Re: Next Dumb question - mynetworks

[John]

I think I am asking the wrong question.

What would be the effects of setting /mynetworks/ to 127.0.0.1/8 and 
::1/128? I assume that I would need these in order to allow 
inter-process communication on the server.


Could I remove the /permit_mynetworks/ stanza in my restriction classes 
in main?
I suspect that I would need to keep them in master, or could I remove 
them here as well?


Bearing in mind that we want to restrict our users to authenticated 
submission access only.


--
John Allen
KLaM
--
Perfection of means and confusion of ends seem to characterize our age.


smime.p7s
Description: S/MIME Cryptographic Signature

Re: Next Dumb question - mynetworks

[li...@rhsoft.net]

Am 15.02.2015 um 13:37 schrieb John:

I think I am asking the wrong question.

What would be the effects of setting /mynetworks/ to 127.0.0.1/8 and
::1/128? I assume that I would need these in order to allow
inter-process communication on the server.

Could I remove the /permit_mynetworks/ stanza in my restriction classes
in main?
I suspect that I would need to keep them in master, or could I remove
them here as well?

Bearing in mind that we want to restrict our users to authenticated
submission access only


you don't need "permit_mynetworks" anywhere by definition until you want 
to override restrictions based on, well, mynetworks


our inbound spamfilter as example don't use it at all with the exception 
that "mynetworks" contains the LAN netmask to bypass postscreen implicit


postscreen_access_list (default: permit_mynetworks)

detecting encryption for outgoing mail

[John]

A couple of the  servers I support are medical offices, and for patient 
confidentiality reasons they need to send email out encrypted.
After a lot of discussion they have come to the conclusion that in order 
to avoid accidentally sending confidential data unencrypted, all email 
must be encrypted.
What they would like is a filter on outgoing email that checks for 
encryption and refuses anything not encrypted. They need to err on the 
side of caution.


So far Google has not been my friend.

Does anybody know of a way of enforcing encryption, or detecting 
unencrypted email.


--
John Allen
KLaM
--
Support bacteria. There are the only culture some people have.



smime.p7s
Description: S/MIME Cryptographic Signature

Re: Problem compiling 3.0 on Solaris 11 with solaris studio cc

[Wietse Venema]

pe...@ixp.jp:
> On Feb/12.11:28:57, Wietse Venema wrote:
> > Jean-Christophe Delaye:
> > > "milter.c", line 546: non-constant initializer involving a cast
>  
> > 545 static ATTR_OVER_TIME time_table[] = {
> > 546 7 + VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0,
> > ...
> > And mail_params.h has:
> > #define VAR_MILT_CONN_TIME  "milter_connect_timeout"
> > #define DEF_MILT_CONN_TIME  "30s"
> > You may try if "VAR_MILT_CONN_TIME + 7" works better.
> 
>   Indeed this works here. Putting quotes around the expression is
>   sufficient to placate 12.4, although this results in this
>   appearing in libmilter.a

DON'T DO THAT. Putting quotes around the expression is totally
incorrect.

Given the definition

#define VAR_MILT_CONN_TIME  "milter_connect_timeout"

the expression

7 + VAR_MILT_CONN_TIME

expands into

7 + "milter_connect_timeout"

A correct compiler will evaluate this as

"connect_timeout"

With a buggy compiler, this form may work:

545 static ATTR_OVER_TIME time_table[] = {
546 &(VAR_MILT_CONN_TIME[7]), DEF_MILT_CONN_TIME, 0, 1, 0,
...

But I would not be surprised when the compiler mis-handles this as
well, because both forms do the same thing: take the address of
the 8th octet in a byte array.

Wietse

Re: detecting encryption for outgoing mail

[Mauricio Tavares]

On Sun, Feb 15, 2015 at 9:12 AM, John  wrote:
> A couple of the  servers I support are medical offices, and for patient
> confidentiality reasons they need to send email out encrypted.
> After a lot of discussion they have come to the conclusion that in order to
> avoid accidentally sending confidential data unencrypted, all email must be
> encrypted.
> What they would like is a filter on outgoing email that checks for
> encryption and refuses anything not encrypted. They need to err on the side
> of caution.
>
> So far Google has not been my friend.
>
> Does anybody know of a way of enforcing encryption, or detecting unencrypted
> email.
>
  Stupid question: is the entire email supposed to be encrypted or
just part of it ("Hi Bubba. Please see attached an encrypted doc
containing an update.")? Also, which encryption did they settle down
on?

