[pfx] tls_high_cipherlist parameter
Hello Postfix's documentation for the tls_high_cipherlist parameter states to see the output of the command 'postconf -d' to see the default setting. Sadly, the documentation lacks specificness, and the output spit out about 500 lines, so I am not sure what I am suppose to be looking at. I found the parameter mentioned on one of the lines. I was expecting to see a list of ciphers, such as AES-256 ectetera, but I don't see any mention of a type of cipher, so I'm not sure if looking at the line for the tls_high_cipherlist parameter is what I am suppose to be looking at. Could anyone confirm if that is what I am suppose to be looking at and if I am correct in what I was expecting? Thanks Sincerely, Kolusion ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: tls_high_cipherlist parameter
On Mon, 1 May 2023, Kolusion K via Postfix-users wrote: Hello Postfix's documentation for the tls_high_cipherlist parameter states to see the output of the command 'postconf -d' to see the default setting. Sadly, the documentation lacks specificness, and the output spit out about 500 lines, so I am not sure what I am suppose to be looking at. postconf -d will print all the (default) settings, you can use grep to filter the specific line you're looking for. I found the parameter mentioned on one of the lines. I was expecting to see a list of ciphers, such as AES-256 ectetera, but I don't see any mention of a type of cipher, so I'm not sure if looking at the line for the tls_high_cipherlist parameter is what I am suppose to be looking at. postfix uses openssl, and if you had read the manual you would have seen something like: * tls_high_cipherlist (default: see "postconf -d" output) The OpenSSL cipherlist for "high" grade ciphers. [...] so you should then look at your openssl configuration (which may or may not be whatever default your distribution is using). $ man 1 ciphers will take you further. Could anyone confirm if that is what I am suppose to be looking at and if I am correct in what I was expecting? Only you can know what you were expecting, and hence what you are supposed to be looking at. Good luck.___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] smtp_tls_verify_cert_match parameter
Hello Regarding the smtp_tls_verify_cert_match parameter, is the configuration 'dot-nexthop' more stringent than 'nexthop'? Thank you Sincerely, Kolusion ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Painful Postfix
On Mon, 1 May 2023, Kolusion K via Postfix-users wrote: When I open a raw socket to the remote server on port 25 using telnet, I am able to connect and see the server announce itself, so, it is reasonable to assume that Postfix is doing the same and timing out during the SMTP transaction because Postfix is not having a problem sending mail to other servers. I don't think you even know what a raw socket is. You seem to imply that doing "telnet 25" is "opening a raw socket", which only makes your statement of the problem more unclear. I think it has been made abundantly clear that postfix is not at fault here, but whatever (intricate and/or erroneous) networking setup you have. A reasonable person does not assume their software is always telling the truth. The postfix log is telling you the truth. A reasonable person reads the logs and acts accordingly. Your problem is with your networking, so look at the relevant logs and/or check the incoming/outgoing packets (Viktor and others have already and repeatedly stated that tcpdump would allow you to identify the problem). Good luck. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: smtp_tls_verify_cert_match parameter
The question is wrong. One is not "more-stringent" than the other, they just check for different things. As TLS is not mandatory for SMTP over the general internet, it's availability is patchy at best. For the servers that do provide STARTTLS and a certificate, what's actually on the certificate is anyone's guess. As the certificate is most likely self-signed, it's contents are pretty irrelevant anyway. That is why the general advice is do not INSIST on ssl on the big bad internet. You will almost certainly find that most of your mail will not be delivered. That said, the only real use case for certificate validation is when you _know_ (by pre-arrangement) that the server you are talking to supports TLS. And if you already know it supports TLS, you