Hello Bill,
you could as well just turn off encryption. If you don't care to whom you
disclose information, why not allow anyone to read it?
Are you also not using a trusted certificate or even no certificate for your
public web site?
Seriously, I know this is discussion 10+ years. Is it better t
Hello Victor,
thanks for the insights. Based on my experience, the mail domain is almost
never in the SANs of a certificate, not even with self-hosted domains like
mine. In other words, secure is likely to cause a lot more manual configuration
than verify.
I'd definitely appreciate if mail.cloud
> On 10 Jan 2022, at 10:07 pm, Joachim Lindenberg
> wrote:
>
> thanks for the insights. Based on my experience, the mail domain is almost
> never in the SANs of a certificate, not even with self-hosted domains like
> mine. In other words, secure is likely to cause a lot more manual
> configur
RFC 8996 deprecated TLS 1.0 and TLS 1.1 .
Would you consider to update default values for
smtp_tls_mandatory_protocols
smtp_tls_protocols,
smtpd_tls_mandatory_protocols
smtpd_tls_protocols
so that TLS 1.0 and TLS 1.1 are disabled by default ?
Hello Viktor, all,
as I wrote in another mail:
... Email authentication requires two steps...
* DNSSEC
* trustworthy certificates (either trusted root or DANE) and validation ..
unless we want to resort to manually configuring trust (obviously entries in
/etc/hosts are less likely to be manipulat
On 10.01.2022 at 09:35:49, Joachim Lindenberg wrote:
> Are you also not using a trusted certificate or even no certificate for
> your public web site?
Did you notice the recent thread on this list about http://www.postfix.org
website (NOT https) where Viktor and others explained why there is
On 10.01.2022 at 12:54:46, Joachim Lindenberg wrote:
> Maybe some background (all summarization errors and judgments mine):
> German data protection authorities level define kind of four compliance
> levels for email encryption
> 0 - no encryption and thus definitely illegal
> 1 - encryption
On Mon, Jan 10, 2022 at 09:35:49AM +0100, Joachim Lindenberg wrote:
> You could as well just turn off encryption. If you don't care to whom
> you disclose information, why not allow anyone to read it?
https://datatracker.ietf.org/doc/html/rfc7435
https://datatracker.ietf.org/doc/html/rfc7
On Mon, Jan 10, 2022 at 12:54:46PM +0100, Joachim Lindenberg wrote:
> German data protection authorities level define kind of four
> compliance levels for email encryption
>
> 0 - no encryption and thus definitely illegal
> 1 - encryption (not clearly specified whether certs need to be validated)
On 10.01.22 12:50, Kveta Kladov wrote:
RFC 8996 deprecated TLS 1.0 and TLS 1.1 .
Would you consider to update default values for
smtp_tls_mandatory_protocols
smtp_tls_protocols,
smtpd_tls_mandatory_protocols
smtpd_tls_protocols
so that TLS 1.0 and TLS 1.1 are disabled by default ?
for mandat
On Mon, Jan 10, 2022 at 12:50:49PM +0100, Kveta Kladov wrote:
> RFC 8996 deprecated TLS 1.0 and TLS 1.1 .
>
> Would you consider to update default values for
>
> smtp_tls_mandatory_protocols
> smtp_tls_protocols,
> smtpd_tls_mandatory_protocols
> smtpd_tls_protocols
>
> so that TLS 1.0 and TLS
On 2022-01-10 at 13:02, Jaroslaw Rafa wrote:
There are many sites like this, that contain only publicly available
information. No login, no purchases, no personal data collected. What is the
benefit of using HTTPS in that case? (Except of protecting you from
possible spying, but what will
> RFC 8996 deprecated TLS 1.0 and TLS 1.1 .
>
> Would you consider to update default values for
>
> smtp_tls_mandatory_protocols
> smtp_tls_protocols,
> smtpd_tls_mandatory_protocols
> smtpd_tls_protocols
>
> so that TLS 1.0 and TLS 1.1 are disabled by default ?
There's no clear ben
On 10.01.2022 at 13:44:56, Łukasz Wąsikowski wrote:
>
> I can think of many cases where information about which site you are
> visiting is important, even if there is nothing private on those
> sites.
