[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
Noel:

As I understand from your explanation, if I keep my 
parent_domain_matches_subdomains = smtpd_access_maps
then the preceding-dot format is moot/not needed.  Only
outbound.protection.outlook.com OK
Check.


>The reason it doesn't work is you're confusing sender and client.

Indeed I was.

I've updated my personal postfix manual, and added comments in my respective 
files as reminders, so as to not get them (client/sender) mixed up next time.  
The details you covered in-line were very helpful for me. Much appreciated.  

And now with client checks, it's working as desired.






___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>>Depending on whether domain is client or sender or ...
>>
>>...
>>reject_unauth_destination
>>...
>>check_client_access hash:/pathname
>>reject_rbl_client example.com
>>...
>>
>>Or
>>
>>...
>>reject_unauth_destination
>>...
>>check_sender_access hash:/pathname
>>reject_rbl_client example.com
>>...
>>
>>Or ???
>>
>>Where the table returns OK for the allowlisted domain.
>>
>>  Wietse
>
>
>I'm always apprehensive when you answer.
>
>I think I've misunderstood client and sender, I added the test to my 
>check_sender_access hash file.
>Will see how that does.  Thank you.

Correction:
I added the test to my check_client_access hash file




[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>> check_sender_access hash:/etc/postfix/sender_checks,
>
>That directive checks the email address which is used in the SMTP MAIL
>FROM command.
>
>I believe you need to use check_client_access to check the verified
>client hostname instead of check_sender_access.
>
>

Bill & Noel, thank you both for the assist.  

Moving my check from sender_checks to client_checks appears to have resolved my 
issue; I now see some RBL-listed M$ hosts' mail making it past my RBL checks.  

Seems I always mix up client and sender; somewhere many years ago I got it 
stuck in my head that postfix client checks were IP only.  Obviously incorrect.






[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>Scott Techlist via Postfix-users:
>> I need to allow a domain to bypass my RBL checks.  I'm doing something 
>> wrong, or I'm
>misunderstanding what I'm checking from my logs.  I'd be grateful for an 
>assist to remedy.
>>
>
>Depending on whether domain is client or sender or ...
>
>...
>reject_unauth_destination
>...
>check_client_access hash:/pathname
>reject_rbl_client example.com
>...
>
>Or
>
>...
>reject_unauth_destination
>...
>check_sender_access hash:/pathname
>reject_rbl_client example.com
>...
>
>Or ???
>
>Where the table returns OK for the allowlisted domain.
>
>   Wietse


I'm always apprehensive when you answer.  

I think I've misunderstood client and sender, I added the test to my 
check_sender_access hash file.  Will see how that does.  Thank you.






[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>I can tell you there is significant spam from that Microsoft IP space. That 
>spamcop doesn't have false positives, but rather due to the sharing of IP 
>space, senders that aren't spammers get tarred with the same brush as the 
>spammers.  I did a grep on the maillog files and that is a firehose of spam. 
>
>Up to you of course. I have a few posts on the list trying to whitelist just 
>one sender. 

I agree. My problem is I have a business client that I process mail for, and 
they converted from in-house Exchange to O365.  I was rejecting their email to 
me LOL, not good for the relationship.  And they are losing a lot of their 
customers' mail who are also using O365.  It's become too many to micromanage, 
and their perception is it's my fault, not M$.  I don't see much of a way out 
of letting the blacklisted M$ servers "in"/around my RBLs.  FWIW, I've only 
bypassed my RBL checks; what comes in still goes through the rest of the checks 
(spamassassin etc.).






[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users 
wrote:

> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:

This is not the right question.  Some "weak" ciphers are appropriate in
opportunistic TLS, because they are better than cleartext.  This applies
when they are still the best available to a non-negligible set of peers.

- Provided your system prefers stronger ciphers, and the offered
  "weak" ciphers don't put the integrity of the handshake at
  risk, weak ciphers are fine, provided strong ones are preferred.

> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem

This is not needed.  Consider setting "tls_preempt_cipherlist = yes".

> Here's what I see when I use nmap to retrieve the supported ciphers (note
> that there are only TLS 1.2 ciphers listed, and some are weak):

What do you consider weak?

> 587/tcp open  submission
> | ssl-enum-ciphers:
> |   TLSv1.2:
> | ciphers:
> |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> |   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> |   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> |   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> |   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> |   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> |   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |   TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> |   TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> |   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> |   TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> |   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A

-- 
Viktor.


[pfx] postfix check_sender_access and subdomain test

2024-02-28 Thread lists--- via Postfix-users
I can tell you there is significant spam from that Microsoft IP space. That 
spamcop doesn't have false positives, but rather due to the sharing of IP 
space, senders that aren't spammers get tarred with the same brush as the 
spammers.  I did a grep on the maillog files and that is a firehose of spam.

Up to you of course. I have a few posts on the list trying to whitelist just 
one sender.


[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Noel Jones via Postfix-users

On 2/28/2024 1:38 PM, Scott Techlist via Postfix-users wrote:
> I need to allow a domain to bypass my RBL checks.  I’m doing 
> something wrong, or I’m misunderstanding what I’m checking from my 
> logs.  I’d be grateful for an assist to remedy.
> 
> This box is an old postfix install Postfix version 2.2.10. (I know, 
> working on migrating)

access maps processing has not changed significantly since then.

> main.cf: (full postconf -n output follows below)
> 
> parent_domain_matches_subdomains = smtpd_access_maps
> 
> check_sender_access hash:/etc/postfix/sender_checks,
> 
> I need to let mail from outbound.protection.outlook.com, and bypass 
> my RBL checks. My old understanding is that the first OK “wins” 

The first OK ends that section of restrictions. A reject in any 
other section will still reject the mail.

Each restriction section must pass (or be empty)
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_relay_restrictions (in newer postfix)
smtpd_recipient_restrictions
smtpd_data_restrictions
smtpd_end_of_data_restrictions

> ...
> 
> Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT 
> from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 
> 554 Service unavailable; Client host [40.107.255.101] blocked using 
> bl.spamcop.net; Blocked - see 
> https://www.spamcop.net/bl.shtml?40.107.255.101; 
> from= 
> to= proto=ESMTP 
> helo=
> 
> Isn’t the sender = connect from = 
> mail-psaapc01on2101.outbound.protection.outlook.com ?

NO, that's the client. The client is the computer that sends the 
mail, represented by its IP address, or the hostname PTR of that IP.

The sender is the SMTP MAIL FROM and is listed in the postfix logs 
as the from= address. This may or may not be the same as the From: 
header in the email.

> In my sender_checks file I’ve tried:
> 
> outbound.protection.outlook.com OK
> 
> .outbound.protection.outlook.com OK # to match subdomains as an 
> attempt to get it to work.

Since that's a client, it will need to be in a map that uses 
check_client_access.

Alternately, you could use the from= address 
starscorp.onmicrosoft.com, or the parent domain onmicrosoft.com, in 
your sender_checks.

> Can I go that deep on subdomains (e.g. 
> outbound.protection.outlook.com)? Or do I need to only have 
> “.outlook.com OK”

The dotted form only works with an empty 
parent_domain_matches_subdomains. There is no depth limit.

Use one form or the other depending on your preference for 
parent_domain_matches_subdomains, no need to use both.

The reason it doesn't work is you're confusing sender and client.

> I tried testing my sender_checks file using:
> 
> postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' 
> hash:/etc/postfix/sender_checks
> 
> (does not match)
> 
> postmap -q 'outbound.protection.outlook.com' 
> hash:/etc/postfix/sender_checks
> 
> OK #(matches)

As documented, postmap is a simple test tool and does not do any 
automatic parent or subdomain searching.

  -- Noel Jones
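As an added illustration of Noel's client-versus-sender point (example code written for this page, not Postfix's own lookup code): a small Python model of how smtpd keys access-table lookups for check_client_access and check_sender_access, with and without parent_domain_matches_subdomains = smtpd_access_maps, and why postmap -q on the full hostname misses. The hostname, IP address and domains come from the thread; the MAIL FROM local part, the restriction lists and the "RBL listed" flag are constructed.

```python
"""Model of how Postfix smtpd looks up access(5) tables for
check_client_access vs. check_sender_access.

Added example for this thread; it is not Postfix code.  It shows why the
key "outbound.protection.outlook.com OK" matches the connecting client
only under check_client_access, how parent_domain_matches_subdomains
changes the key form, and why a plain `postmap -q` of the full hostname
finds nothing.
"""

# Constructed: the one line Scott put in /etc/postfix/sender_checks.
SENDER_CHECKS = {"outbound.protection.outlook.com": "OK"}

# Constructed from the log line in the thread; the MAIL FROM local part
# was stripped by the archive, so "someone" is a placeholder.
CLIENT_HOSTNAME = "mail-psaapc01on2101.outbound.protection.outlook.com"
CLIENT_IP = "40.107.255.101"
MAIL_FROM = "someone@starscorp.onmicrosoft.com"


def parent_domains(name):
    """a.b.c -> ['a.b.c', 'b.c', 'c']: the name, then each parent domain."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup_domain(table, name, parent_matches_subdomains):
    """Domain/hostname lookup as smtpd performs it for access maps.

    The full name is always tried as an exact key.  For each parent
    domain the key is 'parent.tld' when parent_domain_matches_subdomains
    contains smtpd_access_maps, and '.parent.tld' when it does not.
    Returns the table value or None (DUNNO).
    """
    full, *parents = parent_domains(name)
    if full in table:
        return table[full]
    for parent in parents:
        key = parent if parent_matches_subdomains else "." + parent
        if key in table:
            return table[key]
    return None


def check_client_access(table, hostname, ip, parent_matches_subdomains=True):
    """The client is the connecting machine: its PTR hostname, then its IP."""
    result = lookup_domain(table, hostname, parent_matches_subdomains)
    if result is None:
        result = table.get(ip)  # network-prefix matching omitted in this model
    return result


def check_sender_access(table, mail_from, parent_matches_subdomains=True):
    """The sender is the MAIL FROM address: full address, its domain
    (and parent domains), then 'localpart@'."""
    if mail_from.lower() in table:
        return table[mail_from.lower()]
    local, _, domain = mail_from.rpartition("@")
    result = lookup_domain(table, domain, parent_matches_subdomains)
    if result is None:
        result = table.get(local.lower() + "@")
    return result


def postmap_q(table, key):
    """postmap -q is an exact-key lookup; it does no parent/subdomain search."""
    return table.get(key)


def evaluate(restrictions, hostname, ip, mail_from, rbl_listed=True):
    """Walk one restriction list in order and return (action, restriction).

    The first OK ends the list, so an allowlist entry placed before
    reject_rbl_client bypasses the RBL; reaching reject_rbl_client with
    a listed client rejects.  Anything else is treated as DUNNO.
    """
    for name, table in restrictions:
        if name == "check_client_access":
            result = check_client_access(table, hostname, ip)
        elif name == "check_sender_access":
            result = check_sender_access(table, mail_from)
        elif name == "reject_rbl_client":
            result = "REJECT" if rbl_listed else None
        else:
            result = None
        if result in ("OK", "REJECT"):
            return result, name
    return "DUNNO", None


if __name__ == "__main__":
    # Scott's situation: the table sits behind check_sender_access.
    as_sender = [("check_sender_access", SENDER_CHECKS), ("reject_rbl_client", None)]
    # Noel's fix: the same table behind check_client_access.
    as_client = [("check_client_access", SENDER_CHECKS), ("reject_rbl_client", None)]
    print(postmap_q(SENDER_CHECKS, CLIENT_HOSTNAME))
    print(evaluate(as_sender, CLIENT_HOSTNAME, CLIENT_IP, MAIL_FROM))
    print(evaluate(as_client, CLIENT_HOSTNAME, CLIENT_IP, MAIL_FROM))
```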


[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Bill Cole via Postfix-users

On 2024-02-28 at 14:38:41 UTC-0500 (Wed, 28 Feb 2024 13:38:41 -0600)
Scott Techlist via Postfix-users 
is rumored to have said:

> I need to allow a domain to bypass my RBL checks.  I'm doing something 
> wrong, or I'm misunderstanding what I'm checking from my logs.  I'd be 
> grateful for an assist to remedy.
> 
> This box is an old postfix install Postfix version 2.2.10. (I know, 
> working on migrating)
> 
> main.cf: (full postconf -n output follows below)
> 
> parent_domain_matches_subdomains = smtpd_access_maps
> 
> check_sender_access hash:/etc/postfix/sender_checks,

That directive checks the email address which is used in the SMTP MAIL 
FROM command.

I believe you need to use check_client_access to check the verified 
client hostname instead of check_sender_access.

> I need to let mail from outbound.protection.outlook.com, and bypass my 
> RBL checks.

That subdomain is used for outbound sending machine names, but I don't 
think MS uses it for envelope senders. *Most* of their outbound machines 
have "FCrDNS" but some don't, in which cases it won't hit. Nothing you 
can do about the ones they screw up.




> My old understanding is that the first OK "wins" (maybe not?), and I 
> have check sender before check RBL.  I don't seem to be getting a 
> match/OK on it.
> 
> This is a sample log entry of what I'm trying to "OK" before it gets 
> to my RBL checks and thus fails:
> 
>   Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
> 
> Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 
> 554 Service unavailable; Client host [40.107.255.101] blocked using 
> bl.spamcop.net; Blocked - see 
> https://www.spamcop.net/bl.shtml?40.107.255.101; 
> from= 
> to= proto=ESMTP 
> helo=
> 
> Isn't the sender = connect from = 
> mail-psaapc01on2101.outbound.protection.outlook.com ?
> 
> In my sender_checks file I've tried:
> 
> outbound.protection.outlook.com OK
> 
> .outbound.protection.outlook.com OK # to match subdomains as an 
> attempt to get it to work.
> 
> Can I go that deep on subdomains (e.g. 
> outbound.protection.outlook.com)? Or do I need to only have 
> ".outlook.com OK"
> 
> I tried testing my sender_checks file using:
> 
> postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' 
> hash:/etc/postfix/sender_checks
> 
> (does not match)
> 
> postmap -q 'outbound.protection.outlook.com' 
> hash:/etc/postfix/sender_checks
> 
> OK #(matches)
> 
> In any case, what I'm doing does not prevent the RBL test that's after 
> the sender check from being passed.
> 
> -
> 
> postconf -n:
> 
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> body_checks = pcre:/etc/postfix/body_checks.pcre
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> html_directory = no
> inet_interfaces = $host1, localhost
> local_recipient_maps = hash:/etc/postfix/local_recipient
> mail_owner = postfix
> mail_spool_directory = /var/spool/mail
> mailbox_size_limit = 483886080
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 20971520
> mydestination = $host1,  localhost.$mydomain,  localhost,  
> s-e-inc.com, $mydomain
> mydomain = example.com
> host1 = host1.example.com
> mynetworks = localhost,$localdomain, [& other local IPs]
> myorigin = $host1
> newaliases_path = /usr/bin/newaliases.postfix
> parent_domain_matches_subdomains = smtpd_access_maps
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> relay_domains = mlec.com
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> sample_directory = /usr/share/doc/postfix-2.2.10/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_data_restrictions = reject_unauth_pipelining,  permit
> smtpd_helo_required = yes
> smtpd_recipient_limit = 3000
> smtpd_recipient_restrictions = reject_invalid_hostname,  
> reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
> reject_non_fqdn_recipient,  permit_mynetworks,  
> reject_unauth_destination,  check_recipient_mx_access 
> hash:/etc/postfix/mx_access,  check_sender_mx_access 
> hash:/etc/postfix/mx_access,  reject_unknown_sender_domain,  
> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,  
> check_helo_access hash:/etc/postfix/helo_checks,  check_sender_access 
> hash:/etc/postfix/sender_checks,  check_client_access 
> hash:/etc/postfix/client_checks,  check_client_access 
> pcre:/etc/postfix/client_checks.pcre,  check_recipient_access 
> hash:/etc/postfix/access,  reject_rbl_client 
> zen.spamhaus.org=127.0.0.[2..255],  reject_rhsbl_client 
> dbl.spamhaus.org=127.0.1.[2..99],  reject_rhsbl_sender 
> dbl.spamhaus.org=127.0.1.[2..99],  reject_rhsbl_helo 
> dbl.spamhaus.org=127.0.1.[2..99],  reject_rb

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
> -Original Message-
> From: Wietse Venema via Postfix-users 
> Sent: Wednesday, February 28, 2024 3:11 PM
> To: Postfix users 
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> 
> Scott Hollenbeck via Postfix-users:
> > Right, but that page says "You are strongly encouraged not to change
> > this setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers
> > when "smtpd_tls_protocols = >=TLSv1.2".  Doesn't that setting include
> > TLS 1.3?
> 
> tls_high_cipherlist and tls_medium_cipherlist primarily list the
> ciphers that Postfix should NOT use.

It turns out that the scanner I'm using (nmap --script ssl-enum-ciphers)
doesn't support TLS 1.3. Postfix may well be configured properly.

Scott



[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Wietse Venema via Postfix-users
Scott Hollenbeck via Postfix-users:
> Right, but that page says "You are strongly encouraged not to change this
> setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
> "smtpd_tls_protocols = >=TLSv1.2".  Doesn't that setting include TLS 1.3?

tls_high_cipherlist and tls_medium_cipherlist primarily list the
ciphers that Postfix should NOT use.

Wietse


[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
Right, but that page says "You are strongly encouraged not to change this
setting". I'm also unsure why I'm not seeing any TLS 1.3 ciphers when
"smtpd_tls_protocols = >=TLSv1.2".  Doesn't that setting include TLS 1.3?

Scott

> -Original Message-
> From: Wietse Venema via Postfix-users 
> Sent: Wednesday, February 28, 2024 2:38 PM
> To: Postfix users 
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> 
> Scott Hollenbeck via Postfix-users:
> > Thanks, here's the output:
> >
> > $ postconf -H | grep -E 'high|medium'
> > tls_high_cipherlist
> > tls_medium_cipherlist
> > $
> >
> 
> No, a hint to study the postconf(5) manpage.
> https://www.postfix.org/postconf.5.html#tls_high_cipherlist
> https://www.postfix.org/postconf.5.html#tls_medium_cipherlist
> 
>   Wietse
> >
> > Scott
> >
> > > -Original Message-
> > > From: Wietse Venema via Postfix-users 
> > > Sent: Wednesday, February 28, 2024 2:18 PM
> > > To: Postfix users 
> > > Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > Ciphers
> > >
> > > Scott Hollenbeck via Postfix-users:
> > > > Sorry, I should note that this is for postfix 3.6.4.
> > > >
> > >
> > > postconf -H | grep -E 'high|medium'
> > >
> > >   Wietse
> > > >
> > > > > -Original Message-
> > > > > From: Scott Hollenbeck via Postfix-users
> > > > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > > > To: postfix-users@postfix.org
> > > > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > > > Ciphers
> > > > >
> > > > > Would someone please describe the configuration settings needed to
> > > > > support TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently
> > > > > have in my configuration files:
> > > > >
> > > > > main.cf:
> > > > >
> > > > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > > > smtpd_tls_security_level = may
> > > > > smtpd_tls_mandatory_ciphers = high
> > > > > smtpd_tls_protocols = >=TLSv1.2
> > > > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > > > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > > > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > > > >
> > > > > master.cf:
> > > > >
> > > > > submission inet n   -   n   -   -   smtpd
> > > > >   -o syslog_name=postfix/submission
> > > > >   -o smtpd_tls_security_level=encrypt
> > > > >   -o smtpd_sasl_auth_enable=yes
> > > > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > > > >
> > > > > Here's what I see when I use nmap to retrieve the supported ciphers
> > > > > (note that there are only TLS 1.2 ciphers listed, and some are weak):
> > > > >
> > > > > $ nmap-ciphers 587 mysite.com
> > > > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > > > Nmap scan report for mysite.com (173.255.237.114)
> > > > > Host is up (0.00017s latency).
> > > > > Other addresses for mysite.com (not scanned):
> > > > > 2600:3c03::f03c:91ff:fe70:dbb
> > > > > rDNS record for 173.255.237.114: mysite.net
> > > > >
> > > > > PORTSTATE SERVICE
> > > > > 587/tcp open  submission
> > > > > | ssl-enum-ciphers:
> > > > > |   TLSv1.2:
> > > > > | ciphers:
> > > > > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > > > |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > > > > |   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > > > > |   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > > > > |   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > > > > |   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > > > > |   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > > > > |   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > > > > |   TLS_DH_anon_

[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Wietse Venema via Postfix-users
Scott Techlist via Postfix-users:
> I need to allow a domain to bypass my RBL checks.  I'm doing something wrong, 
> or I'm misunderstanding what I'm checking from my logs.  I'd be grateful for 
> an assist to remedy.
> 

Depending on whether domain is client or sender or ...

...
reject_unauth_destination
...
check_client_access hash:/pathname
reject_rbl_client example.com
...

Or

...
reject_unauth_destination
...
check_sender_access hash:/pathname
reject_rbl_client example.com
...

Or ???

Where the table returns OK for the allowlisted domain.

Wietse
> 
> This box is an old postfix install Postfix version 2.2.10. (I know, working 
> on migrating)
> 
>  
> 
> main.cf: (full postconf -n output follows below)
> 
>  
> 
> parent_domain_matches_subdomains = smtpd_access_maps 
> 
> check_sender_access hash:/etc/postfix/sender_checks,
> 
>  
> 
> I need to let mail from outbound.protection.outlook.com, and bypass my RBL 
> checks. My old understanding is that the first OK "wins" (maybe not?), and I 
> have check sender before check RBL.  I don't seem to be getting a match/OK on 
> it.
> 
>  
> 
> This is a sample log entry of what I'm trying to "OK" before it gets to my 
> RBL checks and thus fails:
> 
>  
> 
>   Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
> 
>  
> 
> Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from 
> mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554 
> Service unavailable; Client host [40.107.255.101] blocked using 
> bl.spamcop.net; Blocked - see 
> https://www.spamcop.net/bl.shtml?40.107.255.101; 
> from= 
> to= proto=ESMTP 
> helo=
> 
>  
> 
> Isn't the sender = connect from = 
> mail-psaapc01on2101.outbound.protection.outlook.com ?
> 
>  
> 
> In my sender_checks file I've tried:
> 
>  
> 
> outbound.protection.outlook.com OK
> 
> .outbound.protection.outlook.com OK # to match subdomains as an attempt to 
> get it to work.
> 
>  
> 
> Can I go that deep on subdomains (e.g. outbound.protection.outlook.com)? Or 
> do I need to only have ".outlook.com OK"
> 
>  
> 
> I tried testing my sender_checks file using:
> 
>  
> 
> postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' 
> hash:/etc/postfix/sender_checks
> 
> (does not match)
> 
>  
> 
> postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
> 
> OK #(matches)
> 
>  
> 
> In any case, what I'm doing does not prevent the RBL test that's after the 
> sender check from being passed.
> 
>  
> 
> -
> 
> postconf -n:
> 
>  
> 
> alias_database = hash:/etc/aliases
> 
> alias_maps = hash:/etc/aliases
> 
> body_checks = pcre:/etc/postfix/body_checks.pcre
> 
> broken_sasl_auth_clients = yes
> 
> command_directory = /usr/sbin
> 
> config_directory = /etc/postfix
> 
> content_filter = smtp-amavis:[127.0.0.1]:10024
> 
> daemon_directory = /usr/libexec/postfix
> 
> debug_peer_level = 2
> 
> disable_vrfy_command = yes
> 
> html_directory = no
> 
> inet_interfaces = $host1, localhost
> 
> local_recipient_maps = hash:/etc/postfix/local_recipient
> 
> mail_owner = postfix
> 
> mail_spool_directory = /var/spool/mail
> 
> mailbox_size_limit = 483886080
> 
> mailq_path = /usr/bin/mailq.postfix
> 
> manpage_directory = /usr/share/man
> 
> message_size_limit = 20971520
> 
> mydestination = $host1,  localhost.$mydomain,  localhost,  s-e-inc.com, 
> $mydomain
> 
> mydomain = example.com
> 
> host1 = host1.example.com
> 
> mynetworks = localhost,$localdomain, [& other local IPs]
> 
> myorigin = $host1
> 
> newaliases_path = /usr/bin/newaliases.postfix
> 
> parent_domain_matches_subdomains = smtpd_access_maps
> 
> queue_directory = /var/spool/postfix
> 
> readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
> 
> recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
> 
> relay_domains = mlec.com
> 
> relay_recipient_maps = hash:/etc/postfix/relay_recipients
> 
> sample_directory = /usr/share/doc/postfix-2.2.10/samples
> 
> sendmail_path = /usr/sbin/sendmail.postfix
> 
> setgid_group = postdrop
> 
> smtpd_data_restrictions = reject_unauth_pipelining,  permit
> 
> smtpd_helo_required = yes
> 
> smtpd_recipient_limit = 3000
> 
> smtpd_recipient_restrictions = reject_invalid_hostname,  
> reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
> reject_non_fqdn_recipient,  permit_mynetworks,  reject_unauth_destination,  
> check_recipient_mx_access hash:/etc/postfix/mx_access,  
> check_sender_mx_access hash:/etc/postfix/mx_access,  
> reject_unknown_sender_domain,  check_recipient_access 
> pcre:/etc/postfix/recipient_checks.pcre,  check_helo_access 
> hash:/etc/postfix/helo_checks,  check_sender_access 
> hash:/etc/postfix/sender_checks,  check_client_access 
> hash:/etc/postfix/client_checks,  check_client_access 
> pcre:/etc/postfix/client_checks.pcre,  check_recipient_access 
> hash:/etc/postfix/access,  reject_rbl_client 
> zen.spamh

[pfx] postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
I need to allow a domain to bypass my RBL checks.  I'm doing something wrong, 
or I'm misunderstanding what I'm checking from my logs.  I'd be grateful for an 
assist to remedy.

 

This box is an old postfix install Postfix version 2.2.10. (I know, working on 
migrating)

 

main.cf: (full postconf -n output follows below)

 

parent_domain_matches_subdomains = smtpd_access_maps 

check_sender_access hash:/etc/postfix/sender_checks,

 

I need to let mail from outbound.protection.outlook.com, and bypass my RBL 
checks. My old understanding is that the first OK "wins" (maybe not?), and I 
have check sender before check RBL.  I don't seem to be getting a match/OK on 
it.

 

This is a sample log entry of what I'm trying to "OK" before it gets to my RBL 
checks and thus fails:

 

  Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from 
mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]

 

Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from 
mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554 
Service unavailable; Client host [40.107.255.101] blocked using bl.spamcop.net; 
Blocked - see https://www.spamcop.net/bl.shtml?40.107.255.101; 
from= to= 
proto=ESMTP helo=

 

Isn't the sender = connect from = 
mail-psaapc01on2101.outbound.protection.outlook.com ?

 

In my sender_checks file I've tried:

 

outbound.protection.outlook.com OK

.outbound.protection.outlook.com OK # to match subdomains as an attempt to get 
it to work.

 

Can I go that deep on subdomains (e.g. outbound.protection.outlook.com)? Or do 
I need to only have ".outlook.com OK"

 

I tried testing my sender_checks file using:

 

postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' 
hash:/etc/postfix/sender_checks

(does not match)

 

postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks

OK #(matches)

 

In any case, what I'm doing does not prevent the RBL test that's after the 
sender check from being passed.

 

-

postconf -n:

 

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $host1, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $host1, localhost.$mydomain, localhost, s-e-inc.com, $mydomain
mydomain = example.com
host1 = host1.example.com
mynetworks = localhost,$localdomain, [& other local IPs]
myorigin = $host1
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks,
    reject_unauth_destination,
    check_recipient_mx_access hash:/etc/postfix/mx_access,
    check_sender_mx_access hash:/etc/postfix/mx_access,
    reject_unknown_sender_domain,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    check_recipient_access hash:/etc/postfix/access,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
    reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender fresh.spameatingmonkey.net,
    reject_rhsbl_client fresh.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net,
    reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rbl_client sip-sip24.metbpp3hnheh.invaluement.com,
    check_policy_service unix:postgrey/socket,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $host1
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs

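The replies in this thread come down to one distinction: the name in "connect from ..." is the SMTP client, which check_client_access keys on, while check_sender_access keys on the MAIL FROM address. The following is an added, stand-alone model of the lookup keys Postfix derives for both restrictions as access(5) describes them; it is not code from the post or from Postfix. It shows why the posted sender_checks entry can never match this client, why the leading-dot form only matters when parent_domain_matches_subdomains does not cover smtpd_access_maps, and why `postmap -q` on the full client hostname returns nothing even when smtpd would match. Assumptions, labelled in the comments: IPv4 clients only, hash: tables with keys folded to lower case, and the table contents mirror the posted sender_checks file; the function names are mine.

```python
"""Model of Postfix access(5) lookup keys for check_client_access and
check_sender_access (added example, not Postfix code)."""


def domain_keys(domain, parent_matches_subdomains):
    """Keys tried for a hostname or domain, most specific first.

    With parent_domain_matches_subdomains containing smtpd_access_maps the
    parent keys are bare ("b.c"); otherwise they carry a leading dot
    (".b.c").  That is the distinction access(5) documents.
    """
    name = domain.lower().rstrip(".")
    labels = name.split(".")
    keys = [name]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def client_keys(hostname, address, parent_matches_subdomains):
    """check_client_access: client hostname (and its parents), then the
    client IP address and its shorter prefixes.  A client whose address
    did not resolve is logged as "unknown" and gets no hostname keys."""
    keys = []
    if hostname != "unknown":
        keys += domain_keys(hostname, parent_matches_subdomains)
    octets = address.split(".")  # assumption: IPv4 only
    for n in range(len(octets), 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def sender_keys(address, parent_matches_subdomains):
    """check_sender_access: the MAIL FROM address, then its domain (and
    parents), then the bare localpart@.  The null sender is looked up as
    "<>" (Postfix's smtpd_null_access_lookup_key default)."""
    if not address:
        return ["<>"]
    localpart, _, domain = address.lower().rpartition("@")
    keys = [address.lower()]
    keys += domain_keys(domain, parent_matches_subdomains)
    keys.append(localpart + "@")
    return keys


def lookup(table, keys):
    """First key present in the table wins, as in smtpd's access lookup.
    Returns (matching_key, action) or None."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


def postmap_q(table, key):
    """postmap -q is a single exact lookup: no parent-domain walk, so it
    cannot be used to test subdomain matching."""
    return table.get(key.lower())


# The posted table and the client from the posted log line.
SENDER_CHECKS = {"outbound.protection.outlook.com": "OK"}
CLIENT_NAME = "mail-psaapc01on2101.outbound.protection.outlook.com"
CLIENT_ADDR = "40.107.255.101"

if __name__ == "__main__":
    # Sender lookup: MAIL FROM is some user at the sending organisation,
    # so the client hostname entry is never even a candidate key.
    print(sender_keys("someone@contoso.example", True))
    print(lookup(SENDER_CHECKS, sender_keys("someone@contoso.example", True)))
    # Client lookup with the legacy parent-domain setting: the bare parent
    # key "outbound.protection.outlook.com" is reached on the second step.
    print(lookup(SENDER_CHECKS, client_keys(CLIENT_NAME, CLIENT_ADDR, True)))
    # Same table, same client, but without parent_domain_matches_subdomains:
    # only a ".outbound.protection.outlook.com" entry would match.
    print(lookup(SENDER_CHECKS, client_keys(CLIENT_NAME, CLIENT_ADDR, False)))
```

Once the entry lives in the check_client_access table, the "first OK wins" expectation does hold: an OK result ends evaluation of that restriction list for the current recipient, so an OK returned before reject_rbl_client skips the DNSBL checks that follow it.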
[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Wietse Venema via Postfix-users
Scott Hollenbeck via Postfix-users:
> Thanks, here's the output:
> 
> $ postconf -H | grep -E 'high|medium'
> tls_high_cipherlist
> tls_medium_cipherlist
> $
> 

No, a hint to study the postconf(5) manpage.
https://www.postfix.org/postconf.5.html#tls_high_cipherlist
https://www.postfix.org/postconf.5.html#tls_medium_cipherlist

Wietse
> 
> Scott
> 
> > -Original Message-
> > From: Wietse Venema via Postfix-users 
> > Sent: Wednesday, February 28, 2024 2:18 PM
> > To: Postfix users 
> > Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > Ciphers
> > 
> > Scott Hollenbeck via Postfix-users:
> > > Sorry, I should note that this is for postfix 3.6.4.
> > >
> > 
> > postconf -H | grep -E 'high|medium'
> > 
> > Wietse
> > >
> > > > -Original Message-
> > > > From: Scott Hollenbeck via Postfix-users 
> > > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > > To: postfix-users@postfix.org
> > > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > > Ciphers
> > > >
> > > > Would someone please describe the configuration settings needed to
> > support
> > > > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in
> my
> > > > configuration files:
> > > >
> > > > main.cf:
> > > >
> > > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > > smtpd_tls_security_level = may
> > > > smtpd_tls_mandatory_ciphers = high
> > > > smtpd_tls_protocols = >=TLSv1.2
> > > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > > smtpd_tls_session_cache_database =
> > btree:${data_directory}/smtpd_scache
> > > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > > >
> > > > master.cf:
> > > >
> > > > submission inet n   -   n   -   -   smtpd
> > > >   -o syslog_name=postfix/submission
> > > >   -o smtpd_tls_security_level=encrypt
> > > >   -o smtpd_sasl_auth_enable=yes
> > > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > > >
> > > > Here's what I see when I use nmap to retrieve the supported ciphers
> (note
> > > > that there are only TLS 1.2 ciphers listed, and some are weak):
> > > >
> > > > $ nmap-ciphers 587 mysite.com
> > > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > > Nmap scan report for mysite.com (173.255.237.114)
> > > > Host is up (0.00017s latency).
> > > > Other addresses for mysite.com (not scanned):
> > > > 2600:3c03::f03c:91ff:fe70:dbb
> > > > rDNS record for 173.255.237.114: mysite.net
> > > >
> > > > PORTSTATE SERVICE
> > > > 587/tcp open  submission
> > > > | ssl-enum-ciphers:
> > > > |   TLSv1.2:
> > > > | ciphers:
> > > > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > > |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > > > |   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > > > |   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > > > |   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > > > |   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > > > |   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > > > |   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > > > |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > > > |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > > > |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > > > |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > > > |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > > > |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > > > |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > > > |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > > > |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > > > |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > > > |   TLS_ECDHE_RSA_WITH_AR
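
A note on the hint above: `postconf -H` prints parameter names without their values, so the two bare names are the expected output; `postconf -d tls_high_cipherlist` prints the built-in default of a parameter. What the original question actually needs is a way to decide which of the enumerated suites are "weak" and which exclusion keyword removes each class. The block below is an added example, not code from the thread, from Postfix or from nmap: it parses lines in the format nmap's ssl-enum-ciphers prints, flags anonymous key exchange (no server authentication), static RSA key transport (no forward secrecy), and legacy CBC/HMAC-SHA1 suites, and maps the findings to OpenSSL ciphers(1) keywords that a Postfix `smtpd_tls_mandatory_exclude_ciphers` setting accepts. The sample lines are constructed from suite names quoted in the thread; the function names and the finding codes are mine. Note that nmap grades static-RSA CBC-SHA1 suites "A"; a reviewer asked for "no weak ciphers" on a submission port would still remove them.

```python
"""Classify cipher suites from nmap ssl-enum-ciphers output and derive
Postfix/OpenSSL exclusion keywords (added example)."""
import re

# Constructed sample in nmap's ssl-enum-ciphers line format.
NMAP_SAMPLE = """\
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
|   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
"""

LINE_RE = re.compile(r"\|\s+(TLS_[A-Za-z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+([A-F])")
SUITE_RE = re.compile(r"TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<rest>[A-Za-z0-9_]+)")
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")
BROKEN_MARKERS = ("NULL", "RC4", "3DES", "DES_", "EXPORT", "MD5")

# Finding code -> OpenSSL ciphers(1) keyword that excludes the whole class.
# "CBC" has no single OpenSSL keyword; it is reported but not mapped.
EXCLUDE_KEYWORD = {"aNULL": "aNULL", "kRSA": "kRSA", "SHA1": "SHA1"}


def parse_nmap_ciphers(text):
    """Return [(suite_name, nmap_grade), ...] from ssl-enum-ciphers lines."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def assess(suite):
    """Return the list of finding codes for an IANA suite name; an empty
    list means the suite is acceptable for a submission port."""
    m = SUITE_RE.fullmatch(suite)
    if not m:
        raise ValueError(f"unrecognised suite name: {suite}")
    kx, rest = m.group("kx"), m.group("rest")
    findings = []
    if "anon" in kx:
        findings.append("aNULL")   # anonymous DH/ECDH: no server authentication
    elif kx == "RSA":
        findings.append("kRSA")    # RSA key transport: no forward secrecy
    if any(t in rest for t in BROKEN_MARKERS):
        findings.append("BROKEN")  # NULL/RC4/3DES/export/MD5: obsolete
    if not any(t in rest for t in AEAD_MARKERS):
        if "CBC" in rest:
            findings.append("CBC")  # MAC-then-encrypt, no AEAD
        if rest.endswith("_SHA"):
            findings.append("SHA1")  # HMAC-SHA1 record integrity
    return findings


def weak_suites(text):
    """Map each flagged suite in the nmap output to its finding codes."""
    weak = {}
    for suite, _grade in parse_nmap_ciphers(text):
        findings = assess(suite)
        if findings:
            weak[suite] = findings
    return weak


def openssl_exclusions(weak):
    """Sorted OpenSSL keywords covering every mapped finding."""
    keywords = {EXCLUDE_KEYWORD[f] for fs in weak.values()
                for f in fs if f in EXCLUDE_KEYWORD}
    return sorted(keywords)


def postfix_exclude_line(weak):
    """main.cf line for the mandatory (encrypt) level used on submission."""
    return "smtpd_tls_mandatory_exclude_ciphers = " + ", ".join(openssl_exclusions(weak))


if __name__ == "__main__":
    flagged = weak_suites(NMAP_SAMPLE)
    for suite, findings in flagged.items():
        print(f"{suite}: {', '.join(findings)}")
    print(postfix_exclude_line(flagged))
```

The exclusion goes in the mandatory list because the submission service runs with `smtpd_tls_security_level=encrypt`; `smtpd_tls_exclude_ciphers` would apply to the opportunistic port 25 as well, where a client that never verifies the certificate gains nothing from an authenticated suite. Re-run the nmap scan after `postfix reload` and feed the output through `weak_suites` to confirm the flagged set is empty.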

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
Thanks, here's the output:

$ postconf -H | grep -E 'high|medium'
tls_high_cipherlist
tls_medium_cipherlist
$

Empty cipher lists?

Scott

> -Original Message-
> From: Wietse Venema via Postfix-users 
> Sent: Wednesday, February 28, 2024 2:18 PM
> To: Postfix users 
> Subject: [pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> 
> Scott Hollenbeck via Postfix-users:
> > Sorry, I should note that this is for postfix 3.6.4.
> >
> 
> postconf -H | grep -E 'high|medium'
> 
>   Wietse
> >
> > > -Original Message-
> > > From: Scott Hollenbeck via Postfix-users 
> > > Sent: Wednesday, February 28, 2024 8:55 AM
> > > To: postfix-users@postfix.org
> > > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> > Ciphers
> > >
> > > Would someone please describe the configuration settings needed to
> support
> > > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in
my
> > > configuration files:
> > >
> > > main.cf:
> > >
> > > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > > smtpd_tls_security_level = may
> > > smtpd_tls_mandatory_ciphers = high
> > > smtpd_tls_protocols = >=TLSv1.2
> > > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > > smtpd_tls_session_cache_database =
> btree:${data_directory}/smtpd_scache
> > > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > >
> > > master.cf:
> > >
> > > submission inet n   -   n   -   -   smtpd
> > >   -o syslog_name=postfix/submission
> > >   -o smtpd_tls_security_level=encrypt
> > >   -o smtpd_sasl_auth_enable=yes
> > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > >
> > > Here's what I see when I use nmap to retrieve the supported ciphers
(note
> > > that there are only TLS 1.2 ciphers listed, and some are weak):
> > >
> > > $ nmap-ciphers 587 mysite.com
> > > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > > Nmap scan report for mysite.com (173.255.237.114)
> > > Host is up (0.00017s latency).
> > > Other addresses for mysite.com (not scanned):
> > > 2600:3c03::f03c:91ff:fe70:dbb
> > > rDNS record for 173.255.237.114: mysite.net
> > >
> > > PORTSTATE SERVICE
> > > 587/tcp open  submission
> > > | ssl-enum-ciphers:
> > > |   TLSv1.2:
> > > | ciphers:
> > > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > > |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > > |   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > > |   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > > |   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > > |   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > > |   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > > |   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > > |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > > |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > > |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > > |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > > |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > > |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1)
> - A
> > > |   TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > > |   TLS_ECDH_anon_WITH_AES_256_C

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Wietse Venema via Postfix-users
Scott Hollenbeck via Postfix-users:
> Sorry, I should note that this is for postfix 3.6.4.
> 

postconf -H | grep -E 'high|medium'

Wietse
> 
> > -Original Message-
> > From: Scott Hollenbeck via Postfix-users 
> > Sent: Wednesday, February 28, 2024 8:55 AM
> > To: postfix-users@postfix.org
> > Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
> Ciphers
> > 
> > Would someone please describe the configuration settings needed to support
> > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> > configuration files:
> > 
> > main.cf:
> > 
> > smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> > smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> > smtpd_tls_security_level = may
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_protocols = >=TLSv1.2
> > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> > smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> > 
> > master.cf:
> > 
> > submission inet n   -   n   -   -   smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> > 
> > Here's what I see when I use nmap to retrieve the supported ciphers (note
> > that there are only TLS 1.2 ciphers listed, and some are weak):
> > 
> > $ nmap-ciphers 587 mysite.com
> > Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> > Nmap scan report for mysite.com (173.255.237.114)
> > Host is up (0.00017s latency).
> > Other addresses for mysite.com (not scanned):
> > 2600:3c03::f03c:91ff:fe70:dbb
> > rDNS record for 173.255.237.114: mysite.net
> > 
> > PORTSTATE SERVICE
> > 587/tcp open  submission
> > | ssl-enum-ciphers:
> > |   TLSv1.2:
> > | ciphers:
> > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> > |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> > |   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> > |   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> > |   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> > |   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> > |   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> > |   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> > |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> > |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> > |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> > |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> > |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> > |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> > |   TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> > |   TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> > |   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> > |   TLS_RSA_WITH_AES_256_GCM_SH

[pfx] Re: userid for file delivery ?

2024-02-28 Thread Markus Schönhaber via Postfix-users
28.02.24, 19:09 +0100, John Levine via Postfix-users:

> Here's another question that might be answered in the documentation
> but I can't find it.  If I have a file delivery like this in
> the /etc/aliases file
> 
> foo: /a/b/somefile
> 
> what userid writes to the file?  postfix? nobody?
> 
> I realize that for user mailboxes it's the user, but
> in this case, there's no user, just the file.  TIA.
man 5 aliases:

>/file/name
>   Mail is appended to /file/name. For details on how a
>   file is written see the sections "EXTERNAL FILE DELIVERY"
>   and "DELIVERY RIGHTS" in the local(8) documentation.
>   Delivery is not limited to regular files. For example,
>   to dispose of unwanted mail, deflect it to /dev/null.

man 8 local:

> DELIVERY RIGHTS
>    Deliveries to external files and external commands are made
>    with the rights of the receiving user on whose behalf the
>    delivery is made. In the absence of a user context, the local(8)
>    daemon uses the owner rights of the :include: file or alias
>    database. When those files are owned by the superuser, delivery
>    is made with the rights specified with the default_privs
>    configuration parameter.

-- 
Regards
  mks

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: userid for file delivery ?

2024-02-28 Thread Wietse Venema via Postfix-users
John Levine via Postfix-users:
> Here's another question that might be answered in the documentation
> but I can't find it.  If I have a file delivery like this in
> the /etc/aliases file
> 
> foo: /a/b/somefile
> 
> what userid writes to the file?  postfix? nobody?
> 
> I realize that for user mailboxes it's the user, but
> in this case, there's no user, just the file.  TIA.

$ man 8 local 

DELIVERY RIGHTS
   Deliveries to external files and external commands are  made  with  the
   rights  of the receiving user on whose behalf the delivery is made.  In
   the absence of a user context,  the  local(8)  daemon  uses  the  owner
   rights  of  the :include: file or alias database.  When those files are
   owned by the superuser, delivery is made with the rights specified with
   the default_privs configuration parameter.

The default_privs setting is "default_privs = nobody".

Wietse


[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
Sorry, I should note that this is for postfix 3.6.4.

Scott

> -Original Message-
> From: Scott Hollenbeck via Postfix-users 
> Sent: Wednesday, February 28, 2024 8:55 AM
> To: postfix-users@postfix.org
> Subject: [pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak
Ciphers
> 
> Would someone please describe the configuration settings needed to support
> TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
> configuration files:
> 
> main.cf:
> 
> smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
> smtpd_tls_security_level = may
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_protocols = >=TLSv1.2
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
> smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem
> 
> master.cf:
> 
> submission inet n   -   n   -   -   smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
> Here's what I see when I use nmap to retrieve the supported ciphers (note
> that there are only TLS 1.2 ciphers listed, and some are weak):
> 
> $ nmap-ciphers 587 mysite.com
> Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
> Nmap scan report for mysite.com (173.255.237.114)
> Host is up (0.00017s latency).
> Other addresses for mysite.com (not scanned):
> 2600:3c03::f03c:91ff:fe70:dbb
> rDNS record for 173.255.237.114: mysite.net
> 
> PORTSTATE SERVICE
> 587/tcp open  submission
> | ssl-enum-ciphers:
> |   TLSv1.2:
> | ciphers:
> |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
> |   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
> |   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
> |   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
> |   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
> |   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
> |   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
> |   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
> |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
> |   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
> |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
> |   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
> |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
> |   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
> |   TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
> |   TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
> |   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
> |   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> |   TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
> |   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
> |   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
> |   TLS_RSA_WITH_CAMEL

[pfx] userid for file delivery ?

2024-02-28 Thread John Levine via Postfix-users
Here's another question that might be answered in the documentation
but I can't find it.  If I have a file delivery like this in
the /etc/aliases file

foo: /a/b/somefile

what userid writes to the file?  postfix? nobody?

I realize that for user mailboxes it's the user, but
in this case, there's no user, just the file.  TIA.

R's,
John




[pfx] Re: Postfix gmail relay SASL authentication failed invalid parameter supplied

2024-02-28 Thread Nuno Catarino via Postfix-users
Solved
Many thanks to *Wietse Venema*
The solution could be as simple as:

/etc/postfix/main.cf:
smtp_sasl_mechanism_filter = login plain



Nuno Catarino wrote (Wednesday, 28/02/2024 at 15:04):

> Hi there, I'm using Leap 15.5, trying to send emails through the Gmail relay and
> going crazy.
> I'm sending my configuration for someone to help me.
> When I try to send an email the error is:
>
> postfix/pickup[30145]: CFC982C034E: uid=0 from=
> postfix/cleanup[30149]: CFC982C034E:
> message-id=<20240228100831.CFC982C034E@localhost>
> postfix/qmgr[30144]: CFC982C034E: from=, size=428,
> nrcpt=1 (queue active)
> postfix/smtp[31278]: CFC982C034E: to=, relay=
> smtp.gmail.com[64.233.167.109]:587, delay=5.5, delays=0.05/0/5.4/0,
> dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate
> to server smtp.gmail.com[64.233.167.109]: invalid parameter supplied)
>
> *In the Gmail account I have created an app password*
>
> *In the file /etc/postfix/sasl_passwd*
> [smtp.gmail.com]:587 nuno.catar...@.pt:   
>
>
>
> *The result of the command postmap -q "[smtp.gmail.com]:587" lmdb:/etc/postfix/sasl_passwd is:*
> nuno.catar...@.pt:   
>
>
>
> *I did the postmap /etc/postfix/sasl_passwd and restarted the postfix
> service*
>
> *The configuration file /etc/postfix/master.cf is:*
>
> smtp  inet  n   -   n   -   -   smtpd
> pickupfifo  n   -   n   60  1   pickup
> cleanup   unix  n   -   n   -   0   cleanup
> qmgr  fifo  n   -   n   300 1   qmgr
> #qmgr fifo  n   -   n   300 1   oqmgr
> tlsmgrunix  -   -   n   1000?   1   tlsmgr
> rewrite   unix  -   -   n   -   -   trivial-rewrite
> bounceunix  -   -   n   -   0   bounce
> defer unix  -   -   n   -   0   bounce
> trace unix  -   -   n   -   0   bounce
> verifyunix  -   -   n   -   1   verify
> flush unix  n   -   n   1000?   0   flush
> proxymap  unix  -   -   n   -   -   proxymap
> proxywrite unix -   -   n   -   1   proxymap
> smtp  unix  -   -   n   -   -   smtp
> relay unix  -   -   n   -   -   smtp
> #   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq unix  n   -   n   -   -   showq
> error unix  -   -   n   -   -   error
> retry unix  -   -   n   -   -   error
> discard   unix  -   -   n   -   -   discard
> local unix  -   n   n   -   -   local
> virtual   unix  -   n   n   -   -   virtual
> lmtp  unix  -   -   n   -   -   lmtp
> anvil unix  -   -   n   -   1   anvil
> scacheunix  -   -   n   -   1   scache
> postlog   unix-dgram n  -   n   -   1   postlogd
>
> *result of the command postconf -n*
>
> alias_maps = lmdb:/etc/aliases
> biff = no
> canonical_maps = lmdb:/etc/postfix/canonical
> command_directory = /usr/sbin
> compatibility_level = 3.6
> content_filter =
> daemon_directory = /usr/lib/postfix/bin/
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
> $daemon_directory/$process_name $process_id & sleep 5
> defer_transports =
> delay_warning_time = 1h
> disable_dns_lookups = no
> disable_mime_output_conversion = no
> disable_vrfy_command = yes
> html_directory = /usr/share/doc/packages/postfix-doc/html
> inet_interfaces = localhost
> inet_protocols = ipv4
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailbox_command =
> mailbox_size_limit = 0
> mailbox_transport =
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains =
> masquerade_exceptions = root
> message_size_limit = 0
> message_strip_characters = \0
> mydestination = $myhostname, localhost.$mydomain
> myhostname = localhost
> mynetworks_style = subnet
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
> relay_clientcerts =
> relay_domains = $mydestination, lmdb:/etc/postfix/relay
> relayhost = [smtp.gmail.com]:587
> relocated_maps = lmdb:/etc/postfix/relocated
> sample_directory = /usr/share/doc/packages/postfix-doc/samples
> sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtp_enforce_tls = no
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =
> smtp_tls_CAfile = /etc/ssl/ca-bundle.pe
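
Two things in this thread are easy to get wrong in the sasl_passwd source file: the key has to be found under one of the names the SMTP client looks up (the next-hop exactly as written in relayhost, brackets and port included, or the bare server hostname, per SASL_README), and a Gmail app password is displayed in four groups of four letters but is entered as one 16-character word, which is what Bill Cole's reply points at. Below is an added checker for that file; it is not from the thread and not Postfix code. It splits the value at the first colon, as the Postfix SMTP client does, so the username may not contain a colon while the password may. The sample lines are constructed with placeholder credentials; the function names and the mapping of relayhost to lookup keys are my assumptions.

```python
"""Sanity-check an smtp_sasl_password_maps source file (added example)."""
import re

RELAYHOST = "[smtp.gmail.com]:587"

# Constructed sample in the /etc/postfix/sasl_passwd format; placeholder
# credentials, the app password deliberately pasted with Gmail's spaces.
SASL_PASSWD_SAMPLE = """\
# destination            username:password
[smtp.gmail.com]:587     alice@example.org:abcd efgh ijkl mnop
smtp.example.net         bob@example.org:s3cret:with:colons
"""


def parse_sasl_passwd(text):
    """Key is the first whitespace-delimited token, value is the rest.
    The value is split at the FIRST colon, matching the Postfix client."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"no value for key {parts[0]!r}")
        key, value = parts
        user, sep, password = value.partition(":")
        if not sep:
            raise ValueError(f"{key}: value must be username:password")
        entries[key] = (user, password)
    return entries


def lookup_keys(relayhost):
    """Keys the SMTP client tries for a relayhost value: the next-hop as
    written, then the bare hostname (assumption, per SASL_README)."""
    host = re.sub(r":\d+$", "", relayhost).strip("[]")
    return [relayhost, host]


def check_entries(entries, relayhost):
    """Return a list of human-readable problems; empty means it looks right."""
    problems = []
    hit = next((k for k in lookup_keys(relayhost) if k in entries), None)
    if hit is None:
        problems.append(f"no entry for {relayhost} or its bare hostname; "
                        "the key must match relayhost as written")
        return problems
    user, password = entries[hit]
    if "@" not in user:
        problems.append(f"{hit}: username {user!r} is not a full mail address")
    if any(ch.isspace() for ch in password):
        problems.append(f"{hit}: password contains whitespace; Gmail shows app "
                        "passwords in groups of four, enter them as one word")
    return problems


def normalize_app_password(password):
    """Gmail app passwords are 16 letters shown as 'xxxx xxxx xxxx xxxx'."""
    return "".join(password.split())


if __name__ == "__main__":
    entries = parse_sasl_passwd(SASL_PASSWD_SAMPLE)
    for problem in check_entries(entries, RELAYHOST):
        print("problem:", problem)
```

After fixing the source file, run `postmap /etc/postfix/sasl_passwd` again and verify with `postmap -q "[smtp.gmail.com]:587" lmdb:/etc/postfix/sasl_passwd`, which is the same exact-key query the SMTP client makes. The mechanism filter that closed this thread is a separate knob: it limits which SASL mechanisms the client is willing to negotiate, and is what you reach for when the error comes from Cyrus SASL rather than from the credentials.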

[pfx] Re: Postfix gmail relay SASL authentication failed invalid parameter supplied

2024-02-28 Thread Wietse Venema via Postfix-users
Nuno Catarino via Postfix-users:
> postfix/smtp[31278]: CFC982C034E: to=,
> relay=smtp.gmail.com[64.233.167.109]:587,
> delay=5.5, delays=0.05/0/5.4/0, dsn=4.7.0, status=deferred (SASL
> authentication failed; cannot authenticate to server
> smtp.gmail.com[64.233.167.109]:
> invalid parameter supplied)

Here is a hint:

https://www.cyrusimap.org/sasl/sasl/reference/manpages/library/sasl_errors.html
lists all Cyrus SASL error codes, one of which is:

SASL_BADPARAM
Invalid Parameter Supplied

There are many search engine hits for "invalid parameter supplied" and they
involve Cyrus LDAP support. 

Another hit:
https://askubuntu.com/questions/1189871/postfix-saslnot-workign-on-upgrade-to-19-10o

The solution could be as simple as:

/etc/postfix/main.cf:
smtp_sasl_mechanism_filter = login plain

Wietse


[pfx] Re: Postfix gmail relay SASL authentication failed invalid parameter supplied

2024-02-28 Thread Bill Cole via Postfix-users
On 2024-02-28 at 10:04:05 UTC-0500 (Wed, 28 Feb 2024 15:04:05 +)
Nuno Catarino via Postfix-users 
is rumored to have said:

> Hi there, i'm using leap 15.5, trying to send emails thru gmail relay and
> getting crazy.
> Send my configuration for someone to help me
> when i'm trying to send the email the error is:
>
> postfix/pickup[30145]: CFC982C034E: uid=0 from=
> postfix/cleanup[30149]: CFC982C034E:
> message-id=<20240228100831.CFC982C034E@localhost>
> postfix/qmgr[30144]: CFC982C034E: from=, size=428, nrcpt=1
> (queue active)
> postfix/smtp[31278]: CFC982C034E: to=,
> relay=smtp.gmail.com[64.233.167.109]:587,
> delay=5.5, delays=0.05/0/5.4/0, dsn=4.7.0, status=deferred (SASL
> authentication failed; cannot authenticate to server
> smtp.gmail.com[64.233.167.109]:
> invalid parameter supplied)
>
> *In the gmail account i have created a apps password*
>
> *In the file /etc/postfix/sasl_passwd*
> [smtp.gmail.com]:587 nuno.catar...@.pt:   

The error indicates that the password and/or username were incorrect.

I believe you need to remove any spaces in the GMail app password.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: postfix and smtpd_proxy_timeout

2024-02-28 Thread natan via Postfix-users

On 28.02.2024 at 16:14, Wietse Venema via Postfix-users wrote:

> natan via Postfix-users:
>
>> for "us...@domain.ltd"
>> Feb 27 16:02:28 smtp1v postfix/cleanup[23476]: warning:
>> proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error
>> for "us...@domain.ltd"
>> Feb 27 16:02:29 smtp1v postfix/cleanup[23476]: warning:
>> proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error
>> for "us...@domain.ltd"
>> Feb 27 16:02:30 smtp1v postfix/cleanup[23476]: warning:
>> proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error
>> for "us...@domain.ltd"

thenx

> Clearly, this is edited evidence. I will reach out to you off-list.
>
> Wietse




[pfx] Re: postfix and smtpd_proxy_timeout

2024-02-28 Thread Wietse Venema via Postfix-users
natan via Postfix-users:
> for "us...@domain.ltd"
> Feb 27 16:02:28 smtp1v postfix/cleanup[23476]: warning: 
> proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
> for "us...@domain.ltd"
> Feb 27 16:02:29 smtp1v postfix/cleanup[23476]: warning: 
> proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
> for "us...@domain.ltd"
> Feb 27 16:02:30 smtp1v postfix/cleanup[23476]: warning: 
> proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
> for "us...@domain.ltd"

Clearly, this is edited evidence. I will reach out to you off-list.

Wietse


[pfx] Postfix gmail relay SASL authentication failed invalid parameter supplied

2024-02-28 Thread Nuno Catarino via Postfix-users
Hi there, I'm using Leap 15.5, trying to send emails through the Gmail relay and
getting crazy.
I'm sending my configuration for someone to help me.
When I'm trying to send the email, the error is:

postfix/pickup[30145]: CFC982C034E: uid=0 from=
postfix/cleanup[30149]: CFC982C034E:
message-id=<20240228100831.CFC982C034E@localhost>
postfix/qmgr[30144]: CFC982C034E: from=, size=428, nrcpt=1
(queue active)
postfix/smtp[31278]: CFC982C034E: to=,
relay=smtp.gmail.com[64.233.167.109]:587,
delay=5.5, delays=0.05/0/5.4/0, dsn=4.7.0, status=deferred (SASL
authentication failed; cannot authenticate to server
smtp.gmail.com[64.233.167.109]:
invalid parameter supplied)

*In the Gmail account I have created an app password*

*In the file /etc/postfix/sasl_passwd*
[smtp.gmail.com]:587 nuno.catar...@.pt:   



*the result of the command postmap -q "[smtp.gmail.com]:587" lmdb:/etc/postfix/sasl_passwd is:*
nuno.catar...@.pt:



*I did the postmap /etc/postfix/sasl_passwd and restarted the postfix service*

*The configuration file /etc/postfix/master.cf is*

smtp       inet  n       -       n       -       -       smtpd
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
#qmgr      fifo  n       -       n       300     1       oqmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd

*result of the command postconf -n*

alias_maps = lmdb:/etc/aliases
biff = no
canonical_maps = lmdb:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 3.6
content_filter =
daemon_directory = /usr/lib/postfix/bin/
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = localhost
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain
myhostname = localhost
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relay_domains = $mydestination, lmdb:/etc/postfix/relay
relayhost = [smtp.gmail.com]:587
relocated_maps = lmdb:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = lmdb:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/ssl/ca-bundle.pem
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_session_cache_database =
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = lmdb:/etc/postfix/access
smtpd_tls_CA

[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-28 Thread Bill Cole via Postfix-users
On 2024-02-27 at 16:39:54 UTC-0500 (Tue, 27 Feb 2024 13:39:54 -0800 (PST))
lists--- via Postfix-users
is rumored to have said:

> I have a sender_checks file but I don't see that on the postfix.org
> website. Is that a deprecated parameter?


The names of Postfix map files are up to you. Their usage is determined 
by the specific restriction directive referencing them.


So you could have 'check_sender_access 
hash:/etc/postfix/any_name_you_like' and Postfix will use that file, as 
long as you populate it with access entries and 'postmap' it to create 
the .db file.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Scott Hollenbeck via Postfix-users
Would someone please describe the configuration settings needed to support
TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my
configuration files:

main.cf:

smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.net/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mysite.net/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_dh1024_param_file = /etc/ssl/private/dh2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/private/dh512.pem

master.cf:

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Here's what I see when I use nmap to retrieve the supported ciphers (note
that there are only TLS 1.2 ciphers listed, and some are weak):

$ nmap-ciphers 587 mysite.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:13 EST
Nmap scan report for mysite.com (173.255.237.114)
Host is up (0.00017s latency).
Other addresses for mysite.com (not scanned): 2600:3c03::f03c:91ff:fe70:dbb
rDNS record for 173.255.237.114: mysite.net

PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
|   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|   TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
|   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
|   TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|   TLS_DH_anon_WITH_AES_128_CBC_SHA256 - F
|   TLS_DH_anon_WITH_AES_128_GCM_SHA256 - F
|   TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|   TLS_DH_anon_WITH_AES_256_CBC_SHA256 - F
|   TLS_DH_anon_WITH_AES_256_GCM_SHA384 - F
|   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA - F
|   TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 - F
|   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA - F
|   TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 - F
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|   TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|   TLS_ECDH_anon_WITH_AES_128_CBC_SHA - F
|   TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|   TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|   TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|   TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|   TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|_  least strength: F

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
$

Thanks for your guidance,
Scott

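One way to triage output like the above, as an added Python example (not from the thread, nmap or Postfix): parse the ssl-enum-ciphers lines, flag the anonymous, CBC and non-forward-secret suites that an authenticated submission port should not be offering, and report whether TLS 1.3 appeared at all. SAMPLE is a constructed excerpt in the shape of the report quoted above; the anonymous suites are what drive its "least strength: F".

```python
"""Triage an nmap ssl-enum-ciphers report for a Postfix submission port.
Added illustration, not from the thread, nmap or Postfix; SAMPLE is a
constructed excerpt shaped like the output quoted above."""
import re

PROTO_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)(?:\s+\([^)]*\))?\s+-\s+([A-F])\s*$")

SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
| ciphers:
|   TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|   TLS_DH_anon_WITH_AES_128_CBC_SHA - F
|   TLS_ECDH_anon_WITH_AES_256_CBC_SHA - F
|   TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| compressors:
|   NULL
| cipher preference: client
|_  least strength: F
"""

def parse(report):
    """Return [(protocol, suite, nmap grade)] for every cipher line."""
    proto, rows = None, []
    for line in report.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif m := CIPHER_RE.match(line):
            rows.append((proto, m.group(1), m.group(2)))
    return rows

def weaknesses(proto, suite):
    """Why a suite is undesirable on an authenticated submission port.
    TLS 1.3 suites are always ephemeral-key AEAD, so none apply there."""
    if proto == "TLSv1.3":
        return []
    reasons = []
    if "_anon_" in suite:
        reasons.append("anonymous key exchange: no server authentication")
    if "_CBC_" in suite:
        reasons.append("CBC mode: not an AEAD cipher")
    if not any(k in suite for k in ("_DHE_", "_ECDHE_", "_anon_")):
        reasons.append("static RSA key exchange: no forward secrecy")
    return reasons

def triage(report):
    """Map each offered suite to its findings; [] means acceptable."""
    return {s: weaknesses(p, s) for p, s, _ in parse(report)}

def summary(report):
    """Headline facts to compare against the intended main.cf settings."""
    rows = parse(report)
    protos = sorted({p for p, _, _ in rows if p})
    m = re.search(r"least strength:\s*([A-F])", report)
    return {"protocols": protos, "tls13_offered": "TLSv1.3" in protos,
            "anonymous_suites": sum("_anon_" in s for _, s, _ in rows),
            "least_strength": m.group(1) if m else None}
```

Feed it the full report instead of SAMPLE to get a finding per offered suite; an empty protocols list or a missing TLSv1.3 section is the cue to compare the scanned port's master.cf overrides with the main.cf settings above.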


[pfx] Re: postfix and smtpd_proxy_timeout

2024-02-28 Thread natan via Postfix-users

Hi,
In the log I get:
Feb 27 15:57:28 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:02:28 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:02:29 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:02:30 smtp1v postfix/cleanup[23476]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:05:28 smtp1v postfix/cleanup[24084]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:05:29 smtp1v postfix/cleanup[24084]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:05:30 smtp1v postfix/cleanup[24084]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:06:28 smtp1v postfix/cleanup[26225]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:11:28 smtp1v postfix/cleanup[26383]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:11:29 smtp1v postfix/cleanup[26383]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:13:28 smtp1v postfix/cleanup[26225]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:13:29 smtp1v postfix/cleanup[26225]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"
Feb 27 16:13:30 smtp1v postfix/cleanup[26395]: warning: 
proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new lookup error 
for "us...@domain.ltd"


The problem connecting to the database was at ~15:56.
Some users got that warning;
some users at that time sent normally, as if Postfix had cached the "proxy_map"
connections.


After restoring the connection to the database, the new connections were
correct, but the old ones still received the information that it was
impossible to connect to the database.

After restarting Postfix all was OK.

Another setup example:
The same happens when, for example, the
database cluster transfers the VIP IP (keepalived) from one SQL node to
another (keepalived moves the IP).


All new connections work OK, but the old ones get an error connecting to
the database.


On 27.02.2024 at 17:44, Wietse Venema via Postfix-users wrote:

> natan via Postfix-users:
>
>> If I set smtpd_proxy_timeout=60s, will I "terminate" (timeout) all old
>> connections that get
>> "warning: proxy:mysql:/etc/postfix/mysql_sender_bcc_maps_user.cf-new
>> lookup error for u...@test.lt"
>> after 60s?
>
> smtpd_proxy_timeout is a time limit for Postfix to talk to an
> smtpd_proxy_filter.
>
> It is NOT a time limit for talking to the proxymap server.
>
> As for the lookup error for an existing proxymap connection, the
> proxymap client is supposed to retry the query forever, sleeping
> one second between attempts.
>
> Your logging examples do not match Postfix code, perhaps you can
> provide more accurate examples. Details matter.
>
> Wietse




[pfx] Re: question regarding postmap -q test

2024-02-28 Thread Markus Schönhaber via Postfix-users
28.02.24, 09:20 +0100, lists--- via Postfix-users:

> My sender_access file contains
> 
> charity.donation.jp REJECT
> 
> postmap -q charity.donation.jp  hash:sender_access
> REJECT
> 
> So it returns REJECT as expected. However testing some random users at
> the domain:
> 
> postmap -q m...@charity.donation.jp  hash:sender_access
> 
> returns nothing. Is the domain being rejected in actual use even though
> postmap -q testing with a specific user at the domain name doesn't
> return anything?
Look at the fine manual that explains what postmap -q does:

>   -q key  Search the specified maps for key and write the first value
>           found to the standard output stream. The exit status is zero
>           when the requested information was found.
>
>           Note: this performs a single query with the key as specified,
>           and does not make iterative queries with substrings of the key
>           as described for access(5), canonical(5), transport(5),
>           virtual(5) and other Postfix table-driven features.

-- 
Regards
  mks

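What that manual note means in practice, as an added Python illustration (not Postfix source): it walks the access(5) key sequence that check_sender_access tries for a sender address against a constructed copy of the thread's sender_access entry, and contrasts it with the single exact-key lookup that postmap -q performs. The walk up to the top-level domain and the parent_domain_matches_subdomains handling follow the access(5) man page as I read it; "mary" is a constructed local part.

```python
"""Contrast postmap -q (one exact key) with the iterative access(5) lookup
that check_sender_access performs.  Added illustration, not Postfix source;
SENDER_ACCESS is a constructed copy of the entry quoted in the thread."""

SENDER_ACCESS = {"charity.donation.jp": "REJECT"}

def postmap_q(table, key):
    """postmap -q KEY: a single query, no substring iteration."""
    return table.get(key)

def access_keys(address, parent_matches_subdomains=True):
    """Yield keys in access(5) order for an email address:
    user@domain, then the domain and each parent (top-level domain
    included, as Postfix does), then user@.  With smtpd_access_maps in
    parent_domain_matches_subdomains a parent is tried as 'donation.jp';
    otherwise the subdomain form '.donation.jp' is tried instead."""
    yield address
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        yield suffix if (i == 0 or parent_matches_subdomains) else "." + suffix
    yield local + "@"

def access_lookup(table, address, parent_matches_subdomains=True):
    """First matching (key, action) as smtpd would see it, or (None, None)."""
    for key in access_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None

if __name__ == "__main__":
    addr = "mary@charity.donation.jp"          # constructed test sender
    print("postmap -q domain :", postmap_q(SENDER_ACCESS, "charity.donation.jp"))
    print("postmap -q address:", postmap_q(SENDER_ACCESS, addr))
    print("smtpd would try   :", list(access_keys(addr)))
    print("smtpd result      :", access_lookup(SENDER_ACCESS, addr))
```

The same sequence can be checked against the real map by running postmap -q once per key that access_keys() yields.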


[pfx] question regarding postmap -q test

2024-02-28 Thread lists--- via Postfix-users
My sender_access file contains

charity.donation.jp REJECT

postmap -q charity.donation.jp  hash:sender_access
REJECT

So it returns REJECT as expected. However testing some random users at
the domain:

postmap -q m...@charity.donation.jp  hash:sender_access

returns nothing. Is the domain being rejected in actual use even though
postmap -q testing with a specific user at the domain name doesn't
return anything?

This test has similar results with OK instead of REJECT.

 