Re: SSL/TLS

2015-07-28 Thread SSL


Thanks for the advice.

I rewrote smtpd.conf:

pki mail.aoiyuma.mydns.jp certificate /etc/ssl/mail.aoiyuma.mydns.jp.crt
pki mail.aoiyuma.mydns.jp key /etc/ssl/private/mail.aoiyuma.mydns.jp.key
listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth
table aliases db:/etc/mail/aliases.db
accept from any for domain aoiyuma.mydns.jp alias <aliases> deliver to maildir
accept from any for domain aoiyuma.mydns.jp deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir

mynetwork1 = 6.2.6.2/32
mynetwork2 = 114.22.25.247/32
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay
reject from any for any

Thunderbird automatically detects the mail server.
About SMTP:
---
authentication method: password, transmitted insecurely
connection security: none

Perhaps TLS is not running.

So is
--
accept for local alias <aliases> deliver to mda /usr/local/bin/maildrop -f -

accept from any for domain aoiyuma.mydns.jp deliver to mda /usr/local/bin/maildrop -f -
--
or something like it needed?

-
regards




--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: SSL/TLS

2015-07-28 Thread Mariano Baragiola
In my experience, Thunderbird auto-configuration is not good.

Configure it manually, choosing STARTTLS as the encryption method.




Re: SSL/TLS

2015-07-28 Thread SSL



On 2015-07-28 19:18, Mariano Baragiola wrote:

> In my experience, Thunderbird auto-configuration is not good.
> 
> Configure it manually, choosing STARTTLS as the encryption method.


Thanks a lot.

I rewrote smtpd.conf:


pki mail.aoiyuma.mydns.jp certificate /etc/ssl/mail.aoiyuma.mydns.jp.crt
pki mail.aoiyuma.mydns.jp key /etc/ssl/private/mail.aoiyuma.mydns.jp.key

listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth

table aliases db:/etc/mail/aliases.db
accept from any for domain aoiyuma.mydns.jp alias <aliases> deliver to maildir
accept from any for domain aoiyuma.mydns.jp deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir

mynetwork1 = 61.214.236.211/32
mynetwork2 = 114.22.25.247/32
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay

#reject from any for any
accept from local for any relay   <- this line
---
Then I sent mail to y...@gmail.com.


My failure was 'reject from any for any'.
Is there an open relay when it is replaced with 'accept from local for any relay'?










Re: SSL/TLS

2015-07-28 Thread Denis Fondras
> Is there an open relay when it is replaced with 'accept from local for any relay'?
> 

Nope!
from local means that only the machine running OpenSMTPD or any
*authenticated* client can relay.

Moreover, if no rule is matching then OpenSMTPD rejects the mail (default
setting = secure setting)




Re: SSL/TLS

2015-07-28 Thread SSL

I follow you.

On 2015-07-28 19:18, Mariano Baragiola wrote:

> In my experience, Thunderbird auto-configuration is not good.
> 
> Configure it manually, choosing STARTTLS as the encryption method.


Surely I can send mail from x...@aoiyuma.mydns.jp to x...@aoiyuma.mydns.jp,
but I cannot send mail from x...@aoiyuma.mydns.jp to y...@gmail.com
(previously I could send).

tail /var/log/maillog

Jul 29 04:36:36 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c97396558bc0b

Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: New session 0d8c973acd272d09 from host e0109-114-22-25-247.uqwimax.jp [114.22.25.247]

Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: Started TLS on session 0d8c973acd272d09: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128

Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Accepted authentication for user tuyosi on session 0d8c973acd272d09

Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Failed command on session 0d8c973acd272d09: RCPT TO:y...@gmail.com = 550 Invalid recipient
                                                                                                                       ^
Jul 29 04:36:52 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c973acd272d09




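The maillog excerpt above, parsed into per-session records, as an added example that is not part of the original post or of OpenSMTPD. The log lines inside the block are constructed copies of the ones posted above (same session id, host and timestamps); the second session, with the `530` reply, is constructed to match the Gmail bounce quoted later in this thread and did not appear in the posted log. `diagnose()` maps a session's failures onto the two causes discussed in the thread: an authenticated client whose `RCPT TO` gets `550 Invalid recipient` (no accept/relay rule matched, so the default reject applied), and an unauthenticated MTA refused with `530` on a listener that has `auth`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: copies of the lines posted above (session 0d8c973acd272d09)
# plus one constructed session (0d8c9740deadbeef from mx.example.net) that shows
# the 530 reply Gmail reported in its bounce later in this thread.
SAMPLE_LOG = """\
Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: New session 0d8c973acd272d09 from host e0109-114-22-25-247.uqwimax.jp [114.22.25.247]
Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: Started TLS on session 0d8c973acd272d09: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Accepted authentication for user tuyosi on session 0d8c973acd272d09
Jul 29 04:36:50 aoiyuma smtpd[13370]: smtp-in: Failed command on session 0d8c973acd272d09: RCPT TO:y...@gmail.com = 550 Invalid recipient
Jul 29 04:36:52 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c973acd272d09
Jul 29 05:02:01 aoiyuma smtpd[13370]: smtp-in: New session 0d8c9740deadbeef from host mx.example.net [203.0.113.25]
Jul 29 05:02:01 aoiyuma smtpd[13370]: smtp-in: Failed command on session 0d8c9740deadbeef: MAIL FROM:y...@gmail.com = 530 5.5.1 Invalid command: Must issue an AUTH command first
Jul 29 05:02:01 aoiyuma smtpd[13370]: smtp-in: Closing session 0d8c9740deadbeef
"""


@dataclass
class Failure:
    command: str   # the SMTP command that was refused, e.g. "RCPT TO:..."
    code: int      # three-digit SMTP reply code
    reason: str    # text after the code


@dataclass
class Session:
    sid: str
    host: str = ""
    addr: str = ""
    tls_version: Optional[str] = None
    cipher: Optional[str] = None
    bits: Optional[int] = None
    auth_user: Optional[str] = None
    failures: List[Failure] = field(default_factory=list)
    closed: bool = False


# syslog prefix + "smtp-in: " is common to every line we model
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: smtp-in: (?P<msg>.*)$")
SID = r"(?P<sid>[0-9a-f]+)"
NEW_RE = re.compile(r"^New session " + SID + r" from host (?P<host>\S+) \[(?P<addr>[^\]]+)\]")
TLS_RE = re.compile(r"^Started TLS on session " + SID
                    + r": version=(?P<ver>[^,]+), cipher=(?P<cipher>[^,]+), bits=(?P<bits>\d+)")
AUTH_RE = re.compile(r"^Accepted authentication for user (?P<user>\S+) on session " + SID)
FAIL_RE = re.compile(r"^Failed command on session " + SID + r": (?P<cmd>.*?) = (?P<code>\d{3}) (?P<reason>.*)$")
CLOSE_RE = re.compile(r"^Closing session " + SID)


def parse_maillog(text: str) -> Dict[str, Session]:
    """Group smtp-in log lines by session id; lines that do not match are ignored."""
    sessions: Dict[str, Session] = {}

    def sess(m) -> Session:
        return sessions.setdefault(m["sid"], Session(m["sid"]))

    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        e = NEW_RE.match(msg)
        if e:
            s = sess(e)
            s.host, s.addr = e["host"], e["addr"]
            continue
        e = TLS_RE.match(msg)
        if e:
            s = sess(e)
            s.tls_version, s.cipher, s.bits = e["ver"], e["cipher"], int(e["bits"])
            continue
        e = AUTH_RE.match(msg)
        if e:
            sess(e).auth_user = e["user"]
            continue
        e = FAIL_RE.match(msg)
        if e:
            sess(e).failures.append(Failure(e["cmd"], int(e["code"]), e["reason"]))
            continue
        e = CLOSE_RE.match(msg)
        if e:
            sess(e).closed = True
    return sessions


def diagnose(s: Session) -> str:
    """Map a session's failures onto the two causes discussed in this thread."""
    for f in s.failures:
        if f.code == 530 and s.auth_user is None:
            # listener has 'auth': a remote MTA, which never authenticates, is refused outright
            return "auth-required-listener"
        if f.code == 550 and s.auth_user and f.command.upper().startswith("RCPT TO"):
            # authenticated, but no 'accept ... relay' rule matched the recipient; default is reject
            return "no-rule-matched"
    return "ok" if not s.failures else "other-failure"


def summarize(sessions: Dict[str, Session]) -> List[str]:
    lines = []
    for s in sessions.values():
        tls = f"TLS {s.tls_version} {s.cipher}" if s.cipher else "no TLS"
        who = f"auth={s.auth_user}" if s.auth_user else "unauthenticated"
        fails = "; ".join(f"{f.command} -> {f.code} {f.reason}" for f in s.failures) or "no failures"
        lines.append(f"{s.sid} {s.host} [{s.addr}] {tls} {who}: {fails} [{diagnose(s)}]")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_maillog(SAMPLE_LOG)):
        print(line)
```

Run it against a real `/var/log/maillog` by passing the file contents to `parse_maillog()`; anything that is not an `smtp-in` line is skipped, so the output is one line per inbound session with its TLS parameters, authentication state and refused commands.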



Re: SSL/TLS

2015-07-28 Thread Herbert J. Skuhra
On Tue, Jul 28, 2015 at 09:05:24PM +0900, tuyosi wrote:
> 
> 
> On 2015-07-28 20:50, Denis Fondras wrote:
> > > Is there an open relay when it is replaced with 'accept from local for any relay'?
> > 
> > Nope!
> > from local means that only the machine running OpenSMTPD or any
> > *authenticated* client can relay.
> > 
> > Moreover, if no rule is matching then OpenSMTPD rejects the mail (default
> > setting = secure setting)
> 
> Kind advice.
> 
> Surely I can send mail from x...@aoiyuma.mydns.jp to y...@gmail.com.
> 
> 
> Strangely, I cannot send mail from Y@gmail to
> x...@aoiyuma.mydns.jp.
> -
> 
> Delivery to the following recipient failed permanently:
> 
>  tuy...@aoiyuma.mydns.jp
> 
> Technical details of permanent failure:
> Google tried to deliver your message, but it was rejected by the server for
> the recipient domain aoiyuma.mydns.jp by mail.aoiyuma.mydns.jp.
> [157.7.208.141].
> 
> The error that the other server returned was:
> 530 5.5.1 Invalid command: Must issue an AUTH command first

You have:

listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth

From smtpd.conf(5):

If the auth parameter is used, then a client may only start an SMTP transaction
after a successful authentication. Any remote sender that passed SMTPAUTH is
treated as if it was the server's local user that was sending the mail. This
means that filter rules using from local will be matched. If auth-optional is
specified, then SMTPAUTH is not required to establish an SMTP transaction. This
is only useful to let a listener accept incoming mail from untrusted senders
and outgoing mail from authenticated users in situations where it is not
possible to listen on the submission port.

And I think you want smtps on port 465 not tls!

-- 
Herbert

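A check for the listener lines Herbert points at, as an added example (not OpenSMTPD code). It parses the `listen on` lines from a constructed copy of the configuration posted in this thread and flags the two problems raised in the reply: `auth` on port 25, where remote MTAs that never authenticate are refused with the `530` seen in the Gmail bounce, and `tls` (STARTTLS) instead of `smtps` (implicit TLS) on port 465. It also flags `auth` on a listener with no TLS keyword at all, which is my addition. `suggest_fix()` returns the corrected line for each listener; the keywords it uses (`tls`, `tls-require`, `smtps`, `auth`, `auth-optional`, `pki`) are from the thread or smtpd.conf(5), and the service-name table is an assumption for configs that write `port submission` instead of a number.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the listener section posted in this thread.
SAMPLE_CONF = """\
pki mail.aoiyuma.mydns.jp certificate /etc/ssl/mail.aoiyuma.mydns.jp.crt
pki mail.aoiyuma.mydns.jp key /etc/ssl/private/mail.aoiyuma.mydns.jp.key
listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth
"""

TLS_KEYWORDS = ("tls", "tls-require", "smtps")
SERVICE_PORTS = {"smtp": 25, "smtps": 465, "submission": 587}  # assumption: /etc/services names


@dataclass
class Listener:
    iface: str
    port: int
    tls_mode: Optional[str]   # "tls" / "tls-require" (STARTTLS), "smtps" (implicit TLS) or None
    pki: Optional[str]
    auth: Optional[str]       # "auth", "auth-optional" or None


def parse_listeners(conf: str) -> List[Listener]:
    """Extract 'listen on ...' lines; other directives and comments are skipped."""
    out: List[Listener] = []
    for line in conf.splitlines():
        toks = line.split("#", 1)[0].split()
        if len(toks) < 3 or toks[:2] != ["listen", "on"]:
            continue
        port, tls_mode, pki, auth = 25, None, None, None
        for i, tok in enumerate(toks):
            if i < 3:
                continue
            if tok == "port":
                value = toks[i + 1]
                port = int(value) if value.isdigit() else SERVICE_PORTS[value]
            elif tok in TLS_KEYWORDS:
                tls_mode = tok
            elif tok == "pki":
                pki = toks[i + 1]
            elif tok in ("auth", "auth-optional"):
                auth = tok
        out.append(Listener(toks[2], port, tls_mode, pki, auth))
    return out


def check_listeners(listeners: List[Listener]) -> List[Tuple[str, str]]:
    """Return (listener, finding) pairs for the mistakes discussed in this thread."""
    findings: List[Tuple[str, str]] = []
    for l in listeners:
        where = f"{l.iface} port {l.port}"
        if l.port == 25 and l.auth == "auth":
            # remote MTAs delivering to the MX port never authenticate -> 530 for all inbound mail
            findings.append((where, "auth-on-mx-port"))
        if l.port == 465 and l.tls_mode != "smtps":
            # 465 is TLS-on-connect; 'tls' means STARTTLS and clients expecting smtps will fail
            findings.append((where, "465-needs-smtps"))
        if l.auth and l.tls_mode is None:
            # credentials offered on a cleartext listener (my addition, not from the thread)
            findings.append((where, "auth-without-tls"))
        if l.port == 587 and l.auth is None:
            findings.append((where, "submission-without-auth"))
    return findings


def suggest_fix(l: Listener) -> str:
    """Rewrite one listener the way the replies in this thread suggest."""
    pki = f" pki {l.pki}" if l.pki else ""
    if l.port == 25:
        return f"listen on {l.iface} port 25 tls{pki}"          # STARTTLS, no AUTH: MX for inbound mail
    if l.port == 465:
        return f"listen on {l.iface} port 465 smtps{pki} auth"  # implicit TLS + AUTH for submission
    if l.port == 587:
        return f"listen on {l.iface} port 587 tls{pki} auth"    # STARTTLS + AUTH for submission
    return f"listen on {l.iface} port {l.port}"


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_CONF)
    for where, finding in check_listeners(listeners):
        print(f"{where}: {finding}")
    for l in listeners:
        print("suggested:", suggest_fix(l))
```

The port-25 suggestion drops `auth` entirely, which is the usual split (MX on 25, submission on 465/587); the alternative tuyosi tries next in this thread, `auth-optional`, keeps a single listener serving both roles, which smtpd.conf(5) reserves for cases where a separate submission port is not possible.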



Re: SSL/TLS

2015-07-28 Thread SSL

I rewrote smtpd.conf with auth-optional.
This one allows mail from gmail.com.

-by https://www.opensmtpd.org/smtpd.conf.5.html
If *auth-optional* is specified, then SMTPAUTH is not required to 
establish an SMTP transaction. This is only useful to let a listener 
accept incoming mail from untrusted senders and outgoing mail from 
authenticated users in situations where it is not possible to listen on 
the submission port.
Both *auth* and *auth-optional* accept an optional table as a parameter. 
When provided, credentials are looked up in this table. Credentials 
format is described in table(5).

---

how about this ?

pki mail.aoiyuma.mydns.jp certificate /etc/ssl/mail.aoiyuma.mydns.jp.crt
pki mail.aoiyuma.mydns.jp key /etc/ssl/private/mail.aoiyuma.mydns.jp.key
listen on lo0
listen on em0 port 25  tls pki mail.aoiyuma.mydns.jp auth-optional
listen on em0 port 465 tls pki mail.aoiyuma.mydns.jp auth-optional
listen on em0 port 587 tls pki mail.aoiyuma.mydns.jp auth-optional
table aliases db:/etc/mail/aliases.db
accept from any for domain aoiyuma.mydns.jp alias <aliases> deliver to maildir
accept from any for domain aoiyuma.mydns.jp deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir

mynetwork1 = 6.2.6.2/32
mynetwork2 = 114.22.25.247/32
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay
accept from local for any relay




Re: SSL/TLS

2015-07-28 Thread SSL

Hi all.
Following the advice that I received in the past, I try to put it together.

I think that there are mistakes.
Please point them out.

In addition, please use a translation site because this is written in
Japanese.


For example,
https://translate.google.co.jp/?hl=ja
--
tuyosi takesima


Re: SSL/TLS

2015-07-27 Thread Seth

On Mon, 27 Jul 2015 19:40:39 -0700, SSL tuy...@aoiyuma.mydns.jp wrote:

> I am afraid of being attacked.
> So I want to limit it to PCs in Japan only (if a Japanese PC is hacked, this
> setting is not safe).


It would probably be more appropriate and effective to use a firewall such  
as OpenBSD's pf to accomplish this goal. OpenBSD also provides spamd  
which, along with a few selected real time black lists added to the mix,  
makes a very effective spam filter.



> But I want to use connection security SSL/TLS.
> How do I do it?


The smtpd.conf(5) man page documents key generation in the EXAMPLES
section near the end.


     In this second example, the aim is to permit mail relaying for any user
     that can authenticate using their normal login credentials.  An RSA
     certificate must be provided to prove the server's identity.  The mail
     server listens on all interfaces the default route(s) point to.  Mail
     with a local destination should be sent to an external mda.  First, the
     RSA certificate is created:

           # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
           # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
                   -out /etc/ssl/mail.example.com.crt -days 365
           # chmod 600 /etc/ssl/mail.example.com.crt
           # chmod 600 /etc/ssl/private/mail.example.com.key




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-10 Thread John Cox
On Mon, 9 Jun 2014 10:16:43 +0200, you wrote:

> On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> > Hi
> > 
> > > That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> > > the case for many years
> > 
> > To parrot this on all of my various instances OpenSMTPD and not I get tons
> > of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > every now and again I see SSLv2 attempts which for most of my instances get
> > killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
> > But seriously for email any transport encryption is better than none and
> > OpenSMTPD's default should be the best way to handle opportunistic TLS
> > where you always try to use the highest protocol version supported with the
> > best ciphers supported, and there shouldn't need to be a knob for it.
> > 
> > Whilst I agree with what you are saying for general purpose mail
> > servers, I can see applications where enforced encryption levels are
> > worth having.  I can see that some company gateways, where they know
> > all of the other endpoints, might wish to enforce appropriate
> > encryption as everybody who should be talking to that MTA should be
> > capable of it and anything else is therefore spam or hacking.  This is
> > particularly plausible on any link where TLS or SSL is already
> > mandatory.
> > 
> 
> please define enforced encryption levels ?
Tricky - I don't have a specific use case in mind, but I worked on
building a military email system (X.400 based - it was that long ago,
though they may still use it for all I know) and they were pretty keen
on nailing down exactly what was expected on each link.

> pretty much anyone tweaking ssl_ciphers will actually downgrade security
> or/and break interop with other servers. some people may know how to tie
> things further for their specific use-cases but the minute we add a knob
> other people will start using it and shoot themselves in the foot.
Sadly that is the case with pretty much all security, but the lack of
an ability to check/filter based on what security level has been
negotiated means that those people who _do_ know what they are doing
can't.  I'm still annoyed by the general (not smtpd particularly)
impossibility of having usefully functioning CRLs, which are pretty
much a requirement of any PK system but have been generally ignored to
date.

> At the time being we're looking to is to have the bulk of users safe by
> default and we're looking for more:
> 
>    https://twitter.com/Mayeu/status/474109854651785216
> 
> the magic of OpenSMTPD, you do no TLS configuration and you're graded A
>  by default <3  (test here: starttls.info)
I do not disagree

> I'm not saying that this will hold true forever but at this point in time
> I would prefer that we don't have ssl_ciphers and that any improvement we
> do is made to the default until we exhausted all possibilities to do so.
Fair enough - I just felt it was worth adding another point of view to
the discussion.

Thanks

JC




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-09 Thread John Cox
Hi

> That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> the case for many years

To parrot this on all of my various instances OpenSMTPD and not I get tons
of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
every now and again I see SSLv2 attempts which for most of my instances get
killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
But seriously for email any transport encryption is better than none and
OpenSMTPD's default should be the best way to handle opportunistic TLS
where you always try to use the highest protocol version supported with the
best ciphers supported, and there shouldn't need to be a knob for it.

Whilst I agree with what you are saying for general purpose mail
servers, I can see applications where enforced encryption levels are
worth having.  I can see that some company gateways, where they know
all of the other endpoints, might wish to enforce appropriate
encryption as everybody who should be talking to that MTA should be
capable of it and anything else is therefore spam or hacking.  This is
particularly plausible on any link where TLS or SSL is already
mandatory.

Regards

JC




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-09 Thread Gilles Chehade
On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> Hi
> 
> > That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> > the case for many years
> 
> To parrot this on all of my various instances OpenSMTPD and not I get tons
> of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> every now and again I see SSLv2 attempts which for most of my instances get
> killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
> But seriously for email any transport encryption is better than none and
> OpenSMTPD's default should be the best way to handle opportunistic TLS
> where you always try to use the highest protocol version supported with the
> best ciphers supported, and there shouldn't need to be a knob for it.
> 
> Whilst I agree with what you are saying for general purpose mail
> servers, I can see applications where enforced encryption levels are
> worth having.  I can see that some company gateways, where they know
> all of the other endpoints, might wish to enforce appropriate
> encryption as everybody who should be talking to that MTA should be
> capable of it and anything else is therefore spam or hacking.  This is
> particularly plausible on any link where TLS or SSL is already
> mandatory.
> 

please define enforced encryption levels ?

pretty much anyone tweaking ssl_ciphers will actually downgrade security
or/and break interop with other servers. some people may know how to tie
things further for their specific use-cases but the minute we add a knob
other people will start using it and shoot themselves in the foot.

At the time being we're looking to is to have the bulk of users safe by
default and we're looking for more:

   https://twitter.com/Mayeu/status/474109854651785216

the magic of OpenSMTPD, you do no TLS configuration and you're graded A
 by default <3  (test here: starttls.info)

I'm not saying that this will hold true forever but at this point in time
I would prefer that we don't have ssl_ciphers and that any improvement we
do is made to the default until we exhausted all possibilities to do so.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-09 Thread Adam Suhl
I think at build time you can fine-tune which ciphers you want by editing 
ssl.h -- in particular the SSL_CIPHERS define.
--Adam

On Mon, 9 Jun 2014, Gilles Chehade wrote:

> On Mon, Jun 09, 2014 at 08:39:52AM +0100, John Cox wrote:
> > Hi
> > 
> > > That's not correct no, I get plenty of TLS 1.0 traffic and it has been
> > > the case for many years
> > 
> > To parrot this on all of my various instances OpenSMTPD and not I get tons
> > of TLS 1.0 and SSLv3 traffic, I wish I didn't but it still happens. Heck
> > every now and again I see SSLv2 attempts which for most of my instances get
> > killed. I haven't seen one on my OpenSMTPD instance yet but it's only time.
> > But seriously for email any transport encryption is better than none and
> > OpenSMTPD's default should be the best way to handle opportunistic TLS
> > where you always try to use the highest protocol version supported with the
> > best ciphers supported, and there shouldn't need to be a knob for it.
> > 
> > Whilst I agree with what you are saying for general purpose mail
> > servers, I can see applications where enforced encryption levels are
> > worth having.  I can see that some company gateways, where they know
> > all of the other endpoints, might wish to enforce appropriate
> > encryption as everybody who should be talking to that MTA should be
> > capable of it and anything else is therefore spam or hacking.  This is
> > particularly plausible on any link where TLS or SSL is already
> > mandatory.
> > 
> 
> please define enforced encryption levels ?
> 
> pretty much anyone tweaking ssl_ciphers will actually downgrade security
> or/and break interop with other servers. some people may know how to tie
> things further for their specific use-cases but the minute we add a knob
> other people will start using it and shoot themselves in the foot.
> 
> At the time being we're looking to is to have the bulk of users safe by
> default and we're looking for more:
> 
>    https://twitter.com/Mayeu/status/474109854651785216
> 
> the magic of OpenSMTPD, you do no TLS configuration and you're graded A
>  by default <3  (test here: starttls.info)
> 
> I'm not saying that this will hold true forever but at this point in time
> I would prefer that we don't have ssl_ciphers and that any improvement we
> do is made to the default until we exhausted all possibilities to do so.
> 
> 
> -- 
> Gilles Chehade
> 
> https://www.poolp.org  @poolpOrg
 




Re: How to configure encryption ciphers and SSL/TLS protocols

2014-06-08 Thread Gilles Chehade
On Sat, Jun 07, 2014 at 03:40:12PM -0700, Clint Pachl wrote:
> Is there a way to configure smtpd to only use specified ciphers or limit it
> to TLSv1.[12]?
> 
> I'm looking for something similar to Dovecot's `ssl_cipher_list` or Nginx's
> `ssl_ciphers` or `ssl_protocols` configuration directives.
 

no, we don't want to make this tunable.

the rationale is that we want to propose the best encryption by default.
if there is a better choice, it should be proposed and discussed openly
as it should become the new default.

yes, it's tempting to provide ssl_ciphers but unless there's a very good
reason to do it, we won't introduce this new knob.


> The reason I ask is because I'm very close to failing my PCI compliance
> because of smtpd. They score each compliance test from 0 to 9. If any single
> score is 4.0 or higher, I fail PCI compliance. OpenSMTPD 5.4.2 is currently
> receiving a risk score of 3.9. I have a feeling that in the not too distant
> future this particular test will fail.
> 
> My PCI-DSS vendor, Security Metrics, states that smtpd is vulnerable to
> information disclosure because of the initialization vector implementations
> in SSLv3 and TLSv1.0.
> 
> Their stated resolution is:
> 
> Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
> Configure SSL/TLS servers to only support cipher suites that do not use
> block ciphers.


This can certainly be improved without adding ssl_ciphers knob


> I'm not a mail expert, but my feeling is that secured email hasn't been
> widespread until recent years. If any MTAs support encryption, they are
> probably using the latest protocols and ciphers.
 

That's not correct no, I get plenty of TLS 1.0 traffic and it has been
the case for many years

-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

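The PCI vendor's stated resolution quoted above (TLS 1.1 or 1.2 only; no block-cipher suites, meaning the CBC-mode suites affected by the SSLv3/TLS 1.0 initialization-vector weakness known as BEAST) as a classifier for what a server actually negotiated. This is an added example, not part of the thread or of OpenSMTPD; the rules are mine, based on OpenSSL cipher-suite naming: AEAD suites carry `GCM`, `CCM` or `CHACHA20` in their name and exist only from TLS 1.2, while `AES128-SHA`, `DES-CBC3-SHA` and the `...-SHA256`/`...-SHA384` HMAC suites are CBC. One caveat that the `Started TLS` line earlier in this thread illustrates: OpenSMTPD of that era logged `version=TLSv1/SSLv3`, the string 1.0-era OpenSSL/LibreSSL return from `SSL_get_cipher_version()` for every SSLv3-family suite, so that field names the cipher family rather than the negotiated protocol. The classifier treats it that way and infers TLS 1.2 only when the suite requires it. TLS 1.3 is accepted too, which post-dates the thread and is my addition.

```python
from typing import Dict, List

# Constructed copy of the 'Started TLS' line posted earlier in this thread.
SAMPLE_LINE = ("Jul 29 04:36:49 aoiyuma smtpd[13370]: smtp-in: Started TLS on session 0d8c973acd272d09: "
               "version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128")

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
TLS12_ONLY_SUFFIXES = ("SHA256", "SHA384")             # SHA-2 HMAC suites were introduced with TLS 1.2
ACCEPTED_PROTOCOLS = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}  # vendor says 1.1/1.2; 1.3 is my addition


def min_protocol(cipher: str) -> str:
    """Lowest protocol version under which a suite with this OpenSSL name can be negotiated."""
    if any(m in cipher for m in AEAD_MARKERS) or cipher.endswith(TLS12_ONLY_SUFFIXES):
        return "TLSv1.2"
    return "SSLv3"  # legacy suite: usable from SSLv3 through TLS 1.2


def cipher_findings(cipher: str) -> List[str]:
    """Policy findings for a suite name; an empty list means the vendor's cipher rule is met."""
    f: List[str] = []
    if "NULL" in cipher:
        f.append("null-encryption")
    if cipher.startswith(("ADH", "AECDH")):
        f.append("anonymous-key-exchange")  # no server authentication at all
    if "EXP" in cipher:
        f.append("export-grade")
    if "RC4" in cipher:
        f.append("rc4")                     # stream cipher, prohibited for TLS by RFC 7465
    if "MD5" in cipher:
        f.append("md5-mac")
    if not any(m in cipher for m in AEAD_MARKERS) and "RC4" not in cipher and "NULL" not in cipher:
        f.append("cbc-block-cipher")        # the vendor's "block cipher" finding: AES/3DES/DES in CBC mode
    return f


def effective_protocol(logged: str, cipher: str) -> str:
    """Resolve the logged version string; 'TLSv1/SSLv3' is a cipher-family label, not a version."""
    if logged == "TLSv1/SSLv3":
        return "TLSv1.2" if min_protocol(cipher) == "TLSv1.2" else "unknown"
    return logged


def evaluate(logged_version: str, cipher: str) -> Dict[str, object]:
    proto = effective_protocol(logged_version, cipher)
    findings = cipher_findings(cipher)
    if proto not in ACCEPTED_PROTOCOLS:
        findings.insert(0, "protocol-" + ("unknown" if proto == "unknown" else proto.lower()))
    return {"protocol": proto, "findings": findings, "compliant": not findings}


def evaluate_log_line(line: str) -> Dict[str, object]:
    """Parse the 'version=..., cipher=..., bits=...' tail of an OpenSMTPD 'Started TLS' line."""
    fields = dict(kv.split("=", 1) for kv in line.rsplit(": ", 1)[1].split(", "))
    return evaluate(fields["version"], fields["cipher"])


if __name__ == "__main__":
    for ver, suite in [("TLSv1/SSLv3", "ECDHE-RSA-AES128-GCM-SHA256"), ("TLSv1", "AES128-SHA"),
                       ("TLSv1.2", "ECDHE-RSA-AES256-SHA384"), ("SSLv3", "RC4-MD5")]:
        print(ver, suite, evaluate(ver, suite))
    print("thread's session:", evaluate_log_line(SAMPLE_LINE))
```

Fed the thread's own line, the result is compliant: a GCM suite can only have been negotiated under TLS 1.2, whatever the `version=` field says. That is the practical answer to the scanner's complaint without any `ssl_ciphers` knob: look at what the server actually negotiates, session by session, rather than at the protocol list it advertises.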