can find out what is on the server's certificate and choose the appropriate test. If you're not sure choose both. Suppose you are sending mail to example.com, and nexthop is assigned "example.com", then.. If the certificate says SAN: DNS:mailserver.example.com, then you'll want the "dot-nexthop" test. If the certificate says SAN: DNS:example.com, then you'll want the "nexthop" test. If you're not sure, it's relatively safe to list both tests. just be careful with the "hostname" test. If the hostname comes from a non-DNSSEC MX lookup, it should not be "trusted". regards.. On 1/05/2023 7:02 pm, Kolusion K via Postfix-users wrote: Hello Regarding the smtp_tls_verify_cert_match parameter, is the configuration 'dot-nexthop' more stringent than 'nexthop'? Thank you Sincerely, Kolusion ___ Postfix-users mailing list --postfix-users@postfix.org To unsubscribe send an email topostfix-users-le...@postfix.org -- This email has been checked for viruses by AVG antivirus software. www.avg.com___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] E-mail delivery problem
Hello I e-mailed the mailing list earlier on about this problem, but now I am on my computer and I have gone over my e-mail server and VPS with a fine comb and confirmed everything looks good. So, I have a problem with e-mail delivery where I can receive e-mail from some people but not others, likewise, I can send e-mail to someone people but not others- the connection times out when Postfix tries to deliver e-mail and e-mail gets deferred. Now I have included configuration details of my e-mail server and VPS. Perhaps someone might see something wrong that I can't see. This is the configuration of my e-mail server and VPS, which the e-mail server uses for a source of internet access over a PPTP virtual network tunnel... E-mail server enp0s3 interface IP address: 192.168.1.2 E-mail server ppp0 interface IP address: 192.168.2.2 VPS enp6s18 interface IP address: 1.2.3.4 E-mail server ufw raw rules: ### tuple ### allow gre any 192.168.1.2 any 1.2.3.4 in_enp0s3 -A ufw-user-input -i enp0s3 -p gre -d 192.168.1.2 -s 1.2.3.4 -j ACCEPT ### tuple ### allow tcp 25 192.168.2.2 any 0.0.0.0/0 in_ppp0 -A ufw-user-input -i ppp0 -p tcp -d 192.168.2.2 --dport 25 -j ACCEPT VPS ufw raw rules: ### tuple ### allow tcp 1723 1.2.3.4 any 0.0.0.0/0 in_enp6s18 -A ufw-user-input -i enp6s18 -p tcp -d 1.2.3.4 --dport 1723 -j ACCEPT ### tuple ### allow gre any 1.2.3.4 any 0.0.0.0/0 in_enp6s18 -A ufw-user-input -i enp6s18 -p gre -d 1.2.3.4 -j ACCEPT ### tuple ### route:allow tcp 25 192.168.2.2 any 0.0.0.0/0 in_enp6s18 -A ufw-user-forward -i enp6s18 -p tcp -d 192.168.2.2 --dport 25 -j ACCEPT ### tuple ### route:allow tcp 25 0.0.0.0/0 any 192.168.2.2 in_ppp0 -A ufw-user-forward -i ppp0 -p tcp --dport 25 -s 192.168.2.2 -j ACCEPT VPS iptables commands at boot: iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to 192.168.2.2 iptables -t nat -A PREROUTING -d 192.168.2.2 -p tcp --dport 25 -j DNAT --to 1.2.3.4 What could be causing my e-mail delivery problem? Sincerely, Kolusion ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: E-mail problem
Kolusion K via Postfix-users: > Hello > > > So I have a problem sending and receiving e-mail from some people. > > The problem I have sending e-mail to some people is that Postfix > says the connection times out when attempting to connect to the > server. > > This is my setup: > [amazing complexity] > > The strange thing is, when I Telnet on port 25 on the VPS to the > e-mail servers Postfix can't connect to from my e-mail server, I > can connect to them. > > What could be causing Postfix being able to send e-mail to some > servers but not others, and some people being able to e-mail me > but not others? Assuming that you did the telnet tests from the *same host or container or VM* that also runs Postfix: Speculation: - The telnet command uses a different source IP address than Postfix. A tcpdump recording would reveal that. - The telnet command ran as root, whereas the Postfix SMTP client runs as non-root, resulting in different behavior in your netwotrk stack. A tcpdump recording would reveal that. Hint: make a tcpdump recording. As root: tcpdump -s 0 -w /file/name -i interface-name dst port 25 You'll have to experiment a bit to figure out which interface to look at; it may be differfent for the telnet and Postfix cases. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: E-mail problem
Kolusion K: > Ok, I did what you asked and I got this: > > reading from file dump.txt, link-type LINUX_SLL (Linux cooked v1) > 23:11:23.019120 IP 192.168.2.2.40415 > 47.246.137.47.smtp: Flags [S], seq > 3300139944, win 65280, options [mss 1360,sackOK,TS val 912070706 ecr > 0,nop,wscale 7], length 0 > 23:11:24.037250 IP 192.168.2.2.40415 > 47.246.137.47.smtp: Flags [S], seq > 3300139944, win 65280, options [mss 1360,sackOK,TS val 912071724 ecr > 0,nop,wscale 7], length 0 > 23:11:26.054636 IP 192.168.2.2.40415 > 47.246.137.47.smtp: Flags [S], seq > 3300139944, win 65280, options [mss 1360,sackOK,TS val 912073742 ecr > 0,nop,wscale 7], length 0 > 23:11:30.158588 IP 192.168.2.2.40415 > 47.246.137.47.smtp: Flags [S], seq > 3300139944, win 65280, options [mss 1360,sackOK,TS val 912077846 ecr > 0,nop,wscale 7], length 0 > 23:11:38.333669 IP 192.168.2.2.40415 > 47.246.137.47.smtp: Flags [S], seq > 3300139944, win 65280, options [mss 1360,sackOK,TS val 912086021 ecr > 0,nop,wscale 7], length 0 Presumably this is Postfix trying to connect. The TCP/IP stack sends SYN packets - from source IP address 192.168.2.2 (chosen by Postfix or by TCP/IP stack) - from source port 40415 (chosen by TCP/IP stack) - to destination IP address 47.246.137.47 port 25 (both chosen by Postfix) and times out because the TCP/IP stack receives no SYN+ACK response. What is the result when you connect to the same host using telnet? You may be to specify a different '-i' option in the tdpcump command. > 23:11:53.050567 IP 192.168.2.2.41905 > cz-clare.com.smtp: Flags [S], seq > 3744182035, win 65280, options [mss 1360,sackOK,TS val 2086976875 ecr > 0,nop,wscale 7], length 0 > ...etc... Same problem, with source IP address 192.168.2.2 and port 41905. > 23:12:23.115056 IP 192.168.2.2.45487 > 47.246.99.195.smtp: Flags [S], seq > 757318789, win 65280, options [mss 1360,sackOK,TS val 2582719398 ecr > 0,nop,wscale 7], length 0 > ...etc... Same problem, with source IP address 192.168.2.2 and 45487. A recording for a successful telnet connection would be illustrative. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: E-mail delivery problem
On 01.05.23 14:24, Kolusion K via Postfix-users wrote: E-mail server enp0s3 interface IP address: 192.168.1.2 E-mail server ppp0 interface IP address: 192.168.2.2 VPS enp6s18 interface IP address: 1.2.3.4 What could be causing my e-mail delivery problem? your firewall rules show nopthing speciall. did you configure inet_interfaces or smtp_bind_adress in your postfix config? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux IS user friendly, it's just selective who its friends are... ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: tls_high_cipherlist parameter
On Mon, May 01, 2023 at 11:01:56AM +0200, Bernardo Reino via Postfix-users wrote: > > Sadly, the documentation lacks specificness, and the output spit out about > > 500 lines, so I am not sure what I am suppose to be looking at. > > postconf -d will print all the (default) settings, you can use grep to filter > the specific line you're looking for. No need for grep (output for Postfix 3.8): $ postconf -d tls_high_cipherlist tls_high_cipherlist = aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:@STRENGTH or, $ postconf -dhx tls_high_cipherlist aNULL:-aNULL:HIGH:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:@STRENGTH which then makes it possible to, for example, list the ciphers that could be used when TLS 1.2 is negotiated): $ openssl ciphers -v -tls1_2 -s "$(postconf -dhx tls_high_cipherlist)" ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ... However, the advice in the documentation to NOT tinker with the "tls_*_cipherlist" settings should not be taken lightly. A common rookie mistake is to cut/paste a cipherlist recommended in some random HOWTO, and assume that using that particular cipherlist will improve "security". The various HOWTO's that recommend an explicit list of concrete ciphers are all wrong, and their notion of "security" maps poorly onto opportunistic TLS. I repeat: DO NOT tinker with the "tls_*_cipherlist" parameters, they're for emergency use only, in case many years after initial release some new surprise vulnerability makes it necessary to fine-tune the list. If that should some day happen, we'll update the documentation and post a message to the list. For now, let the defaults stand. If some test you run against your server tells you that your server uses insecure cipher settings, and you haven't changed the Postfix defaults, the problem is a misguided test, not incorrect settings. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: tls_high_cipherlist parameter
