> Perhaps. This would be a reason to use the actual reply TTL,
> and to use postscreen_dnsbl_ttl as an upper bound.
Just so I'm sure I understand, then, is the following correct?
postscreen_dnsbl_ttl is the minimum period of time during which
the result of a DNS lookup will be treated as
Rich Wales:
> > That is not entirely correct - different tests have different
> > expiration times. postscreen_cache_retention_time says what
> > happens with an IP address after *all* its tests expire.
>
> So, then, if I want to be able to respond more quickly to changes in an
> SMTP client's DNS
> That is not entirely correct - different tests have different
> expiration times. postscreen_cache_retention_time says what
> happens with an IP address after *all* its tests expire.
So, then, if I want to be able to respond more quickly to changes in an
SMTP client's DNSBL status, should I be
On Thu, May 28, 2015 at 10:42:09AM -0700, Rich Wales wrote:
> [...]
> I think what might be happening in some cases is that a new spam site
> sends me something (which I accept because the site is new and hasn't
> made it onto any DNSBLs yet) -- and soon thereafter, that site gets
> picked up by Sp
On Thu, May 28, 2015 at 04:43:50PM -0400, Wietse Venema wrote:
>
> The format is not documented because it is Postfix internal and
> subject to change without warning. The table is locked for exclusive
> access; if you try to read the table anyway, then you may read
> garbage. The only exception
Bryan K. Walton:
> Hi,
>
> Is there a way to extract the information stored in the postscreen_cache
> that postscreen uses for its temporary whitelist? We'd like to
> be able to see what domains/IPs are whitelisted at a given time.
The format is not documented because it is Postfix internal and
Rich Wales:
> I'm running Postfix 2.11.0 on Ubuntu 14.04.2 LTS.
>
> I wonder whether the default value for postscreen_cache_retention_time
> (7 days) may be too high for my situation.
Making the table smaller has a negligible impact on access speed.
Garbage collection will take longer, but that i
Hi,
Is there a way to extract the information stored in the postscreen_cache that
postscreen uses for its temporary whitelist? We'd like to be able to see what
domains/IPs are whitelisted at a given time.
Thanks,
Bryan
I'm running Postfix 2.11.0 on Ubuntu 14.04.2 LTS.
I wonder whether the default value for postscreen_cache_retention_time
(7 days) may be too high for my situation.
I get a lot of spam despite using postscreen, and when I manually look
up the IP addresses of some of the sites that send me spam, I
On Thu, May 28, 2015 at 02:09:37PM +0200, DTNX Postmaster wrote:
> > I would love to see postfix smtp client reject connections to my weak
> > Server.
> >
> > And *that* is the point...
>
> Also, remember that SMTP is based on opportunistic encryption, triggered
> by the presence of 'STARTTLS'
On 28 May 2015, at 12:16, A. Schulze wrote:
>> There are several problems with your configuration. Please refer to the
>> mailinglist archive for how to configure Postfix to deal with Logjam.
>> It has been discussed extensively in this thread;
>>
>> http://marc.info/?t=14323933481&r=1&w=2
>
On Thu, May 28, 2015 at 12:21:42PM +0200, A. Schulze wrote:
> >When the server is authenticated, it is not going to send weak DH
> >keys with strong ciphers.
>
> why?
Authenticated servers don't go out of their way to present artificially
weak keys. If they really want to disclose the session co
Viktor Dukhovni:
Indeed, because such a policy would properly be an OpenSSL feature,
not a Postfix feature. However, the whole attack is largely
irrelevant for SMTP. Unless you're authenticating the server (DANE
or Web PKI) you're subject to MiTM attacks with or without logjam.
correct.
W
DTNX Postmaster:
There are several problems with your configuration. Please refer to the
mailinglist archive for how to configure Postfix to deal with Logjam.
It has been discussed extensively in this thread;
http://marc.info/?t=14323933481&r=1&w=2
I read this as "how do I provide strong
On Thu, May 28, 2015 at 11:38:35AM +0200, A. Schulze wrote:
> The crypto weakness of the month is named "logjam".
> If you could connect to https://dhe512.zmap.io your SSL-Client / Browser
> supports weak crypto.
> What does that mean for postfix?
Postfix SMTP servers should disable "export" ciphe
On 28 May 2015, at 11:38, A. Schulze wrote:
> the crypto weakness of the month is named "logjam".
> If you could connect to https://dhe512.zmap.io your SSL-Client / Browser
> supports weak crypto.
> What does that mean for postfix?
>
> We set up a postfix smtp server with
>
>smtpd_tls_dh1024
Hello,
the crypto weakness of the month is named "logjam".
If you could connect to https://dhe512.zmap.io your SSL-Client /
Browser supports weak crypto.
What does that mean for postfix?
We set up a postfix smtp server with
smtpd_tls_dh1024_param_file = /path/to/dh_512.pem
smtpd_tls_e