Re: PSA University of Michigan research IP space

2017-12-07 Thread Viktor Dukhovni


> On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote:
> 
> http://researchscan288.eecs.umich.edu/
> I never could find the research IP space and my email went unanswered.
> I just blocked the whole university. Link has the IP space as listed
> below:
> 141.212.121.0/24 
> 141.212.122.0/24

Seems rather an overreaction. So a few bots scan your system now and then,
for socially beneficial research purposes[1].  Does it really make sense
to block an entire university to try to avoid this?

-- 
Viktor.

[1] Full disclosure, I perform DANE/DNSSEC adoption scans of as many
DNSSEC-validated domains as I can find, currently ~5.1 million, making
connections to MX hosts that publish secure TLSA records (~4 thousand
MX hosts, covering ~174 thousand domains).  Domain owners whose TLSA
records don't match reality are notified of any problems. Generally,
postmasters seem pleased to be notified and given the opportunity to
fix the problem in a timely manner. So I have some empathy for the
Michigan team, who are also by the way one of the sources from which
I gather domain names.

If some of you have deployed DANE TLSA records, but feel strongly
that I should exclude your domains from automated scans, please
drop me a note and I'll add your domains to my "ignore" list.


PSA University of Michigan research IP space

2017-12-07 Thread li...@lazygranch.com
http://researchscan288.eecs.umich.edu/
I never could find the research IP space and my email went unanswered.
I just blocked the whole university. Link has the IP space as listed
below:
141.212.121.0/24 
141.212.122.0/24


Re: owner_request_special issue in postfix 3.2.3

2017-12-07 Thread Wietse Venema
Laurent Frigault:
> Hi,
> 
> I have an issue with owner_request_special. It correctly rewrites the
> local part of the sender address BUT it replaces the right part of the
> sender address with myorigin (or myhostname) instead of keeping it.
> 
> My config :
> OS: FreeBSD 11.1-RELEASE-p4
> postfix: postfix-3.2.3,1 (from freebsd package)
> 
> mail# diff main.cf.sample main.cf
> 95a96
> > myhostname = mail.agneau.org
> 102a104
> > mydomain = agneau.org
> 118a121
> > myorigin = mail.agneau.org
> 134a138
> > inet_interfaces = 127.0.1.5
> 182a187
> > mydestination = mail.agneau.org, listes2.agneau.org, listes3.agneau.org
> 311a317
> > relay_domains = agneau.org bergerie.agneau.org
> 403a410
> > alias_maps = hash:$config_directory/aliases
> 412a420
> > alias_database = hash:$config_directory/aliases
> 
> My debug aliases in $config_directory/aliases :
> 
> owner-debuglolo:  l...@agneau.org
> owner-debuglolo-outgoing: owner-debugl...@listes2.agneau.org
> debuglolo-outgoing:   :include:/usr/local/etc/postfix/lists/debuglolo
> 
> mail# cat lists/debuglolo
> lfriga...@agneau.org
> 
> 
> test command to reproduce the problem:
> 
> printf 'From: Laurent Frigault \nTo: debugl...@listes2.agneau.org\nSubject: test\n\ntest\n' | \
>   sendmail -oi -oee -fowner-debugl...@listes2.agneau.org debuglolo-outgo...@listes2.agneau.org
> 
> The envelope sender owner-debugl...@listes2.agneau.org is rewritten to
> owner-debuglolo-outgo...@mail.agneau.org instead of
> owner-debuglolo-outgo...@listes2.agneau.org

If sending to debuglolo-outgoing, Postfix will replace the sender with
one of the following:

1) owner-debugl...@listes2.agneau.org (expand_owner_alias = yes) 

2) owner-debuglolo-outgoing (expand_owner_alias = no) which then
becomes owner-debuglolo-outgoing@$myorigin.

You appear to have configured Postfix to do 2).

Wietse
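
The two outcomes listed in the reply above, as a simplified model (an added example, not Postfix code and not part of the original message). The list names, addresses and function names are constructed, and the owner_request_special = no branch follows the behaviour reported elsewhere in this thread.

```python
# Simplified model (assumption, not Postfix source) of how local(8) picks the
# envelope sender when it delivers to an alias that has an owner- companion.
# All list names and addresses below are constructed.

ALIASES = {
    "owner-demo": "admin@example.org",
    "owner-demo-outgoing": "owner-demo@lists.example.org",
    "demo-outgoing": ":include:/etc/postfix/lists/demo",
}


def envelope_sender(alias, original_sender, aliases, myorigin,
                    owner_request_special=True, expand_owner_alias=False):
    """Return the envelope sender of mail forwarded through `alias`."""
    if not owner_request_special:
        return original_sender          # owner- handling disabled
    owner = "owner-" + alias
    if owner not in aliases:
        return original_sender          # no companion alias
    # 1) expand_owner_alias = yes: use what the owner alias expands to.
    # 2) expand_owner_alias = no:  use the bare alias name.
    chosen = aliases[owner] if expand_owner_alias else owner
    # A bare local part is completed with $myorigin, whatever domain the
    # message was originally addressed to.
    return chosen if "@" in chosen else chosen + "@" + myorigin


def compare(myorigin="mail.example.org"):
    """Sender seen by the next hop under each setting."""
    args = ("demo-outgoing", "poster@example.net", ALIASES, myorigin)
    return {
        "expand_owner_alias=yes": envelope_sender(*args, expand_owner_alias=True),
        "expand_owner_alias=no": envelope_sender(*args, expand_owner_alias=False),
        "owner_request_special=no": envelope_sender(*args, owner_request_special=False),
    }


if __name__ == "__main__":
    for setting, sender in compare().items():
        print(f"{setting:26} -> {sender}")
```
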


Re: owner_request_special issue in postfix 3.2.3

2017-12-07 Thread Laurent Frigault
On Thu, Dec 07, 2017 at 03:18:40PM -0500, Wietse Venema wrote:
> Laurent Frigault:

> > I have an issue with owner_request_special. It correctly rewrites the
> > local part of the sender address BUT it replaces the right part of the
> > sender address with myorigin (or myhostname) instead of keeping it.
> 
> Does the 'unexpected behavior' depend on the owner_request_special setting?

Yes.

If I set owner_request_special to no, the sender address is not
changed at all. No change on the local part and no change on the right
part, which is expected behavior.

The problem is with owner_request_special set to yes (default). The
rewrite of the local part of the sender is correct and expected, but
the right part should not have been changed.

-- 
Laurent Frigault | 


Re: owner_request_special issue in postfix 3.2.3

2017-12-07 Thread Wietse Venema
Laurent Frigault:
> Hi,
> 
> I have an issue with owner_request_special. It correctly rewrites the
> local part of the sender address BUT it replaces the right part of the
> sender address with myorigin (or myhostname) instead of keeping it.

Does the 'unexpected behavior' depend on the owner_request_special setting?

Wietse


owner_request_special issue in postfix 3.2.3

2017-12-07 Thread Laurent Frigault
Hi,

I have an issue with owner_request_special. It correctly rewrites the
local part of the sender address BUT it replaces the right part of the
sender address with myorigin (or myhostname) instead of keeping it.

My config :
OS: FreeBSD 11.1-RELEASE-p4
postfix: postfix-3.2.3,1 (from freebsd package)

mail# diff main.cf.sample main.cf
95a96
> myhostname = mail.agneau.org
102a104
> mydomain = agneau.org
118a121
> myorigin = mail.agneau.org
134a138
> inet_interfaces = 127.0.1.5
182a187
> mydestination = mail.agneau.org, listes2.agneau.org, listes3.agneau.org
311a317
> relay_domains = agneau.org bergerie.agneau.org
403a410
> alias_maps = hash:$config_directory/aliases
412a420
> alias_database = hash:$config_directory/aliases

My debug aliases in $config_directory/aliases :

owner-debuglolo:            l...@agneau.org
owner-debuglolo-outgoing:   owner-debugl...@listes2.agneau.org
debuglolo-outgoing:         :include:/usr/local/etc/postfix/lists/debuglolo

mail# cat lists/debuglolo
lfriga...@agneau.org


test command to reproduce the problem:

printf 'From: Laurent Frigault \nTo: debugl...@listes2.agneau.org\nSubject: test\n\ntest\n' | \
  sendmail -oi -oee -fowner-debugl...@listes2.agneau.org debuglolo-outgo...@listes2.agneau.org

The envelope sender owner-debugl...@listes2.agneau.org is rewritten to
owner-debuglolo-outgo...@mail.agneau.org instead of
owner-debuglolo-outgo...@listes2.agneau.org

Both mail.agneau.org and listes2.agneau.org are in mydestination, so
there is no reason to rewrite the right part of the sender from
listes2.agneau.org to mail.agneau.org.

/var/log/maillog :

Dec  7 15:34:08 mail postfix/pickup[6509]: AA6114D16: uid=0 from=
Dec  7 15:34:08 mail postfix/cleanup[6515]: AA6114D16: message-id=<20171207143408.aa6114...@mail.agneau.org>
Dec  7 15:34:08 mail postfix/qmgr[6510]: AA6114D16: from=, size=314, nrcpt=1 (queue active)
Dec  7 15:34:08 mail postfix/cleanup[6515]: AF13E4D17: message-id=<20171207143408.aa6114...@mail.agneau.org>
Dec  7 15:34:08 mail postfix/local[6517]: AA6114D16: to=, relay=local, delay=0.07, delays=0.05/0/0/0.01, dsn=2.0.0, status=sent (forwarded as AF13E4D17)
Dec  7 15:34:08 mail postfix/qmgr[6510]: AF13E4D17: from=, size=461, nrcpt=1 (queue active)
Dec  7 15:34:08 mail postfix/qmgr[6510]: AA6114D16: removed
Dec  7 15:34:08 mail postfix/smtp[6518]: AF13E4D17: to=, relay=obelix.agneau.org[88.173.248.15]:25, delay=0.24, delays=0.01/0.01/0.07/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CBF4F1D674F)
Dec  7 15:34:08 mail postfix/qmgr[6510]: AF13E4D17: removed

I attached 2 files:

postconf.txt.gz result of postconf
maillog-verbose.txt.gz  maillog content with -v flags added to local

It looks like a bug in owner_request_special handling to me, because I
have a very similar configuration on an old postfix 2.8.1 that does not
alter the right part of the sender but I may have missed something.

I reproduce the same problem in another jail with postfix 2.11.10 so
this is probably not a postfix 2 vs postfix 3 difference.

man 8 local is not very verbose about owner_request_special :

   owner_request_special (yes)
          Give special treatment to owner-listname and listname-request
          address localparts: don't split such addresses when the
          recipient_delimiter is set to "-".

It is only about localparts, nothing about the right (domain) part.

Any idea on how to prevent owner_request_special from altering the right
part of the sender ? This is needed if you want to host lists in many
domains on the same postfix. 

Is it a bug in local or in my configuration ?

Regards,

-- 
Laurent Frigault | 
When the talk is about money, past a certain figure, everybody
listens. (Michel Audiard)




Re: Outbound opportunistic TLS by default?

2017-12-07 Thread Eray Aslan
On Wed, Dec 06, 2017 at 05:22:19PM -0600, Noel Jones wrote:
> I was thinking "make install" rather than "make upgrade" is a good
> enough indicator of first time install. Deciding if TLS is available
> might be trickier.

Source-based distros like Gentoo make install to a separate destination
dir and then transfer the resulting image to real root during upgrades.
Determining first-time installation should be left to the package
manager.

-- 
Eray