> On Dec 10, 2019, at 12:40 PM, Fred Morris wrote:
>
> "Am I secure?" That's a philosophical question. Will I have enough for
> retirement? Can I ever feel secure as long as there is a dolphin in danger on
> the planet? Or... there's no point in trying, because a meteoroid will wipe
> us all
There is a lot of flawed reasoning about security ...take for example:
On Mon, 9 Dec 2019, LuKreme wrote:
On Dec 9, 2019, at 12:58, Viktor Dukhovni wrote
[...]
unauthenticated loopback (and other "mynetworks")
traffic is normal.
The configuration as posted, and specifically the line I
On 09/12/2019 20:54, Viktor Dukhovni wrote:
On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
The configuration as posted, and specifically the line I quoted directly above
my comment, allowed unauthenticated traffic from anything on the LAN. This
means random printers, IOT devices, android
On 12/9/19 2:29 PM, @lbutlr wrote:
On 09 Dec 2019, at 13:54, Viktor Dukhovni wrote:
On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
The configuration as posted, and specifically the line I quoted directly above
my comment, allowed unauthenticated traffic from anything on the LAN. This
means
On 09 Dec 2019, at 13:54, Viktor Dukhovni wrote:
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>> The configuration as posted, and specifically the line I quoted directly
>> above my comment, allowed unauthenticated traffic from anything on the LAN.
>> This means random printers, IOT devices,
> On Dec 9, 2019, at 3:38 PM, LuKreme wrote:
>
> The configuration as posted, and specifically the line I quoted directly
> above my comment, allowed unauthenticated traffic from anything on the LAN.
> This means random printers, IOT devices, android phones, etc were allowed to
> send mail
On Dec 9, 2019, at 12:58, Viktor Dukhovni wrote
> Please don't impute false crises. There is no "security hole", though the
> configuration is a mess, unauthenticated loopback (and other "mynetworks")
> traffic is normal.
The configuration as posted, and specifically the line I quoted directly
On Mon, Dec 09, 2019 at 01:02:23PM +, Felix Rubio wrote:
> Thank you very much for your answer. I really appreciate the time you
> took to go through it. The reason for having the tls/auth parameters
> configured was, actually, a requirement I did not write (sorry for that,
> I wrote
On Mon, Dec 09, 2019 at 06:15:16AM -0700, @lbutlr wrote:
> > On 09 Dec 2019, at 00:17, Felix Rubio wrote:
> >
> > Allow unencrypted/unauthenticated users to submit mail from local
> > (127.0.0.x) connections
Whether or not one is willing (or needs) to allow unauthenticated connections
from
Yes, because those ranges belonged to virtual interfaces I previously
had on my machine. I removed that already. Thank you for the comment,
though!
On 2019-12-09 13:15, @lbutlr wrote:
On 09 Dec 2019, at 00:17, Felix Rubio wrote:
Allow unencrypted/unauthenticated users to submit mail from
> On 09 Dec 2019, at 00:17, Felix Rubio wrote:
>
> Allow unencrypted/unauthenticated users to submit mail from local
> (127.0.0.x) connections
There is no need for this, and it is dangerous. Just because a connection is
local doesn’t mean it is trustworthy.
>mynetworks =
Hi Viktor,
Thank you very much for your answer. I really appreciate the time you
took to go through it. The reason for having the tls/auth parameters
configured was, actually, a requirement I did not write (sorry for that,
I wrote the mail in a hurry :-/):
- Require encrypted and
On Mon, Dec 09, 2019 at 07:17:46AM +, Felix Rubio wrote:
> My requirements are:
> - Require encrypted and authenticated user to submit mail from non-local
> (other than 127.0.0.x) connections
> - Allow unencrypted/unauthenticated users to submit mail from local
> (127.0.0.x) connections
>
Hi all,
I have been running a postfix server for a while. Though I think I
have come up with a sensible configuration, I have not been able to check
if it is really sound. Can somebody give it a look, security-wise?
My requirements are:
- Require encrypted and authenticated user to submit
I know there is a postfix check that will do some basic checks of
permissions and directories, but is there a command that will check config
file syntax? For example, if an IP address is fat-fingered in the
mynetworks line, postfix will reload and run but gives Temporary lookup
failure errors in
Dave Jones:
I know there is a postfix check that will do some basic checks of
permissions and directories, but is there a command that will check config
file syntax? For example, if an IP address is fat-fingered in the
mynetworks line, postfix will reload and run but gives Temporary lookup
I have a working solution for a submission-only system I’m setting up. It
seems to be doing what I need.
There will be no local delivery. Even the cronjobs on this system will be sent
elsewhere.
The configuration is shown below. I’ve disabled several services; I think they
won’t be
you don't want reject_unknown_recipient_domain for submissions because
a MUA can't handle a 4xx reject and the same for
reject_unknown_sender_domain
smtpd_sender_restrictions is not needed at all if you enforce auth and
reject_authenticated_sender_login_mismatch
for a submission-only server
Greetings!
