Re: Testing new server

2019-04-19 Thread Viktor Dukhovni
On Fri, Apr 19, 2019 at 03:35:03PM -0700, Daniel Miller wrote:

> I've set up a new server - and it *was* working fine...but then I enabled 
> a few more settings...  I was attempting to make hardenize.com happy 
> (and I'm glad I did - it exposed some stupid mistakes on my part).

But now your server no longer responds at all after the TLS handshake
completes.  Perhaps a firewall issue?  You can ignore the certificate
verification warnings, an empty list of trusted CAs means that no
verification is expected.

$ posttls-finger danmarkreps.com
posttls-finger: Connected to smtp.danmarkreps.com[107.175.220.136]:25
posttls-finger: < 220 mail.danmarkreps.com ESMTP Postfix
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-mail.danmarkreps.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-SIZE 7
posttls-finger: < 250-VRFY
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 NOOP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: host.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: imap.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: mail.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: smtp.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: www.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25 CommonName danmarkreps.com
posttls-finger: certificate verification failed for smtp.danmarkreps.com[107.175.220.136]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subject_CN=danmarkreps.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=E2:D2:9F:04:A5:1B:E8:8A:EA:1C:DA:67:81:01:D4:FD:01:97:6B:33, pkey_fingerprint=A0:52:8A:C6:88:89:C0:C1:43:72:9D:29:D5:C2:0D:BD:5F:9B:BC:D6
posttls-finger: Untrusted TLS connection established to smtp.danmarkreps.com[107.175.220.136]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: timeout while sending EHLO
posttls-finger: > QUIT
posttls-finger: warning: timeout while sending QUIT command

-- 
Viktor.

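The probe Viktor ran above, reproduced as an added Python example (not part of the thread and not Postfix's posttls-finger): it walks EHLO, STARTTLS and a second EHLO inside TLS with a timeout, and reports the stage at which the server went silent, which is what separates "firewall or proxy in the path" from "certificate or TLS settings". The EHLO name `amnesiac.invalid` is copied from the output above; the host name passed to `probe()` and the EHLO reply used as sample input are assumptions.

```python
import smtplib
import socket
import ssl

def ehlo_keywords(msg: bytes) -> list:
    """Keyword names from a 250 EHLO reply as smtplib returns it: response code
    already stripped, lines joined by newline, first line is the server name."""
    lines = msg.decode("ascii", "replace").splitlines()
    return [line.split()[0].upper() for line in lines[1:] if line.strip()]

def explain(stage, error):
    """Turn the stage a probe reached (and its error, if any) into the reading
    given in the thread: a handshake that completes and then goes silent is a path problem."""
    if error is None:
        return "STARTTLS works end to end: EHLO answered inside TLS"
    if stage == "tls_ehlo":
        return ("TLS handshake completed but the server never answered the EHLO "
                "sent inside TLS: look at the firewall or the proxy in front of "
                "Postfix, not at the certificate")
    if stage == "starttls":
        return "TLS handshake failed: check certificate/key readability and TLS settings"
    if stage == "ehlo":
        return "EHLO unanswered or no STARTTLS offered: TLS is not enabled on this listener"
    return "could not connect: port 25 closed or filtered"

def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Walk the same steps as posttls-finger. Verification is skipped on purpose,
    matching the thread: an empty trust store means no verification is expected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"stage": "connect", "error": None, "tls": None, "keywords": []}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["stage"] = "ehlo"
            code, msg = smtp.ehlo("amnesiac.invalid")  # EHLO name copied from the thread
            if code != 250 or "STARTTLS" not in ehlo_keywords(msg):
                raise smtplib.SMTPException("no STARTTLS in EHLO reply")
            result["stage"] = "starttls"
            smtp.starttls(context=ctx)
            result["tls"] = smtp.sock.version()  # e.g. 'TLSv1.3'
            result["stage"] = "tls_ehlo"
            code, msg = smtp.ehlo("amnesiac.invalid")  # where the thread's server hangs
            result["keywords"] = ehlo_keywords(msg)
    except (socket.timeout, TimeoutError) as exc:
        result["error"] = f"timeout: {exc}"  # same symptom as 'timeout while sending EHLO'
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    result["verdict"] = explain(result["stage"], result["error"])
    return result
```

Calling `probe("mail.example.invalid")` (placeholder host) returns the stage, the negotiated TLS version and a one-line verdict; a stall at stage `tls_ehlo` is the case shown in the output above.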

Re: Testing new server

2019-04-19 Thread Daniel Miller

On 4/19/2019 3:35 PM, Daniel Miller wrote:

> If anyone wants to test - please try sending to the address "pubtest at 
> danmarkreps.com".

Well...I've gotten at least one test message (thank you Lazy G!) so I 
can't be *completely* broken.

Which leaves me with two likely possibilities - either Gmail/Hotmail, 
unique to themselves, are expecting some responses from my server that 
they aren't getting...or I must have something filtering them at a lower 
level.

This server was set up partially as a testbed for a new config. In 
particular, I'm trying ASSP in the "proper" manner, where ASSP only 
directly listens on port 25 - ports 465/587 are handled by Postfix 
initially.  And that's been working fine - but now that I've actually 
enabled TLS in ASSP...

Brief deviation - I thought I had TLS enabled previously...trying to 
make hardenize happy showed that ASSP didn't have access to my 
certificates.  Apparently my installation of certbot didn't allow read 
access to the necessary folders.  Note to all - if you're going to use 
the "live" certs directly from any other program, make sure you have 
proper read/enter access to the "live" and "archive" folders.

Now that I've corrected that and am actually supporting STARTTLS...I 
have this problem. Does anyone see anything wrong via their logs or 
telnet? Otherwise either Gmail/Hotmail must have me blocked...or I'm 
blocking them and have to find where it's hiding.


--
Daniel


Testing new server

2019-04-19 Thread Daniel Miller
I've set up a new server - and it *was* working fine...but then I enabled 
a few more settings...  I was attempting to make hardenize.com happy 
(and I'm glad I did - it exposed some stupid mistakes on my part).


I'm able to send without issue and receive from most other servers. But 
in particular, Google & Outlook seem unable to connect via TLS.  It 
looks like the initial handshakes are fine...but then nothing happens.


If anyone wants to test - please try sending to the address "pubtest at 
danmarkreps.com".


Thank you.

--
Daniel


Re: Testing new server

2018-05-16 Thread Steve Huston
On Wed, May 16, 2018 at 9:28 AM Matus UHLAR - fantomas wrote:
> On 15.05.18 16:54, Steve Huston wrote:
> >To do so, I'd like to send a copy of all locally-delivered
> >mail from the old machine to the new one to have it processed there.
> always_bcc and *_bcc_maps will not help you - they accept a single address, so
> even if you configured that address to be sent to a remote server, it's always
> just one address.
>
> unless you'd configure recipient_bcc_maps for each recipient - but it still
> would be a different address than the one processed locally.

That's what I was afraid of.  Alright, I'll test on a smaller scale and for
the load test... we'll do it live :D

Thanks!


-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
   Princeton University  |ICBM Address: 40.346344   -74.652242
 345 Lewis Library   |"On my ship, the Rocinante, wheeling through
   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
 (267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'


Re: Testing new server

2018-05-16 Thread Matus UHLAR - fantomas

On 15.05.18 16:54, Steve Huston wrote:

I have an old machine I'm in the process of retiring, and want to test its
replacement.  To do so, I'd like to send a copy of all locally-delivered
mail from the old machine to the new one to have it processed there.  I've
set "default_transport = discard:Outgoing email disabled for testing" on
the new server, and tested single messages here and there, but am having
trouble figuring out a way to tell the old machine that its local_transport
should be both the normal local delivery and in addition to send a copy to
another server.

I did find always_bcc and the bcc maps, but I'm not sure if that's the
right answer.  A transport map seems like the right answer, but that
appears to only have a single target.


always_bcc and *_bcc_maps will not help you - they accept a single address, so
even if you configured that address to be sent to a remote server, it's always
just one address.

unless you'd configure recipient_bcc_maps for each recipient - but it still
would be a different address than the one processed locally.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller

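What Matus's last paragraph amounts to in configuration, as an added example that is not from the thread: one pcre recipient_bcc_maps rule on the old machine (so every recipient is covered without listing them) that sends each copy to the same local part at a copy domain, plus a transport entry routing that domain to the new host. As he notes, the copy still arrives as a different address than the one delivered locally, so the new host must map the copy domain back to its local users; old.example, copy.example and newhost.example are placeholders.

```text
# main.cf on the old machine (added example, not the thread's own config)
recipient_bcc_maps = pcre:/etc/postfix/recipient_bcc.pcre
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/recipient_bcc.pcre: every recipient at old.example gets a
# copy addressed to the same local part at the placeholder copy domain
/^(.+)@old\.example$/   ${1}@copy.example

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing):
# deliver the copy domain straight to the new host by name, no MX lookup
copy.example    smtp:[newhost.example]
```

The new server's `default_transport = discard:...` setting from the thread stays in place, so the copies it receives are processed but never relayed onward.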

Testing new server

2018-05-15 Thread Steve Huston
I have an old machine I'm in the process of retiring, and want to test its
replacement.  To do so, I'd like to send a copy of all locally-delivered
mail from the old machine to the new one to have it processed there.  I've
set "default_transport = discard:Outgoing email disabled for testing" on
the new server, and tested single messages here and there, but am having
trouble figuring out a way to tell the old machine that its local_transport
should be both the normal local delivery and in addition to send a copy to
another server.

I did find always_bcc and the bcc maps, but I'm not sure if that's the
right answer.  A transport map seems like the right answer, but that
appears to only have a single target.

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
   Princeton University  |ICBM Address: 40.346344   -74.652242
 345 Lewis Library   |"On my ship, the Rocinante, wheeling through
   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
 (267) 793-0852  | headlong into mystery."  -Rush, 'Cygnus X-1'