Re: canonical vs smtp_generic_maps vs ...?
On 2/17/2017 1:24 PM, Marek Kozlowski wrote:
> On 02/17/2017 08:09 PM, Noel Jones wrote:
>> On 2/17/2017 12:53 PM, Marek Kozlowski wrote:
>>> When smithj authenticates via SASL to my server and sends e-mail from
>>> `smi...@something.com' locally or remotely I'd like to replace it to
>>> `j.sm...@sth.com'. But if mail from `smi...@something.com' is received
>>> from remote SMTP hosts any address changes should NOT be applied.
>>
>> Excellent, yes canonical_maps is what you need, but you'll need to
>> limit the scope to submission. See Viktor's reply for how to do
>> that. Come back if you have any questions.
>
> Honestly, I'd like to use canonicals for postsrsd (protecting external
> forwards from SPF rules) so if I could use some other mechanism here...
>
> Best regards,
> Marek

I don't use postsrsd so can't offer any specific advice on that.
Canonical maps is the feature you need for the address rewriting you
have described. You can use multiple canonical_maps as long as they
aren't trying to match the same input key.

-- 
Noel Jones
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
> On Feb 17, 2017, at 5:33 PM, Chris Green wrote:
>
> OK, so the older version is using SMTP STARTTLS which runs on port 587

This is how TLS has worked in MTA-to-MTA SMTP for the last > 15 years.
https://tools.ietf.org/html/rfc3207

> and the newer (>=3) version is using TLS directly on port 465.

No, Postfix 3.0 and later *also* support SMTP over TLS as used by some
systems on port 465. The submission service on 587 and the relay
service on port 25 continue to support STARTTLS.

To use submission on port 587 the server needs to provide that service.
If a server only supports "smtps" on 465, then that's what you need to
use.

-- 
Viktor.
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
On Fri, Feb 17, 2017 at 05:24:54PM -0500, Viktor Dukhovni wrote:
> > On Feb 17, 2017, at 10:43 AM, Chris Green wrote:
> >
> > Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> > postfix 3, is that what makes the difference?
>
> Yes.
>
> > I'd still like a simple explanation though! :-)
>
> That's the simple explanation. SMTP directly over TLS requires the new
> feature. TLS via the SMTP STARTTLS command dates back to Postfix 2.2
> (and unofficial patches in even older Postfix versions).
>
OK, so the older version is using SMTP STARTTLS which runs on port 587
and the newer (>=3) version is using TLS directly on port 465.

Should it still be possible to use SMTP STARTTLS on port 587 with newer
postfix versions? I couldn't make this work, or at least I don't think
I could. I'd be happier using as far as possible the same configuration
on all my installations.

-- 
Chris Green
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
> On Feb 17, 2017, at 10:43 AM, Chris Green wrote:
>
> Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> postfix 3, is that what makes the difference?

Yes.

> I'd still like a simple explanation though! :-)

That's the simple explanation. SMTP directly over TLS requires the new
feature. TLS via the SMTP STARTTLS command dates back to Postfix 2.2
(and unofficial patches in even older Postfix versions).

-- 
Viktor.
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
On 2017-02-17 (12:38 MST), "Fazzina, Angelo" wrote:
>
> I thought the master.cf file is where you config what protocol to listen for ?

He is SENDING outbound mail to his upstream, not listening for incoming
mail.

As for the original post, 587 is the right port to use anyway, so ignore
your ISP's instructions to use the wrong port?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Strong Ciphers to use with Postfix
On 17/02/17 12:46, L.P.H. van Belle wrote:

> Hai,

Hi, Louis.

> It all depends on what you need and want.
>
> After monitoring for about a year on with or without encryption.
> I have 0 unencrypted mail servers found and a handful of SSLv2 or V3.
> Which I simply don't allow anymore. ( The sslv2/v3 )
> Due to the Dutch "Privacy laws" users are obligated to have/use encrypted
> lines. And a lot should be encrypted.
>
> So I prefer a high but compatible set.
> A setup like this : https://tls.imirhil.fr/smtp/mail.van-belle.nl
> My preferred site to check ciphersets.
> I'm also running debian jessie postfix 2.11.

I tried to test against tls.imirhil.fr, but the check ends with an error
saying that the process lasted more than 2 min. I'm not sure what might
be the cause of this. In mail.log I see the received connections to make
the checks.

> And yes, there is always room for improvements, but my cipher check shows me
> the following and I'm happy with it.
>
>     2 TLSv1 with cipher AES256-SHA
>     6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
>    13 TLSv1.2 with cipher AES256-SHA
>    27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
>    34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
>   103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
>   302 TLSv1 with cipher DHE-RSA-AES256-SHA
>   772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
>  2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
> 11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA

Very interesting statistics.

> # Add these to log your ciphers used.
> smtp_tls_loglevel=1
> smtpd_tls_loglevel=1
>
> # check encrypted connections with :
> # grep "connection established from.*with cipher" /var/log/mail.log|awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' |sort|uniq -c| sort -n
> # check for clear text connections:
> # grep "connection established from" /var/log/mail.log | grep -v cipher| awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

Thanks for sharing these scripts to total the connections with each
cipher.
> # outgoing connections: smtp
> smtp_tls_protocols = !SSLv2,!SSLv3

I have not explicitly defined this variable, so I have the default value
that is:

smtp_tls_protocols = !SSLv2

So I think it may be advisable to add !SSLv3.

> smtp_tls_ciphers = high

I have not explicitly defined this variable, so I have the default value
that is "export". I was reading the documentation [1] where reference is
made to "minimum TLS cipher grade", but I'm not clear how these grades
are defined.

> smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
> smtp_tls_security_level = may

Here for smtp_tls_security_level I also have the same configuration.

> smtp_tls_note_starttls_offer = yes

I have not explicitly defined this variable, so I have the default value
that is "no". I was reading the documentation about this and it says
"Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
is not already enabled for that server". This is not clear to me or
maybe I'm missing something. If the remote server provides STARTTLS,
then is not TLS enabled on that server?

> # incoming connections: smtpd
> smtpd_use_tls = yes
> smtpd_enforce_tls = no

Here we agree. The smtpd_enforce_tls variable is not declared in my
main.cf, but the value "no" is the default.

> smtpd_tls_protocols = !SSLv2,!SSLv3

I have not declared specifically this variable in my main.cf, and I see
that it is empty:

# postconf | grep smtpd_tls_protocols
smtpd_tls_protocols =
tlsproxy_tls_protocols = $smtpd_tls_protocols

In the Postfix documentation [2] I see that the default value is
!SSLv2,!SSLv3. Maybe this has changed in recent versions? I'm using
Postfix 2.11.3-1 on Debian Jessie 8.7.

> smtpd_tls_ciphers = high

Here I have a question similar to the one I mentioned for
smtp_tls_ciphers. How are these cipher grades [3] defined? Here I am
also using the value "export", since I have not explicitly defined this
variable in main.cf.
> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
> #, RSA+AES

Despite having smtpd_tls_protocols with an empty value, when testing on
ssl-tools.net, it shows that I am not using weak ciphers (it shows an
SSL3 that is crossed out). Is this related to the values in the
smtpd_tls_exclude_ciphers variable suggested by Angelo (DEA-CBC-SHA,
DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL)?

> smtpd_tls_eecdh_grade = ultra

Here I have the default value, which is "strong". It seems to be an
acceptable value from what I see in the documentation [4].

Thanks for your reply and your time.

Kind regards,
Daniel

[1] http://www.postfix.org/postconf.5.html#smtp_tls_ciphers
[2] http://www.postfix.org/postconf.5.html#smtpd_tls_protocols
[3] http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
[4] http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
On Fri, Feb 17, 2017 at 07:35:42PM +, Chris Green wrote:
> [snip long message]
>
> Sorry about the duplicate, you can see I really am having trouble with
> my E-Mail! :-)
>
... and I'm talking rubbish anyway, I've got two subscriptions!
Aarrgghh!!

-- 
Chris Green
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
On 17 February 2017 at 19:38, Fazzina, Angelo wrote:
> Hi,
> I thought the master.cf file is where you config what protocol to listen for ?
>
> Submission or SMTPS
>
> I'm no expert either, just curious what your setup is.
> -ALF
>
> -Angelo Fazzina
> Operating Systems Programmer / Analyst
> University of Connecticut, UITS, SSG, Server Systems
> 860-486-9075
>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Chris Green
> Sent: Friday, February 17, 2017 10:43 AM
> To: postfix-users@postfix.org
> Subject: Different treatment of ports 465 and 587 between postfix versions
> 2.9 and 3.1
>
> I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
> on a Raspberry Pi running Debian.
>
> They seem to act very differently as regards the use of ports 465 and
> 587 and I'd like things clarified so I can understand better.
>
> I use both postfix installations to send outgoing E-Mail (i.e. mail
> which is leaving my home LAN) to my hosting company's servers. Their
> documentation says that I should use port 465 and TLS to connect to
> the SMTP server.
>
> ...
> Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
> postfix 3, is that what makes the difference? I'd still like a simple
> explanation though! :-)

See http://www.postfix.org/TLS_README.html#client_smtps - use stunnel
for postfix <3.0 (it still works for postfix >=3.0).
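An added configuration example (not from the thread or from TLS_README) that puts the three ways of reaching the relay in the original post side by side: native wrapper mode on Postfix 3.x, the stunnel workaround for 2.x that the reply above links to, and plain STARTTLS on 587 which works on both. The relayhost name and the sasl_passwd path are taken from the original post; the stunnel config path, the local port 10465 and the CA bundle path are assumptions.

```conf
# ---- Postfix >= 3.0: native SMTPS ("wrapper mode") to the provider on 465 ----
# /etc/postfix/main.cf
relayhost = [mail3.gridhost.co.uk]:465
smtp_tls_wrappermode = yes
# "encrypt" only forces TLS and does not check the server certificate, so a
# man-in-the-middle could collect the SASL password. "secure" adds chain and
# hostname verification against the bracketed relayhost name.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   # assumed Debian bundle path
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# ---- Postfix 2.x: no wrapper mode, so stunnel does the TLS on 465 ----
# /etc/stunnel/smtps-client.conf   (assumed path)
[smtps]
client  = yes
accept  = 127.0.0.1:10465
connect = mail3.gridhost.co.uk:465
verify  = 2                                   ; verify the server chain
CAfile  = /etc/ssl/certs/ca-certificates.crt  ; assumed bundle path

# /etc/postfix/main.cf on the 2.x host
relayhost = [127.0.0.1]:10465
# stunnel terminates TLS; to Postfix the socket is cleartext. With "encrypt"
# Postfix would wait for a STARTTLS offer that never comes and defer the mail.
smtp_tls_security_level = none
smtp_sasl_auth_enable = yes
# No TLS is visible to Postfix, so the non-TLS option set applies and must
# allow plaintext SASL to the local stunnel socket.
smtp_sasl_security_options = noanonymous
# The sasl_passwd key is the relayhost as written:  [127.0.0.1]:10465  user:pass
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# ---- Either version: STARTTLS on the submission port, if the provider offers it ----
relayhost = [mail3.gridhost.co.uk]:587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
```

Two caveats for the stunnel path: the SASL credentials cross the loopback socket in the clear, which is acceptable only on a host you fully control, and `verify = 2` authenticates the certificate chain but not the hostname, so the stunnel variant is weaker than `smtp_tls_security_level = secure` unless your stunnel version supports hostname checking. Whichever variant you pick, `postmap /etc/postfix/sasl_passwd` after changing the key and confirm with `postconf -n relayhost smtp_tls_security_level` that the running instance has the values you expect.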
RE: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
Hi,
I thought the master.cf file is where you config what protocol to listen for ?

Submission or SMTPS

I'm no expert either, just curious what your setup is.
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Chris Green
Sent: Friday, February 17, 2017 10:43 AM
To: postfix-users@postfix.org
Subject: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1

I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
on a Raspberry Pi running Debian.

They seem to act very differently as regards the use of ports 465 and
587 and I'd like things clarified so I can understand better.

I use both postfix installations to send outgoing E-Mail (i.e. mail
which is leaving my home LAN) to my hosting company's servers. Their
documentation says that I should use port 465 and TLS to connect to
the SMTP server.

On the postfix 3.1 system this works, I specify port 465 in main.cf and
everything is as it should be. The local additions and changes to
main.cf are as follows:-

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = esprimo.zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
relayhost = [mail3.gridhost.co.uk]:465
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
compatibility_level = 2

However on the postfix 2.9 installation on the raspberry pi using port
465 fails. What I see in /var/log/mail.log when sending a mail is as
follows:-

Feb 17 15:07:06 pi postfix/pickup[20154]: 1C9A322C52: uid=1000 from=
Feb 17 15:07:06 pi postfix/cleanup[20187]: 1C9A322C52: message-id=<20170217150706.1c9a322...@zbmc.eu>
Feb 17 15:07:06 pi postfix/qmgr[20153]: 1C9A322C52: from=, size=293, nrcpt=1 (queue active)
Feb 17 15:07:06 pi postfix/smtp[20189]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 17 15:07:06 pi postfix/smtp[20189]: instead, send to (port submission/587) with STARTTLS
Feb 17 15:08:06 pi postfix/smtp[20189]: 1C9A322C52: to= , relay=mail3.gridhost.co.uk[95.142.156.18]:465, delay=60, delays=0.16/0.21/60/0, dsn=4.4.2, status=deferred (lost connection with mail3.gridhost.co.uk[95.142.156.18] while receiving the initial server greeting)

If (as the above suggests) I change to port 587 then everything works
OK. The relevant parts of main.cf on the Raspberry Pi are:-

#
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = pi.zbmc.eu, localhost.zbmc.eu, localhost
relayhost = [mail3.gridhost.co.uk]:587
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
# smtp_generic_maps = hash:/etc/postfix/generic

As you can see it's basically the same as the other one, except that it
needs port 587 instead of 465. Can anyone explain this please? I assume
it's due to some change between postfix 2.9 and postfix 3.1 but I may
be entirely wrong, I'm hardly a postfix expert.

Alternatively could there be some difference in the default installation
set-up between the Debian on the Pi and Xubuntu on the other machine?

Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
postfix 3, is that what makes the difference? I'd still like a simple
explanation though! :-)

-- 
Chris Green
Re: Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
[snip long message] Sorry about the duplicate, you can see I really am having trouble with my E-Mail! :-) -- Chris Green
Different treatment of ports 465 and 587 between postfix versions 2.9 and 3.1
I am running postfix 3.1.0 on an xubuntu 16.04 system and postfix 2.9.6
on a Raspberry Pi running Debian.

They seem to act very differently as regards the use of ports 465 and
587 and I'd like things clarified so I can understand better.

I use both postfix installations to send outgoing E-Mail (i.e. mail
which is leaving my home LAN) to my hosting company's servers. Their
documentation says that I should use port 465 and TLS to connect to
the SMTP server.

On the postfix 3.1 system this works, I specify port 465 in main.cf and
everything is as it should be. The local additions and changes to
main.cf are as follows:-

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = esprimo.zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = zbmc.eu esprimo.zbmc.eu, esprimo, chris.zbmc.eu
relayhost = [mail3.gridhost.co.uk]:465
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
compatibility_level = 2

However on the postfix 2.9 installation on the raspberry pi using port
465 fails. What I see in /var/log/mail.log when sending a mail is as
follows:-

Feb 17 15:07:06 pi postfix/pickup[20154]: 1C9A322C52: uid=1000 from=
Feb 17 15:07:06 pi postfix/cleanup[20187]: 1C9A322C52: message-id=<20170217150706.1c9a322...@zbmc.eu>
Feb 17 15:07:06 pi postfix/qmgr[20153]: 1C9A322C52: from=, size=293, nrcpt=1 (queue active)
Feb 17 15:07:06 pi postfix/smtp[20189]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 17 15:07:06 pi postfix/smtp[20189]: instead, send to (port submission/587) with STARTTLS
Feb 17 15:08:06 pi postfix/smtp[20189]: 1C9A322C52: to= , relay=mail3.gridhost.co.uk[95.142.156.18]:465, delay=60, delays=0.16/0.21/60/0, dsn=4.4.2, status=deferred (lost connection with mail3.gridhost.co.uk[95.142.156.18] while receiving the initial server greeting)

If (as the above suggests) I change to port 587 then everything works
OK. The relevant parts of main.cf on the Raspberry Pi are:-

#
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = zbmc.eu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = zbmc.eu
mydestination = pi.zbmc.eu, localhost.zbmc.eu, localhost
relayhost = [mail3.gridhost.co.uk]:587
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtp_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
message_size_limit = 12048
# smtp_generic_maps = hash:/etc/postfix/generic

As you can see it's basically the same as the other one, except that it
needs port 587 instead of 465. Can anyone explain this please? I assume
it's due to some change between postfix 2.9 and postfix 3.1 but I may
be entirely wrong, I'm hardly a postfix expert.

Alternatively could there be some difference in the default installation
set-up between the Debian on the Pi and Xubuntu on the other machine?

Ah, I've maybe just spotted the reason, smtp_tls_wrappermode is new in
postfix 3, is that what makes the difference? I'd still like a simple
explanation though! :-)

-- 
Chris Green
Re: canonical vs smtp_generic_maps vs ...?
On 02/17/2017 08:09 PM, Noel Jones wrote:
> On 2/17/2017 12:53 PM, Marek Kozlowski wrote:
>> When smithj authenticates via SASL to my server and sends e-mail from
>> `smi...@something.com' locally or remotely I'd like to replace it to
>> `j.sm...@sth.com'. But if mail from `smi...@something.com' is received
>> from remote SMTP hosts any address changes should NOT be applied.
>
> Excellent, yes canonical_maps is what you need, but you'll need to
> limit the scope to submission. See Viktor's reply for how to do
> that. Come back if you have any questions.

Honestly, I'd like to use canonicals for postsrsd (protecting external
forwards from SPF rules) so if I could use some other mechanism here...

Best regards,
Marek
Re: canonical vs smtp_generic_maps vs ...?
On 2/17/2017 12:53 PM, Marek Kozlowski wrote:
> When smithj authenticates via SASL to my server and sends e-mail from
> `smi...@something.com' locally or remotely I'd like to replace it to
> `j.sm...@sth.com'. But if mail from `smi...@something.com' is received
> from remote SMTP hosts any address changes should NOT be applied.

Excellent, yes canonical_maps is what you need, but you'll need to
limit the scope to submission. See Viktor's reply for how to do
that. Come back if you have any questions.

-- 
Noel Jones
Re: canonical vs smtp_generic_maps vs ...?
On 02/17/2017 07:41 PM, Noel Jones wrote:
> On 2/17/2017 12:04 PM, Marek Kozlowski wrote:
>> I'm searching for a possibility of rewriting (senders') addresses only
>> for all mail originating from my system - no matter if it is local or
>> remote delivery. I mean: rewriting sender's address for mail from SASL
>> authenticated users and leaving as is for all other mail. May I ask for
>> some tips?
>
> From your short description, it sounds as if canonical_maps is what
> you need. If that doesn't seem to fit, please describe your needs
> in more detail.

I perform maps in the form of some LDAP queries. In my case it is
possible that my server receives mail from some remote hosts while LDAP
queries return positive results. In such case any replacements should
NOT be applied. For mail from SASL authenticated users I'd like to
rewrite senders' addresses according to LDAP query results no matter if
it is local or remote delivery.

When smithj authenticates via SASL to my server and sends e-mail from
`smi...@something.com' locally or remotely I'd like to replace it to
`j.sm...@sth.com'. But if mail from `smi...@something.com' is received
from remote SMTP hosts any address changes should NOT be applied.

Best regards,
Marek
Re: canonical vs smtp_generic_maps vs ...?
> On Feb 17, 2017, at 1:04 PM, Marek Kozlowski wrote:
>
> I'm searching for a possibility of rewriting (senders') addresses only
> for all mail originating from my system - no matter if it is local or
> remote delivery. I mean: rewriting sender's address for mail from SASL
> authenticated users and leaving as is for all other mail. May I ask for
> some tips?

Apply suitable canonical_maps with submission via port 587. Do not
offer SASL authentication with the port 25 inbound MX service.

You can use a separate Postfix instance for the MSA, or, alternatively,
just a separate master.cf smtpd(8) service on port 587 along with a
"-o cleanup_service_name=submission_cleanup" setting and an additional
cleanup(8) that has "-o canonical_maps=$submission_canonical_maps",
optionally the same "-o canonical_maps" override could also be
specified for the submission smtpd(8).

-- 
Viktor.
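A concrete main.cf/master.cf layout for the second option Viktor describes (one Postfix instance, a separate submission smtpd(8) with its own cleanup(8)), added here as an example and not taken from the thread. The `$submission_canonical_maps` indirection is the one in Viktor's reply; the service names, the LDAP table path and the restriction lists are assumptions.

```conf
# /etc/postfix/main.cf
# Port 25 (inbound MX): no SASL, and no sender rewriting for mail that
# merely arrives from other MTAs.
smtpd_sasl_auth_enable = no
canonical_maps =
# Only referenced from master.cf below; the LDAP table path is an assumption.
submission_canonical_maps = ldap:/etc/postfix/ldap-sender-canonical.cf

# /etc/postfix/master.cf
# ==========================================================================
# service    type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
smtp         inet  n       -       n       -       -       smtpd
submission   inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=submission_cleanup
  -o canonical_maps=$submission_canonical_maps
# A second cleanup(8) used only by the submission service above; the
# canonical_maps override applies the LDAP rewrite here and nowhere else.
# Not chrooted, so the LDAP client can read its configuration.
submission_cleanup unix n -     n       -       0       cleanup
  -o canonical_maps=$submission_canonical_maps
```

After a `postfix reload`, `postconf -Mf submission/inet submission_cleanup/unix` prints the two entries as Postfix parsed them, which catches the usual indentation mistakes in `-o` lines. If the main.cf `canonical_maps` is needed for something else (the postsrsd setup Marek mentions later in the thread), the submission cleanup's override replaces it entirely for submitted mail, so both tables have to be listed in `submission_canonical_maps` if both rewrites must apply there; as Noel notes, that works as long as the tables do not claim the same input key.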
Re: canonical vs smtp_generic_maps vs ...?
On 2/17/2017 12:04 PM, Marek Kozlowski wrote:
> I'm searching for a possibility of rewriting (senders') addresses only
> for all mail originating from my system - no matter if it is local or
> remote delivery. I mean: rewriting sender's address for mail from SASL
> authenticated users and leaving as is for all other mail. May I ask for
> some tips?
>
> Best regards,
> Marek
>

From your short description, it sounds as if canonical_maps is what
you need. If that doesn't seem to fit, please describe your needs
in more detail.

-- 
Noel Jones
canonical vs smtp_generic_maps vs ...?
:-)

"The optional generic(5) table specifies an address mapping that applies
when mail is delivered. This is the opposite of canonical(5) mapping,
which applies when mail is received." (http://www.postfix.org/generic.5.html)

Nice...

"With the smtp_generic_maps parameter you can specify generic(5) lookup
tables that replace local mail addresses by valid Internet addresses
when mail leaves the machine via SMTP."
(http://www.postfix.org/ADDRESS_REWRITING_README.html#generic)

Close but... "when mail LEAVES the machine"...

I'm searching for a possibility of rewriting (senders') addresses only
for all mail originating from my system - no matter if it is local or
remote delivery. I mean: rewriting sender's address for mail from SASL
authenticated users and leaving as is for all other mail. May I ask for
some tips?

Best regards,
Marek
Re: Strong Ciphers to use with Postfix
On Fri, Feb 17, 2017 at 12:44:35PM -0300, Daniel Bareiro wrote:

Do not confuse opportunistic TLS in SMTP with browser to webserver TLS
in HTTPS. In the name of improving security such settings make your MTA
less secure.

There are still many systems that can only do TLS 1.0 and not TLS 1.1
or TLS 1.2. Other systems may not support your rather narrow choice of
ciphersuites. In the absence of interoperable TLS capabilities, many
systems will send you email in the clear. Is that an improvement?
Other systems may not be able to send at all.

See RFC7435. Postfix has sensible default TLS settings, despite what
some clueless checklist may suggest.

> So I think this would replace these lines of https://cipherli.st:
>
> --
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_mandatory_ciphers = medium
> tls_medium_cipherlist = AES128+EECDH:AES128+EDH
> --

Better yet, ignore that site and its counterproductive advice.

> smtpd_use_tls=yes

Obsolete legacy setting.

> smtpd_tls_security_level = may (X)

Its current replacement.

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file=/etc/ssl/postfix.cert
> smtpd_tls_key_file=/etc/ssl/postfix.key

Good.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)

With Postfix 2.11 and later, session tickets (stored by the client) are
preferred and a server-side cache is no longer recommended. Leave empty
unless running an older Postfix version.

-- 
Viktor.
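An added example, not from the thread, of where stricter TLS settings belong if they are wanted at all. The public port 25 keeps Postfix's opportunistic defaults, which is Viktor's point above: a narrowed protocol or cipher list there buys cleartext or bounces from peers that cannot match it. The submission service, whose clients the operator controls, can carry mandatory TLS; the `smtpd_tls_mandatory_*` parameters only take effect where `smtpd_tls_security_level` is `encrypt` or stricter, so cipherli.st-style `smtpd_tls_mandatory_*` lines on an opportunistic port 25 do nothing, while the `smtpd_tls_protocols` line there is what actually drops peers. The certificate paths are those quoted in the thread; the service layout and the protocol cut-off are assumptions to adjust to your own client population.

```conf
# /etc/postfix/main.cf -- port 25, opportunistic: leave the defaults alone
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/postfix.cert
smtpd_tls_key_file  = /etc/ssl/postfix.key
smtpd_tls_loglevel  = 1
# Deliberately NOT set here: smtpd_tls_protocols, smtpd_tls_ciphers,
# smtpd_tls_exclude_ciphers. A peer that cannot match a narrowed list
# falls back to cleartext or cannot deliver at all, both worse than TLS 1.0.

# /etc/postfix/master.cf -- submission: your own clients, so TLS can be mandatory
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Before tightening the submission service, check the same log lines Louis counts above but restricted to `postfix/submission` (the `syslog_name` override makes that a plain grep) so you know which of your own clients still negotiate TLS 1.0. On the port 25 side, `postconf -n | grep -E '^smtpd_tls_(protocols|ciphers|exclude_ciphers)'` lists any leftover narrowing that should be removed.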
Re: Domain loops to itself
Nikolaos Milas:
> On 17/2/2017 4:12 μμ, Wietse Venema wrote:
>
> > You missed the preceding warning that says why.
> >
> > - The server greets with the same hostname (in the 220 line)
> > as the client wants to use (in the EHLO command).
> >
> > - The server IP address matches $mydestination or $proxy_interfaces.
>
> Thanks Wietse,
>
> I didn't change anything, but it has now started working properly.

Again, please look for Postfix warnings that say "host greeted me with
my own name" or similar. If there are none then there was a problem
where DNS resolved a destination to a hostname with an IP address that
matches the mydestination or proxy_interfaces setting of the sending
MTA.

Wietse
Re: Domain loops to itself
* Nikolaos Milas 2017.02.17 15:59:
> hesperia-space.eu relay:[vmail.noa.gr]
>
> line, but even when I added it and restarted postfix (service postfix
> restart), it wouldn't work.

transport_maps = hash:/etc/postfix/transportmap

You need to run postmap on a hashed map for it to take effect.

Regards
Thomas
RE: Strong Ciphers to use with Postfix
Hai,

It all depends on what you need and want.

After monitoring for about a year on with or without encryption.
I have 0 unencrypted mail servers found and a handful of SSLv2 or V3.
Which I simply don't allow anymore. ( The sslv2/v3 )
Due to the Dutch "Privacy laws" users are obligated to have/use encrypted
lines. And a lot should be encrypted.

So I prefer a high but compatible set.
A setup like this : https://tls.imirhil.fr/smtp/mail.van-belle.nl
My preferred site to check ciphersets.
I'm also running debian jessie postfix 2.11.

And yes, there is always room for improvements, but my cipher check shows me
the following and I'm happy with it.

    2 TLSv1 with cipher AES256-SHA
    6 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384
   13 TLSv1.2 with cipher AES256-SHA
   27 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA
   34 TLSv1.2 with cipher DHE-RSA-AES256-SHA256
  103 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA
  302 TLSv1 with cipher DHE-RSA-AES256-SHA
  772 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384
 2307 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
11684 TLSv1 with cipher ECDHE-RSA-AES256-SHA

# Add these to log your ciphers used.
smtp_tls_loglevel=1
smtpd_tls_loglevel=1

# check encrypted connections with :
# grep "connection established from.*with cipher" /var/log/mail.log|awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' |sort|uniq -c| sort -n
# check for clear text connections:
# grep "connection established from" /var/log/mail.log | grep -v cipher| awk '{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | sort | uniq -c | sort -n

# outgoing connections: smtp
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# incoming connections: smtpd
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
#, RSA+AES
smtpd_tls_eecdh_grade = ultra

Greetz,

Louis

> -----Original Message-----
> From: domi...@timedicer.co.uk [mailto:owner-postfix-us...@postfix.org]
> On Behalf Of Dominic Raferd
> Sent: Friday, 17 February 2017 16:05
> To: Postfix users
> Subject: Re: Strong Ciphers to use with Postfix
>
> On 17 February 2017 at 14:43, Fazzina, Angelo wrote:
> > Hi,
> > Here is how I am dealing with "weak ciphers"
> > You may be able to do the same type of config ?
> >
> >
> > In /etc/postfix/main.cf
> >
> >
> > # -ALF 2016-09-07
> > # disable RC4 ciphers with TLS connections.
> > #smtpd_tls_exclude_ciphers = RC4, aNULL
> > # -ALF 2017-01-09
> > # disable weak ciphers, and RC4 ciphers
> > smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> > #-ALF 2107-01-09
> > # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> > #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> >
> >
> >
> > -Angelo Fazzina
> > Operating Systems Programmer / Analyst
> > University of Connecticut, UITS, SSG, Server Systems
> > 860-486-9075
> >
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
> > Sent: Friday, February 17, 2017 9:40 AM
> > To: Postfix users
> > Subject: Strong Ciphers to use with Postfix
> >
> > Hi all!
> >
> > I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
> >
> > I would like to know what you think of the security settings suggested
> > here [1] for Postfix.
> >
> > I have tested it against this [2] site, but it seems that fails to
> > discard other ciphers; on "Weak ciphers" I get "supported
> > RSA_WITH_RC4_128_SHA".
> >
> As I have learned from here, if your MTA is receiving from the world
> or sending to the world there is little point in enforcing
> super-strong ciphers on the corresponding connection (smtpd or smtp).
> If you refuse all unencrypted communication, and only permit
> super-strong ciphers, you may not be able to receive or send some
> emails, because not all (even genuine) MTAs will support this; but
> otherwise if you only permit super-strong ciphers you will just get
> more unencrypted communication. Of course it is usually
> pointless/unwise to permit broken ciphers, but these are anyway
> disabled by default in postfix.
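The grep/awk one-liners Louis posts above (and Daniel discusses earlier in the thread) count TLS sessions by cipher, but they depend on fixed awk field positions, which shift as soon as the syslog prefix or hostname length changes, and Postfix only writes a "connection established" line for sessions that did negotiate TLS, so cleartext sessions cannot be found by grepping that line for the absence of "cipher". The following script is an added example, not from the thread: it pairs each smtpd(8) session's "connect from" and "disconnect from" lines by process id, records the protocol and cipher if a TLS line appears in between, and then produces the same per-cipher inventory plus a list of clients that stayed in cleartext and of sessions that used genuinely broken algorithms. The log lines embedded in it are constructed; the patterns follow the format Postfix logs with smtpd_tls_loglevel = 1.

```python
"""Inventory TLS use in a Postfix smtpd(8) log.

Added example, not code from the mailing-list thread.  The sample log lines
are constructed; the patterns follow the format Postfix writes for
"connect from", "... TLS connection established from" and "disconnect from"
(the TLS line needs smtpd_tls_loglevel = 1 or higher).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# An smtpd(8) process serves one client at a time, so a session is bounded by
# the "connect from" / "disconnect from" lines carrying the same pid.  Pids are
# reused, so we key on pid while a session is open, never on the client name.
_CONNECT = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: connect from (?P<client>\S+)")
_TLS = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established from (?P<client>\S+): (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
_DISCONNECT = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from (?P<client>\S+)")

# Only genuinely broken protocols/ciphers are flagged.  TLSv1 is deliberately
# absent: as Viktor notes, many MTAs speak nothing newer, and refusing it just
# turns those sessions into cleartext.
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
BROKEN_CIPHER_PARTS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


@dataclass
class Session:
    client: str
    proto: Optional[str] = None   # stays None unless TLS is negotiated
    cipher: Optional[str] = None
    bits: int = 0

    @property
    def encrypted(self) -> bool:
        return self.proto is not None

    @property
    def weak(self) -> bool:
        return self.encrypted and (
            self.proto in BROKEN_PROTOCOLS
            or any(part in self.cipher for part in BROKEN_CIPHER_PARTS)
        )


def parse_sessions(lines: Iterable[str]) -> List[Session]:
    """Pair connect / TLS / disconnect lines by smtpd pid into Session objects."""
    open_by_pid: Dict[str, Session] = {}
    done: List[Session] = []
    for line in lines:
        if m := _CONNECT.search(line):
            open_by_pid[m["pid"]] = Session(client=m["client"])
        elif (m := _TLS.search(line)) and m["pid"] in open_by_pid:
            s = open_by_pid[m["pid"]]
            s.proto, s.cipher, s.bits = m["proto"], m["cipher"], int(m["bits"])
        elif (m := _DISCONNECT.search(line)) and m["pid"] in open_by_pid:
            done.append(open_by_pid.pop(m["pid"]))
    done.extend(open_by_pid.values())   # sessions still open at end of log
    return done


def cipher_inventory(sessions: Iterable[Session]) -> Counter:
    """Same totals as the grep|awk|sort|uniq -c one-liner, keyed (protocol, cipher)."""
    return Counter((s.proto, s.cipher) for s in sessions if s.encrypted)


def cleartext_clients(sessions: Iterable[Session]) -> Counter:
    """Clients that completed a session without ever negotiating TLS."""
    return Counter(s.client for s in sessions if not s.encrypted)


def weak_sessions(sessions: Iterable[Session]) -> List[Session]:
    return [s for s in sessions if s.weak]


# Constructed sample: two sound TLS sessions, one cleartext, one RC4 on a reused pid.
SAMPLE_LOG = """\
Feb 17 10:00:01 mx postfix/smtpd[100]: connect from mta-a.example[192.0.2.10]
Feb 17 10:00:01 mx postfix/smtpd[100]: Anonymous TLS connection established from mta-a.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 17 10:00:02 mx postfix/smtpd[100]: disconnect from mta-a.example[192.0.2.10]
Feb 17 10:00:05 mx postfix/smtpd[101]: connect from legacy.example[198.51.100.7]
Feb 17 10:00:06 mx postfix/smtpd[101]: disconnect from legacy.example[198.51.100.7]
Feb 17 10:00:09 mx postfix/smtpd[100]: connect from old-mta.example[203.0.113.5]
Feb 17 10:00:09 mx postfix/smtpd[100]: Untrusted TLS connection established from old-mta.example[203.0.113.5]: TLSv1 with cipher RC4-SHA (128/128 bits)
Feb 17 10:00:10 mx postfix/smtpd[100]: disconnect from old-mta.example[203.0.113.5]
Feb 17 10:00:12 mx postfix/smtpd[102]: connect from mta-a.example[192.0.2.10]
Feb 17 10:00:12 mx postfix/smtpd[102]: Trusted TLS connection established from mta-a.example[192.0.2.10]: TLSv1.2 with cipher AES256-SHA (256/256 bits)
Feb 17 10:00:13 mx postfix/smtpd[102]: disconnect from mta-a.example[192.0.2.10]
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sessions = parse_sessions(text.splitlines())
    for (proto, cipher), n in sorted(cipher_inventory(sessions).items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {proto} with cipher {cipher}")
    for client, n in cleartext_clients(sessions).items():
        print(f"{n:7d} cleartext session(s) from {client}")
    for s in weak_sessions(sessions):
        print(f"WEAK    {s.client}: {s.proto} {s.cipher}")
```

Run it as `python3 tls_inventory.py /var/log/mail.log` to get the same sorted counts as the awk pipeline plus the two extra lists. A client that appears in the cleartext list is the one to look at before narrowing any cipher setting: it is exactly the peer that would be cut off, not upgraded, by a stricter list on port 25.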
Re: Strong Ciphers to use with Postfix
On 17/02/17 11:43, Fazzina, Angelo wrote:

> Hi,

Hi, Angelo.

Thanks for your prompt reply.

> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
>
>
> In /etc/postfix/main.cf
>
>
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA,
> EDH-RSA-DES-CBC3-SHA, RC4, aNULL

I tried this configuration and I get in the test that now it does not
find weak ciphers. Thanks for sharing!

So I think this would replace these lines of https://cipherli.st:

--
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
--

right? Or do you think some of those other lines should be included?

What do you think of the other lines mentioned?

--
smtpd_use_tls=yes
smtpd_tls_security_level = may (X)
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/ssl/postfix.cert
smtpd_tls_key_file=/etc/ssl/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache (X)
--

Currently I have not configured the lines with an "X". I'm currently
using "smtpd_tls_security_level = may" that uses TLS if this is
supported by the remote SMTP server, otherwise uses plaintext. But I'm
not using "smtpd_tls_security_level = may". I see the default value for
this parameter is empty. Is that equivalent to "none"?

Thanks for your time.

Kind regards,
Daniel
Re: Strong Ciphers to use with Postfix
On 17 February 2017 at 14:43, Fazzina, Angelo wrote:
> Hi,
> Here is how I am dealing with "weak ciphers"
> You may be able to do the same type of config ?
>
> In /etc/postfix/main.cf
>
> # -ALF 2016-09-07
> # disable RC4 ciphers with TLS connections.
> #smtpd_tls_exclude_ciphers = RC4, aNULL
> # -ALF 2017-01-09
> # disable weak ciphers, and RC4 ciphers
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
> #-ALF 2107-01-09
> # disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
> #smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
>
> -Angelo Fazzina
> Operating Systems Programmer / Analyst
> University of Connecticut, UITS, SSG, Server Systems
> 860-486-9075
>
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
> Sent: Friday, February 17, 2017 9:40 AM
> To: Postfix users
> Subject: Strong Ciphers to use with Postfix
>
> Hi all!
>
> I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.
>
> I would like to know what you think of the security settings suggested
> here [1] for Postfix.
>
> I have tested it against this [2] site, but it seems that fails to
> discard other ciphers; on "Weak ciphers" I get "supported
> RSA_WITH_RC4_128_SHA".

As I have learned from here, if your MTA is receiving from the world or sending to the world there is little point in enforcing super-strong ciphers on the corresponding connection (smtpd or smtp). If you refuse all unencrypted communication, and only permit super-strong ciphers, you may not be able to receive or send some emails, because not all (even genuine) MTAs will support this; but otherwise if you only permit super-strong ciphers you will just get more unencrypted communication. Of course it is usually pointless/unwise to permit broken ciphers, but these are anyway disabled by default in postfix.
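As an added example (not code from the thread or from Postfix), the following composes the OpenSSL cipherlist the way Postfix builds it from a grade list plus smtpd_tls_exclude_ciphers (each excluded name appended as a "!" entry), using the cipherli.st grade list and Angelo's exclusion list quoted above, and then asks the local OpenSSL which suites remain. The WEAK_MARKERS substrings are an assumption standing in for what a scanner such as the one Daniel used reports under "Weak ciphers".

```python
"""Added example: check what a Postfix cipher grade list plus exclusions
actually enables in the local OpenSSL before re-running an external scan."""
import ssl

# Values quoted in the thread: the cipherli.st grade list and Angelo's exclusions.
TLS_MEDIUM_CIPHERLIST = "AES128+EECDH:AES128+EDH"
SMTPD_TLS_EXCLUDE_CIPHERS = "DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL"

# Assumed markers of suites a scanner flags as weak: RC4, 3DES (SWEET32),
# anonymous, NULL, export and MD5-MAC suites.
WEAK_MARKERS = ("RC4", "DES-CBC3", "NULL", "ADH", "AECDH", "EXP", "MD5")


def postfix_cipherlist(grade_list, exclude):
    """Postfix appends each excluded name to the grade list as a '!' entry;
    the exclude parameter accepts comma and/or whitespace separators."""
    names = exclude.replace(",", " ").split()
    return ":".join([grade_list] + ["!" + name for name in names])


def enabled_suites(cipherlist):
    """Return the TLS 1.2-and-older suites the local OpenSSL enables for the
    given cipherlist.  TLS 1.3 suites (names starting with TLS_) are selected
    by a separate mechanism and are not governed by this string, so they are
    dropped here to avoid a false 'AES256 slipped through' reading."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipherlist)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def weak_suites(suites):
    """Suites that would still show up under 'Weak ciphers' in a scan."""
    return [s for s in suites if any(m in s for m in WEAK_MARKERS)]


if __name__ == "__main__":
    composed = postfix_cipherlist(TLS_MEDIUM_CIPHERLIST, SMTPD_TLS_EXCLUDE_CIPHERS)
    print("cipherlist handed to OpenSSL:", composed)
    for name in enabled_suites(composed):
        print("  enabled:", name)
    # With a broad grade list the same exclusions can leave other 3DES suites
    # (e.g. ECDHE-RSA-DES-CBC3-SHA, if this OpenSSL still offers it) in place,
    # because the exclude list names only two of them by suite name.
    broad = enabled_suites(postfix_cipherlist("HIGH:MEDIUM", SMTPD_TLS_EXCLUDE_CIPHERS))
    print("still weak with HIGH:MEDIUM:", weak_suites(broad) or "none on this OpenSSL")
```

Note that the grade list only takes effect on connections where Postfix applies that grade (smtpd_tls_mandatory_ciphers for mandatory TLS, smtpd_tls_ciphers for opportunistic "may"), which is the distinction Daniel's question about the empty default touches on.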
Re: Domain loops to itself
On 17/2/2017 4:12 PM, Wietse Venema wrote:
> You missed the preceding warning that says why.
>
> - The server greets with the same hostname (in the 220 line) as the
>   client wants to use (in the EHLO command).
>
> - The server IP address matches $mydestination or $proxy_interfaces.

Thanks Wietse,

I didn't change anything, but it has now started working properly. I am also getting all those test emails I sent earlier and had not been delivered until now (and they were obviously in the sending servers' queues).

I can't tell for sure what the problem may have been. Could it be due to transport_maps caching (or something like that)? I had initially forgotten to add the hesperia-space.eu relay:[vmail.noa.gr] line, but even when I added it and restarted postfix (service postfix restart), it wouldn't work.

Thanks anyway,
Nick
RE: Strong Ciphers to use with Postfix
Hi,
Here is how I am dealing with "weak ciphers"
You may be able to do the same type of config ?

In /etc/postfix/main.cf

# -ALF 2016-09-07
# disable RC4 ciphers with TLS connections.
#smtpd_tls_exclude_ciphers = RC4, aNULL
# -ALF 2017-01-09
# disable weak ciphers, and RC4 ciphers
smtpd_tls_exclude_ciphers = DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL
#-ALF 2107-01-09
# disable SWEET32 ciphers, weak ciphers, and RC4 ciphers
#smtpd_tls_exclude_ciphers = IDEA-CBC-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, RC4, aNULL

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Daniel Bareiro
Sent: Friday, February 17, 2017 9:40 AM
To: Postfix users
Subject: Strong Ciphers to use with Postfix

Hi all!

I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.

I would like to know what you think of the security settings suggested here [1] for Postfix.

I have tested it against this [2] site, but it seems that fails to discard other ciphers; on "Weak ciphers" I get "supported RSA_WITH_RC4_128_SHA".

Thanks in advance.

Kind regards,
Daniel

[1] https://cipherli.st
[2] https://ssl-tools.net/mailservers
Strong Ciphers to use with Postfix
Hi all!

I'm using Debian GNU/Linux Jessie 8.7 with Postfix 2.11.3-1.

I would like to know what you think of the security settings suggested here [1] for Postfix.

I have tested it against this [2] site, but it seems that fails to discard other ciphers; on "Weak ciphers" I get "supported RSA_WITH_RC4_128_SHA".

Thanks in advance.

Kind regards,
Daniel

[1] https://cipherli.st
[2] https://ssl-tools.net/mailservers
Re: Domain loops to itself
Nikolaos Milas:
> Hello,
>
> I have been using the following config without problems, but after I
> added the domain: hesperia-space.eu, mail to the new domain becomes
> undelivered with the error (example from one attempt to send mail):
>
> Feb 17 15:21:38 mailgw3 postfix/smtpd[17664]: NOQUEUE: reject: RCPT from
> mail-wr0-x242.google.com[2a00:1450:400c:c0c::242]: 450 4.1.1: Recipient address rejected: unverified
> address: mail for hesperia-space.eu loops back to myself;

You missed the preceding warning that says why.

- The server greets with the same hostname (in the 220 line) as the
  client wants to use (in the EHLO command).

- The server IP address matches $mydestination or $proxy_interfaces.

	Wietse
Re: Postfix 20 years ago
On 12/02/17 15:06, Wietse Venema wrote:
> Last month it was 20 years ago that I started writing Postfix code.
> After coming to IBM research in November 1996, I spent most of
> December and January making notes on paper. I knew that writing a
> mail system was more work than any of my prior projects.
>
> The oldest tarball, dated 19970220, contains library functions plus
> two early versions of the master daemon. There are 8086 lines of
> code, 4204 lines after stripping the comments, and the only
> documentation was my pile of hand-written notes.
>
> For comparison, today's Postfix 3.2.0 RC1 release candidate weighs
> in at 236533 lines of code, 137257 after stripping comments. The
> documentation amounts to 32589 lines of hand-written HTML source,
> plus 41878 lines of auto-generated HTML.
>
> Much of today's effort is not visible as new features (though there
> still are enough to make an upgrade worthwhile), but happens behind
> the scenes as improvements to internal code, and updated tests to
> ensure that future changes won't inadvertently break something.

Dear Wietse,

I still remember when I started to take my first steps in GNU/Linux system administration by installing Sendmail for my own use, and some time later I started with Postfix. Those were the nice days when I used to exchange knowledge with the community of the es.comp.os.linux hierarchy in the newsgroups.

Thank you so much to you and to the team of developers for the affection, time and dedication that you have given to Postfix.

Long live and prosper, Postfix _\\// (My trekker side haha)

Kind regards,
Daniel
Domain loops to itself
Hello,

I have been using the following config without problems, but after I added the domain: hesperia-space.eu, mail to the new domain becomes undelivered with the error (example from one attempt to send mail):

Feb 17 15:21:38 mailgw3 postfix/smtpd[17664]: NOQUEUE: reject: RCPT from mail-wr0-x242.google.com[2a00:1450:400c:c0c::242]: 450 4.1.1: Recipient address rejected: unverified address: mail for hesperia-space.eu loops back to myself; from= to= proto=ESMTP helo=

The sent email never makes it to the final (relayed) destination.

I have added the domain in the relay_domains setting and in the /etc/postfix/transportmap file, as you can see below.

Can you please notice what is wrong? I have spent quite some time, but I can't tell where the problem is.

I post the config, as is, including the new domain:

# postconf -n
allowed_list1 = check_client_access cidr:/etc/postfix/vmail.cidr,reject
allowed_list2 = check_client_access cidr:/etc/postfix/internalnetworks.cidr,reject
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 50
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/blacklisted_maillists
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = NOA Mail Srv XAPITI XPICTOY
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15728640
mydestination =
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_exceptions.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2, psbl.surriel.com*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
relay_domains = noa.gr, astro.noa.gr, admin.noa.gr, nestor.noa.gr, space.noa.gr, meteo.noa.gr, gein.noa.gr, technet.noa.gr, hesperia-space.eu
relay_recipient_maps =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    check_client_access hash:/etc/postfix/amavis_bypass
    check_sender_access hash:/etc/postfix/blacklisted_senders
    check_sender_access pcre:/etc/postfix/blacklisted_maillists
    reject_unverified_recipient
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/protected_destinations
    check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
    permit_mynetworks
    reject_invalid_hostname
    reject_unauth_pipelining
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_rbl_client b.barracudacentral.org
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client psbl.surriel.com
    reject_rbl_client bl.spamcop.net
    reject_rbl_client dnsbl.sorbs.net
    reject_rhsbl_client dbl.spamhaus.org
    reject_rhsbl_sender dbl.spamhaus.org
    reject_rhsbl_helo dbl.spamhaus.org
    check_policy_service unix:postgrey/socket
    permit
smtpd_restriction_classes = allowed_list1,allowed_list2
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtualmap

# cat /etc/postfix/transportmap
noa.gr              relay:[vmail.noa.gr]
admin.noa.gr        relay:[vmail.noa.gr]
nestor.noa.gr       relay:[vmail.noa.gr]
space.noa.gr        relay:[vmail.noa.gr]
meteo.noa.gr        relay:[vmail.noa.gr]
gein.noa.gr         relay:[vmail.noa.gr]
technet.noa.gr      relay:[vmail.noa.gr]
astro.noa.gr        relay:[vmail.noa.gr]
hesperia-space.eu   relay:[vmail.noa.gr]

Thanks in advance,
Nick