[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users: > Viktor Dukhovni via Postfix-users: > [. in BDAT payload] > > > If my suspicion is correct, a downstream server may receive the > > > normal and smuggled content as two separate messages. > > > > I don't see why. It shouldn't matter how Microsoft's MTA ends up > >

[pfx] Re: 25 years today

2023-12-19 Thread raf via Postfix-users
On Tue, Dec 19, 2023 at 10:56:58AM +0100, "Jan P. Kessler via Postfix-users" wrote: > > As a few on this list may recall, it is 25 years ago today that the > > "IBM secure mailer" had its public beta release. This was accompanied > > by a nice article in the New York Times business section. >

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users: [. in BDAT payload] > > If my suspicion is correct, a downstream server may receive the > > normal and smuggled content as two separate messages. > > I don't see why. It shouldn't matter how Microsoft's MTA ends up > with a message containing "." or (.), so long

[pfx] Re: Not all errors are postfix's fault

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 04:07:11PM +, Linkcheck via Postfix-users wrote: > Sort of. I now have a problem where (it seems) ALL authenticated mail is not > being dkim signed How does your milter decide which messages to sign? Does it perhaps look for:

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Steffen Nurpmeso via Postfix-users
Wietse Venema via Postfix-users wrote in <4svjy117ywzj...@spike.porcupine.org>: ... |I expect that a SOCKS5 client would not use much code, compared to |the code that was needed with HaProxy. Gaetan Bisson (former ArchLinux, a very smart math professor Tahiti) has written a small LD_PRELOAD

[pfx] Re: Using a second domain for outgoing mail

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 12:34:55PM -0600, Richard Raether via Postfix-users wrote: > In addition, the boss just asked is there a way to restrict the group of > users that can send from that second domain? We are using ldap for > authentication. Please forgive any ignorance on my part. How does

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Wietse Venema via Postfix-users
Wietse > This means that nginx ignores the source port in the proxy protocol. > Is that documented somewhere? Joachim Lindenberg: > It does not ignore it, the variable exists. My configuration doesn't > use it for outbound, as plenty of ports are in use, and dynamic > is ok for the use case.

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 10:42:14AM -0500, Wietse Venema via Postfix-users wrote: > First, there is one mistake in my last quoted paragraph above. In > the smuggled commands, an attacker can avoid an SMTP command > pipelining violation, by using BDAT instead of DATA. > Below I'm indenting the

[pfx] Re: Using a second domain for outgoing mail

2023-12-19 Thread Noel Jones via Postfix-users
You can use http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps and reject_authenticated_sender_login_mismatch to define who can use what sender address. Note this does not enforce the display From: header, only the envelope sender. With normal mail clients this isn't a problem.

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
>This means that nginx ignores the source port in the proxy protocol. >Is that documented somewhere? It does not ignore it, the variable exists. My configuration doesn't use it for outbound, as plenty of ports are in use, and dynamic is ok for the use case. Does postfix have a dependency on the

[pfx] Re: Using a second domain for outgoing mail

2023-12-19 Thread Richard Raether via Postfix-users
In addition, the boss just asked is there a way to restrict the group of users that can send from that second domain? We are using ldap for authentication. Please forgive any ignorance on my part. On 12/19/23 10:22 AM, Noel Jones via Postfix-users wrote: On 12/19/2023 9:41 AM, Richard Raether

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users: > >Is there a technical spec of that protocol? Does it look in any > way like HaProxy protocol version 1 or 2? What are the source IP > address and port? > https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#:~:text=Enables%20the%20PROXY%20protocol >

[pfx] Re: Using a second domain for outgoing mail

2023-12-19 Thread Noel Jones via Postfix-users
On 12/19/2023 9:41 AM, Richard Raether via Postfix-users wrote: Problem: Our mail server sends mail from cct.lsu.edu. A group of users want to send mail and have their address be stellar-group.org. We already have this in mydestination so we do /get/ email sent to that domain, but at current

[pfx] Not all errors are postfix's fault

2023-12-19 Thread Linkcheck via Postfix-users
Saturday morning I put my new postfix mail server into operation, replacing a years-old previous incarnation (about 15 user domains). The new one, which has been under test for a long time, seemed to work with no problems. Monday morning I had two user complaints - could not send mail from

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
>Is there a technical spec of that protocol? Does it look in any way like >HaProxy protocol version 1 or 2? What are the source IP address and port? https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#:~:text=Enables%20the%20PROXY%20protocol links to the expected suspect (HaProxy)...

[pfx] Re: SMTP smuggling in Postfix

2023-12-19 Thread Wietse Venema via Postfix-users
John Levine via Postfix-users: > This paper describes a clever hack that uses defective line endings to embed > a second SMTP session inside a first one, which has the practical effect > of letting you send fake authenticated mail from anyone else who uses the > same mail system you do. If that

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users: > >How is this used to connect to an arbitrary destination on the Internet? > > This is probably nginx implementation specific, but one can configure a > stream proxy as follows: > > stream { > server { > listen 10.200.200.1:12345

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users: > Rejecting stray and while receiving mail will prevent > Postfix from receiving "smuggled" SMTP commands after a malformed > end-of-data sequence, and thus, it will prevent Postfix from > forwarding them. > > So would rejecting an SMTP command pipelining

[pfx] Using a second domain for outgoing mail

2023-12-19 Thread Richard Raether via Postfix-users
Problem: Our mail server sends mail from cct.lsu.edu. A group of users want to send mail and have their address be stellar-group.org. We already have this in mydestination so we do /get/ email sent to that domain, but at current you can't send email /from/ that domain and have the address

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
>How is this used to connect to an arbitrary destination on the Internet? This is probably nginx implementation specific, but one can configure a stream proxy as follows: stream { server { listen 10.200.200.1:12345 proxy_protocol; proxy_bind [$proxy_protocol_addr];

[pfx] SMTP smuggling in Postfix

2023-12-19 Thread John Levine via Postfix-users
This paper describes a clever hack that uses defective line endings to embed a second SMTP session inside a first one, which has the practical effect of letting you send fake authenticated mail from anyone else who uses the same mail system you do. If that system is MS Outlook, that's a lot of

[pfx] Re: omitting the X-Google-Original-From header

2023-12-19 Thread Bill Cole via Postfix-users
On 2023-12-18 at 17:15:16 UTC-0500 (Mon, 18 Dec 2023 23:15:16 +0100) Steffen Nurpmeso via Postfix-users is rumored to have said: Bill Cole via Postfix-users wrote in <6039ed61-2c8f-4a12-b736-994d32632...@billmail.scconsult.com>: |On 2023-12-17 at 09:27:36 UTC-0500 (Sun, 17 Dec 2023 06:27:36

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users: > I'd like to challenge that. (HA) Proxy protocol essentially implies > to connect to another configured address and then prepend a string > with connection info to the TCP stream. Indeed. The (HA) proxy accepts a connection from an arbitrary client IP

[pfx] Re: 25 years today

2023-12-19 Thread Jan P. Kessler via Postfix-users
Sorry for replying to an old thread. As a few on this list may recall, it is 25 years ago today that the "IBM secure mailer" had its public beta release. This was accompanied by a nice article in the New York Times business section. I just wanted to say THANK YOU to you and any other

[pfx] Re: Postfix using proxy protocol outbound?

2023-12-19 Thread Joachim Lindenberg via Postfix-users
Hello Wietse, maybe I should tell I am using nginx for all my inbound proxy protocol needs (HA is via multiple addresses in DNS), and my email test service uses proxy protocol outbound as well. Before I picked proxy protocol for that use case I checked SOCKS or HTTP proxies but perceived the