Re: Self-signed TLS certificates

2018-01-22 Thread DTNX Postmaster
On 22 Jan 2018, at 15:31, Viktor Dukhovni wrote: > On Jan 22, 2018, at 2:43 AM, DTNX Postmaster wrote: > >>> A "real" certificate is useful if you have customers connecting to >>> your server as a submission service. While self-signed certs work >>>

Re: Self-signed TLS certificates

2018-01-21 Thread DTNX Postmaster
On 21 Jan 2018, at 21:47, Noel Jones wrote: > On 1/21/2018 2:26 PM, Danny Horne wrote: >> Hi all, >> >> Apologies if this has been discussed before, but currently I use >> self-signed certificates on my Postfix servers for TLS negotiation, I'm >> doing this mainly to keep the costs down. As far

Re: postfix mail routing from VMs

2015-08-14 Thread DTNX Postmaster
On 14 Aug 2015, at 11:22, Coert wrote: > Hello all, > > I have a setup with about 10 FreeBSD and Linux VMs. (all running postfix) > > One of the VMs is the primary mail host. > All the other VMs I configured to use the primary as relayhost > And I aliased root in /etc/aliases on all VMs to an a

Re: Update to recommended TLS settings

2015-08-07 Thread DTNX Postmaster
On 07 Aug 2015, at 06:14, Viktor Dukhovni wrote: > On Fri, Aug 07, 2015 at 02:55:42AM +0200, DTNX Postmaster wrote: > >> For most systems, monitoring the status of their encryption just isn't >> done at all; they use the defaults their device or server came with at >

Re: Update to recommended TLS settings

2015-08-06 Thread DTNX Postmaster
On 06 Aug 2015, at 21:44, Michael Ströder wrote: >>> simply look whether their system uses STARTTLS or not and won't check >>> which particular ciphers are used. IMO it might be a good learning effect >>> for >>> them if you disable STARTTLS for them. >> >> This is wrong. RC4 is not worse than

Re: Going through Google spam filters

2015-07-27 Thread DTNX Postmaster
On 27 Jul 2015, at 12:15, Marius Gologan wrote: > If you have ever replied to the working sender @ grinta.net, receiving > messages from that sender in Inbox @ Gmail is not relevant. The sender @ > grinta.net is whitelisted in the current Gmail account. > > Usually, the descriptive banner displa

Re: Going through Google spam filters

2015-07-26 Thread DTNX Postmaster
On 26 Jul 2015, at 20:12, Viktor Dukhovni wrote: > On Sun, Jul 26, 2015 at 07:59:48PM +0200, DTNX Postmaster wrote: > >> Make everything 'zed.grinta.net', forward and reverse, including your >> MX record, and create CNAME records for your convenience, such as mail

Re: Going through Google spam filters

2015-07-26 Thread DTNX Postmaster
On 26 Jul 2015, at 18:16, Daniele Nicolodi wrote: > Hello, > > I apologize in advance because my problem is not strictly related to > postfix, but I don't know another mailing list with helpful people with > enough knowledge of the subject. > > I have my personal emails handled by my own

Re: RC4 in live email servers?

2015-07-21 Thread DTNX Postmaster
On 21 Jul 2015, at 17:34, Viktor Dukhovni wrote: > On Tue, Jul 21, 2015 at 09:49:01AM +0200, A. Schulze wrote: > >>> Should I remove "smtpd_tls_mandatory_exclude_ciphers = 3DES" >>> and look how the cipher use change over the next days ? >> >> immediately after I removed "smtpd_tls_mandatory_ex

Re: RC4 in live email servers?

2015-07-21 Thread DTNX Postmaster
On 21 Jul 2015, at 17:28, A. Schulze wrote: >> I suspect this is a problem with either your configuration, or your TLS >> stack. Exchange 2010 should do better, even in its default >> configuration, as the minimum OS stack is Windows Server 2008, which >> supports TLSv1 with the 'ECDHE-RSA-AES12

Re: RC4 in live email servers?

2015-07-21 Thread DTNX Postmaster
On 21 Jul 2015, at 09:49, A. Schulze wrote: >> Should I remove "smtpd_tls_mandatory_exclude_ciphers = 3DES" >> and look how the cipher use change over the next days ? > > immediately after I removed "smtpd_tls_mandatory_exclude_ciphers = 3DES" > some servers fail to establish TLS. At least one w

Re: RC4 in live email servers?

2015-07-20 Thread DTNX Postmaster
On 20 Jul 2015, at 18:20, Viktor Dukhovni wrote: > You'll get the same result, without losing interop with RC4-only > systems (if any) via the above. However, you'll still break Exchange > 2003, unless you arrange to rank 3DES below RC4, or disable 3DES > (don't know of any systems that have wor

Re: RC4 in live email servers?

