Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
Hello Viktor, and thanks for this: > The syntax is wrong, the "-o" is not followed by any valid main.cf parameter > override. The "flags=" parameter to pipe(8) is not a main.cf parameter. > > The solution is to remove the dangling "-o". I confirm that doing so removes the warning in postconf -n,

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
the 47.53.. address is only the current address of my home laptop. The server we are talking about is a VPS in a datacentre. And reverse lookup of the IPv4 and v6 addresses of that server already both return the domain name "example.com", which as I said is not exactly the same as the value of $myh

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
OK, let's wait for the PTR record. After all, one of the advantages of email is that it is not real time, right? One thing that is still not clear to me, however, is what I reported about the mismatch between example.com in the DNS records, and a.mx.example.com as value of $myhostname. Comments on that?

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Viktor Dukhovni
> On Dec 11, 2018, at 10:49 AM, Marco Fioretti wrote: > > procmail unix - n n - - pipe -o > flags=D user=myvmail_user argv=/usr/bin/procmail -t -m > USER=${recipient} EXTENSION=${extension} > /usr/local/etc/procmailrc.common The syntax is wrong, the "-o" is not f

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
Ok, I see no warnings in your postconf -Mf ??? It looks good to me. If that ip address you show is yours, then you will never have a valid PTR record on it, because it belongs to your ISP. host 47.53.159.60 60.159.53.47.in-addr.arpa domain name pointer net-47-53-159-60.cust.vodafonedsl.it

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
On Tue, 11 Dec 2018 at 17:03, Matus UHLAR - fantomas wrote: > the "flags" is supposed to be indented, since it is continuation of > "procmail" line: > > > procmail unix - n n - - pipe -o > flags=D user=myvmail_user argv=/usr/bin/procmail -t

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
OK, I removed that part of the procmail line, and restarted. Here is output of postconf -Mf and, respectively, postconf -n (just for my own knowledge: this has nothing to do with the ipv6 complaints from google, or has it?) Thanks, Marco ### smtp

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
Hi I misread the output of postconf above returns ~10 warnings all equal to " /etc/postfix/master.cf: unused parameter: flags=D" Remove the ‘flags=D’ and restart. Then do a postconf -MF again Remember, you have to restart postfix to load master, not just reload. Robert __ Robert Chal

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
I confess I do not know how to check that. The output of which command should I turn verbose? Thanks On Tue, 11 Dec 2018 at 16:57, Robert Chalmers wrote: > > > No no. That line is quite different. > > -D is not it. > Are you starting master with a -D maybe. > > Like /usr/sbin/mast

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Matus UHLAR - fantomas
On 11.12.18 16:49, Marco Fioretti wrote: there is no "-D" in master.cf, only "=D". In any case... I don't know what to answer. By this I mean that I put together this procmail line in master.cf: procmail unix - n n - - pipe -o flags=D user=myvmail_user argv=/usr

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
No no. That line is quite different. -D is not it. Are you starting master with a -D maybe. Like /usr/sbin/master -D type of thing? Turn on verbose output with a -v and see if you can catch it. - > On 11 Dec 2018, at 3:49 pm, Marco Fioretti wrote: > > Hello Robert, > there is no "

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
Hello Robert, there is no "-D" in master.cf, only "=D". In any case... I don't know what to answer. By this I mean that I put together this procmail line in master.cf: procmail unix - n n - - pipe -o flags=D user=myvmail_user argv=/usr/bin/procmail -t -m USER=${re

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
You may actually have a -D where you should have a -d > On 11 Dec 2018, at 14:57, Marco Fioretti wrote: > > here it is: > > postconf -Mf > smtp inet n - n - - smtpd > submission inet n - n - - smtpd >-o smtpd_enfor

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
So if you look carefully at master.cf, you will see that somewhere you have a stray “-D” attached to something. Do you use vi to edit? Open master.cf and use /-D That will search for it? Robert > On 11 Dec 2018, at 14:57, Marco Fioretti wrote: > > here it is: > > postconf -Mf > smtp

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
here it is: postconf -Mf smtp inet n - n - - smtpd submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject smt

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
Do a postconf -Mf to show your master.cf file configuration. > On 11 Dec 2018, at 14:47, Robert Chalmers wrote: > > Where/what is the -D in your master.cf file > > > > >> On 11 Dec 2018, at 14:35, Marco Fioretti > > wrote: >> >> /etc/postfix/master.

