cisco pix TLS is required, but was not offere STARTTLS issue

2018-11-26 Thread Stefan Bauer
Dear Users, we are trying to deliver mail to remote party with enforced encryption. 63FFB80805: TLS is required, but was not offered by host mx0.esb.de [194.77.230.138] But looks like, remote device is announcing TLS and can handle it: # telnet mx0.esb.de 25 Trying 194.77.230.138... Connected to m

Re: cisco pix TLS is required, but was not offered STARTTLS issue

2018-11-26 Thread Claus Assmann
On Mon, Nov 26, 2018, Stefan Bauer wrote: > ehlo test > 250-mx0.esb.de > 250-8BITMIME > 250-SIZE 52428800 > 250 STARTTLS > But the minus "-" is missing in STARTTLS correct? No: it's the last line, hence no "-". > Is there a known workaround available? Looks like it should work... seems you hav

Re: cisco pix TLS is required, but was not offere STARTTLS issue

2018-11-26 Thread Miwa Susumu
Hi. On Mon, Nov 26, 2018 at 17:43, Stefan Bauer wrote: > # telnet mx0.esb.de 25 > Trying 194.77.230.138... > Connected to mx0.esb.de. > Escape character is '^]'. > 220 > ehlo test > 250-mx0.esb.de > 250-8BITMIME > 250-SIZE 52428800 > 250 STARTTLS > starttls > 220 Go ahead with TLS > > But the mi

Re: cisco pix TLS is required, but was not offere STARTTLS issue

2018-11-26 Thread Patrick Ben Koetter
* Stefan Bauer : > Dear Users, > > we are trying to deliver mail to remote party with enforced encryption. > > 63FFB80805: TLS is required, but was not offered by host mx0.esb.de > [194.77.230.138] > > But looks like, remote device is announcing TLS and can handle it: > > # telnet mx0.esb.de 25 >

Re: cisco pix TLS is required, but was not offere STARTTLS issue

2018-11-26 Thread Stefan Bauer
Hi, log shows: enabling PIX workarounds: disable_esmtp delay_dotcrlf for mx0.esb.de But the specific workaround 'disable_esmtp' looks to be the reason for downgrading to plain smtp and disallowing any STARTTLS, right? On Mon, 26 Nov 2018 at 10:20, Patrick Ben Koetter wrote: > * Ste

Re: cisco pix TLS is required, but was not offere STARTTLS issue

2018-11-26 Thread Stefan Bauer
Yes and confirmed. Thank you. Setting smtp_pix_workarounds = delay_dotcrlf (so that default setting disable_esmtp has no effect) delivers mail correctly with STARTTLS. 95EB580805: enabling PIX workarounds: delay_dotcrlf for mx1.esb.de [194.77.230.139]:25 Untrusted TLS connection established to mx

Re: cisco pix TLS is required, but was not offere STARTTLS issue

2018-11-26 Thread Wietse Venema
Patrick Ben Koetter: > Something - quite likely a Cisco ASA/PIX - manipulates the SMTP server banner > and the STARTTLS capability announcement. This is what it should look like: > > 220 mail.sys4.de ESMTP Submission That's what I thought, too, but RFC 1651 (SMTP Service Extensions) disagrees. T

DKIM on submission

2018-11-26 Thread Alice Wonder
Hello, currently I enable OpenDKIM via main.cf : # OpenDKIM smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept Since that server is both MX and Submission for the mailbox domain I am tempted to instead define those parameters

Postfix 3.3.2, 3.2.7, 3.1.10, 3.0.14

2018-11-26 Thread Wietse Venema
[An on-line version of this announcement will be available at http://www.postfix.org/announcements/postfix-3.3.2.html] Changes for all supported stable releases: * Support for OpenSSL 1.1.1, and support for TLSv1.3-specific features. - Updated Postfix TLS documentation examples for T

Re: DKIM on submission

2018-11-26 Thread Viktor Dukhovni
> On Nov 26, 2018, at 8:44 AM, Alice Wonder wrote: > > I realize it would mean mail sent by the host itself via sendmail command is > not DKIM signed but I'm not really worried about that. > > It appears that when e-mail is sent from a user to a mail list that is set up > in a way to break DKI

Re: DKIM on submission

2018-11-26 Thread Alice Wonder
On 11/26/2018 07:46 AM, Viktor Dukhovni wrote: On Nov 26, 2018, at 8:44 AM, Alice Wonder wrote: I realize it would mean mail sent by the host itself via sendmail command is not DKIM signed but I'm not really worried about that. It appears that when e-mail is sent from a user to a mail list th

Re: DKIM on submission

2018-11-26 Thread Scott Kitterman
On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote: > On 11/26/2018 07:46 AM, Viktor Dukhovni wrote: > >> On Nov 26, 2018, at 8:44 AM, Alice Wonder wrote: > >> > >> I realize it would mean mail sent by the host itself via sendmail command > >> is not DKIM signed but I'm not really worrie

Re: DKIM on submission

2018-11-26 Thread Alice Wonder
On 11/26/2018 08:40 AM, Scott Kitterman wrote: On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote: On 11/26/2018 07:46 AM, Viktor Dukhovni wrote: On Nov 26, 2018, at 8:44 AM, Alice Wonder wrote: I realize it would mean mail sent by the host itself via sendmail command is not DKIM sig

Is this behavior an open relay or not ?