2015-07-19 Thread DTNX Postmaster
On 19 Jul 2015, at 21:09, Harald Koch wrote: > Maybe it's just a configuration error on my side, but all SMTP from yahoo.com > servers to mine still uses RC4... This depends on your Postfix settings, I reckon. On our setup, with a non-default cipher set and server-side cipher ordering, we see

Re: RC4 in live email servers?

2015-07-19 Thread DTNX Postmaster
On 19 Jul 2015, at 20:26, Wietse Venema wrote: > Viktor Dukhovni: >> On Sun, Jul 19, 2015 at 10:41:43AM +0200, DTNX Postmaster wrote: >> >> [ Additional data points would be useful, please don't be shy. >> Is anyone who's had to make adjustments to their c

Re: RC4 in live email servers?

2015-07-19 Thread DTNX Postmaster
On 19 Jul 2015, at 17:53, Viktor Dukhovni wrote: >> The primary reason is that the tail for versions of Postfix running on >> versions of OpenSSL older than 1.1 will be very long, easily 5-10 >> years, even if all vendors stick with the new defaults. > > I'm worried more about early adopters o

Re: RC4 in live email servers?

2015-07-19 Thread DTNX Postmaster
On 18 Jul 2015, at 22:12, Viktor Dukhovni wrote: > You've likely all been hearing that RC4 is on its way out, with > increasingly practical attacks to extract fixed plaintext that is > sent repeatedly in lots of messages (e.g. HTTP cookies). > > While it is not clear how to extend these attack

Re: Very Basic SPF Record

2015-06-09 Thread DTNX Postmaster
On 09 Jun 2015, at 07:39, Michael B Allen wrote: > On Tue, Jun 9, 2015 at 12:42 AM, DTNX Postmaster wrote: >> On 09 Jun 2015, at 05:20, Michael B Allen wrote: >> >>> I have never setup SPF records before. I have one server doing >>> everything although it h

Re: what is the reason for THIS spf failure?

2015-06-09 Thread DTNX Postmaster
On 09 Jun 2015, at 10:57, M. Fioretti wrote: > On 2015-06-09 06:38, DTNX Postmaster wrote: > >> from the perspective of the recipient, your mail is originating >> from '81.88.62.172', which isn't included in your SPF record. >> Your SPF record dictates

Re: what is the reason for THIS spf failure?

2015-06-08 Thread DTNX Postmaster
apparently > hosted at register.it - server: mail.register.it, according to the MX > records) so I would suggest talking to postmas...@register.it > They have a misconfigured server that forwards mail in an incorrect way. > > -Original message- From: DTNX Postmaster > Sen

Re: Very Basic SPF Record

2015-06-08 Thread DTNX Postmaster
On 09 Jun 2015, at 05:20, Michael B Allen wrote: > I have never setup SPF records before. I have one server doing > everything although it has two names www.busicorp.com and > mail.busicorp.com. > > My understanding is the following is probably what I want: > > v=spf1 mx ~all > > Would you ag

Re: what is the reason for THIS spf failure?

2015-06-08 Thread DTNX Postmaster
On 08 Jun 2015, at 20:14, M. Fioretti wrote: > On 2015-06-08 20:06, M. Fioretti wrote: >> On 2015-06-08 17:46, DTNX Postmaster wrote: >>> Have you followed the link in the error message, and read the >>> explanation? >> Of course I have. But, with all respect, it

Re: what is the reason for THIS spf failure?

2015-06-08 Thread DTNX Postmaster
On 08 Jun 2015, at 18:03, M. Fioretti wrote: > I had my SPF/Dkim setup all set, also thanks to help from this list.. > until 2/3 days ago. Since then, I have received 2/3 rejected messages, > from unrelated servers, all very similar to the one below, from which > I have only removed the subject a

Re: spamhaus - reasons of ban IP

2015-06-01 Thread DTNX Postmaster
On 01 Jun 2015, at 23:01, Zalezny Niezalezny wrote: > @Michael J Wise, that was question partly about Postfix. Please read more > carefully all posts... Please read this carefully; http://www.postfix.org/DEBUG_README.html Michael is right. This is not a support mechanism for Spamhaus, and you

Re: logjam & SMTP

2015-05-28 Thread DTNX Postmaster
On 28 May 2015, at 12:16, A. Schulze wrote: >> There are several problems with your configuration. Please refer to the >> mailinglist archive for how to configure Postfix to deal with Logjam. >> It has been discussed extensively in this thread; >> >> http://marc.info/?t=14323933481&r=1&w=2 >

Re: logjam & SMTP

2015-05-28 Thread DTNX Postmaster
On 28 May 2015, at 11:38, A. Schulze wrote: > the crypto weakness of the month is named "logjam". > If you could connect to https://dhe512.zmap.io your SSL-Client / Browser > support weak crypto. > What does that mean for postfix? > > We setup a postfix smtp server with > >smtpd_tls_dh1024