>
> Do you want your ISP to sell your health insurance company
> information that you are
Łukasz Wąsikowski:
>
> On 2022-01-10 at 13:02, Jaroslaw Rafa wrote:
>
> > There are many sites like this, that contain only publicly available
> > information. No login, no purchases, no personal data collected. What is the
> > benefit of using HTTPS in that case? (Except of protecting you fr
On 1/10/22 07:23, Viktor Dukhovni wrote:
> On Mon, Jan 10, 2022 at 12:50:49PM +0100, Kveta Kladov wrote:
>
>> RFC 8996 deprecated TLS 1.0 and TLS 1.1 .
>>
>> Would you consider to update default values for
>>
>> smtp_tls_mandatory_protocols
>> smtp_tls_protocols,
>> smtpd_tls_mandatory_protocols
Hi,
I have a postfix-3.5.10 system and having a little trouble configuring
it to ensure I'm not including any vulnerable ciphers. I had
previously posted about this issue in September, and thought I
followed the instructions I was given, but a recent security scan
(onsecurity) shows port 25 is sti
Hi, here is some follow-up info I received that provides more details
on what the vulnerability scan is reporting:
Testing cipher categories
NULL ciphers (no encryption) not offered (OK)
Anonymous NULL Ciphers (no authentication)offered (NOT ok)
Export ciphers (w/o A
This question is answered regularly on this list.
http://www.postfix.org/TLS_README.html#server_cipher
> By default anonymous ciphers are enabled. … One can't force a remote
> SMTP client to check the server certificate, so excluding anonymous
> ciphers is generally unnecessary.
Hi,
We'd like to debug some emails sent through a multi instance without
having any impact on the mail flow so I have added
always_bcc=de...@whatever.com to the main.cf of that instance and
reloaded it.
But instead of sending copies of the emails to the debug address,
postfix relays both
My understanding is that always_bcc does not work:
- if receive_override_options includes no_address_mappings; or
- after Postfix has forwarded mail internally; or
- for mails generated by Postfix itself
On 10/01/2022 16:28, Zsombor B wrote:
We'd like to debug some emails sent through a multi in
Zsombor B:
> Hi,
>
>
>
> We'd like to debug some emails sent through a multi instance without
> having any impact on the mail flow so I have added
> always_bcc=de...@whatever.com to the main.cf of that instance and
> reloaded it.
>
> But instead of sending copies of the emails to the debug
On 2022-01-10 at 11:08:49 UTC-0500 (Mon, 10 Jan 2022 11:08:49 -0500)
Alex
is rumored to have said:
Hi,
I have a postfix-3.5.10 system and having a little trouble configuring
it to ensure I'm not including any vulnerable ciphers. I had
previously posted about this issue in September, and though
Is there an existing system out there that integrates with postfix that makes
it simple for a user to add 'private' email addresses that are aliased to their
real email and also to then bitbucket the email?
What I am thinking about is something where a user can request a new alias and
get back
On 2022-01-10 18:25, @lbutlr wrote:
I can think of some (messy) ways to do this, but before I start
cobbling something together, I am hoping this is something someone has
already done.
why external ?
in main.cf:
mydestination = localhost
virtual_alias = hash:/path/to/virtual_alias
in virtua
I can think of some (messy) ways to do this, but before I start cobbling
something together, I am hoping this is something someone has already done.
Are you asking for software or ideas?
Hello,
You utilized HTTP as an example on a mailing list concerned with SMTP,
we'll see how that goes below.
On Mon, 10 Jan 2022, Jaroslaw Rafa wrote:
[...]
There are many sites like this, that contain only publicly available
information. No login, no purchases, no personal data collected. Wh
On 1/10/22 07:02, Jaroslaw Rafa wrote:
> On 10.01.2022 at 09:35:49, Joachim Lindenberg wrote:
>> Are you also not using a trusted certificate or even no certificate for
>> your public web site?
>
> Did you notice the recent thread on this list about http://www.postfix.org
> website (NOT http
Hello
http://ftp.porcupine.org/mirrors/postfix-release/index.html
All links are broken (404) for postfix-3.7-20220103
And this happens constantly once every 2-3 months for the experimental
release.
