Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-29 Thread Bernd Wurst
Hello.

On 30.05.2016 at 05:46, Mark Constable wrote:
> Our recipient client gets a bounce from our server when they try to
> send to, for instance, @dss.gov.au so I presume these servers are not
> falling back to an unencrypted connection. This is a recent example
> of our client trying to send to x...@dss.gov.au...

It's YOUR server that is not falling back to unencrypted. And these
bounces are for OUTBOUND mail.

Which version of courier do you use? Newer courier should fall back to
unencrypted since 0.71, released in March 2013 (according to [1]).
What are your TLS settings in "courierd" file? Especially TLS_PROTOCOL
and TLS_CIPHER_LIST.


You can disable STARTTLS for outbound mail completely with the
ESMTP_USE_STARTTLS set to 0. But the whole internet is moving towards
TLS and you want to be the one to move the other way. Correct your
settings, if the other hand has problems, inform them to correct their
settings and everything will work. :)


[1]:
https://sourceforge.net/p/courier/courier.git/ci/master/tree/courier/ChangeLog

- Bernd



--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-29 Thread Mark Constable
On 28/05/16 23:23, Sam Varshavchik wrote:
>> We only use authenticated relaying via 465/SSL and 587/TLS so none
>> of our clients use port 25 for auth/relay. The problem is our client
>> recipient has to contact our support which then asks them for a copy
>> of the error, then I get it, then I have to squirrel around in the
>> mail logs to determine IP/hosts and hope a dig mx finds the right
>> mailserver etc then whitelists that server/mx and cross my fingers
>> I got all that right and our client can continue on their merry way.
> 
> Do you know for sure that the sender bounces the mail if it can't
> negotiate SSL; that the sender does not fallback to unencrypted?

Our recipient client gets a bounce from our server when they try to
send to, for instance, @dss.gov.au so I presume these servers are not
falling back to an unencrypted connection. This is a recent example
of our client trying to send to x...@dss.gov.au...

May 24 12:12:26 s1 courierd: newmsg,id=xxx, auth=xxx: dns; [xxx] ([:::xxx])
May 24 12:12:26 s1 courierd: started,id=xxx,from=,module=esmtp,host=dss.gov.au,addr=
May 24 12:12:27 s1 courieresmtp: id=xxx,from=,addr=: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:12:27 s1 courieresmtp: id=xxx,from=,addr=,status: failure
May 24 12:12:27 s1 courierd: completed,id=xxx
May 24 12:12:27 s1 courierd: started,id=xxx,from=<>,module=dsn,host=,addr=
May 24 12:12:27 s1 courierd: completed,id=xxx

No real hint of an unencrypted connection in any of the examples I checked.

Other failed domains are...

orica.com
network.pmc.gov.au
bg-group.com
jc.com.au
ecanyons.com




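The log excerpt above shows the two lines an admin has to join by hand to find out which destination host rejected the TLS handshake: the courierd "started" line carries host=, while the couriertls error is logged by courieresmtp under the same id=. The following script is an added example, not code from this thread or from the Courier project; it joins those lines on the message id and tallies failures per destination host. The log lines are constructed samples in the format shown above (ids, addresses and hosts are made up), and the function name tls_failures_by_host is hypothetical.

```shell
#!/bin/sh
# Added example (not from the courier-users thread or the Courier project):
# attribute outbound couriertls connect failures to the destination host so
# the admin sees at a glance which MX hosts fail the handshake, instead of
# searching the log for each bounce by hand.

# Constructed sample lines in courierd/courieresmtp log format. Ids,
# addresses and hosts are invented; the last entry has an id whose
# "started" line is missing (e.g. rotated away) to show the fallback bucket.
SAMPLE_LOG='May 24 12:12:26 s1 courierd: started,id=000A1,from=<user@example.org>,module=esmtp,host=dss.gov.au,addr=<rcpt@dss.gov.au>
May 24 12:12:27 s1 courieresmtp: id=000A1,from=<user@example.org>,addr=<rcpt@dss.gov.au>: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:12:27 s1 courieresmtp: id=000A1,from=<user@example.org>,addr=<rcpt@dss.gov.au>,status: failure
May 24 12:12:27 s1 courierd: completed,id=000A1
May 24 12:13:01 s1 courierd: started,id=000A2,from=<user@example.org>,module=esmtp,host=orica.com,addr=<rcpt@orica.com>
May 24 12:13:02 s1 courieresmtp: id=000A2,from=<user@example.org>,addr=<rcpt@orica.com>: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:13:02 s1 courieresmtp: id=000A2,from=<user@example.org>,addr=<rcpt@orica.com>,status: failure
May 24 12:14:00 s1 courierd: started,id=000A3,from=<user@example.org>,module=esmtp,host=mail.example.net,addr=<rcpt@example.net>
May 24 12:14:01 s1 courieresmtp: id=000A3,from=<user@example.org>,addr=<rcpt@example.net>,status: success
May 24 12:15:00 s1 courierd: started,id=000A4,from=<user@example.org>,module=esmtp,host=dss.gov.au,addr=<other@dss.gov.au>
May 24 12:15:01 s1 courieresmtp: id=000A4,from=<user@example.org>,addr=<other@dss.gov.au>: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
May 24 12:16:00 s1 courieresmtp: id=000ZZ,from=<user@example.org>,addr=<rcpt@bg-group.com>: 500 couriertls: connect: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error'

# Reads courierd/courieresmtp log lines on stdin and prints one line per
# destination host that produced a couriertls connect failure:
#   <host> <failure count>
# sorted by count (descending), then host name. Failures whose "started"
# line is not in the input are reported under "unknown".
tls_failures_by_host() {
    awk '
        # courierd "started" line: remember the destination host for this id
        / courierd: started,id=/ {
            id = ""; host = ""
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^id=/)   id = substr(parts[i], 4)
                if (parts[i] ~ /^host=/) host = substr(parts[i], 6)
            }
            if (id != "") host_of[id] = host
            next
        }
        # courieresmtp line reporting a TLS handshake failure for an id
        / courieresmtp: id=/ && /couriertls: connect: error/ {
            id = $0
            sub(/.* courieresmtp: id=/, "", id)   # drop everything before the id
            sub(/,.*/, "", id)                    # keep only the id itself
            h = (id in host_of) ? host_of[id] : "unknown"
            fails[h]++
        }
        END {
            for (h in fails) print h, fails[h]
        }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# Run against the constructed sample; on a real system pipe the mail log
# (or several rotated logs) into the function instead.
printf '%s\n' "$SAMPLE_LOG" | tls_failures_by_host
```

Because the join happens in one pass, the "started" line must precede the error line in the input, which is the order Courier writes them; when feeding rotated logs, concatenate them oldest first so ids that span a rotation are still matched.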


Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-28 Thread Sam Varshavchik

Mark Constable writes:

> On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
> >> Some lame govt mailservers are still using SSL23...
> >> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
> >> and rather than whitelist them I'm sure I used to just disable SSL
> >> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
> >
> > why not whitelisting? Why to avoid security just because some can't
> > cope with it?
>
> We only use authenticated relaying via 465/SSL and 587/TLS so none
> of our clients use port 25 for auth/relay. The problem is our client
> recipient has to contact our support which then asks them for a copy
> of the error, then I get it, then I have to squirrel around in the
> mail logs to determine IP/hosts and hope a dig mx finds the right
> mailserver etc then whitelists that server/mx and cross my fingers
> I got all that right and our client can continue on their merry way.


Do you know for sure that the sender bounces the mail if it can't negotiate  
SSL; that the sender does not fallback to unencrypted?






Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-27 Thread Matus UHLAR - fantomas
>On Fri 27/May/2016 14:39:59 +0200 Matus UHLAR - fantomas wrote:
>> % grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
>> 261
>> % grep relay= /var/log/mail | grep sm-mta | grep -c from=
>> 1007

On 27.05.16 20:02, Alessandro Vesely wrote:
>Cute, I guess sm-mta is the machine name... but wait, why do I miss the
>STARTTLS=server part?  Also, doesn't the from= include errors?  Most errors and
>unencrypted sessions seem to be related to spammers...

this is a sendmail log... I have tls turned on for years.
yeah, I think I should disable ssl23 :)
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are



Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-27 Thread Gordon Messmer
On 05/27/2016 05:39 AM, Matus UHLAR - fantomas wrote:
> Aha... doesn't couriertls produce an error when too low tls version is tried
> by the client?


It should, but the "SSL23" message that Mark originally mentioned doesn't 
really indicate that the clients are using SSL2 or SSL3 (as best I can 
tell).  The message "tlsv1 alert decode error" should indicate that the 
peer is using TLS v1, but didn't understand some extension that's 
present in OpenSSL, used by Courier.




Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-27 Thread Gordon Messmer
On 05/27/2016 11:02 AM, Alessandro Vesely wrote:
> but wait, why do I miss the STARTTLS=server part?


Logs will look slightly different for builds on OpenSSL and those on 
gnutls.  That'd be my guess.




Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-27 Thread Alessandro Vesely
On Fri 27/May/2016 14:39:59 +0200 Matus UHLAR - fantomas wrote:
> 
>> I don't know how to check what percentage of port 25 mailserver to
>> mailserver connections may be SSL encrypted to justify leaving SSL
>> on port 25 for server to server connections. Would you (or anyone)
>> have any idea how many mailservers are successfully connecting to
>> each other via SSL these days?

What I do is check courierd's Received: line; "with ESMTPS" stands for
"ESMTP with STARTTLS", according to:
http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml#mail-parameters-7


> % grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
> 261
> % grep relay= /var/log/mail | grep sm-mta | grep -c from=
> 1007

Cute, I guess sm-mta is the machine name... but wait, why do I miss the
STARTTLS=server part?  Also, doesn't the from= include errors?  Most errors and
unencrypted sessions seem to be related to spammers...

Ale


Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-27 Thread Matus UHLAR - fantomas
>On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
>>> Some lame govt mailservers are still using SSL23...
>>> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
>>> and rather than whitelist them I'm sure I used to just disable SSL
>>> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>>
>> why not whitelisting? Why to avoid security just because some can't
>> cope with it?

On 27.05.16 13:07, Mark Constable wrote:
>We only use authenticated relaying via 465/SSL and 587/TLS so none
>of our clients use port 25 for auth/relay. The problem is our client
>recipient has to contact our support which then asks them for a copy
>of the error, then I get it, then I have to squirrel around in the
>mail logs to determine IP/hosts and hope a dig mx finds the right
>mailserver etc then whitelists that server/mx and cross my fingers
>I got all that right and our client can continue on their merry way.

Aha... doesn't couriertls produce an error when too low tls version is tried
by the client?

>I don't know how to check what percentage of port 25 mailserver to
>mailserver connections may be SSL encrypted to justify leaving SSL
>on port 25 for server to server connections. Would you (or anyone)
>have any idea how many mailservers are successfully connecting to
>each other via SSL these days?

% grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
261
% grep relay= /var/log/mail | grep sm-mta | grep -c from=
1007

% grep relay= /var/log/mail.1 | grep sm-mta | grep -c from=
1349
% grep relay= /var/log/mail.1 | grep sm-mta | grep -c STARTTLS=server
296

that gives some 25%

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

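The grep pipeline above counts sendmail "relay=" lines with STARTTLS=server against those with from= and divides by hand. The script below is an added example, not code from this thread or from Courier or sendmail: it does the same count in one pass and also breaks the encrypted sessions down by negotiated protocol version, which is the number to look at when deciding whether old SSL/TLS versions can be switched off. The log lines are constructed samples in sendmail's log format (hosts, addresses and queue ids are invented) and the function names starttls_ratio and starttls_versions are hypothetical.

```shell
#!/bin/sh
# Added example (not from the courier-users thread, Courier or sendmail):
# measure what share of inbound MTA sessions negotiated STARTTLS, and which
# protocol versions they used, from sendmail-style log lines.

# Constructed sample lines. The last line comes from the local "sendmail"
# submission process rather than "sm-mta", so it is not an inbound session
# and must be excluded, which is why the sm-mta filter matters.
SAMPLE_SENDMAIL_LOG='May 27 10:00:01 mx sm-mta[1001]: u4R8001001: STARTTLS=server, relay=mx1.example.net [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
May 27 10:00:01 mx sm-mta[1001]: u4R8001001: from=<alice@example.net>, size=1234, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=mx1.example.net [192.0.2.10]
May 27 10:01:10 mx sm-mta[1002]: u4R8001002: from=<bob@example.com>, size=2048, class=0, nrcpts=1, msgid=<2@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
May 27 10:02:30 mx sm-mta[1003]: u4R8001003: STARTTLS=server, relay=old.example.org [203.0.113.5], version=TLSv1, verify=NO, cipher=AES128-SHA, bits=128/128
May 27 10:02:30 mx sm-mta[1003]: u4R8001003: from=<carol@example.org>, size=512, class=0, nrcpts=1, msgid=<3@example.org>, proto=ESMTP, daemon=MTA, relay=old.example.org [203.0.113.5]
May 27 10:03:00 mx sm-mta[1004]: u4R8001004: from=<dave@example.com>, size=777, class=0, nrcpts=1, msgid=<4@example.com>, proto=SMTP, daemon=MTA, relay=legacy.example.com [198.51.100.9]
May 27 10:03:01 mx sendmail[1005]: u4R8001005: from=<local@mx>, size=100, class=0, nrcpts=1, msgid=<5@mx>, relay=local@localhost'

# Reads sendmail log lines on stdin and prints "<tls sessions> <messages> <percent>",
# using the same selection as the grep pipeline: relay= lines from sm-mta,
# STARTTLS=server for encrypted sessions and from= for received messages.
starttls_ratio() {
    awk '
        /sm-mta/ && /relay=/ && /STARTTLS=server/ { tls++ }
        /sm-mta/ && /relay=/ && /from=/          { total++ }
        END {
            pct = (total > 0) ? int(100 * tls / total + 0.5) : 0
            print tls + 0, total + 0, pct
        }
    '
}

# Reads the same input and prints "<protocol version> <count>" for each
# STARTTLS=server session, so outdated versions stand out before a
# TLS_PROTOCOL style setting is tightened.
starttls_versions() {
    awk '
        /sm-mta/ && /STARTTLS=server/ {
            v = $0
            sub(/.*version=/, "", v)   # drop everything before version=
            sub(/,.*/, "", v)          # keep only the version token
            cnt[v]++
        }
        END { for (v in cnt) print v, cnt[v] }
    ' | LC_ALL=C sort
}

# Run against the constructed sample; on a real system feed the mail log
# (and its rotated predecessors) into both functions instead.
printf '%s\n' "$SAMPLE_SENDMAIL_LOG" | starttls_ratio
printf '%s\n' "$SAMPLE_SENDMAIL_LOG" | starttls_versions
```

As in the pipeline above, the ratio compares encrypted sessions with received messages, so a session that delivers several messages is counted once in the numerator and several times in the denominator; the percentage is therefore a lower bound, which is acceptable for the rough estimate the thread is after.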


Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-26 Thread Mark Constable
On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
>> Some lame govt mailservers are still using SSL23...
>> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
>> and rather than whitelist them I'm sure I used to just disable SSL
>> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>
> why not whitelisting? Why to avoid security just because some can't
> cope with it?

We only use authenticated relaying via 465/SSL and 587/TLS so none
of our clients use port 25 for auth/relay. The problem is our client
recipient has to contact our support which then asks them for a copy
of the error, then I get it, then I have to squirrel around in the
mail logs to determine IP/hosts and hope a dig mx finds the right
mailserver etc then whitelists that server/mx and cross my fingers
I got all that right and our client can continue on their merry way.

I don't know how to check what percentage of port 25 mailserver to
mailserver connections may be SSL encrypted to justify leaving SSL
on port 25 for server to server connections. Would you (or anyone)
have any idea how many mailservers are successfully connecting to
each other via SSL these days?



Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-26 Thread Matus UHLAR - fantomas
On 26.05.16 17:12, Mark Constable wrote:
>I just set up a new server and I can't for the life of me remember,
>or find, how to disable SSL on port 25 for general incoming mail?
>
>Some lame govt mailservers are still using SSL23...
>
>SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
>
>and rather than whitelist them I'm sure I used to just disable SSL
>via /etc/courier/esmtpd altogether (currently using v0.68.2)...

why not whitelisting? Why to avoid security just because some can't cope
with it?
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton



Re: [courier-users] Disable SSL for esmtpd on port 25

2016-05-26 Thread Sam Varshavchik

Mark Constable writes:

> I just set up a new server and I can't for the life of me remember,
> or find, how to disable SSL on port 25 for general incoming mail?
>
> Some lame govt mailservers are still using SSL23...
>
> SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
>
> and rather than whitelist them I'm sure I used to just disable SSL
> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>
> ~ egrep -v "^(#|$)" /etc/courier/esmtpd
> PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin
> SHELL=/bin/bash
> ULIMIT=32768
> BOFHCHECKDNS=1
> BOFHNOEXPN=1
> BOFHNOVRFY=1
> TARPIT=1
> NOADDMSGID=1
> NOADDDATE=1
> ESMTP_LOG_DIALOG=0
> AUTH_REQUIRED=0
> COURIERTLS=/usr/bin/couriertls


Remove the COURIERTLS setting.