Re: Security & Compatibility

2015-05-26 Thread DTNX Postmaster
On 26 May 2015, at 12:21, Postfix User wrote: > On Tue, 26 May 2015 08:14:43 +, Viktor Dukhovni stated: > >> On Mon, May 25, 2015 at 03:49:09PM -0400, Postfix User wrote: >> >>> On Mon, 25 May 2015 13:52:07 +, Viktor Dukhovni stated: >>> -o smtpd_tls_dh1024_param_file=$msa_tls_dh1

Re: Security & Compatibility

2015-05-25 Thread DTNX Postmaster
On 25 May 2015, at 15:52, Viktor Dukhovni wrote: > On Mon, May 25, 2015 at 02:35:38PM +0200, DTNX Postmaster wrote: > >> No, not for submission, where clients will submit their authentication >> details, allowing them to bypass most of the restrictions that are in >&

Re: Security & Compatibility

2015-05-25 Thread DTNX Postmaster
On 25 May 2015, at 14:35, DTNX Postmaster wrote: > On 25 May 2015, at 13:23, Viktor Dukhovni wrote: > >> On Mon, May 25, 2015 at 10:36:24AM +0200, DTNX Postmaster wrote: >> >>> I am talking about the MSA here, Viktor, not MTA to MTA traffic. That's >>

Re: Security & Compatibility

2015-05-25 Thread DTNX Postmaster
On 25 May 2015, at 13:23, Viktor Dukhovni wrote: > On Mon, May 25, 2015 at 10:36:24AM +0200, DTNX Postmaster wrote: > >> I am talking about the MSA here, Viktor, not MTA to MTA traffic. That's >> what the previous poster was asking about; > > My advice stands.

Re: Security & Compatibility

2015-05-25 Thread DTNX Postmaster
On 25 May 2015, at 01:57, Viktor Dukhovni wrote: > On Sun, May 24, 2015 at 08:00:30PM +0200, DTNX Postmaster wrote: > >> Assuming you are talking about the MSA (submission) and not MTA to MTA >> traffic, you can cover the vast majority of the scenarios with the >> fo

Re: Security & Compatibility

2015-05-24 Thread DTNX Postmaster
On 24 May 2015, at 18:09, CSS wrote: >>> I thought I saw that listed on this forum earlier this year. >> >> Don't believe all the nonsense posted on the Internet. > > Related to the previous paragraph, I know that when I fiddle with > SSL settings on a web server, I can easily dig up informatio

Re: tls_policy

2015-04-29 Thread DTNX Postmaster
On 30 Apr 2015, at 08:46, Birta Levente wrote: > Looked at the mailing list archive I resolved with smtp_tls_policy_maps = > hash:/etc/postfix/tls_policy: > > tls_policy: > irs.ro may protocols=TLSv1 ciphers=medium exclude=3DES:MD5 Instead of forcing "TLSv1"

Re: tls_policy

2015-04-29 Thread DTNX Postmaster
On 30 Apr 2015, at 08:25, Birta Levente wrote: > On 29/04/2015 20:56, Viktor Dukhovni wrote: >> On Wed, Apr 29, 2015 at 03:53:00PM +0300, Birta Levente wrote: >> >>> I see many SSL_connect error for different domains which mail service hosted >>> at microsoft: >>> >>> Apr 28 10:32:12 srv1 postf

Re: tls_policy

2015-04-29 Thread DTNX Postmaster
On 29 Apr 2015, at 14:53, Birta Levente wrote: > Hello > > I see many SSL_connect error for different domains which mail service hosted > at microsoft: > > Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to > irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection > Apr 28

Re: Stan Hoeppner's fqrdns.pcre file?

2015-04-28 Thread DTNX Postmaster
On 28 Apr 2015, at 23:23, Steve Jenkins wrote: > On Tue, Apr 28, 2015 at 2:13 PM, Terry Barnum > wrote: > github URL for curl: > > $ curl > https://raw.githubusercontent.com/stevejenkins/hardwarefreak.com-fqrdns.pcre/master/fqrdns.pcre > >

Re: Stan Hoeppner's fqrdns.pcre file?

2015-04-28 Thread DTNX Postmaster
On 28 Apr 2015, at 18:04, Alex Regan wrote: > Hi, > >>I should have mentioned that I actually did that, once I couldn't >>find Stan's site: >> >>https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre >> >> >> For those who are using it, I've replaced it with a version from

Re: SASL support is not compiled in

2015-04-07 Thread DTNX Postmaster
On 07 Apr 2015, at 12:49, i...@itrezero.it wrote: > Hi all. > I’ve recompiled a fresh version of Postfix 3. > No problem with PCRE support (I read the specific readme!). The compilation > was ok and Postfix is up and running with PCRE. > Now I’m trying to add Dovecot SASL support, but postfix re

Re: retirement

2015-03-16 Thread DTNX Postmaster
On 16 Mar 2015, at 14:57, Noel Jones wrote: > On 3/15/2015 9:04 PM, John Allen wrote: >> Retirement - Mine. >> >> I have finally persuaded my family that it would be a good idea to >> give up on the family server. >> >> I have two, probably minor, problems >> >> 1. informing senders of recipie

