Re: XCLIENT + SASL + TLS, possible ?

2015-05-24 Thread furio ercolessi
On Mon, May 25, 2015 at 12:21:18AM +, Viktor Dukhovni wrote: > On Mon, May 25, 2015 at 01:28:09AM +0200, furio ercolessi wrote: > > > Now, I would like to add the XCLIENT facility to do some > > antispam testing on B, using the original IPs that > > connected to A. So I put A's IP address in

Re: chacha20 cipher_algbits is 0

2015-05-24 Thread Viktor Dukhovni
On Sun, May 24, 2015 at 06:16:42PM +0200, Tim Kuijsten wrote: > Since I'm running postfix with LibreSSL, some clients encrypt the connection > using ECDHE-RSA-CHACHA20-POLY1305. Now I'm used to seeing headers like > "using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)" . But > the

Re: Logging local port used for connection

2015-05-24 Thread Viktor Dukhovni
On Sun, May 24, 2015 at 09:22:44PM +0200, Yannik Sembritzki wrote: > The default of syslog_name is > ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} > (at least > on Ubuntu). > > Is it possible to somehow use something like "-o > syslog_name=${syslog_name}-submission" to

Re: XCLIENT + SASL + TLS, possible ?

2015-05-24 Thread Viktor Dukhovni
On Mon, May 25, 2015 at 01:28:09AM +0200, furio ercolessi wrote: > Now, I would like to add the XCLIENT facility to do some > antispam testing on B, using the original IPs that > connected to A. So I put A's IP address in > smtpd_authorized_xclient_hosts in the B's config, > and verified that B

Re: Security & Compatibility

2015-05-24 Thread Viktor Dukhovni
On Sun, May 24, 2015 at 08:00:30PM +0200, DTNX Postmaster wrote: > Assuming you are talking about the MSA (submission) and not MTA to MTA > traffic, you can cover the vast majority of the scenarios with the > following cipher selection string; > > EECDH+AES128:EECDH+AES256:EDH+AES128+SHA:RSA+AE

XCLIENT + SASL + TLS, possible ?

2015-05-24 Thread furio ercolessi
Dear group, I have a system A forwarding a mail flow - that it receives being the MX for some domains - to a system B using SASL and TLS on port 587. Both systems are running Postfix 2.9.6 (coming packaged with Debian Wheezy). Postscreen is not used. Everything works flawlessly. Now, I would l

Re: Logging local port used for connection

2015-05-24 Thread Yannik Sembritzki
Hi Noel, > If you have postfix listening on several ports and want to know > which port the client connected to, you can set a different syslog > name to differentiate them in the logs. For example, it's common to > set ' -o syslog_name=postfix/submission' on the port 587 submission > listener. I

Re: Security & Compatibility

2015-05-24 Thread DTNX Postmaster
On 24 May 2015, at 18:09, CSS wrote: >>> I thought I saw that listed on this forum earlier this year. >> >> Don't believe all the nonsense posted on the Internet. > > Related to the previous paragraph, I know that when I fiddle with > SSL settings on a web server, I can easily dig up informatio

chacha20 cipher_algbits is 0

2015-05-24 Thread Tim Kuijsten
Since I'm running postfix with LibreSSL, some clients encrypt the connection using ECDHE-RSA-CHACHA20-POLY1305. Now I'm used to seeing headers like "using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)" . But these ChaCha20 headers look like "using TLSv1.2 with cipher ECDHE-RSA-

Re: Security & Compatibility

2015-05-24 Thread CSS
On May 24, 2015, at 9:28 AM, Viktor Dukhovni wrote: > On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote: > >>> smtpd_tls_protocols = !SSLv2, !SSLv3 >>> smtp_tls_protocols = !SSLv2, !SSLv3 >> >> Wouldn't the following be more secure: >> >> smtpd_tls_protocols=!SSLv2, !SSLv3,

Re: Security & Compatibility

2015-05-24 Thread Viktor Dukhovni
On Sat, May 23, 2015 at 08:01:15AM -0700, Grant wrote: > Currently I have the following in main.cf: > > smtp_tls_exclude_ciphers = aNULL > smtpd_tls_exclude_ciphers = aNULL This is unnecessary. > According to weakdh.org/sysadmin.html, I should have this: Some clueless people post cargo-cult no

Re: Security & Compatibility

2015-05-24 Thread Viktor Dukhovni
On Sun, May 24, 2015 at 06:38:50AM -0400, Postfix User wrote: > > smtpd_tls_protocols = !SSLv2, !SSLv3 > > smtp_tls_protocols = !SSLv2, !SSLv3 > > Wouldn't the following be more secure: > > smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1 > smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1,

