Wietse:
> > You can find out about SASL active etc. attacks in RFC 4422
> > https://tools.ietf.org/html/rfc4422
>
Michael Fox:
> Thanks. Yes, that describes the attack categories. But it doesn't answer
> the above question. Is the categorization documented somewhere? If not,
> how are we to kn
I'm getting spam leaking through from sites with non-resolving IP or
invalid DNS, sending mail to myself as me. Here's an example:
Jul 12 08:03:52 minbar postfix/smtpd[17824]: warning: hostname
static.vnpt.vn does not resolve to address 14.167.212.244
Jul 12 08:03:52 minbar postfix/smtpd[17824]:
> smtpd_sender_restrictions =
> permit_mynetworks
permit_tls_clientcerts
permit_sasl_authenticated
> reject_invalid_hostname
> reject_unknown_sender_domain
> reject_non_fqdn_sender
check_sender_access hash:/etc/postfix/block-local-sender
/etc/postfix
On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
I'm getting spam leaking through from sites with non-resolving IP or
invalid DNS, sending mail to myself as me.
You COULD use reject_unknown_client_hostname but it has substantial
false positives.
More directly, you could enforce your own SPF
On 07/12/16 10:30, Bill Cole wrote:
> On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
>
>> I'm getting spam leaking through from sites with non-resolving IP or
>> invalid DNS, sending mail to myself as me.
>
> You COULD use reject_unknown_client_hostname but it has substantial
> false positives.
>
> This is standard terminology, and therefore not defined in either
> Postfix or SASL RFC.
>
> Active network attack: an attacker modifies the communication between
> parties.
>
> Mutual authentication: each party authenticates to the other party.
Thanks. But again, the question is *NOT* abo
On 13/07/16 15:38, Michael Fox wrote:
> Thanks. But again, the question is *NOT* about the terminology or the
> general meaning or definition of the categories. The question is
> specifically asking which authentication mechanisms Postfix places in those
> categories.
I think the actual security
On 13/07/16 15:56, Peter wrote:
> On 13/07/16 15:38, Michael Fox wrote:
>> Thanks. But again, the question is *NOT* about the terminology or the
>> general meaning or definition of the categories. The question is
>> specifically asking which authentication mechanisms Postfix places in those
>> ca
> >
> > I think the actual security features list is dependant on the SASL
> > implementation, and which mechs satisfy each security feature is defined
> > in cyrus and dovecot sasl.
Ah. So you're saying that for each auth mechanism configured in the SASL
implementation (dovecot in my case), the
On 13/07/16 16:30, Michael Fox wrote:
> Ah. So you're saying that for each auth mechanism configured in the SASL
> implementation (dovecot in my case), the SASL implementation is sending
> Postfix a tuple which includes the mechanism name and which categories it
> fits into, rather than Postfix ke
> Yes, again from the quote from Wietse that you snipped out:
>
> > Dovecot tells Postfix the supported mechanism names and their
> > security properties.
O.K. Thanks.
I read but did not understand the quote above. Your explanation was clearer
and I understood it the first time.
Thanks again,
On 12 Jul 2016, at 15:44, Phil Stracchino wrote:
On 07/12/16 10:30, Bill Cole wrote:
On 12 Jul 2016, at 9:14, Phil Stracchino wrote:
I'm getting spam leaking through from sites with non-resolving IP or
invalid DNS, sending mail to myself as me.
You COULD use reject_unknown_client_hostname b
I have a possibly unusual AUTH/TLS combination requirement. As a newbie, I
could use a sanity check.
Requirements:
* All virtual mail clients will use SASL AUTH
* Virtual mail clients on specific internal networks MUST NOT be offered
TLS. This is to satisfy FCC requirements prohibiting the use o
Hopefully this won't be interpreted as thread hijacking, but can you elaborate
of this?
---
reject_rbl_client zen.spamhaus.org=127.0.0.2,
reject_rbl_client zen.spamhaus.org=127.0.0.3,
reject_rbl_client zen.spamhaus.org=127.0.0.4,
reject_rbl_client zen.spamhaus.org=127.0.0.10,
reject_rbl_clien
A good combination of rbl lists with postscreen im using.
postscreen_dnsbl_threshold=4
postscreen_dnsbl_sites =
b.barracudacentral.org*4
bad.psky.me*4
zen.spamhaus.org*4
dnsbl.cobion.com*2
bl.spameatingmonkey.net*2
fresh.spameatingmonkey.net*2
15 matches
Mail list logo