Re: retirement

2015-03-16 Thread DTNX Postmaster
On 16 Mar 2015, at 03:04, John Allen wrote: > Retirement - Mine. > > I have finally persuaded my family that it would be a good idea to give up on > the family server. > > I have two, probably minor, problems > informing senders of recipients address change. > redirect to recipients new addres

Re: Postfix migration from 2.0 to 2.6.6

2015-02-20 Thread DTNX Postmaster
On 20 Feb 2015, at 09:14, Zalezny Niezalezny wrote: > on one of my servers I'm planning to migrate very old Postfix 2.0 to quite > new one 2.6.6. > I migrated already all Postfix instances, so all Postfix configuration files > are already on the new machine (/etc/postfix*). Now it's time to mig

Re: TLS Library Problem

2015-02-01 Thread DTNX Postmaster
On 01 Feb 2015, at 10:13, LuKreme wrote: > On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni > wrote: >> On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote: >> >>> The start was just date stamp info and PID: >>> >>> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: >>>

Re: tcp_table with SSL/TLS

2015-01-11 Thread DTNX Postmaster
On 10 Jan 2015, at 23:45, Michael Ströder wrote: > wie...@porcupine.org (Wietse Venema) wrote: >> Viktor Dukhovni: >>> On Sat, Jan 10, 2015 at 08:22:17PM +0100, Michael Ströder wrote: >>> Are there any plans to support encrypted connections with tcp_table(5) maps? Something like

Re: dkim-milter for postfix

2015-01-08 Thread DTNX Postmaster
On 08 Jan 2015, at 15:02, DTNX Postmaster wrote: > On 08 Jan 2015, at 13:35, Selcuk Yazar wrote: > >> Our server is redhat Red Hat Enterprise Linux Server (v. 6 for 64-bit >> x86_64), so still redhat have postfix 2.6.6, >> >> i don't want to take this risk for up

Re: dkim-milter for postfix

2015-01-08 Thread DTNX Postmaster
On 08 Jan 2015, at 13:35, Selcuk Yazar wrote: > Our server is redhat Red Hat Enterprise Linux Server (v. 6 for 64-bit x86_64), > so still redhat have postfix 2.6.6, > > i don't want to take this risk for updating running system. we have 60.000 > users and i'm just one people :) Postfix tends to

Re: TLS issues with old Exchange Servers

2015-01-05 Thread DTNX Postmaster
On 05 Jan 2015, at 19:51, li...@rhsoft.net wrote: >>> Gmail's outbound servers prefers RC4-SHA if offered by the SMTP >>> server, when Gmail drops RC4 support, these domains will finally >>> feel real pressure to either disable or fix their TLS stack. >> >> Gmail prefers ECDHE-RSA-AES256-SHA, and

Re: TLS issues with old Exchange Servers

2015-01-05 Thread DTNX Postmaster
On 05 Jan 2015, at 19:33, Per Thorsheim wrote: > On 05.01.2015 18:59, li...@rhsoft.net wrote: >> >> On 05.01.2015 at 18:47, Viktor Dukhovni wrote: >>> On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote: >>> >>>>> With RC4-SHA ear

Re: TLS issues with old Exchange Servers

2015-01-05 Thread DTNX Postmaster
On 05 Jan 2015, at 19:18, Viktor Dukhovni wrote: > On Mon, Jan 05, 2015 at 06:59:06PM +0100, li...@rhsoft.net wrote: > >>> No, this is a bad idea, it is in fact 3DES that is broken with such servers >> >> Shouldn't we start to disable RC4 as well as DES-CBC3-SHA for that horrible >> outdated cr

Re: TLS issues with old Exchange Servers

2015-01-05 Thread DTNX Postmaster
On 05 Jan 2015, at 18:59, li...@rhsoft.net wrote: > On 05.01.2015 at 18:47, Viktor Dukhovni wrote: >> On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote: >> >>>> With RC4-SHA early enough for the 11-year old Microsoft Exchange >>>> servers.

Re: TLS issues with old Exchange Servers

2015-01-05 Thread DTNX Postmaster
On 05 Jan 2015, at 18:47, Viktor Dukhovni wrote: > On Mon, Jan 05, 2015 at 06:01:03PM +0100, DTNX Postmaster wrote: > >>> With RC4-SHA early enough for the 11-year old Microsoft Exchange >>> servers. >> >> Sadly, older Exchange servers (2003 at least) w

Re: TLS issues with old Exchange Servers

2015-01-05 Thread DTNX Postmaster
On 05 Jan 2015, at 15:52, Viktor Dukhovni wrote: > On Mon, Jan 05, 2015 at 03:10:49PM +0100, Matthias Schneider wrote: > >> I noticed that many Exchange Servers nowadays have problems with TLS. Is >> there a way to make a fallback to plain if there is a timeout on MAIL FROM? > > Postfix 2.12 (a