Re: Security & Compatibility

2015-05-24 Thread Noel Jones
On 5/24/2015 5:38 AM, Postfix User wrote: > On Sat, 23 May 2015 12:13:33 -0500, Noel Jones stated: > >> # Avoid obsolete protocol versions >> # >> smtpd_tls_protocols = !SSLv2, !SSLv3 >> smtp_tls_protocols = !SSLv2, !SSLv3 > > Wouldn't the following be more secure: > > smtpd_

RE: problem with spam

2015-05-24 Thread Marius Gologan
According to your SPF, you are allowing any host (A record in the DNS) to send messages. I think you should limit your domain to your genuine email servers only, and not allow any server in your farm to send messages while clients (other domains) include your SPF. However, I'm a bit confused why ser

Re: problem with spam

2015-05-24 Thread Christos Chatzaras
We have some customers that use their gmail account for SMTP, but on port 587 and not port 25. So I don't think it will cause any problem. If it causes any problem I can enable smtp to port 25 for specific customers.

Re: problem with spam

2015-05-24 Thread Yannik Sembritzki
Just out of curiosity: wouldn't this also block legitimate users who use a third party mailserver on port 25? On 24 May 2015 13:23:01 MESZ, Christos Chatzaras wrote: >Thank you everyone for the replies. I think I found the problem. The >spambot (uploaded by hacked websites) does direct conne

Re: problem with spam

2015-05-24 Thread Christos Chatzaras
Thank you everyone for the replies. I think I found the problem. The spambot (uploaded by hacked websites) does direct connections to port 25 to other mail providers. That's why I don't see any logs for outgoing e-mails but I get backscatter from hotmail and other providers. I will try to use th

Re: problem with spam

2015-05-24 Thread Michael
On 24.05.2015 13:10, Christos Chatzaras wrote: > What I try to find out is how spam is sent out if only users that > authenticate can send e-mail and when no user e-mail accounts credentials are > hacked. > Instead of searching for mails sent to the address sir...@hotmail.com, I would rather se

Re: problem with spam

2015-05-24 Thread Sebastian Nielsen
Are you entirely sure that no user credentials are hacked? Note that a dictionary-attacked or brute-forced password is undetectable, and could have happened months ago. E.g., a bot could have cracked the password, saved it into a database, and then the owner of that bot sold the accounts to a spam

Re: problem with spam

2015-05-24 Thread Christos Chatzaras
What I try to find out is how spam is sent out if only users that authenticate can send e-mail and when no user e-mail account credentials are hacked.

Re: problem with spam

2015-05-24 Thread Sebastian Nielsen
Aaah, then it's a bit of a worse problem. Are all your customers from a specific country? Then you can add a geoIP block to your firewall so customers can only send email from their country. Else: My suggestion is then that you open up a web interface (I guess you already have a web interface where y

Re: problem with spam

2015-05-24 Thread Michael
On 24.05.2015 13:01, Christos Chatzaras wrote: > I do shared hosting, so users should be able to use any ISP to connect. Filter outgoing mail with a spam scanner before it leaves your server. If it is detected as spam, just reject it with a corresponding message. Michael

Re: problem with spam

2015-05-24 Thread Christos Chatzaras
I do shared hosting, so users should be able to use any ISP to connect. postconf -Mf :
smtp inet n - n - - smtpd
submission inet n - n - - smtpd -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_clie

Re: problem with spam

2015-05-24 Thread Sebastian Nielsen
I suspect any of your authenticated users are compromised, e.g. that a dictionary-attacking or brute-forcing bot managed to figure out the password for one of your accounts. I had authentication enabled on my server once, and you know, the logs were HUGE with 'bots' trying to authenticate with

Re: Security & Compatibility

2015-05-24 Thread Postfix User
On Sat, 23 May 2015 12:13:33 -0500, Noel Jones stated: > # Avoid obsolete protocol versions > # > smtpd_tls_protocols = !SSLv2, !SSLv3 > smtp_tls_protocols = !SSLv2, !SSLv3 Wouldn't the following be more secure: smtpd_tls_protocols=!SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_t

problem with spam

2015-05-24 Thread Christos Chatzaras
My server with IP 178.63.64.86 is blacklisted at http://cbl.abuseat.org for stealrat spambot. My mail server is configured to send only e-mail from authenticated users. Also, local users (from shell) can't send e-mail, and the mail() PHP function is disabled too. I got this e-mail from hotmail (