Re: postfix-tls error

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote: > " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: > to=, orig_to=, > relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, > dsn=4.7.5, status=deferred (Server certificate not verified) " That's nic

Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

2017-08-02 Thread Viktor Dukhovni
On Tue, Aug 01, 2017 at 11:41:42PM +, Viktor Dukhovni wrote: > To see what you'd get for a particular protocol version: > > $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1 -V > 'CHACHA20:!aRSA:!aDSA:!PSK' > $ /opt/openssl/1.1.0/bin/openssl ciphers -s -tls1_1 -V > 'CHACHA20:!aRSA:!

Re: Specify VPN for postfix

2017-08-02 Thread Tobi
Am 01.08.2017 um 20:39 schrieb Abi Askushi: > Since this is socks proxy and not vpn you could redirect postfix traffic > with iptables to the port your socks proxy listens. Plenty examples on > google. if you redirect the full postfix traffic you might end up in asymmetric routing. Most important

Is it possible to suppress NDR/Delayed delivery messages generated by messages to a particular RCPT?

2017-08-02 Thread Tobi
Hello list first of all: I know suppressing NDR/Delay Delivery Notifications is not a "good" thing as they can be helpful. But I have a case where I really need to suppress them :-) My mailsystem consists of two postfix instances (mx and scanner) and the mailbox servers where scanners deliver vi

Re: Postscreen and reject_rhsbl

2017-08-02 Thread Matus UHLAR - fantomas
On 01.08.17 16:58, Alex wrote: I'm using postfix-3.1.4 on fedora. I've just noticed I've configured both postscreen to use spamhaus and other RBLs as well as have configured the reject_rhsbl_* options. Is this duplicative and unnecessary? no. reject_rhsbl rejects based on mail from: address, th

Re: postfix-tls error

2017-08-02 Thread hyndavirapuru
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote: >> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: >> to=, orig_to=, relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified) " > That's nic

Re: Is it possible to suppress NDR/Delayed delivery messages generated by messages to a particular RCPT?

2017-08-02 Thread Wietse Venema
Tobi: > Hello list > > first of all: I know suppressing NDR/Delay Delivery Notifications is not > a "good" thing as they can be helpful. > But I have a case where I really need to suppress them :-) > > My mailsystem consists of two postfix instances (mx and scanner) and > the mailbox servers whe

Re: postfix-tls error

2017-08-02 Thread hyndavirapuru
> On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote: >> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: >> to=, orig_to=, relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, dsn=4.7.5, status=deferred (Server certificate not verified) " > That's nic

Re: Specify VPN for postfix

2017-08-02 Thread Yubin Ruan
2017-08-02 2:39 GMT+08:00 Abi Askushi : > Since this is socks proxy and not vpn you could redirect postfix traffic > with iptables to the port your socks proxy listens. Plenty examples on > google. Please offer a simple iptables example, if you may. Probably I was stuck by some asymmetric routing p

Re: Specify VPN for postfix

2017-08-02 Thread Yubin Ruan
2017-08-02 15:28 GMT+08:00 Tobi : > Am 01.08.2017 um 20:39 schrieb Abi Askushi: >> Since this is socks proxy and not vpn you could redirect postfix traffic >> with iptables to the port your socks proxy listens. Plenty examples on >> google. > > if you redirect the full postfix traffic you might end

Re: Specify VPN for postfix

2017-08-02 Thread Abi Askushi
Say you have postfix sending outbound email on eth0 interface and TCP port 25, then you would have: iptables -t nat -A OUTPUT -p tcp -m tcp --dport 25 -j REDIRECT --to-ports You need to change the above to fit your specific network. On Wed, Aug 2, 2017 at 3:10 PM, Y

Re: SMTP connection reuse with TLS

2017-08-02 Thread Benny Pedersen
Where are the logs? And lastly, postconf -nf and postconf -Mf from both servers; with that there's a better chance of more help

Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

2017-08-02 Thread robgane
On Wed, Aug 2, 2017, at 12:26 AM, Viktor Dukhovni wrote: > For the record, that "!aDSA" should have been "!aDSS", though it > makes little difference in this example as no DSA (aka DSS) CHACHA > algorithms exist and none are likely to ever be added. > > You can check with "openssl ciphers -v aDS

Re: postfix-tls error

2017-08-02 Thread Noel Jones
On 8/2/2017 2:19 AM, Viktor Dukhovni wrote: > On Wed, Aug 02, 2017 at 12:10:31PM +0530, hyndavirap...@bel.co.in wrote: > >> " Aug 2 11:21:34 AHQ postfix/smtp[6372]: BEC5D67928BD: >> to=, orig_to=, >> relay=201.123.1.4[201.123.1.4]:25, delay=0.06, delays=0.04/0.01/0.01/0, >> dsn=4.7.5, status=defe

