On 2014-02-24 john wrote:
> I have the following log entry:
> (Slightly modified to protect the innocent, changed actual name to
> user and domain to example)
>
> " 2014-02-24T16:45:12.836244+11:00 penguin postfix/smtpd[6520]:
> warning: Illegal address syntax from localhost[127.0.0.1] in MAIL
> c
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
I know that there are many side-effects and things which don't work,
but that does not mean that one can at least try?
Sorry, no half-assed solutions that work only sometimes and break
unpredictably.
Yes, the same story again. When it does not work
Dirk Stöcker:
> >> 5) with a trusted cert matching the hostname + hostname == reverse DNS
> >
> > This is even more meaningless.
>
> It is an additional level of security. Only a very small bit, yes, but it
PLEASE DO NOT call this "security". This stuff is weaker than spam
filter heuristics, an
On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
> > >Oh yes - DNSSEC. When will it come? In hundred years?
> >
> >Available today. Two of my domains are signed, the third will be
> >shortly. And you're complaining about people being complacent and
> >stuck in the past.
>
> I don't
Hello,
I am using reject_unverified_recipient to reject undeliverable addresses on our
hosts. We are using postfix with cyrus as imap server. I have a question
regarding the reject_unverified_recipient setting for local over quota
addresses in combination with a .forward file.
Clients on the h
Michael van Es:
> Hello,
>
> Clients on the host can use a procmail filter, the .forward file
> forwards the message to procmail [which gives the mail to Cyrus].
[how can Postfix "verify" find out that the Cyrus mailbox is over-quota]
It can't, not even when Postfix gives the mail directly to C
Wietse Venema:
> Michael van Es:
> > Hello,
> >
> > Clients on the host can use a procmail filter, the .forward file
> > forwards the message to procmail [which gives the mail to Cyrus].
>
> [how can Postfix "verify" find out that the Cyrus mailbox is over-quota]
>
> It can't, not even when Pos
On Mon, Feb 24, 2014 at 10:21:59AM -0500, Wietse Venema wrote:
> Wietse Venema:
> > Michael van Es:
> > > Hello,
> > >
> > > Clients on the host can use a procmail filter, the .forward file
> > > forwards the message to procmail [which gives the mail to Cyrus].
> >
> > [how can Postfix "verify"
On Mon, 24 Feb 2014, Wietse Venema wrote:
The absence of observed variation does not mean nothing of relevance
has changed, and the presence of benign observed changes drowns out
the malicious ones, assuming that the malicious party is stupid
enough to reveal itself.
Well, if the only output o
On Mon, Feb 24, 2014 at 06:35:43PM +0100, Dirk Stöcker wrote:
> >The absence of observed variation does not mean nothing of relevance
> >has changed, and the presence of benign observed changes drowns out
> >the malicious ones, assuming that the malicious party is stupid
> >enough to reveal itself
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
I don't want to have a perfection box which can't communicate with
the rest of the world, but something which helps with today's
internet.
Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
mailserver has TLSA records. Enabling DNSSEC doe
Am 24.02.2014 19:03, schrieb Dirk Stöcker:
> On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
>
>>> I don't want to have a perfection box which can't communicate with
>>> the rest of the world, but something which helps with today's
>>> internet.
>>
>> Nonsense. Patrick Koetter's .de domain is DNSSEC s
Dirk Stöcker:
> On Mon, 24 Feb 2014, Wietse Venema wrote:
>
> > The absence of observed variation does not mean nothing of relevance
> > has changed, and the presence of benign observed changes drowns out
> > the malicious ones, assuming that the malicious party is stupid
> > enough to reveal itse
On Mon, Feb 24, 2014 at 07:03:21PM +0100, Dirk Stöcker wrote:
> >Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> >mailserver has TLSA records. Enabling DNSSEC does not prevent you
> >from communicating with the rest of the world. Furthermore, you
> >can enable DNSSEC validation
On Mon, Feb 24, 2014 at 01:16:39AM +0100, Dirk Stöcker wrote:
> On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
> >If you want scalable security for SMTP, become an early adopter
> >of DANE TLS, available in Postfix 2.11. Today, you'll be able
> >to opportunistically authenticate the handful of DNSSEC
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
With a bit of luck roughly 5 years. Exim has not implemented DANE
yet, and the RFC for DANE TLS for SMTP has not yet been ratified
by the IETF. The first Postfix release with DANE just came out
last month, and is not in most O/S distributions.
You'
On Mon, 24 Feb 2014, /dev/rob0 wrote:
Oh yes - DNSSEC. When will it come? In hundred years?
Dirk, do you mind explaining this? Are you having trouble finding
DNSSEC-enabled DNS hosting?
Reading about it for years - always with "Delayed" as main information
(same like for IPv6). But OTOH dur
On 24 Feb 2014, at 06:09 , Viktor Dukhovni wrote:
> On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
>
> Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> mailserver has TLSA records. Enabling DNSSEC does not prevent you
> from communicating with the rest of the world
On Mon, Feb 24, 2014 at 10:15:48PM +0100, Dirk Stöcker wrote:
> >You're asking for a verification status that would indicate
> >conditional MITM protection:
> >
> > - False negative: MITM protection is illusory when the MX
> > hostname is compromised through DNS record forgery.
> >
> > - F
On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
> > Furthermore, you
> > can enable DNSSEC validation in your resolver before your own domain
> > is signed. The two are independent.
>
> Wait, what? You can?
Sure, you can validate other people's domains even if your own
domain is not si
* Viktor Dukhovni :
> On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
>
> > > Furthermore, you
> > > can enable DNSSEC validation in your resolver before your own domain
> > > is signed. The two are independent.
> >
> > Wait, what? You can?
>
> Sure, you can validate other people's dom
On 24 Feb 2014, at 14:43 , Viktor Dukhovni wrote:
> Sure, you can validate other people's domains even if your own
> domain is not signed. These are independent.
Oh, right. Yes. OTHER people's domains. Never mind. :)
--
Sometimes the only thing you could do for people was to be there. --Soul
M
On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
> On 24 Feb 2014, at 06:09 , Viktor Dukhovni
> wrote:
> > On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
> >
> > Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
> > mailserver has TLSA records. Enabling DNSS
On Mon, Feb 24, 2014 at 10:50:24PM +0100, Patrick Ben Koetter wrote:
> * Viktor Dukhovni :
> > On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
> > > unbound is better than bind for this sort of thing? (I noticed
> > > freeBSD 10 has switched from bind to unbound, I expect they
> > > have
On Mon, Feb 24, 2014 at 04:38:12PM -0600, /dev/rob0 wrote:
> On Mon, Feb 24, 2014 at 02:36:46PM -0700, LuKreme wrote:
> > On 24 Feb 2014, at 06:09 , Viktor Dukhovni
> > wrote:
> > > On Mon, Feb 24, 2014 at 12:26:42PM +0100, Dirk Stöcker wrote:
> > >
> > > Nonsense. Patrick Koetter's .de domain
25 matches