Re: Re: Re: Re: How to detect the receiving of mail for sure from only that relay and then make action only in that case?

2015-01-30 Thread srach
Hello Viktor

30. Jan 2015 16:05 by postfix-us...@dukhovni.org:

http://www.postfix.org/postconf.5.html#check_ccert_access




I did it with this option for Postfix server #2 config.  I need to have the 
opportunity to set many relay clients some day so I use the access map.

I also set the unique port to listen for the relay AUTH using TLS cert check 
so there is no conflict with the other ports and the options they are set 
with.

The unique port to listen to for TLS cert AUTH on the #2 server is 9443.

I can check this now with simple telnet

 telnet XX.XX.XX.XX 9443
   Trying XX.XX.XX.XX
   Connected to XX.XX.XX.XX.
   Escape character is '^]'.

So now in the Postfix #1 relay client configuration I set

- relay_transport = relay2:[XX.XX.XX.XX]:25
+ relay_transport = relay2:[XX.XX.XX.XX]:9443

so as to use the unique port for the SASL.  Remember that when the relay is to 
relay2:[XX.XX.XX.XX]:25 with no AUTH then the mail is delivered okay.

And now I send a usual test message again.  I send it from a third party ISP 
that I know is a good mail provider with no SMTP mistakes like I may be 
making.  Just to remove that as an uncertainty step.

But now the message stops and does not deliver

Jan 30 18:23:21 srchsvr PF-in/postscreen[19816]: CONNECT from [66.111.4.25]:45304 to [YY.YY.YY.YY]:25
Jan 30 18:23:21 srchsvr PF-in/postscreen[19816]: PASS OLD [66.111.4.25]:45304
Jan 30 18:23:21 srchsvr PF-in/smtpd[19817]: connect from out1-smtp.messagingengine.com[66.111.4.25]
Jan 30 18:23:21 srchsvr PF-in/smtpd[19817]: C2C7C3E158: client=out1-smtp.messagingengine.com[66.111.4.25]
Jan 30 18:23:22 srchsvr PF-in/cleanup[19823]: C2C7C3E158: message-id=9698787676.1979693.266987298.2c96c...@webmail.messagingengine.com
Jan 30 18:23:22 srchsvr PF-in/qmgr[19668]: C2C7C3E158: from=xx...@fastmail.com, size=1912, nrcpt=1 (queue active)
Jan 30 18:23:22 srchsvr PF-in/smtpd[19817]: disconnect from out1-smtp.messagingengine.com[66.111.4.25]
Jan 30 18:23:22 srchsvr PF-out/smtpd[19825]: connect from srchsvr..ZZZ[127.0.0.1]
Jan 30 18:23:22 srchsvr PF-out/smtpd[19825]: 160973C11E: client=srchsvr..ZZZ[127.0.0.1]
Jan 30 18:23:22 srchsvr PF-out/cleanup[19828]: 160973C11E: message-id=9698787676.1979693.266987298.2c96c...@webmail.messagingengine.com
Jan 30 18:23:22 srchsvr PF-out/smtpd[19825]: disconnect from srchsvr..ZZZ[127.0.0.1]
Jan 30 18:23:22 srchsvr PF-in/smtp[19824]: C2C7C3E158: to=srcht...@clientdomain.com, relay=127.0.0.1[127.0.0.1]:10026, delay=0.44, delays=0.41/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 160973C11E)
Jan 30 18:23:22 srchsvr PF-out/qmgr[19738]: 160973C11E: from=xx...@fastmail.com, size=2110, nrcpt=1 (queue active)
Jan 30 18:23:22 srchsvr PF-in/qmgr[19668]: C2C7C3E158: removed

Then there is a total quiet wait for a minute.  Exactly one.  Then only one 
more log entry

Jan 30 18:24:22 srchsvr PF-out/relay2/smtp[19829]: 160973C11E: to=srcht...@clientdomain.com, relay=XX.XX.XX.XX[XX.XX.XX.XX]:9443, delay=60, delays=0.01/0.01/60/0, dsn=4.4.2, status=deferred (lost connection with XX.XX.XX.XX[XX.XX.XX.XX] while receiving the initial server greeting)

This is the only log info.  For the #1 relay client side.

There is nothing in the #2 server side.  It is like there is no contact.

I have changed the master.cf for PF-out to 'qmgr -v' and 'relay2 ... 
smtp -v' to maybe see why the delay is so long or why it stops now.  But so 
far I have no ideas.

I will walk again through the details to do the debugging.  But I can only do 
that if I have some right details.  What is the place to look for the 
diagnosis?

*S*


Re: Re: Re: Re: Re: How to detect the receiving of mail for sure from only that relay and then make action only in that case?

2015-01-30 Thread srach

30. Jan 2015 19:21 by postfix-us...@dukhovni.org:

 What software is listening on that port?

I see it is the Postfix part of the Zimbra commercial mail server.

I am told that it must be a unique port for only using TLS AUTH.





 I can check this now with simple telnet

 telnet XX.XX.XX.XX 9443
   Trying XX.XX.XX.XX
   Connected to XX.XX.XX.XX.
   Escape character is '^]'.

 Where is the SMTP 220 banner???

I do not know.  That is only the reply that I see to telnet.




For a #2 server that I control, especially one that is clean Postfix, I know how to 
make all this work.  The documents are thick but they are clear as soon as I 
know which to look for.

For this commercial server I do not know so much.  Their Postfix is not so 
clean as upstream here I think.




 So now in the Postfix #1 relay client configuration I set

 - relay_transport = relay2:[XX.XX.XX.XX]:25
 + relay_transport = relay2:[XX.XX.XX.XX]:9443

 No, you should have stopped at the previous step, your port 9443
 service is not working.  Look in the logs on that server.

There is nothing in the logs about the port 9443 service.  So they say to me.




 Jan 30 18:24:22 srchsvr PF-out/relay2/smtp[19829]: 160973C11E: to=srcht...@clientdomain.com, relay=XX.XX.XX.XX[XX.XX.XX.XX]:9443, delay=60, delays=0.01/0.01/60/0, dsn=4.4.2, status=deferred (lost connection with XX.XX.XX.XX[XX.XX.XX.XX] while receiving the initial server greeting)

 As expected.  Check the remote logs.

Maybe there can be some other better logging.  I will ask the admin.




 I have changed the master.cf for PF-out to 'qmgr -v'

 Whatever for?

I was meaning for the PF-in.  But only because it is very obvious to me that 
there is a quiet minute immediately after it.  That is strange.  So I look to 
see if maybe it is the problem.




 and 'relay2 ... smtp -v'

 The remote server does not answer, debugging the local side is pointless,
 especially the queue manager which does not even communicate with the
 remote system.


I do not understand that the problem is with the no response, only because I do not 
see in my #1 server logs the details of the communication to the remote.  Maybe 
because I did not yet look in the right logs.

*S*

PS

When I tell the admin there to check the logs more when I test again with 
telnet

telnet XX.XX.XX.XX 9443
    Trying XX.XX.XX.XX...
    Connected to XX.XX.XX.XX.
    Escape character is '^]'.

On the #2 server there is a 'trace log' that sees only this info

    19:41:27.246:qtp5875679863-15-selector-ServerConnectorManager@8d369853/1 OPENED SslConnection@2b076a2f{NEED_UNWRAP,eio=-1/-1,di=-1} - HttpConnection@8bc779de{IDLE}
    19:41:27.246:qtp5875679863-15-selector-ServerConnectorManager@8d369853/1 OPENED HttpConnection@8bc779de{IDLE}

He says there is no more.  I think that is not so right.  There can always be 
more.

This says nothing that is helping to me.  I think may be the problem is still 
some other place.
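An added diagnostic for the symptom in this exchange (example code, not from the thread or from Postfix): it connects to a port and reports whether an SMTP 220 greeting arrives, whether the listener accepts the TCP connection but stays silent (what the telnet test and the SslConnection/HttpConnection trace on port 9443 look like: a service waiting for the client to speak first), or whether the peer closes without greeting, which is the case Postfix logs as "lost connection ... while receiving the initial server greeting" (its own timer expiring is logged as "timed out" instead). Hosts and ports are placeholders, and the three listeners are constructed in-process so it runs offline.

```python
"""Tell a real SMTP greeting apart from a port that merely accepts TCP.

Added example, not code from the thread or from Postfix.  Hosts and ports
are placeholders; the listeners used by demo() are constructed in-process.
"""
import socket
import threading


def probe_smtp_greeting(host, port, timeout=5.0):
    """Connect and wait for the server's first line.

    Returns (verdict, detail) where verdict is one of:
      'refused'  - nothing accepted the TCP connection
      'banner'   - a 220 greeting arrived (an SMTP server speaks first)
      'silent'   - TCP accepted but nothing sent within `timeout`: a listener
                   that expects the client to talk first (TLS, HTTP); Postfix
                   would eventually log 'timed out' against such a port
      'closed'   - the peer hung up without a greeting; Postfix logs this as
                   'lost connection ... while receiving the initial server greeting'
      'non-smtp' - something arrived, but it is not an SMTP 220 line
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "refused", str(exc)
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return "silent", ""
    if not data:
        return "closed", ""
    first = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if first.startswith("220"):
        return "banner", first
    return "non-smtp", first


def _listen_once(handler):
    """Start a throwaway loopback listener that serves exactly one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo(timeout=1.0):
    """Probe three constructed listeners and return their verdicts."""
    # Behaves like a Postfix smtpd: greets as soon as the connection opens.
    banner_port = _listen_once(
        lambda c: c.sendall(b"220 mx.example.test ESMTP Postfix\r\n"))
    # Behaves like the port 9443 service in the thread: accepts the TCP
    # connection, then waits for the client to send the first bytes.
    silent_port = _listen_once(lambda c: c.recv(1))
    # Accepts and immediately closes: the 'lost connection' case.
    closing_port = _listen_once(lambda c: None)
    return {
        "banner": probe_smtp_greeting("127.0.0.1", banner_port, timeout),
        "silent": probe_smtp_greeting("127.0.0.1", silent_port, timeout),
        "closed": probe_smtp_greeting("127.0.0.1", closing_port, timeout),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in demo().items():
        print(f"{name:7s} -> {verdict:9s} {detail}")
```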




Re: Re: Re: How to detect the receiving of mail for sure from only that relay and then make action only in that case?

2015-01-30 Thread srach
Hello all

Thanks for all the advice.

30. Jan 2015 13:46 by a...@extracted.org:


 On Fri, 2015-01-30 at 05:35 +, Viktor Dukhovni wrote:

 And I often find it easier to configure client certs, no SASL or
 PAM configuration nightmares. :-)





I have made the easy decision for the TLS method with agreement that it is 
more simple.  SASL, especially the Cyrus method, is full of confusion for me!

With the TLS method I made the self-signed CA and client certificates.  I 
installed the client certificate on the #1 server and the CA certificate on 
the #2 server.

I have the SHA1 fingerprint calculation for both of the certificates

    srach_CA.crt
        SHA1 Fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11

    srachsvr_client.crt
        SHA1 Fingerprint=22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22

On the #1 server in the main.cf I set

relay_transport = relay2:[11.22.33.44]:9443
smtp_tls_policy_maps = /etc/postfix-out/tls_policy

/etc/postfix-out/tls_policy
[11.22.33.44]:9443 fingerprint match=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11

So if right, this will make sure that the relay server will only relay to 
the #2 server if the #2 server gives this fingerprint in the TLS handshake 
reply.

But at the document

http://www.postfix.org/TLS_README.html

I think the tls_policy is for destinations.  So only for the sending side.

I too want the #2 server to only ACCEPT the relay mail from the #1 server if 
the #1 server gives the fingerprint = 
22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22.

So this is not the tls_policy file on the #2 server?  Where is the configuration 
to be set for the #2 server to only accept relay mail from the #1 server if 
the match equals?

 Here is a quick write up with recipient relay addresses using a SMTP
 transport with an MD5 hash, somewhat like above.  You could do it with
 relay domains also I suppose and with most transports I would imagine..
 It is a very dirty method if MTA TLS CERT verification is your single
 point of security however.
 http://myspew.com/projects/postfix-tls-fingerprints-for-mta-to-mta-identification




Why is this a very dirty method?  I think it is a strong method, maybe the 
best, no?

*S*
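An added helper for the two directions asked about here and in the earlier check_ccert_access reply (example code, not from the thread or from Postfix): it computes the same colon-separated digest over the DER certificate that `openssl x509 -fingerprint` prints, then emits the sending-side tls_policy line, which pins the certificate the #2 server presents, and the receiving-side check_ccert_access entry, which is keyed by the certificate the #1 client presents. The PEM inputs are constructed stand-ins wrapping the bytes "abc" and "abcd", not real certificates, and the digest name has to match smtp_tls_fingerprint_digest on #1 and smtpd_tls_fingerprint_digest on #2, whose defaults have not always been sha1.

```python
"""Postfix TLS fingerprint pins: which certificate's digest goes in which file.

Added example, not code from the thread or from Postfix.  Input PEMs are
constructed stand-ins, not real X.509 certificates.
"""
import base64
import hashlib
import re

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)


def fingerprint(pem: bytes, digest: str = "sha1") -> str:
    """Colon-separated upper-case digest of the DER bytes, i.e. the value
    `openssl x509 -noout -fingerprint -<digest>` prints for the same file."""
    hexdigest = hashlib.new(digest, pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def tls_policy_entry(nexthop: str, server_cert_pem: bytes,
                     digest: str = "sha1") -> str:
    """Sending side (#1), smtp_tls_policy_maps: pin the certificate that the
    destination (#2) presents.  smtp_tls_fingerprint_digest must name `digest`."""
    return f"{nexthop} fingerprint match={fingerprint(server_cert_pem, digest)}"


def ccert_access_entry(client_cert_pem: bytes, action: str = "OK",
                       digest: str = "sha1") -> str:
    """Receiving side (#2), check_ccert_access table: the key is the digest of
    the certificate the client (#1) presents, which smtpd only sees when it
    asks for one (smtpd_tls_ask_ccert = yes); smtpd_tls_fingerprint_digest
    must name `digest`."""
    return f"{fingerprint(client_cert_pem, digest)} {action}"


def _fake_pem(payload: bytes) -> bytes:
    """Constructed stand-in: PEM armour around arbitrary bytes (not a cert)."""
    body = base64.b64encode(payload)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Constructed inputs: the '#2 server cert' wraps b"abc", the '#1 client cert' b"abcd".
SERVER2_CERT_PEM = _fake_pem(b"abc")
CLIENT1_CERT_PEM = _fake_pem(b"abcd")


def build_pins(nexthop: str = "[11.22.33.44]:9443") -> dict:
    """Both artifacts for the #1 -> #2 relay leg described in the thread."""
    return {
        "tls_policy_line": tls_policy_entry(nexthop, SERVER2_CERT_PEM),
        "ccert_access_line": ccert_access_entry(CLIENT1_CERT_PEM),
    }


if __name__ == "__main__":
    for name, line in build_pins().items():
        print(f"{name}: {line}")
```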


What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Bleh.  I think I am tired and making worse and worse mistakes.  Maybe I need 
to step away for some time.  :-(

I have made some change that I cannot find and have an error now I do not see 
or know the cause for.

I made a Postfix instance for getting mail with Postscreen and recipient 
verify steps, and some of the recipient restrictions for smtpd.  It is named 
'pf-in'.

I also made a Postfix instance for simple sending out mail.  It is named 
'pf-out'.

The TLS is turned on to the 'Opportunistic' type with '= may' for both the 
instances.

So I think it should use the TLS when it is available and be okay if not.

On my laptop I send a test email.  It sends to the 'pf-in' instance

sendmail -i -f root -t <<EOF
From: s...@srchdomain.com
To: srcht...@clientdomain.com
Subject: test
test
EOF

I see the mail processing with Postscreen 'pf-in'

Jan 29 19:01:08 srchsvr pf-in/postscreen[11780]: CONNECT from [XX.XX.XX.XX]:43942 to [YY.YY.YY.YY]:25
Jan 29 19:01:08 srchsvr pf-in/postscreen[11780]: WHITELISTED [XX.XX.XX.XX]:43942

Then next after the Postscreen PASS the mail goes to the internal smtpd on 
'pf-in'

Jan 29 19:01:08 srchsvr pf-in/smtpd[11781]: connect from unknown[XX.XX.XX.XX]
Jan 29 19:01:08 srchsvr pf-in/smtpd[11781]: AB1E08F422: client=unknown[XX.XX.XX.XX]
Jan 29 19:01:08 srchsvr pf-in/cleanup[11785]: AB1E08F422: message-id=20150129190108.4200d40...@srchdell.srchdomain.com
Jan 29 19:01:08 srchsvr pf-in/smtpd[11781]: disconnect from unknown[XX.XX.XX.XX]

And then into the queue and it is sent to the 'pf-out' instance

Jan 29 19:01:08 srchsvr pf-in/qmgr[11632]: AB1E08F422: from=r...@srchdomain.com, size=536, nrcpt=1 (queue active)
Jan 29 19:01:08 srchsvr pf-out/smtpd[11787]: connect from srchsvr.srchdomain.com[127.0.0.1]

But now the log says

Jan 29 19:01:08 srchsvr pf-in/smtp[11786]: AB1E08F422: to=srcht...@clientdomain.com, relay=127.0.0.1[127.0.0.1]:10026, delay=0.13, delays=0.11/0.01/0.02/0, dsn=4.7.0, status=deferred (TLS is required, but host 127.0.0.1[127.0.0.1] refused to start TLS: 454 4.7.0 TLS not available due to local problem)

I think this says the problem is in the 'pf-out' instance but it is the 
'pf-in' instance that hears it and says it in the log.

I have been searching on the sentences

    TLS is required refused to start TLS 454 4.7.0 TLS not available due to local problem

But only found some suggestions that the Certificate I use is not good.  I 
know that it is good since it works okay in other applications.

What idea can I try to fix for this crazy problem I have done myself?

*S*


Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Hello Patrick

29. Jan 2015 19:37 by p...@sys4.de:

 The problem is probably in the lines above in your log. Have you tried to
 reload postfix (to get a clear offset in the log)

Yes many times.




 and then telnet to 127.0.0.1?

Before I am complaining some more times I will first explore with telnet.  I 
was only sending mails.  telnet I think will make some things clear





 Send postconf -n and we will be able to help you.

Okay I will get there.  For what instance do you think?  The 'in' or 'out'?  
Or both of them?




*S*



Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
With the testing by both telnet and openssl s_client I can see the TLS as the 
available option but I see too the None cipher.

I am suspecting this though confusing.

I will first read more on the testing with these tools and understanding the 
meaning of the logging reply for them.  I also see the idea from Wietse to 
look into other locations for log replies.  I did that once or more already but 
will see to that again right now.

telnet 127.0.0.1 25
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 mx.srchdomain.com ESMTP . No UCE permitted.
    EHLO test.com
    250-mx.srchdomain.com
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-XCLIENT NAME ADDR PROTO HELO REVERSE_NAME PORT LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

telnet 127.0.0.1 10026
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    220 srchsvr.srchdomain.com ESMTP . No UCE permitted.
    EHLO test.com
    250-srchsvr.srchdomain.com
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

openssl s_client -crlf -connect 127.0.0.1:25 -starttls smtp -tls1_2 -CApath /etc/ssl/certs
    CONNECTED(0003)
    139892197459600:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:361:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 312 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1422561244
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    ---

openssl s_client -crlf -connect 127.0.0.1:10026 -starttls smtp -tls1_2 -CApath /etc/ssl/certs
    CONNECTED(0003)
    140014293526160:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number:s3_pkt.c:361:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 246 bytes and written 7 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1422561276
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    ---

And then I will look at my 'postconf -n' myself first too.  Better to do it 
myself first.  I must find this since I did it to myself.

When I can not then I will have to be begging.  Bleh again!

*S*


Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Hello Wietse

29. Jan 2015 20:49 by wie...@porcupine.org:

 submission inet n   -   n   -   -   smtpd
   -o syslog_name=postfix/submission
 ...
 smtps inet  n   -   n   -   -   smtpd
   -o syslog_name=postfix/smtps
 ...

 The same could be done with the smtp service:

 relay unix  -   -   n   -   -   smtp
   -o syslog_name=postfix/relay


That is good advice to be reminded of!  While I am doing the debugging 
like this, and maybe always too, I am adding this idea to many services I 
clone and use.

*S*


Re: Re: Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
Hello Wietse:

29. Jan 2015 21:02 by wie...@porcupine.org:

 Postfix could do this automatically, but it is too late for
 the upcoming stable release to make such a change.

Only knowing the info is good for now!

If it is some day done automatically then I think that would be useful.





For that possibility I will ask one more question.  When this is created in 
the config

 relay unix  -   -   n   -   -   smtp
   -o syslog_name=postfix/relay

or

   -o syslog_name=postfix/relay2




In the logs it says

... postfix/relay/smtp ...

... postfix/relay2/smtp ...

Is that all the needed infos?  Maybe it is enough only to say

... postfix/relay ...

... postfix/relay2 ...

I do not know the best for all cases but for just my debugging now it is 
enough infos.




*S*






Re: Re: Re: Re: What is my self-made TLS problem for Postfix to Postfix transport TLS not available due to local problem ?

2015-01-29 Thread srach
It is like I said that I did this to myself.  I was looking under the wrong 
cup in the Shell Game!

Yesterday I made a change to transport from 'pf-out' not over the open 
internet but only over my private internet with a VPN.  I did this from reading a 
posting from another person.

I changed the main.cf for 'pf-out'

-    relay_transport = relay:[XX.XX.XX.XX]:25
+    relay_transport = relay2:[192.168.1.66]:25

In the master.cf config for 'pf-out' there is

    relay unix  -   -   n   -   -   smtp
     -o smtp_bind_address=YY.YY.YY.YY
    relay2    unix  -   -   n   -   -   smtp
     -o smtp_bind_address=192.168.0.15

Returning the change

-    relay_transport = relay2:[192.168.1.66]:25
+    relay_transport = relay:[XX.XX.XX.XX]:25

it is sending again with no TLS errors.

I think it is some more firewall rules I need on the server so that TLS 
negotiation may be okay in both directions.  But I do not yet see any DROP infos 
in the logs I am looking into.

I think it is strange that in the Postfix log it is showing only the 'smtp' 
service name, not the 'relay2' name.  It was some misdirection for me.  Maybe 
it can be done to add some more labels.

Thanks for the advice to look with telnet and very much watch in detail the 
step-by-step sending through each IP and port.

Now I must understand the missing rules in the firewall.

*S*



How to detect the receiving of mail for sure from only that relay and then make action only in that case?

2015-01-29 Thread srach
I am working on making secure conditions on Postfix sending and receiving 
only relays.

There are two Postfix servers in two locations.

In the #1 location Postfix configuration is so that

 1.  Send any mail out to any server on the internet with SMTP like always
 2.  Relay some specific mail only to the #2 location Postfix into Port 25

#1 Postfix instance is doing all the Postscreen & BeforeQueue filters.

So when it passes to #2 server the mail with relay I want #2 server

 1. Know for sure that the relay mail comes from the #1 server.  An added 
header can be made fake so I look for a better way that is not possible to 
fake.
 2. If from (1.) it is known for sure to be good relay from the #1 server 
then the #2 server must NOT do the normal scanning with Postscreen & more 
filters.
 3. Still receive normal mail from the internet to Port 25 too.  Only in this 
case then do not bypass and do the normal scanning.

In the documents

Relay control, junk mail control, and per-user policies
http://www.postfix.org/SMTPD_ACCESS_README.html#relay

There is much discussion on the restrictions to do.  Only I am concerned about 
the Dangerous use I read and the faking I said above.

What is the good method for sure identity detection like above and then 
disable the scanning only in that case?

*S*


Re: Re: How to detect the receiving of mail for sure from only that relay and then make action only in that case?

2015-01-29 Thread srach
Hello Viktor

30. Jan 2015 04:05 by postfix-us...@dukhovni.org:

 Save yourself a lot of complexity and use a different port for this on the
 destination system.  You could use 587, for example.  This automatically
 bypasses postscreen.

 So when it passes to #2 server the mail with relay I want #2 server

  1. Know for sure that the relay mail comes from the #1 server.  An added
 header can be made fake so I look for a better way that is not possible to
 fake.

 Restrict access to the non-default port via TLS client certs or SASL.

Okay good advice again.




With the SASL opportunity, is it still true that Postfix with the Dovecot SASL, 
where I am building Postfix with

-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=dovecot

is not possible to use as SASL client but only Cyrus?

  http://www.postfix.org/SASL_README.html#client_sasl
  At this time, the Dovecot SASL implementation does not provide client functionality.





With the TLS client cert opportunity for authenticating my Postfix relay as 
client to the other mail server that is receiving the relay mail I have some 
small confusion.




When I make the self-signed client certificate for my Postfix relay instance 
I have read that I must give it the email address of the 'login user' exactly 
so it can be a match.  I do not know which user I must give.  Because there 
will be mail for many different users that will be relayed.




*S*



local lmtp file lookup for parameter use. Okay format for use in both of the main.cf and master.cf configuration?

2015-01-28 Thread srach
I am next working on using local database file lookups for Postfix 
configuration use.

I see how in the document

http://www.postfix.org/DATABASE_README.html

to use MySQL and LDAP for some things.  With some examples and tests I am 
successful.

I see too the example for hash: or btree: or lmdb:.

So I can make a definition

vi /etc/postfix/test_parameters
    test_address    1.2.3.4
postmap test_parameters

And then querying for the definition at the shell makes the right result

postmap -q test_address lmdb:/etc/postfix/test_parameters
    1.2.3.4

So I want to now do it the same in the Postfix configuration

vi main.cf

-    test_address = 1.2.3.4
+    test_address = postmap -q lmdb:/etc/postfix/test_parameters
    inet_interfaces = ${test_address}

I tried also

+    test_address = `postmap -q lmdb:/etc/postfix/test_parameters`
+    test_address = lmdb:/etc/postfix/test_parameters

But it does not work.  I do not see any error with the test.  Only that

postfix: fatal: config variable inet_interfaces: host not found: `postmap

I do not see a good example of this use in the document

http://www.postfix.org/lmdb_table.5.html

How is it done right?  Or better question.  Which is a document to do it 
right?

Also I see in the documents many examples for retrieving the parameters for 
Postfix configuration from a database for use in

main.cf

But is it too possible in

master.cf

?  So for example

    addrver   unix  -   -   n   -   -   smtp
-      -o smtp_bind_address=1.2.3.4
+      -o smtp_bind_address=postmap -q lmdb:/etc/postfix/test_parameters

?

*S*

Using greylisting and other policies all in one. Use built in Postfix policy functions or other popular ones?

2015-01-28 Thread srach
I have read the documents for some different Greylisting opportunities for 
Postfix

This built into Postfix

http://www.postfix.org/SMTPD_POLICY_README.html#greylist

and popular ones

http://wiki.policyd.org
http://postgrey.schweikert.ch

I am not finding a modern comparison of these and a decision point for 
choosing one to use best in the latest Postfix versions.  Many online 
postings have a comment but they are most for older versions of Postfix.

I wonder if Postfix with modern versions is integrating better ideas and to 
do it all in one?  I think maybe that the choice is not just the recommended 
built in one of Postfix?  It depends on the goals?

My interested goals are to

block spam with Spamassassin
block viruses with ClamAV
greylist mail from freemail domains with one policy
greylist mail from certain countries with another policy
not use Amavis, it is too confusing for me

My use will be usually less than 1 mail per day.

What do the experts here do for these policies when all together?
There are many choices I know, with so much information.  It is like 
drinking from a firehose!  I enjoy though the option to learn and build 
each piece - it is a better road to success.

Thanks for your good advice and experience!

*S*


Re: Re: Using greylisting and other policies all in one. Use built in Postfix policy functions or other popular ones?

2015-01-28 Thread srach



28. Jan 2015 18:43 by li...@rhsoft.net:


 besides that greylisting is harmful in case of large sending clusters not 
 returning with the same IP while re-try a deferred message postscreen can 
 do this more or less as side effect with deep protocol tests





Yes I see that opportunity in Postscreen.




I do understand the warning for the large clusters.  Then I have to be 
careful for choosing domains I know.  For some I care, but for some I do 
not.

But I do not see how to apply Postscreen maps for deep protocol tests only 
for some domains & countries.  Does it do this?





And if there will be more checking with the Spamassassin and Clamav too I 
think there is good value in all in one policy integration instead of some in 
Postscreen too.   I think that is making some sense?











*S*



Re: Re: Re: Using greylisting and other policies all in one. Use built in Postfix policy functions or other popular ones?

2015-01-28 Thread srach
28. Jan 2015 19:17 by wie...@porcupine.org:


 There are good reasons to NOT integrate, and instead use the
 least-expensive solution before the most-expensive solution.

 postscreen implements a least-expensive solution that eliminates
 most of the spambots without even allowing them to talk to a Postfix
 SMTP server process.

 Spamassassin and Clamav are most-expensive solutions that should
 be used only for mail that cannot be stopped via other means.


Okay I see that.  Do not spend your money unless you have to!

So if that is done using Postscreen for some greylisting, what option in 
Postscreen for only greylisting with the deep protocol tests for some domains 
is there?  I am looking but still see no maps for it.

*S*


Re: Re: Using greylisting and other policies all in one. Use built in Postfix policy functions or other popular ones?

2015-01-28 Thread srach



28. Jan 2015 19:19 by li...@rhsoft.net:

 honestly with postscreen (without deep protocol tests) and rbl-scoring (DNSBL 
 as well as DNSWL) there is no point for greylisting at all

 postscreen_dnsbl_ttl = 5m
 postscreen_dnsbl_threshold = 8
 postscreen_dnsbl_action = enforce
 postscreen_greet_action = enforce
 postscreen_dnsbl_sites =
   b.barracudacentral.org=127.0.0.2*7





That is a good idea approach!  I did not know that so far. 




 if you additionally configure a honeypot-backup-MX always responding with 
 450 if not already blacklisted around 50% of all bots will try the backup 
 MX and never come back to the primary and the ones coming back are waiting 
 some minutes by assuming greylisting and in the meantime many are on RBL's 
 which were not at the first contact

 postscreen_whitelist_interfaces = !ip-of-backup-mx, static:all





Yes this I did to the 2nd MX IP I have




 But I do not see how to apply Postscreen maps for deep protocol tests
 only for some domains & countries.  Does it do this?

 it can't by design, if it would have such capabilities it would no longer 
 be a lightweight daemon in front of smtpd





I think then the fear I am having for too much loss for some greylisting 
means that I will not use the greylisting in Postscreen.  So turning off the 
deep protocol testing.




 postscreen kills 90% of all junk long before it connects to an expensive 
 smtpd at all, independent of contentfilters that's much more value than 
 pass every connection to limited smtpd and to harm with misconcepts like 
 greylisting




I think that is the same idea that Wietse said to me.




Okay, some good ideas!





*S*



Re: Re: Using greylisting and other policies all in one. Use built in Postfix policy functions or other popular ones?

2015-01-28 Thread srach
28. Jan 2015 19:28 by li...@rhsoft.net:


 maybe you need some numbers why the below config is good and greylisting 
 not needed

 peak day 2015/01

 * postscreen rejects: 9
 * spamassassin: 120
 * clamav: 15
 * delivered mail: 850

 that are numbers for a single day





Okay that is very good!  Numbers are good to see.  And they make a clear 
story.  Wow that is really good percents.


So I think I leave alone the greylisting idea and the deep protocol tests.

For the later steps of both Spamassassin & ClamAV, to keep them less 
expensive too, what recommendations are there?  Still the policyd or the spamc?  I 
am starting to read the documents for these now with new eyes, not wanting 
the greylisting integrated or not.

I am arriving to a good solution with these ideas.  Asking with getting good 
answers here changes it for the better.

I am seeing the documents are like a fat Oxford Dictionary.  Many many words 
with official particular definitions.  They are like a book for children too, 
that it tells some very simple stories.  But to write stories richly someday 
like Mr. Shakespeare we must have advice from old authors writing some bad 
books already in the past!  :-)





Re: Re: Using greylisting and other policies all in one. Use built in Postfix policy functions or other popular ones?

2015-01-28 Thread srach

28. Jan 2015 19:19 by li...@rhsoft.net:

 postscreen_dnsbl_sites =
   b.barracudacentral.org=127.0.0.2*7
   dnsbl.inps.de=127.0.0.2*7





I see from the example you give that these are I think all DNSBL that are 
domain name searching only




In the notes I am keeping from reading I see also a saying of good value for



reject_rhsbl_client dbl.spamhaus.org
reject_rhsbl_reverse_client dbl.spamhaus.org
reject_rhsbl_sender dbl.spamhaus.org




How is it to add these to the Postscreen not expensive checking too?




I do not read in the Postscreen documents anything regarding rhsbl




*S*



Re: Re: Re: Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread srach
Hello Viktor

28. Jan 2015 06:10 by postfix-us...@dukhovni.org:


 No that's main.cf.  I meant master.cf.






Ach! That is my reading mistake.


 This gets added as an override option to that master.cf
 transport definition.

 Clone smtp unix ... smtp or relay unix ... smtp
 to create a new transport.


It is done and works okay.

Thanks!

*S*


Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread srach
I am working next on the Postfix Recipient address verification step from the 
document http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient.

Because I must make the other parts work the parameter in main configuration 
is set

smtp_bind_address = 0.0.0.0

All this works especially good for the multi-homed host I have.  It has a few 
IP addresses.

For a client's security reason I must make the IP binding for the address 
verification stop to come from a certain IP address.

How is done to set the IP bind address for the address_verify procedure ONLY, 
different than the smtp_bind_address?

I do not read it or understand it in the document.

*S*



Re: Re: Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread srach
Hello Viktor
28. Jan 2015 05:46 by postfix-us...@dukhovni.org:

 The setting is per-transport.  Therefore you need a suitable
 additional transport entry in master.cf with an 
 smtp_bind_address
 override, and a custom address_verify_transport or similar.

Okay I see the idea.

In the master.cf config I set already before

address_verify_relay_transport = smtp:[11.22.33.44]:25

that says the IP address to verify TO.  So I think I can use that setting too 
for the IP address to bind FROM.

When the suggested idea is to use an smtp_bind_address override, is that of the 
form

address_verify_relay_transport = smtp:[11.22.33.44]:25 
smtp_bind_address=55.66.77.88

?

I read the

http://www.postfix.org/postconf.5.html#address_verify_relay_transport
http://www.postfix.org/postconf.5.html#relay_transport
http://www.postfix.org/transport.5.html

documents, but do I miss the override syntax?

*S*
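As an added example, not code from the original posts or from Postfix itself: a small Python checker for the per-transport approach discussed in this thread and its follow-up (a cloned smtp transport in master.cf carrying an smtp_bind_address override, with address_verify_relay_transport in main.cf pointing at the clone). The transport name verify, the second override and the sample addresses are assumptions.

```python
import re

# Constructed master.cf fragment (not from the original posts): the stock "smtp"
# transport plus a clone named "verify" (assumed name) that carries the
# smtp_bind_address override the reply describes.
MASTER_CF = """\
smtp      unix  -       -       n       -       -       smtp
verify    unix  -       -       n       -       -       smtp
  -o smtp_bind_address=55.66.77.88
  -o syslog_name=postfix/verify
"""

# Constructed main.cf line pointing recipient verification at the clone.
MAIN_CF = "address_verify_relay_transport = verify:[11.22.33.44]:25\n"


def parse_master_cf(text):
    """Return {(name, type): {override: value}} for every service entry.
    Indented lines continue the previous entry; only "-o key=value" is kept."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation before any service: %r" % raw)
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(\S*)", raw)
            if m:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % raw)
        current = (fields[0], fields[1])
        services[current] = {}
    return services


def verify_bind_address(master_text, main_text):
    """Look up the transport named by address_verify_relay_transport and return
    the smtp_bind_address override of its master.cf entry (None if it has none)."""
    m = re.search(r"^address_verify_relay_transport\s*=\s*([^:\s]+):", main_text, re.M)
    if not m:
        return None
    overrides = parse_master_cf(master_text).get((m.group(1), "unix"))
    if overrides is None:
        raise KeyError("no unix-domain service %r in master.cf" % m.group(1))
    return overrides.get("smtp_bind_address")
```

Pointing the main.cf line at the stock smtp transport instead yields None, which is the case where verification probes still leave from the global smtp_bind_address.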



What is good control for encryption in and out of Postscreen internal SMTP server?

2015-01-26 Thread srach
I am reading and working to understand the MULTI_INSTANCE possibilities in 
Postfix.

I am not sure yet that is a good solution for me. May be I can do what I must 
with only transport maps.

I also have a question for configuring Postfix encryption if I am using 
many instances.

Only a theoretical example

    In from Internet
      |
    IP=1.2.3.4
    Postscreen
      |
    IP=loopback-only
    Postscreen Internal SMTP server
[X]      |
      -- 'in' IP=127.0.0.1:8001, 'out' IP=1.2.3.4
      Relay SMTP server to some different clients

What is the good setting for controlling the cipher for the step I mark with 
[X] there?  Now it is 127.0.0.1 but I may move or change it later.

Is it confusing me some because of the configuration for the Postscreen

    smtp  inet  n   -   n   -   1   postscreen
    smtpd pass  -   -   n   -   -   smtpd
    dnsblog   unix  -   -   n   -   0   dnsblog
    tlsproxy  unix  -   -   n   -   0   tlsproxy
    ...
    tlsmgr    unix  -   -   n   1000?   1   tlsmgr
    ...
    smtp  unix  -   -   n   -   -   smtp
    relay unix  -   -   n   -   -   smtp
    ...
    #local unix  -   n   n   -   -   local
    ...

When the Postscreen daemon talks to the internal SMTP server what service is 
it using?

When the internal SMTP server then talks to the next-hop SMTP server what 
service is it using?

I am not completely clear.  But I want to understand the steps.

*S*


Re: Re: For gateway relay-only situation getting Cannot start TLS: handshake failure. Can I get more details from only my server end?

2015-01-25 Thread srach
Hello Viktor

 Your logs are too verbose. This just hides the real problem in a torrent of 
 noise.

This surprised me because we always increase the logging when there is trouble, 
right?  But it was the most help!

 Resolving TLS handshake problems requires full-package PCAP captures and 
 wireshark.

I will learn to use the wireshark program.  It is new for me but looks like 
it is powerful and I will have real benefits from it.

 Try loglevel = 1.

smtp_tls_loglevel = 1

This makes it easier to read the logs.

 smtp_tls_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high, medium
  The above is gibberish:

Okay anyway I missed the info too.

This was the magic.  I made a mistake thinking the other parameters using 
lists of ciphers would be like here too.  But only one.

 http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_ciphers
 The documented syntax is *exactly one* of:
    null, export, low, medium, high

Since it is only one connection from my server to his client server and none 
other on the internet I changed the config to

smtp_tls_ciphers = HIGH

 smtp_tls_exclude_ciphers = aNULL, RC4
     This too is unnecessary.

That surprises me too.  I read many times that we must not use those ciphers.

And the default is

  smtp_tls_exclude_ciphers (default: empty)

So we have to set it right?

 smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
     That's a terrible idea, the remote server probably does not support
     TLSv1.2. Restore the default or disable only:

It does support TLSv1.2.  And the client only wants TLSv1.2 with the high-bit 
elliptical cipher.  So I change to

    smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
    smtp_tls_mandatory_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384

Of course for the outside internet I do not use those.

And now everything works like perfect!

Jan 25 21:09:16 srchmx postfix/smtp[9282]: Trusted TLS connection established 
to client1.clientdomain.com[45.3x.xxx.xxx]:25: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 21:09:18 srchmx postfix/smtp[9282]: A450E8F46B: 
to=srcht...@clientdomain.com, 
relay=client1.clientdomain.com[45.3x.xxx.xxx]:25, delay=2.5, 
delays=0.01/0.01/0.59/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
10F87101791)

and the mail is relayed and delivered as I hoped.

The points you made available were good to learn and made it necessary to think 
through the details again with better understanding.

Thank you for the advice.

*S*
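An added example, not from the original post: a Python audit of Postfix smtp(8) TLS log lines of the shape shown above, checking each established session against the policy the post describes (a trusted chain, TLSv1.2 only, the single ECDHE-RSA-AES256-GCM-SHA384 cipher) so a relay operator can confirm from the log that the mandatory settings actually took effect. The sample lines, the host names and the 192.0.2.x addresses are constructed.

```python
import re

# Shape of the smtp(8) TLS line shown in the post (Postfix 2.x era logging).
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>\S+?)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

# Constructed sample log (hosts and 192.0.2.x addresses are placeholders).
SAMPLE_LOG = [
    "Jan 25 21:09:16 srchmx postfix/smtp[9282]: Trusted TLS connection established "
    "to client1.clientdomain.com[192.0.2.10]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan 25 21:11:02 srchmx postfix/smtp[9290]: Untrusted TLS connection established "
    "to other.example[192.0.2.20]:25: TLSv1 with cipher AES128-SHA (128/128 bits)",
]

# Postfix trust levels from weakest to strongest.
TRUST_RANK = {"Anonymous": 0, "Untrusted": 1, "Trusted": 2, "Verified": 3}


def parse_tls_line(line):
    """Return a dict (trust, host, addr, port, proto, cipher, bits) or None."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["bits"] = int(rec["port"]), int(rec["bits"])
    return rec


def audit(lines, min_trust="Trusted", protocols=("TLSv1.2",),
          ciphers=("ECDHE-RSA-AES256-GCM-SHA384",)):
    """Map each remote host to its policy violations (empty list = compliant)."""
    result = {}
    for line in lines:
        rec = parse_tls_line(line)
        if rec is None:          # delivery, queue and other non-TLS lines
            continue
        problems = []
        if TRUST_RANK[rec["trust"]] < TRUST_RANK[min_trust]:
            problems.append("trust %s below %s" % (rec["trust"], min_trust))
        if rec["proto"] not in protocols:
            problems.append("protocol %s not allowed" % rec["proto"])
        if rec["cipher"] not in ciphers:
            problems.append("cipher %s not allowed" % rec["cipher"])
        result[rec["host"]] = problems
    return result
```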