Re: need help with setting LDAP search domains

2017-03-30 Thread Viktor Dukhovni

> On Mar 30, 2017, at 8:36 PM, pandorasbox55  wrote:
> 
> From what I have read, setting the /domain/ in the LDAP table should be what
> I need

That's correct.  With "domain" set, only lookup keys of the form
"u...@example.com" where "example.com" is listed in the "domain" list
will be looked up.  All other lookup keys will bypass LDAP and return
no result.

> but I can't seem to get it to work.

And yet that's how it works, so perhaps you're not interpreting your
observations correctly.  Also with multiple tables defined, some of
the tables may be missing the "domain" constraint, and these will
generate the unwanted queries.

> Here's a sample of one of my LDAP alias tables:
> 
> server_host = [server:port]
> version = 3
> timeout = 5
> search_base = [ldapsearchbase]
> domain = my.domain.com

This is correct and sufficient.

-- 
Viktor.



Re: problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread John Stoffel
> "Noel" == Noel Jones  writes:

Noel> On 3/30/2017 9:26 AM, John Stoffel wrote:
>> 
>> Hi all,
>> 
>> We're running postfix-2.6.6-6.el6_5.x86_64 on RHEL 6.6 and running
>> into a problem where emails that have been released from our outside
>> spam protection company, *.protection.outlook.com, are getting
>> rejected with messages like this:
>> 
>> Mar 26 06:00:56 mailhost postfix/smtpd[2270]: connect from 
>> mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
>> Mar 26 06:00:56 mailhost postfix/smtpd[2270]: 51235A07D1: 
>> client=mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
>> Mar 26 06:00:56 mailhost postfix/cleanup[2279]: 51235A07D1: 
>> message-id=<1490445496218.20153408.25880761.5137938...@backend.ttktravelinsider.com>
>> Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: 
>> from=, size=40439, nrcpt=1 (queue 
>> active)
>> Mar 26 06:00:56 mailhost postfix/local[2278]: 51235A07D1: 
>> to=, relay=local, delay=0.29, delays=0.28/0/0/0.01, 
>> dsn=5.4.6, status=bounced (mail forwarding loop for saba.shar...@sub.com)
>> Mar 26 06:00:56 mailhost postfix/bounce[2273]: 51235A07D1: sender 
>> non-delivery notification: 97DF2A080B
>> Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: removed
>> 
>> These emails are released by the end user and should be delivered, but are 
>> getting bounced back.
>> 
>> How would I go about figuring out if it's really a bogus "Delivered-To: " 
>> header that's causing this rejection?  
>> 

Noel> Some things you can do...

Noel> - search your logs for the message-id recorded above to see if this
Noel> message has been here before. Maybe this mail arrived before, was
Noel> forwarded off-site, then came back; don't do that.

So I looked back through my logs until early February and I didn't see
it.  So it's not that sort of loop as far as I can tell.  

Noel> - You can use the HOLD action to freeze an incoming message in the
Noel> queue before the local delivery agent has a chance to bounce it.
Noel> Then you can examine the message.   To HOLD the message, you can use
Noel> a check_recipient_access map, or a check_client_access map, or a
Noel> header_checks rule.

Ok, thanks for the hints!  I'll have to read up on how to do a
header_checks rule and implement it so that I can see what's going on
here.  

Noel> (NOTE: don't be tempted to use header_checks IGNORE to remove a
Noel> bogus Delivered-To header! The internet will thank you.)

I know, but ... I might be forced to, since my users are bitching
about losing email they release from spam.  But!  I can also take this
to the vendor as proof they are doing something wrong as well.  But
first I need to get some messages and headers to look at first.

Thanks for your help Noel.

Noel>   -- Noel Jones


>> 
>> 
>> # postconf -n
>> alias_database = hash:/etc/aliases
>> alias_maps = nis:mail.aliases
>> command_directory = /usr/sbin
>> config_directory = /etc/postfix
>> daemon_directory = /usr/libexec/postfix
>> data_directory = /var/lib/postfix
>> debug_peer_level = 2
>> fallback_transport =
>> html_directory = no
>> inet_interfaces = all
>> inet_protocols = ipv4
>> local_header_rewrite_clients = static:all
>> local_recipient_maps =
>> mail_owner = postfix
>> mailq_path = /usr/bin/mailq.postfix
>> manpage_directory = /usr/share/man
>> masquerade_domains = !hqmta.sub.com $myorigin
>> message_size_limit = 3024
>> mydestination = $myhostname, localhost.$mydomain, localhost,
>> $mydomain, sub.com, acs.sub.corp.com
>> mydomain = sub.corp.com
>> myhostname = mailhost.sub.corp.com
>> mynetworks = 127.0.0.0/8, 209.243.0.0/16, 10.0.0.0/8
>> myorigin = $mydomain
>> newaliases_path = /usr/bin/newaliases.postfix
>> queue_directory = /var/spool/postfix
>> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
>> relay_domains = $mydestination, other.com, otherfoobar.com
>> sample_directory = /usr/share/doc/postfix-2.6.6/samples
>> sender_canonical_maps = hash:/etc/postfix/sender_canonical
>> sendmail_path = /usr/sbin/sendmail.postfix
>> setgid_group = postdrop
>> transport_maps = hash:/etc/postfix/transport_maps
>> unknown_local_recipient_reject_code = 450
>> 



need help with setting LDAP search domains

2017-03-30 Thread pandorasbox55
Hi -

I have set up LDAP search queries for delivering mail. The queries appear to
be working correctly; however, when checking the LDAP logs I am seeing
queries for any domain that mail is sent to. (In the logs, it also appears that
the queries are being re-run, after the completion of a successful query,
with different portions of the original email address as search data.)

From what I have read, setting the /domain/ in the LDAP table should be what
I need but I can't seem to get it to work. I have tested adding the
parameter with one domain (I would like to add more than one), but I am still
seeing searches being run for non-defined domains.
Any ideas?

Here's a sample of one of my LDAP alias tables:

server_host = [server:port]
version = 3
timeout = 5
search_base = [ldapsearchbase]
domain = my.domain.com
query_filter =(&(|(mail=%s)(mailAlternateAddress=%s)(mailEquivalentAddress=%s))(!(mailuserstatus=disabled)))
result_attribute = mailRoutingAddress
size_limit = 1
expansion_limit = 1

tia,
=lc




--
View this message in context: 
http://postfix.1071664.n5.nabble.com/need-help-with-setting-LDAP-search-domains-tp89782.html
Sent from the Postfix Users mailing list archive at Nabble.com.


Re: problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread John Stoffel
> "Wietse" == Wietse Venema  writes:

Wietse> Postfix reports this error because it is responsible for 'example.com'
Wietse> and the message has 'Delivered-To: u...@example.com'.

Thank you for your reply!  And thank you for postfix in general, it's
made my life simpler in so many ways. 

Wietse> There are several options:

Wietse> 1) Your error. Your system is sending mail out after adding the
Wietse> 'Delivered-To: u...@example.com' header, and it comes back from
Wietse> outlook.com. If Postfix did not block such email then it could loop
Wietse> forever.

In this case no, the email is all coming from external people and
getting blocked by the spam filtering system.  When the user goes to
release it, then it gets looped back.

Wietse> 2) User error. After your system adds the 'Delivered-To: u...@example.com'
Wietse> header, some of your users forward their email off-site.  That email
Wietse> ends up at a system that looks at the message header address and
Wietse> that forwards that email to outlook.com. This results in a similar
Wietse> problem as (1). If Postfix did not block such email then it could
Wietse> loop forever.

This is something to check, but I'm not sure. 

Wietse> 2) Outlook error. Outlook.com adds the 'Delivered-To: u...@example.com'
Wietse> header. In that case all mail from Outlook.com would have this
Wietse> problem. It does not seem likely.

Wietse> My money is on (1) or (2).

Is there any way I can keep a copy of these emails for debugging, even
though I still bounce them back?  I'd like to confirm what the headers
are if at all possible.

John




Re: problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread Noel Jones
On 3/30/2017 9:26 AM, John Stoffel wrote:
> 
> Hi all,
> 
> We're running postfix-2.6.6-6.el6_5.x86_64 on RHEL 6.6 and running
> into a problem where emails that have been released from our outside
> spam protection company, *.protection.outlook.com, are getting
> rejected with messages like this:
> 
>   Mar 26 06:00:56 mailhost postfix/smtpd[2270]: connect from 
> mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
>   Mar 26 06:00:56 mailhost postfix/smtpd[2270]: 51235A07D1: 
> client=mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
>   Mar 26 06:00:56 mailhost postfix/cleanup[2279]: 51235A07D1: 
> message-id=<1490445496218.20153408.25880761.5137938...@backend.ttktravelinsider.com>
>   Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: 
> from=, size=40439, nrcpt=1 (queue active)
>   Mar 26 06:00:56 mailhost postfix/local[2278]: 51235A07D1: 
> to=, relay=local, delay=0.29, delays=0.28/0/0/0.01, 
> dsn=5.4.6, status=bounced (mail forwarding loop for saba.shar...@sub.com)
>   Mar 26 06:00:56 mailhost postfix/bounce[2273]: 51235A07D1: sender 
> non-delivery notification: 97DF2A080B
>   Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: removed
> 
> These emails are released by the end user and should be delivered, but are 
> getting bounced back.
> 
> How would I go about figuring out if it's really a bogus "Delivered-To: " 
> header that's causing this rejection?  
> 

Some things you can do...

- search your logs for the message-id recorded above to see if this
message has been here before. Maybe this mail arrived before, was
forwarded off-site, then came back; don't do that.

- You can use the HOLD action to freeze an incoming message in the
queue before the local delivery agent has a chance to bounce it.
Then you can examine the message.   To HOLD the message, you can use
a check_recipient_access map, or a check_client_access map, or a
header_checks rule.

(NOTE: don't be tempted to use header_checks IGNORE to remove a
bogus Delivered-To header! The internet will thank you.)



  -- Noel Jones


> 
> 
> # postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = nis:mail.aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> fallback_transport =
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> local_header_rewrite_clients = static:all
> local_recipient_maps =
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_domains = !hqmta.sub.com $myorigin
> message_size_limit = 3024
> mydestination = $myhostname, localhost.$mydomain, localhost,
> $mydomain, sub.com, acs.sub.corp.com
> mydomain = sub.corp.com
> myhostname = mailhost.sub.corp.com
> mynetworks = 127.0.0.0/8, 209.243.0.0/16, 10.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> relay_domains = $mydestination, other.com, otherfoobar.com
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> transport_maps = hash:/etc/postfix/transport_maps
> unknown_local_recipient_reject_code = 450
> 



Re: problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread Wietse Venema
Postfix reports this error because it is responsible for 'example.com'
and the message has 'Delivered-To: u...@example.com'.

There are several options:

1) Your error. Your system is sending mail out after adding the
'Delivered-To: u...@example.com' header, and it comes back from
outlook.com. If Postfix did not block such email then it could loop
forever.

2) User error. After your system adds the 'Delivered-To: u...@example.com'
header, some of your users forward their email off-site.  That email
ends up at a system that looks at the message header address and
that forwards that email to outlook.com. This results in a similar
problem as (1). If Postfix did not block such email then it could
loop forever.

2) Outlook error. Outlook.com adds the 'Delivered-To: u...@example.com'
header. In that case all mail from Outlook.com would have this
problem. It does not seem likely.

My money is on (1) or (2).

Wietse
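
To tell the three cases above apart on a message caught with HOLD, the position of the Delivered-To: header in the trace is the useful clue: each hop prepends its headers, so the nearest Received: header below a Delivered-To: names the hop that had the message when it was added. This is an added example, not code from the thread; the sample headers, host names and the function names are constructed, and the case-insensitive address comparison is an assumption modelled on the loop check described in local(8).

```python
import email
import re

# Constructed sample (not from the thread): header block of a held message.
# Host names and addresses are placeholders.
SAMPLE = """\
Received: from relay.filter.example (relay.filter.example [192.0.2.10])
\tby mailhost.corp.example (Postfix) with ESMTP id 51235A07D1
\tfor <user@corp.example>; Sun, 26 Mar 2017 06:00:56 -0400 (EDT)
Received: from quarantine.filter.example (198.51.100.7)
\tby relay.filter.example with ESMTP; Sun, 26 Mar 2017 10:00:55 +0000
Delivered-To: User@corp.example
Received: from sender.example.net (sender.example.net [203.0.113.5])
\tby quarantine.filter.example with ESMTP; Sat, 25 Mar 2017 12:38:16 +0000
From: Newsletter <noreply@example.net>
To: user@corp.example
Subject: constructed test message

body
"""

# The "by <host>" clause of a Received: header names the receiving system.
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def received_by(value):
    """Return the host in the 'by' clause of a Received: value, or None."""
    m = BY_RE.search(value)
    return m.group(1).lower() if m else None


def delivered_to_report(raw_headers, recipient):
    """Locate every Delivered-To: header and place it in the Received: chain.

    Headers are listed newest first, so Received: lines below a Delivered-To:
    are older than it and Received: lines above it are newer.
    """
    headers = email.message_from_string(raw_headers).items()
    findings = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "delivered-to":
            continue
        older = [received_by(v) for n, v in headers[i + 1:]
                 if n.lower() == "received"]
        newer = [received_by(v) for n, v in headers[:i]
                 if n.lower() == "received"]
        address = value.strip()
        findings.append({
            "address": address,
            # Assumption: compared case-insensitively, as a loop check would.
            "matches_recipient": address.lower() == recipient.lower(),
            # Hop holding the message when the header was prepended.
            "added_while_at": older[0] if older else None,
            # Hops the message passed through afterwards, oldest first.
            "later_hops": list(reversed(newer)),
        })
    return {
        "would_bounce": any(f["matches_recipient"] for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = delivered_to_report(SAMPLE, "user@corp.example")
    print("loop check would trigger:", report["would_bounce"])
    for f in report["findings"]:
        print(f["address"], "added while at", f["added_while_at"],
              "then via", " -> ".join(f["later_hops"]))
```

If `added_while_at` is your own mail host, the message has been delivered locally before (cases 1 and 2); if it is an outside system, that system added the header.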



Re: problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread John Stoffel
> "Dominic" == Dominic Raferd  writes:

Dominic> On 30 March 2017 at 15:26, John Stoffel  wrote:


Dominic> Hi all,

Dominic> We're running postfix-2.6.6-6.el6_5.x86_64 on RHEL 6.6 and running
Dominic> into a problem where emails that have been released from our outside
Dominic> spam protection company, *.protection.outlook.com, are getting
Dominic> rejected with messages like this:

Dominic>   Mar 26 06:00:56 mailhost postfix/smtpd[2270]: connect from
Dominic> mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
Dominic>   Mar 26 06:00:56 mailhost postfix/smtpd[2270]: 51235A07D1: client=
Dominic> mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
Dominic>   Mar 26 06:00:56 mailhost postfix/cleanup[2279]: 51235A07D1: message-id=<
Dominic> 1490445496218.20153408.25880761.5137938...@backend.ttktravelinsider.com>
Dominic>   Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: from=<
Dominic> ttkpub.nore...@ttktravelinsider.com>, size=40439, nrcpt=1 (queue active)
Dominic>   Mar 26 06:00:56 mailhost postfix/local[2278]: 51235A07D1: to=<
Dominic> saba.shar...@sub.com>, relay=local, delay=0.29, delays=0.28/0/0/0.01, dsn=
Dominic> 5.4.6, status=bounced (mail forwarding loop for saba.shar...@sub.com)
Dominic>   Mar 26 06:00:56 mailhost postfix/bounce[2273]: 51235A07D1: sender
Dominic> non-delivery notification: 97DF2A080B
Dominic>   Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: removed

Dominic> These emails are released by the end user and should be delivered, but are
Dominic> getting bounced back.

Dominic> How would I go about figuring out if it's really a bogus "Delivered-To: "
Dominic> header that's causing this rejection?


Dominic> Did you see this earlier thread: http://postfix.1071664.n5.nabble.com/
Dominic> What-is-causing-this-mail-forwarding-loop-bounce-td62199.html ?

I have looked at that thread, but I don't have a good answer.  I can
understand Wietse's comments in there, but I'm trying to also solve
this type of problem, and I've posted my postconf -n output, and the
logs from my mail host.   

Of course protection.outlook.com says they're not doing anything
special... but I don't believe them.  But I can't prove it without
keeping a copy of the bounced email somehow.  

Is there a good way to log the full headers of these emails before
they get rejected, so I can at least know what's going on here?

Thanks,
John


Re: message_size_limit - how to configure on multiple instances ?

2017-03-30 Thread Viktor Dukhovni

> On Mar 30, 2017, at 12:35 PM, Zalezny Niezalezny 
>  wrote:
> 
> # postconf -d | grep message

The "postconf -d" command returns compiled-in defaults.
For your actual settings, try "postconf", either with
no options or as "postconf -n" for just non-default
settings.  See postconf(1) for details.

-- 
Viktor.



Re: message_size_limit - how to configure on multiple instances ?

2017-03-30 Thread Wietse Venema
postconf -c /path/to/config/dir message_size_limit


Re: need little help with DKIM, if possible.

2017-03-30 Thread Viktor Dukhovni

> On Mar 30, 2017, at 12:35 PM, Dominic Raferd  wrote:
> 
> As I understand it, DKIM requires a separate DNS record for each subdomain

No, DKIM has no such requirement.  The DKIM signing domain "d=" in the
DKIM signature header is not constrained to match the domain in the
rfc2822 "From:" header.  All that DKIM conveys is the identity of the
domain responsible for the content.  DKIM authenticates the origin
domain, not the author.

-- 
Viktor.



Re: need little help with DKIM, if possible.

2017-03-30 Thread Dominic Raferd


On 30 March 2017 at 16:19, Fazzina, Angelo  wrote:

> Thank you Dominic,
>
>
>
> I think I am starting to confuse the 2 sides of the coin and wanted
> clarification.
>
>
>
> If I setup DKIM, it is to be used by whom ?
>
> Is it for anyone including my own domain, when an @uconn.edu email is
> received, it is to be checked ?
>
>
>
> A.  Does my DKIM entry in DNS help with sending from x...@example.com
>  to x...@uconn.edu ?
>
> B.  Does my DKIM entry in DNS help with sending from x...@uconn.edu to
> x...@example.com?
>
> C.  Does my DKIM entry in DNS help with sending from  x...@uconn.edu
> to y...@uconn.edu ?
>
>
>
> In “C” I am thinking emails from staff to student and vice versa. Staff on
> O365 and students on Google Apps.
>
> Both cloud solutions.
>
> *Student to staff* would go  google ->  to my MX record which is spam
> appliance -> postfix box -> O365 servers
>
> *Staff to Student*  would go O365 -> to my MX record which is spam
> appliance -> postfix box  -> Google servers
>

As I understand it, DKIM requires a separate DNS record for each subdomain
to which it will apply (unlike DMARC). So if you want to send emails with
header 'From: alf02013@appmail.uconn.edu' and you want these to have a
useful DKIM header, then there must be a DNS TXT entry at
mykey._domainkey.appmail.uconn.edu, and the private key to which this relates
must have been used by your mailserver to generate the DKIM header (with
s=mykey) that appears in your email. With a separate but similar DNS TXT
entry at mykey._domainkey.uconn.edu, the same private key could be used by
your mailserver to generate a valid DKIM header for an email from
angelo.fazz...@uconn.edu.

*Any* MUA can check your DKIM header to see whether the email is unmodified
since the DKIM header was created by the private keyholder; but a valid
DKIM header means very little unless it matches (is 'aligned with') the
domain in the 'From' header, since a malefactor can still create an email
faking your 'From' address and insert their own valid DKIM header based on
their own domain (which will verify against their DNS TXT record). DMARC
takes DKIM and adds in the concept of alignment, but of course it first
requires that you are using DKIM.

Unfortunately in the real world DKIM is often used badly, including by
large organisations that should know better, so an unaligned DKIM header
(or one that is faulty in some other way) is only an indication that
there *just might* be a problem and nothing more. Similarly the presence of a DKIM TXT
entry in DNS does not guarantee that all valid emails from this domain will
have a DKIM header. This is another advantage of DMARC with p=reject,
because no organisation can afford to have such a policy unless it is
confident that its emails will all be correctly signed and aligned.

If any of the above is wrong, I hope someone will explain better.

Dominic
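
The alignment idea in the message above can be checked mechanically: compare the "d=" tag of each DKIM-Signature header with the domain of the From: header, exactly (strict) or by organizational domain (DMARC's relaxed mode). This is an added example, not code from the thread; it does not verify the signature itself, the two header samples are constructed around the domain names quoted in this thread, and PUBLIC_SUFFIXES is a tiny assumed stand-in for the real Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a minimal stand-in for the Public Suffix List, enough for the
# samples below. A real check would load the full list.
PUBLIC_SUFFIXES = {"edu", "com", "net", "org", "example"}

# Constructed headers using the signing and From domains quoted in the thread.
PAGE_CASE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mta4.uits.uconn.edu;\n"
    "\ts=dkim1; t=1490815766; h=To:From:Date:From; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    'From: "Sender, Example" <staff@appmail.uconn.edu>\n'
    "\n"
)

# Constructed headers: a signature that may verify perfectly well, but for a
# domain unrelated to the From: address.
UNRELATED_SIGNER = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=bulk.unrelated.example; s=k1;\n"
    "\th=From:Date; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Billing <billing@uconn.edu>\n"
    "\n"
)


def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            # Folding whitespace inside a tag value is not significant.
            tags[key.strip()] = "".join(val.split())
    return tags


def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known


def dkim_alignment(raw_headers):
    """Return (From domain, one alignment verdict per DKIM-Signature)."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        verdicts.append({
            "d": d,
            "strict": bool(d) and d == from_domain,
            "relaxed": bool(d) and org_domain(d) == org_domain(from_domain),
        })
    return from_domain, verdicts


if __name__ == "__main__":
    for label, raw in (("page case", PAGE_CASE),
                       ("unrelated signer", UNRELATED_SIGNER)):
        print(label, dkim_alignment(raw))
```

With the domains from this thread the signature is not aligned in strict mode but is aligned in relaxed mode, because both names share the organizational domain uconn.edu.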


message_size_limit - how to configure on multiple instances ?

2017-03-30 Thread Zalezny Niezalezny
Hi,

I have a serious problem. On my server I have 2 postfix instances.

On the master instance I have changed message size limit from 10Mb to 30Mb.
Unfortunately postconf still shows 10MB. How may I change this?

Postfix instances on my server:

[root@unixserver5 opt]# postmulti -l
-   massmailing y /etc/postfix
postfix-mail massmailing y /etc/postfix-mail



This is configured in /etc/postfix/main.cf

[root@unixsmtp05 opt]# cat /etc/postfix/main.cf | grep ^messag
message_size_limit = 3072
[root@unixsmtp05 opt]#


Postconf is still keeping the default configuration. How to change message size
globally on all instances?

[root@unixserver5 opt]# postconf -d | grep message
message_reject_characters =
postconf: warning: inet_protocols: disabling IPv6 name/address support:
Address family not supported by protocol
message_size_limit = 1024
message_strip_characters =
qmgr_message_active_limit = 2
qmgr_message_recipient_limit = 2
qmgr_message_recipient_minimum = 10
smtpd_client_message_rate_limit = 0




Please help me.





With kind regards

Zalezny


Broken opportunistic TLS senders (was: Another yahoo problem)

2017-03-30 Thread Viktor Dukhovni
On Thu, Mar 30, 2017 at 02:54:09PM +0200, Benny Pedersen wrote:

> Levente Birta wrote on 2017-03-30 14:27:
> 
> > Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
> > [98.137.64.231]:33591
> > Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
> > problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> > certificate unknown:s3_pkt.c:1275:SSL alert number 46:

A "certificate unknown" alert is unlikely to be an issue with the
SSL/TLS protocol version.

> > At the end I think the mail is received in plain text
> > Could be the problem at my side?
> 
> your problem is that you miss ssl3 support with yahoo still use :(

This is not correct, many Yahoo MTAs support TLSv1.2, e.g.:

Mar 24 13:30:12 amnesiac postfix/smtpd[25034]:
Anonymous TLS connection established from
nm21-vm3.bullet.mail.ir2.yahoo.com[212.82.96.254]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

However, I also have:

Feb 27 02:39:15 amnesiac postfix/smtpd[13779]: SSL_accept error from 
sonic326-4.consmr.mail.ne1.yahoo.com[66.163.186.123]: 0
Feb 27 02:39:15 amnesiac postfix/smtpd[13779]: warning: TLS library 
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Feb 28 00:55:49 amnesiac postfix/smtpd[259]: SSL_accept error from 
sonic305-54.consmr.mail.ne1.yahoo.com[66.163.185.180]: 0
Feb 28 00:55:49 amnesiac postfix/smtpd[259]: warning: TLS library problem: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar  3 05:27:33 amnesiac postfix/smtpd[5897]: SSL_accept error from 
sonic315-47.consmr.mail.bf2.yahoo.com[74.6.134.221]: 0
Mar  3 05:27:33 amnesiac postfix/smtpd[5897]: warning: TLS library problem: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar  6 07:44:57 amnesiac postfix/smtpd[576]: SSL_accept error from 
sonic313-47.consmr.mail.bf2.yahoo.com[74.6.133.221]: 0
Mar  6 07:44:57 amnesiac postfix/smtpd[576]: warning: TLS library problem: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar  7 15:50:03 amnesiac postfix/smtpd[8740]: SSL_accept error from 
sonic314-47.consmr.mail.bf2.yahoo.com[74.6.132.221]: 0
Mar  7 15:50:03 amnesiac postfix/smtpd[8740]: warning: TLS library problem: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar 29 14:57:45 amnesiac postfix/smtpd[2319]: SSL_accept error from 
sonic305-3.consmr.mail.bf2.yahoo.com[74.6.133.42]: 0
Mar 29 14:57:45 amnesiac postfix/smtpd[2319]: warning: TLS library problem: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar 30 00:40:11 amnesiac postfix/smtpd[17880]: SSL_accept error from 
sonic309-27.consmr.mail.sg3.yahoo.com[106.10.244.90]: 0
Mar 30 00:40:11 amnesiac postfix/smtpd[17880]: warning: TLS library 
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

This suggests some ignoramus has configured the "sonic...consmr..."
systems to drop unauthenticated TLS connections and send in cleartext
instead.  The same issue can be seen with mimecast:

Feb 28 20:31:31 amnesiac postfix/smtpd[13789]: SSL_accept error from 
us-smtp-delivery-112.mimecast.com[216.205.24.112]: 0
Feb 28 20:31:31 amnesiac postfix/smtpd[13789]: warning: TLS library 
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar 27 03:59:06 amnesiac postfix/smtpd[27065]: SSL_accept error from 
us-smtp-delivery-203.mimecast.com[216.205.24.203]: 0
Mar 27 03:59:06 amnesiac postfix/smtpd[27065]: warning: TLS library 
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Mar 28 15:16:14 amnesiac postfix/smtpd[24429]: SSL_accept error from 
us-smtp-delivery-120.mimecast.com[216.205.24.120]: 0
Mar 28 15:16:14 amnesiac postfix/smtpd[24429]: warning: TLS library 
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown:s3_pkt.c:1493:SSL alert number 46:

Seems some folks need detention after school to copy RFC7435 in
long-hand a dozen times.

-- 
Viktor.
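
The pattern in the logs above (a handshake ended by alert 46, then the same sender delivering without TLS) can be pulled out of a mail log by correlating smtpd lines per process id, since the "TLS library problem" warning does not name the client. This is an added example, not code from the thread; the log lines are constructed on the model of the ones quoted above, with placeholder hosts and addresses, and it only correlates retries that come from the same IP address.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the smtpd lines quoted in the thread.
SAMPLE_LOG = """\
Mar 29 14:57:44 mx postfix/smtpd[2319]: connect from out1.sender.example[192.0.2.42]
Mar 29 14:57:45 mx postfix/smtpd[2319]: SSL_accept error from out1.sender.example[192.0.2.42]: 0
Mar 29 14:57:45 mx postfix/smtpd[2319]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
Mar 29 14:57:45 mx postfix/smtpd[2319]: lost connection after STARTTLS from out1.sender.example[192.0.2.42]
Mar 29 14:57:45 mx postfix/smtpd[2319]: disconnect from out1.sender.example[192.0.2.42]
Mar 29 14:57:46 mx postfix/smtpd[2319]: connect from out1.sender.example[192.0.2.42]
Mar 29 14:57:47 mx postfix/smtpd[2319]: 3F1A2C0E11: client=out1.sender.example[192.0.2.42]
Mar 29 14:57:47 mx postfix/smtpd[2319]: disconnect from out1.sender.example[192.0.2.42]
Mar 29 15:02:10 mx postfix/smtpd[2400]: connect from out2.other.example[198.51.100.9]
Mar 29 15:02:10 mx postfix/smtpd[2400]: Anonymous TLS connection established from out2.other.example[198.51.100.9]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 29 15:02:11 mx postfix/smtpd[2400]: 7B22D9A410: client=out2.other.example[198.51.100.9]
Mar 29 15:02:11 mx postfix/smtpd[2400]: disconnect from out2.other.example[198.51.100.9]
""".splitlines()

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
CONNECT = re.compile(r"^connect from " + CLIENT)
TLS_OK = re.compile(r"TLS connection established from " + CLIENT)
TLS_FAIL = re.compile(r"^SSL_accept error from " + CLIENT)
ALERT46 = re.compile(r"^warning: TLS library problem: .*SSL alert number 46:")
QUEUED = re.compile(r"^[0-9A-F]+: client=" + CLIENT)


def cleartext_fallbacks(lines):
    """Per client IP: alert-46 handshake failures and later non-TLS mail."""
    session = {}                    # pid -> state of its current connection
    hosts = {}                      # ip -> last client name seen
    rejected = defaultdict(int)     # ip -> handshakes ended by alert 46
    plaintext = defaultdict(int)    # ip -> messages queued later without TLS
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        state = session.get(pid)
        if (c := CONNECT.match(msg)):
            # A new connection handled by this smtpd process.
            session[pid] = {"ip": c["ip"], "tls": False, "failed": False}
            hosts[c["ip"]] = c["host"]
        elif TLS_OK.search(msg):
            if state:
                state["tls"] = True
        elif TLS_FAIL.match(msg):
            if state:
                state["failed"] = True
        elif ALERT46.match(msg):
            # The warning carries no client name: attribute it to the
            # connection this pid just reported an SSL_accept error for.
            if state and state["failed"]:
                rejected[state["ip"]] += 1
                state["failed"] = False
        elif (c := QUEUED.match(msg)):
            if state and not state["tls"] and rejected.get(c["ip"]):
                plaintext[c["ip"]] += 1
    return {ip: {"host": hosts.get(ip), "alert46": count,
                 "plaintext_msgs": plaintext.get(ip, 0)}
            for ip, count in rejected.items()}


if __name__ == "__main__":
    for ip, info in cleartext_fallbacks(SAMPLE_LOG).items():
        print(ip, info)
```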


Re: Another yahoo problem

2017-03-30 Thread chaouche yacine
On Thursday, March 30, 2017 4:09 PM, "li...@lazygranch.com" 
 wrote:
>Perhaps sslv3 related.
>http://disablessl3.com/


Thanks for the valuable link.

 -- Yassine.


Re: need little help with DKIM, if possible.

2017-03-30 Thread P.V.Anthony

On 30/03/2017 23:19, Fazzina, Angelo wrote:


If I setup DKIM, it is to be used by whom ?

Is it for anyone including my own domain, when an @uconn.edu email is
received, it is to be checked ?



A.  Does my DKIM entry in DNS help with sending from
x...@example.com to x...@uconn.edu?

B.  Does my DKIM entry in DNS help with sending from
x...@uconn.edu to x...@example.com?

C.  Does my DKIM entry in DNS help with sending from
x...@uconn.edu to y...@uconn.edu?



In “C” I am thinking emails from staff to student and vice versa. Staff
on O365 and students on Google Apps.

Both cloud solutions.

*Student to staff* would go  google ->  to my MX record which is spam
appliance -> postfix box -> O365 servers

*Staff to Student* would go O365 -> to my MX record which is spam
appliance -> postfix box  -> Google servers


Not sure about your case. I will share my case.

my domain mindmedia.com.sg has a dns entry like so.

;; QUESTION SECTION:
;default._domainkey.mindmedia.com.sg. IN TXT

;; ANSWER SECTION:
default._domainkey.mindmedia.com.sg. 3600 IN TXT "v=DKIM1; t=s; 
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/XW/fnNOu4RjJhtQGT2OfSyw5VtjqMPco1Sf9XlYMVi9dFBrPIJR6+Hmu93SOLQQvUdVIqG8PZuAG177Ke2+ZKxwEFZycuC6xey5MxLGKaVD9GuQPAeHpzRg9NQmz9qjnRkd315CgKUxqMx7pg6dcDsE2tqnU+FGxx65EAsczUQIDAQAB"


My email server that hosts emails for mindmedia.com.sg has a DKIM
Private-key.


Every time I send email using smtp through my server that is hosting my
emails, an application linked with postfix will sign every email
using the mindmedia.com.sg's DKIM Private-key.


The receiving party's smtp server will check the dkim signature header
in the email with the one in the txt dns entry of
default._domainkey.mindmedia.com.sg.


If it verifies, then dkim has passed.

This is my understanding.

I hope this helps.

P.V.Anthony





Re: problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread Dominic Raferd
On 30 March 2017 at 15:26, John Stoffel  wrote:

>
> Hi all,
>
> We're running postfix-2.6.6-6.el6_5.x86_64 on RHEL 6.6 and running
> into a problem where emails that have been released from our outside
> spam protection company, *.protection.outlook.com, are getting
> rejected with messages like this:
>
>   Mar 26 06:00:56 mailhost postfix/smtpd[2270]: connect from
> mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
>   Mar 26 06:00:56 mailhost postfix/smtpd[2270]: 51235A07D1: client=
> mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
>   Mar 26 06:00:56 mailhost postfix/cleanup[2279]: 51235A07D1: message-id=<
> 1490445496218.20153408.25880761.5137938...@backend.ttktravelinsider.com>
>   Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: from=<
> ttkpub.nore...@ttktravelinsider.com>, size=40439, nrcpt=1 (queue active)
>   Mar 26 06:00:56 mailhost postfix/local[2278]: 51235A07D1: to=<
> saba.shar...@sub.com>, relay=local, delay=0.29, delays=0.28/0/0/0.01,
> dsn=5.4.6, status=bounced (mail forwarding loop for saba.shar...@sub.com)
>   Mar 26 06:00:56 mailhost postfix/bounce[2273]: 51235A07D1: sender
> non-delivery notification: 97DF2A080B
>   Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: removed
>
> These emails are released by the end user and should be delivered, but are
> getting bounced back.
>
> How would I go about figuring out if it's really a bogus "Delivered-To: "
> header that's causing this rejection?


Did you see this earlier thread:
http://postfix.1071664.n5.nabble.com/What-is-causing-this-mail-forwarding-loop-bounce-td62199.html
?


Re: No milters have been used at around midnight

2017-03-30 Thread Viktor Dukhovni

> On Mar 30, 2017, at 11:15 AM, Christian Rößner 
>  wrote:
> 
> It is a VM, but the host uses ECC-RAM. No errors were reported to the kernel 
> message buffer.

Is it possible that some log messages were lost when the log
socket got re-created as part of log-rotation?

Do your milters always add headers?  Or only for spammy messages?

Also, you have default_action=accept, perhaps your milters were too
busy at the time.  When did milter logging cease?  When did it resume?
What was the message delivery rate during the "gap"...

-- 
Viktor.



RE: need little help with DKIM, if possible.

2017-03-30 Thread Fazzina, Angelo
Thank you Dominic,

I think I am starting to confuse the 2 sides of the coin and wanted 
clarification.

If I setup DKIM, it is to be used by whom ?
Is it for anyone including my own domain, when an @uconn.edu email is received, 
it is to be checked ?


A.  Does my DKIM entry in DNS help with sending from x...@example.com to
x...@uconn.edu ?

B.  Does my DKIM entry in DNS help with sending from x...@uconn.edu to
x...@example.com?

C.  Does my DKIM entry in DNS help with sending from x...@uconn.edu to
y...@uconn.edu ?

In “C” I am thinking emails from staff to student and vice versa. Staff on O365 
and students on Google Apps.
Both cloud solutions.
Student to staff would go  google ->  to my MX record which is spam appliance 
-> postfix box -> O365 servers
Staff to Student  would go O365 -> to my MX record which is spam appliance -> 
postfix box  -> Google servers

Thanks to anyone willing to go down the rabbit hole here….
-ALF

-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut,  UITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Dominic Raferd
Sent: Wednesday, March 29, 2017 3:56 PM
To: Postfix users 
Subject: Re: need little help with DKIM, if possible.



On 29 March 2017 at 20:36, Fazzina, Angelo wrote:

Thank you Doug,

I fixed the name so the unsupported character "_" is not used.

Please review my latest test, as I have a question.



Is there anything in the DKIM config files I can change to get rid of this 
message ?



Authentication-Results: verifier.port25.com; 
dkim=pass (signature verifies; identity doesn't match any headers) 
header.d=mta4.uits.uconn.edu



Am I supposed to get the headers to match ?

DKIM check details:

Result: pass (signature verifies; identity doesn't match any headers)

ID(s) verified: header.d=mta4.uits.uconn.edu

Canonicalized Headers:


to:check-a...@verifier.port25.com'0D''0A'

from:"Fazzina,'20'Angelo"'20'<
​​
alf02013@
​​
appmail.uconn.edu>'0D''0A'

date:Wed,'20'29'20'Mar'20'2017'20'15:29:26'20'-0400'0D''0A'

dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=
​​
mta4.uits.uconn.edu;'20's=dkim1;'20't=1490815766;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;'20'h=To:From:Date:From;'20'b=

​The problem I think is that you have set up a dkim record for emails from 
domain ​
mta4.uits.uconn.edu but you are sending an email 
from 
appmail.uconn.edu (i.e. the internal 'From:' 
header is set to
​
alf02013@
​​
appmail.uconn.edu). Hence the report that 
the dkim identity ('d=') doesn't match any headers.
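
The comparison described in the reply above, as an added example that is not part of the thread: it reads the `d=` tag of each DKIM-Signature header and compares it with the domain of the From: header. The function names and relation labels are this example's own, the recipient address and the `b=` value in the sample are constructed placeholders, and it is not the verifier's algorithm (DMARC-style relaxed alignment would additionally need Public Suffix List data, which is not modelled here).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: From:, d=, s=, t=, bh= and h= are the values quoted in
# the thread; the recipient is made up and b= is a placeholder.
SAMPLE = (
    'To: recipient@example.net\n'
    'From: "Fazzina, Angelo" <alf02013@appmail.uconn.edu>\n'
    'Date: Wed, 29 Mar 2017 15:29:26 -0400\n'
    'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n'
    '\td=mta4.uits.uconn.edu; s=dkim1; t=1490815766;\n'
    '\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\n'
    '\th=To:From:Date:From; b=PLACEHOLDER\n'
    '\n'
    'test body\n'
)


def parse_tag_list(value):
    """Split an RFC 6376 tag=value list; folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def relation(signing_domain, from_domain):
    """Compare the d= domain with the From: domain (labels are this example's)."""
    d = signing_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if not d or not f:
        return "none"
    if d == f:
        return "exact"
    if f.endswith("." + d):
        return "from-under-signer"   # e.g. d=uconn.edu, From: @appmail.uconn.edu
    if d.endswith("." + f):
        return "signer-under-from"
    return "none"                    # sibling or unrelated domains


def check_dkim_identity(raw_message):
    """Return one result per DKIM-Signature header found in raw_message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(sig)
        signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
        results.append({
            "d": tags.get("d", ""),
            "selector": tags.get("s", ""),
            "from_domain": from_domain,
            "from_signed": "from" in signed,
            "relation": relation(tags.get("d", ""), from_domain),
        })
    return results


if __name__ == "__main__":
    for result in check_dkim_identity(SAMPLE):
        print(result)
```

For the message in this thread the relation is "none": mta4.uits.uconn.edu and appmail.uconn.edu are sibling names, so the signature verifies but its `d=` does not match the From: domain.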


Re: No milters have been used at around midnight

2017-03-30 Thread Christian Rößner

> On 30.03.2017 at 16:00, Wietse Venema wrote:
> 
> Nothing was changed, but something stopped working. Do you have ECC
> memory enabled?

It is a VM, but the host uses ECC-RAM. No errors were reported to the kernel 
message buffer.

Christian
-- 
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345





Re: Another yahoo problem

2017-03-30 Thread lists
Perhaps sslv3 related.
http://disablessl3.com/

  Original Message  
From: Levente Birta
Sent: Thursday, March 30, 2017 5:28 AM
To: Postfix users
Subject: Another yahoo problem

Hi

I have a problem with getting mails from yahoo, only from yahoo but now 
from all servers.
here is the log:

Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from 
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library 
problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert 
certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT 
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from 
[98.137.64.231]:33591 in tests after SMTP handshake
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: DISCONNECT 
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: CONNECT from 
[98.137.64.231]:37770 to [176.223.199.38]:25
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: NOQUEUE: reject: RCPT 
from [98.137.64.231]:37770: 450 4.3.2 Service currently unavailable; 
from=, 
to=, proto=ESMTP, 
helo=
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: PASS NEW 
[98.137.64.231]:37770
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: DISCONNECT 
[98.137.64.231]:37770

...
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: connect from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: SSL_accept error from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]: 0
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: lost connection after 
STARTTLS from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1 
commands=1/2
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: CONNECT from 
[98.137.64.231]:33638 to [my.ip.add.ress]:25
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: PASS OLD 
[98.137.64.231]:33638
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: connect from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result: 
"['None', '', 'helo']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: None; identity=no SPF record; 
client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; 
envelope-from=s.e.n.d.e.r.a.d.d.r.e@yahoo.com; receiver=
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result: 
"['Pass', 'sender SPF authorized', 'mailfrom']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: Pass; identity=mailfrom; 
client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; 
envelope-from=s.e.n.d.e.r.a.d.d.r.e@yahoo.com; receiver=
Mar 30 14:18:39 wsrv policyd-spf[41310]: prepend Authentication-Results: 
host.server.host; spf=pass (mailfrom) smtp.mailfrom=yahoo.com 
(client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; 
envelope-from=s.e.n.d.e.r.a.d.d.r.e@yahoo.com; receiver=)
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: 3vv2FC6QJmz53Nc7n: 
client=sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:40 wsrv postfix/cleanup[37513]: 3vv2FC6QJmz53Nc7n: 
message-id=<675236413.329268.1490870647...@mail.yahoo.com>
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: 
sonic303-49.consmr.mail.gq1.yahoo.com [98.137.64.231] not internal
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: not authenticated
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: DKIM 
verification successful
Mar 30 14:18:40 wsrv opendmarc[2140]: 3vv2FC6QJmz53Nc7n: yahoo.com pass
Mar 30 14:18:40 wsrv postfix/qmgr[1771]: 3vv2FC6QJmz53Nc7n: 
from=, size=3486, nrcpt=1 (queue 
active)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) ESMTP :10024 
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ: 
 ->  
SIZE=3486 Received: from host.server.host ([127.0.0.1]) by localhost 
(host.server.host
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
; Thu, 30 Mar 2017 14:18:40 +0300 (EEST)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) Checking: OBTvTMhgT_kq 
[98.137.64.231]  -> 

Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p003 1 Content-Type: 
multipart/alternative
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p001 1/1 Content-Type: 
text/plain, size: 118 B, name:
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p002 1/2 Content-Type: 
text/html, size: 675 B, name:
Mar 30 14:18:40 wsrv clamd[41770]: 
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p004: OK
Mar 30 14:18:40 wsrv clamd[41770]: 

problem with protection.outlook.com released spam getting bounced

2017-03-30 Thread John Stoffel

Hi all,

We're running postfix-2.6.6-6.el6_5.x86_64 on RHEL 6.6 and running
into a problem where emails that have been released from our outside
spam protection company, *.protection.outlook.com, are getting
rejected with messages like this:

  Mar 26 06:00:56 mailhost postfix/smtpd[2270]: connect from 
mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
  Mar 26 06:00:56 mailhost postfix/smtpd[2270]: 51235A07D1: 
client=mail-sn1nam01lp0113.outbound.protection.outlook.com[207.46.163.113]
  Mar 26 06:00:56 mailhost postfix/cleanup[2279]: 51235A07D1: 
message-id=<1490445496218.20153408.25880761.5137938...@backend.ttktravelinsider.com>
  Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: 
from=, size=40439, nrcpt=1 (queue active)
  Mar 26 06:00:56 mailhost postfix/local[2278]: 51235A07D1: 
to=, relay=local, delay=0.29, delays=0.28/0/0/0.01, 
dsn=5.4.6, status=bounced (mail forwarding loop for saba.shar...@sub.com)
  Mar 26 06:00:56 mailhost postfix/bounce[2273]: 51235A07D1: sender 
non-delivery notification: 97DF2A080B
  Mar 26 06:00:56 mailhost postfix/qmgr[27442]: 51235A07D1: removed

These emails are released by the end user and should be delivered, but are 
getting bounced back.

How would I go about figuring out if it's really a bogus "Delivered-To: " 
header that's causing this rejection?  



# postconf -n
alias_database = hash:/etc/aliases
alias_maps = nis:mail.aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
fallback_transport =
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_header_rewrite_clients = static:all
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !hqmta.sub.com $myorigin
message_size_limit = 3024
mydestination = $myhostname, localhost.$mydomain, localhost,
$mydomain, sub.com, acs.sub.corp.com
mydomain = sub.corp.com
myhostname = mailhost.sub.corp.com
mynetworks = 127.0.0.0/8, 209.243.0.0/16, 10.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, other.com, otherfoobar.com
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
transport_maps = hash:/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 450


Re: Queue ID availability for milters on multi-message connections/sessions?

2017-03-30 Thread Kris Deugau

Wietse Venema wrote:

> Below are the SMTP commands/responses, and the test-milter output
> showing that the second "DATA" event is reported with the correct
> queue ID.

OK, thanks!  I'll take it up further with the milter authors.

-kgd


Re: No milters have been used at around midnight

2017-03-30 Thread Wietse Venema
Nothing was changed, but something stopped working. Do you have ECC
memory enabled?

Wietse


Re: Another yahoo problem

2017-03-30 Thread Benny Pedersen

Levente Birta wrote on 2017-03-30 14:27:

> Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
> [98.137.64.231]:33591
> Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
> problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate unknown:s3_pkt.c:1275:SSL alert number 46:
> Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT
> [98.137.64.231]:33591
> Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from
> [98.137.64.231]:33591 in tests after SMTP handshake
> Mar 30 13:48:16 wsrv postfix/postscreen[15245]: DISCONNECT
> [98.137.64.231]:33591
>
> At the end I think the mail is received in plain text
> Could be the problem at my side?


your problem is that you miss ssl3 support which yahoo still uses :(


smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3


this makes it worse, or has no effect if you don't have an ssl library
that supports it anymore; yahoo should upgrade to a working tls to solve
it


you can disable starttls for their client ips; if that solves it, write
to yahoo about it


Another yahoo problem

2017-03-30 Thread Levente Birta

Hi

I have a problem with getting mails from yahoo, only from yahoo but now 
from all servers.

here is the log:

Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from 
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library 
problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert 
certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT 
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from 
[98.137.64.231]:33591 in tests after SMTP handshake
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: DISCONNECT 
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: CONNECT from 
[98.137.64.231]:37770 to [176.223.199.38]:25
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: NOQUEUE: reject: RCPT 
from [98.137.64.231]:37770: 450 4.3.2 Service currently unavailable; 
from=, 
to=, proto=ESMTP, 
helo=
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: PASS NEW 
[98.137.64.231]:37770
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: DISCONNECT 
[98.137.64.231]:37770


...
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: connect from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: SSL_accept error from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]: 0
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem: 
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate 
unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: lost connection after 
STARTTLS from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1 
commands=1/2
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: CONNECT from 
[98.137.64.231]:33638 to [my.ip.add.ress]:25
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: PASS OLD 
[98.137.64.231]:33638
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: connect from 
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result: 
"['None', '', 'helo']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: None; identity=no SPF record; 
client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; 
envelope-from=s.e.n.d.e.r.a.d.d.r.e@yahoo.com; receiver=
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result: 
"['Pass', 'sender SPF authorized', 'mailfrom']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: Pass; identity=mailfrom; 
client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; 
envelope-from=s.e.n.d.e.r.a.d.d.r.e@yahoo.com; receiver=
Mar 30 14:18:39 wsrv policyd-spf[41310]: prepend Authentication-Results: 
host.server.host; spf=pass (mailfrom) smtp.mailfrom=yahoo.com 
(client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; 
envelope-from=s.e.n.d.e.r.a.d.d.r.e@yahoo.com; receiver=)
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: 3vv2FC6QJmz53Nc7n: 
client=sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:40 wsrv postfix/cleanup[37513]: 3vv2FC6QJmz53Nc7n: 
message-id=<675236413.329268.1490870647...@mail.yahoo.com>
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: 
sonic303-49.consmr.mail.gq1.yahoo.com [98.137.64.231] not internal

Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: not authenticated
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: DKIM 
verification successful

Mar 30 14:18:40 wsrv opendmarc[2140]: 3vv2FC6QJmz53Nc7n: yahoo.com pass
Mar 30 14:18:40 wsrv postfix/qmgr[1771]: 3vv2FC6QJmz53Nc7n: 
from=, size=3486, nrcpt=1 (queue 
active)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) ESMTP :10024 
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ: 
 ->  
SIZE=3486 Received: from host.server.host ([127.0.0.1]) by localhost 
(host.server.host
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP for 
; Thu, 30 Mar 2017 14:18:40 +0300 (EEST)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) Checking: OBTvTMhgT_kq 
[98.137.64.231]  -> 

Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p003 1 Content-Type: 
multipart/alternative
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p001 1/1 Content-Type: 
text/plain, size: 118 B, name:
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p002 1/2 Content-Type: 
text/html, size: 675 B, name:
Mar 30 14:18:40 wsrv clamd[41770]: 
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p004: OK
Mar 30 14:18:40 wsrv clamd[41770]: 
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p001: OK
Mar 30 14:18:40 wsrv clamd[41770]: 
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p002: OK
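
The log above shows a STARTTLS handshake failing and the same client reconnecting a second later, after which a message is accepted with no "TLS connection established" line. The following added example (not part of the thread) flags that pattern in smtpd log lines; the function and field names are hypothetical, and it assumes the default Postfix syslog format with `smtpd_tls_loglevel` set to 1 or higher so that successful handshakes are logged.

```python
import re

# Constructed sample: the first seven lines are unwrapped from the log excerpt
# above; the last five are made up (documentation addresses) as negative cases.
SAMPLE_LOG = """\
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: connect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: SSL_accept error from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]: 0
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: lost connection after STARTTLS from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1 commands=1/2
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: connect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: 3vv2FC6QJmz53Nc7n: client=sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:20:01 wsrv postfix/smtpd[41400]: connect from mx.example.net[192.0.2.10]
Mar 30 14:20:01 wsrv postfix/smtpd[41400]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 30 14:20:02 wsrv postfix/smtpd[41400]: 3vv2GH1abcz53Nc7p: client=mx.example.net[192.0.2.10]
Mar 30 14:21:10 wsrv postfix/smtpd[41401]: connect from old.example.org[198.51.100.7]
Mar 30 14:21:10 wsrv postfix/smtpd[41401]: 3vv2HJ2defz53Nc7q: client=old.example.org[198.51.100.7]
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[(\d+)\]:\s(.*)$")
PEER = re.compile(r"\[([0-9A-Fa-f:.]+)\]")          # host[address]
QUEUED = re.compile(r"^([0-9A-Za-z]+): client=")    # queue ID assigned
TLS_FAILURES = ("lost connection after STARTTLS", "SSL_accept error")


def find_plaintext_fallbacks(log_text):
    """Report messages accepted without TLS from a client whose earlier
    STARTTLS attempt failed."""
    sessions = {}     # smtpd pid -> {"ip": ..., "tls": bool}
    tls_failed = {}   # client ip -> timestamp of the last failed handshake
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, msg = m.groups()
        peer = PEER.search(msg)
        ip = peer.group(1) if peer else None
        if msg.startswith("connect from "):
            sessions[pid] = {"ip": ip, "tls": False}
        elif "TLS connection established from" in msg:
            sessions.setdefault(pid, {"ip": ip, "tls": False})["tls"] = True
        elif ip and msg.startswith(TLS_FAILURES):
            tls_failed[ip] = ts
        elif msg.startswith("disconnect from "):
            sessions.pop(pid, None)
        else:
            queued = QUEUED.match(msg)
            sess = sessions.get(pid)
            if queued and sess and not sess["tls"] and sess["ip"] in tls_failed:
                findings.append({"queue_id": queued.group(1),
                                 "client_ip": sess["ip"],
                                 "accepted_at": ts,
                                 "tls_failed_at": tls_failed[sess["ip"]]})
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_fallbacks(SAMPLE_LOG):
        print(finding)
```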

Re: Postfix cannot start tls: handshake failure

2017-03-30 Thread Den1
Viktor Dukhovni wrote
>> On Mar 30, 2017, at 12:03 AM, Den1 webmaster@ wrote:
>> 
>>> smtp_tls_ciphers = medium
>>> smtp_tls_exclude_ciphers =
>>> MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
>> 
>> Why would you exclude these ciphers
> 
> Because:
> 
>   * MD5 is weak, obsolete and unnecessary
>   * SRP and PSK require special code to use, and excluding these
> is actually a NOOP, but makes clearer that they'll never be used.
>   * DSS is weak, obsolete and unnecessary
>   * The kECDH and kDH "fixed DH" algorithms should never have been added
> to OpenSSL and were removed in OpenSSL 1.1.0.  They are not needed.
>   * SEED, IDEA, RC2, and RC5 are never used and are not needed.
>   * RC4 is weak and no longer needed.
>   
> Shorter cipherlists avoid some interoperability issues.  Especially
> with older Windows systems, but to interoperate with those you'd need
> to leave RC4 enabled.  Such systems have largely been replaced, you're
> not likely to run into them.
> 
>> and make them medium, Louis? 
> 
> The cipher grade in Postfix sets a "floor" on the ciphers used, that
> is only medium or better.  Nobody is "making them medium":
> 
> http://www.postfix.org/postconf.5.html#smtp_tls_ciphers
> 
> -- 
>   Viktor.

Appreciate your input, Viktor. Thank you.





No milters have been used at around midnight

2017-03-30 Thread Christian Rößner
Hi,

this morning I found a spam mail in my inbox, which normally should have been 
triggered by my spam milter. As I checked the headers, I found out that the 
milter service did not add any headers.

I checked the logs for the QID and found out that the milter was not even 
requested. Further I saw that not even one milter was requested:

Mar 30 00:02:20 mx postfix/postscreen[20916]: PASS NEW 
[2a02:4a8:ac24:126::105:130]:53402
Mar 30 00:02:20 mx postfix/smtpd[20918]: connect from 
ipv6.antirelay.smtp.cz[2a02:4a8:ac24:126::105:130]:53402
Mar 30 00:02:22 mx postfix/smtpd[20918]: Anonymous TLS connection established 
from ipv6.antirelay.smtp.cz[2a02:4a8:ac24:126::
105:130]:53402: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Mar 30 00:02:22 mx postfix/smtpd[20918]: 3vthZQ6rwlzGp4v: 
client=ipv6.antirelay.smtp.cz[2a02:4a8:ac24:126::105:130]:53402
Mar 30 00:02:22 mx postfix/incoming/cleanup[20926]: 3vthZQ6rwlzGp4v: 
message-id=
Mar 30 00:02:23 mx postfix/qmgr[4629]: 3vthZQ6rwlzGp4v: 
from=, size=57769, nrcpt=1 (queue active)
Mar 30 00:02:23 mx postfix/smtpd[20918]: disconnect from 
ipv6.antirelay.smtp.cz[2a02:4a8:ac24:126::105:130]:53402 ehlo=2 starttls=1 
mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 30 00:02:23 mx postfix/lmtp[20920]: 3vthZQ6rwlzGp4v: 
to=, orig_to=, 
relay=::1[::1]:24, delay=0.32, delays=0.19/0.01/0.01/0.11, dsn=2.0.0, 
status=sent (250 2.0.0  GTYCBe8u3FjsUQAAm3ipfw Saved)
Mar 30 00:02:23 mx postfix/qmgr[4629]: 3vthZQ6rwlzGp4v: removed

There exists only one exception for turning off milters which is shown here:

smtpd_milter_maps:
---
# relay.roessner-net.de
134.255.226.249                     DISABLE
[2a05:bec0:28:1:134:255:226:249]    DISABLE
---

Unfortunately I do not know how to reproduce this issue. I do not understand 
why none of the milters were requested.

There does not exist any special treatment for milters (say exceptions, 
whatever) for milters except the server "relay" as shown above.

Here is a part of the main.cf that handles the milters:

main.cf:
---
vrfydmn_opposite = {
    inet:[::1]:30074,
    connect_timeout=5s,
    default_action=accept
    }
spammilter = {
    inet:[::1]:30076,
    connect_timeout=5s,
    default_action=accept
    }

milter_connect_macros =
    j,
    v,
    {client_ptr},
    {daemon_name},
    {daemon_addr},
    {daemon_port}

milter_mail_macros =
    i,
    {auth_type},
    {auth_authen},
    {auth_author},
    {mail_addr},
    {mail_host},
    {mail_mailer},
    {client_name}

incoming_smtpd_milters =
    ${vrfydmn_opposite},
    ${spammilter}
---

master.cf:
---
smtpd     pass  -       -       y       -       -       smtpd
    -o smtpd_milters=${incoming_smtpd_milters}
    -o cleanup_service_name=cleanup2
---

As you see in the logs, there are no connect messages from both milters.

The setup is unchanged since months. The only thing that I could guess is:

- this spam is around midnight. At the same time (1-2mins difference), other 
connections from "relay.roessner-net.de" and "mail.roessner-net.de" came in and 
worked as expected. Daily logrotate stuff. "relay" would switch off milters...
- Last "foreign" mail (not one of my own servers) sent a mail with working 
milters at 23:45:22 and after 00:08:39

So the problem occurred when my relay server was active _and_ a remote MTA 
connected.

But: If the timestamps are correct in syslog, I did not have simultaneous mails 
at midnight. Just one-by-one. But several.

Any suggestions, if I miss something? Could this be a problem with 
smtpd_milters_maps that some switching did not work as expected? I have no idea 
:)

Btw: Postfix 3.2.0

Kind regards

Christian
-- 
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345


