Re: phishing from ME

2019-03-23 Thread Viktor Dukhovni
On Sat, Mar 23, 2019 at 04:59:46PM -0700, Alice Wonder wrote:

> > This is not necessarily true.  A hashed password can be brute-forced.
> 
> Only with a weak password and/or a weak hash algorithm, and it is harder 
> with just the latter.

Yes, but "not weak" in the context of password hashes means something
different than in the usual context of collision-resistant message
fingerprints.  The hash needs to be non-deterministic (randomly
salted), and ideally resistant to various space-time and parallelization
tradeoffs, which means irreducibly both CPU and memory intensive.

Which means algorithms along the lines of Argon2, not SHA2.

-- 
Viktor.
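Viktor's distinction, as an added example that is not part of the thread: a salted, memory-hard password hash (scrypt from Python's standard library, standing in for Argon2) beside a plain SHA-256 digest. The cost parameters and the stored-string layout are my own choices, not anything the thread prescribes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the thread: the properties Viktor lists for a password
# hash (random salt, CPU- and memory-hard work) using scrypt from the standard
# library as a stand-in for Argon2, next to a bare SHA-256 digest that has neither.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters, see memory_bytes_per_guess

def sha2_digest(password: str) -> str:
    """Fast, deterministic, unsalted: equal passwords give equal digests, so one
    precomputed table or one pass over a leaked list serves every account."""
    return hashlib.sha256(password.encode()).hexdigest()

def memory_bytes_per_guess(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """scrypt touches 128 * r * N bytes per guess; that working set is what makes
    massively parallel guessing expensive, which SHA-2 alone never does."""
    return 128 * r * n

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Fresh random salt per password; parameters stored next to the hash."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown hash format")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(hash_password("same") == hash_password("same"))            # False: different salts
    print(sha2_digest("same") == sha2_digest("same"))                # True
    print(memory_bytes_per_guess() // 2 ** 20, "MiB per guess")      # 16 MiB per guess
```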


Re: SPF setup Temperror

2019-03-23 Thread Scott Kitterman



On March 24, 2019 12:13:11 AM UTC, Esteban L  wrote:
>Hello,
>
>Dovecot 2.2.27
>Postfix 3.1.9
>
>I had SPF set up properly, originally. Then, it stopped working properly
>after some other configuration changes, as I tried to go through and
>eliminate errors.
>
>Here is my header information.
>
>
>Received-SPF: Temperror (mailfrom) identity=mailfrom;
> client-ip=167.89.106.69; helo=o1.31qt.s2shared.sendgrid.net;
> envelope-from=bounces+9243903-ab61-me=example.com@em8306.emailtester.org;
> receiver=m...@example.com
>
>My two questions:
>
>1. The Temperror. How do I turn that into a pass? I checked the
>/var/log/mail.log, and there is no more information there.
>
>I changed the debug level (from 1 to 4) in: 
>/etc/postfix-policyd-spf-python/policyd-spf.config
>
>
>Checked the error log again, and got this tidbit.
>Mar 24 01:03:57 mail policyd-spf[5581]: spfcheck: pyspf result:
>"['Temperror', 'SPF Temporary Error: DNS [Errno 22] Invalid argument',
>'mailfrom']"
>
>My best guess is that it has to do with DNS configuration.
>
>2. Not directly related, but adjacent to this problem, is that my SPF
>shows "mailfrom" in the header, which I guess is some type of
>generic header. Can I change that to be the actual receiver/sender,
>like an actual email address?
>
>My best guess here is that I have to use canonical addresses? I am not
>really sure.
>
>Thanks in advance, if anyone can point me in the right direction, it
>would be greatly appreciated. 

Put this in as a question here:

https://answers.launchpad.net/spf-engine

Also, include a copy of your etc/postfix-policyd-spf-python/policyd-spf.config

I'll have a look at it there.  It's not a Postfix issue.

Scott K


SPF setup Temperror

2019-03-23 Thread Esteban L
Hello,

Dovecot 2.2.27
Postfix 3.1.9

I had SPF set up properly, originally. Then, it stopped working properly
after some other configuration changes, as I tried to go through and
eliminate errors.

Here is my header information.


Received-SPF: Temperror (mailfrom) identity=mailfrom;
 client-ip=167.89.106.69; helo=o1.31qt.s2shared.sendgrid.net;
 envelope-from=bounces+9243903-ab61-me=example.com@em8306.emailtester.org;
 receiver=m...@example.com

My two questions:

1. The Temperror. How do I turn that into a pass? I checked the
/var/log/mail.log, and there is no more information there.

I changed the debug level (from 1 to 4) in: 
/etc/postfix-policyd-spf-python/policyd-spf.config


Checked the error log again, and got this tidbit.
Mar 24 01:03:57 mail policyd-spf[5581]: spfcheck: pyspf result:
"['Temperror', 'SPF Temporary Error: DNS [Errno 22] Invalid argument',
'mailfrom']"

My best guess is that it has to do with DNS configuration.

2. Not directly related, but adjacent to this problem, is that my SPF
shows "mailfrom" in the header, which I guess is some type of
generic header. Can I change that to be the actual receiver/sender,
like an actual email address?

My best guess here is that I have to use canonical addresses? I am not
really sure.

Thanks in advance, if anyone can point me in the right direction, it
would be greatly appreciated. 



Re: phishing from ME

2019-03-23 Thread Alice Wonder

On 3/23/19 4:53 PM, Peter wrote:
> On 24/03/19 05:49, Alice Wonder wrote:
>> I have gotten them where they displayed throwaway passwords I used
>> only once for one site (and thus I know that site doesn't hash
>> passwords and never use it again)
>
> This is not necessarily true.  A hashed password can be brute-forced.
>
> Peter

Only with a weak password and/or a weak hash algorithm, and it is harder
with just the latter.


Re: phishing from ME

2019-03-23 Thread Peter

On 24/03/19 05:49, Alice Wonder wrote:
> I have gotten them where they displayed throwaway passwords I used only
> once for one site (and thus I know that site doesn't hash passwords and
> never use it again)

This is not necessarily true.  A hashed password can be brute-forced.

Peter



Re: SSL_CTX_set_mode(client_ctx, SSL_MODE_RELEASE_BUFFERS);

2019-03-23 Thread Wietse Venema
Michael Ströder:
> HI!
> 
> Could someone please have a look at this RPM patch:
> 
> https://build.opensuse.org/package/view_file/server:mail/postfix/postfix-ssl-release-buffers.patch?expand=1
> 
> I'm currently trying to update the RPM to 3.4.4 and I'd like to know
> whether the above makes sense or whether it might even cause issues
> especially with the new TLS connection handling in 3.4.x.
> 
> (Personally I hate obscure package patches anyway...)

According to the documentation:

SSL_MODE_RELEASE_BUFFERS

When we no longer need a read buffer or a write buffer for a
given SSL, then release the memory we were using to hold it.
Using this flag can save around 34k per idle SSL connection.
This flag has no effect on SSL v2 connections, or on DTLS
connections.

If that description is accurate, then this patch just wastes some
CPU cycles. Postfix does not have idle TLS connections, except for
a fraction of a second when a TLS-encrypted connection is saved to
the connection cache. Such connections are saved only when there is
a steady flow of mail to the same destination, so they are reused
immediately.

Wietse


SSL_CTX_set_mode(client_ctx, SSL_MODE_RELEASE_BUFFERS);

2019-03-23 Thread Michael Ströder
HI!

Could someone please have a look at this RPM patch:

https://build.opensuse.org/package/view_file/server:mail/postfix/postfix-ssl-release-buffers.patch?expand=1

I'm currently trying to update the RPM to 3.4.4 and I'd like to know
whether the above makes sense or whether it might even cause issues
especially with the new TLS connection handling in 3.4.x.

(Personally I hate obscure package patches anyway...)

Ciao, Michael.


Re: Postfix hooking Dovecot quota (correct syntax)

2019-03-23 Thread Viktor Dukhovni



> On Mar 23, 2019, at 3:59 AM, Davide Marchi  wrote:
> 
> tpd_recipient_restrictions =
>...
>check_policy_service inet:mailstore.example.com:12340
> 
> 
> I have a doubt: is the space between "[..]service"
> and "inet[..]" correct?

Yes, that's what should appear in the file.

> I've run:
> 
> postconf smtpd_recipient_restrictions=check_policy_service 
> inet:mailstore.example.com:12340

This is not the right way to make the recommended change.

Edit the file with an editor and add:

check_policy_service inet:mailstore.example.com:12340

at the appropriate point in the recipient restrictions (depending
on what's already there).

-- 
Viktor.



Re: phishing from ME

2019-03-23 Thread Andrey Repin
Greetings, Christian Schmitz!

> 3) Dear Andrei
>> mmu.ac.ug.      86400   IN  TXT "v=spf1 include:_spf.google.com ~all"
>> See, ~all was your undoing.
> My domain is **schweb.com.ar** and the email came from **mmu.ac.ug**.
> My SPF is:
> v=spf1 mx a ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar a:sys-arquitectura.cl -all
> Maybe I need to remove -all?

Ok, I misread the message. Then the answer is even simpler: the original
MAIL FROM: wasn't what was in the "From" header field.
So, it's just your usual scaremail.


-- 
With best regards,
Andrey Repin
Saturday, March 23, 2019 19:34:07

Sorry for my terrible english...

Re: phishing from ME

2019-03-23 Thread Alice Wonder

On 3/22/19 5:54 PM, Kevin A. McGrail wrote:
> On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
>> No.  The scareware alerts are generally completely fake.  They
>> are spammed indiscriminately to users the scammer knows nothing
>> about.
>
> Viktor, that does not agree with my significant experience studying this
> particular spam threat.  Yes, they are "fake" alerts in that they
> haven't hacked your PC but they do in fact have some information that
> they are extrapolating to scare people.

When they have information they sometimes use it, otherwise they often
just pretend they have information when they don't.

I have gotten them where they displayed throwaway passwords I used only
once for one site (and thus I know that site doesn't hash passwords and
never use it again) and I have also gotten them when they didn't share
what password of mine they supposedly compromised.

I've also gotten them with e-mail accounts that never were used for a
login on any site.


Re: phishing from ME

2019-03-23 Thread Bill Cole

On 23 Mar 2019, at 11:32, Christian Schmitz wrote:

> 3) Dear Andrei
>> mmu.ac.ug.      86400   IN  TXT "v=spf1 include:_spf.google.com ~all"
>> See, ~all was your undoing.
> My domain is **schweb.com.ar** and the email came from **mmu.ac.ug**.
> My SPF is:
> v=spf1 mx a ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar a:sys-arquitectura.cl -all
> Maybe I need to remove -all?

No. Nothing you do regarding your own domain can fix this SPF issue.
Ending with "-all" indicates a default "hard" failure, so if you enforce
that, SPF failures for your own domain will result in rejection.

SPF operates on the envelope sender of a message, NOT the From header.
Your log shows that the envelope sender was d...@mmu.ac.ug:

> 2019-03-22T07:42:00.178966-03:00 schweb postfix/policy-spf[16235]: : SPF
> softfail (Mechanism '~all' matched): Envelope-from: d...@mmu.ac.ug



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
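For the Temperror header earlier in this digest and the softfail log line above, an added example that is not part of the thread: a small parser for the Received-SPF header as policyd-spf prepends it, reporting which identity and which domain the verdict was about. The two inputs are copied from this thread's own headers; the field handling is my own reading of the header layout, not policyd-spf's code.

```python
# Added example, not from the thread: parse a Received-SPF header of the kind
# policyd-spf prepends, to show which identity and which domain a verdict is about.
# The two sample headers are copied from messages in this thread (addresses were
# already redacted there) and serve as constructed inputs, not live mail.

TEMPERROR_HDR = (
    "Received-SPF: Temperror (mailfrom) identity=mailfrom; "
    "client-ip=167.89.106.69; helo=o1.31qt.s2shared.sendgrid.net; "
    "envelope-from=bounces+9243903-ab61-me=example.com@em8306.emailtester.org; "
    "receiver=m...@example.com")
SOFTFAIL_HDR = (
    "Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by default to "
    "use 'd...@mmu.ac.ug' in 'mfrom' identity, however domain is not currently "
    "prepared for false failures (mechanism '~all' matched)) receiver=schweb; "
    "identity=mailfrom; envelope-from=\"d...@mmu.ac.ug\"; "
    "helo=xray144.theg7.com; client-ip=62.75.235.12")

def parse_received_spf(header: str) -> dict:
    """Return the result, the parenthesised comment (nested parens allowed) and
    the key=value fields, keys lower-cased and values unquoted."""
    body = header.split(":", 1)[1].strip()
    result, _, rest = body.partition(" ")
    rest, comment = rest.lstrip(), None
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                comment, rest = rest[1:i], rest[i + 1:]
                break
    fields = {}
    for item in rest.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip().strip('"')
    return {"result": result.lower(), "comment": comment, **fields}

def checked_domain(parsed: dict) -> str:
    """The domain whose SPF record produced the result: the envelope sender's
    domain for identity=mailfrom, the HELO name for identity=helo. Neither the
    From: header nor the receiving domain's own record is involved."""
    if parsed.get("identity") == "helo":
        return parsed.get("helo", "")
    return parsed.get("envelope-from", "").rsplit("@", 1)[-1]

def verdict_kind(parsed: dict) -> str:
    """temperror: the check's DNS lookup did not complete (a transient condition
    at or between the checker and DNS), so it says nothing about the sender;
    permerror: the sender's record cannot be interpreted; anything else is the
    sender's published policy speaking."""
    return {"temperror": "lookup-failed",
            "permerror": "sender-record-broken"}.get(parsed["result"], "sender-policy")
```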


Re: Postfix hooking Dovecot quota (correct syntax)

2019-03-23 Thread Ralph Seichter
* Davide Marchi:

> it is suggested to add in "main.cf"
>
> smtpd_recipient_restrictions =
>   ...
>   check_policy_service inet:mailstore.example.com:12340

Add this using a text editor, keeping the leading whitespace for line
continuation, instead of using postconf in a shell.

See http://www.postfix.org/postconf.5.html for an explanation of the
main.cf format.

-Ralph


Re: phishing from ME

2019-03-23 Thread Christian Schmitz
Wow!! So many answers. Before going deep into the matter, I want to give my
thanks to all of you. While I was reading (and I read all the answers) I was
taking note of some items that require my answer or clarification.
1) My topology
1.0) My server is physically in my office, located 1 meter (3 ft) from me.
1.1) My connection topology is
internet <-public ip-> my server schweb <-internal ip-> my computer with MUA.
So my email password never touches the internet.
1.2) Fail2ban: I have fail2ban set to ban brute-force attackers permanently
(even across a reboot).
1.3) I have no SSH, FTP or any other login open from outside; the only
administration path is from inside my office.
1.4) I have no administration software (webmin etc.).
1.5) The passwords are in userDB format in a root-owned file and cannot be
changed with any frontend, only by root (with real access to my office).

2) Dear Kevin:
I think that the sender doesn't know my password, because looking at the
logfile /var/log/mail I see no SASL identification.
Postfix handled the email as regular incoming email.

3) Dear Andrei
>mmu.ac.ug.      86400   IN  TXT "v=spf1 include:_spf.google.com ~all"
>See, ~all was your undoing.
My domain is **schweb.com.ar** and the email came from **mmu.ac.ug**.
My SPF is:
v=spf1 mx a ip4:24.232.174.73 mx:schweb.com.ar a:schlabs.com.ar a:sys-arquitectura.cl -all
Maybe I need to remove -all?


4) I performed the check on https://haveibeenpwned.com/
Good news — no pwnage found!

5) I have added the missing part of the log at the end of this email.

6) SpamAssassin I have never used. I will read up on how to install it.
Normally I block the entire ISP when I receive a spam, scam or phishing email.

7) "@lbutlr"
About /etc/postfix/sender_access.pcre: thank you, I will do that.

8) Dear Mick: header checks
I will test it. I cannot close port 25 because my sister uses it and she lives
in another country (I am in Argentina, she is in Chile).
I will look into using it only for incoming emails.

9) I have configured it to block words like BIT COIN (all together), but the
email was base64 encoded and Postfix can't decode and check the content. Is
that possible?

Best Regards 
Christian

Annex 1:
2019-03-22T07:41:56.930185-03:00 schweb postfix/smtpd[16228]: connect from 
mmu.ac.ug[62.75.235.12]
2019-03-22T07:41:57.912905-03:00 schweb postfix/smtpd[16228]: Anonymous TLS 
connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2019-03-22T07:42:00.178966-03:00 schweb postfix/policy-spf[16235]: : SPF 
softfail (Mechanism '~all' matched): Envelope-from: d...@mmu.ac.ug
2019-03-22T07:42:00.180439-03:00 schweb postfix/policy-spf[16235]: handler 
sender_policy_framework: is decisive.
2019-03-22T07:42:00.181631-03:00 schweb postfix/policy-spf[16235]: : Policy 
action=PREPEND Received-SPF: softfail (mmu.ac.ug: Sender is not authorized by 
default to use 'd...@mmu.ac.ug' in 'mfrom' identity, however domain is not 
currently prepared for false failures (mechanism '~all' matched)) 
receiver=schweb; identity=mailfrom; envelope-from="d...@mmu.ac.ug"; 
helo=xray144.theg7.com; client-ip=62.75.235.12
2019-03-22T07:42:01.651477-03:00 schweb postfix/smtpd[16228]: 9EE12450F4: 
client=mmu.ac.ug[62.75.235.12]
2019-03-22T07:42:01.895647-03:00 schweb postfix/cleanup[16242]: 9EE12450F4: 
message-id=<5s5jp2.2trzrx165hrq...@mail.mmu.ac.ug>
2019-03-22T07:42:05.367192-03:00 schweb postfix/qmgr[32549]: 9EE12450F4: 
from=, size=228789, nrcpt=1 (queue active)
2019-03-22T07:42:05.604239-03:00 schweb postfix/smtpd[16228]: disconnect from 
mmu.ac.ug[62.75.235.12]
2019-03-22T07:42:06.429100-03:00 schweb postfix/virtual[16247]: 9EE12450F4: 
to=, relay=virtual, delay=8, delays=6.9/0.02/0/1, 
dsn=2.0.0, status=sent (delivered to maildir)
2019-03-22T07:42:06.431609-03:00 schweb postfix/qmgr[32549]: 9EE12450F4: 
removed

-- 
Be Free, Be Linux   


Re: phishing from ME

2019-03-23 Thread Andrey Repin
Greetings, Christian Schmitz!

> Info extra 1: LOG: /var/log/mail
> connect from mmu.ac.ug[62.75.235.12]
> Anonymous TLS connection established from mmu.ac.ug[62.75.235.12]: TLSv1.2 
> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> : SPF softfail (Mechanism '~all' matched): Envelope-from: d...@mmu.ac.ug

mmu.ac.ug.  86400   IN  TXT "v=spf1 include:_spf.google.com ~all"

See, ~all was your undoing.

> : handler sender_policy_framework: is decisive.
> : Policy action=PREPEND Received-SPF: softfail (mmu.ac.ug: Sender is not 
> authorized by default to use 'd...@mmu.ac.ug' in 'mfrom' identity, however 
> domain is not currently prepared for false failures (mechanism '~all' 
> matched)) receiver=schweb; identity=mailfrom; envelope-from="d...@mmu.ac.ug"; 
> helo=xray144.theg7.com; client-ip=62.75.235.12
> client=mmu.ac.ug[62.75.235.12]
> message-id=<5s5jp2.2trzrx165hrq...@mail.mmu.ac.ug>
> from=, size=228789, nrcpt=1 (queue active)
> disconnect from mmu.ac.ug[62.75.235.12]
> to=, relay=virtual, delay=8, delays=6.9/0.02/0/1, dsn=2.0.0, 
> status=sent (delivered to maildir)
> removed


-- 
With best regards,
Andrey Repin
Saturday, March 23, 2019 12:16:53

Sorry for my terrible english...



Re: phishing from ME

2019-03-23 Thread Matus UHLAR - fantomas

On Mar 22, 2019, at 7:34 PM, Kevin A. McGrail  wrote:
> They do know the passwords but they didn't hack your PC.  See
> haveibeenpwned.com.  They compromised other services you use and you need
> better password management.

On 22.03.19 19:55, Viktor Dukhovni wrote:
> No.  The scareware alerts are generally completely fake.  They
> are spammed indiscriminately to users the scammer knows nothing
> about.

One of my accounts leaked some time ago too. I recommend doing that; we
can't be sure whether the alert is fake.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Save the whales. Collect the whole set.


Re: phishing from ME

2019-03-23 Thread Andrey Repin
Greetings, Kevin A. McGrail!

> On 3/22/2019 7:55 PM, Viktor Dukhovni wrote:
>> No.  The scareware alerts are generally completely fake.  They
>> are spammed indiscriminately to users the scammer knows nothing
>> about.
>
> Viktor, that does not agree with my significant experience

My significant experience says that it does not take a lot of effort to send
email with identical MAIL FROM and RCPT TO addresses, if the target host did
not set up SPF declaration/validation.


-- 
With best regards,
Andrey Repin
Saturday, March 23, 2019 12:14:42

Sorry for my terrible english...



Postfix hooking Dovecot quota (correct syntax)

2019-03-23 Thread Davide Marchi

Hi Friends,
on Debian Stretch, Postfix 3.1.9 and Dovecot 2.2.27 I'm enabling user
quota.
Following this tutorial (suggested on the Dovecot mailing list):
https://blog.sys4.de/postfix-dovecot-mailbox-quota-en.html

it is suggested to add to "main.cf":


smtpd_recipient_restrictions =
    ...
    check_policy_service inet:mailstore.example.com:12340


I have a doubt: is the space between "[..]service"
and "inet[..]" correct?

I've run:

postconf smtpd_recipient_restrictions=check_policy_service
inet:mailstore.example.com:12340

obtaining the error:

postconf: fatal: missing '=' after attribute name:
"inet:mailstore.example.com:12340"

Please, could you confirm the right syntax?


Many thanks!
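Both replies in this digest say to edit main.cf by hand and keep the leading whitespace; as an added example that is not part of the thread or of Postfix, here is a reader for that format which shows that the indentation is what joins the check_policy_service line onto the list, and which reproduces the "missing '='" complaint for an unindented continuation. The fragment is constructed, and ARG_RESTRICTIONS is my own list of restrictions that take an argument.

```python
# Added example, not from the thread and not Postfix's own code: a reader for the
# main.cf "name = value" format with whitespace-continuation lines, showing why the
# indentation matters and why an unindented line without '=' is rejected.

SAMPLE_MAIN_CF = """\
# constructed fragment; mailstore.example.com:12340 is the tutorial's address
myhostname = mailstore.example.com
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service inet:mailstore.example.com:12340
"""

# Restrictions that take the following token as their map or service argument.
ARG_RESTRICTIONS = {"check_policy_service", "check_client_access", "check_helo_access",
                    "check_sender_access", "check_recipient_access"}

def parse_main_cf(text: str) -> dict:
    """A line starting with whitespace continues the previous value; any other
    non-comment, non-blank line must be 'name = value'."""
    params, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                   # continuation line
            if current is None:
                raise ValueError(f"line {lineno}: continuation before any parameter")
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                           # the condition postconf complained about
            raise ValueError(f"line {lineno}: missing '=' after attribute name: \"{raw.strip()}\"")
        current = name.strip()
        params[current] = value.strip()
    return params

def restriction_list(value: str) -> list:
    """Split a restriction list the way Postfix reads it: comma or whitespace
    separated, with check_* restrictions keeping their argument."""
    out = []
    for tok in value.replace(",", " ").split():
        if out and out[-1] in ARG_RESTRICTIONS:
            out[-1] += " " + tok
        else:
            out.append(tok)
    return out

def parse_error(text: str) -> str:
    """The parser's error for a bad fragment, or '' when it parses cleanly."""
    try:
        parse_main_cf(text)
        return ""
    except ValueError as exc:
        return str(exc)
```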