TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread Alice Wonder
MODORSAAddTrustCA.crt \ COMODORSADomainValidationSecureServerCA.crt \ librelamp_com.crt > test.crt Now it verifies : openssl verify -purpose sslserver test.crt test.crt: OK -=-=- Am I not understanding something or is the documentation off? Thank you, Alice

Re: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread Alice Wonder
On 08/19/2015 03:09 AM, L.P.H. van Belle wrote: Hai, Try it like this, there is no need for combining the certificates. # TLS parameters smtp_tls_cert_file = /etc/ssl/certs/certificate.cer smtp_tls_key_file = /etc/ssl/private/certificate.key smtpd_tls_cert_file = /etc/ssl/certs/certificate.c

Re: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread Alice Wonder
On 08/19/2015 07:51 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 12:09:13PM +0200, L.P.H. van Belle wrote: Try it like this, there is no need for combining the certificates. Actually, there is. It avoids the need to worry about the CApath, which can then be left empty. if [ -d /etc

Re: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread Alice Wonder
On 08/19/2015 08:59 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 08:46:03AM -0700, Alice Wonder wrote: if [ -d /etc/ssl/private ]; then mkdir -p /etc/ssl/private chmod 710 /etc/ssl/private fi I ended up specifying smtpd_tls_CAfile which has both the intermediary certs

Re: TLS cert - bug in documentation or bug in my understanding ??

2015-08-19 Thread Alice Wonder
On 08/19/2015 10:08 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 09:57:37AM -0700, Alice Wonder wrote: smtpd_tls_exclude_ciphers = RC4, 3DES, IDEA I still have to go through. It is not (yet) a good idea to disable RC4 or 3DES on the server side. IDEA is essentially unused, so

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

2015-08-19 Thread Alice Wonder
On 08/19/2015 12:11 PM, Michael Grimm wrote: On 19.08.2015, at 20:21, Michael Grimm wrote: I will revert to OpenSSL my primary mx, first. Done. BTW: LibreSSL 2.2.2 broke unbound 1.5.4 as well. Already fixed in unbound upstream, they (unbound) were doing an improper version check if I re

Re: trying to figure out regex for custom_header checks

2015-08-19 Thread Alice Wonder
On 08/19/2015 01:14 PM, Ben Greenfield wrote: On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote: /^Received:\b.*\.eu\b REJECT Is that correct or could someone point out what I'm doing wrong. What you're doing wrong decidi

DANE, Certificate Authorities, Port 25 confusion

2015-08-21 Thread Alice Wonder
I received a rather weird e-mail, it seems to have been generated by an MTA because it was sent to the e-mail listed as the contact in my certificate, the e-mail listed in whois for my domain, and the postmaster e-mail. It claims: --- Only certificate usages DANE-TA(2) and DANE-EE(3) are supp

Re: DANE, Certificate Authorities, Port 25 confusion

2015-08-22 Thread Alice Wonder
ith signed certificates as long as hostname validation is all that is needed for the provided port and protocol. On 08/21/2015 10:41 PM, Alice Wonder wrote: I received a rather weird e-mail, it seems to have been generated by an MTA because it was sent to the e-mail listed as the contact in my certific

Re: DANE, Certificate Authorities, Port 25 confusion

2015-08-22 Thread Alice Wonder
On 08/22/2015 05:20 AM, Viktor Dukhovni wrote: --- The certificate is a 1 0 1 and not a 3 0 1 It seems to suggest that I change the TLSA record to 3 0 1 Or even better a "3 1 1". Why is hash of SubjectPublicKeyInfo preferred over hash of the actual certificate?

Re: DANE, Certificate Authorities, Port 25 confusion

2015-08-22 Thread Alice Wonder
On 08/22/2015 05:27 AM, Viktor Dukhovni wrote: On Sat, Aug 22, 2015 at 05:24:03AM -0700, Alice Wonder wrote: The certificate is a 1 0 1 and not a 3 0 1 It seems to suggest that I change the TLSA record to 3 0 1 Or even better a "3 1 1". Why is hash of SubjectPublicKeyInfo pref

Re: SSL_accept errors after recent upgrade to LibreSSL 2.2.2

2015-08-22 Thread Alice Wonder
On 08/22/2015 06:08 AM, Viktor Dukhovni wrote: On Wed, Aug 19, 2015 at 12:58:38PM -0700, Alice Wonder wrote: ``You also turn on thousands and thousands of lines of OpenSSL library code. Assuming that OpenSSL is written as carefully as Wietse's own code, every 1000 lines introduc

Re: Importance of keeping DANE TLSA records correct.

2015-08-22 Thread Alice Wonder
On 08/22/2015 06:23 AM, Viktor Dukhovni wrote: Until now, most DANE deployments have been on small hobbyist machines, by people who mostly don't correspond with each other. So if a particular domain's TLSA RRs were broken, nobody noticed. This is about to change. The German email providers we

Re: Importance of keeping DANE TLSA records correct.

2015-08-22 Thread Alice Wonder
On 08/22/2015 07:42 AM, Alice Wonder wrote: On 08/22/2015 06:23 AM, Viktor Dukhovni wrote: Until now, most DANE deployments have been on small hobbyist machines, by people who mostly don't correspond with each other. So if a particular domain's TLSA RRs were broken, nobody noticed

Re: Importance of keeping DANE TLSA records correct.

2015-08-22 Thread Alice Wonder
On 08/22/2015 08:30 AM, Viktor Dukhovni wrote: It is best to hold off on posting gut instinct reactions. Get acquainted with the problem, think about the issues for some weeks or months, come back later and share what you've learned. Quit being so damn arrogant. Seriously. Geez and I tho

Confusion about DANE

2015-08-26 Thread Alice Wonder
Ever since I got that automated e-mail telling me my 1 0 1 hash TLSA record was not usable, I have been confused, because that conformed to the DANE / TLSA RFC. I suggested that maybe SMTP servers, which are only doing hostname validation and can't be expected to CA validate, should treat a 1

Re: Confusion about DANE

2015-08-26 Thread Alice Wonder
hould accommodate valid TLSA records and treat a 1 x x as a 3 x x - in my not so humble opinion. That way servers that do want to care can still have the option to care. On 08/26/2015 07:32 PM, Alice Wonder wrote: Ever since I got that automated e-mail telling me my 1 0 1 hash TLSA record w

Re: Confusion about DANE

2015-08-26 Thread Alice Wonder
On 08/26/2015 09:03 PM, Viktor Dukhovni wrote: Postfix implements a PKIX-EE(1) to DANE-EE(3) mapping that is ad-hoc and not standardized by any IETF document. That mapping has been mostly harmless, but should perhaps be withdrawn in a future release. The mapping predates the finalization of

Re: Confusion about DANE

2015-08-27 Thread Alice Wonder
On 08/26/2015 09:52 PM, Viktor Dukhovni wrote: On Wed, Aug 26, 2015 at 09:43:39PM -0700, Alice Wonder wrote: Furthermore, support for 1->3 mappings might lead users to erroneously expect 0->2 mappings, but the latter are in fact problematic. So supporting neither of the potential ma

Re: Deliver mail from ssmtp without authenticating?

2015-09-01 Thread Alice Wonder
On 08/31/2015 06:04 PM, Grant wrote: Can I have ssmtp send mail from my laptop to my remote postfix mail server without authenticating if the mail is to be delivered to dovecot on the same server? Yes, if the ISP for the network you're connected to does not block port 25, and for some reason y

spf/dkim authentication-failure

2015-09-11 Thread Alice Wonder
I have started to get a lot of those when I send messages to some lists. I understand what is happening, dmarc identifies my domain as DKIM/SPF enabled but when sending a message to a list, both of those will fail. I don't think there is anything I can do about that in my dmarc configuration

Re: force to use SSL port for delivery

2015-09-13 Thread Alice Wonder
On 09/13/2015 06:07 PM, Ken Peng wrote: Hi, For security transfer, can I have the setup in Postfix to force peer MTA using SMTP/SSL port (465) for email delivery only? Thx. Port 465 is deprecated. It should not be used. 25 is what your server should use to accept mail from other MTAs. If y

Re: force to use SSL port for delivery

2015-09-13 Thread Alice Wonder
On 09/13/2015 06:34 PM, Ken Peng wrote: On 2015/9/14 Monday 9:23, Alice Wonder wrote: On 09/13/2015 06:07 PM, Ken Peng wrote: Hi, For security transfer, can I have the setup in Postfix to force peer MTA using SMTP/SSL port (465) for email delivery only? Thx. Port 465 is deprecated. It

