ratelimiting outgoing mail

2013-07-11 Thread Przemysław Orzechowski
Hi, I need to set up a server that will ratelimit outgoing mail but will accept all messages from authenticated users regardless of ratelimit. I know it's a somewhat strange approach but ... it's the higher-ups' decision. I'm thinking of a dual instance setup. First instance will accept external mail and mail fr

Re: ratelimiting outgoing mail

2013-07-11 Thread Wietse Venema
Przemysław Orzechowski: > Hi > > I need to set up a server that will ratelimit outgoing mail but will accept > all messages from authenticated users regardless of ratelimit. > I know it's a somewhat strange approach but ... it's the higher-ups' decision postfwd (postfwd.org) implements per-client/sender rate

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Stefan Jakobs
On Wednesday, 10 July 2013, 18:32:32, Viktor Dukhovni wrote: > On Wed, Jul 10, 2013 at 05:21:38PM +0200, Stefan Jakobs wrote: > > I attached a full trace with a successful TLS session, an unsuccessful TLS > > session and the following fallback to a clear session. > > The trace looks wrong. I'm not

Re: multiple relay

2013-07-11 Thread Wietse Venema
Pol Hallen: [ Charset ISO-8859-1 unsupported, converting... ] > Hi all :-) I'm not sure which parameters are correct, I've: > > pc1 - user1 > pc2 - user2 > pc3 - user3 > > I need to set postfix with multiple relay: > > if user1 sends an email to domain1, postfix should send using > mail.server1.or

Block before Recipient address rejected: User unknown?

2013-07-11 Thread Juerg Reimann
Hi everybody, Is there a way to reject a certain sender email address before he gets a 550 5.1.1 : Recipient address rejected: User unknown? When I add the sender to header_check, he still gets first the User unknown reject when he sends to an unknown user... Thanks, Juerg

Re: Block before Recipient address rejected: User unknown?

2013-07-11 Thread Wolfgang Zeikat
On 2013-07-11 14:30, Juerg Reimann wrote: Is there a way to reject a certain sender email address before he gets a 550 5.1.1 : Recipient address rejected: User unknown? When I add the sender to header_check, he still gets first the User unknown reject when he sends to an unknown user... See htt

Re: ratelimiting outgoing mail

2013-07-11 Thread Marko Weber | ZBF
hi, On 2013-07-11 12:58, wie...@porcupine.org wrote: Przemysław Orzechowski: Hi I need to set up a server that will ratelimit outgoing mail but will accept all messages from authenticated users regardless of ratelimit. I know it's a somewhat strange approach but ... it's the higher-ups' decision post

Re: Block before Recipient address rejected: User unknown?

2013-07-11 Thread Wietse Venema
Juerg Reimann: [ Charset UTF-8 unsupported, converting... ] > Hi everybody, > > Is there a way to reject a certain sender email address before he > gets a 550 5.1.1 : Recipient address rejected: User unknown? > When I add the sender to header_check, he still gets first the > User unknown reject wh

Re: multiple relay

2013-07-11 Thread Pol Hallen
> http://www.postfix.org/SOHO_README.html#client_sasl_sender Wietse thanks :-) Pol

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote: > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \ > "ALL:+RC4:@STRENGTH" -connect server.example.com:25 > 250 DSN > drop connection and then reconnect > SSL3 alert write:warning:close notify > CONNECTED(000

Re: GSSAPI with SMTP client

2013-07-11 Thread Viktor Dukhovni
On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote: > Just for posterity, I put together a set of instructions on how to do > this beginning to end here: > > https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-and-a-relaying-smtp-client/ > > Though it uses FreeIPA

Re: bad_sender_restrictions and baddomain_restrictions, working together

2013-07-11 Thread Feel Zhou
Hello, my friend smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_reject_addr_check, check_client_access cidr:/etc/postfix/enforce_ip_match_domain If setting like this in main.cf, maybe "IP_match_domain" restrictions do not working what do you think? TOM 2013/7/11 F

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 01:48:01PM +, Viktor Dukhovni wrote: > Unfortunately, the "reconnect" code in s_client (at least with > 0.9.8j) forgets to do SMTP "STARTTLS", so this fails because > "220 hostname" is not an SSL server HELO. Fix reported in 2008, not yet applied: https://rt.openssl.o

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Stefan Jakobs
Viktor Dukhovni wrote: > On Thu, Jul 11, 2013 at 01:47:09PM +0200, Stefan Jakobs wrote: > > $ openssl s_client -no_ssl2 -reconnect -starttls smtp -state -cipher \ > > > > "ALL:+RC4:@STRENGTH" -connect server.example.com:25 > > > > 250 DSN > > drop connection and then reconnect > > SSL3 alert w

Re: SSL3_GET_MESSAGE:unexpected message

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote: > > > SSL_connect:error in SSLv3 read server hello A > > > 13820:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version > > > > > number:s3_pkt.c:281: > > > > Unfortunately, the "reconnect" code in s_client (at least with > > 0.9.8

Re: bad_sender_restrictions and baddomain_restrictions, working together

2013-07-11 Thread Noel Jones
On 7/11/2013 9:32 AM, Feel Zhou wrote: > Hello, my friend > smtpd_sender_restrictions = > check_sender_access hash:/etc/postfix/sender_reject_addr_check, > check_client_access cidr:/etc/postfix/enforce_ip_match_domain > If setting like this in main.cf , maybe > "IP_match_domain"

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Stefan Jakobs
Viktor Dukhovni wrote: > On Thu, Jul 11, 2013 at 04:55:00PM +0200, Stefan Jakobs wrote: [...] > So 0.9.8j does not implement session tickets correctly. With Postfix > 2.11 you can add: > > tls_ssl_options = NO_TICKET > > to main.cf to work-around this specific problem, without disabling >

Re: GSSAPI with SMTP client

2013-07-11 Thread Erinn Looney-Triggs
On 07/11/2013 10:01 AM, Viktor Dukhovni wrote: > On Wed, Jul 10, 2013 at 09:17:40PM -0400, Erinn Looney-Triggs wrote: > >> Just for posterity, I put together a set of instructions on how to do >> this beginning to end here: >> >> https://stomp.colorado.edu/blog/blog/2013/07/09/on-freeipa-postfix-a

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote: > > So 0.9.8j does not implement session tickets correctly. With Postfix > > 2.11 you can add: > > > > tls_ssl_options = NO_TICKET > > > > to main.cf to work-around this specific problem, without disabling > > TLSv1, but I would

Re: GSSAPI with SMTP client

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 11:23:50AM -0400, Erinn Looney-Triggs wrote: > > GSSAPI inside TLS currently does not perform channel binding, and > > so your session can be hijacked, after the client authenticates > > with GSSAPI. You can use "fingerprint" security if your server > > certificate is not

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote: > Now I get it. Thank you Viktor for walking me through this. Note that if you disable "SSLv2" as recommended for a long time now: smtp_tls_protocols = !SSLv2 smtp_tls_mandatory_protocols = !SSLv2 you may well f

Re: SSL3_GET_MESSAGE:unexpected message (thanks)

2013-07-11 Thread Viktor Dukhovni
On Thu, Jul 11, 2013 at 03:54:37PM +, Viktor Dukhovni wrote: > Therefore, disable SSLv2 in the Postfix client, and you'll almost > never see this issue. (You could run into it if a server decided > to renew a ticket, but this is rather unlikely, almost certainly > no SMTP servers have code fo