Hello,
I configured my Email server (actually a mailcow-dockerized which in turn uses
postfix) to enforce TLS for outbound mail. Obviously that will fail
occasionally, but I also have a daemon watching the postfix queue and alerting
me. Kind of works for me. Ok, while subscribing to this mailin
Hello Bill,
you could as well just turn off encryption. If you don't care to whom you
disclose information, why not allow anyone to read it?
Are you also not using a trusted certificate or even no certificate for your
public web site?
Seriously, I know this discussion is 10+ years old. Is it better t
: Monday, 10 January 2022 00:01
To: postfix-users@postfix.org
Subject: Re: TLS enforcement options?
On Sun, Jan 09, 2022 at 10:22:36PM +0100, Joachim Lindenberg wrote:
> I configured my Email server (actually a mailcow-dockerized which in
> turn uses postfix) to enforce TLS for outboun
Jan 2022, at 10:07 pm, Joachim Lindenberg
> wrote:
>
> thanks for the insights. Based on my experience, the mail domain is almost
> never in the SANs of a certificate, not even with self-hosted domains like
> mine. In other words, secure is likely to cause a lot more manual
>So you're looking for DANE or else "verify" conditional on DNSSEC, that's not
>a feature of Postfix, and many DNSSEC-signed domains have neither DANE, nor
>certificates that verify.
>Will you be making manual exceptions for them all? Yes, many happen to have
>MX host with working WebPKI cert
Hello Levi,
In my experience the best spam protection is a custom domain with an email
server supporting gray-listing (postfix does). I receive almost no spam on my
own domain but plenty on addresses hosted by public email providers like
live.com (despite the rigorous black listing of outlook.co
Hello,
I am trying to debug/enable/test DANE on one of my domains. Actually the domain
runs an experimental SMTP receiver running for domain et.lindenberg.one with
six MXs, some of them configured to cause certificate validations to fail. To
the best of my knowledge I added syntactically cor
Hello Viktor,
thanks for looking into it!
>A signed TLSA "2 1 1" record for mx03 matching the Let's Encrypt "R3"
>intermediate issuer. You should really also publish at least a TLSA
>record matching the "R4" key. See
>https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Thanks for the adv
-users@postfix.org
Subject: Re: no TLSA records found?
On Sun, Jan 23, 2022 at 10:13:17PM +0100, Joachim Lindenberg wrote:
> I am really wondering why it works for one domain and doesn't for mine.
See: https://dnsviz.net/d/et.lindenberg.one/dnssec/
It appears that "et.lindenberg.one"
Hello all,
after experimenting with dane, verify, and other policies of
http://www.postfix.org/TLS_README.html#client_tls, I am wondering whether the
options available are really what should be available.
Right now a sender can configure that policy as a system default or per target
domain. Ob
There is a distinct setting smtp_dns_support_level = dnssec in main.cf. Doing
the extra lookups seems doable to me (not looking at the source code so far).
Joachim
-Original Message-
From: owner-postfix-us...@postfix.org On behalf of Wietse Venema
Sent: Sunday, 6 February 20
Don't know what exactly you are trying to do, but to monitor the queue, I use
postqueue -j (for json).
Forcing some messages to remain in the queue is easy: just define a transport
policy like dane-only for a destination that does not support dane.
-- Joachim
-Original Message-
Vo
I know that postfix writes to a log. However, there is a lot of diagnostics in
the standard log that I am not interested in keeping for a longer period of time.
Is there a way to tell postfix to write a distinct log of delivered emails
(delivered = next hop, not necessarily destination)?
Thanks,
J
I wanted to send a mail to a domain yesterday, that was using dead MX records
and on the one MX that was alive, was presenting an untrusted certificate (my
server uses verify by default). I added a transport map (or “route” as
mailcow-dockerized calls it) that points to the alive MX plus a TLS
HWANG
Sent: Friday, 27 May 2022 11:01
To: postfix-users@postfix.org
Subject: Re: transport map with TLS policies?
Hellow Joachim,
"Joachim Lindenberg" writes:
> I wanted to send a mail to a domain yesterday, that was using dead MX
> records and one the one MX that was al
at all.
Does it?
Best Regards, Joachim
-Original Message-
From: owner-postfix-us...@postfix.org <> On behalf of Byung-Hee HWANG
Sent: Friday, 27 May 2022 14:11
To: postfix-users@postfix.org
Subject: Re: AW: transport map with TLS policies?