> --
> John Allen
> KLaM
> --
> Support bacteria. There are the only culture some people have.
>

Re: Next Dumb question - mynetworks - so now I think I know

[John]

Set /mynetworks/ to 127.0.01/8and ::1,removed /permit_mynetworks/ from 
relay and recipient restrictions, but had to add to relay_restriction in 
amavis setup in master.


everything seems to work.

--
John Allen
KLaM
--
definition: Camel, a horse designed by a committee.


smime.p7s
Description: S/MIME Cryptographic Signature

Re: detecting encryption for outgoing mail

[John]

On 2/15/2015 9:40 AM, Mauricio Tavares wrote:

On Sun, Feb 15, 2015 at 9:12 AM, John  wrote:

A couple of the  servers I support are medical offices, and for patient
confidentiality reasons they need to send email out encrypted.
After a lot of discussion they have come to the conclusion that in order to
avoid accidentally sending confidential data unencrypted, all email must be
encrypted.
What they would like is a filter on outgoing email that checks for
encryption and refuses anything not encrypted. They need to err on the side
of caution.

So far Google has not been my friend.

Does anybody know of a way of enforcing encryption, or detecting unencrypted
email.


   Stupid question: is the entire email supposed to be encrypted or
just part of it ("Hi Bubba. Please see attached an encrypted doc
containing an update.")? Also, which encryption did they settle down
on?


--
John Allen
KLaM
--
Support bacteria. There are the only culture some people have.


Why is this a stupid question?
All email sent must be encrypted, they plan on using SMIME mainly 
because it is more common than PGP. The MUAs are a mixture of Outlook 
and Thunderbird.


There is some discussion as to whether there will be a distinction 
between support staff, care givers and practitioners. Support staff 
don't generally have access to sensitive patient data so might be able 
to use a common cert. care givers and practitioners might share certs 
based upon their "circle of care" all of this is still being discussed.


--
John Allen
KLaM
--
How many of you believe in telekinesis? Raise my hand...



smime.p7s
Description: S/MIME Cryptographic Signature

postfix message sent/received hook

[Sherman Boyd]

Hello.  I'm working on a little ARM server that runs Postfix.  On incoming
or outgoing email I want to trigger an animation on an attached ring of
LEDs.  My first attempt was to follow the approach here (content filter
re-injecting with sendmail) :

http://blog.thecodingmachine.com/content/triggering-php-script-when-your-postfix-server-receives-mail

*master.cf :*

lights unix   -  n   n   -   -   pipe
  flags=F user=lights argv=/opt/lights/recvhook.js ${sender} ${size}
${recipient}
587   inet   n  -   -   -   -   smtpd
  -o syslog_name=postfix/lights -o content_filter=lights:dummy


*main.cf :*

milter_macro_daemon_name=ORIGINATING


It works, but I've noticed some ugly side effects.  Bounce messages are
screwy, for one.  What method should I use that will have minimal effect on
postfix operations?


Best regards,

Sherman Boyd

Re: Local delivery continues after code 550

[Mats Luspa]

Hello!

I've now added your logging code.

That code confirms that it's problems to read socket according to  
logging below ("inside mail_command_client" is my own logging added to  
confirm that I used the correct binary. Thank you for your efforts  
again):


2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
inside mail_command_client
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
read private/bounce socket: Permission denied
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
inside mail_command_client
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
read private/defer socket: Permission denied
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
6D78614224: defer service failure
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
inside mail_command_client
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
read public/flush socket: Permission denied
2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
6D78614224: flush service failure


Quoting Wietse Venema :


Mats Luspa:


Yes, apparmor is used. But I'm not an expert in configuring apparmor.
But maybe something there is preventing the linux-container to read
some part of the file system that affects postfix.

I must check it.


Meanwhile, I have added logging to the mail_command_client() function
so that it logs why the bounce request is deferred.

Wietse

---  
/var/tmp/postfix-3.1-20150208/src/global/mail_command_client.c	2014-12-14  
13:22:05.0 -0500

+++ ./mail_command_client.c 2015-02-14 20:37:34.0 -0500
@@ -52,6 +52,7 @@
 /* Utility library. */

 #include 
+#include 

 /* Global library. */

@@ -67,16 +68,26 @@

 /*
  * Talk a little protocol with the specified service.
+ *
+ * This function is used for non-critical services where it is  
OK to back

+ * off after the first error. Log what communication stage failed, to
+ * facilitate trouble analysis.
  */
-if ((stream = mail_connect(class, name, BLOCKING)) == 0)
+if ((stream = mail_connect(class, name, BLOCKING)) == 0) {
+   msg_warn("connect to %s/%s: %m", class, name);
return (-1);
+}
 va_start(ap, name);
 status = attr_vprint(stream, ATTR_FLAG_NONE, ap);
 va_end(ap);
-if (status != 0
-   || attr_scan(stream, ATTR_FLAG_STRICT,
-RECV_ATTR_INT(MAIL_ATTR_STATUS, &status), 0) != 1)
+if (status != 0) {
+   msg_warn("write %s: %m", VSTREAM_PATH(stream));
status = -1;
+} else if (attr_scan(stream, ATTR_FLAG_STRICT,
+RECV_ATTR_INT(MAIL_ATTR_STATUS, &status), 0) != 1) {
+   msg_warn("read %s: %m", VSTREAM_PATH(stream));
+   status = -1;
+}
 (void) vstream_fclose(stream);
 return (status);
 }

Re: postfix message sent/received hook

[Viktor Dukhovni]

On Sun, Feb 15, 2015 at 09:29:50AM -0700, Sherman Boyd wrote:

> Hello.  I'm working on a little ARM server that runs Postfix.  On incoming
> or outgoing email I want to trigger an animation on an attached ring of
> LEDs.  My first attempt was to follow the approach here (content filter
> re-injecting with sendmail) :

* Define "incoming" mail.
* Define "outgoing" mail.

Mail enters Postfix from multiple sources:

* From outside via SMTP.
* From local processes via sendmail(1).
* Internally generated bounce and postmaster notices 
* Internally generated probes via verify(8)
* Indirect delivery of aliases in local(8)

Mail leaves Postfix via:

* Delivery to remote machines via SMTP.
* Delivery to a mailstore via LMTP
* Delivery to a local mbox file or maildir via local(8) or virtual(8).
* Delivery to commands via command aliases(5), mailbox_command settings
  or pipe(8) transports.
* Circular file via discard(8).

Which of these various events do you want to blink the lights?
Presumably this is intended to be a low-volume deployment, otherwise
the lights will just flicker imperceptibly.

-- 
Viktor.

Re: Local delivery continues after code 550

[Wietse Venema]

Mats Luspa:
> Hello!
> 
> I've now added your logging code.
> 
> That code confirms that it's problems to read socket according to  
> logging below ("inside mail_command_client" is my own logging added to  
> confirm that I used the correct binary. Thank you for your efforts  
> again):
> 
> 2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
> inside mail_command_client
> 2015-02-15T17:51:31+02:00 outgoingmail-3 postfix/smtp[10831]: warning:  
> read private/bounce socket: Permission denied

Excellent. We narrowed down the problem to the VSTREAM_GETC() call,
established why the call failed, and I added logging in so that
this will be easier to diagnose in the future.

With a system that grew from a few tens of thousands of lines of
code, and with calls nested a dozen levels deep, it isn't always
obvious who is responsible for logging the details of an error.

Wietse

Re: Local delivery continues after code 550

[Viktor Dukhovni]

On Sun, Feb 15, 2015 at 02:08:58PM -0500, Wietse Venema wrote:

> Excellent. We narrowed down the problem to the VSTREAM_GETC() call,
> established why the call failed, and I added logging in so that
> this will be easier to diagnose in the future.

Should there be an explicit flush after the attr_vprint()? Otherwise,
write errors will instead be reported as read errors after attr_scan()
fails to flush the output buffer...

-- 
Viktor.

Re: detecting encryption for outgoing mail

[LuKreme]

> On 15 Feb 2015, at 07:56 , John  wrote:
> 
> On 2/15/2015 9:40 AM, Mauricio Tavares wrote:
>> On Sun, Feb 15, 2015 at 9:12 AM, John  wrote:
>>> A couple of the  servers I support are medical offices, and for patient
>>> confidentiality reasons they need to send email out encrypted.
>>> After a lot of discussion they have come to the conclusion that in order to
>>> avoid accidentally sending confidential data unencrypted, all email must be
>>> encrypted.
>>> What they would like is a filter on outgoing email that checks for
>>> encryption and refuses anything not encrypted. They need to err on the side
>>> of caution.
>>> 
>>> So far Google has not been my friend.
>>> 
>>> Does anybody know of a way of enforcing encryption, or detecting unencrypted
>>> email.
>>> 
>>   Stupid question: is the entire email supposed to be encrypted or
>> just part of it ("Hi Bubba. Please see attached an encrypted doc
>> containing an update.")? Also, which encryption did they settle down
>> on?

> Why is this a stupid question?

Not your question. Mauricio was asking a question he prefaced with “stupid 
question:“

> All email sent must be encrypted, they plan on using SMIME mainly because it 
> is more common than PGP. The MUAs are a mixture of Outlook and Thunderbird.

I’d assume there would be something in the headers to indicate the message was 
encrypted. Probably some sort of milter running on your submission port would 
be able to check this?

Might even already be in mime-defang?

-- 
'They were myths and they were real,' he said loudly. 'Both a wave and a
particle.' --Guards! Guards!

Re: Local delivery continues after code 550

[Wietse Venema]

Viktor Dukhovni:
> On Sun, Feb 15, 2015 at 02:08:58PM -0500, Wietse Venema wrote:
> 
> > Excellent. We narrowed down the problem to the VSTREAM_GETC() call,
> > established why the call failed, and I added logging in so that
> > this will be easier to diagnose in the future.
> 
> Should there be an explicit flush after the attr_vprint()? Otherwise,
> write errors will instead be reported as read errors after attr_scan()
> fails to flush the output buffer...

Given that cyles are finite, we cannot achieve perfection in every
respect. What do we optimize for?

Wietse

Re: Local delivery continues after code 550

[Viktor Dukhovni]

On Sun, Feb 15, 2015 at 03:44:45PM -0500, Wietse Venema wrote:

> Viktor Dukhovni:
> > On Sun, Feb 15, 2015 at 02:08:58PM -0500, Wietse Venema wrote:
> > 
> > > Excellent. We narrowed down the problem to the VSTREAM_GETC() call,
> > > established why the call failed, and I added logging in so that
> > > this will be easier to diagnose in the future.
> > 
> > Should there be an explicit flush after the attr_vprint()? Otherwise,
> > write errors will instead be reported as read errors after attr_scan()
> > fails to flush the output buffer...
> 
> Given that cyles are finite, we cannot achieve perfection in every
> respect. What do we optimize for?

That's the question really.  I am not sure the warnings for such
rare kernel bugs are worth the trouble at all, but if we're bothering
to do them, I'm somewhat inclined to report reasonably accurate
symtoms.  Otherwise, just rely on strace and the like to tell the
complete story.

-- 
Viktor.