Re: Postfix upgrade and RBL filtering

2014-12-05 Thread DTNX Postmaster
On 05 Dec 2014, at 11:33, Marek Dvorak wrote: > I have opensuse 12.1 (yes, old one but do not comment please). There was > installed Postfix what was a part of distro (version 2.8.x) and in > /var/log/mail there was information why remote client has been rejected > (because RBL and name of the RB

Re: TLS SNI support

2014-11-07 Thread DTNX Postmaster
On 07 Nov 2014, at 16:06, Wietse Venema wrote: > If real people have a need for SNI, what right do we have to tell > them to fuck off because they live in an imperfect world? > > Wietse Wouldn't it be prudent for that need to be demonstrated, though? So far, every time this comes up for

Re: TLS SNI support

2014-11-06 Thread DTNX Postmaster
On 07 Nov 2014, at 07:28, Peter wrote: >> and it is smart do it that way >> >> other than for webservers you have not different contents for different >> hostnames but mandatory user authentication - so why waste time and >> money dealing with different hostnames and certificates? > > I underst

Re: TLS SNI support

2014-11-06 Thread DTNX Postmaster
On 07 Nov 2014, at 01:13, Sven Köhler wrote: > On 07.11.2014 at 01:54, Viktor Dukhovni wrote: >> There are at present no plans for server-side SNI support in Postfix. > > It's disappointing to hear that. > >> OpenSSL does not even implement server-side SNI completely correctly >> as yet. > >

Re: TLS SNI support

2014-11-06 Thread DTNX Postmaster
On 07 Nov 2014, at 04:02, Peter wrote: >> Mind you, hosting of submission servers across organizational >> boundaries, typically means rather unnatural sharing of private >> keys, while hosting within a single organization, is perhaps poor >> planning, since a single MSA hostname could have been

Re: TLS SNI support

2014-11-06 Thread DTNX Postmaster
On 06 Nov 2014, at 23:35, Sven Köhler wrote: > Hi, > > does PostFix support TLS SNI (server name indication) now? I have found > some discussion, mostly saying that it might be implemented, but there > were several issues: > > 1) Mail clients don't seems to support it. > 2) Other MTAs don't see

Re: postfix with both smtpd and smtpd/haproxy

2014-11-02 Thread DTNX Postmaster
On 01 Nov 2014, at 20:41, Roman Naumenko wrote: > I'm trying to set up postfix behind haproxy for failover and load balancing > purpose. It works fine with > > smtpd_upstream_proxy_protocol = haproxy > > but internal systems like amavis can't deliver mail locally, because :25 is > no longer acc

Re: illegal address syntax

2014-08-21 Thread DTNX Postmaster
On 21 Aug 2014, at 20:04, Joe Acquisto-j4 wrote: > Please excuse the top posting, if that offends, as I am forced to use a web > client that cannot bottom post. Easily. > > Here it is, only a bit obfuscated: > > "Aug 21 13:18:07 some_machine postfix/smtpd[23306]: warning: Illegal address > s

Re: illegal address syntax

2014-08-21 Thread DTNX Postmaster
On 21 Aug 2014, at 19:32, Joe Acquisto-j4 wrote: > Some mail from local (mynetworks) machines are getting mail rejected with > "warning: Illegal address syntax from blah in MAIL command: " > This is despite "resolve_numeric_domain = yes" in main.cf, which I read was > supposed to fix bad from

Re: compromised mail server

2014-08-21 Thread DTNX Postmaster
On 21 Aug 2014, at 14:54, Charles Richard wrote: > I have inherited a postfix 2.6 mail server which also uses Dovecot 1.1.14 . > > This is basically a legacy mail server that can't be shutoff because it is > now used only to forward the emails sent to a few mailboxes to the new email > address

Re: More about "Allow only my servers to send mail from my domain"

2014-08-08 Thread DTNX Postmaster
On 08 Aug 2014, at 16:45, Andre Luiz Paiz wrote: > Quoting DTNX Postmaster : > >> On 08 Aug 2014, at 14:53, Andre Luiz Paiz wrote: >> >>> I was trying to use check_sender_access as suggested here in the forum to >>> avoid this type of SPAMs. But it is

Re: More about "Allow only my servers to send mail from my domain"

2014-08-08 Thread DTNX Postmaster
On 08 Aug 2014, at 14:53, Andre Luiz Paiz wrote: > I was trying to use check_sender_access as suggested here in the forum to > avoid this type of SPAMs. But it is not working. > check_sender_access works more like a blacklist and the spammers are ready > for that. It is not working because you

Re: Allow only my servers to send mail from my domain

2014-08-05 Thread DTNX Postmaster
On 05 Aug 2014, at 15:53, Andre Luiz Paiz wrote: > Quoting Andre Luiz Paiz : > >> Is there an alternative? > > Good morning, > Does anybody have some tips to help me? Yes, I already gave you the 'check_sender_access' option as an alternative. Also, please do not use HTML to post to lists like

