Re: valvula or policyd

2015-01-07 Thread Benning, Markus
Hi, I just uploaded version 1.15 of mtpolicyd with support for accounting and quotas: https://markusbenning.de/blog/?p=36 I also wrote a small guide on how to implement SMTP-level accounting/quotas with mtpolicyd: https://mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::HowtoA

Issues using Postfix behind a load balancer

2015-01-07 Thread Brad Riemann
Hello! First time caller, long time listener :). I've been working on a new mail filtering solution for our company that revolves around the solution receiving inbound mail through a load balancer. We have come upon an issue that I am not finding any sort of documentation or notes that others

Re: DANE and DLV

2015-01-07 Thread John
I assume this list is "best" to "worst" ; Use "3 1 1", the other three are OK, but "3 1 1" is better. _25._tcp.mx.example.com. IN TLSA 3 1 1 _25._tcp.mx.example.com. IN TLSA 3 0 1 _25._tcp.mx.example.com. IN TLSA 3 1 2 _25._tcp.mx.example.com. IN TLSA 3

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 01:00:10PM -0500, John wrote: > I assume this list is "best" to "worst" Roughly speaking yes, though none are a disaster. Pick usage "3" in most cases, but if you know what you're doing, want to operate an internal CA and have lots of hosts to secure, usage 2 might be ri

Re: Issues using Postfix behind a load balancer

2015-01-07 Thread Wietse Venema
Brad Riemann: > The issue, if you don't see it, is that postfix seems to be using > the load balancer ip as the last hop, and because the load balancer > is just pushing content through it is not recording the previous > hop to the headers, which is causing some issues.. Postfix can get the client

RE: Issues using Postfix behind a load balancer

2015-01-07 Thread Brad Riemann
Thanks Wietse, I figured that was where I was at, but was hoping there were other options I hadn't uncovered.. Brad -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema Sent: Wednesday, January 07, 2015 12:32 PM To:

Re: Issues using Postfix behind a load balancer

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 01:31:45PM -0500, Wietse Venema wrote: > Brad Riemann: > > The issue, if you don't see it, is that postfix seems to be using > > the load balancer ip as the last hop, and because the load balancer > > is just pushing content through it is not recording the previous > > hop

Re: DANE and DLV

2015-01-07 Thread John
On 1/7/2015 1:22 PM, Viktor Dukhovni wrote: I am not sure I understand this. Why are you linking the two? I am not linking anything. I am not sure what TLSA updates have to do with key rotation, other than that it might be a good idea to do them at the same time. Maybe it's my oddball way of readi

Re: DANE and DLV

2015-01-07 Thread Jean Bruenn
On 07/01/15 02:07, Jim Reid wrote: BTW, it's particularly unwise to adopt DLV to kludge around TLD registries or registrars who can't/won't support DNSSEC properly. This was the OP's rationale for going down that path. IMO the OP should switch to another registrar and let the slacker registrar

Re: DANE and DLV

2015-01-07 Thread Jean Bruenn
On 07/01/15 02:01, Viktor Dukhovni wrote: Of the approximately 800 domains that I found to have published DANE TLSA records for SMTP to date, too many had various problems. We'll announce a testing site soon that will help detect problems early, but it won't prevent them if the site's administr

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 01:47:06PM -0500, John wrote: > >I am not sure I understand this. Why are you linking the two? > >I am not linking anything. > > I am not sure what TLSA updates have to do with key rotation, other than that they > might be a good idea to do at the same time. Maybe it's my od

Re: DANE and DLV

2015-01-07 Thread Thomas Leuxner
* Jean Bruenn 2015.01.07 19:54: > I don't want to go offtopic but there seem to be still "many" > registrars which do not support DNSSEC. I for example asked > three different registrars in Germany and got the same > answer - they're working on it, due to the little demand > they haven't implemen

Re: DANE and DLV

2015-01-07 Thread Jean Bruenn
On 07/01/15 20:09, Thomas Leuxner wrote: * Jean Bruenn 2015.01.07 19:54: I don't want to go offtopic but there seem to be still "many" registrars which do not support DNSSEC. I for example asked three different registrars in Germany and got the same answer - they're working on it, due to the

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 07:54:03PM +0100, Jean Bruenn wrote: > I am > sure that I'll be able to find a registrar in Germany with the > same prices, a similar realtime API and DNSSEC support. > Still I would not like to switch after 10+ years without any > trouble, to another registrar - call me la

Re: DANE and DLV

2015-01-07 Thread James B. Byrne
On Wed, January 7, 2015 13:54, Jean Bruenn wrote: > > On 07/01/15 02:07, Jim Reid wrote: >> BTW, it's particularly unwise to adopt DLV to kludge around TLD >> registries or registrars who can't/won't support DNSSEC properly. >> This was the OP's rationale for going down that path. IMO the >> OP sh

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 02:44:11PM -0500, James B. Byrne wrote: > This is exactly our situation. We presently use DLV. I can get our > upstream registrar to manually add DS RRs for our .com, .net; and I > believe our .org tlds. But they will not do so for our principal tlds > that belong to .ca.

