Re: TLS issue

2016-12-02 Thread John Stoffel
The problem is only going to get worse, so any guidance and probably even some 
more general error messages giving more direct hints would be appreciated.  

The guy who just posted his solution to interoperate with old postfix and the 
Windows patch he could use is a perfect example.

Sent from my Amiga 1000

> On Dec 2, 2016, at 2:16 PM, Wietse Venema  wrote:
> 
> Viktor Dukhovni:
>> 
>>> On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny 
>>>  wrote:
>>> 
>>> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error 
>>> from smtptransit.de.net.intra[152.21.2.44]: -1
>>> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library 
>>> problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared 
>>> cipher:s3_srvr.c:1352:
>> 
>> Your Postfix SMTP server accepting an inbound connection could not
>> complete a TLS handshake with the remote SMTP client, because the
>> remote SMTP client's list of supported TLS ciphers, TLS signature
>> algorithms, supported EC curves, ... did not support any of the
>> corresponding parameter combinations available on your server.
>> 
>> For more detailed help, you should post more detail of your TLS
>> configuration.  (The shell commands below assume a POSIX shell,
>> not csh or similar):
> 
> With 'no shared ciphers' happening frequently, do we want to set
> up a TLS troubleshooting document, or is the decision tree too
> complex for such a document to be useful?
> 
>Wietse



Re: Azure Active Directory

2016-12-02 Thread Petri Riihikallio
> As long as saslauthd can bind against it like a regular Active Directory
> (=LDAP) server, it should work without special configuration inside
> postfix.

Does Azure AD support LDAP? At least in the beginning it didn’t, but I haven’t 
come across a definitive answer. There is a new RESTful API called Azure AD 
Graph. (If I have understood correctly, the MS LDAP implementation didn’t scale 
well to Azure proportions.)

(I’m sorry I am late to the party.)
-- 
Cheers
Petri
GSM +358 400 505 939




Re: What is the number means?

2016-12-02 Thread /dev/rob0
> On 12/02/2016 04:26 PM, Gao wrote:
> > I'd like to ask a dumb question: I see there are many things in 
> > Postfix which are named as pipe(8), smtp(5), lmtp(8). So what does 
> > the number 5 or 8 mean? Version number?
> >
On Fri, Dec 02, 2016 at 04:34:04PM -0500, Michael Munger wrote:
> Linux man page numbers.

Actually, no.  See Wietse's post.  Linux man page sections differ 
somewhat from the BSD standard used by Postfix.  The most notable 
difference is that the Linux convention would put the superuser 
commands (such as postfix(1) and postsuper(1)) in section 8 of the 
manual along with the daemons.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: What is the number means?

2016-12-02 Thread Gao

Thanks.


Gao


On 2016-12-02 01:34 PM, Michael Munger wrote:

Linux man page numbers.

http://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean#3587


Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com
On 12/02/2016 04:26 PM, Gao wrote:

Hi,

I'd like to ask a dumb question: I see there are many things in Postfix
which are named as pipe(8), smtp(5), lmtp(8). So what does the number 5 or 8
mean? Version number?

Gao





Re: What is the number means?

2016-12-02 Thread Wietse Venema
Gao:
> Hi,
> 
> I'd like to ask a dumb question: I see there are many things in Postfix 
> which are named as pipe(8), smtp(5), lmtp(8). So what does the number 5 or 8 mean? 
> Version number?

The numbers refer to sections in the UNIX programmer's manual. The
convention used in Postfix dates from the late 1970s. I approximate
the convention from 4.2BSD (SunOS and Ultrix): 1=commands, 2=syscalls,
3=libraries, 5=file formats, 8=daemons.

Wietse


Re: What is the number means?

2016-12-02 Thread Michael Munger
Linux man page numbers.

http://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean#3587


Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com
On 12/02/2016 04:26 PM, Gao wrote:
> Hi,
>
> I'd like to ask a dumb question: I see there are many things in Postfix
> which are named as pipe(8), smtp(5), lmtp(8). So what does the number 5 or 8
> mean? Version number?
>
> Gao
>



Re: [postfix-users] What is the number means?

2016-12-02 Thread Kiss Gabor (Bitman)
> I'd like to ask a dumb question: I see there are many things in Postfix which
> are named as pipe(8), smtp(5), lmtp(8). So what does the number 5 or 8 mean? Version
> number?

http://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean

Gabor


What is the number means?

2016-12-02 Thread Gao

Hi,

I'd like to ask a dumb question: I see there are many things in Postfix 
which are named as pipe(8), smtp(5), lmtp(8). So what does the number 5 or 8 mean? 
Version number?


Gao



Re: TLS issue

2016-12-02 Thread Postfix User
On Fri, 2 Dec 2016 14:16:20 -0500 (EST), Wietse Venema stated:

>With 'no shared ciphers' happening frequently, do we want to set
>up a TLS troubleshooting document, or is the decision tree too
>complex for such a document to be useful?

+1 for a "TLS Troubleshooting Document"

-- 
Jerry


Re: Suppress connection logging for IP

2016-12-02 Thread Wietse Venema
Ray Dzek:
> Hi,
> 
> We have a load balancer that opens a connection to the SMTP port
> on our postfix boxes to ensure the ports are alive and kicking.
> But obviously, this generates a lot of log clutter that is not
> needed. How would I go about suppressing the connect from... /
> disconnect from... log entry for this particular IP?

There is no such option. Use grep to suppress uninteresting info.
When you rotate logfiles, data compression will greatly reduce
repeated information.

Wietse
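
One way to do the grep-style filtering suggested above without creating a blind spot for the probe address (an added example, not part of the original thread). It drops only bare connect/disconnect pairs and keeps every session in which that IP did anything else. The function name, the address 192.0.2.10 and the sample lines are constructed, and the traditional syslog layout (process tag in the fifth field) is assumed.

```shell
# Added example: drop load balancer probe noise from a Postfix log without
# hiding sessions in which the same IP actually did something.

# lb_filter IP: reads syslog lines on stdin, writes the filtered log to stdout.
lb_filter() {
    awk -v tag="[$1]" '
    # True when smtpd logged "<verb> from name[IP]" for the probe address.
    function probe(verb,   n) {
        n = length($8) - length(tag) + 1
        return $5 ~ /^postfix\/smtpd\[/ && $6 == verb && $7 == "from" &&
               n > 0 && substr($8, n) == tag
    }
    {
        pid = $5                              # "postfix/smtpd[PID]:"
        if (probe("connect")) {
            if (pid in held) print held[pid]  # earlier connect never closed
            held[pid] = $0                    # hold until we see what follows
            next
        }
        if (pid in held) {
            if (probe("disconnect")) {        # bare connect/disconnect pair
                delete held[pid]
                next
            }
            print held[pid]                   # session did something: keep it
            delete held[pid]
        }
        print
    }
    END { for (pid in held) print held[pid] } # sessions still open at EOF
    '
}

# Constructed sample: 192.0.2.10 is the (hypothetical) load balancer.
sample_probe_log() {
    cat <<'EOF'
Dec  2 20:40:01 mx1 postfix/smtpd[4120]: connect from unknown[192.0.2.10]
Dec  2 20:40:01 mx1 postfix/smtpd[4120]: disconnect from unknown[192.0.2.10]
Dec  2 20:40:02 mx1 postfix/smtpd[4121]: connect from unknown[192.0.2.100]
Dec  2 20:40:02 mx1 postfix/smtpd[4121]: disconnect from unknown[192.0.2.100]
Dec  2 20:40:05 mx1 postfix/smtpd[4120]: connect from unknown[192.0.2.10]
Dec  2 20:40:05 mx1 postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.org>: Relay access denied
Dec  2 20:40:05 mx1 postfix/smtpd[4120]: disconnect from unknown[192.0.2.10]
EOF
}

sample_probe_log | lb_filter 192.0.2.10
```

The exact string comparison on `[IP]` means 192.0.2.100 is not mistaken for 192.0.2.10, which an unescaped grep pattern would do.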


Re: Suppress connection logging for IP

2016-12-02 Thread Christian Kivalo


Am 2. Dezember 2016 20:39:58 MEZ, schrieb Ray Dzek :
>Hi,
>
>We have a load balancer that opens a connection to the SMTP port on our
>postfix boxes to ensure the ports are alive and kicking. But obviously,
>this generates a lot of log clutter that is not needed. How would I go
>about suppressing the connect from... / disconnect from... log entry
>for this particular IP?

Configure your syslog daemon to discard these messages from the stream.

>
>Thanks in advance,
>
>Ray
-- 
Christian Kivalo


Suppress connection logging for IP

2016-12-02 Thread Ray Dzek
Hi,

We have a load balancer that opens a connection to the SMTP port on our postfix 
boxes to ensure the ports are alive and kicking. But obviously, this generates 
a lot of log clutter that is not needed. How would I go about suppressing the 
connect from... / disconnect from... log entry for this particular IP?

Thanks in advance,

Ray


Re: TLS issue

2016-12-02 Thread Wietse Venema
Viktor Dukhovni:
> 
> > On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny 
> >  wrote:
> > 
> > Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error 
> > from smtptransit.de.net.intra[152.21.2.44]: -1
> > Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library 
> > problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared 
> > cipher:s3_srvr.c:1352:
> 
> Your Postfix SMTP server accepting an inbound connection could not
> complete a TLS handshake with the remote SMTP client, because the
> remote SMTP client's list of supported TLS ciphers, TLS signature
> algorithms, supported EC curves, ... did not support any of the
> corresponding parameter combinations available on your server.
> 
> For more detailed help, you should post more detail of your TLS
> configuration.  (The shell commands below assume a POSIX shell,
> not csh or similar):

With 'no shared ciphers' happening frequently, do we want to set
up a TLS troubleshooting document, or is the decision tree too
complex for such a document to be useful?

Wietse


Re: TLS issue

2016-12-02 Thread Viktor Dukhovni

> On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny  
> wrote:
> 
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from 
> smtptransit.de.net.intra[152.21.2.44]: -1
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library 
> problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared 
> cipher:s3_srvr.c:1352:

Your Postfix SMTP server accepting an inbound connection could not
complete a TLS handshake with the remote SMTP client, because the
remote SMTP client's list of supported TLS ciphers, TLS signature
algorithms, supported EC curves, ... did not support any of the
corresponding parameter combinations available on your server.

For more detailed help, you should post more detail of your TLS
configuration.  (The shell commands below assume a POSIX shell,
not csh or similar):

   * What version of OpenSSL is your Postfix SMTP server linked with?
     Post the output of:

        $ openssl version -v -p
        $ ldd $(type -p openssl)
        $ ldd $(postconf -xh daemon_directory)/smtpd

   * Post the output of:

        $ postconf -n | egrep '^(smtpd_|)tls_'

   * Post the output of (executed as root):

        # for cert in $(postconf -xh smtpd_tls_cert_file smtpd_tls_eccert_file smtpd_tls_dcert_file)
          do
              echo "$cert:"
              openssl x509 -in $cert -subject -issuer -dates
          done

   * If the problem is ongoing capture some TCP traffic from that client:

        # client=152.21.2.44
        # ifname=eth0; : set ifname to match your external interface
        # pcap=/var/tmp/$client.pcap
        # (umask 077; tcpdump -c 1000 -i $ifname -s 0 -w $pcap host $client and tcp port 25) &

     This may be useful later.  It will capture at most 1000 packets from/to that
     client.  That is often enough to capture a few STARTTLS attempts.  If you're
     unlucky, it will catch just a portion of a session that is sending a large
     attachment, in that case you'll try again later...

-- 
Viktor.
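
A triage step that fits before the packet capture above: tally which clients fail the handshake and with what OpenSSL reason, by pairing each `SSL_accept error` line with the `TLS library problem` line logged under the same smtpd PID. This is an added example, not part of the original message; the function name, the second client (192.0.2.25) and the repeated entries in the sample are constructed.

```shell
# Added example: summarise TLS handshake failures per client from smtpd logs.

# tls_failures: reads syslog lines on stdin, prints "COUNT CLIENT REASON".
tls_failures() {
    awk '
    # smtpd logs the peer first, then the OpenSSL error, under the same PID.
    $6 == "SSL_accept" && $7 == "error" && $8 == "from" {
        peer = $9; sub(/:$/, "", peer)        # "name[addr]:" -> "name[addr]"
        last[$5] = peer
        next
    }
    /warning: TLS library problem:/ && ($5 in last) {
        # OpenSSL error text: PID:error:CODE:library:function:reason:file:line:
        i = index($0, ":error:"); if (!i) next
        n = split(substr($0, i + 1), part, ":")
        reason = (n >= 5) ? part[5] : "unknown"
        count[last[$5] "\t" reason]++
        delete last[$5]
    }
    END {
        for (k in count) {
            split(k, kv, "\t")
            printf "%d %s %s\n", count[k], kv[1], kv[2]
        }
    }
    ' | sort -k1,1nr -k2
}

# Constructed sample built from the log lines in this thread (unwrapped),
# with a second, made-up client interleaved under a different PID.
sample_tls_log() {
    cat <<'EOF'
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37040]: SSL_accept error from mail.example.net[192.0.2.25]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37040]: warning: TLS library problem: 37040:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:17:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:17:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
EOF
}

sample_tls_log | tls_failures
```

The client at the top of the list is the one worth setting `client=` to for the capture.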



Re: Customize log messages?

2016-12-02 Thread Michael Munger
This is a great idea. This is a spam filter that is integrated into a
CRM system, so I needed to parse and dump the information so it could be
sucked up later.

Here's what I ultimately created. It still needs some work (mainly
because it re-reads the whole file every time, and I should use
timestamps and a half-interval search algorithm to find the
last-processed time stamp. I am relying on log rotate to make it
not-too-terribly-big).

https://github.com/mjmunger/postfix-log-parser


Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com
On 12/02/2016 01:30 AM, @ wrote:
> On 11/30/16 2:35 PM, Michael Munger wrote:
>
>> I am writing a log parser so that when users complain "so and so sent me
>> an email and I didn't get it" I can query the logs and find this with
>> ease. Ultimately, I want to make this self service through a web page.
> I went a different way. Users can choose to receive a "DMR" (Daily Mail
> Report) and that report can contain either all the rejected email
> addresses that were not accepted for their account (or domain), all
> the accepted emails they got, or both.
>
> I have a bash script that does it, and when a user wants this, I
> simply set up a crontab for them. Usually after a week or so they want
> it turned off. The script sends them a lightly styled HTML table in
> the email.
>
> The heart of the script is:
>
>  if [ "$REJECT" = 1 ]; then
>   echo 'IP addressClaimed
> address'
> bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' |
> grep -v "Protocol error" | \
>  grep -v "$EXCLUDE" | sort -u | sed 's/from=,[]:' |
> grep -v rejected | \
>  awk '{print "REJECTED class=\"right\">"$16""$20""}'
>   fi
>
>   if [ "$ACCEPT" = 1 ]; then
> echo 'Accepted ID style="width:6em;">TimeFrom'
>  bzgrep -E 'DATA|\"from=\"' $LOGF | grep -v "<>"| \
> awk '{print $6"\t"$3"\t"$17"\t"$16}' | grep -v ESMTP | \
> grep -v "to= "to=<.*$MATCHPAT" | \
> grep -v "$EXCLUDE" | sed 's/from//g' | sed 's/://' | tr -d
> '=><' |
> awk '{print ""$1" class=\"right\">"$2""$4""}'
>fi
>
> For this to work
>
> smtpd_log_access_permit_actions = static:all
>
> must be set in main.cf. This makes your logs chattier, but provides me
> with the line in the logs that I need to get this working.
>
> One user, in particular, was calling several times a week looking for
> an email and now never calls.
>
>
>



Re: TLS issue

2016-12-02 Thread Wietse Venema
Zalezny Niezalezny:
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
> problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:1352:

This is asked once a week. Google for 'SSL3_GET_CLIENT_HELLO no shared cipher'.

Wietse


Re: TLS issue

2016-12-02 Thread Paweł Grzesik
That looks like a problem with your certificates.
You can check/verify them with the openssl command.

Thanks,
Pawel

2016-12-02 9:22 GMT+00:00 Zalezny Niezalezny :

> Hi,
>
> we have a problem with TLS on our Postfix server
>
>
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from
> smtptransit.de.net.intra[152.21.2.44]
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
> from smtptransit.de.net.intra[152.21.2.44]: -1
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS
> library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
> shared cipher:s3_srvr.c:1352:
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection
> after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
> Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from
> smtptransit.de.net.intra[152.21.2.44]
>
>
>
>
> But to be honest I do not understand what this is. Maybe somebody will be
> able to help here and explain.
>
>
> Thanks in advance.
>
> Zalezny
>


TLS issue

2016-12-02 Thread Zalezny Niezalezny
Hi,

we have a problem with TLS on our Postfix server


Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from
smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:1352:
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection
after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from
smtptransit.de.net.intra[152.21.2.44]




But to be honest I do not understand what this is. Maybe somebody will be
able to help here and explain.


Thanks in advance.

Zalezny