[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Ahem, .. i however have to add one more sentence.. Steffen Nurpmeso wrote in <20230324193739.s-qco%stef...@sdaoden.eu>: ... ||reading, programming, and nature impressions, four to five hours ||a day, all in all, for caring for the (other) animal friends ||alone, sorry. Please .. that

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso wrote in <20230324185751.jdgjq%stef...@sdaoden.eu>: |Bernardo Reino wrote in | <10n74127-037p-o42n-6617-3po1sq231...@oozx.bet>: ||On Fri, 24 Mar 2023, Steffen Nurpmeso wrote: ||> Bernardo Reino wrote in ||> <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>: ||>|On Thu, 23 Mar

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso wrote in <20230324175540.o_vn-%stef...@sdaoden.eu>: |Bernardo Reino wrote in | <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>: ||On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote: | ... ||> (That is pretty off-topic for postfix; except maybe for fun ||> posting

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-24 Thread Steffen Nurpmeso via Postfix-users
Bernardo Reino wrote in <79552717-5p3o-8q26-r963-124or6r66...@oozx.bet>: |On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote: ... |> (That is pretty off-topic for postfix; except maybe for fun |> posting my SMTP related firewall ... |> add_rule -p tcp --src

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-23 Thread Bernardo Reino via Postfix-users
On Thu, 23 Mar 2023, Steffen Nurpmeso via Postfix-users wrote: [...] (That is pretty off-topic for postfix; except maybe for fun posting my SMTP related firewall [...] add_rule -p tcp --src ${addr}${mask} \ --dport ${p_smtp} -m limit --limit 60/m -j

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-23 Thread Jaroslaw Rafa via Postfix-users
On 23.03.2023 at 19:08:53 Steffen Nurpmeso wrote: > You are unlocked again. (But as it periodically came back > every few minutes yesterday evening, it likely will now, too.) > > This cannot be if you do normal SMTP or HTTP, not from the > firewall side. These rules only lowers

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-23 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230322230223.ga17...@rafa.eu.org>: |On 22.03.2023 at 23:05:59 Steffen Nurpmeso via Postfix-users wrote: |> I have very strict firewall rules, and you have become blocked for |> last access + 84000 seconds. |> Should work again. | |I again got blocked... As I

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Jaroslaw Rafa via Postfix-users
On 22.03.2023 at 23:05:59 Steffen Nurpmeso via Postfix-users wrote: > I have very strict firewall rules, and you have become blocked for > last access + 84000 seconds. > Should work again. I again got blocked... As I wrote you off-list, I'm running now tcpdump with filter set to "host

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso wrote in <2023030559.mn7ux%stef...@sdaoden.eu>: |Jaroslaw Rafa wrote in | <20230322104345.ga10...@rafa.eu.org>: ||On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users wrote: ||> Luckily here a couple of shops remain, even for clothes and ||> electronics

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230322104345.ga10...@rafa.eu.org>: |On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users wrote: |> Luckily here a couple of shops remain, even for clothes and |> electronics (mostly household). It is much uglier a bit further |[...] | |I replied to

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Benny Pedersen via Postfix-users
Viktor Dukhovni via Postfix-users wrote on 2023-03-22 16:36: On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via Postfix-users wrote: >> mx ~ # posttls-finger sdaoden.eu >> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25 >> posttls-finger: < 220 sdaoden.eu ESMTP Postfix >

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 22, 2023 at 04:28:36PM +0100, Benny Pedersen via Postfix-users wrote: > >> mx ~ # posttls-finger sdaoden.eu > >> posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25 > >> posttls-finger: < 220 sdaoden.eu ESMTP Postfix > > > > I can't even get the connection. I can't even ping

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Varadi Gabor via Postfix-users
On 2023. 03. 22. at 16:18, Benny Pedersen via Postfix-users wrote: Jaroslaw Rafa via Postfix-users wrote on 2023-03-22 11:43: mx ~ # posttls-finger sdaoden.eu posttls-finger: Connected to sdaoden.eu[217.144.132.164]:25 posttls-finger: < 220 sdaoden.eu ESMTP Postfix posttls-finger: > EHLO

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Benny Pedersen via Postfix-users
Jaroslaw Rafa via Postfix-users wrote on 2023-03-22 16:22: On 22.03.2023 at 16:18:11 Benny Pedersen via Postfix-users wrote: >raj@rafa:~$ mailq >-Queue ID- --Size-- Arrival Time -Sender/Recipient--- >5508C41121 8652 Mon Mar 20 23:35:40 r...@rafa.eu.org >

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Jaroslaw Rafa via Postfix-users
On 22.03.2023 at 16:18:11 Benny Pedersen via Postfix-users wrote: > >raj@rafa:~$ mailq > >-Queue ID- --Size-- Arrival Time -Sender/Recipient--- > >5508C41121 8652 Mon Mar 20 23:35:40 r...@rafa.eu.org > > (connect to sdaoden.eu[217.144.132.164]:25: > >Connection

