Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 08:29 PM, Wietse Venema wrote: Robert Moskowitz: With the "-nodes" option in most cases: $ tmp=$(mktemp smtpd.pem.XX) && openssl req -new \ -newkey rsa:1280 -nodes -keyout /dev/stdout \ -x509 -days $((365 * 10)) -subj "/CN=$(uname -

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
Oh, and thank you for answering my questions, helping me work through understanding this small portion of the problem space, and adding the lessons I am taking away from the exchanges to the documentation. On 12/20/2012 10:30 AM, Viktor Dukhovni wrote: On Thu, Dec 20, 2012 at 10:02:19AM -0500,

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 10:30 AM, Viktor Dukhovni wrote: On Thu, Dec 20, 2012 at 10:02:19AM -0500, Wietse Venema wrote: Viktor Dukhovni: People who want a more compact recipe for a self-signed cert on a single SMTP server can use my "one-liner" (for machines whose hostname is an FQDN): ... With the "

Re: generating the TLS cert

2012-12-20 Thread Wietse Venema
Robert Moskowitz: > > With the "-nodes" option in most cases: > > > > $ tmp=$(mktemp smtpd.pem.XX) && > > openssl req -new \ > > -newkey rsa:1280 -nodes -keyout /dev/stdout \ > > -x509 -days $((365 * 10)) -subj "/CN=$(uname -n)" >> "$tmp" && > >

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 10:02 AM, Wietse Venema wrote: Viktor Dukhovni: People who want a more compact recipe for a self-signed cert on a single SMTP server can use my "one-liner" (for machines whose hostname is an FQDN): ... With the "-nodes" option in most cases: $ tmp=$(mktemp smtpd.pem.XX

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 09:32 AM, Viktor Dukhovni wrote: On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote: People who want a more compact recipe for a self-signed cert on a single SMTP server can use my "one-liner" (for machines whose hostname is an FQDN): $ tmp=$(mktemp smtpd.pem.X

What am I missing

2012-12-20 Thread John Allen
I am doing the admin work for a small group, about 30 people. While this setup works I have the feeling that I am missing something in the Submission stanza of master.cf which might leave me vulnerable. Another thing I am wondering about is the order of the various tests in the smtpd_*_ restrict

Re: body_check and content filtering

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 08:52:05PM +, Jim Nalepa - US wrote: > Would like to know if there is a way of modifying the ACTION in body_checks > > Currently have in main.cf > body_checks = regexp:/etc/postfix/body_checks Postfix does not support the BCC action via header_checks/body_

body_check and content filtering

2012-12-20 Thread Jim Nalepa - US
Would like to know if there is a way of modifying the ACTION in body_checks Currently have in main.cf body_checks = regexp:/etc/postfix/body_checks Currently have in /etc/postfix/body_checks /oranges/ REDIRECT secur...@example.com

Re: generating the TLS cert

2012-12-20 Thread John Hinton
On 12/20/2012 10:30 AM, Viktor Dukhovni wrote: We could follow the herd and recommend 2048 bits, since SMTP servers rarely do enough RSA-ops for RSA performance to be a bottleneck. On the other hand, for people wielding self-signed certs almost certainly 1024 is plenty strong at 2^80, and 1280

Re: Reg. Postfix bounce email

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 10:58:01PM +0530, Sreenivas Reddy T wrote: > I have set up the postfix server for catch-all email address. > Whenever an email arrives, my script (Command Based Filter) will do headers > parsing and store it in the database, But whenever some error occurs in > the s

Re: delivering mail to separate users

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 01:39:07PM -0500, Simon Brereton wrote: > >> > To check that the result of the expansion of the user via > >> > $virtual_alias_maps. > >> > >> Here I ran into problems. > >> mail:/etc/postfix# postmap -fq newu...@example.org $maps > >> postmap: fatal: usage

Re: delivering mail to separate users

2012-12-20 Thread Simon Brereton
On 20 December 2012 12:44, Viktor Dukhovni wrote: > On Thu, Dec 20, 2012 at 12:25:03PM -0500, Simon Brereton wrote: > >> >> I did postmap the virtual_alias_maps. Is there something else I should >> >> do? >> > >> > No, but you've likely misconfigured other elements of the system. >> >> I think

Re: delivering mail to separate users

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 12:25:03PM -0500, Simon Brereton wrote: > >> I did postmap the virtual_alias_maps. Is there something else I should > >> do? > > > > No, but you've likely misconfigured other elements of the system. > > I think this is ok. Output is: > mail:/etc/postfix# postconf -h vi

Re: delivering mail to separate users

2012-12-20 Thread Simon Brereton
On 20 December 2012 08:07, Viktor Dukhovni wrote: > On Thu, Dec 20, 2012 at 12:24:30AM -0500, Simon Brereton wrote: > >> >> newu...@example.org direc...@example.org, newu...@example.org >> >> >> >> But it occurs to me that this will create a loop - no? >> > >> > No, there is no loop, virtual ali

Re: Most users local, some users (same domain) rerouted via transport

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 04:05:26PM +0100, Ignacio Vazquez wrote: > 2012/12/20 Viktor Dukhovni : > > > Instead of resolving an unmodified rfc822 address to a different > > transport:nexthop, rewrite the rfc822 address (via virtual_alias_maps) > > to a domain which is routed (via MX records or per-n