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
Where/what is the -D in your master.cf file > On 11 Dec 2018, at 14:35, Marco Fioretti wrote: > > /etc/postfix/master.cf: unused > parameter: flags=D" Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
Hello, all. I have added or edited as suggested in main.cf all the settings that Robert mentions in his reply below. Right now, "postfix check" only returns ~10 warnings all equal to " /etc/postfix/master.cf: unused parameter: flags=D" everything is working OK on the imap/dovecot side (except so

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Wietse Venema
Marco Fioretti: > : host > gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b] said: 550-5.7.1 > [] Our system has detected that this message does > 550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and > 550-5.7.1 authentication. Please review 550-5.7.1 >

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
oh, and run “postfix check” as the superuser. That will show up any obvious errors. > On 11 Dec 2018, at 10:35, Marco Fioretti wrote: > > hello all, > this is the same server, same situation for which I asked for help > yesterday. Right now, after trying to test and follow up the advice > r

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
that problem with Dovecot is solved. It was caused by missing (not sure why/how) the "include conf.d/*" line in dovecot.conf, so the ssl configuration simply was not loaded. Now with dovecot, if anybody is interested, I have this other question about how to configure permissions properly between do

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Robert Chalmers
Hi again. The following settings are from my server. They may not necessarily work with yours. # Smtpd means mails you receive from outside, smtp covers mails you send to other servers. The notification from Google is telling you that your Reverse DNS does not point to your server. Are y

Re: part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Benny Pedersen
Marco Fioretti wrote on 2018-12-11 11:35: IMAPS: not working yet because of SSL "no shared cipher". Details here: https://dovecot.org/pipermail/dovecot/2018-December/113862.html current SSL dovecot settings in conf.d/10-ssl.conf is missing in dovecot -n ask a centos maintainer for dovecot t

part 2 of: SSL not working after unwanted server migration

2018-12-11 Thread Marco Fioretti
hello all, this is the same server, same situation for which I asked for help yesterday. Right now, after trying to test and follow up the advice received, this is the status: IMAPS: not working yet because of SSL "no shared cipher". Details here: https://dovecot.org/pipermail/dovecot/2018-Decembe

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:58 PM, Alice Wonder wrote: It is the responsibility of the client to not send if the connection is not secure, if the client wants to guarantee security for those it sends for. Using a reduced cipher list means there is less illusion of security where it doesn't actually exist

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:11 PM, Viktor Dukhovni wrote: On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote: Even in this thread someone pointed out that Debian defaults to 1024-bit RSA. You end up with things like SHA1 still enabled because upstream thought the compatibility mattered more than the security.

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
> On Dec 10, 2018, at 8:19 PM, Alice Wonder wrote: > > Even in this thread someone pointed out that Debian defaults to 1024-bit RSA. > You end up with things like SHA1 still enabled because upstream thought the > compatibility mattered more than the security. > > So yes, I made a typo, and may

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 5:19 PM, Alice Wonder wrote: On 12/10/18 12:25 PM, Viktor Dukhovni wrote: On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote: ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH ssl_prefer_server_ci

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 12:25 PM, Viktor Dukhovni wrote: On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote: ssl_min_protocol = TLSv1.2 ssl_cipher_list = EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH ssl_prefer_server_ciphers = yes The cipherlist syntax is wrong,

Re: SSL not working after unwanted server migration

2018-12-10 Thread Andrey Repin
Greetings, Alice Wonder! > This is what I use in dovecot: > ssl_min_protocol = TLSv1.2 > ssl_cipher_list = > EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH > ssl_prefer_server_ciphers = yes Don't touch SSL cipherlist unless you 100% know what you are

Re: SSL not working after unwanted server migration

2018-12-10 Thread Robert Chalmers
Marco Post your logs showing the errors. __ Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers On 10 Dec 2018, at 8:25 pm, Viktor Dukhovni wrote: >> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote: >> >> ssl_min_protocol = TLSv1.2 >> ssl_cipher_li

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
> On Dec 10, 2018, at 7:22 AM, Alice Wonder wrote: > > ssl_min_protocol = TLSv1.2 > ssl_cipher_list = > EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4:!ADH:!LOW@STRENGTH > ssl_prefer_server_ciphers = yes The cipherlist syntax is wrong, you're missing a ":" between "!LOW"

RE: SSL not working after unwanted server migration

2018-12-10 Thread Fazzina, Angelo
revention Mass Mailing G Suite/Gmail ang...@uconn.edu University of Connecticut,  ITS, SSG, Server Systems 860-486-9075 -Original Message- From: owner-postfix-us...@postfix.org On Behalf Of Viktor Dukhovni Sent: Monday, December 10, 2018 10:01 AM To: Postfix users Subject: Re: SSL not

