Re: Testing new server
On Fri, Apr 19, 2019 at 03:35:03PM -0700, Daniel Miller wrote:

> I've set up a new server - and it *was* working fine...but then I enabled
> a few more settings... I was attempting to make hardenize.com happy
> (and I'm glad I did - it exposed some stupid mistakes on my part).

But now your server no longer responds at all after the TLS handshake completes. Perhaps a firewall issue?

You can ignore the certificate verification warnings: an empty list of trusted CAs means that no verification is expected.

$ posttls-finger danmarkreps.com
posttls-finger: Connected to smtp.danmarkreps.com[107.175.220.136]:25
posttls-finger: < 220 mail.danmarkreps.com ESMTP Postfix
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-mail.danmarkreps.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-SIZE 7
posttls-finger: < 250-VRFY
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 NOOP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: host.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: imap.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: mail.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: smtp.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: www.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25 CommonName danmarkreps.com
posttls-finger: certificate verification failed for smtp.danmarkreps.com[107.175.220.136]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subject_CN=danmarkreps.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=E2:D2:9F:04:A5:1B:E8:8A:EA:1C:DA:67:81:01:D4:FD:01:97:6B:33, pkey_fingerprint=A0:52:8A:C6:88:89:C0:C1:43:72:9D:29:D5:C2:0D:BD:5F:9B:BC:D6
posttls-finger: Untrusted TLS connection established to smtp.danmarkreps.com[107.175.220.136]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: timeout while sending EHLO
posttls-finger: > QUIT
posttls-finger: warning: timeout while sending QUIT command

--
	Viktor.
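The transcript above shows the pattern Viktor points at: the TLS handshake completes, but the EHLO sent inside the encrypted channel never gets an answer. The script below is an added example, not part of the thread and not Postfix code: it parses posttls-finger(1) output into a small summary, labels that "handshake ok, then silence" pattern, and can replay the same EHLO / STARTTLS / EHLO sequence live with Python's smtplib so the fix can be re-checked from a monitoring host. The host names, addresses and both transcripts are constructed for illustration; `analyze_transcript`, `diagnose` and `probe_starttls` are names chosen here.

```python
"""Added example: triage a posttls-finger run (not code from the thread)."""
import re
import smtplib
import socket
import ssl

# Matches the Postfix "<level> TLS connection established" summary line.
ESTABLISHED_RE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed transcript reproducing the stall: handshake completes, EHLO times out.
STALLED_TRANSCRIPT = """\
posttls-finger: Connected to smtp.example.test[192.0.2.10]:25
posttls-finger: < 220 mail.example.test ESMTP Postfix
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 NOOP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: certificate verification failed for smtp.example.test[192.0.2.10]:25: untrusted issuer /O=Example/CN=Example Root
posttls-finger: Untrusted TLS connection established to smtp.example.test[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: timeout while sending EHLO
posttls-finger: > QUIT
posttls-finger: warning: timeout while sending QUIT command
"""

# Constructed transcript of a healthy server for comparison.
HEALTHY_TRANSCRIPT = """\
posttls-finger: Connected to smtp.example.test[192.0.2.10]:25
posttls-finger: < 220 mail.example.test ESMTP Postfix
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 NOOP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to smtp.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-mail.example.test
posttls-finger: < 250 NOOP
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
"""


def analyze_transcript(text):
    """Reduce a posttls-finger transcript to the facts that matter for triage."""
    summary = {"tls_established": False, "trust": None, "protocol": None, "cipher": None,
               "verification_failed": False, "post_handshake_ok": False, "failure": None}
    after_tls = False
    for raw in text.splitlines():
        line = raw[len("posttls-finger: "):] if raw.startswith("posttls-finger: ") else raw
        if "certificate verification failed" in line:
            summary["verification_failed"] = True
        m = ESTABLISHED_RE.search(line)
        if m:
            summary.update(tls_established=True, trust=m["trust"],
                           protocol=m["proto"], cipher=m["cipher"])
            after_tls = True
            continue
        if not after_tls:
            continue  # replies before STARTTLS say nothing about the encrypted channel
        if line.startswith("< 250"):
            summary["post_handshake_ok"] = True  # the server answered the second EHLO
        elif "timeout" in line and summary["failure"] is None:
            summary["failure"] = line.removeprefix("warning: ")  # keep the first timeout
    return summary


def diagnose(summary):
    """Map a summary to a one-word label usable in a monitoring check."""
    if not summary["tls_established"]:
        return "no-tls"
    if summary["post_handshake_ok"]:
        return "ok"
    if summary["failure"]:
        return "post-handshake-stall"
    return "unknown"


def probe_starttls(host, port=25, timeout=10.0, helo_name="probe.invalid"):
    """Replay EHLO / STARTTLS / EHLO with smtplib and return a diagnose()-style label.

    Verification is switched off on purpose, like the no-CA posttls-finger run
    above: the question is whether the server talks after the handshake at all.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    stage, smtp = "connect", None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        stage = "ehlo"
        smtp.ehlo(helo_name)
        if not smtp.has_extn("starttls"):
            return "no-starttls"
        stage = "starttls"
        smtp.starttls(context=ctx)
        stage = "ehlo-after-tls"
        code, _ = smtp.ehlo(helo_name)
        return "ok" if code == 250 else "unexpected-reply"
    except socket.timeout:
        # Silence only after the handshake is the stall seen in the thread.
        return "post-handshake-stall" if stage == "ehlo-after-tls" else f"timeout-at-{stage}"
    except (OSError, smtplib.SMTPException) as exc:
        return f"error-at-{stage}: {type(exc).__name__}"
    finally:
        if smtp is not None:
            smtp.close()  # no QUIT: a stalled server would just time out again


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_starttls(sys.argv[1]))  # live check against a host you operate
    else:
        for name, text in (("stalled", STALLED_TRANSCRIPT), ("healthy", HEALTHY_TRANSCRIPT)):
            print(name, diagnose(analyze_transcript(text)))
```

Run it with no arguments to see the two constructed transcripts classified, or with a hostname to probe a server you operate; a result of `post-handshake-stall` with a working pre-TLS EHLO points at whatever sits between the TLS endpoint and the SMTP engine (a proxy or firewall rule), not at the certificate.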
Re: Testing new server
On 4/19/2019 3:35 PM, Daniel Miller wrote:

> If anyone wants to test - please try sending to the address "pubtest at danmarkreps.com".

Well...I've gotten at least one test message (thank you Lazy G!) so I can't be *completely* broken. Which leaves me with two likely possibilities - either Gmail/Hotmail, unique to themselves, are expecting some responses from my server that they aren't getting...or I must have something filtering them at a lower level.

This server was set up partially as a testbed for a new config. In particular, I'm trying ASSP in the "proper" manner, where ASSP only directly listens on port 25 - ports 465/587 are handled by Postfix initially. And that's been working fine - but now that I've actually enabled TLS in ASSP...

Brief deviation - I thought I had TLS enabled previously...trying to make hardenize happy showed that ASSP didn't have access to my certificates. Apparently my installation of certbot didn't allow read access to the necessary folders. Note to all - if you're going to use the "live" certs directly from any other program, make sure you have proper read/enter access to the "live" and "archive" folders.

Now that I've corrected that and am actually supporting STARTTLS...I have this problem. Does anyone see anything wrong via their logs or telnet? Otherwise either Gmail/Hotmail must have me blocked...or I'm blocking them and have to find where it's hiding.

--
Daniel
Testing new server
I've set up a new server - and it *was* working fine...but then I enabled a few more settings... I was attempting to make hardenize.com happy (and I'm glad I did - it exposed some stupid mistakes on my part).

I'm able to send without issue and receive from most other servers. But in particular, Google & Outlook seem unable to connect via TLS. It looks like the initial handshakes are fine...but then nothing happens.

If anyone wants to test - please try sending to the address "pubtest at danmarkreps.com".

Thank you.

--
Daniel
Re: Testing new server
On Wed, May 16, 2018 at 9:28 AM Matus UHLAR - fantomas wrote:

> On 15.05.18 16:54, Steve Huston wrote:
> >To do so, I'd like to send a copy of all locally-delivered
> >mail from the old machine to the new one to have it processed there.
>
> always_bcc and *_bcc_maps will not help you - they accept a single address, so
> even if you configured that address to be sent to a remote server, it's always
> just one address.
>
> unless you'd configure recipient_bcc_maps for each recipient - but it still
> would be a different address than the one processed locally.

That's what I was afraid of. Alright, I'll test on a smaller scale and for the load test... we'll do it live :D

Thanks!

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
Re: Testing new server
On 15.05.18 16:54, Steve Huston wrote:

> I have an old machine I'm in the process of retiring, and want to test its
> replacement. To do so, I'd like to send a copy of all locally-delivered
> mail from the old machine to the new one to have it processed there.
>
> I've set "default_transport = discard:Outgoing email disabled for testing"
> on the new server, and tested single messages here and there, but am having
> trouble figuring out a way to tell the old machine that its local_transport
> should be both the normal local delivery and in addition to send a copy to
> another server. I did find always_bcc and the bcc maps, but I'm not sure if
> that's the right answer. A transport map seems like the right answer, but
> that appears to only have a single target.

always_bcc and *_bcc_maps will not help you - they accept a single address, so even if you configured that address to be sent to a remote server, it's always just one address.

unless you'd configure recipient_bcc_maps for each recipient - but it still would be a different address than the one processed locally.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows. -- Matthew D. Fuller
Testing new server
I have an old machine I'm in the process of retiring, and want to test its replacement. To do so, I'd like to send a copy of all locally-delivered mail from the old machine to the new one to have it processed there.

I've set "default_transport = discard:Outgoing email disabled for testing" on the new server, and tested single messages here and there, but am having trouble figuring out a way to tell the old machine that its local_transport should be both the normal local delivery and in addition to send a copy to another server. I did find always_bcc and the bcc maps, but I'm not sure if that's the right answer. A transport map seems like the right answer, but that appears to only have a single target.

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |ICBM Address: 40.346344 -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'