On 2023-05-01 at 04:45:37 UTC-0400 (Mon, 1 May 2023 10:45:37 +0200) Kolusion K via Postfix-users is rumored to have said: Hello Postfix's documentation for the tls_high_cipherlist parameter states to see the output of the command 'postconf -d' to see the default setting. Sadly, the documentation lacks specificness, and the output spit out about 500 lines, so I am not sure what I am suppose to be looking at. The man page for postconf(8) very clearly and fully explains how to display a single parameter. The man page for postconf(5) explains what tls_high_cipherlist is, and there is also an in-depth README in the Postfix documentation for TLS configuration. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Future Date:
I've been getting a lot of spam with Date: headers containing future dates, typically 1 year. I don't find any header checks that would look for this type of message. Have I over looked it? In the meantime I've implemented a script and procmail rule to examine my messages. But that is post-delivery and per-user. Jon ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Future Date:
On 5/1/2023 2:41 PM, Jon LaBadie via Postfix-users wrote: I've been getting a lot of spam with Date: headers containing future dates, typically 1 year. I don't find any header checks that would look for this type of message. Have I over looked it? In the meantime I've implemented a script and procmail rule to examine my messages. But that is post-delivery and per-user. Jon While header_checks are perfectly capable of matching a fixed date string, there is no built-in logic for "today + X days". Setting a fixed date-based header check, for example a rule rejecting all mail containing "2024", is just a land mine waiting to disrupt mail in the future. Leave date checking to mail parsers that are made for that job, or find some other feature of the message to block on. -- Noel Jones ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Future Date:
Jon LaBadie via Postfix-users: > > I've been getting a lot of spam with Date: headers > containing future dates, typically 1 year. > > I don't find any header checks that would look for > this type of message. Have I over looked it? > > In the meantime I've implemented a script and procmail > rule to examine my messages. But that is post-delivery > and per-user. Postfix built-ins typically block mail based on a single indicator (a well-known signature). A sledgehammer approach. Dates and other indicators are typically handled by a scoring system such as as SpamAssassin and the like. They plug into Postfix via the (before queue) Milter protocol. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Future Date:
On Mon, May 01, 2023 at 03:41:37PM -0400, Jon LaBadie via Postfix-users wrote:
> I've been getting a lot of spam with Date: headers
> containing future dates, typically 1 year.
>
> I don't find any header checks that would look for
> this type of message. Have I over looked it?
>
> In the meantime I've implemented a script and procmail
> rule to examine my messages. But that is post-delivery
> and per-user.
I have a Python milter that defers some future-dated messages.
...
def __init__(self):
self.__id = Milter.uniqueID()
self.__ipname = None
self.__ip = None
self.__port = None
self.__from = None
self.__now = time.time()
...
...
def header(self, name, hval):
"""header callback gets called for each header
"""
if config.debug:
print("%s: %s" % (name, hval))
lc = name.lower()
# ...
if ... selection criteria ... :
if lc == "date":
tm = email.utils.parsedate_tz(hval)
if tm is not None:
try:
t = email.utils.mktime_tz(tm)
dt = t - self.__now
if config.debug:
print("Then %f, now %f, delta %f" % (t, self.__now,
dt))
if ... no extenuating circumstances ...:
floor = -... allowance for clock drift ...
else:
floor = ... minimum delay penalty ...
if dt > floor:
self.setreply("454", xcode="4.7.0", msg="No thanks")
return Milter.TEMPFAIL
except Exception as _: pass
return Milter.CONTINUE
Some messages have to arrive some time after the implied date, some can
arrive a short time before, and some are not restricted at all. No
message is refused if the remote MTA is willing to retry long enough.
