Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

2017-09-11 Thread Wietse Venema
Oh, and what should happen when the host has multiple PTR records
that properly satisfy the reverse/forward name check?  Postfix picks
only one, and it may not pick the same one every time.

Writing code is easy; what about first writing the documentation for
how this is supposed to behave?

If a feature needs more text for its limitations than for its
functionality, then perhaps that is a sign of a problematic feature?

Wietse

Nik Kostaras:
> Hi Wietse,
> 
> Very good question!
> From my point of view I'd like to have the ability to choose whether to 
> enable this filtering option (separately from the existing IP filtering),
> acknowledging the risks of mail loss (with a "Here be dragons" warning in the 
> documentation).
> 
>  If you are interested I can send a patch with a new config option.
> 
> Many thanks,
> Nik Kostaras
> 
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
> Sent: 11 September 2017 16:57
> To: Postfix users 
> Subject: Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames
> 
> Nik Kostaras:
> > Hi all,
> > 
> > Postfix documentation mentions (for 
> > smtpd_discard_ehlo_keyword_address_maps):
> > 
> > “The tables are not searched by hostname for robustness reasons.”
> > 
> > Is it possible to describe what these reasons are? (performance 
> > related?)
> 
> Ask the question: if DNS lookup does not work, even if only for a brief time, 
> would that result in the loss of mail?
> 
> The purpose of this feature is to prevent a server from announcing a feature 
> to an SMTP client, for example because it would result in the loss of mail (a 
> client has a problem with that feature).
> 
> What should happen:
> 
> a) Don't suppress keywords based on hostname, and risk losing mail.
> 
> b) Don't accept mail, to avoid loss of mail.
> 
> c) Something else?
> 
>   Wietse
> 
> --
> Message Processed by the Clearswift R Dogfood Secure Email Gateway V4.7.0
> 
> This e-mail and any files transmitted with it are strictly confidential, may 
> be privileged and are intended only for use by the addressee unless otherwise 
> indicated.  If you are not the intended recipient any use, dissemination, 
> printing or copying is strictly prohibited and may be unlawful.  If you have 
> received this e-mail in error, please delete it immediately and contact the 
> sender as soon as possible.  Clearswift cannot be held liable for delays in 
> receipt of an email or any errors in its content. Clearswift accepts no 
> responsibility once an e-mail and any attachments leave us. Unless expressly 
> stated, opinions in this message are those of the individual sender and not 
> of Clearswift.
> 
> This email message has been inspected by Clearswift for inappropriate content 
> and security threats. 
> 
> To find out more about Clearswift’s solutions please visit www.clearswift.com
> 
> 


Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni

> On Sep 11, 2017, at 1:37 PM, Bill Shirley  wrote:
> 
> Thanks for the info.
> 
> With acme.sh, reloads are only done when the certificate is renewed.

It is best to just leave Postfix alone, and not reload even then.

If you run certbot often enough to renew well in advance of expiration,
reloads of Postfix are unnecessary, and just needlessly interrupt orderly
processing of email by the queue manager.  Usually the new certificate will
be automatically in use within "$max_idle * $max_use" seconds, and typically
sooner, because processes either idle out quickly or reach the re-use limit
quickly; handling $max_use connections that are exactly $max_idle apart is
rather unlikely.  By default that's 10000 seconds, or just under 3 hours.

-- 
Viktor.



Re: Letsencrypt tip

2017-09-11 Thread Bill Shirley

Thanks for the info.

With acme.sh, reloads are only done when the certificate is renewed.

Bill

On 9/11/2017 1:18 PM, Viktor Dukhovni wrote:

On Sep 11, 2017, at 1:10 PM, Bill Shirley  wrote:

acme.sh can issue the reload command (--reloadcmd):
https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html

This is NOT needed for Postfix.  The certificate file is not
held in memory for a sufficiently long time to make routine
reloads warranted.





Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni

> On Sep 11, 2017, at 1:10 PM, Bill Shirley  wrote:
> 
> acme.sh can issue the reload command (--reloadcmd):
> https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html

This is NOT needed for Postfix.  The certificate file is not
held in memory for a sufficiently long time to make routine
reloads warranted.

-- 
Viktor.



Re: Letsencrypt tip

2017-09-11 Thread Bill Shirley

acme.sh can issue the reload command (--reloadcmd):
https://www.mail-archive.com/dovecot@dovecot.org/msg70894.html

Get an email from acme.sh:
https://www.mail-archive.com/dovecot@dovecot.org/msg70895.html

Bill


On 9/11/2017 4:59 AM, Gary wrote:
As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the 
new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test 
domain, getting ready for the Oct 1st Google insistence on encryption.)


Letsencrypt suggests running acme on a daily basis, so just do the same for 
Postfix and Dovecot.





RE: smtpd_discard_ehlo_keyword_address_maps support for hostnames

2017-09-11 Thread Nik Kostaras
Hi Wietse,

Very good question!
From my point of view I'd like to have the ability to choose whether to enable 
this filtering option (separately from the existing IP filtering),
acknowledging the risks of mail loss (with a "Here be dragons" warning in the 
documentation).

 If you are interested I can send a patch with a new config option.

Many thanks,
Nik Kostaras

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Wietse Venema
Sent: 11 September 2017 16:57
To: Postfix users 
Subject: Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

Nik Kostaras:
> Hi all,
> 
> Postfix documentation mentions (for smtpd_discard_ehlo_keyword_address_maps):
> 
> “The tables are not searched by hostname for robustness reasons.”
> 
> Is it possible to describe what these reasons are? (performance 
> related?)

Ask the question: if DNS lookup does not work, even if only for a brief time, 
would that result in the loss of mail?

The purpose of this feature is to prevent a server from announcing a feature to 
an SMTP client, for example because it would result in the loss of mail (a 
client has a problem with that feature).

What should happen:

a) Don't suppress keywords based on hostname, and risk losing mail.

b) Don't accept mail, to avoid loss of mail.

c) Something else?

Wietse



Re: Throttling bursts of connections at postscreen? More to do here?

2017-09-11 Thread @lbutlr
On 11 Sep 2017, at 10:24, /dev/rob0  wrote:
> 

Re: Throttling bursts of connections at postscreen? More to do here?

2017-09-11 Thread yodeller
> > > Is there anything more you could do? Not really. If you really 
> > > want the log lines to go away you could put in a DENY in your 
> > > hosts table, but if you do that you're going to be doing it A 
> > > LOT.

I wanted to know if these were overloading Postfix.  Sounds like a no.

Also sounds like just Postscreen is dealing with these with no problem, and no 
resource overload.

And, I've put in place fail2ban + ipset to "shut these up" too.

Thanks!


Re: Letsencrypt tip

2017-09-11 Thread Marat Khalili

Real-world example (ugly but works):


#!/bin/bash
# LOG_FILE must be set by the caller to the path of the renewal log.
: "${LOG_FILE:?set LOG_FILE to the path of the renewal log}"

letsencrypt -tn --apache renew | tee "$LOG_FILE"

if ! grep -q '^No renewals were attempted.$' "$LOG_FILE"; then
    CERTIFICATES_PATH='/etc/letsencrypt/live/example.com'
    # Pull the status certbot prints next to the fullchain.pem line.
    RENEWAL_STATUS=`sed -nr 's#^ '"$CERTIFICATES_PATH"'/fullchain.pem \((.*)\)$#\1#p' "$LOG_FILE"`

    if [[ "$RENEWAL_STATUS" == 'success' ]]; then

        [...]

    elif [[ "$RENEWAL_STATUS" == 'skipped' ]]; then
        echo "$CERTIFICATES_PATH not renewed, not propagating."
    else
        echo "ERROR: Unknown renewal status of $CERTIFICATES_PATH: $RENEWAL_STATUS" >&2
    fi
fi



--

With Best Regards,
Marat Khalili



How to check for upcoming certificate expiration...

2017-09-11 Thread Viktor Dukhovni

> On Sep 11, 2017, at 5:21 AM, Dominic Raferd  wrote:
> 
> Does anyone know a way to detect if the certificate currently being used by 
> Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up 
> the updated letsencrypt certificate)?

See below for OpenSSL 1.0.2 or later.  Earlier versions don't
have the "-verify_hostname" option; you can delete it if you
like, and omit that part of the certificate check, in which
case the code will also work for OpenSSL 1.0.1 and earlier
(which are EOL).

-- 
Viktor.

#! /bin/bash

if [ $# -lt 3 -o $# -gt 4 ]; then
  printf "Usage: %s trusted-CAfile days host [port]\n" "$0" >&2
  exit 1
fi

# default
port=587

trusted=$1; shift
days=$1; shift
host=$1; shift
if [ $# -gt 0 ]; then port=$1; shift; fi

# Everything written to fd 3 inside the subshell is collected in $detail
# and is only printed when a step fails.
detail=$(
  (
    raw=$(
      (sleep 2; printf "QUIT\r\n") |
      openssl s_client -connect "$host:$port" -starttls smtp \
        -CAfile "$trusted" \
        -servername "$host" \
        -verify 9 \
        -verify_return_error \
        -verify_hostname "$host" \
        -showcerts 2>&3
    )

    if [ $? -ne 0 ]; then
      printf -- "%s\n" "$raw" >&3
      printf -- "SSL handshake failed\n" >&3
      exit 1
    fi

    chain=$(
      printf -- "%s\n" "$raw" | tee /dev/fd/3 |
      openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
      openssl pkcs7 -print_certs
    )

    if [ -z "$chain" ]; then
      printf "Error getting server chain\n" >&2; exit 1
    else
      # Sadly, verify(1) prior to OpenSSL 1.1.0 did not return
      # meaningful exit codes.   So we look instead for output
      # lines that start with "error".
      #
      # -attime verifies the chain as of $days days from now, so a
      # failure here means the chain will not be valid by then.
      openssl verify \
        -trusted "$trusted" \
        -attime $(( $(date +%s) + 86400 * $days )) \
        -untrusted <(printf -- "%s\n" "$chain") \
        <(printf -- "%s\n" "$chain") 2>&1 | tee /dev/fd/3 |
      if grep -i '^error' >/dev/null; then
        printf -- "Verification failed\n" >&2; exit 1
      fi
    fi
  ) 3>&1
)
if [ $? -ne 0 ]; then printf -- "%s\n" "$detail"; exit 1; fi


Re: smtpd_discard_ehlo_keyword_address_maps support for hostnames

2017-09-11 Thread Wietse Venema
Nik Kostaras:
> Hi all,
> 
> Postfix documentation mentions (for smtpd_discard_ehlo_keyword_address_maps):
> 
> ?The tables are not searched by hostname for robustness reasons.?
> 
> Is it possible to describe what these reasons are? (performance related?)

Ask the question: if DNS lookup does not work, even if only for a
brief time, would that result in the loss of mail?

The purpose of this feature is to prevent a server from announcing
a feature to an SMTP client, for example because it would result
in the loss of mail (a client has a problem with that feature).

What should happen:

a) Don't suppress keywords based on hostname, and risk losing mail.

b) Don't accept mail, to avoid loss of mail.

c) Something else?

Wietse
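An added Python model (not Postfix code) of the name lookup such a hostname-keyed table would hang on, using constructed DNS answers, to illustrate both objections raised in this thread: a lookup that fails leaves the client name unknown, and a host with several valid PTR records has no single "right" name, so a table keyed by hostname gives different answers depending on which name is picked. The addresses, names, table contents and the `on_unknown` policy switch are all invented for the illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) with constructed answers.

Added example, not Postfix code. Models the lookup that a hostname-keyed
smtpd_discard_ehlo_keyword_address_maps would depend on, to show the two
failure modes discussed above: a DNS failure leaves the name unknown, and
multiple valid PTR records give several equally valid names.
"""

# Constructed DNS data (None models a timeout/SERVFAIL, [] models NXDOMAIN).
PTR = {
    "192.0.2.10": ["mx1.example.net", "mail.example.org"],  # two valid PTRs
    "192.0.2.20": None,                                     # reverse lookup failed
    "192.0.2.30": ["spoof.example.com"],                    # forward does not match
}
FORWARD = {
    "mx1.example.net": ["192.0.2.10"],
    "mail.example.org": ["192.0.2.10", "203.0.113.5"],
    "spoof.example.com": ["198.51.100.7"],
}


def client_names(ip, ptr=PTR, forward=FORWARD):
    """Return (status, names) for `ip`.

    status is "verified" (one or more names pass the reverse/forward check),
    "unverified" (definite answers, but none match) or "unknown" (a lookup
    failed, so nothing can be concluded either way).
    """
    reverse = ptr.get(ip)
    if reverse is None:
        return "unknown", []
    verified, failed = [], False
    for name in reverse:
        addrs = forward.get(name)
        if addrs is None:
            failed = True
        elif ip in addrs:
            verified.append(name)
    if verified:
        return "verified", sorted(verified)
    return ("unknown" if failed else "unverified"), []


def keywords_for(table, ip, name=None):
    """EHLO keywords to discard, keyed by IP and optionally by one hostname."""
    keywords = set(table.get(ip, ()))
    if name is not None:
        keywords |= set(table.get(name, ()))
    return keywords


def discard_keywords(table, ip, on_unknown="ip-only"):
    """Decide what to suppress for a client.

    on_unknown is a hypothetical policy switch for the unknown-name case:
    "ip-only" (option a: fall back to the IP entries, and risk announcing a
    keyword the hostname entry would have hidden) or "defer" (option b:
    return None, meaning do not accept mail from this client right now).
    """
    status, names = client_names(ip)
    if status == "unknown" and on_unknown == "defer":
        return None
    if status != "verified":
        return keywords_for(table, ip)
    # Several verified names: Postfix would keep only one of them. The
    # union is shown here; a single pick yields one of the per-name sets.
    result = keywords_for(table, ip)
    for name in names:
        result |= keywords_for(table, ip, name)
    return result


def per_name_outcomes(table, ip):
    """What each possible single-name choice yields, to expose the ambiguity."""
    _status, names = client_names(ip)
    return {name: keywords_for(table, ip, name) for name in names}


# Constructed table: hostname and IP keys mapping to keywords to hide.
TABLE = {
    "mail.example.org": ["pipelining"],
    "192.0.2.20": ["chunking"],
}

if __name__ == "__main__":
    for ip in PTR:
        print(ip, client_names(ip), per_name_outcomes(TABLE, ip),
              discard_keywords(TABLE, ip, on_unknown="defer"))
```

For 192.0.2.10 the per-name view shows one name hiding PIPELINING and the other hiding nothing, which is the inconsistency a single PTR pick would produce; for 192.0.2.20 the choice between "ip-only" and "defer" is exactly the a/b choice above.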


Re: Letsencrypt tip

2017-09-11 Thread Mike
On 9/11/2017 5:21 AM, Dominic Raferd wrote:
> 
> 
> On 11 September 2017 at 11:59, Gary wrote:
> 
> As you know, letsencrypt certs can be automatically updated.
> However, you need to reload/restart Postfix/Dovecot to use the new
> cert. My email client insisted I had an expired cert. I couldn't
> download or send email. (Fortunately I'm on a test domain, getting
> ready for the Oct 1st Google insistence on encryption.)
> 
> Letsencrypt suggests running acme on a daily basis, so just do the
> same for Postfix and Dovecot.
> 
> 
> Does anyone know a way to detect if the certificate currently being
> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
> haven't picked up the updated letsencrypt certificate)?
> 

Why not use entr (http://entrproject.org/) to detect when there is a new
certificate file, and restart Dovecot/Postfix?


Re: Throttling bursts of connections at postscreen? More to do here?

2017-09-11 Thread Kris Deugau

@lbutlr wrote:

Is there anything more you could do? Not really. If you really want the log 
lines to go away you could put in a DENY in your hosts table, but if you do 
that you're going to be doing it A LOT.


*nod*  If there's only one persistent host, it may be worth blocking at 
some higher level (I'm partial to "iptables -j DENY") but if the 
connections aren't resulting in spam actually arriving at some mailbox 
on your system the only "problem" is the volume of log data.


-kgd


Re: Letsencrypt tip

2017-09-11 Thread Viktor Dukhovni

> On Sep 11, 2017, at 4:59 AM, Gary  wrote:
> 
> As you know, letsencrypt certs can be automatically updated. However, you 
> need to reload/restart Postfix/Dovecot to use the new cert.

This is false for Postfix.  The Postfix SMTP server processes
(smtpd(8) and tlsproxy(8)) that use the server certificate
are short-lived (lifetime depends on the max_use and max_idle
parameters).  As new processes are spawned they use the
new certificate.

A reload is only needed if you've messed and are replacing your
submission service certificate in a hurry after it has expired
and you're already having problems.  Otherwise, you can replace
your certificate a week or so in advance, and no restarts are
needed for Postfix.

> Letsencrypt suggests running acme on a daily basis, so just do the same for 
> Postfix and Dovecot.

If you are also publishing TLSA records, see:

   
http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
   
https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
   
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
   http://tools.ietf.org/html/rfc7671#section-8.1
   http://tools.ietf.org/html/rfc7671#section-8.4

-- 
Viktor.



Re: Letsencrypt tip

2017-09-11 Thread Dominic Raferd

On 11/09/2017 12:33, Christian Kivalo wrote:

On 2017-09-11 11:21, Dominic Raferd wrote:

Does anyone know a way to detect if the certificate currently being
used by Postfix and/or Dovecot is nearing expiry (esp. in case they
haven't picked up the updated letsencrypt certificate)?

You mean like this from the letsencrypt forum

adapted for submission on port 587 with starttls:
openssl s_client -connect yourdomain.tld:587 -starttls smtp \
    -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -dates


https://community.letsencrypt.org/t/it-there-a-command-to-show-how-many-days-certificate-you-have/11351/2 



Thanks to all for the great tips. This example gives exit code 1 if the 
certificate has less than 3 days (259200 seconds) to expiry:


echo | sudo openssl s_client -connect 127.0.0.1:587 -starttls smtp \
    -servername my.domain.tld 2>/dev/null | openssl x509 -noout -checkend 259200


Re: Letsencrypt tip

2017-09-11 Thread Admin Beckspaced


On 11.09.2017 10:59, Gary wrote:
As you know, letsencrypt certs can be automatically updated. However, 
you need to reload/restart Postfix/Dovecot to use the new cert. My 
email client insisted I had an expired cert. I couldn't download or 
send email. (Fortunately I'm on a test domain, getting ready for the 
Oct 1st Google insistence on encryption.)


Letsencrypt suggests running acme on a daily basis, so just do the 
same for Postfix and Dovecot.



I use acme client dehydrated

https://github.com/lukas2511/dehydrated

There you have the options of a hook to restart services after 
certificate renew


Works like a charm ;)



smtpd_discard_ehlo_keyword_address_maps support for hostnames

2017-09-11 Thread Nik Kostaras
Hi all,

Postfix documentation mentions (for smtpd_discard_ehlo_keyword_address_maps):

“The tables are not searched by hostname for robustness reasons.”

Is it possible to describe what these reasons are? (performance related?)

Is it worth adding a new parameter that performs the same functionality on 
hostnames? (and if left empty it doesn't perform any checks).

Many thanks,

Nik Kostaras

Team Leader
Telephone: +44 118 903 8635
Twitter: @clearswift
Clearswift
1310 Waterside | Arlington Business Park | Theale | Berkshire | RG7 4SA | United Kingdom


Adaptive Security & Data Loss Prevention solutions for email, web, cloud apps 
and endpoint. On-premise and Hosted deployment options available.

Participate in our latest series of webinars focussing on today’s cyber 
security concerns. View them 
here.

This e-mail and any files transmitted with it are strictly confidential, may be 
privileged and are intended only for use by the addressee unless otherwise 
indicated.  If you are not the intended recipient any use, dissemination, 
printing or copying is strictly prohibited and may be unlawful.  If you have 
received this e-mail in error, please delete it immediately and contact the 
sender as soon as possible.  Clearswift cannot be held liable for delays in 
receipt of an email or any errors in its content. Clearswift accepts no 
responsibility once an e-mail and any attachments leave us. Unless expressly 
stated, opinions in this message are those of the individual sender and not of 
Clearswift.

This email message has been inspected by Clearswift for inappropriate content 
and security threats. 

To find out more about Clearswift’s solutions please visit www.clearswift.com



Re: Increasing spam level to backup MX

2017-09-11 Thread Philip Paeps

On 2017-09-11 14:13:29 (+0200), Davide Marchi wrote:
activating a backup server I realized that some spammers using this 
server to send spam to my relay_recipient_maps addresses. Spam is then 
successfully forwarded to the main server.


Is there a parameter to prevent this type of action? A type check "do 
not receive email if the main server is reachable...?


Or should I operate directly by SpamAssassin?


Your backup servers should have the same filtering in place as your main 
server.  If not, spam will sneak through.


For a simple setup, a separate backup server will often do more harm 
than good.


If you're using postscreen and you have multiple IP addresses 
configured, you should investigate the 
``postscreen_whitelist_interfaces`` option to give spammers who try 
backup MXes a hard time.


Last time I checked, it was not possible to share the postscreen 
temporary whitelist between machines.


Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
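An added main.cf fragment (not from the post above or from Postfix's documentation) showing the option named there; the two addresses are placeholders standing for the primary and backup MX interfaces of one postscreen host:

```conf
# /etc/postfix/main.cf (added example; 192.0.2.25 = primary MX interface,
# 192.0.2.26 = backup MX interface, both placeholder addresses)
#
# Only clients that connect to the primary address can earn postscreen's
# temporary whitelist status, which they need before they are handed to
# an smtpd(8) process. A client that has not earned it and comes in on the
# backup address does not get that status through that interface.
postscreen_whitelist_interfaces = !192.0.2.26 static:all
```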


Increasing spam level to backup MX

2017-09-11 Thread Davide Marchi

Hi Friends,

activating a backup server I realized that some spammers using this 
server to send spam to my relay_recipient_maps addresses. Spam is then 
successfully forwarded to the main server.


Is there a parameter to prevent this type of action? A type check "do 
not receive email if the main server is reachable...?


Or should I operate directly by SpamAssassin?

many many thanks



Davide



Re: Letsencrypt tip

2017-09-11 Thread Ralph Seichter
On 11.09.2017 11:21, Dominic Raferd wrote:

> Does anyone know a way to detect if the certificate currently being
> used by Postfix and/or Dovecot is nearing expiry (esp. in case they
> haven't picked up the updated letsencrypt certificate)?

See https://www.monitoring-plugins.org/ -- The plugins check_smtp and
check_http, which I use via Icinga to monitor my servers, can verify if
a certificate nears its expiry date in less than N days, as a byproduct
of checking if the respective services are actually up and running.

-Ralph


Re: how to use check file in master.cf

2017-09-11 Thread xiedeacc

Thanks very much

On Mon, Sep 11, 2017 at 8:02 PM +0800, "Wietse Venema" wrote:

xiedeacc:
> how to use parameters like
> smtpd_recipient_restrictions=check_recipient_access
> hash:/etc/postfix/recipient_access in master.cf, postfix will log fatal
> error and process exit

According to 'man 5 master':

  -o { name = value } (long form, Postfix >= 3.0)

  -o name=value (short form)
 Override the named main.cf configuration  parameter.
..
 NOTE 2: with the "short form" shown above, do not specify
 whitespace around the "="  or  in  parameter  values.  To
 specify  a  parameter value that contains whitespace, use
 the long form described above, or use commas  instead  of
 spaces, or specify the value in main.cf. Example:

 /etc/postfix/master.cf:
 submission inet  smtpd
 -o smtpd_xxx_yyy=$submission_xxx_yyy

 /etc/postfix/main.cf
 submission_xxx_yyy = text with whitespace...









Re: how to use check file in master.cf

2017-09-11 Thread Wietse Venema
xiedeacc:
> how to use parameters like
> smtpd_recipient_restrictions=check_recipient_access
> hash:/etc/postfix/recipient_access in master.cf, postfix will log fatal
> error and process exit

According to 'man 5 master':

  -o { name = value } (long form, Postfix >= 3.0)

  -o name=value (short form)
 Override the named main.cf configuration  parameter.
..
 NOTE 2: with the "short form" shown above, do not specify
 whitespace around the "="  or  in  parameter  values.  To
 specify  a  parameter value that contains whitespace, use
 the long form described above, or use commas  instead  of
 spaces, or specify the value in main.cf. Example:

 /etc/postfix/master.cf:
 submission inet  smtpd
 -o smtpd_xxx_yyy=$submission_xxx_yyy

 /etc/postfix/main.cf
 submission_xxx_yyy = text with whitespace...
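To make the man page text concrete, here is an added master.cf example (not from the thread or from Postfix's own documentation) with the whitespace-bearing value that fails and the three working forms the NOTE describes; the table path and the submission_recipient_restrictions parameter name are placeholders.

```conf
# /etc/postfix/master.cf (added example; table path and the
# submission_recipient_restrictions name are placeholders)

# Fatal: in the short form the value ends at the first space, so
# "hash:/etc/postfix/recipient_access,permit" reaches smtpd(8) as a
# separate argument, which it rejects with a fatal error.
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_recipient_restrictions=check_recipient_access hash:/etc/postfix/recipient_access,permit

# Working, long form (Postfix >= 3.0): braces allow whitespace in the value.
submission inet n       -       n       -       -       smtpd
  -o { smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit }

# Working, short form: commas instead of spaces (any Postfix version).
#  -o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/recipient_access,permit

# Working, indirection: keep the whitespace-bearing value in main.cf.
#  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
# and in /etc/postfix/main.cf:
# submission_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access, permit
```

Whichever form is used, the -o line must start with whitespace so master(8) treats it as a continuation of the submission entry.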




Re: how to use check file in master.cf

2017-09-11 Thread @lbutlr
On Sep 11, 2017, at 4:49 AM, @lbutlr  wrote:
> smtpd_recipient_restrictions =
> permit_mynetworks,

Well, that's useful, the leading spaces were stripped.

Hrm.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: how to use check file in master.cf

2017-09-11 Thread @lbutlr
On Sep 11, 2017, at 1:55 AM, xiedeacc  wrote:
> how to use parameters like
> smtpd_recipient_restrictions=check_recipient_access
> hash:/etc/postfix/recipient_access in master.cf, postfix will log fatal
> error and process exit

Formatting matters, and this is well documented. The specific error should help 
narrow down the problem.

This is what mine looks like (leading spaces on the lines are significant):

smtpd_recipient_restrictions =
 permit_mynetworks,
 reject_unauth_destination,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_sender_domain,
 reject_invalid_hostname,
 reject_unlisted_recipient,
 reject_unlisted_sender,
 reject_unknown_reverse_client_hostname,
 check_recipient_access hash:$config_directory/recipient_access
 check_sender_access pcre:$config_directory/sender_access.pcre,
 check_client_access hash:$config_directory/access,
 permit

(do not copy this, chances are it will fail for your install)

The problem could be in the recipient access file (most likely), or in 
master.cf.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: OT lightweight IMAP client

2017-09-11 Thread @lbutlr
On Sep 10, 2017, at 8:36 PM, Viktor Dukhovni  wrote:
> http://blog.lance.tw/posts/2013/08/24/attach-mails-as-attachments-in-mutt/

Thanks!

(I've read a lot of mutt pages and that's the first time I've seen ^D mentioned)

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Letsencrypt tip

2017-09-11 Thread Petri Riihikallio

> Gary  kirjoitti 11.09.2017 kello 11:59:
> 
> As you know, letsencrypt certs can be automatically updated. However, you 
> need to reload/restart Postfix/Dovecot to use the new cert. My email client 
> insisted I had an expired cert. I couldn't download or send email. 
> (Fortunately I'm on a test domain, getting ready for the Oct 1st Google 
> insistence on encryption.)
> 
> Letsencrypt suggests running acme on a daily basis, so just do the same for 
> Postfix and Dovecot.

If you are running Certbot by EFF you should to take a look at post-hook and 
deploy-hook options for renew. There you can set a script to run after Certbot 
to restart or reload services as required.

-- 
Cheers
Petri
https://metis.fi/en/petri
tel:+358400505939






Re: Change of SMTP encryption policy at Google?

2017-09-11 Thread Gary

Yes. You are absolutely correct regarding SMTP. However I suspect many people 
will switch to Letsencrypt for everything (web and mail). 

I for one set up a self signed email certificate with a 10 year lifetime 
because this is work. That isn't really a good plan. Letsencrypt, once it 
works, seems like the way to go.

  Original Message  
From: pmen...@molgen.mpg.de
Sent: September 11, 2017 2:23 AM
To: li...@lazygranch.com
Cc: postfix-users@postfix.org
Subject: Re: Change of SMTP encryption policy at Google?

Dear Gary,


On 09/11/17 11:20, Gary wrote:
> https://threatpost.com/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october/127709/
> 
> This site says Oct 24. I recall Oct 1.  Maybe it was pushed back.

Please note, this is about the HTTP/HTTPS protocols and not SMTP.

[…]


Kind regards,

Paul


Re: Letsencrypt tip

2017-09-11 Thread Christian Kivalo



On 2017-09-11 11:21, Dominic Raferd wrote:

Does anyone know a way to detect if the certificate currently being
used by Postfix and/or Dovecot is nearing expiry (esp. in case they
haven't picked up the updated letsencrypt certificate)?

You mean like this from the letsencrypt forum

adapted for submission on port 587 with starttls:
openssl s_client -connect yourdomain.tld:587 -starttls smtp \
    -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -dates


https://community.letsencrypt.org/t/it-there-a-command-to-show-how-many-days-certificate-you-have/11351/2

--
 Christian Kivalo


Re: Change of SMTP encryption policy at Google?

2017-09-11 Thread Paul Menzel

Dear Gary,


On 09/11/17 11:20, Gary wrote:

https://threatpost.com/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october/127709/

This site says Oct 24. I recall Oct 1.  Maybe it was pushed back.


Please note, this is about the HTTP/HTTPS protocols and not SMTP.

[…]


Kind regards,

Paul


Re: Letsencrypt tip

2017-09-11 Thread Dominic Raferd
On 11 September 2017 at 11:59, Gary  wrote:

> As you know, letsencrypt certs can be automatically updated. However, you
> need to reload/restart Postfix/Dovecot to use the new cert. My email client
> insisted I had an expired cert. I couldn't download or send email.
> (Fortunately I'm on a test domain, getting ready for the Oct 1st Google
> insistence on encryption.)
>
> Letsencrypt suggests running acme on a daily basis, so just do the same
> for Postfix and Dovecot.
>

Does anyone know a way to detect if the certificate currently being used
by Postfix and/or Dovecot is nearing expiry (esp. in case they haven't
picked up the updated letsencrypt certificate)?


Re: Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

2017-09-11 Thread Gary
https://threatpost.com/google-reminding-admins-http-pages-will-be-marked-not-secure-in-october/127709/

This site says Oct 24. I recall Oct 1.  Maybe it was pushed back. 

Yes for those of us that don't do e-commerce or something that requires 
encryption, this is a PITA. For my email, I had to accept the new cert, which 
would be the case if I used a traditional cert provider. But letsencrypt is 
talking about going to monthly updates.

Supposedly Google is going to make a big stink in the chrome browser if you 
don't do encryption. Your perfectly safe website will look toxic.

First world problem! Grumble grumble.

Anyway it was a forehead slap to restart the email programs, hence the PSA. I 
had to restart nginx as well. All this makes sense since you never know what 
the programmer holds in ram, so of course if you make a change, do a reload. 


  Original Message  
From: pmen...@molgen.mpg.de
Sent: September 11, 2017 2:06 AM
To: li...@lazygranch.com
Cc: postfix-users@postfix.org
Subject: Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

Dear Gary,


On 09/11/17 10:59, Gary wrote:

[…]

> (Fortunately I'm on a test domain, getting ready for the Oct 1st Google
> insistence on encryption.)
Could you please point me to the relevant announcement about that policy 
change?

[…]


Kind regards,

Paul


Change of SMTP encryption policy at Google? (was: Letsencrypt tip)

2017-09-11 Thread Paul Menzel

Dear Gary,


On 09/11/17 10:59, Gary wrote:

[…]


(Fortunately I'm on a test domain, getting ready for the Oct 1st Google
insistence on encryption.)
Could you please point me to the relevant announcement about that policy 
change?


[…]


Kind regards,

Paul


Letsencrypt tip

2017-09-11 Thread Gary
As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert. I couldn't download or send email. (Fortunately I'm on a test domain, getting ready for the Oct 1st Google insistence on encryption.)

Letsencrypt suggests running acme on a daily basis, so just do the same for Postfix and Dovecot.

how to use check file in master.cf

2017-09-11 Thread xiedeacc
How do I use parameters like
smtpd_recipient_restrictions=check_recipient_access
hash:/etc/postfix/recipient_access in master.cf? Postfix logs a fatal
error and the process exits.





Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

2017-09-11 Thread xiedeacc
I have solved this by changing the Outlook configuration: Outlook has to be
set manually to send authentication to Postfix. When adding the account in
Outlook, under other configuration, send server, choose "my sender server
(SMTP) needs authentication".





Re: outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

2017-09-11 Thread xiedeacc
Not confused; it is just because of Outlook's strange configuration. Outlook
has to be set manually to send authentication to Postfix: when adding the
account in Outlook, under other configuration, send server, choose "my sender
server (SMTP) needs authentication".





Re: Cannot send mail following upgrade to 3.1.4 - can't find user/alias info

2017-09-11 Thread Erwan David
On Mon, Sep 11, 2017 at 04:16:04AM CEST, "@lbutlr"  said:
> On Sep 10, 2017, at 6:25 PM, dennisthetiger  
> wrote:
> > Victor, Wietse, if I ever see you in real life, I should buy you a
> > $beverage. =D  Thanks, gentlemen.
> 
> I probably owe each of them a case or two.
> 

I think it would be bad for their health if everybody on the list
paid them the beers we owe them at the same time.


-- 
Erwan