SSL_accept error/TLS library problem

2016-03-08 Thread Thomas Keller
could somebody please explain what these errors mean ? postfix/smtpd[2608]: connect from 61-216-2-13.HINET-IP.hinet.net[61.216.2.13] postfix/smtpd[2608]: SSL_accept error from 61-216-2-13.HINET-IP.hinet.net[61.216.2.13]: -1 postfix/smtpd[2608]: warning: TLS library problem: 2608:error:1408F10B:SSL

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Pau Peris
Hi Wietse, thank again for your help. Here goes the info, it looks good but obviously it isn't as long as vacation.pl keeps getting (554 5.7.1 : Relay access denied). postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions mynetworks = 127.0.0.1/32 91.121.120.208/32 [::1]/128 [2

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Wietse Venema
Pau Peris: > Hi Wietse, > > thank again for your help. Here goes the info, it looks good but > obviously it isn't as long as vacation.pl keeps getting (554 5.7.1 : > Relay access denied). > > postconf mynetworks smtpd_recipient_restrictions smtpd_relay_restrictions > mynetworks = 127.0.0.1/32 91.1

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Pau Peris
Hi Wietse, as i stated in the first message this is why postfix is rejecting, right? I mean, i've setted reject_unauth_destination and here i'm trying to send an email to someone who's mail isn't managed by me and so my postfix mta isn't the final destination, is it right? So if i'm right i'm not

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Tom Browder
On Mon, Mar 7, 2016 at 10:57 PM, Viktor Dukhovni wrote: > On Mon, Mar 07, 2016 at 08:30:54PM -0600, Tom Browder wrote: >> On Mon, Mar 7, 2016 at 5:13 PM, Viktor Dukhovni >> wrote: >> > On Mon, Mar 07, 2016 at 03:18:11PM -0600, Tom Browder wrote: >> >> I have a server with several vhosts. I am wo

question concerning access policy

2016-03-08 Thread Peter Sørensen
Hi, I have a postfix server with a check in smtpd_recipient_restrictions: Reject_non_fqdn_recipient Check_policy_service unix: private/policy …… And in master Policy unix - …….. Pointing to perl script Everything works as expected. And now to the que

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Wietse Venema
Pau Peris: > Hi Wietse, > > as i stated in the first message this is why postfix is rejecting, > right? Yes. I suppose this is not what you want. The choices are - add permit_mynetworks in smtpd_recipient_restrictions - add SASL authentication to the Perl script (which is outside the help that

Re: (B)CC message to external email adres when sending to localaddress

2016-03-08 Thread Wietse Venema
Matt .: > Hi, > > Is there a way to send (B)CC messages to a specified external email > address when I send to a local address ? To add a recipient when sending mail to example.com: /etc/postfix/main.cf: sender_bcc_maps = hash:/etc/postfix/sender_bcc /etc/postfix/sender_bcc: @example.co

Re: question concerning access policy

2016-03-08 Thread Wietse Venema
Peter Sørensen: > And now to the question. I have seen that one of the attributes to get is > queue_id > > I really would like that but my queue_id is of course empty in this state. > > Is it possible to get the queue_id in an SMTPD access policy request ? The queue ID is the queue file name.

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Viktor Dukhovni
On Tue, Mar 08, 2016 at 05:57:41AM -0600, Tom Browder wrote: > I clearly was not even thinking about the > several types of virtual hosts. I am running multiple virtual hosts > on a single, real Apache server. I have a fair amount of experience > with TLS and Apache but none with TLS and Postfix

Re: SSL_accept error/TLS library problem

2016-03-08 Thread Viktor Dukhovni
On Tue, Mar 08, 2016 at 10:10:13AM +0100, Thomas Keller wrote: > postfix/smtpd[2608]: connect from 61-216-2-13.HINET-IP.hinet.net[61.216.2.13] A compromised botnet machine is connecting to your Postfix server. > postfix/smtpd[2608]: warning: TLS library problem: 2608:error:1408F10B:SSL > routin

