On Fri, Nov 07, 2014 at 07:58:03AM +0100, DTNX Postmaster wrote:
> Anyway, do you have an example of a legitimate need for SNI, one that
> cannot be addressed by using a multi-domain certificate, adding extra
> IP addresses and splitting it that way, or using Viktor's port example?
I think the
I have the explanation -- I should've looked into the tcpdump output
more closely.
Viktor Dukhovni wrote the following on 05.11.2014 16:30:
> On Wed, Nov 05, 2014 at 01:27:49PM +0100, Tobias Reckhard wrote:
>> It looks as though mail01.i-sec.tuv.com dropped the connection, though I
>> see no indic
On 07 Nov 2014, at 07:28, Peter wrote:
>> and it is smart to do it that way
>>
>> other than for webservers you have not different contents for different
>> hostnames but mandatory user authentication - so why waste time and
>> money dealing with different hostnames and certificates?
>
> I underst
On 07.11.2014 at 07:44, li...@rhsoft.net wrote:
On 07.11.2014 at 07:28, Peter wrote:
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
and it is smart to do it that way
other than for webservers you have not different contents for different
hostnames but mandatory user authentication - so why wa
On 07.11.2014 at 07:28, Peter wrote:
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
and it is smart to do it that way
other than for webservers you have not different contents for different
hostnames but mandatory user authentication - so why waste time and
money dealing with different hostname
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
> and it is smart to do it that way
>
> other than for webservers you have not different contents for different
> hostnames but mandatory user authentication - so why waste time and
> money dealing with different hostnames and certificates?
I understan
On 07 Nov 2014, at 01:13, Sven Köhler wrote:
> On 07.11.2014 at 01:54, Viktor Dukhovni wrote:
>> There are at present no plans for server-side SNI support in Postfix.
>
> It's disappointing to hear that.
>
>> OpenSSL does not even implement server-side SNI completely correctly
>> as yet.
>
>
On 07.11.2014 at 02:52, Peter wrote:
On 11/07/2014 11:35 AM, Sven Köhler wrote:
I don't have the option to buy one IP per hostname that I want to
support. As we all know, IPv4 addresses are expensive as they are not
many of them left.
The current best practice method in dealing with this is
On 07 Nov 2014, at 04:02, Peter wrote:
>> Mind you, hosting of submission servers across organizational
>> boundaries, typically means rather unnatural sharing of private
>> keys, while hosting within a single organization, is perhaps poor
>> planning, since a single MSA hostname could have been
On 11/07/2014 02:50 PM, Viktor Dukhovni wrote:
> I think SNI-based virtual hosting stinks, and I'd hate to encourage
> its use. Particularly for MX hosts it is FAR more sensible to just
> use a fixed MX hostname for multiple domains.
It's pointless for MX hosts because they don't validate the cer
On 11/6/2014 4:37 PM, terrygalant.li...@fastest.cc wrote:
> Noel
>
> On Thu, Nov 6, 2014, at 02:25 PM, Noel Jones wrote:
> ...
>> The above deprecated syntax assumes "check_sender_access
>> hash:/path/to/reject_senders" Don't leave out the
>> "check_sender_access" part.
>
> Yep. Bad cut and past
On 11/07/2014 11:35 AM, Sven Köhler wrote:
> I don't have the option to buy one IP per hostname that I want to
> support. As we all know, IPv4 addresses are expensive as they are not
> many of them left.
The current best practice method in dealing with this is you just
have one hostname for sub
On Fri, Nov 07, 2014 at 02:13:17AM +0200, Sven Köhler wrote:
> Just out of interest: do you know a link that explains the details of
> how OpenSSL is broken?
>
> I'm running Apache with mod_ssl and SNI seems to work fine.
The problems are somewhat subtle, and may not be seen in simpler
cases. H
On Thu, Nov 06, 2014 at 08:37:14PM -0500, Wietse Venema wrote:
> Postfix gets the client-specified servername with SSL_get_servername(),
> and then it uses the SSL_CTX for that servername.
