[pfx] SASL username logging for failed authentications
Hi,

Is there a way to get the SASL username logged for the failed authentications together with the client IP data? Postfix can log half of the information (the connecting client IP address), while Cyrus saslauthd logs the second half (the username). However, there's no clear way (except the timestamp) to correlate the two. How could one achieve logging both together?

Best regards,
Jozsef
-
E-mail : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
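Added example, not from the thread or from Postfix: a script that does the timestamp correlation the question describes, pairing each Postfix smtpd "SASL ... authentication failed" line (which carries the client IP) with the Cyrus saslauthd "auth failure: [user=...]" line logged within a second of it (which carries the username). Both message formats and the sample lines are assumptions constructed here; a window in which several saslauthd failures land is reported as ambiguous rather than guessed.

```python
"""Pair Postfix "SASL ... authentication failed" lines (client IP) with Cyrus
saslauthd "auth failure: [user=...]" lines (username) by timestamp.
Added example, not from the thread; log formats and sample lines are assumed."""
import re
from datetime import datetime
# syslog prefix "Oct  5 16:04:56 host prog[pid]: message", then the assumed
# bodies of a postfix/smtpd SASL failure and of a saslauthd failure
SYSLOG = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+)\[\d+\]: (.*)$')
PF_FAIL = re.compile(r'warning: \S+\[([^\]]+)\]: SASL (\S+) authentication failed')
SA_FAIL = re.compile(r'auth failure: \[user=([^\]]*)\]')

def _seconds(ts):
    # syslog stamps carry no year; offsets from 1900-01-01 suffice within a day
    dt = datetime.strptime(' '.join(ts.split()), '%b %d %H:%M:%S')
    return (dt - datetime(1900, 1, 1)).total_seconds()

def correlate(lines, tolerance=1.0):
    """Return (matched, ambiguous, unmatched); ambiguous rows list every
    username whose saslauthd failure fell within `tolerance` seconds."""
    pf, sa = [], []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, prog, msg = m.groups()
        if prog.startswith('postfix/') and (f := PF_FAIL.search(msg)):
            pf.append((ts, _seconds(ts), f.group(1), f.group(2)))
        elif prog == 'saslauthd' and (f := SA_FAIL.search(msg)):
            sa.append((_seconds(ts), f.group(1)))
    matched, ambiguous, unmatched, used = [], [], [], set()
    for ts, t, ip, mech in pf:
        cand = [i for i, (t2, _) in enumerate(sa)
                if i not in used and abs(t2 - t) <= tolerance]
        if len(cand) == 1:           # exactly one saslauthd failure nearby
            used.add(cand[0])
            matched.append((ts, ip, mech, sa[cand[0]][1]))
        elif cand:                   # several users failed in the same window
            ambiguous.append((ts, ip, mech, [sa[i][1] for i in cand]))
        else:                        # Postfix failure with no saslauthd line
            unmatched.append((ts, ip, mech))
    return matched, ambiguous, unmatched

# Constructed sample: a clean pair, a window with two saslauthd failures, and a
# Postfix failure that no saslauthd line accounts for.
SAMPLE = """\
Oct  5 16:04:55 mail saslauthd[1201]: do_auth         : auth failure: [user=alice] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct  5 16:04:56 mail postfix/submission/smtpd[1524779]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Oct  5 16:05:10 mail saslauthd[1201]: do_auth         : auth failure: [user=bob] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct  5 16:05:10 mail saslauthd[1201]: do_auth         : auth failure: [user=carol] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
Oct  5 16:05:10 mail postfix/submission/smtpd[1524780]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: authentication failure
Oct  5 16:05:20 mail postfix/submission/smtpd[1524781]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure
""".splitlines()
```

Run it over `journalctl`/syslog output with `correlate(open('/var/log/mail.log'))` style input; the ambiguous and unmatched buckets are the ones worth alerting on separately.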
[pfx] Re: tls and cert problem for submission
Hi,

> > I think I'm having a problem with my certificate for submission not
> > being configured properly. I'm trying to install roundcube but having
> > a problem with properly configuring the cert for submission, but when
> > using openssl to check, it reports a cert problem. This is a cert from
> > Digicert.
>
> Which, you've decided to obfuscate, for little gain. :-( Certificates
> are *public* data, anyone connecting to your server gets a copy as part
> of the TLS handshake...

It's more a matter of being a little embarrassed that I couldn't figure it out on my own. Especially when, after putting this all together, I realized my mistake shortly thereafter.

> > I'm also using tls_server_sni_maps to support multiple domains.
>
> That's perhaps more advanced than you need. Do you really need multiple
> MX hostnames for your various domains. A common MX hostname is MUCH
> easier to manage, and does not then require SNI.

The problem is that I'm forced to use the mail.example.com cert and some users would be confused seeing Example, Inc. in the cert when it is not that company providing those services.

Thank you so much for your help.
Alex
[pfx] Re: tls and cert problem for submission
On Thu, Oct 05, 2023 at 04:18:35PM -0400, Alex via Postfix-users wrote:

> I think I'm having a problem with my certificate for submission not
> being configured properly. I'm trying to install roundcube but having
> a problem with properly configuring the cert for submission, but when
> using openssl to check, it reports a cert problem. This is a cert from
> Digicert.

Which, you've decided to obfuscate, for little gain. :-( Certificates
are *public* data, anyone connecting to your server gets a copy as part
of the TLS handshake...

> openssl s_client -starttls smtp -connect mail.example.com:587
> CONNECTED(0003)
> depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify return:1
>
> Certificate chain
>  0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
>    i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT

Your configured certificate chain has only the end-entity (EE) certificate,
and is missing the intermediate issuer (CA) certificates needed to construct
a full certificate chain. For this, you need at least also the
"DigiCert TLS RSA SHA256 2020 CA1" certificate.
https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem

> Oct 5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI
> cipher.example.com from cipher.example.com[209.216.111.60] not matched,
> using default chain

The certificate appears to be for "mail.example.com" (needlessly obfuscated), but
here you're reporting "cipher.example.com" (needlessly obfuscated).

> Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error
> from cipher.example.com[209.216.111.60]: -1
> Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning:
> TLS library problem: error:0A000418:
> SSL routines::tlsv1 alert unknown ca:
> ssl/record/rec_layer_s3.c:1586:
> SSL alert number 48:

The SMTP client did not recognise the issuing CA (likely for the above stated reason).

> I'm also using tls_server_sni_maps to support multiple domains.

That's perhaps more advanced than you need. Do you really need multiple
MX hostnames for your various domains? A common MX hostname is MUCH
easier to manage, and does not then require SNI.

> smtpd_tls_chain_files =
>     /var/www/mail.example.com-443/ssl/mail.example.com-2023.key,
>     /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

That certificate is still just the EE cert, sans issuer.

> tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
>
> /etc/postfix/vmail_ssl.map:
> clients.example1.com /etc/letsencrypt/privkey.pem /etc/letsencrypt/fullchain.cer
> mail.example.com /var/www/mail.example.com-443/ssl/mail.example.com-2023.key /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

Still missing the issuer CA cert for the second entry. The first one has a
complete chain.

-- 
    Viktor.
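Added check, not from the thread and not part of Postfix: a shell function that takes the certificate file named in smtpd_tls_chain_files (or in a tls_server_sni_maps entry), splits off the EE certificate, and runs `openssl verify` with the remaining certificates as untrusted intermediates, so a file that is "just the EE cert, sans issuer" fails the same way s_client did above. The optional CAFILE argument is an assumption added for offline testing; without it OpenSSL's default trust store is used.

```shell
#!/bin/sh
# Added check, not from the thread or from Postfix: does the certificate file
# handed to smtpd_tls_chain_files (or named in a tls_server_sni_maps entry)
# carry the intermediate issuer(s) a client needs, or only the end-entity cert?
# Usage: check_chain_file CHAINFILE [CAFILE]
#   CHAINFILE  PEM file, EE certificate first, intermediates after it; a
#              PRIVATE KEY block in the same file is ignored
#   CAFILE     optional trust anchors (assumed argument for offline use);
#              without it OpenSSL consults its default store
# Returns 0 when the EE cert verifies using only the file's own intermediates,
# 1 otherwise, naming on stderr the issuer that could not be found.
check_chain_file() {
    chainfile=$1
    cafile=${2:-}
    tmp=$(mktemp -d) || return 1
    # Split every CERTIFICATE block into its own file: cert.1 is the EE cert,
    # cert.2..N are the intermediates the server would send after it.
    n=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (dir "/cert." n) }
        /-----END CERTIFICATE-----/ { inside = 0; close(dir "/cert." n) }
        END { print n + 0 }' "$chainfile")
    [ -n "$n" ] || n=0
    if [ "$n" -eq 0 ]; then
        echo "$chainfile: no certificate found" >&2
        rm -rf "$tmp"; return 1
    fi
    # openssl verify may only use issuers we pass as -untrusted; a file that
    # holds just the EE cert has nothing to pass, exactly the failing case.
    untrusted=""
    if [ "$n" -gt 1 ]; then
        i=2
        while [ "$i" -le "$n" ]; do cat "$tmp/cert.$i"; i=$((i + 1)); done > "$tmp/rest.pem"
        untrusted="-untrusted $tmp/rest.pem"
    fi
    trust=""
    if [ -n "$cafile" ]; then trust="-CAfile $cafile"; fi
    if openssl verify $trust $untrusted "$tmp/cert.1" >/dev/null 2>"$tmp/err"; then
        rc=0
    else
        rc=1
        # Usually "unable to get local issuer certificate", the same error
        # s_client reported against the server in the thread.
        echo "$chainfile: $(tr '\n' ' ' <"$tmp/err")" >&2
        echo "top certificate in file is issued by: $(openssl x509 -in "$tmp/cert.$n" -noout -issuer)" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Fix a failing file by appending the issuer's PEM (for this thread, the DigiCert intermediate linked above) after the EE certificate, then re-run the check before `postfix reload`.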
[pfx] tls and cert problem for submission
Hi,

I think I'm having a problem with my certificate for submission not being configured properly. I'm trying to install roundcube but having a problem with properly configuring the cert for submission, but when using openssl to check, it reports a cert problem. This is a cert from Digicert.

openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(0003)
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify return:1
Certificate chain
 0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

Regular email client users have no problem, but it still looks like something is missing. When going through the roundcube config process, it fails to connect for what also looks like a cert problem.
This is from "smtpd -v" output:

Oct 5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI cipher.example.com from cipher.example.com[209.216.111.60] not matched, using default chain
Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error from cipher.example.com[209.216.111.60]: -1
Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning: TLS library problem: error:0A000418:SSL routines::tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1586:SSL alert number 48:

I'm also using tls_server_sni_maps to support multiple domains. I've also tried concatenating the digicert crt file and the DigiCertCA.crt to create the mail.example.com-2023.crt chain file below.

$ postconf -n |grep tls
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /var/www/mail.example.com-443/ssl/mail.example.com-2023.key, /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

/etc/postfix/vmail_ssl.map:
clients.example1.com /etc/letsencrypt/privkey.pem /etc/letsencrypt/fullchain.cer
mail.example.com /var/www/mail.example.com-443/ssl/mail.example.com-2023.key /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

$ ls -l *vmail*
-rw-r--r-- 1 root root   468 May 14 10:53 vmail_ssl.map
-rw-r--r-- 1 root root 36864 Aug  7 06:18 vmail_ssl.map.db

$ postconf -fM
...
submission inet n - n - - smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o receive_override_options=$submission_overrides
    -o smtp_tls_mandatory_protocols=TLSv1
    -o syslog_name=postfix/submission

I've also tried using "localhost" and "mail.example.com" and the actual hostname in the roundcube config:

$config['smtp_host'] = 'tls://cipher.example.com:587';

Thank you so much for any ideas.
[pfx] Re: Filtering out invalidu...@mydomain.com
On 05/10/2023 04:44, Olivier via Postfix-users wrote:

> Hi,
>
> How is it possible to configure Postfix to filter messages of the form:
>
> from invalidu...@mydomain.com to validu...@mydomain.com
>
> I have been receiving quite a lot recently and they are trash.
>
> Best regards,
> Olivier

From the top of my hash:sender_access file:

...
### Reject any cidercounty sender not from local network
cidercounty.org.uk    permit_sasl_authenticated, reject Sender is not authenticated - Snd-1
...

Anything coming in via port 25 is rejected.

Hope this helps
Allen C