The logic is narrowly targetted at a particular pattern of abuse.
--
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] postscreen and checking proper operation
Hi, I have postscreen implemented on postfix-3.7.3 on fedora37, and not sure I understand if it's working properly. Sometimes I see the postscreen/dnsblog combination ending with a simple DISCONNECT. In this case, it met the 8-point threshold to be rejected, but appears to only received a DISCONNECT: May 1 20:57:53 petra postfix-226/postscreen[1104961]: CONNECT from [95.214.27.139]:50021 to [5.196.7.226]:25 May 1 20:57:53 petra postfix-226/postscreen[1104961]: PREGREET 11 after 0.01 from [95.214.27.139]:50021: EHLO User\r\n May 1 20:57:53 petra postfix-226/dnsblog[1105023]: addr 95.214.27.139 listed by domain bl.mailspike.net as 127.0.0.2 May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4 May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.2 May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.9 May 1 20:57:53 petra postfix-226/dnsblog[1105024]: addr 95.214.27.139 listed by domain score.senderscore.com as 127.0.4.6 May 1 20:57:53 petra postfix-226/dnsblog[1105025]: addr 95.214.27.139 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2 May 1 20:57:53 petra postfix-226/postscreen[1104961]: DNSBL rank 23 for [95.214.27.139]:50021 May 1 20:57:54 petra postfix-226/postscreen[1104961]: DISCONNECT [95.214.27.139]:50021 while other times I do see there is a NOQUEUE/reject involved: May 1 20:13:15 petra postfix-226/postscreen[1095132]: CONNECT from [185.146.23.43]:46126 to [5.196.7.226]:25 May 1 20:13:15 petra postfix-226/dnsblog[1095229]: addr 185.146.23.43 listed by domain score.senderscore.com as 127.0.4.89 May 1 20:13:15 petra postfix-226/dnsblog[1095233]: addr 185.146.23.43 listed by domain bb.barracudacentral.org as 127.0.0.2 May 1 20:13:15 petra postfix-226/dnsblog[1095232]: addr 185.146.23.43 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2 May 1 20:13:21 petra postfix-226/postscreen[1095132]: DNSBL rank 13 for [185.146.23.43]:46124 May 1 20:13:21 petra postfix-226/postscreen[1095132]: NOQUEUE: reject: RCPT from [185.146.23.43]:46124: 550 5.7.1 Service unavailable; client [185.146.23.43] blocked using DNS Blocklist (invaluement); from=< simon...@server.sito-wp.com>, to=, proto=ESMTP, helo= What am I misunderstanding? Here is my postscreen config: postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map postscreen_dnsbl_sites = mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8 score.senderscore.com=127.0.4.[0..19]*5 score.senderscore.com =127.0.4.[20..29]*4 score.senderscore.com=127.0.4.[30..49]*3 score.senderscore.com =127.0.4.[50..59]*2 score.senderscore.com=127.0.4.[60..69]*1 score.senderscore.com =127.0.4.[70..79]*-1 score.senderscore.com=127.0.4.[80..89]*-2 score.senderscore.com =127.0.4.[90..100]*-3 bb.barracudacentral.org*7 mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6 bl.mailspike.net*4 bl.spamcop.net*4 bl.spameatingmonkey.net*4 mykey.zen.dq.spamhaus.net=127.0.0.3*4 sip-sip24.mykey.invaluement.com =127.0.0.2*8 ubl.unsubscore.com=127.0.0.2*1 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org =127.[0..255].[0..255].[2..255]*-4 postscreen_dnsbl_threshold = 8 postscreen_greet_action = enforce ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
