[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Ahem, .. i however have to add one more sentence.. 

Steffen Nurpmeso wrote in
 <20230324193739.s-qco%stef...@sdaoden.eu>:
 ...
 ||reading, programming, and nature impressions, four to five hours
 ||a day, all in all, for caring for the (other) animal friends
 ||alone, sorry.

Please .. that "other animal" includes myself, mind you; i believe
soul-wise there is no difference, let alone value-wise, how hard
that may be to accept for (western) minds.

But now i wish a nice weekend if somehow possible, and stop
posting on this lengthy and totally off-topic thread.

Ciao!

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso wrote in
 <20230324185751.jdgjq%stef...@sdaoden.eu>:
 |Bernardo Reino wrote in
 | <10n74127-037p-o42n-6617-3po1sq231...@oozx.bet>:
 ||On Fri, 24 Mar 2023, Steffen Nurpmeso wrote:
 ||> Bernardo Reino wrote in
 ||> <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
 ||>|On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
 ||> ...
 ||>|> (That is pretty off-topic for postfix; except maybe for fun
 ||>|> posting my SMTP related firewall
 ||> ...
 ||>|> add_rule -p tcp --src ${addr}${mask} \
 ||>|>--dport ${p_smtp} -m limit --limit 60/m \
 ||>|>-j f_m0_2
 ||> ...
 ||>|Could it be that $mask is set to something like /24 (or worse), and that
 ||>|somebody in the (ip) neighborhood of Jaroslaw is triggering your script?
 ||>
 ||> 60/m is low heh?  This is only a very, very small corner of the
 ||> internet.  These "unlimited" are mostly about bandwidth.
 ||
 ||I meant that maybe you were blocking a whole /24 range (i.e. mask=/24)
 ||so that Jaroslaw's IP address was being blocked by mistake.
 |
 |Ah, you really meant it literally?
 |The above is actually "unblocking".
 |Jaroslaw did something no-good, he must have accessed ports which
 |are not meant to be accessed, likely SSH or so, because normally
 |he would have gone through a "rejection" chain a couple of times,
 |then entered "alien", and only then, after some more actions, he
 |would have entered "alien_super".  Yet, two days ago, i was seeing
 |live that he was not only in the "smtp" Linux firewall "-m recent"
 |list, but directly entered "alien_super".  But i am not logging or
 |something, in fact i am funeral dry regarding all that mess, 
 |i have so much to do with off-topic things that unfocus me from
 |reading, programming, and nature impressions, four to five hours
 |a day, all in all, for caring for the (other) animal friends
 |alone, sorry.
 |
 ||I realize that the rules you posted relate to rate limiting (which is OK, and
 ||60/m is also not low for my standards), but thought that maybe whatever other
 ||script you may be using for the actual blocking may be doing the same.
 |
 |Hm, cron-parse-mail.awk does in END{}
 |
 |  ...
 |  if(dropno > 0){
 |     if(DEBUG > 1)
 |        print "/root/bin/net-qos.sh add alien_super " ipl
 |     else
 |        system("/root/bin/net-qos.sh add alien_super " ipl)
 |  ...
 |
 |so yes -- but i did not see anything of him in /var/log/mail
 |except good mails i had in inbox.  IIrc.  (Server is AlpineLinux,
 |with busybox syslogd (though otherwise i swear on
 |github.com/troglobit/sysklogd) and SYSLOGD_OPTS="-D -S -t -b 5",
 |ie a megabyte of logs all-in-all, which is not much for postfix.
 |Dependent upon how many "attackers" there are, not more than
 |a day; about 23 hours right now.
 |
 ||To me it is still not clear what the problem is, i.e. what is triggering your
 ||blocking of his connections, but I suspect it's an error from your side (i.e.
 ||from your firewall rules and/or log-parsing-scripts).
 |
 |These are pretty much unchanged for some years.

I was actually blocklisted ever since i wrote the message against
the western way of doing things, reiterating Karl Marx (150 years)
and the adorable (mostly American i think) Club of Rome (51
years), i hope i have done so.
I get many dozens of NetBSD mails, there must have been an
"unlock".  Hihihihi.
I am delighted that a representative of a German hospital (and of
a very famous one) is on this list!
And now stopping off-topicism by quoting Harry Mulisch from "The
discovery of the heaven" (there are books of him i like more) with
"The screaming blue eyed is Kindergartened, but the real hero of
our story will eventually discover heaven", which is really what
i hope.  Thank you.

--steffen


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso wrote in
 <20230324175540.o_vn-%stef...@sdaoden.eu>:
 |Bernardo Reino wrote in
 | <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
 ||On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
 | ...
 ||> (That is pretty off-topic for postfix; except maybe for fun
 ||> posting my SMTP related firewall
 | ...
 ||> add_rule -p tcp --src ${addr}${mask} \
 ||>--dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
 | ...
 ||Could it be that $mask is set to something like /24 (or worse), and that 
 ||somebody in the (ip) neighborhood of Jaroslaw is triggering your script?

Btw i occasionally block myself, so there is a port-knock thing
running that whitelists the caller for 30 seconds.  Before i used
my datagram-based WireGuard VPN, with only SSH (TCP) and SOCKS5
proxying over that (ControlMaster), i had to use that often due to
my weak wireless access (via D-Netz, by then) that caused
connection breaks.  But with WireGuard that then bypasses the
"filter" ruleset but for first connection setups (for good), this
allows for very tough firewall plus long-living TCP through it.
It is really a great thing to use.  (And much more lean than
OpenVPN or so.)  So that is now really off-topic.

--steffen


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Bernardo Reino wrote in
 <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>:
 |On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:
 ...
 |> (That is pretty off-topic for postfix; except maybe for fun
 |> posting my SMTP related firewall
 ...
 |> add_rule -p tcp --src ${addr}${mask} \
 |>--dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
 ...
 |Could it be that $mask is set to something like /24 (or worse), and that 
 |somebody in the (ip) neighborhood of Jaroslaw is triggering your script?

60/m is low heh?  This is only a very, very small corner of the
internet.  These "unlimited" are mostly about bandwidth.

   change_chain f_m0_2
   add_rule -j CONNMARK --or-mark $((${M0} | ${M2}))
   add_rule -j ACCEPT

that are then picked up by corresponding rules in the "mangle" table

   change_chain POSTROUTING
   ...
   add_rule -j CONNMARK --restore-mark
   ...
   add_rule -j m_marks
   ...
   change_chain m_marks
   ...
   add_rule -m connmark --mark ${M0}/${M0} -j m_marks

where "M0" just bypasses some checks which could declassify them

   ...
   add_rule -m connmark --mark ${M2}/${M2} -j m_a2

if they were only "M2",

   ...
   change_chain m_a2
   add_rule -j CLASSIFY --set-class 1:20
   add_rule -j ACCEPT

so this ends up solely as traffic control:

   ${tc} class add dev ${1} parent 1:1 classid 1:20 htb \
      rate ${R1} ceil ${R0} ${burst} prio 2
   ...
   ${tc} qdisc add dev ${1} parent 1:20 handle 20: sfq perturb 10

but do not ask tc questions, i have no idea what i am doing.

Other than that i am surely much older than Jaroslaw.
(Though i was environmental and hm "philosophical" (pooh!)
"activist" already when i was 22.  Yet i am no Swedish virgin, so
who gives a shit.)

 |(I apologize for replying to this off-topic topic).

Yeah, me too.


# $1=[ap]+ $2=addr -> $addr, $port, $ip6 ([non-]empty), $mask (or ALL BITS)
# $1 contains "a" if an address is mandatory and "p" if a port is mandatory.
# Accepted forms: ADDR, ADDR:PORT, ADDR/MASK, [V6ADDR], [V6ADDR/MASK]:PORT
ipaddr_split() {
   # Split off the port.  A string ending in "]" is a bracketed IPv6
   # address without a port; the plain "${2%:*}" split would take its
   # last hextet for the port.
   case ${2} in
   *\]) addr=${2} port= ;;
   *) addr=${2%:*} port=${2##*:}
      # No colon at all: both halves are the whole string, so no port.
      [ "${addr}" = "${port}" ] && port= ;;
   esac

   # Brackets mean IPv6; strip them.
   ip6=
   if [ "${addr}" != "${addr%]*}" ]; then
      ip6=y
      addr=${addr%]*}
      addr=${addr#\[}
   fi

   # Optional /MASK; without one, use the full host mask of the family.
   mask=
   if [ "${addr}" != "${addr%/*}" ]; then
      mask=/${addr#*/}
      [ "${mask}" = / ] && mask=
      addr=${addr%/*}
   fi
   [ -z "${mask}" ] && { [ -z "${ip6}" ] && mask=/32 || mask=/128; }

   [ -z "${addr}" ] && [ "${1}" != "${1%a*}" ] && {
      echo >&2 'IP address required, none given: '${2}
      return 1
   }

   [ -z "${port}" ] && [ "${1}" != "${1%p*}" ] && {
      echo >&2 '(IP) Socket port required, none given: '${2}
      return 1
   }

   return 0
}

--steffen


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-23 Thread Bernardo Reino via Postfix-users

On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote:


[...]

(That is pretty off-topic for postfix; except maybe for fun
posting my SMTP related firewall

[...]

add_rule -p tcp --src ${addr}${mask} \
   --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2

[...]


Could it be that $mask is set to something like /24 (or worse), and that 
somebody in the (ip) neighborhood of Jaroslaw is triggering your script?


(I apologize for replying to this off-topic topic).

Cheers,
Bernardo


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-23 Thread Jaroslaw Rafa via Postfix-users
On 23.03.2023 at 19:08:53 Steffen Nurpmeso writes:
> You are unlocked again.  (But as it periodically came back
> every few minutes yesterday evening, it likely will now, too.)
> 
> This cannot be if you do normal SMTP or HTTP, not from the
> firewall side.  These rules only lower bandwidth, but it is not
> that slow for normal SMTP traffic in the end overall.  No way via
> SMTP or HTTP into alien or even alien_super.

This morning I set up an outgoing firewall on my server that doesn't pass
any packets towards your server other than those to port 25, or those being
part of an ESTABLISHED TCP connection (for example reply packets when you send
me mail). I am watching the counter on the DROP rule that drops all other
packets. It is zero.

I also spun up a server at AWS that I sometimes use for testing (normally it
is down), sent a few e-mails between my server and the server at AWS, and
then ran tcpdump the whole day on the AWS server watching for any packets
that are coming from my server. Nothing came.

So I find it highly improbable that any strange packets can be coming from
my server to yours. I don't know the source of these packets.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-23 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in
 <20230322230223.ga17...@rafa.eu.org>:
 |On 22.03.2023 at 23:05:59 Steffen Nurpmeso via Postfix-users writes:
 |> I have very strict firewall rules, and you have become blocked for
 |> last access + 84000 seconds.
 |> Should work again.
 |
 |I again got blocked... As I wrote you off-list, I'm running now tcpdump with
 |filter set to "host 217.144.132.164" and there's no other traffic except
 |normal SMTP traffic to port 25. Have no idea where any strange packets might
 |originate.

You are unlocked again.  (But as it periodically came back
every few minutes yesterday evening, it likely will now, too.)

This cannot be if you do normal SMTP or HTTP, not from the
firewall side.  These rules only lower bandwidth, but it is not
that slow for normal SMTP traffic in the end overall.  No way via
SMTP or HTTP into alien or even alien_super.

I have (a) simple AWK parser(s) on the postfix (and HTTP) logs,
but really simple (though not so simple as the first version), and
it needs REJECT or "too many errors after", and there was nothing
strange from your side last night when i looked either.  Not in
the SMTP logs.

Note i do not look at the logs, nor make statistics, and the
firewall does not log at all, except some SSH/VPN cases, so i have
no idea what you are doing.  But you did not go over alien into
alien_super, that much is plain. :)

(That is pretty off-topic for postfix; except maybe for fun
posting my SMTP related firewall

  ...
  fwcore_has_i smtp && add_rule -p tcp --dport ${p_smtp} -j i__smtp
  fwcore_has_i smtps && add_rule -p tcp --dport ${p_smtps} -j i__smtp
  fwcore_has_i submission &&
     add_rule -p tcp --dport ${p_submission} -j i__smtp
  ...
  # i__smtp chain {{{
  if fwcore_has_i smtp || fwcore_has_i smtps || fwcore_has_i submission; then
     change_chain i__smtp

     if [ -n "${FWCORE_SMTPX_NOLIMIT_PEERS}" ]; then
        for i in ${FWCORE_SMTPX_NOLIMIT_PEERS}; do
           if ipaddr_split a "${i}"; then
              if fwcore_has_i smtp; then
                 [ -z "${port}" -o "${port}" = smtp ] &&
                    add_rule -p tcp --src ${addr}${mask} \
                       --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
              fi
              if fwcore_has_i smtps; then
                 [ -z "${port}" -o "${port}" = smtps ] &&
                    add_rule -p tcp --src ${addr}${mask} \
                       --dport ${p_smtps} -m limit --limit 60/m -j f_m0_2
              fi
              #if fwcore_has_i submission; then
              #   [ -z "${port}" -o "${port}" = submission ] &&
              #      add_rule -p tcp --src ${addr}${mask} \
              #         --dport ${p_smtps} -m limit --limit 60/m -j f_m0_2
              #fi
           fi
        done
     fi

     #-m recent --name alien --set
     # Alienization now handled by cron-parse-mail.awk
     #   -m recent --name alien --set
     add_rule -m recent --name smtp --set \
        -m recent --name smtp ! --rcheck --seconds 600 --reap --hitcount 20 \
        -j f_m2
     add_rule -m recent --name smtp --rcheck --seconds 120 --hitcount 16 \
        -j f_m5
     add_rule -m recent --name smtp ! --rcheck --hitcount 32 -j f_m3
     add_rule -j f_m5
  fi
  # }}}

No submission via firewall but through VPN.
(SMTP de facto is "submissions", however.  Yet, i could comment
that out.)  I hope i have not yet bored anyone by having posted that
already in the past.)

--steffen


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Jaroslaw Rafa via Postfix-users
On 22.03.2023 at 23:05:59 Steffen Nurpmeso via Postfix-users writes:
> I have very strict firewall rules, and you have become blocked for
> last access + 84000 seconds.
> Should work again.

I again got blocked... As I wrote you off-list, I'm running now tcpdump with
filter set to "host 217.144.132.164" and there's no other traffic except
normal SMTP traffic to port 25. Have no idea where any strange packets might
originate.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso wrote in
 <2023030559.mn7ux%stef...@sdaoden.eu>:
 |Jaroslaw Rafa wrote in
 | <20230322104345.ga10...@rafa.eu.org>:
 ||On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
 ||> Luckily here a couple of shops remain, even for clothes and
 ||> electronics (mostly household).  It is much uglier a bit further
 ...
 |Should work again.
 ...

ok this is gray plus sender address verification ;-)

--steffen


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in
 <20230322104345.ga10...@rafa.eu.org>:
 |On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
 |> Luckily here a couple of shops remain, even for clothes and
 |> electronics (mostly household).  It is much uglier a bit further
 |[...]
 |
 |I replied to you off-list (as it's mostly off-topic with regard to Postfix),
 |but the mail stays in queue - I get "Connection timed out" to your server.
 |Please check on your side.

Uh, you played ugly games?

  /proc/net/xt_recent/alien_super:src=217.182.79.147 ttl: 49 last_seen: 4339606138 oldest_pkt: 3 4339604936, 4339605337, 4339606138, 4337394504, 4337396107, 4337504029, 4337504128, 4337504329, 4337504730, 4337505530, 4337924137, 4337924237, 4337924437, 4337924838, 4337925640, 4338344199, 4338344299, 4338344500, 4338344900, 4338345702, 4338764229, 4338764328, 4338764529, 4338764929, 4338765731, 4339184351, 4339184450, 4339184651, 4339185052, 4339185854, 4339604636, 4339604736

I have very strict firewall rules, and you have become blocked for
last access + 84000 seconds.
Should work again.

--steffen
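The xt_recent entry quoted above, read mechanically, as an added shell example (written for this page; it is not Steffen's code). The kernel prints one line per remembered source with "ttl", "last_seen", "oldest_pkt" (the ring-buffer slot that holds the oldest stamp) and then the packet stamps in ring-buffer order, all in jiffies. The script sorts the stamps, groups them into bursts and evaluates the "-m recent --rcheck --seconds S --hitcount N" test the way the match does, as the number of stamps inside the trailing S seconds. The stamps are copied from the message above; HZ=100 (the kernel tick rate needed to turn jiffies into seconds) is an assumption, since the server's kernel configuration is not shown anywhere in the thread. Under that assumption the gaps inside each burst come out as 1, 2, 4 and 8 seconds, which is the Linux TCP SYN retransmission schedule of a connection attempt that gets no answer, and the bursts recur about every 4200 seconds, the order of Postfix's default maximal_backoff_time (4000s) plus queue_run_delay (300s).

```shell
#!/bin/sh
# Added example for this page (not Steffen's code): read one /proc/net/xt_recent
# entry and look at its packet stamps the way "-m recent --rcheck --seconds S
# --hitcount N" does.

# The entry quoted in the message above, unwrapped onto one line (constructed copy).
XT_RECENT_SAMPLE='src=217.182.79.147 ttl: 49 last_seen: 4339606138 oldest_pkt: 3 4339604936, 4339605337, 4339606138, 4337394504, 4337396107, 4337504029, 4337504128, 4337504329, 4337504730, 4337505530, 4337924137, 4337924237, 4337924437, 4337924838, 4337925640, 4338344199, 4338344299, 4338344500, 4338344900, 4338345702, 4338764229, 4338764328, 4338764529, 4338764929, 4338765731, 4339184351, 4339184450, 4339184651, 4339185052, 4339185854, 4339604636, 4339604736'

# xt_recent stamps are kernel jiffies.  HZ is an ASSUMPTION: the server's
# kernel configuration is not shown on the page.
HZ=${HZ:-100}
# A silence longer than this many seconds separates two bursts.
BURST_GAP=${BURST_GAP:-60}

# xt_recent_stamps ENTRY -> stamps one per line, oldest first.  The kernel
# prints them in ring-buffer order, so they have to be sorted.
xt_recent_stamps() {
    printf '%s\n' "$1" |
        sed 's/^.*oldest_pkt: [0-9]* //' |
        tr -d ',' | tr ' ' '\n' | grep -v '^$' | sort -n
}

# xt_recent_bursts ENTRY -> one line per burst:
#   <first stamp> <n> pkts [+<seconds since previous burst>] gaps:<gaps inside the burst>
xt_recent_bursts() {
    xt_recent_stamps "$1" | awk -v hz="$HZ" -v gap="$BURST_GAP" '
        function flush() {
            if (prevstart == "")
                printf "%s %2d pkts            gaps:%s\n", start, n, gaps
            else
                printf "%s %2d pkts  +%7.1fs  gaps:%s\n", start, n, (start - prevstart) / hz, gaps
            prevstart = start
        }
        NR == 1 { start = $1; prev = $1; n = 1; gaps = ""; next }
        {
            d = ($1 - prev) / hz
            if (d > gap) { flush(); start = $1; n = 1; gaps = "" }
            else         { n++; gaps = gaps sprintf(" %.2fs", d) }
            prev = $1
        }
        END { if (NR > 0) flush() }'
}

# xt_recent_burst_count ENTRY -> number of bursts
xt_recent_burst_count() {
    xt_recent_bursts "$1" | awk 'END { print NR }'
}

# xt_recent_max_hits ENTRY SECONDS -> the largest number of stamps inside any
# trailing window of SECONDS, i.e. the highest --hitcount that
# "--rcheck --seconds SECONDS --hitcount N" could ever have matched for this peer.
xt_recent_max_hits() {
    xt_recent_stamps "$1" | awk -v hz="$HZ" -v secs="$2" '
        { s[NR] = $1 + 0 }
        END {
            best = 0
            for (i = 1; i <= NR; i++) {                 # window ending at stamp i
                hits = 0
                for (j = i; j >= 1 && s[i] - s[j] <= secs * hz; j--) hits++
                if (hits > best) best = hits
            }
            print best
        }'
}

# Stand-alone run: the burst table plus the two windows used by the i__smtp rules.
xt_recent_bursts "$XT_RECENT_SAMPLE"
echo "bursts:                       $(xt_recent_burst_count "$XT_RECENT_SAMPLE")"
echo "max hits in any 120 s window: $(xt_recent_max_hits "$XT_RECENT_SAMPLE" 120)  (i__smtp threshold: 16)"
echo "max hits in any 600 s window: $(xt_recent_max_hits "$XT_RECENT_SAMPLE" 600)  (i__smtp threshold: 20)"
```

The table shows seven bursts of five packets each; the oldest one is cut short because the ring buffer only keeps the most recent stamps (32 here). xt_recent_max_hits reports the highest hit count any --seconds window could have produced for the entry, so the thresholds from the i__smtp rules quoted earlier in the thread (--seconds 120 --hitcount 16, --seconds 600 --hitcount 20) can be checked against a captured entry without touching the live firewall.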


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Benny Pedersen via Postfix-users

Viktor Dukhovni via Postfix-users wrote on 2023-03-22 16:36:

On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via
Postfix-users wrote:


>> mx ~ # posttls-finger sdaoden.eu
>> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
>> posttls-finger: < 220 sdaoden.eu ESMTP Postfix
>
> I can't even get the connection. I can't even ping sdaoden.eu from my
> server.

I believe it's a firewall problem then, at sdaoden.eu, and the cert fails


No, you just didn't attempt to verify it relative to the system's 
WebPKI

certificate store.

$ posttls-finger -F /etc/ssl/cert.pem -lsecure -c sdaoden.eu


aha, this gives verified cert ok, should postfix itself not do the -F
parameter without posttls-finger's special option?


have i done an error here

mx ~ # postconf -nf | grep smtp_
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/letsencrypt/live/mx.junc.eu/cert.pem
smtp_tls_CApath = /etc/letsencrypt/live/mx.junc.eu/
smtp_tls_cert_file = /etc/letsencrypt/live/mx.junc.eu/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/mx.junc.eu/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_per_site
smtp_tls_security_level = dane

posttls-finger: sdaoden.eu[217.144.132.164]:25: matched peername: 
sdaoden.eu

posttls-finger: sdaoden.eu[217.144.132.164]:25:
subject_CN=sdaoden.eu, issuer=R3,
cert fingerprint=[...],
pkey fingerprint=[...]
posttls-finger: Verified TLS connection established
to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519
server-signature RSA-PSS (4096 bits)
server-digest SHA256


4096 is imho overkill :)


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via Postfix-users 
wrote:

> >> mx ~ # posttls-finger sdaoden.eu
> >> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> >> posttls-finger: < 220 sdaoden.eu ESMTP Postfix
> > 
> > I can't even get the connection. I can't even ping sdaoden.eu from my
> > server.
> 
> I believe it's a firewall problem then, at sdaoden.eu, and the cert fails

No, you just didn't attempt to verify it relative to the system's WebPKI
certificate store.

$ posttls-finger -F /etc/ssl/cert.pem -lsecure -c sdaoden.eu
posttls-finger: sdaoden.eu[217.144.132.164]:25: matched peername: sdaoden.eu
posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, 
issuer=R3,
cert fingerprint=[...],
pkey fingerprint=[...]
posttls-finger: Verified TLS connection established
to sdaoden.eu[217.144.132.164]:25: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519
server-signature RSA-PSS (4096 bits)
server-digest SHA256

-- 
Viktor.


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Varadi Gabor via Postfix-users

On 2023-03-22 16:18, Benny Pedersen via Postfix-users wrote:

Jaroslaw Rafa via Postfix-users wrote on 2023-03-22 11:43:
mx ~ # posttls-finger sdaoden.eu
posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
posttls-finger: < 220 sdaoden.eu ESMTP Postfix
posttls-finger: > EHLO mx.junc.eu
posttls-finger: < 250-sdaoden.eu
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for 
sdaoden.eu[217.144.132.164]:25: untrusted issuer /O=Digital Signature 
Trust Co./CN=DST Root CA X3
posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, 
issuer_CN=R3, 
fingerprint=B2:7D:30:F1:88:DD:05:A6:4C:40:4D:D0:FE:CE:79:A7:F4:84:D1:61:E9:73:AA:E9:8D:00:73:4D:2B:BA:0A:F9, pkey_fingerprint=C7:D5:CB:5F:D5:80:B1:E9:B7:75:7B:20:53:12:67:DD:51:69:0D:CF:6F:82:08:18:D1:0B:71:94:45:A7:A4:D0
posttls-finger: Untrusted TLS connection established to 
sdaoden.eu[217.144.132.164]:25: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (4096 bits) server-digest SHA256

posttls-finger: > EHLO mx.junc.eu
posttls-finger: < 250-sdaoden.eu
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye


echo "quit" | openssl s_client -starttls smtp -crlf -connect 
217.144.132.164:25


Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = sdaoden.eu
verify return:1
CONNECTED(0003)
---
Certificate chain
 0 s:CN = sdaoden.eu
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 24 22:17:39 2023 GMT; NotAfter: May 25 22:17:38 
2023 GMT

 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 
2025 GMT

 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 
2024 GMT

---
Server certificate
-----BEGIN CERTIFICATE-----
[...]


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Benny Pedersen via Postfix-users

Jaroslaw Rafa via Postfix-users wrote on 2023-03-22 16:22:
On 22.03.2023 at 16:18:11 Benny Pedersen via Postfix-users writes:

>raj@rafa:~$ mailq
>-Queue ID- --Size-- Arrival Time -Sender/Recipient---
>5508C41121 8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
> (connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
> stef...@sdaoden.eu

mx ~ # posttls-finger sdaoden.eu
posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
posttls-finger: < 220 sdaoden.eu ESMTP Postfix


I can't even get the connection. I can't even ping sdaoden.eu from my
server.


i believe it's a firewall problem then, at sdaoden.eu, and the cert fails :/




[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Jaroslaw Rafa via Postfix-users
On 22.03.2023 at 16:18:11 Benny Pedersen via Postfix-users writes:
> >raj@rafa:~$ mailq
> >-Queue ID- --Size-- Arrival Time -Sender/Recipient---
> >5508C41121 8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
> > (connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
> > stef...@sdaoden.eu
> 
> mx ~ # posttls-finger sdaoden.eu
> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
> posttls-finger: < 220 sdaoden.eu ESMTP Postfix

I can't even get the connection. I can't even ping sdaoden.eu from my
server.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Benny Pedersen via Postfix-users

Jaroslaw Rafa via Postfix-users wrote on 2023-03-22 11:43:
On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:

Luckily here a couple of shops remain, even for clothes and
electronics (mostly household).  It is much uglier a bit further

[...]

I replied to you off-list (as it's mostly off-topic with regard to Postfix),
but the mail stays in queue - I get "Connection timed out" to your server.
Please check on your side.

raj@rafa:~$ mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
5508C41121 8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
 (connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
 stef...@sdaoden.eu


mx ~ # posttls-finger sdaoden.eu
posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25
posttls-finger: < 220 sdaoden.eu ESMTP Postfix
posttls-finger: > EHLO mx.junc.eu
posttls-finger: < 250-sdaoden.eu
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for 
sdaoden.eu[217.144.132.164]:25: untrusted issuer /O=Digital Signature 
Trust Co./CN=DST Root CA X3
posttls-finger: sdaoden.eu[217.144.132.164]:25: subject_CN=sdaoden.eu, 
issuer_CN=R3, 
fingerprint=B2:7D:30:F1:88:DD:05:A6:4C:40:4D:D0:FE:CE:79:A7:F4:84:D1:61:E9:73:AA:E9:8D:00:73:4D:2B:BA:0A:F9, 
pkey_fingerprint=C7:D5:CB:5F:D5:80:B1:E9:B7:75:7B:20:53:12:67:DD:51:69:0D:CF:6F:82:08:18:D1:0B:71:94:45:A7:A4:D0
posttls-finger: Untrusted TLS connection established to 
sdaoden.eu[217.144.132.164]:25: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (4096 bits) server-digest SHA256

posttls-finger: > EHLO mx.junc.eu
posttls-finger: < 250-sdaoden.eu
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye



[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Jaroslaw Rafa via Postfix-users
On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users writes:
> Luckily here a couple of shops remain, even for clothes and
> electronics (mostly household).  It is much uglier a bit further
[...]

I replied to you off-list (as it's mostly off-topic with regard to Postfix),
but the mail stays in queue - I get "Connection timed out" to your server.
Please check on your side.

raj@rafa:~$ mailq
-Queue ID- --Size-- Arrival Time -Sender/Recipient---
5508C41121 8652 Mon Mar 20 23:35:40  r...@rafa.eu.org
 (connect to sdaoden.eu[217.144.132.164]:25: Connection timed out)
 stef...@sdaoden.eu
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-20 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in
 <20230318234124.ga32...@rafa.eu.org>:
 |On 18.03.2023 at 23:54:28 Steffen Nurpmeso via Postfix-users writes:
 |> Eh, no.  I do not do either.  (Granted i use PayPal one, two times
 |> a month, but my bank account is not online-enabled.)
 |> I _never_ shopped online.  This destroys local pharmacies, shops,
 |> small (hopefully) good jobs that sometimes exist for centuries.
 |> Western world cities have become faceless culture-free concrete
 |> djungles with McDonald's smell for kilometres.  No.
 |
 |Well... if you could just buy the things you *absolutely need* anywhere else
 |than online... if it were so simple...
 |
 |Sorry, but this is the reality, at least where I live. The local shops have
 |already been by large part destroyed by online shopping. It's too late. You
 |can't buy anything in a local shop if the shop doesn't sell it.
 |
 |Nowadays only the most popular and mass-bought items are available in
 |physical shops. If you need anything that is a bit less popular, you *have*
 |to buy it online. Sorry, that's it.

Luckily here a couple of shops remain, even for clothes and
electronics (mostly household).  It is much uglier a bit further
away, most smaller villages do not even have a bank or even
a bakery any more; some have (also new) so-called "Tante Emma
Laden" (Aunt Emma Shop) which offer a bit.  The situation is bad for
elderly people in the countryside.  Even very bad as younger doctors do not
go there, and we have had a political movement in Germany over
twenty years ago to do something against this trend.
Unfortunately then there was a government change, but it surely
would have failed even without that.  It is just the western world
.. and/but not only that and there, of course.  (Though it is
and was mostly the western world which puts pressure due to its
way of doing things; others can do nothing but follow due to
economic pressure, sooner or later.  But that leads much too far.)

 |Two examples from last weeks: OMTP to CTIA headphone adapter for a mobile
 |phone? A replacement battery for a used laptop I just bought (in a physical
 |shop btw.)? No chance to get anywhere else than online. And I live in a
 |large city. What should people in rural areas say?

Well.  For one: i try to avoid too much consumption at first.
Most of it is due to brain aka character failures, aka
"replacement acts" (sorry, my english) to fill a void.  Now
whereas i grant there is nothing but void, that void is possibly
full of light.  That is of course religious, philosophical, etc.
Take Alexander Solzhenitsyn: a hero, then in the Bolshevik Gulag,
and when he came back all that he wanted was some bread, sauerkraut
and a bottle of milk a day.  (Said Shostakovich, where he lived.)
Eh.  I think that christian guy also went to the desert and came
back saying such before they nailed that sausage somewhere.

That is that.  No to it actually is yes.  (Let alone that totally
responseless western way of doing things, or do you buy fairphone
and such.  Cheap buying, expensive selling.  Destroys life on
earth.  They knew that over 150 years ago btw.!  And the Club of
Rome gave a picture in 1972 that we still do not look at.  No.)

But sigh before i start praying.
Regarding electronics we have a good one in Darmstadt for many
decades, Zimmermann Electronic.  And some good (other) computer
shops, too.  But this is a privileged and "rich" area here, so,
well, yes, i can understand this.  Of course i do.

Then again, if it does not have to happen from day to day, one could
drive to the next bigger city and buy there, have a coffee or tea
(or a smoke, depending on who and where you are), spend an afternoon in
the city, and then go back, on the next Saturday or so.  Or stay
longer, for some Saturday night.

 |And as for the banking, I never understand the people who don't do online
 |banking. You have to constantly pay for something - electricity, Internet,
 |rent, insurance, telephone etc. - all this happens by transferring money to
 |some account. There's a dozen of these payments each month. Do you really

Yes.  Permanently, you initiate it once, and then it happens
periodically.

 |want to go to the bank (or to a post office), stand there in a long line to
 |pay for this in cash or fill in a money transfer form on paper and give it
 |to the clerk, instead of doing it conveniently from your computer whenever

Ah -- you know the bank was like that two decades ago.  Then they
did something interesting, should you ever have read the book "The
Money Exchangers" or whatever its name was, Arthur Hailey i think hmm.
So the fun comes only if you know the book.
They extended the room and split it 50:50 into a part full of
"robots" and some places where humans sit.  A moving glass wall
locks the human part away outside the working hours.  The robotic part
does not even have a trashbin any longer, i think someone made some
fire there (and the cameras did not help).
So you mostly interact with the robots here.

You know.  Family businesses 

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 23:54:28 Steffen Nurpmeso via Postfix-users writes:
> Eh, no.  I do not do either.  (Granted i use PayPal one, two times
> a month, but my bank account is not online-enabled.)
> I _never_ shopped online.  This destroys local pharmacies, shops,
> small (hopefully) good jobs that sometimes exist for centuries.
> Western world cities have become faceless culture-free concrete
> djungles with McDonald's smell for kilometres.  No.

Well... if you could just buy the things you *absolutely need* anywhere else
than online... if it were so simple...

Sorry, but this is the reality, at least where I live. The local shops have
already been by large part destroyed by online shopping. It's too late. You
can't buy anything in a local shop if the shop doesn't sell it.

Nowadays only the most popular and mass-bought items are available in
physical shops. If you need anything that is a bit less popular, you *have*
to buy it online. Sorry, that's it.

Two examples from last weeks: OMTP to CTIA headphone adapter for a mobile
phone? A replacement battery for a used laptop I just bought (in a physical
shop btw.)? No chance to get anywhere else than online. And I live in a
large city. What should people in rural areas say?

And as for the banking, I never understand the people who don't do online
banking. You have to constantly pay for something - electricity, Internet,
rent, insurance, telephone etc. - all this happens by transferring money to
some account. There's a dozen of these payments each month. Do you really
want to go to the bank (or to a post office), stand there in a long line to
pay for this in cash or fill in a money transfer form on paper and give it
to the clerk, instead of doing it conveniently from your computer whenever
you have time?

>  |Second, most web browsers nowadays (as well as mail clients) support TLS
>  |v1.2 since long time, so it's of course very little probability that someone
>  |who uses so outdated browser that it doesn't support TLS v1.2 will try to
>  |access your website, *and*: a) either that person will complain to you, or
>  |b) you will notice it in your httpd logs.
> 
> Sorry i do not understand a word.  Long time TLSv1.2, yes.

I mean, if your website requires TLSv1.2 (because you mentioned lighttpd,
I assume you run some website), for you to notice any problems with it, the
following conditions must be met:

a) there is a person who is interested in accessing your website and at the
same time uses a very outdated browser that doesn't support TLSv1.2

and either

b) that person complains to you (eg. via e-mail) that he/she can't connect
or
c) you will notice browsing your httpd logs that some client was unable to
connect due to incompatible TLS version.

Only if a) and b) or a) and c) are met simultaneously, you will notice that
there are any problems. There is very little probability that this will
happen. Even a) alone isn't very probable, because there's a small number of
people using so old browsers, and how many of them are interested in your
particular website? But even if a) alone occurs, you will not notice any
problems until b) or c) occurs as well. So it is quite obvious that you
don't notice any problems.

> For _me_ it works in practice and there is no fallout.  I get
> anything i need / expect.  If you have to take care for some elder
> servers then this is surely a problem you have to solve,
> especially if it is your business.

I'm not talking about any server that I take care for. I'm talking about a
server of a company from which I receive emails, as their customer. Their
server can negotiate only TLSv1 with my server. Anyway, it's better than if
they would send their mail unencrypted. And they would, if I set *my* server
to TLSv1.2 minimum (which I don't do).
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in
 <20230318203334.ga31...@rafa.eu.org>:
 |On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users writes:
 |> I still have no problems with
 |> 
 |>   smtpd_tls_mandatory_protocols = >=TLSv1.2
 |>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
 |>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
 |>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
 |>   smtpd_tls_mandatory_ciphers = high
 |> 
 |> Neither for lighttpd nor for postfix.
 |
 |First, we should not mix HTTP(S) with SMTP, these are two completely
 |different things. While as strict TLS security as possible in the web
 |browsing is essential (think about various highly private data you are
 |transmitting eg. when doing online shopping or banking), it has much less

Eh, no.  I do not do either.  (Granted i use PayPal one, two times
a month, but my bank account is not online-enabled.)
I _never_ shopped online.  This destroys local pharmacies, shops,
small (hopefully) good jobs that sometimes exist for centuries.
Western world cities have become faceless culture-free concrete
djungles with McDonald's smell for kilometres.  No.

 |meaning in email, due to nature of TLS in email being opportunistic, that
 |means, if servers can't negotiate TLS connection, they fall back to
 |plaintext (unencrypted), because mail must be delivered anyway.
 |
 |As mail can go through various intermediate servers over which you have no
 |control, and can be stored on them for a period of time over which you have
 |no control, if anything highly sensitive is sent via email, it should be
 |end-to-end encrypted anyway, using applications like gpg or similar, and not
 |rely on transport encryption.
 |
 |Second, most web browsers nowadays (as well as mail clients) support TLS
 |v1.2 since long time, so it's of course very little probability that someone
 |who uses so outdated browser that it doesn't support TLS v1.2 will try to
 |access your website, *and*: a) either that person will complain to you, or
 |b) you will notice it in your httpd logs.

Sorry i do not understand a word.  Long time TLSv1.2, yes.

 |Third, there are still quite a few mail *servers* that don't support TLS
 |v1.2. In that case, they will fall back to plaintext when sending mail to
 |your server. Do you analyze your logs for such cases?

I have looked once i switched.  I noted a rush of lower
connections once i posted the above last.  Even the GNU server now
uses more modern things, as it gets through.  I do not know one.

 |When I occasionally browse my Postfix logs, I notice one particular server
 |(from which I receive mail quite often) that can negotiate only TLS v1
 |connection with my server. So if I would require TLS>=1.2 on my server, that
 |server would fall back to plaintext to send mail to me. I think that TLS v1
 |is still better security than no encryption at all ;)

For _me_ it works in practice and there is no fallout.  I get
anything i need / expect.  If you have to take care for some elder
servers then this is surely a problem you have to solve,
especially if it is your business.

In general people update OpenSSL / crypto library of choice, aka
install their distribution's security updates, in which case all
is well out of the box (and likely would be for some years).

The only problem i currently have is

  Mar 18 22:24:53 postfix/smtpd[26025]: warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.1.0 may not be compatible with OpenSSL 3.0.0

i hope AlpineLinux recompiles some OpenSSL-linked software so we
get rid of that.


--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users

On 19/03/23 07:44, Matus UHLAR - fantomas via Postfix-users wrote:
> I would generally allow the printer to use port 25.

Port 25 is not a submission port and should not be used as such.  Keep
your submission separate from your MX traffic and you will avoid a whole
heap of issues down the road.

If you want a separate port for the printer then just create one in
master.cf:

10465 inet n   -   n   -   -   smtpd
    -o syslog_name=postfix/10465
    -o smtpd_tls_wrappermode=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_recipient_restrictions=$mua_recipient_restrictions
    -o milter_macro_daemon_name=ORIGINATING

...or similar for a submission (non-wrappermode) port.

Peter


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users

On 19/03/23 02:54, Gerd Hoerst via Postfix-users wrote:
> I setup my postfix for the clients to use only  protocols > TLSv1 with
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1

A better way to do this is:
smtpd_tls_protocols = >=TLSv1.1

> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1

Don't do this!  All you will accomplish is to force clients that don't
support at least TLSv1.1 to connect in plain text instead.  No
encryption is never better than (arguably not very) weak encryption.

> in main.cf
>
> but unfortunately i have a sender (its a printer) which is not capable
> for TLSv1.1 and up..

As others have pointed out, TLSv1.0 is not that bad for smtp.  Others
have posted a solution for this, but honestly I would just allow >=TLSv1
and not worry about it.

Peter
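The thread compares two ways of writing the same policy: the exclusion form (`!SSLv2, !SSLv3, !TLSv1`) and the version-boundary form (`>=TLSv1.1`) that Peter recommends. The following Python parser is an added example, not code from the thread or from Postfix itself; it resolves a `smtpd_tls_protocols` / `smtpd_tls_mandatory_protocols` value to the set of versions it permits, so a setting can be checked before it is deployed, and it reports which versions a tightened value drops. It covers the documented forms (empty value, exclusion, inclusion, and the Postfix 3.6+ `>=`/`<=` boundaries); rejecting a value that mixes the forms is a simplification of my own, not a statement about what Postfix does with such input.

```python
import re

# Protocol versions in ascending order, as named in the Postfix documentation.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_CANON = {p.lower(): p for p in PROTOCOLS}


def _index(name):
    """Position of a protocol name in PROTOCOLS; names are case-insensitive."""
    try:
        return PROTOCOLS.index(_CANON[name.lower()])
    except KeyError:
        raise ValueError(f"unknown protocol name: {name!r}") from None


def enabled_protocols(value):
    """Return the protocol versions a Postfix protocol-list value permits.

    Handles an empty value (everything), the exclusion form
    ("!SSLv2,!SSLv3,!TLSv1"), the inclusion form ("TLSv1.2 TLSv1.3") and the
    Postfix >= 3.6 boundary form (">=TLSv1.2", optionally with "<=").
    Separators may be whitespace, commas or colons.  Mixing forms raises
    ValueError here; that is this example's simplification, not Postfix's rule.
    """
    tokens = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    if not tokens:
        return list(PROTOCOLS)

    bounds = [t for t in tokens if t.startswith((">=", "<="))]
    if bounds:
        if len(bounds) != len(tokens):
            raise ValueError("do not mix >=/<= boundaries with protocol names")
        lo, hi = 0, len(PROTOCOLS) - 1
        for t in bounds:
            idx = _index(t[2:])
            if t.startswith(">="):
                lo = max(lo, idx)
            else:
                hi = min(hi, idx)
        return PROTOCOLS[lo:hi + 1]

    excluded = [t for t in tokens if t.startswith("!")]
    if excluded:
        if len(excluded) != len(tokens):
            raise ValueError("do not mix exclusion (!name) and inclusion forms")
        drop = {_index(t[1:]) for t in excluded}
        return [p for i, p in enumerate(PROTOCOLS) if i not in drop]

    keep = {_index(t) for t in tokens}
    return [p for i, p in enumerate(PROTOCOLS) if i in keep]


def dropped_by_change(old_value, new_value):
    """Versions that old_value permits but new_value no longer does.

    On port 25 (opportunistic TLS) a peer that can only speak one of these
    falls back to plaintext once the new value is in effect."""
    new = set(enabled_protocols(new_value))
    return [p for p in enabled_protocols(old_value) if p not in new]


if __name__ == "__main__":
    for value in ["!SSLv2, !SSLv3, !TLSv1", ">=TLSv1.1", ">=TLSv1.2"]:
        print(f"{value!r:28} -> {', '.join(enabled_protocols(value))}")
    print("tightening >=TLSv1.1 to >=TLSv1.2 drops:",
          dropped_by_change(">=TLSv1.1", ">=TLSv1.2"))
```

Both spellings from the thread resolve to the same set (TLSv1.1, TLSv1.2, TLSv1.3); the boundary form is simply shorter and reads as the policy it expresses. Note the parser models the protocol list only; whether a given version is actually usable still depends on what the installed OpenSSL build supports.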


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users

On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote:
> I still have no problems with
>
>    smtpd_tls_mandatory_protocols = >=TLSv1.2

This is fine, so long as you don't have a user that can't support at
least TLSv1.2 that needs to use submission.

>    smtpd_tls_protocols = $smtpd_tls_mandatory_protocols

This will simply result in clients that can't support at least TLSv1.2
connecting in plain text instead.  So rather than having (arguably not
so) poor encryption for those clients you would rather have no encryption
at all?  This does not make any sense.

>    # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>    tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20

I would avoid messing with this setting unless you really understand
what you are doing, and even then it's not a very good idea.  You could
end up causing some clients to be unable to establish a connection or on
the flip side you could inadvertently be enabling a cipher that ends up
becoming vulnerable in the future unless you stay on top of this setting
and remove it from the list.  Note that the default for this setting is
taken from openssl so when a vulnerability does get found in a cipher
you will get an update to openssl from your OS vendor which will remove
that cipher from the list, unless you do something like override it like
you are doing above.

>    smtpd_tls_mandatory_ciphers = high

This is fine.

Peter


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users writes:
> I still have no problems with
> 
>   smtpd_tls_mandatory_protocols = >=TLSv1.2
>   smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
>   # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>   tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
>   smtpd_tls_mandatory_ciphers = high
> 
> Neither for lighttpd nor for postfix.

First, we should not mix HTTP(S) with SMTP, these are two completely
different things. While as strict TLS security as possible in the web
browsing is essential (think about various highly private data you are
transmitting eg. when doing online shopping or banking), it has much less
meaning in email, due to nature of TLS in email being opportunistic, that
means, if servers can't negotiate TLS connection, they fall back to
plaintext (unencrypted), because mail must be delivered anyway.

As mail can go through various intermediate servers over which you have no
control, and can be stored on them for a period of time over which you have
no control, if anything highly sensitive is sent via email, it should be
end-to-end encrypted anyway, using applications like gpg or similar, and not
rely on transport encryption.

Second, most web browsers nowadays (as well as mail clients) support TLS
v1.2 since long time, so it's of course very little probability that someone
who uses so outdated browser that it doesn't support TLS v1.2 will try to
access your website, *and*: a) either that person will complain to you, or
b) you will notice it in your httpd logs.

Third, there are still quite a few mail *servers* that don't support TLS
v1.2. In that case, they will fall back to plaintext when sending mail to
your server. Do you analyze your logs for such cases?

When I occasionally browse my Postfix logs, I notice one particular server
(from which I receive mail quite often) that can negotiate only TLS v1
connection with my server. So if I would require TLS>=1.2 on my server, that
server would fall back to plaintext to send mail to me. I think that TLS v1
is still better security than no encryption at all ;)
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
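Jaroslaw's question above ("Do you analyze your logs for such cases?") is the practical check to run before raising the protocol floor. The script below is an added example, not code from the thread or from Postfix: it reads smtpd log lines, counts the TLS version negotiated per peer, flags sessions that accepted a message without the client ever issuing STARTTLS, and lists the peers that a given minimum version would push to plaintext. The log lines embedded in it are constructed for the example; the shapes of the "TLS connection established" and "disconnect from ... starttls=N" messages are assumed to match what a current Postfix smtpd logs (the `starttls` counter in the disconnect summary is what the plaintext check relies on).

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines for this example (not taken from the thread).
# They follow the shape of Postfix smtpd's "TLS connection established" and
# "disconnect from" messages; the per-command counters on the disconnect line
# include starttls=N only when the client actually issued STARTTLS.
SAMPLE_LOG = """\
Mar 18 22:24:53 mx postfix/smtpd[26025]: connect from mail.example.org[192.0.2.10]
Mar 18 22:24:53 mx postfix/smtpd[26025]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar 18 22:24:54 mx postfix/smtpd[26025]: disconnect from mail.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 18 22:30:01 mx postfix/smtpd[26031]: connect from legacy.example.net[198.51.100.7]
Mar 18 22:30:01 mx postfix/smtpd[26031]: Untrusted TLS connection established from legacy.example.net[198.51.100.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 18 22:30:02 mx postfix/smtpd[26031]: disconnect from legacy.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 18 22:41:17 mx postfix/smtpd[26040]: connect from printer.example.lan[10.0.0.23]
Mar 18 22:41:18 mx postfix/smtpd[26040]: disconnect from printer.example.lan[10.0.0.23] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 18 22:50:00 mx postfix/smtpd[26044]: connect from scanner.example.com[203.0.113.9]
Mar 18 22:50:00 mx postfix/smtpd[26044]: disconnect from scanner.example.com[203.0.113.9] ehlo=1 quit=1 commands=2
"""

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

TLS_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (?P<client>\S+\[[^\]]+\]): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
DISC_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<client>\S+\[[^\]]+\])(?P<counts>(?: [a-z]+=\d+)*)"
)


def analyze(log_text):
    """Summarize negotiated TLS versions and find sessions that sent mail in the clear."""
    by_protocol = Counter()       # protocol -> number of TLS sessions
    clients = defaultdict(set)    # protocol -> peers seen negotiating it
    plaintext_senders = []        # peers that delivered mail without STARTTLS
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            by_protocol[m["proto"]] += 1
            clients[m["proto"]].add(m["client"])
            continue
        m = DISC_RE.search(line)
        if m:
            counts = {k: int(v) for k, v in (kv.split("=") for kv in m["counts"].split())}
            # mail>=1 means a message was accepted; no starttls counter means the
            # whole session, envelope and content included, ran unencrypted.
            if counts.get("mail", 0) >= 1 and counts.get("starttls", 0) == 0:
                plaintext_senders.append(m["client"])
    return {
        "by_protocol": dict(by_protocol),
        "clients": {p: sorted(c) for p, c in clients.items()},
        "plaintext_senders": plaintext_senders,
    }


def clients_below(summary, floor):
    """Peers whose best observed TLS version is older than `floor` (e.g. "TLSv1.2").

    With opportunistic TLS on port 25 these are the peers that would fall back
    to plaintext if smtpd_tls_protocols were raised to >=floor."""
    floor_idx = PROTOCOL_ORDER.index(floor)
    best = {}
    for proto, peers in summary["clients"].items():
        if proto not in PROTOCOL_ORDER:
            continue
        idx = PROTOCOL_ORDER.index(proto)
        for peer in peers:
            best[peer] = max(best.get(peer, -1), idx)
    return sorted(peer for peer, idx in best.items() if idx < floor_idx)


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print("sessions per protocol:", summary["by_protocol"])
    print("delivered mail without STARTTLS:", summary["plaintext_senders"])
    print("would lose TLS at >=TLSv1.2:", clients_below(summary, "TLSv1.2"))
```

Against a real server, feed it the mail log (the path, e.g. `/var/log/mail.log`, depends on the distribution and is an assumption here): `analyze(open(path).read())`. In the constructed sample the `legacy.example.net` peer is the situation Jaroslaw describes, a TLSv1-only sender that a `>=TLSv1.2` floor would turn into a plaintext sender, while `printer.example.lan` already shows what that outcome looks like in the disconnect summary, so the two lists together give the before/after picture for the change under discussion.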


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in
 <20230318191215.gb30...@rafa.eu.org>:
 |On 18.03.2023 at 14:54:15 Gerd Hoerst via Postfix-users writes:
 |> I setup my postfix for the clients to use only  protocols > TLSv1 with
 |> 
 |> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
 |> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1
 |
 |While the former makes some sense (requiring TLS>=1.1 for mail *submission*
 |from your users) - most mail clients are able to conform to this - the latter
 |(requiring TLS>=1.1 for *incoming* mail on port 25) does not. Don't do it.

I still have no problems with

  smtpd_tls_mandatory_protocols = >=TLSv1.2
  smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
  # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
  tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20
  smtpd_tls_mandatory_ciphers = high

Neither for lighttpd nor for postfix.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 14:54:15 Gerd Hoerst via Postfix-users writes:
> I setup my postfix for the clients to use only  protocols > TLSv1 with
> 
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1

While the former makes some sense (requiring TLS>=1.1 for mail *submission*
from your users) - most mail clients are able to conform to this - the latter
(requiring TLS>=1.1 for *incoming* mail on port 25) does not. Don't do it.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 18, 2023 at 07:32:18PM +0100, Gerd Hoerst via Postfix-users wrote:

> I read a tutorial to harden postfix and there they trew out TLSv1

The tutorial is mostly misguided.  Though in practice, TLS 1.0 is
increasingly rare on the public Internet, so the damage from disabling
it is fairly low.  So your server will score more points in a fashion
show of modern cryptographic prowess if TLS 1.0 is disabled.

You now have a choice between being fashionable, and being interoperable
with a dwindling number of unfashionable systems.  The latter also makes
a non-conformist statement I guess.  Choose your crowd.

-- 
Viktor.


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Matus UHLAR - fantomas via Postfix-users

> Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54:
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
>> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1
>>
>> in main.cf
>
> in main.cf put a # in these lines, so it's the default from postconf -d
>
>> but unfortunately i have a sender (its a printer) which is not capable
>> for TLSv1.1 and up..

On 18.03.23 19:35, Benny Pedersen via Postfix-users wrote:
> add in master.cf
>
>  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
>  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1
>
> so only port 465, 587 have this, but you should keep defaults

Usually, smtpd_tls_mandatory_protocols are used on 465 and 587, while
smtpd_tls_protocols is used on port 25.

So you only need to define them properly in main.cf, unless you play with
different settings on different ports.

I would generally allow the printer to use port 25.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Benny Pedersen via Postfix-users

Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54:
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1
>
> in main.cf

in main.cf put a # in these lines, so it's the default from postconf -d

> but unfortunately i have a sender (its a printer) which is not capable
> for TLSv1.1 and up..

add in master.cf

 -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1
 -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1

so only port 465, 587 have this, but you should keep defaults

this will do what you want, but imho why not keep all tls for all ?

> How can i manage to use TLSv1.1 and up from outside but allow TLSv1
> from inside my network

tlsv1 is less weak than tlsv1.1

others will comment now I am sure :)


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Gerd Hoerst via Postfix-users

Hi !

I read a tutorial to harden postfix and there they threw out TLSv1

Ciao Gerd

On 18.03.2023 at 16:07, Bill Cole via Postfix-users wrote:
> On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100)
> Gerd Hoerst via Postfix-users
> is rumored to have said:
>
>> Hi !
>>
>> I setup my postfix for the clients to use only  protocols > TLSv1 with
>>
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
>> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1
>>
>> in main.cf
>
> Why?
>
>> but unfortunately i have a sender (its a printer) which is not
>> capable for TLSv1.1 and up..
>>
>> How can i manage to use TLSv1.1 and up from outside but allow TLSv1
>> from inside my network
>
> What do you believe to be the risk of allowing TLSv1.0 for SMTP?
>
> My understanding is that the marginal risks of TLSv1.0 are not
> relevant to SMTP. It is also inherently counter-productive to prohibit
> TLSv1.0 if you allow unencrypted SMTP as a fallback.





[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Wietse Venema via Postfix-users
If you must (not necessarily a good idea), your options are:

- Multiple Postfix instances on different IP addresses. Each instance
has its own main.cf and master.cf.

- Single Postfix instance with different smtpd configurations in
master.cf on different server IP addresses, using main.cf only for
common settings.

/etc/postfix/master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command
#   (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
# SMTP service for internal clients
1.2.3.4:smtp  inet  n   -   n   -   -   smtpd
    -o { parameter = value }
    ...

# SMTP service for external clients
1.2.3.5:smtp  inet  n   -   n   -   -   smtpd
    -o { parameter = value }
    ...

This is manageable when the differences are small.

Wietse


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Bill Cole via Postfix-users

On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100)
Gerd Hoerst via Postfix-users
is rumored to have said:

> Hi !
>
> I setup my postfix for the clients to use only  protocols > TLSv1
> with
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1
>
> in main.cf

Why?

> but unfortunately i have a sender (its a printer) which is not capable
> for TLSv1.1 and up..
>
> How can i manage to use TLSv1.1 and up from outside but allow TLSv1
> from inside my network

What do you believe to be the risk of allowing TLSv1.0 for SMTP?

My understanding is that the marginal risks of TLSv1.0 are not relevant
to SMTP. It is also inherently counter-productive to prohibit TLSv1.0 if
you allow unencrypted SMTP as a fallback.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire