Re: question about envelop from.
Thanks for the help.

>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
>
> Where did you get the idea that "high" was a TLS protocol version?

I think this got in there by mistake, it's not in my postfix configuration. My guess is that I started typing before moving the cursor. Ooops! Sorry.

John A
Re: question about envelop from.
> On Mar 14, 2018, at 10:48 PM, John wrote:
>
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Fine.

> smtp_tls_ciphers = high

OK, but medium is perhaps sufficient.

> smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS,
> kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW". You're also misspelling some of the cipher names, they are case-sensitive. Try:

smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr, kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very small number of systems will now only be able to receive from you in the clear.

> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high

Where did you get the idea that "high" was a TLS protocol version?

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_ciphers = high

I would also suggest "medium" here.

> smtpd_tls_eecdh_grade = auto

This requires (and is recommended for) Postfix 3.2 or later.

> smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers

Not necessarily a good idea. The server should perhaps be more liberal.

--
Viktor.
Re: question about envelop from.
Too complicated? How could this be improved?

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_auth_enable = no
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols
Re: question about envelop from.
> On Mar 13, 2018, at 12:00 PM, Matus UHLAR - fantomas wrote:
>
> smtpd_tls_ciphers=high
> smtpd_tls_mandatory_ciphers=high
> smtpd_tls_exclude_ciphers=aNULL

My recommendation is:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high

There's not much need to exclude any additional ciphers, but if you must, see the previous post...

--
Viktor.
Re: question about envelop from.
> On Mar 13, 2018, at 11:36 AM, LuKreme wrote:
>
> In general, or these specific exclusions?

Mostly in general. Why do cleartext with clients that can't do strong ciphers, let them encrypt with their medium ciphers.

> I've had
>
> smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4
>
> For a pretty long time now

That said, the above are fine to exclude, they are just unnecessary attack surface, with the exception of "RC4" nobody needs these for interoperability at this time. And even "RC4" use is vanishingly small.

--
Viktor.
Re: question about envelop from.
On 13.03.18 09:36, LuKreme wrote:
> On Mar 13, 2018, at 09:17, Viktor Dukhovni wrote:
>>> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
>>> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
>>
>> This too is unwise. Remove this setting.
>
> In general, or these specific exclusions? I've had
>
> smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4
>
> For a pretty long time now

I have:

smtpd_tls_ciphers=high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: question about envelop from.
On Mar 13, 2018, at 09:17, Viktor Dukhovni wrote:
>> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
>> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
>
> This too is unwise. Remove this setting.

In general, or these specific exclusions? I've had

smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4

For a pretty long time now

--
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.
Re: question about envelop from.
> On Mar 13, 2018, at 10:53 AM, L.P.H. van Belle wrote:
>
> Yes, I've set smtpd_tls_ask_ccert to yes.

You almost certainly don't need this.

> Hmmm, I now also noticed I don't have Trusted or Verified anymore, this must
> be a miss on my side after the switch from 2.10 to 3.1 postfix.

"Verified" is not possible with smtpd(8). "Trusted" could happen when the client certificate is signed by a trusted CA:

http://www.postfix.org/FORWARD_SECRECY_README.html#status

but, typically, you should not be requesting client certificates that serve no purpose.

> I need ssl verification

Not for incoming traffic, there just supporting STARTTLS is all you need.

> smtpd_starttls_timeout = 300s

Don't duplicate default settings.

> smtpd_use_tls=yes
> smtpd_enforce_tls = no

These are obsolete.

> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 2

You don't need these. I see no evidence of any meaningful use of client certs. At least not on port 25 via main.cf.

> smtpd_tls_always_issue_session_ids = no

This is the default.

> smtpd_tls_received_header = yes

Second time this is set.

> smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer

It is much better to have all the required intermediates in your certfile, and leave this field empty.

> smtpd_tls_ciphers = high

This is unwise, the (default in supported releases) "medium" is better, see:

https://tools.ietf.org/html/rfc7435

> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES

This too is unwise. Remove this setting.

> # Enable EECDH key exchange for Forward Security
> smtpd_tls_eecdh_grade=ultra

With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far better off with the default of "auto".

http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

--
Viktor.
RE: question about envelop from.
Hello Victor,

> -----Original message-----
> From: postfix-us...@dukhovni.org [mailto:owner-postfix-us...@postfix.org] On behalf of Viktor Dukhovni
> Sent: Tuesday 13 March 2018 15:27
> To: Postfix users
> Subject: Re: question about envelop from.
>
>> On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:
>>
>> Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort>
>>
>> about this:
>> envelope-from="MAILER-DAEMON@apmcsqa01.poort"
>>
>> I'm looking for the correct RFC where it's described that the part @apmcsqa01.poort should be @thesendingdomain.tld
>> where thesendingdomain.tld is also a resolvable domain, because now it does not make sense, because the mailer-daemon will never be accepted since it is not resolvable
>
> In addition to not being resolvable, the envelope sender address here is also
> problematic because "MAILER-DAEMON@" should only ever appear in the message
> headers and NEVER as the envelope sender. The correct envelope sender for
> bounces is the empty (or null) sender:
>
> MAIL FROM:<>
>
> not
>
> MAIL FROM:<mailer-dae...@example.net>
>
> Sure, some domain could in theory have an actual user mailbox named
> "mailer-daemon", but that is most unlikely. It is rather clear that
> the server in question is generating backscatter with a non-empty
> envelope sender address, thus potentially leading to mail loops.
>
> It is good that your server is rejecting this traffic.
>
> Finally, it seems you may be requesting client certificates on port 25,
> (incoming TLS status is "Untrusted" rather than "Anonymous") I wonder
> why...
>
> http://www.postfix.org/FORWARD_SECRECY_README.html#status
>
> do you have "smtpd_tls_ask_ccert = yes"?
>
> --
> Viktor.

Yes, I've set smtpd_tls_ask_ccert to yes.

I do also have Anonymous messages:

Anonymous TLS connection established from mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmmm, I now also noticed I don't have Trusted or Verified anymore, this must be a miss on my side after the switch from 2.10 to 3.1 postfix.

I need ssl verification, I'm not running a high volume site and I just enabled DKIM, SPF, TLSA and DANE for this server.

Any tips on my config? I'm running this config atm, postfix 3.1.8 (Debian) (config below).

Best regards,

Louis

### General Defaults
smtpd_banner = $myhostname ESMTP Ready
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no

### no one needs to ask our server who is on it
disable_vrfy_command = yes

### user!domain != user@domain
swap_bangpath = no
### user%domain != user@domain
allow_percent_hack = no

### Tarpit until RCPT TO: to reject the email for nagios compatibility
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports and slowdown delivery to per domain are set here also.
transport_maps = hash:/etc/postfix/personal/transport_maps.map

## Transports Tuning outgoing connections !
## Esa max concurrent connections (polite)
## see also transport file and master.cf
# Throttle limit policy mail (global)
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2
# Polite policy
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5
# Turtle policy
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2
##
###
## 100 Mb size limit
message_size_limit = 10240
# Postfix before 3.0 by default permits non-ASCII content in headers and addresses.
strict_7bit_headers = yes
2bounce_notice_recipient = postmas...@somedomain.tld
2bounce_notice_recipient = postmas...@somedomain.tld
bounce_notice_recipient = postmas...@somedomain.tld
delay_notice_recipient = postmas...@somedomain.tld
error_notice_recipient = postmas...@somedomain.tld
notify_classes = bounce, resource, software
## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly-written mail applications.
## default = no
strict_
Re: question about envelop from.
> On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle wrote:
>
> Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from
> smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 <MAILER-DAEMON@apmcsqa01.poort>:
> Sender address rejected: Domain not found;
> from=<MAILER-DAEMON@apmcsqa01.poort>
>
> about this:
> envelope-from="MAILER-DAEMON@apmcsqa01.poort"
>
> I'm looking for the correct RFC where it's described that the part
> @apmcsqa01.poort should be @thesendingdomain.tld
> where thesendingdomain.tld is also a resolvable domain, because now it does
> not make sense, because the mailer-daemon will never be accepted since
> it is not resolvable

In addition to not being resolvable, the envelope sender address here is also problematic because "MAILER-DAEMON@" should only ever appear in the message headers and NEVER as the envelope sender. The correct envelope sender for bounces is the empty (or null) sender:

MAIL FROM:<>

not

MAIL FROM:<mailer-dae...@example.net>

Sure, some domain could in theory have an actual user mailbox named "mailer-daemon", but that is most unlikely. It is rather clear that the server in question is generating backscatter with a non-empty envelope sender address, thus potentially leading to mail loops.

It is good that your server is rejecting this traffic.

Finally, it seems you may be requesting client certificates on port 25, (incoming TLS status is "Untrusted" rather than "Anonymous") I wonder why...

http://www.postfix.org/FORWARD_SECRECY_README.html#status

do you have "smtpd_tls_ask_ccert = yes"?

--
Viktor.
RE: question about envelop from.
Hi Matus,

Thank you for the reply, most appreciated.

No, but it's a "government" server, so I need to be very sure.. ;-)

Thanks, I was looking in the wrong RFC.

Best regards,

Louis

> -----Original message-----
> From: uh...@fantomas.sk [mailto:owner-postfix-us...@postfix.org] On behalf of Matus UHLAR - fantomas
> Sent: Tuesday 13 March 2018 14:05
> To: postfix-users@postfix.org
> Subject: Re: question about envelop from.
>
> On 13.03.18 13:54, L.P.H. van Belle wrote:
>> I'm reading through RFCs but the following is still not clear for me.
>>
>> E-mail is rejected based on the envelope-from address from a mail-daemon with postfix + postfix-policyd-spf
>>
>> I saw the following in the postfix logs.
>> Feb 7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1..nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>> Feb 7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="MAILER-DAEMON@apmcsqa01.poort"; helo=smtp1..nl; client-ip=x.xx.xxx.xx]
>> Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort>
>>
>> about this:
>> envelope-from="MAILER-DAEMON@apmcsqa01.poort"
>
> who configured a non-existing domain name there, and why?
>
>> I'm looking for the correct RFC where it's described that the part @apmcsqa01.poort should be @thesendingdomain.tld
>
> RFC 5321, section 2.3.5. Domain Names:
>
>    Only resolvable, fully-qualified domain names (FQDNs) are permitted
>    when domain names are used in SMTP.
>
>> where thesendingdomain.tld is also a resolvable domain, because now it does
>> not make sense, because the mailer-daemon will never be accepted since
>> it is not resolvable
>
> correct. that is the expected behaviour.
> do you expect someone to accept mail from non-existing (invalid) addresses?
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: question about envelop from.
On 13.03.18 13:54, L.P.H. van Belle wrote:
> I'm reading through RFCs but the following is still not clear for me.
>
> E-mail is rejected based on the envelope-from address from a mail-daemon with postfix + postfix-policyd-spf
>
> I saw the following in the postfix logs.
> Feb 7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1..nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Feb 7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="MAILER-DAEMON@apmcsqa01.poort"; helo=smtp1..nl; client-ip=x.xx.xxx.xx]
> Feb 7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1..nl[x.xx.xxx.xx]]: 450 4.1.8 <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort>
>
> about this:
> envelope-from="MAILER-DAEMON@apmcsqa01.poort"

who configured a non-existing domain name there, and why?

> I'm looking for the correct RFC where it's described that the part @apmcsqa01.poort should be @thesendingdomain.tld

RFC 5321, section 2.3.5. Domain Names:

   Only resolvable, fully-qualified domain names (FQDNs) are permitted
   when domain names are used in SMTP.

> where thesendingdomain.tld is also a resolvable domain, because now it does
> not make sense, because the mailer-daemon will never be accepted since
> it is not resolvable

correct. that is the expected behaviour.
do you expect someone to accept mail from non-existing (invalid) addresses?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
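An added example (not from the thread or from Postfix itself) that turns the two points raised in this exchange into a log check: smtpd TLS status lines reading "Untrusted" or "Trusted" instead of "Anonymous" show that client certificates are being requested, and a non-empty MAILER-DAEMON@ envelope sender on an unresolvable domain is backscatter rather than a proper null-sender bounce. The sample log lines and the FAKE_DNS stand-in for DNS lookups are constructed so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log excerpts quoted in this thread;
# hosts and addresses are documentation placeholders, not real systems.
SAMPLE_LOG = """\
Feb  7 00:00:16 mx postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.example.nl[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:00:16 mx postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.example.nl[192.0.2.10]: 450 4.1.8 <MAILER-DAEMON@apmcsqa01.poort>: Sender address rejected: Domain not found; from=<MAILER-DAEMON@apmcsqa01.poort> to=<user@example.nl> proto=ESMTP helo=<smtp1.example.nl>
Feb  7 00:01:02 mx postfix/smtpd[31730]: Anonymous TLS connection established from mail.example.com[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:02:11 mx postfix/smtpd[31744]: NOQUEUE: reject: RCPT from relay.example.org[203.0.113.5]: 554 5.7.1 <spam@example.com>: Sender address rejected: Access denied; from=<spam@example.com> to=<user@example.nl> proto=ESMTP helo=<relay.example.org>
"""
# Constructed stand-in for DNS so this runs offline; production code would do the
# A/MX lookup that Postfix's reject_unknown_sender_domain performs.
FAKE_DNS = {"example.nl", "example.com", "example.org"}

TLS_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from (\S+): (TLSv[\d.]+) with cipher (\S+) \((\d+)/\d+ bits\)")
REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (\S+): (\d{3}) (\d\.\d\.\d) <[^>]*>: (.*?); from=<([^>]*)>")

def sender_issues(addr, resolvable=FAKE_DNS.__contains__):
    """Flag envelope senders that look like backscatter or break RFC 5321 2.3.5."""
    if addr == "":  # MAIL FROM:<> is the correct envelope sender for bounces
        return []
    issues = []
    local, _, domain = addr.rpartition("@")
    if local.lower() == "mailer-daemon":  # belongs in headers, never in MAIL FROM
        issues.append("mailer-daemon-envelope")
    if "." not in domain:
        issues.append("not-fqdn")
    elif not resolvable(domain):
        issues.append("unresolvable-domain")
    return issues

def summarize(log, resolvable=FAKE_DNS.__contains__):
    """Count smtpd TLS trust levels and ciphers, and classify sender rejects."""
    tls, ciphers, rejects = Counter(), Counter(), []
    for line in log.splitlines():
        if m := TLS_RE.search(line):
            tls[m.group(1)] += 1
            ciphers[f"{m.group(3)} {m.group(4)}"] += 1
        elif m := REJECT_RE.search(line):
            rejects.append({"client": m.group(1), "code": m.group(2), "dsn": m.group(3),
                            "reason": m.group(4), "sender": m.group(5),
                            "issues": sender_issues(m.group(5), resolvable)})
    # Untrusted/Trusted on smtpd mean the client offered a certificate, which only
    # happens when the server asks for one (smtpd_tls_ask_ccert = yes).
    return {"tls": tls, "ciphers": ciphers, "rejects": rejects,
            "asks_ccert": bool(tls["Untrusted"] or tls["Trusted"])}
```

Run summarize() over a real mail log (with a real resolver in place of FAKE_DNS) to see whether any client certificates are being solicited and which rejected senders are backscatter from unresolvable domains.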