Re: encrypt incoming emails with my public gpg key

2015-06-02 Thread Sebastian Nielsen
That's why it's important to define which security goal your setup has. If you really want to PGP-encrypt your mails at receive, you can do it with Ciphermail: https://www.ciphermail.com/ Ciphermail is implemented as an SMTP proxy, so you just feed postfix's smtp-client into ciphermail and then h

Re: need input on user .forward file format

2015-06-02 Thread Wietse Venema
> Jun 1 11:00:21 thismachine postfix/local[31382]: 7668220035F: > to=, relay=local, delay=0.08, > delays=0.06/0.01/0/0, dsn=2.0.0, status=sent (forwarded as 8374A20020A) > Jun 1 11:00:21 thismachine postfix/smtp[31351]: 8374A20020A: > to=, orig_to=, > relay=master...@domain.com:25, delay=0.06

Re: What are the advantages of banning-by-extension in Postfix versus Amavis?

2015-06-02 Thread Noel Jones
On 6/2/2015 6:43 PM, ts yrtrt wrote: > I'm moving off of shared hosting to a VPS and am building up a > Postfix server for it. > > I read through the docs on layers of security & protection against > spam, viruses, and garbage in general. > > I decided to deploy postscreen + sender & recipient he

What are the advantages of banning-by-extension in Postfix versus Amavis?

2015-06-02 Thread ts yrtrt
I'm moving off of shared hosting to a VPS and am building up a Postfix server for it. I read through the docs on layers of security & protection against spam, viruses, and garbage in general. I decided to deploy postscreen + sender & recipient header checks + DKIM signing/verification, ClamAV & S

Re: encrypt incoming emails with my public gpg key

2015-06-02 Thread Thomas Keller
On 2015-06-03 01:16, Sebastian Nielsen wrote: > If you only are worried by backups or other copies that might come in > the wrong hands, and not someone directly accessing the server, I would > suggest setting up an encrypted storage in the server. Since VPS/VM in > many times give you root access,

Re: encrypt incoming emails with my public gpg key

2015-06-02 Thread Sebastian Nielsen
I would suggest using Ciphermail / Djigzo for this. But I think you are solving your problem in a very incorrect way. Since the hosting company does have access to the VM, they could easily listen on the memory before the mail is encrypted, just after it has been decrypted by the TLS handler. If

Re: LMTP delivery failover

2015-06-02 Thread Quanah Gibson-Mount
--On Tuesday, June 02, 2015 5:26 PM -0400 Wietse Venema wrote: Quanah Gibson-Mount: --On Tuesday, March 17, 2015 12:00 PM -0700 Quanah Gibson-Mount wrote: > Hi Viktor, > > We've been able to start testing this patch. So far, it is working as > expected. It has continued to hold up throug

Re: need input on user .forward file format

2015-06-02 Thread Sharon Stahl
Hello Everyone, Thank you for your help. It appears that the problem was my myorigin setting. When it was changed from myorigin = $mydomain to myorigin = $myhostname ..the .forward file worked as expected. If I am deluding myself that this is the answer to my problem and that I have not cau

encrypt incoming emails with my public gpg key

2015-06-02 Thread Thomas Keller
Hello, my Postfix server is running as a VM in a hosted (untrusted) environment. In theory, the data on the server (i.e. my emails) could be on some backup tape, or copies could be lying around in the datacenter. Some of my emails are encrypted (people send me encrypted emails) but most are not.

Re: need input on user .forward file format

2015-06-02 Thread Sharon Stahl
On 06/02/2015 11:42 AM, Daniele Nicolodi wrote: On 02/06/15 22:45, Sharon Stahl wrote: My problem is that when the .forward file only has just "username", "thismachine" does not check the aliases file to see that it is the machine that keeps mail for that user. It adds @domain to the name and s

Re: need input on user .forward file format

2015-06-02 Thread Daniele Nicolodi
On 02/06/15 22:45, Sharon Stahl wrote: > My problem is that when the .forward file only has just "username", > "thismachine" does not check the aliases file to see that it is the > machine that > keeps mail for that user. It adds @domain to the name and sends it off to > our main NIS machine that

Re: need input on user .forward file format

2015-06-02 Thread Sharon Stahl
On 06/01/2015 01:27 PM, Wietse Venema wrote: Sharon Stahl: Hi Wietse, I came back to work and did a lot of testing but adding $mydomain to the mydestination definition made no difference with the .forward file only having a username causing a mail loop. Error in maillog appears to indic

Re: LMTP delivery failover

2015-06-02 Thread Wietse Venema
Quanah Gibson-Mount: > --On Tuesday, March 17, 2015 12:00 PM -0700 Quanah Gibson-Mount > wrote: > > > > Hi Viktor, > > > > We've been able to start testing this patch. So far, it is working as > > expected. > > It has continued to hold up through more extensive testing. Will this make > it

Re: LMTP delivery failover

2015-06-02 Thread Quanah Gibson-Mount
--On Tuesday, March 17, 2015 12:00 PM -0700 Quanah Gibson-Mount wrote: Hi Viktor, We've been able to start testing this patch. So far, it is working as expected. It has continued to hold up through more extensive testing. Will this make it into Postfix 3.1 or the next 3.0 release? Tha

