Unable to enforce the usage of the stronger tls ssl ciphers by Postfix

2011-05-22 Thread Mark Alan
Hello list,


While using ubuntu 10.10, postfix 2.8.1, dovecot 2.0.12, openssl
0.9.8o, and trying to connect to the mail server via postfix
'submission' the best cipher that I am able to get is
DHE-RSA-AES128-SHA (128/128 bits)

As it is only the 11th entry in the list shown by
openssl ciphers -v 'ALL:@STRENGTH'
and given that openssl on both mail server and client
machines shows that better ciphers are supported, is there a way to
enforce higher ciphers?

logs follow:

The (anonymized) session log goes like this:
May 22 09:25:27 mx postfix/smtpd[7984]: connect from
unknown[192.168.1.60]
May 22 09:25:27 mx postfix/smtpd[7984]: setting up TLS connection from
unknown[192.168.1.60]
May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection
established from unknown[192.168.1.60]: TLSv1 with cipher
DHE-RSA-AES128-SHA (128/128 bits)
May 22 09:25:35 mx postfix/smtpd[7984]: 299CD8192:
client=unknown[192.168.1.60], sasl_method=LOGIN,
sasl_username=test...@example.org
May 22 09:25:36 mx postfix/cleanup[8004]: 299CD8192: message-id=
May 22 09:25:36 mx postfix/qmgr[7946]: 299CD8192:
from=test...@example.org, size=506, nrcpt=1 (queue active)
May 22 09:25:36 mx postfix/smtpd[7984]: disconnect from
unknown[192.168.1.60]

$ grep -A 4 'submission' /etc/postfix/master.cf
submission inet n   -   -   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   -   -   -   smtpd

Both client MUA and server MTA machines show:
$ openssl ciphers -v 'ALL:@STRENGTH' | head -n 11
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH   Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
ADH-AES128-SHA          SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1

$ sudo postconf -n | grep -v '^smtp_' | grep 'tls\|sasl'
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unauth_pipelining, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/example.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtpd_tls_protocols = !SSLv2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


Thank you,

Mark



Put mails to specific users in HOLD queue

2011-05-22 Thread Leon Meßner
Hi,
i'm curious if there is a mechanism to stop postfix from delivering mail
for just specific recipients. I ask because i need to migrate some users
mail storage and need to umount it. It would be nice to generate no
errors and just hold the mails in the queue until i release them again.

greetings,
leon


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Pascal Volk
On 05/22/2011 04:24 PM Leon Meßner wrote:
 Hi,
 i'm curious if there is a mechanism to stop postfix from delivering mail
 for just specific recipients. I ask because i need to migrate some users
 mail storage and need to umount it. It would be nice to generate no
 errors and just hold the mails in the queue until i release them again.
 
 greetings,
 leon

/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
john@example.com    retry:4.0.0 Mailbox being migrated
jane@example.com    retry:4.0.0 Mailbox being migrated

postmap /etc/postfix/transport && postfix reload


Regards,
Pascal
-- 
The trapper recommends today: cafefeed.1114...@localdomain.org


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Leon Meßner
On Sun, May 22, 2011 at 04:39:22PM +0200, Pascal Volk wrote:
 On 05/22/2011 04:24 PM Leon Meßner wrote:
  Hi,
  i'm curious if there is a mechanism to stop postfix from delivering mail
  for just specific recipients. I ask because i need to migrate some users
  mail storage and need to umount it. It would be nice to generate no
  errors and just hold the mails in the queue until i release them again.
 
 /etc/postfix/main.cf:
 transport_maps = hash:/etc/postfix/transport
 
 /etc/postfix/transport:
   john@example.com    retry:4.0.0 Mailbox being migrated
   jane@example.com    retry:4.0.0 Mailbox being migrated
 
 postmap /etc/postfix/transport && postfix reload

If i understand right, this will send 4.0.0 as smtp status code and thus
force a retry on the other end. This will suffice i suppose.

Thanks,
Leon


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Pascal Volk
On 05/22/2011 05:16 PM Leon Meßner wrote:
 On Sun, May 22, 2011 at 04:39:22PM +0200, Pascal Volk wrote:

 …
 /etc/postfix/transport:
  john@example.com    retry:4.0.0 Mailbox being migrated
  jane@example.com    retry:4.0.0 Mailbox being migrated
 …
 
 If i understand right, this will send 4.0.0 as smtp status code and thus
 force a retry on the other end. This will suffice i suppose.

No, Postfix will accept the mail from the remote host and keep it in the
queue, until you've set the correct transport again.


Regards,
Pascal
-- 
The trapper recommends today: decade.1114...@localdomain.org


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Ralf Hildebrandt
* Leon Meßner l.mess...@physik.tu-berlin.de:
 Hi,
 i'm curious if there is a mechanism to stop postfix from delivering mail
 for just specific recipients. I ask because i need to migrate some users
 mail storage and need to umount it. It would be nice to generate no
 errors and just hold the mails in the queue until i release them again.

Of course, simply use check_recipient_access:

l.mess...@physik.tu-berlin.de hold

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Sahil Tandon
On Sun, 2011-05-22 at 17:16:52 +0200, Leon Meßner wrote:

 On Sun, May 22, 2011 at 04:39:22PM +0200, Pascal Volk wrote:
  On 05/22/2011 04:24 PM Leon Meßner wrote:
   Hi,
   i'm curious if there is a mechanism to stop postfix from delivering mail
   for just specific recipients. I ask because i need to migrate some users
   mail storage and need to umount it. It would be nice to generate no
   errors and just hold the mails in the queue until i release them again.
  
  /etc/postfix/main.cf:
  transport_maps = hash:/etc/postfix/transport
  
  /etc/postfix/transport:
  john@example.com    retry:4.0.0 Mailbox being migrated
  jane@example.com    retry:4.0.0 Mailbox being migrated
  
  postmap /etc/postfix/transport && postfix reload
 
 If i understand right, this will send 4.0.0 as smtp status code and thus
 force a retry on the other end. This will suffice i suppose.

You misunderstand.  As documented in error(8), when the service name is
retry, Postfix defers all recipients in the delivery request using the
next-hop information as the reason for non-delivery.

-- 
Sahil Tandon sa...@freebsd.org


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Sahil Tandon
On Sun, 2011-05-22 at 20:38:09 +0200, Ralf Hildebrandt wrote:

 * Leon Meßner l.mess...@physik.tu-berlin.de:
  Hi,
  i'm curious if there is a mechanism to stop postfix from delivering mail
  for just specific recipients. I ask because i need to migrate some users
  mail storage and need to umount it. It would be nice to generate no
  errors and just hold the mails in the queue until i release them again.
 
 Of course, simply use check_recipient_access:
 
 l.mess...@physik.tu-berlin.de hold

This affects all recipients of a message; the retry transport is
probably more suitable for the OP. 

-- 
Sahil Tandon sa...@freebsd.org


Re: postfix/forwarders and sender rewrite scheme

2011-05-22 Thread mouss
Le 21/05/2011 20:19, Reindl Harald a écrit :
 hi
 
 is there any recommended way to implement SRS (Sender Rewrite Scheme) in 
 Postfix
 to get rid of SPF warnings/blocks for via virtual_alias_maps forwarded
 messages?
 

if you want to implement SRS, then you'll need to deliver to an external
program which does that.

untested elabor...@your.own.risk
you could use smtp_generic_maps, something like
/(.*)@(google\.com)$/   srs-AHBHSRD-$1@$2

and to get bounces forwarded back to sender, virtual_alias_maps
/^srs-AHBHSRD-(.*)@(google\.com)$/  $1@$2

replace AHBHSRD with anything to avoid people abusing your virtual
alias... but as soon as this is known, you'll be abused. so make this
dynamic. you could use an sql map to generate a random string...
/untested



 status=sent (250 mail from IP 193.104.1.241 soft failed sender ID check.
 Please ensure this IP is authorized to send mail on behalf of [google.com])
 ___
 
 currently most forwarders are implemented this way, and yes the 
 round(deliver_to)
 is needed because numeric targets are physical usermappings from dbmail and
 the limitation at the end is to make sure that multi-forwardings are handled
 native by dbmail
 
 virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwarders.cf
 
 user = dbmailro
 password = *
 dbname   = dbmail
 hosts= unix:/var/lib/mysql/mysql.sock inet:127.0.0.1:3307
 query= select deliver_to from dbmail_aliases where alias='%u@%d' and 
 round(deliver_to)=0 and (select count(*)
 from dbmail_aliases where alias='%u@%d')=1;
 



Re: postfix/forwarders and sender rewrite scheme

2011-05-22 Thread Reindl Harald


Am 22.05.2011 22:22, schrieb mouss:
 Le 21/05/2011 20:19, Reindl Harald a écrit :
 hi

 is there any recommended way to implement SRS (Sender Rewrite Scheme) in 
 Postfix
 to get rid of SPF warnings/blocks for via virtual_alias_maps forwarded
 messages?

 
 if you want to implement SRS, then you'll need to deliver to an external
 program which does that.
 
 untested elabor...@your.own.risk
 you could use smtp_generic_maps, something like
 /(.*)@(google\.com)$/ srs-AHBHSRD-$1@$2
 
 and to get bounces forwarded back to sender, virtual_alias_maps
 /^srs-AHBHSRD-(.*)@(google\.com)$/$1@$2
 
 replace AHBHSRD with anything to avoid people abusing your virtual
 alias... but as soon as this is known, you'll be abused. so make this
 dynamic. you could use an sql map to generate a random string...
 /untested

Hm, this is not a solution because google is one of thousands examples
this must be generic and triggered by forwarding for gmx.at, gmx.de, web.de
or callit if you want because you can not select which senders are writing
mails to a forwarding-address

it makes me really sad that postfix can not do this native since
more and more domains are using SPF in their dns-records and forwarders
are not a bad thing per se

 status=sent (250 mail from IP 193.104.1.241 soft failed sender ID check.
 Please ensure this IP is authorized to send mail on behalf of [google.com])
 ___

 currently most forwarders are implemented this way, and yes the 
 round(deliver_to)
 is needed because numeric targets are physical usermappings from dbmail and
 the limitation at the end is to make sure that multi-forwardings are handled
 native by dbmail

 virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwarders.cf

 user = dbmailro
 password = *
 dbname   = dbmail
 hosts= unix:/var/lib/mysql/mysql.sock inet:127.0.0.1:3307
 query= select deliver_to from dbmail_aliases where alias='%u@%d' and 
 round(deliver_to)=0 and (select count(*)
 from dbmail_aliases where alias='%u@%d')=1;

-- 

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / software-development / cms-solutions
p: +43 (1) 595 3999 33, m: +43 (676) 40 221 40
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm



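mouss's regex map above keys the rewrite on a fixed tag, which, as he says, becomes abusable as soon as the tag is known, and Reindl's follow-up wants the scheme to work for any forwarded domain. As an added example (not from the thread, and not libsrs2 or Postfix code), here is an SRS0-style forward/reverse rewrite in Python where the tag is an HMAC over timestamp, domain and local part, so a bounce address is only reversed if it carries a valid keyed hash and is younger than MAX_AGE_DAYS; field canonicalisation is simplified relative to the SRS specification, and hooking it up to Postfix as a lookup table is assumed rather than shown.

```python
"""SRS0-style sender rewriting with a keyed hash (added example, not from the thread)."""
import base64
import hashlib
import hmac
import re
import time

BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HASH_LEN = 4          # characters of base64(HMAC) carried in the address
MAX_AGE_DAYS = 21     # rewritten addresses stop reversing after this many days

# SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[A-Z2-7]{2})=(?P<domain>[^=]+)=(?P<local>.+)@(?P<fwd>[^@]+)$"
)


def _days(days):
    """Days since the epoch; 'days' may be given explicitly for reproducible tests."""
    return int(time.time() // 86400) if days is None else days


def _timestamp(days):
    """Two base32 characters encoding days-since-epoch mod 1024, as SRS does."""
    return BASE32[(days >> 5) & 31] + BASE32[days & 31]


def _tag(secret, ts, domain, local):
    """Keyed hash over the rewritten fields; without the key the tag cannot be forged."""
    msg = "=".join((ts, domain, local)).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_LEN]


def srs_forward(sender, forwarder_domain, secret, days=None):
    """Rewrite the envelope sender so bounces return to forwarder_domain with a valid tag."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(_days(days))
    tag = _tag(secret, ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, days=None):
    """Return the original sender, or None if the address is not ours, forged, or expired."""
    m = SRS0_RE.match(address)
    if not m:
        return None
    expected = _tag(secret, m["ts"], m["domain"], m["local"])
    if not hmac.compare_digest(expected, m["hash"]):
        return None           # tag mismatch: someone guessed or altered the address
    ts_val = BASE32.index(m["ts"][0]) * 32 + BASE32.index(m["ts"][1])
    age = (_days(days) - ts_val) % 1024
    if age > MAX_AGE_DAYS:
        return None           # too old to be a bounce for mail we forwarded
    return f"{m['local']}@{m['domain']}"
```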


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Jeroen Geilman

On 05/22/2011 09:06 PM, Sahil Tandon wrote:

On Sun, 2011-05-22 at 17:16:52 +0200, Leon Meßner wrote:


On Sun, May 22, 2011 at 04:39:22PM +0200, Pascal Volk wrote:

On 05/22/2011 04:24 PM Leon Meßner wrote:

Hi,
i'm curious if there is a mechanism to stop postfix from delivering mail
for just specific recipients. I ask because i need to migrate some users
mail storage and need to umount it. It would be nice to generate no
errors and just hold the mails in the queue until i release them again.

/etc/postfix/main.cf:
 transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
john@example.com    retry:4.0.0 Mailbox being migrated
jane@example.com    retry:4.0.0 Mailbox being migrated

postmap /etc/postfix/transport && postfix reload

If i understand right, this will send 4.0.0 as smtp status code and thus
force a retry on the other end. This will suffice i suppose.

You misunderstand.  As documented in error(8), when the service name is
retry, Postfix defers all recipients in the delivery request using the
next-hop information as the reason for non-delivery.



That said, temporarily rejecting mail is actually the RFC-correct way to 
take a mail server and its mailboxes out of commission.


The HOLD queue is useful when you need to act on a small number of 
specific messages, but in general soft-rejecting would be better, 
because it informs the sender as well.


Of course, if he adapts his migration plan by first setting up the new 
mailbox destination system, a simple transport_maps entry is all that is 
required.



--
J.



sent mail statistics - lots more than expected?

2011-05-22 Thread Troy Piggins
I've recently been keeping an eye on my mail statistics
using mailgraph http://mailgraph.schweikert.ch/ .  I'm impressed by
the amount of spam/rejections achieved using just postgrey and some
postfix restrictions.

One thing that is puzzling me is the number of sent/received msgs.
eg today's stats have 108 msgs sent and 187 received.  With the
number of mailing lists I'm on and the number of users on this family
domain, that sounds about right for the received messages.

But there is no way 108 messages were sent.  I don't think I
personally sent any other than this one.  The other users on this
domain would not have sent that many, maybe 10 tops.  It's the same
for weekly and monthly stats.  The sent messages seems extremely
high.

Wondering if the sent for this application included the postfix
rejection messages?  What other messages could be included?

Sorry if this is OT here, but figured many users here would be
familiar with it?

-- 
Troy Piggins


Re: sent mail statistics - lots more than expected?

2011-05-22 Thread Mark Homoky
Hello Troy,

Monday, May 23, 2011, 12:25:40 AM, you wrote:

 I've recently been keeping an eye on my mail statistics
 using mailgraph http://mailgraph.schweikert.ch/ .  I'm impressed by
 the amount of spam/rejections achieved using just postgrey and some
 postfix restrictions.

 One thing that is puzzling me is the number of sent/received msgs.
 eg today's stats have 108 msgs sent and 187 received.  With the
 number of mailing lists I'm on and the number of users on this family
 domain, that sounds about right for the received messages.

 But there is no way 108 messages were sent.  I don't think I
 personally sent any other than this one.  The other users on this
 domain would not have sent that many, maybe 10 tops.  It's the same
 for weekly and monthly stats.  The sent messages seems extremely
 high.

 Wondering if the sent for this application included the postfix
 rejection messages?  What other messages could be included?

 Sorry if this is OT here, but figured many users here would be
 familiar with it?

Hi Troy,

I run a similar setup at home too (in addition to work).
Can I suggest you post your postconf -n to start with?

And if you've changed it at all your master.cf would help.

Be sure you're not set up as an open relay too, but let us read over
your config here on the list to help you.

My first thought from the default install would be to switch off
soft_bounce in main.cf with soft_bounce = no

-- 
Regards,

Mark



Re: sent mail statistics - lots more than expected?

2011-05-22 Thread Jeroen Geilman

On 05/23/2011 01:25 AM, Troy Piggins wrote:

I've recently been keeping an eye on my mail statistics
using mailgraph http://mailgraph.schweikert.ch/ .  I'm impressed by
the amount of spam/rejections achieved using just postgrey and some
postfix restrictions.

One thing that is puzzling me is the number of sent/received msgs.
eg today's stats have 108 msgs sent and 187 received.  With the
number of mailing lists I'm on and the number of users on this family
domain, that sounds about right for the received messages.

But there is no way 108 messages were sent.  I don't think I
personally sent any other than this one.  The other users on this
domain would not have sent that many, maybe 10 tops.  It's the same
for weekly and monthly stats.  The sent messages seems extremely
high.

Wondering if the sent for this application included the postfix
rejection messages?  What other messages could be included?


Postfix is an MTA - mail comes in, mail goes out.
Mailgraph counts all messages where the status=sent.

This includes DSNs sent by postfix.

If you don't believe the numbers, feel free to parse the log yourself :)


Sorry if this is OT here, but figured many users here would be
familiar with it?


Another useful tool to gather statistics is pflogsumm; this provides 
more detail about what happened to messages.



--

J.



Re: sent mail statistics - lots more than expected?

2011-05-22 Thread Troy Piggins
* Jeroen Geilman wrote :
* On 05/23/2011 01:25 AM, Troy Piggins wrote:
 I've recently been keeping an eye on my mail statistics
 using mailgraph http://mailgraph.schweikert.ch/ .  I'm impressed by
 the amount of spam/rejections achieved using just postgrey and some
 postfix restrictions.
 
 One thing that is puzzling me is the number of sent/received msgs.
 eg today's stats have 108 msgs sent and 187 received.  With the
 number of mailing lists I'm on and the number of users on this family
 domain, that sounds about right for the received messages.
 
 But there is no way 108 messages were sent.  I don't think I
 personally sent any other than this one.  The other users on this
 domain would not have sent that many, maybe 10 tops.  It's the same
 for weekly and monthly stats.  The sent messages seems extremely
 high.
 
 Wondering if the sent for this application included the postfix
 rejection messages?  What other messages could be included?
 
 Postfix is an MTA - mail comes in, mail goes out.
 Mailgraph counts all messages where the status=sent.
 
 This includes DSNs sent by postfix.

Right.  Gotchya.  Thanks for that, and now the numbers make sense.
I guess for me it's the legit sent/rec'd versus
spam/virus/rejections that's important and that certainly tells the
tale.

 If you don't believe the numbers, feel free to parse the log yourself :)

Thanks, but no thanks  :)

 Sorry if this is OT here, but figured many users here would be
 familiar with it?
 
 Another useful tool to gather statistics is pflogsumm; this provides
 more detail about what happened to messages.

Thanks.  Will look into that one.

-- 
Troy Piggins
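Jeroen's point that mailgraph counts every status=sent line, Postfix-generated DSNs included, can be checked directly against the log. As an added example (not from the thread and not mailgraph's own code), the Python below classifies status=sent deliveries by null envelope sender (bounces/DSNs), by loopback relay (a content_filter hop such as the smtp-amavis entry in Troy's postconf output, which logs its own status=sent before the message is re-queued), by local mailbox delivery, and by genuine outbound delivery; the log lines are constructed, and the qmgr/delivery-agent formats assumed are the standard ones.

```python
"""Break Postfix status=sent deliveries down by origin (added example, not from the thread)."""
import re
from collections import Counter

# qmgr logs the envelope sender once per queue id; "from=<>" is the null
# sender carried by every bounce/DSN Postfix generates itself.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")

# Delivery agent result line: transport, queue id, relay and final status.
DELIVERY = re.compile(
    r"postfix/(?P<transport>smtp|lmtp|local|virtual|pipe)\[\d+\]: (?P<qid>\w+): "
    r"to=<[^>]*>, relay=(?P<relay>[^,]+),.* status=(?P<status>\w+)"
)

LOOPBACK = ("127.0.0.1", "[127.0.0.1]", "localhost")

# Constructed sample: one message through amavis and out, one local delivery,
# one Postfix bounce, one deferred delivery.
SAMPLE_LOG = """\
May 23 00:10:01 mx postfix/qmgr[100]: AAA111: from=<troy@example.org>, size=900, nrcpt=1 (queue active)
May 23 00:10:02 mx postfix/smtp[101]: AAA111: to=<list@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.5, delays=0.1/0/0/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBB222)
May 23 00:10:02 mx postfix/qmgr[100]: BBB222: from=<troy@example.org>, size=1200, nrcpt=1 (queue active)
May 23 00:10:03 mx postfix/smtp[102]: BBB222: to=<list@example.net>, relay=mx.example.net[203.0.113.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
May 23 00:12:00 mx postfix/qmgr[100]: CCC333: from=<someone@example.com>, size=5000, nrcpt=1 (queue active)
May 23 00:12:01 mx postfix/local[103]: CCC333: to=<family@example.org>, relay=local, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
May 23 00:15:00 mx postfix/qmgr[100]: DDD444: from=<>, size=3000, nrcpt=1 (queue active)
May 23 00:15:01 mx postfix/smtp[104]: DDD444: to=<bogus@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 accepted)
May 23 00:16:00 mx postfix/smtp[105]: EEE555: to=<nobody@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=30, delays=0.1/0/30/0, dsn=4.4.2, status=deferred (lost connection)
"""


def classify_sent(lines):
    """Return a dict counting status=sent deliveries by what produced them."""
    senders = {}        # queue id -> envelope sender seen in the qmgr line
    counts = Counter()
    for line in lines:
        m = QMGR_FROM.search(line)
        if m:
            senders[m.group("qid")] = m.group("sender")
            continue
        m = DELIVERY.search(line)
        if not m or m.group("status") != "sent":
            continue    # deferred/bounced lines are not counted as "sent"
        counts["sent_total"] += 1
        qid, transport, relay = m.group("qid"), m.group("transport"), m.group("relay")
        if senders.get(qid) == "":
            counts["sent_dsn"] += 1                 # Postfix-generated bounce/DSN
        elif transport == "smtp" and relay.startswith(LOOPBACK):
            counts["sent_to_content_filter"] += 1   # hop into the filter, re-queued afterwards
        elif transport == "smtp":
            counts["sent_outbound"] += 1            # real delivery to a remote MTA
        else:
            counts["sent_local_delivery"] += 1      # local/virtual/lmtp/pipe mailbox delivery
    return dict(counts)


def sample_counts():
    """Classify the constructed sample log."""
    return classify_sent(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in sorted(sample_counts().items()):
        print(f"{key:24s} {value}")
```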


sender_dependent_relayhost_maps question

2011-05-22 Thread Jeffs

Hello All,

Assume the following setup:

Client from xyz.com logs in to Many_Companies.com, accesses their email 
campaign software running on Many_Companies.com and sends out newsletters.


A short time later a client from def.com logs in to Many_Companies.com, 
accesses their email campaign software running on Many_Companies.com and 
sends out newsletters.


They both access the same software just have user accounts that are 
different on the same server.


Postfix uses sender_dependent_relayhost_maps to channel xyz.com messages 
to interface eth0:1 and def.com messages to the the eth0:2 interface.


Those virtual interfaces are mapped to IP addresses that are registered 
addresses for xyz.com and def.com respectively.


Here is the question:

Will the received from headers in those messages reflect an origination 
IP address of Many_Companies.com's IP address or xyz.com and def.com IP 
addresses respectively?


I need the setup to reflect origination emails only coming from the 
respective IP addresses for xyz.com and def.com, NOT 
Many_Companies.com's IP address.


Thank you.


Re: Put mails to specific users in HOLD queue

2011-05-22 Thread Sahil Tandon
On Sun, 2011-05-22 at 23:57:18 +0200, Jeroen Geilman wrote:

 On 05/22/2011 09:06 PM, Sahil Tandon wrote:
 On Sun, 2011-05-22 at 17:16:52 +0200, Leon Meßner wrote:
 
 On Sun, May 22, 2011 at 04:39:22PM +0200, Pascal Volk wrote:
 On 05/22/2011 04:24 PM Leon Meßner wrote:
 Hi,
 i'm curious if there is a mechanism to stop postfix from delivering mail
 for just specific recipients. I ask because i need to migrate some users
 mail storage and need to umount it. It would be nice to generate no
 errors and just hold the mails in the queue until i release them again.
 /etc/postfix/main.cf:
  transport_maps = hash:/etc/postfix/transport
 
 /etc/postfix/transport:
john@example.com    retry:4.0.0 Mailbox being migrated
jane@example.com    retry:4.0.0 Mailbox being migrated
 
 postmap /etc/postfix/transport && postfix reload
 If i understand right, this will send 4.0.0 as smtp status code and thus
 force a retry on the other end. This will suffice i suppose.
 You misunderstand.  As documented in error(8), when the service name is
 retry, Postfix defers all recipients in the delivery request using the
 next-hop information as the reason for non-delivery.
 
 That said, temporarily rejecting mail is actually the RFC-correct
 way to take a mail server and its mailboxes out of commission.

Perhaps this is not an option for the OP due to reasons unknown to us.

 The HOLD queue is useful when you need to act on a small number of
 specific messages, but in general soft-rejecting would be better,
 because it informs the sender as well.

The retry transport results in messages being placed into the deferred
(not hold) queue.

 Of course, if he adapts his migration plan by first setting up the
 new mailbox destination system, a simple transport_maps entry is all
 that is required.

Sure, but the OP had a specific requirement, and the proposed transport
solution should fulfill it.  A related example from the archives:

 http://article.gmane.org/gmane.mail.postfix.user/198002 

-- 
Sahil Tandon sa...@freebsd.org


Barracuda Reputation System and Postfix

2011-05-22 Thread Janantha Marasinghe

Hi,

I have come across the following error when one of my clients try to 
send mail to a party using mobile broadband. I think barracuda looks at 
the client's IP address (given by mobile broadband). How can I tackle 
this? I know that you can do header check on postfix and remove the line 
where the originating IP is removed. Is that the solution?


mail..com[xxx.xxx.xxx.xx] said: 554 Service unavailable; Client host
[mymailserver.com] blocked using Barracuda Reputation;
http://bbl.barracudacentral.com/q.cgi?ip=ccc.ccc.ccc.ccc (in reply to end
of DATA command)

 Regards
Jay


Re: Barracuda Reputation System and Postfix

2011-05-22 Thread Sahil Tandon
On Mon, 2011-05-23 at 07:37:16 +0530, Janantha Marasinghe wrote:

 I have come across the following error when one of my clients try to
 send mail to a party using mobile broadband. I think barracuda looks
 at the client's IP address (given by mobile broadband). How can I
 tackle this? I know that you can do header check on postfix and
 remove the line where the originating IP is removed. Is that the
 solution?

http://article.gmane.org/gmane.mail.postfix.user/220757

-- 
Sahil Tandon sa...@freebsd.org


Virtual Domains

2011-05-22 Thread Des Dougan
I'm changing an active Postfix server (with a single domain) to be able to 
support additional virtual domains (using MySQL). I'm slightly confused and 
would appreciate some advice: does the existing active domain need to be 
migrated into MySQL, or can it live outside (and alongside)? There are only 
half-a-dozen or so users on this server, so if a migration is necessary (or 
recommended), what's the best way of going about it?


Thanks,

Des

--

Des Dougan
Principal
Dougan Consulting Group Inc.

  http://www.DouganConsulting.tel -- Get all my contact information here.
  http://www.DouganConsulting.com

Peace of Mind, One Computer at a Time.

---

Imagine anyone on the planet being able to find and then contact you with a 
single click. YourName.tel is all you will give anyone ever again. Want in?

http://registertel.tel/



Re: Virtual Domains

2011-05-22 Thread Sahil Tandon
On Sun, 2011-05-22 at 19:33:03 -0700, Des Dougan wrote:

 I'm changing an active Postfix server (with a single domain) to be
 able to support additional virtual domains (using MySQL). I'm slightly
 confused and would appreciate some advice: does the existing active
 domain need to be migrated into MySQL, or can it live outside (and
 alongside)? 

Alongside is fine.

-- 
Sahil Tandon sa...@freebsd.org


Re: Virtual Domains

2011-05-22 Thread Des Dougan
Thanks, Sahil. What's the best way of doing that?

Regards,

Des

On May 2011, at 7:42 PM, Sahil Tandon wrote:

 On Sun, 2011-05-22 at 19:33:03 -0700, Des Dougan wrote:
 
 I'm changing an active Postfix server (with a single domain) to be
 able to support additional virtual domains (using MySQL). I'm slightly
 confused and would appreciate some advice: does the existing active
 domain need to be migrated into MySQL, or can it live outside (and
 alongside)? 
 
 Alongside is fine.
 
 -- 
 Sahil Tandon sa...@freebsd.org




Re: Unable to enforce the usage of the stronger tls ssl ciphers by Postfix

2011-05-22 Thread Noel Jones

On 5/22/2011 4:27 AM, Mark Alan wrote:

Hello list,


While using ubuntu 10.10, postfix 2.8.1, dovecot 2.0.12, openssl
0.9.8o, and trying to connect to the mail server via postfix
'submission' the best cipher that I am able to get is
DHE-RSA-AES128-SHA (128/128 bits)

As it is only the 11th entry in the list shown by
openssl ciphers -v 'ALL:@STRENGTH'
and given that openssl on both mail server and client
machines shows that better ciphers are supported, is there a way to
enforce higher ciphers?

logs follow:


random thoughts...

Is postfix also the client?  What are the settings on that 
machine?


Are you certain you're connecting to the submission port? 
adding -o syslog_name=postfix-submission or similar to the 
master.cf submission entry is helpful.


Remove your *_exclude_ciphers entries and let openssl figure it 
out itself.  It usually does a better job of finding the best 
common cipher than you can by hand.




  -- Noel Jones



The (anonymized) session log goes like this:
May 22 09:25:27 mx postfix/smtpd[7984]: connect from
unknown[192.168.1.60]
May 22 09:25:27 mx postfix/smtpd[7984]: setting up TLS connection from
unknown[192.168.1.60]
May 22 09:25:28 mx postfix/smtpd[7984]: Anonymous TLS connection
established from unknown[192.168.1.60]: TLSv1 with cipher
DHE-RSA-AES128-SHA (128/128 bits)
May 22 09:25:35 mx postfix/smtpd[7984]: 299CD8192:
client=unknown[192.168.1.60], sasl_method=LOGIN,
sasl_username=test...@example.org
May 22 09:25:36 mx postfix/cleanup[8004]: 299CD8192: message-id=
May 22 09:25:36 mx postfix/qmgr[7946]: 299CD8192:
from=test...@example.org, size=506, nrcpt=1 (queue active)
May 22 09:25:36 mx postfix/smtpd[7984]: disconnect from
unknown[192.168.1.60]

$ grep -A 4 'submission' /etc/postfix/master.cf
submission inet n   -   -   -   -   smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps inet  n   -   -   -   -   smtpd

Both client MUA and server MTA machines show:
$ openssl ciphers -v 'ALL:@STRENGTH' | head -n 11
ADH-AES256-SHA  SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA  SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHASSLv3 Kx=DH   Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHASSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHASSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHASSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
ADH-AES128-SHA  SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA  SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1

$ sudo postconf -n | grep -v '^smtp_' | grep 'tls\|sasl'
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unauth_pipelining, reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,
reject_unlisted_sender, reject_unknown_sender_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth-client
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/example.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/ssl/private/example.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL
smtpd_tls_protocols = !SSLv2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


Thank you,

Mark
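An added check, not part of the thread: the script below parses `openssl ciphers -v` output like the listing above, applies the post's `smtpd_tls_mandatory_exclude_ciphers = AES128, DES, MD5, aNULL` to it, and classifies the cipher name taken from an smtpd "TLS connection established" log line. If that cipher is removed by the exclusions, the list carrying those exclusions cannot have been the one in effect for that session. The alias-to-column mapping is my own simplification covering only a handful of OpenSSL cipher-list aliases, and the sample listing is constructed from suites named in the post.

```python
import re

# Constructed sample in the layout of `openssl ciphers -v`, using suites from the post.
OPENSSL_CIPHERS_V = """\
ADH-AES256-SHA          SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH   Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# One -v line: name, protocol, then the Kx=/Au=/Enc=/Mac= columns.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")
# Assumption: a hand-written subset of OpenSSL cipher-list aliases as predicates on
# the -v columns. OpenSSL's DES alias means single DES only; triple DES is 3DES.
ALIASES = {
    "aNULL":  lambda c: c["au"] == "None",
    "AES128": lambda c: c["enc"].startswith("AES(128)"),
    "DES":    lambda c: c["enc"].startswith("DES("),
    "3DES":   lambda c: c["enc"].startswith("3DES("),
    "MD5":    lambda c: c["mac"] == "MD5",
}

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into a list of column dicts."""
    fields = ("name", "proto", "kx", "au", "enc", "mac")
    return [dict(zip(fields, m.groups()))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def excluded_by(cipher, exclude_list):
    """Alias from a Postfix *_exclude_ciphers value that removes the suite, or None."""
    for alias in (a.strip() for a in exclude_list.split(",") if a.strip()):
        if ALIASES[alias](cipher):      # KeyError for an alias this model lacks
            return alias
    return None

def allowed_ciphers(text, exclude_list):
    """Names of the suites still offered once the exclusions are applied."""
    return [c["name"] for c in parse_ciphers(text)
            if excluded_by(c, exclude_list) is None]

def check_negotiated(cipher_name, text, exclude_list):
    """'allowed', 'excluded by <alias>' (that exclusion list was not in effect), or 'unknown'."""
    for c in parse_ciphers(text):
        if c["name"] == cipher_name:
            why = excluded_by(c, exclude_list)
            return "allowed" if why is None else "excluded by " + why
    return "unknown"
```

Feed it the full `openssl ciphers -v 'ALL:@STRENGTH'` output and the cipher name from the smtpd log line to compare what was negotiated against the exclude list.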




Re: sent mail statistics - lots more than expected?

2011-05-22 Thread Troy Piggins
* Mark Homoky wrote :
* Monday, May 23, 2011, 12:25:40 AM, you wrote:
 
 I've recently been keeping an eye on my mail statistics
 using mailgraph http://mailgraph.schweikert.ch/ .  I'm impressed by
 the amount of spam/rejections achieved using just postgrey and some
 postfix restrictions.

 One thing that is puzzling me is the number of sent/received msgs.
 eg today's stats have 108 msgs sent and 187 received.  With the
 number of mailing lists I'm on and the number of users on this family
 domain, that sounds about right for the received messages.

 But there is no way 108 messages were sent.  I don't think I
 personally sent any other than this one.  The other users on this
 domain would not have sent that many, maybe 10 tops.  It's the same
 for weekly and monthly stats.  The sent messages seems extremely
 high.

 Wondering if the sent for this application included the postfix
 rejection messages?  What other messages could be included?

 Sorry if this is OT here, but figured many users here would be
 familiar with it?
 
 Hi Troy,
 
 I run a similar setup at home too (in addition to work).
 Can I suggest you post your postconf -n to start with?

Here is a trimmed output of what (I think) will be relevant.  If you
think I've trimmed too hard, please let me know.

body_checks = pcre:/etc/postfix/body_checks.pcre
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
postscreen_dnsbl_sites = list.dnswl.org*-5
sender_bcc_maps = pcre:/etc/postfix/sender_bcc
smtpd_client_restrictions = permit_mynetworks, reject_invalid_hostname,
    check_client_access regexp:/etc/postfix/white_list
    check_client_access regexp:/etc/postfix/rejections
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname,
    check_helo_access regexp:/etc/postfix/helo_restrictions
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination, permit_dnswl_client list.dnswl.org,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:10023
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender,
    reject_unknown_sender_domain

 And if you've changed it at all your master.cf would help.

I've only amended master.cf for postgrey and amavisd-new:

pickup    fifo  n       -       -       60      1       pickup
  -o content_filter=
  -o receive_override_options=no_header_body_checks

smtp-amavis unix -      -       -       -       2       smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20

127.0.0.1:10025 inet n  -       -       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

 Be sure you're not setup as an open relay too, but let us read over
 your config here on the list to help you.

I'm pretty sure, and hopeful, that the above config prevents this.

 My first thought from the default install would be to switch off
 soft_bounce in main.cf with soft_bounce = no

I don't have soft_bounce set or called up at all, so would just be
the default for a ubuntu install.  I'll check into what that is.

-- 
Troy Piggins


Which Linux have the most recent Postfix ?

2011-05-22 Thread Frank Bonnet

Hello

Could anyone tell me which Linux distro has the most
recent stable Postfix available as a package?

Thanks


Re: Barracuda Reputation System and Postfix

2011-05-22 Thread Jim Wright
Tell the postmaster at the receiving end that they are blocking legitimate mail 
thanks to overly aggressive (i.e. brain dead) settings from Barracuda.  The 
IP address of the person sending an email should not matter at all.

Jim

On May 22, 2011, at 9:07 PM, Janantha Marasinghe wrote:

 Hi,
 
 I have come across the following error when one of my clients tries to send 
 mail to a party using mobile broadband. I think Barracuda looks at the 
 client's IP address (given by mobile broadband). How can I tackle this? I 
 know that you can do a header check on Postfix and remove the line where the 
 originating IP is removed. Is that the solution?
 
 mail..com[xxx.xxx.xxx.xx] said: 554 Service unavailable;
 Client host [mymailserver.com] blocked using Barracuda Reputation;
 http://bbl.barracudacentral.com/q.cgi?ip=ccc.ccc.ccc.ccc
 (in reply to end of DATA command)
 
 Regards
 Jay



Re: postfix/forwarders and sender rewrite scheme

2011-05-22 Thread mouss
On 22/05/2011 23:33, Reindl Harald wrote:
 
 
 On 22.05.2011 22:22, mouss wrote:
 On 21/05/2011 20:19, Reindl Harald wrote:
 hi

 is there any recommended way to implement SRS (Sender Rewrite Scheme) in 
 Postfix
 to get rid of SPF warnings/blocks for via virtual_alias_maps forwarded
 messages?


 if you want to implement SRS, then you'll need to deliver to an external
 program which does that.

 untested elabor...@your.own.risk
 you could use smtp_generic_maps, something like
 /(.*)@(google\.com)$/   srs-AHBHSRD-$1@$2

 and to get bounces forwarded back to sender, virtual_alias_maps
 /^srs-AHBHSRD-(.*)@(google\.com)$/   $1@$2

 replace AHBHSRD with anything to avoid people abusing your virtual
 alias... but as soon as this is known, you'll be abused. so make this
 dynamic. you could use an sql map to generate a random string...
 /untested
 
 Hm, this is not a solution because google is one of thousands of examples.
 This must be generic and triggered by forwarding for gmx.at, gmx.de, web.de
 or call it what you want, because you can not select which senders are writing
 mails to a forwarding-address.

that was an example. /(.*)@([^@]*)$/ would catch any domain. but of
course, at your own risk.

 
 it makes me really sad that postfix can not do this natively since
 more and more domains are using SPF in their dns-records and forwarders
 are not a bad thing per se


spf things have been discussed to death a long long time ago and the
subject is considered taboo here. please check the archives.

 [snip]


Re: Barracuda Reputation System and Postfix

2011-05-22 Thread Rich Wales
 Tell the postmaster at the receiving end that they are blocking
 legitimate mail thanks to overly aggressive (i.e. brain dead)
 settings from Barracuda.  The IP address of the person sending
 an email should not matter at all.

And if the postmaster at the receiving end assumes that "if this were
a brain-dead setting, surely Barracuda wouldn't offer it as an option,
now would they?", have them look at the following FAQ page from Spamhaus:

http://www.spamhaus.org/faq/answers.lasso?section=Spamhaus%20PBL#185

and, in particular, read the warning about deep parsing and why a
mail server must *NOT* do deep parsing using Spamhaus's PBL block
list (their list of dynamic end-user IP addresses that ought to be
sending out their mail via their ISP's mail server rather than trying
to talk directly to destinations).

Rich Wales
ri...@richw.org


fatal: lock file defer error

2011-05-22 Thread Nikolaos Milas

Hi,

We are running Postfix 2.8.1 with Dovecot 1.2.12 on CentOS 5.6 (64 bit) 
on a VM. The system is in production.


From time to time (about 2-3 times a week), I get an error "fatal: lock 
file defer message ID: defer service failure". After that, it seems to 
continue normally, without any intervention.


It's not a high traffic system (less than 1000 messages per hour in/out) 
[this is also due to it being behind a mail gateway device filtering spam].


Here is an example from the log:

May 22 08:10:24 vmail postfix/qmgr[2490]: 2A0F96E64C1: from=, 
size=3028, nrcpt=1 (queue active)
May 22 08:10:26 vmail postfix/qmgr[2490]: 18A13C4D1D6: 
from=geor...@space.noa.gr, size=68730, nrcpt=194 (queue active)
May 22 08:10:47 vmail postfix/smtp[4952]: connect to 
libra.astro.bas.bg[195.96.237.193]:25: Connection timed out
May 22 08:10:49 vmail postfix/smtp[4953]: connect to 
bagn.obs-mip.fr[193.52.224.7]:25: Connection timed out
May 22 08:11:08 vmail postfix/bounce[5079]: fatal: lock file defer 
18A13C4D1D6: Resource temporarily unavailable
May 22 08:11:09 vmail postfix/smtp[4953]: warning: 18A13C4D1D6: defer 
service failure
May 22 08:11:09 vmail postfix/smtp[4953]: 18A13C4D1D6: 
to=nadege.meun...@bagn.obs-mip.fr, relay=none, delay=155951, 
delays=155927/0.63/23/0, dsn=4.4.1, status=deferred (connect to 
bagn.obs-mip.fr[193.52.224.7]:25: Connection timed out)
May 22 08:11:09 vmail postfix/master[2482]: warning: process 
/usr/libexec/postfix/bounce pid 5079 exit status 1
May 22 08:11:29 vmail postfix/bounce[5181]: fatal: lock file defer 
18A13C4D1D6: Resource temporarily unavailable
May 22 08:11:47 vmail postfix/smtp[4952]: 18A13C4D1D6: 
to=duch...@libra.astro.bas.bg, relay=none, delay=155949, 
delays=155927/0.63/21/0, dsn=4.4.1, status=deferred (connect to 
libra.astro.bas.bg[195.96.237.193]:25: Connection timed out)
May 22 08:11:48 vmail postfix/smtp[4953]: warning: 18A13C4D1D6: defer 
service failure
May 22 08:11:47 vmail postfix/master[2482]: warning: 
/usr/libexec/postfix/bounce: bad command startup -- throttling


Can someone please provide some insight to the problem and suggest a 
solution?


Thanks in advance,
Nick


