Re: saslauthd problem

Hi there, remember having a similar issue with saslauthd and cut off user names. Postfix doc has the proper info http://www.postfix.org/SASL_README.html %u -     The name of the user whose properties are being selected. %r -     The name of the realm to which the user belongs. This could be

Re: DNSSEC, DANE, Postfix for new-to-it admins?

On 4/17/20 4:29 PM, Viktor Dukhovni wrote: > More at: all links appreciated. the summary's particularly nicely readable by those of among the minion masses of normal humans ;-) > Postfix documentation covers the client side still among the best, most-exhaustively detailed s/docs/reference

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 06:59:53PM -0400, Wietse Venema wrote: > Rich Felker: > > I can see where it could be desirable to log whether delivery was made > > based on a TLSA record in a signed domain vs an unsigned one, and this > > necessitates being able to see the AD bit or equivalent. But it

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 07:27:58PM -0400, Rich Felker wrote: > > No, I have not. Read my message again, then try: > > > > dig -t mx nist.gov > > dig -t tlsa [_25._tcp.]nist-gov.mail.protection.outlook.com > > Missing the _25._tcp. Yes. > but either way it seems to be a misconfigured

Re: DNSSEC, DANE, Postfix for new-to-it admins?

On Fri, Apr 17, 2020 at 03:59:49PM -0700, PGNet Dev wrote: > Real World DANE Inter-domain email transport > > https://static.ptbl.co/static/attachments/169319/1520904692.pdf More at: https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources Specific issues:

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 07:01:26PM -0400, Viktor Dukhovni wrote: > On Fri, Apr 17, 2020 at 06:52:48PM -0400, Rich Felker wrote: > > > > There are (unsigned) domains where any attempt to look up TLSA records > > > times out or otherwise fails. If DANE is to be downgrade-resistant, and > > > if

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

Viktor Dukhovni: > On Fri, Apr 17, 2020 at 06:46:27PM -0400, Wietse Venema wrote: > > > 1) Infrastructure mail server. DNS configuration is not supposed > > to change. People who care about TLSA/DANE will provision a secure > > and stable DNS resolver. > > > > 2) Personal laptop, roaming between

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 06:52:48PM -0400, Rich Felker wrote: > > There are (unsigned) domains where any attempt to look up TLSA records > > times out or otherwise fails. If DANE is to be downgrade-resistant, and > > if logging of DANE-verified connections is to mean anything in terms of > >

DNSSEC, DANE, Postfix for new-to-it admins?

all this back-n-forth on list re: DNSSEC/DANE has resulted in a flurry of interest among colleagues etc. and i've been getting emails. lots. for the what/why i've been tossing them Viktor's now just slightly dusty preso Real World DANE Inter-domain email transport

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

Rich Felker: > I can see where it could be desirable to log whether delivery was made > based on a TLSA record in a signed domain vs an unsigned one, and this > necessitates being able to see the AD bit or equivalent. But it does > not justify dropping all protections if you can't see it, just >

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 06:46:27PM -0400, Wietse Venema wrote: > 1) Infrastructure mail server. DNS configuration is not supposed > to change. People who care about TLSA/DANE will provision a secure > and stable DNS resolver. > > 2) Personal laptop, roaming between trusted and untrusted

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 06:27:27PM -0400, Viktor Dukhovni wrote: > On Fri, Apr 17, 2020 at 06:19:18PM -0400, Rich Felker wrote: > > > This reasoning is why I consider it harmful to limit use of DANE > > records to situations where the DNS lookup is "trusted" to have been > > validated -- it just

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

Viktor Dukhovni: > > On Apr 17, 2020, at 5:21 PM, Wietse Venema wrote: > > > > Possibly, but rest assured that all such features will remain disabled > > by default for at least one year after there is wide deployment of > > code that manages the new resolv.conf flag, and there is a documented

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 06:19:18PM -0400, Rich Felker wrote: > This reasoning is why I consider it harmful to limit use of DANE > records to situations where the DNS lookup is "trusted" to have been > validated -- it just encourages flipping a switch to "trust" servers > that shouldn't be

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 08:13:52PM +0200, Florian Weimer wrote: > * Wietse Venema: > > > Florian Weimer: > >> * Wietse Venema: > >> > >> > Vladimir Lomov: > >> >> I'm a bit bewildered. Does this mean that all is Ok with glibc 2.31 with > >> >> 'options trust-ad' and postfix 3.5.0 or it is depend

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

> On Apr 17, 2020, at 5:21 PM, Wietse Venema wrote: > > Possibly, but rest assured that all such features will remain disabled > by default for at least one year after there is wide deployment of > code that manages the new resolv.conf flag, and there is a documented > record of the new failure

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

Florian Weimer: > If the administrator has enabled DANE, you could check whether > RES_TRUSTAD is enabled, and if not, complain loudly that the > configured name servers are not marked as trusted (and may not even > support DNSSEC validation). This why we expose the RES_TRUSTAD flag > via

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 10:17:47PM +0200, Florian Weimer wrote: > > With the Glibc change as the first step, we have no choice but to > > restore the status quo ante. > > True, but there are different approaches. > > If the administrator has enabled DANE, you could check whether > RES_TRUSTAD

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

* Viktor Dukhovni: > The RFC requirement is more than optional, it is unrealistic. Doing > DNSSEC-validation in each application is not practical, there is no > broadly deployed (on all the BSDs, Linux, Solaris, ...) library that > does this, and each application would potentially need its own >

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

> On Apr 17, 2020, at 3:59 PM, Florian Weimer wrote: > > I don't think it's a gaping security hole. The scope of the flags > change in dns_query is really small, so it affects that one query > only. If some library used by Postfix depends on RES_TRUSTAD in its > intended meaning, it will not

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

* Wietse Venema: > Florian Weimer: >> > My patch does not make security any worse than it was prior to >> > GLIBC 2.31. This is all I can do for stable Postfix releases: >> > ensure that shit does not stop working after an OS update. >> > >> > Any 'improvements' in Postfix DNSSEC support will

saslauthd problem

Hi, I'm setting up a mail server with postfix and dovecot. For SMTP, I want to use saslauthd with a MySQL backend for which I installed the pam_mysql library, I'm trying to configure it but there's no luck. My table schema (users) has 3 columns: e-mail, password, quota My /etc/pam.d/smtp

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Fri, Apr 17, 2020 at 08:13:52PM +0200, Florian Weimer wrote: > > Correct. Until now, Postfix asserts RES_USE_DNSSEC to request > > validation in a resolver. > > RES_USE_DNSSEC is unfortunately misnamed. [...] Thanks, but neither Wietse nor I need a refresher on DNSSEC. > > The sysadmin has

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

Florian Weimer: > > My patch does not make security any worse than it was prior to > > GLIBC 2.31. This is all I can do for stable Postfix releases: > > ensure that shit does not stop working after an OS update. > > > > Any 'improvements' in Postfix DNSSEC support will have to be developed > > in

Re: postfix and bounced email (loops back to myself)

Viktor Dukhovni: > On Fri, Apr 17, 2020 at 02:28:10PM +0200, Vieri Di Paola wrote: > > > One of these mailbox servers has indeed the same "SMTP name" as one of > > the Postfix servers. In this case, I do get a message like this in the > > log: host XXX greeted me with my own hostname YYY > > > >

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

* Wietse Venema: > Florian Weimer: >> * Wietse Venema: >> >> > Vladimir Lomov: >> >> I'm a bit bewildered. Does this mean that all is Ok with glibc 2.31 with >> >> 'options trust-ad' and postfix 3.5.0 or it is depend strongly on used >> >> 'options'? >> > >> > This patch avoids the need to add

Re: postfix and bounced email (loops back to myself)

On Fri, Apr 17, 2020 at 02:28:10PM +0200, Vieri Di Paola wrote: > One of these mailbox servers has indeed the same "SMTP name" as one of > the Postfix servers. In this case, I do get a message like this in the > log: host XXX greeted me with my own hostname YYY > > However, it's only a WARNING,

Re: How to debug "smtp: bad command startup -- throttling" error?

> On Apr 15, 2020, at 9:39 PM, Viktor Dukhovni > wrote: > > On Wed, Apr 15, 2020 at 09:25:29PM -0400, Bobby Mozumder wrote: > >> My Postfix SMTP client, when it sends to my external relay server >> (connecting to port 587), does a core dump and outputs the following message: >> >> Apr 15

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra: > On Fri, 17 Apr 2020 15:21:49 +0200 Jan Ceuleers > wrote: > > > On 17/04/2020 15:08, Ranjan Maitra wrote: > > > Btw, for me, when ifconfig is DOWN, I do not get a down. > > > > ifconfig -a fixes that. > > > > Sorry, but not for me: > > When down: > > $ifconfig -a | egrep

Re: delaying postfix until/unless VPN is up/connected

On Fri, 17 Apr 2020 15:21:49 +0200 Jan Ceuleers wrote: > On 17/04/2020 15:08, Ranjan Maitra wrote: > > Btw, for me, when ifconfig is DOWN, I do not get a down. > > ifconfig -a fixes that. > Sorry, but not for me: When down: $ifconfig -a | egrep 'UP|DOWN' : error fetching interface

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

Scott Kitterman: > On Thursday, April 16, 2020 10:31:56 AM EDT Wietse Venema wrote: > > With the minnimal patch below, it looks like Postfix DANE support > > will continue to work after a breaking change in Glibc 2.31. Tested > > on Fedora 32 beta. > > > > This patch also deals with the 'multiple

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

On Thursday, April 16, 2020 10:31:56 AM EDT Wietse Venema wrote: > With the minnimal patch below, it looks like Postfix DANE support > will continue to work after a breaking change in Glibc 2.31. Tested > on Fedora 32 beta. > > This patch also deals with the 'multiple definition' errors caused >

Re: PATCH: Glibc-2.31 DNSSEC and GCC 10

@lbutlr: > On 16 Apr 2020, at 13:27, Wietse Venema wrote: > > Any 'improvements' in Postfix DNSSEC support will have to be developed > > in the Postfix 3.6 release cycle. The results from those = > 'improvements' > > will never be merged back into Postfix 3.5 and earlier. > > Is this planned for

Re: delaying postfix until/unless VPN is up/connected

On 17/04/2020 15:08, Ranjan Maitra wrote: > Btw, for me, when ifconfig is DOWN, I do not get a down. ifconfig -a fixes that.

Re: delaying postfix until/unless VPN is up/connected

On Fri, 17 Apr 2020 08:05:28 + Gregory Heytings wrote: > > Ranjan Maitra: > > > >> Wietse Venema: > >> > >> Corrected code follows (missing do/done). > >> > >> Save to file, chmod +x name-of-file, don't run this script from cron. > >> > >> It needs to be started at boot time, or before you

Re: postfix and bounced email (loops back to myself)

On Thu, Apr 16, 2020 at 7:07 PM Viktor Dukhovni wrote: > > > # postconf -Mf > > smtp unix - - n - - smtp > > relay unix - - n - - smtp > > Please add: > > smtpv unix - - n - - smtp -v >

Re: Outgoing DANE not working

* Rich Felker: > On Wed, Apr 15, 2020 at 08:27:08PM +0200, Florian Weimer wrote: >> >> I don't understand your PTR example. It seems such a fringe case that >> >> people produce larger PTR responses because they add all virtual hosts >> >> to the reverse DNS zone. Sure, it happens, but not

Re: dumbest questions about limit

>On Thu, 16 Apr 2020 at 15:40, natan maciej milaszewski wrote: >> Sorry about probably dumbest questions. What does it really mean? >> >> 552 5.3.4 Message size exceeds fixed limit >> >> Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: NOQUEUE: reject: MAIL from >>

Re: delaying postfix until/unless VPN is up/connected

Ranjan Maitra: Wietse Venema: Corrected code follows (missing do/done). Save to file, chmod +x name-of-file, don't run this script from cron. It needs to be started at boot time, or before you make a VPN connection. #!/bin/sh while : do ifconfig xxx | egrep 'UP|DOWN' sleep 2

Re: delaying postfix until/unless VPN is up/connected

On 17 Apr 2020, at 2:52, Ansgar Wiechers wrote: > On 2020-04-17 Bill Cole wrote: >> On 17 Apr 2020, at 0:57, Ranjan Maitra wrote: >>> On Mon, 23 Mar 2020 17:19:42 -0400 (EDT) Wietse Venema wrote: #!/bin/sh while : do ifconfig xxx | egrep 'UP|DOWN' sleep 2

Re: delaying postfix until/unless VPN is up/connected

On 2020-04-17 Bill Cole wrote: > On 17 Apr 2020, at 0:57, Ranjan Maitra wrote: > > On Mon, 23 Mar 2020 17:19:42 -0400 (EDT) Wietse Venema wrote: > > > #!/bin/sh > > > > > > while : > > > do > > > ifconfig xxx | egrep 'UP|DOWN' > > > sleep 2 > > > done | while read status > > > do > > >