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Pau Peris
Hi Wietse, thanks a lot for the list of ways to go. I'm worried about the security risks of adding permit_mynetworks to smtpd_recipient_restrictions. What do you think about this? Would you see it as a security flaw? I could easily modify the perl script to provide authentication against Po

postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread Robert Chalmers
This afternoon, over the course of about 4 hours, I’ve logged 741 connections like this. Mar 8 15:05:46 zeus postfix/smtpd[92324]: connect from unknown[185.130.5.90] Mar 8 15:07:30 zeus postfix/smtpd[92616]: connect from unknown[131.161.138.190] Mar 8 15:07:39 zeus postfix/smtpd[92324]: connec

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Wietse Venema
Pau Peris: > If i'd go by the third option, sending through sendmail instead of > SMTP, i would loose the headers automatically set by Postfix. Where did you get that idea from? Wietse

Re: postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread Wietse Venema
Robert Chalmers: > This afternoon, over the course of about 4 hours, I’ve logged 741 > connections like this. > > Mar 8 15:05:46 zeus postfix/smtpd[92324]: connect from unknown[185.130.5.90] > Mar 8 15:07:30 zeus postfix/smtpd[92616]: connect from > unknown[131.161.138.190] > Mar 8 15:07:39 ze

Re: postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread @lbutlr
On Mar 8, 2016, at 9:15 AM, Robert Chalmers wrote: > I can put them in a postfix blacklist. And possible write a script to update > the list on a daily basis as more are added. Are you using postscreen? If not, you should. You’ll see dogs like: Mar 8 09:35:20 mail postfix/postscreen[78466]: CO

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Tom Browder
On Tuesday, March 8, 2016, Viktor Dukhovni wrote: > On Tue, Mar 08, 2016 at 05:57:41AM -0600, Tom Browder wrote: ... > When working with Postfix, try to forget everything related to > Apache, essentially none of that is relevant to Postfix. Your > "virtual hosts" are just domains. You want an MX

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread Eero Volotinen
Err. Is there patch to disable sslv2 in postfix 2.3 ? Eero 2016-03-03 9:21 GMT+02:00 Viktor Dukhovni : > > > On Mar 3, 2016, at 2:12 AM, Eero Volotinen > wrote: > > > > Hi, > > > > Can some one give working migation intructions for postfix 2.3 > (postfix-2.3.3-7.el5) many of instructions are no

Re: postfix/smtpd connections from unknown users. Dealing with same?

2016-03-08 Thread Robert Chalmers
Yes, I am using postscreen. So I’m presuming that’s enough. postconf -n | grep postscreen postscreen_access_list = permit_mynetworks, cidr:/usr/local/etc/postfix/postscreen_access.cidr, cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr postscreen_bare_newline_action = enforce postscree

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread Viktor Dukhovni
On Tue, Mar 08, 2016 at 06:48:11PM +0200, Eero Volotinen wrote: > Err. Is there patch to disable sslv2 in postfix 2.3 ? No. The supported Postfix releases are at this time 2.10, 2.11, 3.0 and 3.1. Since the underlying issue is in OpenSSL, instead disable SSLv2 in OpenSSL, unless you're also usi

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread Eero Volotinen
Err. I am using RHEL 5 that is still supported, but there is no way to disable sslv2 in postfix.. really insane support policy in RHEL 5? Eero 2016-03-08 18:55 GMT+02:00 Viktor Dukhovni : > On Tue, Mar 08, 2016 at 06:48:11PM +0200, Eero Volotinen wrote: > > > Err. Is there patch to disable sslv2

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread Viktor Dukhovni
On Tue, Mar 08, 2016 at 07:00:09PM +0200, Eero Volotinen wrote: > Err. I am using RHEL 5 that is still supported, but there is no way to > disable sslv2 in postfix.. really insane support policy in RHEL 5? I'm sure RedHat can backport appropriate fixes to Postfix, OpenSSL or both as they see fit.

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread /dev/rob0
> 2016-03-08 18:55 GMT+02:00 Viktor Dukhovni : > > > On Tue, Mar 08, 2016 at 06:48:11PM +0200, Eero Volotinen wrote: > > > > > Err. Is there patch to disable sslv2 in postfix 2.3 ? > > > > No. The supported Postfix releases are at this time 2.10, 2.11, > > 3.0 and 3.1. On Tue, Mar 08, 2016 at 07

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread Eero Volotinen
Well. 'You need to use sendmail' :) Maybe I just need to download postfix.src.rpm and rpmbuild --rebuild. Eero 2016-03-08 19:11 GMT+02:00 /dev/rob0 : > > 2016-03-08 18:55 GMT+02:00 Viktor Dukhovni : > > > > > On Tue, Mar 08, 2016 at 06:48:11PM +0200, Eero Volotinen wrote: > > > > > > > Err. Is

Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-08 Thread Blake Hudson
Eero Volotinen wrote on 3/3/2016 1:12 AM: Hi, Can some one give working migation intructions for postfix 2.3 (postfix-2.3.3-7.el5) many of instructions are not working correctly on so old version. (as settings are not supported) thanks, -- Eero Eero, I believe you simply need to apply the

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Pau Peris
I'm sorry, I think I completely misunderstood option 3. I thought using sendmail would bypass Postfix completely. I assume this is wrong and it will still make use of Postfix mta? So it makes no difference on using sendmail or SMTP at "application/programming language" level? Thanks! On Tue, Mar

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Curtis Villamizar
Tom, I've been following this thread and also not clear on your objectives. See inline. In message Tom Browder writes: > > On Mon, Mar 7, 2016 at 10:57 PM, Viktor Dukhovni > wrote: > > On Mon, Mar 07, 2016 at 08:30:54PM -0600, Tom Browder wrote: > >> On Mon, Mar 7, 2016 at 5:13 PM, Viktor Duk

Re: Right way to force autresponder script to authenticate against postfix

2016-03-08 Thread Wietse Venema
The third option was: - submit autoreplies with /usr/sbin/sendmail instead of SMTP. Pau Peris: > If i'd go by the third option, sending through sendmail instead of > SMTP, i would loose the headers automatically set by Postfix. Wietse: > Where did you get that idea from? Pau Peris: > I'm sorry,

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Viktor Dukhovni
> On Mar 8, 2016, at 2:31 PM, Curtis Villamizar > wrote: > > With HTTP the server cert is provided after HTTP identifies which > virtual host it thinks its talking to. The IP address along gives no > clue. That connection is then used only for that virtual host. This > is why you can have a

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Tom Browder
On Tue, Mar 8, 2016 at 1:31 PM, Curtis Villamizar wrote: > Tom, > > I've been following this thread and also not clear on your > objectives. See inline. ... > Fine so far but you haven't said what you expect the postfix MX to do > with received mail. You have a few choices. > > Relay it per dom

warning: rcpt count mismatch with Milter

2016-03-08 Thread Jörg Backschues
Hello, I've set up a BCC map for archiving e-mails: # Archiving sender_bcc_maps = pcre:${config_directory}/bcc_sender.pcre bcc_sender.pcre: /(.*)@(.*)local\.domain/archive_local.domain And I'm also using batv-tools/milter () as Milter: # milte

Re: upgrading postfix 3.0.x to 3.1

2016-03-08 Thread Brett @Google
On Wed, Mar 2, 2016 at 10:20 PM, Wietse Venema wrote: > Brett @Google: > > Hello, > > > > I am upgrading 3.0.x to 3.1 it seems the build process has changed, there > > are a few issues at least on solaris, maybe due to the dual 32/64 bit > > library formats when compared to Linux. > > > > (runnin

Re: upgrading postfix 3.0.x to 3.1

2016-03-08 Thread Wietse Venema
Brett @Google: > On Wed, Mar 2, 2016 at 10:20 PM, Wietse Venema wrote: > > > Brett @Google: > > > Hello, > > > > > > I am upgrading 3.0.x to 3.1 it seems the build process has changed, there > > > are a few issues at least on solaris, maybe due to the dual 32/64 bit > > > library formats when com

Re: warning: rcpt count mismatch with Milter

2016-03-08 Thread Wietse Venema
Jörg Backschues: > Hello, > > I've set up a BCC map for archiving e-mails: > > # Archiving > sender_bcc_maps = pcre:${config_directory}/bcc_sender.pcre > > bcc_sender.pcre: > /(.*)@(.*)local\.domain/archive_local.domain > > And I'm also using batv-tools/milter > (

Re: Postfix 3.1 and TLS Cert Files

2016-03-08 Thread Richard James Salts
On 09/03/16 06:44, Viktor Dukhovni wrote: On Mar 8, 2016, at 2:31 PM, Curtis Villamizar wrote: With HTTP the server cert is provided after HTTP identifies which virtual host it thinks its talking to. The IP address along gives no clue. That connection is then used only for that virtual host