Hellow Joachim,
"Joachim
-us...@postfix.org <> On behalf of Viktor Dukhovni
Sent: Friday, 27 May 2022 15:13
To: postfix-users@postfix.org
Subject: Re: transport map with TLS policies?
On Fri, May 27, 2022 at 09:21:23AM +0200, Joachim Lindenberg wrote:
> I added a transport map (or “route” as mailcow-dockeri
I reconfigured one of my VPS to use the proxy protocol instead of NAT to
forward external traffic to my postfix (postscreen). I have set up nginx to
forward the TCP stream to port 10025 using proxy_protocol v1 (afaik v2 is not
yet supported by nginx), and when connecting I am getting back the re
otocol?
On Wed, Aug 03, 2022 at 03:11:33PM +0200, Joachim Lindenberg wrote:
> I reconfigured one of my VPS to use the proxy protocol instead of NAT
> to forward external traffic to my postfix (postscreen). I have set up
> nginx to forward the TCP stream to port 10025 using proxy_protocol
I definitely suggest to look into RFC 7672 SMTP-DANE instead of MTA-STS.
SMTP-DANE is more secure than MTA-STS, and in my "samples" also more widely
adopted than MTA-STS. In my view, MTA-STS is only interesting if you do not
want to adopt DNSSEC.
Postfix supports DANE out of the box, but you hav
Hello Henry,
I am running my own email-server as well and can connect to t-online. I assume
Viktor is right that they somehow check the imprint of a parallel web site. My
website does not indicate I am offering email service commercially, which in
fact I do only to organizations I know personall
UCEProtect are gangsters, even the founder admits: https://uceprotect.wtf/. You
don't want to do anything about it, unless you are located in Europe and can
complain to their customers and authorities violating GDPR.
Greetings,
Joachim
-Original Message-
Von: owner-postfix-us..
relay?)
On 12/2/2022 3:27 PM, Joachim Lindenberg wrote:
> UCEProtect are gangsters, even the founder admits:
> https://uceprotect.wtf/
> You don't want to do anything about it,
> except you are located in Europe
> and can complain to their customers and authorities violating G
Hello,
is Baknu, the author of https://github.com/baknu/DANE-for-SMTP around here? Or
does someone know her/his personal email address and can forward this message
as I'd like to get in contact?
Thanks,
Joachim
___
Postfix-users mailing list -- postf
DNSSEC is mandatory for DANE.
Greetings,
Joachim
-Original Message-
From: Byung-Hee HWANG via Postfix-users
Sent: Thursday, 11 May 2023 08:17
To: Postfix Users
Subject: [pfx] DANE and DNSSEC
Hellow Postfix hackers,
I have a question while reading DANE docs. Is DNSSEC man
For Letsencrypt certificates I'd definitely go with 2 1 1
8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D and optionally
the R4 derivate and add their successors when these are about to expire, rather
than 3 1 1 and change every two months.
Best Regards,
Joachim
-Ursprüngl
Hello Byung-Hee,
for testing you may want to try https://blog.lindenberg.one/EmailSecurityTest.
Best Regards,
Joachim
-Original Message-
From: Byung-Hee HWANG via Postfix-users
Sent: Wednesday, 17 May 2023 10:16
To: Postfix-users
Subject: [pfx] Re: DANE and DNSSEC
Now i add
decide on
her/his own.
Cheers,
Joachim
-Original Message-
From: raf via Postfix-users
Sent: Saturday, 20 May 2023 00:53
To: postfix-users@postfix.org
Subject: [pfx] Re: DANE and DNSSEC
On Thu, May 18, 2023 at 08:54:16PM +0200, Joachim Lindenberg via Postfix-users
wrote
A more quick and dirty option is to configure transport policy "verify" for any
mta-sts destinations (I am doing this in a script).
That doesn't really check that the MXs one connects to are enumerated, but at least
the certificate validation part of mta-sts will prevent connections to
arbitrary unaut
my understanding is, ISPs don't block you, but none of the big providers
accepts emails from IPs of access networks. Thus if you want to run an email
server at home, you need either a relay, a VPS or a VPN with an IP address
having good reputation. Historically some ISP offered a relay, but ofte
Price is not the only question. If you have or want to comply with GDPR, you
have to pick one not under U.S. jurisdiction, and these are rare.
