RE: smtpd_sasl_security_options clarification

2016-07-11 Thread Michael Fox
> > Michael Fox: > > http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options says > "the > > following security features are defined for the cyrus server .". > Dovecot is > > not mentioned. So, is it correct to interpret this to mean that this > > postfix setting is a noop when

Re: smtpd_sasl_security_options clarification

2016-07-11 Thread Wietse Venema
Michael Fox: > http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options says "the > following security features are defined for the cyrus server .". Dovecot is > not mentioned. So, is it correct to interpret this to mean that this > postfix setting is a noop when dovecot is used for

Re: smtpd_sasl_security_options clarification

2016-07-11 Thread Wietse Venema
Wietse: > Dovecot tells Postfix the supported mechanism names and their > security properties. Postfix intersects that with the main.cf > settings, and announces the mechanisms that remain. Michael Fox: > O.K. Thanks. > > Can be more specific about which SASL mechanisms are allowed or

RE: smtpd_sasl_security_options clarification

2016-07-11 Thread Michael Fox
> In other words, how do I know which mechanisms will be > > disallowed with "noactive" or "nodictionary" or allowed by > "forward_secrecy" > > or "mutual_auth"? I'm unable to connect the dots. > > You can find out about SASL active etc. attacks in RFC 4422 > https://tools.ietf.org/html/rfc4422

Re: Brutal attacks

2016-07-11 Thread Benning, Markus
On 2016-07-09 18:34, Robert Schetterer wrote: additional fail2ban, but log parse was too slow at my side and for sure use postscreen It's possible to trigger fail2ban from a policyd: https://www.mtpolicyd.org/documentation.html#Mail::MtPolicyd::Plugin::Fail2Ban Markus --

Re: server / client configuration for Authenticated Relay server

2016-07-11 Thread Wietse Venema
Please define "is not working". Wietse

Re: Brutal attacks

2016-07-11 Thread Allen Coates
I found this in "man iptables-extensions" Examples: # allow 2 telnet connections per client host iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT It could be adapted to offer basic DoS protection for postfix. Unfortunately my

server / client configuration for Authenticated Relay server

2016-07-11 Thread Zalezny Niezalezny
Dear Colleagues, I'm trying to configure authenticated relay server (SASL) using RHEL Postfix 2.6.6. System will transport E-mails only from authenticated clients. 1) Most of those clients are in the same subnet, does it make sense to authenticate those clients with passwords? Do we need to use

Re: New SASL generic failure

2016-07-11 Thread Rick Zeman
On Sat, Jul 9, 2016 at 9:57 AM, Viktor Dukhovni wrote: > >> On Jul 8, 2016, at 10:09 PM, Rick Zeman wrote: >> >> How might 'filtering out that mechanism" be done, Viktor? Doesn't >> sound (or look like, based on SASL_README) that it's something done

Re: New SASL generic failure

2016-07-11 Thread Viktor Dukhovni
> On Jul 11, 2016, at 9:27 AM, Rick Zeman wrote: > > Explicitly filtering in: > > smtp_sasl_mechanism_filter = plain, login > > did the trick. I didn't need to filter out XOAUTH2. Whether through an explicit deny, or by omission, either way the effect is to disable

smtpd_sasl_security_options clarification

2016-07-11 Thread Michael Fox
http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options says "the following security features are defined for the cyrus server .". Dovecot is not mentioned. So, is it correct to interpret this to mean that this postfix setting is a noop when dovecot is used for sasl authentication?

Re: server / client configuration for Authenticated Relay server

2016-07-11 Thread Bill Cole
On 11 Jul 2016, at 4:30, Zalezny Niezalezny wrote: Dear Colleagues, I'm trying to configure authenticated relay server (SASL) using RHEL Postfix 2.6.6. System will transport E-mails only from authenticated clients. 1) Most of those clients are in the same subnet, does it make sense to