Re: generating the TLS cert

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 10:02:19AM -0500, Wietse Venema wrote: > Viktor Dukhovni: > > > People who want a more compact recipe for a self-signed cert on > > > a single SMTP server can use my "one-liner" (for machines whose > > > hostname is an FQDN): > ... > > With the "-nodes" option in most cases

Re: Most users local, some users (same domain) rerouted via transport

2012-12-20 Thread Ignacio Vazquez
Thank you for your interest, Viktor. 2012/12/20 Viktor Dukhovni : > Instead of resolving an unmodified rfc822 address to a different > transport:nexthop, rewrite the rfc822 address (via virtual_alias_maps) > to a domain which is routed (via MX records or per-nexthop transport > table entries) to t

Re: generating the TLS cert

2012-12-20 Thread Wietse Venema
Viktor Dukhovni: > > People who want a more compact recipe for a self-signed cert on > > a single SMTP server can use my "one-liner" (for machines whose > > hostname is an FQDN): ... > With the "-nodes" option in most cases: > > $ tmp=$(mktemp smtpd.pem.XX) && > openssl req -new \

Re: generating the TLS cert

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 02:15:35PM +, Viktor Dukhovni wrote: > People who want a more compact recipe for a self-signed cert on > a single SMTP server can use my "one-liner" (for machines whose > hostname is an FQDN): > > $ tmp=$(mktemp smtpd.pem.XX) && > openssl req -new \ >

Re: How to modify the subject line of bounce messages?

2012-12-20 Thread Wietse Venema
Wietse Venema: > > I use gmail and I'm getting really annoyed with these messages being > > grouped into one thread because of the generic "Undelivered Mail Returned > > to Sender" subject.. > > 1) The people who provide Gmail should be clever enough to extract > the original subject from the retu

Re: generating the TLS cert

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 08:40:42AM -0500, Robert Moskowitz wrote: > That is the only place in the documentation where I have found > openssl command examples. Are there other place(s) that I have > missed? What would you like to see in the documentation? Instructions for creating a self-signed s

Re: How to modify the subject line of bounce messages?

2012-12-20 Thread Wietse Venema
Paul: > Hi, > > I've seen the tutorials on how to create your own bounce templates and that > any option/variable from the main.cf can be put in there... but what I'd > like to have, is the subject line contain a date/timestamp of the failure > as well as the failed email address... Are there vari

How to modify the subject line of bounce messages?

2012-12-20 Thread Paul
Hi, I've seen the tutorials on how to create your own bounce templates and that any option/variable from the main.cf can be put in there... but what I'd like to have, is the subject line contain a date/timestamp of the failure as well as the failed email address... Are there variables I can put in

Re: Most users local, some users (same domain) rerouted via transport

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 01:57:43PM +0100, Ignacio Vazquez wrote: > I have a mailhost with most of the domain users delivered locally and > some users (same domain) residing in other machines. Instead of resolving an unmodified rfc822 address to a different transport:nexthop, rewrite the rfc822 ad

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/20/2012 08:08 AM, /dev/rob0 wrote: BTW Reply-To: is set, and the offlist Cc: is not necessary. On Wed, Dec 19, 2012 at 07:40:10PM -0500, Robert Moskowitz wrote: On 12/19/2012 06:31 PM, /dev/rob0 wrote: On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote: I am looking at a

Re: generating the TLS cert

2012-12-20 Thread /dev/rob0
BTW Reply-To: is set, and the offlist Cc: is not necessary. On Wed, Dec 19, 2012 at 07:40:10PM -0500, Robert Moskowitz wrote: > On 12/19/2012 06:31 PM, /dev/rob0 wrote: > >On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote: > >>I am looking at a number of tutorials for setup. > >This

Re: delivering mail to separate users

2012-12-20 Thread Viktor Dukhovni
On Thu, Dec 20, 2012 at 12:24:30AM -0500, Simon Brereton wrote: > >> newu...@example.org direc...@example.org, newu...@example.org > >> > >> But it occurs to me that this will create a loop - no? > > > > No, there is no loop, virtual alias expansion eliminates exactly > > this kind of loop and d

Most users local, some users (same domain) rerouted via transport

2012-12-20 Thread Ignacio Vazquez
I have a mailhost with most of the domain users delivered locally and some users (same domain) residing in other machines. The relevant configuration: mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain local_recipient_maps = proxy:unix:passwd.byname, $alias_maps, ldap:/etc/postf

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/19/2012 11:58 PM, John Hinton wrote: On 12/19/2012 6:40 PM, Reindl Harald wrote: [root@buildserver:~]$ cat /buildserver/ssl-cert/openssl.conf.template [ req ] prompt = yes default_bits= 1024 I have heard some reports that browsers such as Chro

Re: generating the TLS cert

2012-12-20 Thread Robert Moskowitz
On 12/19/2012 06:31 PM, /dev/rob0 wrote: On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote: I am looking at a number of tutorials for setup. This is a formula for failure. :) Stick to the documentation. http://www.postfix.org/documentation.html I asked some questions over on

Re: generating the TLS cert

2012-12-20 Thread Jerry
On Wed, 19 Dec 2012 23:58:49 -0500 John Hinton articulated: > I have heard some reports that browsers such as Chrome and MSIE balk > at 1024 bit certs and that one should use 2048. I wonder if this is > now a good idea when generating mailserver certs as well? Try to be > more future proof? Or am