Hello,
I'm lost and don't find any solution anymore, so I now need to ask.
I'm running three mail-servers with Postfix 2.9.6 (valid TLS cert), 2.7.2
(self-signed), 2.11.0 (self-signed).
And whatever I do I'm unable to get any of these three to show a trusted
connection to any of the others.
In an older episode, on 2014-02-23 00:38, Peter Marius wrote:
So it is just a coincidence that the "MAIL FROM" and "From:" match for web.de?
Both ways of usage are common and legitimate, so I would not call it a
coincidence. See
https://de.wikipedia.org/wiki/SMTP#Protokoll
Nothing wrong/fis
Dirk Stöcker:
> Hello,
>
> I'm lost and don't find any solution anymore, so I now need to ask.
If in doubt, turn off chroot. Some Linux distributions mistakenly
turn it on and make Postfix unnecessarily difficult to use.
Wietse
http://www.postfix.org/DEBUG_README.html#no_chroot
TRY TUR
I might switch from Dovecot to Courier or something else one day, but will
probably always use Postfix, so it is less work and I like to catch the "bad
guys" as early as possible in the chain, will try header_checks now. :-)
Yeah, discarding feels little harsh, but the last 10-15 years the mails
On Sun, Feb 23, 2014 at 02:28:07PM +0100, Dirk Stöcker wrote:
> And whatever I do I'm unable to get any of these three to show a
> trusted connection to any of the others. It trusts Google and GMX
> and whatever, but not my own servers. That's disturbing.
>
> Here the configs I use essentially
E
Viktor Dukhovni:
> diff --git a/src/tls/tls_client.c b/src/tls/tls_client.c
> --- a/src/tls/tls_client.c
> +++ b/src/tls/tls_client.c
> @@ -1045,7 +1045,9 @@ TLS_SESS_STATE *tls_client_start(const
> TLS_CLIENT_START_PROPS *props)
> */
> if (log_mask & TLS_LOG_SUMMARY)
> msg_info("
Hi all :-) I'm searching for how notify by email the mail queue... (if
there're emails inside queue). Any idea?
thanks!
Pol
Am 23.02.2014 19:22, schrieb Pol Hallen:
> Hi all :-) I'm searching for how notify by email the mail queue... (if
> there're emails inside queue). Any idea?
will not help much if it's too late and you receive
no mails at all but in most cases enough to realize
that there is a problem growing
/et
Cheers! Very thanks boy :-)
Pol
> Am 23.02.2014 19:22, schrieb Pol Hallen:
>> Hi all :-) I'm searching for how notify by email the mail queue... (if
>> there're emails inside queue). Any idea?
>
> will not help much if it's too late and you receive
> no mails at all but in most cases enough to rea
On Sun, Feb 23, 2014 at 12:38:26PM -0500, Wietse Venema wrote:
> Applied to Postfix 2.8 and onwards.
Thanks. Returning to the OP's question, disabling anonymous
cipher-suites will not substantially help to (after the fact) detect
MITM attacks. All the attacker has to do is present some other
cer
I'm not sure if anyone use policyd (postfix cluebringer) but I can't solve
a noise problem. policyd put limits to a number of emails, so reading this
post from policyd:
http://lists.policyd.org/pipermail/users_lists.policyd.org/2013-December/004283.html
"I think You want postfix to accept all mai
Postfix has built-in rate limiting for outbound mail. See the rate_delay
example in http://www.postfix.org/QSHAPE_README.html#backlog
Wietse
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
> On Sun, Feb 23, 2014 at 02:28:07PM +0100, Dirk Stöcker wrote:
>> And whatever I do I'm unable to get any of these three to show a
>> trusted connection to any of the others. It trusts Google and GMX
>> and whatever, but not my own servers. That's disturbing.
Am 23.02.2014 23:57, schrieb Dirk Stöcker:
> Seems Postfix still needs to learn a lot about secure connections
seems you need to do so
in case of opportunistic there is not real trust
trusted in case of a secure connection means both sides know each
other - opportunistic means the other side nee
On Mon, 24 Feb 2014, li...@rhsoft.net wrote:
>> Seems Postfix still needs to learn a lot about secure connections
> seems you need to do so
> in case of opportunistic there is not real trust
> trusted in case of a secure connection means both sides know each
> other - opportunistic means the other side
On Sun, 23 Feb 2014, Dirk Stöcker wrote:
>> If this is important to you, set:
>> smtp_tls_exclude_ciphers=aNULL
>> for the transport that delivers mail between your internal systems.
> Does not sound like what I want. I don't want to hardcode a specific handling
> for some servers, I want that the "
On Sun, Feb 23, 2014 at 11:57:35PM +0100, Dirk Stöcker wrote:
> >When both sides are Postfix, and the client is opportunistic, the
> >server and client typically agree to a cipher-suite without any
> >certificates. Why bother, if the client does not check anyway.
>
> Because it allows to at to l
On Mon, Feb 24, 2014 at 12:25:50AM +0100, Dirk Stöcker wrote:
> >> smtp_tls_exclude_ciphers=aNULL
> >>
> >> for the transport that delivers mail between your internal systems.
> >
> >Does not sound like what I want. I don't want to hardcode a
> >specific handling for some servers, I want that the
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>> smtp_tls_verify_certs=whenpossible
> SMTP is not HTTP. Due to MX indirection, peer authentication is
> not possible without explicit per-destination configuration. Once
> you've gone to all that trouble, you may as well configure a "secure"
> channel.
I
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>> I hope there aren't any TLS capable mailservers, which fallback to
>> unencrypted transmission, when I use this.
> Fallback is up to the client. I am not aware of any Internet facing
> MX hosts that offer STARTTLS without any server certificate. Lots
> of SMTP
Am 24.02.2014 01:16, schrieb Dirk Stöcker:
> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>>> smtp_tls_verify_certs=whenpossible
>>
>> SMTP is not HTTP. Due to MX indirection, peer authentication is
>> not possible without explicit per-destination configuration. Once
>> you've gone to all that
On 23 Feb 2014, at 15:57 , Dirk Stöcker wrote:
> Seems Postfix still needs to learn a lot about secure connections. Your
No, you are simply not understanding the purpose of opportunistic TLS. The
purpose is not to verify identity, but simply to encrypt the transmission
channel. Identity is meani
Dirk Stöcker:
> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
>
> >> I hope there aren't any TLS capable mailservers, which fallback to
> >> unencrypted transmission, when I use this.
> >
> > Fallback is up to the client. I am not aware of any Internet facing
> > MX hosts that offer STARTTLS without a
On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:
> >SMTP is not HTTP. Due to MX indirection, peer authentication is
> >not possible without explicit per-destination configuration. Once
> >you've gone to all that trouble, you may as well configure a "secure"
> >channel.
>
> I know t
hould not rely on this old bug forever. It will eventually
> > > be fixed.
> > >
> > Get it.
> > Thank you
>
> Moreover, snapshot 20140219 does not change anything: the test that
> I added is a NOOP. Thus, the 20140219 SMTP client behaves the same
> way as
I have the following log entry:
(Slightly modified to protect the innocent, changed actual name to user and
domain to example)
" 2014-02-24T16:45:12.836244+11:00 penguin postfix/smtpd[6520]: warning:
Illegal address syntax from localhost[127.0.0.1] in MAIL command:
<-timeshare.escape.artist-use
26 matches