Re: warning: TLS library problem

2018-01-24 Thread Viktor Dukhovni


> On Jan 24, 2018, at 9:25 PM, li...@lazygranch.com wrote:
> 
> postfix/smtpd[14755]: warning: TLS library problem: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> 
> Should I be blocking some encryption method? I thought openssl dropped
> support for the hackable protocols.

The error message is not what it appears.  The SSLv23 functions are the
generic layer that handles all protocol versions before the actual protocol
is determined.

-- 
Viktor.
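
How the fields of that log entry break down, as an added example that is not part of the original message: it splits the OpenSSL error-queue entry and unpacks the hex code using the pre-3.0 OpenSSL layout (library in the top 8 bits, then 12 bits each for function and reason). The function names and the timestamp, host and second PID in the sample lines are constructed for illustration.

```shell
#!/bin/sh
# decode_tls_error LINE
#   Split one OpenSSL error-queue entry from a Postfix "TLS library problem"
#   warning into its fields. The function field names the code path that
#   raised the error (here the version-flexible SSL23 layer); the reason
#   field carries the actual condition.
decode_tls_error() {
    entry=${1#*TLS library problem: }        # drop the syslog prefix
    case $entry in error:*) ;; *) return 1 ;; esac
    oldifs=$IFS; IFS=:; set -f
    set -- $entry                            # error:CODE:LIB:FUNC:REASON:FILE:LINE:
    set +f; IFS=$oldifs
    case $2 in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    code=$((0x$2))
    printf 'lib=%d (%s) func=%d (%s) reason=%d (%s) at %s:%s\n' \
        $(( (code >> 24) & 0xff ))  "$3" \
        $(( (code >> 12) & 0xfff )) "$4" \
        $((  code        & 0xfff )) "$5" "$6" "$7"
}

# tls_problem_summary: read maillog lines on stdin, count decoded entries.
tls_problem_summary() {
    grep 'warning: TLS library problem: error:' | while IFS= read -r line; do
        decode_tls_error "$line"
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample: the error string is the one from this thread, the
# timestamps, host name and second PID are made up for the example.
sample_tls_log() {
    cat <<'EOF'
Jan 24 21:20:01 mail postfix/smtpd[14755]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Jan 24 21:20:02 mail postfix/smtpd[14755]: lost connection after CONNECT from unknown[192.0.2.7]
Jan 24 21:24:40 mail postfix/smtpd[14790]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
EOF
}

sample_tls_log | tls_problem_summary
```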



warning: TLS library problem

2018-01-24 Thread li...@lazygranch.com
postfix/smtpd[14755]: warning: TLS library problem: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

Should I be blocking some encryption method? I thought openssl dropped
support for the hackable protocols.




Re: 4.7.0 too many connections from Tbird client

2018-01-24 Thread Voytek
On Thu, January 25, 2018 2:58 am, Noel Jones wrote:

> Instead of adding them to mynetworks, add that IP (and any other
> remote offices) to smtpd_client_event_limit_exceptions.

On Wed, January 24, 2018 10:59 pm, Matus UHLAR - fantomas wrote:

> submission service usually does not use mynetworks.
>
> try adding that IP to smtpd_client_event_limit_exceptions (if you trust
> that IP) or increase smtpd_client_connection_rate_limit


Noel, Matus, thanks

in the past, I've usually entered remote office IPs into mynetworks

is putting remote office IPs into mynetworks, is that something that was
done in the past, with sending on port 25, but not anymore with using
submission ?

I currently have old_mail_server, new_mail_server

should mynetworks include other mail server IPs and 127.0.0.1;
but, all remote offices go into smtpd_client_connection_rate_limit ?


thanks again, V




Re: removing postgrey - reconfiguring postfix

2018-01-24 Thread Peter
On 24/01/18 19:32, john wrote:
> Is there a write up of how to set up postscreen for maximum spam control.

Of course there's the official docs, POSTSCREEN_README and
postscreen(8).  I also recommend this:

http://rob0.nodns4.us/postscreen.html


Peter


Re: Self-signed TLS certificates (Minimal setup)

2018-01-24 Thread Harald Koch

On Wed, Jan 24, 2018, at 08:37, Dirk Stöcker wrote:
> 
> It's not sooo complicated:

The length of your message contradicts that statement.

(These days I recommend https://github.com/square/certstrap because it's
easily scripted. I'm currently using it in several ansible playbooks,
for example.)
-- 
Harald



mass mailing management web interface recommendation

2018-01-24 Thread anvartay
Hello,
I would like to ask what is the best web gui to manage mass mailing with
postfix?
Any advice greatly appreciated.

Anvar



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: Self-signed TLS certificates (Minimal setup)

2018-01-24 Thread Dirk Stöcker

On Wed, 24 Jan 2018, Viktor Dukhovni wrote:

> One would want to start with "umask 077", to avoid creating
> world-readable private key files.  This should not be
> necessary with OpenSSL 1.1.0 and later, but older versions
> (e.g. OpenSSL 1.0.2) create all output files with default
> permissions, constrained only by the user's umask.
>
> In addition to the umask, some of the directories involved
> should probably be mode 0700.
>
> For long-term CA keys, one would typically want to
> passphrase-protect the private key (thus replace the
> "-nodes" in the first command with -aes128 or -aes256, and
> then type the password again as needed to sign CSRs
> and certificates).

Good advice!

I myself have all the files in a crypted filesystem with a long key, 
which I only unpack/activate with loop device when needed.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)


Re: Self-signed TLS certificates (Minimal setup)

2018-01-24 Thread Viktor Dukhovni


> On Jan 24, 2018, at 11:37 AM, Dirk Stöcker  wrote:
> 
> 1) Create a new CA (only once - it is a good idea to add a date in name, in
> case you have to change it later):
> openssl req -new -x509 -nodes \
>   -subj '/C=DE/ST=Germany/L=Berlin/O=Company/CN=Company Root Certificate 2018/emailAddress=c...@companyemail.de' \
>   -newkey rsa:4096 -sha512 -keyout data/ca.key -out data/ca.pem \
>   -extensions v3_ca -days 3653
> echo -n "01" >ca.db.serial
> mkdir ca.db.certs
> touch ca.db.index
> 
> 2) Create a new key
> openssl req -nodes -days 3653 \
>   -subj '/C=DE/ST=Germany/L=Berlin/O=Company/CN=test.companyemail.de/emailAddress=c...@companyemail.de' \
>   -newkey rsa:4096 -sha512 -keyout key.key -out key.csr

A quick comment.

One would want to start with "umask 077", to avoid creating
world-readable private key files.  This should not be
necessary with OpenSSL 1.1.0 and later, but older versions
(e.g. OpenSSL 1.0.2) create all output files with default
permissions, constrained only by the user's umask.

In addition to the umask, some of the directories involved
should probably be mode 0700.

For long-term CA keys, one would typically want to
passphrase-protect the private key (thus replace the
"-nodes" in the first command with -aes128 or -aes256, and
then type the password again as needed to sign CSRs
and certificates).

-- 
Viktor.
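
A check for the three points in this message (key file mode, directory mode, passphrase protection), as an added example that is not part of the original post. The function names `is_loose`, `audit_keys` and `demo_audit` are made up for the example, and the PEM files it creates are constructed placeholders, not real key material.

```shell
#!/bin/sh
# is_loose PATH: true if any group/other permission bit is set.
# Uses only POSIX find syntax (-perm -mode means "all of these bits").
is_loose() {
    hit=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                           -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -n "$hit" ]
}

# audit_keys DIR: print one finding per line for every PEM private key.
#   LOOSE_FILE   key file readable/writable by group or others
#   LOOSE_DIR    containing directory is not limited to the owner (0700)
#   UNENCRYPTED  key is stored without a passphrase
audit_keys() {
    find "$1" -type f | sort | while IFS= read -r f; do
        # Only files whose first line is a PEM private-key header.
        head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' || continue
        if is_loose "$f"; then echo "LOOSE_FILE $f"; fi
        dir=$(dirname "$f")
        if is_loose "$dir"; then echo "LOOSE_DIR $dir"; fi
        # PKCS#8 encrypted keys say so in the header; traditional-format
        # encrypted keys carry a "Proc-Type: 4,ENCRYPTED" line instead.
        if ! grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' \
                     -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "UNENCRYPTED $f"
        fi
    done
}

# demo_audit: build two constructed CA directories, one under the common
# default umask 022 and one under umask 077, then audit both.
demo_audit() {
    d=$(mktemp -d) || return 1
    ( umask 022
      mkdir "$d/old"
      printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
                    '-----END PRIVATE KEY-----' > "$d/old/ca.key" )
    ( umask 077
      mkdir "$d/new"
      printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' \
                    '-----END ENCRYPTED PRIVATE KEY-----' > "$d/new/ca.key"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
                    '-----END CERTIFICATE-----' > "$d/new/ca.pem" )
    ( cd "$d" && audit_keys . )
    rm -rf "$d"
}

demo_audit
```

Only the directory created under umask 022 produces findings; the certificate file is ignored because it holds no private key.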



Re: Self-signed TLS certificates (Minimal setup)

2018-01-24 Thread Dirk Stöcker

On Wed, 24 Jan 2018, Danny Horne wrote:

> On 22/01/2018 3:52 pm, Viktor Dukhovni wrote:
>
>>> On Jan 22, 2018, at 10:06 AM, Danny Horne  wrote:
>>>
>>> Private CA sounds interesting, will have to read up about it
>>
>> You can get away with a lot less complexity than the usual OpenSSL CA.
>> See, for example:
>>
>>    https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh
>>
>> which creates certificates via "openssl x509 -req" without all the overhead of
>> a stateful CA.  What you'd do differently is password-protect the CA key, and
>> perhaps issue certificates with a somewhat shorter lifetime than the 100 years
>> in that script.
>
> I'll stick with what I have for now.  Read up about creating a private
> CA and it went over my head, I also couldn't figure out what input that
> script needed from me


It's not sooo complicated:

Short guide for UNIXoid systems:

Create a directory and in there a directory "data"

create 2 files:
--- ca.config
[ ca ]
default_ca= CA_own
[ CA_own ]
dir= .
certs= ./data
new_certs_dir= ./ca.db.certs
database= ./ca.db.index
serial= ./ca.db.serial
RANDFILE= ./ca.db.rand
certificate= ./data/ca.pem
private_key= ./data/ca.key
default_days= 3653
default_crl_days= 30
default_md= sha512
preserve= no
policy= policy_anything
[ policy_anything ]
countryName= optional
stateOrProvinceName= optional
localityName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
--- end

--- ca3.config
[ ca ]
default_ca= CA_own
[ CA_own ]
dir= .
certs= ./data
new_certs_dir= ./ca.db.certs
database= ./ca.db.index
serial= ./ca.db.serial
RANDFILE= ./ca.db.rand
certificate= ./data/ca.pem
private_key= ./data/ca.key
default_days= 3653
default_crl_days= 30
default_md= sha512
preserve= no
policy= policy_anything
x509_extensions = v3_req
[ policy_anything ]
countryName= optional
stateOrProvinceName= optional
localityName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional
[ v3_req ]
subjectAltName=$ENV::SUBJALTNAME
--- end

Then:

1) Create a new CA (only once - it is a good idea to add a date in name, in
case you have to change it later):
openssl req -new -x509 -nodes \
  -subj '/C=DE/ST=Germany/L=Berlin/O=Company/CN=Company Root Certificate 2018/emailAddress=c...@companyemail.de' \
  -newkey rsa:4096 -sha512 -keyout data/ca.key -out data/ca.pem \
  -extensions v3_ca -days 3653
echo -n "01" >ca.db.serial
mkdir ca.db.certs
touch ca.db.index

2) Create a new key
openssl req -nodes -days 3653 \
  -subj '/C=DE/ST=Germany/L=Berlin/O=Company/CN=test.companyemail.de/emailAddress=c...@companyemail.de' \
  -newkey rsa:4096 -sha512 -keyout key.key -out key.csr

3) To sign a csr
openssl ca -config ca.config -out key.pem -infiles key.csr

4) To sign a csr with more than one name [altname] (must contain original
name!):
SUBJALTNAME='DNS:test.companyemail.de,DNS:*.hallo.companyemail.de' openssl ca \
  -config ca3.config -out key.pem -infiles key.csr

NOTE: serial number must increase always!

5) To revoke a certificate (e.g. when recreating same target, there is also an
option to allow multiple certs for one domain):
openssl ca -config ca.config -revoke certs/whatever.pem

I always copy my resulting files under proper name to data directory to 
keep them.


See also http://www.madboa.com/geek/openssl/#cert-self

Play around with the settings, timeouts, ... Verify the results with
"openssl x509 -text" (you won't get it all right on the first try, some typos
are always there in the values (either in the specified fields or in the
domain name or ... :-)


In point 4 you also can create certs for "IP:" (instead of DNS:) 
addresses.


Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: Self-signed TLS certificates

2018-01-24 Thread Viktor Dukhovni


> On Jan 24, 2018, at 9:21 AM, Danny Horne  wrote:
> 
>> You can get away with a lot less complexity than the usual OpenSSL CA.
>> See, for example:
>> 
>>   https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh
>> 
>> which creates certificates via "openssl x509 -req" without all the overhead of
>> a stateful CA.  What you'd do differently is password-protect the CA key, and
>> perhaps issue certificates with a somewhat shorter lifetime than the 100 years
>> in that script.
>> 
> I'll stick with what I have for now.  Read up about creating a private
> CA and it went over my head, I also couldn't figure out what input that
> script needed from me

It contains sample code that creates keys, root CAs, intermediate CAs,
CA-issued leaf certificates, and self-signed certificates.  It was used
to create the certificates for the OpenSSL test-suite, and is not as-is
intended to be used for other purposes, though enough knobs are likely
there to make that possible.  Usage examples can be found in:

  https://raw.githubusercontent.com/openssl/openssl/master/test/certs/setup.sh

if anyone wants to take a closer look.  That said, it sounds like the
path forward is for Postfix to add support for 2-level (private CA and
server cert, not just self-signed) certificate chains to the "postfix tls"
command.  That'll have to wait for 3.4, as 3.3 is almost done at this
point, too late to be adding new features, and in any case my cycles are
presently too limited.

-- 
Viktor.

P.S.  A quick overview of mkcert.sh internals (uses some
bash-specific features):

The key() function generates RSA, DSA, ECDSA, DH or ED25519 keys
(if the output file is not already present):

  key() {
      local key=$1; shift

      local alg=rsa
      if [ -n "$OPENSSL_KEYALG" ]; then
          alg=$OPENSSL_KEYALG
      fi

      local bits=2048
      if [ -n "$OPENSSL_KEYBITS" ]; then
          bits=$OPENSSL_KEYBITS
      fi

      if [ ! -f "${key}.pem" ]; then
          args=(-algorithm "$alg")
          case $alg in
          rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
          ec)  args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
               args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
          dsa)  args=(-paramfile "$bits");;
          ed25519)  ;;
          *) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
          esac
          stderr_onerror \
              openssl genpkey "${args[@]}" -out "${key}.pem"
      fi
  }

The req() function generates a certificate signing request (CSR) after
generating a key (if not already present) and list of DN components of
the form "name = value":

  req() {
      local key=$1; shift

      key "$key"
      local errs

      stderr_onerror \
          openssl req -new -"${OPENSSL_SIGALG}" -key "${key}.pem" \
              -config <(printf "string_mask=%s\n[req]\n%s\n%s\n[dn]\n" \
                        "$REQMASK" "prompt = no" "distinguished_name = dn"
                        for dn in "$@"; do echo "$dn"; done)
  }

The cert() function reads a CSR from standard input and creates a
signed certificate:

  cert() {
      local cert=$1; shift
      local exts=$1; shift
      stderr_onerror \
          openssl x509 -req -"${OPENSSL_SIGALG}" -out "${cert}.pem" \
              -extfile <(printf "%s\n" "$exts") "$@"
  }

The various gen* functions put these together to create various certificates.
Specifically genroot(), genca() and genee() create root CAs, intermediate CAs
and End-Entity certificates.  This "CA" is stateless, no record is kept of
issued certificates, so OCSP and CRLs are not possible.



Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Sohin Vyacheslav


24.01.2018 15:34, Stephen Satchell wrote:
> My colleague found that there is a rate-limit parameter in the
> implementation of syslog we were using, and he was exceeding that limit.
>  It's a knob you can turn.
> 
> http://www.rsyslog.com/changing-the-settings/

Thank you, Stephen I hope it will help...

--
Vyacheslav


Re: 4.7.0 too many connections from Tbird client

2018-01-24 Thread Noel Jones
On 1/24/2018 5:50 AM, Voytek wrote:
> On Wed, January 24, 2018 9:34 am, Noel Jones wrote:
> 
>> and a few seconds later STARTTLS succeeds, and that IP successfully sends
>> mail from user hr@ to 10 recipients.
>>
>> Are there many users on that same IP via a NAT?
> 
> Noel,
> 
> just noticed I do NOT have that IP entered in 'mynetworks =', it used to
> be, somehow, it's missing, just adding it back
> 
> is that my problem, or, part of my problem, or ?
> 
> 
> Jan 24 20:22:13 geko postfix/smtpd[4706]: warning: Connection rate limit
> exceeded: 21 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
> service submission
> Jan 24 20:26:01 geko postfix/smtpd[6816]: warning: Connection rate limit
> exceeded: 22 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
> service submission
> Jan 24 20:26:45 geko postfix/smtpd[6816]: warning: Connection rate limit
> exceeded: 23 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
> service submission
> 
> 


Instead of adding them to mynetworks, add that IP (and any other
remote offices) to smtpd_client_event_limit_exceptions.



  -- Noel Jones
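
A way to see which clients are hitting the limits before deciding whom to list in smtpd_client_event_limit_exceptions, as an added example that is not part of the original message. It summarises the anvil warnings quoted in this thread per client and service; the rate-limit lines are the ones from the thread joined back onto one line each, and the concurrency line uses a constructed placeholder client (192.0.2.10), timestamp and host.

```shell
#!/bin/sh
# limit_summary: read maillog lines on stdin and print, per client IP,
# service and limit type, how many warnings were logged and the highest
# count Postfix reported.
limit_summary() {
    awk '
    / warning: Connection (rate|concurrency) limit exceeded: / {
        kind = ($0 ~ /rate limit/) ? "rate" : "concurrency"

        # Number that follows "limit exceeded: "
        n = $0
        sub(/.* limit exceeded: /, "", n); sub(/ .*/, "", n)

        # Address inside the brackets of "from host[address]"
        ip = $0
        sub(/.* from [^[]*\[/, "", ip); sub(/\].*/, "", ip)

        # Service name after "for service "
        svc = $0
        sub(/.* for service /, "", svc); sub(/[ \t]+$/, "", svc)

        k = ip " " svc " " kind
        hits[k]++
        if (n + 0 > peak[k]) peak[k] = n + 0
    }
    END {
        for (k in hits) print k, "warnings=" hits[k], "peak=" peak[k]
    }' | sort
}

# Sample input. Lines 1-3 are from this thread; line 4 is constructed and
# line 5 is a constructed non-matching line.
sample_log() {
    cat <<'EOF'
Jan 24 20:22:13 geko postfix/smtpd[4706]: warning: Connection rate limit exceeded: 21 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for service submission
Jan 24 20:26:01 geko postfix/smtpd[6816]: warning: Connection rate limit exceeded: 22 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for service submission
Jan 24 20:26:45 geko postfix/smtpd[6816]: warning: Connection rate limit exceeded: 23 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for service submission
Jan 24 20:30:02 geko postfix/smtpd[17658]: warning: Connection concurrency limit exceeded: 51 from unknown[192.0.2.10] for service smtp
Jan 24 20:30:05 geko postfix/smtpd[17658]: disconnect from unknown[192.0.2.10]
EOF
}

sample_log | limit_summary
```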


Re: Self-signed TLS certificates

2018-01-24 Thread Danny Horne
On 22/01/2018 3:52 pm, Viktor Dukhovni wrote:
>
>> On Jan 22, 2018, at 10:06 AM, Danny Horne  wrote:
>>
>> Private CA sounds interesting, will have to read up about it
> You can get away with a lot less complexity than the usual OpenSSL CA.
> See, for example:
>
>
> https://raw.githubusercontent.com/openssl/openssl/master/test/certs/mkcert.sh
>
> which creates certificates via "openssl x509 -req" without all the overhead of
> a stateful CA.  What you'd do differently is password-protect the CA key, and
> perhaps issue certificates with a somewhat shorter lifetime than the 100 years
> in that script.
>
I'll stick with what I have for now.  Read up about creating a private
CA and it went over my head, I also couldn't figure out what input that
script needed from me


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Stephen Satchell

On 01/24/2018 02:54 AM, Bastian Blank wrote:
> On Wed, Jan 24, 2018 at 12:19:39PM +0200, Sohin Vyacheslav wrote:
>> Sometimes when server is busy Postfix does not write all the data to
>> maillog.
>
> Postfix does never write directly to the maillog.  This is delegated to
> your syslog server.  If this one drops messages you have to fix it.



+1

My colleague found that there is a rate-limit parameter in the 
implementation of syslog we were using, and he was exceeding that limit. 
 It's a knob you can turn.


http://www.rsyslog.com/changing-the-settings/


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Sohin Vyacheslav


24.01.2018 14:06, Wietse Venema wrote:
>> i.e. need to adjust systemd logging settings?
> Unfortunately, systemd is not part of Postfix. Fortunately, there
> are excellent web search engines that can help you find the answer.

it seems that rsyslogd writes a postfix log:
$ sudo lsof /var/log/maillog
COMMAND  PID USER   FD   TYPE DEVICE  SIZE/OFF   NODE NAME
rsyslogd 433 root    9w   REG  253,1 177428716 261519 /var/log/maillog


--
Vyacheslav


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Wietse Venema
Wietse:
> As others have pointed out, Postfix does not write syslog files.
> Depending on your OS, logging is handled by system-effing-d, which
> by default unhelpfully rate-limits logging.

Sohin Vyacheslav:
> i.e. need to adjust systemd logging settings?

Unfortunately, systemd is not part of Postfix. Fortunately, there
are excellent web search engines that can help you find the answer.

Wietse


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Sohin Vyacheslav


24.01.2018 13:56, Wietse Venema wrote:
> As others have pointed out, Postfix does not write syslog files.
> Depending on your OS, logging is handled by system-effing-d, which
> by default unhelpfully rate-limits logging.

i.e. need to adjust systemd logging settings?

--
Vyacheslav


Re: 4.7.0 too many connections from Tbird client

2018-01-24 Thread Matus UHLAR - fantomas

> On Wed, January 24, 2018 9:34 am, Noel Jones wrote:
>
>> and a few seconds later STARTTLS succeeds, and that IP successfully sends
>> mail from user hr@ to 10 recipients.
>>
>> Are there many users on that same IP via a NAT?

On 24.01.18 22:50, Voytek wrote:
> just noticed I do NOT have that IP entered in 'mynetworks =', it used to
> be, somehow, it's missing, just adding it back

you usually should not need nor do that.

> is that my problem, or, part of my problem, or ?
>
> Jan 24 20:22:13 geko postfix/smtpd[4706]: warning: Connection rate limit
> exceeded: 21 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
> service submission

submission service usually does not use mynetworks.

try adding that IP to smtpd_client_event_limit_exceptions (if you trust that
IP) or increase smtpd_client_connection_rate_limit

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: using two different sending domains and IP addresses on one postfix server

2018-01-24 Thread Wietse Venema
Anvar Kuchkartaev:
> Hello,
> 
> I am configuring postfix send only mail server with 2x sending domain 
> lets say mail.domain1.com and mail.domain2.com. I have configured almost 

If you want multiple mail sending and receiving personalities, see
http://www.postfix.org/MULTI_INSTANCE_README.html

Wietse


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Wietse Venema
Sohin Vyacheslav:
> Hi,
> 
> Sometimes when server is busy Postfix does not write all the data to
> maillog. I see difference between data from maillog and content of file
> with data in format: Date --From email --To email
> 
> It seems that drops some info before writing to maillog i.e. maillog
> does not contain every activity that Postfix does.
> 
> Maybe need to add some parameter in main.cf to force logging all info to
> maillog?

As others have pointed out, Postfix does not write syslog files.
Depending on your OS, logging is handled by system-effing-d, which
by default unhelpfully rate-limits logging.

Wietse


Re: 4.7.0 too many connections from Tbird client

2018-01-24 Thread Voytek
On Wed, January 24, 2018 9:34 am, Noel Jones wrote:

> and a few seconds later STARTTLS succeeds, and that IP successfully sends
> mail from user hr@ to 10 recipients.
>
> Are there many users on that same IP via a NAT?

Noel,

just noticed I do NOT have that IP entered in 'mynetworks =', it used to
be, somehow, it's missing, just adding it back

is that my problem, or, part of my problem, or ?


Jan 24 20:22:13 geko postfix/smtpd[4706]: warning: Connection rate limit
exceeded: 21 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
service submission
Jan 24 20:26:01 geko postfix/smtpd[6816]: warning: Connection rate limit
exceeded: 22 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
service submission
Jan 24 20:26:45 geko postfix/smtpd[6816]: warning: Connection rate limit
exceeded: 23 from 110-170-19-146.static.asianet.co.th[110.170.19.146] for
service submission




Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Sohin Vyacheslav


24.01.2018 12:54, Bastian Blank wrote:
>>  I see difference between data from maillog and content of file
>> with data in format: Date --From email --To email
> I have no idea what you are telling me.  Postfix does not log the
> contents of the From or To headers.
> 

in master.cf exists line with php script which writes data in format:
Date --From email --To email to file:

smtp      inet  n       -       n       -       100     smtpd
  -o content_filter=filter:dummy

filter    unix  -       n       n       -       -       pipe
  flags=F user=apache argv=/usr/local/bin/filter.php ${sender} ${size}
  ${recipient} ${original_recipient}

--
Vyacheslav


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Sohin Vyacheslav


24.01.2018 12:54, Bastian Blank wrote:
> On Wed, Jan 24, 2018 at 12:19:39PM +0200, Sohin Vyacheslav wrote:
>> Sometimes when server is busy Postfix does not write all the data to
>> maillog.
> 
> Postfix does never write directly to the maillog.  This is delegated to
> your syslog server.  If this one drops messages you have to fix it.

sometimes in maillog exists many messages like this:
postfix/smtpd[17658]: warning: Connection concurrency limit exceeded: 51
from host[ip-address] for service smtp

--
Vyacheslav


Re: Response to sender when mail is put to hold queue

2018-01-24 Thread Dominic Raferd
On 24 January 2018 at 10:52, Bastian Blank wrote:
> On Wed, Jan 24, 2018 at 10:17:25AM +, Dominic Raferd wrote:
>> I don't know what response is given to the sending client when postfix
>> puts an incoming mail into the hold queue, say because of an access
>> table HOLD action.
>> At the time of actioning the hold, is sender told the mail has been
>> delivered (250), or something else - or is no response given at all?
>
> The mail got accepted, so it gives a 250 to the client.  SMTP itself
> does not confirm that a mail is delivered to the recipient.
>
>> Is there an attempt to give any info back to original sender when the
>> mail is finally released for delivery, or deleted - which may of
>> course be much later? (I do not allow DSN requests from strangers, if
>> this makes any difference.)
>
> This is all up to you.  If you accepted a mail, you are accountable for
> it.

Thanks, I learned something!


Re: Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Bastian Blank
On Wed, Jan 24, 2018 at 12:19:39PM +0200, Sohin Vyacheslav wrote:
> Sometimes when server is busy Postfix does not write all the data to
> maillog.

Postfix does never write directly to the maillog.  This is delegated to
your syslog server.  If this one drops messages you have to fix it.

>  I see difference between data from maillog and content of file
> with data in format: Date --From email --To email

I have no idea what you are telling me.  Postfix does not log the
contents of the From or To headers.

> It seems that drops some info before writing to maillog i.e. maillog
> does not contain every activity that Postfix does.

Nope, it contains everything, apart from misconfiguration.

Bastian

-- 
Witch!  Witch!  They'll burn ya!
-- Hag, "Tomorrow is Yesterday", stardate unknown


Re: Response to sender when mail is put to hold queue

2018-01-24 Thread Bastian Blank
On Wed, Jan 24, 2018 at 10:17:25AM +, Dominic Raferd wrote:
> I don't know what response is given to the sending client when postfix
> puts an incoming mail into the hold queue, say because of an access
> table HOLD action.
> At the time of actioning the hold, is sender told the mail has been
> delivered (250), or something else - or is no response given at all?

The mail got accepted, so it gives a 250 to the client.  SMTP itself
does not confirm that a mail is delivered to the recipient.

> Is there an attempt to give any info back to original sender when the
> mail is finally released for delivery, or deleted - which may of
> course be much later? (I do not allow DSN requests from strangers, if
> this makes any difference.)

This is all up to you.  If you accepted a mail, you are accountable for
it.

Bastian

-- 
If some day we are defeated, well, war has its fortunes, good and bad.
-- Commander Kor, "Errand of Mercy", stardate 3201.7


Postfix sometimes does not write all the data to maillog

2018-01-24 Thread Sohin Vyacheslav
Hi,

Sometimes when server is busy Postfix does not write all the data to
maillog. I see difference between data from maillog and content of file
with data in format: Date --From email --To email

It seems that drops some info before writing to maillog i.e. maillog
does not contain every activity that Postfix does.

Maybe need to add some parameter in main.cf to force logging all info to
maillog?


Response to sender when mail is put to hold queue

2018-01-24 Thread Dominic Raferd
I don't know what response is given to the sending client when postfix
puts an incoming mail into the hold queue, say because of an access
table HOLD action.

At the time of actioning the hold, is sender told the mail has been
delivered (250), or something else - or is no response given at all?

Is there an attempt to give any info back to original sender when the
mail is finally released for delivery, or deleted - which may of
course be much later? (I do not allow DSN requests from strangers, if
this makes any difference.)