Re: password security

2022-04-26 Thread Lefteris Tsintjelis
On 26/4/2022 20:11, Antonio Leding wrote: “…I'm just saying it's [F2B] not a solution to modern brute-force attack on passwords/accounts….” It’s actually staggering that you say this because of how incredibly inaccurate this statement is… Presume someone goes brute-force against a PostFix se

Re: SMTPD delay rejects evaluation

2022-01-03 Thread Lefteris Tsintjelis
On 3/1/2022 14:55, Alexander Stienstra wrote: On 29-12-2021 11:13, Matus UHLAR - fantomas wrote: - With smtpd_delay_reject=no, Postfix will log a DNSBL 'reject' in smtpd_client_restrictions without any sender or recipient information. That makes it difficult to answer questions about "missin

Re: SMTPD delay rejects evaluation]

2021-12-26 Thread Lefteris Tsintjelis
On 26/12/2021 17:51, Wietse Venema wrote: Depends on what you mean with "accurate". I mean the locally maintained IP RBL. It is critical as this will be doing most of the rejection. - With smtpd_delay_reject=yes, Postfix logs the client, helo, sender, and recipient. With delays set to ye

Re: SMTPD delay rejects evaluation]

2021-12-25 Thread Lefteris Tsintjelis
On 25/12/2021 17:55, Wietse Venema wrote: Use fail2ban etc. to lock out bad clients, whether they fail SASL requirements, rate limit requirements, or other requirements. I used to do it with fail2ban for a while and still use it in some cases but I wanted something in-house more permanent and

Re: SMTPD delay rejects evaluation]

2021-12-25 Thread Lefteris Tsintjelis
On 25/12/2021 16:50, Wietse Venema wrote: Wietse Venema: Rejects for SMTP syntax and SASL login are evaluated separate from smtpd_{client, helo, etc}_restrictions. SASL was my main concern. Is it possible to evaluate and reveal that info last then after all other rejects instead of first and

Re: SMTPD delay rejects evaluation

2021-12-25 Thread Lefteris Tsintjelis
On 25/12/2021 14:45, Wietse Venema wrote: Lefteris Tsintjelis: I am trying to find more info about how delay rejects work and more specifically how they are evaluated in case of multiple rejections when delay rejects are on. Are all restrictions evaluated until RCPT TO in case of multiple

SMTPD delay rejects evaluation

2021-12-25 Thread Lefteris Tsintjelis
I am trying to find more info about how delay rejects work and more specifically how they are evaluated in case of multiple rejections when delay rejects are on. Are all restrictions evaluated until RCPT TO in case of multiple rejects? Do some restrictions have priority over others if more than

SMTPS and submission protection

2021-12-12 Thread Lefteris Tsintjelis
Is there a way to limit access by RBLs postscreen alike? Lefteris

Re: dkim updating keys

2019-06-23 Thread Lefteris Tsintjelis
On 23/6/2019 23:25, Ralph Seichter wrote: * Lefteris Tsintjelis: In case DNS does not use notify then yes you should wait for the zone refresh time in SOA (not TTL) for all slaves to sync. I recommended the zone's TTL because it is the upper limit for all cached data to disappear The

Re: dkim updating keys

2019-06-23 Thread Lefteris Tsintjelis
On 23/6/2019 16:20, Ralph Seichter wrote: * Esteban L.: Trying to figure this out with as little disruption as possible. I suggest you do the following, in order: * Generate new key. * Add new key's data, using a new DKIM selector, to your DNS. * Wait for your domain zone's DNS TTL to expir

Re: Best practices link for postscreen

2019-06-22 Thread Lefteris Tsintjelis
On 22/6/2019 17:36, Wietse Venema wrote: Sharing a non-persistent cache (memcache) is the only option because it can respond with low latency both for old and new queries. But that of course limits the cache size. Sharing a persistent cache is not an option because that requires a DBMS with mil

Re: Best practices link for postscreen

2019-06-22 Thread Lefteris Tsintjelis
On 22/6/2019 10:18, Durga Prasad Malyala wrote: > Hi > Does anyone have best practices link for postscreen implementation. http://rob0.nodns4.us/postscreen.html http://www.postfix.org/POSTSCREEN_README.html It is a start but I would also like to see more examples and recommendations in more advan

Re: DANE with own CA

2019-06-16 Thread Lefteris Tsintjelis
On 14/6/2019 21:18, Viktor Dukhovni wrote: > The use of private CAs with certificate usage DANE-TA(2) is specified for SMTP and supported in Postfix, Exim, ... See: > https://tools.ietf.org/html/rfc7671#section-5.2 > The trust-anchor CA certificate MUST be included in your certifica

Re: DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
On 14/6/2019 22:34, Benny Pedersen wrote: Lefteris Tsintjelis wrote on 2019-06-14 21:18: On 14/6/2019 22:15, Benny Pedersen wrote: Lefteris Tsintjelis wrote on 2019-06-14 20:54: Is there a way to check from logs or headers if DANE was used (un)successfully and possibly monitor the method

Re: DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
On 14/6/2019 22:15, Benny Pedersen wrote: Lefteris Tsintjelis wrote on 2019-06-14 20:54: Is there a way to check from logs or headers if DANE was used (un)successfully and possibly monitor the method as well? grep Verified in logs This could very well be from the "known" CAs

Re: DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
On 14/6/2019 21:20, Viktor Dukhovni wrote: On Fri, Jun 14, 2019 at 06:22:55PM +0300, Lefteris Tsintjelis wrote: Best to create the DNS record from the public certificate. No, actually, best to create from the public key. https://github.com/danefail/list/issues/47#issuecomment-456623996
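As an added example (not code from this thread or from Postfix), the derivation Viktor is pointing at, in Go with only the standard library: a DANE-EE "3 1 1" record is the SHA-256 of the certificate's SubjectPublicKeyInfo, so it stays valid when the certificate is reissued for the same key, while a "3 0 1" record over the whole certificate changes at every renewal. The private-CA case from the same thread is published as a "2 1 1" DANE-TA record over the CA's public key. The names mx.example.com and "Example Private CA" and the in-process generated keys are assumptions; the strings returned are what would be published under _25._tcp.<mx host>.

```go
// Added example, not code from the thread: derive SMTP DANE TLSA records with
// Go's standard library. "3 1 1" hashes the SubjectPublicKeyInfo, "3 0 1" the
// whole certificate, "2 1 1" a private CA. Names and keys are assumptions.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord renders "<owner> IN TLSA <usage> <selector> 1 <sha256-hex>".
// Only DANE-TA(2) and DANE-EE(3) are meaningful for SMTP (RFC 7672).
func TLSARecord(owner string, usage, selector int, cert *x509.Certificate) (string, error) {
	if usage != 2 && usage != 3 {
		return "", fmt.Errorf("usage %d not valid for SMTP DANE", usage)
	}
	if selector != 0 && selector != 1 {
		return "", fmt.Errorf("unsupported selector %d", selector)
	}
	data := cert.Raw // selector 0: full DER certificate
	if selector == 1 {
		data = cert.RawSubjectPublicKeyInfo // selector 1: SubjectPublicKeyInfo only
	}
	sum := sha256.Sum256(data)
	return fmt.Sprintf("%s IN TLSA %d %d 1 %s", owner, usage, selector, hex.EncodeToString(sum[:])), nil
}

// newKey and issue fabricate in-process test material and panic on failure.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub with signer; self-signed when parent is nil.
func issue(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

type Records struct {
	EE1, EE2     string // 3 1 1 for two leaf certs sharing one key: equal
	Full1, Full2 string // 3 0 1 for the same two certs: differ
	TA           string // 2 1 1 for the private CA
}

// Demo builds a private CA and two leaf certificates for one MX key with
// different serial numbers (a renewal), then derives each record.
func Demo() Records {
	const owner = "_25._tcp.mx.example.com."
	caKey, mxKey := newKey(), newKey()
	ca := issue(1, "Example Private CA", true, &caKey.PublicKey, nil, caKey)
	leaf1 := issue(2, "mx.example.com", false, &mxKey.PublicKey, ca, caKey)
	leaf2 := issue(3, "mx.example.com", false, &mxKey.PublicKey, ca, caKey)
	var r Records // errors are impossible here: usage and selector are constants
	r.EE1, _ = TLSARecord(owner, 3, 1, leaf1)
	r.EE2, _ = TLSARecord(owner, 3, 1, leaf2)
	r.Full1, _ = TLSARecord(owner, 3, 0, leaf1)
	r.Full2, _ = TLSARecord(owner, 3, 0, leaf2)
	r.TA, _ = TLSARecord(owner, 2, 1, ca)
	return r
}
```

Demo() returns the record strings; Records.EE1 and Records.EE2 come out identical while Full1 and Full2 do not, which is the practical reason to publish the public-key form. For the DANE-TA variant the CA certificate also has to be sent in the server's chain, as Viktor's reply above says.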

Re: DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
On 14/6/2019 16:05, Lefteris Tsintjelis wrote: On 14/6/2019 14:39, Ralph Seichter wrote: * Lefteris Tsintjelis: Can I use DANE with postfix or do I need a certificate from a known CA in order to do that? With DNSSEC in place, you can simply add the DNS records based on your own CA's

Re: DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
On 14/6/2019 14:39, Ralph Seichter wrote: * Lefteris Tsintjelis: Can I use DANE with postfix or do I need a certificate from a known CA in order to do that? With DNSSEC in place, you can simply add the DNS records based on your own CA's data. No need for certificates from a "well

Re: DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
On 14/6/2019 14:39, Ralph Seichter wrote: * Lefteris Tsintjelis: Can I use DANE with postfix or do I need a certificate from a known CA in order to do that? With DNSSEC in place, you can simply add the DNS records based on your own CA's data. No need for certificates from a "well

DANE with own CA

2019-06-14 Thread Lefteris Tsintjelis
Hi, I already have a working DNSSEC with my own CA. Can I use DANE with postfix or do I need a certificate from a known CA in order to do that?

Re: Virtual users and local users in the same domain?

2019-06-12 Thread Lefteris Tsintjelis
On 12/6/2019 16:20, @lbutlr wrote: Can I have mydestination be blank? And rely on virtual for the local users until I move everyone? Yes of course and you should have mydestination blank otherwise you will get a domain warning listed in virtual and local. If you list local users in virtual,

Re: Blacklistd interaction

2019-05-06 Thread Lefteris Tsintjelis
On 6/5/2019 16:30, Wietse Venema wrote: Lefteris Tsintjelis: On 6/5/2019 12:03, lists wrote: SSHGuard now works for more than ssh. It has hooks for postfix and other services. That is great then! More and much better choices other than log parsers. Fyi, SSHGuard is a logfile parser

Re: Blacklistd interaction

2019-05-06 Thread Lefteris Tsintjelis
On 6/5/2019 20:07, @lbutlr wrote: On 6 May 2019, at 06:33, Lefteris Tsintjelis wrote: On 6/5/2019 15:14, @lbutlr wrote: On 6 May 2019, at 02:10, Lefteris Tsintjelis wrote: Fail2ban and equivalent log parsers are just too resource hungry, No they aren't. Yes they are. Not on my

Re: Blacklistd interaction

2019-05-06 Thread Lefteris Tsintjelis
On 6/5/2019 15:14, @lbutlr wrote: On 6 May 2019, at 02:10, Lefteris Tsintjelis wrote: Fail2ban and equivalent log parsers are just too resource hungry, No they aren't. Yes they are. messy and more time consuming to maintain Sounds like you are parting some false information other

Re: Blacklistd interaction

2019-05-06 Thread Lefteris Tsintjelis
On 6/5/2019 12:03, lists wrote: SSHGuard now works for more than ssh. It has hooks for postfix and other services. That is great then! More and much better choices other than log parsers.

Re: Blacklistd interaction

2019-05-06 Thread Lefteris Tsintjelis
On 6/5/2019 9:42, @lbutlr wrote: On 4 May 2019, at 15:52, Lefteris Tsintjelis wrote: Would be great to consider its future adoption and if possible to take it even further to interact with postscreen. Why would this be a good thing for postfix to do? There are already plenty of tools that

Re: Blacklistd interaction

2019-05-04 Thread Lefteris Tsintjelis
On 5/5/2019 0:26, Wietse Venema wrote: Wietse Venema: Lefteris Tsintjelis: I am struggling to find some info about how postfix collaborates with blacklistd but can't seem to find much. I assume this is only login based so far (works REALLY great BTW). Besides the false logins, the quest

Blacklistd interaction

2019-05-04 Thread Lefteris Tsintjelis
I am struggling to find some info about how postfix collaborates with blacklistd but can't seem to find much. I assume this is only login based so far (works REALLY great BTW). Besides the false logins, the question I have is if it is possible to use blacklistd with postscreen also (I assume it

Re: Turn off command pipelining for a domain

2019-01-05 Thread Lefteris Tsintjelis
On 6/1/2019 4:48 a.m., John Fawcett wrote: Only thing is that you'll have to specify ip addresses not domain names, since dns lookups are not available for these maps. The remote servers of yahoo are mostly the problem. I rarely see this issue with any other servers but it usually applies to th

Turn off command pipelining for a domain

2019-01-05 Thread Lefteris Tsintjelis
Is there a possible way to turn off command pipelining completely for a whole domain based on DNS? The pipelining-firewalling of yahoo.com seems to be broken quite often. Something like: yahoo.com pipelining

Re: Brute force attacks in various ports

2016-07-26 Thread Lefteris Tsintjelis
> On 26 Jul 2016, at 21:35, Benny Pedersen wrote: > On 2016-07-26 19:55, Lefteris Tsintjelis wrote: >> On 26 Jul 2016, at 20:36, Benny Pedersen wrote: >>> fail2ban based on pbl, but in fail2ban whitelist isp you have users in >> Is log parsing the only way?

Re: Brute force attacks in various ports

2016-07-26 Thread Lefteris Tsintjelis
On 26 Jul 2016, at 20:36, Benny Pedersen wrote: > fail2ban based on pbl, but in fail2ban whitelist isp you have users in Is log parsing the only way?

Brute force attacks in various ports

2016-07-26 Thread Lefteris Tsintjelis
Ever since postscreen is up and running I see very often from various IPs this:
Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: too many errors after AUTH from unknown[109.167.202.37]
Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: disconnect from unknown[109.167.202.37] ehlo=1 auth=0/1 commands=1
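As an added example (not code from this post, the thread, or fail2ban itself): a small Go detector run over constructed log lines modelled on the two quoted above. It counts failed AUTH attempts per client from the auth=<succeeded>/<attempted> field of the smtpd disconnect summary (so the per-attempt "SASL ... authentication failed" warnings are not counted twice), bans a client that crosses a per-client threshold inside a sliding window, which is what a fail2ban jail does, and separately flags the pattern the later "F2B is not a solution to modern brute-force" exchange in this archive is about: many clients that each fail once and never trip a per-client rule. The window, both thresholds, the hostnames and the RFC 5737 addresses are assumptions.

```go
// Added example, not code from this post or the thread, and not fail2ban:
// a fail2ban-style detector over constructed Postfix "disconnect from" summary
// lines. The auth=<succeeded>/<attempted> field counts failed AUTH attempts per
// session. Thresholds, window and RFC 5737 addresses are assumptions.
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Syslog timestamps carry no year; relative sliding windows do not need one.
var disconnectRE = regexp.MustCompile(
	`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: disconnect from \S+\[([0-9a-fA-F.:]+)\].* auth=(\d+)/(\d+)`)

type AuthEvent struct {
	At     time.Time
	IP     string
	Failed int // attempted minus succeeded
}

// ParseLine returns ok=false for lines that are not disconnect summaries and
// for sessions that never issued AUTH.
func ParseLine(line string) (ev AuthEvent, ok bool) {
	m := disconnectRE.FindStringSubmatch(line)
	if m == nil {
		return ev, false
	}
	at, err := time.Parse("Jan _2 15:04:05", m[1])
	if err != nil {
		return ev, false
	}
	succeeded, _ := strconv.Atoi(m[3])
	attempted, _ := strconv.Atoi(m[4])
	if attempted == 0 {
		return ev, false
	}
	return AuthEvent{At: at, IP: m[2], Failed: attempted - succeeded}, true
}

type Verdict struct {
	Banned      []string // clients that reached perIP failures inside one window
	Distributed bool     // at least distinctIPs unbanned clients failed in the last window
}

// Detect replays lines in log order. Per-client banning is the fail2ban model;
// Distributed flags what that model misses: many clients, each under the threshold.
func Detect(lines []string, window time.Duration, perIP, distinctIPs int) Verdict {
	fails := map[string][]time.Time{} // one timestamp per failed attempt
	banned := map[string]bool{}
	var v Verdict
	var last time.Time
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok || ev.Failed == 0 {
			continue
		}
		q := fails[ev.IP]
		for i := 0; i < ev.Failed; i++ {
			q = append(q, ev.At)
		}
		for len(q) > 0 && q[0].Before(ev.At.Add(-window)) { // expire old entries
			q = q[1:]
		}
		fails[ev.IP] = q
		if len(q) >= perIP && !banned[ev.IP] {
			banned[ev.IP] = true
			v.Banned = append(v.Banned, ev.IP)
		}
		last = ev.At
	}
	cut := last.Add(-window)
	lowAndSlow := 0
	for ip, q := range fails {
		if !banned[ip] && len(q) > 0 && !q[len(q)-1].Before(cut) {
			lowAndSlow++
		}
	}
	v.Distributed = lowAndSlow >= distinctIPs
	return v
}

// SampleLog is constructed input modelled on the lines quoted in the post above.
var SampleLog = func() []string {
	lines := []string{
		"Jul 26 20:05:25 mx postfix/smtps/smtpd[20590]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2 commands=1/3",
		"Jul 26 20:06:10 mx postfix/smtps/smtpd[20591]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2 commands=1/3",
		"Jul 26 20:07:02 mx postfix/smtps/smtpd[20592]: too many errors after AUTH from unknown[198.51.100.7]",
		"Jul 26 20:07:02 mx postfix/smtps/smtpd[20592]: disconnect from unknown[198.51.100.7] ehlo=1 auth=0/2 commands=1/3",
		"Jul 26 20:07:30 mx postfix/submission/smtpd[20593]: disconnect from mail.example.net[203.0.113.5] ehlo=1 starttls=1 auth=1/1 mail=1 rcpt=1 data=1 quit=1 commands=7",
	}
	for i := 1; i <= 10; i++ { // ten distinct clients, one failed attempt each
		lines = append(lines, fmt.Sprintf("Jul 26 20:%02d:00 mx postfix/smtps/smtpd[%d]: disconnect from unknown[192.0.2.%d] ehlo=1 auth=0/1 commands=1/2", 8+i%3, 20600+i, i))
	}
	return lines
}()
```

Calling Detect(SampleLog, 10*time.Minute, 5, 8) bans 198.51.100.7 (six failures in two minutes) and sets Distributed, because the ten 192.0.2.x clients each failed once and would never be banned by a per-client rule; a fail2ban jail on these lines would produce the first result and nothing for the second. Whether the "too many errors" line also matters depends on the smtpd_*_error_limit settings, which is a separate thread in this archive.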

Re: Postscreen client based access through reverse DNS lookup

2016-07-21 Thread Lefteris Tsintjelis
On 21 Jul 2016, at 21:27, Steve Jenkins wrote: > Hi, Lefteris. Wietse has reiterated that Postscreen is not designed to do DNS queries (beyond DNSB/WLs). His is the final word on the subject. :) No doubt about this one, of course and it is! :) > I had a few extra minutes this morning, so I

Re: Postscreen client based access through reverse DNS lookup

2016-07-21 Thread Lefteris Tsintjelis
> On 21 Jul 2016, at 18:42, /dev/rob0 wrote: > Can't you do the same thing (to solve your unstated problem, which I assume might be to avoid delays with after-220 tests) with DNSWL and postscreen_dnsbl_whitelist_threshold? > Most large-scale legitimate senders are listed in list.dnswl

Re: Postscreen client based access through reverse DNS lookup

2016-07-21 Thread Lefteris Tsintjelis
On 21 Jul 2016, at 18:58, Steve Jenkins wrote: > If you're looking into Postscreen whitelisting, you might consider including Postwhite in your solution: > http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/

Postscreen client based access through reverse DNS lookup

2016-07-21 Thread Lefteris Tsintjelis
Would it be too much to ask for a single reverse DNS lookup client based black/white listing in postscreen?
...
.gmail.com reject
.live.com reject
.postfix.org accept
...

Re: Postscreen white listing based on MX, SPF

2016-07-16 Thread Lefteris Tsintjelis
On 16/07/2016 11:35, Jim Reid wrote: That wouldn’t have worked anyway. Assuming a reverse lookup of an IP address returns a name -- a big if -- there’s no guarantee that name has any relation to whatever domain name is in the MAIL FROM. For instance, lots of organisations outsource their email

Re: Postscreen white listing based on MX, SPF

2016-07-15 Thread Lefteris Tsintjelis
On 16/07/2016 03:16, /dev/rob0 wrote: An MX lookup based on client IP is not possible. There are generally no MX records in "arpa." zones. MX lookup would be based on the domain in the MAIL FROM: address. That does indeed require SMTP inspection. As implemented, postscreen does not know the M

Re: Postscreen white listing based on MX, SPF

2016-07-15 Thread Lefteris Tsintjelis
On 15/07/2016 16:38, wie...@porcupine.org wrote: That is fundamentally not how postscreen works. postscreen whitelists the client, not the combination (client + SMTP commands). Its purpose is to block bad clients with zero overhead for whitelisted clients, not doing things that require inspecting

Postscreen white listing based on MX, SPF

2016-07-14 Thread Lefteris Tsintjelis
Is it possible to add points to clients based on valid SPF (-/~all) and/or valid MX records? For example, give points to a client if it is a valid MX, and/or, give points again if listed in SPF with -all, give less points if valid client but SPF is ~all etc.

Re: Brutal attacks

2016-07-09 Thread Lefteris Tsintjelis
On 09 Jul 2016, at 19:34, Robert Schetterer wrote: On 09.07.2016 at 17:07, Lefteris Tsintjelis wrote: > Is this a good postfix way to stall attackers (besides log parsing and fire walling)? Bots are increasing dramatically these days > smtpd_soft_error_limit = 1 > smtpd_h

Brutal attacks

2016-07-09 Thread Lefteris Tsintjelis
Is this a good postfix way to stall attackers (besides log parsing and fire walling)? Bots are increasing dramatically these days
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 1
smtpd_error_sleep_time = 16s (or even more)

Re: Redirecting to devnull from master.cf

2016-07-09 Thread Lefteris Tsintjelis
On 09/07/2016 17:50, Viktor Dukhovni wrote: On Sat, Jul 09, 2016 at 05:46:51PM +0300, Lefteris Tsintjelis wrote: > (not writing to /dev/null, only discarding input) Yes! Great idea, much better and simpler in CPU cycles than dev null actually! Thanks! If you really want to save CPU cyc

Re: Redirecting to devnull from master.cf

2016-07-09 Thread Lefteris Tsintjelis
On 09/07/2016 17:25, Erwan David wrote: On 09/07/2016 at 16:18, Lefteris Tsintjelis wrote: Is there a way to redirect to dev null (without using local aliases) by using master.cf and a shell script maybe? http://www.postfix.org/FILTER_README.html#simple_filter Would something as simple as

Redirecting to devnull from master.cf

2016-07-09 Thread Lefteris Tsintjelis
Is there a way to redirect to dev null (without using local aliases) by using master.cf and a shell script maybe? http://www.postfix.org/FILTER_README.html#simple_filter Would something as simple as this work?
#!/bin/sh
cat >/dev/null
exit $?

Re: Invalid warning list domain in BOTH mydestination and virtual_mailbox_domains

2010-08-02 Thread Lefteris Tsintjelis
On Aug 2, 2010, at 10:47 am, Lefteris Tsintjelis wrote: > On Aug 2, 2010, at 3:59 am, Phill Macey wrote: >> On 2 August 2010 10:10, Lefteris Tsintjelis wrote: >>> This warning does not make any sense at all since there is no such thing listed in mydestinatio

Re: Invalid warning list domain in BOTH mydestination and virtual_mailbox_domains

2010-08-02 Thread Lefteris Tsintjelis
On Aug 2, 2010, at 3:59 am, Phill Macey wrote: > On 2 August 2010 10:10, Lefteris Tsintjelis wrote: >> This warning does not make any sense at all since there is no such thing listed in mydestination. Any ideas? >> postfix/trivial-rewrite[7525]: warning: do no

Invalid warning list domain in BOTH mydestination and virtual_mailbox_domains

2010-08-01 Thread Lefteris Tsintjelis
This warning does not make any sense at all since there is no such thing listed in mydestination. Any ideas?
postfix/trivial-rewrite[7525]: warning: do not list domain mx.asda.gr in BOTH mydestination and virtual_mailbox_domains
# postconf | grep mydest
mydestination = localhost.asda.gr, localh