[pfx] Re: Allow TLSv1 only for internal senders
Ahem, .. i however have to add one more sentence..

Steffen Nurpmeso wrote in <20230324193739.s-qco%stef...@sdaoden.eu>:
 ...
 ||reading, programming, and nature impressions, four to five hours
 ||a day, all in all, for caring for the (other) animal friends
 ||alone, sorry.

Please .. that "other animal" includes myself, mind you; i believe soul-wise there is no difference, let alone value-wise, how hard that may be to accept for (western) minds.

But now i wish a nice weekend if somehow possible, and stop posting on this lengthy and totally off-topic thread.

Ciao!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Allow TLSv1 only for internal senders
Steffen Nurpmeso wrote in <20230324185751.jdgjq%stef...@sdaoden.eu>:
 |Bernardo Reino wrote in
 | <10n74127-037p-o42n-6617-3po1sq231...@oozx.bet>:
 ||On Fri, 24 Mar 2023, Steffen Nurpmeso wrote:
 ||> Bernardo Reino wrote in
 ||> <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
 ||>|On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
 ||> ...
 ||>|> (That is pretty off-topic for postfix; except maybe for fun
 ||>|> posting my SMTP related firewall
 ||> ...
 ||>|> add_rule -p tcp --src ${addr}${mask} \
 ||>|>    --dport ${p_smtp} -m limit --limit 60/m \
 ||>|>    -j f_m0_2
 ||> ...
 ||>|Could it be that $mask is set to something like /24 (or worse), and that
 ||>|somebody in the (ip) neighborhood of Jaroslaw is triggering your script?
 ||>
 ||> 60/m is low heh?  This is only a very, very small corner of the
 ||> internet.  These "unlimited" are mostly about bandwidth.
 ||
 ||I meant that maybe you were blocking a whole /24 range (i.e. mask=/24) so that
 ||Jaroslaw's IP address was being blocked by mistake.
 |
 |Ah, you really meant it literally?
 |The above is actually "unblocking".
 |Jaroslaw did something no-good, he must have accessed ports which
 |are not meant to be accessed, likely SSH or so, because normally
 |he would have gone through a "rejection" chain a couple of times,
 |then entered "alien", and only then, after some more actions, he
 |would have entered "alien_super".  Yet, two days ago, i was seeing
 |live that he was not only in the "smtp" Linux firewall "-m recent"
 |list, but directly entered "alien_super".  But i am not logging or
 |something, in fact i am funeral dry regarding all that mess,
 |i have so much to do with off-topic things that unfocus me from
 |reading, programming, and nature impressions, four to five hours
 |a day, all in all, for caring for the (other) animal friends
 |alone, sorry.
 |
 ||I realize that the rules you posted relate to rate limiting (which is OK, and
 ||60/m is also not low for my standards), but thought that maybe whatever other
 ||script you may be using for the actual blocking may be doing the same.
 |
 |Hm, cron-parse-mail.awk does in END{}
 |
 |  ...
 |  if(dropno > 0){
 |    if(DEBUG > 1)
 |      print "/root/bin/net-qos.sh add alien_super " ipl
 |    else
 |      system("/root/bin/net-qos.sh add alien_super " ipl)
 |  ...
 |
 |so yes -- but i did not see anything of him in /var/log/mail
 |except good mails i had in inbox.  IIrc.  (Server is AlpineLinux,
 |with busybox syslogd (though otherwise i swear on
 |github.com/troglobit/sysklogd) and SYSLOGD_OPTS="-D -S -t -b 5",
 |ie a megabyte of logs all-in-all, which is not much for postfix.
 |Dependent upon how many "attackers" there are, not more than
 |a day; about 23 hours right now.
 |
 ||To me it is still not clear what the problem is, i.e. what is triggering your
 ||blocking of his connections, but I suspect it's an error from your side (i.e.
 ||from your firewall rules and/or log-parsing-scripts).
 |
 |These are pretty much unchanged for some years.

I was actually blocklisted ever since i wrote the message against the western way of doing things, reiterating Karl Marx (150 years) and the adorable (mostly American i think) Club of Rome (51 years), i hope i have done so. I get many dozens of NetBSD mails, there must have been an "unlock". Hihihihi.

I am delighted that a representative of a German hospital (and of a very famous one) is on this list!

And now stopping off-topicism by quoting Harry Mulisch from "The discovery of the heaven" (there are books of him i like more) with "The screaming blue eyed is Kindergartened, but the real hero of our story will eventually discover heaven", which is really what i hope.

Thank you.

--steffen
[pfx] Re: Allow TLSv1 only for internal senders
Steffen Nurpmeso wrote in <20230324175540.o_vn-%stef...@sdaoden.eu>:
 |Bernardo Reino wrote in
 | <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
 ||On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
 | ...
 ||> (That is pretty off-topic for postfix; except maybe for fun
 ||> posting my SMTP related firewall
 | ...
 ||> add_rule -p tcp --src ${addr}${mask} \
 ||>    --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
 | ...
 ||Could it be that $mask is set to something like /24 (or worse), and that
 ||somebody in the (ip) neighborhood of Jaroslaw is triggering your script?

Btw i occasionally block myself, so there is a port-knock thing running that whitelists the caller for 30 seconds. Before i used my datagram-based WireGuard VPN, with only SSH (TCP) and SOCKS5 proxying over that (ControlMaster), i had to use that often due to my weak wireless access (via D-Netz, by then) that caused connection breaks. But with WireGuard that then bypasses the "filter" ruleset but for first connection setups (for good), this allows for a very tough firewall plus long-living TCP through it. It is really a great thing to use. (And much more lean than OpenVPN or so.)

So that now really off-topic.

--steffen
[pfx] Re: Allow TLSv1 only for internal senders
Bernardo Reino wrote in <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
 |On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
 ...
 |> (That is pretty off-topic for postfix; except maybe for fun
 |> posting my SMTP related firewall
 ...
 |> add_rule -p tcp --src ${addr}${mask} \
 |>    --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
 ...
 |Could it be that $mask is set to something like /24 (or worse), and that
 |somebody in the (ip) neighborhood of Jaroslaw is triggering your script?

60/m is low heh?  This is only a very, very small corner of the internet.  These "unlimited" are mostly about bandwidth.

  change_chain f_m0_2
    add_rule -j CONNMARK --or-mark $((${M0} | ${M2}))
    add_rule -j ACCEPT

that are then picked up by according rules in the "mangle" table

  change_chain POSTROUTING
    ...
    add_rule -j CONNMARK --restore-mark
    ...
    add_rule -j m_marks
  ...
  change_chain m_marks
    ...
    add_rule -m connmark --mark ${M0}/${M0} -j m_marks

where "M0" just bypasses some checks which could declassify them

    ...
    add_rule -m connmark --mark ${M2}/${M2} -j m_a2

if they were only "M2",

  ...
  change_chain m_a2
    add_rule -j CLASSIFY --set-class 1:20
    add_rule -j ACCEPT

so this ends up solely as traffic control:

  ${tc} class add dev ${1} parent 1:1 classid 1:20 htb \
    rate ${R1} ceil ${R0} ${burst} prio 2
  ...
  ${tc} qdisc add dev ${1} parent 1:20 handle 20: sfq perturb 10

but do not ask tc questions, i have no idea what i am doing.

Other than that i am surely much older than Jaroslaw.  (Though i was environmental and hm "philosophical" (pooh!) "activist" already when i was 22.  Yet i am no Swedish virgin, so who gives a shit.)

 |(I apologize for replying to this off-topic topic).

Yeah, me too.
  # $1=[ap]+ $2=addr -> $addr, $port, $ip6 ([non-]empty), $mask (or ALL BITS)
  ipaddr_split() {
    addr=${2%:*} port=${2##*:}
    [ "${addr}" = "${port}" ] && port=
    ip6=
    if [ "${addr}" != "${addr%]*}" ]; then
      ip6=y
      addr=${addr%]*} addr=${addr#[*}
    fi
    mask=
    if [ "${addr}" != "${addr%/*}" ]; then
      mask=/${addr#*/}
      [ "${mask}" = / ] && mask=
      addr=${addr%/*}
    fi
    [ -z "${mask}" ] && { [ -z "${ip6}" ] && mask=/32 || mask=/128; }
    [ -z "${addr}" ] && [ "${1}" != "${1%a*}" ] && {
      echo >&2 'IP address required, none given: '${2}
      return 1
    }
    [ -z "${port}" ] && [ "${1}" != "${1%p*}" ] && {
      echo >&2 '(IP) Socket port required, none given: '${2}
      return 1
    }
    return 0
  }

--steffen
[pfx] Re: Allow TLSv1 only for internal senders
On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:

[...]

> (That is pretty off-topic for postfix; except maybe for fun
> posting my SMTP related firewall

[...]

>    add_rule -p tcp --src ${addr}${mask} \
>       --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2

[...]

Could it be that $mask is set to something like /24 (or worse), and that somebody in the (ip) neighborhood of Jaroslaw is triggering your script?

(I apologize for replying to this off-topic topic).

Cheers,
Bernardo
[pfx] Re: Allow TLSv1 only for internal senders
On 23.03.2023 at 19:08:53 Steffen Nurpmeso writes:
> You are unlocked again.  (But as it periodically came back
> every few minutes yesterday evening, it likely will now, too.)
>
> This cannot be if you do normal SMTP or HTTP, not from the
> firewall side.  These rules only lowers bandwidth, but it is not
> that slow for normal SMTP traffic in the end overall.  No way via
> SMTP or HTTP into alien or even alien_super.

I have this morning set up an outgoing firewall on my server that doesn't pass any other packets towards your server than to port 25, or being part of an ESTABLISHED TCP connection (for example reply packets when you send me mail). I am watching the counter on the DROP rule that drops all other packets. It is zero.

I also spun up a server at AWS that I sometimes use for testing (normally it is down), sent a few e-mails between my server and the server at AWS, and then ran tcpdump the whole day on the AWS server watching for any packets that are coming from my server. Nothing came.

So I find it highly improbable that any strange packets can be coming from my server to yours. I don't know the source of these packets.

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: Allow TLSv1 only for internal senders
Jaroslaw Rafa wrote in <20230322230223.ga17...@rafa.eu.org>:
 |On 22.03.2023 at 23:05:59 Steffen Nurpmeso via Postfix-users writes:
 |> I have very strict firewall rules, and you have become blocked for
 |> last access + 84000 seconds.
 |> Should work again.
 |
 |I again got blocked... As I wrote you off-list, I'm running now tcpdump with
 |filter set to "host 217.144.132.164" and there's no other traffic except
 |normal SMTP traffic to port 25. Have no idea where any strange packets might
 |originate.

You are unlocked again.  (But as it periodically came back every few minutes yesterday evening, it likely will now, too.)

This cannot be if you do normal SMTP or HTTP, not from the firewall side.  These rules only lower bandwidth, but it is not that slow for normal SMTP traffic in the end overall.  No way via SMTP or HTTP into alien or even alien_super.

I have (a) simple AWK parser(s) on the postfix (and HTTP) logs, but really simple (though not so simple as the first version), and it needs REJECT or "too many errors after", and there was nothing strange from your side last night when i looked either.  Not in the SMTP logs.

Note i do not look at the logs, nor make statistics, and the firewall does not log at all, except some SSH/VPN cases, i have no idea what you are doing.  But you did not go over alien into alien_super, that much is plain.  :)

(That is pretty off-topic for postfix; except maybe for fun posting my SMTP related firewall

  ...
  fwcore_has_i smtp && add_rule -p tcp --dport ${p_smtp} -j i__smtp
  fwcore_has_i smtps && add_rule -p tcp --dport ${p_smtps} -j i__smtp
  fwcore_has_i submission && add_rule -p tcp --dport ${p_submission} -j i__smtp
  ...

  # i__smtp chain {{{
  if fwcore_has_i smtp || fwcore_has_i smtps || fwcore_has_i submission; then
    change_chain i__smtp

    if [ -n "${FWCORE_SMTPX_NOLIMIT_PEERS}" ]; then
      for i in ${FWCORE_SMTPX_NOLIMIT_PEERS}; do
        if ipaddr_split a "${i}"; then
          if fwcore_has_i smtp; then
            [ -z "${port}" -o "${port}" = smtp ] &&
            add_rule -p tcp --src ${addr}${mask} \
              --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
          fi
          if fwcore_has_i smtps; then
            [ -z "${port}" -o "${port}" = smtps ] &&
            add_rule -p tcp --src ${addr}${mask} \
              --dport ${p_smtps} -m limit --limit 60/m -j f_m0_2
          fi
          #if fwcore_has_i submission; then
          #  [ -z "${port}" -o "${port}" = submission ] &&
          #  add_rule -p tcp --src ${addr}${mask} \
          #    --dport ${p_smtps} -m limit --limit 60/m -j f_m0_2
          #fi
        fi
      done
    fi

    #-m recent --name alien --set
    # Alienization now handled by cron-parse-mail.awk
    # -m recent --name alien --set
    add_rule -m recent --name smtp --set \
      -m recent --name smtp ! --rcheck --seconds 600 --reap --hitcount 20 \
      -j f_m2
    add_rule -m recent --name smtp --rcheck --seconds 120 --hitcount 16 \
      -j f_m5
    add_rule -m recent --name smtp ! --rcheck --hitcount 32 -j f_m3
    add_rule -j f_m5
  fi
  # }}}

No submission via firewall but through VPN.  (SMTP de facto is "submissions", however.  Yet, i could comment that out.)  I hope i have not yet bored anyone by having posted that already in the past.)

--steffen
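The four "-m recent" rules at the tail of the i__smtp chain form a tiered classifier, and it is not obvious from reading them which chain a given connection pattern ends up in. The Python model below is an added example, not Steffen's code; it replays those four rules over constructed arrival times for one source, assuming the xt_recent semantics it implements (a 32-slot per-address timestamp ring, since the largest --hitcount on the table is 32, and --hitcount N matching when at least N stamps fall inside --seconds), and it ignores --reap, which only purges sources that have gone idle.

```python
from collections import deque

# Assumption: xt_recent sizes its table to the largest --hitcount used on it
# (rounded up to a power of two); the rules use --hitcount 32, which also
# matches the 32 stamps visible in the alien_super dump earlier in the thread.
RING_SIZE = 32


class RecentTable:
    """Minimal model of one iptables '-m recent --name' table."""

    def __init__(self, ring_size=RING_SIZE):
        self.ring_size = ring_size
        self.entries = {}  # src -> deque of packet timestamps (seconds)

    def set(self, src, now):
        """--set: record this packet for src, creating the entry if needed.
        The deque drops the oldest stamp once the ring is full."""
        stamps = self.entries.setdefault(src, deque(maxlen=self.ring_size))
        stamps.append(now)

    def rcheck(self, src, now, seconds=0, hitcount=0):
        """--rcheck [--seconds S] [--hitcount N]: true when src is in the
        table and at least N of its stamps are no older than S seconds.
        S=0 means any age; N=0 means at least one stamp."""
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if seconds == 0 or now - t <= seconds)
        return hits >= max(hitcount, 1)


def classify_smtp_connection(table, src, now):
    """Walk the four tail rules for one new connection and return the
    target chain.  Matches on one rule run left to right, so the --set on
    the first rule records the packet before that rule's ! --rcheck runs."""
    table.set(src, now)
    # rule 1: fewer than 20 connections in the last 10 minutes -> f_m2
    if not table.rcheck(src, now, seconds=600, hitcount=20):
        return "f_m2"
    # rule 2: 16 or more connections in the last 2 minutes -> f_m5
    if table.rcheck(src, now, seconds=120, hitcount=16):
        return "f_m5"
    # rule 3: ring not yet full (fewer than 32 stamps) -> f_m3
    if not table.rcheck(src, now, hitcount=32):
        return "f_m3"
    # rule 4: sustained enough to fill the ring -> f_m5
    return "f_m5"


def simulate(arrivals, src="192.0.2.10"):
    """Feed constructed arrival times (seconds) for one source through a
    fresh table and return the chain each connection was sent to."""
    table = RecentTable()
    return [classify_smtp_connection(table, src, t) for t in arrivals]


if __name__ == "__main__":
    # Constructed traffic patterns, not observed data.
    scenarios = {
        "one per minute": [60 * i for i in range(30)],
        "20 in 95 seconds": [5 * i for i in range(20)],
        "33 every 25 seconds": [25 * i for i in range(33)],
    }
    for name, arrivals in scenarios.items():
        print(name, simulate(arrivals))
```

The third scenario shows the ring-size effect: a source that never trips the 2-minute burst rule still lands in f_m5 once 32 stamps have accumulated.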
[pfx] Re: Allow TLSv1 only for internal senders
On 22.03.2023 at 23:05:59 Steffen Nurpmeso via Postfix-users writes:
> I have very strict firewall rules, and you have become blocked for
> last access + 84000 seconds.
> Should work again.

I again got blocked... As I wrote you off-list, I'm running now tcpdump with filter set to "host 217.144.132.164" and there's no other traffic except normal SMTP traffic to port 25. Have no idea where any strange packets might originate.

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
[pfx] Re: Allow TLSv1 only for internal senders
Steffen Nurpmeso wrote in <2023030559.mn7ux%stef...@sdaoden.eu>:
 |Jaroslaw Rafa wrote in
 | <20230322104345.ga10...@rafa.eu.org>:
 ||On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
 ||> Luckily here a couple of shops remain, even for clothes and
 ||> electronics (mostly household).  It is much uglier a bit further
 ...
 |Should work again.
 ...

ok this is gray plus sender address verification ;-)

--steffen
[pfx] Re: Allow TLSv1 only for internal senders
Jaroslaw Rafa wrote in <20230322104345.ga10...@rafa.eu.org>:
 |On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
 |> Luckily here a couple of shops remain, even for clothes and
 |> electronics (mostly household).  It is much uglier a bit further
 |[...]
 |
 |I replied to you off-list (as it's mostly off-topic with regard to Postfix),
 |but the mail stays in queue - I get "Connection timed out" to your server.
 |Please check on your side.

Uh, you played ugly games?

  /proc/net/xt_recent/alien_super:src=217.182.79.147 ttl: 49 last_seen: 4339606138 oldest_pkt: 3
    4339604936, 4339605337, 4339606138, 4337394504, 4337396107, 4337504029,
    4337504128, 4337504329, 4337504730, 4337505530, 4337924137, 4337924237,
    4337924437, 4337924838, 4337925640, 4338344199, 4338344299, 4338344500,
    4338344900, 4338345702, 4338764229, 4338764328, 4338764529, 4338764929,
    4338765731, 4339184351, 4339184450, 4339184651, 4339185052, 4339185854,
    4339604636, 4339604736

I have very strict firewall rules, and you have become blocked for last access + 84000 seconds.
Should work again.

--steffen
[pfx] Re: Allow TLSv1 only for internal senders
On 2023-03-22 16:36, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via Postfix-users wrote:
>
> >> mx ~ # posttls-finger sdaoden.eu
> >> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> >> posttls-finger: < 220 sdaoden.eu ESMTP Postfix
> >
> > I can't even get the connection. I can't even ping sdaoden.eu from my
> > server.
>
> > I believe it's a firewall problem then, at sdaoden.eu, and the cert fails
>
> No, you just didn't attempt to verify it relative to the system's WebPKI
> certificate store.
>
>     $ posttls-finger -F /etc/ssl/cert.pem -lsecure -c sdaoden.eu

aha, this gives verified cert ok, should postfix itself not do the -F parameter without posttls-finger special option ? have i done error here

mx ~ # postconf -nf | grep smtp_
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/letsencrypt/live/mx.junc.eu/cert.pem
smtp_tls_CApath = /etc/letsencrypt/live/mx.junc.eu/
smtp_tls_cert_file = /etc/letsencrypt/live/mx.junc.eu/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mx.junc.eu/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_per_site
smtp_tls_security_level = dane

>     posttls-finger: sdaoden.eu[217.144.132.164]:25: matched peername: sdaoden.eu
>     posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, issuer=R3, cert fingerprint=[...], pkey fingerprint=[...]
>     posttls-finger: Verified TLS connection established to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

4096 is imho overkill :)
[pfx] Re: Allow TLSv1 only for internal senders
On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via Postfix-users wrote:

> >> mx ~ # posttls-finger sdaoden.eu
> >> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> >> posttls-finger: < 220 sdaoden.eu ESMTP Postfix
> >
> > I can't even get the connection. I can't even ping sdaoden.eu from my
> > server.
>
> I believe it's a firewall problem then, at sdaoden.eu, and the cert fails

No, you just didn't attempt to verify it relative to the system's WebPKI certificate store.

    $ posttls-finger -F /etc/ssl/cert.pem -lsecure -c sdaoden.eu
    posttls-finger: sdaoden.eu[217.144.132.164]:25: matched peername: sdaoden.eu
    posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, issuer=R3, cert fingerprint=[...], pkey fingerprint=[...]
    posttls-finger: Verified TLS connection established to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256

--
    Viktor.
[pfx] Re: Allow TLSv1 only for internal senders
On 2023. 03. 22. 16:18, Benny Pedersen via Postfix-users wrote:
> On 2023-03-22 11:43, Jaroslaw Rafa via Postfix-users wrote:
>
> mx ~ # posttls-finger sdaoden.eu
> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> posttls-finger: < 220 sdaoden.eu ESMTP Postfix
> posttls-finger: > EHLO mx.junc.eu
> posttls-finger: < 250-sdaoden.eu
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-SIZE 50
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-DSN
> posttls-finger: < 250 CHUNKING
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: certificate verification failed for sdaoden.eu[217.144.132.164]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
> posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, issuer_CN=R3, fingerprint=B2:7D:30:F1:88:DD:05:A6:4C:40:4D:D0:FE:CE:79:A7:F4:84:D1:61:E9:73:AA:E9:8D:00:73:4D:2B:BA:0A:F9, pkey_fingerprint=C7:D5:CB:5F:D5:80:B1:E9:B7:75:7B:20:53:12:67:DD:51:69:0D:CF:6F:82:08:18:D1:0B:71:94:45:A7:A4:D0
> posttls-finger: Untrusted TLS connection established to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
> posttls-finger: > EHLO mx.junc.eu
> posttls-finger: < 250-sdaoden.eu
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-SIZE 50
> posttls-finger: < 250-ETRN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-DSN
> posttls-finger: < 250 CHUNKING
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 Bye

echo "quit" | openssl s_client -starttls smtp -crlf -connect 217.144.132.164:25
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = sdaoden.eu
verify return:1
CONNECTED(0003)
---
Certificate chain
 0 s:CN = sdaoden.eu
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 24 22:17:39 2023 GMT; NotAfter: May 25 22:17:38 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
[pfx] Re: Allow TLSv1 only for internal senders
On 2023-03-22 16:22, Jaroslaw Rafa via Postfix-users wrote:
> On 22.03.2023 at 16:18:11 Benny Pedersen via Postfix-users writes:
> >> raj@rafa:~$ mailq
> >> -Queue ID- --Size-- Arrival Time -Sender/Recipient---
> >> 5508C41121     8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
> >> (connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
> >>                                          stef...@sdaoden.eu
> >
> > mx ~ # posttls-finger sdaoden.eu
> > posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> > posttls-finger: < 220 sdaoden.eu ESMTP Postfix
>
> I can't even get the connection. I can't even ping sdaoden.eu from my
> server.

i believe it's a firewall problem then, at sdaoden.eu, and the cert fails :/
[pfx] Re: Allow TLSv1 only for internal senders
On 22.03.2023 at 16:18:11 Benny Pedersen via Postfix-users writes:
> >raj@rafa:~$ mailq
> >-Queue ID- --Size-- Arrival Time -Sender/Recipient---
> >5508C41121     8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
> >(connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
> >                                         stef...@sdaoden.eu
>
> mx ~ # posttls-finger sdaoden.eu
> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> posttls-finger: < 220 sdaoden.eu ESMTP Postfix

I can't even get the connection. I can't even ping sdaoden.eu from my server.

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
[pfx] Re: Allow TLSv1 only for internal senders
On 2023-03-22 11:43, Jaroslaw Rafa via Postfix-users wrote:
> On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
> > Luckily here a couple of shops remain, even for clothes and
> > electronics (mostly household).  It is much uglier a bit further
> [...]
>
> I replied to you off-list (as it's mostly off-topic with regard to Postfix),
> but the mail stays in queue - I get "Connection timed out" to your server.
> Please check on your side.
>
> raj@rafa:~$ mailq
> -Queue ID- --Size-- Arrival Time -Sender/Recipient---
> 5508C41121     8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
> (connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
>                                          stef...@sdaoden.eu

mx ~ # posttls-finger sdaoden.eu
posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
posttls-finger: < 220 sdaoden.eu ESMTP Postfix
posttls-finger: > EHLO mx.junc.eu
posttls-finger: < 250-sdaoden.eu
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for sdaoden.eu[217.144.132.164]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, issuer_CN=R3, fingerprint=B2:7D:30:F1:88:DD:05:A6:4C:40:4D:D0:FE:CE:79:A7:F4:84:D1:61:E9:73:AA:E9:8D:00:73:4D:2B:BA:0A:F9, pkey_fingerprint=C7:D5:CB:5F:D5:80:B1:E9:B7:75:7B:20:53:12:67:DD:51:69:0D:CF:6F:82:08:18:D1:0B:71:94:45:A7:A4:D0
posttls-finger: Untrusted TLS connection established to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
posttls-finger: > EHLO mx.junc.eu
posttls-finger: < 250-sdaoden.eu
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
[pfx] Re: Allow TLSv1 only for internal senders
On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
> Luckily here a couple of shops remain, even for clothes and
> electronics (mostly household).  It is much uglier a bit further
[...]

I replied to you off-list (as it's mostly off-topic with regard to Postfix), but the mail stays in queue - I get "Connection timed out" to your server. Please check on your side.

raj@rafa:~$ mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
5508C41121     8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
(connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
                                         stef...@sdaoden.eu

--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
[pfx] Re: Allow TLSv1 only for internal senders
Jaroslaw Rafa wrote in <20230318234124.ga32...@rafa.eu.org>:
 |On 18.03.2023 at 23:54:28 Steffen Nurpmeso via Postfix-users wrote:
 |> Eh, no. I do not do either. (Granted i use PayPal one, two times
 |> a month, but my bank account is not online-enabled.)
 |> I _never_ shopped online. This destroys local pharmacies, shops,
 |> small (hopefully) good jobs that sometimes exist for centuries.
 |> Western world cities have become faceless culture-free concrete
 |> jungles with McDonald's smell for kilometres. No.
 |
 |Well... if you could just buy the things you *absolutely need* anywhere
 |else than online... if it were so simple...
 |
 |Sorry, but this is the reality, at least where I live. The local shops have
 |already been by large part destroyed by online shopping. It's too late. You
 |can't buy anything in a local shop if the shop doesn't sell it.
 |
 |Nowadays only the most popular and mass-bought items are available in
 |physical shops. If you need anything that is a bit less popular, you *have*
 |to buy it online. Sorry, that's it.

Luckily here a couple of shops remain, even for clothes and electronics (mostly household). It is much uglier a bit further away; most smaller villages do not even have a bank or even a bakery any more; some have (also new) so-called "Tante Emma Laden" (Aunt Emma Shop) which offer a bit. The situation is bad for elder people in the countryside. Even very bad, as younger doctors do not go there, and we had a political movement in Germany over twenty years ago to do something against this trend. Unfortunately then there was a government change, but it surely would have failed even without that. It is just the western world .. and/but not only that and there, of course. (Though it is and was mostly the western world which puts pressure due to its way of doing things; others can do nothing but follow due to economic pressure, sooner or later. But that leads much too far.)

 |Two examples from last weeks: OMTP to CTIA headphone adapter for a mobile
 |phone? A replacement battery for a used laptop I just bought (in a physical
 |shop btw.)? No chance to get anywhere else than online. And I live in a
 |large city. What should people in rural areas say?

Well. For one: i try to avoid too much consumption at first. Most of it is due to brain aka character failures, aka "replacement acts" (sorry, my english) to fill a void. Now whereas i grant there is nothing but void, that void is possibly full of light. That is of course religious, philosophical, etc. Take Alexander Solschenizyn: a hero, then in the Bolschewik Gulag, and when he came back all that he wanted was some bread, sauerkraut and a bottle of milk a day. (Said Schostakowisch where he lived.) Eh. I think that christian guy also went to the desert and came back saying such before they nailed that sausage somewhere. That is that. No to it actually is yes. (Let alone that totally responseless western way of doing things, or do you buy fairphone and such. Cheap buying, expensive selling. Destroys life on earth. They knew that over 150 years ago btw.! And the Club of Rome gave a picture in 1972 that we still do not look at. No.) But sigh before i start praying.

Regarding electronics we have a good one in Darmstadt for many decades, Zimmermann Electronic. And some good (other) computer shops, too. But this is a privileged and "rich" area here, so, well, yes, i can understand this. Of course i do. Then again, if it has not to happen from day to day, one could drive to the next bigger city and buy there, have a coffee or tea (or a smoke, dependent on who and where you are), and an afternoon in the city, and then go back, on the next Saturday or so. Or stay longer, for some Saturday night.

 |And as for the banking, I never understand the people who don't do online
 |banking. You have to constantly pay for something - electricity, Internet,
 |rent, insurance, telephone etc. - all this happens by transferring money to
 |some account. There's a dozen of these payments each month. Do you really

Yes. Permanently, you initiate it once, and then it happens periodically.

 |want to go to the bank (or to a post office), stand there in a long line to
 |pay for this in cash or fill in a money transfer form on paper and give it
 |to the clerk, instead of doing it conveniently from your computer whenever

Ah -- you know the bank was like that two decades ago. Then they did something interesting, shall you ever have read the book "The Money Exchangers" or whatever its name was, Arthur Hailey i think hmm. So the fun comes only if you know the book. They extended the room and split it 50:50 into a part full of "robots" and some places where humans sit. A moving glass wall locks the human part away outside the working hours. The robotic part does no longer have a trashbin even, i think someone made some fire there (and the cameras did not help). So you mostly interact with the robots here. You know. Family businesses
[pfx] Re: Allow TLSv1 only for internal senders
On 18.03.2023 at 23:54:28 Steffen Nurpmeso via Postfix-users wrote:
> Eh, no. I do not do either. (Granted i use PayPal one, two times
> a month, but my bank account is not online-enabled.)
> I _never_ shopped online. This destroys local pharmacies, shops,
> small (hopefully) good jobs that sometimes exist for centuries.
> Western world cities have become faceless culture-free concrete
> jungles with McDonald's smell for kilometres. No.

Well... if you could just buy the things you *absolutely need* anywhere else than online... if it were so simple...

Sorry, but this is the reality, at least where I live. The local shops have already been by large part destroyed by online shopping. It's too late. You can't buy anything in a local shop if the shop doesn't sell it.

Nowadays only the most popular and mass-bought items are available in physical shops. If you need anything that is a bit less popular, you *have* to buy it online. Sorry, that's it.

Two examples from last weeks: OMTP to CTIA headphone adapter for a mobile phone? A replacement battery for a used laptop I just bought (in a physical shop btw.)? No chance to get anywhere else than online. And I live in a large city. What should people in rural areas say?

And as for the banking, I never understand the people who don't do online banking. You have to constantly pay for something - electricity, Internet, rent, insurance, telephone etc. - all this happens by transferring money to some account. There's a dozen of these payments each month. Do you really want to go to the bank (or to a post office), stand there in a long line to pay for this in cash or fill in a money transfer form on paper and give it to the clerk, instead of doing it conveniently from your computer whenever you have time?
> |Second, most web browsers nowadays (as well as mail clients) have supported
> |TLS v1.2 for a long time, so it's of course very little probability that
> |someone who uses so outdated a browser that it doesn't support TLS v1.2 will
> |try to access your website, *and*: a) either that person will complain to
> |you, or b) you will notice it in your httpd logs.
>
> Sorry i do not understand a word. Long time TLSv1.2, yes.

I mean, if your website requires TLSv1.2 (because you mentioned lighttpd, I assume you run some website), for you to notice any problems with it, the following conditions must be met:

a) there is a person who is interested in accessing your website and at the same time uses a very outdated browser that doesn't support TLSv1.2

and either

b) that person complains to you (e.g. via e-mail) that he/she can't connect

or

c) you will notice, browsing your httpd logs, that some client was unable to connect due to an incompatible TLS version.

Only if a) and b) or a) and c) are met simultaneously will you notice that there are any problems. There is very little probability that this will happen. Even a) alone isn't very probable, because there's a small number of people using such old browsers, and how many of them are interested in your particular website? But even if a) alone occurs, you will not notice any problems until b) or c) occurs as well. So it is quite obvious that you don't notice any problems.

> For _me_ it works in practice and there is no fallout. I get
> anything i need / expect. If you have to take care for some elder
> servers then this is surely a problem you have to solve,
> especially if it is your business.

I'm not talking about any server that I take care of. I'm talking about a server of a company from which I receive emails, as their customer. Their server can negotiate only TLSv1 with my server. Anyway, it's better than if they would send their mail unencrypted. And they would, if I set *my* server to TLSv1.2 minimum (which I don't do).

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: Allow TLSv1 only for internal senders
Jaroslaw Rafa wrote in <20230318203334.ga31...@rafa.eu.org>:
 |On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users wrote:
 |> I still have no problems with
 |>
 |>   smtpd_tls_mandatory_protocols = >=TLSv1.2
 |>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 |>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |>   smtpd_tls_mandatory_ciphers = high
 |>
 |> Neither for lighttpd nor for postfix.
 |
 |First, we should not mix HTTP(S) with SMTP, these are two completely
 |different things. While as strict TLS security as possible in web
 |browsing is essential (think about various highly private data you are
 |transmitting e.g. when doing online shopping or banking), it has much less

Eh, no. I do not do either. (Granted i use PayPal one, two times a month, but my bank account is not online-enabled.) I _never_ shopped online. This destroys local pharmacies, shops, small (hopefully) good jobs that sometimes exist for centuries. Western world cities have become faceless culture-free concrete jungles with McDonald's smell for kilometres. No.

 |meaning in email, due to the nature of TLS in email being opportunistic, that
 |means, if servers can't negotiate a TLS connection, they fall back to
 |plaintext (unencrypted), because mail must be delivered anyway.
 |
 |As mail can go through various intermediate servers over which you have no
 |control, and can be stored on them for a period of time over which you have
 |no control, if anything highly sensitive is sent via email, it should be
 |end-to-end encrypted anyway, using applications like gpg or similar, and not
 |rely on transport encryption.
 |
 |Second, most web browsers nowadays (as well as mail clients) have supported
 |TLS v1.2 for a long time, so it's of course very little probability that
 |someone who uses so outdated a browser that it doesn't support TLS v1.2 will
 |try to access your website, *and*: a) either that person will complain to
 |you, or b) you will notice it in your httpd logs.

Sorry i do not understand a word. Long time TLSv1.2, yes.

 |Third, there are still quite a few mail *servers* that don't support TLS
 |v1.2. In that case, they will fall back to plaintext when sending mail to
 |your server. Do you analyze your logs for such cases?

I have looked once i switched. I noted a rush of lower connections once i posted the above last. Even the GNU server now uses more modern things, as it gets through. I do not know one.

 |When I occasionally browse my Postfix logs, I notice one particular server
 |(from which I receive mail quite often) that can negotiate only a TLS v1
 |connection with my server. So if I would require TLS>=1.2 on my server, that
 |server would fall back to plaintext to send mail to me. I think that TLS v1
 |is still better security than no encryption at all ;)

For _me_ it works in practice and there is no fallout. I get anything i need / expect. If you have to take care of some elder servers then this is surely a problem you have to solve, especially if it is your business. In general people update OpenSSL / the crypto library of choice, aka install their distribution's security updates, in which case all is well out of the box (and likely would be for some years). The only problem i currently have is

  Mar 18 22:24:53 postfix/smtpd[26025]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.1.0 may not be compatible with OpenSSL 3.0.0

i hope AlpineLinux recompiles some OpenSSL-linked software so we get rid of that.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
[pfx] Re: Allow TLSv1 only for internal senders
On 19/03/23 07:44, Matus UHLAR - fantomas via Postfix-users wrote:
> I would generally allow the printer to use port 25.

Port 25 is not a submission port and should not be used as such. Keep your submission separate from your MX traffic and you will avoid a whole heap of issues down the road.

If you want a separate port for the printer then just create one in master.cf:

10465     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/10465
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING

...or similar for a submission (non-wrappermode) port.

Peter
[pfx] Re: Allow TLSv1 only for internal senders
On 19/03/23 02:54, Gerd Hoerst via Postfix-users wrote:
> I setup my postfix for the clients to use only protocols > TLSv1 with
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1

A better way to do this is:

smtpd_tls_protocols = >=TLSv1.1

> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1

Don't do this! All you will accomplish is to force clients that don't support at least TLSv1.1 to connect in plain text instead. No encryption is never better than (arguably not very) weak encryption.

> in main.cf
>
> but unfortunately i have a sender (its a printer) which is not capable for
> TLSv1.1 and up..

As others have pointed out, TLSv1.0 is not that bad for smtp. Others have posted a solution for this, but honestly I would just allow >=TLSv1 and not worry about it.

Peter
[pfx] Re: Allow TLSv1 only for internal senders
On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote:
> I still have no problems with
>
> smtpd_tls_mandatory_protocols = >=TLSv1.2

This is fine, so long as you don't have a user that can't support at least TLSv1.2 that needs to use submission.

> smtpd_tls_protocols = $smtpd_tls_mandatory_protocols

This will simply result in clients that can't support at least TLSv1.2 connecting in plain text instead. So rather than having (arguably not so) poor encryption for those clients you would rather have no encryption at all? This does not make any sense.

> # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
> tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20

I would avoid messing with this setting unless you really understand what you are doing, and even then it's not a very good idea. You could end up causing some clients to be unable to establish a connection, or on the flip side you could inadvertently be enabling a cipher that ends up becoming vulnerable in the future, unless you stay on top of this setting and remove it from the list. Note that the default for this setting is taken from openssl, so when a vulnerability does get found in a cipher you will get an update to openssl from your OS vendor which will remove that cipher from the list, unless you do something like override it like you are doing above.

> smtpd_tls_mandatory_ciphers = high

This is fine.

Peter
[pfx] Re: Allow TLSv1 only for internal senders
On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users wrote:
> I still have no problems with
>
>   smtpd_tls_mandatory_protocols = >=TLSv1.2
>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
>   smtpd_tls_mandatory_ciphers = high
>
> Neither for lighttpd nor for postfix.

First, we should not mix HTTP(S) with SMTP, these are two completely different things. While as strict TLS security as possible in web browsing is essential (think about various highly private data you are transmitting e.g. when doing online shopping or banking), it has much less meaning in email, due to the nature of TLS in email being opportunistic, that means, if servers can't negotiate a TLS connection, they fall back to plaintext (unencrypted), because mail must be delivered anyway.

As mail can go through various intermediate servers over which you have no control, and can be stored on them for a period of time over which you have no control, if anything highly sensitive is sent via email, it should be end-to-end encrypted anyway, using applications like gpg or similar, and not rely on transport encryption.

Second, most web browsers nowadays (as well as mail clients) have supported TLS v1.2 for a long time, so it's of course very little probability that someone who uses so outdated a browser that it doesn't support TLS v1.2 will try to access your website, *and*: a) either that person will complain to you, or b) you will notice it in your httpd logs.

Third, there are still quite a few mail *servers* that don't support TLS v1.2. In that case, they will fall back to plaintext when sending mail to your server. Do you analyze your logs for such cases?

When I occasionally browse my Postfix logs, I notice one particular server (from which I receive mail quite often) that can negotiate only a TLS v1 connection with my server. So if I would require TLS>=1.2 on my server, that server would fall back to plaintext to send mail to me. I think that TLS v1 is still better security than no encryption at all ;)

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
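The log check Jaroslaw asks about (which peers only ever manage TLS v1, and would therefore fall back to plaintext under a higher `smtpd_tls_protocols` floor), as an added example that is not code from any post in this thread. It pairs each peer's smtpd `connect from` lines with its `TLS connection established from` lines; the sample log is constructed, and the optional `name/` path segment in the regexes is there for `syslog_name` overrides such as `postfix/10465`.

```python
"""Which SMTP peers would lose TLS if smtpd_tls_protocols got a higher floor?

Added example (not from the thread): reads Postfix smtpd log lines, pairs each
peer's "connect from" events with its "TLS connection established" lines, and
reports the peers whose best negotiated version is below a chosen minimum.
With opportunistic TLS (smtpd_tls_security_level = may) such peers do not stop
sending; they deliver in plaintext instead, which is the thread's point.
"""
import re
from collections import defaultdict

# smtpd logs "connect from" for every session; the "TLS connection established"
# line appears only when STARTTLS succeeded. The optional "name/" segment
# covers syslog_name overrides such as postfix/10465/smtpd.
CONNECT_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
TLS_RE = re.compile(
    r"postfix/(?:[\w-]+/)?smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>SSLv3|TLSv1(?:\.[123])?) with cipher (?P<cipher>\S+)")

# Ordering used to compare a negotiated version against the chosen minimum.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed sample log, not real traffic: one peer stuck on TLSv1.0, one
# modern peer, and one that never offers STARTTLS at all.
SAMPLE_LOG = """\
Mar 18 22:24:53 mail postfix/smtpd[26025]: connect from mail.example.com[192.0.2.10]
Mar 18 22:24:53 mail postfix/smtpd[26025]: Anonymous TLS connection established from mail.example.com[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 18 22:31:07 mail postfix/smtpd[26031]: connect from mx.example.net[203.0.113.5]
Mar 18 22:31:07 mail postfix/smtpd[26031]: Untrusted TLS connection established from mx.example.net[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 18 22:40:12 mail postfix/smtpd[26040]: connect from mail.example.com[192.0.2.10]
Mar 18 22:40:12 mail postfix/smtpd[26040]: Anonymous TLS connection established from mail.example.com[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 18 22:45:00 mail postfix/smtpd[26044]: connect from legacy.example.org[198.51.100.7]
Mar 18 22:45:01 mail postfix/smtpd[26044]: disconnect from legacy.example.org[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 18 22:50:33 mail postfix/smtpd[26050]: connect from mx.example.net[203.0.113.5]
Mar 18 22:50:33 mail postfix/smtpd[26050]: Trusted TLS connection established from mx.example.net[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
"""


def summarize(lines):
    """Per peer IP: hostname, session count, TLS session count, versions seen."""
    peers = defaultdict(lambda: {"host": "", "connections": 0, "tls": 0,
                                 "protocols": defaultdict(int)})
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            peers[m["ip"]]["host"] = m["host"]
            peers[m["ip"]]["connections"] += 1
            continue
        m = TLS_RE.search(line)
        if m:
            peers[m["ip"]]["host"] = m["host"]
            peers[m["ip"]]["tls"] += 1
            peers[m["ip"]]["protocols"][m["proto"]] += 1
    return dict(peers)


def would_fall_back(peers, minimum):
    """IPs that did negotiate TLS but never reached `minimum`: raising the floor
    would not make them upgrade, it would make them talk plaintext."""
    floor = PROTO_RANK[minimum]
    return sorted(ip for ip, p in peers.items()
                  if p["protocols"]
                  and max(PROTO_RANK[v] for v in p["protocols"]) < floor)


def plaintext_only(peers):
    """IPs that connected but never established TLS (already unencrypted)."""
    return sorted(ip for ip, p in peers.items()
                  if p["connections"] and p["tls"] == 0)


if __name__ == "__main__":
    peers = summarize(SAMPLE_LOG.splitlines())
    for ip, p in peers.items():
        seen = ", ".join(f"{v} x{n}" for v, n in sorted(p["protocols"].items()))
        print(f"{p['host']}[{ip}]: {p['tls']}/{p['connections']} sessions "
              f"used TLS ({seen or 'none'})")
    print("would fall back to plaintext at >=TLSv1.2:", would_fall_back(peers, "TLSv1.2"))
    print("already plaintext:", plaintext_only(peers))
```

On a real system feed it `grep smtpd /var/log/mail.log` (or the journal) instead of `SAMPLE_LOG`; a peer listed by `would_fall_back` is exactly the kind of server Jaroslaw describes.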
[pfx] Re: Allow TLSv1 only for internal senders
Jaroslaw Rafa wrote in <20230318191215.gb30...@rafa.eu.org>:
 |On 18.03.2023 at 14:54:15 Gerd Hoerst via Postfix-users wrote:
 |> I setup my postfix for the clients to use only protocols > TLSv1 with
 |>
 |> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
 |> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
 |
 |While the former makes some sense (requiring TLS>=1.1 for mail *submission*
 |from your users) - most mail clients are able to conform to this - the latter
 |(requiring TLS>=1.1 for *incoming* mail on port 25) does not. Don't do it.

I still have no problems with

  smtpd_tls_mandatory_protocols = >=TLSv1.2
  smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
  # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
  smtpd_tls_mandatory_ciphers = high

Neither for lighttpd nor for postfix.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
[pfx] Re: Allow TLSv1 only for internal senders
On 18.03.2023 at 14:54:15 Gerd Hoerst via Postfix-users wrote:
> I setup my postfix for the clients to use only protocols > TLSv1 with
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1

While the former makes some sense (requiring TLS>=1.1 for mail *submission* from your users) - most mail clients are able to conform to this - the latter (requiring TLS>=1.1 for *incoming* mail on port 25) does not. Don't do it.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: Allow TLSv1 only for internal senders
On Sat, Mar 18, 2023 at 07:32:18PM +0100, Gerd Hoerst via Postfix-users wrote:

> I read a tutorial to harden postfix and there they threw out TLSv1

The tutorial is mostly misguided. Though in practice, TLS 1.0 is increasingly rare on the public Internet, so the damage from disabling it is fairly low. So your server will score more points in a fashion show of modern cryptographic prowess if TLS 1.0 is disabled.

You now have a choice between being fashionable, and being interoperable with a dwindling number of unfashionable systems. The latter also makes a non-conformist statement I guess. Choose your crowd.

-- 
    Viktor.
[pfx] Re: Allow TLSv1 only for internal senders
> Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54:
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
>> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
>> in main.cf
>
> in main.cf put a # in these lines, so it's default from postconf -d
>
>> but unfortunately i have a sender (its a printer) which is not capable for
>> TLSv1.1 and up..

On 18.03.23 19:35, Benny Pedersen via Postfix-users wrote:
> add in master.cf
>
> -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
> -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1
>
> so only port 465, 587 have this, but you should keep defaults

Usually, smtpd_tls_mandatory_protocols is used on 465 and 587, while smtpd_tls_protocols is used on port 25. So you only need to define them properly in main.cf, unless you play with different settings on different ports.

I would generally allow the printer to use port 25.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I drive way too fast to worry about cholesterol.
[pfx] Re: Allow TLSv1 only for internal senders
Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54:

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
> in main.cf

in main.cf put a # in these lines, so it's default from postconf -d

> but unfortunately i have a sender (its a printer) which is not capable for
> TLSv1.1 and up..

add in master.cf

-o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1

so only port 465, 587 have this, but you should keep defaults

this will do what you want, but imho why not keep all tls for all ?

> How can i manage to use TLSv1.1 and up from outside but allow TLSv1 from
> inside my network

tlsv1 is less weak than tlsv1.1

others will comment now I am sure :)
[pfx] Re: Allow TLSv1 only for internal senders
Hi !

I read a tutorial to harden postfix and there they threw out TLSv1

Ciao Gerd

On 18.03.2023 at 16:07 Bill Cole via Postfix-users wrote:
> On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100)
> Gerd Hoerst via Postfix-users is rumored to have said:
>
>> Hi !
>>
>> I setup my postfix for the clients to use only protocols > TLSv1 with
>>
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
>> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
>>
>> in main.cf
>
> Why?
>
>> but unfortunately i have a sender (its a printer) which is not capable for
>> TLSv1.1 and up..
>>
>> How can i manage to use TLSv1.1 and up from outside but allow TLSv1 from
>> inside my network
>
> What do you believe to be the risk of allowing TLSv1.0 for SMTP?
>
> My understanding is that the marginal risks of TLSv1.0 are not relevant to SMTP. It is also inherently counter-productive to prohibit TLSv1.0 if you allow unencrypted SMTP as a fallback.
[pfx] Re: Allow TLSv1 only for internal senders
If you must (not necessarily a good idea), your options are:

- Multiple Postfix instances on different IP addresses. Each instance has its own main.cf and master.cf.

- Single Postfix instance with different smtpd configurations in master.cf on different server IP addresses, using main.cf only for common settings.

/etc/postfix/master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# SMTP service for internal clients
1.2.3.4:smtp inet  n       -       n       -       -       smtpd
    -o { parameter = value } ...
# SMTP service for external clients
1.2.3.5:smtp inet  n       -       n       -       -       smtpd
    -o { parameter = value } ...

This is manageable when the differences are small.

        Wietse
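Wietse's second option filled in for the question that started this thread, as an added example (not Wietse's or Postfix's own configuration): the printer's internal listener keeps TLSv1.0 available, the external listener gets the TLSv1.1 floor the original poster asked for, and both stay opportunistic as in the thread. The addresses 192.0.2.4 (internal) and 192.0.2.5 (external) and the syslog_name values are placeholders.

```text
# /etc/postfix/master.cf (added example; addresses and syslog names are placeholders)
# ==========================================================================
# service        type  private unpriv  chroot  wakeup  maxproc command + args
#                      (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# Port 25 on the internal address: the printer only speaks TLSv1.0, and with
# opportunistic TLS shutting TLSv1.0 out would only make it send plaintext.
192.0.2.4:smtp   inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/internal
    -o { smtpd_tls_security_level = may }
    -o { smtpd_tls_protocols = >=TLSv1 }
# Port 25 on the external address: TLSv1.1 floor as the original poster wanted.
# The thread's advice is to leave this at the default, because a peer that
# cannot reach the floor falls back to plaintext here just the same.
192.0.2.5:smtp   inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/external
    -o { smtpd_tls_security_level = may }
    -o { smtpd_tls_protocols = >=TLSv1.1 }
```

Both addresses must be covered by inet_interfaces in main.cf, and the `>=TLSv1.1` form needs a Postfix release that accepts it; on older releases use the `!SSLv2,!SSLv3,!TLSv1` spelling from the thread. The two syslog_name values let the per-listener log lines be told apart when checking which peers actually negotiate which version.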
[pfx] Re: Allow TLSv1 only for internal senders
On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100)
Gerd Hoerst via Postfix-users is rumored to have said:

> Hi !
>
> I setup my postfix for the clients to use only protocols > TLSv1 with
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
>
> in main.cf

Why?

> but unfortunately i have a sender (its a printer) which is not capable for
> TLSv1.1 and up..
>
> How can i manage to use TLSv1.1 and up from outside but allow TLSv1 from
> inside my network

What do you believe to be the risk of allowing TLSv1.0 for SMTP?

My understanding is that the marginal risks of TLSv1.0 are not relevant to SMTP. It is also inherently counter-productive to prohibit TLSv1.0 if you allow unencrypted SMTP as a fallback.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire