domain, ... than the content language.
If this is a private mail server for only a small number of people, any
mail in a script that none of the users can read is almost guaranteed to
be spam, and would not be useful even if it wasn’t.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
x can to some extent enforce envelope to sender mismatches,
> the real concern is usually the "From:" header, ... whose content is not
> the MSAs job to enforce.
A milter must be used for this. Since this, along with DMARC, is a
core responsibility of a modern MTA, I am curious if
would
> be a performance disaster.
Is this because Postfix is designed assuming that queue access has low
latency, and therefore does not try to hide the latency with asynchronous
operations and batching?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
ted to deliver to someone hosted on office 365, we get a bounce
> like the below, where it seems to not have rejected on the envelope header,
> but on the envelope recipient..
Exchange 365 is correct to refuse delivery to support-st...@isc.org,
at least assuming that isc.org is not itself on
a config file has
changed and reload accordingly?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
therwise, the script can just send
mail directly.
You might try submitting a patch to add this feature to postdrop (the
privileged mail submission component of Postfix).
--
Sincerely,
Demi Marie Obenour (she/her/hers)
kend and it does work.
> Regular users can send emails after being authenticated.
Have you considered using Kerberos + channel binding instead of
LDAP authentication?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Don't do that.
>
> Also, you are receiving mail, presumably via SMTP, and then bouncing
> it. Don't do that.
Is there any reason for mail received on port 25 to be bounced? Or should
bouncing be reserved for authenticated mail submission?
--
Sincerely,
Demi Marie Obenour
ntication Milter?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
ters. See below
> for comments on those.
>
>> smtp_tls_loglevel = 1
>> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>> smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>
> The above parameter isn't needed (and maybe the one
> above it too). TLSv1 and TLSv1.1 are better than no
> encryption at all. And these settings are for outgoing
> connections. So even if your mail server is scanned as
> part of a naive cookie-cutter security assessment, the
> scanner won't know that you are willing to use those
> deprecated protocols for sending mail, and so won't
> complain. If you don't exclude TLSv1 and TLSv1.1 in the
> similar smtpd_tls_protocols parameter, such a scanner
> would complain, even though it's still better than no
> encryption. Security scanners usually assume that
> policies that should apply to a web server (using
> mandatory encryption) should also apply to a mail
> server (using opportunistic encryption).
For ports 465 and 587, encryption should be mandatory, so requiring
strong ciphers is a good idea. Also, blocking non-forward-secrecy
ciphers is important to prevent the ROBOT attack.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
> --tlsc
> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25
> --tls
> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25
>
> Does this constitute proof that relaying isn't possible anymore?
You need to ensure that the outside world cannot connect to Postfix or
Dovecot directly, bypassing HAProxy.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
to test scache, how can I trigger it?
>>
>> If I send one email to multiple email addresses on same domain, will
>> this trigger scache? (ie, deliver multiple emails in one connection to
>> the server?)
>
> Did you build Postfix?
>
> Is this one of those contain
led
> configuration settings now.
An alternative, which I prefer, is to require all submission to be on port
465 (over TLS) and require SASL authentication on that port. Port 25 would
then be for receiving email only. I prefer using client certificates for
authentication, and having the secret
formance metrics for large email messages, because many connections
> are handled by a smaller number of single-threaded tlsproxy
> processes.
Can these processes handle multiple connections concurrently in an
event-driven manner?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
r
> the disclosure of that info.
The most important part is not supporting RSA key exchange. If you support
RSA key exchange you may be vulnerable to e.g. ROBOT or Bleichenbacher’s CAT.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
or example:
>>>
>>> https://news.ycombinator.com/item?id=28312935
>>>
>> We do use Alpine Linux so maybe truncation is the issue? I thought it may
>> have been initially but couldn't find anything confirming
>>
> This is from the mail rela
e laptop is
> in the LAN or VPN.
> Then emails get lost if they arrive while not in the LAN / VPN.
>
> Or do you maybe have a different idea / suggestion about how to collect local
> system emails from laptop clients?
Place the FQDN in /etc/hosts.
--
Sincerely,
Demi Marie Obenour (she
loss caused by system-effing-d.
>
> https://www.postfix.org/MAILLOG_README.html
>
> Wietse
RateLimitIntervalSec=0 in journald.conf is also an option.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
ike they knew what they
> were talking about. That was of course 7 years ago so maybe things
> have changed since.
>
> nate
You should definitely deploy DNSSEC, but only after you are able to
deploy it properly. That means having procedures to avoid nasty DNSSEC-
related downtime.
-
f is misconfigured. I don’t
run a mail server, but if I did, I would be pretending that Google
had p=quarantine, even though it has p=none. I would also be using
DNS over TLS to 8.8.8.8 with pinned CA certificates to get Google’s
DNS records, and refusing to send mail to Google unless a Goog
e better, especially on
>>>> the dmz.
>
>> On 8/19/22 07:08, Matus UHLAR - fantomas wrote:
>>> I'd say "especially for connections crossing not-secured network".
>>> mails within LAN/DMZ should be safe unencrypted, unless you have reason
;especially for connections crossing not-secured network".
> mails within LAN/DMZ should be safe unencrypted, unless you have reason not
> to trust the network or someone on it.
Google made this assumption and it turned out to be wrong. Use mutually
authenticated TLS.
--
Sincerely,
Demi
eiving server will trust the sending server.
I recommend using client certificate authentication on port 465 instead.
IP addresses are not a strong form of authentication unless one is using
a secure VPN such as WireGuard. Also one should be encrypting traffic
anyway as a ma
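The replies above argue for one configuration from several angles: mandatory TLS with strong ciphers on 465/587, no RSA key exchange so that no Bleichenbacher/ROBOT oracle is exposed, and client-certificate authentication on port 465 rather than trusting source IP addresses. The following is an added example, not code from the thread and not Postfix's own code: it parses main.cf/master.cf fragments and audits each submission service for those properties. The parameter names are real Postfix parameters; the pass/fail policy, both sample configurations and the table /etc/postfix/relay_clientcerts are this example's own assumptions.

```python
"""Audit Postfix submission-port TLS settings. Added example, not Postfix code:
the parameter names are real Postfix parameters, the pass/fail policy and both
sample configurations are this example's own."""
import re

WEAK_TLS = {"TLSv1", "TLSv1.1"}


def parse_main_cf(text):
    """main.cf syntax: 'name = value', '#' comments, indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text):
    """Indented '-o name=value' overrides following each 8-field inet service line."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] not in " \t":
            fields = line.split()
            current = fields[0] if len(fields) >= 8 and fields[1] == "inet" else None
            if current:
                services[current] = {}
        elif current and line.startswith("-o"):
            name, _, value = line[2:].strip().partition("=")
            services[current][name.strip()] = value.strip()
    return services


def allows_weak_tls(spec):
    """True unless TLSv1 and TLSv1.1 are shut out; handles '!SSLv2,!SSLv3,!TLSv1,
    !TLSv1.1', 'TLSv1.2,TLSv1.3' and the '>=TLSv1.2' form of Postfix 3.6+."""
    tokens = [t for t in re.split(r"[,\s]+", spec) if t]
    if not tokens:
        return True                      # stock defaults still allow TLSv1
    m = re.fullmatch(r">=TLSv(\d(?:\.\d)?)", tokens[0])
    if m:
        return float(m.group(1)) < 1.2
    if all(t.startswith("!") for t in tokens):
        return not WEAK_TLS <= {t[1:] for t in tokens}
    return bool(WEAK_TLS & set(tokens))


def audit_service(main_cf, master_cf, service):
    """Findings for one inet service; '-o' overrides win, unset means default."""
    overrides = master_cf[service]
    def eff(name):
        return overrides.get(name, main_cf.get(name, ""))
    findings = []
    # Wrapper mode (port 465) cannot even begin without a TLS handshake.
    if eff("smtpd_tls_security_level") != "encrypt" and eff("smtpd_tls_wrappermode") != "yes":
        findings.append("TLS is not mandatory")
    if allows_weak_tls(eff("smtpd_tls_mandatory_protocols")):
        findings.append("TLSv1/TLSv1.1 still enabled")
    if eff("smtpd_tls_mandatory_ciphers") != "high":
        findings.append("mandatory cipher grade is not 'high'")
    excluded = eff("smtpd_tls_exclude_ciphers") + "," + eff("smtpd_tls_mandatory_exclude_ciphers")
    if "kRSA" not in re.split(r"[,\s]+", excluded):
        findings.append("RSA key exchange (kRSA) not excluded")
    if eff("smtpd_sasl_auth_enable") != "yes" and eff("smtpd_tls_req_ccert") != "yes":
        findings.append("neither SASL nor a required client certificate")
    return findings


# Constructed weak sample: TLS optional, no cipher policy, no authentication.
WEAK_MAIN_CF = """
smtpd_tls_security_level = may
"""
WEAK_MASTER_CF = """
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
"""
# Constructed hardened sample (cert/key lines omitted): port 25 stays receive-only,
# all submission is on 465 with a required client certificate, and the assumed
# table /etc/postfix/relay_clientcerts maps certificate fingerprints to 'permit'.
HARD_MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, RC4, 3DES, kRSA
"""
HARD_MASTER_CF = """
smtps inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_req_ccert=yes
  -o smtpd_relay_restrictions=check_ccert_access,hash:/etc/postfix/relay_clientcerts,reject
"""
```

Feed it the output of `postconf -n` and `postconf -M` from a real host to audit that host. Two caveats the checks rely on: `smtpd_tls_req_ccert` is only honoured at a mandatory TLS level and requires a certificate that verifies against `smtpd_tls_CAfile`/`smtpd_tls_CApath`, after which `check_ccert_access` decides relay rights by fingerprint; and excluding `kRSA` only affects TLS 1.2 and earlier suites, since every TLS 1.3 suite already uses ephemeral (EC)DHE key exchange.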
ebinding protection in unbound.conf.
You should allow only the expected RFC1918 addresses, not all of them
and certainly not loopback.
What RFC1918 addresses are you seeing?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
net.
That is, unauthorized users must not be able to submit DNS queries
to it. If they can, I suspect it would be considered a public
recursive resolver and blocked.
Can you provide your `unbound.conf` as well as all of the files
it includes?
--
Sincerely,
Demi Marie Obenour (she/he
-user / user aliases are processed after the virtual
> alias, yes?
>
> I think the big problem here (as Bob Proulx pointed out) is that the
> forwarded mail is spam. For my own email, I do spam filtering on a
> different machine (i.e., after postfix has delivered it). I'm
Indeed. Interesting. I use duckduckgo (which relies on Bing afaik) and it
> doesn’t find that.
>
>> which links to https://github.com/openssl/openssl/issues/11378
>> <https://github.com/openssl/openssl/issues/11378>. The
>> latter had a breaking fix, backed it out for
recipient address lookups, which is good for reliability.
>
> The documentation is consistent with this behavior.
>
> I think that replacing the documentation with (correct) pseudocode
> would not be an improvement. Humans are not machines.
I agree, but including correct pseudocode coul
> Wietse
TPM-backed storage might work, but I suspect it is too slow in
practice. One could use TPM-based disk encryption though.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
t;> imaps/pop3/smtps/submission services (tls encrypted of course)
>>
>> one way to authenticate may be using Kerberos.
>
> Not recommended for roaming users accessing submission service via
> public Internet.
>
> Ciao, Michael.
Hard disagree; Kerberos is safe
ers (Dovecot, Apache, ...). May be this
> is a hint into the direction of what might help you.
>
> Cheers, Dirk.
Please enable channel binding if you go with this route.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
d out all features for PKI client cert enrollment from
> Firefox and Thunderbird. So today it's easier to issue client certs to
> Outlook users than to Thunderbird users. :-(
>
> Ciao, Michael.
Please report a bug on https://bugzilla.mozilla.org as this is a problem
with Thunderbi
On 4/26/22 01:35, Antonio Leding wrote:
> Anyone who thinks that F2B merely “quiets logs” unfortunately has no
> idea what F2B actually does…
Would you mind explaining?
--
Sincerely,
Demi Marie Obenour (she/her/hers)
ice re DMARC, never have or will use it.
>
> Which indeed IS a word of advice. :)
And a bad one.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
it is in Postfix, it will be
implemented properly.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
terface, and is necessary to avoid a trivial denial of
service by being slow to consume events. Inotify does tell you when
events have been lost, though, which allows you to resynchronize.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
I was too lazy to write code that determines if these are
> 1-to-1 or 1-to-many, but also because it might reveal too much
> information. It will just report that the address before alias
> expansion or forwarding is valid.
>
> Wietse
Is reject_unverified_recipient the correct app
> no hard limit.
>
> However, increasing the number of processes only improves performance
> up to the point that the OS kernel can no longer provide resources
> to all those running processes.
To what extent is Postfix’s process-per-connection architecture a
limitation here?
ve is equivalent to:
>
> smtpd_client_restrictions =
> check_helo_access pcre:/etc/postfix/helo_access.pcre
> check_client_access regexp:/etc/postfix/helo_access.regex
>
> Wietse
Would it be possible for Postfix to issue a warning for such deprecated
synt
figure it very carefully.
>
> what if mailman did not accept subscribers with dmarc policy reject ?
That is not a good idea. You may lose legitimate subscribers this way.
Use a mailing list package that can handle header-from rewriting.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
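The header-From rewriting recommended in the reply above, as an added example that is not from the thread and not from Mailman or any other list package: when the author's domain publishes DMARC p=reject or p=quarantine, the list itself becomes the From: address, the author stays visible in the display name and in Reply-To, and the original header is preserved. The DMARC lookup is a constructed table standing in for a DNS TXT query of `_dmarc.<domain>`; the list address, list name and sample message are assumptions.

```python
"""Header-From rewriting for DMARC-protected authors (added example; not the
thread's code and not from Mailman or any other list package).

A list re-sends a post from its own servers and usually alters it (subject
tag, footer), so the author's DKIM signature breaks and SPF fails; if the
author's domain publishes p=reject, recipients bounce the post. Rewriting
From: to the list keeps such subscribers instead of refusing them."""
from email import message_from_string
from email.utils import formataddr, parseaddr

LIST_ADDR = "list@lists.example.org"   # assumed list address
LIST_NAME = "Example List"             # assumed list display name

# Constructed stand-in for a DNS TXT lookup of _dmarc.<domain>. A real list
# manager queries DNS and falls back to the organizational domain; this
# example does not implement that fallback.
DMARC_TXT = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "soft.example":   "v=DMARC1; p=quarantine; pct=100",
    "open.example":   "v=DMARC1; p=none",
}


def dmarc_policy(domain, records=DMARC_TXT):
    """Return the p= tag ('none', 'quarantine', 'reject') of the domain's DMARC
    record, or None when there is no valid record."""
    tags = {}
    for part in records.get(domain.lower(), "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p") or None


def needs_munging(from_header):
    """True when the From: domain enforces DMARC (quarantine or reject)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return bool(domain) and dmarc_policy(domain) in ("reject", "quarantine")


def munge_from(msg):
    """Rewrite From: in place. The author survives in the display name, in
    Reply-To (so replies still reach them) and verbatim in X-Original-From.
    Returns True if the message was changed."""
    original = msg.get("From", "")
    if not needs_munging(original):
        return False
    name, addr = parseaddr(original)
    msg.replace_header("From", formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDR)))
    msg["X-Original-From"] = original
    reply_to = [r.strip() for r in msg.get("Reply-To", "").split(",") if r.strip()]
    if addr not in [parseaddr(r)[1] for r in reply_to]:
        reply_to.append(formataddr((name, addr)))
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(reply_to)
    return True


def munge_text(raw):
    """Parse an RFC 5322 message text, apply munge_from, return (changed, msg)."""
    msg = message_from_string(raw)
    return munge_from(msg), msg


# Constructed sample post from a p=reject domain.
SAMPLE_POST = """\
From: Alice Example <alice@strict.example>
To: list@lists.example.org
Subject: [Example List] hello
Message-ID: <constructed-1@strict.example>

This message body is constructed for the example.
"""

if __name__ == "__main__":
    changed, msg = munge_text(SAMPLE_POST)
    print(changed)
    print(msg.as_string())
```

Running the rewrite twice is harmless: once From: is the list's own domain, `needs_munging` no longer fires. The list still has to DKIM-sign the outgoing message for its own domain, since the rewritten From: is now the domain that recipients evaluate DMARC against.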
rmore, both Google and Mozilla have declared
insecure HTTP to be deprecated.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
use disabling
legacy protocols will reduce OpenSSL’s attack surface. However, if DANE,
MTA-STS, or certificate verification is in use, then TLS 1.0 and TLS 1.1
should be disabled, as Postfix will fail closed in that case. The same
is true for SMTPS and submission with mandatory STARTTLS.
--
.postfix.org/ currently works for me.
Browsers are starting to deprecate that, though.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
systems but okay on the others?
>
> Bob
My intuition is that either some timeout somewhere got hit, or that
some I/O failed (rather than being queued forever) and caused an error
paging in some code. That would cause Postfix to die with SIGBUS.
Do you have Postfix set to automatical
ending to engage in a secondary boycott of major mail service
> providers' (e.g. Microsoft) customers.
>
> (and no, I'm not affiliated with them in any way.)
Do all of the major mail service providers have valid DMARC? If so,
one approach would be to reject (or, more likely,
On 4/30/21 8:44 AM, Wietse Venema wrote:
> @lbutlr:
>> On 29 Apr 2021, at 17:05, Wietse Venema wrote:
>>>This release requires "postfix stop" before updating, or before
>>>backing out to an earlier release, because some internal protocols
>>>have changed. Otherwise, long-running daemon
On 4/28/21 6:59 PM, Asai wrote:
> Thank you, Wietse:
>>
>> This means that client systems are compromised with malware
>> that sends email directly to the outside world, bypassing
>> your mail server.
>>
>> To stop these, block outbound port 25 on your firewall for all
>> systems except your mail s
On 4/27/21 9:30 AM, Paul Menzel wrote:
> Dear Wietse,
>
>
> Am 27.04.21 um 14:49 schrieb Wietse Venema:
>> Paul Menzel:
>
>>> In our infrastructure, we are building Postfix from source with an
>>> unprivileged user, and also try to run most services as an unprivileged
>>> user. Privileged ports
On 4/18/21 8:04 PM, Viktor Dukhovni wrote:
> On Sun, Apr 18, 2021 at 07:59:07PM -0400, Demi Marie Obenour wrote:
>
>>>> Would it be possible to support trusting based on subject alt name?
>>>> I would like a machine with a certificate for a.example.com to send
>
On 4/18/21 2:39 PM, Wietse Venema wrote:
> Demi Marie Obenour:
>>>> It seems that There are knobs that let you list *individual certs* for
>>>> allowing trusted relaying, but not *individual ca's*.
>>>>
>>>> Is there any way around this?
On 4/17/21 5:15 PM, Wietse Venema wrote:
> Dan Mahoney (Gushi):
>> All,
>>
>> The dayjob has a number of machines out in the wild that need to be able
>> to send mail (mostly from cron jobs) home to the mothership. Not all have
>> controllable reverse DNS. It's an issue with donated colo and tr
On 4/15/21 11:00 AM, Wietse Venema wrote:
> Demi Marie Obenour:
>> Would the following be a good idea?
> [a bunch of port-dependent behavior]
>
> That is all good and well, but this needs to be made configurable.
>
> I boldly assume this will use the xxx_tls_wrapper_mode
On 4/14/21 3:39 PM, Wietse Venema wrote:
> Viktor Dukhovni:
>> On Wed, Apr 14, 2021 at 02:24:23PM -0400, Wietse Venema wrote:
>>> TL;DR: the idea is to change the smtpd_forbidden_commands default
>>> setting to something like:
>>>
>>> CONNECT GET POST pcre:{/^\x16/ Possible TLS handshake}
>>>
>
On 3/21/21 8:13 PM, John Levine wrote:
> It appears that Wietse Venema said:
>> With uniform or compressed payloads, 256 bytes become 261 on average,
>> thus it takes 978.9 bytes on average to expand into 998. Add CR
>> and LF to the 998, and we have an expansion of 1000/978.9=1.022 or
>> just a
On 3/21/21 2:25 PM, Wietse Venema wrote:
> John Levine:
>> It appears that Wietse Venema said:
>>> Demi Marie Obenour:
>>>> How useful would BINARYMIME support be? It does mean that DKIM signing
>>>> would need to be done in the sending path, but I cann
would be a nice feature, tbh. The only open-source MTA I
know of with built-in DKIM is Exim but I would never dare use it in
production.
Ideally, the signing keys should be in a separate process for privilege
separation, but Postfix is already multi-process so that should be
doable. Of cour