DevHeads.net

Postings by J Doe

Question about CAs for the smtp client

Hi,

I have a question regarding specifying where the list of trusted CAs is in regards to the smtp client.

In man 5 postconf, I can see there are two configuration parameters regarding this:

smtp_tls_CAfile
smtp_tls_CApath

The documentation (as I understand it), notes that:

1. smtp_tls_CAfile

— Specifies the file that contains CA certs of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates

2.

Determine if Ubuntu 17.10 (desktop) is using Wayland

Hi,

If I recall correctly, Ubuntu 17.10 (desktop version), uses Wayland if the computer’s hardware supports it. Is there an easy way for me to determine on a running 17.10 machine if Wayland is being used or if the OS is falling back to X ?

Thanks,

- J

Question regarding smtp_per_record_deadline parameter

Hello,

I currently have a server that is configured as a mail forwarding domain [1]. Using example.com as an example:

/etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual
... at example dot com    users-gmail- ... at gmail dot com

As such, the SMTP client is used to forward the messages to each user’s existing Gmail addresses.

I was reading more about the smtp client parameters and read about smtp_per_record_deadline.

Question about postscreen_cache.db

Hello,

I have an admittedly basic question, but I have been trying to troubleshoot this for a while with no success.

I have enabled postscreen(8) on Postfix 3.1 and receive a warning in mail.log:

“close database /var/spool/postfix/var/lib/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)”

A quick Google of this returns that this is caused on Debian systems that run Postfix in a jail (which matches my system).

Question about message_drop_headers and DKIM

Hi,

I have a question regarding the message_drop_headers main.cf configuration parameter.

The man page states that it:

“[specifies] names of message headers that the cleanup(8) daemon will
remove after applying header_checks(5) and *BEFORE* invoking Milter
applications...”

Checking man 8 cleanup I note this relates to:

“...inbound mail...inserting into incoming mail queue...”

On the smtpd(8) server process, I have OpenDKIM configured to run as a Milter.

Removal or obfuscation of mail_name

Hello,

I was reading about the mail_name parameter in main.cf.

I was wondering (and I know the gains would be minor given that this falls into security through obscurity), is there anything to gain by either removing this or specifying something false ?

Is there any third-party servers or tools in the e-mail ecosystem that would depend on this being “Postfix” ?

Thanks,

- J

Question about relay_domains parameter

Hello,

I currently have my server configured to perform virtual domain hosting. It forwards mail addressed to addresses for my virtual domain (ex: example.com), to Gmail accounts.

Mail -> ... at example dot com -> ... at gmail dot com

I was reading more about the relay_domains parameter in “man 5 postconf”. It states:

“[specifies] destination domains (and subdomains thereof) this system
will relay mail *TO*”

I note that on Postfix 3.0 and later (my server is Postfix 3.1.0), this value defaults to an empty value.

Eliminating backscatter

Hi,

One of my mail servers (Postfix 3.1.0), is configured to perform virtual domain hosting. It forwards mail to the virtual domain to mailboxes of users on Gmail.

I can see in my mail log that spam with forged origin addresses sometimes comes into my server that is addressed to virtual domain addresses. My server rejects some of this spam and then generates a non-delivery e-mail to the origin address of the spam.

Question about default_destination_concurrency_limit

Hi,

I had a question regarding the main.cf parameter “default_destination_concurrency_limit”. The man page (man 5 postconf), states it is: “The default maximal number of parallel deliveries to the same destination.” and that this applies to the smtp(8) delivery agent.

This got me wondering . . . how would one adjust this parameter ? I am thinking it is only through benchmarking trial and error, as a number of factors would seem to affect this (server load, bandwidth, etc.).

Question regarding smtpd and log of “Untrusted TLS connection”

Hello,

I currently have a Postfix 3.1.0 server with smtpd configured to use opportunistic TLS encryption:

/etc/postfix/main.cf
smtpd_tls_security_level = may

In the documentation I have noted that even if STARTTLS is enabled, mail delivery will not be stopped even if the certificate at the other server is invalid or is a self-signed certificate.

Question regarding Postfix virtual domains and SPF

Hi,

I have two questions regarding using SPF when I am using Postfix with virtual domain hosting.

I currently have an SPF record in my DNS:

example.com TXT “v=spf1 ip4:1.2.3.4/32 ip6:1:2:3::4/128 ?all”

I virtually host a domain (in this example case, example.com), that is set to forward mail to recipients on Gmail.

Syntax question for smtp mandatory TLS encryption

Hi,

I have a syntax question regarding configuring mandatory TLS encryption for the smtp process as listed on: http://www.postfix.org/TLS_README.html#client_tls

In the second example on the page, square brackets are used when specifying the policy for specific destinations in the tls_policy file:

/etc/postfix/tls_policy
[example.net]:587 encrypt protocols=TLSv1 ciphers=high

Are the square brackets only required when the port to use is specified (ie: in previous example when destination was example.net with no port specified, I notice that the square brackets are left out) or is this syntax sp

Questions about mynetworks_style parameter in main.cf

Hello,

I have two questions regarding the “mynetworks_style” parameter in main.cf.

In man I see that the “subnet” option for “mynetworks_style” is listed as being supported in Postfix < 3.0.

Backscatter questions

Hello,

I recently configured Postfix 3.1.0 on a low-volume, Internet facing server. Mail operations are normal, but I had two questions regarding backscatter.

1. From what I understand, “backscatter” refers to e-mails such as non-delivery reports being sent back to the originator of a spam message. As the originator is often a forged address, the non-delivery reports are essentially junk data. Would this be a correct definition for the term ?

2. Is it possible to white-list the generation of non-delivery reports for some hosts and prevent generation for all others ?

Virtual domain hosting “catch all” e-mail address

Hi,

I am currently configuring virtual domain hosting on Postfix 3.1.0 and have a question about the “Postfix Virtual Domain Hosting Howto” document [1].

Under “Postfix virtual ALIAS example: separate domains, UNIX system accounts” there is an example of the virtual file. On line 10 it states:

# @example.com jim

This is referred to as a “catch-all address”.

My question is: does this receive ALL e-mail to: @example.com or does it only receive e-mail that is addressed to virtual users that do not exist in the virtual file ?

Thanks

Sources
[1] http://www.postfix.org/VIRTUAL_README.html

Systemd service files

Hi,

I have Ubuntu server 16.04 LTS deployed on one of my servers. I have been working at slowly learning systemd but I ran into something that I hadn't expected.

When adding commonly used packages (Apache 2.4.x), I noticed that some of these packages have incomplete systemd service files. In the case of Apache there is a systemd stub that then calls an init.d shim script. As a result, on reboot, systemd shows a load failure (I am assuming from the incomplete service file), for Apache, but Apache is successfully started.

Kernel compiled with Stack Protector ?

Hello,

In light of the recent report from Armis about the "BlueBorne" Bluetooth vulnerabilities that affect Linux (and other OSes), I was wondering if Ubuntu compiles the kernel with Stack Protector enabled (specifically for Ubuntu 16.04 LTS desktop and to a lesser extent 16.04 LTS server) ?

Secondly, is there a page that outlines the hardening steps that Ubuntu follows for ensuring kernel security ?

Thanks,

- J

Error building nftables on Ubuntu Server 16.04.03 LTS

Hello,

I am currently attempting to build the nft user land tool from the nftables project [1][2].

On Ubuntu Server 16.04.03 LTS, nft is available via the nftables package, however the version of nft that is installed is version 0.5 whereas the most current version of nft is 0.7.