Re: Postfix stable release 3.5.0

2020-03-16 Thread Wietse Venema 
Viktor Dukhovni:
> On Mon, Mar 16, 2020 at 10:16:13AM -0400, Wietse Venema wrote:
> 
> > [An on-line version of this announcement will be available at
> > http://www.postfix.org/announcements/postfix-3.5.0.html]
> > 
> > Postfix stable release 3.5.0 is available. Support has ended for
> > legacy release Postfix 3.1.
> 
> Congratulations and thanks for the continued support!
> 
> This is roughly (I am surely missing some early snapshots) number 1145
> in a linear sequence of public snapshots starting with beta-19990122 (I
> don't have a copy of anything earlier).
> 
> Including stable release updates and non-prod snapshots the total
> tarball count rises to 1653.  A daunting volume of work over more than
> 21 years.  Much appreciated.

You're welcome, and of course thanks for your contributions over
the years.

To get some iedea of the number of tarballs prior to the public beta:

  1  142562 May  7  1997 19970220.tar.gz (23 years ago)
...
129  394329 Jul 10  2000 19980107-alpha.tar.gz (closed alpha)
...
258   21619 Dec  8  1998 postfix-contrib-beta.tar.gz
259  591523 May  7  1999 postfix-beta-19981209.tar.gz

The last two are the split Postfix beta, with separate tarballs for
contributed code and IBM-original code. I guess this is a version that 

Wietse

Re: Postfix stable release 3.5.0

2020-03-16 Thread Scott Kitterman 



On March 16, 2020 10:49:26 PM UTC, Viktor Dukhovni  
wrote:
>On Mon, Mar 16, 2020 at 10:16:13AM -0400, Wietse Venema wrote:
>
>> [An on-line version of this announcement will be available at
>> http://www.postfix.org/announcements/postfix-3.5.0.html]
>> 
>> Postfix stable release 3.5.0 is available. Support has ended for
>> legacy release Postfix 3.1.
>
>Congratulations and thanks for the continued support!
>
>This is roughly (I am surely missing some early snapshots) number 1145
>in a linear sequence of public snapshots starting with beta-19990122 (I
>don't have a copy of anything earlier).
>
>Including stable release updates and non-prod snapshots the total
>tarball count rises to 1653.  A daunting volume of work over more than
>21 years.  Much appreciated.


Absolutely.

I've uploaded 3.5.0 to Debian Unstable and it's built on all 19 Linux 
architectures we build for.  That seems like a lot to me.  Cross-platform 
support doesn't happen by accident.

I'd also like to take special note of the long support for existing releases.  
Because of the consistently high quality of postfix updates, we do post-Debian 
release updates for our stable users.  We've been able to provide them with a 
continuously improving experience through delivering these updates (a Debian 
oldstable user can install 3.1.15 from our repositories and 3.4.10 should be 
available for stable in a few days).  I really appreciate your continuing 
commitment to quality.

Scott K

Re: Postfix stable release 3.5.0

2020-03-16 Thread Viktor Dukhovni 
On Mon, Mar 16, 2020 at 10:16:13AM -0400, Wietse Venema wrote:

> [An on-line version of this announcement will be available at
> http://www.postfix.org/announcements/postfix-3.5.0.html]
> 
> Postfix stable release 3.5.0 is available. Support has ended for
> legacy release Postfix 3.1.

Congratulations and thanks for the continued support!

This is roughly (I am surely missing some early snapshots) number 1145
in a linear sequence of public snapshots starting with beta-19990122 (I
don't have a copy of anything earlier).

Including stable release updates and non-prod snapshots the total
tarball count rises to 1653.  A daunting volume of work over more than
21 years.  Much appreciated.

-- 
Viktor.

Re: gmail.com is Unsecure ssl cert ?

2020-03-16 Thread Viktor Dukhovni 


On Mon, Mar 16, 2020 at 02:45:55PM -0400, Wietse Venema wrote:

> > Looks valid to me, unless I'm missing something, or is posttls-finger 
> > missing something?
> 
> Postfix code will enforce the security level that you specify.
> If you want Postfix to trust the certificate, then specify that.
> 
>   posttlls-finger -l  ...
> 
> Ditto in main.cf and smtp_tls_policy_maps.

Everything is as expected.  Postfix defaults to opportunistic TLS, which
does not care about the peer certificate (does not attempt to verify
it), and *also* by default has an empty trust store.  If you want to
trust some list of random third-parties, you have to explicitly turn
that on.  And if you want "Verified", rather than "trusted" you
often have to also specify appropriate name matching:

$ posttls-finger -c -l secure -L summary -F /etc/ssl/cert.pem gmail.com 
mx.google.com
posttls-finger: Verified TLS connection established
   to gmail-smtp-in.l.google.com[172.217.197.26]:25: TLSv1.3 with
   cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
   server-signature RSA-PSS (2048 bits) server-digest SHA256

-- 
Viktor.

Re: gmail.com is Unsecure ssl cert ?

2020-03-16 Thread Wietse Venema 
Peter:
> On 17/03/20 2:08 am, Viktor Dukhovni wrote:
> > For opportunistic TLS, unvalidated certificates are not a failure.
> > There is no problem, everything is working as expected:
> > 
> >$ posttls-finger -l may -c -L summary gmail.com
> >posttls-finger: Untrusted TLS connection established to 
> > gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher 
> > TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
> > RSA-PSS (2048 bits) server-digest SHA256
> 
> $ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername 
> "gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl 
> x509 -noout -text); sleep 0.1
> ...
> Certificate chain
>   0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
> i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
>   1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
> i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
> ...
>  Not After : May 19 20:43:24 2020 GMT
> ...
>  X509v3 Subject Alternative Name:
> ...DNS:gmail-smtp-in.l.google.com,...
> ...
> 
> Looks valid to me, unless I'm missing something, or is posttls-finger 
> missing something?

Postfix code will enforce the security level that you specify.
If you want Postfix to trust the certificate, then specify that.

posttlls-finger -l  ...

Ditto in main.cf and smtp_tls_policy_maps.

Wietse

Re: gmail.com is Unsecure ssl cert ?

2020-03-16 Thread Peter 

On 17/03/20 2:08 am, Viktor Dukhovni wrote:

For opportunistic TLS, unvalidated certificates are not a failure.
There is no problem, everything is working as expected:

   $ posttls-finger -l may -c -L summary gmail.com
   posttls-finger: Untrusted TLS connection established to 
gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (2048 bits) server-digest SHA256


$ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername 
"gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl 
x509 -noout -text); sleep 0.1

...
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
...
Not After : May 19 20:43:24 2020 GMT
...
X509v3 Subject Alternative Name:
...DNS:gmail-smtp-in.l.google.com,...
...

Looks valid to me, unless I'm missing something, or is posttls-finger 
missing something?



Peter

Re: how to reroute messages in queue

2020-03-16 Thread James B. Byrne 



On Mon, March 16, 2020 13:37, Wietse Venema wrote:

>
> Is that a content filter setting? You may be able to work around
> that with "postsuper -r AD79220201". That command moves the message
> to the maildrop queue. From there on, Postfix ignores the content
> filter record, and handles the message as if it is submnitted with
> /usr/sbin/sendmail. If you have enabled content inspection for the
> pickup daemon, then the message will get a new content_filter record
> with the correct IP address.
>
>   Wietse
>

Thank you very much.  That worked perfectly

for Q in $(mailq | grep Mar | cut -f1 -d" "); do postsuper -r $Q; done


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3

Re: how to reroute messages in queue

2020-03-16 Thread Wietse Venema 
James B. Byrne:
> postfix v-3.4.9 on FreeBSD-12.
> 
> We run our postfix mail exchangers in FreeBSD jails.  Following the conversion
> of one of these from ezjail to iocage we encountered a problem with amavisd 
> and
> opendkim resulting from the different manner in which iocage handles the
> loopback address.
> 
> These issues have been resolved.  However, there are 20 messages stuck in the
> delivery queue all having the same reason:
> 
> AD79220201  1501819 Mon Mar 16 08:34:42  byrn...@harte-lyne.ca
> (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024:
> Connection refused)

Is that a content filter setting? You may be able to work around
that with "postsuper -r AD79220201". That command moves the message
to the maildrop queue. From there on, Postfix ignores the content
filter record, and handles the message as if it is submnitted with
/usr/sbin/sendmail. If you have enabled content inspection for the
pickup daemon, then the message will get a new content_filter record
with the correct IP address.

Wietse

> Is there any way to change the queued messages target address from 127.0.0.1 
> to
> the one assigned by iocage, in this case 127.0.32.1?
> 
> Sincerely,
> 
> 
> -- 
> ***  e-Mail is NOT a SECURE channel  ***
> Do NOT transmit sensitive data via e-Mail
>  Do NOT open attachments nor follow links sent by e-Mail
> 
> James B. Byrnemailto:byrn...@harte-lyne.ca
> Harte & Lyne Limited  http://www.harte-lyne.ca
> 9 Brockley Drive  vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada  L8E 3C3
> 
>

how to reroute messages in queue

2020-03-16 Thread James B. Byrne 
postfix v-3.4.9 on FreeBSD-12.

We run our postfix mail exchangers in FreeBSD jails.  Following the conversion
of one of these from ezjail to iocage we encountered a problem with amavisd and
opendkim resulting from the different manner in which iocage handles the
loopback address.

These issues have been resolved.  However, there are 20 messages stuck in the
delivery queue all having the same reason:

AD79220201  1501819 Mon Mar 16 08:34:42  byrn...@harte-lyne.ca
(delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024:
Connection refused)

Is there any way to change the queued messages target address from 127.0.0.1 to
the one assigned by iocage, in this case 127.0.32.1?

Sincerely,


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3

Postfix stable release 3.5.0

2020-03-16 Thread Wietse Venema 
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.5.0.html]

Postfix stable release 3.5.0 is available. Support has ended for
legacy release Postfix 3.1.

The main changes are below. See the RELEASE_NOTES file for further details.

  * Support for the haproxy v2 protocol. The Postfix implementation
supports TCP over IPv4 and IPv6, as well as non-proxied
connections; the latter are typically used for heartbeat tests.

  * Support to force-expire email messages. This introduces new
postsuper(1) command-line options to request expiration, and
additional information in mailq(1) or postqueue(1) output.

  * The Postfix SMTP and LMTP client support a list of nexthop
destinations separated by comma or whitespace. These destinations
will be tried in the specified order. Examples:

/etc/postfix/main.cf:
relayhost = foo.example, bar.example
default_transport = smtp:foo.example, bar.example

Incompatible changes:

  * Logging: Postfix daemon processes now log the from= and to=
addresses in external (quoted) form in non-debug logging (info,
warning, etc.). This means that when an address localpart
contains spaces or other special characters, the localpart will
be quoted, for example:

from=<"name with spaces"@example.com>

Specify "info_log_address_format = internal" for backwards compatibility.

  * Postfix now normalizes IP addresses received with XCLIENT,
XFORWARD, or with the HaProxy protocol, for consistency with
direct connections to Postfix. This may change the appearance
of logging, and the way that check_client_access will match
subnets of an IPv6 address.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse

Re: client_access not working

2020-03-16 Thread Wietse Venema 
Viktor Dukhovni:
> On Mon, Mar 16, 2020 at 09:06:00AM +0100, Robby Van Mieghem wrote:
> 
> > smtpd_client_restrictions =
> >   check_client_access cidr:${config_directory}/client_access,
> >   reject
> > 
> > # EOP ranges as indicated by MS
> > 23.103.132.0/22 OK
> > 23.103.136.0/21 OK
> > 23.103.156.0/22 OK
> > 23.103.198.0/24 OK
> > 23.103.200.0/22 OK
> > 23.103.212.0/22 OK
> 
> Unsurpringly, this returns "OK" for the listed entries, and
> no result otherwise, which then in "smtpd_client_restrictions"
> falls through to "reject".
> 
> > Tried testing it also with:
> >
> >  $  postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access
> >
> > ? no result
> 
> As expected, since "1.1.1.1" does not appear to be listed in the CIDR
> table.
> 
> > So it generally allows every IP now...
> 
> No, that's not the right conclusion.