2018-11-26 Thread Roberto Carna
Hi people, suppose my domain is "company.com". My email users are as this: u...@company.com Is it normal that I can send a mail from rob...@company.com to rob...@company.com, from a public IP not belonging to my company? In my case, I am at home and I execute: $ telnet smtp.company.com 25 ehlo com

Re: Is this behavior an open relay or not ?

2018-11-26 Thread Noel Jones
On 11/26/2018 1:34 PM, Roberto Carna wrote: > Hi people, suppose my domain is "company.com". > > My email users are as this: u...@company.com > > Is it normal that I can send a mail from rob...@company.com > to rob...@company

"Unsupported Berkeley DB version" coming up again on Mac

2018-11-26 Thread Robert Chalmers
I’m on a Mac.. cc -I. -I../../include -DHAS_MYSQL -I/usr/local/include/mysql -I/usr/local/include -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" -D

hostnames in postscreen_access_list

2018-11-26 Thread John Fawcett
Hi I was recently trying to whitelist a client hostname that frequently changes ip. From the documentation check_client_access restriction for use with smtpd allows to specify access table lookups which contains hostnames. postscreen_access_list does not seem to allow hostnames in lookup tables

Re: Is this behavior an open relay or not ?

2018-11-26 Thread Roberto Carna
Dear Noel, thanks for your help. In the case of rejecting incoming mail from my own domain, do I have to use just SPF? Or is it possible to use an ACL defined in main.cf ? Thanks again, good bye !!! On Mon, 26 Nov 2018 at 16:47, Noel Jones () wrote: > On 11/26/2018 1:34 PM, Roberto Carn

Re: where is the fqdn coming from

2018-11-26 Thread Matt Zagrabelny
On Wed, Nov 21, 2018 at 5:42 PM Viktor Dukhovni wrote: > > On Nov 21, 2018, at 6:25 PM, Scott Kitterman > wrote: > > > >>> Where is the ".localdomain" coming from? > >> > >> It might be read from a file, or it might be set at compile time? The > >> person packaging Postfix for Debian should know

Re: Is this behavior an open relay or not ?

2018-11-26 Thread Noel Jones
On 11/26/2018 2:00 PM, Roberto Carna wrote: > Dear Noel, thanks for your help. > > In the case of rejecting incoming mail from my own domain, do I have > to use just SPF? Or is it possible to use an ACL defined in main.cf > ? > > Thanks again, good bye !!! Yes, you can find exam

Re: hostnames in postscreen_access_list

2018-11-26 Thread Noel Jones
On 11/26/2018 1:53 PM, John Fawcett wrote: > Hi > > I was recently trying to whitelist a client hostname that frequently > changes ip. > > From the documentation check_client_access restriction for use with > smtpd allows to specify access table lookups which contains hostnames. > > postscreen_a

Re: Is this behavior an open relay or not ?

2018-11-26 Thread Bill Cole
On 26 Nov 2018, at 17:08, Noel Jones wrote: On 11/26/2018 2:00 PM, Roberto Carna wrote: Dear Noel, thanks for your help. In the case of rejecting incoming mail from my own domain, do I have to use just SPF? Or is it possible to use an ACL defined in main.cf ? Thanks again, go

Re: hostnames in postscreen_access_list

2018-11-26 Thread Wietse Venema
John Fawcett: > Hi > > I was recently trying to whitelist a client hostname that frequently > changes ip. > > From the documentation check_client_access restriction for use with > smtpd allows to specify access table lookups which contains hostnames. > > postscreen_access_list does not seem to

Re: Is this behavior an open relay or not ?

2018-11-26 Thread Benny Pedersen
Roberto Carna wrote on 2018-11-26 20:34: and finally the message arrives to my Inbox. Because I suppose that the normal behavior is sending mail from local address just from an internal IP...not from external. it's not open relay if mail is delivered local it will be open relay if it's deliv

Re: Is this behavior an open relay or not ?

2018-11-26 Thread Benny Pedersen
Roberto Carna wrote on 2018-11-26 21:00: Dear Noel, thanks for your help. In the case of rejecting incoming mail from my own domain, do I have to use just SPF? Or is it possible to use an ACL defined in main.cf ? it's safe to reject rcpt to domains as senders on port 25, spf is just more

Re: where is the fqdn coming from

2018-11-26 Thread Viktor Dukhovni
> On Nov 26, 2018, at 3:37 PM, Matt Zagrabelny wrote: > > It feels unnecessarily nonintuitive to have Postfix "decide" to use a compiled > in domain when there exists a domain in the system. No, Postfix only uses the compiled-in domain when the system hostname is not fully qualified, and there's