SNI and Letsencrypt wildcards.

2020-02-06 Thread Nikolai Lusan

Hi all,

I am having some issues getting SNI working with postfix >3.4 with errors
like:
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: connect from localhost[127.0.0.1]
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: key at index 1 in SNI data for mx1.city8ball.org.au does not match next certificate
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1107:
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: error loading private keys and certificates from: SNI data for mx1.city8ball.org.au: aborting TLS handshake
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: SSL_accept error from localhost[127.0.0.1]: -1
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:../ssl/statem/extensions.c:1007:
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: lost connection after STARTTLS from localhost[127.0.0.1]
   Feb  7 15:43:08 lutsk postfix/smtpd[4041166]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

The certificate file is a wildcard certificate issued by letsencrypt. The
following are the pertinent fields from the x509 output of the certificate:


   Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   Subject: CN = city8ball.org.au

   X509v3 Subject Alternative Name:
   DNS:*.city8ball.org.au, DNS:city8ball.org.au

These files work with apache, nginx, and dovecot for SNI. Really not sure
why I can't get it working with postfix.

From "postconf -n":

   smtp_tls_mandatory_ciphers = high
   smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
   smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
   smtp_tls_protocols = !SSLv2, !SSLv3
   smtp_tls_security_level = may
   smtpd_helo_required = yes
   smtpd_tls_always_issue_session_ids = yes
   smtpd_tls_chain_files = /etc/ssl/letsencrypt/lusan.id.au/lusan.id.au.key /etc/ssl/letsencrypt/lusan.id.au/fullchain.cer
   smtpd_tls_eecdh_grade = strong
   smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
   smtpd_tls_mandatory_ciphers = high
   smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
   smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
   smtpd_tls_protocols = !SSLv2, !SSLv3
   smtpd_tls_security_level = may
   smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
   tls_append_default_CA = no
   tls_daemon_random_bytes = 64
   tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:!CAMELLIA128-SHA:!AES128-SHA
   tls_preempt_cipherlist = yes
   tls_random_bytes = 64
   tls_random_exchange_name = /var/lib/postfix/prng_exch
   tls_random_prng_update_period = 3600s
   tls_random_reseed_period = 3600s
   tls_random_source = dev:/dev/urandom
   tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map


Thanks

-- 
Nikolai Lusan

Email: niko...@lusan.id.au
Phone: 0425 661 620
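The warnings above come from Postfix checking the order of the PEM objects it reads for the SNI name: a tls_server_sni_maps value (like smtpd_tls_chain_files) is a list of PEM files whose objects, concatenated in the order listed, must be a private key immediately followed by its own certificate and then that certificate's issuer chain. The checker below is an added example, not Postfix code; it validates that layout for a map value before Postfix has to abort a handshake over it. It checks object order only, with placeholder base64 bodies constructed for the sample bundles; which key actually pairs with which certificate is verified separately with OpenSSL (see the note after the block).

```python
"""Check the PEM bundle layout Postfix expects for a tls_server_sni_maps value
(and for smtpd_tls_chain_files): private key, its certificate, issuer chain.
Added example, not Postfix code."""
import re

PEM_OBJECT = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def files_from_map_value(value):
    """Split a map lookup result (file names separated by commas and/or
    whitespace) into the list of files, in the order Postfix reads them."""
    return [f for f in re.split(r"[,\s]+", value.strip()) if f]


def pem_labels(text):
    """Labels of the PEM objects in TEXT, in file order."""
    return [m.group(1) for m in PEM_OBJECT.finditer(text)]


def check_bundle(text):
    """Return the layout problems found in the concatenated PEM text; an empty
    list means the order is the one Postfix expects. Indexes count PEM objects
    from 0, the same numbering as the 'key at index N' warning in the log."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM objects found"]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append("object 0 is a %s; the bundle must start with the private key"
                        % labels[0])
    for i, label in enumerate(labels):
        if label in KEY_LABELS:
            # Every key must be directly followed by the certificate it belongs to.
            if i + 1 >= len(labels) or labels[i + 1] != "CERTIFICATE":
                problems.append("key at index %d is not followed by its certificate" % i)
        elif label == "ENCRYPTED PRIVATE KEY":
            problems.append("key at index %d is passphrase-protected; "
                            "Postfix cannot use encrypted keys" % i)
        elif label != "CERTIFICATE":
            problems.append("unexpected %s object at index %d" % (label, i))
    return problems


def check_map_value(value, read_file):
    """Concatenate the files named in a map value, in order, and check them.
    READ_FILE maps a file name to its text (in a deployment: lambda f: open(f).read())."""
    return check_bundle("".join(read_file(f) for f in files_from_map_value(value)))


# Constructed sample objects: the base64 bodies are placeholders, not real keys.
KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvQ\n-----END PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIIFVz\n-----END CERTIFICATE-----\n"
GOOD = KEY + CERT + CERT       # key, leaf, intermediate: what Postfix expects
BACKWARDS = CERT + KEY + CERT  # fullchain listed before the key file
TWO_KEYS = KEY + KEY + CERT    # the key file listed twice

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("backwards", BACKWARDS), ("two keys", TWO_KEYS)):
        print(name, check_bundle(text) or "ok")
    # Hypothetical map value, resolved through an in-memory file table
    print(check_map_value("key.pem, chain.pem", {"key.pem": KEY, "chain.pem": CERT}.get))
```

Order problems show up as the "does not match next certificate" warning only after Postfix has aborted the handshake, and with smtpd_tls_security_level = may the client then typically retries in clear text, so it is worth running this against every SNI map value at deploy time. To confirm that the key and the leaf certificate actually belong together, compare the public keys: `openssl pkey -in lusan.id.au.key -pubout` and `openssl x509 -in fullchain.cer -noout -pubkey` must print identical output.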



Re: Postfix LDAP pipemap lookup tables and OctetStream

2020-02-06 Thread Viktor Dukhovni
On Thu, Feb 06, 2020 at 08:44:36AM +0100, Luca Fornasari wrote:

> I am using reject_sender_login_mismatch and I need to find out the
> owner of an email address using smtpd_sender_login_maps.
> The email address is present on a first AD server while user/owner is
> on a second AD server ... what links the two is the SID (Exchange
> linked mailbox).

You'll need a less exotic schema to make this go.  Provision a third
LDAP server on which the join is directly available in a single object
containing both the address and account name.

> The idea is to use a pipemap of LDAP queries; the first LDAP query
> using the email address as a key to retrieve the
> msExchMasterAccountSid on the first AD and pipe it as input key as
> objectSid to a second LDAP query to retrieve the SamAccountName.
> 
> Since msExchMasterAccountSid is an OctetStream, I am wondering if this
> will work ... does anyone already have experience on this?

In Postfix, table lookup keys and result data are NUL-terminated
C strings.  So binary keys and values are not possible.

const char *dict_lookup(dict_name, member)
const char *dict_name;
const char *member;

Internally, the Postfix LDAP table assumes that all attributes returned
in an LDAP query are NUL-terminated C-strings.  OpenLDAP appends a final
NUL even to binary data, but we don't check for absence of internal
NULs.

Also, the Postfix LDAP table folds keys to lower-case by default, and
IIRC you don't generally get to disable that when defining tables.

Bottom-line.  Sorry, no non-textual keys or values.

-- 
Viktor.


Re: Postfix LDAP pipemap lookup tables and OctetStream

2020-02-06 Thread Fulvio Scapin

Hello Luca


> sadly I am stuck with a version of Postfix that does not yet support the
> "pipemap" lookup table, so I am forced to ask here instead of simply
> trying ...


Well you can always compile the latest version of postfix on your 
machine and/or on the server in question, create the ldap files needed 
and test the pipemap using postmap -q.


E.g.

$ /path/to/postfix_bin/postmap -q em...@domain.tld 'pipemap:{ ldap:/path/to/first_map, ldap:/path/to/second_map, }'


Of course you should be able to reach the LDAP servers from the machine 
you run postmap from, although a few well-placed ssh-forwarded 
connections would get you there anyway.



> I am using reject_sender_login_mismatch and I need to find out the
> owner of an email address using smtpd_sender_login_maps.
> The email address is present on a first AD server while user/owner is
> on a second AD server ... what links the two is the SID (Exchange
> linked mailbox).
>
> The idea is to use a pipemap of LDAP queries; the first LDAP query
> using the email address as a key to retrieve the
> msExchMasterAccountSid on the first AD and pipe it as input key as
> objectSid to a second LDAP query to retrieve the SamAccountName.

Be aware that creative combinations of unionmap, pipemap and pcre tables 
(the latter to rewrite/combine outputs from other maps) can get you 
pretty far, so if you have other keys or combinations of them which 
might provide you a different join field through some degree of 
rewriting it could be possible to use them.

> Since msExchMasterAccountSid is an OctetStream, I am wondering if this
> will work ... does anyone already have experience on this?

ldap_table(5) says the RFC 2254 quoting is used when expanding %s in the 
search filter, but although I've made pipemap/unionmap combinations a 
few levels deep I've never used binary values as keys, so I guess you 
should just try.


> Anyone did it with a custom script? What about performances?


Performances are not usually an issue in my experience, but it depends 
on the size of your infrastructure/mailflow and on how often the ldap 
lookups are performed in your final flow.


Never tried a custom script.


Regards,

Fulvio
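Viktor's objection (table keys and values are NUL-terminated C strings) and Fulvio's remark about RFC 2254 quoting of %s are both about the same bytes, so one added example serves both. The code below is not Postfix, OpenLDAP or Exchange code; it takes a constructed binary SID of the kind AD stores in objectSid / msExchMasterAccountSid, shows how much of it a C string API would actually see, and converts it to the textual S-1-5-... form that has no NULs and can therefore be stored on the "third LDAP server" Viktor suggests, or compared in a filter. It also shows the per-byte filter escaping a binary (objectSid=...) search would need if a client could carry the bytes at all.

```python
"""Binary SID versus Postfix table lookups. Added example; the SID bytes are
constructed for illustration, not taken from a real directory."""
import struct


def c_string_view(data):
    """What a NUL-terminated C string API such as Postfix dict_lookup() sees
    of DATA: everything before the first NUL byte."""
    i = data.find(b"\x00")
    return data if i < 0 else data[:i]


def sid_to_text(sid):
    """Render a binary SID as S-<revision>-<authority>-<sub>-...
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then COUNT 32-bit little-endian values."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def text_to_sid(text):
    """Inverse of sid_to_text: textual SID back to the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a textual SID")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_filter_escape(raw):
    """Escape a binary value for an LDAP search filter (RFC 4515, which
    replaced RFC 2254): every byte as \\xx, the form an (objectSid=...) filter
    on binary data requires."""
    return "".join("\\%02x" % b for b in raw)


# Constructed SID S-1-5-21-1000-2000-3000-1105: revision 1, 5 sub-authorities,
# authority 5 (NT), then the sub-authorities little-endian.
EXAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1000, 2000, 3000, 1105)

if __name__ == "__main__":
    print("binary length:", len(EXAMPLE_SID))
    print("seen through a C string:", c_string_view(EXAMPLE_SID))   # NUL at offset 2
    print("textual form:", sid_to_text(EXAMPLE_SID))
    print("filter value:", ldap_filter_escape(EXAMPLE_SID))
```

The third byte of every SID is the first of five zero bytes of the NT identifier authority, so a C string view keeps only the first two bytes; nothing useful can survive the pipemap hop. The textual form is digits and hyphens apart from the leading "S", so Postfix's default lower-casing of lookup keys turns it into "s-1-5-...", which is why the joined attribute on the intermediate server should be matched case-insensitively (or stored lower-case) if it is to serve as a lookup key.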




Re: Same QueueID if recipients belong to the same domain?

2020-02-06 Thread ego...@gmail.com
FYI I solved it by adding

fixcc_destination_recipient_limit=1

in main.cf

Bye

Il giorno mer 5 feb 2020 alle ore 13:12 Wietse Venema 
ha scritto:

> ego...@gmail.com:
> > Feb  5 11:35:48 AZN-POSTIFX postfix/smtpd[55568]: connect from
> > mail-am5eur03lp2053.outbound.protection.outlook.com[104.47.8.53]
> > Feb  5 11:35:48 AZN-POSTIFX postfix/smtpd[55568]: 641C6401EF: client=
> > mail-am5eur03lp2053.outbound.protection.outlook.com[104.47.8.53]
> > Feb  5 11:35:48 AZN-POSTIFX postfix/cleanup[55571]: 641C6401EF:
> message-id=<
> >
> am0p195mb074014bc4ed377dba3bacdde89...@am0p195mb0740.eurp195.prod.outlook.com
> > >
> > Feb  5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 641C6401EF: from=<
> > us...@senderdomain.com>, size=10524, nrcpt=2 (queue active)
> > Feb  5 11:35:48 AZN-POSTIFX postfix/smtpd[55568]: disconnect from
> > mail-am5eur03lp2053.outbound.protection.outlook.com[104.47.8.53]
>
> Postfix received a message with TWO RECIPIENTS.
>
> > Feb  5 11:35:48 AZN-POSTIFX postfix/pickup[55478]: 7738740269: uid=1001
> > from=
> > Feb  5 11:35:48 AZN-POSTIFX postfix/pipe[55572]: 641C6401EF: to=<
> > recipie...@gmail.com>, relay=fixcc, delay=0.09, delays=0.03/0.01/0/0.05,
> > dsn=2.0.0, status=sent (delivered via fixcc service)
> > Feb  5 11:35:48 AZN-POSTIFX postfix/pipe[55572]: 641C6401EF: to=<
> > recipie...@gmail.com>, relay=fixcc, delay=0.09, delays=0.03/0.01/0/0.05,
> > dsn=2.0.0, status=sent (delivered via fixcc service)
> > Feb  5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 641C6401EF: removed
>
> Postfix delivered a message with TWO RECIPIENTS to the fixcc service.
>
> > Feb  5 11:35:48 AZN-POSTIFX postfix/cleanup[55571]: 7738740269:
> message-id=<
> >
> am0p195mb074014bc4ed377dba3bacdde89...@am0p195mb0740.eurp195.prod.outlook.com
> > >
> > Feb  5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 7738740269: from=<
> > us...@senderdomain.com>, size=10642, nrcpt=1 (queue active)
> > Feb  5 11:35:48 AZN-POSTIFX postfix/smtp[55578]: 7738740269: to=<
> > recipie...@gmail.com>, relay=gmail-smtp-in.l.google.com
> [173.194.79.26]:25,
> > delay=0.39, delays=0.02/0.02/0.14/0.21, dsn=2.0.0, status=sent (250 2.0.0
> > OK  1580898948 cn3si15321822edb.537 - gsmtp)
> > Feb  5 11:35:48 AZN-POSTIFX postfix/qmgr[55479]: 7738740269: removed
>
> The fixcc service fucked up and lost the second recipient.
>
> Wietse
>
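Setting fixcc_destination_recipient_limit = 1 makes Postfix hand the pipe service one recipient per delivery. The other way to fix what Wietse points out is to make the filter itself carry every recipient it is given. The script below is an added example, not the poster's fixcc service: a pipe(8) content filter in the shape of Postfix's FILTER_README, whose only point is that ${recipient} expands to all recipients of the delivery as separate arguments, so the whole "$@" has to reach re-injection. The master.cf entry, script path and filter user in the comments are assumptions.

```sh
#!/bin/sh
# Pipe(8) content filter that forwards every recipient it is given.
# Added example, not the poster's fixcc service.
#
# Assumed master.cf entry (the script path and user are assumptions):
#   fixcc  unix  -  n  n  -  10  pipe
#     flags=Rq user=filter null_sender= argv=/usr/local/bin/fixcc.sh -f ${sender} -- ${recipient}
#
# Without fixcc_destination_recipient_limit = 1 in main.cf, ${recipient}
# expands to ALL recipients of the delivery, one argument each; a filter that
# only re-injects "$1" silently drops the rest while Postfix logs "sent".

SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail}"   # overridable for testing

# reinject_all SENDER RECIPIENT...
# Hand the message on stdin back to Postfix for every recipient in one call.
# Returns 75 (EX_TEMPFAIL) when no recipient was passed, so the message is
# deferred instead of being reported as delivered.
reinject_all() {
    sender="$1"; shift
    if [ "$#" -lt 1 ]; then
        echo "fixcc: no recipients given for sender $sender" >&2
        return 75
    fi
    # -G: gateway submission (no local address rewriting)
    # -i: a line with a single "." does not end the message
    "$SENDMAIL" -G -i -f "$sender" -- "$@"
}

# main -f SENDER -- RECIPIENT...
# Spool the message, (rewrite it here), re-inject it for all recipients.
main() {
    if [ "$1" != "-f" ] || [ "$#" -lt 3 ]; then
        echo "usage: $0 -f sender -- recipient..." >&2
        exit 64   # EX_USAGE
    fi
    sender="$2"; shift 2
    [ "$1" = "--" ] && shift
    tmp=$(mktemp) || exit 75
    trap 'rm -f "$tmp"' EXIT
    cat >"$tmp" || exit 75
    # Header rewriting would operate on "$tmp" here; this example passes it through.
    reinject_all "$sender" "$@" <"$tmp"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Whichever fix is chosen, the check is the same as in the log above: a delivery with nrcpt=2 into the pipe transport must produce two re-injected recipients (or two separate pipe deliveries), not one.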


Re: message-id empty

2020-02-06 Thread Matus UHLAR - fantomas

On 05.02.20 04:25, mami64 wrote:
>Some times i found in logs (smtp outgoing) empty message-id like
>
>Feb  5 12:20:18 smtp1 postfix/cleanup[21270]: 48CJy70T20z3xcS: message-id=<>
>Feb  5 12:20:20 smtp1 postfix/cleanup[21265]: 48CJyD3tzNz3y0m: message-id=<>
>Feb  5 12:20:20 smtp1 postfix/cleanup[19334]: 48CJyD4yKCz3xvB: message-id=<>
>Feb  5 12:20:23 smtp1 postfix/cleanup[19285]: 48CJyH2nYjz3y1b: message-id=<>
>Feb  5 12:20:24 smtp1 postfix/cleanup[17592]: 48CJyH6tV0z3xNL: message-id=<>
>Feb  5 12:20:25 smtp1 postfix/cleanup[19334]: 48CJyK1Yg7z3y2C: message-id=<>
>
>In rfc 822 message-id is not required but I dont known why some times i get
>message-id and sometimes not and what it depends on



> On Wed, Feb 5, 2020 at 12:41 PM Matus UHLAR - fantomas
>  wrote:
>
> > apparently the client did not create Message-Id: header.
> > it's up to the client to generate it.


On 06.02.20 09:31, Luca Fornasari wrote:
> You can use "always_add_missing_headers = yes" in main.cf in case you
> need to reproduce older Postfix behaviour


note that this can break DKIM, spam scanning etc.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


send alternate destination based on Cc / Subject / body

2020-02-06 Thread Fazekas Mihály
Hi,

My name is Mihaly Fazekas.
Sorry, my english is not good.

How can I do this:
Send mail to Cc instead of To?
(replace To with Cc for a specified Cc/Subject,
then remove the original Cc)


With header_checks I can change the To field,
but the mail is still sent to the original destination.
Inside header_checks I can use the REDIRECT option, but this
option is not perfect. (RT uses the To field, not the Return-Path?)


My "original problem" is:
We are using RT (Request Tracker), and I want to control
RT via email, but Evolution mailer templates do not replace
the To field (they can replace Cc, Subject, body, ...
BUT cannot replace the To field. -> brrr.).

-- 
mailto:mich...@telkp.bme.hu



Re: message-id empty

2020-02-06 Thread Luca Fornasari
On Wed, Feb 5, 2020 at 12:41 PM Matus UHLAR - fantomas
 wrote:
>
> On 05.02.20 04:25, mami64 wrote:
> >Some times i found in logs (smtp outgoing) empty message-id like
> >
> >Feb  5 12:20:18 smtp1 postfix/cleanup[21270]: 48CJy70T20z3xcS: message-id=<>
> >Feb  5 12:20:20 smtp1 postfix/cleanup[21265]: 48CJyD3tzNz3y0m: message-id=<>
> >Feb  5 12:20:20 smtp1 postfix/cleanup[19334]: 48CJyD4yKCz3xvB: message-id=<>
> >Feb  5 12:20:23 smtp1 postfix/cleanup[19285]: 48CJyH2nYjz3y1b: message-id=<>
> >Feb  5 12:20:24 smtp1 postfix/cleanup[17592]: 48CJyH6tV0z3xNL: message-id=<>
> >Feb  5 12:20:25 smtp1 postfix/cleanup[19334]: 48CJyK1Yg7z3y2C: message-id=<>
> >
> >In rfc 822 message-id is not required but I dont known why some times i get
> >message-id and sometimes not and what it depends on
>
> apparently the client did not create Message-Id: header.
> it's up to the client to generate it.

You can use "always_add_missing_headers = yes" in main.cf in case you
need to reproduce older Postfix behaviour

Luca