[pfx] Re: SSL_accept error for smtpd

2024-06-10 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 11, 2024 at 09:55:56AM +0800, Jeff Peng via Postfix-users wrote:

> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning:
> TLS library problem:error:1417A0C1:SSL routines:
> tls_post_process_client_hello:no shared cipher:
> ../ssl/statem/statem_srvr.c:2283:
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: lost connection after
> STARTTLS from unknown[172.210.47.140]

The client IP address in question is assigned to Microsoft, perhaps an
Azure cloud IP (so a probe from someone running a TLS scan), or perhaps
an actual Microsoft outbound MTA.  Hard to tell without inspecting their
SPF records.

For maximal compatibility, use an RSA 2048-bit certificate on your end,
and don't overly restrict the choice of ciphers.  Defaults are best.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Noel Jones via Postfix-users

On 6/10/2024 12:10 PM, Gilgongo via Postfix-users wrote:
> On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via
> Postfix-users wrote:
>
>> 3.
>> smtpd_recipient_restrictions = permit_mx_backup
>>
>> avoid this whenever possible. Or at least define
>> permit_mx_backup_networks
>
> Thanks - I forgot to ask about this. Am I right in saying that the
> relay_domains configuration will take care of secondary MX relaying
> (if that's what permit_mx_backup was originally for?), and I can
> remove permit_mx_backup?

You should remove permit_mx_backup.

This feature is intended for ISP-scale users that may not have a
complete list of domains that use their server as a backup MX. In
this case, permit_mx_backup_networks would define the ISP's customer
network space.


  -- Noel Jones


[pfx] DKIM policy question

2024-06-10 Thread Jeff Peng via Postfix-users

Hello

SPF and DMARC have a policy to reject a message.
My question is, why does DKIM have no option for rejecting messages?
For example, if the DKIM signature fails, where do I instruct that this message
can be rejected?


Thank you.


[pfx] Re: SSL_accept error for smtpd

2024-06-10 Thread Jeff Peng via Postfix-users

Thanks Wietse. The request is not made by our client, so I am safe to
ignore the error.

> If this does not happen with a legitimate client, then this could
> be someone who is looking for trouble (they failed) and you can
> ignore the problem.



[pfx] Re: SSL_accept error for smtpd

2024-06-10 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello
> 
> what's this error in mail.log?
> 
> Jun 11 01:52:15 tls-mail postfix/smtpd[67409]: connect from 
> unknown[172.210.47.140]
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: SSL_accept error from 
> unknown[172.210.47.140]: -1
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning: TLS library 
> problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no  <<
> shared cipher:../ssl/statem/statem_srvr.c:2283: <<
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: lost connection after 
> STARTTLS from unknown[172.210.47.140]
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: disconnect from 
> unknown[172.210.47.140] ehlo=1 starttls=0/1 commands=1/2
> 
> I have only port 465 opened for sending mail. port 587 is shutdown.

The lines marked with << show the error message (no shared cipher).

If this does not happen with a legitimate client, then this could
be someone who is looking for trouble (they failed) and you can
ignore the problem.

If this does happen with a legitimate client, then the client or
server needs to adjust their TLS settings.

Wietse
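Wietse's rule of thumb (ignore the error if no legitimate client is affected, adjust TLS settings if one is) needs a way to tell the two cases apart from the log, and Viktor notes that the client IP alone does not settle it. The following is an added example, not code from this thread or from Postfix: a Python script that joins the `SSL_accept error from host[ip]` line (which names the client) with the following `warning: TLS library problem` line (which carries the OpenSSL reason but no client) through the smtpd process id, and then counts failed and completed handshakes per client IP. The embedded sample log is constructed: the lines from this thread plus a made-up legitimate sender (192.0.2.10) and a second failing client (198.51.100.7) whose error uses the OpenSSL 3.x string format.

```python
"""Triage Postfix smtpd TLS handshake failures per client IP.

Added example (not from the thread). The "SSL_accept error from host[ip]"
line names the client; the following "warning: TLS library problem" line
carries the OpenSSL reason but no client, so the two are joined through
the smtpd process id in the syslog tag.
"""
import re
from collections import defaultdict

# Constructed sample log: the lines from the thread plus a made-up legitimate
# sender (192.0.2.10) and a second failing client (198.51.100.7) whose error
# uses the OpenSSL 3.x format, where the function field between "::" is empty.
SAMPLE_LOG = """\
Jun 11 01:52:15 tls-mail postfix/smtpd[67409]: connect from unknown[172.210.47.140]
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: SSL_accept error from unknown[172.210.47.140]: -1
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: lost connection after STARTTLS from unknown[172.210.47.140]
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: disconnect from unknown[172.210.47.140] ehlo=1 starttls=0/1 commands=1/2
Jun 11 01:53:02 tls-mail postfix/smtpd[67410]: connect from mail.example.net[192.0.2.10]
Jun 11 01:53:02 tls-mail postfix/smtpd[67410]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jun 11 01:53:03 tls-mail postfix/smtpd[67410]: disconnect from mail.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Jun 11 01:54:40 tls-mail postfix/smtpd[67411]: connect from unknown[198.51.100.7]
Jun 11 01:54:40 tls-mail postfix/smtpd[67411]: SSL_accept error from unknown[198.51.100.7]: -1
Jun 11 01:54:40 tls-mail postfix/smtpd[67411]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:../ssl/statem/statem_srvr.c:1694:
Jun 11 01:54:40 tls-mail postfix/smtpd[67411]: lost connection after STARTTLS from unknown[198.51.100.7]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def openssl_reason(msg):
    """Extract the reason text from a Postfix "TLS library problem" message.

    OpenSSL 1.1.x: error:1417A0C1:SSL routines:<function>:<reason>:<file>:<line>:
    OpenSSL 3.x:   error:0A000102:SSL routines::<reason>:<file>:<line>:
    In both layouts the reason is the fifth colon-separated field.
    """
    err = msg.split("TLS library problem: ", 1)[-1]
    fields = err.split(":")
    return fields[4] if len(fields) > 4 else err


def triage(log_text):
    """Return {ip: {"failures": n, "successes": n, "reasons": [sorted reasons]}}."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0, "reasons": set()})
    pending = {}  # smtpd pid -> ip whose SSL_accept just failed, awaiting its reason
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("SSL_accept error from"):
            ip = CLIENT_RE.search(msg).group("ip")
            stats[ip]["failures"] += 1
            pending[pid] = ip
        elif msg.startswith("warning: TLS library problem:"):
            ip = pending.pop(pid, None)  # the warning follows the error in the same process
            if ip is not None:
                stats[ip]["reasons"].add(openssl_reason(msg))
        elif "TLS connection established from" in msg:
            # "Anonymous|Untrusted|Trusted|Verified TLS connection established from host[ip]: ..."
            ip = CLIENT_RE.search(msg).group("ip")
            stats[ip]["successes"] += 1
    return {ip: {"failures": s["failures"], "successes": s["successes"],
                 "reasons": sorted(s["reasons"])} for ip, s in stats.items()}


def verdict(entry):
    """Wietse's rule of thumb applied to one client's counters."""
    if entry["failures"] and entry["successes"]:
        return "has completed handshakes before: compare its ciphers/protocols with ours"
    if entry["failures"]:
        return "never completed a handshake: probe/scanner or an incompatible client"
    return "ok"


if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} fail={entry['failures']} ok={entry['successes']} "
              f"reasons={entry['reasons']} -> {verdict(entry)}")
```

The "TLS connection established" summary lines that mark a completed handshake are only written with `smtpd_tls_loglevel = 1` or higher. A client that shows up with both successes and failures deserves a look at what it offers in its ClientHello; one that never completes a handshake and disconnects with `starttls=0/1`, as in the thread, is usually the probe both replies have in mind.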


[pfx] SSL_accept error for smtpd

2024-06-10 Thread Jeff Peng via Postfix-users

Hello

what's this error in mail.log?

Jun 11 01:52:15 tls-mail postfix/smtpd[67409]: connect from 
unknown[172.210.47.140]
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: SSL_accept error from 
unknown[172.210.47.140]: -1
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning: TLS library 
problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no 
shared cipher:../ssl/statem/statem_srvr.c:2283:
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: lost connection after 
STARTTLS from unknown[172.210.47.140]
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: disconnect from 
unknown[172.210.47.140] ehlo=1 starttls=0/1 commands=1/2


I have only port 465 opened for sending mail. port 587 is shutdown.

Thanks.


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users <
postfix-users@postfix.org> wrote:

>
> 3.
> smtpd_recipient_restrictions = permit_mx_backup
>
> avoid this whenever possible. Or at least define permit_mx_backup_networks
>
>
Thanks - I forgot to ask about this. Am I right in saying that the
relay_domains configuration will take care of secondary MX relaying (if
that's what permit_mx_backup was originally for?), and I can remove
permit_mx_backup?


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Bill Cole via Postfix-users
On 2024-06-10 at 10:34:09 UTC-0400 (Mon, 10 Jun 2024 16:34:09 +0200)
Matus UHLAR - fantomas via Postfix-users 
is rumored to have said:

>>> On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, <
>>> postfix-users@postfix.org> wrote:
>>>> why not postscreen for this purpose?
>
>> On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100)
>> Gilgongo via Postfix-users 
>> is rumored to have said:
>>> Thanks - I thought about postscreen, but wasn't sure if it would be
>>> overkill for such a small server? Could look again though.
>
> On 10.06.24 10:11, Bill Cole via Postfix-users wrote:
>> Postscreen is not 'overkill' in any sense. It is designed to shed load from 
>> spambots, so as long as you don't enable the after-greeting tests, it will 
>> be a lighter load than a Perl policy filter.
>
> Not mentioning pregreet test which is AFAIK impossible with policy server.

Right, and the pregreet test is really the biggest hammer of all against the 
spammiest of spam.

-- 
Bill Cole


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Matus UHLAR - fantomas via Postfix-users

>> On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, <
>> postfix-users@postfix.org> wrote:
>>> why not postscreen for this purpose?

> On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100)
> Gilgongo via Postfix-users
> is rumored to have said:
>> Thanks - I thought about postscreen, but wasn't sure if it would be
>> overkill for such a small server? Could look again though.

On 10.06.24 10:11, Bill Cole via Postfix-users wrote:
> Postscreen is not 'overkill' in any sense. It is designed to shed load
> from spambots, so as long as you don't enable the after-greeting
> tests, it will be a lighter load than a Perl policy filter.

Not mentioning pregreet test which is AFAIK impossible with policy server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Bill Cole via Postfix-users

On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100)
Gilgongo via Postfix-users
is rumored to have said:

> On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, <
> postfix-users@postfix.org> wrote:
>
>> why not postscreen for this purpose?
>
> Thanks - I thought about postscreen, but wasn't sure if it would be
> overkill for such a small server? Could look again though.

Postscreen is not 'overkill' in any sense. It is designed to shed load
from spambots, so as long as you don't enable the after-greeting tests,
it will be a lighter load than a Perl policy filter.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, <
postfix-users@postfix.org> wrote:

> why not postscreen for this purpose?
>

Thanks - I thought about postscreen, but wasn't sure if it would be
overkill for such a small server? Could look again though.


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Matus UHLAR - fantomas via Postfix-users

On 10.06.24 12:27, Gilgongo via Postfix-users wrote:
> Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4)
> config is pretty old and confusing, and may not be doing things we want. So
> I'd like to re-jig it. Here's how I think I'd like to have it:
>
> 1. Incoming mail (not from $mynetworks or sasl auth): RBL, SPF/DKIM
> verification and SA (and maybe DMARC as not doing so currently).
>
> 2. Mail originating from $mynetworks and also from sasl-auth clients: DKIM
> signing, SA, Rate/IP limiting (and maybe RBL checks? Not sure).
>
> I think I can do that by having all our "global" settings in main.cf
>
> https://pastebin.com/VKfNW0hu
>
> and then specifying various extra bits and overrides in master.cf:
>
> https://pastebin.com/Qcpt29PV

1.
I would put smtp restrictions to main.cf as smtpd_*_restrictions and
mua_*_restrictions, so I don't have to repeat them in master.cf

> BTW I'm using a script (policyd.pl) that does weighted scoring for RBLs (as
> well as SPF), which I'd prefer rather than doing that with Postfix directly.

2.
postscreen supports these and a few more, which helps against bots.

Just note that nobody should use port 25 for sending mail out.

3.
smtpd_recipient_restrictions = permit_mx_backup

avoid this whenever possible. Or at least define permit_mx_backup_networks

> I've put a couple of questions in as comments in the configs - any
> thoughts/suggestions very much appreciated! :-)


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller
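Three of the main.cf points made in this thread can be checked mechanically: Matus's point 3 and Noel's follow-up (permit_mx_backup without permit_mx_backup_networks), Viktor's "defaults are best" for the smtpd cipher parameters, and Bill's remark that it is postscreen's after-greeting tests, not postscreen itself, that cost load. The following is an added example, not code from this thread or from Postfix: a small Python audit that parses the main.cf `name = value` format, continuation lines included, and flags those three patterns. The two embedded configs are constructed (they are not the poster's pastebins), and the default values it compares against are Postfix's documented defaults as shown by `postconf -d`.

```python
"""Audit a Postfix main.cf for three pitfalls raised in this thread.

Added example, not code from the thread or from Postfix. It parses the
main.cf "name = value" format (a line starting with whitespace continues
the previous logical line; lines starting with '#' are comments) and flags:
  1. permit_mx_backup without permit_mx_backup_networks (Matus / Noel);
  2. smtpd TLS cipher parameters changed away from their defaults (Viktor);
  3. postscreen after-greeting ("deep protocol") tests switched on (Bill Cole).
"""
import re


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, joining continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation of the previous line
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                             # not "name = value"; Postfix would warn
        current = name.strip()
        params[current] = value.strip()
    return params


# Postfix defaults for the smtpd cipher parameters (postconf -d).
TLS_CIPHER_DEFAULTS = {
    "smtpd_tls_ciphers": "medium",
    "smtpd_tls_mandatory_ciphers": "medium",
    "smtpd_tls_exclude_ciphers": "",
}
# postscreen's after-greeting tests; all default to "no".
POSTSCREEN_DEEP_TESTS = (
    "postscreen_pipelining_enable",
    "postscreen_non_smtp_command_enable",
    "postscreen_bare_newline_enable",
)


def audit(params):
    """Return a list of findings; empty when none of the three pitfalls is present."""
    findings = []
    for p in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"):
        items = re.split(r"[\s,]+", params.get(p, "").strip())
        if "permit_mx_backup" in items and not params.get("permit_mx_backup_networks", "").strip():
            findings.append(
                f"{p}: permit_mx_backup without permit_mx_backup_networks; any domain "
                "whose MX records point at this host can relay through it. List the "
                "domains you really back up in relay_domains and drop permit_mx_backup.")
    for name, default in TLS_CIPHER_DEFAULTS.items():
        if name in params and params[name] != default:
            findings.append(
                f"{name} = {params[name]!r}: differs from the default {default!r}; a "
                "narrowed cipher list is what produces 'no shared cipher' for older "
                "but legitimate senders.")
    deep = [t for t in POSTSCREEN_DEEP_TESTS if params.get(t, "no").lower() == "yes"]
    if deep:
        findings.append(
            "postscreen after-greeting tests enabled (" + ", ".join(deep) + "); "
            "the pregreet test is the cheap win, these add work per connection.")
    return findings


# Constructed configs; neither is the poster's pastebin.
BAD_MAIN_CF = """\
# secondary MX done the risky way, ciphers tightened, deep tests on
myhostname = mail.example.com
relay_domains =
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_mx_backup,
    reject_unauth_destination
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, RC4, 3DES, AES128
postscreen_pipelining_enable = yes
"""

GOOD_MAIN_CF = """\
# explicit backup-MX domains, default ciphers, pregreet test only
myhostname = mail.example.com
relay_domains = example.org, example.net
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_tls_ciphers = medium
postscreen_greet_action = enforce
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_MAIN_CF), ("good", GOOD_MAIN_CF)):
        print(f"[{label}]")
        for finding in audit(parse_main_cf(cfg)) or ["no findings"]:
            print("  -", finding)
```

Feed it the file itself or the output of `postconf -n`. For the permit_mx_backup finding the fix is the one Noel gives: put the domains you actually back up in relay_domains, which reject_unauth_destination then permits, and drop permit_mx_backup; permit_mx_backup_networks only makes sense where, as for an ISP, the primary MX hosts of the backed-up domains all sit in address space you know.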


[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Jeff Peng via Postfix-users

why not postscreen for this purpose?

> BTW I'm using a script (policyd.pl) that does
> weighted scoring for RBLs (as well as SPF), which I'd prefer rather than
> doing that with Postfix directly.



[pfx] Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4)
config is pretty old and confusing, and may not be doing things we want. So
I'd like to re-jig it. Here's how I think I'd like to have it:

1. Incoming mail (not from $mynetworks or sasl auth): RBL, SPF/DKIM
verification and SA (and maybe DMARC as not doing so currently).

2. Mail originating from $mynetworks and also from sasl-auth clients: DKIM
signing, SA, Rate/IP limiting (and maybe RBL checks? Not sure).

I think I can do that by having all our "global" settings in main.cf

https://pastebin.com/VKfNW0hu

and then specifying various extra bits and overrides in master.cf:

https://pastebin.com/Qcpt29PV

BTW I'm using a script (policyd.pl) that does weighted scoring for RBLs (as
well as SPF), which I'd prefer rather than doing that with Postfix directly.

I've put a couple of questions in as comments in the configs - any
thoughts/suggestions very much appreciated! :-)

Jonathan