Re: Allow only my servers to send mail from my domain

2014-08-04 Thread DTNX Postmaster
On 04 Aug 2014, at 20:45, Andre Luiz Paiz wrote: > Quoting DTNX Postmaster : > >> On 04 Aug 2014, at 19:25, Andre Luiz Paiz wrote: >> >>> I'm receiving some e-mails coming from outside with the FROM pointing to my >>> local domain. This causes confu

Re: Allow only my servers to send mail from my domain

2014-08-04 Thread DTNX Postmaster
On 04 Aug 2014, at 19:25, Andre Luiz Paiz wrote: > I'm receiving some e-mails coming from outside with the FROM pointing to my > local domain. This causes confusion on my antispam tools. > Ex: I received an e-mail from the internet with webmas...@iqm.unicamp.br > (which is my domain) as FROM. H

Re: Enabling policies for certain domains

2014-07-26 Thread DTNX Postmaster
On 26 Jul 2014, at 17:35, Robert Fitzpatrick wrote: > I have enabled some policies like Postgrey to cut down on spam on my Postfix > 2.11 server. The server acts as the MX server for many domains, is it > possible to configure Postfix to activate these types of policies for certain > domains?

Re: Postfix Performance on Mac OS X

2014-07-25 Thread DTNX Postmaster
On 26 Jul 2014, at 01:42, McKinnon Chris wrote: > I’ve done some testing with swaks trying to track my performance issue. I > don’t think this is a postfix issue. It is just the most apparent symptom. > I’ve also noticed SSH to my server is quite laggy but if I use the command > line with S

Re: Postfix Performance on Mac OS X

2014-07-24 Thread DTNX Postmaster
On 24 Jul 2014, at 06:37, McKinnon Chris wrote: > I checked for “connect from unknown” errors coming from the client IPs in > mail.log and I’m not seeing any. The only warning I see for one client is: > > Jul 23 19:21:54 ravenviewhomes.com postfix/smtpd[61133]: warning: > fqdn_hidden[ip_hidde

Re: How to use only flat-file for passwords when using non-system users for a hosted, virtual domain?

2014-07-09 Thread DTNX Postmaster
On 10 Jul 2014, at 08:21, Arun wrote: > Hello, > > I am just starting to build up my Postfix server. > > I have been reading the many docs. I decided to set up with virtual_domains. > > For a simple first step I am not using the MySQL database tables yet, only > flat files. > > In my main.c

Re: Postfix and Generic rDNS

2014-06-27 Thread DTNX Postmaster
On 27 Jun 2014, at 11:52, Klaipedaville on Google wrote: > Thank you for your suggestion and quick reply. > > Well, my actual log entry has been posted in my first message. I only changed > the actual IP address. The log is: > > Postfix says, "hostname verification errors in FCrDNS: > Does

Re: Postfix and Generic rDNS

2014-06-27 Thread DTNX Postmaster
On 27 Jun 2014, at 10:53, Klaipedaville on Google wrote: > I have a quick question / request for clarification. I’ll try to be concise. > > My ISP has a generic rDNS. For clarity I’ll say that it is defined as > follows, "Generic rDNS means that a DNS query on the IP address resolves to > so

Re: Using Postfix for buffering > 1million mails

2014-06-26 Thread DTNX Postmaster
On 26 Jun 2014, at 18:25, Viktor Dukhovni wrote: > On Thu, Jun 26, 2014 at 03:58:40PM +, robin.wakefi...@ubs.com wrote: > >> We have been asked to consider using a set of 6 Postfix servers >> to provide a buffer between Exchange and our Compliance Archive >> servers, > > Have seen this done

Re: impact of new gTLDs

2014-06-16 Thread DTNX Postmaster
On 16 Jun 2014, at 17:22, Viktor Dukhovni wrote: > On Mon, Jun 16, 2014 at 09:12:18AM +0200, Erwan David wrote: > >> I do not know whether there is a email server there, but dk. has a A >> record, thus user@dk might be a valid email address... > > Though "technically" valid, it is in practice u

Re: yet another stupid question on header rewriting?

2014-06-10 Thread DTNX Postmaster
On 10 Jun 2014, at 13:02, Eero Volotinen wrote: > I need to rewrite incoming headers for one email address, how to do this? > > The main reason to do this is jira that accepts email only from one defined > emails > and I need to import mailinglist mails to that system. > > for example I need

Re: Disabling Anonymous Diffie Hellman

2014-05-20 Thread DTNX Postmaster
On 20 May 2014, at 15:25, Viktor Dukhovni wrote: > On Tue, May 20, 2014 at 02:11:34PM +0100, Colin Fowler wrote: > >> I've heard anecdotes of clients not using the best mutually supported >> encryption and instead just using whatever's first in the list of methods >> accepted by the server. I do

Re: Selective greylisting

2014-05-14 Thread DTNX Postmaster
On 14 May 2014, at 12:13, Matt Holgate wrote: > Most of the spam I receive these days tends to be malware with attached ZIP > files. I run clamav which weeds out some of it out, but a large amount still > seems to get through. > > I was wondering if greylisting would be a useful thing to try i

Re: SMTP STARTTLS - "best practices"?