Re: Weak Ciphers

2015-11-08 Thread Alice Wonder
To be RFC compliant port 25 must accept MTA to MTA connections with no encryption. When another server can't connect with encryption, it will try without. Allowing weak ciphers is better than the result where ciphers are not used because the other server only supports older ciphers in my opini

Re: TLSA and .mil dns servers

2015-11-10 Thread Alice Wonder
On 11/10/2015 04:30 AM, Phil Stracchino wrote: On 11/09/15 22:55, Viktor Dukhovni wrote: I would also like to encourage more of the administrators on this list to publish TLSA records, but keep in mind that this is an operational commitment, not a fashion statement. Once you publish TLSA reco

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Alice Wonder
On 12/12/2015 04:26 AM, Dirk Stöcker wrote: On Fri, 11 Dec 2015, Viktor Dukhovni wrote: Over the years there have from time to time been requests for server-side SNI support in Postfix, but most users have found workable alternatives, such as above. A key reason that SNI support is not there

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-13 Thread Alice Wonder
On 12/13/2015 11:55 AM, Dirk Stöcker wrote: On Sat, 12 Dec 2015, Viktor Dukhovni wrote: And SMTP has the big advantage, that you can define the name of the host in MX, so the name of the mail server can be independent from the domain of the email address. Simply wait a bit longer and maybe t

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Alice Wonder
On 12/15/2015 07:40 AM, Michael Storz wrote: Sorry for not writing it explicitly. In the case I described, you use the domain of the recipient address, because this is the only information you can trust (and this domain must be included in the SAN). Since you have more than one recipient doma

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Alice Wonder
On 12/15/2015 11:34 AM, Michael Ströder wrote: Yes. It's your choice. With DNSSEC I don't have a choice at all. It's a single root key controlled by the entity which was the cause for RFC 7258 (besides the horrible key management practice out in the wild). And frankly I don't trust anybody

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-16 Thread Alice Wonder
On 12/16/2015 02:03 AM, Michael Storz wrote: On 2015-12-15 20:36, Viktor Dukhovni wrote: On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote: So, we've managed to hold off on offering SNI support for a decade since TLS was integrated into Postfix 2.2. I just wanted to see whet

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-16 Thread Alice Wonder
On 12/16/2015 09:06 AM, Michael Storz wrote: On 2015-12-16 16:26, Alice Wonder wrote: But with port 25, certificate authorities do not matter, so an admin running the same smtp server on multiple hostnames can generate a new self-signed cert at no cost every time they add a domain that

Re: How to configure postfix so that mail are received using time from the server

2016-01-15 Thread Alice Wonder
On 01/15/2016 11:10 PM, Robert Schetterer wrote: On 16.01.2016 at 08:05, Eric Kom wrote: Good day folk, I ran Postfix with Dovecot as a mailbox for years now. I noticed that, when a sender sent mails, the mailbox received it using the date and time from the sender machine not a server one. Whic

Re: RHEL / CentOS 7 RPMs

2016-03-12 Thread Alice Wonder
On 03/12/2016 05:04 AM, Nikolaos Milas wrote: Hello, I would like to ask whether someone has worked on J. Mudd's RPMs (http://postfix.wl0.org/) to produce RHEL / CentOS 7 versions. https://librelamp.com/Mail I stick with 2.11.x and probably will as long as it is maintained, and I build again

Re: RHEL / CentOS 7 RPMs

2016-03-12 Thread Alice Wonder
On 03/12/2016 10:50 AM, Viktor Dukhovni wrote: On Sat, Mar 12, 2016 at 10:31:44AM -0800, Alice Wonder wrote: I stick with 2.11.x and probably will as long as it is maintained, and I build against LibreSSL which is controversial to some, and a devel branch of LibreSSL - but it works for me

Re: Is /usr/bin/mail a link to sendmail/postfix

2016-03-13 Thread Alice Wonder
On 03/12/2016 11:58 PM, rob...@chalmers.com.au wrote: Let me explain what's happening, or what happened. I rebuilt Postfix, to install in /user/local/etc/postfix and set the command to be in /user/local/sbin and so on, and it all works fine, as it should. The reason I moved it, is because each

Is this sane submission setup?

2016-04-29 Thread Alice Wonder
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_relay_restrictions=perm

Re: Is this sane submission setup?

2016-04-29 Thread Alice Wonder
On 04/29/2016 06:34 AM, Charles Marcus wrote: On 4/29/2016 3:02 AM, Alice Wonder wrote: submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o

Re: bad-bots: REJECT (no accept + bounce) vs DISCARD (accept + trash) ? (for the millionth time ...)

