Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 2022-08-22 14:46, Viktor Dukhovni wrote: [..] You don't need to sign your own domain in order to secure outbound traffic to domains that others have signed. You just need a local validating resolver such as "unbound", with DNSSEC validation turned on. Ok, yeah I was thinking more of DANE for my own domains rather than validating others. My take is that the person in question likes being a cult leader, dispensing wisdom to adherents, who then, along with the leader, get to feel superior to the uninitiated masses. Interesting! I have no idea who that person is just came across that post in a comment on a website somewhere years ago, I had read others complain about DNSSEC but hadn't seen what appeared to be as fairly organized specific thoughts on the subject rather than a one liner that they hate DNSSEC without saying why. The tooling around DNSSEC has significantly improved recently, making hands-off auto-pilot operation much simpler in e.g. BIND 9.16 and later. Or you can get your domain professionally operated by Google, one.com, OVH, ... who operate millions of signed domains with no issues. I checked and I do have BIND 9.16 where I host my domains(on my own servers). I'll think about it more, my home setup is quite simple I haven't invested much time in it since before 2010 probably(other than OS updates and stuff to keep it going). I have been using Dyn DNS for work related DNS stuff since about 2009, even though Oracle keeps saying they plan to retire the legacy Dyn stuff(and say the newer Oracle cloud DNS uses the same Dyn backend), it's still alive until May 2023 at least. In any case, outbound DANE does not require anything non-trivial on your end. Good to know, thanks!! nate
Re: Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 2022-08-22 14:30, Viktor Dukhovni wrote: Correct, because there's no point. Mail would be sent whether the certificate is trusted or not, and whether or not the DNS-ID matches expectations. Setting up a TLS policy for each domain that's hosted by Microsoft is unrealistic, and they don't yet support DANE (but this is planned). ok thanks! I looked into DANE yesterday had never heard of it before that I can recall anyway, and it appeared to need DNSSEC, which isn't something I've had an interest to deploy. I read what appeared to be a really good blog post on DNSSEC a few years ago that really ripped it apart (https://sockpuppet.org/blog/2015/01/15/against-dnssec/). Can't vouch for accuracy but the person seemed like they knew what they were talking about. That was of course 7 years ago so maybe things have changed since. nate
Fwd: Re: Postfix 3.5 and outbound TLS/SSL
On 2022-08-22 13:55, Viktor Dukhovni wrote: This should be the full certificate chain, not just the lead certificate. For that, you need at least: smtp_tls_security_level = may or perhaps (given a local validating resolver and only loopback nameserver IPs in /etc/resolv.conf or equivalent): smtp_dns_support_level = dnssec smtp_tls_security_level = dane thanks Viktor and Jaroslaw! Things are working fine, I put the cert chain in the main cert file again, no errors this time. Outbound TLS is working ok now postfix/smtp[7329]: Untrusted TLS connection established to example-com.mail.protection.outlook.com[104.47.55.110]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) I assume it says Untrusted because Postfix doesn't have any CAs that it is configured for?(assuming Office 365 uses a real SSL cert). Probably doesn't matter. It's just my personal email server. thanks nate
Postfix 3.5 and outbound TLS/SSL
Hello list
Been using postfix for over 20 years now, though haven't really spent
much
time on the SSL end of things for it.
A few years ago I setup SSL for inbound mainly for SASL auth sending
that
has worked fine.
More recently I formalized this configuration even more in an attempt to
make my system more up to date, being able to send and receive with
TLS.
This is my TLS related configuration
[..]
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_CAfile = /etc/postfix/cacerts.pem
smtpd_tls_cert_file =
/etc/ssl/yehat.aphroland.org/yehat.aphroland.org_2022.crt
smtpd_tls_key_file =
/etc/ssl/yehat.aphroland.org/yehat.aphroland.org.key_nopass
[..]
