Re: [courier-users] Disable SSL for esmtpd on port 25
>On Fri 27/May/2016 14:39:59 +0200 Matus UHLAR - fantomas wrote:
>> % grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
>> 261
>> % grep relay= /var/log/mail | grep sm-mta | grep -c from=
>> 1007

On 27.05.16 20:02, Alessandro Vesely wrote:
>Cute, I guess sm-mta is the machine name... but wait, why do I miss the
>STARTTLS=server part? Also, doesn't the from= include errors? Most errors and
>unencrypted sessions seem to be related to spammers...

This is a sendmail log... I have had TLS turned on for years.

Yeah, I think I should disable ssl23 :)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are

___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] Disable SSL for esmtpd on port 25
On 05/27/2016 05:39 AM, Matus UHLAR - fantomas wrote:
> Aha... doesn't couriertls produce an error when too low a TLS version is tried
> by the client?

It should, but the "SSL23" message that Mark originally mentioned doesn't really indicate that the clients are using SSL2 or SSL3 (as best I can tell). The message "tlsv1 alert decode error" should indicate that the peer is using TLS v1, but didn't understand some extension that's present in OpenSSL, used by Courier.
Re: [courier-users] Disable SSL for esmtpd on port 25
On 05/27/2016 11:02 AM, Alessandro Vesely wrote:
> but wait, why do I miss the STARTTLS=server part?

Logs will look slightly different for builds on OpenSSL and those on gnutls. That'd be my guess.
Re: [courier-users] Disable SSL for esmtpd on port 25
On Fri 27/May/2016 14:39:59 +0200 Matus UHLAR - fantomas wrote:
>
>> I don't know how to check what percentage of port 25 mailserver to
>> mailserver connections may be SSL encrypted to justify leaving SSL
>> on port 25 for server to server connections. Would you (or anyone)
>> have any idea how many mailservers are successfully connecting to
>> each other via SSL these days?

What I do is check courierd's Received: line; "with ESMTPS" stands for "ESMTP with STARTTLS", according to:
http://www.iana.org/assignments/mail-parameters/mail-parameters.xhtml#mail-parameters-7

> % grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
> 261
> % grep relay= /var/log/mail | grep sm-mta | grep -c from=
> 1007

Cute, I guess sm-mta is the machine name... but wait, why do I miss the STARTTLS=server part? Also, doesn't the from= include errors? Most errors and unencrypted sessions seem to be related to spammers...

Ale
Re: [courier-users] Disable SSL for esmtpd on port 25
>On 27/05/16 02:20, Matus UHLAR - fantomas wrote:
>>> Some lame govt mailservers are still using SSL23...
>>> "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"
>>> and rather than whitelist them I'm sure I used to just disable SSL
>>> via /etc/courier/esmtpd altogether (currently using v0.68.2)...
>>
>> Why not whitelisting? Why avoid security just because some can't
>> cope with it?

On 27.05.16 13:07, Mark Constable wrote:
>We only use authenticated relaying via 465/SSL and 587/TLS so none
>of our clients use port 25 for auth/relay. The problem is our client
>recipient has to contact our support which then asks them for a copy
>of the error, then I get it, then I have to squirrel around in the
>mail logs to determine IP/hosts and hope a dig mx finds the right
>mailserver etc then whitelists that server/mx and cross my fingers
>I got all that right and our client can continue on their merry way.

Aha... doesn't couriertls produce an error when too low a TLS version is tried
by the client?

>I don't know how to check what percentage of port 25 mailserver to
>mailserver connections may be SSL encrypted to justify leaving SSL
>on port 25 for server to server connections. Would you (or anyone)
>have any idea how many mailservers are successfully connecting to
>each other via SSL these days?

% grep relay= /var/log/mail | grep sm-mta | grep -c STARTTLS=server
261
% grep relay= /var/log/mail | grep sm-mta | grep -c from=
1007
% grep relay= /var/log/mail.1 | grep sm-mta | grep -c from=
1349
% grep relay= /var/log/mail.1 | grep sm-mta | grep -c STARTTLS=server
296

That gives some 25%.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
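The two ways of measuring the STARTTLS share that come up in this thread (Matus's grep over a sendmail log for STARTTLS=server versus from=, and Alessandro's check of the "with ESMTPS" keyword in the Received: line) both have the double-counting problem Alessandro points at: a from= line is logged for envelopes whose every recipient was rejected, and a plain grep cannot tell which from= belongs to a TLS session. The script below is an added example, not code from the thread or from Courier or sendmail. It correlates STARTTLS=server and from= records by queue id, drops from= records with nrcpts=0, and classifies Received: headers by the IANA "with" keyword. All log lines and headers are constructed; the log layout follows sendmail's usual "qid: key=value, ..." format, and the assumption that sendmail writes proto=ESMTPS into the from= record of a TLS session is mine.

```python
"""Share of inbound port-25 messages that arrived over STARTTLS.

Added example (not from the courier-users thread). Two independent measures:
  1. sendmail-style syslog: STARTTLS=server and from= records correlated by
     queue id; from= records with nrcpts=0 (all recipients rejected) dropped.
  2. Received: headers written by our MTA: the IANA "with" keyword
     (ESMTPS, ESMTPSA, UTF8SMTPS, ...) marks a STARTTLS-protected hop.
Every log line and header below is constructed for this example.
"""
import re

# Constructed sendmail-style excerpt. proto=ESMTPS for a TLS session is an
# assumption about sendmail's from= record, not taken from the thread.
SAMPLE_LOG = """\
May 27 12:00:01 mx sm-mta[2201]: u4RA01ab002201: STARTTLS=server, relay=mail.example.org [192.0.2.10], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
May 27 12:00:02 mx sm-mta[2201]: u4RA01ab002201: from=<a@example.org>, size=1500, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTPS, daemon=MTA, relay=mail.example.org [192.0.2.10]
May 27 12:00:05 mx sm-mta[2205]: u4RA05cd002205: from=<b@example.net>, size=900, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=smtp.example.net [198.51.100.7]
May 27 12:00:07 mx sm-mta[2209]: u4RA07ef002209: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=[203.0.113.9], reject=550 5.1.1 <nobody@example.com>... User unknown
May 27 12:00:08 mx sm-mta[2209]: u4RA07ef002209: from=<spam@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
May 27 12:00:09 mx sm-mta[2201]: u4RA09gh002201: from=<c@example.org>, size=700, class=0, nrcpts=1, msgid=<3@example.org>, proto=ESMTPS, daemon=MTA, relay=mail.example.org [192.0.2.10]
May 27 12:00:10 mx sm-mta[2210]: NOQUEUE: connect from unknown [203.0.113.44]
"""

_SM_LINE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\S+): (?P<rest>.*)$")


def _fields(rest):
    """Split 'k1=v1, k2=v2, ...' into a dict; values keep spaces and brackets."""
    out = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        out[key] = value
    return out


def sendmail_tls_stats(lines):
    """Return (accepted_messages, accepted_over_tls) from sendmail log lines.

    A message is TLS if its queue id had a STARTTLS=server record, or its
    from= record says proto=ESMTPS (later messages in the same session get
    a new queue id but no new STARTTLS line, so the proto field catches them).
    """
    tls_qids = set()
    accepted = {}  # qid -> proto of envelopes with at least one recipient
    for line in lines:
        m = _SM_LINE.search(line)
        if not m or m.group("qid") == "NOQUEUE":
            continue  # connection-level noise: nothing was queued
        qid, rest = m.group("qid"), m.group("rest")
        if rest.startswith("STARTTLS=server"):
            tls_qids.add(qid)
        elif rest.startswith("from=") and "relay=" in rest:
            f = _fields(rest)
            if int(f.get("nrcpts", "0")) > 0:  # nrcpts=0: wholly rejected
                accepted[qid] = f.get("proto", "")
    over_tls = sum(1 for qid, proto in accepted.items()
                   if qid in tls_qids or proto == "ESMTPS")
    return len(accepted), over_tls


# IANA Mail Transmission Types: SMTP/ESMTP/LMTP, optional UTF8 prefix,
# trailing S = STARTTLS, A = authenticated (ESMTPS, ESMTPSA, UTF8SMTPS...).
_WITH_KEYWORD = re.compile(r"(UTF8)?(E?SMTP|LMTP)(S)?(A)?")


def is_tls_with_keyword(keyword):
    """True when a Received: 'with' keyword denotes a STARTTLS-protected hop."""
    m = _WITH_KEYWORD.fullmatch(keyword.upper())
    return bool(m and m.group(3))


# Constructed Received: header values (header name stripped).
SAMPLE_RECEIVED = [
    "from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.com "
    "(8.15.2/8.15.2) with ESMTPS id u4RA01ab002201 (version=TLSv1.2 cipher="
    "ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 27 May 2016 12:00:02 +0200",
    "from smtp.example.net (smtp.example.net [198.51.100.7]) by mx.example.com "
    "(8.15.2/8.15.2) with ESMTP id u4RA05cd002205; Fri, 27 May 2016 12:00:05 +0200",
    # an upstream hop written by someone else's MTA: not part of our measurement
    "from [10.0.0.5] (unknown [10.0.0.5]) by mail.example.org with ESMTPSA id 7Z2k1; "
    "Fri, 27 May 2016 11:59:58 +0200",
    "from mta.example.edu (mta.example.edu [192.0.2.77]) by mx.example.com "
    "(8.15.2/8.15.2) with UTF8SMTPS id u4RA11ij002211; Fri, 27 May 2016 12:00:11 +0200",
]

_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")


def received_tls_stats(headers, by_host):
    """Return (hops_received_by_us, hops_received_by_us_over_tls)."""
    total = tls = 0
    for h in headers:
        by, with_ = _BY.search(h), _WITH.search(h)
        if not by or not with_ or by.group(1).lower() != by_host.lower():
            continue  # not a hop our MTA wrote
        total += 1
        tls += is_tls_with_keyword(with_.group(1))
    return total, tls


if __name__ == "__main__":
    for name, (n, t) in (("sendmail log", sendmail_tls_stats(SAMPLE_LOG.splitlines())),
                         ("Received:", received_tls_stats(SAMPLE_RECEIVED, "mx.example.com"))):
        print(f"{name}: {t}/{n} messages over STARTTLS ({100.0 * t / n:.0f}%)")
```

Run it against a real log by feeding `open("/var/log/mail")` to `sendmail_tls_stats`, and against a mailbox by collecting the `Received:` header values with `email` and passing your MX hostname as `by_host`. The denominator in both cases is accepted messages, not connections, which is closer to what Mark asked about than a raw count of from= lines, since spam sessions that are rejected at RCPT never enter it.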