Re: mailer-daemon bounce notifications with original message in clear text?

2019-01-08 Thread Jim Rice
The sending platform is Sitecore, which I believe is a Microsoft platform.





Re: TLS client certificates and auth external

2019-01-08 Thread Viktor Dukhovni
> On Jan 8, 2019, at 5:17 PM, Bastian Schmidt  wrote:
> 
> I have an email client (K-9 on Android), which, when using TLS client 
> certificates insists on sending an auth external. However, postfix/SASL does 
> not advertise external auth, which causes the client not to be able to use 
> client certificates with postfix.
> 
> As I see it, postfix is missing the external mechanism as specified in RFC 
>  (SASL) completely. Thus, I have implemented this feature (for TLS CA 
> client certs) and I am currently successfully running this on a local 
> installation using cyrus sasl.
> 
> I would be willing to provide a patch and would really like to see this 
> integrated in future versions of postfix.
> 
> I hope this is the right postfix mailing list for this request.

Well, perhaps postfix-devel is equally or more appropriate.

There is a key design issue here:

 * In typical Postfix configurations we see relay restrictions of
   the form:

    smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

   which is fine, when the user has enrolled for a login account
   on the receiving system.  But with client certs, anyone can get
   a client certificate from some CA, or even mint their own.

   So what does "SASL authenticated" mean with client certs?  Is
   there a particular issuing CA that's the only one trusted to
   issue client certs?  Or does the client certificate fingerprint
   need to match a lookup table for it to be considered authenticated?

   My advice is that a trusted CA, and likely often accidentally every
   CA on the planet from one of the usual CA bundles, is much too risky
   in this context, and would drag in revocation lists, OCSP, and that
   whole dumpster-fire of PKI issues.

   Therefore, the meaning of SASL authenticated for EXTERNAL should be
   that the client certificate fingerprint matches a lookup table that
   maps the client certificate to something resembling a SASL user name.

   You would then either "permit_sasl_authenticated" without distinguishing
   between one user and another, or else use "check_sasl_access" based on
   username obtained from the fingerprint->username map.  You could also
   then use the "sender login mismatch" features by matching the username
   with valid sender addresses, ...

Otherwise, "EXTERNAL" should be fairly straightforward.  Feel free to
move the discussion to postfix-devel, or continue here to the extent
the discussion stays high level, rather than dives into the implementation.

-- 
Viktor.
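
The design Viktor describes above, as an added example that is not part of the original post or of Bastian's patch: a small Python model of SASL EXTERNAL in which a client certificate counts as authenticated only when its fingerprint is found in an explicit fingerprint-to-login table, followed by the sender-login-mismatch and check_sasl_access steps evaluated against the mapped login. Everything in it (the certificate bytes, the table contents, the example.net domain, the function names) is constructed for illustration; real Postfix would read these from access(5) tables, and nothing here is Postfix source.

```python
"""Added example (not Postfix code): the EXTERNAL authorization model from
the discussion above. A TLS client certificate is "SASL authenticated" only
if its fingerprint appears in an explicit fingerprint -> login table; a
certificate from any CA that is not enrolled yields no login at all and
falls through to the ordinary rules for unauthenticated clients."""
import hashlib
import re
from typing import Optional

# Constructed stand-ins for DER-encoded client certificates. They are not
# real certificates; only their bytes matter, since the lookup key is a digest.
ENROLLED_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed: enrolled client cert"
MALLORY_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed: enrolled but blocked"
STRANGER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed: cert from a public CA"


def fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER, as Postfix logs it."""
    hexd = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so keys written by different tools compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


# Hypothetical fingerprint -> "SASL user name" table (keyed by normalized digest).
FINGERPRINT_LOGIN_MAP = {
    normalize(fingerprint(ENROLLED_CERT_DER)): "alice",
    normalize(fingerprint(MALLORY_CERT_DER)): "mallory",
}

# check_sasl_access-style table: login -> action.
SASL_ACCESS_MAP = {"alice": "OK", "mallory": "REJECT"}

# smtpd_sender_login_maps-style table: MAIL FROM address -> owning logins.
SENDER_LOGIN_MAP = {
    "alice@example.net": {"alice"},
    "mallory@example.net": {"mallory"},
    "announce@example.net": {"alice", "bob"},
}

MY_DOMAINS = {"example.net"}


def external_login(der: bytes) -> Optional[str]:
    """SASL EXTERNAL outcome: a login name iff the cert fingerprint is enrolled."""
    return FINGERPRINT_LOGIN_MAP.get(normalize(fingerprint(der)))


def relay_decision(der: bytes, sender: str, recipient: str) -> str:
    """Evaluate, in order: reject_sender_login_mismatch, check_sasl_access,
    permit_sasl_authenticated, reject_unauth_destination."""
    login = external_login(der)
    owners = SENDER_LOGIN_MAP.get(sender)
    # reject_sender_login_mismatch: an owned sender address used without the
    # owning login, or a login using a sender address it does not own.
    if owners is not None and login not in owners:
        return "REJECT sender login mismatch"
    if login is not None and owners is None:
        return "REJECT sender login mismatch"
    if login is not None:
        # check_sasl_access on the mapped login name, then permit_sasl_authenticated.
        if SASL_ACCESS_MAP.get(login) == "REJECT":
            return "REJECT check_sasl_access"
        return "OK permit_sasl_authenticated"
    # Unauthenticated (including unenrolled certs): local destinations only.
    if recipient.rpartition("@")[2].lower() in MY_DOMAINS:
        return "OK local destination"
    return "REJECT reject_unauth_destination"
```

The case that matters is the unenrolled certificate: a syntactically valid, CA-issued certificate produces no login, so the client is treated exactly like an anonymous sender instead of acquiring relay rights. Postfix's existing check_ccert_access restriction is already keyed on the client certificate fingerprint, so an EXTERNAL implementation could reuse that table format for the fingerprint-to-login mapping.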



TLS client certificates and auth external

2019-01-08 Thread Bastian Schmidt

Hello,

I have an email client (K-9 on Android), which, when using TLS client 
certificates insists on sending an auth external. However, postfix/SASL 
does not advertise external auth, which causes the client not to be 
able to use client certificates with postfix.


As I see it, postfix is missing the external mechanism as specified in 
RFC  (SASL) completely. Thus, I have implemented this feature (for 
TLS CA client certs) and I am currently successfully running this on a 
local installation using cyrus sasl.


I would be willing to provide a patch and would really like to see this 
integrated in future versions of postfix.


I hope this is the right postfix mailing list for this request.

Bastian






Re: mailer-daemon bounce notifications with original message in clear text?

2019-01-08 Thread Wietse Venema
Jim Rice:
> Is there any way to configure bounce to compose the response message
> in clear text (message/rfc822)?

I can assure you that Postfix does not send .eml attachments.
That's a Microsoft thing.

In a Postfix bounce message, the undelivered message is returned
as message/rfc822. Proof is below the signature. I replaced the
domain name, ip address, and username info but left the message
structure intact.

I suspect that you are viewing Postfix bounces that have been
munged by some proprietary mail system.

Wietse

Date: Tue,  8 Jan 2019 20:13:47 +0000 (UTC)
From: MAILER-DAEMON@ip-ipaddr.ec2.internal (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: owner-postfix-us...@postfix.org
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="50F3E210E0.1546978427/some-server"
Message-ID: <20190108201347.3966820F72@some-server>
Status: O

This is a MIME-encapsulated message.

--50F3E210E0.1546978427/some-server
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host some-server.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: delivery temporarily suspended: connect to
www.some-domain[ipaddr]:25: Connection timed out

--50F3E210E0.1546978427/some-server
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; some-server
X-Postfix-Queue-ID: 50F3E210E0
X-Postfix-Sender: rfc822; owner-postfix-us...@postfix.org
Arrival-Date: Sun, 30 Sep 2018 19:08:23 +0000 (UTC)

Final-Recipient: rfc822; some-user@some-domain
Original-Recipient: rfc822;postfix-users-outgoing
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; delivery temporarily suspended: connect to
www.some-domain[ipaddr]:25: Connection timed out

--50F3E210E0.1546978427/some-server
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: 
Received: from english-breakfast.cloud9.net (english-breakfast.cloud9.net 
[168.100.1.7])
by some-server (Postfix) with ESMTPS id 50F3E210E0
for ; Sun, 30 Sep 2018 19:08:23 +0000 (UTC)
Received: by english-breakfast.cloud9.net (Postfix)
id BD2CD333251; Sun, 30 Sep 2018 15:06:52 -0400 (EDT)
Delivered-To: postfix-users-outgo...@cloud9.net
Received: from localhost (localhost [127.0.0.1])
by english-breakfast.cloud9.net (Postfix) with ESMTP id BAB94333250
for ; Sun, 30 Sep 2018 15:06:52 
-0400 (EDT)
X-Virus-Scanned: amavisd-new at cloud9.net
Received: from english-breakfast.cloud9.net ([127.0.0.1])
by localhost (english-breakfast.cloud9.net [127.0.0.1]) (amavisd-new, 
port 10024)
with ESMTP id h0IFeV-Y9R0Z for ;
Sun, 30 Sep 2018 15:06:52 -0400 (EDT)
Received: by english-breakfast.cloud9.net (Postfix, from userid 54)
id 9B61253; Sun, 30 Sep 2018 15:06:52 -0400 (EDT)
Delivered-To: postfix-us...@cloud9.net
Received: from localhost (localhost [127.0.0.1])
by english-breakfast.cloud9.net (Postfix) with ESMTP id 815E6333250
for ; Sun, 30 Sep 2018 15:06:52 -0400 (EDT)
X-Virus-Scanned: amavisd-new at cloud9.net
Received: from english-breakfast.cloud9.net ([127.0.0.1])
by localhost (english-breakfast.cloud9.net [127.0.0.1]) (amavisd-new, 
port 10024)
with ESMTP id 58aBvaCxATHY for ;
Sun, 30 Sep 2018 15:06:52 -0400 (EDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by english-breakfast.cloud9.net (Postfix) with ESMTPS id 6030B333248
for ; Sun, 30 Sep 2018 15:06:52 -0400 (EDT)
Received: from [192.168.1.161] (unknown [192.168.1.161])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by straasha.imrryr.org (Postfix) with ESMTPSA id 4373730BD37
for ; Sun, 30 Sep 2018 15:06:51 -0400 (EDT)
Content-Type: text/plain;
charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Subject: Re: set-permissions fails: how to fix and/or manual set correct
 permissions?
From: Viktor Dukhovni 
In-Reply-To: 
Date: Sun, 30 Sep 2018 15:06:50 -0400
Content-Transfer-Encoding: 7bit
Reply-To: Postfix users 
Message-Id: 
References: <42nw2d73gwzj...@spike.porcupine.org>
 
 <88c68dbb-8e13-4313-a238-c088a4492...@dukhovni.org>
 
To: Postfix users 
X-Mailer: Apple Mail (2.3445.100.39)
Sender: owner-postfix-us...@postfix.org
Precedence: bulk
List-Id: Postfix users 
List-Post: 
List-Help: 
List-Unsubscribe: 
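
A parser for the bounce structure Wietse shows above, as an added example in Python (not Postfix code, and not Jim's script): it pulls the per-recipient Action, Status and Diagnostic-Code out of the message/delivery-status part and returns the undelivered message from the message/rfc822 part, and it also handles the non-Postfix shape Jim describes, where the original is re-attached as an application/octet-stream .eml file. The sample bounce is constructed to follow the quoted DSN layout; its hostnames, addresses and queue ID are made up.

```python
"""Added example (not Postfix code): parse a Postfix bounce of the shape
quoted above, i.e. multipart/report with a message/delivery-status part and
the undelivered message as message/rfc822, with the stdlib email package.
Also copes with the "munged" shape where the original is a .eml attachment."""
import email
from email import policy
from email.message import EmailMessage

# Constructed sample bounce modelled on the DSN layout quoted above.
# Hostnames, addresses and the queue ID are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="ABC123.1546978427/mx.example.net"

--ABC123.1546978427/mx.example.net
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net.

--ABC123.1546978427/mx.example.net
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Arrival-Date: Tue,  8 Jan 2019 20:13:47 +0000 (UTC)

Final-Recipient: rfc822; user@some-domain.example
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; delivery temporarily suspended: connect to
    www.some-domain.example[192.0.2.25]:25: Connection timed out

--ABC123.1546978427/mx.example.net
Content-Type: message/rfc822

Return-Path: <sender@example.org>
From: sender@example.org
To: user@some-domain.example
Subject: hello
Message-Id: <original-1@example.org>

original body
--ABC123.1546978427/mx.example.net--
"""


def parse_bounce(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def is_dsn(msg: EmailMessage) -> bool:
    """A genuine DSN is multipart/report with report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status")


def delivery_status(msg: EmailMessage) -> list:
    """One dict per recipient block of the message/delivery-status part."""
    results = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The stdlib parses each blank-line-separated header block into its own
        # Message; per-recipient blocks are the ones carrying Final-Recipient.
        for block in part.get_payload():
            if "Final-Recipient" not in block:
                continue
            fields = ("Final-Recipient", "Action", "Status", "Diagnostic-Code")
            results.append({f: " ".join((block.get(f) or "").split()) for f in fields})
    return results


def recover_original(msg: EmailMessage):
    """Return the undelivered message, from a message/rfc822 part (Postfix)
    or, failing that, from a .eml attachment added by some other system."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if (part.get_filename() or "").lower().endswith(".eml"):
            return email.message_from_bytes(part.get_payload(decode=True),
                                            policy=policy.default)
    return None


def munged_bounce(original: EmailMessage) -> EmailMessage:
    """Build the non-Postfix shape: the original re-attached as a .eml file."""
    m = EmailMessage()
    m["From"] = "postmaster@gateway.example"
    m["Subject"] = "Undeliverable"
    m.set_content("Your message could not be delivered; see attachment.")
    m.add_attachment(original.as_bytes(), maintype="application",
                     subtype="octet-stream", filename="original.eml")
    return m
```

is_dsn() is the check to run first: a true Postfix bounce is multipart/report with report-type=delivery-status, and the delivery-status block gives the machine-readable Action and Status without any regex over the human-readable notification text. Anything that fails that check has been rewritten by an intermediate system, and the .eml fallback in recover_original() is there for that case only.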

Re: Retiring oqmgr?

2019-01-08 Thread Wietse Venema
Patrick Ben Koetter:
> Configuring a new Postfix server I just ran across the commented entry for
> oqmgr and I thought: It must have been ages since qmgr was renamed to oqmgr and
> it might be time to remove that entry from master.cf.

Problem with nqmgr is that there is only one person who really knows
how it works, and a few who understand major portions of it. I am
not among those people. I therefore kept oqmgr around as an insurance.

Wietse


mailer-daemon bounce notifications with original message in clear text?

2019-01-08 Thread Jim Rice
We have a client connecting with a custom pop-client script that wants to parse 
mailer-daemon bounce notifications.
But the original email content is being returned as an .eml attachment.

Is there any way to configure bounce to compose the response message in clear 
text (message/rfc822)?

mail_version = 3.1.1


Retiring oqmgr?

2019-01-08 Thread Patrick Ben Koetter
Configuring a new Postfix server I just ran across the commented entry for
oqmgr and I thought: It must have been ages since qmgr was renamed to oqmgr and
it might be time to remove that entry from master.cf.

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein