Re: canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Noel Jones
On 2/17/2017 1:24 PM, Marek Kozlowski wrote:
> On 02/17/2017 08:09 PM, Noel Jones wrote:
>> On 2/17/2017 12:53 PM, Marek Kozlowski wrote:
>>> When smithj authenticates via SASL to my server and sends e-mail from
>>> `smi...@something.com' locally or remotely I'd like to replace it to
>>> `j.sm...@sth.com'. But if mail from `smi...@something.com' is received
>>> from remote SMTP hosts any address changes should NOT be applied.
>>
>> Excellent, yes canonical_maps is what you need, but you'll need to
>> limit the scope to submission.  See Viktor's reply for how to do
>> that.  Come back if you have any questions.
> 
> Honestly, I'd like to use canonicals for postsrsd (protecting external
> forwards from SPF rules) so if I could use some other mechanism here...
> 
> Best regards,
> Marek
> 

I don't use postsrsd so can't offer any specific advice on that.
Canonical maps is the feature you need for the address rewriting you
have described.  You can use multiple canonical_maps as long as they
aren't trying to match the same input key.



  -- Noel Jones




Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Viktor Dukhovni

> On Feb 17, 2017, at 5:33 PM, Chris Green  wrote:
> 
> OK, so the older version is using SMTP STARTTLS which runs on port 587

This is how TLS has worked in MTA-to-MTA SMTP for the last > 15 years.

https://tools.ietf.org/html/rfc3207

> and the newer (>=3) version is using TLS directly on port 465.

No, Postfix 3.0 and later *also* support SMTP over TLS as used
by some systems on port 465.  The submission service on 587 and
the relay service on port 25 continue to support STARTTLS.

To use submission on port 587 the server needs to provide that
service.  If a server only supports "smtps" on 465, then that's
what you need to use.

-- 
Viktor.



Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Chris Green
On Fri, Feb 17, 2017 at 05:24:54PM -0500, Viktor Dukhovni wrote:
> 
> > On Feb 17, 2017, at 10:43 AM, Chris Green  wrote:
> > 
> > Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> > postfix 3, is that what makes the difference?
> 
> Yes.
> 
> > I'd still like a simple explanation though!  :-)
> 
> That's the simple explanation.  SMTP directly over TLS requires the new
> feature.  TLS via the SMTP STARTTLS command dates back to Postfix 2.2
> (and unofficial patches in even older Postfix versions).
> 
OK, so the older version is using SMTP STARTTLS which runs on port 587
and the newer (>=3) version is using TLS directly on port 465.

Should it still be possible to use SMTP STARTTLS on port 587 with
newer postfix versions?  I couldn't make this work, or at least I
don't think I could.  I'd be happier using as far as possible the same
configuration on all my installations.

-- 
Chris Green


Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Viktor Dukhovni

> On Feb 17, 2017, at 10:43 AM, Chris Green  wrote:
> 
> Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> postfix 3, is that what makes the difference?

Yes.

> I'd still like a simple explanation though!  :-)

That's the simple explanation.  SMTP directly over TLS requires the new
feature.  TLS via the SMTP STARTTLS command dates back to Postfix 2.2
(and unofficial patches in even older Postfix versions).

-- 
Viktor.



Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread @lbutlr
On 2017-02-17 (12:38 MST), "Fazzina, Angelo"  wrote:
> 
> I thought the master.cf file is where you config what protocol to listen for ?

He is SENDING outbound mail to his upstream, not listening for incoming mail.

As for the original post, 587 is the right port to use anyway, so ignore your 
ISP's instructions to use the wrong port?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.




Re: Strong Ciphers to use with Postfix

2017-02-17 Thread Daniel Bareiro


On 17/02/17 12:46, L.P.H. van Belle wrote:
> Hai, 

Hi, Louis.

> It all depends on what you need and want. 
> 
> After monitoring for about a year on with or without encryption. 
> I have 0 unencrypted mail servers found and a handful of SSLv2 or V3. 
> Which I simply don't allow anymore. ( The sslv2/v3 ) 
> Due to the Dutch "Privacy laws" users are obligated to have/use encrypted 
> lines. And a lot should be encrypted. 
>
> So I prefer a high but compatible set. 
> A setup like this : https://tls.imirhil.fr/smtp/mail.van-belle.nl  
> My preferred site to check ciphersets.  
> I'm also running debian jessie postfix 2.11.

I tried to test against tls.imirhil.fr, but the check ends with an error
saying that the process lasted more than 2 min. I'm not sure what might
be the cause of this. In mail.log I see the received connections to make
the checks.

> And yes, there is always room for improvements, but my cipher check shows me 
> the following and I'm happy with it. 
> 
>       2 TLSv1 with cipher AES256-SHA
>       6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
>      13 TLSv1.2 with cipher AES256-SHA
>      27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
>      34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
>     103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
>     302 TLSv1 with cipher DHE-RSA-AES256-SHA
>     772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
>    2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
>   11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA

Very interesting statistics.

> # Add these to log your ciphers used. 
> smtp_tls_loglevel=1
> smtpd_tls_loglevel=1
> 
> # check encrypted connections with : 
> # grep "connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
> # check for clear text connections:
> # grep "connection established from" /var/log/mail.log | grep -v cipher | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

Thanks for sharing these scripts to total the connections with each cipher.

> # outgoing connections: smtp
> smtp_tls_protocols = !SSLv2,!SSLv3

I have not explicitly defined this variable, so I have the default value
that is:

smtp_tls_protocols = !SSLv2

So I think it may be advisable to add !SSLv3.

> smtp_tls_ciphers = high

I have not explicitly defined this variable, so I have the default value
that is "export".

I was reading the documentation [1] where reference is made to "minimum
TLS cipher grade", but I'm not clear how these degrees are defined.

> smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4

> smtp_tls_security_level = may

Here for smtp_tls_security_level I also have the same configuration.

> smtp_tls_note_starttls_offer = yes

I have not explicitly defined this variable, so I have the default value
that is "no". I was reading the documentation about this and it says
"Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
is not already enabled for that server". This is not clear to me or
maybe I'm missing something. If the remote server provides STARTTLS,
then is not TLS enabled on that server?

> # incoming connections: smtpd
> smtpd_use_tls = yes
> smtpd_enforce_tls = no

Here we agree. The smtpd_enforce_tls variable is not declared in my
main.cf, but the value "no" is the default.

> smtpd_tls_protocols = !SSLv2,!SSLv3

I have not declared specifically this variable in my main.cf, and I see
that it is empty:

# postconf | grep smtpd_tls_protocols
smtpd_tls_protocols =
tlsproxy_tls_protocols = $smtpd_tls_protocols

In the Postfix documentation [2] I see that the default value is
!SSLv2,!SSLv3. Maybe this has changed in recent versions? I'm using
Postfix 2.11.3-1 on Debian Jessie 8.7.

> smtpd_tls_ciphers = high

Here I have a question similar to the one I mentioned for
smtp_tls_ciphers. How are these cipher grades [3] defined? Here I am
also using the value "export", since I have not explicitly defined this
variable in main.cf.

> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
> #, RSA+AES

Despite having smtpd_tls_protocols with an empty value, when testing on
ssl-tools.net, it shows that I am not using weak ciphers (it shows an
SSL3 that is crossed out). Is this related to the values in the
smtpd_tls_exclude_ciphers variable suggested by Angelo (DEA-CBC-SHA,
DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL)?

> smtpd_tls_eecdh_grade = ultra

Here I have the default value, which is "strong". It seems to be an
acceptable value from what I see in the documentation [4].


Thanks for your reply and your time.

Kind regards,
Daniel

[1] http://www.postfix.org/postconf.5.html#smtp_tls_ciphers
[2] http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
[3] http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
[4] http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade




Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Chris Green
On Fri, Feb 17, 2017 at 07:35:42PM +, Chris Green wrote:
> [snip long message]
> 
> Sorry about the duplicate, you can see I really am having trouble with
> my E-Mail!  :-)
> 
... and I'm talking rubbish anyway, I've got two subscriptions! Aarrgghh!!

-- 
Chris Green


Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Dominic Raferd
On 17 February 2017 at 19:38, Fazzina, Angelo  wrote:
> Hi,
> I thought the master.cf file is where you config what protocol to listen for ?
>
> Submission  or SMTPS
>
> I'm no expert either, just curious what your setup is.
> -ALF
>
> -Angelo Fazzina
> Operating Systems Programmer / Analyst
> University of Connecticut,  UITS, SSG, Server Systems
> 860-486-9075
>
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Chris Green
> Sent: Friday, February 17, 2017 10:43 AM
> To: postfix-users@postfix.org
> Subject: Different treatment of ports 465 and 587 between postfix versions 
> 2.9 and 3.1
>
> I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
> on a Raspberry Pi running Debian.
>
> They seem to act very differently as regards the use of ports 465 and
> 587 and I'd like things clarified so I can understand better.
>
> I use both postfix installations to send outgoing E-Mail (i.e. mail
> which is leaving my home LAN) to my hosting company's servers.  Their
> documentation says that I should use port 465 and TLS to connect to
> the SMTP server.
>
> ...
> Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> postfix 3, is that what makes the difference?  I'd still like a simple
> explanation though!  :-)

see http://www.postfix.org/TLS_README.html#client_smtps
- use stunnel for postfix <3.0 (it still works for postfix >=3.0)
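
The stunnel approach from the linked TLS_README section, written out for the Postfix 2.9 host in this thread, as an added example that is not part of the original message. The local port 11125, the file paths and the CA bundle location are assumptions; the relay host name is the one given in the thread.

```conf
# /etc/stunnel/stunnel.conf  (path is an assumption; stunnel 4.x syntax)
# stunnel makes the TLS connection to port 465 and exposes a plaintext
# listener on loopback for the Postfix smtp(8) client.
[smtp-tls-wrapper]
client  = yes
accept  = 127.0.0.1:11125
connect = mail3.gridhost.co.uk:465
# Without verify/CAfile stunnel accepts any server certificate.
verify  = 2
CAfile  = /etc/ssl/certs/ca-certificates.crt   # Debian CA bundle (assumed location)

# /etc/postfix/main.cf on the Postfix < 3.0 host
relayhost = [127.0.0.1]:11125
# The hop to stunnel is plaintext on loopback; "encrypt" here would make
# Postfix demand STARTTLS from the tunnel endpoint and defer the mail.
smtp_tls_security_level = none
smtp_sasl_auth_enable = yes
# Postfix sees an unencrypted session, so smtp_sasl_tls_security_options
# does not apply and the default "noplaintext" would block PLAIN/LOGIN.
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# /etc/postfix/sasl_passwd: the lookup key must match relayhost as written
# above. USERNAME and PASSWORD are placeholders. Run postmap afterwards.
# [127.0.0.1]:11125    USERNAME:PASSWORD
```

With stunnel 4.x, `verify = 2` validates the certificate chain but not the host name; newer stunnel releases add a `checkHost` option for that.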


RE: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Fazzina, Angelo
Hi,
I thought the master.cf file is where you config what protocol to listen for ?

Submission  or SMTPS 

I'm no expert either, just curious what your setup is.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Chris Green
Sent: Friday, February 17, 2017 10:43 AM
To: postfix-users@postfix.org
Subject: Different treatment of ports 465 and 587 between postfix versions 2.9 
and 3.1

I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
on a Raspberry Pi running Debian.

They seem to act very differently as regards the use of ports 465 and
587 and I'd like things clarified so I can understand better.

I use both postfix installations to send outgoing E-Mail (i.e. mail
which is leaving my home LAN) to my hosting company's servers.  Their
documentation says that I should use port 465 and TLS to connect to
the SMTP server.

On the postfix 3.1 system this works, I specify port 465 in main.cf
and everything is as it should be.  The local additions and changes to
main.cf are as follows:-

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = esprimo.zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
relayhost = [mail3.gridhost.co.uk]:465
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
compatibility_level = 2


However on the postfix 2.9 installation on the raspberry pi using port
465 fails.  What I see in /var/log/mail.log when sending a mail is as
follows:-

Feb 17 15:07:06 pi postfix/pickup[20154]: 1C9A322C52: uid=1000 from=
Feb 17 15:07:06 pi postfix/cleanup[20187]: 1C9A322C52: message-id=<20170217150706.1c9a322...@zbmc.eu>
Feb 17 15:07:06 pi postfix/qmgr[20153]: 1C9A322C52: from=, size=293, nrcpt=1 (queue active)
Feb 17 15:07:06 pi postfix/smtp[20189]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 17 15:07:06 pi postfix/smtp[20189]: instead, send to (port submission/587) with STARTTLS
Feb 17 15:08:06 pi postfix/smtp[20189]: 1C9A322C52: to=, relay=mail3.gridhost.co.uk[95.142.156.18]:465, delay=60, delays=0.16/0.21/60/0, dsn=4.4.2, status=deferred (lost connection with mail3.gridhost.co.uk[95.142.156.18] while receiving the initial server greeting)

If (as the above suggests) I change to port 587 then everything works
OK.

The relevant parts of main.cf on the Raspberry Pi are:-

# smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = pi.zbmc.eu, localhost.zbmc.eu, localhost
relayhost = [mail3.gridhost.co.uk]:587
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
# smtp_generic_maps = hash:/etc/postfix/generic

As you can see it's basically the same as the other one, except that
it needs port 587 instead of 465.

Can anyone explain this please?  I assume it's due to some change
between postfix 2.9 and postfix 3.1 but I may be entirely wrong, I'm
hardly a postfix expert.  Alternatively could there be some difference
in the default installation set-up between the Debian on the Pi and
Xubuntu on the other machine?

Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
postfix 3, is that what makes the difference?  I'd still like a simple
explanation though!  :-)


-- 
Chris Green


Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Chris Green
[snip long message]

Sorry about the duplicate, you can see I really am having trouble with
my E-Mail!  :-)

-- 
Chris Green


Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

2017-02-17 Thread Chris Green
I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
on a Raspberry Pi running Debian.

They seem to act very differently as regards the use of ports 465 and
587 and I'd like things clarified so I can understand better.

I use both postfix installations to send outgoing E-Mail (i.e. mail
which is leaving my home LAN) to my hosting company's servers.  Their
documentation says that I should use port 465 and TLS to connect to
the SMTP server.

On the postfix 3.1 system this works, I specify port 465 in main.cf
and everything is as it should be.  The local additions and changes to
main.cf are as follows:-

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = esprimo.zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
relayhost = [mail3.gridhost.co.uk]:465
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
compatibility_level = 2


However on the postfix 2.9 installation on the raspberry pi using port
465 fails.  What I see in /var/log/mail.log when sending a mail is as
follows:-

Feb 17 15:07:06 pi postfix/pickup[20154]: 1C9A322C52: uid=1000 from=
Feb 17 15:07:06 pi postfix/cleanup[20187]: 1C9A322C52: message-id=<20170217150706.1c9a322...@zbmc.eu>
Feb 17 15:07:06 pi postfix/qmgr[20153]: 1C9A322C52: from=, size=293, nrcpt=1 (queue active)
Feb 17 15:07:06 pi postfix/smtp[20189]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 17 15:07:06 pi postfix/smtp[20189]: instead, send to (port submission/587) with STARTTLS
Feb 17 15:08:06 pi postfix/smtp[20189]: 1C9A322C52: to=, relay=mail3.gridhost.co.uk[95.142.156.18]:465, delay=60, delays=0.16/0.21/60/0, dsn=4.4.2, status=deferred (lost connection with mail3.gridhost.co.uk[95.142.156.18] while receiving the initial server greeting)

If (as the above suggests) I change to port 587 then everything works
OK.

The relevant parts of main.cf on the Raspberry Pi are:-

# smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = pi.zbmc.eu, localhost.zbmc.eu, localhost
relayhost = [mail3.gridhost.co.uk]:587
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
# smtp_generic_maps = hash:/etc/postfix/generic

As you can see it's basically the same as the other one, except that
it needs port 587 instead of 465.

Can anyone explain this please?  I assume it's due to some change
between postfix 2.9 and postfix 3.1 but I may be entirely wrong, I'm
hardly a postfix expert.  Alternatively could there be some difference
in the default installation set-up between the Debian on the Pi and
Xubuntu on the other machine?

Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
postfix 3, is that what makes the difference?  I'd still like a simple
explanation though!  :-)


-- 
Chris Green


Re: canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Marek Kozlowski
On 02/17/2017 08:09 PM, Noel Jones wrote:
> On 2/17/2017 12:53 PM, Marek Kozlowski wrote:
>> When smithj authenticates via SASL to my server and sends e-mail from
>> `smi...@something.com' locally or remotely I'd like to replace it to
>> `j.sm...@sth.com'. But if mail from `smi...@something.com' is received
>> from remote SMTP hosts any address changes should NOT be applied.
> 
> Excellent, yes canonical_maps is what you need, but you'll need to
> limit the scope to submission.  See Viktor's reply for how to do
> that.  Come back if you have any questions.

Honestly, I'd like to use canonicals for postsrsd (protecting external
forwards from SPF rules) so if I could use some other mechanism here...

Best regards,
Marek





Re: canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Noel Jones
On 2/17/2017 12:53 PM, Marek Kozlowski wrote:
> When smithj authenticates via SASL to my server and sends e-mail from
> `smi...@something.com' locally or remotely I'd like to replace it to
> `j.sm...@sth.com'. But if mail from `smi...@something.com' is received
> from remote SMTP hosts any address changes should NOT be applied.

Excellent, yes canonical_maps is what you need, but you'll need to
limit the scope to submission.  See Viktor's reply for how to do
that.  Come back if you have any questions.



  -- Noel Jones


Re: canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Marek Kozlowski
On 02/17/2017 07:41 PM, Noel Jones wrote:
> On 2/17/2017 12:04 PM, Marek Kozlowski wrote:
>> I'm searching for a possibility of rewriting (senders') addresses only
>> for all mail originating from my system - no matter if it is local or
>> remote delivery. I mean: rewriting sender's address for mail from SASL
>> authenticated users and leaving as is for all other mail. May I ask for
>> some tips?
>
> From your short description, it sounds as if canonical_maps is what
> you need.  If that doesn't seem to fit, please describe your needs
> in more detail.

I perform maps in form of some LDAP queries. In my case it is possible
that my server receives mail from some remote hosts while LDAP queries
return positive results. In such case any replacements should NOT be
applied. For mail from SASL authenticated users I'd like to rewrite
senders' addresses according to LDAP queries results no matter if it is
local or remote delivery.

When smithj authenticates via SASL to my server and sends e-mail from
`smi...@something.com' locally or remotely I'd like to replace it to
`j.sm...@sth.com'. But if mail from `smi...@something.com' is received
from remote SMTP hosts any address changes should NOT be applied.

Best regards,
Marek






Re: canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Viktor Dukhovni

> On Feb 17, 2017, at 1:04 PM, Marek Kozlowski  
> wrote:
> 
> I'm searching for a possibility of rewriting (senders') addresses only
> for all mail originating from my system - no matter if it is local or
> remote delivery. I mean: rewriting sender's address for mail from SASL
> authenticated users and leaving as is for all other mail. May I ask for
> some tips?

Apply suitable canonical_maps with submission via port 587.  Do not offer
SASL authentication with the port 25 inbound MX service.

You can use a separate Postfix instance for the MSA, or, alternatively,
just a separate master.cf smtpd(8) service on port 587 along with a
"-o cleanup_service_name=submission_cleanup" setting and an additional
cleanup(8) that has "-o canonical_maps=$submission_canonical_maps",
optionally the same "-o canonical_maps" override could also be specified
for the submission smtpd(8).

-- 
Viktor.
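
The master.cf arrangement described in the reply above, written out as an added example (not part of the original post and not taken from the Postfix distribution). The service name submission_cleanup and the parameter submission_canonical_maps follow the reply; the LDAP table path and the extra submission restrictions are assumptions.

```conf
# /etc/postfix/main.cf
# User-defined parameter, referenced only from master.cf below.
# The LDAP table file name is a placeholder.
submission_canonical_maps = ldap:/etc/postfix/ldap-submission-canonical.cf
# Port 25 (inbound MX) offers no SASL, so authenticated senders can only
# arrive through the submission service and its dedicated cleanup.
smtpd_sasl_auth_enable = no
# canonical_maps is deliberately not set to the LDAP table here, so mail
# received from remote SMTP hosts on port 25 is not rewritten by it.

# /etc/postfix/master.cf
# service            type  private unpriv chroot wakeup maxproc command
submission           inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  # Only SASL-authenticated clients may use this service.
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  # Hand mail from this listener to the dedicated cleanup service.
  -o cleanup_service_name=submission_cleanup
  # Optional, as mentioned in the reply: the same override for smtpd(8).
  -o canonical_maps=$submission_canonical_maps

# Second cleanup(8) service; same field values as the stock cleanup entry.
submission_cleanup   unix  n       -      n      -      0       cleanup
  -o canonical_maps=$submission_canonical_maps
```

After reloading Postfix, `postconf -M submission/inet` prints the service entry as Postfix parsed it.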



Re: canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Noel Jones
On 2/17/2017 12:04 PM, Marek Kozlowski wrote:
> I'm searching for a possibility of rewriting (senders') addresses only
> for all mail originating from my system - no matter if it is local or
> remote delivery. I mean: rewriting sender's address for mail from SASL
> authenticated users and leaving as is for all other mail. May I ask for
> some tips?
> 
> Best regards,
> Marek
> 

From your short description, it sounds as if canonical_maps is what
you need.  If that doesn't seem to fit, please describe your needs
in more detail.



  -- Noel Jones


canonical vs smtp_generic_maps vs ...?

2017-02-17 Thread Marek Kozlowski
:-)

"The optional generic(5) table specifies an address mapping that applies
when mail is delivered. This is the opposite of  canonical(5)  mapping,
which applies when mail is received."
(http://www.postfix.org/generic.5.html)

Nice...

"With the smtp_generic_maps parameter you can specify generic(5) lookup
tables that replace local mail addresses by valid Internet addresses
when mail leaves the machine via SMTP."
(http://www.postfix.org/ADDRESS_REWRITING_README.html#generic)

Close but... "when mail LEAVES the machine"...

I'm searching for a possibility of rewriting (senders') addresses only
for all mail originating from my system - no matter if it is local or
remote delivery. I mean: rewriting sender's address for mail from SASL
authenticated users and leaving as is for all other mail. May I ask for
some tips?

Best regards,
Marek





Re: Strong Ciphers to use with Postfix

2017-02-17 Thread Viktor Dukhovni
On Fri, Feb 17, 2017 at 12:44:35PM -0300, Daniel Bareiro wrote:

Do not confuse opportunistic TLS in SMTP with browser to webserver
TLS in HTTPS.  In the name of improving security such settings make
your MTA less secure.  There are still many systems that can only
do TLS 1.0 and not TLS 1.1 or TLS 1.2.  Other systems may not
support your rather narrow choice of ciphersuites.

In the absence of interoperable TLS capabilities, many systems will
send you email in the clear.  Is that an improvement?  Other systems
may not be able to send at all.  See RFC7435.

Postfix has sensible default TLS settings, despite what some clueless
checklist may suggest.

> So I think this would replace these lines of https://cipherli.st:
> 
> --
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_mandatory_ciphers = medium
> tls_medium_cipherlist = AES128+EECDH:AES128+EDH
> --

Better yet, ignore that site and its counterproductive advice.

> smtpd_use_tls=yes

Obsolete legacy setting.

> smtpd_tls_security_level = may (X)

Its current replacement.

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file=/etc/ssl/postfix.cert
> smtpd_tls_key_file=/etc/ssl/postfix.key

Good.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)

With Postfix 2.11 and later, session tickets (stored by the client)
are preferred and a server-side cache is no longer recommended.
Leave empty unless running an older Postfix version.

-- 
Viktor.


Re: Domain loops to itself

2017-02-17 Thread Wietse Venema
Nikolaos Milas:
> On 17/2/2017 4:12 ??, Wietse Venema wrote:
> 
> > You missed the preceding warning that says why.
> >
> > - The server greets with the same hostname (in the 220 line)
> > as the client wants to use (in the EHLO command).
> >
> > - The server IP address matches $mydestination or $proxy_interfaces.
> 
> Thanks Wietse,
> 
> I didn't change anything, but it has now started working properly.

Again, please look for Postfix warnings that say "host greeted me
with my own name" or similar. If there are none then there was a
problem where DNS resolved a destination to a hostname with an IP
address that matches the mydestination or proxy_interfaces setting
of the sending MTA.

Wietse


Re: Domain loops to itself

2017-02-17 Thread Thomas Leuxner
* Nikolaos Milas  2017.02.17 15:59:

>hesperia-space.eu   relay:[vmail.noa.gr]
> 
> line, but even when I added it and restarted postfix (service postfix
> restart), it wouldn't work.

transport_maps = hash:/etc/postfix/transportmap

You need to run postmap on a hashed map for it to take effect.

Regards
Thomas




RE: Strong Ciphers to use with Postfix

2017-02-17 Thread L . P . H . van Belle
Hai, 

It all depends on what you need and want. 

After monitoring for about a year on with or without encryption. 
I have 0 unencrypted mail servers found and a handful of SSLv2 or V3. 
Which I simply don't allow anymore. ( The sslv2/v3 ) 
Due to the Dutch "Privacy laws" users are obligated to have/use encrypted lines. 
And a lot should be encrypted. 

So I prefer a high but compatible set. 
A setup like this : https://tls.imirhil.fr/smtp/mail.van-belle.nl  
My preferred site to check ciphersets.  
I'm also running debian jessie postfix 2.11.

And yes, there is always room for improvements, but my cipher check shows me 
the following and I'm happy with it. 

      2 TLSv1 with cipher AES256-SHA
      6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
     13 TLSv1.2 with cipher AES256-SHA
     27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
     34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
    103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
    302 TLSv1 with cipher DHE-RSA-AES256-SHA
    772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
   2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
  11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA


# Add these to log your ciphers used. 
smtp_tls_loglevel=1
smtpd_tls_loglevel=1

# check encrypted connections with : 
# grep "connection established from.*with cipher" /var/log/mail.log | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n
# check for clear text connections:
# grep "connection established from" /var/log/mail.log | grep -v cipher | awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

# outgoing connections: smtp
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# incoming connections: smtpd
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
#, RSA+AES
smtpd_tls_eecdh_grade = ultra



Greetz, 

Louis


> -Original Message-
> From: domi...@timedicer.co.uk [mailto:owner-postfix-us...@postfix.org]
> On Behalf Of Dominic Raferd
> Sent: Friday, 17 February 2017 16:05
> To: Postfix users
> Subject: Re: Strong Ciphers to use with Postfix
> 
> On 17 February 2017 at 14:43, Fazzina, Angelo 
> wrote:
> > Hi,
> > Here is how I am dealing with "weak ciphers"
> > You may be able to do the same type of config ?
> >
> >
> > In /etc/postfix/main.cf
> >
> >
> > # -ALF 2016-09-07
> > # disable RC4 ciphers with TLS connections.
> > #smtpd_tls_exclude_ciphers = RC4, aNULL
> > # -ALF 2017-01-09
> > # disable weak ciphers, and RC4 ciphers
> > smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> > #-ALF 2107-01-09
> > # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> > #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> >
> >
> >
> > -Angelo Fazzina
> > Operating Systems Programmer / Analyst
> > University of Connecticut,  UITS, SSG, Server Systems
> > 860-486-9075
> >
> > -Original Message-
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
> > Sent: Friday, February 17, 2017 9:40 AM
> > To: Postfix users 
> > Subject: Strong Ciphers to use with Postfix
> >
> > Hi all!
> >
> > I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
> >
> > I would like to know what you think of the security settings suggested
> > here [1] for Postfix.
> >
> > I have tested it against this [2] site, but it seems that fails to
> > discard other ciphers; on "Weak ciphers" I get "supported
> > RSA_WITH_RC4_128_SHA".
> >
> 
> As I have learned from here, if your MTA is receiving from the world
> or sending to the world there is little point in enforcing
> super-strong ciphers on the corresponding connection (smtpd or smtp).
> If you refuse all unencrypted communication, and only permit
> super-strong ciphers, you may not be able to receive or send some
> emails, because not all (even genuine) MTAs will support this; but
> otherwise if you only permit super-strong ciphers you will just get
> more unencrypted communication. Of course it is usually
> pointless/unwise to permit broken ciphers, but these are anyway
> disabled by default in postfix.




Re: Strong Ciphers to use with Postfix

2017-02-17 Thread Daniel Bareiro

On 17/02/17 11:43, Fazzina, Angelo wrote:

> Hi,

Hi, Angelo.

Thanks for your prompt reply.

> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
> 
> 
> In /etc/postfix/main.cf
> 
> 
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL

I tried this configuration and I get in the test that now it does not
find weak ciphers. Thanks for sharing!

So I think this would replace these lines of https://cipherli.st:

--
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
--

right? Or do you think some of those other lines should be included?


What do you think of the other lines mentioned?

--
smtpd_use_tls=yes
smtpd_tls_security_level = may (X)
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)
--

Currently I have not configured the lines with an "X".

I'm currently using "smtpd_tls_security_level = may", which uses TLS if
this is supported by the remote SMTP server and otherwise uses plaintext.
But I'm not using "smtpd_tls_security_level = may". I see the default
value for this parameter is empty. Is that equivalent to "none"?


Thanks for your time.


Kind regards,
Daniel





Re: Strong Ciphers to use with Postfix

2017-02-17 Thread Dominic Raferd
On 17 February 2017 at 14:43, Fazzina, Angelo  wrote:
> Hi,
> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
>
>
> In /etc/postfix/main.cf
>
>
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
>
>
>
> -Angelo Fazzina
> Operating Systems Programmer / Analyst
> University of Connecticut,  UITS, SSG, Server Systems
> 860-486-9075
>
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
> Sent: Friday, February 17, 2017 9:40 AM
> To: Postfix users 
> Subject: Strong Ciphers to use with Postfix
>
> Hi all!
>
> I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
>
> I would like to know what you think of the security settings suggested
> here [1] for Postfix.
>
> I have tested it against this [2] site, but it seems that it fails to
> discard other ciphers; on "Weak ciphers" I get "supported
> RSA_WITH_RC4_128_SHA".
>

As I have learned from here, if your MTA is receiving from the world
or sending to the world there is little point in enforcing
super-strong ciphers on the corresponding connection (smtpd or smtp).
If you refuse all unencrypted communication, and only permit
super-strong ciphers, you may not be able to receive or send some
emails, because not all (even genuine) MTAs will support this; but
otherwise if you only permit super-strong ciphers you will just get
more unencrypted communication. Of course it is usually
pointless/unwise to permit broken ciphers, but these are anyway
disabled by default in postfix.


Re: Domain loops to itself

2017-02-17 Thread Nikolaos Milas

On 17/2/2017 4:12 PM, Wietse Venema wrote:


You missed the preceding warning that says why.

- The server greets with the same hostname (in the 220 line)
as the client wants to use (in the EHLO command).

- The server IP address matches $mydestination or $proxy_interfaces.


Thanks Wietse,

I didn't change anything, but it has now started working properly.

I am also getting all those test emails I sent earlier and had not been 
delivered until now (and they were obviously in the sending servers' 
queues).


I can't tell for sure what the problem may have been.

Could it be due to transport_maps caching (or something like that)? I 
had initially forgotten to add the


   hesperia-space.eu   relay:[vmail.noa.gr]

line, but even when I added it and restarted postfix (service postfix 
restart), it wouldn't work.


Thanks anyway,
Nick



RE: Strong Ciphers to use with Postfix

2017-02-17 Thread Fazzina, Angelo
Hi,
Here is how I am dealing with "weak ciphers"
You may be able to do the same type of config ?


In /etc/postfix/main.cf


# -ALF 2016-09-07
# disable RC4 ciphers with TLS connections.
#smtpd_tls_exclude_ciphers = RC4, aNULL
# -ALF 2017-01-09
# disable weak ciphers, and RC4 ciphers
smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
#-ALF 2107-01-09
# disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
#smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL



-Angelo Fazzina
Operating Systems Programmer / Analyst 
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
Sent: Friday, February 17, 2017 9:40 AM
To: Postfix users 
Subject: Strong Ciphers to use with Postfix

Hi all!

I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.

I would like to know what you think of the security settings suggested
here [1] for Postfix.

I have tested it against this [2] site, but it seems that it fails to
discard other ciphers; on "Weak ciphers" I get "supported
RSA_WITH_RC4_128_SHA".



Thanks in advance.

Kind regards,
Daniel

[1] https://cipherli.st
[2] https://ssl-tools.net/mailservers
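
Added example (not part of the thread and not Postfix code): an offline audit of the smtpd_tls_exclude_ciphers setting from the message above. It parses main.cf-style text, including whitespace-led continuation lines, and lists which ciphers from a constructed sample table are still offered; the table, its class tags and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample: OpenSSL cipher names tagged with the cipher-string
# classes they belong to (a simplified model, not OpenSSL's own matching).
SAMPLE_CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256": set(),
    "AES128-SHA": set(),
    "RC4-SHA": {"RC4"},
    "DES-CBC3-SHA": {"3DES"},
    "EDH-RSA-DES-CBC3-SHA": {"3DES"},
    "ECDHE-RSA-DES-CBC3-SHA": {"3DES"},
    "IDEA-CBC-SHA": {"IDEA"},
    "ADH-AES128-SHA": {"aNULL"},
}

# Constructed main.cf text, modelled on the settings quoted in the thread.
MAIN_CF = """\
# disable RC4 ciphers with TLS connections.
#smtpd_tls_exclude_ciphers = RC4, aNULL
# disable weak ciphers, and RC4 ciphers
smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
    RC4, aNULL
smtpd_tls_security_level = may
"""

def parse_main_cf(text):
    """Return {parameter: value}; the last definition of a name wins."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()   # continuation line
        else:
            logical.append(line.strip())
    return dict(re.split(r"\s*=\s*", l, maxsplit=1) for l in logical if "=" in l)

def excluded_tokens(params):
    """Split the exclude list on commas and whitespace."""
    return set(re.split(r"[,\s]+", params.get("smtpd_tls_exclude_ciphers", "").strip())) - {""}

def still_offered(params, ciphers=SAMPLE_CIPHERS):
    """Ciphers that match neither an excluded name nor an excluded class."""
    tokens = excluded_tokens(params)
    return sorted(n for n, classes in ciphers.items()
                  if n not in tokens and not (classes & tokens))

if __name__ == "__main__":
    print(still_offered(parse_main_cf(MAIN_CF)))
```

In this model, excluding two 3DES suites by exact name leaves the third 3DES suite and IDEA-CBC-SHA in the list, while class tokens such as 3DES and IDEA remove every member of the class. A wrapped value in main.cf must continue on a line that starts with whitespace, so the wrapped copies in this archive would not parse as one setting if pasted as-is.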



Strong Ciphers to use with Postfix

2017-02-17 Thread Daniel Bareiro
Hi all!

I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.

I would like to know what you think of the security settings suggested
here [1] for Postfix.

I have tested it against this [2] site, but it seems that it fails to
discard other ciphers; on "Weak ciphers" I get "supported
RSA_WITH_RC4_128_SHA".



Thanks in advance.

Kind regards,
Daniel

[1] https://cipherli.st
[2] https://ssl-tools.net/mailservers





Re: Domain loops to itself

2017-02-17 Thread Wietse Venema
Nikolaos Milas:
> Hello,
> 
> I have been using the following config without problems, but after I 
> added the domain: hesperia-space.eu, mail to the new domain becomes 
> undelivered with the error (example from one attempt to send mail):
> 
> Feb 17 15:21:38 mailgw3 postfix/smtpd[17664]: NOQUEUE: reject: RCPT from 
> mail-wr0-x242.google.com[2a00:1450:400c:c0c::242]: 450 4.1.1 
> : Recipient address rejected: unverified 
> address: mail for hesperia-space.eu loops back to myself; 

You missed the preceding warning that says why.

- The server greets with the same hostname (in the 220 line)
as the client wants to use (in the EHLO command).

- The server IP address matches $mydestination or $proxy_interfaces.

Wietse


Re: Postfix 20 years ago

2017-02-17 Thread Daniel Bareiro
On 12/02/17 15:06, Wietse Venema wrote:

> Last month it was 20 years ago that I started writing Postfix code.
> After coming to IBM research in November 1996, I spent most of
> December and January making notes on paper. I knew that writing a
> mail system was more work than any of my prior projects.
> 
> The oldest tarball, dated 19970220, contains library functions plus
> two early versions of the master daemon. There are 8086 lines of
> code, 4204 lines after stripping the comments, and the only
> documentation was my pile of hand-written notes.
> 
> For comparison, today's Postfix 3.2.0 RC1 release candidate weighs
> in at 236533 lines of code, 137257 after stripping comments. The
> documentation amounts to 32589 lines of hand-written HTML source,
> plus 41878 lines of auto-generated HTML.
> 
> Much of today's effort is not visible as new features (though there
> still are enough to make an upgrade worthwhile), but happens behind
> the scenes as improvements to internal code, and updated tests to
> ensure that future changes won't inadvertently break something.

Dear Wietse,

I still remember when I started to take my first steps in GNU/Linux
system administration by installing Sendmail for my own use and some
time later I started with Postfix. Those were the nice days where I used
to exchange knowledge with the community of the hierarchy
es.comp.os.linux in the newsgroups.

Thank you so much to you and to the team of developers for the
affection, time and dedication that you have given to Postfix.

Long live and prosper, Postfix _\\// (My trekker side haha)


Kind regards,
Daniel





Domain loops to itself

2017-02-17 Thread Nikolaos Milas

Hello,

I have been using the following config without problems, but after I 
added the domain: hesperia-space.eu, mail to the new domain becomes 
undelivered with the error (example from one attempt to send mail):


Feb 17 15:21:38 mailgw3 postfix/smtpd[17664]: NOQUEUE: reject: RCPT from 
mail-wr0-x242.google.com[2a00:1450:400c:c0c::242]: 450 4.1.1 
: Recipient address rejected: unverified 
address: mail for hesperia-space.eu loops back to myself; 
from= to= proto=ESMTP 
helo=


The sent email never makes it to the final (relayed) destination.

I have added the domain in the relay_domains setting and in the 
/etc/postfix/transportmap file, as you can see below.


Can you please notice what is wrong? I have spent quite some time, but I 
can't tell where the problem is.


I post the config, as is, including the new domain:

# postconf -n
allowed_list1 = check_client_access cidr:/etc/postfix/vmail.cidr,reject
allowed_list2 = check_client_access 
cidr:/etc/postfix/internalnetworks.cidr,reject

command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin 
xxgdb $daemon_directory/$process_name $process_id & sleep 5

default_process_limit = 50
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/blacklisted_maillists
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = NOA Mail Srv XAPITI XPICTOY
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15728640
mydestination =
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, 
cidr:/etc/postfix/postscreen_exceptions.cidr

postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, 
psbl.surriel.com*2

postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
relay_domains = noa.gr, astro.noa.gr, admin.noa.gr, nestor.noa.gr, 
space.noa.gr, meteo.noa.gr, gein.noa.gr, technet.noa.gr, hesperia-space.eu

relay_recipient_maps =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_client_access 
hash:/etc/postfix/amavis_bypass check_sender_access 
hash:/etc/postfix/blacklisted_senders check_sender_access 
pcre:/etc/postfix/blacklisted_maillists reject_unverified_recipient 
reject_unauth_destination check_recipient_access 
hash:/etc/postfix/protected_destinations 
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre 
permit_mynetworks reject_invalid_hostname reject_unauth_pipelining 
reject_non_fqdn_sender reject_unknown_sender_domain 
reject_non_fqdn_recipient reject_unknown_recipient_domain 
reject_rbl_client b.barracudacentral.org reject_rbl_client 
zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client 
bl.spamcop.net reject_rbl_client dnsbl.sorbs.net reject_rhsbl_client 
dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org reject_rhsbl_helo 
dbl.spamhaus.org check_policy_service unix:postgrey/socket permit

smtpd_restriction_classes = allowed_list1,allowed_list2
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtualmap

# cat /etc/postfix/transportmap
noa.gr              relay:[vmail.noa.gr]
admin.noa.gr        relay:[vmail.noa.gr]
nestor.noa.gr       relay:[vmail.noa.gr]
space.noa.gr        relay:[vmail.noa.gr]
meteo.noa.gr        relay:[vmail.noa.gr]
gein.noa.gr         relay:[vmail.noa.gr]
technet.noa.gr      relay:[vmail.noa.gr]
astro.noa.gr        relay:[vmail.noa.gr]
hesperia-space.eu   relay:[vmail.noa.gr]

Thanks in advance,
Nick