331EC120944E55777F8A2AF16784CDC5840C1BA6EF5FE028C66F993E
> in memory cache
> posttls-finger: save session
> [207.46.8.199]:25&7364A28B331EC120944E55777F8A2AF16784CDC5840C1BA6EF5FE028C66F993E
> to memory cache
> posttls-finger: Untrusted TLS connection established to
> mx4.hotmail.com[207.46.8.199]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
> (256/256 bits)

Note that the cache lookup key is different for the second connection. To work with split caches for hosts behind load-balancers, Postfix includes the server name from the remote EHLO response in the lookup key; that way a small number of hosts behind a single IP address each get their own cache entry.

This does not work very well when the load-balancer front-ends hundreds or thousands of hosts: you almost never connect to the same host again, while caching lots of discrete sessions.

The gmail "cloud" has a fixed EHLO server name:

    posttls-finger: < 250-mx.google.com at your service

which works well with Postfix, because they have a unified session cache with session tickets and shared keys across the cloud.

While consecutive hotmail connections (to the same IP) may yield:

    posttls-finger: < 250-BAY004-MC2F21.hotmail.com (3.20.0.138) Hello [192.0.2.1]
    posttls-finger: < 250-BAY004-MC2F35.hotmail.com (3.20.0.138) Hello [192.0.2.1]

which results in a different cache slot.

I'd have to write new code to determine whether suppressing the EHLO response session lookup key "salt" would lead to better cache utilization for the various large "cloud provider" domains. Determining this dynamically would require keeping some statistics on cache re-use by IP, and switching from salted to unsalted to off, if cache re-use is sufficiently poor. The code for that would require some care. Not promising anything any time soon.

--
Viktor.
Re: tlsmgr high io load because of session cache
On Fri, Nov 14, 2014 at 06:41:52PM +0100, Matthias Schneider wrote: > It would be great if there would be some kind of TLS debugging to log > successful and not successful TLS session reusing. The present TLS log levels are too coarse. You'd get the data in question at log level 2, but so much other logging along with it, that your system performance would degrade considerably under logging I/O pressure. So for now, you'll need to tune by hand for a few large receiving domains. As for hotmail, it seems unlikely that "unsalted" sessions would work better, they don't support session tickets: posttls-finger: SSL_connect:before/connect initialization posttls-finger: SSL_connect:SSLv2/v3 write client hello A posttls-finger: SSL_connect:SSLv3 read server hello A posttls-finger: SSL_connect:SSLv3 read server certificate A posttls-finger: SSL_connect:SSLv3 read server key exchange A posttls-finger: SSL_connect:SSLv3 read server done A posttls-finger: SSL_connect:SSLv3 write client key exchange A posttls-finger: SSL_connect:SSLv3 write change cipher spec A posttls-finger: SSL_connect:SSLv3 write finished A posttls-finger: SSL_connect:SSLv3 flush data posttls-finger: SSL_connect:SSLv3 read finished A so are unlikely to have a unified cross-server cache. 
Compare with:

    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server key exchange A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
 -> posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A

for Gmail (these messages are from "posttls-finger -Ldebug").

-- Viktor.
Re: Two nodes Postfix cluster
On 14.11.2014 at 18:18, shacky wrote:
> Hi.
>
> I am planning the installation of a two nodes Postfix cluster, with
> virtual users on MySQL and SpamAssassin, ClamAV and Dovecot.
>
> I am thinking about the best way to sync them and so create the cluster.
>
> The two nodes are running on two different virtual machine (on
> different physical nodes of course), so I have the following
> possibilities to sync them:
>
> - directly sync the virtual machines between nodes (using gluster on
> the physical hosts)
> - sync the storage of the nodes (using gluster on the Postfix nodes)
>
> What strategy could you suggest me in your experience?
>
> Thank you very much!
> Bye

This is mostly a question of what you use as Dovecot storage; the Postfix/SpamAssassin/ClamAV setup should be easy (OK, cluster SQL is another story too), so you might start by studying the Dovecot archive and wiki.

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Two nodes Postfix cluster
shacky:
> Hi.
>
> I am planning the installation of a two nodes Postfix cluster, with
> virtual users on MySQL and SpamAssassin, ClamAV and Dovecot.
>
> I am thinking about the best way to sync them and so create the cluster.
>
> The two nodes are running on two different virtual machine (on
> different physical nodes of course), so I have the following
> possibilities to sync them:
>
> - directly sync the virtual machines between nodes (using gluster on
> the physical hosts)
> - sync the storage of the nodes (using gluster on the Postfix nodes)
>
> What strategy could you suggest me in your experience?

Run Postfix on a client (physical or virtual) machine that mounts {config,data,queue}_directory from a file server. When a client machine dies, fire up a spare machine that takes over.

The Postfix {config,data,queue}_directory cannot be shared. This will not change.

Wietse
Re: tlsmgr high io load because of session cache
On Fri, Nov 14, 2014 at 05:58:04PM +, Viktor Dukhovni wrote:

> So for now, you'll need to tune by hand for a few large receiving
> domains. As for hotmail, it seems unlikely that "unsalted" sessions
> would work better, they don't support session tickets:
>
> posttls-finger: SSL_connect:before/connect initialization
> posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> posttls-finger: SSL_connect:SSLv3 read server hello A
> posttls-finger: SSL_connect:SSLv3 read server certificate A
> posttls-finger: SSL_connect:SSLv3 read server key exchange A
> posttls-finger: SSL_connect:SSLv3 read server done A
> posttls-finger: SSL_connect:SSLv3 write client key exchange A
> posttls-finger: SSL_connect:SSLv3 write change cipher spec A
> posttls-finger: SSL_connect:SSLv3 write finished A
> posttls-finger: SSL_connect:SSLv3 flush data
> posttls-finger: SSL_connect:SSLv3 read finished A
>
> so are unlikely to have a unified cross-server cache. Compare with:

The situation may be more promising for Yahoo:

    posttls-finger: SSL_connect:before/connect initialization
    posttls-finger: SSL_connect:SSLv2/v3 write client hello A
    posttls-finger: SSL_connect:SSLv3 read server hello A
    posttls-finger: SSL_connect:SSLv3 read server certificate A
    posttls-finger: SSL_connect:SSLv3 read server key exchange A
    posttls-finger: SSL_connect:SSLv3 read server done A
    posttls-finger: SSL_connect:SSLv3 write client key exchange A
    posttls-finger: SSL_connect:SSLv3 write change cipher spec A
    posttls-finger: SSL_connect:SSLv3 write finished A
    posttls-finger: SSL_connect:SSLv3 flush data
    posttls-finger: SSL_connect:SSLv3 read server session ticket A
    posttls-finger: SSL_connect:SSLv3 read finished A

Here session reuse would perhaps work better without the "salt", but I don't have command-line code at hand to find out.
(However, you could test with smtp_reply_filter):

    http://www.postfix.org/postconf.5.html#smtp_reply_filter

Suitable PCRE table:

    /^(250-mta)\d+(\.mail\..*\.yahoo\.com[ \t\r\n].*)/ $1-N$2

Bash example:

    $ postmap -q \
        "$(printf "250-mta1377.mail.ne1.yahoo.com\r\n250-PIPELINING\r\n250-SIZE 41943040\r\n250 8BITMIME\r\n")" \
        pcre:<(echo '/^(250-mta)\d+(\.mail\..*\.yahoo\.com[ \t\r\n].*)/ $1-N$2')
    250-mta-N.mail.ne1.yahoo.com
    250-PIPELINING
    250-SIZE 41943040
    250 8BITMIME

That would lead to a lot fewer cache entries for Yahoo, whether they end up re-used or not. One per data-centre, rather than one per MTA. A similar mapping for the hotmail MTA names could also reduce I/O load by re-cycling a smaller number of cache entries, rather than constantly writing new ones.

-- Viktor.
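The cache-slot reduction Viktor describes, as an added example that is not code from Postfix or from the thread: it applies the Yahoo PCRE rule quoted above (translated to Python re syntax), plus a constructed, hypothetical rule of the same shape for the hotmail MTA names, to a set of constructed EHLO replies and counts the distinct session-cache keys with and without the filter. The key shape (ip, port, first EHLO reply line) is an assumption for illustration, not Postfix's real key layout.

```python
"""Emulate smtp_reply_filter normalisation of EHLO greetings and count cache slots."""
import re

# Postfix pcre tables set PCRE_DOTALL by default, so "." also matches the
# newline inside a multi-line reply; re.DOTALL reproduces that.  "$1"/"$2"
# become "\1"/"\2".  First matching rule wins, as in a Postfix lookup table.
REPLY_FILTER_RULES = [
    # Rule from the thread: mta1377.mail.ne1.yahoo.com -> mta-N.mail.ne1.yahoo.com
    (re.compile(r"^(250-mta)\d+(\.mail\..*\.yahoo\.com[ \t\r\n].*)", re.DOTALL),
     r"\1-N\2"),
    # Hypothetical rule (an assumption, not from the thread) for the hotmail
    # naming seen above: BAY004-MC2F21.hotmail.com -> BAY004-MC2F-N.hotmail.com
    (re.compile(r"^(250-[A-Z]+\d+-MC\d+F)\d+(\.hotmail\.com[ \t\r\n].*)", re.DOTALL),
     r"\1-N\2"),
]


def apply_reply_filter(reply: str) -> str:
    """Rewrite the reply as smtp_reply_filter would; unchanged if no rule matches."""
    for pattern, replacement in REPLY_FILTER_RULES:
        match = pattern.match(reply)
        if match:
            # A Postfix pcre lookup yields only the expanded replacement text.
            return match.expand(replacement)
    return reply


def session_cache_key(ip: str, port: int, ehlo_reply: str, use_filter: bool = True) -> tuple:
    """Simplified stand-in for the SMTP client's session-cache lookup key.

    Assumption for illustration: server address plus the first EHLO reply
    line (the "salt" Viktor refers to).  Not Postfix's real key format.
    """
    reply = apply_reply_filter(ehlo_reply) if use_filter else ehlo_reply
    greeting = reply.split("\r\n", 1)[0]
    return (ip, port, greeting)


def count_cache_slots(connections, use_filter: bool) -> int:
    """Number of distinct cache slots the (ip, port, reply) observations occupy."""
    return len({session_cache_key(ip, port, reply, use_filter)
                for ip, port, reply in connections})


# Constructed sample data: several MTAs answering behind a few addresses.
YAHOO_TAIL = "\r\n250-PIPELINING\r\n250-SIZE 41943040\r\n250 8BITMIME\r\n"
HOTMAIL_TAIL = "\r\n250-SIZE 36909875\r\n250 8BITMIME\r\n"
SAMPLE_CONNECTIONS = [
    ("198.51.100.10", 25, "250-mta1377.mail.ne1.yahoo.com" + YAHOO_TAIL),
    ("198.51.100.10", 25, "250-mta1259.mail.ne1.yahoo.com" + YAHOO_TAIL),
    ("198.51.100.10", 25, "250-mta1025.mail.ne1.yahoo.com" + YAHOO_TAIL),
    ("198.51.100.20", 25, "250-mta1011.mail.gq1.yahoo.com" + YAHOO_TAIL),
    ("203.0.113.5", 25, "250-BAY004-MC2F21.hotmail.com (3.20.0.138) Hello [192.0.2.1]" + HOTMAIL_TAIL),
    ("203.0.113.5", 25, "250-BAY004-MC2F35.hotmail.com (3.20.0.138) Hello [192.0.2.1]" + HOTMAIL_TAIL),
    ("192.0.2.200", 25, "250-mx.example.com at your service\r\n250-PIPELINING\r\n250 8BITMIME\r\n"),
]

if __name__ == "__main__":
    print("slots without filter:", count_cache_slots(SAMPLE_CONNECTIONS, False))  # 7
    print("slots with filter:   ", count_cache_slots(SAMPLE_CONNECTIONS, True))   # 4
```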
Re: Two nodes Postfix cluster
On 14.11.2014 at 18:18, shacky wrote:
> I am planning the installation of a two nodes Postfix cluster, with
> virtual users on MySQL and SpamAssassin, ClamAV and Dovecot.
>
> I am thinking about the best way to sync them and so create the cluster.
>
> The two nodes are running on two different virtual machine (on
> different physical nodes of course), so I have the following
> possibilities to sync them:
>
> - directly sync the virtual machines between nodes (using gluster on
> the physical hosts)
> - sync the storage of the nodes (using gluster on the Postfix nodes)
>
> What strategy could you suggest me in your experience?

In case of MySQL configuration Postfix is not your problem; you can have one as MySQL master and the other as read-only slave. Easily you can have 90% of the configs in MySQL and so rarely a need to sync the other static config files.

In case of SpamAssassin - well, sa-update runs on both nodes; the Bayes database, if it is systemwide -> rsync, and the same for config files below /etc/mail/.

What becomes more interesting is the message storage, meaning the final destination for delivered mail (IMAP/POP3), which is outside Postfix scope and belongs to the Dovecot list.

How large is your mailflow? We go the other direction with one single Postfix instance running SpamAssassin and ClamAV besides postscreen and a transport table to the final destinations, which are in fact own Postfix/dbmail machines with different users (that all on top of a VMware HA setup with two physical nodes for failover).

With postscreen and its RBL feature and wise PTR/HELO checks the load on the MX is normally a no-brainer because SpamAssassin hardly faces more than 5-10% of all delivery attempts - I see no load difference between days with 5000 or 10 spam attempts.
Configuring MSA in postfix
Hello,

Can you please tell me how to configure an MSA with Postfix. I want to create all local users in the MSA. Local users' mail will be delivered in the MSA and outgoing mail will be forwarded to another mail gateway. That mail gateway will have two instances. One instance will accept only mail from the MSA and will forward all outgoing mail. Another instance will receive all incoming mail destined to our corporate domain. Can you please guide me how to do this.

Regards.
Tuhin.
BD. Dhaka.
Re: Configuring MSA in postfix
Alamgir Shamim:
> Hello,
>
> Can you please tell me how to configure MSA with postfix. I want to
> create all local user in MSA. local user's mail will be delivered in
> MSA and out going mail will be forwarded to another mail gateway. That
> mail gateway will have two instances. One instance will accept only
> mail from MSA and will forward all outgoing mail. Another instance
> will receive all incoming mail destined to our corporate domain. Can
> you please guide me how to do this.

MSA = mail submission agent, i.e. the program that injects an email message into the email infrastructure. In today's world that is usually an end-user machine (or mobile device) that runs a mail client program.

To receive mail from an MSA, Postfix can be configured to provide the submission (and legacy smtps) service; see the master.cf file for examples that are usually commented out. If the host must provide no MX service, you comment out the "smtp" service in master.cf.

To receive mail from an MTA (Postfix as an MX host), Postfix is configured by default to provide the smtp service; see master.cf. In this case you would leave the submission and legacy smtps services commented out.

Wietse
Testing DANE-enabled smtp client
Hi,

I configured my mailserver to use DANE for outbound mail whenever possible, but I am having a hard time verifying that this actually works.

When I use posttls-finger from the machine, it indicates "Verified TLS connection established" when I point to a few mxen that are known to have TLSA records available (because they were announced here). However, this does not test postfix itself.

One notable difference between posttls-finger and postfix (as described in the documentation) is that postfix would only use the TLSA record for deciding on a "verified" connection when the resolver is running on localhost, while posttls-finger also accepts dnssec data from a remote resolver (I run unbound in a different VM on the same piece of hardware).

My guess is that I would actually need to send a mail to someone that has TLSA records published in order to test my postfix setup, and then check the local logs.

Am I wrong in understanding the docs, or is there actually a difference in the restrictions on resolver usage between posttls-finger and postfix? If so, would it be useful to keep these in sync, or add a switch to posttls-finger to enforce this behaviour for testing purposes?

Finally, does anybody have an email sinkhole available on a DANE enabled server where I can send some test messages? :)

Kind regards,
Tom
Re: Two nodes Postfix cluster
* shacky :
> Hi.
>
> I am planning the installation of a two nodes Postfix cluster, with
> virtual users on MySQL and SpamAssassin, ClamAV and Dovecot.
>
> I am thinking about the best way to sync them and so create the cluster.
>
> The two nodes are running on two different virtual machine (on
> different physical nodes of course), so I have the following
> possibilities to sync them:
>
> - directly sync the virtual machines between nodes (using gluster on
> the physical hosts)
> - sync the storage of the nodes (using gluster on the Postfix nodes)

You cannot sync the queues, but you can make sure no mail gets lost. Use crosswise DRBD to write the other host's queues to the other node's Secondary DRBD device. In case of failure remount the DRBD as Primary on the remaining node and start a second Postfix instance that has been configured to work with this queue.

p@rick

-- 
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: Testing DANE-enabled smtp client
* Tom Hendrikx :
> I configured my mailserver to use DANE for outbound mail whenever
> possible, but I am having a hard time in verifying that this actually
> works.
>
> When I use posttls-finger from the machine, it indicates "Verified TLS
> connection established" when i point to a few mxen that are known to
> have TLSA records available (because they were announced here).
> However, this does not test postfix itself.
>
> One notable difference between posttls-finger and postfix (as
> described in the documentation) is that postfix would only use the
> TLSA record for deciding on a "verified" connection when the resolver
> is running on localhost, while posttls-finger also accepts dnssec data
> from a remote resolver (I run unbound in a different VM on the same
> piece of hardware).
>
> My guess is that I would actually need to send a mail to someone that
> has TLSA records published in order to test my postfix setup, and then
> check the local logs.
>
> Am I wrong in understanding the docs, or is there actually a
> difference in the restrictions on resolver usage between
> posttls-finger and postfix. If so, would it be useful to keep these in
> sync, or add a switch to posttls-finger to enforce this behaviour for
> testing purposes?
>
> Finally, does anybody have an email sinkhole available on a DANE
> enabled server where I can send some test messages?:)

e...@sys4.de is a DNSSEC-enabled echo service.

p@rick
Re: Testing DANE-enabled smtp client
Tom Hendrikx:
> Hi,
>
> I configured my mailserver to use DANE for outbound mail whenever
> possible, but I am having a hard time in verifying that this actually
> works.
>
> When I use posttls-finger from the machine, it indicates "Verified TLS
> connection established" when i point to a few mxen that are known to
> have TLSA records available (because they were announced here).
> However, this does not test postfix itself.

Try: "sendmail -bv u...@example.com"

> One notable difference between posttls-finger and postfix (as
> described in the documentation) is that postfix would only use the
> TLSA record for deciding on a "verified" connection when the resolver
> is running on localhost, while posttls-finger also accepts dnssec data
> from a remote resolver (I run unbound in a different VM on the same
> piece of hardware).

Postfix does not parse /etc/resolv.conf. There is no reason why Postfix can't receive responses from a remote DNSSEC-validating resolver. It is however not a good idea to go out over a network with untrusted machines.

Wietse
Re: Testing DANE-enabled smtp client
On Fri, Nov 14, 2014 at 10:01:02PM +0100, Tom Hendrikx wrote:

> One notable difference between posttls-finger and postfix (as
> described in the documentation) is that postfix would only use the
> TLSA record for deciding on a "verified" connection when the resolver
> is running on localhost, while posttls-finger also accepts dnssec data
> from a remote resolver (I run unbound in a different VM on the same
> piece of hardware).

Postfix will use (and wisely or otherwise trust) whatever resolver is in /etc/resolv.conf. If that's remote, and subject to MiTM attacks, that's your problem. If you have a secure IPsec tunnel to a trusted resolver, feel free to use it. You can even use remote resolvers over untrusted networks, and expose yourself to active attacks.

> My guess is that I would actually need to send a mail to someone that
> has TLSA records published in order to test my postfix setup, and then
> check the local logs.

The posttls-finger and Postfix code exercise very similar verification logic. You can use "sendmail -bv" to test without actually delivering the mail.

    /usr/sbin/sendmail -bv postmas...@example.net

then check the logs.

> Am I wrong in understanding the docs, or is there actually a
> difference in the restrictions on resolver usage between
> posttls-finger and postfix. If so, would it be useful to keep these in
> sync, or add a switch to posttls-finger to enforce this behaviour for
> testing purposes?

There is no difference. Both use the same DNS library in the same way.

> Finally, does anybody have an email sinkhole available on a DANE
> enabled server where I can send some test messages?:)

The "sendmail -bv" command probes a server without sending mail.

-- Viktor.
Re: patch: smpd insert DSN request (Update)
wietse:
> A. Schulze:
>> wietse:
>>> /^(RCPT\s+TO:<.*>.*\s+NOTIFY=.*)/ $1
>>> /^(RCPT\s+TO:<.*>.*)/ $1 NOTIFY=SUCCESS,DELAY,FAILURE
>>
>> the regex above doesn't match on 'RCPT TO: ' ( SPACE after colon )
>
> That is invalid syntax. What software (other than home-grown scripts)
> sends commands like that?

Android-4.4.2 Mail

    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 220 mail.example.org ESMTP
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: EHLO [192.0.2.25]
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-mail.example.org
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-PIPELINING
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-SIZE 4000
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-STARTTLS
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-ENHANCEDSTATUSCODES
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-8BITMIME
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-DSN
    Nov 12 17:45:33 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250 SMTPUTF8
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: STARTTLS
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 220 2.0.0 Ready to start TLS
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-mail.example.org
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-PIPELINING
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-SIZE 0815
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-AUTH PLAIN
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-ENHANCEDSTATUSCODES
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-8BITMIME
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250-DSN
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250 SMTPUTF8
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: AUTH PLAIN *
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 235 2.7.0 Authentication successful
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: RSET
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250 2.0.0 Ok
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: MAIL FROM:
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250 2.1.0 Ok
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: RCPT TO:
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250 2.1.5 Ok
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: < unknown[192.0.2.25]: DATA
    Nov 12 17:45:34 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 354 End data with .
    Nov 12 17:45:35 mail.example.org postfix/cleanup[17907]: 3jdBdV53xYzDfk: message-id=<@email.android.com>
    Nov 12 17:45:35 mail.example.org postfix/qmgr[17839]: 3jdBdV53xYzDfk: from=, size=, nrcpt=1 (queue active)
    Nov 12 17:45:35 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 250 2.0.0 Ok: queued as 3jdBdV53xYzDfk
    Nov 12 17:50:35 mail.example.org postfix/smtpd[17904]: > unknown[192.0.2.25]: 421 4.4.2 mail.example.org Error: timeout exceeded, servertime=Nov 12 17:50:35, client=192.0.2.25

Funny to note: once Android mail has a TCP session established it holds the session open until timeout.
Re: Testing DANE-enabled smtp client
On 14-11-14 22:27, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 10:01:02PM +0100, Tom Hendrikx wrote:
>
>> One notable difference between posttls-finger and postfix (as
>> described in the documentation) is that postfix would only use
>> the TLSA record for deciding on a "verified" connection when the
>> resolver is running on localhost, while posttls-finger also
>> accepts dnssec data from a remote resolver (I run unbound in a
>> different VM on the same piece of hardware).
>
> Postfix will use (and wisely or otherwise trust) whatever resolver
> is in /etc/resolv.conf. If that's remote, and subject to MiTM
> attacks, that your problem. If you have a secure IPsec tunnel to a
> trusted resolver, feel free to use it. You can even use remote
> resolvers over untrusted networks, and expose yourself to active
> attacks.
>
>> My guess is that I would actually need to send a mail to someone
>> that has TLSA records published in order to test my postfix
>> setup, and then check the local logs.
>
> The posttls-finger and Postfix code exercise very similar
> verification logic. You can use "sendmail -bv" to test without
> actually delivering the mail.
>
> /usr/sbin/sendmail -bv postmas...@example.net
>
> then check the logs.
>
>> Am I wrong in understanding the docs, or is there actually a
>> difference in the restrictions on resolver usage between
>> posttls-finger and postfix. If so, would it be useful to keep
>> these in sync, or add a switch to posttls-finger to enforce this
>> behaviour for testing purposes?
>
> There is no difference. Both use the same DNS library in the same
> way.
>
>> Finally, does anybody have an email sinkhole available on a DANE
>> enabled server where I can send some test messages?:)
>
> The "sendmail -bv" command probes a server without sending mail.

Thanks for the quick responses. That indeed works:

    Nov 14 22:55:56 hostname postfix-out/smtp[11505]: Verified TLS connection established to mail.sys4.de[2001:1578:400:111::7]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
    Nov 14 22:55:57 hostname postfix-out/smtp[11505]: 66FCB8049: to=, relay=mail.sys4.de[2001:1578:400:111::7]:25, delay=0.83, delays=0.16/0.05/0.17/0.45, dsn=2.1.5, status=deliverable (250 2.1.5 Ok)

Regards,
Tom
Re: Testing DANE-enabled smtp client
On Fri, Nov 14, 2014 at 10:58:08PM +0100, Tom Hendrikx wrote:

> Nov 14 22:55:56 hostname postfix-out/smtp[11505]: Verified TLS
> connection established to mail.sys4.de[2001:1578:400:111::7]:25: TLSv1
> with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
> Nov 14 22:55:57 hostname postfix-out/smtp[11505]: 66FCB8049:
> to=, relay=mail.sys4.de[2001:1578:400:111::7]:25,
> delay=0.83, delays=0.16/0.05/0.17/0.45, dsn=2.1.5, status=deliverable
> (250 2.1.5 Ok)

Do keep in mind that if your /etc/resolv.conf does in fact list remote DNS caches, the reported security can be illusory. Run a local unbound listening on 127.0.0.1, list only that in /etc/resolv.conf, and don't let DHCP or other automation replace this with some remote nameserver.

-- Viktor.
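A check for the point Viktor makes above, added here as an example that is not Postfix code or part of the thread: DANE verification is only as trustworthy as the path to the validating resolver, so every "nameserver" entry in /etc/resolv.conf should be a loopback address. The two resolv.conf samples are constructed; reading the live file is optional.

```python
"""Verify that resolv.conf lists only a local (loopback) validating resolver."""
import ipaddress


def parse_nameservers(resolv_conf_text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # resolv.conf comments are introduced by '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def remote_nameservers(resolv_conf_text: str) -> list:
    """Nameservers that are not loopback addresses (or not parseable as addresses)."""
    remote = []
    for server in parse_nameservers(resolv_conf_text):
        try:
            # Strip a possible IPv6 scope id such as "fe80::1%eth0"
            address = ipaddress.ip_address(server.split("%", 1)[0])
        except ValueError:
            remote.append(server)
            continue
        if not address.is_loopback:
            remote.append(server)
    return remote


def resolver_is_local(resolv_conf_text: str) -> bool:
    """True only if at least one nameserver is configured and all of them are loopback.

    Even one remote entry matters: the libc resolver fails over to later
    entries, so a remote cache anywhere in the list can end up answering.
    """
    servers = parse_nameservers(resolv_conf_text)
    return bool(servers) and not remote_nameservers(resolv_conf_text)


def check_system(path: str = "/etc/resolv.conf") -> bool:
    """Apply the check to the live file on this host."""
    with open(path, encoding="utf-8") as handle:
        return resolver_is_local(handle.read())


# Constructed samples (not files from the thread)
LOCAL_UNBOUND = "# unbound on localhost\nnameserver 127.0.0.1\nnameserver ::1\noptions edns0\n"
DHCP_OVERWRITTEN = "# Generated by NetworkManager\nnameserver 192.0.2.53\nnameserver 127.0.0.1\n"

if __name__ == "__main__":
    print("local-only sample ok:", resolver_is_local(LOCAL_UNBOUND))        # True
    print("dhcp sample remote:  ", remote_nameservers(DHCP_OVERWRITTEN))   # ['192.0.2.53']
```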
Re: Configuring MSA in postfix
> On Nov 14, 2014, at 14.47, Wietse Venema wrote:
>
> Alamgir Shamim:
>> Hello,
>>
>> Can you please tell me how to configure MSA with postfix. I want to
>> create all local user in MSA. local user's mail will be delivered in
>> MSA and out going mail will be forwarded to another mail gateway. That
>> mail gateway will have two instances. One instance will accept only
>> mail from MSA and will forward all outgoing mail. Another instance
>> will receive all incoming mail destined to our corporate domain. Can
>> you please guide me how to do this.
>
> MSA = mail submission agent, i.e. the program that injects an email
> message into the email infrastructure. In today's world that is
> usually an end-user machine (or mobile device) that runs a mail
> client program.

I'd always understood an MSA to be a mail server listening on e.g. port 587, accepting connections from end user software [MUA]:

https://en.wikipedia.org/wiki/Mail_submission_agent

ben
Re: Configuring MSA in postfix
b...@bitrate.net:
>> On Nov 14, 2014, at 14.47, Wietse Venema wrote:
>>
>> Alamgir Shamim:
>>> Hello,
>>>
>>> Can you please tell me how to configure MSA with postfix. I want to
>>> create all local user in MSA. local user's mail will be delivered in
>>> MSA and out going mail will be forwarded to another mail gateway. That
>>> mail gateway will have two instances. One instance will accept only
>>> mail from MSA and will forward all outgoing mail. Another instance
>>> will receive all incoming mail destined to our corporate domain. Can
>>> you please guide me how to do this.
>>
>> MSA = mail submission agent, i.e. the program that injects an email
>> message into the email infrastructure. In today's world that is
>> usually an end-user machine (or mobile device) that runs a mail
>> client program.
>
> i'd always understood an msa to be a mail server listening on e.g. port 587,
> accepting connections from end user software [mua]:
>
> https://en.wikipedia.org/wiki/Mail_submission_agent

I stand corrected. The MUA (mail user agent) injects the message into the infrastructure.

Wietse
Re: invalid SMTP syntax: Android-4.4.2 Mail
On Fri, Nov 14, 2014, A. Schulze wrote:
> Android-4.4.2 Mail

If you have a chance, can you contact the developers and ask them to fix it?

> unknown[192.0.2.25]: MAIL FROM:
> unknown[192.0.2.25]: RCPT TO:

RFC 5321 explicitly lists this error (for those who have trouble understanding RFC 821 or RFC 2821):

    Since it has been a common source of errors, it is worth noting that
    spaces are not permitted on either side of the colon following FROM
    in the MAIL command or TO in the RCPT command. The syntax is exactly
    as given above.
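The two smtpd_command_filter rules from the DSN thread above and the RFC 5321 rule Wietse quotes, as an added example that is not Postfix code or part of either message: the pcre rules are re-implemented in Python re syntax to show that a "RCPT TO: <addr>" with a space after the colon (the Android client's form) never reaches the NOTIFY rewrite, paired with a strict check of the RFC 5321 command form. The sample commands and addresses are constructed.

```python
"""Emulate the NOTIFY-inserting command filter and check RFC 5321 MAIL/RCPT syntax."""
import re

# The two rules quoted in the thread, first match wins; "$1" becomes "\1".
COMMAND_FILTER_RULES = [
    (re.compile(r"^(RCPT\s+TO:<.*>.*\s+NOTIFY=.*)", re.IGNORECASE), r"\1"),
    (re.compile(r"^(RCPT\s+TO:<.*>.*)", re.IGNORECASE), r"\1 NOTIFY=SUCCESS,DELAY,FAILURE"),
]

# RFC 5321 sections 4.1.1.2 / 4.1.1.3: "MAIL FROM:" or "RCPT TO:" immediately
# followed by the angle-bracketed path (no whitespace on either side of the
# colon); optional ESMTP keyword[=value] parameters follow after whitespace.
RFC5321_PATH_COMMAND = re.compile(
    r"^(?:MAIL FROM|RCPT TO):<[^<>\s]*>(?:\s+[A-Za-z0-9][A-Za-z0-9-]*(?:=\S+)?)*\s*$",
    re.IGNORECASE,
)


def filter_command(command: str) -> str:
    """Apply the filter as a Postfix pcre table would; unchanged if nothing matches."""
    for pattern, replacement in COMMAND_FILTER_RULES:
        match = pattern.match(command)
        if match:
            return match.expand(replacement)
    return command


def is_rfc5321_path_command(command: str) -> bool:
    """True if the MAIL FROM / RCPT TO line follows the RFC 5321 grammar."""
    return RFC5321_PATH_COMMAND.match(command) is not None


def classify(command: str) -> dict:
    """Summarise one client command: well-formed or not, and what the filter emits."""
    return {"rfc5321": is_rfc5321_path_command(command),
            "filtered": filter_command(command)}


# Constructed commands; the addresses are placeholders.
WELL_FORMED = "RCPT TO:<user@example.org>"
ALREADY_HAS_NOTIFY = "RCPT TO:<user@example.org> NOTIFY=NEVER"
ANDROID_STYLE = "RCPT TO: <user@example.org>"  # the space after the colon the thread is about

if __name__ == "__main__":
    for cmd in (WELL_FORMED, ALREADY_HAS_NOTIFY, ANDROID_STYLE):
        print(repr(cmd), "->", classify(cmd))
```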