Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Wietse Venema
Victor Duchovni: > On Tue, Jun 14, 2011 at 08:05:24PM -0500, Noel Jones wrote: > > > I was thinking a setting integrated with smtp_pix_workarounds would be more > > automatic, with little maintenance once configured. > > Given that the banner detection is incomplete (some pixen are not > obvious

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Mark Martinec
On Wednesday June 15 2011 05:42:36 Noel Jones wrote: > At this time I'm inclined to set this aside. The DKIM bug > doesn't seem to be widespread; there is no compelling case to > add a new workaround right now. Indeed the situation has much improved in the past year or two. Many sites have turne

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Robert Schetterer
On 15.06.2011 08:39, Ralf Hildebrandt wrote: > * Benny Pedersen : > >> fail2ban could be one's friend if postfix have this >> >> fail2ban then just grep logs for outgoing mails that failed pr ip, >> and add this header ignore pr cidr maps > > Yeah, that's a great idea! > but what if there are o

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-15 Thread Benny Pedersen
On Wed, 15 Jun 2011 08:39:11 +0200, Ralf Hildebrandt wrote: * Benny Pedersen : fail2ban could be one's friend if postfix have this fail2ban then just grep logs for outgoing mails that failed pr ip, and add this header ignore pr cidr maps Yeah, that's a great idea! it is ?, oh thanks :-)

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Benny Pedersen : > fail2ban could be one's friend if postfix have this > > fail2ban then just grep logs for outgoing mails that failed pr ip, > and add this header ignore pr cidr maps Yeah, that's a great idea! -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Univers

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones
On 6/14/2011 8:22 PM, Victor Duchovni wrote: On Tue, Jun 14, 2011 at 08:05:24PM -0500, Noel Jones wrote: I was thinking a setting integrated with smtp_pix_workarounds would be more automatic, with little maintenance once configured. Given that the banner detection is incomplete (some pixen ar

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Benny Pedersen
On Tue, 14 Jun 2011 20:05:24 -0500, Noel Jones wrote: That's an interesting idea in itself, but in the scope of pix workarounds it's not a huge improvement since it still requires manual intervention per server/domain. fail2ban could be one's friend if postfix have this fail2ban then just gr

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Victor Duchovni
On Tue, Jun 14, 2011 at 08:05:24PM -0500, Noel Jones wrote: > I was thinking a setting integrated with smtp_pix_workarounds would be more > automatic, with little maintenance once configured. Given that the banner detection is incomplete (some pixen are not obviously such) one still needs manual

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones
On 6/14/2011 7:42 PM, Benny Pedersen wrote: On Tue, 14 Jun 2011 19:32:39 -0500, Noel Jones wrote: C) use existing smtp_header_checks solution. extend to smtp_header_checks_maps, and then use any maps postfix support That's an interesting idea in itself, but in the scope of pix workarounds

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Benny Pedersen
On Tue, 14 Jun 2011 19:32:39 -0500, Noel Jones wrote: C) use existing smtp_header_checks solution. extend to smtp_header_checks_maps, and then use any maps postfix support is smtp_header_checks already pr recipients server ?

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones
On 6/14/2011 5:49 PM, Benny Pedersen wrote: On Tue, 14 Jun 2011 19:48:54 +0200, Ralf Hildebrandt wrote: * Noel Jones : I think I posted something almost exactly like this a while ago (year+?). Anyway, I can confirm that I've had this same problem and came up with the same workaround, still in

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Benny Pedersen
On Tue, 14 Jun 2011 19:48:54 +0200, Ralf Hildebrandt wrote: * Noel Jones : I think I posted something almost exactly like this a while ago (year+?). Anyway, I can confirm that I've had this same problem and came up with the same workaround, still in place. Yeah. Maybe it would make a cool ad

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Robert Schetterer : > make it more public, firewall admins may awake, in Germany heise > postings help sometimes *g For that one would need large scale statistics. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Wietse Venema
Wietse Venema: > Hmm... > > % telnet mailamir.com 25 > Trying 114.31.73.44... > Connected to mailamir.com. > Escape character is '^]'. > 220 ** > help > 502 5.5.2 Error: command not recognized FYI, this is how I quickly identify Postfix MTAs. Wietse

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Robert Schetterer
On 14.06.2011 20:48, Ralf Hildebrandt wrote: > * Mark Martinec : > >> I think the newer versions of ASA can be configured to let ESMTP pass >> through without censoring the greeting, while still exhibiting one of >> the header parsing bugs - which can lead to dropping the TCP session >> without

