Re: [courier-users] Disable SSL for esmtpd on port 25

Hello.

On 30.05.2016 at 05:46, Mark Constable wrote:
> Our recipient client gets a bounce from our server when they try to
> send to, for instance, @dss.gov.au so I presume these servers are not
> falling back to an unencrypted connection. This is a recent example
> of our client trying to send to x...@dss.gov.au...

It's YOUR server that is not falling back to unencrypted. And these bounces are for OUTBOUND mail.

Which version of courier do you use? Newer courier should fall back to unencrypted since 0.71, released in March 2013 (according to [1]).

What are your TLS settings in the "courierd" file? Especially TLS_PROTOCOL and TLS_CIPHER_LIST.

You can disable STARTTLS for outbound mail completely with ESMTP_USE_STARTTLS set to 0. But the whole internet is moving towards TLS and you want to be the one to move the other way.

Correct your settings; if the other end has problems, inform them to correct their settings and everything will work. :)

[1]: https://sourceforge.net/p/courier/courier.git/ci/master/tree/courier/ChangeLog

- Bernd

___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Disable SSL for esmtpd on port 25

On 28/05/16 23:23, Sam Varshavchik wrote:
>> We only use authenticated relaying via 465/SSL and 587/TLS so none
>> of our clients use port 25 for auth/relay. The problem is our client
>> recipient has to contact our support which then asks them for a copy
>> of the error, then I get it, then I have to squirrel around in the
>> mail logs to determine IP/hosts and hope a dig mx finds the right
>> mailserver etc then whitelists that server/mx and cross my fingers
>> I got all that right and our client can continue on their merry way.
>
> Do you know for sure that the sender bounces the mail if it can't
> negotiate SSL; that the sender does not fall back to unencrypted?

Our recipient client gets a bounce from our server when they try to send to, for instance, @dss.gov.au so I presume these servers are not falling back to an unencrypted connection. This is a recent example of our client trying to send to x...@dss.gov.au...

May 24 12:12:26 s1 courierd: newmsg,id=xxx, auth=xxx: dns; [xxx] ([:::xxx])
May 24 12:12:26 s1 courierd: started,id=xxx,from=,module=esmtp,host=dss.gov.au,addr=
May 24 12:12:27 s1 courieresmtp: id=xxx,from=,addr=: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:12:27 s1 courieresmtp: id=xxx,from=,addr=,status: failure
May 24 12:12:27 s1 courierd: completed,id=xxx
May 24 12:12:27 s1 courierd: started,id=xxx,from=<>,module=dsn,host=,addr=
May 24 12:12:27 s1 courierd: completed,id=xxx

No real hint of an unencrypted connection in any of the examples I checked. Other failed domains are...

orica.com
network.pmc.gov.au
bg-group.com
jc.com.au
ecanyons.com
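The log excerpt above shows the pattern an admin has to "squirrel around" for by hand: a courierd "started" line naming the destination host, a courieresmtp line carrying the couriertls handshake error, and a "status: failure" line, all tied together by the message id. The script below is an added example (not part of the thread or of Courier itself) that correlates those three lines per id and reports which destination hosts are failing on TLS, so the whitelist decision can be made from a list instead of a grep session. The sample log is constructed to match the format quoted in the post; the message ids, timestamps and the hosts other than the one quoted are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the courierd/courieresmtp lines quoted in the post above.
# Message ids, timestamps and the hosts other than dss.gov.au are placeholders.
SAMPLE_LOG = """\
May 24 12:12:26 s1 courierd: started,id=0001,from=,module=esmtp,host=dss.gov.au,addr=
May 24 12:12:27 s1 courieresmtp: id=0001,from=,addr=: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:12:27 s1 courieresmtp: id=0001,from=,addr=,status: failure
May 24 12:12:27 s1 courierd: completed,id=0001
May 24 12:13:01 s1 courierd: started,id=0002,from=,module=esmtp,host=example.net,addr=
May 24 12:13:02 s1 courieresmtp: id=0002,from=,addr=,status: success
May 24 12:13:02 s1 courierd: completed,id=0002
May 24 12:14:10 s1 courierd: started,id=0003,from=,module=esmtp,host=dss.gov.au,addr=
May 24 12:14:11 s1 courieresmtp: id=0003,from=,addr=: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:14:11 s1 courieresmtp: id=0003,from=,addr=,status: failure
May 24 12:14:11 s1 courierd: completed,id=0003
May 24 12:15:00 s1 courierd: started,id=0004,from=,module=esmtp,host=example.org,addr=
May 24 12:15:01 s1 courieresmtp: id=0004,from=,addr=: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:15:01 s1 courieresmtp: id=0004,from=,addr=,status: failure
May 24 12:15:01 s1 courierd: completed,id=0004
"""

# courierd announces each outbound (module=esmtp) delivery attempt with its destination host ...
STARTED_RE = re.compile(r"courierd: started,id=(?P<id>[^,]+),.*?module=esmtp,host=(?P<host>[^,]*)")
# ... courieresmtp reports the couriertls handshake error for the same id (code + OpenSSL reason) ...
TLSFAIL_RE = re.compile(
    r"courieresmtp: id=(?P<id>[^,]+),.*?couriertls: connect: error:(?P<code>[0-9A-Fa-f]+):(?P<reason>.*)$")
# ... and finally the delivery status for that id.
STATUS_RE = re.compile(r"courieresmtp: id=(?P<id>[^,]+),.*?,status: (?P<status>\w+)")


def tls_failures_by_host(log_text):
    """Correlate started/error/status lines by message id and return
    {host: [openssl reason, ...]} for deliveries that failed after a couriertls error.
    Deliveries that failed for other reasons, or succeeded, are not reported."""
    host_of, tls_reason = {}, {}
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = STARTED_RE.search(line)
        if m:
            host_of[m["id"]] = m["host"]
            continue
        m = TLSFAIL_RE.search(line)
        if m:
            tls_reason[m["id"]] = m["reason"]
            continue
        m = STATUS_RE.search(line)
        if m and m["status"] == "failure" and m["id"] in tls_reason:
            failures[host_of.get(m["id"], "<unknown>")].append(tls_reason[m["id"]])
    return dict(failures)


def hosts_by_failure_count(log_text):
    """Destination hosts sorted by number of TLS-caused delivery failures, most first."""
    return sorted(((host, len(reasons)) for host, reasons in tls_failures_by_host(log_text).items()),
                  key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    for host, count in hosts_by_failure_count(SAMPLE_LOG):
        print(f"{count:3d}  {host}")
```

Run it against a real syslog file by reading the file into `tls_failures_by_host`; the correlation by id matters because the host name appears only on the courierd "started" line, not on the courieresmtp error line.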
Re: [courier-users] Disable SSL for esmtpd on port 25

Mark Constable writes:

    On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
    >> Some lame govt mailservers are still using SSL23...
    >> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
    >> and rather than whitelist them I'm sure I used to just disable SSL
    >> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
    >
    > why not whitelisting? Why avoid security just because some can't
    > cope with it?

    We only use authenticated relaying via 465/SSL and 587/TLS so none
    of our clients use port 25 for auth/relay. The problem is our client
    recipient has to contact our support which then asks them for a copy
    of the error, then I get it, then I have to squirrel around in the
    mail logs to determine IP/hosts and hope a dig mx finds the right
    mailserver etc then whitelists that server/mx and cross my fingers
    I got all that right and our client can continue on their merry way.

Do you know for sure that the sender bounces the mail if it can't negotiate SSL; that the sender does not fall back to unencrypted?
Re: [courier-users] Disable SSL for esmtpd on port 25

>On Fri 27/May/2016 14:39:59 +0200 Matus UHLAR - fantomas wrote:
>> % grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
>> 261
>> % grep relay= /var/log/mail | grep sm-mta | grep -c from=
>> 1007

On 27.05.16 20:02, Alessandro Vesely wrote:
>Cute, I guess sm-mta is the machine name... but wait, why do I miss the
>STARTTLS=server part? Also, doesn't the from= include errors? Most errors and
>unencrypted sessions seem to be related to spammers...

This is a sendmail log... I have had TLS turned on for years.

Yeah, I think I should disable ssl23 :)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are
Re: [courier-users] Disable SSL for esmtpd on port 25

On 05/27/2016 05:39 AM, Matus UHLAR - fantomas wrote:
> Aha... doesn't couriertls produce an error when too low a TLS version is tried
> by the client?

It should, but the "SSL23" message that Mark originally mentioned doesn't really indicate that the clients are using SSL2 or SSL3 (as best I can tell). The message "tlsv1 alert decode error" should indicate that the peer is using TLS v1, but didn't understand some extension that's present in OpenSSL, used by Courier.
Re: [courier-users] Disable SSL for esmtpd on port 25

On 05/27/2016 11:02 AM, Alessandro Vesely wrote:
> but wait, why do I miss the STARTTLS=server part?

Logs will look slightly different for builds on OpenSSL and those on gnutls. That'd be my guess.
Re: [courier-users] Disable SSL for esmtpd on port 25

On Fri 27/May/2016 14:39:59 +0200 Matus UHLAR - fantomas wrote:
>
>> I don't know how to check what percentage of port 25 mailserver to
>> mailserver connections may be SSL encrypted to justify leaving SSL
>> on port 25 for server to server connections. Would you (or anyone)
>> have any idea how many mailservers are successfully connecting to
>> each other via SSL these days?

What I do is check courierd's Received: line; "with ESMTPS" stands for "ESMTP with STARTTLS", according to:
http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml#mail-parameters-7

> % grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
> 261
> % grep relay= /var/log/mail | grep sm-mta | grep -c from=
> 1007

Cute, I guess sm-mta is the machine name... but wait, why do I miss the STARTTLS=server part? Also, doesn't the from= include errors? Most errors and unencrypted sessions seem to be related to spammers...

Ale
Re: [courier-users] Disable SSL for esmtpd on port 25

>On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
>>> Some lame govt mailservers are still using SSL23...
>>> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
>>> and rather than whitelist them I'm sure I used to just disable SSL
>>> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>>
>> why not whitelisting? Why avoid security just because some can't
>> cope with it?

On 27.05.16 13:07, Mark Constable wrote:
>We only use authenticated relaying via 465/SSL and 587/TLS so none
>of our clients use port 25 for auth/relay. The problem is our client
>recipient has to contact our support which then asks them for a copy
>of the error, then I get it, then I have to squirrel around in the
>mail logs to determine IP/hosts and hope a dig mx finds the right
>mailserver etc then whitelists that server/mx and cross my fingers
>I got all that right and our client can continue on their merry way.

Aha... doesn't couriertls produce an error when too low a TLS version is tried by the client?

>I don't know how to check what percentage of port 25 mailserver to
>mailserver connections may be SSL encrypted to justify leaving SSL
>on port 25 for server to server connections. Would you (or anyone)
>have any idea how many mailservers are successfully connecting to
>each other via SSL these days?

% grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
261
% grep relay= /var/log/mail | grep sm-mta | grep -c from=
1007
% grep relay= /var/log/mail.1 | grep sm-mta | grep -c from=
1349
% grep relay= /var/log/mail.1 | grep sm-mta | grep -c STARTTLS=server
296

That gives some 25%.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
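Two ways of measuring the STARTTLS share appear in the thread: Matus's grep pipeline over a sendmail log (STARTTLS=server lines versus from= lines for the sm-mta daemon) and Alessandro's check of the "with ESMTPS" clause in Received: headers. The script below is an added example, not code from the thread or from either MTA, that implements both measurements in one place: `starttls_share` reproduces the grep counts and their ratio, and `received_used_tls` classifies a Received: header by its IANA "with" keyword (ESMTPS, and ESMTPSA for STARTTLS with AUTH, both from the registry Alessandro links). The sendmail log lines and Received: headers are constructed samples with placeholder hosts and queue ids.

```python
import re

# Constructed sendmail-style log lines modelled on the grep pipeline above; hosts, queue ids
# and pids are placeholders. Four inbound messages, one of which arrived over STARTTLS.
SAMPLE_SENDMAIL_LOG = """\
May 27 10:00:01 mx sm-mta[2101]: STARTTLS=server, relay=mail.example.com [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
May 27 10:00:01 mx sm-mta[2101]: u4R80001: from=<alice@example.com>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
May 27 10:01:15 mx sm-mta[2102]: u4R80002: from=<bob@example.net>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=smtp.example.net [192.0.2.20]
May 27 10:02:40 mx sm-mta[2103]: u4R80003: from=<carol@example.org>, size=4100, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[198.51.100.7]
May 27 10:03:05 mx sm-mta[2104]: u4R80004: from=<>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=bounce.example.com [192.0.2.30]
May 27 10:03:05 mx sm-mta[2104]: u4R80004: to=<dave@mx>, delay=00:00:01, stat=Sent
"""

# Constructed Received: headers; only the "with" clause matters for the check below.
SAMPLE_RECEIVED = [
    "Received: from mail.example.com ([192.0.2.10]) by mx.example.test with ESMTPS; Fri, 27 May 2016 10:00:01 +0200",
    "Received: from smtp.example.net ([192.0.2.20]) by mx.example.test with ESMTP; Fri, 27 May 2016 10:01:15 +0200",
    "Received: from [198.51.100.7] by mx.example.test with SMTP; Fri, 27 May 2016 10:02:40 +0200",
    "Received: from client.example.test ([203.0.113.5]) by mx.example.test with ESMTPSA; Fri, 27 May 2016 10:03:05 +0200",
]


def starttls_share(log_text, daemon="sm-mta"):
    """Same counts as the grep pipeline: relay= lines for the daemon, how many of them
    announce STARTTLS=server, and how many are message (from=) lines.
    Returns (tls_sessions, messages, share). As noted in the thread, from= lines include
    messages that were later rejected, so the share is a lower bound on delivered mail."""
    relay_lines = [l for l in log_text.splitlines() if "relay=" in l and daemon in l]
    tls = sum(1 for l in relay_lines if "STARTTLS=server" in l)
    msgs = sum(1 for l in relay_lines if "from=" in l)
    return tls, msgs, (tls / msgs if msgs else 0.0)


# IANA-registered "with" protocol keywords that mean the session was protected by STARTTLS:
# ESMTPS (ESMTP with STARTTLS) and ESMTPSA (ESMTP with STARTTLS and SMTP AUTH).
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def received_used_tls(received_header):
    """True when the header's 'with' clause names a STARTTLS protocol keyword."""
    m = WITH_RE.search(received_header)
    return bool(m) and m.group(1).upper() in TLS_WITH_KEYWORDS


def received_tls_share(headers):
    """Fraction of Received: headers whose hop used STARTTLS."""
    return sum(received_used_tls(h) for h in headers) / len(headers) if headers else 0.0


if __name__ == "__main__":
    tls, msgs, share = starttls_share(SAMPLE_SENDMAIL_LOG)
    print(f"sendmail log: {tls} STARTTLS sessions / {msgs} messages = {share:.0%}")
    print(f"Received: headers: {received_tls_share(SAMPLE_RECEIVED):.0%} over STARTTLS")
```

The two measures answer slightly different questions: the log count is per session on the receiving MTA, while the Received: check works on stored mail and so also covers hops upstream of your own server.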
Re: [courier-users] Disable SSL for esmtpd on port 25

On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
>> Some lame govt mailservers are still using SSL23...
>> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
>> and rather than whitelist them I'm sure I used to just disable SSL
>> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>
> why not whitelisting? Why avoid security just because some can't
> cope with it?

We only use authenticated relaying via 465/SSL and 587/TLS so none of our clients use port 25 for auth/relay. The problem is our client recipient has to contact our support which then asks them for a copy of the error, then I get it, then I have to squirrel around in the mail logs to determine IP/hosts and hope a dig mx finds the right mailserver etc then whitelists that server/mx and cross my fingers I got all that right and our client can continue on their merry way.

I don't know how to check what percentage of port 25 mailserver to mailserver connections may be SSL encrypted to justify leaving SSL on port 25 for server to server connections. Would you (or anyone) have any idea how many mailservers are successfully connecting to each other via SSL these days?
Re: [courier-users] Disable SSL for esmtpd on port 25

On 26.05.16 17:12, Mark Constable wrote:
>I just set up a new server and I can't for the life of me remember,
>or find, how to disable SSL on port 25 for general incoming mail?
>
>Some lame govt mailservers are still using SSL23...
>
>SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
>
>and rather than whitelist them I'm sure I used to just disable SSL
>via /etc/courier/esmtpd altogether (currently using v0.68.2)...

Why not whitelisting? Why avoid security just because some can't cope with it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
Re: [courier-users] Disable SSL for esmtpd on port 25

Mark Constable writes:

    I just set up a new server and I can't for the life of me remember,
    or find, how to disable SSL on port 25 for general incoming mail?

    Some lame govt mailservers are still using SSL23...

    SSL23_GET_SERVER_HELLO:tlsv1 alert decode error

    and rather than whitelist them I'm sure I used to just disable SSL
    via /etc/courier/esmtpd altogether (currently using v0.68.2)...

    ~ egrep -v "^(#|$)" /etc/courier/esmtpd
    PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin
    SHELL=/bin/bash
    ULIMIT=32768
    BOFHCHECKDNS=1
    BOFHNOEXPN=1
    BOFHNOVRFY=1
    TARPIT=1
    NOADDMSGID=1
    NOADDDATE=1
    ESMTP_LOG_DIALOG=0
    AUTH_REQUIRED=0
    COURIERTLS=/usr/bin/couriertls

Remove the COURIERTLS setting.
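Three Courier settings decide the TLS posture discussed in this thread: COURIERTLS in esmtpd (Sam: remove it and inbound STARTTLS is no longer offered), and ESMTP_USE_STARTTLS, TLS_PROTOCOL and TLS_CIPHER_LIST in courierd (Bernd: ESMTP_USE_STARTTLS=0 switches outbound STARTTLS off; the thread's conclusion is to stop using the SSL23 protocol setting). The script below is an added example, not part of Courier or of this thread, that parses the shell-style KEY=VALUE files and summarises what those settings imply, so a change like "remove COURIERTLS" can be verified rather than assumed. The config fragments are constructed placeholders modelled on the esmtpd listing above; treating an unset ESMTP_USE_STARTTLS as enabled is an assumption of this script, not something the thread states.

```python
import re

# Constructed config fragments, modelled on the esmtpd listing above and on the courierd
# variables named earlier in the thread. The values are placeholders, not a real host's settings.
ESMTPD_WITH_TLS = """\
##NAME: COURIERTLS:0
#
# Commented lines, including Courier's "##NAME:" markers, must be ignored.
AUTH_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
"""
ESMTPD_WITHOUT_TLS = """\
AUTH_REQUIRED=0
# COURIERTLS=/usr/bin/couriertls
"""
COURIERD_SAMPLE = """\
ESMTP_USE_STARTTLS=1
TLS_PROTOCOL=SSL23
TLS_CIPHER_LIST="HIGH:!SSLv2:!aNULL"
"""

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_courier_config(text):
    """Read a shell-style KEY=VALUE file: '#' lines are comments, a later assignment
    overrides an earlier one, and matching quotes around a value are dropped."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def audit_tls(esmtpd_text, courierd_text):
    """Summarise the STARTTLS posture the two files imply."""
    esmtpd = parse_courier_config(esmtpd_text)
    courierd = parse_courier_config(courierd_text)
    protocol = courierd.get("TLS_PROTOCOL")
    return {
        # Per Sam's reply: COURIERTLS present in esmtpd means inbound STARTTLS is offered.
        "inbound_starttls": "COURIERTLS" in esmtpd,
        # Per Bernd's reply: ESMTP_USE_STARTTLS=0 disables outbound STARTTLS.
        # Assumption of this script: any other value, or an unset variable, counts as enabled.
        "outbound_starttls": courierd.get("ESMTP_USE_STARTTLS", "1") != "0",
        "tls_protocol": protocol,
        # The thread's conclusion is to stop using the SSL23 setting; flag it when present.
        "uses_ssl23": protocol is not None and protocol.upper() == "SSL23",
        "cipher_list": courierd.get("TLS_CIPHER_LIST"),
    }


if __name__ == "__main__":
    for name, esmtpd in (("with COURIERTLS", ESMTPD_WITH_TLS), ("without COURIERTLS", ESMTPD_WITHOUT_TLS)):
        report = audit_tls(esmtpd, COURIERD_SAMPLE)
        print(name)
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Point the two parsers at /etc/courier/esmtpd and /etc/courier/courierd to audit a live host; the `uses_ssl23` flag is only a prompt to review TLS_PROTOCOL, since what that value actually permits depends on the OpenSSL or GnuTLS build Courier was linked against.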