I have verified that inbound email can come in with TLS, such as this
log entry regarding my communications with the Postfix majordomo a
short time ago:
postfix/smtpd[5797]: Anonymous TLS connection established from
camomile.cloud9.net[168.100.1.3]: TLSv1.2 with cipher AECDH-AES256-SHA
(256/256 bits)
I use a cheap shit SSL provider (Comodo), and didn't have their CA
chain added to Postfix until today. I used the TLS checker on
www.checktls.com and it reports green across the board with an
overall score of 114. Cert valid, chain valid, everything looks
good.
https://www.checktls.com/TestReceiver?LEVEL=DETAILEMAIL=aphroland.org
What I am confused by is Postfix does not appear to be attempting
to use TLS on any outbound emails. I have tested with Gmail and
with MS Office 365. Sample tcpdump
---
220 DM6NAM10FT086.mail.protection.outlook.com Microsoft ESMTP MAIL
Service ready at Mon, 22 Aug 2022 20:14:33 +
EHLO yehat.aphroland.org
250-DM6NAM10FT086.mail.protection.outlook.com Hello [64.62.244.122]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
MAIL FROM: SIZE=1549
RCPT TO:
ORCPT=rfc822;anotherem...@example2.com
DATA
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
354 Start mail input; end with .
[..]
I have looked around and can't find what I may be doing wrong here. What
I've
read implies to me that if SSL is enabled for inbound then it should
just work
for outbound(if the other side supports it). I would expect to see some
kind of error or something but it doesn't even try.
I do have a basic content filtering setup, something that dates back
again
to about 20 years ago, relevant lines from Postfix master.conf:
smtp inet n - - - - smtpd -o
content_filter=filter:
filter unix - n n - - pipe user=filter argv=/usr/local/sbin/filter.sh -f
${sender} -- ${recipient}
That just passes email through Spamassassin and Anomy Mail Sanitizer. I
tried disabling this (changing the smtp setting back to basic by
removing
the "-o content_filter=filter:" though it seemed to have no effect, I
suspect this is unrelated to TLS on outbound. I expect by the time the
message is in the queue to go outbound it's already passed through
the filtering, and is not filtered again when the message is
transmitted.
thanks
nate
Re: Do not include first 'Received' header when received via 465/587?
On Fri, 6 Mar 2009, Noel Jones wrote: Victor Duchovni wrote: Probably want a : in there to make it a valid header: header_checks.pcre: if /^Received:/ /\n\tby (smtp\.example\.com \(Postfix\) with ESTMPS?A id \w+)/ REPLACE X-Submitted: to $1 endif Yes, thanks. I extrapolated from this, and got something that works perfectly - thanks so much! if /^Received:/ /.*by (hostname \(Postfix\) with ESMTPS?A).*/ REPLACE X-Submitted: to $1 endif My servers do additional processing, and add received headers after this, so no issues with spam filters (as mentioned later in this thread.) Appreciate the help!
Do not include first 'Received' header when received via 465/587?
Hi, I have a client that I have set up the submission port and 465 (for submission over raw SSL). They use many different internet connections, and a few of them (Panera Bread in particular) have their IP on blacklists. Because the IP gets included in the first Received header from Postfix, some sites are catching the mail as spam (apparently some sites scan all 'Received' headers for DNSBL's? Sigh.) I've found tricks to remove or edit Received headers for specific IP's via 'header_checks'; however, what I'd like to be able to do is either remove the header altogether or modify the IP to one of the IP's that we own for all authenticated users that submit mail via 465/587. I'm not finding a clean way of doing this; hoping someone has been down this road before so I don't have to reinvent the wheel. ;) Appreciate any advice - thanks much! -Nate
Re: Do not include first 'Received' header when received via 465/587?
On Thu, 5 Mar 2009, Wietse Venema wrote: I've found tricks to remove or edit Received headers for specific IP's via 'header_checks'; however, what I'd like to be able to do is either remove the header altogether or modify the IP to one of the IP's that we own for all authenticated users that submit mail via 465/587. $ man header_checks | less +/IGNORE $ man header_checks | less +/REPLACE Thanks.. I've got that, but I'm not finding a way to only match mail that comes in via Submission, and not via regular SMTP. Is there a way to tell Postfix to only apply the header_checks to certain mail processes? I suppose I could do something like 'no_header_body_checks' on the main SMTP process, but it'd be nice to be able to do some checks there in the future too. -Nate
Set outgoing IP address based on sender e-mail address?