I have 3 servers connected via lan vpn.
SERVER-1 is a hosted VM in the cloud
EXTIF eth0 (198.51.100.1, 198.51.100.2, 10.0.1.1)
TUNIF tun1 (192.168.1.1)
SERVER-2 is my LAN's router/firewall
EXTIF eth0 (203.0.113.1)
TUNIF tun1 (192.168.1.2)
INTIF eth1 (10.0.2.1,
On 8/11/2014 11:04 AM, terrygalant.li...@fastest.cc wrote:
Greetings!
I have 3 servers connected via lan vpn.
SERVER-1 is a hosted VM in the cloud
EXTIF eth0 (198.51.100.1, 198.51.100.2, 10.0.1.1)
TUNIF tun1 (192.168.1.1)
SERVER-2 is my LAN's router/firewall
EXTIF eth0
Hi Noel
On Mon, Aug 11, 2014, at 09:11 AM, Noel Jones wrote:
proxy_interfaces should list any external IPs that *this* postfix is
connected to on the other side of a NAT. Any IPs that are not
local on this box that connect to postfix should be listed here.
By 'connect' you do mean 'responds
On 8/11/2014 11:19 AM, terrygalant.li...@fastest.cc wrote:
Hi Noel
On Mon, Aug 11, 2014, at 09:11 AM, Noel Jones wrote:
proxy_interfaces should list any external IPs that *this* postfix is
connected to on the other side of a NAT. Any IPs that are not
local on this box that connect to
Perfect, thanks!
On Mon, Aug 11, 2014, at 09:26 AM, Noel Jones wrote:
Yes, that sounds right.
On 05.11.2013 12:41, mark hardwick wrote:
For this I followed some short instructions for postfix + amavisd-new here :
http://blog.purrdeta.com/2012/06/guide-to-dkim-signing-with-amavisd-new-and-postfix/
This setup works only if the mail is delivered on the submission-port.
If you would
Hi All
I'm setting up a new email server and I'm fairly green so I just wanted someone
to confirm I'm not doing anything stupid.
First I've followed the instructions from Falco here:
http://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-debian-wheezy
On 11/5/2013 5:41 AM, mark hardwick wrote:
Hi All
I'm setting up a new email server and I'm fairly green so I just wanted
someone to confirm I'm not doing anything stupid.
First I've followed the instructions from Falco here:
On 2011-10-27 01:35, IT geek 31 wrote:
I guess what I'm after is a way to whitelist certain senders. ie. if
they're okay, then no further processing is needed - just deliver. Is
this possible? If so, presumably smtpd_sender_restrictions =
check_sender_access hash:/sender_access is the place
No, since that will only whitelist the sender part;
smtpd_recipient_restrictions may still reject the message or the
recipient(s).
Put the sender check in smtpd_recipient_restrictions instead.
So would this work:
smtpd_recipient_restrictions = permit_sasl_authenticated,
check_sender_access
So would this work:
smtpd_recipient_restrictions = permit_sasl_authenticated,
check_sender_access hash:/usr/pkg/etc/postfix/sender_access,
reject_unauth_destination, reject_unauth_pipelining, reject_rbl_client
zen.spamhaus.org, check_policy_service inet:127.0.0.1:10023, permit
As in the minute
On Thursday 27 October 2011 03:43:26 IT geek 31 wrote:
No, since that will only whitelist the sender part;
smtpd_recipient_restrictions may still reject the message or the
recipient(s).
Put the sender check in smtpd_recipient_restrictions instead.
So would this work:
Hi,
I'm trying to achieve the following:
Stop spammers (obviously)
Permit relaying when I'm outside the network (using SASL)
After reading through postconf, to prevent duplicate checks I removed
a number of checks from smtpd_sender_restrictions, so that it now
looks like this:
On Wednesday 26 October 2011 16:28:43 IT geek 31 wrote:
I'm trying to achieve the following:
Stop spammers (obviously)
Permit relaying when I'm outside the network (using SASL)
After reading through postconf, to prevent duplicate checks I
removed a number of checks from
Hi Rob
Thanks for your reply - that's certainly cleared a few things up!
check_recipient_access hash:/usr/pkg/etc/postfix/access,
access is a bad name for this. Since you're checking recipient
addresses, I would suggest a name of rcpt_access, or similar.
I've renamed this to sender_access
I couldn't find any 2.8.0-1 SRPMS.
take the latest srpm of your distribution's version
as base and remove patches from the SPEC-File
On 24.01.2011 10:01, Walter Pinto wrote:
I couldn't find any 2.8.0-1 SRPMS.