2014-04-25 Thread DTNX Postmaster
On 25 Apr 2014, at 12:23, lst_ho...@kwsoft.de wrote: > Quoting Viktor Dukhovni : > >> On Wed, Apr 23, 2014 at 04:54:44PM +0200, lst_ho...@kwsoft.de wrote: >> >>> Are there any experience with DNSSEC capable DNS Providers at the lower cost >>> range suitable for KMU? >> >> I've not looked at t

Re: Is anyone else having name service errors with barracudacentral.org?

2014-03-26 Thread DTNX Postmaster
On 26 Mar 2014, at 19:06, Viktor Dukhovni wrote: > On Wed, Mar 26, 2014 at 12:16:50PM -0500, deoren wrote: > >>> I use powerdns recursor locally on my MX. It is designed for, targeted >>> at, extremely high volume query loads, e.g. ISP environments, thus >>> logging such failures would be usele

Re: Compromised Passwords

2014-03-06 Thread DTNX Postmaster
On 06 Mar 2014, at 18:04, Adam Moffett wrote: > Two steps eliminated this problem for us: > > 1) Accounts with more than 6 failed login attempts in a 10 minute period are > disabled for 10 minutes. This makes brute force methods to find passwords > almost impossible. > > 2) Limit to 200 outg

Re: TLS client logging PATCH

2014-02-26 Thread DTNX Postmaster
On 26 Feb 2014, at 07:46, Viktor Dukhovni wrote: > On Wed, Feb 26, 2014 at 07:43:25AM +0100, Erwan David wrote: > >>> The local resolver can have the resolvers on the LAN configured as >>> forwarders, but you need the local stub resolver. No reason not to have >>> one, really, especially on a

Re: TLS client logging PATCH

2014-02-25 Thread DTNX Postmaster
On 26 Feb 2014, at 00:54, li...@rhsoft.net wrote: > On 26.02.2014 00:46, DTNX Postmaster wrote: >> On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote: >>> On 25.02.2014 17:41, Dirk Stöcker wrote: >>>> On Tue, 25 Feb 2014, Viktor Dukhovni wrote: >>

Re: TLS client logging PATCH

2014-02-25 Thread DTNX Postmaster
On 26 Feb 2014, at 00:29, li...@rhsoft.net wrote: > On 25.02.2014 17:41, Dirk Stöcker wrote: >> On Tue, 25 Feb 2014, Viktor Dukhovni wrote: smtp_dns_support_level = dnssec was enough to fix this. I'll see how many servers will have a "Verified" connection in the future. >>>

Re: postfix tries to send mail to domains with no mx record

2014-02-11 Thread DTNX Postmaster
On 11 Feb 2014, at 09:48, Klaffehn, Peter wrote: > yesterday i noticed an unexpected behaviour. This mail is lingering in the > outbound queue on my mailserver: > > 54086E032F 10413683 Fri Feb 7 14:04:21 some.user@my.domain > (lost connection with apple.de[17.149.160.31] while receiving the in

Re: new postfix on centos 6.5

2013-12-14 Thread DTNX Postmaster
On 14 Dec 2013, at 15:41, Danil Smirnov wrote: > From the version 2.7 we've got fantastic new feature - > sender_dependent_default_transport_maps which "allow sending mail with > source IP addresses that depend on the envelope sender". > > This option is very useful for defining reverse dns para

Re: OT: Large corporate email systems - Exchange vs open source *nix based

2013-12-10 Thread DTNX Postmaster
On 10 Dec 2013, at 15:42, Charles Marcus wrote: > On 2013-12-10 9:23 AM, DTNX Postmaster wrote: >> Do your own comparison based on the TCO of what you have, vs. what you will >> need for Exchange Server. Focus on the needs of the company over a five-year >> time perio

Re: OT: Large corporate email systems - Exchange vs open source *nix based

2013-12-10 Thread DTNX Postmaster
On 10 Dec 2013, at 14:57, Charles Marcus wrote: > There has been some whispers about considering migrating our mail systems to > Exchange Server, and I want to try to nip this in the bud if possible. > > I would like to ask for some help with providing some kind of comparison of > mid to large

Re: postfix 2.7.1 debian - does not query DNS

2013-11-08 Thread DTNX Postmaster
On 08 Nov 2013, at 01:34, Stan Hoeppner wrote: > On 11/7/2013 5:53 AM, Simon Loewenthal wrote: > >> Damned chroot now turned off, and lookups now work like they should have >> done :D > > The default Postfix chroot environment in Debian 6 Squeeze works fine > out of the box, as did Lenny. You