Hey all, Sorry if this is a FAQ, I can't find anything about it online. Is it possible to set the outgoing IP address of a locally-generated message based on the sender's e-mail address? IE, if a message is submitted via 'pickup' with the sender address of 'u...@example1.com', use the IP '192.168.100.10' for the outgoing IP address. If a message is submitted via 'pickup' with the sender address of 'u...@example2.com', use the IP '192.16.100.11' for the outgoing IP address. Basically, in a virtual hosting environment, I'd like to ensure that mail sent via one user cannot affect another user's IP's 'reputation', and I'd also like the outgoing mail server to match the incoming MX record for the domain. Thanks! -Nate
Re: [Fwd: Re: Fwd: Re: postfix, dovecot auth and rip/lip]
At 03:53 PM 3/18/2008, you wrote: Wietse Venema wrote: There is no reason why this can't be implemented, but I want to avoid chaos in Postfix. So I don't want to keep adding more and more ad-hoc parameters to the Postfix-to-SASL library interface. This interface is also used by Cyrus SASL and may be used for other non-Cyrus implementations later. Changes to this API should be carefully designed. Alex: I understand. It's have to wait unless it can really be necessary for more users and could be part of 'official' API. I wrote about it as for not near future wish. As for 'some day'. In the case of the Postfix TLS library we ran into a similar problem, when APIs kept growing with more and more function call parameters. To maintain some level of elegance I introduced function calls with named parameters: TLS_SERVER_START(...stuff..., ctx = smtpd_tls_ctx, stream = state-client, log_level = var_smtpd_tls_loglevel, timeout = var_smtpd_starttls_tmout, ...more stuff...); C does not have named parameter lists, but they can be emulated with a little bit of C preprocessor fu. This looks like a usable approach for extending the Postfix-to-SASL library interface. Another approach is using a call-back function that queries Postfix for specific information. This is the approach taken with the Postfix Milter client, but it is probably over-kill for SASL. Wietse I'll throw my request in for this feature to be prioritized. We're using SMTP AUTH in postfix, querying the dovecot auth socket which works well; however, in our virtual hosted environment it requires that customers login with their full email address. Great in practice, but impractical when a hosting account moves over and has 300, or 3000 subscribers all using username only authentication. In that case, with dovecot currently the query is written to compare full email (if exists to the database) and if not, it compares the local_ip value of the connection to the database to do a domain match so the full domain is not required and then concatenates the domain which was just looked up by local_ip to the username for a full match. As the dovecot auth socket does not receive the local_ip information from postfix currently, this is not an option. It would help us out a lot if this feature were in there. I noticed somebody wrote a patch for postfix-2.3.8. I'm not a C programmer myself, so I'm not sure of it's quality or if this code could be used or committed to the postfix source tree. Found at http://preview.tinyurl.com/b87z44 - Nathan
Re: [Fwd: Re: Fwd: Re: postfix, dovecot auth and rip/lip]
At 06:45 PM 2/10/2009, post...@corwyn.net wrote: At 07:22 PM 2/10/2009, Nate wrote: At 03:53 PM 3/18/2008, you wrote: Wietse Venema wrote: We're using SMTP AUTH in postfix, querying the dovecot auth socket which works well; however, in our virtual hosted environment it requires that customers login with their full email address. Great in practice, but impractical when a hosting account moves over and has 300, or 3000 subscribers all using username only authentication. In that case, with dovecot currently the query is written to compare full email Couldn't you just change the sql query to compare the login passed in to the left side of the User ID/email address? Rick Unfortunately not, because the server runs multiple domains, so if it compared r...@% for instance in the query it would likely return multiple results, and dovecot will reject on multiple results, as it should. - Nate
