Re: question about envelop from.

2018-03-15 Thread john

Thanks for the help.



>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
>
> Where did you get the idea that "high" was a TLS protocol version?


I think this got in there by mistake; it's not in my postfix 
configuration. My guess is that I started typing before moving the cursor. 
Oops!

Sorry.

John A



Re: question about envelop from.

2018-03-14 Thread Viktor Dukhovni


> On Mar 14, 2018, at 10:48 PM, John  wrote:
> 
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Fine.

> smtp_tls_ciphers = high

OK, but medium is perhaps sufficient.

> smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, 
> kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW".
You're also misspelling some of the cipher names, they are case-sensitive.
Try:

   smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr, kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very
small number of systems will now only be able to receive from you in
the clear.


> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high

Where did you get the idea that "high" was a TLS protocol version?

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_ciphers = high

I would also suggest "medium" here.

> smtpd_tls_eecdh_grade = auto

This requires (and is recommended for) Postfix 3.2 or later.

> smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers

Not necessarily a good idea.  The server should perhaps be more
liberal.

-- 
Viktor.
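The three mistakes Viktor points out above (OpenSSL cipher keywords are case-sensitive, so "kECDhe" is not "kECDHe"; "LOW" and "EXPORT" are already dropped by a "high" or "medium" grade; and "high" is not a TLS protocol name) can be caught mechanically before a config goes live. The linter below is an added example, not code from the thread or from Postfix; the keyword and protocol name sets are assumptions of the example, and the sample main.cf fragment is constructed from the settings posted in this thread.

```python
import re
# OpenSSL cipher-string keywords, which are case-sensitive ("kECDhe" != "kECDHe").
# This keyword set is an assumption of the example, not a list from Postfix.
CIPHER_KEYWORDS = {
    "HIGH", "MEDIUM", "LOW", "EXP", "EXPORT", "eNULL", "aNULL", "ADH", "AECDH", "MD5",
    "SHA1", "RC4", "RC2", "RC5", "IDEA", "SEED", "DES", "3DES", "aDSS", "DSS", "ECDSA",
    "kECDHe", "kECDHr", "kDHd", "kDHr", "SRP", "PSK", "CAMELLIA128", "CAMELLIA256"}
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # "!" prefix excludes

def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            conf[last] += " " + raw.strip()
        else:
            last, value = (s.strip() for s in raw.partition("=")[::2])
            conf[last] = value
    return conf

def setting(conf, name, default=""):
    """Look up a setting, expanding $name / ${name} references as Postfix does."""
    value = conf.get(name, default)
    return re.sub(r"\$\{?(\w+)\}?", lambda m: setting(conf, m.group(1)), value)

def split_list(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def lint_tls(conf):
    """Return one finding per mistake of the kinds pointed out in the thread."""
    findings = []
    for side in ("smtp", "smtpd"):
        grade = setting(conf, f"{side}_tls_ciphers", "medium")
        for t in split_list(setting(conf, f"{side}_tls_exclude_ciphers")):
            if t not in CIPHER_KEYWORDS:
                fix = [k for k in CIPHER_KEYWORDS if k.lower() == t.lower()]
                hint = f" (case-sensitive; did you mean {fix[0]}?)" if fix else ""
                findings.append(f"{side}_tls_exclude_ciphers: unknown keyword {t!r}{hint}")
            elif t in ("LOW", "EXP", "EXPORT") and grade in ("high", "medium"):
                findings.append(f"{side}_tls_exclude_ciphers: {t} is already dropped by {side}_tls_ciphers = {grade}")
        for key in (f"{side}_tls_protocols", f"{side}_tls_mandatory_protocols"):
            for t in split_list(setting(conf, key)):
                if t.lstrip("!") not in PROTOCOLS:
                    findings.append(f"{key}: {t!r} is not a TLS protocol name")
    return findings

# Constructed sample: the settings posted in the thread, as a main.cf fragment.
SAMPLE = """\
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK,
    aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
"""
```

Running `lint_tls(parse_main_cf(SAMPLE))` reports the two misspelled keywords, the redundant LOW and EXPORT exclusions (once per side, since the smtpd list is a `$` reference to the smtp one) and the stray "high" in the protocol list; Viktor's corrected exclusion list produces no findings.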



Re: question about envelop from.

2018-03-14 Thread John

Too complicated? How could this be improved?

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtp_tls_protocols = !SSLv2, !SSLv3

smtpd_sasl_auth_enable = no

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols



Re: question about envelop from.

2018-03-13 Thread Viktor Dukhovni


> On Mar 13, 2018, at 12:00 PM, Matus UHLAR - fantomas  
> wrote:
> 
> smtpd_tls_ciphers=high
> smtpd_tls_mandatory_ciphers=high
> smtpd_tls_exclude_ciphers=aNULL

My recommendation is:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high

There's not much need to exclude any additional ciphers, but if you must,
see the previous post...

-- 
Viktor.



Re: question about envelop from.

2018-03-13 Thread Viktor Dukhovni


> On Mar 13, 2018, at 11:36 AM, LuKreme  wrote:
> 
> In general, or these specific exclusions?

Mostly in general.  Why do cleartext with clients that can't do strong ciphers?
Let them encrypt with their medium ciphers.

> I've had
> 
> smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4
> 
> For a pretty long time now 

That said, the above are fine to exclude; they are just unnecessary
attack surface.  With the exception of "RC4", nobody needs these for
interoperability at this time.  And even "RC4" use is vanishingly
small.

-- 
Viktor.



Re: question about envelop from.

2018-03-13 Thread Matus UHLAR - fantomas

On 13.03.18 09:36, LuKreme wrote:
>On Mar 13, 2018, at 09:17, Viktor Dukhovni  wrote:
>>>smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, 
>>>DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
>>
>>This too is unwise.  Remove this setting.
>
>In general, or these specific exclusions?
>
>I've had
>
>smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4
>
>For a pretty long time now

I have:

smtpd_tls_ciphers=high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: question about envelop from.

2018-03-13 Thread LuKreme

On Mar 13, 2018, at 09:17, Viktor Dukhovni  wrote:
>> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, 
>> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
> 
> This too is unwise.  Remove this setting.

In general, or these specific exclusions?

I've had

smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4

For a pretty long time now 

-- 
My main job is trying to come up with new and innovative and effective ways to 
reject even more mail. I'm up to about 97% now.




Re: question about envelop from.

2018-03-13 Thread Viktor Dukhovni


> On Mar 13, 2018, at 10:53 AM, L.P.H. van Belle  wrote:
> 
> Yes, I've set smtpd_tls_ask_ccert to yes.

You almost certainly don't need this.

> Hmmm, I now also noticed I don't have Trusted or Verified anymore; this must 
> be a miss on my side after the switch from Postfix 2.10 to 3.1.

"Verified" is not possible with smtpd(8).  "Trusted" could happen when the
client certificate is signed by a trusted CA:

   http://www.postfix.org/FORWARD_SECRECY_README.html#status

but, typically, you should not be requesting client certificates that
serve no purpose.

> I need SSL verification

Not for incoming traffic; there, just supporting STARTTLS is all you need.

> smtpd_starttls_timeout = 300s

Don't duplicate default settings.

> smtpd_use_tls=yes
> smtpd_enforce_tls = no

These are obsolete.

> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 2

You don't need these.  I see no evidence of any meaningful use of
client certs.  At least not on port 25 via main.cf.

> smtpd_tls_always_issue_session_ids = no

This is the default.

> smtpd_tls_received_header = yes

Second time this is set.

> smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer

It is much better to have all the required intermediates in
your certfile, and leave this field empty.

> smtpd_tls_ciphers = high

This is unwise; the (default in supported releases) "medium" is better, see:

   https://tools.ietf.org/html/rfc7435

> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, 
> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES

This too is unwise.  Remove this setting.

> # Enable EECDH key exchange for Forward Security
> smtpd_tls_eecdh_grade=ultra

With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far
better off with the default of "auto".

   http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

-- 
Viktor.



RE: question about envelop from.

2018-03-13 Thread L.P.H. van Belle

Hello Viktor, 


> -Original Message-
> From: postfix-us...@dukhovni.org 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Viktor Dukhovni
> Sent: Tuesday 13 March 2018 15:27
> To: Postfix users
> Subject: Re: question about envelop from.
> 
> 
> 
> > On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle 
> > <be...@bazuin.nl> wrote:
> > 
> > Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: 
> > reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 
> > <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: 
> > Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort> 
> >  
> > about this: 
> > envelope-from="MAILER-DAEMON@apmcsqa01.poort" 
> >  
> > I'm looking for the correct RFC where it's described that the 
> > part @apmcsqa01.poort  should be @thesendingdomain.tld 
> > where thesendingdomain.tld is also a resolvable domain, 
> > because now it does not make sense because the 
> > mailer-daemon will never be accepted because it's non-resolvable
> 
> In addition to not being resolvable, the envelope sender 
> address here is also
> problematic because "MAILER-DAEMON@" should only ever appear 
> in the message
> headers and NEVER as the envelope sender.  The correct 
> envelope sender for
> bounces is the empty (or null) sender:
> 
>   MAIL FROM:<>
> 
> not
> 
>   MAIL FROM:<mailer-dae...@example.net>
> 
> Sure, some domain could in theory have an actual user mailbox named
> "mailer-daemon", but that is most unlikely.  It is rather clear that
> the server in question is generating backscatter with a non-empty
> envelope sender address, thus potentially leading to mail loops.
> 
> It is good that your server is rejecting this traffic.
> 
> Finally, it seems you may be requesting client certificates 
> on port 25,
> (incoming TLS status is "Untrusted" rather than "Anonymous") I wonder
> why...
> 
>http://www.postfix.org/FORWARD_SECRECY_README.html#status
> 
> do you have "smtpd_tls_ask_ccert = yes"?
> 
> -- 
>   Viktor.
> 


Yes, I've set smtpd_tls_ask_ccert to yes. 

I do also have Anonymous messages:
Anonymous TLS connection established from 
mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmmm, I now also noticed I don't have Trusted or Verified anymore; this must be 
a miss on my side after the switch from Postfix 2.10 to 3.1. 

I need SSL verification; I'm not running a high-volume site and I just enabled 
DKIM, SPF, TLSA and DANE for this server. 
Any tips on my config? I'm running this config at the moment, Postfix 3.1.8 (Debian) 
(config below) 

Best regards, 

Louis



### General Defaults
smtpd_banner = $myhostname ESMTP Ready
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no

### no one needs to ask our server who is on it
disable_vrfy_command = yes

# user!domain != user@domain
swap_bangpath = no

# user%domain != user@domain
allow_percent_hack = no

### Tarpit until RCPT TO: to reject the email for nagios compatibility
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports and slowdown delivery to per domain are set here also.
transport_maps = hash:/etc/postfix/personal/transport_maps.map
## Transports Tuning outgoing connections ! Esa max concurrent connections (polite)
## see also transport file and master.cf
# Throttle limit policy mail (global)
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2

# Polite policy
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5

# Turtle policy
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2
##
###

## 100 Mb size limit 
message_size_limit = 10240

# Postfix before 3.0 by default permits non-ASCII content in headers and addresses.
strict_7bit_headers = yes

2bounce_notice_recipient = postmas...@somedomain.tld
2bounce_notice_recipient = postmas...@somedomain.tld
bounce_notice_recipient = postmas...@somedomain.tld
delay_notice_recipient = postmas...@somedomain.tld
error_notice_recipient = postmas...@somedomain.tld
notify_classes = bounce, resource, software

## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly-written mail applications.
## default = no
strict_

Re: question about envelop from.

2018-03-13 Thread Viktor Dukhovni


> On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle  wrote:
> 
> Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from 
> smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 : 
> Sender address rejected: Domain not found; 
> from= 
>  
> about this: 
> envelope-from="MAILER-DAEMON@apmcsqa01.poort" 
>  
> I'm looking for the correct RFC where it's described that the part 
> @apmcsqa01.poort  should be @thesendingdomain.tld 
> where thesendingdomain.tld is also a resolvable domain, because now it does 
> not make sense because the mailer-daemon will never be accepted because 
> it's non-resolvable

In addition to not being resolvable, the envelope sender address here is also
problematic because "MAILER-DAEMON@" should only ever appear in the message
headers and NEVER as the envelope sender.  The correct envelope sender for
bounces is the empty (or null) sender:

MAIL FROM:<>

not

MAIL FROM:

Sure, some domain could in theory have an actual user mailbox named
"mailer-daemon", but that is most unlikely.  It is rather clear that
the server in question is generating backscatter with a non-empty
envelope sender address, thus potentially leading to mail loops.

It is good that your server is rejecting this traffic.

Finally, it seems you may be requesting client certificates on port 25
(incoming TLS status is "Untrusted" rather than "Anonymous").  I wonder
why...

   http://www.postfix.org/FORWARD_SECRECY_README.html#status

do you have "smtpd_tls_ask_ccert = yes"?

-- 
Viktor.



RE: question about envelop from.

2018-03-13 Thread L.P.H. van Belle

Hi Matus, 
Thank you for the reply, most appreciated. 

No, but it's a "government" server, so I need to be very sure..   ;-) 
Thanks, I was looking in the wrong RFC. 


Best regards, 

Louis
 

> -Original Message-
> From: uh...@fantomas.sk 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Matus UHLAR - fantomas
> Sent: Tuesday 13 March 2018 14:05
> To: postfix-users@postfix.org
> Subject: Re: question about envelop from.
> 
> On 13.03.18 13:54, L.P.H. van Belle wrote:
> >I'm reading through RFCs but the following is still not clear to me.
> > 
> >E-mail is rejected based on the envelope-from address from a 
> >mail daemon with postfix + postfix-policyd-spf
> > 
> >I saw the following in the postfix logs.
> >Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS 
> >connection established from smtp1..nl[x.xx.xxx.xx]: 
> >TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> >Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy 
> >action=PREPEND Received-SPF: none (apmcsqa01.poort: No 
> >applicable sender policy available) 
> >receiver=hostname.domain.nl; identity=mailfrom; 
> >envelope-from="MAILER-DAEMON@apmcsqa01.poort"; 
> >helo=smtp1..nl; client-ip=x.xx.xxx.xx]
> >Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: 
> >reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 
> ><MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: 
> >Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort>
> > 
> >about this:
> >envelope-from="MAILER-DAEMON@apmcsqa01.poort"
> 
> who configured a non-existing domain name there, and why?
> 
> >I'm looking for the correct RFC where it's described that the 
> >part @apmcsqa01.poort  should be @thesendingdomain.tld
> 
> RFC 5321, section 2.3.5.  Domain Names:
> 
>    Only resolvable, fully-qualified domain names (FQDNs) are 
>    permitted when domain names are used in SMTP.
> 
> >where thesendingdomain.tld is also a resolvable domain, 
> >because now it does not make sense because the 
> >mailer-daemon will never be accepted because it's non-resolvable
> 
> correct. that is the expected behaviour.
> do you expect someone to accept mail from non-existing 
> (invalid) addresses?
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not want to receive any advertising mail at this address.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
> 
> 



Re: question about envelop from.

2018-03-13 Thread Matus UHLAR - fantomas

On 13.03.18 13:54, L.P.H. van Belle wrote:
>I'm reading through RFCs but the following is still not clear to me.
> 
>E-mail is rejected based on the envelope-from address from a mail daemon with 
>postfix + postfix-policyd-spf
> 
>I saw the following in the postfix logs.
>Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection 
>established from smtp1..nl[x.xx.xxx.xx]: TLSv1.2 with cipher 
>ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: 
>none (apmcsqa01.poort: No applicable sender policy available) 
>receiver=hostname.domain.nl; identity=mailfrom; 
>envelope-from="MAILER-DAEMON@apmcsqa01.poort"; helo=smtp1..nl; 
>client-ip=x.xx.xxx.xx]
>Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from 
>smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 : Sender 
>address rejected: Domain not found; from=
> 
>about this:
>envelope-from="MAILER-DAEMON@apmcsqa01.poort"

who configured a non-existing domain name there, and why?

>I'm looking for the correct RFC where it's described that the part 
>@apmcsqa01.poort  should be @thesendingdomain.tld

RFC 5321, section 2.3.5.  Domain Names:

   Only resolvable, fully-qualified domain names (FQDNs) are permitted
   when domain names are used in SMTP.

>where thesendingdomain.tld is also a resolvable domain, because now it does
>not make sense because the mailer-daemon will never be accepted because
>it's non-resolvable

correct. that is the expected behaviour.
do you expect someone to accept mail from non-existing (invalid) addresses?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
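Two points from this thread lend themselves to a log check: Viktor's observation that "MAILER-DAEMON@" must never be a non-empty envelope sender (bounces use MAIL FROM:<>) and that an "Untrusted" TLS status means client certificates are being requested, and the RFC 5321 section 2.3.5 requirement Matus cites that sender domains be resolvable FQDNs. The scanner below is an added example, not code from the thread or from Postfix; the smtpd log lines, hostnames and addresses are constructed for it, and `dns_resolves` is an optional hook (it approximates Postfix's check, which wants an MX or A record) so the syntactic check alone runs offline.

```python
import re
import socket
from collections import Counter

# Constructed sample log lines modelled on the ones posted in the thread;
# hostnames, IPs and recipients are made up for this example.
SAMPLE_LOG = """\
Feb  7 00:00:16 mx postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.example.nl[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:00:16 mx postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.example.nl[192.0.2.10]: 450 4.1.8 <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort> to=<user@example.net> proto=ESMTP helo=<smtp1.example.nl>
Feb  7 00:01:02 mx postfix/smtpd[31730]: Anonymous TLS connection established from mail.example.com[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:01:03 mx postfix/smtpd[31730]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 550 5.1.1 <nobody@example.net>: Recipient address rejected: User unknown; from=<> to=<nobody@example.net> proto=ESMTP helo=<mail.example.com>
"""
# The two smtpd line shapes the thread shows: TLS status and NOQUEUE rejects.
TLS_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+) TLS connection established from (\S+?)\[")
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (\S+?)\[.*?from=<([^>]*)>")

def dns_resolves(domain):
    """Approximates Postfix's sender-domain check (it wants an MX or A record)."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False

def sender_issues(sender, resolves=None):
    """Findings for a suspect envelope sender; the empty sender (MAIL FROM:<>) is the
    correct bounce sender and gets none.  'resolves' is an optional domain -> bool hook."""
    if sender == "":
        return []
    issues = []
    local, _, domain = sender.rpartition("@")
    if local.lower() == "mailer-daemon":
        issues.append("MAILER-DAEMON used as a non-empty envelope sender (backscatter, loop risk)")
    if "." not in domain or (resolves is not None and not resolves(domain)):
        issues.append("sender domain is not a resolvable FQDN (RFC 5321 section 2.3.5)")
    return issues

def scan_log(text, resolves=None):
    """Count inbound TLS status and list rejected senders with their issues."""
    tls, rejects = Counter(), []
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls[m.group(1)] += 1        # Anonymous, Untrusted, Trusted or Verified
            continue
        m = REJECT_RE.search(line)
        if m:
            client, sender = m.groups()
            rejects.append((client, sender, sender_issues(sender, resolves)))
    return tls, rejects

def asks_for_client_certs(tls):
    """Anything but 'Anonymous' means smtpd asked the client for a certificate
    (smtpd_tls_ask_ccert); for plain STARTTLS on port 25 that is unnecessary."""
    return any(tls.get(s, 0) for s in ("Untrusted", "Trusted", "Verified"))
```

Without a resolver hook the `.poort` domain passes the syntactic test (it does contain a dot), which is exactly why Postfix's DNS-based check, or `dns_resolves`, is needed to catch it.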