2016-05-01 Thread Alice Wonder
On 05/01/2016 07:20 AM, jaso...@mail-central.com wrote: I'm clear this has been asked a gazillion times; feels like I've now read half the posts. For incoming mail that matches with high-confidence a known bot/mass-mailer restriction, is it 'best' to DISCARD or REJECT? If the IP is on a

Re: bad-bots: REJECT (no accept + bounce) vs DISCARD (accept + trash) ? (for the millionth time ...)

2016-05-01 Thread Alice Wonder
On 05/01/2016 03:32 PM, Noel Jones wrote: have false positives. Reserve firewall blocks for persistent offenders since debugging a firewalled false positive is far more difficult. And when you firewall make it short-lived. IP addresses change, and long-lived firewall rules have unintended

Re: Mail is not being rejected with check_policy_server when SPF fails?

2016-05-11 Thread Alice Wonder
On 05/11/2016 03:51 PM, Noel Jones wrote: On 5/11/2016 5:18 PM, list...@tutanota.com wrote: I installed the policyd-spf milter with Postfix 3.1. It also has postscreen. I want to reject email that does not pass the SPF check. In the main.cf configuration I added smtpd_relay_restriction

Re: Blocking email from specific IPs

2016-05-14 Thread Alice Wonder
On 05/14/2016 10:37 AM, Noah wrote: Hi there, I am hoping to have a blacklist file that stops postfix from accepting email from specific IP or IP ranges. I followed this tutorial and it does not work. I still receive email from the IP addresses in the range: http://www.linuxlasse.net/linux/h

Re: Test DANE

2016-06-06 Thread Alice Wonder
On 06/06/2016 07:46 AM, Viktor Dukhovni wrote: On Mon, Jun 06, 2016 at 03:58:51PM +0200, Alexandre Ellert wrote: I've just enabled DANE and https://dane.sys4.de is green when I test my domain numeezy.com . Also postfix SMTP client says "Verified T

Re: (ot) beware libressl on Freebsd

2016-09-13 Thread Alice Wonder
On 09/12/2016 03:13 PM, li...@lazygranch.com wrote: Freebsd 10.3 I ran freebsd "pkg" and didn't see any of the mail suite or openssl in the list of files to update, so I figured it was safe to run. (I've been burnt by pkg messing up dovecot or postfix, so I always use the ports). Some progra

Re: TLD blocking revisited

2016-09-20 Thread Alice Wonder
On 09/19/2016 05:29 PM, li...@lazygranch.com wrote: The last time TLD blocking came up, the consensus of the hive was not to block based on TLD. (You may recall .xyz being used by Alphabet.) However lately I'm getting a ridiculous number of .stream SPAM coming through. The RBLs are getting abou

Re: WoSign/StartCom CA in the news

2016-09-29 Thread Alice Wonder
On 09/28/2016 01:25 AM, li...@lazygranch.com wrote: I don't want take this thread off course, but suggestions for low cost certs would be appreciated. I don't like how Let's Encrypt works, else that would be the obvious solution. Domain registration isn't free. Server time isn't free. Someth

Re: WoSign/StartCom CA in the news

2016-10-01 Thread Alice Wonder
On 09/30/2016 06:52 AM, John @ KLaM wrote: Yes, I understand DANE can be used for MTAs. My musing is could it completely replace the existing CA mess, and I suppose the follow up is how? I do not see it as a replacement for the CA mess but rather as a form of 2-factor authentication. There

Re: bits of encryption

2016-11-11 Thread Alice Wonder
On 11/11/2016 03:21 AM, li...@lazygranch.com wrote: So is this level of encryption something openssl sets up? That is where do I set the parameter? Original Message From: Sven Schwedas Sent: Friday, November 11, 2016 3:15 AM To: li...@lazygranch.com; postfix-users@postfix.org Subject: Re: bi

Re: bits of encryption

2016-11-11 Thread Alice Wonder
On 11/11/2016 11:00 AM, Alice Wonder wrote: On 11/11/2016 03:21 AM, li...@lazygranch.com wrote: So is this level of encryption something openssl sets up? That is where do I set the parameter? Original Message From: Sven Schwedas Sent: Friday, November 11, 2016 3:15 AM To: li

Re: bits of encryption

2016-11-13 Thread Alice Wonder
On 11/12/2016 10:55 PM, li...@lazygranch.com wrote: On Sun, 13 Nov 2016 01:43:17 -0500 "Bill Cole" wrote: If the NSA/GCHQ capturing all of your SMTP traffic and saving it for hypothetical future decryption is a realistic and significant scenario in your threat model, you should reconsider your

Re: Full encryption

2016-11-13 Thread Alice Wonder
On 11/13/2016 05:38 PM, @lbutlr wrote: While I know this would result in lost mail, would it be possible with postfix to setup a mail server that: 1) Only accepts encrypted connections 2) Only sends encrypted emails 3) Keeps mail encrypted throughout, including only writing encrypted blobs. I

Re: How to encrypt the mail content?