Re: Restricting the scope of "success" notifications

2017-08-02 Thread Matus UHLAR - fantomas
Matus UHLAR - fantomas: If filter was able to strip NOTIFY=, we'd have fine control over when to send notifications... On 31.07.17 07:14, Wietse Venema wrote: There is an example that modifies DSN commands in http://www.postfix.org/postconf.5.html#smtpd_command_filter That means we could use

Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

2017-08-02 Thread robgane
SHA1 cert signing is (being) deprecated https://www.entrust.com/sha-1-2017/ So SHA1-signed certs < BAD! Does that apply at all for ciphers using Mac=SHA1? I don't *think* it does. And I don't find anything that says it does. Or doesn't , as far as that goes. In my postfix logs, I still se

Re: Postscreen and reject_rhsbl

2017-08-02 Thread Bill Cole
On 1 Aug 2017, at 16:58, Alex wrote: > Hi, > I'm using postfix-3.1.4 on fedora. I've just noticed I've configured > both postscreen to use spamhaus and other RBLs as well as have > configured the reject_rhsbl_* options. Is this duplicative and > unnecessary? No. There's no RHSBL support in postsc

TLS loglevel inbetween =1 & =2 ?

2017-08-02 Thread robgane
At smtpd_tls_loglevel=2 I get ALL of this in my logs Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:before SSL initialization Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:before SSL initialization Aug 2 03:19:26 maryland

Re: TLS loglevel inbetween =1 & =2 ?

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 08:52:59AM -0700, robg...@nospammail.net wrote: > At > > smtpd_tls_loglevel=2 > > I get ALL of this in my logs > > Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: > SSL_accept:before SSL initialization > Aug 2 03:19:26 maryland postfix/handoff

Re: TLS loglevel inbetween =1 & =2 ?

2017-08-02 Thread robgane
On Wed, Aug 2, 2017, at 09:11 AM, Viktor Dukhovni wrote: > This is logged at level 1. Ok. Then I've got this morning's mystery! If my syslog was 'lossy', it wouldn't log it in the loglevel = 2 case would it? Until I figure out what's going wrong here, just edit main.cf

Re: SMTP connection reuse with TLS

2017-08-02 Thread mark burdett
On 08/01/2017 03:32 PM, Viktor Dukhovni wrote: On Tue, Aug 01, 2017 at 02:41:52PM -0700, mark burdett wrote: Hi, I was curious if there are any plans for postfix to eventually support SMTP connection reuse with STARTTLS. This requires a complex outbound TLS proxy to cache the connections in p

Re: SMTP connection reuse with TLS

2017-08-02 Thread Marco Pizzoli
On Wed, Aug 2, 2017 at 6:57 PM, mark burdett wrote: > That's true, as a work-around. Unfortunately we're talking about not just > opening a new TCP connection but also reestablishing TLS, which means yet > more RTT and CPU. So the increased concurrency will be significant and > will require up

Re: TLS loglevel inbetween =1 & =2 ?

2017-08-02 Thread Bill Cole
On 2 Aug 2017, at 12:20, robg...@nospammail.net wrote: On Wed, Aug 2, 2017, at 09:11 AM, Viktor Dukhovni wrote: This is logged at level 1. Ok. Then I've got this morning's mystery! If my syslog was 'lossy', it wouldn't log it in the loglevel = 2 case would it? Maybe. There's wide variati

Re: TLS loglevel inbetween =1 & =2 ?

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 09:20:46AM -0700, robg...@nospammail.net wrote: > On Wed, Aug 2, 2017, at 09:11 AM, Viktor Dukhovni wrote: > > This is logged at level 1. > > Ok. Then I've got this morning's mystery! > > If my syslog was 'lossy', it wouldn't log it in the loglevel = 2 case would > it?

Re: SMTP connection reuse with TLS

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 09:57:43AM -0700, mark burdett wrote: > > Increased latency can be amortized with increased concurrency. > > Just open more connections and the overall throughput rate will > > remain the same. > > > > Throughput = Concurrency / Latency > > That's true, as a work-arou

Re: SMTP connection reuse with TLS

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 07:11:23PM +0200, Marco Pizzoli wrote: > Have a look at: > - smtp_tls_session_cache_database <-- this is the most important thing. I > suggest lmdb as the backing store Yes, but Berkeley DB also works well enough in practice. > - if you are on Linux on virtual, also to RN

Re: Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 08:30:21AM -0700, robg...@nospammail.net wrote: > SHA1 cert signing is (being) deprecated By the CAs, so you don't need to take any action. With all the trusted CAs no longer issuing SHA-1 certs, pretty soon all the extant SHA-1 certs will expire, and there'll be nothing

Re: SMTP connection reuse with TLS

2017-08-02 Thread Marco Pizzoli
On Wed, Aug 2, 2017 at 7:44 PM, Viktor Dukhovni wrote: > On Wed, Aug 02, 2017 at 07:11:23PM +0200, Marco Pizzoli wrote: > > > Have a look at: > > - smtp_tls_session_cache_database <-- this is the most important thing. > I > > suggest lmdb as the backing store > > Yes, but Berkeley DB also works w