--
Pavel
Pavel Yakovlev:
> Hello
>
> http://ftp.porcupine.org/mirrors/postfix-release/index.html
>
> All links are broken (404) for postfix-3.7-20220103
>
> And this happens constantly once every 2-3 months for the experimental
> release.
Updated.
Wietse
On 2022-01-10 at 15:33, Wietse Venema wrote:
There are many sites like this, that contain only publicly available
information. No login, no purchases, no personal data collected. What is the
benefit of using HTTPS in that case? (Except of protecting you from
possible spying, but what will b
>So you're looking for DANE or else "verify" conditional on DNSSEC, that's not
>a feature of Postfix, and many DNSSEC-signed domains have neither DANE, nor
>certificates that verify.
>Will you be making manual exceptions for them all? Yes, many happen to have
>MX host with working WebPKI cert
> On 11 Jan 2022, at 3:43 am, Wietse Venema wrote:
>
> Recipients added with always_bcc, xxx_bcc_maps, etc., are treated
> just like any other recipients. All recipients are subject to
> content_filter, relayhost, etc.
Fortunately, they're also subject to transport table lookups,
so it is fairly
On Mon, Jan 10, 2022 at 11:17:12AM -0500, Alex wrote:
>
> NULL ciphers (no encryption) not offered (OK)
> Anonymous NULL Ciphers (no authentication)offered (NOT ok)
In addition to the text in TLS_README, see:
https://datatracker.ietf.org/doc/html/rfc7672#section
for those following along, I find this a useful, summary reference
Hands-on: implementing DANE in Postfix
Cryptographic security for mail transport
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix
Hi,
> > I have a postfix-3.5.10 system and having a little trouble configuring
> > it to ensure I'm not including any vulnerable ciphers. I had
> > previously posted about this issue in September, and thought I
> > followed the instructions I was given, but a recent security scan
> > (onsecurity)
Hello,
is it safe to ban senders that generate SPF Softfail ?
policyd-spf: prepend Received-SPF: Softfail
I have pasted full header here: https://ctxt.io/2/AABg5vIYEw
What I am asking is, are there situations where legitimate sender
(non-spam) would generate soft fail?
On Monday, January 10, 2022 11:00:43 PM EST Fourhundred Thecat wrote:
> Hello,
>
> is it safe to ban senders that generate SPF Softfail ?
>
>policyd-spf: prepend Received-SPF: Softfail
>
> I have pasted full header here: https://ctxt.io/2/AABg5vIYEw
>
> What I am asking is, are there situat
Hi, all
After smtp authentication failed, is it possible to accept and send the email
as anonymous?
JWD
* JWD:
> After smtp authentication failed, is it possible to accept and send
> the email as anonymous?
Can you provide more details on what you are trying to achieve?
Generally speaking, you can use permit_mynetworks in your smtpd
restrictions to exempt local clients from SMTP authentication. H
> On 2022-01-11 05:00, Fourhundred Thecat wrote:
Hello,
is it safe to ban senders that generate SPF Softfail ?
policyd-spf: prepend Received-SPF: Softfail
I have pasted full header here: https://ctxt.io/2/AABg5vIYEw
What I am asking is, are there situations where legitimate sender
(non-spa
On Mon, Jan 10, 2022 at 07:15:46PM -0500, Alex wrote:
> > The vulnerabilities I am aware of that justify sticking to v1.2/3 in
> > web, IMAP, and database servers are not viable against SMTP because of
> > the brief, non-repetitive, and largely unpredictable nature of the TLS
> > sessions used by
There is a website, which sending email use smtp authentication only, can not
use anonymous.
Postfix is a mail gateway, and I don't want install a smtp authentication
backend.
Will permit_mynetworks parameter ignore smtp authentication, and accept the
email?
JWD
From: Ralph Seichter
Date:
On 2022-01-11 07:55, Fourhundred Thecat wrote:
sorry, the previous link expired. Here is the header again:
https://ctxt.io/2/AABgetU0Fw
www-data@
co.uk
amazon.ch
good point its softfailed
what would one do on reply
On 2022-01-11 08:21, JWD wrote:
There is a website, which sending email use smtp authentication only,
can not use anonymous.
Postfix is a mail gateway, and I don't want install a smtp
authentication backend.
Will permit_mynetworks parameter ignore smtp authentication, and
accept the email?
log