Re: BCP on throttling outbound mail

2012-07-25 Thread Mark Blackman

On 25 Jul 2012, at 08:20, Ansgar Wiechers wrote:

 On 2012-07-25 mouss wrote:
 On 24/07/2012 08:37, Stan Hoeppner wrote:
 You'd think human beings would be smart enough to follow directions
 and use strong passwords, AV software, etc, and not fall for phishing
 scams. Your adversary in this war isn't the spammers, it's not the
 technology, but your users.
 
 oh come on! the users excuse is way too old. if your software accepts
 weak passwords, then the problem is with the software, not the user.
 
 I'd have to disagree on this one. How do you measure strength or
 weakness of a password?
 
 Length? Is aa strong?
 
 Complexity? Is Passw0rd strong?
 
 A combination of the above? Is JosephAverage4/1/1999 strong?
 
 Frequent password changes? Is simplepassword## strong? (## being a
 sequential number)
 
 How do you effectively protect your infrastructure against users or
 (worse) customers writing their passwords on PostIts and leaving them
 around? How do you effectively protect your infrastructure against
 customers getting their own systems compromised?
 
 If you happen to have a solution for this problem, I'm honestly
 interested in learning about it, because I don't see any.

Isn't the conventional wisdom that a long password consisting of 3 or 4
common but longer words is sufficient and memorable, along the lines
of the famous XKCD panel? 

Obviously there's more to it than that, but I didn't think there was 
much disagreement about the ideal form of a memorable and strong password. 
It's a given that your attacker will have an idea what form of password 
to test for, if not the actual password.

Mark

Re: BCP on throttling outbound mail

2012-07-25 Thread Mark Blackman
On 25 Jul 2012, at 10:09, Ansgar Wiechers wrote:

 Mark,
 
 
 Please re-read what I wrote, particularly the second half of it. Is
 Joseph Zebediah Average 4/1/1999 really a strong password?

It is a strong password, unless you believe attackers would regard that 
format as a promising format to exploit. I think that's unlikely to
be a promising format to exploit at the moment.

 If not: how
 do you prevent users/customers from using a password like that?

Well, if you really believe that format is likely, you test for it.

 And how
 do you prevent a customer's system from being compromised with, say, a
 keylogger?

Keyloggers are a completely separate question from passwords and operate
on a different level.

 
 Obviously there's more to it than that, but I didn't think there was
 much disagreement about the ideal form of a memorable and strong
 password. It's a given that your attacker will have an idea what form
 of password to test for, if not the actual password.
 
 Indeed there isn't much disagreement on what forms a strong password (in
 principle). I do fail to see how this could be enforced on a technical
 level, though.

You can readily enforce a minimum length of, say, 12-16 characters, which is a
great place to start, and of course that says nothing about keyloggers
or other infiltrations.

If you're assuming that keyloggers are omnipresent, then you've already
given up on security.

Mark
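The two replies above argue that the technical lever you do have is a minimum length plus explicit tests for the predictable formats named in the thread (a dictionary word with l33t substitutions, a word followed by a counter, a name followed by a date). The following is an added illustration of that kind of check, not code from this thread or from Postfix; the wordlist, the substitution map and the date patterns are constructed stand-ins, and a real deployment would compare against a large breached-password list rather than a six-word set.

```python
"""Password policy check in the spirit of the thread above: enforce a
minimum length and test for the specific weak formats discussed.
Added example; not part of the original discussion."""
import re

MIN_LENGTH = 12  # lower end of the 12-16 character range suggested above

# Constructed mini wordlist (stand-in for a real breached-password list).
COMMON_WORDS = {"password", "simplepassword", "welcome", "letmein",
                "qwerty", "monkey"}

# Undo the usual character substitutions so "Passw0rd" becomes "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# "4/1/1999", "01-04-99", or a bare year such as 1999 / 2012.
DATE_RE = re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|(19|20)\d{2}")
# Something ending in a short run of digits: "simplepassword12".
TRAILING_DIGITS_RE = re.compile(r"^(.*?[A-Za-z])(\d{1,4})$")


def password_problems(pw, min_length=MIN_LENGTH, words=COMMON_WORDS):
    """Return a list of reasons the password is rejected (empty = accepted)."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if len(set(pw)) == 1:
        # "aaaaaaaa" style passwords: one character repeated.
        problems.append("single repeated character")
    base = pw.lower().translate(LEET_MAP)
    if base in words:
        problems.append("dictionary word (after undoing l33t substitutions)")
    m = TRAILING_DIGITS_RE.match(pw)
    if m and m.group(1).lower().translate(LEET_MAP) in words:
        # The "simplepassword##" scheme: a known word plus a counter.
        problems.append("dictionary word followed by a counter")
    if DATE_RE.search(pw):
        # The "JosephAverage4/1/1999" scheme: anything carrying a date.
        problems.append("contains a date or year")
    return problems


def is_acceptable(pw):
    """True when no policy rule fires."""
    return not password_problems(pw)


if __name__ == "__main__":
    # The examples debated in the thread, plus a long passphrase.
    for candidate in ("aa", "Passw0rd", "JosephAverage4/1/1999",
                      "simplepassword12", "correct horse battery staple"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

The date and counter rules are deliberately narrow: they reject the formats the thread names, not every password containing a digit. Widening them is a policy decision, and the place to get real coverage is the wordlist, not more regular expressions.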


Re: assistance with a CIDR issue

2010-11-17 Thread Mark Blackman

Jack wrote:

Hello All,

I am using CIDR lookups and am getting some warnings when it doesn't like
certain IP blocks in my CIDR list.


The error message seems reasonably clear. You shouldn't have any 
non-zero bits after the bit position indicated by the network size (/23 
below).


I.e. those CIDR entries are inconsistent with CIDR notation.



/etc/postfix/CIDR, line 4151: non-null host address bits in
194.149.65.0/23, perhaps you should use 194.149.64.0/23 instead:
skipping this rule
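A small scanner that performs the same consistency check Postfix applies when it reads a cidr: table, and computes the aligned network the warning suggests. This is an added example, not Postfix's own code; the sample table is constructed (its fourth line reproduces the entry from the warning quoted above), and the scanner only looks at the first whitespace-separated field of each non-comment line.

```python
"""Find cidr: table entries whose host bits are non-zero, the condition
behind the "non-null host address bits" warning quoted above, and report
the aligned network Postfix would suggest. Added example, not Postfix code."""
import ipaddress

# Constructed sample cidr: table; line 4 reproduces the entry from the thread.
SAMPLE_CIDR_TABLE = """\
# constructed sample, not a real table
192.0.2.0/24     REJECT
10.0.0.0/8       OK
194.149.65.0/23  REJECT
2001:db8::1/64   REJECT
203.0.113.37/32  OK
"""


def check_cidr_line(entry):
    """Return (ok, canonical).

    ok is True when the entry is already a proper network (no bits set past
    the prefix length); canonical is the entry as a normalised network.
    When host bits are set, canonical is the aligned network, e.g.
    194.149.64.0/23 for 194.149.65.0/23.  A string that is not an address
    at all yields (False, None)."""
    try:
        net = ipaddress.ip_network(entry, strict=True)
        return True, str(net)
    except ValueError:
        try:
            # strict=False masks off the host bits instead of raising.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False, None
        return False, str(net)


def check_cidr_table(text):
    """Scan a cidr: table body; return [(line_number, entry, suggestion)]
    for every entry that Postfix would warn about and skip."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split()[0]  # first field is the address or prefix
        ok, canonical = check_cidr_line(entry)
        if not ok:
            problems.append((lineno, entry, canonical))
    return problems


if __name__ == "__main__":
    for lineno, entry, suggestion in check_cidr_table(SAMPLE_CIDR_TABLE):
        hint = f"perhaps you should use {suggestion}" if suggestion else "not an address"
        print(f"line {lineno}: non-null host address bits in {entry}, {hint}")
```

Running the scanner over a real table before reloading Postfix turns the warning into a pre-deployment check, which matters because Postfix skips the offending rule rather than failing, so a mistyped block silently stops matching.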


Re: adding digital signature to email?

2010-10-27 Thread Mark Blackman
On 27 Oct 2010, at 13:02, Tomasz Chmielewski wrote:

 Is it somehow possible to make Postfix add a digital signature to outgoing 
 emails?
 
 Most likely Postfix itself can't do it, but maybe there is some filter 
 (similar to amavis, or dkimproxy) which can be used with Postfix, which lets 
 digitally sign email (i.e. if From: is X1, sign with key K1)?

That's a job for the MUA, not the MTA. There's no fraud-proof way for postfix 
to know who is sending the email.

- Mark

Re: adding digital signature to email?

2010-10-27 Thread Mark Blackman

On 27 Oct 2010, at 13:11, lst_ho...@kwsoft.de wrote:

 Quoting Mark Blackman m...@exonetric.com:
 
 On 27 Oct 2010, at 13:02, Tomasz Chmielewski wrote:
 
 Is it somehow possible to make Postfix add a digital signature to outgoing 
 emails?
 
 Most likely Postfix itself can't do it, but maybe there is some filter 
 (similar to amavis, or dkimproxy) which can be used with Postfix, which 
 lets digitally sign email (i.e. if From: is X1, sign with key K1)?
 
 That's a job for the MUA, not the MTA. There's no fraud-proof way for 
 postfix to know who is sending the email.
 
 If username/password with TLS is enough, there are fraud-proof ways to do it 
 with a Postfix content-filter; if not, be sure to use at least class 3 ID 
 cards with your MUA.

You're right, of course. I was overlooking that case and thinking of the more 
general internal unauthenticated relay case.

I still suspect that's better done at the MUA level though, as the digital 
signature requires the use of a private key which should have a passphrase 
that only an interactive session can ask for.

OTOH, you can imagine uses of digital signatures that are slightly less 
demanding than the case of an individual making legally-binding statements.

- Mark

Re: OT: need some advice as to distro

2009-12-01 Thread Mark Blackman

On 01/12/2009 14:09, John wrote:

Sorry to bring this here, but we are having trouble setting up a
Postfix/dovecot mail system.

Background:
We are a bunch of retirees, so cost is a factor in any decision. We all
have IT experience, some of going back decades, however the world of
Linux and its software is new to us all. We used the cook book approach
to setting up our first mail system. It uses Postfix/Dovecot on top of
Fedora 8 and so far it works like a charm. While the cook-book approach
got up and running fairly easily I think we missed out on the learning
side of things.

However, there is a growing concern about the basic OS slipping too far
behind on important changes, the same goes for some of the packages we
are planning on using, so we have started looking at alternatives.


Try FreeBSD. http://www.freebsd.org/where.html

- Mark


Re: outgoing spam

2009-10-19 Thread Mark Blackman


On 19 Oct 2009, at 13:41, Paul Cockings wrote:


What are you trying to achieve?
- why do you want anti-spam on outbound mail?


I'd guess he has little or no control over the configuration
of the internal machines and so he's concerned about malware/botnets
perhaps.

- Mark



Re: Looking for opinions on FreeBSD OS for Postfix

2009-08-17 Thread Mark Blackman

On 17/08/2009 17:01, Guy wrote:

Hi,

I'm using Postfix 2.5.5 with Amavis/CLAM. Also looking at adding
SpamAssassin in the near future. I've also got Postfix Policyd V2 on
my gateways.
I've currently got this all running on Ubuntu (Hardy 8.04) and it's
been fine so far.
I have had one or two problems along the way, not with Postfix itself,
but things like NFS at one stage (mail stores are on NFS mounts) so
I'm considering moving away from Ubuntu as and when servers get
replaced by newer hardware. This may be in the next 6 to 12 months as
our current hardware is nearing its limits.

I'm considering FreeBSD as an alternative, but I was wondering what
people think of FreeBSD as a platform for Postfix. It's obviously not
as easy to maintain as Ubuntu, but it does have a reputation for
stability. Any thoughts, recommendations or experiences would be
appreciated.


FreeBSD is an excellent platform to run Postfix on and I think it's
probably as easy to maintain as Ubuntu for the common cases and you'll
find the NFS implementation on FreeBSD very good, although you should
probably expect to do a little tuning if you have a FreeBSD server
and Linux clients.  FreeBSD as a client is quite good, but the NFS
server implementation is probably more important in your case.

- Mark


Re: temporary errors for DNS

2009-07-14 Thread Mark Blackman

On 14/7/09 12:10, Keld Jørn Simonsen wrote:


OK, here goes:

1) The server replies with good news. Postfix replies with good news.

2) The server replies with bad news. Postfix replies with 5xx.

3) No server reply. Postfix replies with 4xx.

Is this finally clear?


Yes, thanks. But it seems that my postfix reacts differently on
an NXDOMAIN and SERVFAIL, although they both should lead to 5xx error codes.
That is why I am so thick to not understand.


I think the distinction here is between a DNS server (what you're
referring to) and an SMTP server (what Wietse is referring to).


DNS server response failure implies no SMTP server reply, thus 4xx.

Seem reasonable?

- Mark