To test access rules properly, use XCLIENT.
http://www.postfix.org/XCLIENT_README.html

Wietse

Re: client_access not working

2020-03-16 Thread Viktor Dukhovni 
On Mon, Mar 16, 2020 at 09:06:00AM +0100, Robby Van Mieghem wrote:

> smtpd_client_restrictions =
>   check_client_access cidr:${config_directory}/client_access,
>   reject
> 
> # EOP ranges as indicated by MS
> 23.103.132.0/22 OK
> 23.103.136.0/21 OK
> 23.103.156.0/22 OK
> 23.103.198.0/24 OK
> 23.103.200.0/22 OK
> 23.103.212.0/22 OK

Unsurpringly, this returns "OK" for the listed entries, and
no result otherwise, which then in "smtpd_client_restrictions"
falls through to "reject".

> Tried testing it also with:
>
>  $  postmap -q "1.1.1.1" cidr:/etc/postfix-EOP2DC/client_access
>
> à no result

As expected, since "1.1.1.1" does not appear to be listed in the CIDR
table.

> So it generally allows every IP now...

No, that's not the right conclusion.

-- 
Viktor.

Re: gmail.com is Unsecure ssl cert ?

2020-03-16 Thread Viktor Dukhovni 
> On Mar 16, 2020, at 9:04 AM, Benny Pedersen  wrote:
> 
> tested with
> 
> posttls-finger gmail.com
> 
> is it my own postfix that fails with this ?
> 
> how can i solve it ?

For opportunistic TLS, unvalidated certificates are not a failure.
There is no problem, everything is working as expected:

  $ posttls-finger -l may -c -L summary gmail.com
  posttls-finger: Untrusted TLS connection established to 
gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (2048 bits) server-digest SHA256

-- 
Viktor.

gmail.com is Unsecure ssl cert ?

2020-03-16 Thread Benny Pedersen 



tested with

posttls-finger gmail.com

is it my own postfix that fails with this ?

how can i solve it ?

Re: How to match From as MAILFROM

2020-03-16 Thread Scott Kitterman 
On Monday, March 16, 2020 5:54:02 AM EDT Burn Zero wrote:
> Hi,
> 
> I have configured an internal postfix server where users will use that as
> relay servers to relay emails to outside and internal users.
> 
> I have restricted postfix to allow only one domain as MAILFROM and deny
> rest all. But how to restrict From address like this? Is there any way in
> postfix?

It's out of scope for postfix itself to do that, but vrfydmn [1] does exactly 
that and can be added to your postfix configuration.

Scott K

[1] https://github.com/croessner/vrfydmn

How to match From as MAILFROM

2020-03-16 Thread Burn Zero 
Hi,

I have configured an internal postfix server where users will use that as
relay servers to relay emails to outside and internal users.

I have restricted postfix to allow only one domain as MAILFROM and deny
rest all. But how to restrict From address like this? Is there any way in
postfix?

Thank you.

client_access not working

2020-03-16 Thread Robby Van Mieghem 
Hello

I'm setting up a new postfix multi-instance and having issue with the
client_access setting ( this worked fine on our other RH6 servers with
postfix 2.6.6 )

Now with RH8 and postfix 3.3.1 it's not working. We are using the same
config :

smtpd_client_restrictions   =

check_client_access cidr:${config_directory}/client_access,

reject



Waar de client_access bevat :



# EOP ranges as indicated by MS

23.103.132.0/22 OK

23.103.136.0/21 OK

23.103.156.0/22 OK

23.103.198.0/24 OK

23.103.200.0/22 OK

23.103.212.0/22 OK

…..


Tried testing it also with : postmap -q "1.1.1.1"
cidr:/etc/postfix-EOP2DC/client_access à no result


So it generally allows every IP now...


Anyone else came into this one ?


regs