Re: postfix 2.7.1 debian - does not query DNS

2013-11-07 Thread DTNX Postmaster
On 07 Nov 2013, at 12:53, Simon Loewenthal wrote: > Damned chroot now turned off, and lookups now work like they should have done > :D > > And this nicely solved my RDNS_NONE scoring issue with SA, of course! > > Nov 7 12:49:16 lo postfix/smtpd[15712]: 32FD892: > client=english-breakfast.clo

Re: postfix 2.7.1 debian - does not query DNS

2013-11-07 Thread DTNX Postmaster
On 07 Nov 2013, at 12:19, Simon Loewenthal wrote: > I have a postfix instance on Debian 6 that has never performed DNS lookups > with version number 2.7.1-1+squeeze1. > > The mail.log lists all connections like > > Nov 6 17:40:54 lo postfix/smtpd[10283]: 4AD4292: client=unknown[82.2.1.3], >

Re: disable ipv6 when sending to gmail ?

2013-10-18 Thread DTNX Postmaster
On Oct 19, 2013, at 00:13, Dominik George wrote: >> if i would be you i would *not* use "v=spf1 mx ~all" > > If I were [...] ... > >> here you go for ipv6 >> >> http://www.openspf.org/SPF_Record_Syntax#ip6 > > Jeez, I don't believe it. The problem is that the mx mechanism simply > only enumer

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-16 Thread DTNX Postmaster
On Oct 16, 2013, at 10:29, Michael Büker wrote: > Now, everything works. Phew. > > I might still combine the sender_dependent_default_transport_maps with my > sender_dependent_relayhost_maps so I don't have to maintain both files. Come > to > think of it: Couldn't I combine the single line in

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-15 Thread DTNX Postmaster
On Oct 15, 2013, at 17:18, Viktor Dukhovni wrote: > On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote: > >>> Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: >>> 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version >>> number:s3_pkt.c:337: >>> >>>

Re: seamless postfix migration to a new server

2013-10-12 Thread DTNX Postmaster
On Oct 12, 2013, at 19:39, Jeroen Geilman wrote: > On 10/12/2013 07:16 PM, DTNX Postmaster wrote: >> On Oct 12, 2013, at 17:04, teknet9 wrote: >> >>> Thank you for advice. >>> I have many users i can not allow for any downtime (not even few seconds). >>

Re: seamless postfix migration to a new server

2013-10-12 Thread DTNX Postmaster
On Oct 12, 2013, at 17:04, teknet9 wrote: > Thank you for advice. > I have many users i can not allow for any downtime (not even few seconds). > Also i can not lose any single email. > Your solution will not guarantee that. > > I am looking for true HA solution. > > That is why both servers ne

Re: Google rejecting IPv6 mails

2013-10-07 Thread DTNX Postmaster
On Oct 7, 2013, at 19:25, Jim Reid wrote: > On 7 Oct 2013, at 18:15, Erwan David wrote: > >> Google is really rejecting emails in IPv6 because of a lack of PTR... > > If that's the case, good. Just do The Right Thing and arrange a valid PTR for > the IPv6 address that speaks SMTP. This should

Re: email address (u...@domain.tld) as username?

2013-09-27 Thread DTNX Postmaster
On Sep 27, 2013, at 11:32, Tomasz Chmielewski wrote: > On Fri, 27 Sep 2013 10:15:43 +0200 > DTNX Postmaster wrote: > >> Unless those users also need some system level access, this is where >> you use virtual domains. Use the software as intended, read the >> fabul

Re: email address (u...@domain.tld) as username?

2013-09-27 Thread DTNX Postmaster
On Sep 27, 2013, at 09:41, Tomasz Chmielewski wrote: > On Fri, 27 Sep 2013 09:23:43 +0200 > DTNX Postmaster wrote: > >>> How can I make Postfix deliver mail for such system users? >>> >>> Right now, it rejects mail to such users, with '(unknown user:

Re: email address (u...@domain.tld) as username?

2013-09-27 Thread DTNX Postmaster
On Sep 27, 2013, at 09:08, Tomasz Chmielewski wrote: > I have the following system users with their homedirs: > > t...@example.com - /home/t...@example.com/ > t...@domain.tld - /home/t...@domain.tld/ > > > How can I make Postfix deliver mail for such system users? > > Right now, it rejects m

Re: Virtual domain loop

2013-09-25 Thread DTNX Postmaster
On Sep 25, 2013, at 13:18, Bruce Markey wrote: > Ah ok. I was under the mistaken impression that there shouldn't be anything > in mydestination when using virtual domains. > > So where would i add the alias to send the r...@mail.secryption.com mail to > my account x...@secryption.com? This

Re: Virtual domain loop

2013-09-25 Thread DTNX Postmaster
On Sep 25, 2013, at 11:11, Bruce Markey wrote: > I'm getting a good number of bounces with the "loops back to itself" message. > > They are coming from r...@mail.secryption.com and sm...@mail.secryption.com. > > Since I am running virtual domains/users I can't add mail.secryption.com to > my de
