Re: OT: Sender header vs DKIM

2018-10-26 Thread Dominic Raferd
On Fri, 26 Oct 2018 at 07:58, Richard James Salts wrote:

> On Friday, 26 October 2018 12:53:48 AM AEDT Scott Kitterman wrote:
> > On October 25, 2018 10:56:53 PM UTC, Richard James Salts wrote:
> > >Hi all,
> > >
> > >This is offtopic in regards to postfix but I bring it up because of the
> > >last few emails I've sent to the postfix mailing list.
> > >
> > >I was originally signing all the headers mentioned in rfc6376 section
> > >5.4, whether they existed or not and mails to postfix mailing list failed
> > >because of the added List-* headers. I fixed that up so that it will only
> > >sign those headers when they exist. I now oversign only the From, Sender,
> > >Reply-to, Subject, Date, Message-id, To, CC, MIME-Version, Content-Type,
> > >Content-Transfer-Encoding, Content-ID, Content-Description,
> > >Content-Disposition, In-Reply-To and References.
> > >
> > >This is still leading to the postfix mailing list failing DKIM once
> > >it's added a Sender header for owner-postfix-us...@postfix.org. Should I
> > >stop oversigning the Sender header? rfc5322 says the Sender header is
> > >unique if it exists so if there was a sender header would the postfix
> > >mailing list strip it and add its own? Should majordomo at russian-caravan
> > >be adding a Resent-From or Resent-Sender instead of Sender in order to
> > >prevent breaking the DKIM signatures for final recipients of people who
> > >include a signed Sender header?
> > >
> > >Your thoughts and opinions on this would be welcomed.
> >
> > I think you are making a poor assumption that the RFC 6376 should sign
> > header fields are at all related to should over sign.
> >
> > I've never before heard of anyone over signing anything except From.  I
> > wouldn't over sign anything else.  Section 8.15 discusses this.  As you're
> > discovering, over application of this mitigation brings its own pain.
>
> I was basing the oversigning on discussion at
> https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html
> where they reused and manipulated existing dkim signed emails to send
> "valid" bogus emails. It does mention that the Sender header should be
> signed, but I'm not sure how useful it is in practise or whether it needs
> to be oversigned.
>

I too have just found this article. But signing Sender will inevitably
break DKIM for mails going through this mailing list. IMO (please correct
me if wrong) the critical things for DKIM are:
- don't use the l= (lower case L) tag when signing
- don't use a 512-bit length key
- sign whatever headers you like, but oversign the From header
- use DMARC with p=reject

With these protections I don't think it is feasible for a third party to
spoof emails from your domain, except to recipients who don't apply DMARC
(assuming that neither your DNS records nor your mailserver(s) have been
hacked, and that the recipient's DNS is working correctly). Signed headers
that are not oversigned could be modified in transit (by adding fake
headers) but I don't see this as an effective attack vector and I am more
concerned that legitimate alteration of some headers upon relaying might
lead to email blocking (as OP has indeed found).
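
As an added example (not part of the original post), the checklist above can be tested against a message's own headers: the sketch below flags an `l=` tag, a From header that is not oversigned, and a DMARC policy other than `p=reject`. The domain, selector and header values are constructed, and the key-length item is left out because it needs the published DNS key record.

```python
import re

def parse_tags(value):
    """Parse a tag=value list (RFC 6376 section 3.2 syntax) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def audit(raw_headers, dmarc_txt):
    """Return findings for the first DKIM-Signature in raw_headers."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # undo header folding
    fields = [l.split(":", 1) for l in unfolded.splitlines() if ":" in l]
    names = [name.strip().lower() for name, _ in fields]
    sig = next((v for n, v in fields
                if n.strip().lower() == "dkim-signature"), "")
    if not sig:
        return ["no DKIM-Signature header"]
    tags = parse_tags(sig)
    signed = tags.get("h", "").lower().split(":")
    findings = []
    if "l" in tags:
        findings.append("l= present: only part of the body is signed")
    # Oversigned = listed in h= once more than it occurs in the message,
    # so verification fails if another From header is added later.
    if signed.count("from") <= names.count("from"):
        findings.append("From is not oversigned")
    policy = parse_tags(dmarc_txt).get("p")
    if policy != "reject":
        findings.append(f"DMARC policy is p={policy}, not p=reject")
    return findings

# Constructed sample headers; bh= and b= are placeholders, not real signatures.
SAMPLE_WEAK = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; l=120;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: alice@example.org\r\nTo: list@example.net\r\nSubject: test\r\n"
)
SAMPLE_STRONG = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
    "\th=from:from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: alice@example.org\r\nTo: list@example.net\r\nSubject: test\r\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_WEAK, "v=DMARC1; p=none"))
    print(audit(SAMPLE_STRONG, "v=DMARC1; p=reject"))
```
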


Re: how set postfix server as non-functional

2018-10-26 Thread Poliman - Serwis
2018-10-25 15:28 GMT+02:00 Matus UHLAR - fantomas :

> On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote:
>>>
>>>> Hi. I heard that having a non-functional server as the primary MX is a
>>>> well-known trick to reduce the amount of incoming spam, as most software
>>>> used by spammers will only ever try the highest-priority MX. How to do
>>>> this?
>>>
> On 25/10/18 07:33, Viktor Dukhovni wrote:
>>
>>> No.  This is a myth, and reduces the reliability and performance
>>> of legitimate email delivery.  Use a decent RBL, postscreen(8) may
>>> help to reduce the load on the server and keep smtpd(8) more available
>>> for legitimate email.
>>>
>>
> On 25.10.18 10:55, Allen Coates wrote:
>
>> Yesterday, my Postscreen blocked 92 percent of incoming connection
>> attempts:-
>>
>
> this is not related to the subject of discussion, is it?
>
>> There are some anti-spam projects which offer MXes for your use.
>> You set one up with the LOWEST priority (your "MX of last resort"); If a
>> message reaches it, the MX will collect stats
>> and then return a TEMPFAIL.
>>
>
> but that is the opposite - you provide the lowest MX, not the primary.
>
>> Legitimate mail would not be affected as a retry will be forced, though you
>> may want to find out what the project does with the stats they collect.
>>
>
> I have already encountered case where the mailserver got blacklisted,
> because one domain only had two MX-es - primary and the blacklisting one.
>
> Thus, you only should "donate" your MX to such anti-spam projects when you
> are 100% sure you have enough of backup MX servers with different uplinks.
>
> yes, such projects should test that, too.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
>

So generally speaking - I should check postscreen, use a decent RBL and
keep smtpd more available for legitimate email. How do I set a decent RBL in
Postfix and which are decent? What does "keep smtpd more available for
legitimate email" mean, and how do I do it?
I have one more question which is more or less related to the main thread. I
would like to know whether I can block port 25 on the firewall. I read that
this port is used for communication between servers. Honestly, I don't get
it. I would open 110, 143, 587, 465, 993, 995 and block 25.

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: TLSv1.2 only for auth connection

2018-10-26 Thread Thomas Bourdon

That's what I do, it works perfectly.
Thanks.

On 25.10.2018 19:39, Wietse Venema wrote:

> Thomas Bourdon:
> > Hi,
> >
> > First of all, I apologize for my bad English.
> >
> > I use postfix-3.3.1 and openssl-1.0.2.
> >
> > Actual ssl config : tlsv1.0 minimum is set for smtp and smtpd. tlsv1.2
> > minimum is set for submission/starttls.
> >
> > My goal : All auth connections must be done with tlsv1.2 minimum. Other
> > connections can be done with tlsv1.0 minimum.
> >
> > If I use tlsv1.2 minimum everywhere, I can't send/receive mail to/from
> > mail provider still using tlsv1.0 so I had to set tlsv1.0 minimum. But I
> > want to allow auth connections from users of my smtp/imap server with
> > tlsv1.2 minimum.
> >
> > I already set up tlsv1.2 minimum for submission/starttls. I thought
> > about disabling auth connection using 465 port but I don't want to force
> > my users to strictly use starttls.
> >
> > Is there a way to allow tlsv1.0 minimum for unauth connection and allow
> > tlsv1.2 minimum for auth connection on port 465 ?
>
> Usually, AUTH is done on the submission or smtps ports, and non-AUTH
> on port 25. If you want different TLS policies for different inbound
> SMTP connections, you can specify different settings in master.cf.
>
> Wietse

--
Thomas Bourdon


Re: how set postfix server as non-functional

2018-10-26 Thread Matus UHLAR - fantomas

On 26.10.18 09:27, Poliman - Serwis wrote:

> So generally speaking - I should check postscreen, use a decent RBL and
> keep smtpd more available for legitimate email. How do I set a decent RBL in
> Postfix and which are decent?

I believe googling for RBLs, especially mailing lists' archives may help to
find out. I use spamhaus, sorbs and spamcop, plus dnswl with postscreen.

> What does "keep smtpd more available for legitimate email" mean, and how
> do I do it?

It means that postscreen will take care of blocking spambots, so smtpd
doesn't have to.

> I have one more question which is more or less related to the main thread. I
> would like to know whether I can block port 25 on the firewall.

not if you want to send and receive mail.

blocking port 25 is common at service providers, where customers aren't able
to spam through port 25 (outgoing SMTP) or run mail server (incoming SMTP).

While the latter is usually a business issue - if you want to run
mailserver, you must pay for static IP (static IP is technically good
requirement) and for potential handling of spam reports - the former is
simple and logical prevention of spam from end-users.

end-users are not supposed to contact mail servers

However, if you are not a service provider, don't simply block 25, if you
want to send/receive mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Where do you want to go to die?" [Microsoft]


Thank you Wietse, supporters and contributors for Postfix

2018-10-26 Thread Stefan Bauer
We just noticed once again, that postfix is so well designed in a way, that
often we did not even think of "corner cases" that are already handled by
default in a way, that is in most cases exactly how it should be setup.

Just picking a random setup - relaying mails to external relayhosts by
sender domain but having the option to define individual transport ways.
This is awesome to give the user/administrator a way to do a very fine
grained mail routing.

We're "small" postfix users (< 100.000 mails / month) but are very happy
with postfix.

Thank you.

Stefan


Re: how set postfix server as non-functional

2018-10-26 Thread Poliman - Serwis
2018-10-26 10:01 GMT+02:00 Matus UHLAR - fantomas :

> On 26.10.18 09:27, Poliman - Serwis wrote:
>
>> So generally speaking - I should check postscreen, use a decent RBL and
>> keep smtpd more available for legitimate email. How do I set a decent RBL
>> in Postfix and which are decent?
>
> I believe googling for RBLs, especially mailing lists' archives may help to
> find out. I use spamhaus, sorbs and spamcop, plus dnswl with postscreen.
>
>> What does "keep smtpd more available for legitimate email" mean, and how
>> do I do it?
>
> It means that postscreen will take care of blocking spambots, so smtpd
> doesn't have to.
>
>> I have one more question which is more or less related to the main thread.
>> I would like to know whether I can block port 25 on the firewall.
>
> not if you want to send and receive mail.
>
> blocking port 25 is common at service providers, where customers aren't
> able to spam through port 25 (outgoing SMTP) or run mail server (incoming
> SMTP).
>
> While the latter is usually a business issue - if you want to run
> mailserver, you must pay for static IP (static IP is technically good
> requirement) and for potential handling of spam reports - the former is
> simple and logical prevention of spam from end-users.
> end-users are not supposed to contact mail servers
>
> However, if you are not a service provider, don't simply block 25, if you
> want to send/receive mail.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> "Where do you want to go to die?" [Microsoft]
>

Thank you for the answer. I have a static IP - I bought a VPS from OVH. I
have a few domains with mailboxes configured there. On the server are
services like www, ftp, mail. So, if I understood well, I should block port 25.

-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*


Re: how set postfix server as non-functional

2018-10-26 Thread B. Reino

On 2018-10-26 14:36, Poliman - Serwis wrote:

> Thank you for the answer. I have a static IP - I bought a VPS from OVH. I
> have a few domains with mailboxes configured there. On the server are
> services like www, ftp, mail. So, if I understood well, I should block
> port 25.

Maybe you can go back one step and explain why you think you need to block
port 25?

I mean, if you want to be able to receive e-mails you need to allow incoming
connections on port 25. If you want to send e-mails from your server then you
need outgoing connections on port 25.


Or did I misunderstand you?


Re: Thank you Wietse, supporters and contributors for Postfix

2018-10-26 Thread Wietse Venema
Stefan Bauer:
> We just noticed once again, that postfix is so well designed in a way, that
> often we did not even think of "corner cases" that are already handled by
> default in a way, that is in most cases exactly how it should be setup.
> 
> Just picking a random setup - relaying mails to external relayhosts by
> sender domain but having the option to define individual transport ways.
> This is awesome to give the user/administrator a way to do a very fine
> grained mail routing.
> 
> We're "small" postfix users (< 100.000 mails / month) but are very happy
> with postfix.
> 
> Thank you.

And thank you for using Postfix.

Wietse


Re: Mailer-Daemon Domain Part

2018-10-26 Thread Wietse Venema
McFly86:
> Hi,
> 
> I'm not sure if I got myself confused but here is what I'd like/have to
> achieve:
> 
> If an internal user is sending an email and postfix receives a bounce, the
> Mailer-daemon should have the hostname as domain part. I know that I can use
> $myhostname to set $myorigin for that.
> 
> But I'm not sure if that affects anything that postfix may send to external
> recipients. (that should continue to use $mydomain).
> 
> Thanks for clarification

Why do you think that users will see the difference?

Wietse


Re: how set postfix server as non-functional

2018-10-26 Thread Durga Prasad Malyala
Hi,
Advertising a primary mx and blocking port 25 for it under the assumption
that spammers won't try the secondary mx is wrong.
In fact spammers target secondary mx more than primary mx since it is a
fact that everyone spends more time on securing and tuning the primary
server.
We maintain many servers and the fact is we get more spam attempts on all
the secondary mx servers.

Rgds
DP

On Fri, Oct 26, 2018, 18:33 B. Reino wrote:

> On 2018-10-26 14:36, Poliman - Serwis wrote:
>
> > Thank you for the answer. I have a static IP - I bought a VPS from OVH. I
> > have a few domains with mailboxes configured there. On the server are
> > services like www, ftp, mail. So, if I understood well, I should block
> > port 25.
>
> Maybe you can go back one step and explain why you think you need to
> block port 25?
>
> I mean, if you want to be able to receive e-mails you need to allow
> incoming connections on port 25. If you want to send e-mails from your
> server then you need outgoing connections on port 25.
>
> Or did I misunderstand you?
>