TLS cert - bug in documentation or bug in my understanding ??

Life was so much simpler when I just used self-signed certs for everything... Looking at http://www.postfix.org/TLS_README.html The documentation says ``This means that the Postfix server public-key certificate file must include the server certificate first, then the issuing CA(s) (bottom-up

RE: TLS cert - bug in documentation or bug in my understanding ??

Hai, Try it like this, there is no need for combining the certificates. # TLS parameters smtp_tls_cert_file = /etc/ssl/certs/certificate.cer smtp_tls_key_file = /etc/ssl/private/certificate.key smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer smtpd_tls_key_file = /etc/ssl/private/certifica

Re: pcre matching

On 2015-08-18 18:51, nico...@devels.es wrote: > > Even more useful than checking the Subject, I use header_checks to check > some properties on attachments. In fact, I've picked Wietse's example on > the header_checks (5) man page [1] and tuned it to my needs. This allows > one to reject mails base

Re: TLS cert - bug in documentation or bug in my understanding ??

On 08/19/2015 03:09 AM, L.P.H. van Belle wrote: Hai, Try it like this, there is no need for combining the certificates. # TLS parameters smtp_tls_cert_file = /etc/ssl/certs/certificate.cer smtp_tls_key_file = /etc/ssl/private/certificate.key smtpd_tls_cert_file = /etc/ssl/certs/certificate.c

RE: TLS cert - bug in documentation or bug in my understanding ??

>-Oorspronkelijk bericht- >Van: al...@domblogger.net >[mailto:owner-postfix-us...@postfix.org] Namens Alice Wonder >Verzonden: woensdag 19 augustus 2015 12:42 >Aan: postfix-users@postfix.org >Onderwerp: Re: TLS cert - bug in documentation or bug in my >understanding ?? > > > >On 08/19/201

RE: TLS cert - bug in documentation or bug in my understanding ??

sorry, a correction on the previous. This is wrong : >add in main.cf : in smtpd_client_restrictions, just after >permit_mynetworks: > >smtpd_discard_ehlo_keyword_address_maps = >cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr > just add smtpd_discard_ehlo_keyword_address_maps =

RE: TLS cert - bug in documentation or bug in my understanding ??

some "to old" tls clients wil fail with postfix. I dont know if the use DHE. and its NOT a postfix error. what happens is, why client-server are changing keys, the client closes the connection. and a message appears in your log, server closed connection and no mail is recieved. old windows excha

Re: Restricting what Groups can send mail to off-site destinations

On 8/19/2015 1:18 AM, Ashish Yadav wrote: > Hi, > > I have been able to implement feature in the Postfix server so that > I can allow specific group of people to send emails outside the > local domain like gmail.com and other users can not. > > My Server's information is given

Re: Postfix and Mailman 2 virtual alias domain integration

On 18 Aug 2015, at 16:58, Jim Reid wrote: On 18 Aug 2015, at 21:55, Tom Browder wrote: Okay, now assuming my server IP address is 1.2.3.4, do the following DNS records appear reasonable? No. There should be just one PTR record for an IP address. The only reason for that "should" is to avo

Re: Postfix and Mailman 2 virtual alias domain integration

On Wed, Aug 19, 2015 at 10:17:33AM -0400, Bill Cole wrote: > On 18 Aug 2015, at 16:58, Jim Reid wrote: > > >On 18 Aug 2015, at 21:55, Tom Browder wrote: > > > >>Okay, now assuming my server IP address is 1.2.3.4, do the following > >>DNS records appear reasonable? > > > >No. There should be just

Re: TLS cert - bug in documentation or bug in my understanding ??

On Wed, Aug 19, 2015 at 02:09:27AM -0700, Alice Wonder wrote: > The documentation says > > ``This means that the Postfix server public-key certificate file must > include the server certificate first, then the issuing CA(s) (bottom-up > order).'' > > Then it gives an example > > cat server_cert

Re: TLS cert - bug in documentation or bug in my understanding ??

