Re: Upgrade postfix 2.11 to 3.1

2016-03-03 Thread yahoogroups
The upgrade to 3.1 was uneventful. I noticed you don't need to select an option 
for Dovecot. 

Nice work. 

As an FYI, I ran the online DROWN test without blocking SSLv2 but using the 
updated openssl. No DROWN issue detected.

Apologies for the top post due to use of a smartphone. 


  Original Message  
From: Wietse Venema
Sent: Thursday, March 3, 2016 9:58 AM
To: Postfix users
Reply To: Postfix users
Cc: Wietse Venema; u...@porcupine.org
Subject: Re: Upgrade postfix 2.11 to 3.1

Matthias Fechner:
> Does this mean, I do not have to modify anything in the config?
> Regarding the page http://www.postfix.org/COMPATIBILITY_README.html
> postfix would log explicit lines if I have to touch anything.

Wietse:
> If you don't want those lines to be logged, set the parameter
> (relayhost, or whatever it is that needs to be kept), and set
> "compatibility_level = 2".

yahoogro...@lazygranch.xyz:
> I hate to bug you gurus, but can you guys mention which config
> file parameters go in, that is main or master. I simply don't know
> postfix that well, and RTFMing requires knowing which document to
> read.

These parameters go in main.cf, see COMPATIBILITY_README for
instructions.

> I've been hesitant to upgrade to postfix 3 given that everything
> is working on 2.11, but the handwriting is on the wall. I gather
> you just do the upgrade and see what breaks?

Nothing is supposed to break. Postfix is unlike some projects
that don't give a damn about breaking other people's systems. 

I added the compatibility level stuff so that you get to choose.


Wietse


Re: Upgrade postfix 2.11 to 3.1

2016-03-03 Thread yahoogroups
I hate to bug you gurus, but can you guys mention which config file parameters 
go in, that is main or master. I simply don't know postfix that well, and 
RTFMing requires knowing which document to read.

I've been hesitant to upgrade to postfix 3 given that everything is working on 
2.11, but the handwriting is on the wall. I gather you just do the upgrade and 
see what breaks?

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Wietse Venema
Sent: Thursday, March 3, 2016 4:26 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: Upgrade postfix 2.11 to 3.1

Matthias Fechner:
> Does this mean, I do not have to modify anything in the config?
> Regarding the page http://www.postfix.org/COMPATIBILITY_README.html
> postfix would log explicit lines if I have to touch anything.

If you don't want those lines to be logged, set the parameter
(relayhost, or whatever it is that needs to be kept), and set
"compatibility_level = 2".


Re: Security: How to limit authentication attempts?

2016-02-21 Thread yahoogroups
Sorry about the top posting, but I'm on my phone. 

Is this supposed to be 2 and 3 also rather than 20 and 30?

in master.cf submission and smtps
-o smtpd_soft_error=20
-o smtpd_hard_error=30


  Original Message  
From: Benny Pedersen
Sent: Sunday, February 21, 2016 4:13 AM
To: postfix-users@postfix.org
Subject: Re: SV: Security: How to limit authentication attempts?

On 2016-02-21 13:00, Kiss Gábor wrote:
>> > My colleagues need authenticated channel to submit mails when traveling.
>> > So disabling sasl is not an option.
>> read again, I just say disable it on port 25
>> and convince users to use submission port 587, or 465 as users see fit
> Can you guarantee that hotel firewalls allow to reach my port 587? :->

if they block port 25 then use port 26 :=)

but stop sasl auth on port 25, in case it breaks anything for users they 
can still send postmaster an email, but not relay

>>> The problem is already solved by Allen Coates. :-)
>> what problem ?
> "how to configure smtpd to close connection after 3 authentication 
> error"?
> http://article.gmane.org/gmane.mail.postfix.user/254364

change _error smtpd settings

in main.cf
smtpd_soft_error = 2
smtpd_hard_error = 3

in master.cf submission and smtps
-o smtpd_soft_error=20
-o smtpd_hard_error=30

but the master.cf does not matter, just a how to learn more postfix

untested here with the master.cf, so if it works be happy
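Added example (editor's code, not from Benny or any other poster in this thread). Two caveats first: the parameters are actually named smtpd_soft_error_limit and smtpd_hard_error_limit (the bare "smtpd_soft_error" / "smtpd_hard_error" above are not Postfix parameters, and Postfix logs a warning about unused main.cf parameters at startup), and a low hard limit only disconnects the current session, it does not stop the client from reconnecting. What you actually want to know is which clients keep hitting the limit, and that is in the smtpd log: "SASL ... authentication failed" warnings, "too many errors after AUTH from ..." when the hard limit fires, and "sasl_username=" on the accepted message when a login succeeds. The script below parses a constructed log excerpt (the log lines and addresses are made up for the example) and flags clients that reached the limit without ever authenticating, which is the input you would feed a firewall rule or a fail2ban-style jail.

```python
import re
from collections import Counter

# Constructed Postfix smtpd log excerpt (not taken from the thread): one client
# on 203.0.113.7 fails SASL three times and is cut off by the hard error limit,
# one real user on 198.51.100.12 mistypes a password once and then succeeds.
SAMPLE_LOG = """\
Feb 21 13:01:02 mx postfix/smtpd[2001]: connect from unknown[203.0.113.7]
Feb 21 13:01:03 mx postfix/smtpd[2001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 13:01:04 mx postfix/smtpd[2001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Feb 21 13:01:05 mx postfix/smtpd[2001]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Feb 21 13:01:06 mx postfix/smtpd[2001]: too many errors after AUTH from unknown[203.0.113.7]
Feb 21 13:02:10 mx postfix/smtpd[2002]: connect from laptop.example.net[198.51.100.12]
Feb 21 13:02:11 mx postfix/smtpd[2002]: warning: laptop.example.net[198.51.100.12]: SASL PLAIN authentication failed: authentication failure
Feb 21 13:02:15 mx postfix/smtpd[2002]: 4F2A1C0A1B: client=laptop.example.net[198.51.100.12], sasl_method=PLAIN, sasl_username=alice
"""

# "hostname[ip]" as smtpd logs the client; the ip class also covers IPv6 literals.
CLIENT = r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
AUTH_FAIL = re.compile(r"warning: " + CLIENT + r": SASL (?P<mech>\S+) authentication failed")
AUTH_OK = re.compile(r"client=" + CLIENT + r", sasl_method=(?P<mech>\S+), sasl_username=(?P<user>\S+)")
TOO_MANY = re.compile(r"too many errors after (?P<stage>\S+) from " + CLIENT)


def summarize_auth(log_text):
    """Per client IP: SASL failures, successful logins, and smtpd-enforced disconnects."""
    fails, oks, dropped = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            fails[m.group("ip")] += 1
            continue
        m = AUTH_OK.search(line)
        if m:
            oks[m.group("ip")] += 1
            continue
        m = TOO_MANY.search(line)
        if m:
            dropped[m.group("ip")] += 1
    return fails, oks, dropped


def suspicious_clients(log_text, hard_error_limit=3):
    """IPs that reached the hard error limit without ever authenticating:
    the candidates for a firewall block or a fail2ban-style jail. A user who
    fumbles a password and then logs in is deliberately not listed."""
    fails, oks, _ = summarize_auth(log_text)
    return sorted(ip for ip, n in fails.items() if n >= hard_error_limit and oks[ip] == 0)


if __name__ == "__main__":
    fails, oks, dropped = summarize_auth(SAMPLE_LOG)
    for ip in sorted(set(fails) | set(oks)):
        print(f"{ip:16} failed={fails[ip]} ok={oks[ip]} disconnected={dropped[ip]}")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Run it against /var/log/mail.log (or journalctl -u postfix) instead of SAMPLE_LOG; the hard_error_limit argument should match whatever smtpd_hard_error_limit you set in main.cf or per service in master.cf.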


Re: Blocking TLDs

2016-02-19 Thread yahoogroups
Actually I have a xyz domain that mirrors my com domain. I use it for test 
purposes. 

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Sebastian Nielsen
Sent: Friday, February 19, 2016 3:53 PM
To: postfix-users@postfix.org
Subject: SV: SV: Blocking TLDs

1: REJECT tells the spammer "Hey, your spam got stuck in the spam filter. Wanna 
try again?".
Better to DISCARD it so the spammer think they got the spam through, then they 
won't switch to a new domain.

I don't think anyone ever will receive legitimate mail from any of those spammy 
TLDs listed in the rules file I gave.

2: It's just a habit; every time some process complains of not being able to access a 
file, "666" is the universal solution. Of course, this isn't recommended in a 
web hosting setup, but if you're hosting for example a mail server for a 
company, and only you as a sysadmin have shell access to the server, there's no 
danger in 666'ing files that throw permission errors. Then the file isn't really 
"world writable", since only you have an account on the server anyway.

-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of A. Schulze
Sent: 19 February 2016 23:52
To: postfix-users@postfix.org
Subject: Re: SV: Blocking TLDs


Sebastian Nielsen:

> Then paste all the DISCARD lines into a new file called 
> /etc/postfix/banned_tlds (and also add some own TLDs there, it's just 
> a matter of copy-pasting one line and then changing the TLD), and also remove lines 
> for TLDs you don't want to block.
>
> Chmod the banned_tlds file to 666 to ensure the postfix process can read it.

two annotations:
- I would not suggest DISCARD but REJECT
- mode 666 (world writable) is generally not needed. 644 is enough

Andreas

>
> Then do “service postfix restart”
>
> Then you should be all set.
>
> Test the permission by sending an email using a spoofed address in your 
> email software, to yourself. The mail will always be successfully sent, but:
>
> If all goes well, you should see in the logs that “DISCARD” action was 
> triggered, which means the mail will be tossed in the dustbin without 
> delivering it to you.
>
> Remember to return your email client to non-spoofed state after that, 
> for obvious reasons.
>
> From: Wolfe, Robert [mailto:robert.wo...@robertwolfe.org]
> Sent: 19 February 2016 23:19
> To: 'Sebastian Nielsen' ; 
> postfix-users@postfix.org
> Subject: RE: Blocking TLDs
>
> Just copy and paste the DISCARD contents into banned_tlds?

>
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Sebastian 
> Nielsen
> Sent: Friday, February 19, 2016 3:50 PM
> To: postfix-users@postfix.org 
> Subject: SV: Blocking TLDs
>
> smtpd_sender_restrictions = check_sender_access 
> pcre:/etc/postfix/banned_tlds
>
> banned_tlds:
>
> /\.bid$/ DISCARD
> /\.top$/ DISCARD
> /\.xyz$/ DISCARD
> /\.date$/ DISCARD
> /\.faith$/ DISCARD
> /\.download$/ DISCARD
>
> Problem solved.
>
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wolfe, Robert
> Sent: 19 February 2016 22:36
> To: postfix-users@postfix.org 
> Subject: Blocking TLDs
>
> Greetings all!
>
> This is actually my first posting to the mailing list, but I have 
> actually been following along on a regular basis and have learned 
> quite a bit of good things (and bad things *smiles*) about Postfix. 
> Unfortunately, I have one question that I am hoping someone here on the 
> mailing list can answer.
>
> I get a LOT of emails from domains that have *.download and *.xyz and 
> their TLDs and I was wondering if there was a way in Postfix that I 
> could block emails that are coming in from these (and other) TLDs at 
> the connection level?






Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread yahoogroups
If wishes were horses. ;-) 

My xyz domain is on the VPS. I'm going to switch systems in a few days.
  Original Message  
From: Viktor Dukhovni
Sent: Monday, November 23, 2015 2:45 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: Feedback on Postscreen Whitelist Article

On Mon, Nov 23, 2015 at 02:29:45PM -0800, yahoogro...@lazygranch.xyz wrote:

> Regarding Spamhaus, I am periodically blacklisted on my hosted Web service
> provider because somebody sets up an account on the same service, then
> spews spam. Because I share the same IP, I'm declared toxic. 

Sounds like the listing is entirely appropriate... You might want
hosting from a provider that does a better job of controlling
outbound spam.

-- 
Viktor.


Re: Feedback on Postscreen Whitelist Article

2015-11-23 Thread yahoogroups
Regarding Spamhaus, I am periodically blacklisted on my hosted Web service 
provider because somebody sets up an account on the same service, then spews 
spam. Because I share the same IP, I'm declared toxic. 

I have set up a VPS, which of course has its own IP, not to get in this boat. 
But I am so negative regarding Spamhaus due to unwarranted blocking that I 
refuse to use it.


Re: DKIM Signature fails

2015-11-19 Thread yahoogroups
Ignore my comment. I was thinking S/MIME. Sorry about that. 


  Original Message  
From: Wietse Venema
Sent: Thursday, November 19, 2015 12:33 PM
To: Postfix users
Reply To: Postfix users
Subject: Re: DKIM Signature fails

yahoogro...@lazygranch.xyz:
> I get the body hash failure on plain text.

To send 8bit mail, you must provide appropriate MIME headers and
ESMTP attributes, otherwise you violate email RFCs, and there is
no guarantee whatsoever.

In addition, it is wise to convert 8bit mail to quoted-printable
before signing it, unless you are 100% certain that all MTAs in
the path announce support for 8BITMIME. Otherwise a MIME-compliant
MTA will break your DKIM signatures.

Wietse


Re: DKIM Signature fails

2015-11-19 Thread yahoogroups
I get the body hash failure on plain text. 
  Original Message  
From: Wietse Venema
Sent: Thursday, November 19, 2015 10:24 AM
To: Postfix users
Reply To: Postfix users
Subject: Re: DKIM Signature fails

Andy A:
>Following is the original message which fails the DKIM verification
>at the verifier's end. As you can see, the lines have been chopped
>off and a '=' has been added towards the end of the line where the
>lines have been longer than 74 characters.
>
>Hi ,
>
>An account has been created for you to access our network.
>
>Once you will be on-site, authenticate using the following credentials
>to= our captive portal:

You are sending an 8BITMIME message to an SMTP server that does not
announce 8BITMIME support. 

To quote from an earlier thread on this topic

[begin quote]

As required by the MIME RFCs, an MTA must either bounce mail or 
convert it to quoted-printable when it needs to deliver 8BITMIME 
mail to an SMTP server that does not announce 8BITMIME support. 

DKIM signatures of 8BITMIME mail may break unless all SMTP servers 
in the path implement and announce 8BITMIME support. Otherwise, it 
is better to down-convert to quoted-printable before DKIM signing. 

[end quote]

See also: http://comments.gmane.org/gmane.ietf.dkim/11640

Wietse
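Added example (editor's code; not from Wietse, Andy A or any poster, and not Postfix's or OpenDKIM's own code) to make the failure mode in this thread concrete. It signs a constructed 8-bit body, then plays the role of the MIME-compliant relay that has to deliver to a next hop without 8BITMIME and therefore rewrites the body as quoted-printable (Python's quopri stands in for the MTA's converter: it wraps long lines with "=" soft breaks and encodes bytes above 127 as =XX), and finally recomputes the bh= value the way a verifier would. Assumptions: DKIM "relaxed" body canonicalization and SHA-256 (the header hash and the RSA signature are left out, since only the body hash is at issue); a body that is already 7-bit quoted-printable is passed through unchanged by later hops, which is why converting before signing fixes it.

```python
import base64
import hashlib
import quopri
import re

# Constructed 8-bit message body (not one of the messages quoted in the thread).
# It has the two properties that make a MIME-compliant relay rewrite it when the
# next hop does not announce 8BITMIME: a line longer than 76 characters and a
# byte above 127 (the UTF-8 "é").
SAMPLE_BODY_8BIT = (
    "Hi,\r\n"
    "\r\n"
    "Once you are on-site, authenticate using the following credentials to our captive portal:\r\n"
    "Username: email.verify\r\n"
    "The caf\u00e9 network access will be valid for 1 hour.\r\n"
).encode("utf-8")


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4):
    CRLF line endings, trailing whitespace stripped from every line, runs of
    WSP collapsed to one space, and trailing empty lines removed."""
    lines = re.split(rb"\r\n|\n", body)
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def downconvert_to_qp(body: bytes) -> bytes:
    """What an MTA does with an 8BITMIME body when the next hop only offers
    7-bit SMTP: re-encode it as quoted-printable. The stdlib encoder wraps
    long lines with '=' soft line breaks and encodes bytes above 127 as =XX;
    a short, pure-ASCII body comes back byte-for-byte identical."""
    return quopri.encodestring(body)


def verifier_accepts(bh_from_signature: str, delivered_body: bytes) -> bool:
    """The receiving verifier recomputes bh= over the body it actually got."""
    return bh_from_signature == body_hash(delivered_body)


def sign_then_downconvert(body: bytes) -> bool:
    """Wrong order: sign the raw 8-bit body, then a relay down-converts it.
    The verifier hashes the rewritten body and the bh= values differ."""
    bh = body_hash(body)
    return verifier_accepts(bh, downconvert_to_qp(body))


def downconvert_then_sign(body: bytes) -> bool:
    """Right order: down-convert first and sign the 7-bit result. A 7-bit
    quoted-printable body is passed through unchanged by every later hop,
    so the verifier sees exactly what was signed."""
    seven_bit = downconvert_to_qp(body)
    bh = body_hash(seven_bit)
    return verifier_accepts(bh, seven_bit)


if __name__ == "__main__":
    print("sign, then relay down-converts; verifier accepts:", sign_then_downconvert(SAMPLE_BODY_8BIT))
    print("down-convert, then sign; verifier accepts:", downconvert_then_sign(SAMPLE_BODY_8BIT))
    print(downconvert_to_qp(SAMPLE_BODY_8BIT).decode("ascii"))
```

The printed quoted-printable body shows the same "=" soft breaks and split words that Andy's failing message has; that rewrite happened after the signature was computed, which is the whole problem. The fix is on the sending side (encode as quoted-printable before the milter signs), not in the verifier.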


Re: DKIM Signature fails

2015-11-19 Thread yahoogroups
FWIW, I have the same problem. I saw it as intermittent, but now that you 
tracked it down to the width of the lines, this makes sense. I do have access 
to my server console at the moment, but I'm running the highest rev of postfix 
2. I believe it is rev 11. 

So is this problem present in postfix 3?

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Andy A
Sent: Thursday, November 19, 2015 9:23 AM
To: postfix-users@postfix.org
Subject: DKIM Signature fails

Hello. 

We have Postfix 2:2.6.6-6.el6_5 running locally with opendkim, opendmarc on 
Centos 6.x. All the emails are sent via the local MTA (postfix)

The mails are being delivered and are signed as they have DKIM signature, but 
the body hash fails. DNS TXT records for dmarc, dkim and spf are all valid and 
present. We have figured out what the issue is. Postfix is chopping certain 
lines of the messages after a total of 74 characters. This is quite strange as 
the line length limit for Postfix is 998 characters and SMTP protocol line 
length limit is 1000 characters. But, what's even more puzzling is that the 
messages which are being sent out as text/plain are also being subjected to 
this chopping. 

Thus, the messages which have lines longer than 74 characters get chopped and 
split into two lines after DKIM signature is applied to the mail message. This 
results in incorrect body hash on the verifier's end. I have tested this with 
two different messages stated below. 

Following is the original message which fails the DKIM verification at the 
verifier's end. As you can see, the lines have been chopped off and a '=' has 
been added towards the end of the line where the lines have been longer than 74 
characters.

Hi  ,

An account has been created for you to access our network.

Once you will be on-site, authenticate using the following credentials to=
 our captive portal:

Username: email.verify
Password: password

This username and password will be valid starting 2015-11-18. Registratio=
n must happen before 2015-11-19. Once authenticated the access will be va=
lid for 1 hour.

Please ignore this request if you have not requested network access.
--
This is a post only E-mail, please do not reply.


Following is the message which passes the DKIM verification at the verifier's 
end. I modified the message so that no lines are longer than 74 characters.

Hi  ,

An account has been created for you to access our network.

Username: email.verify
Password: password

Please ignore this request if you have not requested network access.
--
This is a post only E-mail, please do not reply 

=

Can anyone suggest what's going on and how can this be resolved?
Thank you for your time and help.


Re: rejecting email from specific domains

2015-11-16 Thread yahoogroups
FWIW, I keep an xyz tld for test purposes. Point dot com to production and dot 
xyz for test. Yes I know there are ways to do this with a subdomain, but dot 
xyz is really cheap.

I never investigated if there are production users of xyz.  
  Original Message  
From: Viktor Dukhovni
Sent: Monday, November 16, 2015 10:35 PM
To: postfix-users@postfix.org
Reply To: postfix-users@postfix.org
Subject: Re: rejecting email from specific domains

On Mon, Nov 16, 2015 at 11:31:23PM -0600, Chris Boylan wrote:

> So if I build a one line /etc/postfix/access with
> .xyz  REJECT

http://www.postfix.org/postconf.5.html#parent_domain_matches_subdomains

If smtpd_access_maps is included, then the key is "xyz" not ".xyz".
You can always list both, but I think it rather risky to block an
entire gTLD.

-- 
Viktor.
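Added example (editor's code, not from Viktor, Sebastian or any other poster, and not Postfix's own lookup code) covering both this thread and the "Blocking TLDs" thread above. It emulates what check_sender_access does with the two table types people proposed: a pcre: table (first matching pattern wins, the key is the full sender address) and a hash: table, where the lookup order is the full address, then the domain and its parent domains, then localpart@. For the parent domains it shows Viktor's point: with smtpd_access_maps listed in parent_domain_matches_subdomains the parent keys are looked up bare ("xyz"), otherwise with a leading dot (".xyz"). The last function is the permission check from the other thread: a table that smtpd only reads needs mode 644, and 666 just makes it world-writable. The tables and addresses are constructed for the example. One more caveat that the emulation does not model: DISCARD accepts the message and silently drops it, REJECT returns a 5xx to the sender, so a misfiring DISCARD rule loses legitimate mail without anyone noticing.

```python
import os
import re
import stat
import tempfile

# Constructed pcre: table (same shape as the thread's banned_tlds, not a copy of
# anyone's production config). Patterns are tried in order; the first hit wins.
BANNED_TLDS_PCRE = [
    (re.compile(r"\.bid$"), "DISCARD"),
    (re.compile(r"\.xyz$"), "DISCARD"),
    (re.compile(r"\.download$"), "DISCARD"),
]


def pcre_sender_lookup(sender, table):
    """check_sender_access pcre:/path emulation: the sender address is the key."""
    for pattern, action in table:
        if pattern.search(sender.lower()):
            return action
    return None


def domain_lookup_keys(domain, parent_matches_subdomains):
    """Keys tried for the domain part of an address, per access(5).
    With smtpd_access_maps in parent_domain_matches_subdomains the parents are
    looked up bare ("example.xyz", "xyz"); otherwise with a leading dot
    (".example.xyz", ".xyz"). The exact domain is always tried first."""
    labels = domain.split(".")
    keys = [domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def hash_sender_lookup(sender, table, parent_matches_subdomains=False):
    """check_sender_access hash:/path emulation: full address, then the domain
    and its parents, then localpart@. Keys are case-insensitive."""
    sender = sender.lower()
    localpart, _, domain = sender.rpartition("@")
    keys = [sender] + domain_lookup_keys(domain, parent_matches_subdomains) + [localpart + "@"]
    for key in keys:
        if key in table:
            return table[key]
    return None


def world_writable(path):
    """True when 'others' may write the file (666, 777, ...). smtpd only reads
    access tables, so 644 is sufficient and the 666 from the thread is not."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo_permission_check():
    """Create a throwaway table file, set it to 666 and then 644, return both verdicts."""
    fd, path = tempfile.mkstemp(prefix="banned_tlds.")
    os.close(fd)
    try:
        os.chmod(path, 0o666)
        loose = world_writable(path)
        os.chmod(path, 0o644)
        tight = world_writable(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    sender = "bob@promo.example.xyz"
    print("pcre table:", pcre_sender_lookup(sender, BANNED_TLDS_PCRE))
    print("hash table, key 'xyz', parent matching on: ", hash_sender_lookup(sender, {"xyz": "REJECT"}, True))
    print("hash table, key 'xyz', parent matching off:", hash_sender_lookup(sender, {"xyz": "REJECT"}, False))
    print("hash table, key '.xyz', parent matching off:", hash_sender_lookup(sender, {".xyz": "REJECT"}, False))
    print("world-writable after 666, after 644:", demo_permission_check())
```

Whichever table type you use, test it with "postmap -q bob@promo.example.xyz pcre:/etc/postfix/banned_tlds" (or hash:) before trusting it on live mail, and keep a more specific OK entry (for example "example.xyz OK") above the TLD-wide rule for any legitimate correspondent on that gTLD; the emulation above shows that the exact domain is consulted before its parents.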


Re: Weak Ciphers

2015-11-08 Thread yahoogroups
http://disablessl3.com/

When I ran a series of email server checks, I was surprised that one claimed to 
disable ssl3 to avoid the poodle hack. Seems very unlikely to me. Anyway, the 
link above does suggest doing that.

  Original Message  
From: Alice Wonder
Sent: Sunday, November 8, 2015 1:23 PM
To: postfix-users@postfix.org
Subject: Re: Weak Ciphers

To be RFC compliant port 25 must accept MTA to MTA connections with no 
encryption.

When another server can't connect with encryption, it will try without.

Allowing weak ciphers is better than the result where ciphers are not 
used because the other server only supports older ciphers in my opinion.

Hopefully DANE will largely solve this, as we can instruct our mail 
servers when the other server has a TLSA record to only connect using a 
strong cipher and not connect at all otherwise.

I'm hoping eventually that becomes standard where every mail server MUST 
use TLSA records but I don't know if that will ever happen.

On 11/08/2015 04:52 AM, John Allen wrote:
> I ran the ssl-tools tests on my mail server.
> Everything seems to be OK, *BUT* it reports that i am using a weak
> cipher "ECDHE_RSA_WITH_RC4_128_SHA"!
>
> So I sat down and googled - postfix/dovecot/apache - ciphers
> suites/recommendations less than one year old.
> I gave up at about the fifteenth response. Everyone of them was
> different and gave me lists of cipher ranging in length from about eight
> to almost a full web page.
>
> Would somebody point me in the right direction. I am trying to make my
> installation secure, but manageable.
>
>


Re: OpenDKIM

2015-11-07 Thread yahoogroups
Note that Domain Keys is not the same as DKIM. DKIM supersedes Domain Keys.

http://support2.constantcontact.com/articles/FAQ/2213

I'm no guru on this, so correct away if I'm wrong.

I can pass DKIM, but not Domain Keys. I don't know if it is possible to pass 
both tests in one implementation, though Constant Contact claims they can. 

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Steve Jenkins
Sent: Saturday, November 7, 2015 6:11 AM
To: John Allen
Cc: postfix-users@postfix.org
Subject: Re: OpenDKIM

On Saturday, November 7, 2015, John Allen wrote:
> Interesting!
> I tried a couple of DKIM test sites, one says I am signing my emails, the other 
> says I am not!!
> Mailradar says I am not signing!
> DKIMValidator says I am!

My favorite "test site" for SPF, DKIM, DMARC configuration and validation is 
sending to a Gmail account and then viewing the raw message headers.


-- 
Steve Jenkins
st...@stevejenkins.com