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Benny Pedersen via Postfix-users
Jaroslaw Rafa via Postfix-users wrote on 2023-03-22 11:43: On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users wrote: Luckily here a couple of shops remain, even for clothes and electronics (mostly household). It is much uglier a bit further [...] I replied to you off-list

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-22 Thread Jaroslaw Rafa via Postfix-users
On 20.03.2023 at 21:46:59 Steffen Nurpmeso via Postfix-users wrote: > Luckily here a couple of shops remain, even for clothes and > electronics (mostly household). It is much uglier a bit further [...] I replied to you off-list (as it's mostly off-topic with regard to Postfix), but the

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-20 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230318234124.ga32...@rafa.eu.org>: |On 18.03.2023 at 23:54:28 Steffen Nurpmeso via Postfix-users wrote: |> Eh, no. I do not do either. (Granted i use PayPal one, two times |> a month, but my bank account is not online-enabled.) |> I _never_ shopped online.

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 23:54:28 Steffen Nurpmeso via Postfix-users wrote: > Eh, no. I do not do either. (Granted i use PayPal one, two times > a month, but my bank account is not online-enabled.) > I _never_ shopped online. This destroys local pharmacies, shops, > small (hopefully) good jobs

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230318203334.ga31...@rafa.eu.org>: |On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users wrote: |> I still have no problems with |> |> smtpd_tls_mandatory_protocols = >=TLSv1.2 |> smtpd_tls_protocols = $smtpd_tls_mandatory_protocols |> # super

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users
On 19/03/23 07:44, Matus UHLAR - fantomas via Postfix-users wrote: I would generally allow the printer to use port 25. Port 25 is not a submission port and should not be used as such. Keep your submission separate from your MX traffic and you will avoid a whole heap of issues down the road.

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users
On 19/03/23 02:54, Gerd Hoerst via Postfix-users wrote: I setup my postfix for the clients to use only  protocols > TLSv1 with smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 A better way to do this is: smtpd_tls_protocols = >=TLSv1.1 smtpd_tls_protocols   =

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users
On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote: I still have no problems with smtpd_tls_mandatory_protocols = >=TLSv1.2 This is fine, so long as you don't have a user that can't support at least TLSv1.2 that needs to use submission. smtpd_tls_protocols =

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 21:08:17 Steffen Nurpmeso via Postfix-users wrote: > I still have no problems with > > smtpd_tls_mandatory_protocols = >=TLSv1.2 > smtpd_tls_protocols = $smtpd_tls_mandatory_protocols > # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection.. >

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Steffen Nurpmeso via Postfix-users
Jaroslaw Rafa wrote in <20230318191215.gb30...@rafa.eu.org>: |On 18.03.2023 at 14:54:15 Gerd Hoerst via Postfix-users wrote: |> I setup my postfix for the clients to use only protocols > TLSv1 with |> |> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 |> smtpd_tls_protocols

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Jaroslaw Rafa via Postfix-users
On 18.03.2023 at 14:54:15 Gerd Hoerst via Postfix-users wrote: > I setup my postfix for the clients to use only protocols > TLSv1 with > > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 > smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1 While the former makes some sense

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 18, 2023 at 07:32:18PM +0100, Gerd Hoerst via Postfix-users wrote: > I read a tutorial to harden postfix and there they threw out TLSv1 The tutorial is mostly misguided. Though in practice, TLS 1.0 is increasingly rare on the public Internet, so the damage from disabling it is fairly

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Matus UHLAR - fantomas via Postfix-users
Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1 in main.cf in main.cf put a # in this lines, so its default from postconf -d but unfortunately i have a sender (its a

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Benny Pedersen via Postfix-users
Gerd Hoerst via Postfix-users wrote on 2023-03-18 14:54: smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1 in main.cf in main.cf put a # in this lines, so its default from postconf -d but unfortunately i have a sender (its a

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Gerd Hoerst via Postfix-users
Hi ! I read a tutorial to harden postfix and there they threw out TLSv1 Ciao Gerd On 18.03.2023 at 16:07 Bill Cole via Postfix-users wrote: On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100) Gerd Hoerst via Postfix-users is rumored to have said: Hi ! I setup my postfix

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Wietse Venema via Postfix-users
If you must (not necessarily a good idea), your options are: - Multiple Postfix instances on different IP addresses. Each instance has its own main.cf and master.cf. - Single Postfix instance with different smtpd configurations in master.cf on different server IP addresses, using main.cf only for

[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Bill Cole via Postfix-users
On 2023-03-18 at 09:54:15 UTC-0400 (Sat, 18 Mar 2023 14:54:15 +0100) Gerd Hoerst via Postfix-users is rumored to have said: Hi ! I setup my postfix for the clients to use only  protocols > TLSv1 with smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 smtpd_tls_protocols   =