On Wed, Aug 19, 2015 at 12:09:13PM +0200, L.P.H. van Belle wrote: > Try it like this, there is no need for combining the certificates. Actually, there is. It avoids the need to worry about the CApath, which can then be left empty. > if [ -d /etc/ssl/private ]; then > mkdir -p /etc/ssl/priv

Re: Postfix and Mailman 2 virtual alias domain integration

On Wed, Aug 19, 2015 at 2:26 AM, L.P.H. van Belle wrote: Okay, I assume then that this should be the only PTR record: 4.3.2.1.in-addr.arpa. IN PTR B.tld. >>> >>> Yes. Provided of course B.tld is The One True Hostname for >>your server. >> >>It is! > > No, imo, it is not.. and this s

Re: Postfix and Mailman 2 virtual alias domain integration

On Wed, Aug 19, 2015 at 2:26 AM, L.P.H. van Belle wrote: Okay, I assume then that this should be the only PTR record: 4.3.2.1.in-addr.arpa. IN PTR B.tld. >>> >>> Yes. Provided of course B.tld is The One True Hostname for >>your server. >> >>It is! > > No, imo, it is not.. and this s

Re: TLS cert - bug in documentation or bug in my understanding ??

On 08/19/2015 07:51 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 12:09:13PM +0200, L.P.H. van Belle wrote: Try it like this, there is no need for combining the certificates. Actually, there is. It avoids the need to worry about the CApath, which can then be left empty. if [ -d /etc

upgrade broke postfix

I'm struggling with a broken Postfix and can't figure out what's wrong. I upgraded the mail server from FreeBSD 8.4-RELEASE to 10.2-RELEASE yesterday. After upgrading, you have to upgrade all packages, but that breaks my Postfix install because it doesn't include sasl. So I uninstalled it an

Re: upgrade broke postfix

Following up on my own post... I ran this and got the following results. No idea what it means: # postfix upgrade-configuration set-permissions Note: the following files or directories still exist but are no longer part of Postfix: /usr/local/etc/postfix/access /usr/local/etc/postfi

Re: TLS cert - bug in documentation or bug in my understanding ??

On Wed, Aug 19, 2015 at 08:46:03AM -0700, Alice Wonder wrote: > >>if [ -d /etc/ssl/private ]; then > >> mkdir -p /etc/ssl/private > >> chmod 710 /etc/ssl/private > >>fi > > I ended up specifying smtpd_tls_CAfile > > which has both the intermediary certs. > > That works well and is not d

Re: upgrade broke postfix

On 8/19/2015 10:49 AM, Paul Schmehl wrote: > This morning I got up and checked on the server, and the queue was > filled up. I'm seeing transport errors in the logs: > status=deferred (mail transport unavailable) log fragments not particularly useful... Postfix likely provided details earlier

Re: upgrade broke postfix

On Wed, Aug 19, 2015 at 10:49:35AM -0500, Paul Schmehl wrote: > After reinstalling, I had problems with policyd-weight. I was seeing these > errors in the logs: > > postfix/policyd-weight[17306]: warning: child: err: Undefined subroutine > &Net::DNS::Packet::dn_expand called at /u > sr/local/bin

SSL_accept errors after recent upgrade to LibreSSL 2.2.2

Hi — This is postfix 3.0.2 and FreeBSD-10.2/STABLE. I switched from OpenSLL to LibreSSL some month ago. My relevant SSL/TLS settings for receiving mail didn't change ever since that time (postconf -n | grep tls | grep smtpd) smtpd_use_tls = yes smtpd_tls_auth_only = yes

Re: upgrade broke postfix

--On August 19, 2015 at 4:21:52 PM + Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 10:49:35AM -0500, Paul Schmehl wrote: After reinstalling, I had problems with policyd-weight. I was seeing these errors in the logs: postfix/policyd-weight[17306]: warning: child: err: Undefined subrout

Re: TLS cert - bug in documentation or bug in my understanding ??

On 08/19/2015 08:59 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 08:46:03AM -0700, Alice Wonder wrote: if [ -d /etc/ssl/private ]; then mkdir -p /etc/ssl/private chmod 710 /etc/ssl/private fi I ended up specifying smtpd_tls_CAfile which has both the intermediary certs. Tha

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On Wed, Aug 19, 2015 at 06:30:43PM +0200, Michael Grimm wrote: > This is postfix 3.0.2 and FreeBSD-10.2/STABLE. I switched from OpenSLL to > LibreSSL some month ago. LibreSSL is not tested with Postfix, and so not officially supported. > My relevant SSL/TLS settings for receiving mail didn't cha

DKIM DNS record

Following the tutorial here: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/ What would a DKIM DNS record look like for my server mail.skjoldebrand.eu? /Martin S

Re: TLS cert - bug in documentation or bug in my understanding ??

