Re: Check outgoing emails not using TLS

2020-04-07 Thread Viktor Dukhovni
On Tue, Apr 07, 2020 at 07:06:41PM -0400, Wietse Venema wrote:

> Attached are an updated script, and a diff.

Looks good to me.

-- 
Viktor.


Re: Check outgoing emails not using TLS

2020-04-07 Thread Wietse Venema
Viktor Dukhovni:
> On Tue, Apr 07, 2020 at 11:46:33AM +0200, Michael Storz wrote:
> 
> > > I should perhaps mention that the "tlstype.pl" Perl script does not
> > > handle TLS connection re-use.  I've not looked at what it would take
> > > to do that.
> > 
> > And it does not work for mixed-case hostnames:
> > 
> > - TLS connection established to lower-case-hostname
> > - relay=mixed-case-hostname
> 
> Ah, thanks. Easily enough corrected, by wrapping Perl values in
> lc($value).  If you fix this and more issues, feel free to put it up on
> github somewhere...  I am not planning to become a "maintainer" of this
> off-the-cuff script.

Attached are an updated script, and a diff.

Wietse
#! /usr/bin/env perl

use strict;
use warnings;

# Input is collate.pl output: one blank-line-separated block of log
# records per mail delivery transaction.
local $/ = "\n\n";

while (<>) {
    my $qid;
    my %tls;
    my $smtp;
    foreach my $line (split("\n")) {
        # Queue manager record: remember the queue ID of this transaction.
        if ($line =~ m{ postfix(?:\S*?)/qmgr\[\d+\]: (\w+): from=<.*>, size=\d+, nrcpt=\d+ [(]queue active[)]$}) {
            $qid //= $1;
            next;
        }
        # TLS handshake record: index by smtp(8) PID and lower-cased peer.
        if ($line =~ m{ postfix(?:\S*?)/smtp\[(\d+)\]: (\S+) TLS connection established to (\S+): (.*)}) {
            $tls{$1}->{lc($3)} = [$2, $4];
            next;
        }
        # Delivery record: reported as TLS only if this smtp(8) PID logged
        # a handshake to the same relay.
        if ($line =~ m{.*? postfix(?:\S*?)/smtp\[(\d+)\]: (\w+): (to=.*), relay=(\S+), (delay=\S+, delays=\S+, dsn=2\.\S+, status=sent .*)}) {
            next unless $qid eq $2;
            if (defined($tls{$1}->{lc($4)}) && ($tls{$1}->{lc($4)}->[2] //= $5) eq $5) {
                printf "qid=%s, relay=%s, %s -> %s %s\n", $qid, lc($4), $3, @{$tls{$1}->{lc($4)}}[0..1];
            } else {
                delete $tls{$1};
                printf "qid=%s, relay=%s, %s -> cleartext\n", $qid, lc($4), $3;
            }
        }
    }
}
--- tlstype.pl-posted   2020-04-07 18:13:50.0 -0400
+++ tlstype.pl  2020-04-07 18:59:44.0 -0400
@@ -15,16 +15,16 @@
next;
}
if ($line =~ m{ postfix(?:\S*?)/smtp\[(\d+)\]: (\S+) TLS connection 
established to (\S+): (.*)}) {
-   $tls{$1}->{$3} = [$2, $4];
+   $tls{$1}->{lc($3)} = [$2, $4];
next;
}
if ($line =~ m{.*? postfix(?:\S*?)/smtp\[(\d+)\]: (\w+): (to=.*), 
relay=(\S+), (delay=\S+, delays=\S+, dsn=2\.\S+, status=sent .*)}) {
next unless $qid eq $2;
-   if (defined($tls{$1}->{$4}) && ($tls{$1}->{$4}->[2] //= $5) eq $5) {
-   printf "qid=%s, relay=%s, %s -> %s %s\n", $qid, $4, $3, 
@{$tls{$1}->{$4}}[0..1];
+   if (defined($tls{$1}->{lc($4)}) && ($tls{$1}->{lc($4)}->[2] //= $5) 
eq $5) {
+   printf "qid=%s, relay=%s, %s -> %s %s\n", $qid, lc($4), $3, 
@{$tls{$1}->{lc($4)}}[0..1];
} else {
delete $tls{$1};
-   printf "qid=%s, relay=%s, %s -> cleartext\n", $qid, $4, $3;
+   printf "qid=%s, relay=%s, %s -> cleartext\n", $qid, lc($4), $3;
}
}
 }
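
Review bot: lc($4) is now evaluated five times in the status=sent branch (the defined() test, the ->[2] comparison, both printf calls and the array slice), so a later edit that misses one of them brings back the mismatch between the key stored from "TLS connection established to" and the relay= lookup. Assigning it once after "next unless $qid eq $2;", for example my $relay = lc($4);, and using $relay for the hash key and the output keeps them in step. The printf lines also now print the lower-cased relay instead of the relay= value as logged; if the output is meant to be matched back against the log, print $4 and use the lower-cased form only as the key.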


Re: Check outgoing emails not using TLS

2020-04-07 Thread Wietse Venema
Viktor Dukhovni:
> On Tue, Apr 07, 2020 at 11:46:33AM +0200, Michael Storz wrote:
> 
> > > I should perhaps mention that the "tlstype.pl" Perl script does not
> > > handle TLS connection re-use.  I've not looked at what it would take
> > > to do that.
> > 
> > And it does not work for mixed-case hostnames:
> > 
> > - TLS connection established to lower-case-hostname
> > - relay=mixed-case-hostname
> 
> Ah, thanks. Easily enough corrected, by wrapping Perl values in
> lc($value).  If you fix this and more issues, feel free to put it up on
> github somewhere...  I am not planning to become a "maintainer" of this
> off-the-cuff script.

Also I'd be happy to bundle an updated version under $postfix/auxiliary.

Wietse


Re: Check outgoing emails not using TLS

2020-04-07 Thread Viktor Dukhovni
On Tue, Apr 07, 2020 at 11:46:33AM +0200, Michael Storz wrote:

> > I should perhaps mention that the "tlstype.pl" Perl script does not
> > handle TLS connection re-use.  I've not looked at what it would take
> > to do that.
> 
> And it does not work for mixed-case hostnames:
> 
> - TLS connection established to lower-case-hostname
> - relay=mixed-case-hostname

Ah, thanks. Easily enough corrected, by wrapping Perl values in
lc($value).  If you fix this and more issues, feel free to put it up on
github somewhere...  I am not planning to become a "maintainer" of this
off-the-cuff script.

-- 
Viktor.


Re: modifying outbound email headers

2020-04-07 Thread Stefan Claas
Wietse Venema wrote:

> One correction:
> > > Anyway, if you can identify all the mail2news gateways AND your users
> > > must use your server set up a transport map:
> > > 
> > > /etc/postfix/main.cf
> > > transport_maps = hash:/etc/postfix/transport
> > > 
> > > /etc/postfix/transport:
> > > mail2n...@axample.com newsgateway:
> > > mail2news@other.example   newsgateway:
> > > 
> > > (or use a pcre: map if you want broader coverage). 
> > > 
> > > /etc/postfix/master.cf:
> > > newsgateway  unix  -   -   n   -   -   smtp
> > >   -o header_checks=pcre:/etc/postfix/news-header-checks.pcre
> 
> That should be smtp_header_checks (make changes while delivering),
> not header_checks (make changes while receiving).

Thanks for the correction!

Best regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
   


Re: modifying outbound email headers

2020-04-07 Thread Wietse Venema
One correction:
> > Anyway, if you can identify all the mail2news gateways AND your users
> > must use your server set up a transport map:
> > 
> > /etc/postfix/main.cf
> > transport_maps = hash:/etc/postfix/transport
> > 
> > /etc/postfix/transport:
> > mail2n...@axample.com   newsgateway:
> > mail2news@other.example newsgateway:
> > 
> > (or use a pcre: map if you want broader coverage). 
> > 
> > /etc/postfix/master.cf:
> > newsgateway  unix  -   -   n   -   -   smtp
> > -o header_checks=pcre:/etc/postfix/news-header-checks.pcre

That should be smtp_header_checks (make changes while delivering),
not header_checks (make changes while receiving).

Wietse

> > Then populate news-header-checks.pcre with all the patterns that
> > you need to modify or discard information. It will of course break
> > DKIM signatures so be aware of that in your DMARC policies.
> > 
> > Wietse
> 
> Thanks a lot for your help, much appreciated!
> 
> Best regards
> Stefan
> 
> -- 
> Signal (Desktop) +4915172173279
> https://keybase.io/stefan_claas
>
> 


Re: modifying outbound email headers

2020-04-07 Thread Stefan Claas
Wietse Venema wrote:

> Stefan Claas:
> > Wietse Venema wrote:
> > 
> > > Stefan Claas:
> > > > Hi,
> > > > 
> > > > my postfix mail server works perfectly so far.
> > > > 
> > > > However, I am now facing the following problem and have tried as best
> > > > as I can to find a solution to this.
> > > > 
> > > > I run an anonymous remailer, which also allows sending emails to
> > > > mail2news gateways for Usenet postings. So far so good.
> > > > 
> > > > I would like to achieve the following:
> > > > 
> > > > postfix should modify outgoing email headers that *only* go to mail2news
> > > > gateways, using the email gateway addresses for parsing, so that the
> > > > right part of the message ID, after the @ character, will be modified
> > > > with a defined string.
> > > 
> > > Do it in the mail2news gateway.
> > 
> > Oh ... I would have expected a different answer from you.
> > 
> > Like I previously replied in this thread, users are using often multiple
> > mail2news gateways when posting messages to Usenet and this would then
> > result in different message-ids for the same posting.
> 
> Who said that users can only use your Postfix system to post
> to news gateways?

Nobody, sorry if it sounded like that!
 
> Anyway, if you can identify all the mail2news gateways AND your users
> must use your server set up a transport map:
> 
> /etc/postfix/main.cf
> transport_maps = hash:/etc/postfix/transport
> 
> /etc/postfix/transport:
> mail2n...@axample.com newsgateway:
> mail2news@other.example   newsgateway:
> 
> (or use a pcre: map if you want broader coverage). 
> 
> /etc/postfix/master.cf:
> newsgateway  unix  -   -   n   -   -   smtp
>   -o header_checks=pcre:/etc/postfix/news-header-checks.pcre
> 
> Then populate news-header-checks.pcre with all the patterns that
> you need to modify or discard information. It will of course break
> DKIM signatures so be aware of that in your DMARC policies.
> 
>   Wietse

Thanks a lot for your help, much appreciated!

Best regards
Stefan

-- 
Signal (Desktop) +4915172173279
https://keybase.io/stefan_claas
   


Re: modifying outbound email headers

2020-04-07 Thread Wietse Venema
Stefan Claas:
> Wietse Venema wrote:
> 
> > Stefan Claas:
> > > Hi,
> > > 
> > > my postfix mail server works perfectly so far.
> > > 
> > > However, I am now facing the following problem and have tried as best as I
> > > can to find a solution to this.
> > > 
> > > I run an anonymous remailer, which also allows sending emails to mail2news
> > > gateways for Usenet postings. So far so good.
> > > 
> > > I would like to achieve the following:
> > > 
> > > postfix should modify outgoing email headers that *only* go to mail2news
> > > gateways, using the email gateway addresses for parsing, so that the right
> > > > part of the message ID, after the @ character, will be modified with a
> > > defined string.
> > 
> > Do it in the mail2news gateway.
> 
> Oh ... I would have expected a different answer from you.
> 
> Like I previously replied in this thread, users are using often multiple
> mail2news gateways when posting messages to Usenet and this would then
> result in different message-ids for the same posting.

Who said that users can only use your Postfix system to post
to news gateways?

Anyway, if you can identify all the mail2news gateways AND your users
must use your server set up a transport map:

/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
mail2n...@axample.com   newsgateway:
mail2news@other.example newsgateway:

(or use a pcre: map if you want broader coverage). 

/etc/postfix/master.cf:
newsgateway  unix  -   -   n   -   -   smtp
-o header_checks=pcre:/etc/postfix/news-header-checks.pcre

Then populate news-header-checks.pcre with all the patterns that
you need to modify or discard information. It will of course break
DKIM signatures so be aware of that in your DMARC policies.

Wietse


Re: MTA-STS?

2020-04-07 Thread Wietse Venema
David Mehler:
> Hello,
> 
> I just heard about this and started reading on it. Is MTA-STS
> something Postfix works with?

https://www.google.com/search?q=postfix+mta-sts

This uses Postfix's smtp_tls_policy_maps plugin.

Wietse


Re: MTA-STS?

2020-04-07 Thread Scott Kitterman
On Tuesday, April 7, 2020 11:15:27 AM EDT David Mehler wrote:
> Hello,
> 
> I just heard about this and started reading on it. Is MTA-STS
> something Postfix works with?

You need https://github.com/Snawoot/postfix-mta-sts-resolver and then yes.

Scott K




Re: Tracking email status - Bounced, Deferred, Over Quota, Delivered

2020-04-07 Thread Wietse Venema
Owais Khan:
> Thanks
> 
> I knew this way of redirecting output. I thought it would produce me some
> statistics like bounced counts, etc.
> 
> But, it seems to bring chunks from original log. Is this the expected output
> of this collate.pl?

Yes. The purpose of this script is to group logfile records for
the same mail delivery transaction. 

This will help you to find out what happened with the messages that
are the subject of your investigation.

If the remote SMTP server accepted email, then Postfix will log
"status=sent" and the remote SMTP server response will contain an
identifier that the server's administrators can use in further
investigations.

Examples:

Apr  6 05:09:40 spike postfix/smtp[14214]: 48wl9F4n0dzJrNs: 
to=, 
relay=gmail-smtp-in.l.google.com[172.217.197.26]:25, delay=9.3, 
delays=6.9/0.018/1.1/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK  1586164180 
s21si9838137qte.81 - gsmtp)

Apr  6 09:10:04 spike postfix/smtp[17719]: 48wrVh2cdHzJrNt: 
to=, relay=mail.cloud9.net[2604:8d00:0:1::7]:25, 
delay=0.24, delays=0.13/0.026/0.068/0.016, dsn=2.0.0, status=sent (250 2.0.0 
Ok: queued as 8DED4336382)

If the remote SMTP server rejected email, then Postfix will log
"status=bounced" or "status=deferred" and the remote SMTP server
response will say why.

Wietse


MTA-STS?

2020-04-07 Thread David Mehler
Hello,

I just heard about this and started reading on it. Is MTA-STS
something Postfix works with?

Thanks.
Dave.


Re: Tracking email status - Bounced, Deferred, Over Quota, Delivered

2020-04-07 Thread Owais Khan
Thanks

I knew this way of redirecting output. I thought it would produce me some
statistics like bounced counts, etc.

But, it seems to bring chunks from original log. Is this the expected output
of this collate.pl?

Thanks & Regards,
Owais.





Re: Check outgoing emails not using TLS

2020-04-07 Thread Michael Storz

On 2020-04-06 23:53, Viktor Dukhovni wrote:

On Mon, Apr 06, 2020 at 02:53:25PM +0100, Dominic Raferd wrote:


> whose output you'd send to the attached Perl script.  On my system for
> example:
>
> # bzip2 -dcf $(ls -tr /var/log/maillog*) | perl collate | perl tlstype.pl


I should perhaps mention that the "tlstype.pl" Perl script does not
handle TLS connection re-use.  I've not looked at what it would take
to do that.


And it does not work for mixed-case hostnames:

- TLS connection established to lower-case-hostname
- relay=mixed-case-hostname



We should perhaps consider logging some indication of TLS in the
core delivery summary line:

postfix/smtp: : to=<...>,[ orig_to=<...>,] relay=...,
[ tls=:(Anonymous|Untrusted|Verified),]

that is, perhaps just the security level and verification status?

Collating the data from the logs is tricky, and likely more so with
connection reuse (but perhaps not too bad, exercise for the reader...).


Regards,
Michael
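
As an added example (not part of the original thread and not the posters' code): a Python tally of the tlstype.pl output produced by the pipeline quoted above, listing which relays and recipient domains received cleartext deliveries. The input shape is taken from the script's two printf formats; the function names, sample lines, hostnames and queue IDs are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# tlstype.pl prints one line per delivery, in one of two shapes:
#   qid=ID, relay=HOST[ADDR]:PORT, to=<...> -> cleartext
#   qid=ID, relay=HOST[ADDR]:PORT, to=<...> -> LEVEL PROTOCOL with cipher ...
LINE = re.compile(r"^qid=(\w+), relay=(\S+), (to=.*) -> (.*)$")
RCPT_DOMAIN = re.compile(r"^to=<[^>]*@([^>]+)>")

def summarize(lines):
    """Return ({relay_host: Counter(level)}, {rcpt_domain: cleartext count})."""
    by_relay = defaultdict(Counter)
    cleartext_domains = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue  # not tlstype.pl output
        _qid, relay, rcpt, result = m.groups()
        # Drop [addr]:port and fold case, so output of the pre-fix script
        # (relay printed as logged) is tallied under one key.
        host = relay.split("[", 1)[0].lower()
        level = result.split(" ", 1)[0]  # "cleartext", "Untrusted", ...
        by_relay[host][level] += 1
        if level == "cleartext":
            d = RCPT_DOMAIN.match(rcpt)
            cleartext_domains[d.group(1).lower() if d else "?"] += 1
    return by_relay, cleartext_domains

def cleartext_relays(by_relay):
    """Relays with at least one cleartext delivery, worst first."""
    rows = [(h, c["cleartext"], sum(c.values()))
            for h, c in by_relay.items() if c["cleartext"]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample output (hostnames, addresses and queue IDs are made up).
SAMPLE = """\
qid=4AAAAAAAAAzAAAA, relay=mx1.example.net[192.0.2.10]:25, to=<alice@example.net> -> Trusted TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
qid=4BBBBBBBBBzBBBB, relay=MX1.Example.NET[192.0.2.10]:25, to=<bob@example.net> -> cleartext
qid=4CCCCCCCCCzCCCC, relay=mail.example.org[2001:db8::25]:25, to=<carol@example.org>, orig_to=<c@example.com> -> cleartext
qid=4DDDDDDDDDzDDDD, relay=mail.example.org[2001:db8::25]:25, to=<dave@example.org> -> cleartext
qid=4EEEEEEEEEzEEEE, relay=mx.example.com[198.51.100.7]:25, to=<erin@example.com> -> Untrusted TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()

if __name__ == "__main__":
    relays, _ = summarize(SAMPLE if sys.stdin.isatty() else sys.stdin)
    for host, clear, total in cleartext_relays(relays):
        print(f"{host}: {clear}/{total} deliveries in cleartext")
```

Piped after tlstype.pl it reads standard input; run from a terminal with no input it uses the constructed sample.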