Re: Different SSL certificate per virtual domain

2019-06-01 Thread Viktor Dukhovni
On Sat, Jun 01, 2019 at 06:24:27PM +0530, Durga Prasad Malyala wrote:

> I've googled but a bit confused.
> I have a server with an IP hosting two different virtual domains.
> Both domains need to have their individual SSL certificate like
> mail.domain1.com and mail.domain2.com to download and send the same.
> Is it possible in Postfix if I have only one public IP and achieve same?
> Can you guide me to some links if possible.

This requires at least Postfix 3.4, which is the latest stable
Postfix release.  You may need to build Postfix 3.4.5 from source,
if your O/S does not provide a Postfix 3.4.5 package (O/S packages
may call it 3.4.0, even when patches 1–5 are applied).

-- 
Viktor.


Re: ot: dkim "fail (message has been altered)" ?

2019-06-01 Thread Ralph Seichter
* lists:

> Authentication-Results: geko.sbt.net.au (amavisd-new);
>   dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
>   domainkeys=fail (1024-bit key)
>   reason="fail (message has been altered)"

Domainkeys is long since deprecated. Also, the DKIM signature is
reported as OK, so that's not really a good example.

In any case, many mailing lists break DKIM sigs by modifying the subject
line or body of messages, so rejecting/discarding mail based on DKIM
alone is prone to cause trouble for you. DMARC offers an approach that
also includes SPF, but it has problems of its own.

> is that something that can be rejected/blocked in Postfix, and how? or
> where should that be utilized ?

You appear to be using amavis, so I suggest you use amavis' spam scoring
mechanisms instead of Postfix.

-Ralph
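
[Added example, not part of the original message and not amavis code: a small Python parser for the Authentication-Results value quoted above. It shows that the DKIM clause is a pass and that the "message has been altered" failure belongs only to the DomainKeys clause. The function names and the DEPRECATED set are assumptions of this example.]

```python
import re

# Constructed sample: the header value quoted above, without the truncated address.
SAMPLE = (
    'geko.sbt.net.au (amavisd-new);\n'
    '  dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;\n'
    '  domainkeys=fail (1024-bit key)\n'
    '  reason="fail (message has been altered)"'
)

# Assumption for this example: DomainKeys results are reported but never acted on.
DEPRECATED = {"domainkeys"}

def split_results(value):
    """Split on ';' that is outside both "quoted strings" and (comments)."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == '(':
            depth += 1
        elif not quoted and ch == ')' and depth:
            depth -= 1
        if ch == ';' and not quoted and depth == 0:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_authres(value):
    """Return (authserv_id, results); each result is one method=result clause."""
    parts = split_results(' '.join(value.split()))  # unfold continuation lines
    results = []
    for part in parts[1:]:
        m = re.match(r'([\w-]+)\s*=\s*(\w+)', part)
        if not m:
            continue
        reason = re.search(r'reason="([^"]*)"', part)
        props = dict(re.findall(r'\b(\w+\.[\w-]+)=([^\s;"]+)', part))
        results.append({"method": m.group(1).lower(), "result": m.group(2).lower(),
                        "reason": reason.group(1) if reason else None, "props": props})
    return parts[0].split()[0], results

def policy_inputs(value):
    """(method, result, signing domain) for every method still worth scoring."""
    return [(r["method"], r["result"], r["props"].get("header.d"))
            for r in parse_authres(value)[1] if r["method"] not in DEPRECATED]
```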


Re: ot: dkim "fail (message has been altered)" ?

2019-06-01 Thread Benny Pedersen

li...@sbt.net.au wrote on 2019-06-01 15:39:

> I'm attempting to implement dkim/dmarc, noticed that many spam messages
> have like "fail (message has been altered)":

wow

> Authentication-Results: geko.sbt.net.au (amavisd-new);
> dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
> domainkeys=fail (1024-bit key)
> reason="fail (message has been altered)"
> header.from=mai...@dossierinfotech.in.net
> header.d=dossierinfotech.in.net

run amavisd-milter ?

did you report to that maillist ?

mailer@ is imho a dsn of content from dsn, why did this fail ?

> is that something that can be rejected/blocked in Postfix, and how? or
> where should that be utilized ?

postfix can only disable milters, so if you like to stop it, do it in
opendkim, but do not reject yourself from maillists, e.g.
whitelist/disable maillist milters first


ot: dkim "fail (message has been altered)" ?

2019-06-01 Thread lists
I'm attempting to implement dkim/dmarc, noticed that many spam messages
have like "fail (message has been altered)":

Authentication-Results: geko.sbt.net.au (amavisd-new);
dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
domainkeys=fail (1024-bit key)
reason="fail (message has been altered)"
header.from=mai...@dossierinfotech.in.net
header.d=dossierinfotech.in.net

is that something that can be rejected/blocked in Postfix, and how? or
where should that be utilized ?

thanks,

Voytek



Re: Different SSL certificate per virtual domain

2019-06-01 Thread Durga Prasad Malyala
Thank you.
Let me check and get back to you.

Cheers/DP

On Sat, Jun 1, 2019, 18:39 Matt Anton wrote:

> On 1 Jun 2019, at 14:54, Durga Prasad Malyala wrote:
>
> > Hello All,
>
> Hello,
>
> > I've googled but a bit confused.
> > I have a server with an IP hosting two different virtual domains.
> > Both domains need to have their individual SSL certificate like
> > mail.domain1.com and mail.domain2.com to download and send the same.
> > Is it possible in Postfix if I have only one public IP and achieve same?
> > Can you guide me to some links if possible.
> > Thanks/DP
>
> postconf’s manpage has all you need to know to implement SNI support: <
> http://www.postfix.org/postconf.5.html#tls_server_sni_maps>
>
> But if this isn’t enough, there were in March 2019 excellent posts by
> Viktor and MK on the list detailing what’s to be done to achieve this:
>
> Viktor’s quote: <
> http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-tp100786p100802.html
> >
>
> MK’s quote: <
> http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819
> >
>
> hth
>
> --
> matt [at] lv223.org
> GPG key ID: 7D91A8CA
>


Re: Different SSL certificate per virtual domain

2019-06-01 Thread Matt Anton
On 1 Jun 2019, at 14:54, Durga Prasad Malyala wrote:

> Hello All,

Hello,

> I've googled but a bit confused.
> I have a server with an IP hosting two different virtual domains.
> Both domains need to have their individual SSL certificate like
> mail.domain1.com and mail.domain2.com to download and send the same.
> Is it possible in Postfix if I have only one public IP and achieve same?
> Can you guide me to some links if possible.
> Thanks/DP

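postconf’s manpage has all you need to know to implement SNI support:
<http://www.postfix.org/postconf.5.html#tls_server_sni_maps>

But if this isn’t enough, there were in March 2019 excellent posts by Viktor
and MK on the list detailing what’s to be done to achieve this:

Viktor’s quote:
<http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-tp100786p100802.html>

MK’s quote:
<http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819>
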

hth

-- 
matt [at] lv223.org
GPG key ID: 7D91A8CA




Different SSL certificate per virtual domain

2019-06-01 Thread Durga Prasad Malyala
Hello All,
I've googled but a bit confused.
I have a server with an IP hosting two different virtual domains.
Both domains need to have their individual SSL certificate like
mail.domain1.com and mail.domain2.com to download and send the same.
Is it possible in Postfix if I have only one public IP and achieve same?
Can you guide me to some links if possible.
Thanks/DP


Re: OT: Postscreen and scoring/blocking by ISP

2019-06-01 Thread Wietse Venema
Charles Sprickman:
> > There is no need to do everything in postscreen, especially considering
> > that the purpose is to block spambots, which is not the same thing
> > as blocking all spam operators.
> 
> I really want to weight against some sources, not block them entirely 
> though...

Quoting POSTSCREEN_README:

postscreen(8) is part of a multi-layer defense.

  * As the first layer, postscreen(8) blocks connections from zombies and other
    spambots that are responsible for about 90% of all spam. It is implemented
    as a single process to make this defense as inexpensive as possible.



  * The fourth layer provides heavy-weight content inspection with external
    content filters. Typical examples are Amavisd-new, SpamAssassin, and Milter
    applications.

In the last layer you get to combine different spamminess indicators
into one verdict.

Wietse