> On Dec 10, 2019, at 12:40 PM, Fred Morris wrote:
>
> "Am I secure?" That's a philosophical question. Will I have enough for
> retirement? Can I ever feel secure as long as there is a dolphin in danger on
> the planet? Or... there's no point in trying, because a meteoroid will wipe
> us all o
There is a lot of flawed reasoning about security ... take, for example:
On Mon, 9 Dec 2019, LuKreme wrote:
On Dec 9, 2019, at 12:58, Viktor Dukhovni wrote
[...]
unauthenticated loopback (and other "mynetworks")
traffic is normal.
The configuration as posted, and specifically the line I quoted
On 09/12/2019 20:54, Viktor Dukhovni wrote:
On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
The configuration as posted, and specifically the line I quoted directly above
my comment, allowed unauthenticated traffic from anything on the LAN. This
means random printers, IOT devices, android phones
On 12/9/19 2:29 PM, @lbutlr wrote:
On 09 Dec 2019, at 13:54, Viktor Dukhovni wrote:
On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
The configuration as posted, and specifically the line I quoted directly above
my comment, allowed unauthenticated traffic from anything on the LAN. This
means rand
On 09 Dec 2019, at 13:54, Viktor Dukhovni wrote:
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>> The configuration as posted, and specifically the line I quoted directly
>> above my comment, allowed unauthenticated traffic from anything on the LAN.
>> This means random printers, IOT devices, an
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>
> The configuration as posted, and specifically the line I quoted directly
> above my comment, allowed unauthenticated traffic from anything on the LAN.
> This means random printers, IOT devices, android phones, etc were allowed to
> send mail unc
On Dec 9, 2019, at 12:58, Viktor Dukhovni wrote
> Please don't impute false crises. There is no "security hole", though the
> configuration is a mess, unauthenticated loopback (and other "mynetworks")
> traffic is normal.
The configuration as posted, and specifically the line I quoted directly a
On Mon, Dec 09, 2019 at 01:02:23PM +, Felix Rubio wrote:
> Thank you very much for your answer. I really appreciate the time you
> took to go through it. The reason for having the tls/auth parameters
> configured was, actually, a requirement I did not write (sorry for that,
> I wrote th
On Mon, Dec 09, 2019 at 06:15:16AM -0700, @lbutlr wrote:
> > On 09 Dec 2019, at 00:17, Felix Rubio wrote:
> >
> > Allow unencrypted/unauthenticated users to submit mail from local
> > (127.0.0.x) connections
Whether or not one is willing (or needs) to allow unauthenticated connections
from 12
Yes, because those ranges belonged to virtual interfaces I previously
had on my machine. I removed that already. Thank you for the comment,
though!
On 2019-12-09 13:15, @lbutlr wrote:
On 09 Dec 2019, at 00:17, Felix Rubio wrote:
Allow unencrypted/unauthenticated users to submit mail from lo
> On 09 Dec 2019, at 00:17, Felix Rubio wrote:
>
> Allow unencrypted/unauthenticated users to submit mail from local
> (127.0.0.x) connections
There is no need for this, and it is dangerous. Just because a connection is
local doesn’t mean it is trustworthy.
>mynetworks = 127.0.0.0/24,
Hi Viktor,
Thank you very much for your answer. I really appreciate the time you
took to go through it. The reason for having the tls/auth parameters
configured was, actually, a requirement I did not write (sorry for that,
I wrote the mail in a hurry :-/):
- Require encrypted and authenti
On Mon, Dec 09, 2019 at 07:17:46AM +, Felix Rubio wrote:
> My requirements are:
> - Require encrypted and authenticated user to submit mail from non-local
> (other than 127.0.0.x) connections
> - Allow unencrypted/unauthenticated users to submit mail from local
> (127.0.0.x) connections
>
Hi all,
I have been running a postfix server for a while. Though I think I
have come with a sensible configuration, I have not been able to check
if it is really sound. Can somebody give it a look, security-wise?
My requirements are:
- Require encrypted and authenticated user to submit ma
Dave Jones:
> I know there is a "postfix check" that will do some basic checks of
> permissions and directories, but is there a command that will check config
> file syntax? For example, if an IP address is fat-fingered in the
> mynetworks line, postfix will reload and run but gives "Temporary loo
I know there is a "postfix check" that will do some basic checks of
permissions and directories, but is there a command that will check config
file syntax? For example, if an IP address is fat-fingered in the
mynetworks line, postfix will reload and run but gives "Temporary lookup
failure" errors
you don't want "reject_unknown_recipient_domain" for submissions because
a MUA can't handle a 4xx reject and the same for
"reject_unknown_sender_domain"
"smtpd_sender_restrictions" is not needed at all if you enforce auth and
"reject_authenticated_sender_login_mismatch"
for a submission-only
I have a working solution for a submission-only system I’m setting up. It
seems to be doing what I need.
There will be no local delivery. Even the cronjobs on this system will be sent
elsewhere.
