[pfx] Re: old TLS client
On 03/04/2024 01:08, Viktor Dukhovni via Postfix-users wrote:

> On Thu, Mar 28, 2024 at 09:58:13AM +0200, Levente Birta via Postfix-users wrote:
>
>> > That's worth a try:
>> >
>> >     588 inet ... smtpd
>> >       -o smtpd_tls_security_level=encrypt
>> >       -o smtpd_tls_mandatory_protocols=TLSv1.2
>> >       ...
>>
>> Limiting to only TLSv1.2 did the job.
>
> It sure looks like something was causing the client's initial attempt
> with TLS 1.3 to not work, and when the client retried with TLS 1.2, the
> server objected, since it supported TLS 1.3. Now that the server
> supports TLS 1.2 only, it did not mind the fallback signal.
>
> The other possibility is that the client never tried TLS 1.3, and was
> implemented by a clueless keyboard-monkey, who decided to always send
> the fallback SCSV even though there was no fallback. That's sad, if
> true.

As I said, this is an old (2019/2020) Dahua DVR ... I have doubts that
this DVR supports TLSv1.3, although I don't remember when TLSv1.3 became
largely used. From my experience, these devices are always a few years
behind the current accepted standard (like ActiveX vs HTML5).

I saw an NVR (2023 model) which still sends email with TLSv1.2, but, at
least, it negotiates correctly with the TLSv1.3-enabled smtpd server.

Levi

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: old TLS client
On Thu, Mar 28, 2024 at 09:58:13AM +0200, Levente Birta via Postfix-users wrote:

> > That's worth a try:
> >
> >     588 inet ... smtpd
> >       -o smtpd_tls_security_level=encrypt
> >       -o smtpd_tls_mandatory_protocols=TLSv1.2
> >       ...
>
> Limiting to only TLSv1.2 did the job.

It sure looks like something was causing the client's initial attempt
with TLS 1.3 to not work, and when the client retried with TLS 1.2, the
server objected, since it supported TLS 1.3. Now that the server
supports TLS 1.2 only, it did not mind the fallback signal.

The other possibility is that the client never tried TLS 1.3, and was
implemented by a clueless keyboard-monkey, who decided to always send
the fallback SCSV even though there was no fallback. That's sad, if
true.

--
Viktor.
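The server-side rule Viktor describes is RFC 7507: when a ClientHello carries TLS_FALLBACK_SCSV but offers a lower version than the server supports, the server aborts with inappropriate_fallback. The following is an added example, not code from the thread or from Postfix/OpenSSL: a minimal ClientHello builder and parser that applies that rule to two constructed hellos (a DVR-style client that always sets the SCSV, and a modern client that offers TLS 1.3 via supported_versions). No real handshake takes place.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # RFC 7507 signalling cipher suite value
EXT_SUPPORTED_VERSIONS = 43       # RFC 8446 extension carrying TLS 1.3 offers
NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_client_hello(legacy_version, suites, supported_versions=None):
    """Constructed ClientHello (record + handshake headers), enough to exercise the parser."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                               # compression methods: null only
    exts = b""
    if supported_versions:
        vs = bytes([2 * len(supported_versions)])
        vs += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vs)) + vs
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type handshake

def parse_client_hello(rec):
    """Return (legacy_version, cipher_suites, supported_versions or None)."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                                  # skip record + handshake headers
    legacy = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32                                            # version, random
    p += 1 + rec[p]                                        # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + rec[p]                                        # compression methods
    supported = None
    if p + 2 <= len(rec):
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack("!H", rec[i:i + 2])[0]
                             for i in range(p + 1, p + 1 + rec[p], 2)]
            p += elen
    return legacy, suites, supported

def server_decision(rec, server_max):
    """Apply the RFC 7507 check: SCSV present and client's best version below ours -> alert."""
    legacy, suites, supported = parse_client_hello(rec)
    client_max = max(supported) if supported else legacy   # TLS 1.3 clients signal via the extension
    if TLS_FALLBACK_SCSV in suites and client_max < server_max:
        return "alert: inappropriate_fallback"
    return "accept: " + NAMES[min(client_max, server_max)]

# Constructed hellos: a 2019-era client offering only TLS 1.2 with the SCSV always set,
# and a modern client offering TLS 1.3 through supported_versions without the SCSV.
DVR_HELLO = build_client_hello(0x0303, [0xC02F, TLS_FALLBACK_SCSV])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F], [0x0304, 0x0303])
```

With server_max set to TLS 1.3 the DVR hello is rejected, and with the server pinned to TLS 1.2 (as the smtpd_tls_mandatory_protocols=TLSv1.2 override does) the same hello is accepted, which is the behaviour the thread observed.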
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
On Tue, Apr 02, 2024 at 12:11:03PM -0400, David Mehler wrote:

> Here is the complete log of the connections, IPS x-d out, but I tried
> twice, once on 587, once with smtps enabled. Any help appreciated.

As noted by Wietse, debug (verbose) logging is not useful here. Just
normal logging is quite sufficient.

> 2024-04-02T09:48:08.293161-04:00 hostname postfix/submission/smtpd[1529]:
> improper command pipelining after EHLO from
> xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n

As noted by Wietse, Postfix is reporting actual improper pipelining by
the client, prior to the EHLO reply.

> This is the port 465 attempt.
>
> 2024-04-02T09:49:02.419571-04:00 hostname postfix/smtps/smtpd[1575]:
> SSL_accept error from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: -1
> 2024-04-02T09:49:02.419716-04:00 hostname postfix/smtps/smtpd[1575]:
> warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad
> certificate:../ssl/record/rec_layer_s3.c:1590:SSL alert number 42:

This is also something to attend to, since Thunderbird is unable to
verify your certificate chain, and is sending a "bad certificate" TLS
alert. Your certificate chain may be incomplete (missing intermediate
CAs) or expired, or not issued by a trusted CA, ...

On Tue, Apr 02, 2024 at 02:24:35PM -0400, Wietse Venema wrote:

> > Here is the complete log of the connections, IPS x-d out, but I tried
> > twice, once on 587, once with smtps enabled. Any help appreciated.
>
> We DID NOT ask for verbose logs.
>
> All we asked for is this:
>
> > postfix/submission/smtpd[1529]: improper command pipelining after EHLO
> > from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n
>
> and that is logged without verbose logging.
>
> I found on-line reports from 2018 where Thunderbird sends
>
>     EHLO we-guess.mozilla.org\r\nQUIT\r\n
>
> I suppose that is an autoconf feature that hopefully can be turned
> off in Thunderbird, otherwise someone on the mozilla needs to learn
> how SMTP works.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1681946
> https://bugzilla.mozilla.org/show_bug.cgi?id=538809

This covers the port 587 illegal pipelining, but perhaps the bad
certificate on port 465 is part of the story.

--
Viktor.
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
David Mehler via Postfix-users:

> Hello,
>
> Here is the complete log of the connections, IPS x-d out, but I tried
> twice, once on 587, once with smtps enabled. Any help appreciated.

We DID NOT ask for verbose logs.

All we asked for is this:

> postfix/submission/smtpd[1529]: improper command pipelining after EHLO
> from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n

and that is logged without verbose logging.

I found on-line reports from 2018 where Thunderbird sends

    EHLO we-guess.mozilla.org\r\nQUIT\r\n

I suppose that is an autoconf feature that hopefully can be turned
off in Thunderbird, otherwise someone on the mozilla needs to learn
how SMTP works.

https://bugzilla.mozilla.org/show_bug.cgi?id=1681946
https://bugzilla.mozilla.org/show_bug.cgi?id=538809

Wietse

> Dave.
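Wietse's point is that the client sent a second command in the same write as EHLO, before any reply could have advertised PIPELINING. The following is an added example, not Postfix code: a small model of the two rules a receiving MTA applies to one client read (no pipelining before the EHLO reply offers it; RFC 2920 3.1 verbs must end a group), run over a constructed copy of the probe reported in the thread.

```python
# Verbs that must be the last command in a pipelined group (RFC 2920 section 3.1).
MUST_BE_LAST = {"EHLO", "HELO", "DATA", "VRFY", "EXPN", "TURN", "QUIT", "NOOP"}

def verb(line: str) -> str:
    """The SMTP command verb of one command line, upper-cased."""
    return line.split(" ", 1)[0].upper()

def split_commands(buf: bytes) -> list:
    """Split one client read into CRLF-terminated command lines (a trailing partial line is kept)."""
    return [p.decode("ascii", "replace") for p in buf.split(b"\r\n") if p]

def check_pipelining(first_read: bytes, pipelining_advertised: bool = False) -> list:
    """first_read is everything the client sent before the server answered its first command.
    Returns a list of findings; an empty list means the batch was legal."""
    cmds = split_commands(first_read)
    findings = []
    if len(cmds) < 2:
        return findings
    # Rule 1: a client may not pipeline until the EHLO reply has advertised PIPELINING,
    # so anything after the first command in the same read is improper. The finding
    # mirrors the smtpd(8) log line quoted in the thread.
    if not pipelining_advertised:
        rest = first_read.split(b"\r\n", 1)[1].decode("ascii", "replace")
        findings.append(f"improper command pipelining after {verb(cmds[0])}: {rest!r}")
    # Rule 2: even once PIPELINING is on, these verbs must end a group because the
    # client needs their reply before it can sensibly continue.
    for i, cmd in enumerate(cmds[:-1]):
        if verb(cmd) in MUST_BE_LAST:
            findings.append(f"{verb(cmd)} must be last in a group, but {verb(cmds[i + 1])} follows")
    return findings

# Constructed reads: the probe reported in the thread, and a legal group sent
# after the server has offered PIPELINING.
THUNDERBIRD_PROBE = b"EHLO we-guess.mozilla.org\r\nQUIT\r\n"
LEGAL_GROUP = b"MAIL FROM:<user@example.com>\r\nRCPT TO:<ops@example.com>\r\nDATA\r\n"
```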
[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo
Hello,

Here is the complete log of the connections, IPS x-d out, but I tried
twice, once on 587, once with smtps enabled. Any help appreciated.

Thanks.
Dave.

#tail -f /var/log/mail.log
2024-04-02T09:48:08.220604-04:00 hostname postfix/submission/smtpd[1529]: connect from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
2024-04-02T09:48:08.220939-04:00 hostname postfix/submission/smtpd[1529]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
2024-04-02T09:48:08.221246-04:00 hostname postfix/submission/smtpd[1529]: match_hostname: smtpd_client_event_limit_exceptions: xxx.xxx.xxx.xxx ~? 127.0.0.0/8
2024-04-02T09:48:08.221434-04:00 hostname postfix/submission/smtpd[1529]: match_hostaddr: smtpd_client_event_limit_exceptions: xxx.xxx.xxx.xxx ~? 127.0.0.0/8
2024-04-02T09:48:08.221704-04:00 hostname postfix/submission/smtpd[1529]: match_list_match: xxx.xxx.xxx.xxx: no match
2024-04-02T09:48:08.221881-04:00 hostname postfix/submission/smtpd[1529]: match_list_match: xxx.xxx.xxx.xxx: no match
2024-04-02T09:48:08.222386-04:00 hostname postfix/submission/smtpd[1529]: auto_clnt_open: connected to private/anvil
2024-04-02T09:48:08.222577-04:00 hostname postfix/submission/smtpd[1529]: private/anvil: wanted attribute: protocol
2024-04-02T09:48:08.222801-04:00 hostname postfix/submission/smtpd[1529]: input attribute name: protocol
2024-04-02T09:48:08.222935-04:00 hostname postfix/submission/smtpd[1529]: input attribute value: anvil_protocol
2024-04-02T09:48:08.223103-04:00 hostname postfix/submission/smtpd[1529]: private/anvil: wanted attribute: (list terminator)
2024-04-02T09:48:08.223264-04:00 hostname postfix/submission/smtpd[1529]: input attribute name: (end)
2024-04-02T09:48:08.223453-04:00 hostname postfix/submission/smtpd[1529]: send attr request = connect
2024-04-02T09:48:08.223579-04:00 hostname postfix/submission/smtpd[1529]: send attr ident = submission:xxx.xxx.xxx.xxx
2024-04-02T09:48:08.223857-04:00 hostname postfix/submission/smtpd[1529]: private/anvil: wanted attribute: status
2024-04-02T09:48:08.223987-04:00 hostname postfix/submission/smtpd[1529]: input attribute name: status
2024-04-02T09:48:08.224153-04:00 hostname postfix/submission/smtpd[1529]: input attribute value: 0
2024-04-02T09:48:08.224389-04:00 hostname postfix/submission/smtpd[1529]: private/anvil: wanted attribute: count
2024-04-02T09:48:08.224565-04:00 hostname postfix/submission/smtpd[1529]: input attribute name: count
2024-04-02T09:48:08.224734-04:00 hostname postfix/submission/smtpd[1529]: input attribute value: 1
2024-04-02T09:48:08.225001-04:00 hostname postfix/submission/smtpd[1529]: private/anvil: wanted attribute: rate
2024-04-02T09:48:08.225165-04:00 hostname postfix/submission/smtpd[1529]: input attribute name: rate
2024-04-02T09:48:08.225314-04:00 hostname postfix/submission/smtpd[1529]: input attribute value: 1
2024-04-02T09:48:08.225465-04:00 hostname postfix/submission/smtpd[1529]: private/anvil: wanted attribute: (list terminator)
2024-04-02T09:48:08.225610-04:00 hostname postfix/submission/smtpd[1529]: input attribute name: (end)
2024-04-02T09:48:08.225750-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 220 hostname.example.com ESMTP
2024-04-02T09:48:08.225896-04:00 hostname postfix/submission/smtpd[1529]: smtp_stream_setup: maxtime=300 enable_deadline=0 min_data_rate=0
2024-04-02T09:48:08.226037-04:00 hostname postfix/submission/smtpd[1529]: watchdog_pat: 0x55810ef6a110
2024-04-02T09:48:08.293029-04:00 hostname postfix/submission/smtpd[1529]: < xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: EHLO we-guess.mozilla.org
2024-04-02T09:48:08.293161-04:00 hostname postfix/submission/smtpd[1529]: improper command pipelining after EHLO from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: QUIT\r\n
2024-04-02T09:48:08.293252-04:00 hostname postfix/submission/smtpd[1529]: match_list_match: xxx.xxx.xxx.xxx: no match
2024-04-02T09:48:08.293413-04:00 hostname postfix/submission/smtpd[1529]: match_list_match: xxx.xxx.xxx.xxx: no match
2024-04-02T09:48:08.293480-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-hostname.example.com
2024-04-02T09:48:08.293547-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-PIPELINING
2024-04-02T09:48:08.293613-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-SIZE 52428800
2024-04-02T09:48:08.293675-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-ETRN
2024-04-02T09:48:08.293738-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-STARTTLS
2024-04-02T09:48:08.293801-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-ENHANCEDSTATUSCODES
2024-04-02T09:48:08.293863-04:00 hostname postfix/submission/smtpd[1529]: > xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: 250-8BITMIME
2024-04-02T09:48:08.293926-04:00 hostname postfix/submission/smtpd[1529]
[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere
On Tue, Apr 02, 2024 at 04:14:29AM -0400, Dan Mahoney via Postfix-users wrote:

> Hey there all,
>
> I’m setting up a staging version of dayjob’s ticket system, and we’d
> basically like postfix to still function, but instead of touching the
> internet at all, just deliver everything to a single file (or a maildir, I
> suppose), regardless of if a file is invoked via sendmail, or a port 25
> connection. I’d like nothing to leave the box.
>
> Is there some kind of transport hack I can use for this?

    # No local(8) delivery
    #
    alias_database =
    mydestination =
    local_transport = error:5.1.2 Mailbox unavailable

    # No locally hosted domains, but you may want to set one of these
    # non-empty to accept mail over SMTP, if mail comes in from outside,
    # but this could also be via submission, permit_mynetworks, ...
    #
    relay_domains =
    virtual_alias_domains =
    virtual_mailbox_domains =

    # Collapse all recipients to a single address, delivered to a single
    # maildir.
    #
    enable_original_recipient = no
    virtual_alias_maps = static:allmail@$mydomain
    default_transport = virtual
    virtual_mailbox_maps = static:/var/spool/virtual/allmail/
    virtual_uid_maps = static:12345
    virtual_gid_maps = static:12345

--
Viktor.
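A staging box configured this way should be checked for settings that would still let mail leave it. The following is an added example, not code from the thread or from Postfix: a parser for main.cf syntax (continuation lines, comments, later assignments winning) plus a containment check run over Viktor's settings and over a constructed "stock" configuration with a smarthost. The list of on-box transports is an assumption of this example.

```python
import textwrap

# Viktor's settings from the thread, minus his comments.
CONTAINED_CF = textwrap.dedent("""\
    alias_database =
    mydestination =
    local_transport = error:5.1.2 Mailbox unavailable
    relay_domains =
    virtual_alias_domains =
    virtual_mailbox_domains =
    enable_original_recipient = no
    virtual_alias_maps = static:allmail@$mydomain
    default_transport = virtual
    virtual_mailbox_maps = static:/var/spool/virtual/allmail/
    virtual_uid_maps = static:12345
    virtual_gid_maps = static:12345
""")

# Constructed: a stock-looking main.cf that relays through a smarthost.
LEAKY_CF = textwrap.dedent("""\
    # smarthost for outbound mail
    relayhost = [smtp.example.com]:587
    virtual_alias_maps = hash:/etc/postfix/virtual,
        hash:/etc/postfix/virtual-extra
""")

# Assumption: delivery agents that keep mail on the box; anything else counts as egress.
ON_BOX_TRANSPORTS = ("virtual", "local", "error", "discard", "retry")

def parse_main_cf(text: str) -> dict:
    """main.cf syntax: 'name = value'; a line starting with whitespace continues the
    previous value; '#' lines are comments; a later assignment overrides an earlier one."""
    cfg, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:            # continuation line
            cfg[key] = (cfg[key] + " " + raw.strip()).strip()
            continue
        key, _, val = raw.partition("=")
        key = key.strip()
        cfg[key] = val.strip()
    return cfg

def egress_findings(cfg: dict) -> list:
    """Reasons mail could leave the box or miss the catch-all; empty list = looks contained."""
    findings = []
    if cfg.get("relayhost", ""):
        findings.append("relayhost is set, so non-local mail is forwarded to " + cfg["relayhost"])
    transport = cfg.get("default_transport", "smtp")        # Postfix's built-in default is smtp
    if transport.split(":", 1)[0] not in ON_BOX_TRANSPORTS:
        findings.append(f"default_transport = {transport}: non-local recipients would go out via SMTP")
    if not cfg.get("virtual_alias_maps", "").startswith("static:"):
        findings.append("virtual_alias_maps does not collapse every recipient to one static: address")
    if transport == "virtual" and not cfg.get("virtual_mailbox_maps", "").startswith("static:/"):
        findings.append("default_transport is virtual but virtual_mailbox_maps is not a static: absolute path")
    return findings
```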
[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere
Dan Mahoney via Postfix-users:

> Hey there all,
>
> I’m setting up a staging version of dayjob’s ticket system, and
> we’d basically like postfix to still function, but instead of
> touching the internet at all, just deliver everything to a single
> file (or a maildir, I suppose), regardless of if a file is invoked
> via sendmail, or a port 25 connection. I’d like nothing to leave
> the box.
>
> Is there some kind of transport hack I can use for this?

The local delivery agent comes to mind. It delivers to files or maildirs:

- It is the default setting for "local_transport".
- It delivers by default to the system mail spool directory
  https://www.postfix.org/postconf.5.html#mail_spool_directory
- It can deliver to the user's home directory
  https://www.postfix.org/postconf.5.html#home_mailbox

And it can deliver to any file that is writable by the default user
https://www.postfix.org/aliases.5.html
https://www.postfix.org/postconf.5.html#default_privs
https://www.postfix.org/local.8.html

Wietse
[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere
Dan Mahoney via Postfix-users wrote on 2024-04-02 10:14:

> Hey there all,
>
> I’m setting up a staging version of dayjob’s ticket system, and we’d
> basically like postfix to still function, but instead of touching the
> internet at all, just deliver everything to a single file (or a maildir, I
> suppose), regardless of if a file is invoked via sendmail, or a port 25
> connection. I’d like nothing to leave the box.
>
> Is there some kind of transport hack I can use for this?

https://unix.stackexchange.com/questions/132654/how-to-make-postfix-create-maildir

Note: Maildir stores in an mbox file, while Maildir/ does store in a maildir.

Postfix does not need external tools to do it on its own, but why not just lmtp?
[pfx] Is there a way to just quickly deliver "everything" to a file somewhere
Hey there all,

I’m setting up a staging version of dayjob’s ticket system, and we’d
basically like postfix to still function, but instead of touching the
internet at all, just deliver everything to a single file (or a maildir, I
suppose), regardless of if a file is invoked via sendmail, or a port 25
connection. I’d like nothing to leave the box.

Is there some kind of transport hack I can use for this?

-Dan