2016-11-18 Thread Alice Wonder
On 11/18/2016 08:14 PM, vod vos wrote: Yes, I had sent the messages to myself, so I found the problem. The header from yahoo mail server to my server shows: Message-ID: <1986254504.2695776.147946658...@mail.yahoo.com> Subject: linoookk MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 C

quick DANE question

2016-12-15 Thread Alice Wonder
When an SMTP server publishes a TLSA record, will DANE enforcing SMTP servers refuse to connect if the TLSA record matches the certificate but the certificate has expired?

Avoiding spam blacklists

2016-12-27 Thread Alice Wonder
Virtual machine for a web application, it is still in testing. reverse DNS is properly set up. Postfix only listens on the local host. Linux firewall drops anything not to port 80, 443, or a custom high number port I use for SSH. This postfix is not an open relay, or a relay for anything on th

Re: Avoiding spam blacklists

2016-12-28 Thread Alice Wonder
On 12/28/2016 12:28 AM, John Fawcett wrote: On 12/28/2016 08:32 AM, Alice Wonder wrote: Virtual machine for a web application, it is still in testing. reverse DNS is properly set up. Postfix only listens on the local host. Linux firewall drops anything not to port 80, 443, or a custom high

Re: Avoiding spam blacklists

2016-12-28 Thread Alice Wonder
's ip (which will be static), not yours. On 28 December 2016 at 07:32, Alice Wonder wrote: Virtual machine for a web application, it is still in testing. reverse DNS is properly set up. Postfix only listens on the local host. Linux firewall drops anything not to port 80, 443, or a custom high n

Re: how to check what cipher was used to connect

2017-01-13 Thread Alice Wonder
On 01/13/2017 06:30 AM, Bastian Blank wrote: On Thu, Jan 12, 2017 at 09:00:20PM +, Dominic Raferd wrote: Just for amusement (it's been a long day) I had a look at the selected encryption for incoming mails on one of our servers over the last few months. One cipher and one protocol predominat

DKIM on submission

2018-11-26 Thread Alice Wonder
Hello, currently I enable OpenDKIM vi main.cf : # OpenDKIM smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept Since that server is both MX and Submission for the mailbox domain I am tempted to instead define those parameters

Re: DKIM on submission

2018-11-26 Thread Alice Wonder
On 11/26/2018 07:46 AM, Viktor Dukhovni wrote: On Nov 26, 2018, at 8:44 AM, Alice Wonder wrote: I realize it would mean mail sent by the host itself via sendmail command is not DKIM signed but I'm not really worried about that. It appears that when e-mail is sent from a user to a mail

Re: DKIM on submission

2018-11-26 Thread Alice Wonder
On 11/26/2018 08:40 AM, Scott Kitterman wrote: On Monday, November 26, 2018 08:24:29 AM Alice Wonder wrote: On 11/26/2018 07:46 AM, Viktor Dukhovni wrote: On Nov 26, 2018, at 8:44 AM, Alice Wonder wrote: I realize it would mean mail sent by the host itself via sendmail command is not DKIM

Re: Compiler error on 3.3.2. Mac Mojave (3.3.2)

2018-11-27 Thread Alice Wonder
On 11/27/2018 10:47 AM, Viktor Dukhovni wrote: On Nov 27, 2018, at 10:33 AM, Robert Chalmers wrote: set -- '-DUSE_TLS -I/usr/local/Cellar/openssl/1.0.2p/include' set -- "$@" '-I/usr/local/opt/icu4c/include' set -- "$@" '-DHAS_MYSQL -I/usr/local/include/mysql' set -- '-DHAS_PCRE -I/usr/local/inc

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
When troubleshooting on systems with SELinux I put it in permissive mode - setenforce 0 Personally I prefer to disable it, it gets in the way too often and so far has never prevented an actual attack on any of my systems, and just when I start to figure things out - they change how it works o