On Wed, Aug 19, 2015 at 09:57:37AM -0700, Alice Wonder wrote: > >>smtpd_tls_exclude_ciphers = RC4, 3DES, IDEA > >> > >>I still have to go through. > > > >It is not (yet) a good idea to disable RC4 or 3DES on the server > >side. IDEA is essentially unused, so removing it harmless. > >Don't (yet) d

Re: upgrade broke postfix

On Wed, Aug 19, 2015 at 11:42:36AM -0500, Paul Schmehl wrote: > >>This morning I got up and checked on the server, and the queue was filled > >>up. I'm seeing transport errors in the logs: status=deferred (mail > >>transport unavailable) > > > >WHICH TRANSPORT!!! Why are you "summarizing" the l

Re: DKIM DNS record

On August 19, 2015 7:08:22 PM Martin Skjöldebrand wrote: Following the tutorial here: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/ see output from opendkim-genkey, it create a private and a public file, the public file is what to pu

Re: TLS cert - bug in documentation or bug in my understanding ??

On 08/19/2015 10:08 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 09:57:37AM -0700, Alice Wonder wrote: smtpd_tls_exclude_ciphers = RC4, 3DES, IDEA I still have to go through. It is not (yet) a good idea to disable RC4 or 3DES on the server side. IDEA is essentially unused, so removi

Re: upgrade broke postfix

--On August 19, 2015 at 5:16:03 PM + Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 11:42:36AM -0500, Paul Schmehl wrote: Well, with the complete log entry (provided in *this* message), we see that the "filter" transport is the one that's missing. >># cat master.cf | grep -v '#' >> smt

Re: upgrade broke postfix

On Wed, Aug 19, 2015 at 12:30:55PM -0500, Paul Schmehl wrote: > >The port 465 wrapper-mode service is for mail submission, and so > >should allow only authenticated users, and let them send outbound > >mail. Or perhaps you don't need it at all, if you don't know > >what it is for. > > No need to

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On 19.08.2015, at 18:58, Viktor Dukhovni wrote: > > On Wed, Aug 19, 2015 at 06:30:43PM +0200, Michael Grimm wrote: >> This is postfix 3.0.2 and FreeBSD-10.2/STABLE. I switched from OpenSLL to >> LibreSSL some month ago. > > LibreSSL is not tested with Postfix, and so not officially supported.

Re: DKIM DNS record

On Wed, Aug 19, 2015 at 10:07 AM, Martin Skjöldebrand < mar...@skjoldebrand.eu> wrote: > > Following the tutorial here: > > http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/ > > What would a DKIM DNS record look like for my server mail.skjoldeb

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On Wed, Aug 19, 2015 at 07:49:42PM +0200, Michael Grimm wrote: > >mx1.enfer-du-nord.net[87.98.149.189]:25: TLSv1 with cipher > > DHE-RSA-AES256-SHA (256/256 bits) > > Yes, this is my receiving mailserver. > > One of the servers in question is one of the servers sending mail for this ML: >

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On 19.08.2015, at 20:02, Viktor Dukhovni wrote: > On Wed, Aug 19, 2015 at 07:49:42PM +0200, Michael Grimm wrote: >> One of the servers in question is one of the servers sending mail for this >> ML: >> >> Aug 19 19:08:29 mail postfix/smtpd[94303]: connect from >> russian-caravan.cloud9.net[260

I'm lost (was Re: upgrade broke postfix

I do this once in a blue moon, so troubleshooting problems requires me to dive back into man pages and try to understand what's going on. The error that I think is telling me what the problem is is: Aug 19 18:31:43 mail postfix/qmgr[41135]: warning: connect to transport private/filter: Connect

Control mail originating from /usr/sbin/sendmail

Is there any way in Postfix that mail originating from /usr/sbin/sendmail (e.g. sent via PHP's mail() function) can be handled differently than mail originating via SMTP? For example, I'd like to relay mail from /usr/sbin/sendmail via a different host, or perhaps add some additional filtering. Tha

Re: Control mail originating from /usr/sbin/sendmail

On Wed, Aug 19, 2015 at 11:46:25AM -0700, Patrick Gibson wrote: > Is there any way in Postfix that mail originating from > /usr/sbin/sendmail (e.g. sent via PHP's mail() function) can be > handled differently than mail originating via SMTP? For example, I'd > like to relay mail from /usr/sbin/send

Re: I'm lost (was Re: upgrade broke postfix

On Wed, Aug 19, 2015 at 01:38:34PM -0500, Paul Schmehl wrote: > I do this once in a blue moon, so troubleshooting problems requires me to > dive back into man pages and try to understand what's going on. The error > that I think is telling me what the problem is is: Aug 19 18:31:43 mail > postfix

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On 19.08.2015, at 20:21, Michael Grimm wrote: > I will revert to OpenSSL my primary mx, first. Done. BTW: LibreSSL 2.2.2 broke unbound 1.5.4 as well. > Then I will come back to this issue and provide you with tcpdump debugging > info. Now, my secondary is postfix/LibrSSL, only. Regards, Mic

Re: DKIM DNS record

Quoting Benny Pedersen : On August 19, 2015 7:08:22 PM Martin Skjöldebrand wrote: Following the tutorial here: http://arstechnica.com/business/2014/03/taking-e-mail-back-part-3-fortifying-your-box-against-spammers/ see output from opendkim-genkey, it create a private and a public file,

trying to figure out regex for custom_header checks

Hey All, I’m trying to figure out how to block all traffic .eu top level domain but I’m blocking everything with eu anywhere in the hostname. This what I’m using /^Received:.*\.eu/ REJECT This what I think I should change it to. /^Received:\b.*\.eu\b REJECT Is that correct or could someone

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On Wed, Aug 19, 2015 at 09:11:16PM +0200, Michael Grimm wrote: > On 19.08.2015, at 20:21, Michael Grimm wrote: > > > I will revert to OpenSSL my primary mx, first. > > Done. > BTW: LibreSSL 2.2.2 broke unbound 1.5.4 as well. > > > Then I will come back to this issue and provide you with tcpdu

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On 19.08.2015, at 21:40, Viktor Dukhovni wrote: > I've figured out what's going on. LibreSSL 2.2.2 appears to have > disabled support for the SSLv2-compatible client HELLO. Servers > that have not disabled SSLv2 are unable to complete an SSLv2-compatible > TLS handshake with LibreSSL 2.2.2. Co

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On 08/19/2015 12:11 PM, Michael Grimm wrote: On 19.08.2015, at 20:21, Michael Grimm wrote: I will revert to OpenSSL my primary mx, first. Done. BTW: LibreSSL 2.2.2 broke unbound 1.5.4 as well. Already fixed in unbound upstream, they (unbound) were doing an improper version check if I re

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

On Wed, Aug 19, 2015 at 09:54:01PM +0200, Michael Grimm wrote: > If I do understand that correctly, it has been a good advice to revert > back to OpenSSL running OS != OpenBSD. I stand by that advice. > And, if I am not mistaken, there is no way to tell postfix to work around > that disabled sup

Re: trying to figure out regex for custom_header checks

On Wed, Aug 19, 2015 at 03:39:32PM -0400, Ben Greenfield wrote: > I'm trying to figure out how to block all traffic .eu top level domain but > I'm blocking everything with eu anywhere in the hostname. > > This what I'm using > /^Received:.*\.eu/ REJECT > > This what I think I should change it

Re: trying to figure out regex for custom_header checks

> On Aug 19, 2015, at 4:04 PM, Viktor Dukhovni > wrote: > > On Wed, Aug 19, 2015 at 03:39:32PM -0400, Ben Greenfield wrote: > >> I'm trying to figure out how to block all traffic .eu top level domain but >> I'm blocking everything with eu anywhere in the hostname. >> >> This what I'm using

Re: trying to figure out regex for custom_header checks

On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote: > >> /^Received:\b.*\.eu\b REJECT > >> > >> Is that correct or could someone point out what I'm doing wrong. > > > > What you're doing wrong deciding that all mail from a .eu domain > > should be blocked and trying to block said mai

Re: trying to figure out regex for custom_header checks

> On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni > wrote: > > On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote: > /^Received:\b.*\.eu\b REJECT Is that correct or could someone point out what I'm doing wrong. >>> >>> What you're doing wrong deciding that all mail fr

Re: trying to figure out regex for custom_header checks

On 08/19/2015 01:14 PM, Ben Greenfield wrote: On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote: /^Received:\b.*\.eu\b REJECT Is that correct or could someone point out what I'm doing wrong. What you're doing wrong decidi