--
With best regards, Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO /
I used the following to build from source after backing up my config dir:
make makefiles \
CCARGS='-fPIC -DUSE_TLS -DUSE_SSL \
-DHAS_MYSQL -I/usr/include/mysql -DPREFIX=\/usr\ \
-DSNAPSHOT -I/usr/include/openssl \
-I/usr/include' \
AUXLIBS='-L/usr/lib64 -L/usr/lib/openssl -lssl -lcrypto \
-lz -lm
On Sun, Jan 23, 2011 at 06:56:09PM -0800, Walter Pinto wrote:
make makefiles \
CCARGS='-fPIC -DUSE_TLS -DUSE_SSL \
-DHAS_MYSQL -I/usr/include/mysql -DPREFIX=\/usr\ \
-DSNAPSHOT -I/usr/include/openssl \
-I/usr/include' \
AUXLIBS='-L/usr/lib64 -L/usr/lib/openssl -lssl -lcrypto \
-lz -lm
This is the config for my SMTP server, anything stand out?
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 5
disable_vrfy_command = yes
header_checks =
On 1/22/2011 2:58 AM, Walter Pinto wrote:
This is the config for my SMTP server, anything stand out?
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 5
disable_vrfy_command
Walter Pinto put forth on 1/21/2011 10:57 PM:
I used the following command to determine what needed to be removed
from my main.cf:
postconf -d > defaultcfg; postconf -n > customcfg; perl -ne 'print
if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
Then I made the suggested changes and
On 1/22/2011 11:10 AM, Stan Hoeppner wrote:
Walter Pinto put forth on 1/21/2011 10:57 PM:
I used the following command to determine what needed to be removed
from my main.cf:
postconf -d > defaultcfg; postconf -n > customcfg; perl -ne 'print
if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
Thanks guys.
My relay server has been upgraded to 2.7.2 and smtp server to 2.4.13
inet_protocols = all Had to add this due to some SPF records
now using ip6: entries
reject_sender_login_mismatch before permit_sasl_authenticated ---
Results in the following unwanted result:
Jan 22
On 1/22/2011 4:46 PM, Walter Pinto wrote:
Thanks guys.
My relay server has been upgraded to 2.7.2 and smtp server to 2.4.13
inet_protocols = all Had to add this due to some SPF records
now using ip6: entries
reject_sender_login_mismatch before permit_sasl_authenticated---
Results in the
Noel,
You're correct about reject_sender_login_mismatch , the problem is
with my smtpd_sender_login_maps query and not the restriction itself.
I'll have to revisit that at a later time. Thanks for all your help.
On Fri, Jan 21, 2011 at 6:50 PM, Walter Pinto wal...@amhosting.com wrote:
CentOS 5.5
mail_version = 2.3.3
Hi Walter,
I realize that 2.3.3 is the version of Postfix that is installed by
the default CentOS repos, but as already recommended on this thread,
you may want to consider the jump to a
I've been somewhat satisfied with the config I've had in place for a
while, but I thought it wouldn't hurt to have the experts take a look
and see if I've fubared something. Would the preferred method be a
postconf -n or snippets from main.cf?
On 1/21/2011 7:11 PM, Walter Pinto wrote:
I've been somewhat satisfied with the config I've had in place for a
while, but I thought it wouldn't hurt to have the experts take a look
and see if I've fubared something. Would the preferred method be a
postconf -n or snippets from main.cf?
You're
Thanks Noel. Let me know if I'm missing anything. This server is
supposed to act just as a relay.
postconf -n
alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
Walter Pinto put forth on 1/21/2011 7:42 PM:
Thanks Noel. Let me know if I'm missing anything. This server is
supposed to act just as a relay.
It sure would read a lot easier if you didn't manually declare all those default
settings. Which Linux distro is this? Whoever packages Postfix with
CentOS 5.5
mail_version = 2.3.3
On 1/21/2011 7:42 PM, Walter Pinto wrote:
Thanks Noel. Let me know if I'm missing anything. This server is
supposed to act just as a relay.
postconf -n
alias_maps =
anvil_rate_time_unit = 180s
body_checks = regexp:/etc/postfix/body_checks
bounce_size_limit = 1500
broken_sasl_auth_clients = yes
Thanks Noel, I will make the suggested changes along with cleaning out
the defaults. As far as the check policy goes, I shouldn't have any
issues moving it on this server because all I have enabled is HELO and
SPF checking. Now on my SMTP server, I have to have it before or else
the quota checking
On 1/21/2011 9:46 PM, Walter Pinto wrote:
Thanks Noel, I will make the suggested changes along with cleaning out
the defaults. As far as the check policy goes, I shouldn't have any
issues moving it on this server because all I have enabled is HELO and
SPF checking. Now on my SMTP server, I have
On Fri, 2011-01-21 at 20:57:18 -0800, Walter Pinto wrote:
I used the following command to determine what needed to be removed
from my main.cf:
postconf -d > defaultcfg; postconf -n > customcfg; perl -ne 'print
if ($seen{$_} .= @ARGV) =~ /10$/' customcfg defaultcfg
FWIW, an untested, less
Sahil,
I tested your command and it worked, thanks for that.