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH ssl_prefer_server_ciphers = yes That is small list but works with all the IMAP clients I have to support (and I think the !cipher that I have are not actually needed) On 12/10/18 4:02 AM, Marco Fioretti wrote: Hello Alice, see answers in line Il

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:46 AM, Marco Fioretti wrote: Hello Viktor, and all. This is only a partial answer to Viktor's last email: On Mon 10 Dec 2018 at 13:56 Viktor Dukhovni wrote: -r. 1 root root 3546 Dec 7 11:59 fullchain1.pem -rw-r--r--. 1 root root 1704 Dec 7 11:5

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 12:25 PM, Viktor Dukhovni wrote: On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote: ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH ssl_prefer_server_ciphers = yes The cipherlist syntax is wrong

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 5:19 PM, Alice Wonder wrote: On 12/10/18 12:25 PM, Viktor Dukhovni wrote: On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote: ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:11 PM, Viktor Dukhovni wrote: On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote: Even in this thread someone pointed out that Debian defaults to 1024-bit RSA. You end up with things like SHA1 still enabled because upstream thought the compatibility mattered more than the security

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:58 PM, Alice Wonder wrote: It is the responsibility of the client to not send if the connection is not secure, if the client wants to guarantee security for those it sends for. Using a reduced cipher list means there is less illusion of security where it doesn't act

Re: Google blocking...again...

2019-02-01 Thread Alice Wonder
Google doesn't have to justify themselves to anyone, the luxury of monopoly, they can even cold shoulder their own customers. Unfortunate reality is changing IP may be the only solution. I was on a google blacklist and couldn't get off because unlike other services, they wanted me to log in into a

Re: SMTP_HELO_NAME can cause Blacklist triggers

2019-02-07 Thread Alice Wonder
On 2/7/19 2:52 PM, Bill Cole wrote: *snip* But your core point is valid: mailing from an AWS instance (or from anywhere on an IP with a programmatically derived PTR) in general is going to work poorly. There is too little accountability for abuse from the AWS IP pool for it to merit a default

smtp tls policy map MX hostname matching?

2019-02-28 Thread Alice Wonder
Hello list, I gather from http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps that the match: directive really only has application to a policy of secure. If I read right, it applies to the certificate validation. I'm wondering if there is something similar but applies to MX hosts.

Re: Understanding the importance of submission

2019-03-20 Thread Alice Wonder
On 3/20/19 8:18 AM, Patrick Ben Koetter wrote: * Yassine Chaouche : Dear postfix, I don't seem to get the idea of submission, I know I must be wrong, b/c so many articles out there preach to use a different port for submission, but I Use submission on TCP/587 for MUA to MTA traffic. Use smtp

Re: Understanding the importance of submission

2019-03-21 Thread Alice Wonder
On 3/21/19 1:18 AM, Yassine Chaouche wrote: On 3/20/19 7:35 PM, Matus UHLAR - fantomas wrote: On 20.03.19 16:26, Yassine Chaouche wrote: Requiring authentication to relay on 25 will also get rid of spam. it will also get rid of incoming mail from other mail servers... Which we want anyway,

Re: pishing from ME

2019-03-23 Thread Alice Wonder
On 3/22/19 5:54 PM, Kevin A. McGrail wrote: On 3/22/2019 7:55 PM, Viktor Dukhovni wrote: No. The scareware alerts are generally completely fake. They are spammed indiscriminately to users the scammer knows nothing about. Viktor, that does not agree with my significant experience studying thi

Re: pishing from ME

2019-03-23 Thread Alice Wonder
On 3/23/19 4:53 PM, Peter wrote: On 24/03/19 05:49, Alice Wonder wrote: I have gotten them where they displayed throwaway passwords I used only once for one site (and thus I know that site doesn't hash passwords and never use it again) This is not necessarily true. A hashed password c

Re: SSL Certificates

2017-02-15 Thread Alice Wonder
On 02/14/2017 11:17 PM, Viktor Dukhovni wrote: On Feb 15, 2017, at 2:10 AM, Henry wrote: When I send a message to Gmail I am informed that it could not be authenticated and will probably end in the spam folder. This is largely misinformation. Sites that send bulk mail that might get classi

