DevHeads.net

Postings by J Doe

Best place for DNSBL restrictions

Hello,

I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:

/etc/postfix/main.cf
postscreen_dnsbl_sites = bl.spamcop.net
postscreen_dnsbl_action = drop

After reading RFC 5782 “DNS Blacklists and Whitelists”, I decided to add some more
DNSBLs and specify filters and weighting. While looking at various samples of main.cf
using DNSBLs, I came back to an old question - where should I implement DNSBL restrictions?

On this list I seem to recall that using a DNSBL via postscreen is discouraged.
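The filtering and weighting the post is about, as an added example (Python written for this page, not Postfix source and not part of the original post): a small model of postscreen's documented domain=filter*weight scoring. The postscreen_dnsbl_sites value, the threshold of 3 and the DNS answers are all constructed for the example; the zen.spamhaus.org filter assumes that list's published 127.0.0.2-11 return codes, and any real deployment should check each list's own codes and terms before copying the weights.

```python
"""Model of postscreen's weighted DNSBL scoring.

Added example, not Postfix source: it parses a postscreen_dnsbl_sites value
in the documented domain=filter*weight form, builds the RFC 5782 query name
for a client address, and sums the weights of every entry whose list answered
with a matching A record. DNS answers are injected from a constructed table so
the example runs offline; the real postscreen gets them through dnsblog(8).
"""
import ipaddress
import re

# Constructed main.cf value. The filters and weights are illustrative choices
# (the zen filter assumes that list's documented 127.0.0.2-11 return codes);
# check each list's own documentation before copying them.
POSTSCREEN_DNSBL_SITES = """
    zen.spamhaus.org=127.0.0.[2..11]*3
    bl.spamcop.net*2
    b.barracudacentral.org*2
    list.dnswl.org=127.0.[0..255].[2..3]*-4
"""
POSTSCREEN_DNSBL_THRESHOLD = 3   # assumed value for the example; the Postfix default is 1

_ENTRY_RE = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")
_OCTET_RE = re.compile(r"\[[^\]]*\]|\d+")   # one filter octet: a number or a [..]-list


def parse_dnsbl_sites(value):
    """Return [(domain, filter_or_None, weight)] for a postscreen_dnsbl_sites value.

    No '=filter' means any non-error reply counts; no '*weight' means 1.
    """
    entries = []
    for token in value.replace(",", " ").split():
        m = _ENTRY_RE.match(token)
        if not m:
            raise ValueError("bad postscreen_dnsbl_sites entry: %r" % token)
        domain, pattern, weight = m.groups()
        entries.append((domain.lower(), pattern, int(weight) if weight else 1))
    return entries


def _octet_matches(spec, value):
    """Match one filter octet: '4', or '[2;4..7]' (';'-separated numbers and ranges)."""
    if not spec.startswith("["):
        return int(spec) == value
    for part in spec.strip("[]").split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False


def filter_matches(pattern, reply):
    """True when an A-record reply such as '127.0.0.4' satisfies the entry filter."""
    if pattern is None:
        return True                      # no filter: any non-error reply counts
    specs = _OCTET_RE.findall(pattern)
    octets = [int(o) for o in reply.split(".")]
    return len(specs) == 4 and all(_octet_matches(s, o) for s, o in zip(specs, octets))


def dnsbl_query_name(client_ip, domain):
    """RFC 5782 query name: the client's IPv4 octets reversed, then the list domain."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + domain


def dnsbl_score(client_ip, entries, answers):
    """Add up the weights of all entries whose list returned a matching A record.

    `answers` maps query names to the A records returned; a missing name is
    NXDOMAIN, i.e. not listed. Negative weights (whitelists) pull the score down.
    """
    score = 0
    for domain, pattern, weight in entries:
        for reply in answers.get(dnsbl_query_name(client_ip, domain), []):
            if filter_matches(pattern, reply):
                score += weight
    return score


def postscreen_dnsbl_action(client_ip, entries, answers,
                            threshold=POSTSCREEN_DNSBL_THRESHOLD):
    """'drop' (the postscreen_dnsbl_action set in the post) once the score
    reaches postscreen_dnsbl_threshold, otherwise 'pass'."""
    return "drop" if dnsbl_score(client_ip, entries, answers) >= threshold else "pass"


# Constructed answers for three TEST-NET clients.
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],     # 192.0.2.10: SBL-style code ...
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],       # ... and also on Spamcop
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.10"],  # 198.51.100.7: PBL-style code ...
    "7.100.51.198.list.dnswl.org": ["127.0.5.2"],     # ... but whitelisted by dnswl
    # 203.0.113.1 appears on no list at all.
}

if __name__ == "__main__":
    entries = parse_dnsbl_sites(POSTSCREEN_DNSBL_SITES)
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(ip, dnsbl_score(ip, entries, SAMPLE_ANSWERS),
              postscreen_dnsbl_action(ip, entries, SAMPLE_ANSWERS))
```

The point the model makes for the original question is that this scoring happens in postscreen, before the connection is ever handed to smtpd(8), so a client dropped here never reaches the smtpd_*_restrictions at all. Whatever weights are chosen, `postconf postscreen_dnsbl_sites postscreen_dnsbl_threshold postscreen_dnsbl_action` prints the values a running Postfix actually uses.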

Question regarding OpenDKIM milter with Postfix 3.1.0

Hi,

I apologize for asking a question that is only tangentially related to Postfix, however the OpenDKIM mailing lists do not appear to be accessible.

I am using Postfix 3.1.0 and OpenDKIM 2.10.3.

Postfix, milters and quarantine actions

Hello,

I had some questions regarding milters in general, with the questions initially focused on the OpenDKIM milter (version 2.10.3), on Postfix 3.1.0.

In man 5 opendkim.conf, under the CaptureUnknownErrors parameter, it specifies:

When set, and on systems where MTA quarantine is available, the
filter will request quarantine of a message that results in an internal
error or resource exhaustion.

My questions are:

1. Is this supported on Postfix 3.1.0 and later?

2.

Forcing TLS 1.2 on submission

Hi,

I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d clients on the submission service.

In master.cf I have added the following to the submission service:

-o smtpd_tls_ciphers=high
-o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2

…however, when I test via the OpenSSL client:

openssl s_client -connect example.com:587 -starttls smtp -tls1

…it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS 1.2 on successive tests.

What am I doing wrong?

Thanks,

- J

Question regarding 8BITMIME / BINARYMIME

Hi,

I have a question regarding 8BITMIME.

I know Postfix supports 8BITMIME and does not support BINARYMIME, but I am wondering why both 8BITMIME and BINARYMIME are ESMTP extensions. It would appear that 8BITMIME solves the same problem as BINARYMIME (allow 8-bit encoding of MIME), so why wasn’t BINARYMIME made obsolete in the RFCs?

Also, because 8BITMIME seems to solve the problem without CHUNKING, is that why Postfix supports it over BINARYMIME?

Thanks,

- J

Removing trace records on submission MSA

Hi,

I have a question in regards to removing some trace records when providing submission on Postfix 3.1.x and later.

While reading RFC 6409 (“Message Submission for Mail”), I note that the RFC observes that:

"Even when submitted messages are complete, local site policy may dictate that the message text be
examined or modified in some way, e.g., to conceal local name or address spaces.”

By this I take it that I could remove perhaps the initial trace message that returns information about internal addresses
and network names.

ESMTP CHUNKING

Hi,

I have been reading about the ESMTP CHUNKING extension (RFC 3030), after noticing that both Hotmail and Gmail advertise it on EHLO.

ETRN use and Postfix configuration

Hello,

I read the “Postfix ETRN Howto” [1] as well as man 5 postconf with regards to:

postscreen_discard_ehlo_keywords
smtpd_discard_ehlo_keywords

...

Question regarding VRFY

Hi,

I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave this enabled on my Postfix instance that provides submission (587)?

General websites on e-mail administration that also cover Postfix ?

Hi,

I was looking for some websites that covered e-mail administration in general and that also mentioned Postfix.

I checked the Postfix homepage [1] and on the link “Howtos and FAQs” there are two links at the bottom under the heading “General E-mail/System Administration”. Unfortunately the first link appears to be dead and the second link is more of a discussion of the C10K problem, which appears to be more of use to people writing software on the scale of Postfix.

Can anyone recommend any good sites that cover e-mail administration in general?

IP ACLs for smtpd port 25 and not submission

Hi,

I currently use postscreen on my Postfix version 3.1.0 mail server. I implement IP ACLs via it to ban malicious connections (generally from xDSL IP blocks), against smtpd running on port 25.

I have recently configured and turned on submission with SASL. With submission available, I don’t want to ban any particular xDSL IP blocks as clients that are travelling around the world may make use of Internet in cafes, hotels, etc.

Diffing man 5 postconf changes between releases

Hi,

I currently use Postfix version 3.1.0. I know that there are announcements of feature changes between each release of Postfix via e-mail and I read these, but I was wondering if there was an easy way to see the changes to the main.cf configuration parameters between versions?

For example, can I somehow diff the difference between man 5 postconf on version 3.1.0 and the current release of Postfix?

Question regarding smtpd DNS resolution

Hello,

I had a question about Postfix’s smtpd DNS resolution.

In my logs (generally from spam sources), I see the following:

Feb 4 15:05:46 server postfix/smtpd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known

Does this mean that:

1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
3. If the IP addresses don’t match it reports this error

...
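The three steps the post lists, as an added example (Python written for this page, not Postfix source and not part of the original post): a resolver stand-in with constructed PTR and A records, the check itself, and the two smtpd restrictions that consume its result. The addresses and names are assumptions of the example, as is the simplification that each address has at most one PTR record.

```python
"""Model of the client hostname check smtpd(8) performs when a client connects.

Added example, not Postfix source. The resolver is a constructed stand-in so
the example runs offline; the warning text is patterned on the log line in the
post.
"""
import ipaddress


class FakeResolver:
    """Constructed DNS: PTR and A records as plain dictionaries."""

    def __init__(self, ptr, a):
        self.ptr = ptr   # client address -> list of names
        self.a = a       # name -> list of addresses

    def reverse(self, ip):
        return self.ptr.get(ip, [])

    def forward(self, name):
        if name not in self.a:
            raise LookupError("Name or service not known")
        return self.a[name]


def client_info(ip, resolver):
    """Run the three steps the post describes and return what smtpd would keep.

    1. reverse-map the client address to a name (reverse_name);
    2. forward-map that name back to addresses;
    3. accept the name only when the client address is among them.
    'name' is what reject_unknown_client_hostname looks at; it stays 'unknown'
    unless all three steps succeed. 'reverse_name' is kept even when step 2 or
    3 fails, which is what reject_unknown_reverse_client_hostname looks at.
    """
    info = {"name": "unknown", "reverse_name": "unknown", "warning": None}
    names = resolver.reverse(ip)
    if not names:
        return info                     # no PTR record: nothing to verify
    name = names[0]
    info["reverse_name"] = name
    try:
        addrs = resolver.forward(name)
    except LookupError as exc:          # step 2 failed: name has no address
        info["warning"] = "hostname %s does not resolve to address %s: %s" % (name, ip, exc)
        return info
    if ipaddress.ip_address(ip) not in {ipaddress.ip_address(a) for a in addrs}:
        # step 3 failed: name resolves, but not to the connecting address
        info["warning"] = "hostname %s does not resolve to address %s" % (name, ip)
        return info
    info["name"] = name
    return info


def reject_unknown_client_hostname(info):
    """Would reject_unknown_client_hostname fire for this client?"""
    return info["name"] == "unknown"


def reject_unknown_reverse_client_hostname(info):
    """Would the milder reject_unknown_reverse_client_hostname fire?"""
    return info["reverse_name"] == "unknown"


# Constructed records for four TEST-NET clients.
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.25": ["mail.example.org"],        # consistent forward and reverse
        "198.51.100.9": ["1-2-3-4.dyn.isp.net"],   # PTR exists, name has no A record
        "203.0.113.5": ["relay.example.net"],      # name resolves to a different address
        # 203.0.113.77 has no PTR record at all.
    },
    a={
        "mail.example.org": ["192.0.2.25"],
        "relay.example.net": ["203.0.113.6"],
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.9", "203.0.113.5", "203.0.113.77"):
        info = client_info(ip, RESOLVER)
        print(ip, info["name"], info["reverse_name"],
              "warning: " + info["warning"] if info["warning"] else "")
```

The distinction matters when writing restrictions: reject_unknown_client_hostname fires for all three failing clients in the sample, while reject_unknown_reverse_client_hostname fires only for the address that has no PTR record at all, which is why the latter is the one usually considered safe to apply on port 25.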

submission configuration in master.cf

Hi,

I was wondering about a configuration parameter listed with the default submission configuration in master.cf.

One of the parameters that overrides the settings in main.cf “milter_macro_daemon_name” is set to “ORIGINATING” instead of the default value in main.cf.

Why is this done?

Thanks,

- J

Request for feedback on SMTPD restrictions

Hi,

I have a basic SMTP server set up with what I believe to be good smtpd_*_ restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions.

Question regarding SASL auth only over TLS in SMTP server

Hi,

I have a question about enabling SASL authentication in the Postfix SMTP server *ONLY* over TLS.

In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it lists recommended configurations for SASL auth that restrict the SASL mechanisms to noanonymous and noplaintext:

A more sophisticated policy . . .

Cyrus vs Dovecot for SASL AUTH and IMAP

Hi,

I am looking to use either Cyrus or Dovecot for both SASL authentication and IMAP. While Postfix 3.1.0 supports both, I was wondering which to prefer if security is my most important deciding factor? Does one have a better track record than the other?

Thanks,

- J

Questions about auto replying in VIRTUAL_README

Hi,

I have two questions about the “Autoreplies” section in the VIRTUAL_README [1].

If I was setting up auto replies for the virtually hosted domain of “example.com”, would the correct configuration be:

/etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

/etc/postfix/virtual
... at example dot com ... at example dot com,
... at example dot ... at autoreply dot example.com

/etc/postfix/transport
autoreply.example.com autoreply:

/etc/postfix/master.cf
autoreply unix - n n - - pipe

Questions regarding elliptic curve support

Hi,

I had two short questions regarding Postfix’s elliptic curve support for the SMTP server.

1. Under the man documentation for: tls_eecdh_strong_curve the documentation states “...approximately 128-bit security...”. Is that saying that it is equivalent to 128-bits RSA or it provides an elliptic curve key size of nearly 128-bits?

2. To make use of elliptic curve encryption a TLS certificate must have been made with support for elliptic curves, correct? A TLS certificate using RSA keys will not work?

Thanks,

- J

Minor grammar mistake in man 5 postconf

Hi,

I noticed a very small grammatical error under: man 5 postconf

Under the configuration parameter: tls_dane_digest_agility under the “maybe” option, the second last sentence states:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will disabled.”

This should be changed to:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will *BE* disabled”

- J

TLS session tickets versus TLS session cache

Hi,

I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:

“As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”

I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER?

Thanks,

- J

Question regarding smtpd_recipient_restrictions

Hi,

I have a basic question regarding the smtpd_recipient_restrictions parameter.

From what I understand, these are restrictions applied to the SMTP RCPT TO command.

In the case of a server that receives mail for a domain and also allows clients to send mail through it (via AUTH’d clients), does smtpd_recipient_restrictions apply to recipients at the domain or to recipients of mail sent by the AUTH’d clients or both?

So, as an example, if the server handles mail for example.com, do the restrictions apply to:

1. Recipients at example.com (example: ... at example dot com is recipient)

2.

Distinction between next-hop and nexthop ?

Hi,

I was reading the documentation for the smtp_tls_verify_cert_match parameter in man 5 postconf and noted under the “nexthop” strategy that both next-hop and nexthop are specified.

Example:

“Match against the next-hop domain...”

“When MX lookups are not suppressed, this is the original nexthop domain...”

Up until this point, I had been viewing them as interchangeable, but are they in fact referring to two different things/terms?

Thanks,

- J

Question regarding use of amavisd-new

Hi,

I was wondering if fellow Postfix users would still recommend using amavisd-new when integrating AV (ClamAV), and spam filtering (SpamAssassin)?

The site I have this in mind for receives a moderate amount of e-mail per day.

This appears to be the most mentioned configuration via web searches, but I was wondering if this still held true for 2017/2018 (amavisd-new’s last release was 2016/04/26)?

Thanks,

- J

Question about CAs for the smtp client

Hi,

I have a question regarding specifying where the list of trusted CAs is in regards to the smtp client.

In man 5 postconf, I can see there are two configuration parameters regarding this:

smtp_tls_CAfile
smtp_tls_CApath

The documentation (as I understand it), notes that:

1. smtp_tls_CAfile

— Specifies file that contains CA certs of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates

2.

Determine if Ubuntu 17.10 (desktop) is using Wayland

Hi,

If I recall correctly, Ubuntu 17.10 (desktop version), uses Wayland if the computer’s hardware supports it. Is there an easy way for me to determine on a running 17.10 machine if Wayland is being used or if the OS is falling back to X?

Thanks,

- J

Question regarding smtp_per_record_deadline parameter

Hello,

I currently have a server that is configured as a mail forwarding domain [1]. Using example.com as an example:

/etc/postfix/main.cf
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual
... at example dot com users-gmail- ... at gmail dot com

As such, the SMTP client is used to forward the messages to each user’s existing Gmail addresses.

I was reading more about the smtp client parameters and read about smtp_per_record_deadline.

Question about postscreen_cache.db

Hello,

I have an admittedly basic question, but I have been trying to troubleshoot this for a while with no success.

I have enabled postscreen(8) on Postfix 3.1 and receive a warning in mail.log:

“close database /var/spool/postfix/var/lib/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)”

A quick Google of this returns that this is caused on Debian systems that run Postfix in a jail (which matches my system).

Question about message_drop_headers and DKIM

Hi,

I have a question regarding the message_drop_headers main.cf configuration parameter.

The man page states that it:

“[specifies] names of message headers that the cleanup(8) daemon will
remove after applying header_checks(5) and *BEFORE* invoking Milter
applications...”

Checking man 8 cleanup I note this relates to:

“...inbound mail...inserting into incoming mail queue...”

On the smtpd(8) server process, I have OpenDKIM configured to run as a milter.

Removal or obfuscation of mail_name

Hello,

I was reading about the mail_name parameter in main.cf.

I was wondering (and I know the gains would be minor given that this falls into security through obscurity), is there anything to gain by either removing this or specifying something false?

Are there any third-party servers or tools in the e-mail ecosystem that would depend on this being “Postfix”?

Thanks,

- J