Re: Glibc Vulnerability -- CVE-2015-0235

2015-01-27 Thread Jonas Wielicki

FWIW, in the original advisory at [1], section 4, there is a snippet
of C you can use to test whether you are vulnerable. If you are, you
should probably upgrade asap. The fact that no exploit for a specific
program has been found is no final proof there is none, although I
don’t doubt that Qualys took great effort in finding exploits
(considering the detail of their advisory, which reads really great).

In the follow-up [2] they state by the way that they also looked at
postfix.

best regards,
jwi

   [1]: http://www.openwall.com/lists/oss-security/2015/01/27/9
   [2]: http://www.openwall.com/lists/oss-security/2015/01/27/18

On 28.01.2015 06:17, Vijay Rajah wrote:
> Hello,
> 
> I'm sure most of you are aware of the latest Glibc vulnerability.
> (FYI: http://www.openwall.com/lists/oss-security/2015/01/27/9)
> 
> I'm not sure if postfix is vulnerable. I see from that posting
> that, exim under certain configurations, is vulnerable.
> 
> I think since postfix supports IPV6, it would use the
> getaddrinfo() function. Is there any place where the older
> gethostbyname() function is still used?
> 
> Is postfix in any way at all, vulnerable to this bug?
> 
> -Thanks Vijay


Re: Re: Re: Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread srach
Hello Viktor

28. Jan 2015 06:10 by postfix-us...@dukhovni.org:

> No that's main.cf.  I meant master.cf.

Ach! That is my reading mistake.


> This gets added as an override option to that master.cf
> transport definition.
>
> Clone "smtp unix ... smtp" or "relay unix ... smtp"
> to create a new transport.
>

It is done and works okay.

Thanks!

*S*


Re: Glibc Vulnerability -- CVE-2015-0235

2015-01-27 Thread Benny Pedersen

On 28. jan. 2015 06.50.31 Peter wrote:

> On 01/28/2015 06:17 PM, Vijay Rajah wrote:
> > Hello,
> >
> > I'm sure most of you are aware of the latest Glibc vulnerability. (FYI:
> > http://www.openwall.com/lists/oss-security/2015/01/27/9)
> >
> > I'm not sure if postfix is vulnerable. I see from that posting that,
> > exim under certain configurations, is vulnerable.
> >
> > I think since postfix supports IPV6, it would use the getaddrinfo()
> > function. Is there any place where the older gethostbyname() function is
> > still used?
> >
> > Is postfix in any way at all, vulnerable to this bug?
>
> Honestly, I don't know if postfix uses that function or not, but if
> postfix isn't vulnerable then you almost certainly have some other
> program on your box that is.  I would recommend that you update glibc
> without delay regardless.

The bug is resolved in glibc 2.18, and possibly in other distros with lots of
backports; in Gentoo it's glibc 2.19 stable. Note that a glibc update cannot be
reversed in terms of version numbers, so be sure to ask the maintainers first.


Re: Re: Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread Viktor Dukhovni
On Wed, Jan 28, 2015 at 06:01:33AM +, srach wrote:

> > The setting is per-transport.  Therefore you need a suitable
> > additional transport entry in master.cf with an 
> > smtp_bind_address
> > override, and a custom address_verify_transport or similar.
> 
> Okay I see the idea.
> 
> In the master.cf config I set already before
> 
> address_verify_relay_transport = smtp:[11.22.33.44]:25

No that's main.cf.  I meant master.cf.

> address_verify_relay_transport = smtp:[11.22.33.44]:25 

This changes to a transport other than "smtp".

> smtp_bind_address=55.66.77.88

This gets added as an override option to that master.cf
transport definition.

Clone "smtp unix ... smtp" or "relay unix ... smtp"
to create a new transport.

-- 
Viktor.
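A worked version of the master.cf/main.cf arrangement Viktor describes, added here as an example and not taken from his message: the transport name "verify" is an assumption, and the addresses are the ones already used in this thread.

```text
# master.cf: clone of the stock "smtp" entry under a new name; it differs
# only in the source address the smtp(8) client binds to for these probes
# and in a separate syslog tag so probe traffic is easy to tell apart.
verify    unix  -       -       n       -       -       smtp
    -o smtp_bind_address=55.66.77.88
    -o syslog_name=postfix/verify

# main.cf: regular deliveries keep the existing bind setting ...
smtp_bind_address = 0.0.0.0

# ... while verification probes for relay domains use the new transport.
# The transport name replaces "smtp" in front of the nexthop.
address_verify_relay_transport = verify:[11.22.33.44]:25

# If probes for other domain classes must leave from the same address,
# point their per-class parameters at the same transport as well, e.g.
# address_verify_default_transport = verify:
```

After `postfix reload`, `postconf -M verify/unix` shows the new entry, and probe connections log under postfix/verify/smtp, which makes it easy to confirm in the mail log that they leave from 55.66.77.88.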


Re: Re: Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread srach
Hello Viktor
28. Jan 2015 05:46 by postfix-us...@dukhovni.org:


> The setting is per-transport.  Therefore you need a suitable
> additional transport entry in master.cf with an smtp_bind_address
> override, and a custom address_verify_transport or similar.

Okay I see the idea.

In the master.cf config I set already before

address_verify_relay_transport = smtp:[11.22.33.44]:25

that says the IP address to verify TO.  So I think I can use that to set the 
IP address to bind FROM too.

When the suggested idea is "with an smtp_bind_address override", is that the 
form of

address_verify_relay_transport = smtp:[11.22.33.44]:25 
smtp_bind_address=55.66.77.88

?

I read the

http://www.postfix.org/postconf.5.html#address_verify_relay_transport
http://www.postfix.org/postconf.5.html#relay_transport
http://www.postfix.org/transport.5.html

documents but do I miss the override method of syntax?

*S*



Re: Glibc Vulnerability -- CVE-2015-0235

2015-01-27 Thread Peter
On 01/28/2015 06:17 PM, Vijay Rajah wrote:
> Hello,
> 
> I'm sure most of you are aware of the latest Glibc vulnerability. (FYI:
> http://www.openwall.com/lists/oss-security/2015/01/27/9)
> 
> I'm not sure if postfix is vulnerable. I see from that posting that,
> exim under certain configurations, is vulnerable.
> 
> I think since postfix supports IPV6, it would use the getaddrinfo()
> function. Is there any place where the older gethostbyname() function is
> still used?
> 
> Is postfix in any way at all, vulnerable to this bug?

Honestly, I don't know if postfix uses that function or not, but if
postfix isn't vulnerable then you almost certainly have some other
program on your box that is.  I would recommend that you update glibc
without delay regardless.


Peter


Re: Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread Viktor Dukhovni
On Wed, Jan 28, 2015 at 05:44:41AM +, srach wrote:

> For a client's security reason I must make the IP binding for the address 
> verification stop to come from a certain IP address.
> 
> How is it done to set the IP bind address for the address_verify procedure ONLY, 
> different than the smtp_bind_address?

The setting is per-transport.  Therefore you need a suitable
additional transport entry in master.cf with an smtp_bind_address
override, and a custom address_verify_transport or similar.

-- 
Viktor.


Where to set the one only IP address for binding in the address verify?

2015-01-27 Thread srach
I am working next on the Postfix Recipient address verification step from the 
document http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient.

Because I must make the other parts work the parameter in main configuration 
is set

smtp_bind_address = 0.0.0.0

All this works especially well for the multi-homed host I have.  It has a few 
IP addresses.

For a client's security reason I must make the IP binding for the address 
verification stop to come from a certain IP address.

How is it done to set the IP bind address for the address_verify procedure ONLY, 
different than the smtp_bind_address?

I do not read it or understand it in the document.

*S*



Glibc Vulnerability -- CVE-2015-0235

2015-01-27 Thread Vijay Rajah

Hello,

I'm sure most of you are aware of the latest Glibc vulnerability. (FYI: 
http://www.openwall.com/lists/oss-security/2015/01/27/9)


I'm not sure if postfix is vulnerable. I see from that posting that, 
exim under certain configurations, is vulnerable.


I think since postfix supports IPV6, it would use the getaddrinfo() 
function. Is there any place where the older gethostbyname() function is 
still used?


Is postfix in any way at all, vulnerable to this bug?

-Thanks
Vijay


Re: E-mail Log Search Engine v0.9.18 released

2015-01-27 Thread Istvan Prosinger

Oh nice! Will take a look asap

On 26.1.2015 22:26, Nicolas HAHN wrote:

> Hello there,
>
> I've released version 0.9.18 of the ELSE as a tar.gz archive on
> Sourceforge:
> https://sourceforge.net/projects/x-itools/files/X-Itools%20releases/E-mail%20Log%20Search%20Engine/
>
> As well as an updated Virtual Machine based on CentOS 7, made for demo
> purpose.
>
> Availability of documentation for v0.9.18 is currently an ongoing
> process, but some is already available in the Sourceforge Wiki pages of
> this project, there: http://sourceforge.net/p/x-itools/wiki/
>
> For this release, the biggest feature I've tried to implement is the
> *RTAAM* engine. If I had to define it, I would give 3 definitions:
> - *an E-mail flow threats detection and prevention system*, or
> - *an E-mail Firewall solution*, or
> - *a mix of "Postfix/Anvil", "Fail2ban", "Firewall", "Monitoring",
> "Reporting"*
>
> Enjoy :)
>
> --
> Nicolas


Re: Error sending email

2015-01-27 Thread Viktor Dukhovni
On Tue, Jan 27, 2015 at 03:13:56AM -0700, saulos wrote:

> I installed on Ubuntu server 14.04 Postfix, mysql, dovecot following
> instructions on various sites; all the tests they suggest seem to be OK, but when
> I try to send email I get this error:
> 
> connect from ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]
> Jan 26 15:51:11 lannet postfix/smtpd[12357]: SSL_accept error from
> ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]: -1
> Jan 26 15:51:11 lannet postfix/smtpd[12357]: warning: TLS library problem:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol:s23_srvr.c:649:

The client sends garbage instead of an SSL/TLS client HELLO message.

What SSL library is the client using to negotiate an SSL connection
after STARTTLS?

> I spent a long time on Google trying to see if I can solve it, but with no luck
> :(

Try wireshark instead of Google.

-- 
Viktor.


Re: Policyd not working

2015-01-27 Thread Christian Rößner

> On 27.01.2015 at 17:53, rupesh chandurkar wrote:
> 
> How can I verify that my postfix is integrated with "Policyd"?

postconf -n

There must be some check_policy_service somewhere.

smtpd_recipient_restrictions =
…
check_policy_service …

Also check with

lsof -Pni :PORT_OF_YOUR_SERVICE

that it is listening

Christian
--
Bachelor of Science in Computer Science
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
VAT ID: DE225643613, http://www.roessner-network-solutions.com





Re: How can I enforce TLS for certain sending hosts?

2015-01-27 Thread Viktor Dukhovni
On Tue, Jan 27, 2015 at 03:42:13PM +0100, Ralf Hildebrandt wrote:

> Something along the lines of:
> smtp_tls_policy_maps = cdb:/etc/postfix/tls-policy
> 
> but for smtpd (if a connection comes in from $HOST, then require
> "encrypt", reject otherwise)

main.cf:
indexed = ${default_database_type}:${config_directory}/
smtpd_helo_restrictions = 
check_helo_access ${indexed}tls-by-helo

tls-by-helo:
example.com reject_plaintext_session

I would not recommend setting reject_plaintext_session to 5XX; hosts
falling back to cleartext after a transient TLS failure should not
then bounce the message when a cleartext "MAIL FROM:" is rejected.

Perhaps the documentation for this parameter should mention that
the 450 default is generally the right long-term setting, rather
than an initial safety-net.

-- 
Viktor.


Policyd not working

2015-01-27 Thread rupesh chandurkar
Hi All,

I am trying to configure a Policy server to control my outgoing mail by 
min/hour/day.

I created "Quotas" for the Outbound rule but it does not work. Also, I didn't get any 
logs in "maillogs" or "cbpolicyd.log".

How can I verify that my postfix is integrated with "Policyd"?


Main.cf
=
smtpd_recipient_restrictions = check_policy_service inet:xx.xx.xx.xx:10031, 
permit_mynetworks
=

Regards,
Rupesh


Thanks & Regards,
Rupesh Chandurkar

Re: SMTP SASL between different local domains.

2015-01-27 Thread Managed Pvt nets


On 27/01/2015 9:35:44 AM, "Stefano Ruberti" wrote:

> Is it possible to configure Postfix to require SASL authentication for 
> the relay between different local domains?

Your question is not clear enough on what you really want to do. Do you 
want to relay to local domains or to the local host? SASL will work 
mostly depending on how you want it set up.


MPN.



Re: How can I enforce TLS for certain sending hosts?

2015-01-27 Thread Wietse Venema
Ralf Hildebrandt:
> Something along the lines of:
> smtp_tls_policy_maps = cdb:/etc/postfix/tls-policy
> 
> but for smtpd (if a connection comes in from $HOST, then require
> "encrypt", reject otherwise)

reject_plaintext_session?

Wietse


How can I enforce TLS for certain sending hosts?

2015-01-27 Thread Ralf Hildebrandt
Something along the lines of:
smtp_tls_policy_maps = cdb:/etc/postfix/tls-policy

but for smtpd (if a connection comes in from $HOST, then require
"encrypt", reject otherwise)

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


Re: SMTP SASL between different local domains.

2015-01-27 Thread Stefano Ruberti
I tried but it is not enough

--
Stefano


On 27 Jan 2015, at 09:47, Benny Pedersen wrote:

> Stefano Ruberti wrote on 2015-01-27 08:35:
>> Is it possible to configure Postfix to require SASL authentication for
>> the relay between different local domains?
> 
> sure post postconf -n first
> 
> but if you like to try yourself, remove permit_mynetworks in all places



Re: Error sending email

2015-01-27 Thread saulos
Hi thanks, this is the result:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_size_limit = 0
mydestination = localhost
mydomain = lannet.net
myhostname = mail.lannet.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relayhost = email-smtp.us-west-2.amazonaws.com:25
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/lannet.pem
smtpd_tls_key_file = /etc/ssl/private/serverlannet.key
smtpd_use_tls = yes
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

thanks
:)





Re: Error sending email

2015-01-27 Thread li...@rhsoft.net


On 27.01.2015 at 11:13, saulos wrote:

> Hi, I'm new to Postfix.
> I installed on Ubuntu server 14.04 Postfix, mysql, dovecot following
> instructions on various sites; all the tests they suggest seem to be OK, but when
> I try to send email I get this error:
>
> connect from ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]
> Jan 26 15:51:11 lannet postfix/smtpd[12357]: SSL_accept error from
> ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]: -1
> Jan 26 15:51:11 lannet postfix/smtpd[12357]: warning: TLS library problem:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol:s23_srvr.c:649:
> Jan 26 15:51:11 lannet postfix/smtpd[12357]: lost connection after CONNECT
> from ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]
> Jan 26 15:51:11 lannet postfix/smtpd[12357]: disconnect from
> ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]
>
> Both servers are in AWS, one is my mail server and the other is my PHP
> website.
> I spent a long time on Google trying to see if I can solve it, but with no luck


"postconf -n" missing

most likely you broke your configuration with wrong settings


Error sending email

2015-01-27 Thread saulos
Hi, I'm new to Postfix.
I installed on Ubuntu server 14.04 Postfix, mysql, dovecot following
instructions on various sites; all the tests they suggest seem to be OK, but when
I try to send email I get this error:

connect from ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]
Jan 26 15:51:11 lannet postfix/smtpd[12357]: SSL_accept error from
ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]: -1
Jan 26 15:51:11 lannet postfix/smtpd[12357]: warning: TLS library problem:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:s23_srvr.c:649:
Jan 26 15:51:11 lannet postfix/smtpd[12357]: lost connection after CONNECT
from ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]
Jan 26 15:51:11 lannet postfix/smtpd[12357]: disconnect from
ec2-54-84-149-96.compute-1.amazonaws.com[54.84.149.96]

Both servers are in AWS, one is my mail server and the other is my PHP
website.
I spent a long time on Google trying to see if I can solve it, but with no luck
:(
Thanks for any suggestions
:)





Re: SMTP SASL between different local domains.

2015-01-27 Thread Benny Pedersen

Stefano Ruberti wrote on 2015-01-27 08:35:

> Is it possible to configure Postfix to require SASL authentication for
> the relay between different local domains?

sure post postconf -n first

but if you like to try yourself, remove permit_mynetworks in all places


Re: SMTP SASL between different local domains.

2015-01-27 Thread Patrick Ben Koetter
* Stefano Ruberti :
> Is it possible to configure Postfix to require SASL authentication for the
> relay between different local domains? 

You mean Postfix would SASL authenticate itself when it transports a message
from itself to itself?

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein