Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Viktor Dukhovni
> On Jan 16, 2019, at 3:24 PM, Stefan Bauer  wrote:
> 
> "Some sites may blacklist you when you are probing them too often (a probe is 
> an SMTP session that does not deliver mail), or when you are probing them too 
> often for a non-existent address. This is one reason why you should use 
> sender address verification sparingly, if at all, when your site receives 
> lots of email."
> 
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#limitations
> 
> As our user may do mailings from time to time, I do not want to get a bad 
> reputation by probing Microsoft, Yahoo, whatever too often. :) For the remote site, 
> I see no difference between sender and recipient verification. In both cases, 
> I'm doing a 'half delivery' of a mail.

But there is a big difference.  With sender verification complete
strangers can get your MTA to probe address validity at sites you
never send email to.

With recipient verification, you're at most doubling the number of
RCPT TO commands sent to a site, because you'd otherwise just send
the message, perhaps repeatedly, if it enters your queue and then
soft-fails on each delivery attempt before ultimately bouncing.

If you have bulk senders, you could opt them out of recipient
verification, and perhaps also TLS enforcement.

-- 
Viktor.
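Viktor's point above, that recipient verification is safe when only your own submission clients can trigger it and that bulk senders can be opted out, as a Postfix main.cf/master.cf fragment. This is an added illustration, not configuration from the thread or from Postfix itself; the parameter name submission_rcpt_restrictions, the table /etc/postfix/bulk_senders and the login name in it are assumptions.

```text
# main.cf (added example)
# Cache probe results so a destination is asked about a given address at most
# once per expiry window, not on every submission.
address_verify_map = btree:$data_directory/verify_cache
address_verify_positive_expire_time = 31d
address_verify_negative_expire_time = 3d
# Reply 550 when the probe came back undeliverable; a probe that could not
# complete still gets the default 450 from unverified_recipient_defer_code.
unverified_recipient_reject_code = 550

# Restriction list used only by the submission service.  check_sasl_access
# (Postfix 2.11+) looks up the SASL login name; a "permit" result lets a
# bulk-sender account skip the probe entirely.
submission_rcpt_restrictions =
    check_sasl_access hash:/etc/postfix/bulk_senders,
    reject_unverified_recipient

# master.cf: port 25 keeps its normal restrictions and never probes.  The
# submission service rejects unauthenticated clients in the relay list first,
# so only authenticated users ever reach reject_unverified_recipient.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$submission_rcpt_restrictions

# /etc/postfix/bulk_senders (run postmap on it after editing);
# the key is whatever your SASL backend reports as the login name.
newsletter@example.com    permit
```

Probes go through the same smtp(8) client and the same TLS policy as real mail, so a destination that fails the STARTTLS handshake produces a transient "unknown" verify result and a 450 at submission time, not a permanent reject; only a 5.X.X probe result yields the 550. Because the service logs as postfix/submission, the "Recipient address rejected: unverified address" lines it emits are easy to count per login, which is the log monitoring Viktor suggests.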



Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Stefan Bauer
"Some sites may blacklist you when you are probing them too often (a probe
is an SMTP session that does not deliver mail), or when you are probing
them too often for a non-existent address. This is one reason why you
should use sender address verification sparingly, if at all, when your site
receives lots of email."

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#limitations

As our user may do mailings from time to time, I do not want to get a bad
reputation by probing Microsoft, Yahoo, whatever too often. :) For the remote
site, I see no difference between sender and recipient verification. In
both cases, I'm doing a 'half delivery' of a mail.


On Wednesday, 16 January 2019, Viktor Dukhovni <
postfix-us...@dukhovni.org> wrote:
>> On Jan 16, 2019, at 9:56 AM, Wietse Venema  wrote:
>>
>>> reject_unverified_recipient is no option as remote sites don't like
>>> probing/verify requests. After rechecking, I had a typo in my regex.
>>
>> reject_unverified RECIPIENT, not reject_unverified_SENDER
>
> Specifically, because it would be used on the submission port or
> only for clients in trusted networks, it would not be open to abuse
> by random strangers.  The same users allowed to send email to the
> remote site, are the ones who would initially trigger a verification
> probe occasionally as part of submitting an outbound message.
>
> It is fairly safe, and should not raise any issue with remote
> receiving systems.  You can monitor your logs for signs of
> misuse by trusted clients.
>
> --
> Viktor.
>
>


Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Viktor Dukhovni
> On Jan 16, 2019, at 9:56 AM, Wietse Venema  wrote:
> 
>> reject_unverified_recipient is no option as remote sites don't like
>> probing/verify requests. After rechecking, I had a typo in my regex.
> 
> reject_unverified RECIPIENT, not reject_unverified_SENDER

Specifically, because it would be used on the submission port or
only for clients in trusted networks, it would not be open to abuse
by random strangers.  The same users allowed to send email to the
remote site, are the ones who would initially trigger a verification
probe occasionally as part of submitting an outbound message.

It is fairly safe, and should not raise any issue with remote
receiving systems.  You can monitor your logs for signs of
misuse by trusted clients.

-- 
Viktor.



Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Wietse Venema
Stefan Bauer:
> reject_unverified_recipient is no option as remote sites don't like
> probing/verify requests. After rechecking, I had a typo in my regex.

reject_unverified RECIPIENT, not reject_unverified_SENDER

Wietse

> Damn! It was working as documented. Sorry.
> 
> 
> > On Wed, 16 Jan 2019 at 13:17, Wietse Venema <
> > wie...@porcupine.org> wrote:
> 
> > Stefan Bauer:
> > > Hi,
> > >
> > > how can the following error be detected and an instant bounce/reject
> > > be sent to the sender?
> > >
> > > -- 880 Kbytes in 3 Requests.
> > > root@mx1:~# mailq
> > > -Queue ID-  --Size-- Arrival Time -Sender/Recipient---
> > > A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
> > >  (Cannot start TLS: handshake
> > > failure)
> >
> > http://www.postfix.org/postconf.5.html#reject_unverified_recipient.
> >
> > > Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to
> > recipient.tld[ip]:25:
> > > -1
> > > Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
> > > error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> > > small:../ssl/statem/statem_clnt.c:1472:
> > > Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=,
> > > relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0,
> > dsn=4.7.5,
> > > status=deferred (Cannot start TLS: handshake failure)
> > >
> > > smtp_delivery_status_filter does not seem to have any effect.
> >
> > Then you made a mistake. Which mistake? Insufficient data.
> >
> > Wietse
> >


Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Stefan Bauer
reject_unverified_recipient is no option as remote sites don't like
probing/verify requests. After rechecking, I had a typo in my regex.

Damn! It was working as documented. Sorry.


On Wed, 16 Jan 2019 at 13:17, Wietse Venema <
wie...@porcupine.org> wrote:

> Stefan Bauer:
> > Hi,
> >
> > how can the following error be detected and an instant bounce/reject
> > be sent to the sender?
> >
> > -- 880 Kbytes in 3 Requests.
> > root@mx1:~# mailq
> > -Queue ID-  --Size-- Arrival Time -Sender/Recipient---
> > A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
> >  (Cannot start TLS: handshake
> > failure)
>
> http://www.postfix.org/postconf.5.html#reject_unverified_recipient.
>
> > Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to
> recipient.tld[ip]:25:
> > -1
> > Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
> > error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> > small:../ssl/statem/statem_clnt.c:1472:
> > Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=,
> > relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0,
> dsn=4.7.5,
> > status=deferred (Cannot start TLS: handshake failure)
> >
> > smtp_delivery_status_filter does not seem to have any effect.
>
> Then you made a mistake. Which mistake? Insufficient data.
>
> Wietse
>


Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Wietse Venema
Stefan Bauer:
> Hi,
> 
> how can the following error be detected and an instant bounce/reject
> be sent to the sender?
> 
> -- 880 Kbytes in 3 Requests.
> root@mx1:~# mailq
> -Queue ID-  --Size-- Arrival Time -Sender/Recipient---
> A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
>  (Cannot start TLS: handshake
> failure)

http://www.postfix.org/postconf.5.html#reject_unverified_recipient.

> Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25:
> -1
> Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> small:../ssl/statem/statem_clnt.c:1472:
> Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=,
> relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5,
> status=deferred (Cannot start TLS: handshake failure)
> 
> smtp_delivery_status_filter does not seem to have any effect.

Then you made a mistake. Which mistake? Insufficient data.

Wietse


detecting TLS issues in delivery - Cannot start TLS: handshake failure

2019-01-16 Thread Stefan Bauer
Hi,

how can the following error be detected and an instant bounce/reject
be sent to the sender?

-- 880 Kbytes in 3 Requests.
root@mx1:~# mailq
-Queue ID-  --Size-- Arrival Time -Sender/Recipient---
A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
 (Cannot start TLS: handshake
failure)
 recipient@recipient

Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25:
-1
Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
small:../ssl/statem/statem_clnt.c:1472:
Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=,
relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5,
status=deferred (Cannot start TLS: handshake failure)

smtp_delivery_status_filter does not seem to have any effect.

thank you.

Stefan
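The question above asks for two things: spotting these handshake failures in the log, and turning the transient 4.7.5 deferral into an immediate bounce. Stefan later confirms that smtp_delivery_status_filter does the second once the regex is right. The script below is an added example, not code from the thread or from Postfix: apply_dsn_filter() mimics the lookup Postfix performs on the "<enhanced-code> <text>" key against a pcre: table so a rule can be checked before deployment, and find_tls_failures() scans postfix/smtp log lines for "Cannot start TLS" deferrals and pairs each with the TLS library warning logged by the same process. The map path /etc/postfix/smtp_dsn_filter and every host, address and queue id in the sample log are assumptions.

```python
import re

# Added example, not Postfix code and not from the thread.
# Hypothetical contents of pcre:/etc/postfix/smtp_dsn_filter (path assumed).
# Postfix pcre tables interpolate $1, $2, ... from the matched pattern into
# the result text, so "5$1" turns "4.7.5 Cannot start TLS: handshake failure"
# into "5.7.5 Cannot start TLS: handshake failure" and the message bounces
# instead of sitting in the deferred queue until maximal_queue_lifetime.
PCRE_FILTER_RULES = [
    (r"^4(\.7\.5 Cannot start TLS: handshake failure)", "5$1"),
]


def apply_dsn_filter(dsn_key, rules=PCRE_FILTER_RULES):
    """Return the rewritten "code text" key from the first matching rule,
    or the key unchanged when no rule matches (Postfix then keeps it)."""
    for pattern, result in rules:
        m = re.search(pattern, dsn_key)
        if m:
            # translate pcre-table "$1" into Python's "\1" before expanding
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", result))
    return dsn_key


def is_permanent(dsn_key):
    """True when the enhanced status is in the 5.X.X (bounce) class."""
    return dsn_key.startswith("5.")


# One delivery record per line, as logged by the smtp(8) client.
DELIVERY_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ smtp\[(?P<pid>\d+)\]: "
    r"(?P<qid>[0-9A-Za-z]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), "
    r".*dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<text>.*)\)$"
)
# The OpenSSL reason logged just before the delivery record.
TLS_WARNING_RE = re.compile(
    r"smtp\[(?P<pid>\d+)\]: warning: TLS library problem: (?P<detail>.*)$"
)


def find_tls_failures(log_text):
    """Return one dict per delivery deferred because STARTTLS failed: queue id,
    relay, DSN, the library error (if any) and whether the rule above would
    have turned that deferral into a bounce."""
    last_warning = {}          # smtp pid -> most recent TLS library warning
    failures = []
    for line in log_text.splitlines():
        w = TLS_WARNING_RE.search(line)
        if w:
            last_warning[w.group("pid")] = w.group("detail")
            continue
        d = DELIVERY_RE.match(line)
        if not d or not d.group("text").startswith("Cannot start TLS"):
            continue
        key = d.group("dsn") + " " + d.group("text")
        failures.append({
            "qid": d.group("qid"),
            "relay": d.group("relay"),
            "dsn": d.group("dsn"),
            "text": d.group("text"),
            "library_error": last_warning.pop(d.group("pid"), None),
            "bounces_after_filter": is_permanent(apply_dsn_filter(key)),
        })
    return failures


# Constructed sample in the shape of the thread's log excerpt; host names,
# addresses and the second (successful) delivery are made up.
SAMPLE_LOG = """\
Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to mx.example.net[192.0.2.25]:25: -1
Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:1472:
Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Jan 15 14:23:05 mx1 smtp[5986]: B11122233C: to=<other@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=2.1, delays=0.5/0/1.2/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

if __name__ == "__main__":
    for f in find_tls_failures(SAMPLE_LOG):
        print(f"{f['qid']} -> {f['relay']}: {f['dsn']} {f['text']}")
        print(f"  library error: {f['library_error']}")
        print(f"  bounces once the filter is in place: {f['bounces_after_filter']}")
```

To wire the rule into Postfix, put the pattern line into the pcre file and set `smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter` in main.cf; `postmap -q "4.7.5 Cannot start TLS: handshake failure" pcre:/etc/postfix/smtp_dsn_filter` shows what the real table returns for the key. The filter only acts when the smtp(8) client reports a delivery attempt, so mail already sitting in the deferred queue bounces on its next attempt (or after `postqueue -f`). Keep the pattern as specific as this one: a looser match such as `^4(\.7\.\d+ .*)` would turn every transient TLS problem, including a remote server's momentary outage, into a bounce. The library warning is the useful part of the bounce text here, since "dh key too small" is a defect on the receiving server that only its postmaster can fix.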