Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Dirk Stöcker

On Fri, 11 Dec 2015, Viktor Dukhovni wrote:

> Over the years there have from time to time been requests for
> server-side SNI support in Postfix, but most users have found
> workable alternatives, such as above.
>
> A key reason that SNI support is not there yet, is that we like to
> do things right(TM) in Postfix or not at all, and it is not entirely
> clear what the "right" configuration interface for server-side SNI
> might be (we can ignore implementation difficulties for now).

I hope that SNI is dying long term. E.g. for IPv6 I again use the one 
IP for one service so SNI is not needed anymore. This has a lot of 
benefits, but sadly you need to still have the all-in-one approach for the 
parallel IPv4 (my reason why I hope IPv4 is also dying soon, probably 
unrealistic, I know).


And SMTP has the big advantage, that you can define the name of the host 
in MX, so the name of the mail server can be independent from the domain 
of the email address.


Simply wait a bit longer and maybe that issue solves itself :-)

Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Alice Wonder
On 12/12/2015 04:26 AM, Dirk Stöcker wrote:

> On Fri, 11 Dec 2015, Viktor Dukhovni wrote:
>
>> Over the years there have from time to time been requests for
>> server-side SNI support in Postfix, but most users have found
>> workable alternatives, such as above.
>>
>> A key reason that SNI support is not there yet, is that we like to
>> do things right(TM) in Postfix or not at all, and it is not entirely
>> clear what the "right" configuration interface for server-side SNI
>> might be (we can ignore implementation difficulties for now).
>
> I hope that SNI is dying long term. E.g. for IPv6 I again use the one IP
> for one service so SNI is not needed anymore. This has a lot of
> benefits, but sadly you need to still have the all-in-one approach for
> the parallel IPv4 (my reason why I hope IPv4 is also dying soon,
> probably unrealistic, I know).


I do not want SNI to die but IMHO SNI is not for mail servers.

Even with IPv6 I like SNI for web hosting. But it is not for mail servers.

I do however want to see IPv4 go away.


Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Viktor Dukhovni

On Sat, Dec 12, 2015 at 06:42:03AM -0800, Alice Wonder wrote:

> I do not want SNI to die but IMHO SNI is not for mail servers.

On Sat, Dec 12, 2015 at 01:26:06PM +0100, Dirk Stöcker wrote:

> And SMTP has the big advantage, that you can define the name of the host in
> MX, so the name of the mail server can be independent from the domain of the
> email address.
> 
> Simply wait a bit longer and maybe that issue solves itself :-)

Thanks for the moral support.  I agree that SNI is not particularly
compelling for port 25.  The strongest arguments for SNI that
I've seen are for port 587 submission, where there's no MX indirection
and users' MUAs have statically configured SMTP servers.

So if someone has feedback on either of the candidate interfaces,
or even a better suggestion, I'd still like to hear it.  Or is it
the case that all the users who wanted SNI support in Postfix, but
did not get it, are on the Exim list now?

-- 
Viktor.


Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Luigi Rosa

Dirk Stöcker wrote on 12/12/2015 13:26:

> And SMTP has the big advantage, that you can define the name of the host in MX,
> so the name of the mail server can be independent from the domain of the email
> address.

I use this method.

Just one cert to manage/renew and no exotic configuration. KISS procedure.


--


Ciao,
luigi

+--[Luigi Rosa]--

Do you know the one... "All I ask is a tall ship... and a star to
steer her by..." You could feel the wind at your back, about you...
the sounds of the sea beneath you. And even if you take away the
wind and the water, it's still the same. The ship is yours...
you can feel her... and the stars are still there.
--James Kirk, "The Ultimate Computer"


Is this a correct way to define PCRE lists?

2015-12-12 Thread Sebastian Nielsen
I have a check_sender_access to weed out spam from spam domains.

The check_sender_access is a pcre: list.

And the pcre list is:

/mediablueinc.cf$/i DISCARD
/mediablueinc.com$/i DISCARD
/mediablueinc.ga$/i DISCARD
/abstreeltg.eu$/i DISCARD
/\.top$/i DISCARD

(Yeah, the .top domain is a spam hole. Got over 100 spam mails from that TLD
with random words in the domain like psoraris-doctor.top and so on, and I
will never get a legit mail from that spam hole)

Or am I doing something wrong?





Re: Is this a correct way to define PCRE lists?

2015-12-12 Thread Bill Shirley

I don't see anything "wrong".  The default for .pcre is case independence.

I use "REJECT Spam not allowed." instead of DISCARD.

You're not escaping your period (\.com).

You can combine some of these into a single rule:
/mediablueinc\.(cf|com|ga)$/REJECT Spam not allowed (1).
/\.(top|ninja|download)$/   REJECT Spam not allowed (2).
If you number them you'll see in the log file which rule matched.


You have to use the table in main.cf.  Something like:
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
check_sender_access pcre:/etc/postfix/my.tables/sender_access.pcre
reject_rbl_client zen.spamhaus.org
reject_rbl_client dnsbl.sorbs.net


Bill


On 12/12/2015 2:47 PM, Sebastian Nielsen wrote:

> I have a check_sender_access to weed out spam from spam domains.
>
> The check_sender_access is a pcre: list.
>
> And the pcre list is:
>
> /mediablueinc.cf$/i DISCARD
> /mediablueinc.com$/i DISCARD
> /mediablueinc.ga$/i DISCARD
> /abstreeltg.eu$/i DISCARD
> /\.top$/i DISCARD
>
> (Yeah, the .top domain is a spam hole. Got over 100 spam mails from that TLD
> with random words in the domain like psoraris-doctor.top and so on, and I
> will never get a legit mail from that spam hole)
>
> Or am I doing something wrong?
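To see in practice what Bill's two points (escape the dots, number the reject texts) change for Sebastian's list, here is an added Python emulation of a first-match pcre access-table lookup. It is not part of the thread and not Postfix code; the two tables and the sender addresses it checks are constructed, and it assumes the "case independence" default Bill describes rather than modelling every pcre_table(5) flag.

```python
import re

# Constructed sample tables (not files from the thread): the list as posted,
# with unescaped dots, and a corrected list in the style Bill suggests.
POSTED_TABLE = r"""
/mediablueinc.cf$/i DISCARD
/mediablueinc.com$/i DISCARD
/mediablueinc.ga$/i DISCARD
/abstreeltg.eu$/i DISCARD
/\.top$/i DISCARD
"""

FIXED_TABLE = r"""
/mediablueinc\.(cf|com|ga)$/   REJECT Spam not allowed (1).
/abstreeltg\.eu$/              REJECT Spam not allowed (2).
/\.(top|ninja|download)$/      REJECT Spam not allowed (3).
"""

# One rule per line: /pattern/flags  action  (blank and comment lines skipped)
RULE_RE = re.compile(r'^/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(.+)$')

def parse_table(text):
    """Return [(compiled_regex, action)] in file order; first match wins."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('unparseable rule: %r' % raw)
        pattern, _flags, action = m.groups()
        # Simplification: always case-insensitive, as Bill describes the
        # default; per-rule flag toggling from pcre_table(5) is not modelled.
        rules.append((re.compile(pattern, re.IGNORECASE), action.strip()))
    return rules

def lookup(rules, sender):
    """Emulate a check_sender_access lookup on the full sender address."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None  # no rule matched: the restriction yields DUNNO

if __name__ == '__main__':
    posted, fixed = parse_table(POSTED_TABLE), parse_table(FIXED_TABLE)
    # 'x@mediablueinc-com' is a constructed address only the unescaped dot
    # matches; '.com.example' shows the $ anchor holding in both tables.
    for s in ('x@mediablueinc.com', 'x@mediablueinc-com',
              'x@mediablueinc.com.example', 'x@psoraris-doctor.top'):
        print('%-28s posted=%-8s fixed=%s' % (s, lookup(posted, s), lookup(fixed, s)))
```

The numbered reject text is what ends up in the maillog line for the rejected sender, which is how you tell rule (1) from rule (3) afterwards.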