Re: mail sent via sendmail is queued and delayed for approx. 300 seconds
Hi Viktor,

thank you for the script, I will run it asap on the server.

Meanwhile I think the problem is the following: I'm running a smtp_proxy_filter on localhost:10024 as described in http://postfix.cs.utah.edu/SMTPD_PROXY_README.html

    smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_proxy_filter=localhost:10024
        -o smtpd_proxy_options=speed_adjust
        -o smtp_send_xforward_command=yes

and it seems that smtp is trying to initiate a tls handshake with this proxy which does not support tls, leading to the timeout of 300s.

Is there an option to prevent the attempt to initiate a tls? I've set in main.cf:

    smtp_use_tls = yes
    smtpd_use_tls = yes
    smtpd_tls_security_level = may
    smtp_tls_security_level = may
    smtp_tls_loglevel = 3
    smtpd_tls_loglevel = 3

and here is the log:

    mail() on [/data/development/phpmail/mail.php:9]: To: dietrich.streif...@googlemail.com -- Headers: From: nore...@.de Reply-To: s...@.de X-Mailer: PHP/5.4.16
    Mar 3 09:26:47 node1 postfix/pickup[20765]: 5392C35E3D9: uid=0 from=
    Mar 3 09:26:47 node1 postsrsd[29345]: srs_forward: rewritten as
    Mar 3 09:26:47 node1 postfix/cleanup[29344]: 5392C35E3D9: message-id=<20160303082647.5392c35e...@..de>
    Mar 3 09:26:47 node1 opendkim[11665]: 5392C35E3D9: DKIM-Signature field added (s=default, d=.de)
    Mar 3 09:26:47 node1 postfix/qmgr[20766]: 5392C35E3D9: from=, size=449, nrcpt=1 (queue active)
    Mar 3 09:26:47 node1 postfix/smtp[29350]: initializing the client-side TLS engine
    Mar 3 09:26:47 node1 postfix/smtpd[29351]: initializing the server-side TLS engine
    Mar 3 09:26:47 node1 postfix/smtpd[29351]: connect from unknown[127.0.0.1]
    Mar 3 09:26:47 node1 dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
    Mar 3 09:26:47 node1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
    Mar 3 09:26:47 node1 dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
    Mar 3 09:26:47 node1 dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
    Mar 3 09:26:47 node1 dovecot: auth: Debug: passwd-file /etc/dovecot/master-users: Read 1 users in 0 secs
    Mar 3 09:26:47 node1 dovecot: auth: Debug: auth client connected (pid=0)
    Mar 3 09:26:47 node1 postfix/smtpd[29351]: setting up TLS connection from unknown[127.0.0.1]
    Mar 3 09:26:47 node1 postfix/smtp[29350]: setting up TLS connection to localhost[127.0.0.1]:10024
    Mar 3 09:26:47 node1 postfix/smtpd[29351]: unknown[127.0.0.1]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDC3-SHA:!KRB5-DE5:!CBC3-SHA"
    Mar 3 09:26:47 node1 postfix/smtp[29350]: localhost[127.0.0.1]:10024: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
    Mar 3 09:26:47 node1 postfix/smtp[29350]: looking for session smtp-proxy:127.0.0.1:10024:..de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
    Mar 3 09:26:47 node1 postfix/tlsmgr[21697]: lookup smtp session id=smtp-proxy:127.0.0.1:10024:..de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
    Mar 3 09:26:47 node1 postfix/smtpd[29351]: SSL_accept:before/accept initialization
    Mar 3 09:26:47 node1 postfix/smtpd[29351]: read from 7F9653755DD0 [7F965375B3B0] (11 bytes => -1 (0x))
    Mar 3 09:26:47 node1 postfix/smtp[29350]: SSL_connect:before/connect initialization
    Mar 3 09:26:47 node1 postfix/smtp[29350]: write to 7FAD076983A0 [7FAD07699B70] (299 bytes => 299 (0x12B))
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 16 03 01 01 26 01 00 01|22 03 03 56 d7 f5 47 a8  &... "..V..G.
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0010 db 3c f0 af 6b f0 4c 3d|07 58 36 71 f7 52 fb a5  .<..k.L= .X6q.R..
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0020 71 ba 43 a9 81 85 87 62|cf b0 e1 00 00 b8 c0 19  q.Cb
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0030 00 a7 00 6d 00 3a 00 89|c0 30 c0 2c c0 28 c0 24  ...m.:.. .0.,.(.$
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0040 c0 14 c0 0a 00 a3 00 9f|00 6b 00 6a 00 39 00 38  .k.j.9.8
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0050 00 88 00 87 c0 32 c0 2e|c0 2a c0 26 c0 0f c0 05  .2.. .*.&
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0060 00 9d 00 3d 00 35 00 84|c0 18 00 a6 00 6c 00 34  ...=.5.. .l.4
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0070 c0 17 00 9b 00 46 00 1b|c0 2f c0 2b c0 27 c0 23  .F.. ./.+.'.#
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0080 c0 13 c0 09 00 a2 00 9e|00 67 00 40 00 33 00 32  .g.@.3.2
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 0090 c0 12 c0 08 00 9a 00 99|00 45 00 44 00 16 00 13  .E.D
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 00a0 c0 31 c0 2d c0 29 c0 25|c0 0e c0 04 c0 0d c0 03  .1.-.).%
    Mar 3 09:26:47 node1 postfix/smtp[29350]: 00b0 00 9c 00 3c 00 2f 00 96|00 41 00 0a 00 07 c0 16  ...<./.. .A..
    Mar 3 09:26:47 node1 postfix/smt
SOLVED: Re: mail sent via sendmail is queued and delayed for approx. 300 seconds
And here is the solution:

I had to explicitly tell the smtp proxy to NOT use tls by specifying

    -o smtpd_use_tls=no
    -o smtp_use_tls=no
    -o smtpd_tls_security_level=none
    -o smtp_tls_security_level=none

where it seems that simply setting smtpd_use_tls and smtp_use_tls to no was not enough! The additional smtp_tls_security_level set to "none" was also necessary.

Thank you for your patience and help!

Regards
Dietrich
Re: SOLVED: Re: mail sent via sendmail is queued and delayed for approx. 300 seconds
On 2016-03-03 11:31, Dietrich Streifert wrote:
> And here is the solution:
>
> I had to explicitly tell the smtp proxy to NOT use tls by specifying
>
>     -o smtpd_use_tls=no
>     -o smtp_use_tls=no
>     -o smtpd_tls_security_level=none
>     -o smtp_tls_security_level=none
>
> where it seems that simply setting smtpd_use_tls and smtp_use_tls to no was not enough! The additional smtp_tls_security_level set to "none" was also necessary

The options smtpd/smtp_use_tls are obsolete and smtpd/smtp_tls_security_level should be used instead. You can remove the smtpd/smtp_use_tls option from both main.cf and master.cf and it should be good.

Take a look at the documentation.

From http://www.postfix.org/postconf.5.html#smtp_tls_security_level

    smtp_tls_security_level
        The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.

From http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

    smtpd_tls_security_level
        The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with "smtpd_tls_wrappermode = yes".

> Thank you for your patience and help!
>
> Regards
> Dietrich

-- 
Christian Kivalo
Upgrade postfix 2.11 to 3.1
Dear all,

with postfix 3.1 some settings have changed and I'm not sure if I have to touch my config. I only see the following messages:

    Mar 3 11:51:54 server postfix[75578]: Postfix is running with backwards-compatible default settings
    Mar 3 11:51:54 server postfix[75578]: See http://www.postfix.org/COMPATIBILITY_README.html for details
    Mar 3 11:51:54 server postfix[75578]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
    Mar 3 11:51:54 server postfix/postfix-script[75584]: refreshing the Postfix mail system
    Mar 3 11:51:54 server postfix/master[3613]: reload -- version 2.11.7, configuration /usr/local/etc/postfix

Does this mean I do not have to modify anything in the config? Regarding the page http://www.postfix.org/COMPATIBILITY_README.html, postfix would log explicit lines if I have to touch anything. Would this log line immediately be logged or only if a mail is delivered?

Thanks
Matthias

-- 
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
question concerning : 250 mail queued ...
Hi,

I have a mysql table where an email alias maps to a list of email addresses. The table is updated with address info just before an email is sent to the list alias name.

Can I be sure that when the “250 mail queue for delivery …” is received from the postfix MTA then all address information is in the queue and it is OK to overwrite with a list of new addresses?

Regards
Peter Sørensen/University of Southern Denmark
Email: mas...@sdu.dk
how to configure smtp process to use all the destination (s) in one go
Hello!

I need to configure Postfix (version , latest on debian jessie/stable) and in turn its smtp client in a manner that *for specific sources* it sends all the message in one go, explicitly listing *all* the recipients also in the smtp dialog with the remote server.

In other words, if I have a message such as:

    From: selected_address@local.domain
    To: recipient1@domain, recipient2@otherdomain
    cc: recipient3@anotherdomain

I need the resulting transaction to the next server (which I identify with a table) to receive a transaction roughly as:

    EHLO localserver.
    MAIL FROM: selected_address@local.domain
    RCPT TO: recipient1@domain
    RCPT TO: recipient2@otherdomain
    RCPT TO: recipient3@anotherdomain
    DATA

Can anyone point me to the relevant configuration? After perusing *all* the documentation and google search I cannot seem to find a solution.

Ref. I need to talk to an RFC6109-enabled host so I need to respect the 3.1.1 requirement in said RFC. For all other requirements I have a solution and currently my system works as expected only if the handled message has only one recipient.

Andrea
Re: how to configure smtp process to use all the destination (s) in one go
On Thursday 03 March 2016 13:09:42 Andrea Borghi wrote:

Excuse me, I forgot. Using Postfix 2.11.3-1 as distributed with debian jessie (stable).

Andrea
Re: question concerning : 250 mail queued ...
Peter Sørensen:
> Hi,
>
> I have a mysql table where an email alias maps to a list of email addresses.
> The table is updated with address info just before an email is sent to the
> list alias name.
>
> Can I be sure that when the “250 mail queue for delivery …” is received from
> the postfix MTA then all address information is in the queue and it is OK to
> overwrite with a list of new addresses?

"250 Ok" means that the mail is queued.

Postfix also uses lookup tables to decide where to deliver mail: http://www.postfix.org/ADDRESS_REWRITING_README.html

Changing those tables can affect how Postfix delivers mail.

	Wietse
Re: how to configure smtp process to use all the destination (s) in one go
Andrea Borghi:
> Hello!
>
> I need to configure Postfix (version , latest on debian jessie/stable) and
> in turn its smtp client in a manner that *for specific sources* it sends all the
> message in one go, explicitly listing *all* the recipients also in the smtp dialog
> with the remote server.
>
> In other words, if I have a message such as:
>
> From: selected_address@local.domain
> To: recipient1@domain, recipient2@otherdomain
> cc: recipient3@anotherdomain

Use transport_maps: see "man 5 transport".

    selected_address@local.domain   smtp:upstream-host
    recipient1@domain               smtp:upstream-host
    recipient2@otherdomain          smtp:upstream-host

and so on. Postfix groups recipients by next-hop destination (here: smtp:upstream-host), subject to smtp_destination_recipient_limit.

	Wietse
Re: Upgrade postfix 2.11 to 3.1
Matthias Fechner:
> Does this mean, I do not have to modify anything in the config?
> Regarding the page http://www.postfix.org/COMPATIBILITY_README.html
> postfix would log explicit lines if I have to touch anything.

If you don't want those lines to be logged, set the parameter (relayhost, or whatever it is that needs to be kept), and set "compatibility_level = 2".
Re: how to configure smtp process to use all the destination (s) in one go
On Thursday 03 March 2016 13:22:51 Wietse Venema wrote:
> > I need to configure Postfix (version , latest on debian jessie/stable)
> > and in turn its smtp client in a manner that *for specific sources* it
> > sends all the message in one go, explicitly listing *all* the recipients also
> > in the smtp dialog with the remote server.
>
> Use transport_maps: see "man 5 transport".
>
>     selected_address@local.domain   smtp:upstream-host
>     recipient1@domain               smtp:upstream-host
>     recipient2@otherdomain          smtp:upstream-host

Sadly I cannot, because the destinations are not predetermined.

All I can use as a key is the sender, which I already use with the sender_realy map to force a specific next-hop server (the rfc6109-enabled one) along with the smtp_sasl_password_maps and the smtp_sender_dependent_authentication = yes in order to use the correct identification to the next-hop host.

Perhaps I can use the output of the sender_dependent_relayhost selection as a key to select a transport and then specify the grouping as you suggest as wildcard in *that* transport?

Andrea
Re: SOLVED: Re: mail sent via sendmail is queued and delayed for approx. 300 seconds
Thank you Christian for clarifying this. It seems that the obsoleted parameters survived somehow several migrations since ancient times.

Regards
Dietrich

On 03.03.2016 at 12:01, Christian Kivalo wrote:
> On 2016-03-03 11:31, Dietrich Streifert wrote:
> > And here is the solution:
> >
> > I had to explicitly tell the smtp proxy to NOT use tls by specifying
> >
> >     -o smtpd_use_tls=no
> >     -o smtp_use_tls=no
> >     -o smtpd_tls_security_level=none
> >     -o smtp_tls_security_level=none
> >
> > where it seems that simply setting smtpd_use_tls and smtp_use_tls to no was not enough! The additional smtp_tls_security_level set to "none" was also necessary
>
> The options smtpd/smtp_use_tls are obsolete and smtpd/smtp_tls_security_level should be used instead. You can remove the smtpd/smtp_use_tls option from both main.cf and master.cf and it should be good.
>
> Take a look at the documentation.
>
> From http://www.postfix.org/postconf.5.html#smtp_tls_security_level
>
>     smtp_tls_security_level
>         The default SMTP TLS security level for the Postfix SMTP client; when a non-empty value is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
>
> From http://www.postfix.org/postconf.5.html#smtpd_tls_security_level
>
>     smtpd_tls_security_level
>         The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with "smtpd_tls_wrappermode = yes".
>
> > Thank you for your patience and help!
> >
> > Regards
> > Dietrich
Mysql Lookup table
Hi,

Would it be possible to make a query from 2 tables in the mysql lookup, specifying this in additional_conditions?

Regards
Peter Sørensen/University of Southern Denmark
email: mas...@sdu.dk
Re: Mysql Lookup table
It all depends on the 'mysql lookup file' you're using. This one with 'select_field' and 'additional_conditions' is somehow very little flexible. But there's another format which can also be used and, you'll see, is MUCH more flexible, allowing you to really specify your query and, inside that, do whatever you want.

    [root@mail postfix]# cat virtual-alias-maps-mysql.cf
    user = username
    password = password
    dbname = correio
    hosts = localhost
    query = SELECT endereco FROM aliases WHERE alias='%s' AND ativa=1
    [root@mail postfix]#

On 03/03/16 10:34, Peter Sørensen wrote:
> Hi,
>
> Would it be possible to make a query from 2 tables in the mysql lookup
> Specifying this in additional_conditions ?

-- 
Sincerely,

Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to gertru...@solutti.com.br
My SPAMTRAP, do not email it
Re: Postfix - accept all mail
On 2 Mar 2016, at 12:29, Peter wrote:
> I am getting "Recipient address rejected: User unknown in local recipient table" all the time, even though I have "local_recipient_maps =" (empty) in my main.cf.

Despite having these facts in one sentence, you don't see the direct relationship? Quoting a relevant bit from the postconf(5) man page:

    Details are described in the LOCAL_RECIPIENT_README file

Since your description of your existing config is vague & incomplete, it is hard to have any idea what (if any) small change might fix your setup. There are at least 3 grand patterns for doing what you want to do involving ultimate delivery by procmail, and it is unlikely that anyone will have the time+skill+generosity to devise a whole config for you here, which is roughly what you're asking for.

The last section of the DEBUG_README file describes in detail the ideal strategy to get effective help on this mailing list.
Re: Mysql Lookup table
What do the two tables look like? Can you use a SQL 'JOIN' or 'LEFT JOIN'? What is the 'WHERE' criteria?

Bill

On 3/3/2016 8:34 AM, Peter Sørensen wrote:
> Hi,
>
> Would it be possible to make a query from 2 tables in the mysql lookup
> Specifying this in additional_conditions ?
>
> Regards
> Peter Sørensen/University of Southern Denmark
> email: mas...@sdu.dk
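To make the two-tables question concrete, here is an added example that is not from the thread and not Postfix code. It takes the free-form `query =` style Leonardo shows, writes the query as a JOIN across an alias table and a member table (the schema is constructed for the example), and models two things mysql_table(5) does: it escapes the lookup key before substituting `%s`, `%u` and `%d` (the key is an address taken from SMTP input, so that escaping is what keeps `alias='%s'` safe), and it joins multiple result rows with commas. The in-memory sqlite database stands in for MySQL; sqlite escapes a quote by doubling it, while Postfix's MySQL client uses the driver's own escaping routine.

```python
import sqlite3

# Constructed schema: the alias in one table, its members in another.
SCHEMA = """
CREATE TABLE aliases (id INTEGER PRIMARY KEY, alias TEXT NOT NULL, ativa INTEGER NOT NULL);
CREATE TABLE alias_members (alias_id INTEGER NOT NULL, endereco TEXT NOT NULL);
INSERT INTO aliases VALUES (1, 'staff@example.org', 1), (2, 'old-list@example.org', 0);
INSERT INTO alias_members VALUES (1, 'alice@example.org'), (1, 'bob@example.org'),
                                 (2, 'carol@example.org');
"""

# The 'query =' line as it would appear in the lookup-table file: one JOIN
# answers the two-tables question; the ORDER BY only makes output deterministic.
QUERY = ("SELECT m.endereco FROM aliases a JOIN alias_members m ON m.alias_id = a.id "
         "WHERE a.alias='%s' AND a.ativa=1 ORDER BY m.endereco")


def sql_escape(value):
    """Stand-in for the driver escaping Postfix applies to the key before
    substitution; for sqlite a single quote is doubled."""
    return value.replace("'", "''")


def expand_query(template, key):
    """Substitute %s (whole key), %u (local part), %d (domain) and %% as
    mysql_table(5) describes, escaping every substituted value."""
    if "@" in key:
        local, domain = key.rsplit("@", 1)
    else:
        local, domain = key, ""      # simplification: no domain part
    subs = {"s": sql_escape(key), "u": sql_escape(local), "d": sql_escape(domain)}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "%":
                out.append("%")
                i += 2
                continue
            if nxt in subs:
                out.append(subs[nxt])
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)


def make_db():
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup(conn, key):
    """Run the expanded query; like Postfix, join multiple rows with commas,
    and return None when there is no match."""
    rows = conn.execute(expand_query(QUERY, key)).fetchall()
    if not rows:
        return None
    return ",".join(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    for key in ("staff@example.org", "old-list@example.org", "o'brien@example.org"):
        print(key, "->", lookup(db, key))
```

The third key in the usage block contains an apostrophe; the expanded query stays well-formed because the key is escaped before it is placed inside the quotes, which is the property to verify whenever the `query =` text is edited.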
Re: how to configure smtp process to use all the destination (s) in one go
Andrea Borghi:
> On Thursday 03 March 2016 13:22:51 Wietse Venema wrote:
> > > I need to configure Postfix (version , latest on debian jessie/stable)
> > > and in turn its smtp client in a manner that *for specific sources* it
> > > sends all the message in one go, explicitly listing *all* the recipients also
> > > in the smtp dialog with the remote server.
> >
> > Use transport_maps: see "man 5 transport".
> >
> >     selected_address@local.domain   smtp:upstream-host
> >     recipient1@domain               smtp:upstream-host
> >     recipient2@otherdomain          smtp:upstream-host
>
> Sadly I cannot, because the destinations are not predetermined.
>
> All I can use as a key is the sender, which I already use with the
> sender_realy map to force a specific next-hop server (the rfc6109-enabled
> one) along with the smtp_sasl_password_maps and the
> smtp_sender_dependent_authentication = yes in order to use the correct
> identification to the next-hop host.

Then, use sender_dependent_relayhost:

    sender_dependent_relayhost_maps (default: empty)
        A sender-dependent override for the global relayhost parameter
        setting. The tables are searched by the envelope sender address
        and @domain.

This way, Postfix still groups deliveries by method (smtp) and relayhost.

	Wietse
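Wietse's two answers above describe one mechanism: each recipient is resolved to a (transport, next-hop) pair, recipients with the same pair are delivered in one SMTP transaction, and each group is cut into batches of at most smtp_destination_recipient_limit. The following added example (my code, not Postfix's and not from the thread) models that resolution so the effect of each table can be checked before touching a live server. It implements the transport(5) lookup order (full address, then domain, then parent domains written as `.domain`, then `*`), falls back to sender_dependent_relayhost_maps (searched by sender, then `@domain`) and the global relayhost, and then groups and batches. All table contents are constructed; `[pec-relay.example]:587` stands in for Andrea's RFC 6109 relay.

```python
from collections import OrderedDict

# Constructed tables (not the poster's configuration).
TRANSPORT_MAPS = {
    "partner.example": "smtp:[mx.partner.example]",
    ".partner.example": "smtp:[mx.partner.example]",   # subdomains of partner.example
}
SENDER_RELAY_MAPS = {
    # sender_dependent_relayhost_maps: keyed by envelope sender or @domain
    "selected_address@local.domain": "[pec-relay.example]:587",
}
RELAYHOST = ""   # global relayhost; empty means deliver to the recipient domain's MX


def transport_lookup(table, address):
    """transport(5) lookup order: user@domain, domain, .parent domains, then '*'."""
    if address in table:
        return table[address]
    domain = address.rpartition("@")[2]
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return table.get("*")


def sender_relay_lookup(table, sender):
    """sender_dependent_relayhost_maps: searched by sender address, then @domain."""
    if sender in table:
        return table[sender]
    return table.get("@" + sender.rpartition("@")[2])


def resolve_nexthop(sender, recipient, transport_maps, sender_relay_maps, relayhost):
    """Return the (transport, nexthop) pair Postfix would queue this recipient under."""
    entry = transport_lookup(transport_maps, recipient)
    transport, nexthop = "smtp", ""
    if entry:
        transport, _, nexthop = entry.partition(":")
    if not nexthop:   # no explicit next-hop: sender-dependent relay, relayhost, or the domain
        nexthop = (sender_relay_lookup(sender_relay_maps, sender) or relayhost
                   or recipient.rpartition("@")[2])
    return transport, nexthop


def group_deliveries(sender, recipients, transport_maps=TRANSPORT_MAPS,
                     sender_relay_maps=SENDER_RELAY_MAPS, relayhost=RELAYHOST,
                     recipient_limit=50):
    """Group recipients by (transport, nexthop), then split each group into
    batches of at most recipient_limit (smtp_destination_recipient_limit)."""
    groups = OrderedDict()
    for rcpt in recipients:
        key = resolve_nexthop(sender, rcpt, transport_maps, sender_relay_maps, relayhost)
        groups.setdefault(key, []).append(rcpt)
    batches = []
    for (transport, nexthop), rcpts in groups.items():
        for i in range(0, len(rcpts), recipient_limit):
            batches.append((transport, nexthop, rcpts[i:i + recipient_limit]))
    return batches


def smtp_envelope(sender, batch):
    """Render one batch as the envelope commands Andrea wants to see on the wire."""
    _transport, _nexthop, rcpts = batch
    lines = ["MAIL FROM:<%s>" % sender] + ["RCPT TO:<%s>" % r for r in rcpts] + ["DATA"]
    return "\n".join(lines)


if __name__ == "__main__":
    sender = "selected_address@local.domain"
    rcpts = ["recipient1@domain", "recipient2@otherdomain", "recipient3@anotherdomain"]
    for batch in group_deliveries(sender, rcpts):
        print("%s:%s" % (batch[0], batch[1]))
        print(smtp_envelope(sender, batch))
```

Two things the model makes visible: an explicit next-hop in transport_maps (the `partner.example` entries) takes precedence over the sender-dependent relay and therefore splits the transaction, which is why Wietse's second answer keeps the next-hop selection in sender_dependent_relayhost_maps alone; and the per-destination recipient limit still caps how many RCPT TO commands share one DATA.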
Re: Mitigating DROWN
Viktor Dukhovni wrote on 3/1/2016 11:16 AM:
> # Suggested, not strictly needed:
> #
> smtpd_tls_exclude_ciphers =
>     EXPORT, LOW, MD5, SEED, IDEA, RC2
> smtp_tls_exclude_ciphers =
>     EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2

I noticed your exclude list seems a bit more conservative than others (SSLLabs, digicert for example). Would you recommend also excluding aNULL ciphers?

For reference, digicert provides the following information about available ciphers when your recommendations are followed on an up to date RHEL6 server and postfix 2.11.7:

    TLS 1.2, TLS 1.1, TLS 1.0
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA [insecure]
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA [insecure]
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA [insecure]
    TLS_ECDH_anon_WITH_RC4_128_SHA [insecure]
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    TLS_DH_anon_WITH_AES_256_GCM_SHA384 [insecure]
    TLS_DH_anon_WITH_AES_128_GCM_SHA256 [insecure]
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    TLS_DH_anon_WITH_AES_256_CBC_SHA256 [insecure]
    TLS_DH_anon_WITH_AES_128_CBC_SHA256 [insecure]
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_DH_anon_WITH_AES_256_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_DH_anon_WITH_AES_128_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA [insecure]

Including aNULL in the exclude list removes the _anon_ ciphers from the server's available ciphers.
Re: Mitigating DROWN
Is the following reasonable and/or acceptable, and a better question - will it work?

    smtp_dns_support_level = dnssec
    smtp_tls_security_level = dane
    smtp_tls_ciphers = medium
    smtp_tls_exclude_ciphers = EXPORT, LOW, IDEA, 3DES, MD5, SRP, PSK, aDSS, kECDHe, kECDhr, kDHd, kDHr, SEED, IDEA, RC2, RC5
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_sasl_auth_enable = no
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_ciphers = medium
    smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
    smtpd_tls_protocols = $smtp_tls_protocols
    smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
    smtpd_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
    smtpd_tls_key_file = /root/ssl/private/$mydomain.mail.key
    smtpd_tls_received_header = yes

On 2016-03-03 12:34 AM, Viktor Dukhovni wrote:
> On Wed, Mar 02, 2016 at 10:22:12PM -0700, Richard B. Pyne wrote:
>
> > I've added all but the forward secrecy part on my email server running
> > postfix 2.10.1 (the latest in the CentOS7 repository), and
> > test.drownattack.com still reports vulnerability on port 25. Any help
> > will be greatly appreciated.
>
> The data at that site is cached from prior scans:
>
>     https://test.drownattack.com/
>
>     This tool uses data collected during February 2016. It does not
>     immediately update as servers patch.
>
> > smtp_tls_ciphers = medium
> > smtp_tls_exclude_ciphers = EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtp_tls_protocols = !SSLv2, !SSLv3
>
> These look good.
>
> > smtpd_tls_ciphers = medium
> > smtpd_tls_exclude_ciphers = EXPORT, LOW, MD5, SEED, IDEA, RC2
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> > smtpd_tls_protocols = !SSLv2, !SSLv3
>
> As do these. You're all set. But also upgrade to either of OpenSSL 1.0.2g or 1.0.1s, or whatever your O/S ships for backported fixes.
>
> Consider removing any of the above that happen to be default settings for your Postfix version as reported by "postconf -d".
Re: Mitigating DROWN
Viktor,

On 01.03.2016 at 18:16, Viktor Dukhovni wrote:
> Some of the servers that expose TLS to cross-protocol DROWN attacks via SSLv2 are MTAs running Postfix. If you're using an older Postfix release (released prior to July 20 2015), or you've explicitly configured TLS settings that may have enabled SSLv2, please update your configuration as suggested below:

What is the oldest version of postfix (and openssl) needed to fix the problem by these configuration changes?

Marc
Re: Upgrade postfix 2.11 to 3.1
I hate to bug you gurus, but can you guys mention which config file parameters go in, that is main or master. I simply don't know postfix that well, and RTFMing requires knowing which document to read.

I've been hesitant to upgrade to postfix 3 given that everything is working on 2.11, but the handwriting is on the wall. I gather you just do the upgrade and see what breaks?

Sent from my BlackBerry 10 smartphone.

  Original Message
From: Wietse Venema
Sent: Thursday, March 3, 2016 4:26 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: Upgrade postfix 2.11 to 3.1

Matthias Fechner:
> Does this mean, I do not have to modify anything in the config?
> Regarding the page http://www.postfix.org/COMPATIBILITY_README.html
> postfix would log explicit lines if I have to touch anything.

If you don't want those lines to be logged, set the parameter (relayhost, or whatever it is that needs to be kept), and set "compatibility_level = 2".
main.cf and postfix reload
Hello everybody...

I have added a line like this:

    recipient_bcc_maps = hash:/etc/postfix/recipient_bcc

to my main.cf file and postfix has suddenly started trying to use it!!

I did NOT execute a "postfix reload"!!! Is this normal??

Thanks!
David.
Re: main.cf and postfix reload
On 3/3/2016 11:07 AM, Pedro David Marco wrote:
> Hello everybody...
>
> i have added a line like this:
>
>     recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
>
> to my main.cf file and postfix has suddenly started trying to use it!!
>
> i did NOT execute a "postfix reload"!!! is this normal??
>
> Thanks!
>
> David.

Most of the postfix processes exit and restart periodically as part of normal operation. When a process restarts it will read the current settings from main.cf and master.cf.

http://www.postfix.org/OVERVIEW.html
http://www.postfix.org/postconf.5.html#max_use
http://www.postfix.org/postconf.5.html#max_idle

So yes, this is normal.

-- 
Noel Jones
Re: Upgrade postfix 2.11 to 3.1
Matthias Fechner:
> Does this mean, I do not have to modify anything in the config?
> Regarding the page http://www.postfix.org/COMPATIBILITY_README.html
> postfix would log explicit lines if I have to touch anything.

Wietse:
> If you don't want those lines to be logged, set the parameter
> (relayhost, or whatever it is that needs to be kept), and set
> "compatibility_level = 2".

yahoogro...@lazygranch.xyz:
> I hate to bug you gurus, but can you guys mention which config
> file parameters go in, that is main or master. I simply don't know
> postfix that well, and RTFMing requires knowing which document to
> read.

These parameters go in main.cf, see COMPATIBILITY_README for instructions.

> I've been hesitant to upgrade to postfix 3 given that everything
> is working on 2.11, but the handwriting is on the wall. I gather
> you just do the upgrade and see what breaks?

Nothing is supposed to break. Postfix is unlike some projects that don't give a damn about breaking other people's system. I added the compatibility level stuff so that you get to choose.

	Wietse
Re: main.cf and postfix reload
Thanks a lot Noel!!

What you say makes sense, but then I should have seen some "reload" or "restart" messages in the log, right?? But there was not any indication! :-(

Thanks!
David.

On Thu, 3/3/16, Noel Jones wrote:

Subject: Re: main.cf and postfix reload
To: postfix-users@postfix.org
Date: Thursday, March 3, 2016, 6:29 PM

> On 3/3/2016 11:07 AM, Pedro David Marco wrote:
> > Hello everybody...
> >
> > i have added a line like this:
> >
> >     recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> >
> > to my main.cf file and postfix has suddenly started trying to use it!!
> >
> > i did NOT execute a "postfix reload"!!! is this normal??
> >
> > Thanks!
> >
> > David.
>
> Most of the postfix processes exit and restart periodically as part of normal operation. When a process restarts it will read the current settings from main.cf and master.cf.
>
> http://www.postfix.org/OVERVIEW.html
> http://www.postfix.org/postconf.5.html#max_use
> http://www.postfix.org/postconf.5.html#max_idle
>
> So yes, this is normal.
>
> -- 
> Noel Jones
Re: Mitigating DROWN
On Thu, Mar 03, 2016 at 09:03:55AM -0600, Blake Hudson wrote:

> Viktor Dukhovni wrote on 3/1/2016 11:16 AM:
> > # Suggested, not strictly needed:
> > #
> > smtpd_tls_exclude_ciphers =
> >     EXPORT, LOW, MD5, SEED, IDEA, RC2
> > smtp_tls_exclude_ciphers =
> >     EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2
>
> I noticed your exclude list seems a bit more conservative than others
> (SSLLabs, digicert for example). Would you recommend also excluding aNULL
> ciphers?

No. Postfix does that automatically, when authentication is used. For (typically also opportunistic) unauthenticated encryption there is little point in disabling aNULL, and some forensic advantage in doing so.

    http://tools.ietf.org/html/rfc7672#section-8.2

> Including aNULL in the exclude list removes the _anon_ ciphers from the
> server's available ciphers.

For little gain. Clients that want to authenticate the server will not use aNULL ciphersuites. Many of the (Postfix) ones that don't authenticate, will use aNULL and the server's log will reflect this in the ciphersuite name (ADH-... or AECDH-...).

-- 
	Viktor.
Re: Mitigating DROWN
On Thu, Mar 03, 2016 at 05:14:30PM +0100, Marc Patermann wrote:

> On 01.03.2016 at 18:16, Viktor Dukhovni wrote:
>
> > Some of the servers that expose TLS to cross-protocol DROWN attacks
> > via SSLv2 are MTAs running Postfix. If you're using an older
> > Postfix release (released prior to July 20 2015), or you've explicitly
> > configured TLS settings that may have enabled SSLv2, please update
> > your configuration as suggested below:
>
> what is the oldest version of postfix (and openssl) needed to fix the problem
> by these configuration changes?

Postfix 2.6 and later, with the recommended settings is sufficient, but it is recommended that you also deploy OpenSSL 1.0.1s or 1.0.2g, or your O/S vendor's "equivalent" update. It is sadly common to selectively backport fixes without changing the version number, so look for updates that address the DROWN-related CVEs: CVE-2016-0800, CVE-2016-0703, CVE-2015-3197.

-- 
	Viktor.
Re: main.cf and postfix reload
On 3/3/2016 12:06 PM, Pedro David Marco wrote:
> Thanks a lot Noel!!
>
> what you say makes sense but then i should have seen some "reload" or
> "restart" messages in the log, right?? but there was not any indication! :-(
>
> Thanks!

The replacing of old processes with new processes during normal operation is rarely of concern and not explicitly logged. You can identify a new process by a change in the process ID recorded in the log.

-- 
Noel Jones
Re: main.cf and postfix reload
Makes sense.. Thanks a lot Noel, I owe you a beer! :-)

David.

On Thu, 3/3/16, Noel Jones wrote:

Subject: Re: main.cf and postfix reload
To: postfix-users@postfix.org
Date: Thursday, March 3, 2016, 7:38 PM

> On 3/3/2016 12:06 PM, Pedro David Marco wrote:
> > Thanks a lot Noel!!
> >
> > what you say makes sense but then i should have seen some "reload" or "restart" messages in the log, right?? but there was not any indication! :-(
> >
> > Thanks!
>
> The replacing of old processes with new processes during normal operation is rarely of concern and not explicitly logged. You can identify a new process by a change in the process ID recorded in the log.
>
> -- 
> Noel Jones
Re: SOLVED: Re: mail sent via sendmail is queued and delayed for approx. 300 seconds
On Thu, Mar 03, 2016 at 11:31:50AM +0100, Dietrich Streifert wrote:

> And here is the solution:
>
> I had to explicitly tell the smtp proxy to NOT use tls by specifying
>
>     -o smtpd_use_tls=no
>     -o smtp_use_tls=no
>     -o smtpd_tls_security_level=none
>     -o smtp_tls_security_level=none

You're much confused about this being a "proxy" issue. There is no TLS-client code in the Postfix SMTP server, therefore with smtpd_proxy_filter TLS is never used. TLS is used with content_filters, you must have a content_filter transport that sends email through a transparent proxy.

The place to disable TLS is in the pre-filter smtp transport and/or the re-inject SMTP server. You did the latter, but the reason this solves the problem is unrelated to smtpd_proxy_filter.

On Thu, Mar 03, 2016 at 09:41:07AM +0100, Dietrich Streifert wrote:

> I'm running a smtp_proxy_filter on localhost:10024 as described in
> http://postfix.cs.utah.edu/SMTPD_PROXY_README.html
>
>     smtp      inet  n       -       n       -       -       smtpd
>         -o smtpd_proxy_filter=localhost:10024
>         -o smtpd_proxy_options=speed_adjust
>         -o smtp_send_xforward_command=yes

This will never use TLS. You must have a content_filter in place.

>     smtp_tls_loglevel = 3
>     smtpd_tls_loglevel = 3

This level of logging just obscures what's important with low-level noise, revert back to "1".

> rewritten as
> Mar 3 09:26:47 node1 postfix/cleanup[29344]: 5392C35E3D9:
> message-id=<20160303082647.5392c35e...@..de>
> Mar 3 09:26:47 node1 opendkim[11665]: 5392C35E3D9: DKIM-Signature field
> added (s=default, d=.de)
> Mar 3 09:26:47 node1 postfix/qmgr[20766]: 5392C35E3D9:
> from=, size=449, nrcpt=1 (queue
> active)

Messages enter the queue *after* processing via smtpd_proxy_filter, not before.

> Mar 3 09:26:47 node1 postfix/smtp[29350]: initializing the client-side TLS
> Mar 3 09:26:47 node1 postfix/smtp[29350]: setting up TLS connection to
> localhost[127.0.0.1]:10024

This is a TLS client connection from the smtp(8) SMTP client, not the smtpd(8) SMTP server, you must have a content_filter defined or a "FILTER" directive in some access(5) file.

-- 
	Viktor.
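Viktor's diagnosis above turns on one field in the log: the daemon name in `postfix/smtp[pid]` versus `postfix/smtpd[pid]` tells you whether the TLS session was initiated by the SMTP client (a content_filter path) or accepted by the SMTP server. His earlier reply in the DROWN thread on this page makes a related point: the ciphersuite name in the "TLS connection established" line (ADH-... or AECDH-...) shows which sessions were anonymous. The following added example (my code, not Postfix's and not from the thread) parses both kinds of line from constructed log excerpts and summarises, per daemon, who set up TLS with whom, how many sessions fell in each trust level, which ones used anonymous ciphers, and whether the trust level and the cipher name disagree. The "established" line format follows the Postfix TLS library's "<level> TLS connection established to|from <peer>: <protocol> with cipher <name> (<n>/<m> bits)" message; newer releases append key-exchange details after it, which this parser ignores.

```python
import re

# Constructed log excerpt (not from the thread): smtp(8) client-side and
# smtpd(8) server-side lines, plus one unrelated qmgr line as noise.
SAMPLE_LOG = """\
Mar  3 09:26:47 node1 postfix/smtp[29350]: setting up TLS connection to localhost[127.0.0.1]:10024
Mar  3 09:26:47 node1 postfix/smtpd[29351]: setting up TLS connection from unknown[127.0.0.1]
Mar  3 09:27:02 node1 postfix/smtp[29360]: Anonymous TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Mar  3 09:27:05 node1 postfix/smtpd[29361]: Anonymous TLS connection established from mail.example.org[198.51.100.7]: TLSv1.2 with cipher ADH-AES128-SHA256 (128/128 bits)
Mar  3 09:27:09 node1 postfix/smtp[29362]: Verified TLS connection established to mx.example.com[203.0.113.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 09:27:11 node1 postfix/smtpd[29363]: Untrusted TLS connection established from unknown[203.0.113.40]: TLSv1 with cipher AES128-SHA (128/128 bits)
Mar  3 09:27:12 node1 postfix/qmgr[20766]: 5392C35E3D9: removed
"""

SETUP_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: setting up TLS connection "
    r"(?P<dir>to|from) (?P<peer>\S+)")
ESTABLISHED_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>to|from) (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)")


def is_anon_cipher(name):
    """OpenSSL names anonymous DH suites ADH-* and anonymous ECDH suites AECDH-*."""
    return name.startswith(("ADH-", "AECDH-"))


def classify(log_text):
    """Summarise TLS activity per daemon from Postfix log text."""
    summary = {
        "setup": [],          # (daemon, direction, peer): who initiated TLS with whom
        "sessions": {},       # daemon -> {trust level -> count}
        "anonymous": [],      # (daemon, peer, cipher) for aNULL sessions
        "inconsistent": [],   # lines where trust level and cipher name disagree
    }
    for line in log_text.splitlines():
        m = SETUP_RE.search(line)
        if m:
            summary["setup"].append((m.group("daemon"), m.group("dir"), m.group("peer")))
            continue
        m = ESTABLISHED_RE.search(line)
        if not m:
            continue
        daemon, trust, cipher = m.group("daemon"), m.group("trust"), m.group("cipher")
        per_daemon = summary["sessions"].setdefault(daemon, {})
        per_daemon[trust] = per_daemon.get(trust, 0) + 1
        anon = is_anon_cipher(cipher)
        if anon:
            summary["anonymous"].append((daemon, m.group("peer"), cipher))
        if anon != (trust == "Anonymous"):
            summary["inconsistent"].append(line)
    return summary


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for daemon, direction, peer in result["setup"]:
        side = "client (smtp)" if daemon == "smtp" else "server (smtpd)"
        print("%s set up TLS %s %s" % (side, direction, peer))
    for daemon, levels in result["sessions"].items():
        print(daemon, levels)
    for daemon, peer, cipher in result["anonymous"]:
        print("anonymous:", daemon, peer, cipher)
```

In the sample, the first two lines reproduce the pattern Viktor points at: `smtp` setting up TLS *to* port 10024 is the client side of a filter transport, while `smtpd` accepting *from* 127.0.0.1 is the re-injection server; the anonymous sessions are the ones a log reader would otherwise have to pick out by cipher name.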
Re: Upgrade postfix 2.11 to 3.1
The upgrade to 3.1 was uneventful. I noticed you don't need to select an option for Dovecot. Nice work.

As an FYI, I ran the online DROWN test without blocking SSLv2 but using the updated openssl. No DROWN issue detected.

Apologies for the top post due to use of a smartphone.

  Original Message
From: Wietse Venema
Sent: Thursday, March 3, 2016 9:58 AM
To: Postfix users
Reply To: Postfix users
Cc: Wietse Venema; u...@porcupine.org
Subject: Re: Upgrade postfix 2.11 to 3.1

Matthias Fechner:
> Does this mean, I do not have to modify anything in the config?
> Regarding the page http://www.postfix.org/COMPATIBILITY_README.html
> postfix would log explicit lines if I have to touch anything.

Wietse:
> If you don't want those lines to be logged, set the parameter
> (relayhost, or whatever it is that needs to be kept), and set
> "compatibility_level = 2".

yahoogro...@lazygranch.xyz:
> I hate to bug you gurus, but can you guys mention which config
> file parameters go in, that is main or master. I simply don't know
> postfix that well, and RTFMing requires knowing which document to
> read.

These parameters go in main.cf, see COMPATIBILITY_README for instructions.

> I've been hesitant to upgrade to postfix 3 given that everything
> is working on 2.11, but the handwriting is on the wall. I gather
> you just do the upgrade and see what breaks?

Nothing is supposed to break. Postfix is unlike some projects that don't give a damn about breaking other people's system. I added the compatibility level stuff so that you get to choose.

	Wietse