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Robert Schetterer
On 14.06.2011 15:34, Ralf Hildebrandt wrote: > Today I found that some sites behind a PIX/ASA firewall with "smtp > protocol fixup" would not accept DKIM signed mails. > > Solution: > = > > master.cf: > nodkimunix - - - - - smtp -o > smtp_header_check

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Mark Martinec : > I think the newer versions of ASA can be configured to let ESMTP pass > through without censoring the greeting, while still exhibiting one of > the header parsing bugs - which can lead to dropping the TCP session > without a RST (but with a message in the log ... which no one re

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Mark Martinec
> > How does an SMTP client recognize an ASA box before it breaks email? > > Only from the /^[02 *]+$/ banner. > # telnet mx.interfree.it 25 > 220 ** I think the newer versions of ASA can be configured to let ESMTP pass through with

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Mark Martinec : > Ralf wrote: > > Today I found that some sites behind a PIX/ASA firewall with "smtp > > protocol fixup" would not accept DKIM signed mails. > > But you already knew that! :) Yes I know. > ASA bug CSCsy28792 and a couple of related header-parsing bugs, > triggered by encounter

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Victor Duchovni : > A Postfix system with a PIX in front of it and STARTTLS censored as > "XXXA" (same length). Yes, thought so too. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-122

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Mark Martinec
Ralf wrote: > Today I found that some sites behind a PIX/ASA firewall with "smtp > protocol fixup" would not accept DKIM signed mails. But you already knew that! :) ASA bug CSCsy28792 and a couple of related header-parsing bugs, triggered by encountering a "content-type" or "content-transfer-enc

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Victor Duchovni
On Tue, Jun 14, 2011 at 02:18:43PM -0400, Wietse Venema wrote: > > # telnet mailamir.com 25 > > Trying 114.31.73.44... > > Connected to mailamir.com. > > Escape character is '^]'. > > 220 ** > > Hmm... > > % telnet mailamir.com 25 > Trying 114.31.73.44... > Connected to m

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Wietse Venema
Ralf Hildebrandt: > * Wietse Venema : > > > > Yeah. Maybe it would make a cool addition to smtp_pix_workarounds! > > > > How does an SMTP client recognize an ASA box before it breaks email? > > Only from the /^[02 *]+$/ banner. > > # telnet mx.interfree.it 25 > Trying 213.158.72.46... > Connec

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Wietse Venema : > > Yeah. Maybe it would make a cool addition to smtp_pix_workarounds! > > How does an SMTP client recognize an ASA box before it breaks email? Only from the /^[02 *]+$/ banner. # telnet mx.interfree.it 25 Trying 213.158.72.46... Connected to mx.interfree.it. Escape character

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Wietse Venema
Ralf Hildebrandt: > * Noel Jones : > > > I think I posted something almost exactly like this a while ago > > (year+?). Anyway, I can confirm that I've had this same problem and > > came up with the same workaround, still in place. > > Yeah. Maybe it would make a cool addition to smtp_pix_workaro

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Victor Duchovni
On Tue, Jun 14, 2011 at 07:48:54PM +0200, Ralf Hildebrandt wrote: > * Noel Jones : > > > I think I posted something almost exactly like this a while ago > > (year+?). Anyway, I can confirm that I've had this same problem and > > came up with the same workaround, still in place. > > Yeah. Maybe

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
* Noel Jones : > I think I posted something almost exactly like this a while ago > (year+?). Anyway, I can confirm that I've had this same problem and > came up with the same workaround, still in place. Yeah. Maybe it would make a cool addition to smtp_pix_workarounds! -- Ralf Hildebrandt Ge

Re: conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Noel Jones
On 6/14/2011 8:34 AM, Ralf Hildebrandt wrote: Today I found that some sites behind a PIX/ASA firewall with "smtp protocol fixup" would not accept DKIM signed mails. Solution: = master.cf: nodkimunix - - - - - smtp -o smtp_header_checks=pcre:/etc/postf

conversation with ... timed out while sending end of data -- message may be sent more than once

2011-06-14 Thread Ralf Hildebrandt
Today I found that some sites behind a PIX/ASA firewall with "smtp protocol fixup" would not accept DKIM signed mails. Solution: = master.cf: nodkimunix - - - - - smtp -o smtp_header_checks=pcre:/etc/postfix/no_dkim.pcre main.cf: transport_maps = cdb:/