Re: 250-AUTH LOGIN PLAIN not advertised. Why?

2015-11-23 Thread Patrick Ben Koetter
* Mufit Eribol :
> 
> On 23.11.2015 00:16, Viktor Dukhovni wrote:
> >On Sun, Nov 22, 2015 at 09:43:46PM +0200, Mufit Eribol wrote:
> >
> >>I have been running postfix at a small company for years without any
> >>problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
> >>telnetting to port 25. It may be due to a change in the upgraded packages or
> >>a misconfiguration by me. Probably, I "fixed" something which is not broken.
> >Nothing is wrong, look below:
> >
> > $ posttls-finger onart.com.tr
> > posttls-finger: Connected to mail.randec.com[85.96.178.205]:25
> > posttls-finger: < 220 mail.onart.com.tr ESMTP Postfix
> > posttls-finger: > EHLO amnesiac.invalid
> > posttls-finger: < 250-mail.onart.com.tr
> > posttls-finger: < 250-PIPELINING
> > posttls-finger: < 250-SIZE 5000
> > posttls-finger: < 250-ETRN
> > posttls-finger: < 250-STARTTLS
> > posttls-finger: < 250-ENHANCEDSTATUSCODES
> > posttls-finger: < 250-8BITMIME
> > posttls-finger: < 250 DSN
> > posttls-finger: > STARTTLS
> > posttls-finger: < 220 2.0.0 Ready to start TLS
> > posttls-finger: mail.randec.com[85.96.178.205]:25 CommonName 
> > mail.onart.com.tr
> > posttls-finger: certificate verification failed for 
> > mail.randec.com[85.96.178.205]:25: self-signed certificate
> > posttls-finger: mail.randec.com[85.96.178.205]:25: 
> > subject_CN=mail.onart.com.tr, issuer_CN=mail.onart.com.tr, 
> > fingerprint=AB:0F:61:4C:9C:FB:22:DF:9F:61:55:60:61:B5:6A:B1:C7:03:44:4D, 
> > pkey_fingerprint=E7:65:0A:4E:AF:A7:8E:85:CC:D9:8F:8F:6C:00:32:48:1B:F1:16:3A
> > posttls-finger: Untrusted TLS connection established to 
> > mail.randec.com[85.96.178.205]:25: TLSv1.2 with cipher 
> > ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> > posttls-finger: > EHLO amnesiac.invalid
> > posttls-finger: < 250-mail.onart.com.tr
> > posttls-finger: < 250-PIPELINING
> > posttls-finger: < 250-SIZE 5000
> > posttls-finger: < 250-ETRN
> > posttls-finger: < 250-AUTH PLAIN LOGIN
> > posttls-finger: < 250-AUTH=PLAIN LOGIN
> > posttls-finger: < 250-ENHANCEDSTATUSCODES
> > posttls-finger: < 250-8BITMIME
> > posttls-finger: < 250 DSN
> > posttls-finger: > QUIT
> > posttls-finger: < 221 2.0.0 Bye
> >
> >>I can send and receive mail system on ports 465 and 993 using SSL/TLS
> >>without any issue (seemingly). I am not sure if missing "250-AUTH LOGIN
> >>PLAIN" is a problem. If I telnet to 465 (or 993) I get no response.
> >Of course not, those ports require an initial SSL/TLS handshake.
> >
> Viktor, thank you for your check. I am relieved.
> 
> I realized that the related switch is
> 
> smtpd_tls_auth_only = yes
> 
> If it is changed to "no", then "AUTH PLAIN LOGIN" is also advertised.

Uhmm, for the record, this setting wasn't on the postfix configuration list
you posted originally.

p@rick

-- 
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
 


Feedback on Postscreen Whitelist Article

2015-11-23 Thread Steve Jenkins
I just posted an article about how to whitelist Gmail and
Hotmail/Outlook.com IP addresses for Postscreen, based on the webmaster's
SPF records:

http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/

I'd appreciate feedback from anyone on this list generous enough to offer
it, so I can fix any mistakes or make the article better.

Thanks,

Steve


Steve Jenkins
st...@stevejenkins.com
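
The article above builds postscreen whitelists from the providers' SPF records. As an added example (not code from the article or from Postfix), here is the core of such a generator in Python: it walks an SPF record's include:/redirect= chain, collects the ip4:/ip6: networks and renders them as a cidr: table for postscreen_access_list. The domains and records below are constructed, and the lookup function is injected so the block runs offline; a real run would pass a TXT-resolver-backed lookup instead.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT answers so the example runs
# offline; a real run would pass a resolver-backed lookup function instead.
FAKE_TXT = {
    "_spf.example-mail.test": [
        "v=spf1 include:_netblocks.example-mail.test "
        "include:_netblocks2.example-mail.test ~all"],
    "_netblocks.example-mail.test": [
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.128/25 -all"],
    "_netblocks2.example-mail.test": [
        "v=spf1 ip6:2001:db8::/32 ip4:203.0.113.7 ?ip4:10.0.0.0/8 -all"],
    "loop.test": ["v=spf1 include:loop.test ip4:192.0.2.0/24 -all"],
}

def fake_lookup(name):
    """Stand-in for a TXT lookup: returns the TXT strings for name."""
    return FAKE_TXT.get(name, [])

def spf_networks(domain, lookup, depth=0, seen=None):
    """Collect the ip4:/ip6: networks an SPF record passes, following
    include: and redirect=. Mechanisms that need further DNS (a, mx, ptr,
    exists) are skipped, as are terms with a '-', '~' or '?' qualifier,
    since those never mean "this host may send". Loops and nesting deeper
    than RFC 7208's limit of 10 are cut off rather than followed."""
    seen = set() if seen is None else seen
    if domain.lower() in seen or depth > 10:
        return []
    seen.add(domain.lower())
    nets = []
    for txt in lookup(domain):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            if term[0] in "-~?":          # fail / softfail / neutral qualifier
                continue
            term = term.lstrip("+")
            if term.lower().startswith("redirect="):
                nets += spf_networks(term[9:], lookup, depth + 1, seen)
                continue
            mech, _, arg = term.partition(":")
            if mech.lower() in ("ip4", "ip6"):
                try:   # ip_network normalises bare hosts to /32 or /128
                    nets.append(str(ipaddress.ip_network(arg, strict=False)))
                except ValueError:
                    pass                  # malformed term: do not whitelist it
            elif mech.lower() == "include":
                nets += spf_networks(arg, lookup, depth + 1, seen)
    return nets

def cidr_table(domain, lookup, action="permit"):
    """Render a cidr: table body for postscreen_access_list, one network per
    line, duplicates removed, first-occurrence order kept."""
    uniq = dict.fromkeys(spf_networks(domain, lookup))
    return "".join(f"{net} {action}\n" for net in uniq)

if __name__ == "__main__":
    print(cidr_table("_spf.example-mail.test", fake_lookup), end="")
```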


Re: socket: malformed response

2015-11-23 Thread Larry Stone

> On Nov 22, 2015, at 11:13 PM, Peter  wrote:
> 
> On 11/23/2015 05:51 PM, Vicki Brown wrote:
>> Also, from my discussion with him, Bernard Teo does seem to know what he's 
>> doing.
> 
> I suggest you type "man postfix", scroll down to the bottom and look at
> the list of authors, then compare that list to the two people who have
> been trying to help you here.  Note that you won't see "Bernard Teo" on
> that list.
> 
> You have two people that arguably know more about Postfix than anyone
> else in the entire world trying to help you here and you're arguing with
> them trying to tell them that they're wrong?

I’ll add to that having used Bernard Teo’s product to get my system setup with 
Postfix initially, I found that like many packages, it sets it up to operate in 
its own closed universe. When I reached a point where I wanted to integrate 
other things like Amavis, DKIM signing, and other filters, it was time to move 
away from what his product set up.

-- 
Larry Stone
lston...@stonejongleux.com


Duplicate email issue with opendkim milter

2015-11-23 Thread Quanah Gibson-Mount
I have the following configuration for passing email to OpenDKIM for 
processing:


[127.0.0.1]:10030 inet n - n - - smtpd
   -o local_recipient_maps=
   -o virtual_mailbox_maps=
   -o virtual_alias_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_milters=inet:localhost:8465
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_sender_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_reject_unlisted_sender=no
   -o smtpd_relay_restrictions=
   -o smtpd_data_restrictions=
   -o smtpd_end_of_data_restrictions=
   -o syslog_name=postfix/dkimmilter
   -o content_filter=smtp-amavis:[127.0.0.1]:10032


Since this was implemented, we've had an issue where when emails with a 
large number of recipients are processed, the result is that the recipients 
get duplicates of the email.  We found one workaround to this was to set 
default_destination_recipient_limit to a large value.


Recently, one of our clients found that setting:

-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings


Also resolved the problem.  I've been reading over the docs, and it seems 
that this is a bit aggressive.  However, it does seem that at least some 
set of these options should be set.  I believe it is only necessary to set 
"no_address_mappings".  Does that seem correct?


Thanks,
Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread yahoogroups
Regarding Spamhaus, I am periodically blacklisted on my hosted Web service 
provider because somebody sets up an account on the same service, then spews 
spam. Because I share the same IP, I'm declared toxic. 

I have set up a VPS, which of course has its own IP, not to get in this boat. 
But I am so negative regarding Spamhaus due to unwarranted blocking that I 
refuse to use it.


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread yahoogroups
If wishes were horses. ;-) 

My xyz domain is on the VPS. I'm going to switch systems in a few days.
  Original Message  
From: Viktor Dukhovni
Sent: Monday, November 23, 2015 2:45 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: Feedback on Postscreen Whitelist Article

On Mon, Nov 23, 2015 at 02:29:45PM -0800, yahoogro...@lazygranch.xyz wrote:

> Regarding Spamhaus, I am periodically blacklisted on my hosted Web service
> provider because somebody sets up an account on the same service, then
> spews spam. Because I share the same IP, I'm declared toxic. 

Sounds like the listing is entirely appropriate... You might want
hosting from a provider that does a better job of controlling
outbound spam.

-- 
Viktor.


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread Viktor Dukhovni
On Mon, Nov 23, 2015 at 02:29:45PM -0800, yahoogro...@lazygranch.xyz wrote:

> Regarding Spamhaus, I am periodically blacklisted on my hosted Web service
> provider because somebody sets up an account on the same service, then
> spews spam. Because I share the same IP, I'm declared toxic. 

Sounds like the listing is entirely appropriate...  You might want
hosting from a provider that does a better job of controlling
outbound spam.

-- 
Viktor.


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread Noel Jones
On 11/23/2015 3:48 PM, rob...@chalmers.com.au wrote:
> Interesting article Steve. What happens when/if they change ip
> blocks in between cron runs?
> and I can't help thinking this may be a little redundant though,
> with spf, dkim and dmarc in place the source of the email is checked
> and acted upon accordingly.  
> 
> 

spf, dkim, dmarc, etc. don't work at the postscreen level.  The only
information that is known at this point is the connecting client IP.

That's why postscreen_dnsbl_whitelist_threshold is useful here.



  -- Noel Jones



> 
> 
> Sent from my iPad
> 
> On 23 Nov 2015, at 7:42 p.m., Steve Jenkins wrote:
> 
>> I just posted an article about how to whitelist Gmail and
>> Hotmail/Outlook.com  IP addresses for
>> Postscreen, based on the webmaster's SPF records:
>>
>> http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
>>
>> I'd appreciate feedback from anyone on this list generous enough
>> to offer it, so I can fix any mistakes or make the article better.
>>
>> Thanks,
>>
>> Steve
>>
>>
>> Steve Jenkins
>> st...@stevejenkins.com




Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread Steve Jenkins
On Mon, Nov 23, 2015 at 1:03 PM, Noel Jones  wrote:

>
> Maintaining a local postscreen whitelist of well-known providers is
> largely obsolete.
>
> http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold
> http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites
>
> a minimal main.cf example would be something like:
> postscreen_dnsbl_sites = zen.spamhaus.org*1 list.dnswl.org*-1
> postscreen_dnsbl_whitelist_threshold = -1


Hi, Noel. Thanks for your input (it's always appreciated).

I do use both of those directives in my main.cf, after the
postscreen_access_list.

Here's what I'm currently running:

# POSTSCREEN OPTIONS v2015-06-02
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr,
    cidr:/etc/postfix/gmail_whitelist.cidr,
    cidr:/etc/postfix/msft_whitelist.cidr,
    hash:/etc/postfix/postscreen_whitelist

postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -4

postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    bl.mailspike.net*2
    b.barracudacentral.org*2
    bl.spameatingmonkey.net
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
    wl.mailspike.net=127.0.0.[17;18]*-1
    wl.mailspike.net=127.0.0.[19;20]*-2
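
To show how those weights and the two thresholds combine, here is an added example (not part of the thread and not Postfix code) that models postscreen's scoring over Steve's postscreen_dnsbl_sites above: constructed DNSBL answers go in, a score and a verdict come out. The filter matcher handles any [n..m] range or [a;b] set, not just the patterns in the list, and it assumes each matching entry is counted once.

```python
# Steve's postscreen_dnsbl_sites entries and thresholds from the post above.
SITES_SPEC = """
zen.spamhaus.org*3 bl.mailspike.net*2 b.barracudacentral.org*2
bl.spameatingmonkey.net bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com
swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
wl.mailspike.net=127.0.0.[17;18]*-1
wl.mailspike.net=127.0.0.[19;20]*-2
"""
DNSBL_THRESHOLD = 3        # postscreen_dnsbl_threshold
WHITELIST_THRESHOLD = -4   # postscreen_dnsbl_whitelist_threshold

def parse_sites(spec):
    """'domain[=d.d.d.d][*weight]' -> list of (domain, filter, weight).
    Filter octets are plain numbers or [..]-sets; weight defaults to 1."""
    sites = []
    for entry in spec.split():
        site, _, weight = entry.partition("*")
        domain, _, filt = site.partition("=")
        sites.append((domain.lower(), filt or None, int(weight or 1)))
    return sites

def _octet_ok(pattern, value):
    """Match one reply octet against '17', '[17;18]' or '[2-255]' (n..m
    ranges arrive here already rewritten as n-m by reply_matches)."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for alt in pattern[1:-1].split(";"):
        lo, _, hi = alt.partition("-")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    """No filter: any A record counts. Otherwise compare octet by octet."""
    if filt is None:
        return True
    patterns = filt.replace("..", "-").split(".")   # keeps [0..255] whole
    octets = [int(o) for o in reply.split(".")]
    return len(patterns) == len(octets) == 4 and all(map(_octet_ok, patterns, octets))

def dnsbl_score(sites, replies):
    """Sum the weights of every entry whose filter matches an A record that
    list returned for the client. replies maps domain -> [A record, ...]
    (constructed by the caller here; postscreen gets them from dnsblog(8))."""
    return sum(w for d, f, w in sites
               if any(reply_matches(f, r) for r in replies.get(d, [])))

def verdict(score, threshold=DNSBL_THRESHOLD, wl_threshold=WHITELIST_THRESHOLD):
    """At or below the whitelist threshold the client skips the remaining
    postscreen tests; at or above the DNSBL threshold postscreen_dnsbl_action
    applies; in between postscreen carries on with its other tests."""
    if score <= wl_threshold:
        return "whitelist"
    if score >= threshold:
        return "reject"
    return "continue"
```

A client listed in zen (+3) that is also in dnswl at trust level 2 or higher (-4) nets -1 and is neither whitelisted nor rejected, which is exactly the balancing the negative weights are meant to give.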


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread Steve Jenkins
On Mon, Nov 23, 2015 at 1:48 PM, rob...@chalmers.com.au wrote:

> Interesting article Steve. What happens when/if they change ip blocks in
> between cron runs?
> and I can't help thinking this may be a little redundant though, with spf,
> dkim and dmarc in place the source of the email is checked and acted upon
> accordingly.
>

Hi, Robert. As Noel pointed out, this all occurs way before SPF, DKIM,
and/or DMARC come into play.

As for what happens if the IP blocks change between cron runs, a spammer
would have to take control of an old Google or Microsoft netblock in order
to increase any risk, which is unlikely.

And since this is a whitelist, any new IPs that haven't been picked up in
the no more than 7 days since the last query would be evaluated by
Postscreen per normal... and would likely still get through.


Re: Duplicate email issue with opendkim milter

2015-11-23 Thread Wietse Venema
Quanah Gibson-Mount:
> I have the following configuration for passing email to OpenDKIM for 
> processing:
> 
> [127.0.0.1]:10030 inet n - n - - smtpd
> -o local_recipient_maps=
> -o virtual_mailbox_maps=
> -o virtual_alias_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_delay_reject=no
> -o smtpd_milters=inet:localhost:8465
> -o smtpd_client_restrictions=permit_mynetworks,reject
> -o smtpd_sender_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_reject_unlisted_sender=no
> -o smtpd_relay_restrictions=
> -o smtpd_data_restrictions=
> -o smtpd_end_of_data_restrictions=
> -o syslog_name=postfix/dkimmilter
> -o content_filter=smtp-amavis:[127.0.0.1]:10032
> 
> Since this was implemented, we've had an issue where when emails with a 
> large number of recipients are processed, the result is that the recipients 
> get duplicates of the email.  We found one workaround to this was to set 
> default_destination_recipient_limit to a large value.

Why did that make a difference?

Wietse


Re: Duplicate email issue with opendkim milter

2015-11-23 Thread Viktor Dukhovni
On Mon, Nov 23, 2015 at 07:29:18PM -0500, Wietse Venema wrote:

> > I have the following configuration for passing email to OpenDKIM for 
> > processing:
> > 
> > [127.0.0.1]:10030 inet n - n - - smtpd
> > -o local_recipient_maps=
> > -o virtual_mailbox_maps=
> > -o virtual_alias_maps=
> > -o relay_recipient_maps=
> > -o smtpd_restriction_classes=
> > -o smtpd_delay_reject=no
> > -o smtpd_milters=inet:localhost:8465
> > -o smtpd_client_restrictions=permit_mynetworks,reject
> > -o smtpd_sender_restrictions=
> > -o smtpd_helo_restrictions=
> > -o smtpd_recipient_restrictions=permit_mynetworks,reject
> > -o smtpd_reject_unlisted_sender=no
> > -o smtpd_relay_restrictions=
> > -o smtpd_data_restrictions=
> > -o smtpd_end_of_data_restrictions=
> > -o syslog_name=postfix/dkimmilter
> > -o content_filter=smtp-amavis:[127.0.0.1]:10032
> > 
> > Since this was implemented, we've had an issue where when emails with a 
> > large number of recipients are processed, the result is that the recipients 
> > get duplicates of the email.  We found one workaround to this was to set 
> > default_destination_recipient_limit to a large value.
> 
> Why did that make a difference?

Well, of course I would change only "smtp-amavis_recipient_limit",
but the difference is that otherwise the default limit delivers at
most 50 recipients at a time to the content filter.  This reduces
opportunities for duplicate elimination (across lists), especially
with the default "enable_original_recipient = yes".

I've always (since ~2001) used large recipient limits with filter
transports, this also improves efficiency, no need to scan the same
content multiple times.

-- 
Viktor.


Re: socket: malformed response

2015-11-23 Thread Wietse Venema
Vicki Brown:
> How many times do I need to say that /etc/postfix IS postfix.

You can either remove the symlink "/usr/local/cutedge/postfix/etc"
or you can add a configuration setting "alternate_config_directories
= /usr/local/cutedge/postfix/etc".

See email below for more. I have nothing to add to this thread.

Wietse

> > On Nov 20, 2015, at 04:24, Wietse Venema  wrote:
> > 
> > Viktor Dukhovni:
> >> On Thu, Nov 19, 2015 at 03:26:27PM -0800, Vicki Brown wrote:
> >> 
> >>> The only program that uses /usr/local/cutedge/postfix/etc is.. postfix.
> >> 
> >> Well, the real Postfix uses /etc/postfix, as evidenced by the errors
> >> logged by postdrop(1).  Whatever is asking sendmail(1) and postdrop(1)
> >> to use that other path is misconfigured.
> > 
> > I suspect that this setting is exported in the MAIL_CONF environment
> > variable by the master(8) daemon, which invokes the pipe(8) daemon,
> > which invokes your content filter, which invokes the Postfix sendmail
> > command, which invokes the postdrop command, which terminates with
> > a fatal error.
> > 
> > You have a mixed configuration where postdrop and sendmail require
> > /etc/postfix, and where the Postfix daemon programs require
> > /usr/local/cutedge/postfix/etc.
> > 
> > Mixed configurations are not supported.
> > 
> > You can work around this by adding the alternate_config_directories
> > setting as suggested in the postdrop error message.
> > 
> > But you still are not supported.
> > 
> > Wietse
> > 
> 
> -- Vicki Brown
>   cfcl.com/vlb
> 
> 
> 


Re: 250-AUTH LOGIN PLAIN not advertised. Why?

2015-11-23 Thread Bill Cole

On 23 Nov 2015, at 1:58, Mufit Eribol wrote:

> Viktor, thank you for your check. I am relieved.
>
> I realized that the related switch is
>
> smtpd_tls_auth_only = yes
>
> If it is changed to "no", then "AUTH PLAIN LOGIN" is also advertised.

You should understand what that does, since it is potentially very 
dangerous. If anyone actually *USES* a plaintext authentication 
mechanism (PLAIN or LOGIN) without the protection of TLS encryption, 
their authentication credentials are vulnerable to simple network 
sniffing attacks anywhere in the path between the server and the client. 
A high-quality SMTP client won't ever attempt plaintext authentication 
outside of TLS, but there are a lot of people using shoddy clients that 
might do so, IF the capability is advertised. Put more simply:


NOT advertising "AUTH PLAIN LOGIN" on unencrypted SMTP sessions is a 
security feature of Postfix (and some other MTAs) and is NOT indicative 
of a problem of any sort.
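
A quick way to confirm the behaviour Bill describes on a server you run, as an added example (not from the thread and not Postfix code): compare the EHLO extensions before and after STARTTLS and flag any AUTH offered in the clear. parse_ehlo, audit and probe are hypothetical helper names; probe needs network access, while the transcripts below are constructed to mirror the posttls-finger output quoted earlier in the thread.

```python
import smtplib
import ssl

def parse_ehlo(reply_text):
    """Turn a raw multi-line EHLO reply ('250-KEYWORD params' lines, as shown
    by posttls-finger) into {KEYWORD: params}. The first 250 line carries the
    server name and is skipped; the legacy '250-AUTH=PLAIN LOGIN' form is
    folded into AUTH; a 'posttls-finger: < ' prefix is tolerated."""
    exts, first = {}, True
    for line in reply_text.splitlines():
        line = line.strip().split("< ", 1)[-1]
        if not line.startswith("250"):
            continue
        if first:
            first = False
            continue
        keyword, _, params = line[4:].partition(" ")
        keyword, eq, rest = keyword.partition("=")
        if eq:
            params = (rest + " " + params).strip()
        exts[keyword.upper()] = params
    return exts

def audit(pre_tls, post_tls):
    """pre_tls/post_tls: extension dicts from EHLO before and after STARTTLS."""
    return {
        "starttls_offered": "STARTTLS" in pre_tls,
        "auth_in_clear": "AUTH" in pre_tls,        # the dangerous configuration
        "clear_mechs": sorted(pre_tls.get("AUTH", "").split()),
        "auth_after_tls": "AUTH" in post_tls,
    }

def probe(host, port=25, helo="audit.invalid"):
    """Live check of your own server (needs network): EHLO, STARTTLS with
    certificate verification, EHLO again, then compare the two."""
    ctx = ssl.create_default_context()   # smtplib's default context does not verify
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo(helo)
        pre = {k.upper(): v for k, v in s.esmtp_features.items()}
        s.starttls(context=ctx)
        s.ehlo(helo)
        post = {k.upper(): v for k, v in s.esmtp_features.items()}
    return audit(pre, post)

# Constructed transcripts: a server with smtpd_tls_auth_only = yes advertises
# STARTTLS but no AUTH in the clear, and AUTH only once TLS is up.
CLEAR = """250-mail.example.test
250-PIPELINING
250-SIZE 5000
250-STARTTLS
250 DSN"""
AFTER_TLS = CLEAR.replace("250-STARTTLS\n", "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n")
```

Feeding the same post-TLS transcript as both arguments models smtpd_tls_auth_only = no, and audit then reports auth_in_clear with the mechanisms exposed.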


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread Noel Jones
On 11/23/2015 1:42 PM, Steve Jenkins wrote:
> I just posted an article about how to whitelist Gmail and
> Hotmail/Outlook.com IP addresses for Postscreen, based on the
> webmaster's SPF records:
> 
> http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
> 
> I'd appreciate feedback from anyone on this list generous enough to
> offer it, so I can fix any mistakes or make the article better.
> 
> Thanks,
> 
> Steve
> 
> 
> Steve Jenkins
> st...@stevejenkins.com



Maintaining a local postscreen whitelist of well-known providers is
largely obsolete.

http://www.postfix.org/postconf.5.html#postscreen_dnsbl_whitelist_threshold
http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites

a minimal main.cf example would be something like:
postscreen_dnsbl_sites = zen.spamhaus.org*1 list.dnswl.org*-1
postscreen_dnsbl_whitelist_threshold = -1




  -- Noel Jones


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread rob...@chalmers.com.au
Interesting article Steve. What happens when/if they change ip blocks in 
between cron runs?
and I can't help thinking this may be a little redundant though, with spf, dkim 
and dmarc in place the source of the email is checked and acted upon 
accordingly.  




Sent from my iPad

> On 23 Nov 2015, at 7:42 p.m., Steve Jenkins  wrote:
> 
> I just posted an article about how to whitelist Gmail and Hotmail/Outlook.com 
> IP addresses for Postscreen, based on the webmaster's SPF records:
> 
> http://www.stevejenkins.com/blog/2015/11/postscreen-whitelisting-smtp-outbound-ip-addresses-large-webmail-providers/
> 
> I'd appreciate feedback from anyone on this list generous enough to offer it, 
> so I can fix any mistakes or make the article better.
> 
> Thanks,
> 
> Steve
> 
> 
> Steve Jenkins
> st...@stevejenkins.com
> 
>