In fact, a VPS that does VPN is imho the best option and usually a lot cheaper
than a static IP address for your residential line. You can then host your
I remember there was the goal to use DANE for the mailing list, but I wonder
whether or to what extent that has been achieved.
Can someone please clarify?
Thanks,
Joachim
Hello,
are there any ideas or plans to implement SMTP Require TLS Option (RFC 8689) in
postfix?
I am aware that in order to really leverage that, one needs an MUA using it,
plus an MTA supporting SMTP-DANE (RFC 7672) or MTA-STS (RFC 8461), but sure I
may be missing something.
Thanks,
Joach
e Venema via Postfix-users
Sent: Friday, 13 October 2023 20:10
To: Postfix users
Subject: [pfx] Re: SMTP Require TLS Option?
Joachim Lindenberg via Postfix-users:
> Hello,
>
> are there any ideas or plans to implement SMTP Require TLS Option (RFC 8689)
> in postfix?
It is
>> Thunderbird "advertises" end-to-end-encryption only and confuses users
>> that actually use/benefit from SMTP-DANE where it tells "unencrypted".
>IMHO correctly. Email that isn't end-to-end encrypted *is* actually
>unencrypted in transit. TLS encrypts transmission only, but the message is
>a
I'd say Viktor is biased towards 3 1 1. You may call me biased towards 2 1 1
because I dislike pinning a key that is supposed to rotate.
In any case you need to automate updates or monitoring and I do, though the
relevant "change" use case in 2 1 1 didn't happen so far.
Joachim
-Ursprünglich
I am running my postfix (mailcow) in my local network and interface to the
outside via a VPN that is terminated on a VPS with a static address with
adequate reputation. Historically I used NAT in both directions in- and
outbound, but I switched to use proxy protocol inbound as I am in fact now
Hello Wietse,
Yes, exactly, no second instance. Ok, implies I haven't overlooked something.
Is this an option you are willing to consider?
The key benefit to guys like me is that one doesn't have to manage two
instances, considering setup and maintenance, configuration (like tls
policies), backu
Hello Wietse,
maybe I should mention that I am using nginx for all my inbound proxy protocol needs
(HA is via multiple addresses in DNS), and my email test service uses proxy
protocol outbound as well. Before I picked proxy protocol for that use case I
checked SOCKS or HTTP proxies but perceived the co
>How is this used to connect to an arbitrary destination on the Internet?
This is probably nginx implementation specific, but one can configure a stream
proxy as follows:
stream {
server {
listen 10.200.200.1:12345 proxy_protocol;
proxy_bind [$proxy_protocol_addr];
pr
>Is there a technical spec of that protocol? Does it look in any way like
>HaProxy protocol version 1 or 2? What are the source IP address and port?
https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#:~:text=Enables%20the%20PROXY%20protocol
links to the expected suspect (HaProxy)...
II
>This means that nginx ignores the source port in the proxy protocol.
>Is that documented somewhere?
It does not ignore it, the variable exists. My configuration doesn't use it for
outbound, as plenty of ports are in use, and dynamic is ok for the use case.
Does postfix have a dependency on the
>A Postfix implementation will have to work for other use cases, too. It would
>be good to know how nginx in forward proxy mode handles or ignores client
>address and port info, now and in the foreseeable future.
I double checked documentation at
https://nginx.org/en/docs/stream/ngx_stream_prox
Wietse:
>Obviously, nginx will not know the Postfix SMTP client protocol stage, and the
>nginx settings will have to match the largest
>Postfix timeouts to avoid persistent mail delivery problems with some sites.
>Settings optimal for Postfix may conflict with 'web' proxy usage.
There is no need
Emmanuel :
>That's crazy, If you're able to run a dedicated proxy instance, you're able to
>run an outbound postfix instance too: the perfect proxy software for
>smtp/postfix is postfix.
>Otherwise it means that you're trying to solve your use-case at the wrong
>level and that should be dealt at
Emmanuel,
please read the thread
https://www.mail-archive.com/postfix-users@postfix.org/msg100852.html from the
beginning. SOCKS5 was already considered as an alternative to proxy protocol.
If you want to bash nginx then please provide some substance. I am running
multiple instances of web serv
Emmanuel:
>Nginx is mainly a buffering HTTP proxy/reverse proxy and/or a HTTP TLS
>termination endpoint or raw N to 1 TCP proxy. ...