Re: SSL not working after unwanted server migration

2018-12-10 Thread Jim P.
On Mon, 2018-12-10 at 04:22 -0800, Alice Wonder wrote: > ssl_min_protocol = TLSv1.2 > ssl_cipher_list = > EECDH+CHACHA20:EECDH+AESGCM:EECDH+SHA384:EECDH+SHA256:EECDH:!3DES:!RC4 > :!ADH:!LOW@STRENGTH > ssl_prefer_server_ciphers = yes Don't forget about ssl_dh_parameters_length, its default on Deb

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
On 12/10/18 6:46 AM, Marco Fioretti wrote: Hello Viktor, and all. This is only a partial answer to Viktor's last email: On Mon, 10 Dec 2018 at 13:56, Viktor Dukhovni wrote: -r. 1 root root 3546 Dec 7 11:59 fullchain1.pem -rw-r--r--. 1 root root 1704 Dec 7 11:5

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
> On Dec 10, 2018, at 9:46 AM, Marco Fioretti wrote: > > This afternoon I have urgent family matters to attend, not sure if I > will able to test and report before tomorrow afternoon about all the > other advice I got so far. You can skip all the other advice. You need to post logs, specificall

Re: SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
Hello Viktor, and all. This is only a partial answer to Viktor's last email: On Mon, 10 Dec 2018 at 13:56, Viktor Dukhovni wrote: > > -r. 1 root root 3546 Dec 7 11:59 fullchain1.pem > > -rw-r--r--. 1 root root 1704 Dec 7 11:59 privkey1.pem > > This looks rather o

Re: SSL not working after unwanted server migration

2018-12-10 Thread Viktor Dukhovni
On Mon, Dec 10, 2018 at 01:02:25PM +0100, Marco Fioretti wrote: > I just changed my permission in the same way, except that the files > are in another folder (does it make any difference? It shouldn't > right?), i.e. the same where letsencrypt/certbot put them: > > -r. 1 root root 35

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
Sorry about the setenforce advice, I didn't see you already had that covered. The path for the certs should not matter as long as the files exist. One thing with dovecot - make sure the PEM file has the cert and the bundle in it. cat certificate.pem ca-bundle.pem > combined.pem Then set ss

Re: SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
Hello Alice, see answers in line On Mon, 10 Dec 2018 at 12:09, Alice Wonder wrote: > > When troubleshooting on systems with SELinux I put it in permissive mode - > setenforce 0 this is already the case on the new VPS (FWIW, I personally share your feelings about selinux in gener

Re: SSL not working after unwanted server migration

2018-12-10 Thread Robert Chalmers
Just looking at this again… Do you have in or remember to update…. (note the use of as a marker) dovecot/conf.d/10-ssl.conf ssl_cert = /fullchain.pem ssl_key = /privkey.pem and in postfix/main.cf #TLS parameters smtpd_use_tls=yes smtpd_tls_ciphers = medium smtpd_tls_security_level = may

Re: SSL not working after unwanted server migration

2018-12-10 Thread Alice Wonder
When troubleshooting on systems with SELinux I put it in permissive mode - setenforce 0 Personally I prefer to disable it, it gets in the way too often and so far has never prevented an actual attack on any of my systems, and just when I start to figure things out - they change how it works o

Re: SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
On Mon, 10 Dec 2018 at 09:14, Robert Chalmers wrote: > > Google is refusing access because your ipv6 PTR does not map to your domain. > It’s the common (now) google reverse lookup failing. > ... thanks for the reminder. I know, but had temporarily forgotten due to how that this

Re: SSL not working after unwanted server migration

2018-12-10 Thread Robert Chalmers
Google is refusing access because your ipv6 PTR does not map to your domain. It’s the common (now) google reverse lookup failing. - Robert Chalmers https://robert-chalmers.uk aut...@robert-chalmers.uk @R_A_Chalmers > On 10 Dec 2018, at 8:08 am, Marco Fioretti wrote: > > Greetings, > > I

SSL not working after unwanted server migration

2018-12-10 Thread Marco Fioretti
Greetings, I had my personal postfix/dovecot server, configured for some of my own domains, running without problems on a linux VPS. For reasons totally out of my control, I had to migrate everything to another VPS two days ago, without notice, (details at the bottom if anybody is interested...),