[pfx] Re: How to hide Exim behind Postfix (Configuring Postfix as a proxy in front of Exim MTAs) (was: Possible (indirect) libspf2 security issues)
On Sun, Oct 01, 2023 at 05:41:22AM +0200, Paul Menzel wrote:

> On 30.09.23 at 22:47, Viktor Dukhovni via Postfix-users wrote:
> > Recent news of security issues in Exim appear to in part implicate
> > libspf2.
>
> Off-topic for Postfix users, but Tobias Fiebig published the article
> *Configuring Postfix as a proxy in front of Exim MTAs* [1].
>
> [1]: https://doing-stupid-things.as59645.net/mail/2023/09/30/postfix-proxy-setup.html

This fails to implement recipient verification, so prone to get clogged
with backscatter. Also TLS settings not ideal, should use explicit set of
match patterns for the hidden MX hosts, not "hostname". Various other nits.

And of course unclear whether the Exim systems behind such a Postfix
really expect to be proxies this way. They might, for example, reject
mail due to SPF policy failures...

Rearchitecting a mail flow is not a simple matter of following an
off-the-shelf HOWTO, hastily written.

--
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] How to hide Exim behind Postfix (Configuring Postfix as a proxy in front of Exim MTAs) (was: Possible (indirect) libspf2 security issues)
Dear Postfix,

On 30.09.23 at 22:47, Viktor Dukhovni via Postfix-users wrote:

> Recent news of security issues in Exim appear to in part implicate
> libspf2.

[…]

Off-topic for Postfix users, but Tobias Fiebig published the article
*Configuring Postfix as a proxy in front of Exim MTAs* [1].

Kind regards,

Paul

[1]: https://doing-stupid-things.as59645.net/mail/2023/09/30/postfix-proxy-setup.html
[pfx] Re: Possible (indirect) libspf2 security issues
On Sat, Sep 30, 2023 at 01:58:17PM -0800, Mike via Postfix-users wrote:

> This is probably obvious to most, but not being a current user of
> DKIM/DMARC, why don't you verify DKIM, or enforce DMARC for inbound
> mail?

The "problems" that DMARC attempts to solve aren't an issue on my end.
I don't have a stake in reducing the email abuse complaint volume at the
major free email providers, nor protecting anyone's brand reputation.

I don't see DMARC as a particularly effective defense against phishing,
and my server's users have good awareness of the fact that you never know
who an email is really from, or where its links might take you.

--
Viktor.
[pfx] Re: Possible (indirect) libspf2 security issues
Mike via Postfix-users:

> Quoting Viktor Dukhovni via Postfix-users:
>
> > On Sun, Oct 01, 2023 at 12:00:25AM +0300, mailmary--- via
> > Postfix-users wrote:
> >
> >> In my case, libspf2 is a dependent package of OpenDMARC
> >
> > Not surprising, since DMARC takes both DKIM and SPF into account.
> >
> > On my system, I sign outgoing mail with DKIM, but neither verify DKIM
> > signatures, nor attempt to enforce DMARC for inbound mail. So, FWIW,
> > there is no libspf2 in my Postfix stack, and the library is not
> > installed on my system.
> >
> > --
> > Viktor.
>
> This is probably obvious to most, but not being a current user of
> DKIM/DMARC, why don't you verify DKIM, or enforce DMARC for inbound
> mail?
>
> I'm going to make a guess that since it isn't implemented consistently
> across platforms, the problems it creates outweigh the benefits.

My system signs mail with DKIM and verifies but ignores the result.
Signatures are too fragile to be useful, and signatures from random
strangers are even less useful, whether or not they do verify.

Wietse
[pfx] Re: Possible (indirect) libspf2 security issues
Quoting Viktor Dukhovni via Postfix-users:

> On Sun, Oct 01, 2023 at 12:00:25AM +0300, mailmary--- via Postfix-users wrote:
>
> > In my case, libspf2 is a dependent package of OpenDMARC
>
> Not surprising, since DMARC takes both DKIM and SPF into account.
>
> On my system, I sign outgoing mail with DKIM, but neither verify DKIM
> signatures, nor attempt to enforce DMARC for inbound mail. So, FWIW,
> there is no libspf2 in my Postfix stack, and the library is not
> installed on my system.
>
> --
> Viktor.

This is probably obvious to most, but not being a current user of
DKIM/DMARC, why don't you verify DKIM, or enforce DMARC for inbound mail?

I'm going to make a guess that since it isn't implemented consistently
across platforms, the problems it creates outweigh the benefits.

Thanks.

Mike
[pfx] Re: Possible (indirect) libspf2 security issues
On Sun, Oct 01, 2023 at 12:00:25AM +0300, mailmary--- via Postfix-users wrote:

> In my case, libspf2 is a dependent package of OpenDMARC

Not surprising, since DMARC takes both DKIM and SPF into account.

On my system, I sign outgoing mail with DKIM, but neither verify DKIM
signatures, nor attempt to enforce DMARC for inbound mail. So, FWIW,
there is no libspf2 in my Postfix stack, and the library is not
installed on my system.

--
Viktor.
[pfx] Re: Possible (indirect) libspf2 security issues
In my case, libspf2 is a dependent package of OpenDMARC
(Alma Linux, Rocky Linux, Oracle Linux)

On Sat, 30 Sep 2023 16:47:30 -0400 Viktor Dukhovni via Postfix-users wrote:

> Recent news of security issues in Exim appear to in part implicate
> libspf2.
>
> While Postfix does not directly use libspf2, and the issues could
> perhaps be in part related to how libspf2 is integrated into Exim, it
> may be prudent for Postfix administrators to audit their MTA software
> stack for plugin components (milters, ...) that use libspf2, and keep an
> eye out for updates. It may also be prudent to disable such components
> in the meantime, if possible.
>
> https://lists.exim.org/lurker/message/20230930.083414.4e1a37f5.en.html
> https://seclists.org/oss-sec/2023/q3/254
> https://www.zerodayinitiative.com/advisories/ZDI-23-1472/
>
> --
> Viktor.
[pfx] Possible (indirect) libspf2 security issues
Recent news of security issues in Exim appear to in part implicate
libspf2.

While Postfix does not directly use libspf2, and the issues could
perhaps be in part related to how libspf2 is integrated into Exim, it
may be prudent for Postfix administrators to audit their MTA software
stack for plugin components (milters, ...) that use libspf2, and keep an
eye out for updates. It may also be prudent to disable such components
in the meantime, if possible.

https://lists.exim.org/lurker/message/20230930.083414.4e1a37f5.en.html
https://seclists.org/oss-sec/2023/q3/254
https://www.zerodayinitiative.com/advisories/ZDI-23-1472/

--
Viktor.
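
One way to carry out the audit suggested in the message above, as an added example that is not part of the original post or of Postfix: it lists installed files that link libspf2 directly and running processes that have it mapped. The scanned directories, the `scan` argument and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): locate software that uses libspf2.
# The scanned directories and the "scan" argument are assumptions.

# Reduce `readelf -d` output on stdin to the libspf2 sonames it lists.
spf2_sonames() {
    sed -n 's/.*(NEEDED).*\[\(libspf2\.so[.0-9]*\)].*/\1/p'
}

# Print "path<TAB>soname" for files under the given directories that name
# libspf2 as a direct dependency. readelf only parses the file, whereas ldd
# may execute code from the binary it inspects.
scan_for_libspf2() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            so=$(readelf -d "$f" 2>/dev/null | spf2_sonames | head -n 1)
            if [ -n "$so" ]; then
                printf '%s\t%s\n' "$f" "$so"
            fi
        done
    done
}

# Print the PIDs whose memory maps include libspf2. This also catches
# indirect and dlopen()ed use. $1 is the proc root (default /proc).
procs_mapping_libspf2() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q '/libspf2\.so' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# Usage: sh audit-libspf2.sh scan   (run as root to read every /proc/PID/maps)
if [ "${1:-}" = "scan" ]; then
    scan_for_libspf2 /usr/sbin /usr/bin /usr/libexec /usr/lib64 /usr/lib
    procs_mapping_libspf2 /proc
fi
```

Cross-check any hit against the milters Postfix actually calls, which `postconf -h smtpd_milters non_smtpd_milters` prints.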