Re: Receiving email from Everbridge alert systems

2015-06-02 Thread francis picabia
On Tue, Jun 2, 2015 at 12:13 PM, Wietse Venema wrote: > francis picabia: >> A remaining concern is bypassing the content_filter >> >> I've scanned through http://www.postfix.org/FILTER_README.html >> and googled this issue. >> >> I think I'd understand the FILTER documentation better >> with a rea

Re: Receiving email from Everbridge alert systems

2015-06-02 Thread Wietse Venema
francis picabia: > A remaining concern is bypassing the content_filter > > I've scanned through http://www.postfix.org/FILTER_README.html > and googled this issue. > > I think I'd understand the FILTER documentation better > with a real example. > > Let's say I want everything to go through the

Re: Receiving email from Everbridge alert systems

2015-06-02 Thread francis picabia
A remaining concern is bypassing the content_filter I've scanned through http://www.postfix.org/FILTER_README.html and googled this issue. I think I'd understand the FILTER documentation better with a real example. Let's say I want everything to go through the content filter unless it comes from

Re: Configuring DANE TLSA - "wizard"

2015-06-02 Thread Olaf Schreck
> It turns downgrade attacks into denial of service. DANE-enabled > clients do not deliver mail in cleartext to servers with published > TLSA RRs. Thanks, Victor. Should have re-read TLS_README before asking. > DO NOT publish stale TLSA records!!! Errm? No I didn't.

Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

2015-06-02 Thread Steve Jenkins
On Tue, Jun 2, 2015 at 2:33 AM, furio ercolessi wrote: > > Their recommended setting is > > reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99], > reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99], > reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99] > > Return code

Re: Configuring DANE TLSA - "wizard"

2015-06-02 Thread Viktor Dukhovni
On Tue, Jun 02, 2015 at 03:55:07PM +0200, Olaf Schreck wrote: > Slightly OT: These slides > > > https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf > > state on page 26: "DANE TLSA Benefits: prevents STARTTLS "downgrade" attacks" > > I'm probably missing something. How does

Re: Configuring DANE TLSA - "wizard"

2015-06-02 Thread Olaf Schreck
Slightly OT: These slides > https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf state on page 26: "DANE TLSA Benefits: prevents STARTTLS "downgrade" attacks" I'm probably missing something. How does publication of a TLSA record prevent STARTTLS downgrade attacks? Thanks,

Re: Configuring DANE TLSA - "wizard"

2015-06-02 Thread Viktor Dukhovni
On Tue, Jun 02, 2015 at 11:17:55AM +0200, Per Thorsheim wrote: > Quite a bit of useful info at sys4.de, but in German. Found this English > translation as a rather quick guide for parts of the process: > http://noflex.org/implementing-dnssec-dane-email-step-step/ A few comments: 1. Key generati

Re: connexion Outlook to postfix

2015-06-02 Thread Koko Wijatmoko
courier-imapd ??? this is postfix mailing list... On Tue, 02 Jun 2015 10:15:24 + emmanuel wrote: > I try to connect my outlook with my postfix server and I got these > errors: > > Jun 2 12:14:00 ns204035 courier-imapd: Connection, ip= > [:::x.x.x.x] Jun 2 12:14:01 ns204035 courier-imap

connexion Outlook to postfix

2015-06-02 Thread emmanuel
I try to connect my outlook with my postfix server and I got these errors: Jun 2 12:14:00 ns204035 courier-imapd: Connection, ip=[:::x.x.x.x] Jun 2 12:14:01 ns204035 courier-imapd: Disconnected, ip=[:::x.x.x.x], time=1 Jun 2 12:14:02 ns204035 courier-imapd: Connection, ip=[:::x.x

Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

2015-06-02 Thread furio ercolessi
On Mon, Jun 01, 2015 at 06:08:40PM -0700, Steve Jenkins wrote: > > This is expanding a bit on Elijah's OP, but here are my current > restrictions that I've been running for a while: > > smtpd_recipient_restrictions = > [...] > reject_rbl_client zen.spamhaus.org, > reject_rhsbl_cl

Re: Strip receipt request

2015-06-02 Thread Viktor Dukhovni
On Mon, Jun 01, 2015 at 11:56:18PM +, Daniel Miller wrote: > Is there a way of removing return-receipt requests from internal senders > for a particular external recipient? Or does this require a separate > tool/script to pass sent messages through? This requires a content-filter. Return re

Re: Configuring DANE TLSA - "wizard"

2015-06-02 Thread Per Thorsheim
Thx! Quite a bit of useful info at sys4.de, but in German. Found this English translation as a rather quick guide for parts of the process: http://noflex.org/implementing-dnssec-dane-email-step-step/ .per On 02.06.2015 10:47, Danny Horne wrote: > I think this is what I used...a fair bit of scro

Re: Configuring DANE TLSA - "wizard"

2015-06-02 Thread Danny Horne
I think this is what I used...a fair bit of scrolling to get to relevant information but I hope it helps https://ripe68.ripe.net/presentations/253-DANEs_don%27t_lie-20140512.pdf On 02/06/2015 9:35 am, Per Thorsheim wrote: > Cannot find a simple process guide for configuring DANE TLSA support & >

Configuring DANE TLSA - "wizard"

2015-06-02 Thread Per Thorsheim
Cannot find a simple process guide for configuring DANE TLSA support & publish relevant DNSSEC signed information. Anyone got a complete guide from start to finish? BR, Per