Re: TLS issue
The problem is only going to get worse, so any guidance and probably even
some more general error messages giving more direct hints would be
appreciated.

The guy who just posted his solution to interoperate with old postfix and
the Windows patch he could use is a perfect example.

Sent from my Amiga 1000

> On Dec 2, 2016, at 2:16 PM, Wietse Venema wrote:
>
> Viktor Dukhovni:
>>
>>> On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny
>>> wrote:
>>>
>>> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
>>> from smtptransit.de.net.intra[152.21.2.44]: -1
>>> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
>>> problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
>>> cipher:s3_srvr.c:1352:
>>
>> Your Postfix SMTP server accepting an inbound connection could not
>> complete a TLS handshake with the remote SMTP client, because the
>> remote SMTP client's list of supported TLS ciphers, TLS signature
>> algorithms, supported EC curves, ... did not support any of the
>> corresponding parameter combinations available on your server.
>>
>> For more detailed help, you should post more detail of your TLS
>> configuration. (The shell commands below assume a POSIX shell,
>> not csh or similar):
>
> With 'no shared ciphers' happening frequently, do we want to set
> up a TLS troubleshooting document, or is the decision tree too
> complex for such a document to be useful?
>
>    Wietse
Re: Azure Active Directory
> As long as saslauthd can bind against it like a regular Active Directory
> (=LDAP) server, it should work without special configuration inside
> postfix.

Does Azure AD support LDAP? At least in the beginning it didn’t, but I
haven’t come across a definitive answer. There is a new RESTful API
called Azure AD Graph. (If I have understood correctly, the MS LDAP
implementation didn’t scale well to Azure proportions.)

(I’m sorry I am late to the party.)

--
Cheers
Petri
GSM +358 400 505 939
Re: What is the number means?
> On 12/02/2016 04:26 PM, Gao wrote:
> > I'd like ask a dumb question: I see there are many things in
> > Postfix which named as pipe(8), smtp(5), lmtp(8). So what is
> > number 5 or 8 mean? Version number?
> >

On Fri, Dec 02, 2016 at 04:34:04PM -0500, Michael Munger wrote:
> Linux man page numbers.

Actually, no. See Wietse's post. Linux man page sections differ
somewhat from the BSD standard used by Postfix. The most notable
difference is that the Linux convention would put the superuser
commands (such as postfix(1) and postsuper(1)) in section 8 of the
manual along with the daemons.

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: What is the number means?
Thanks.

Gao

On 2016-12-02 01:34 PM, Michael Munger wrote:

Linux man page numbers.

http://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean#3587

Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com

On 12/02/2016 04:26 PM, Gao wrote:

Hi,

I'd like ask a dumb question: I see there are many things in Postfix
which named as pipe(8), smtp(5), lmtp(8). So what is number 5 or 8
mean? Version number?

Gao
Re: What is the number means?
Gao:
> Hi,
>
> I'd like ask a dumb question: I see there are many things in Postfix
> which named as pipe(8), smtp(5), lmtp(8). So what is number 5 or 8 mean?
> Version number?

The numbers refer to sections in the UNIX programmer's manual.

The convention used in Postfix dates from the late 1970s. I
approximate the convention from 4.2BSD (SunOS and Ultrix): 1=commands,
2=syscalls, 3=libraries, 5=file formats, 8=daemons.

    Wietse
Re: What is the number means?
Linux man page numbers.

http://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean#3587

Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com

On 12/02/2016 04:26 PM, Gao wrote:
> Hi,
>
> I'd like ask a dumb question: I see there are many things in Postfix
> which named as pipe(8), smtp(5), lmtp(8). So what is number 5 or 8
> mean? Version number?
>
> Gao
>
Re: [postfix-users] What is the number means?
> I'd like ask a dumb question: I see there are many things in Postfix which
> named as pipe(8), smtp(5), lmtp(8). So what is number 5 or 8 mean? Version
> number?

http://unix.stackexchange.com/questions/3586/what-do-the-numbers-in-a-man-page-mean

Gabor
What is the number means?
Hi,

I'd like ask a dumb question: I see there are many things in Postfix
which named as pipe(8), smtp(5), lmtp(8). So what is number 5 or 8
mean? Version number?

Gao
Re: TLS issue
On Fri, 2 Dec 2016 14:16:20 -0500 (EST), Wietse Venema stated:

>With 'no shared ciphers' happening frequently, do we want to set
>up a TLS troubleshooting document, or is the decision tree too
>complex for such a document to be useful?

+1 for a "TLS Troubleshooting Document"

--
Jerry
Re: Suppress connection logging for IP
Ray Dzek:
> Hi,
>
> We have a load balancer that opens a connection to the SMTP port
> on our postfix boxes to ensure the ports are alive and kicking.
> But obviously, this generates a lot of log clutter that is not
> needed. How would I go about suppressing the connect from... /
> disconnect from... log entry for this particular IP?

There is no such option. Use grep to suppress uninteresting info.

When you rotate logfiles, data compression will greatly reduce
repeated information.

    Wietse
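Added example (not part of the thread, and not Postfix code): one way to do the filtering suggested above when reading a log, removing only the connect/disconnect lines of one probe address. The function name, the address 192.0.2.10 and the sample log lines are assumptions made up for illustration.

```shell
# Added example, not from the thread: filter health-check noise out of a log.
# 192.0.2.10 stands in for the load balancer; all sample lines are constructed.
probe_sample() {
cat <<'EOF'
Dec  2 20:40:01 mx1 postfix/smtpd[4101]: connect from lb1.example.net[192.0.2.10]
Dec  2 20:40:01 mx1 postfix/smtpd[4101]: disconnect from lb1.example.net[192.0.2.10]
Dec  2 20:40:07 mx1 postfix/smtpd[4102]: connect from mail.example.org[192.0.2.100]
Dec  2 20:40:09 mx1 postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Dec  2 20:40:09 mx1 postfix/smtpd[4101]: SSL_accept error from unknown[192.0.2.10]: -1
Dec  2 20:40:09 mx1 postfix/smtpd[4101]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
EOF
}

# Usage: drop_probe_noise IP < logfile
# Removes smtpd "connect from" / "disconnect from" lines for exactly that IP.
# Every other line passes through, including errors caused by the same IP.
drop_probe_noise() {
    awk -v ip="$1" '
    BEGIN { tag = "[" ip "]" }
    # Only smtpd connect/disconnect lines are candidates for removal.
    match($0, /postfix\/smtpd\[[0-9]+\]: (dis)?connect from /) {
        rest = substr($0, RSTART + RLENGTH)   # "host[ip]" plus optional stats
        split(rest, f, " ")
        # Literal suffix comparison: no regex, so "." is not a wildcard and
        # [192.0.2.100] can never be mistaken for [192.0.2.10].
        if (substr(f[1], length(f[1]) - length(tag) + 1) == tag) next
    }
    { print }
    '
}

probe_sample | drop_probe_noise 192.0.2.10
```

The SSL_accept error from the probe address stays in the output, so a failing health check remains visible after filtering.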
Re: Suppress connection logging for IP
On 2 December 2016 20:39:58 CET, Ray Dzek wrote:
>Hi,
>
>We have a load balancer that opens a connection to the SMTP port on our
>postfix boxes to ensure the ports are alive and kicking. But obviously,
>this generates a lot of log clutter that is not needed. How would I go
>about suppressing the connect from... / disconnect from... log entry
>for this particular IP?

Configure your syslog daemon to discard these messages from the stream.

>
>Thanks in advance,
>
>Ray

--
Christian Kivalo
Suppress connection logging for IP
Hi,

We have a load balancer that opens a connection to the SMTP port on our
postfix boxes to ensure the ports are alive and kicking. But obviously,
this generates a lot of log clutter that is not needed. How would I go
about suppressing the connect from... / disconnect from... log entry for
this particular IP?

Thanks in advance,

Ray
Re: TLS issue
Viktor Dukhovni:
>
> > On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny
> > wrote:
> >
> > Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
> > from smtptransit.de.net.intra[152.21.2.44]: -1
> > Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
> > problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> > cipher:s3_srvr.c:1352:
>
> Your Postfix SMTP server accepting an inbound connection could not
> complete a TLS handshake with the remote SMTP client, because the
> remote SMTP client's list of supported TLS ciphers, TLS signature
> algorithms, supported EC curves, ... did not support any of the
> corresponding parameter combinations available on your server.
>
> For more detailed help, you should post more detail of your TLS
> configuration. (The shell commands below assume a POSIX shell,
> not csh or similar):

With 'no shared ciphers' happening frequently, do we want to set
up a TLS troubleshooting document, or is the decision tree too
complex for such a document to be useful?

    Wietse
Re: TLS issue
> On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny
> wrote:
>
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from
> smtptransit.de.net.intra[152.21.2.44]: -1
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
> problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:1352:

Your Postfix SMTP server accepting an inbound connection could not
complete a TLS handshake with the remote SMTP client, because the
remote SMTP client's list of supported TLS ciphers, TLS signature
algorithms, supported EC curves, ... did not support any of the
corresponding parameter combinations available on your server.

For more detailed help, you should post more detail of your TLS
configuration. (The shell commands below assume a POSIX shell,
not csh or similar):

  * What version of OpenSSL is your Postfix SMTP server linked with?
    Post the output of:

        $ openssl version -v -p
        $ ldd $(type -p openssl)
        $ ldd $(postconf -xh daemon_directory)/smtpd

  * Post the output of:

        $ postconf -n | egrep '^(smtpd_|)tls_'

  * Post the output of (executed as root):

        # for cert in $(postconf -xh smtpd_tls_cert_file smtpd_tls_eccert_file smtpd_tls_dcert_file)
          do
              echo "$cert:"
              openssl x509 -in $cert -subject -issuer -dates
          done

  * If the problem is ongoing capture some TCP traffic from that client:

        # client=152.21.2.44
        # ifname=eth0; : set ifname to match your external interface
        # pcap=/var/tmp/$client.pcap
        # (umask 077; tcpdump -c 1000 -i $ifname -s 0 -w $pcap host $client and tcp port 25) &

    This may be useful later. It will capture at most 1000 packets
    from/to that client. That is often enough to capture a few STARTTLS
    attempts. If you're unlucky, it will catch just a portion of a
    session that is sending a large attachment, in that case you'll
    try again later...

--
    Viktor.
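Added example (not part of the thread, and not Postfix code): before choosing a client for the tcpdump capture above, it helps to know which clients fail with "no shared cipher" and how often. The function names and every log line other than the two formats quoted in this thread are constructed for illustration.

```shell
# Added example, not from the thread: count "no shared cipher" failures per
# client. smtpd names the client on the "SSL_accept error" line and the reason
# on the following "TLS library problem" line; the smtpd PID joins the two.

# Constructed sample log modelled on the lines quoted in this thread;
# the example.net hosts and 192.0.2.x addresses are made up.
sample_log() {
cat <<'EOF'
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from smtptransit.de.net.intra[152.21.2.44]
Dec  2 10:13:10 postfix-server01 postfix/smtpd[37036]: SSL_accept error from mail.example.net[192.0.2.7]: -1
Dec  2 10:13:10 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Dec  2 10:13:10 postfix-server01 postfix/smtpd[37036]: disconnect from mail.example.net[192.0.2.7]
Dec  2 10:14:41 postfix-server01 postfix/smtpd[37040]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:14:41 postfix-server01 postfix/smtpd[37040]: warning: TLS library problem: 37040:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:15:02 postfix-server01 postfix/smtpd[37036]: SSL_accept error from legacy.example.net[192.0.2.25]: -1
Dec  2 10:15:02 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
EOF
}

# Reads a Postfix log on stdin, prints "COUNT host[ip]" sorted by count.
no_shared_cipher_by_client() {
    awk '
    # Return the PID inside "postfix/smtpd[PID]", or "" if the line has none.
    function smtpd_pid(line) {
        if (match(line, /postfix\/smtpd\[[0-9]+\]/) == 0) return ""
        return substr(line, RSTART + 14, RLENGTH - 15)
    }
    / SSL_accept error from / {
        pid = smtpd_pid($0); if (pid == "") next
        c = $0
        sub(/^.* SSL_accept error from /, "", c)   # leaves "host[ip]: -1"
        sub(/: .*$/, "", c)                        # leaves "host[ip]"
        pending[pid] = c
        next
    }
    /TLS library problem: .*no shared cipher/ {
        pid = smtpd_pid($0)
        if (pid in pending) { count[pending[pid]]++; delete pending[pid] }
        next
    }
    # One smtpd process serves many clients in turn; forget state at session end.
    / disconnect from / { delete pending[smtpd_pid($0)] }
    END { for (c in count) printf "%d %s\n", count[c], c }
    ' | LC_ALL=C sort -rn
}
sample_log | no_shared_cipher_by_client
```

Handshake failures with a different cause, such as the constructed "unknown protocol" entry, are left out of the count.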
Re: Customize log messages?
This is a great idea. This is a spam filter that is integrated into a
CRM system, so I needed to parse and dump the information so it could
be sucked up later.

Here's what I ultimately created. It still needs some work (mainly
because it re-reads the whole file every time, and I should use
timestamps and a half-interval search algorithm to find the
last-processed time stamp. I am relying on log rotate to make it
not-too-terribly-big).

https://github.com/mjmunger/postfix-log-parser

Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com

On 12/02/2016 01:30 AM, @ wrote:
> On 11/30/16 2:35 PM, Michael Munger wrote:
>
>> I am writing a log parser so that when users complain "so and so sent me
>> an email and I didn't get it" I can query the logs and find this with
>> ease. Ultimately, I want to make this self service through a web page.
> I went a different way. Users can choose to receive a "DMR" (Daily Mail
> Report) and that report can contain either all the rejected email
> addresses that were not accepted for their account (or domain), all
> the accepted emails they got, or both.
>
> I have a bash script that does it, and when a user wants this, I
> simply set up a crontab for them. Usually after a week or so they want
> it turned off. The script sends them a lightly styled HTML table in
> the email.
>
> The heart of the script is:
>
> if [ "$REJECT" = 1 ]; then
> echo 'IP addressClaimed
> address'
> bzgrep "$MATCHPAT" $LOGF | grep -i reject | egrep 'from=<[^>]+>' |
> grep -v "Protocol error" | \
> grep -v "$EXCLUDE" | sort -u | sed 's/from=,[]:' |
> grep -v rejected | \
> awk '{print "REJECTED class=\"right\">"$16""$20""}'
> fi
>
> if [ "$ACCEPT" = 1 ]; then
> echo 'Accepted ID style="width:6em;">TimeFrom'
> bzgrep -E 'DATA|\"from=\"' $LOGF | grep -v "<>"| \
> awk '{print $6"\t"$3"\t"$17"\t"$16}' | grep -v ESMTP | \
> grep -v "to="to=<.*$MATCHPAT" | \
> grep -v "$EXCLUDE" | sed 's/from//g' | sed 's/://' | tr -d
> '=><' |
> awk '{print ""$1" class=\"right\">"$2""$4""}'
>fi
>
> For this to work
>
> smtpd_log_access_permit_actions = static:all
>
> must be set in main.cf. This makes your logs chattier, but provides me
> with the line in the logs that I need to get this working.
>
> One user, in particular, was calling several times a week looking for
> an email and now never calls.
>
>
>
Re: TLS issue
Zalezny Niezalezny:
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library
> problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:1352:

This is asked once a week. Google for 'SSL3_GET_CLIENT_HELLO no
shared cipher'.

    Wietse
Re: TLS issue
That looks like a problem with your certificates. You can check/verify them
by openssl command.

Thanks,
Pawel

2016-12-02 9:22 GMT+00:00 Zalezny Niezalezny:
> Hi,
>
> we have a problem with TLS on our Postfix server
>
>
> ec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from
> smtptransit.de.net.intra[152.21.2.44]
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error
> from smtptransit.de.net.intra[152.21.2.44]: -1
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS
> library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
> shared cipher:s3_srvr.c:1352:
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection
> after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from
> smtptransit.de.net.intra[152.21.2.44]
>
>
>
>
> But to be honest I do not understand what is this. Maybe somebody will be
> able to help here and explain.
>
>
> Thanks in advance.
>
> Zalezny
>
TLS issue
Hi,

we have a problem with TLS on our Postfix server

ec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from smtptransit.de.net.intra[152.21.2.44]
Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: lost connection after STARTTLS from smtptransit.de.net.intra[152.21.2.44]
Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: disconnect from smtptransit.de.net.intra[152.21.2.44]

But to be honest I do not understand what is this. Maybe somebody will be
able to help here and explain.

Thanks in advance.

Zalezny