I think SNI-based virtual hosting stinks, and I'd hate to encourage
its use. Particularly for MX hosts it i
Peter:
> On 11/07/2014 01:28 PM, Wietse Venema wrote:
> > What stops us from implementing SNI? Looking at some on-line
> > posts, this involves one SSL_CTX per certificate and one call-back
> > that looks up the desired server name with SSL_get_servername()
> > and that sets the corresponding contex
On 11/07/2014 01:28 PM, Wietse Venema wrote:
> What stops us from implementing SNI? Looking at some on-line
> posts, this involves one SSL_CTX per certificate and one call-back
> that looks up the desired server name with SSL_get_servername()
> and that sets the corresponding context with SSL_set_SS
Viktor Dukhovni:
> There are at present no plans for server-side SNI support in Postfix.
> OpenSSL does not even implement server-side SNI completely correctly
> as yet.
What stops us from implementing SNI? Looking at some on-line
posts, this involves one SSL_CTX per certificate and one call-back
t
On 07.11.2014 at 01:54, Viktor Dukhovni wrote:
> There are at present no plans for server-side SNI support in Postfix.
It's disappointing to hear that.
> OpenSSL does not even implement server-side SNI completely correctly
> as yet.
Just out of interest: do you know a link that explains the det
On Fri, Nov 07, 2014 at 12:35:01AM +0200, Sven Köhler wrote:
> I'd like to use Thunderbird (which seems to support SNI) together with
> Postfix on port 587 (submission only) and I'd like Postfix to choose
> from several (below 10) certificates based on the indicated server name.
>
> I don't have
On 06 Nov 2014, at 23:35, Sven Köhler wrote:
> Hi,
>
> does PostFix support TLS SNI (server name indication) now? I have found
> some discussion, mostly saying that it might be implemented, but there
> were several issues:
>
> 1) Mail clients don't seem to support it.
> 2) Other MTAs don't see
Noel
On Thu, Nov 6, 2014, at 02:25 PM, Noel Jones wrote:
...
> The above deprecated syntax assumes "check_sender_access
> hash:/path/to/reject_senders" Don't leave out the
> "check_sender_access" part.
Yep. Bad cut and paste on my part, sorry. It's in there.
> > @domain2.com
Hi,
does PostFix support TLS SNI (server name indication) now? I have found
some discussion, mostly saying that it might be implemented, but there
were several issues:
1) Mail clients don't seem to support it.
2) Other MTAs don't seem to support it.
3) There are no standards concerning SNI for M
On 11/6/2014 4:10 PM, terrygalant.li...@fastest.cc wrote:
> Hi,
>
> I've added a sender restriction
>
> postconf -n
> ...
> smtpd_sender_restrictions = hash:/path/to/reject_senders,
> check_sender_access ...
> ...
>
The above deprecated syntax a
Hi,
I've added a sender restriction
postconf -n
...
smtpd_sender_restrictions = hash:/path/to/reject_senders,
check_sender_access ...
...
It's convenient for early rejection of lists of senders, and seems to work as
expected for,
Hi everyone,
Is there a way to configure postfix to receive emails for users and
domains that match a particular pattern? According to the
documentation, a virtual domain map can use a regexp, but I haven't
found anything for virtual users. I'm looking to receive emails for
any address that is o
Wietse:
>You might be able to cobble together something with header_checks
>and such, but the solution falls apart when a requirement changes.
Mike Ray:
> I understand that header_checks can't be checked together, but do
> you all think it reasonable to have a header_check for that specific
> addr
>- Original Message -
>From: "Wietse Venema"
>To: "Postfix users"
>Sent: Thursday, November 6, 2014 1:26:29 PM
>Subject: Re: best approach to filtering one specific case?
>
>Mike Ray:
>> The basic condition I'm trying to deal with is a message that has
>> a certain subject *and* is destin
Mike Ray:
> The basic condition I'm trying to deal with is a message that has
> a certain subject *and* is destined for a particular address.
Hi, I wrote Postfix. Postfix does not do combinations of headers
and other stuff. Such things are supposed to be "outsourced" to
external filters such as
On 06.11.2014 at 19:56, Mike Ray wrote:
The basic condition I'm trying to deal with is a message that has a certain
subject *and* is destined for a particular address
not possible with native postfix
you can stop to dig in the docs
Hello all-
New to Postfix, inexperienced in mail system setups, foolishly volunteered to
tackle upgrading mail servers at work and now stuck up the creek without a
paddle.
Recently set up some new mail servers running postfix and using
amavis-spamassassin-clamav to do AS/AV. I've used mostly de
Lars Heide:
> But let's disregard POODLE for the moment, does postfix handle
> "inappropriate fallback" errors in any way, or does it also fall
> back to unencrypted traffic?
If you configure "mandatory" TLS, Postfix will not use plaintext.
Otherwise, Postfix will use plaintext when the server does
On 1 Nov 2014, at 6:30, Tiemo Kieft wrote:
[...]
Personally I think that the most likely explanation is that Google does
not have enough history of the IP address. The more (genuine) mail you
send from an IP address, and the longer you do it for, the less likely
the email will be classed as s
On Thu, Nov 06, 2014 at 03:08:47PM +0100, Lars Heide wrote:
> does anybody know how postfix handles a detected MITM attack based on
> POODLE?
POODLE, SSL 3.0 and more generally the "TLS_FALLBACK_SCSV" have
nothing to do with how Postfix handles TLS errors. There is not,
need not, and will not be
On 30 Oct 2014, at 6:20, Den wrote:
li...@rhsoft.net wrote
On 30.10.2014 at 11:00, Den wrote:
Noel Jones-2 wrote
On 10/29/2014 7:04 AM, Den wrote:
How do I make the SMTP Greetings Banner to display the remote client's IP
and server's name in Postfix 2.9.6?
[...]
what do you gain with
The specific POODLE attack is only an example that applies to
web-connections, referencing it is therefore misleading, but the
underlying flaw affects all SSLv3 traffic AFAIK.
The paper by Google ( https://www.openssl.org/~bodo/ssl-poodle.pdf ) states:
"we discuss how attackers can [..] break the
On 06.11.2014 at 15:08, Lars Heide wrote:
does anybody know how postfix handles a detected MITM attack based on
POODLE?
it doesn't need to - read how it works and then imagine how it should be
possible to inject and execute javascript into the connection in case of
SMTP
Hi,
does anybody know how postfix handles a detected MITM attack based on
POODLE?
With the advent of the POODLE vulnerability, the implementation of
TLS_FALLBACK_SCSV in OpenSSL happened in order to mitigate MITM.
In case that an inappropriate fallback is detected, the SSL library
throws an erro
Should have thought before writing :-)
Changed the queries on the backends to
<<
query = SELECT CONCAT('lmtp:[',backend,']:24') AS transport FROM mailbox
WHERE username = '%u@%d' AND active=1 AND backend != '192.168.50.42'
>>
activated dovecot-lmtp on all backends.
That works as it should :-)
to
Hello list
I have a postfix setup with a frontend and two backend servers. The
problem is that one user has forward (ex forwards to his mailbox and to
another one). The problem is that one mailbox is on backend1 and the
other (expanded from alias) is on backend2. Now I thought okay I add a
transp
jayesh shinde:
> Hi ,
>
> I have live mail archival server and now created the backup of the same.
>
> For this I am taking bcc copy from mailserver on which
> postfix-2.10.0-1.el6.x86_64 running
>
> recipient_bcc_maps = pcre:/etc/postfix/bcc_maps
> [root@jayesh ~]# cat /etc/postfix/bcc_maps
Hi ,
I have live mail archival server and now created the backup of the same.
For this I am taking bcc copy from mailserver on which
postfix-2.10.0-1.el6.x86_64 running
recipient_bcc_maps = pcre:/etc/postfix/bcc_maps
[root@jayesh ~]# cat /etc/postfix/bcc_maps
/^(.*)@(.*)$/ $1!$2...@archive
Hello,
I am setting up an email server using postfix.
I use an internal domain for internal mails, and address rewriting for
outgoing emails. In main.cf, the parameter
smtp_generic_maps = hash:/etc/postfix/generic
and a file "generic" with lines like this:
user@mycompany.localextern_u...@m
On Nov 2, 2014, at 12:32 PM, li...@rhsoft.net wrote:
> On 02.11.2014 at 21:19, Wietse Venema wrote:
>> Wietse:
>>> Wondering if the list manager has croaked.
>> Nope, it's a quiet day
>
> typical admin reaction: "what no mail for 2 hours - look if something is
> down" - sorry for not having any