unused parameter: policy-spf_time_limit=3600s

2015-04-18 Thread Juan Pablo

Hello,

I am having a new Ubuntu 14.04 server set up with postfix.  When using 
postfix check I am seeing a warning about an unused parameter:


  /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: policy-spf_time_limit=3600s
  /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: policy-spf_time_limit=3600s
  /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: policy-spf_time_limit=3600s

  repeated 10 more times

policy-spf_time_limit = 3600s

is defined in my main.cf at the bottom

I have the following installed:

  # dpkg -l | grep postfix
  ii  postfix                     2.11.0-1ubuntu1  amd64  High-performance mail transport agent
  ii  postfix-pcre                2.11.0-1ubuntu1  amd64  PCRE map support for Postfix
  ii  postfix-policyd-spf-python  1.2-1            all    Postfix policy server for SPF checking


Can any person tell me if this entry has been deprecated or if it is 
some other problem?


Thanks

JP


receiving duplicate (or more) copies of email

2014-06-12 Thread Juan Pablo

Hello,

I am wondering if someone can point me in direction of troubleshooting 
this.


For the past week we have been receiving some emails as duplicates or 
more, sometimes up to 6 or 7 times.
These multiple copies can be received from any host (eg, skype.com, 
linkedin.com, yahoo, gmail or some corporate services).


From what I can see in the logs, the remote mail server is connecting 
multiple times but for what reason I am not sure


I only have one MX accessible, so it's not coming in via multiple 
sources


Logs for a yahoo.fr email as an example are the following (logs have been 
sanitized):


Jun 11 21:34:13 mailsrv postfix/smtpd[30440]: connect from nm11-vm3.bullet.mail.ir2.yahoo.com[212.82.96.164]
Jun 11 21:34:13 mailsrv postfix/smtpd[30440]: setting up TLS connection from nm11-vm3.bullet.mail.ir2.yahoo.com[212.82.96.164]
Jun 11 21:34:13 mailsrv postfix/smtpd[30488]: connect from nm11-vm8.bullet.mail.ir2.yahoo.com[212.82.96.169]
Jun 11 21:34:14 mailsrv postfix/smtpd[30488]: setting up TLS connection from nm11-vm8.bullet.mail.ir2.yahoo.com[212.82.96.169]
Jun 11 21:34:14 mailsrv postfix/smtpd[30440]: Anonymous TLS connection established from nm11-vm3.bullet.mail.ir2.yahoo.com[212.82.96.164]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 11 21:34:14 mailsrv postfix/smtpd[30488]: Anonymous TLS connection established from nm11-vm8.bullet.mail.ir2.yahoo.com[212.82.96.169]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 11 21:34:14 mailsrv postfix/smtpd[30440]: 264B6B11D: client=nm11-vm3.bullet.mail.ir2.yahoo.com[212.82.96.164]
Jun 11 21:34:14 mailsrv postfix/cleanup[30492]: 264B6B11D: message-id=<1402568771.40464.yahoomail...@web172301.mail.ir2.yahoo.com>
Jun 11 21:34:14 mailsrv postfix/smtpd[30488]: C49551042: client=nm11-vm8.bullet.mail.ir2.yahoo.com[212.82.96.169]
Jun 11 21:34:15 mailsrv postfix/cleanup[30491]: C49551042: message-id=<1402568771.40464.yahoomail...@web172301.mail.ir2.yahoo.com>
Jun 11 21:34:16 mailsrv postfix/qmgr[29330]: 264B6B11D: from=, size=608582, nrcpt=1 (queue active)
Jun 11 21:34:16 mailsrv postfix/smtpd[30440]: disconnect from nm11-vm3.bullet.mail.ir2.yahoo.com[212.82.96.164]
Jun 11 21:34:16 mailsrv postfix/smtpd[30500]: connect from localhost[127.0.0.1]
Jun 11 21:34:16 mailsrv postfix/smtpd[30500]: D12E6C045: client=localhost[127.0.0.1]
Jun 11 21:34:16 mailsrv postfix/cleanup[30493]: D12E6C045: message-id=<1402568771.40464.yahoomail...@web172301.mail.ir2.yahoo.com>
Jun 11 21:34:16 mailsrv postfix/qmgr[29330]: D12E6C045: from=, size=609073, nrcpt=1 (queue active)
Jun 11 21:34:16 mailsrv postfix/smtpd[30500]: disconnect from localhost[127.0.0.1]
Jun 11 21:34:16 mailsrv postfix/smtp[30497]: 264B6B11D: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2.5, delays=2/0/0/0.51, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=30520-03, from MTA: 250 2.0.0 Ok: queued as D12E6C045)
Jun 11 21:34:16 mailsrv postfix/qmgr[29330]: 264B6B11D: removed
Jun 11 21:34:16 mailsrv postfix/qmgr[29330]: C49551042: from=, size=608577, nrcpt=1 (queue active)
Jun 11 21:34:17 mailsrv postfix/smtp[30502]: D12E6C045: to=, relay=10.10.2.2[10.10.2.2]:25, delay=0.2, delays=0.07/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E72551220061)
Jun 11 21:34:17 mailsrv postfix/qmgr[29330]: D12E6C045: removed
Jun 11 21:34:17 mailsrv postfix/smtpd[30488]: disconnect from nm11-vm8.bullet.mail.ir2.yahoo.com[212.82.96.169]
Jun 11 21:34:17 mailsrv postfix/smtpd[30500]: connect from localhost[127.0.0.1]
Jun 11 21:34:17 mailsrv postfix/smtpd[30500]: 32882C01D: client=localhost[127.0.0.1]
Jun 11 21:34:17 mailsrv postfix/cleanup[30492]: 32882C01D: message-id=<1402568771.40464.yahoomail...@web172301.mail.ir2.yahoo.com>
Jun 11 21:34:17 mailsrv postfix/qmgr[29330]: 32882C01D: from=, size=609068, nrcpt=1 (queue active)
Jun 11 21:34:17 mailsrv postfix/smtpd[30500]: disconnect from localhost[127.0.0.1]
Jun 11 21:34:17 mailsrv postfix/smtp[30494]: C49551042: to=, orig_to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.3/0/0/0.3, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=30484-10, from MTA: 250 2.0.0 Ok: queued as 32882C01D)
Jun 11 21:34:17 mailsrv postfix/qmgr[29330]: C49551042: removed
Jun 11 21:34:17 mailsrv postfix/smtp[30507]: 32882C01D: to=, relay=10.10.2.2[10.10.2.2]:25, delay=0.19, delays=0.08/0/0/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4978B1220071)
Jun 11 21:34:17 mailsrv postfix/qmgr[29330]: 32882C01D: removed
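
Added example (not part of the original post): one way to triage a log like the one above is to group queue IDs by Message-ID and separate sessions from outside hosts from loopback re-injection by a content filter (the relay on 127.0.0.1:10024 in the log). The sample lines, host names and Message-IDs below are constructed, and short hexadecimal queue IDs are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log above (hosts, IDs and addresses are made up).
SAMPLE_LOG = """\
Jun 11 21:34:14 mailsrv postfix/smtpd[30440]: 264B6B11D: client=out1.example.net[192.0.2.10]
Jun 11 21:34:14 mailsrv postfix/cleanup[30492]: 264B6B11D: message-id=<abc123@web.example.net>
Jun 11 21:34:14 mailsrv postfix/smtpd[30488]: C49551042: client=out2.example.net[192.0.2.11]
Jun 11 21:34:15 mailsrv postfix/cleanup[30491]: C49551042: message-id=<abc123@web.example.net>
Jun 11 21:34:16 mailsrv postfix/smtpd[30500]: D12E6C045: client=localhost[127.0.0.1]
Jun 11 21:34:16 mailsrv postfix/cleanup[30493]: D12E6C045: message-id=<abc123@web.example.net>
Jun 11 21:34:17 mailsrv postfix/smtpd[30500]: 32882C01D: client=localhost[127.0.0.1]
Jun 11 21:34:17 mailsrv postfix/cleanup[30492]: 32882C01D: message-id=<abc123@web.example.net>
Jun 11 21:35:02 mailsrv postfix/smtpd[30510]: 7A1F0D002: client=mx.example.org[198.51.100.7]
Jun 11 21:35:02 mailsrv postfix/cleanup[30492]: 7A1F0D002: message-id=<single@example.org>
"""

# Matches the smtpd "client=" and cleanup "message-id=" records for a queue ID.
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (client|message-id)=(\S+)")
LOOPBACK = ("127.0.0.1", "::1")

def duplicate_submissions(log_text):
    """Return {message-id: [(queue_id, client), ...]} for messages that
    entered from more than one external (non-loopback) SMTP session."""
    client_of, msgid_of = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        _daemon, qid, key, value = m.groups()
        (client_of if key == "client" else msgid_of)[qid] = value
    external = defaultdict(list)
    for qid, msgid in msgid_of.items():
        client = client_of.get(qid, "unknown")
        # Re-injection from a content filter arrives from loopback; it is
        # the same copy passing through again, not a new delivery.
        if any(f"[{ip}]" in client for ip in LOOPBACK):
            continue
        external[msgid].append((qid, client))
    return {m: hops for m, hops in external.items() if len(hops) > 1}

if __name__ == "__main__":
    for msgid, hops in duplicate_submissions(SAMPLE_LOG).items():
        print(msgid, "accepted", len(hops), "times from outside:")
        for qid, client in hops:
            print("   ", qid, client)
```

A Message-ID reported here was accepted in separate inbound sessions, so the extra copies were handed over by the sending side rather than created by the local filter loop.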


Re: Want to Improve SSL/TLS security

2014-05-31 Thread Juan Pablo

On 2014-05-31 22:34, li...@rhsoft.net wrote:

> *forget* them, they don't understand E-Mail and are too
> dumb for realize the difference between http/smtp


OK forgetting them.

I will be going encrypted connections only soon (yes I realize the 
consequences) so I would like to be able to at the very least disable 
the insecure SSLv2, as I would not want to speak to any host that can do 
this weak protocol.  Is there a reason why the following does not work?


smtpd_tls_mandatory_protocols = !SSLv2

Also using checktls.com  also reports that I have an invalid 
certificate.  Any reason for this?







Want to Improve SSL/TLS security

2014-05-31 Thread Juan Pablo
Afternoon postfix users.   I am trying to improve the encrypted 
connection to my mail server running postfix 2.7.0-1ubuntu0.2 but doing 
tests with https://starttls.info/ I am getting very low scores (E grade) 
for a number of reasons despite making what I thought were necessary 
changes


1) "There is a self-signed certificate in the trust chain. It may be a 
configuration problem"


I have a 4096bit RSA cert signed by Comodo and configured in main.cf as 
follows


  smtpd_tls_cert_file=/etc/ssl/private/mydomain_org.crt
  smtpd_tls_key_file=/etc/ssl/private/mydomain_org.key
  smtp_tls_CAfile = /etc/ssl/private/mydomain_org.ca-bundle

The .key and .csr were generated by me and the .csr sent to Comodo.  
Comodo sent back the .crt and the .ca-bundle


The contents of my /etc/ssl/private is:

  -rw-r--r-- 1 root root 4101 2014-04-12 13:17 mydomain_org.ca-bundle
  -rw-r--r-- 1 root root 2108 2014-04-12 13:17 mydomain_org.crt
  -rw-r--r-- 1 root root 1411 2014-04-12 13:17 mydomain_org.csr
  -rw--- 1 root root 2994 2014-04-12 13:17 mydomain_org.key

I use the same certificate for website too and do not get "self-signed 
certificate" errors. Is there something obvious I did wrong here?



2) Protocol: Supports SSLV2

3) Key exchange: Anonymous Diffie-Hellman is accepted. This is 
suspectible to Man-in-the-Middle attacks.


I am not sure where this gets set so I can disable it

4) Cipher: Weakest accepted cipher: 0

I am not sure where to set this to a higher bit rate. Strongest is 256 
so a low of 128 would be good.


¬Juan
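
Added example (not part of the original posts, and not Postfix's own tooling): a small audit of the inbound TLS settings raised in the two TLS posts above. It relies on documented Postfix behaviour: the smtpd_tls_mandatory_* parameters apply to mandatory TLS, smtpd_tls_protocols and smtpd_tls_exclude_ciphers apply to opportunistic TLS, and smtp_tls_* parameters configure the outbound client. The sample main.cf is constructed from the lines quoted in the posts; the "may" security level is an assumption, and the SSLv3 check goes beyond what the thread asks about.

```python
import re

# Constructed main.cf fragment from the posts; the security level is assumed.
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file=/etc/ssl/private/mydomain_org.crt
smtpd_tls_key_file=/etc/ssl/private/mydomain_org.key
smtp_tls_CAfile = /etc/ssl/private/mydomain_org.ca-bundle
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; leading whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            last, value = (s.strip() for s in raw.split("=", 1))
            params[last] = value
    return params

def audit_smtpd_tls(params):
    """Return findings for the inbound (smtpd) TLS settings discussed in the thread."""
    findings = []
    level = params.get("smtpd_tls_security_level", "")
    # Pick the parameter family that is actually in effect for this level.
    suffix = "mandatory_" if level == "encrypt" else ""
    proto_key = f"smtpd_tls_{suffix}protocols"
    cipher_key = f"smtpd_tls_{suffix}exclude_ciphers"
    protocols = re.split(r"[,\s:]+", params.get(proto_key, ""))
    for weak in ("SSLv2", "SSLv3"):
        if f"!{weak}" not in protocols:
            findings.append(f"{proto_key} does not exclude {weak}")
    if level != "encrypt" and "smtpd_tls_mandatory_protocols" in params:
        findings.append("smtpd_tls_mandatory_protocols is ignored unless "
                        "smtpd_tls_security_level = encrypt")
    excluded = re.split(r"[,\s:]+", params.get(cipher_key, ""))
    if "aNULL" not in excluded:
        findings.append(f"{cipher_key} does not exclude aNULL (anonymous key exchange)")
    if "smtp_tls_CAfile" in params and "smtpd_tls_CAfile" not in params:
        findings.append("smtp_tls_CAfile is a client-side (outbound) setting; "
                        "it does not change the chain smtpd presents")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_smtpd_tls(parse_main_cf(SAMPLE_MAIN_CF))))
```

The legacy smtpd_enforce_tls switch is not modelled; on a real host, feed the function the output of `postconf -n` instead of the sample.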