Fwd: trying to figure out regex for custom_header checks

> set postix server to check for rfc complaince and you see a spam drop of > atleast 90% and > setup postscreen with it.. 98% less spam > and in above just check for the helo compliance and not hostname checks, that > will drop to many ok servers.. > > greetz > > Louis > > > > > > >

Re: trying to figure out regex for custom_header checks

> On Aug 19, 2015, at 4:23 PM, Alice Wonder > wrote: > > > > On 08/19/2015 01:14 PM, Ben Greenfield wrote: >> >>> On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni >> > wrote: >>> >>> On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Gre

Re: trying to figure out regex for custom_header checks

> On Aug 19, 2015, at 4:43 PM, L.P.H. van Belle wrote: > > >> set postix server to check for rfc complaince and you see a spam drop of >> atleast 90% and is that this setting strict_rfc821_envelopes = yese >> setup postscreen with it.. 98% less spam I think I’m using post screen maybe not

Re: trying to figure out regex for custom_header checks

On Wed, Aug 19, 2015 at 04:14:10PM -0400, Ben Greenfield wrote: > > First explain the problem, rather than the solution. > > We receive a lot of spam that have very rare top level domains .site, .link, > .website, .eu. It is wrong to black TLDs, even if initially they appear to mostly send spa

Re: I'm lost (was Re: upgrade broke postfix

--On August 19, 2015 at 7:10:00 PM + Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 01:38:34PM -0500, Paul Schmehl wrote: I do this once in a blue moon, so troubleshooting problems requires me to dive back into man pages and try to understand what's going on. The error that I think is t

Re: DKIM DNS record

On August 19, 2015 9:38:27 PM Martin Skjöldebrand wrote: OK, when I compared to various examples on the net all of them have an added domain after "_domainkey." which is why I asked. man opendkim-genkey, see option -d

Re: trying to figure out regex for custom_header checks

> On Aug 19, 2015, at 5:43 PM, Viktor Dukhovni > wrote: > > On Wed, Aug 19, 2015 at 04:14:10PM -0400, Ben Greenfield wrote: > >>> First explain the problem, rather than the solution. >> >> We receive a lot of spam that have very rare top level domains .site, .link, >> .website, .eu. > > It

Re: upgrade broke postfix

--On August 19, 2015 at 5:47:44 PM + Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 12:30:55PM -0500, Paul Schmehl wrote: When it is broken, you need to fix it, not comment it out, *and* when commenting out multi-line entries in master.cf, you have to comment out *each* line, not just the

Re: pcre matching

Hi, >> [1] http://www.postfix.org/header_checks.5.html >> > > Do I need to check both Content-(Type|Disposition) ? > > from what I can see, an attachment is always identified by its filename, > as in: > > Content-Disposition: attachment; > filename="bla_bla.docx"; size=168097; > c

Re: upgrade broke postfix

On Wed, Aug 19, 2015 at 06:11:09PM -0500, Paul Schmehl wrote: > After I got the server working properly again, I began sifting through logs > trying to see if there were any clues. I found this in the messages log: > /var/log/messages:Aug 19 14:43:21 mail postfix/pipe[17690]: fatal: > get_service

Re: upgrade broke postfix

--On August 20, 2015 at 1:51:11 AM + Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 06:11:09PM -0500, Paul Schmehl wrote: After I got the server working properly again, I began sifting through logs trying to see if there were any clues. I found this in the messages log: /var/log/message

Re: upgrade broke postfix

On Wed, Aug 19, 2015 at 10:21:54PM -0500, Paul Schmehl wrote: > >This is not the right test. Try: > > > >$ getent passwd filter > > That returns nothing. It does return the line for my account. So what > would be the cause of that? Missing from the "passwd" sources as listed in nsswitch.c

Re: upgrade broke postfix

--On August 20, 2015 at 3:36:45 AM + Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 10:21:54PM -0500, Paul Schmehl wrote: > This is not the right test. Try: > >$ getent passwd filter That returns nothing. It does return the line for my account. So what would be the cause of that?

RE: Postfix and Mailman 2 virtual alias domain integration

>>> Okay, I assume then that this should be the only PTR record: >>> >>> 4.3.2.1.in-addr.arpa. IN PTR B.tld. >> >> Yes. Provided of course B.tld is The One True Hostname for >your server. > >It is! No, imo, it is not.. and this setup can be better i think. read on.. A hostname is not a domain