Re: postfix rsyslog not logging

2017-01-24 Thread Benning, Markus

If /dev/log were not hardcoded in syslog.h, it would be possible to
make the socket configurable in Postfix and output directly to the
rsyslog process.


:-(

On 2017-01-23 15:04, wie...@porcupine.org wrote:
And the logging daemon uses more CPU than Postfix. We're back 20 years 
ago.



--
https://markusbenning.de/


Re: postfix rsyslog not logging

2017-01-22 Thread Benning, Markus

Hi,

On most Linux distributions /dev/log is owned by systemd-journald these
days.


Check if your logs reach the journal:

  journalctl -u postfix

If that's the case, check if rsyslog reads logs from journald:

  $ModLoad imjournal


 Markus

On 2017-01-22 16:41, Bartłomiej Solarz-Niesłuchowski wrote:
Suddenly, after the upgrade to FC25, Postfix stopped logging to
/var/log/maillog.


in /etc/rsyslog.conf is:

mail.* -/var/log/maillog


--
https://markusbenning.de/


Re: Customize log messages?

2016-12-04 Thread Benning, Markus

On 2016-12-02 15:10, Michael Munger wrote:

This is a great idea. This is a spam filter that is integrated into a
CRM system, so I needed to parse and dump the information so it could be
sucked up later.

Here's what I ultimately created. It still needs some work (mainly
because it re-reads the whole file every time, and I should use
timestamps and a half-interval search algorithm to find the
last-processed time stamp. I am relying on log rotate to make it
not-too-terribly-big).

https://github.com/mjmunger/postfix-log-parser


Maybe you want to take a look at my saftpresse project:

https://github.com/benningm/saftpresse

It's an event pipe/log analyzer.
It's modular, and the Postfix plugin is based on refactored
code from the pflogsumm script:

https://github.com/benningm/saftpresse/blob/master/lib/Log/Saftpresse/Plugin/Postfix.pm

It has syslog and systemd-journald inputs and can output to
Elasticsearch.

It may be easier to query an Elasticsearch index than to parse logs.
Or you just click together some reports with Kibana.
I remember that somewhere there was a plugin or PDF generator for it.

 Markus
--
https://markusbenning.de/


Re: Policy server problem: connection timed out or connection reset by peer

2016-08-19 Thread Benning, Markus

On 2016-08-17 17:34, Zhang Huangbin wrote:

I got a problem with my own Postfix policy server (written in Python).
Postfix usually works fine with it, but sometimes it raised error like
this:

Aug 17 08:32:52 mail1 postfix/smtpd[24298]: warning: problem talking
to server 127.0.0.1:1234: Connection reset by peer
Aug 17 08:34:05 mail1 postfix/smtpd[24771]: warning: problem talking
to server 127.0.0.1:1234: Connection timed out

At the time Postfix raised these errors, my policy server was still
working and properly processing requests (checked its log file).


Your policy daemon may not be able to handle the incoming requests fast
enough.


If new connections are not processed, the Linux kernel will maintain a
backlog of ESTABLISHED connections. The size of this queue is set with the
listen() call. If your connections stay too long in this state, the client
(Postfix) will decide to abort with a timeout.

If the backlog overflows, what happens depends on the value of:

sysctl net.ipv4.tcp_abort_on_overflow

Depending on the syncookie setting of your kernel, it may also report a
possible SYN flood condition in this case (check dmesg).

The connection reset may also occur when your client actively closes the
connection, e.g. in case of a failure when the process is closed by the
kernel.

I suggest that you check what slows down or blocks the processing of
requests in your policy daemon. Does it do lookups which may also time out?
Are there lock conditions?


If everything is fine, it may also be a scaling problem with the
architecture of your policy daemon.

If your daemon just uses a single-threaded accept loop, a single request
could block/slow down the whole daemon.

If you're using an async event loop, you may do things which block for too
long.


If you're using a prefork model, you may not have enough processes running,
or the processing of a single request takes too long.

You should also check if Postfix uses more keepalive connections than your
policyd is able to process in parallel. In this case the keepalive
connections may block all available slots. In that case, disable it by
setting smtpd_policy_service_request_limit=0.



Markus

--
https://markusbenning.de/
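
An added example of the architecture sketched in the reply above; it is not the Python daemon from the question and not mtpolicyd. It is a Postfix policy daemon whose accept loop is never held up by a slow request (one thread per connection), whose listen() backlog is set explicitly, and whose connection handler keeps answering requests until Postfix closes the connection. That last point matters because Postfix reuses one policy connection for many requests (smtpd_policy_service_request_limit, default 0, means no limit), so a handler that answers a single request and returns cuts off the next request on that connection. The port, the deadline, the fail-open choice and the blocked address are assumptions made for the example.

```python
"""Postfix policy daemon: threaded accept loop plus keepalive-aware handler.

Added example (not the daemon from the question, not mtpolicyd). Port, deadline
and the blocked address are assumptions for the example.
"""
import io
import socketserver
import sys
import time

LISTEN_ADDR = ("127.0.0.1", 10040)   # check_policy_service inet:127.0.0.1:10040 (assumed)
SLOW_REQUEST = 5.0                   # seconds; log anything slower (Postfix waits far longer)
# Fail open: an exception inside the policy must not leave Postfix waiting for
# a reply. Use "DEFER_IF_PERMIT 4.7.0 policy unavailable" instead for an
# access-control policy that has to fail closed.
ON_ERROR = "DUNNO"
BLOCKED_CLIENTS = {"192.0.2.66"}      # constructed sample data


def parse_request(rfile):
    """Read one policy request: 'name=value' lines ended by an empty line.

    Returns a dict, or None when the client closed the connection (the normal
    end of a keepalive session, or an aborted request).
    """
    attrs = {}
    while True:
        line = rfile.readline()
        if not line:
            return None
        line = line.rstrip(b"\r\n")
        if not line:
            if attrs:
                return attrs
            continue                      # ignore stray blank lines between requests
        name, sep, value = line.partition(b"=")
        if sep:
            attrs[name.decode("ascii", "replace")] = value.decode("utf-8", "replace")


def decide(attrs):
    """Policy for one request. DUNNO leaves the decision to later restrictions."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("client_address") in BLOCKED_CLIENTS:
        return "REJECT 5.7.1 client blocked by policy"
    return "DUNNO"


def serve_stream(rfile, wfile, policy=decide):
    """Answer every request on one connection until the client hangs up.

    Returns the number of requests answered. Each reply is 'action=<verb>'
    followed by an empty line, as the policy protocol requires.
    """
    handled = 0
    while True:
        attrs = parse_request(rfile)
        if attrs is None:
            return handled
        started = time.monotonic()
        try:
            action = policy(attrs)
        except Exception as exc:          # noqa: BLE001 - a policy bug must not stall Postfix
            print(f"policy error: {exc!r}", file=sys.stderr)
            action = ON_ERROR
        elapsed = time.monotonic() - started
        if elapsed > SLOW_REQUEST:
            print(f"slow policy lookup ({elapsed:.1f}s) for {attrs.get('client_address')}",
                  file=sys.stderr)
        wfile.write(f"action={action}\n\n".encode())
        wfile.flush()
        handled += 1


def handle_bytes(raw, policy=decide):
    """Run serve_stream over an in-memory connection; returns (count, reply bytes)."""
    out = io.BytesIO()
    count = serve_stream(io.BytesIO(raw), out, policy)
    return count, out.getvalue()


class PolicyHandler(socketserver.StreamRequestHandler):
    timeout = 300                         # drop idle keepalive connections eventually

    def handle(self):
        try:
            serve_stream(self.rfile, self.wfile)
        except OSError:                   # timeout, reset or broken pipe: Postfix gave up
            pass


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    request_queue_size = 128              # the listen() backlog discussed above


if __name__ == "__main__":
    with PolicyServer(LISTEN_ADDR, PolicyHandler) as server:
        server.serve_forever()
```

Run it and point Postfix at it with check_policy_service inet:127.0.0.1:10040. The slow-lookup log line is the first thing to look for when Postfix reports connection timeouts: if lookups inside the policy take longer than a few seconds, the daemon, not the kernel backlog, is the bottleneck.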


Re: Brutal attacks

2016-07-11 Thread Benning, Markus

On 2016-07-09 18:34, Robert Schetterer wrote:

additionally fail2ban, but log parsing was too slow on my side,
and for sure use postscreen


It's possible to trigger fail2ban from a policyd:

https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban


Markus
--
https://markusbenning.de/


Re: No From: address in policy delegation protocol?

2016-06-28 Thread Benning, Markus

On 2016-06-28 07:46, Zhang Huangbin wrote:

I have a simple Postfix policy server, and got a problem rejecting a
sender login mismatch (sender != sasl_username) with Outlook 2016:
the user is able to specify a From: address, it can be any address you
want, and the From: address is not passed to the policy server.

I can reproduce this issue with a simple Python program:

*) construct a mail message with a forged sender address, e.g. 'From:
'
*) send the email as a normal/legal user "auth_u...@my-domain.com" with SMTP
auth.
*) while sending the email, specify the sender address as
"auth_u...@my-domain.com".
*) When the user receives the email, his MUA shows the address in 'From:'
as the sender.


In this case:

- the address 'fo...@forge.com' is not available in the policy server
- the attributes 'sender=' and 'sasl_username' are
'auth_u...@my-domain.com'


So the question is, does Postfix parse the submitted mail message to
get the 'From:' address? How can I overcome this?


The policy service is just a table lookup. From which restriction do you
call the policy lookup?

The From: is a header, not an SMTP protocol field.
It may only be available within a header check.

It may be easier to implement such a check within a content filter,
for example within a SpamAssassin rule/plugin.

Markus
--
https://markusbenning.de/


Re: simple greylisting by geoip? milter or policy server?

2016-06-14 Thread Benning, Markus

On 2016-06-14 02:28, list...@tutanota.com wrote:

I am considering the installation of Greylisting with Postfix.

I want it only for one condition, to greylist mail originating from
certain countries.


Hi,

maybe mtpolicyd is an option for you:

https://www.mtpolicyd.org

It is a modular policyd and ships with a plugin for GeoIP.
It works like this:

  
module = "GeoIPLookup"
database = "/usr/share/GeoIP/GeoIP.dat"
  
  
module = "GeoIPAction"
result_from = "geoip"
country_codes = "DE,AT,CH,FR,IT"
mode = passive
score = -1
  
  
module = "GeoIPAction"
result_from = "geoip"
country_codes = "RU,UA,CN,IN"
mode = passive
score = 5
  

Instead of a score you could also set actions:

  
module = "GeoIPAction"
result_from = "geoip"
country_codes = "AQ"
mode = "reject"
reject_message = "too cold"
  

There's also a Greylisting plugin.
You can combine them for conditional greylisting:

  
module = "ScoreAction"
threshold = 5

  module = "Greylist"
  score = -5
  mode = "passive"
  # activating the autowl will require a SQL database
  use_autowl = 0

  


Markus

--
https://markusbenning.de/


[PATCH] Re: cyrus saslauthd error handling

2016-04-07 Thread Benning, Markus

On 2016-04-06 16:19, Benning, Markus wrote:

In sasl.h:

#define SASL_FAIL   -1   /* generic failure */

Could this one be added to the AUTH_TEMP case?


I took a look at the cyrus-sasl code in lib/checkpw.c, and most error
cases there return SASL_FAIL.

Wrong credentials return SASL_BADAUTH, SASL_NOAUTHZ
or something like SASL_PWLOCK, etc.

A list of codes is in sasl.h, but I could not find much
documentation about their usage.


As a server-side error should result in a temporary SMTP error code,
I suggest mapping at least SASL_FAIL to the XSASL_AUTH_TEMP status.

diff --git a/postfix/src/xsasl/xsasl_cyrus_server.c 
b/postfix/src/xsasl/xsasl_cyrus_server.c

index 95c470d..91f93ab 100644
--- a/postfix/src/xsasl/xsasl_cyrus_server.c
+++ b/postfix/src/xsasl/xsasl_cyrus_server.c
@@ -480,6 +480,8 @@ static int xsasl_cyrus_server_auth_response(int 
sasl_status,

sasl_status = SASL_BADAUTH;
vstring_strcpy(reply, xsasl_cyrus_strerror(sasl_status));
switch (sasl_status) {
+  case SASL_FAIL:
+  case SASL_NOMEM:
case SASL_TRYAGAIN:
case SASL_UNAVAIL:
return XSASL_AUTH_TEMP;
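Review bot: `case SASL_FAIL:` maps a catch-all status to a temporary error while the covering text only argues for the missing-saslauthd-socket case; the 2016-04-06 reply in this same thread asks whether libsasl also returns SASL_FAIL for a wrong password, and the description above says most error paths in lib/checkpw.c return it. If any of those paths is a permanent authentication failure, this switch turns the 535 5.7.8 reply into a 4xx, so a client with bad credentials keeps retrying and a brute-force attempt shows up in the logs as temporary failures rather than authentication failures. Before merging, list the checkpw.c paths that return SASL_FAIL for the pwcheck methods Postfix supports (at least the "cannot connect to saslauthd" case that motivated this) or narrow the change to that case, and since `case SASL_NOMEM:` is added as well while the text mentions only SASL_FAIL, say so in the change description. It is also worth confirming from the `sasl_status = SASL_BADAUTH;` context line above the switch that SASL_FAIL is not already rewritten before it reaches the switch.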



--
https://markusbenning.de/


Re: cyrus saslauthd error handling

2016-04-06 Thread Benning, Markus

On 2016-04-06 16:19, Benning, Markus wrote:

In sasl.h:

#define SASL_FAIL   -1   /* generic failure */

Could this one be added to the AUTH_TEMP case?


Could it be that libsasl also uses SASL_FAIL in case of a wrong
password?

In that case I think it would be an error in libsasl.
It should instead return

#define SASL_UNAVAIL    -24  /* remote authentication server unavailable */


 Markus
--
https://markusbenning.de/


cyrus saslauthd error handling

2016-04-06 Thread Benning, Markus

Hi,

when I use a Cyrus saslauthd:

pwcheck_method: saslauthd
mech_list: plain login
saslauthd_path: /var/run/kokolores/mux

and saslauthd is not running, then the socket /var/run/kokolores/mux
does not exist and Postfix returns


535 5.7.8 Error: authentication failed: generic failure

Shouldn't Postfix return a temporary error in this case?

In xsasl_cyrus_server.c:

    switch (sasl_status) {
    case SASL_TRYAGAIN:
    case SASL_UNAVAIL:
        return XSASL_AUTH_TEMP;
    default:
        return (XSASL_AUTH_FAIL);
    }

In sasl.h:

#define SASL_FAIL   -1   /* generic failure */

Could this one be added to the AUTH_TEMP case?

Maybe there are a few more errors in sasl.h which indicate
service-side problems and should be handled with a temporary error.

#define SASL_NOMEM      -2   /* memory shortage failure */
#define SASL_BUFOVER    -3   /* overflowed buffer */


 Markus

--
https://markusbenning.de/


Re: SASL with secure password storage

2016-03-27 Thread Benning, Markus

On 2016-03-24 15:31, Benning, Markus wrote:
I'm currently searching for a way to implement SASL authentication with
Postfix and a secure password mechanism like bcrypt.


Here comes kokolores:

https://github.com/benningm/kokolores

An alternative saslauthd with plugin support.


--
https://markusbenning.de/


SASL with secure password storage

2016-03-24 Thread Benning, Markus

Hello postfix users,

I'm currently searching for a way to implement SASL authentication with
Postfix and a secure password mechanism like bcrypt.

sasldb -> plain text
sql -> requires plain text passwords
ldapdb -> requires an LDAP server (could use whatever the LDAP server
implements)

saslauthd -> pam, rimap

An ideal solution for my case would be a local SQLite database and bcrypt
password storage with the possibility to migrate to a central SQL
database later.


Suggestions?

 Markus

--
https://markusbenning.de/
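
An added example, not kokolores and not Cyrus saslauthd, of what the "alternative saslauthd" mentioned in the follow-up has to speak and store. It is a daemon for the saslauthd mux protocol as libsasl's checkpw.c sends it (four length-prefixed fields login, password, service, realm; one length-prefixed "OK" or "NO ..." reply; one request per connection) that keeps passwords as salted, iterated hashes instead of plaintext. It uses PBKDF2-HMAC-SHA256 from the standard library because bcrypt needs a third-party module; the storage format and the constant-time verification would look the same with bcrypt. The socket path, iteration count and user table are assumptions.

```python
"""saslauthd-compatible daemon with hashed passwords instead of plaintext.

Added example, not code from kokolores or Cyrus SASL. Socket path, iteration
count and the user table are assumptions.
"""
import hashlib
import hmac
import io
import os
import socketserver
import struct

SOCKET_PATH = "/var/run/kokolores/mux"   # saslauthd_path in smtpd.conf (assumed)
PBKDF2_ITERATIONS = 100_000              # raise for production hardware (assumption)


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, password):
    """Recompute the hash with the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash verified for unknown logins so that response time does not reveal
# which accounts exist. Random password: nothing can ever match it.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def read_counted(rfile):
    """One saslauthd field: 2-byte big-endian length, then that many bytes."""
    header = rfile.read(2)
    if len(header) < 2:
        raise EOFError("client closed the connection")
    (length,) = struct.unpack("!H", header)
    data = rfile.read(length)
    if len(data) < length:
        raise EOFError("truncated field")
    return data


def build_request(login, password, service, realm):
    """Encode a request the way libsasl's saslauthd client does (handy for tests)."""
    return b"".join(struct.pack("!H", len(f)) + f
                    for f in (s.encode() for s in (login, password, service, realm)))


def authenticate(users, login, password, service, realm):
    """Return the reply field for one request: b'OK' or b'NO <reason>'."""
    stored = users.get(login)
    matched = verify_password(stored if stored is not None else _DUMMY_HASH, password)
    # service and realm are ignored here; they could select a different user table.
    if stored is not None and matched:
        return b"OK"
    return b"NO authentication failed"


def handle_one(rfile, wfile, users):
    """saslauthd serves exactly one request per connection."""
    fields = [read_counted(rfile).decode("utf-8", "replace") for _ in range(4)]
    reply = authenticate(users, *fields)
    wfile.write(struct.pack("!H", len(reply)) + reply)
    wfile.flush()
    return reply


def handle_bytes(raw, users):
    """Run handle_one over an in-memory connection; returns the raw reply."""
    out = io.BytesIO()
    handle_one(io.BytesIO(raw), out, users)
    return out.getvalue()


class MuxHandler(socketserver.StreamRequestHandler):
    def handle(self):
        try:
            handle_one(self.rfile, self.wfile, self.server.users)
        except (EOFError, OSError):
            pass


def serve(socket_path, users):
    """Listen on the mux socket; only the mail system's group should reach it."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)
    server = socketserver.ThreadingUnixStreamServer(socket_path, MuxHandler)
    server.users = users
    os.chmod(socket_path, 0o660)
    server.serve_forever()


if __name__ == "__main__":
    # Constructed sample user table; in practice load it from SQLite/SQL as the post suggests.
    serve(SOCKET_PATH, {"alice": hash_password("correct horse battery staple")})
```

With saslauthd_path pointing at the socket, libsasl connects once per authentication attempt, so the daemon never has to cope with keepalive; the cost that matters is one PBKDF2 computation per attempt, which is exactly the brake on credential stuffing that plaintext storage does not provide.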


Re: postfix drown attack migation on version 2.3 (rhel5)?

2016-03-09 Thread Benning, Markus

On 2016-03-03 08:12, Eero Volotinen wrote:

Can someone give working mitigation instructions for postfix 2.3
(postfix-2.3.3-7.el5)? Many of the instructions are not working correctly
on such an old version (as the settings are not supported).


Just install the RHSA errata:

https://rhn.redhat.com/errata/RHSA-2016-0302.html

It disables SSLv2 in libssl.


 Markus

--
https://markusbenning.de/


Re: Throttling locally generated email

2015-11-10 Thread Benning, Markus

On 2015-11-10 23:42, Donald Bindner wrote:
smtpd_recipient_restrictions = check_policy_service 
inet:127.0.0.1:10040


You may want to use a different restriction than the recipient one.
The recipient restrictions are executed for every recipient.
They get executed multiple times if the mail has more than one recipient.


However, this kind of rule seems to run only for mail "passing
through" my Postfix server and not for mail originating locally.  In
any event, the service running on port 10040 does not receive
connections from Postfix for mail that is generated locally.


If you mean real local submission via the command line, then you can't
limit mails sent this way. The checks are only implemented by smtpd.

If you mean the submission server (port 587), then you may want to check
your master.cf.

Maybe it overrides the option with a different value like:

  -o smtpd_recipient_restrictions=


I'd love it if someone would show an example that "hooks this up."  I'm
confident that I have postfwd configured correctly to listen on port
10040, I just need Postfix to talk to it.


No postfwd example, but mtpolicyd is also able to add quotas based on
sasl_username:


https://www.mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::HowtoAccountingQuota


Markus

--
https://markusbenning.de/


Re: Conditional Greylisting

2015-09-18 Thread Benning, Markus
I'm also using a policy daemon to build a score based on whitelists,
SPF, RBLs, GeoIP, etc.,
and then apply greyl­isting or rejects based on the score
(as in the mtpolicyd example configuration:
https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf).


But you can't do content checks in a recipient_restriction.
DKIM is based on message content.


 Markus

Am 2015-09-18 20:09, schrieb Bruce Marriner:

I have (well had, technically) all of these running under the
smtpd_recipient_restrictions with check_policy_service statements.

On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:
I think he is out after doing a temporary fail after the DATA stage,
thus avoiding the chicken and egg problem.

-Ursprungligt meddelande-
From: Wietse Venema
Sent: Friday, September 18, 2015 7:50 PM
To: Postfix users
Subject: Re: Conditional Greylisting

Bruce Marriner:
> I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> to completely bypass greylisting.  However, if it soft-fails those
> checks then I want it to greylist next.

You have a chicken and egg problem. DKIM signature verification
requires that Postfix receives the email message.  Greylisting
happens BEFORE Postfix receives the email message.

Wietse



--
https://markusbenning.de/


Re: Postfix 3.x for RedHat/CentOS 7.x

2015-09-06 Thread Benning, Markus

Am 2015-09-05 20:43, schrieb Viktor Dukhovni:

What I've not yet checked, is whether Fedora (like Debian) has
started splitting up Postfix into multiple RPMs with optional
databases (LDAP, MySQL, ...) in separate packages, now that Postfix
supports shared library builds, and dynamic maps.  If they have
not, they probably should.

Who's the Fedora Postfix maintainer these days?

Debian Postfix seems to be cycle-starved, any volunteers to take
over and bring it up to date?


@Patrick:
The Fedora packages are a good base to backport new versions to RHEL.
You can get the most current SRPMs from their build system at:
http://koji.fedoraproject.org/koji/packageinfo?packageID=363

@Viktor:
I also found that the Debian packages had had no updates for some time
when I tried to build a package with the policy_context patch.

I built a Debian package with the latest Postfix and my patch:

https://github.com/benningm/postfix/tree/debian

I tested it so far that "it worked for me".
As you mentioned, shared libs and dynamicmaps needed adjustments.

I think it's best to contact the current maintainer, LaMont Jones.
If he is not able to update the package, it may be possible to further
improve the updated package and do a non-maintainer upload.


 Markus

--
Markus Benning, https://markusbenning.de/


Re: postfix stats

2015-05-11 Thread Benning, Markus

Am 2015-05-08 15:38, schrieb Tom Johnson:
Besides the classic pflogsumm interface, my goal for the project is to
be able to output log data to Elasticsearch and counters to Graphite.

That would enable a live pflogsumm, interactive and in color ;-)


Have you considered integrating amavisd-new log processing as well?
Consolidating all the logging info so that any given email can be
located via Elastic Search would be quite useful.  I've considered
doing something like this using fluentd or some other log-collection
system to gather data from multiple mailservers, but haven't had time
to actually implement anything like this myself.


Amavis is able to output JSON structured logging. I wrote a blog post
about this some time ago:

https://markusbenning.de/blog/?p=10

I also posted a patch to the amavis list for a filtered JSON output, since
the default JSON logging is very verbose and storing things like the subject
may not be allowed for everyone:

http://lists.amavis.org/pipermail/amavis-users/2014-December/003371.html

It will be easy to read this JSON and to forward it into Elasticsearch
together with the Postfix logs.

 Markus


--
Markus Benning, https://markusbenning.de/


Re: postfix stats

2015-05-08 Thread Benning, Markus

Am 2015-05-01 17:43, schrieb Patrick Ben Koetter:

You can find the project at Github:

https://github.com/benningm/saftpresse


ACK. Good tool. We use it a lot.


Good to know.

Besides the classic pflogsumm interface, my goal for the project is to
be able to output log data to Elasticsearch and counters to Graphite.

That would enable a live pflogsumm, interactive and in color ;-)

 Markus
--
Markus Benning, https://markusbenning.de/


Re: postfix stats

2015-05-08 Thread Benning, Markus

Hello,

it takes input from STDIN. I'll update the examples.

If there is demand I'll push a release to CPAN/git.

I created a fatpacked (includes the files from lib/) version of
saftsumm and pushed it to:


https://markusbenning.de/tmp/saftsumm

I also added an --man option which outputs the manpage.

 Markus


Am 2015-05-05 11:43, schrieb Birta Levente:

On 01/05/2015 17:45, Benning, Markus wrote:

Hi,

if you are willing to test my pflogsumm fork and to provide some sample
log lines, I'll implement postscreen statistics.

You can find the project at GitHub:

https://github.com/benningm/saftpresse

I modularized the pflogsumm code into separate plugins:

https://github.com/benningm/saftpresse/tree/master/lib/Log/Saftpresse/Plugin

Also inputs and outputs.

There are two commands. The command saftpresse will be a new interface
to the code which is configurable by a configuration file. It is still a
work in progress.

The command saftsumm tries to resemble the pflogsumm command-line
interface.
Additional features already in it are TLS and GeoIP statistics, and
different outputs.

Currently pflogsumm, HTML, JSON and Perl Dump.

My goal for saftpresse is to use it also for structured logging and to
implement more than just Postfix logging.



Can you provide more information on how to install?

The following command does nothing:
#./saftsumm -d yesterday /var/log/maillog


What I do on CentOS 6.6:
put lib/Log into /usr/share/perl5/

The test.pl says:
Parameter module is not defined for Input FileTail! at
/usr/share/perl5/Log/Saftpresse/Slurp.pm line 62.

Thanks,


--
Markus Benning, https://markusbenning.de/


Re: postfix stats

2015-05-01 Thread Benning, Markus

Hi,

if you are willing to test my pflogsumm fork and to provide some sample
log lines, I'll implement postscreen statistics.

You can find the project at GitHub:

https://github.com/benningm/saftpresse

I modularized the pflogsumm code into separate plugins:

https://github.com/benningm/saftpresse/tree/master/lib/Log/Saftpresse/Plugin

Also inputs and outputs.

There are two commands. The command saftpresse will be a new interface
to the code which is configurable by a configuration file. It is still a
work in progress.

The command saftsumm tries to resemble the pflogsumm command-line
interface.
Additional features already in it are TLS and GeoIP statistics, and
different outputs.

Currently pflogsumm, HTML, JSON and Perl Dump.

My goal for saftpresse is to use it also for structured logging and to
implement more than just Postfix logging.

Markus


Am 2015-05-01 02:24, schrieb Terry Barnum:

I've been using pflogsumm but it's old and doesn't know about
postscreen. I'd like to see how many connections are being refused by
postscreen. What do you like? logwatch? awstats? other?


--
Markus Benning, https://markusbenning.de/


Re: Policy attributes to PERL script

2015-03-01 Thread Benning, Markus

Am 2015-02-27 14:45, schrieb MickTW8:
The issue I have is knowing how to read any of the attributes listed
here

www.postfix.org/SMTPD_POLICY_README.html#protocol


Hello Mick,

it may be an option for you to implement your code as a plugin for
mtpolicyd.

There's documentation for writing a simple plugin at:

https://www.mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::BasicModule

Then you won't have to care about accepting connections, parsing, logging
and so on.


Another option may be to just copy over the Request class to your
project and remove dependencies on Net::Server, etc. from it:

https://github.com/benningm/mtpolicyd/blob/master/lib/Mail/MtPolicyd/Request.pm

 Markus


--
Markus Benning, https://markusbenning.de/


Re: Policy attributes to PERL script

2015-03-01 Thread Benning, Markus

Am 2015-03-01 12:38, schrieb Mick:

Hello Markus,

Thanks very much for your reply.  I didn't come across Cookbook in my
searches but I don't think I will need it now as I'm very pleased to
report I got my first test policy implemented yesterday evening. Don't
laugh, all it does so far is block senders where 'sender' doesn't
match 'sasl-user'. Everyone has to start somewhere right? It does put
me in a place where I can write customised policies now.  I was
thinking of using mysql but everyone seems to use Berkeley DB? Maybe
worth considering as it has a locking arrangement.

One of my user email accounts was compromised a couple of months ago
and over a period of 5 hours thousands of SPAM messages were sent.
G! Since then I have become rather paranoid checking the mail log
whenever I can looking for Relay=' and auth failures manually barring
IPs that repeatedly fail to log in.  I need to relax a bit so decided
to try and write a SPAM limitation policy, as in ;

if (X number of messages sent in Y  time), {
 external relay access blocked until user resets password
}.

To do this I needed to read  the SASL_USERNAME field into PERL in
order to log and count SMTP requests to their account, now I can,
thanks to help given here. I think by Thursday I will have a test
version of  it up and running.


The reject_sender_login_mismatch in smtpd_sender_restrictions already
does that as a native Postfix check:

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

The Accounting/Quota module in mtpolicyd can be used to count/limit
mails per SASL user in an SQL database supported by Perl DBI (SQLite,
MySQL, etc.):


https://www.mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::HowtoAccountingQuota


Markus

--
Markus Benning, https://markusbenning.de/


Re: Queue id uniqueness

2015-01-22 Thread Benning, Markus

Am 2015-01-22 10:26, schrieb hyndavirap...@bel.co.in:

I have enabled enable_long_queue_id = yes

Now my doubt is how long queue IDs will be unique for a 150 mails/min
mail flow?


The ID is built from the time and the file ID within the filesystem.
So each queue_id should be locally unique.
The long queue ID will not repeat within a UNIX epoch.
The default queue ID will not repeat within a second.

The code for generating the queue_id:

https://github.com/vdukhovni/postfix/blob/master/postfix/src/global/mail_queue.c#L393

The encoding is defined in:

https://github.com/vdukhovni/postfix/blob/master/postfix/src/global/mail_queue.h#L80


Markus

--
Markus Benning, https://markusbenning.de/
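
An added example, not Postfix code, that makes the layout referred to above concrete: a decoder and encoder for long queue IDs following src/global/mail_queue.h (seconds in base 52, at least six digits; microseconds in base 52, four digits; the separator 'z'; then the inode number in base 51), using the digit alphabet of util/safe_ultostr.c (digits and consonants, no vowels). Because the inode part is base 51 it never contains 'z', so the last 'z' in the ID is the separator even though the time part may contain one. The queue ID used in the usage lines is a sample chosen for the example; it decodes to a timestamp in March 2011.

```python
"""Decode and encode Postfix long queue IDs (enable_long_queue_id = yes).

Added example, not Postfix code. Layout per src/global/mail_queue.h, digit
alphabet per util/safe_ultostr.c.
"""
import datetime

SAFE_CHARS = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz"   # 52 symbols
SEC_BASE, SEC_PAD = 52, 6      # seconds since the epoch, zero-padded to 6 digits
USEC_BASE, USEC_PAD = 52, 4    # microseconds, 4 digits (52**4 > 10**6)
INUM_SEP, INUM_BASE = "z", 51  # inode in base 51, so it can never contain 'z'
_VALUE = {c: i for i, c in enumerate(SAFE_CHARS)}


def safe_encode(value, base, pad=0):
    """Like safe_ultostr(): most significant digit first, '0'-padded to pad."""
    if not 2 <= base <= len(SAFE_CHARS):
        raise ValueError("unsupported base")
    digits = []
    while value:
        value, rem = divmod(value, base)
        digits.append(SAFE_CHARS[rem])
    digits.extend("0" * (pad - len(digits)))
    # Postfix would emit "" for zero with pad 0; "0" is friendlier for a tool.
    return "".join(reversed(digits)) or "0"


def safe_decode(text, base):
    """Inverse of safe_encode; rejects characters outside the given base."""
    value = 0
    for ch in text:
        digit = _VALUE.get(ch)
        if digit is None or digit >= base:
            raise ValueError(f"{ch!r} is not a base-{base} queue ID digit")
        value = value * base + digit
    return value


def encode_long_queue_id(seconds, microseconds, inode):
    """Build the ID the way Postfix does for a file created at that time."""
    return (safe_encode(seconds, SEC_BASE, SEC_PAD)
            + safe_encode(microseconds, USEC_BASE, USEC_PAD)
            + INUM_SEP + safe_encode(inode, INUM_BASE))


def decode_long_queue_id(queue_id):
    """Return (seconds, microseconds, inode) or raise ValueError."""
    # The inode part is base 51 and never contains 'z': the LAST 'z' separates.
    time_part, sep, inode_part = queue_id.rpartition(INUM_SEP)
    if not sep or not inode_part or len(time_part) < SEC_PAD + USEC_PAD:
        raise ValueError(f"not a long queue ID: {queue_id!r}")
    seconds = safe_decode(time_part[:-USEC_PAD], SEC_BASE)
    micros = safe_decode(time_part[-USEC_PAD:], USEC_BASE)
    if micros >= 1_000_000:
        raise ValueError(f"microsecond field out of range in {queue_id!r}")
    return seconds, micros, safe_decode(inode_part, INUM_BASE)


def queue_id_timestamp(queue_id):
    """UTC creation time embedded in a long queue ID."""
    seconds, micros, _ = decode_long_queue_id(queue_id)
    stamp = datetime.datetime.fromtimestamp(seconds, datetime.timezone.utc)
    return stamp.replace(microsecond=micros)


if __name__ == "__main__":
    sample = "3Pt2mN2VXFzkjkw"            # sample ID for the example
    print(sample, decode_long_queue_id(sample), queue_id_timestamp(sample).isoformat())
```

The decoder is handy in incident work: a long queue ID from a bounce or a log line gives the exact queue-file creation time without needing the log that produced it, and two IDs with the same time part but different inodes are two files created in the same microsecond, not a collision.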


Re: Conditional/soft smtpd restrictions

2015-01-18 Thread Benning, Markus

-Original Message- From: Noel Jones
Sent: Saturday, January 17, 2015 12:20 AM


You want to conditionally run some extra restrictions based on the
outcome of prior restrictions?  Some of the existing policy servers
do weighted scoring, which gives very similar results.



Conditional greylisting?  Some of the existing greylisting daemons
do that already.


Do you have any specific suggestions?
I looked at several policy servers and could not find one that could
be (natively) configured to do what I want -- and I would like to
avoid hacking/patching the internals...
In fact, generally I feel that one of the problems with existing
policy servers is that there are too many of them, without clear
leader or clear comparison available =)


mtpolicyd can be used to apply actions based on scoring.

The default configuration builds a score based on DNS
whitelists/blacklists, SPF and GeoIP, and applies actions based on the
score:

https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf

Based on the score the client is:

 * rejected (and, if configured with fail2ban, blocked on the IP layer)
 * greylisted
 * passed

If you're familiar with Perl, it should be easy to implement your own
checks in plugins (without hacking internals):

https://www.mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::BasicModule

There are already several plugins:

https://www.mtpolicyd.org/documentation.html

Feedback, code, bug reports, requests welcome.


Markus

--
Markus Benning, https://markusbenning.de/


Re: dovecot on wheezy, best ssl configuration ?

2015-01-09 Thread Benning, Markus

Am 2015-01-09 07:27, schrieb m...@ruggedinbox.com:

Hi all, when hardening Dovecot against the POODLE vulnerability,
we followed the advice to disable SSLv2 and SSLv3,
but this is giving problems with some email clients (claws-mail).

ssl_protocols = !SSLv2 !SSLv3

results in the following error:

dovecot: pop3-login: Disconnected (no auth attempts in 1 secs):
user=, rip=XXX, lip=XXX, TLS handshaking: SSL_accept() failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher,
session=2C8jBjIMmQBVGNd1


The error message says 'no shared cipher'. So it is not related to the
ssl_protocols setting. The error means that there is no common cipher
between the server and the client.


What is your setting for ssl_cipher_list?

Try to expand the cipher string with the openssl ciphers command:

openssl ciphers 'your ssl_cipher_list string'

Make sure you did not include !SSLv3 in the cipher string. SSLv3 in the
cipher string is an alias for all ciphers defined in SSLv3. It also includes
ciphers like 'DHE-RSA-AES256-SHA'. On older OpenSSL versions like
0.9.8 there will not be much left without these ciphers:


$ openssl ciphers 'ALL:!SSLv3'
DES-CBC3-MD5:DES-CBC-MD5:EXP-RC2-CBC-MD5:RC2-CBC-MD5:EXP-RC4-MD5:RC4-MD5

If you exclude also LOW and MD5 there is nothing left:

$ openssl ciphers 'ALL:!LOW:!MD5:!SSLv3'
Error in cipher list
14478:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher 
match:ssl_lib.c:1188:


--
Markus


Re: valvula or policyd

2015-01-07 Thread Benning, Markus

Hi,

I just uploaded version 1.15 of mtpolicyd with support for accounting
and quotas:

https://markusbenning.de/blog/?p=36

I also wrote a small guide on how to implement SMTP-level
accounting/quotas with mtpolicyd:

https://mtpolicyd.org/getting-started.html#Mail::MtPolicyd::Cookbook::HowtoAccountingQuota

--
Markus


Am 2014-12-23 13:50, schrieb Benning, Markus:

I just implemented a first version of an accounting plugin for
mtpolicyd:

https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Accounting

GitHub project: https://github.com/benningm/mtpolicyd

I'm currently testing it on a small Postfix installation with the
following setup:

Vhost in mtpolicyd.conf:

<VirtualHost 12346>
  name=accounting

  <Plugin AcctClient>
    module = Accounting
    fields = client_address,sasl_username,recipient,sender
  </Plugin>
</VirtualHost>

(don't forget to configure a database with db_dsn, db_user, db_password in
global)


Check in Postfix:

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:12346


If you're using an smtpd_proxy_filter setup, don't forget to add

-o smtpd_end_of_data_restrictions=

to the re-inject smtpd instances or you'll duplicate counters.

My plan is to test the plugin for a while and also implement a Quota
plugin to enforce limits, and then release it with the next version.


Markus

On Sat, Dec 20, 2014 at 02:16:56PM +0100, Benning, Markus wrote:

Hello,

I created a policyd called mtpolicyd. You can find the project
website at:

https://mtpolicyd.org/

It is written in Perl and is easily extensible through Perl plugins.
Currently its main target is spam filtering/reputation, and therefore I'm
already using it in production.

I'll have to extend it with more relay access control features in the
near future.
I'm also willing to write quota plugin(s) for it.
You're welcome if you want to contribute your requirements, use
cases, testing or code.

 Markus

Am 2014-12-19 16:04, schrieb Selcuk Yazar:
Hi,

We are using policyd v2.0.11 for quota management. I want to upgrade
policyd to 2.0.14.

What is the best policyd software for Postfix? Valvula is first on
the list.

Should I upgrade or install Valvula?

thanks in advance.

--

Selçuk YAZAR


Re: valvula or policyd

2014-12-23 Thread Benning, Markus
I just implemented a first version of an accounting plugin for
mtpolicyd:

https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Accounting

GitHub project: https://github.com/benningm/mtpolicyd

I'm currently testing it on a small Postfix installation with the
following setup:

Vhost in mtpolicyd.conf:

<VirtualHost 12346>
  name=accounting

  <Plugin AcctClient>
    module = Accounting
    fields = client_address,sasl_username,recipient,sender
  </Plugin>
</VirtualHost>

(don't forget to configure a database with db_dsn, db_user, db_password in global)

Check in Postfix:

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:12346

If you're using an smtpd_proxy_filter setup, don't forget to add

-o smtpd_end_of_data_restrictions=

to the re-inject smtpd instances or you'll duplicate counters.

My plan is to test the plugin for a while and also implement a Quota plugin
to enforce limits, and then release it with the next version.


Markus

On Sat, Dec 20, 2014 at 02:16:56PM +0100, Benning, Markus wrote:
 Hello,
 
 I created a policyd called mtpolicyd. You can find the project
 website at:
 
 https://mtpolicyd.org/
 
 It is written in Perl and is easily extensible through Perl plugins.
 Currently its main target is spam filtering/reputation, and therefore I'm
 already using it in production.
 
 I'll have to extend it with more relay access control features in the
 near future.
 I'm also willing to write quota plugin(s) for it.
 You're welcome if you want to contribute your requirements, use
 cases, testing or code.
 
  Markus
 
 Am 2014-12-19 16:04, schrieb Selcuk Yazar:
 Hi,
 
 We are using policyd v2.0.11 for quota management. I want to upgrade
 policyd to 2.0.14.
 
 What is the best policyd software for Postfix? Valvula is first on
 the list.
 
 Should I upgrade or install Valvula?
 
 thanks in advance.
 
 --
 
 Selçuk YAZAR
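
An added example, not the mtpolicyd Accounting or Quota plugins, of the accounting logic that the setup in the post above hands to a policy service at smtpd_end_of_data_restrictions: a ledger that counts messages, recipients and bytes per sasl_username over a sliding window and defers the message when a limit would be exceeded. It uses two attributes that are only final at END-OF-DATA, recipient_count (recipients accepted so far, i.e. the whole transaction at that stage) and size, which is why it ignores requests from other protocol stages. The caveat in the post about re-injecting smtpd instances still applies: the ledger cannot tell a re-injected copy from a new message, so the `-o smtpd_end_of_data_restrictions=` override is still needed. Limits and window are assumptions; a deployment would persist the ledger in SQL so all smtpd processes and restarts share it.

```python
"""Sliding-window accounting and quota per sasl_username for END-OF-DATA requests.

Added example, not mtpolicyd's Accounting/Quota plugins. Limits and window are
assumptions; a real deployment would persist the ledger (SQL) so that all
smtpd instances and restarts share it.
"""
import collections
import time

WINDOW_SECONDS = 3600
LIMITS = {"messages": 200, "recipients": 1000, "bytes": 100 * 1024 * 1024}   # per user per window
OVER_QUOTA = "DEFER_IF_PERMIT 4.7.1 sending quota exceeded, try again later"


class QuotaLedger:
    def __init__(self, window=WINDOW_SECONDS, limits=LIMITS, clock=time.time):
        self.window = window
        self.limits = dict(limits)
        self.clock = clock                 # injectable for tests
        # user -> deque of (timestamp, recipients, bytes), one entry per accepted message
        self._events = collections.defaultdict(collections.deque)

    def _expire(self, user, now):
        queue = self._events[user]
        while queue and queue[0][0] <= now - self.window:
            queue.popleft()

    def usage(self, user):
        """Current totals for one user inside the window."""
        self._expire(user, self.clock())
        queue = self._events[user]
        return {"messages": len(queue),
                "recipients": sum(e[1] for e in queue),
                "bytes": sum(e[2] for e in queue)}

    def account(self, attrs):
        """Record one END-OF-DATA policy request; return the action for Postfix."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if attrs.get("protocol_state") != "END-OF-DATA":
            return "DUNNO"                 # recipient list and size are only final here
        user = attrs.get("sasl_username", "")
        if not user:
            return "DUNNO"                 # unauthenticated (inbound) mail is not subject to quota
        recipients = int(attrs.get("recipient_count") or 0)
        size = int(attrs.get("size") or 0)
        now = self.clock()
        self._expire(user, now)
        projected = self.usage(user)
        projected["messages"] += 1
        projected["recipients"] += recipients
        projected["bytes"] += size
        if any(projected[key] > limit for key, limit in self.limits.items()):
            # Deferred mail is not delivered, so it is not counted; the client
            # can retry once the window has moved on.
            return OVER_QUOTA
        self._events[user].append((now, recipients, size))
        return "DUNNO"
```

Plugged into a policy daemon at END-OF-DATA, account() is called once per message; the DEFER_IF_PERMIT reply only takes effect if no other restriction rejects the message, so a compromised account that hits the limit is throttled without turning legitimate bounces into hard failures.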


Re: valvula or policyd

2014-12-20 Thread Benning, Markus

Hello,

I created a policyd called mtpolicyd. You can find the project website
at:


https://mtpolicyd.org/

It is written in Perl and is easily extensible through Perl plugins.
Currently its main target is spam filtering/reputation, and therefore I'm
already using it in production.

I'll have to extend it with more relay access control features in the
near future.

I'm also willing to write quota plugin(s) for it.
You're welcome if you want to contribute your requirements, use cases,
testing or code.


 Markus

Am 2014-12-19 16:04, schrieb Selcuk Yazar:

Hi,

We are using policyd v2.0.11 for quota management. I want to upgrade
policyd to 2.0.14.

What is the best policyd software for Postfix? Valvula is first on
the list.

Should I upgrade or install Valvula?

thanks in advance.

--

Selçuk YAZAR