On 2023-04-11 15:49:30, Matus UHLAR - fantomas via Postfix-users wrote:
>>> On Fri, Apr 07, 2023 at 11:25:33AM -0400, micah via Postfix-users wrote:
>>>> 2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]:
>>>> SSL_accept:before SSL initialization
>
Thanks for the reply, and the suggestions, please see below in-line.
On 2023-04-07 13:25:42, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Apr 07, 2023 at 11:25:33AM -0400, micah via Postfix-users wrote:
>
>> I have a few remote hosts who cannot send me mail, and I'm tryin
Hello,
I have a few remote hosts who cannot send me mail, and I'm trying to
determine the best way to debug these SSL_accept error messages and turn
them into a solution so the mail can be actually sent.
With smtpd_tls_log_level = 2, I was able to capture the information
about the what is happe
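Added example, not from the thread: a small Python triage script for exactly the kind of smtpd log that smtpd_tls_log_level = 2 produces, grouping TLS handshake failures by client. The log lines below are constructed for the example, modelled on the rsyslog-style line quoted above; the client names, addresses and the OpenSSL error text are made up. The detail worth noticing is that the "warning: TLS library problem" line, which is the one that says why the handshake failed, names no client, so it has to be tied to the "SSL_accept error from ..." line that the same smtpd process logged just before it.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the rsyslog-style smtpd lines quoted in the
# thread. The client names, addresses and the OpenSSL error text are made up.
SAMPLE_LOG = """\
2023-04-06T07:34:41.900000+00:00 mx1 postfix/smtpd[1680368]: connect from mail.example.org[192.0.2.10]
2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
2023-04-06T07:34:42.300000+00:00 mx1 postfix/smtpd[1680368]: SSL3 alert write:fatal:protocol version
2023-04-06T07:34:42.311000+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail.example.org[192.0.2.10]: -1
2023-04-06T07:34:42.312000+00:00 mx1 postfix/smtpd[1680368]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:ssl/statem/statem_srvr.c:1657:
2023-04-06T07:34:42.320000+00:00 mx1 postfix/smtpd[1680368]: lost connection after STARTTLS from mail.example.org[192.0.2.10]
2023-04-06T07:35:00.000000+00:00 mx1 postfix/smtpd[1680370]: connect from relay.example.net[198.51.100.7]
2023-04-06T07:35:00.500000+00:00 mx1 postfix/smtpd[1680370]: SSL_accept error from relay.example.net[198.51.100.7]: lost connection
2023-04-06T07:35:00.501000+00:00 mx1 postfix/smtpd[1680370]: lost connection after STARTTLS from relay.example.net[198.51.100.7]
2023-04-06T07:36:00.000000+00:00 mx1 postfix/smtpd[1680371]: connect from good.example.com[203.0.113.5]
2023-04-06T07:36:00.200000+00:00 mx1 postfix/smtpd[1680371]: Anonymous TLS connection established from good.example.com[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ALERT_RE = re.compile(r"^SSL3 alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)$")
ACCEPT_ERR_RE = re.compile(r"^SSL_accept error from (?P<client>\S+\[[^\]]+\]): (?P<detail>.+)$")
LIB_RE = re.compile(r"^warning: TLS library problem: (?P<err>.+)$")


def triage(log_text):
    """Group TLS handshake failures by client.

    Returns {client: [record, ...]}; each record carries the timestamp, the smtpd
    pid, a coarse kind, the last TLS alert seen during that handshake and the
    OpenSSL errors Postfix logged right after the failure.
    """
    pending_alert = {}   # pid -> last alert logged while the handshake was in progress
    open_failure = {}    # pid -> failure record still collecting its library-error lines
    failures = defaultdict(list)

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not an smtpd line, or a format this parser does not handle
        pid, msg = m["pid"], m["msg"]

        if (a := ALERT_RE.match(msg)):
            # Alerts come from the OpenSSL info callback before the SSL_accept error
            # line, so keep the latest one per pid until that line arrives.
            pending_alert[pid] = f"{a['dir']} {a['level']} alert: {a['desc']}"
        elif (e := ACCEPT_ERR_RE.match(msg)):
            detail = e["detail"]
            record = {
                "ts": m["ts"],
                "pid": pid,
                # "-1": OpenSSL rejected the handshake and "TLS library problem" lines
                # with the reason follow. Anything else ("lost connection", an errno
                # text) means the peer or the socket went away mid-handshake.
                "kind": "handshake_failed" if detail == "-1" else "connection_lost",
                "alert": pending_alert.pop(pid, None),
                "library_errors": [],
            }
            failures[e["client"]].append(record)
            open_failure[pid] = record
        elif (lib := LIB_RE.match(msg)):
            # This line names no client: attribute it to the failure the same smtpd
            # process logged just before it. There may be several such lines.
            record = open_failure.get(pid)
            if record is not None:
                record["library_errors"].append(lib["err"])
        elif msg.startswith("connect from "):
            # A new session on this pid: drop any state left from the previous one.
            pending_alert.pop(pid, None)
            open_failure.pop(pid, None)

    return dict(failures)


def summarize(failures):
    """One line per failing client with the most specific reason available."""
    lines = []
    for client, records in sorted(failures.items()):
        reasons = set()
        for r in records:
            if r["library_errors"]:
                reasons.add(r["library_errors"][0])
            else:
                reasons.add(r["alert"] or r["kind"])
        lines.append(f"{client}: {len(records)} failure(s): {' | '.join(sorted(reasons))}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

Run it over a real log (for instance `triage(open("/var/log/mail.log").read())`) and the summary gives one line per peer that cannot complete STARTTLS together with the OpenSSL reason, which is what decides whether the fix belongs on the sending side (an obsolete protocol or cipher) or on yours.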
On 2021-11-17 15:25:19, Florian Effenberger wrote:
> Hello Micah,
>
> micah wrote on 17.11.21 at 15:11:
>
>> I've been doing some tests of my postfix server and sometimes when I
>> connect, I get *two* ESMTP banners, one that has a hyphen (-) after the
>
xample.net ESMTP (spam is not appreciated)
quit
221 2.0.0 Bye
Can someone explain what the two banners mean, and why they happen
sometimes, and are slightly different?
thanks!
Micah
On 2021-02-24 19:23:18, ghe2001 wrote:
> Any chance of terminating this thread -- my disk is only a terabyte.
+1 for terminating this thread.
> Programmers can call a variable or label whatever they want to. It's one of
> their perks.
>
> And they can change it if they want to. But it's often
ested in participating.
Who cares if Pliny the Elder used it once, and he totally didn't mean it
in a racist way, he probably had loads of black friends!
--
micah
Kris Deugau writes:
> micah anderson wrote:
>> Allen Coates writes:
>>> The web page https://www.abuseat.org/faq.html (about half-way down the
>>> page)
>>> has an honest - and fairly recent - appraisal of a number of DNSBLs.
>>
>
Allen Coates writes:
> On 24/05/2020 23:22, micah anderson wrote:
>> We paid for access to spamhaus for a while, but they jacked up the
>> prices and now it's far too expensive even for their non-profit rate.
>>
>> What RBLs do people find to be effective nowadays? I
to spamhaus for a while, but they jacked up the
prices and now it's far too expensive even for their non-profit rate.
What RBLs do people find to be effective nowadays? I was looking at
SpamRats, which I did not know about before, but it looks decent.
--
micah
ch. Definitely it was not a CPU issue, might
> be networking.
Better investigate before blaming Postfix! We are using Postfix very
happily, without firewalling these, and without slowdown, on a very busy
set of machines. Postscreen has helped tremendously in this respect.
--
micah
Matus UHLAR - fantomas writes:
> welcome to the internet. Can be misconfigured client, spamware somewhere,
> scan, whatever. Firewalling those automatically is the only way to limit
> those messages.
I'm curious what kind of firewalling rules that people have come up with
to limit these. Are you
Wietse Venema writes:
> micah anderson:
>> Eray Aslan writes:
>>
>> > On Wed, Dec 19, 2018 at 02:36:50PM -0500, Viktor Dukhovni wrote:
>> >> If there are no objections, I can change the default to "may" when
>> >> TLS is compiled in.
>
.
I just wanted to circle back to this thread - it seems like nobody had
any objections to this change, and there were even proposed changes
sent, but I don't see that it ever got integrated?
--
micah
Viktor Dukhovni writes:
>> On Oct 11, 2019, at 10:19 AM, micah anderson wrote:
>>
>> I am aware of that, but I'm not asking specifically how to implement
>> this, I'm more trying to find out what really is the concern here with
>> enabling this, and
"A. Schulze" writes:
> micah anderson:
>
>> If we want to try and respect MTA-STS, when doing STARTTLS, the sender
>> needs to send the right information in the TLS SNI (Server Name
>> Indication) extension. An MTA-STS-honoring SMTP client expects to
>
can people connect to all the servers you've
connected to in the past, with SNI, and see if it aborts connections and
then make a list that we can go harass to fix?
--
micah
"@lbutlr" writes:
> On 12 Apr 2019, at 08:46, micah anderson wrote:
>> he site https://hardenize.com provides relatively decent Email reports,
>> along with other reports. It checks a number of things including certs,
>> MTA-STS, TLS-RPT, DANE, SPF, DMARC, a
Scott Kitterman writes:
> On Friday, April 12, 2019 10:46:50 AM micah anderson wrote:
>> The site https://hardenize.com provides relatively decent Email reports,
>> along with other reports. It checks a number of things including certs,
>> MTA-STS, TLS-RPT, DANE, SPF, DMA
Viktor Dukhovni writes:
>> On Apr 12, 2019, at 10:46 AM, micah anderson wrote:
>>
>> I know that 'hardening postfix' threads have been posted here a number
>> of times, I've read them and I understand the recommendations if you
>> want to con
micah anderson writes:
> 2. Server suite preferences: they break down each preferred cipher
> selection for each TLS version, and are unhappy about the cipher suite
> configuration being suboptimal, specifically that the forward secrecy
> ciphers (ECDHE or DHE) and authenticated enc
lready cause problems with Windows
2000 Microsoft Exchange, but I feel that may be an acceptable trade-off
at this point.
micah
0. http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
1. not even sure this would be the right format, but this would be the ord
upports a subset of OpenDKIM's options and has a few of its own added to
> support Ed25519).
I've been eyeing dkimpy-milter as something I'd like to switch to at
some point, but I need the multi-domain bits that opendkim has. So
definitely looking forward to advancements on dkimpy!
--
micah
't help your current situation, but I highly suggest you
setup postfwd with some sending limits, so that this does not happen
again in the future.
--
micah
maintainers do this in main.cf, instead of having it be a compile time
option... but I think that the right thing to do is to have it be a
compile time option, where the default is set to 'may', like you said
earlier (although I cannot comment on the accuracy of the code):
#ifdef USE_TLS
#define DEF_SMTP_TLS_LEVEL "may"
#else
#define DEF_SMTP_TLS_LEVEL ""
#endif
--
micah
the overall
opportunistic landscape if it were enabled. Because STARTTLS was
designed to be enabled opportunistically, it is designed to fall back to
cleartext when it doesn't exist, so I do not see any problem with it
being the default.
I do not understand why anyone would complain about this. Anyone who
cannot handle this change to the defaults can explicitly set the config
option the way that the rest of the world has been explicitly setting
the config option all along anyway.
--
micah
micah writes:
> Viktor Dukhovni writes:
>
>>> On Dec 6, 2017, at 8:08 PM, micah wrote:
>>>
>>> Is there any reason why postfix, when compiled with TLS, can simply set
>>> the default to 'may'?
>>
>> This is easy enough to imp
being used.
I agree that this should change, but the best way I know to get this to
change is to get microsoft and google to agree to stop accepting any
email that is not encrypted and not using tls1.2 by May 1st, 2020. This
will move the market, so to speak and still give people plenty of time
to make it happen.
--
micah
t actually should be *default*), but I'm wondering about
the other recommended ciphers/protocols/excludes etc. as well.
thanks!
--
micah
0.
http://postfix.1071664.n5.nabble.com/Update-to-recommended-TLS-settings-td78583.html
s
log entry:
postfix/smtpd[15949]: warning: unknown macro name "submit_reject_footer" in
expansion request
could it be because I put the submit_reject_footer= at the end of
main.cf? Does that matter?
micah
t_reject_footer=\c For further help, contact support
postfix/smtpd[21083]: warning: unknown macro name "submit_reject_footer" in
expansion request
(this is postfix 2.11)
micah
why is it that this does not work for smtps?
thanks,
micah
ere it was no longer stable, causing heavy CPU usage in the cleanup
processes and the OOM killer to get crazy with the cheeze-whiz.
micah
Karol Augustin writes:
> On 2018-01-30 16:44, Ghislain Adnet wrote:
>> hi,
>>
>> We participated in some police enquiries about emails sent to
>> blackmail people and get the source IP. The ISP answered
>> that they use proxy systems and they requires IP+port to be able to
>> track the source.
Viktor Dukhovni writes:
>> On Dec 6, 2017, at 8:08 PM, micah wrote:
>>
>> Is there any reason why postfix, when compiled with TLS, can simply set
>> the default to 'may'?
>
> This is easy enough to implement, the only complication is
> that the docum
ore experienced users.
>
> Noel has a good point. Let's not make OpenSSL a hard dependency.
>
> How would one recognize 'first-time' installation? If that helps
> only the tiny minority of sites that install Postfix from source,then
> it does not seem to be a good target. Better to get the vendors to
> run those commands instead.
Is there any reason why postfix, when compiled with TLS, can simply set
the default to 'may'?
If it is compiled without TLS, the default should be 'no'.
micah
Viktor Dukhovni writes:
>> On Dec 6, 2017, at 1:41 PM, micah wrote:
>>
>>>> main.cf
>>>> smtpd_tls_security_level = may
>>
>> Is there a reason why 'smtpd_tls_security_level = may' is not default in
>> postfix? What needs
lt? It seems harmless to
have that enabled by default, with no negative effects that I can discern
and improves the overall opportunistic landscape if it were
default.
thanks,
micah
ad_maps and am looking for more
clarity on what exactly this does. Documentation simply states, "The
lookup tables that the proxymap(8) server is allowed to access for the
read-only service", are there security concerns or other trade-offs with
adding lookup tables to do this?
thanks,
micah
Noel Jones writes:
> On 10/25/2017 1:54 PM, micah anderson wrote:
>>
>> Hello,
>>
>> I've configured check_sasl_access to be a sql map, like so:
>>
>> proxy:mysql:/etc/postfix/checks/check_sasl_access.sql
>>
>> and that check_sasl_a
ated multiple times, once for each address included.
How can I make this only occur once in the header and not repeat it for
every address CC/BCC'd?
thanks!
micah
Viktor Dukhovni writes:
> On Sun, Jan 05, 2014 at 06:31:46PM -0500, micah wrote:
>
>> > Given cipherlist class names:
>> >
>> >kEECDH - cipher suites that support Ephemeral ECDH key exchange
>> >kEDH- cipher suites that support Ephemeral DH
Hi Viktor,
Thanks for the reply.
Viktor Dukhovni writes:
> On Thu, Jan 02, 2014 at 06:03:40PM -0500, micah wrote:
>
>> I notice that you are using OpenSSL's private terminology (EDH and
>> EECDH) instead of the standard terminology (DHE and ECDHE).
>
>
in this FORWARD_SECRECY_README is to
change to using the standard terminology and just include a footnote
about the non-standard names until those fade from our collective
nightmare.
Micah
0. especially since https://tools.ietf.org/html/rfc4492 was clearly
publicly announced -- they just c
options to do that?
thanks,
micah
/www.postfix.org/postconf.5.html#smtpd_tls_exclude_ciphers what
the correct syntax to use there is, I tried kxECDHE but that didn't work
either. Do you what format those are specified in?
micah
micah writes:
> Viktor Dukhovni writes:
>
>> On Wed, Oct 02, 2013 at 03:39:06PM -0400, Micah Anderson wrote:
>>
>>> From my understanding of the way postfix currently operates, there is no
>>> smtpd/smtp TLS setting that can be set that would provide a
>
Viktor Dukhovni writes:
> On Wed, Oct 02, 2013 at 03:39:06PM -0400, Micah Anderson wrote:
>
>> From my understanding of the way postfix currently operates, there is no
>> smtpd/smtp TLS setting that can be set that would provide a
>> configuration that would re
Viktor Dukhovni writes:
> On Wed, Oct 02, 2013 at 07:38:42PM -0400, micah wrote:
>
>> I suppose there is no way to achieve some middle ground of doing
>> opportunistic encryption, but for those who are only talking with bad
>> protocols and ciphers (or clear-text) do a no
Viktor Dukhovni writes:
> On Wed, Oct 02, 2013 at 03:39:06PM -0400, Micah Anderson wrote:
>
>> From my understanding of the way postfix currently operates, there is no
>> smtpd/smtp TLS setting that can be set that would provide a
>> configuration that would re
From my understanding of the way postfix currently operates, there is no
smtpd/smtp TLS setting that can be set that would provide a
configuration that would result in a more 'hardened' configuration,
without causing interoperability problems. If I am wrong, I'm very
interested in knowing where.
Patrick Ben Koetter writes:
> * micah anderson :
>>
>> I'm running a busy server that is periodically experiencing problems
>> with tlsmgr, at various times (typically once a day at minimum), the
>> following appears in the logs:
>>
>> Jun 16
ls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 28800
swap_bangpath = no
tls_random_exchange_name = /var/lib/postfix/prng_exch
1 willet:/home/micah# cat /etc/postfix/master.cf |e
o get a larger number of bytes
means that you lose the benefit of having the EGD data mixed in with the
system's random pool.
micah
0. http://www.postfix.org/TLS_README.html
1. http://www.entropykey.co.uk/
2. http://www.postfix.org/TLS_README.html#tlsmgr_controls
--
Excerpts from wietse's message of Tue Nov 10 17:22:57 -0500 2009:
> micah anderson:
> > > > hosts = mysql-cluster1 mysql-cluster1
> > >
> > > This repeats the query only if the session breaks. However, the
> > > hosts are tried without delay,
Excerpts from wietse's message of Tue Nov 10 15:45:38 -0500 2009:
> micah anderson:
> > > If anything should retry the query, then it would be the mysql
> > > client. The proxymap can't make such decisions (for example, it
> > > makes no sense to re
Excerpts from wietse's message of Mon Nov 09 17:06:11 -0500 2009:
> Micah Anderson:
> > I would like to reduce the mysql transport retry time (or perhaps the
> > proxymap retry time?), is there a variable that I can tweak down to
> > reduce the time between retries of
sees
these, not the sender, and they are just retried, is that correct?
Thanks for any advice, I haven't found anything that specifically would
be related to this in
http://www.postfix.org/postconf.5.html#command_time_limit but I might
have missed something.
micah
On Thu, September 4, 2008 8:56 am, mouss wrote:
> Micah wrote:
>> I've been fighting with this problem a bit now. Google and RTFM have
>> been pretty kind to me, and I'm about 90% to having a solution
>> implemented. I've gotten hung up on one little detail,
mailbox)
Sep 3 20:18:01 perrin postfix/qmgr[19404]: 4C44D3353FF: removed
It looks a lot like it's not doing any sort of authentication when
trying to connect to the ISP's mail server. Any suggestions? Feel
free to suggest something that might seem painfully obvious to you,
Than