Re: SSL Certificates

2017-02-15 Thread Alice Wonder
On 02/15/2017 12:32 AM, Dominic Raferd wrote: On 15 February 2017 at 07:58, Richard James Salts wrote: On 15 February 2017 6:47:31 PM AEDT, Viktor Dukhovni wrote: Please do not encourage novice users to configure DMARC. This does much more harm than good. DMARC is legitimately for the f

Re: SSL Certificates

2017-02-15 Thread Alice Wonder
On 02/15/2017 01:27 AM, Henry wrote: On Wed, Feb 15, 2017 at 6:51 PM, Viktor Dukhovni wrote: On Feb 15, 2017, at 2:47 AM, Henry wrote: So you are saying there is no point in securing outbound email in postfix? I am saying SSL certificates on the sending side have nothing (good) to do with

Re: SSL Certificates

2017-02-15 Thread Alice Wonder
On 02/15/2017 02:22 AM, Dominic Raferd wrote: Thanks for your answer. There may be a problem between DMARC and mailing lists - I avoid p=reject or p=quarantine on domains I use for posting to mailing lists. SPF proves sender identity but final recipient MTA cannot rely on it if there are any

Quick DANE / self-signed question

2017-04-05 Thread Alice Wonder
I *think* the answer to this is that I am fine. Last year I only used CA issued certificates. This year, I am wanting to move to self-signed for SMTP and for infrastructure domains that are not intended for the public where DANE can validate. I am convinced DANE does a better job at validating

Re: Quick DANE / self-signed question

2017-04-05 Thread Alice Wonder
On 04/05/2017 07:33 PM, Alice Wonder wrote: I *think* the answer to this is that I am fine. Last year I only used CA issued certificates. This year, I am wanting to move to self-signed for SMTP and for infrastructure domains that are not intended for the public where DANE can validate. I am

Re: Quick DANE / self-signed question

2017-04-05 Thread Alice Wonder
Thank you! On 04/05/2017 08:28 PM, Viktor Dukhovni wrote: On Apr 5, 2017, at 10:33 PM, Alice Wonder wrote: I just updated one of my mail servers to self-signed. The signed certificate expires in few weeks so I can switch back if I did something wrong. https://ssl-tools.net/mailservers

Re: New EFF certbot plugin for Postfix

2018-06-26 Thread Alice Wonder
On 06/26/2018 12:03 AM, Viktor Dukhovni wrote: The EFF announced a certbot plugin for Postfix today, which is still in beta. A couple of things to keep in mind: * If you've already deployed DANE, this stands a good chance of breaking your DANE TLSA records. For the moment do not dep

A better way to do secure SMTP

2018-11-01 Thread Alice Wonder
invented. MTA-STS has the same flaw as opportunistic TLS. It uses an insecure channel to determine if it should use a secure channel. If Mallory can eavesdrop and MITM the message from Alice to Bob, then Mallory can likely alter the DNS responses and thwart MTA-STS either by saying the needed

Re: A better way to do secure SMTP

2018-11-01 Thread Alice Wonder
On 11/01/2018 01:00 PM, Viktor Dukhovni wrote: On Nov 1, 2018, at 3:48 PM, Alice Wonder wrote: Maybe better, I do not know. I do not know the right place to recommend this, I hope it is not too out of place here. Opportunistic TLS is a concept I do not like. DANE fixes the issues for system

Re: A better way to do secure SMTP

2018-11-01 Thread Alice Wonder
On 11/01/2018 01:35 PM, Viktor Dukhovni wrote: On Thu, Nov 01, 2018 at 01:15:04PM -0700, Alice Wonder wrote: My advice is to accept the current state as a transitional phase to potentially more secure email in a decade or so from now. Both opportunistic TLS and DANE secured TLS could

Re: A better way to do secure SMTP

2018-11-01 Thread Alice Wonder
On 11/01/2018 02:40 PM, Bill Cole wrote: On 1 Nov 2018, at 15:48, Alice Wonder wrote: Maybe better, I do not know. I do not know the right place to recommend this, I hope it is not too out of place here. This list reaches a minority of Postfix admins, who are a minority of mail system admins

Re: TLS X.509 certificate hygiene...

2018-11-05 Thread Alice Wonder
On 11/05/2018 06:58 PM, Viktor Dukhovni wrote: I've recently come across an interoperability problem between my DANE survey scan engine and some STARTTLS implementations on remote SMTP servers. The issue resulted from an upgrade of the TLS library (not OpenSSL, which does not seem to mind) on m