The configuration is shown below. I’ve disabled several services; I think they
won’t be required.
Perfect, thanks!
On Mon, Aug 11, 2014, at 09:26 AM, Noel Jones wrote:
> Yes, that sounds right.
On 8/11/2014 11:19 AM, terrygalant.li...@fastest.cc wrote:
> Hi Noel
>
> On Mon, Aug 11, 2014, at 09:11 AM, Noel Jones wrote:
>> proxy_interfaces should list any external IPs that *this* postfix is
>> connected to on the other side of a NAT. Any IPs that are not
>> "local" on this box that connec
Hi Noel
On Mon, Aug 11, 2014, at 09:11 AM, Noel Jones wrote:
> proxy_interfaces should list any external IPs that *this* postfix is
> connected to on the other side of a NAT. Any IPs that are not
> "local" on this box that connect to postfix should be listed here.
By 'connect' you do mean 'repon
On 8/11/2014 11:04 AM, terrygalant.li...@fastest.cc wrote:
> Greetings!
>
> I have 3 servers connected via lan & vpn.
>
> SERVER-1 is a hosted VM in the cloud
> EXTIF eth0 (198.51.100.1, 198.51.100.2, 10.0.1.1)
> TUNIF tun1 (192.168.1.1)
>
> SERVER-2 is my LAN's router/firewall
> EXTIF e
Greetings!
I have 3 servers connected via lan & vpn.
SERVER-1 is a hosted VM in the cloud
EXTIF eth0 (198.51.100.1, 198.51.100.2, 10.0.1.1)
TUNIF tun1 (192.168.1.1)
SERVER-2 is my LAN's router/firewall
EXTIF eth0 (203.0.113.1)
TUNIF tun1 (192.168.1.2)
INTIF eth1 (10.0.2.1, 172.16.2.1
On 05.11.2013 12:41, mark hardwick wrote:
> For this I followed some short instructions for postfix + amavisd-new here :
> http://blog.purrdeta.com/2012/06/guide-to-dkim-signing-with-amavisd-new-and-postfix/
This setup works only if the mail is delivered on the submission-port.
If you would li
On 11/5/2013 5:41 AM, mark hardwick wrote:
> Hi All
> I'm setting up a new email server and I'm fairly green so I just wanted
> someone to confirm I'm not doing anything stupid.
>
> First I've followed the instructions from Falco here:
> http://www.howtoforge.com/virtual-users-and-domains-with-po
Hi All
I'm setting up a new email server and I'm fairly green so I just wanted someone
to confirm I'm not doing anything stupid.
First I've followed the instructions from Falco here:
http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-debian-wheezy
thi
On Thursday 27 October 2011 03:43:26 IT geek 31 wrote:
> > No, since that will only whitelist the sender part;
> > smtpd_recipient_restrictions may still reject the message or the
> > recipient(s).
> > Put the sender check in smtpd_recipient_restrictions instead.
>
> So would this work:
>
> smtpd
>So would this work:
>
>smtpd_recipient_restrictions = permit_sasl_authenticated,
>check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
>reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client
>zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, permit
>
>As in the m
> No, since that will only whitelist the sender part;
> smtpd_recipient_restrictions may still reject the message or the
> recipient(s).
> Put the sender check in smtpd_recipient_restrictions instead.
So would this work:
smtpd_recipient_restrictions = permit_sasl_authenticated,
check_sender_acces
On 2011-10-27 01:35, IT geek 31 wrote:
I guess what I'm after is a way to whitelist certain senders. ie. if
they're okay, then no further processing is needed - just deliver. Is
this possible? If so, presumably smtpd_sender_restrictions =
check_sender_access hash:/sender_access is the place to
Hi Rob
Thanks for your reply - that's certainly cleared a few things up!
>> check_recipient_access hash:/usr/pkg/etc/postfix/access,
>
> "access" is a bad name for this. Since you're checking recipient
> addresses, I would suggest a name of "rcpt_access", or similar.
I've renamed this to sender_
On Wednesday 26 October 2011 16:28:43 IT geek 31 wrote:
> I'm trying to achieve the following:
>
> Stop spammers (obviously)
> Permit relaying when I'm outside the network (using SASL)
>
> After reading through postconf, to prevent duplicate checks I
> removed a number of checks from smtpd_sender
Hi,
I'm trying to achieve the following:
Stop spammers (obviously)
Permit relaying when I'm outside the network (using SASL)
After reading through postconf, to prevent duplicate checks I removed
a number of checks from smtpd_sender_restrictions, so that it now
looks like this:
smtpd_sender_rest
take the latest srpm of your distribution's version
as base and remove patches from the SPEC-File
On 24.01.2011 10:01, Walter Pinto wrote:
> I couldn't find any 2.8.0-1 SRPMS.
--
Best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-d
I couldn't find any 2.8.0-1 SRPMS.