Re: Restricting the scope of "success" notifications

2017-08-02 Thread Viktor Dukhovni
On Mon, Jul 31, 2017 at 09:16:46AM +0200, Tomas Macek wrote: > Hello, our system is sometimes under attack of spammers using > "NOTIFY=SUCCESS" param in "rcpt to: " header. And because of a random From > address, the DSN message obviously goes to an nonexistent server or user. > > I've read the "

Re: SMTP connection reuse with TLS

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 08:03:14PM +0200, Marco Pizzoli wrote: > > Yes, but Berkeley DB also works well enough in practice. > > > > I believe you. But my experience comparing the two in OpenLDAP is strongly > toward lmdb. The Postfix SMTP cache is a very different use-case. The main incentive t

Re: TLS loglevel inbetween =1 & =2 ?

2017-08-02 Thread robgane
> Something is wrong with your syslog implementation or its config. Doesn't show up as a problem anywhere else afaict > Hard to say why, but the purpose of log level 1 is precisely to > log the TLS connection summary message. Ok. > Use the "collate" program (included with recent Postfix source

Re: postfix-tls error

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote: > >> smtpd_tls_loglevel = 2 > > > > Change that to 1, and also set: > > > > smtp_tls_security_level = 1 > > > Oops, that should be > >smtp_tls_loglevel = 1 Indeed a typo, thanks for the correction, ... and then the OP must *P

Re: Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

2017-08-02 Thread robgane
On Wed, Aug 2, 2017, at 11:01 AM, Viktor Dukhovni wrote: > This is SHA-1 as a keyed MAC for TLS message integrity, not SHA-1 > in certificates. Yep > No better MAC is available for TLS 1.0 and 1.1, > for SHA2 ciphersuites you need TLS 1.2, which has not yet driven > out its predecessors. That

Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

2017-08-02 Thread Viktor Dukhovni
On Wed, Aug 02, 2017 at 06:33:50AM -0700, robg...@nospammail.net wrote: > > For the record, that "!aDSA" should have been "!aDSS", though it > > makes little difference in this example as no DSA (aka DSS) CHACHA > > algorithms exist and none are likely to ever be added. > > > > You can check with

Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

2017-08-02 Thread robgane
On Wed, Aug 2, 2017, at 11:35 AM, Viktor Dukhovni wrote: > tls_high_cipherlist = > !aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED:aNULL:-aNULL:HIGH:@STRENGTH > tls_medium_cipherlist = > !aDSS:!MD5:!kECDH:!kDH:!RC2:!RC5:!IDEA:!SEED:aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH > > The additional exc

Does reject_non_fqdn_helo_hostname violate RFC?

2017-08-02 Thread Tomasz Mrugalski
Hi, I was investigating a rejected e-mail that was sent with the following error message: NOQUEUE: reject: RCPT from unknown[46.248.167.50]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo= It was rejected, because I have reject_non_fqdn_hostname set

Re: Does reject_non_fqdn_helo_hostname violate RFC?

2017-08-02 Thread Dan Schwartz
From RFC 1123 - 5.2.5 HELO Command: RFC-821 Section 3.5 The sender-SMTP MUST ensure that the parameter in a HELO command is a valid principal host domain name for the client host. As a result, the receiver-SMTP will

Re: Does reject_non_fqdn_helo_hostname violate RFC?

2017-08-02 Thread John Hascall
RFC1123 is updated by, among others, RFC5321 which says in section 4.1.4: An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that bas

Re: Does reject_non_fqdn_helo_hostname violate RFC?

2017-08-02 Thread Dan Schwartz
RFC5321 has a description of domain names in section 2.3.5 - 2.3.5. Domain Names A domain name (or often just a "domain") consists of one or more components, separated by dots if more than one appears. In the case of a top-level domain used by itself in an email address, a single s

NOTIFY=SUCCESS in Milter

2017-08-02 Thread Tomas Macek
Hello, I'm trying to get to know, if there is a chance to see in Milter, that the "NOTIFY=xxx,yyy,zzz" was specified by a client at rcpt to command like this: RCPT TO: NOTIFY=SUCCESS,FAILURE,DELAY If there is a chance, where I should find it? Is it supposed to be to seen in some of

Re: still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

2017-08-02 Thread Bill Cole
On 2 Aug 2017, at 14:51, robg...@nospammail.net wrote: [... I guess RC4 is already gone. I do see some Au=SRP. No clue yet what those are. And even though it's enabled I have never seen a CAMELLIA cipher'd message; at least not in my logs. With default smtpd_tls_* settings and OpenSSL 1.0.2

Re: postfix-tls error

2017-08-02 Thread hyndavirapuru
> On Wed, Aug 02, 2017 at 10:00:58AM -0500, Noel Jones wrote: > >> >> smtpd_tls_loglevel = 2 >> > >> > Change that to 1, and also set: >> > >> > smtp_tls_security_level = 1 >> >> >> Oops, that should be >> >>smtp_tls_loglevel = 1 > > Indeed a typo, thanks for the correction, ... and then th