Re: Local delivery continues after code 550

[Wietse Venema]

Viktor Dukhovni:
> On Sun, Feb 15, 2015 at 03:44:45PM -0500, Wietse Venema wrote:
> 
> > Viktor Dukhovni:
> > > On Sun, Feb 15, 2015 at 02:08:58PM -0500, Wietse Venema wrote:
> > > 
> > > > Excellent. We narrowed down the problem to the VSTREAM_GETC() call,
> > > > established why the call failed, and I added logging in so that
> > > > this will be easier to diagnose in the future.
> > > 
> > > Should there be an explicit flush after the attr_vprint()? Otherwise,
> > > write errors will instead be reported as read errors after attr_scan()
> > > fails to flush the output buffer...
> > 
> > Given that cyles are finite, we cannot achieve perfection in every
> > respect. What do we optimize for?
> 
> That's the question really.  I am not sure the warnings for such
> rare kernel bugs are worth the trouble at all, but if we're bothering
> to do them, I'm somewhat inclined to report reasonably accurate
> symtoms.  Otherwise, just rely on strace and the like to tell the
> complete story.

It's the the 90%-10% rule (sometimes called 80%-20%).

The problem was a total lack of "errno" logging.  That has now been
addressed. The 90% result (at 10% of the effort) is better than
keeping the people in total darkness and telling them to run strace
on unfamiliar code.

Instead of adding redundant "flush" calls to make error logging
perfectly accurate, the effort is better spent addressing the
larger problem that some errors are detected but not logged
with the errno and the name of the target.

Wietse

Re: postfix message sent/received hook

[Noel Jones]

On 2/15/2015 10:29 AM, Sherman Boyd wrote:
> Hello.  I'm working on a little ARM server that runs Postfix.  On
> incoming or outgoing email I want to trigger an animation on an
> attached ring of LEDs.  My first attempt was to follow the approach
> here (content filter re-injecting with sendmail) :
> 

Cool.

I would suggest using a log scraper to trigger your scripts.  That
will give you maximum flexibility with minimal postfix impact.

I think fail2ban would be a great tool to use for this.



   -- Noel Jones

Re: postfix message sent/received hook

[Sherman Boyd]

>  * Define "incoming" mail.
>  * Define "outgoing" mail.

Incoming: from outside via SMTP
Outgoing: to outside via SMTP

Best regards,

Sherman Boyd


On Sun, Feb 15, 2015 at 10:10 AM, Viktor Dukhovni <
postfix-us...@dukhovni.org> wrote:

> On Sun, Feb 15, 2015 at 09:29:50AM -0700, Sherman Boyd wrote:
>
> > Hello.  I'm working on a little ARM server that runs Postfix.  On
> incoming
> > or outgoing email I want to trigger an animation on an attached ring of
> > LEDs.  My first attempt was to follow the approach here (content filter
> > re-injecting with sendmail) :
>
> * Define "incoming" mail.
> * Define "outgoing" mail.
>
> Mail enters Postfix from multiple sources:
>
> * From outside via SMTP.
> * From local processes via sendmail(1).
> * Internally generated bounce and postmaster notices
> * Internally generated probes via verify(8)
> * Indirect delivery of aliases in local(8)
>
> Mail leaves Postfix via:
>
> * Delivery to remote machines via SMTP.
> * Delivery to a mailstore via LMTP
> * Delivery to a local mbox file or maildir via local(8) or virtual(8).
> * Delivery to commands via command aliases(5), mailbox_command settings
>   or pipe(8) transports.
> * Circular file via discard(8).
>
> Which of these various events do you want to blink the lights?
> Presumably this is intended to be a low-volume deployment, otherwise
> the lights will just flicker imperceptibly.
>
> --
> Viktor.
>

Re: postfix message sent/received hook

[Viktor Dukhovni]

On Sun, Feb 15, 2015 at 09:03:17PM -0700, Sherman Boyd wrote:

> >  * Define "incoming" mail.
> >  * Define "outgoing" mail.
> 
> Incoming: from outside via SMTP

At what point in processing to you want the ligths to blink?

* Beginning of mail transaction?
* Queue file creation?
* Complete Message accepted into the incoming queue?
* Message moved to the active queue?
* Message delivery to each group of recipients?
* Message delivered for all recipients and deleted from the queue?

> Outgoing: to outside via SMTP

Similar questions...

The lifecycle of an email message is not a single event.  If you
just want server "activity" blinking lights, hook the syslog server
to trigger the lights when Postfix logs something (does not really
matter what).

-- 
Viktor.