Re: DANE and DLV

2015-01-07 Thread John Hascall
I've been watching this thread with interest. Assume I have a domain with DNSSEC and inbound mail servers behind a (load-balanced) MX which support TLS. If I've been following along correctly, if I publish a DNS record of the form: _25._tcp.mx.mydomain.org. IN TLSA 3

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 02:07:25PM -0600, John Hascall wrote: > Assume I have a domain with DNSSEC and inbound mail servers behind a > (load-balanced) MX which support TLS. With all of the MX hosts having the same private key and certificate: > If I've been following along correctly, if I publis

Re: DANE and DLV

2015-01-07 Thread John Hascall
Thanks. Very helpful. One more question, though. You say: With all of the MX hosts having the same private key and certificate: (this is true for us) ... Or else multiple such TLSA RRs one per real MX host behind the load-balancer, if the number of back-end hosts is reasonably small. (this n

Re: DANE and DLV

2015-01-07 Thread Viktor Dukhovni
On Wed, Jan 07, 2015 at 02:29:51PM -0600, John Hascall wrote: > On what basis would we decide between a single TLSA record for the MX > vs. individual TLSA records for each actual host? Frankly, I don't see much point in load-balancers in front of inbound port 25 MX hosts. So I'd publish a

ANN: The missing Cyrus SASL man pages

2015-01-07 Thread Patrick Ben Koetter
If you need to configure SMTP AUTH in Postfix you either have the choice to use Cyrus SASL or Dovecot. Cyrus SASL is useful especially on boundary filters, where you don't want to install Dovecot "just to get authentication". But Cyrus SASL is a little underdocumented... Long ago I began to write

Re: ANN: The missing Cyrus SASL man pages

2015-01-07 Thread Wietse Venema
Patrick Ben Koetter: > If you need to configure SMTP AUTH in Postfix you either have the choice to > use Cyrus SASL or Dovecot. Cyrus SASL is useful especially on boundary > filters, where you don't want to install Dovecot "just to get authentication". > > But Cyrus SASL is a little underdocumente

max. safe value "postscreen_greet_wait"

2015-01-07 Thread li...@rhsoft.net
Hi, are there any data on which value is acceptable for "postscreen_greet_wait" so as not to end up with legit SMTP servers giving up and trying again later? We see a massive botnet starting around Dec/27, and daily delivery attempts rose from 5000 to 5 - previously I had 10 seconds and 3 in case o

Re: max. safe value "postscreen_greet_wait"

2015-01-07 Thread Wietse Venema
li...@rhsoft.net: > Hi, > > are there any data on which value is acceptable for > "postscreen_greet_wait" so as not to end up with legit SMTP servers giving up and trying > again later? I would not recommend more than the 6-second default. Legitimate mailing lists may operate with reduced time limits, and if a cl

Re: max. safe value "postscreen_greet_wait"

2015-01-07 Thread li...@rhsoft.net
Am 07.01.2015 um 22:38 schrieb James B. Byrne: On Wed, January 7, 2015 16:29, li...@rhsoft.net wrote: Hi, are there any data on which value is acceptable for "postscreen_greet_wait" so as not to end up with legit SMTP servers giving up and trying again later? Klensin Standards Track

Re: max. safe value "postscreen_greet_wait"

2015-01-07 Thread li...@rhsoft.net
Am 07.01.2015 um 22:46 schrieb Wietse Venema: li...@rhsoft.net: Hi, are there any data on which value is acceptable for "postscreen_greet_wait" so as not to end up with legit SMTP servers giving up and trying again later? I would not recommend more than the 6-second default. Legitimate mailing lists may opera

Re: Yet another relay access denied problem

2015-01-07 Thread Jonathan Hermann
You're right, I'm not the big mail server expert. And sometimes I pose basic questions. But I'm asking since I want functionality AND security to work. No-one likes spam. So thanks to those who provided valuable input I was able to achieve both, according to several open mail relay tests (from

Re: DANE and DLV

2015-01-07 Thread John Allen
On 07/01/2015 3:02 PM, Viktor Dukhovni wrote: On Wed, Jan 07, 2015 at 02:44:11PM -0500, James B. Byrne wrote: This is exactly our situation. We presently use DLV. I can get our upstream registrar to manually add DS RRs for our .com, .net; and I believe our .org tlds. But they will not do so f

limiting the _occasional_ burst of connections from a bad actor?

2015-01-07 Thread rogt3654
Hi, what's the correct method in Postfix for preventing this sort of connection burst (log below)? I can sure deal with it AFTER the fact. But I'm looking for the best way to shut it down asap WHILE it's happening, and then prevent it from happening again. I found this section http://www.postf

Re: limiting the _occasional_ burst of connections from a bad actor?

2015-01-07 Thread Noel Jones
On 1/7/2015 10:09 PM, rogt3...@proinbox.com wrote: > Hi, > > what's the correct method in Postfix for preventing this sort of connection > burst (log below)? > > I can sure deal with it AFTER the fact. But I'm looking for the best way to > shut it down asap WHILE it's happening, and then preven

dkim-milter for postfix

2015-01-07 Thread Selcuk Yazar
Hi, I'm trying to implement DKIM signatures on our Postfix (2.6.6) server. My dkim-filter config is like this: prog path /usr/sbin/dkim-filter configuration parameters # To sign only, use -bs # EXTRA_FLAGS=-bs USER=dkim-milter PORT=inet:20209@localhost SIGNING_DOMAIN="domain" SELECTOR_NAME="m1" KEYFILE="/