[pfx] Re: How to set the minimum number of bits for (non-EC) DH key exchange?
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users wrote:
> I am currently assessing the TLS security of a Postfix mail server and among
> other things sslscan reported that the server allows a (non-EC) DH exchange
> with only 1024 bits. While one solution would be to only allow ECDH(E) and
> disable DH(E) entirely, I would rather like to keep support for DH(E) for
> compatibility reasons but only enforce a lower limit on the size of the
> finite group (maybe 2048 bit, or even 3072 bits preferably). How do I do that
> with Postfix? I cannot find any smtpd_tls_... setting which seems related to
> that aspect.

You are assessing mandatory TLS? Then disable non-ECDHE.

You are assessing opportunistic TLS? Ignore it.

Bastian

--
It would be illogical to kill without reason.
		-- Spock, "Journey to Babel", stardate 3842.4
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: improper command pipelining
On Mon, Jan 15, 2024 at 10:15:53AM +0100, Admin Beckspaced via Postfix-users wrote:
> > > someone is trying to use your postfix as an http proxy server.
> > Looks like a security scanner.
> do you know the type of encoding?

No, by "CONNECT", which is not an SMTP command, but an HTTP one.

Bastian

--
Spock: The odds of surviving another attack are 13562190123 to 1, Captain.
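A way to triage these log entries, as an added example that is not part of the thread and not Postfix's own code: pull every "improper command pipelining" warning out of a log, separate the ones whose pipelined verb is not an SMTP command at all (CONNECT, GET and similar HTTP verbs from scanners or proxy probes) from genuine SMTP pipelining, and count them per client address. The sample log lines below are constructed for the example in the shape Postfix's smtpd uses for this warning, with documentation-range addresses; the set of accepted SMTP verbs is an assumption covering RFC 5321 plus the common extensions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from a real server); the shape is
# "improper command pipelining after <verb> from <host>[<addr>]: <text>".
SAMPLE_LOG = r"""Jan 15 09:58:01 mx postfix/smtpd[2041]: improper command pipelining after CONNECT from unknown[192.0.2.10]: example.net:443 HTTP/1.1\r\n\r\n
Jan 15 09:58:03 mx postfix/smtpd[2042]: improper command pipelining after CONNECT from unknown[192.0.2.10]: example.org:443 HTTP/1.0\r\n\r\n
Jan 15 10:02:17 mx postfix/smtpd[2050]: improper command pipelining after EHLO from mail.example.com[198.51.100.5]: MAIL FROM:<a@example.com>\r\n
Jan 15 10:05:40 mx postfix/smtpd[2061]: improper command pipelining after GET from unknown[203.0.113.7]: / HTTP/1.1\r\nHost: mx\r\n
Jan 15 10:06:00 mx postfix/smtpd[2062]: connect from unknown[203.0.113.9]
"""

PIPELINING_RE = re.compile(
    r"improper command pipelining after (?P<verb>\S+) "
    r"from (?P<host>\S+)\[(?P<addr>[^\]]+)\]: (?P<rest>.*)$"
)

# Assumed set of verbs a real SMTP client could legitimately pipeline
# (RFC 5321 commands plus common extensions Postfix accepts).
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "BDAT", "RSET", "NOOP",
              "QUIT", "VRFY", "ETRN", "STARTTLS", "AUTH", "XCLIENT", "XFORWARD"}


def parse_pipelining(log_text):
    """Return one dict (verb, host, addr, rest) per pipelining warning."""
    events = []
    for line in log_text.splitlines():
        m = PIPELINING_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """'smtp' when the pipelined verb is an SMTP command, otherwise
    'non-smtp': the peer was never speaking SMTP (HTTP CONNECT/GET etc.)."""
    return "smtp" if event["verb"].upper() in SMTP_VERBS else "non-smtp"


def summarize(log_text):
    """Per client address: how many non-SMTP pipelining events were logged
    and which foreign verbs were seen. SMTP-speaking clients are left out."""
    counts = Counter()
    verbs = defaultdict(set)
    for ev in parse_pipelining(log_text):
        if classify(ev) == "non-smtp":
            counts[ev["addr"]] += 1
            verbs[ev["addr"]].add(ev["verb"].upper())
    return {addr: {"count": n, "verbs": sorted(verbs[addr])}
            for addr, n in counts.items()}


if __name__ == "__main__":
    for addr, info in summarize(SAMPLE_LOG).items():
        print(f"{addr}: {info['count']} non-SMTP pipelining event(s), verbs {info['verbs']}")
```

The per-address summary is what you would feed into a rate limit or a blocklist review; the "smtp" class is kept separate because a real MTA that pipelines after EHLO is a protocol violation worth a different conversation than an HTTP probe.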
[pfx] Re: FW: Wrong email in DMARC dns
On Mon, Oct 30, 2023 at 02:36:33PM +0100, Szymon Malinowski via Postfix-users wrote:
> You see the point? We got stuck in a loop of sending DMARC reports which are
> being bounced because of unknown user.
> Is there any way to prevent such situations?

Don't send failure reports, ever. At least without DSN=NONE, with a non-empty
sender or with spam filter on those addresses.

See https://datatracker.ietf.org/doc/html/rfc5965#section-5 for more
information.

Bastian

--
But Captain -- the engines can't take this much longer!
[pfx] Re: identifying sender failing ssl/tls cipher ?
On Sat, Aug 12, 2023 at 09:47:57AM -0400, pgnd via Postfix-users wrote:
> postconf -n | grep -i tls | grep -i cipher
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP,
>     PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8,
>     3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256,
>     ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
> smtp_tls_mandatory_ciphers = medium
> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers =
> smtpd_tls_mandatory_ciphers = medium
> tls_preempt_cipherlist = yes
> tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers

Start by reverting all of those to default.

> i'm not seeing the cause of the problem :-/
> am i looking in the wrong place? or is that^ config already a cause?

Well, you exclude still used ciphers. aNULL for example. So where did you
get that from?

Bastian

--
Conquest is easy. Control is not.
		-- Kirk, "Mirror, Mirror", stardate unknown
[pfx] Re: postfix database, aliases, permissions, configuration issue, help requested, perplexed
On Wed, Jul 19, 2023 at 11:23:53PM -0400, Viktor Dukhovni via Postfix-users wrote:
> > #systemctl status postfix
> > ● postfix.service - Postfix Mail Transport Agent
> >      Loaded: loaded (/lib/systemd/system/postfix.service; enabled; preset: e>
> >      Active: active (exited) since Wed 2023-07-19 15:02:03 EDT; 4s ago
>
> This is likely because of a mismatch between the service definition and
> the actual Postfix start code it invokes. Is the (ultimately master(8))
> process actually expected to remain in the foreground? Or is the
> "exited" actually normal here, because the service definition is
> starting a "background" job?

This is an artifact of the way Debian derived systems handle multi instance
Postfix. The real service is "postfix@-.service". And this one just acts as
a restart all instances marker. So this state is okay.

> > 2023-07-19T15:19:58.474716-04:00 hostname postfix/master[41002]:
> > warning: process /usr/lib/postfix/sbin/smtpd pid 41013 exit status 1

Anything before that?

Bastian

--
Punishment becomes ineffective after a certain point. Men become insensitive.
		-- Eneg, "Patterns of Force", stardate 2534.7
[pfx] Re: Split emails with multiple recipients
On Mon, Jun 05, 2023 at 10:21:47AM +0200, Matus UHLAR - fantomas via Postfix-users wrote:
> I've read a trick to reject particular recipient with temporary failure,
> which results in mail for other recipient being accepted, and further retry
> from sending server should only include that recipient, in which case you
> can refuse whole mail.

You should not do this. This can lead to very long delays. AFAIK every
recipient requires at least one retry in this case, aka at least 300s.

Bastian

--
Each kiss is as the first.
		-- Miramanee, Kirk's wife, "The Paradise Syndrome", stardate 4842.6
[pfx] Re: per-domain sender_checks?
On Tue, May 16, 2023 at 09:44:41AM -0400, Wietse Venema via Postfix-users wrote:
> Looks like you have a *local* DNS problem. Check your routing,
> including netmasks.

The domain is broken. See https://dnsviz.net/d/info.apr.gov.rs/dnssec/

One of the listed name servers is unresponsive and also different between
glue record and in zone record. Also the remaining server is broken:

| The response had an invalid RCODE (FORMERR) until the NSID EDNS option
| was removed.

Bastian

--
Where there's no emotion, there's no motive for violence.
		-- Spock, "Dagger of the Mind", stardate 2715.1
[pfx] Re: logging strangeness
On Tue, May 16, 2023 at 07:32:55PM +0300, Eugene R via Postfix-users wrote:
> Am I correct that the string in question should normally contain the SASL
> response? While the "Password:" is apparently some interactive prompt,
> indicating that something might be wrong with the connection or
> configuration?

No, this is part of the (broken?) LOGIN type. Use PLAIN and you don't have
that problem.

Bastian

--
War isn't a good life, but it's life.
		-- Kirk, "A Private Little War", stardate 4211.8
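To see why "Password:" shows up in a log of a LOGIN authentication, here is an added example (not from the thread and not Postfix or Dovecot code) that walks through both mechanisms on the wire: LOGIN is a two-step challenge/response in which the server's 334 continuation lines carry the base64 of the literal strings "Username:" and "Password:", while PLAIN (RFC 4616) is a single client message of three NUL-separated fields. The user name and password are constructed sample values; the 334 framing is SMTP's AUTH continuation as the example assumes it.

```python
import base64


def login_exchange(username, password):
    """Simulate the LOGIN mechanism. Returns the steps as (side, wire, decoded):
    the server ("S") sends "334 <base64 prompt>", the client ("C") answers
    with the base64 of the requested value. The decoded server prompts are
    exactly the "Username:" / "Password:" strings that appear in logs."""
    steps = []
    for prompt, answer in (("Username:", username), ("Password:", password)):
        challenge = base64.b64encode(prompt.encode()).decode()
        steps.append(("S", "334 " + challenge, prompt))
        steps.append(("C", base64.b64encode(answer.encode()).decode(), answer))
    return steps


def decode_server_challenge(line):
    """Decode a "334 <base64>" line; a LOGIN server challenge decodes to its
    prompt text rather than to anything resembling a SASL response."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not an AUTH continuation line: %r" % line)
    return base64.b64decode(payload).decode()


def plain_initial_response(authzid, authcid, password):
    """PLAIN: one client message "authzid NUL authcid NUL passwd", base64'd.
    authzid is usually empty, meaning "act as the authenticated user"."""
    raw = "\0".join((authzid, authcid, password)).encode()
    return base64.b64encode(raw).decode()


def decode_plain(response):
    """Split a PLAIN initial response back into its three fields."""
    parts = base64.b64decode(response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must carry exactly three fields")
    return tuple(p.decode() for p in parts)


if __name__ == "__main__":
    # Constructed credentials for the demonstration only.
    for side, wire, decoded in login_exchange("alice", "s3cret"):
        print(f"{side}: {wire:24} ({decoded!r})")
    resp = plain_initial_response("", "alice", "s3cret")
    print("C: AUTH PLAIN", resp, decode_plain(resp))
```

Both mechanisms carry the password as plain base64, so neither is safer than the other by itself; the difference is that PLAIN finishes in one round trip with a well-defined format, whereas LOGIN relies on the prompt-string convention that produced the confusing log line above. Either must only be offered inside TLS.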