Nginx can also act very well as a mere TCP proxy with proxy protocol. I am not
terminating TLS on my VPS except for public websites served directly by the VPS.
>The
Hello John,
are you willing to share what direction you/IETF are working towards?
What I am really missing is clear statements like SMTP-DANE, SPF, DKIM, DMARC
are mandatory unless you don't use SMTP at all. While some public providers
support these, many German organizations do not.
Just checked
I haven´t seen this before, but at present my mail server is kind of
alternating between mail.example.com and the real hostname (or someone is
spoofing my IP-address which I doubt).
All configuration files I checked indicate the correct setting and postconf
myhostname returns the correct name.
-
From: Bill Cole via Postfix-users
Sent: Monday, 12 February 2024 16:18
To: Joachim Lindenberg via Postfix-users
Subject: [pfx] Re: postfix alternating between mail.example.com and real
hostname?
On 2024-02-12 at 07:07:03 UTC-0500 (Mon, 12 Feb 2024 13:07:03 +0100) Joachim
Lindenberg via
Imho you get pretty close to mta-sts if you use verify together with a
DNSSEC-validating resolver. You just validate the "authorized" MTAs by
different means.
I still think SMTP-DANE (RFC 7672) is preferable.
Regards,
Joachim
-Original Message-
From: Michael W. Lucas via Postfix-u
Nachricht-
From: Viktor Dukhovni via Postfix-users
Sent: Friday, 8 March 2024 22:44
To: postfix-users@postfix.org
Subject: [pfx] Re: mta-sts and smtp_tls_security_level
On Fri, Mar 08, 2024 at 10:01:29PM +0100, Joachim Lindenberg via Postfix-users
wrote:
> Imho you get pretty close
> Viktor Dukhovni:
> not sufficient market pressure to make it a priority.
Unfortunately yes, not yet.
> various load balancers would need to do online DNSSEC signing
Can you please elaborate why that should be required?
Thanks,
Joachim
and smtp_tls_security_level
On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users
wrote:
> > Viktor Dukhovni:
> > not sufficient market pressure to make it a priority.
> Unfortunately yes, not yet.
> > various load balancers would need to do online DNS
Hello,
I am trying to obtain an SMTP command trace for a specific destination. I tried
with debug_peer_list and debug_peer_level, but it looked like not all commands
are included but lots of other information that was distracting.
Any tip?
The old recommendation to use Wireshark doesn't work i
And the really hard part is to ensure those databases remain consistent with
network failures.
Cheers,
Joachim
-Original Message-
From: Wietse Venema via Postfix-users
Sent: Friday, 14 June 2024 16:31
To: Postfix users
Subject: [pfx] Re: distributed email system
Jeff Peng
SQL databases optimize for consistency instead of availability. And even if you
design your data model not to rely on joins, to use unique ids per node, and to
replicate both directions or disallow writes on the slave, at least MariaDB
failed on partitioning, and I didn't want or try to use an
I have done some testing via my own tool and published results on
https://blog.lindenberg.one/EmailSecurityTest.
GMX and web.de do support SMTP-DANE (with bugs), Outlook and Gmail don't.
Outlook and Gmail also support MTA-STS at least partially. Proton supports
SMTP-DANE inbound only. Yahoo don
Sent: Wednesday, 26 June 2024 14:11
To: postfix-users@postfix.org
Subject: [pfx] Re: DANE and STS
On Wed, Jun 26, 2024 at 01:35:30PM +0200, Joachim Lindenberg via Postfix-users
wrote:
> I have done some testing via my own tool and published results on
> https://blog.lindenberg.one/Em
>there is also this online test tool :
>https://en.internet.nl/mail/gmail.com/1276778/
>https://en.internet.nl/mail/outlook.com/1276787/
>https://en.internet.nl/mail/proton.me/1276789/
Most of these online tools check inbound (the easy and marketing part) only.
Joachim
Wietse wrote:
> When an SRV response for "_smtps._tcp.example.com" names the standard SMTP
> port, the feature overrides a default TLS security level "may" with
> "encrypt". This is on/off configurable and needs a few lines of code in the
> SMTP client's MX host iterator to upgrade a default TLS
Wietse wrote:
>> Given the fact that "encrypt" implies no "dane" this sounds like a bad idea
>> for interoperability with dane sites.
> No problem. Postfix currently does not try DANE (or STS) with the default TLS
> security level "may".
Correct. But would you then ignore the suggested _smtps.exa