On Sun, Jan 23, 2011 at 06:56:09PM -0800, Walter Pinto wrote:
> make makefiles \
> CCARGS='-fPIC -DUSE_TLS -DUSE_SSL \
> -DHAS_MYSQL -I/usr/include/mysql -DPREFIX=\"/usr\" \
> -DSNAPSHOT -I/usr/include/openssl \
> -I/usr/include' \
> AUXLIBS='-L/usr/lib64 -L/usr/lib/openssl -lssl -lcrypto \
> -lz
I used the following to build from source after backing up my config dir:
make makefiles \
CCARGS='-fPIC -DUSE_TLS -DUSE_SSL \
-DHAS_MYSQL -I/usr/include/mysql -DPREFIX=\"/usr\" \
-DSNAPSHOT -I/usr/include/openssl \
-I/usr/include' \
AUXLIBS='-L/usr/lib64 -L/usr/lib/openssl -lssl -lcrypto \
-lz -l
On Fri, Jan 21, 2011 at 6:50 PM, Walter Pinto wrote:
> CentOS 5.5
>
> mail_version = 2.3.3
Hi Walter,
I realize that 2.3.3 is the version of Postfix that is installed by
the default CentOS repos, but as already recommended on this thread,
you may want to consider the jump to a newer version.
I
Noel,
You're correct about reject_sender_login_mismatch , the problem is
with my smtpd_sender_login_maps query and not the restriction itself.,
I'll have to revisit that at a later time. Thanks for all your help.
On 1/22/2011 4:46 PM, Walter Pinto wrote:
Thanks guys.
My relay server has been upgraded to 2.7.2 and smtp server to 2.4.13
inet_protocols = all < Had to add this due to some SPF records
now using ip6: entries
reject_sender_login_mismatch before permit_sasl_authenticated <---
Results in the
Thanks guys.
My relay server has been upgraded to 2.7.2 and smtp server to 2.4.13
inet_protocols = all < Had to add this due to some SPF records
now using ip6: entries
reject_sender_login_mismatch before permit_sasl_authenticated <---
Results in the following unwanted result:
Jan 22 14:30:
On 1/22/2011 11:10 AM, Stan Hoeppner wrote:
Walter Pinto put forth on 1/21/2011 10:57 PM:
I used the following command to determine what needed to be removed
from my main.cf:
postconf -d > defaultcfg && postconf -n > customcfg && perl -ne 'print
if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defau
Walter Pinto put forth on 1/21/2011 10:57 PM:
> I used the following command to determine what needed to be removed
> from my main.cf:
>
> postconf -d > defaultcfg && postconf -n > customcfg && perl -ne 'print
> if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
>
> Then I made the suggested
On 1/22/2011 2:58 AM, Walter Pinto wrote:
This is the config for my SMTP server, anything stand out?
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 5
disable_vrfy_command =
This is the config for my SMTP server, anything stand out?
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/hea
Sahil,
I tested your command and it worked, thanks for that.
On Fri, 2011-01-21 at 20:57:18 -0800, Walter Pinto wrote:
> I used the following command to determine what needed to be removed
> from my main.cf:
>
> postconf -d > defaultcfg && postconf -n > customcfg && perl -ne 'print
> if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
FWIW, an untested
I used the following command to determine what needed to be removed
from my main.cf:
postconf -d > defaultcfg && postconf -n > customcfg && perl -ne 'print
if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
Then I made the suggested changes and I'm left with:
anvil_rate_time_unit = 180s
bod
On 1/21/2011 9:46 PM, Walter Pinto wrote:
Thanks Noel, I will make the suggested changes along with cleaning out
the defaults. As far as the check policy goes, I shouldn't have any
issues moving it on this server because all I have enabled is HELO and
SPF checking. Now on my SMTP server, I have to
Thanks Noel, I will make the suggested changes along with cleaning out
the defaults. As far as the check policy goes, I shouldn't have any
issues moving it on this server because all I have enabled is HELO and
SPF checking. Now on my SMTP server, I have to have it before or else
the quota checking d
On 1/21/2011 7:42 PM, Walter Pinto wrote:
Thanks Noel. Let me know if I'm missing anything. This server is
supposed to act just as a relay.
postconf -n
alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
CentOS 5.5
mail_version = 2.3.3
Walter Pinto put forth on 1/21/2011 7:42 PM:
> Thanks Noel. Let me know if I'm missing anything. This server is
> supposed to act just as a relay.
It sure would read a lot easier if you didn't manually declare all those default
settings. Which Linux distro is this? Whoever packages Postfix with
Thanks Noel. Let me know if I'm missing anything. This server is
supposed to act just as a relay.
postconf -n
alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directo
On 1/21/2011 7:11 PM, Walter Pinto wrote:
I've been somewhat satisfied with the config I've had in place for a
while, but I thought it wouldn't hurt to have the experts take a look
and see if I've fubared something. Would the preferred method be a
postconf -n or snippets from main.cf?
You're we
I've been somewhat satisfied with the config I've had in place for a
while, but I thought it wouldn't hurt to have the experts take a look
and see if I've fubared something. Would the preferred method be a
postconf -n or snippets from main.cf?