
Another yahoo problem


Birta Levente
Hi

I have a problem with getting mails from yahoo, only from yahoo but now
from all servers.
here is the log:

Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from
[98.137.64.231]:33591 in tests after SMTP handshake
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: DISCONNECT
[98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: CONNECT from
[98.137.64.231]:37770 to [176.223.199.38]:25
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: NOQUEUE: reject: RCPT
from [98.137.64.231]:37770: 450 4.3.2 Service currently unavailable;
from=<[hidden email]>,
to=<[hidden email]>, proto=ESMTP,
helo=<sonic303-49.consmr.mail.gq1.yahoo.com>
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: PASS NEW
[98.137.64.231]:37770
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: DISCONNECT
[98.137.64.231]:37770

...
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: connect from
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: SSL_accept error from
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]: 0
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: lost connection after
STARTTLS from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1
commands=1/2
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: CONNECT from
[98.137.64.231]:33638 to [my.ip.add.ress]:25
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: PASS OLD
[98.137.64.231]:33638
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: connect from
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result:
"['None', '', 'helo']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: None; identity=no SPF record;
client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com;
envelope-from=[hidden email]; receiver=<UNKNOWN>
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result:
"['Pass', 'sender SPF authorized', 'mailfrom']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: Pass; identity=mailfrom;
client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com;
envelope-from=[hidden email]; receiver=<UNKNOWN>
Mar 30 14:18:39 wsrv policyd-spf[41310]: prepend Authentication-Results:
host.server.host; spf=pass (mailfrom) smtp.mailfrom=yahoo.com
(client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com;
envelope-from=[hidden email]; receiver=<UNKNOWN>)
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: 3vv2FC6QJmz53Nc7n:
client=sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:40 wsrv postfix/cleanup[37513]: 3vv2FC6QJmz53Nc7n:
message-id=<[hidden email]>
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n:
sonic303-49.consmr.mail.gq1.yahoo.com [98.137.64.231] not internal
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: not authenticated
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: DKIM
verification successful
Mar 30 14:18:40 wsrv opendmarc[2140]: 3vv2FC6QJmz53Nc7n: yahoo.com pass
Mar 30 14:18:40 wsrv postfix/qmgr[1771]: 3vv2FC6QJmz53Nc7n:
from=<[hidden email]>, size=3486, nrcpt=1 (queue
active)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) ESMTP :10024
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ:
<[hidden email]> -> <[hidden email]>
SIZE=3486 Received: from host.server.host ([127.0.0.1]) by localhost
(host.server.host
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP for
<[hidden email]>; Thu, 30 Mar 2017 14:18:40 +0300 (EEST)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) Checking: OBTvTMhgT_kq
[98.137.64.231] <[hidden email]> ->
<[hidden email]>
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p003 1 Content-Type:
multipart/alternative
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p001 1/1 Content-Type:
text/plain, size: 118 B, name:
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p002 1/2 Content-Type:
text/html, size: 675 B, name:
Mar 30 14:18:40 wsrv clamd[41770]:
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p004: OK
Mar 30 14:18:40 wsrv clamd[41770]:
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p001: OK
Mar 30 14:18:40 wsrv clamd[41770]:
/var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p002: OK
Mar 30 14:18:40 wsrv postfix/smtpd[41303]: disconnect from
sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 mail=1
rcpt=1 data=1 quit=1 commands=5

At the end I think the mail is received in plain text
Could be the problem at my side?
As I see the alert number 46 is unacceptable certificate .. so the
problem is at the sender side? Can I apply a workaround at my side?

        Thanks
        Levi




postfix version 3.2-20170122

#postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
append_at_myorigin = no
append_dot_mydomain = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
default_destination_recipient_limit = 30
dk_milter = inet:localhost:8892
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 8000s
message_size_limit = 0
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mime_header_checks = regexp:/etc/postfix/mime_header_checks
minimal_backoff_time = 1800s
mydestination = localhost, $myhostname, localhost.$mydomain
mydomain = d.d.d.com
myhostname = wsrv.d.d.d.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
nested_header_checks = regexp:/etc/postfix/nested_header_checks
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $dk_milter,$dkim_milter,$dmarc_milter
policy-spf_time_limit = 3600s
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr,
cidr:/etc/postfix/postscreen_spamhaus.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_retention_time = 14d
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = rbl.abuse.ro*2 zen.spamhaus.org*3
b.barracudacentral.org*3 bl.spameatingmonkey.net*2 bl.mailspike.net*1
bl.spamcop.net*1 swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner/Postscreen enabled
postscreen_non_smtp_command_action = ignore
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = ignore
postscreen_pipelining_enable = yes
proxy_read_maps = $local_recipient_maps, $mydestination,
$virtual_alias_maps, $virtual_alias_domains, $sender_bcc_maps,
$virtual_mailbox_maps, $virtual_mailbox_domains, $relay_recipient_maps
$relay_domains, $canonical_maps, $sender_canonical_maps,
$recipient_canonical_maps, $relocated_maps, $transport_maps,
$mynetworks, $smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_run_delay = 1200s
readme_directory = no
receive_override_options = no_address_mappings
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps =
mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
sample_directory = /etc/postfix
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_sasl_tls_security_options = noanonymous
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access
mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_data_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
regexp:/etc/postfix/helo_access, reject_invalid_hostname,
reject_non_fqdn_hostname, check_helo_access
regexp:/etc/postfix/blacklist_helo
smtpd_milters = $dkim_milter,$dmarc_milter
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination, check_policy_service unix:private/policy-spf,
check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
reject_unauth_pipelining, reject_unlisted_sender, reject_rbl_client
zen.spamhaus.org, check_reverse_client_hostname_access
pcre:/etc/postfix/fqrdns.pcre
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/d.d.d.com/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/d.d.d.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
transport_maps = hash:/etc/postfix/transport,
hash:/var/lib/mailman/data/transport-mailman,
proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
undisclosed_recipients_header = To: undisclosed-recipients:;
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = hash:/etc/mailman/virtual-mailman,
proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf




--
            Levi

Re: Another yahoo problem

Benny Pedersen-2
Levente Birta wrote on 2017-03-30 14:27:

> Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
> [98.137.64.231]:33591
> Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
> problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> certificate unknown:s3_pkt.c:1275:SSL alert number 46:
> Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT
> [98.137.64.231]:33591
> Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from
> [98.137.64.231]:33591 in tests after SMTP handshake
> Mar 30 13:48:16 wsrv postfix/postscreen[15245]: DISCONNECT
> [98.137.64.231]:33591

> At the end I think the mail is received in plain text
> Could be the problem at my side?

your problem is that you miss ssl3 support, which yahoo still uses :(

> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3

this makes it worse or has no effect if you don't have an ssl library
that supports it anymore, yahoo should upgrade to a working tls to solve
it

you can disable starttls for their client ips; if that solves it, write
to yahoo about it

Re: Another yahoo problem

lists@lazygranch.com
In reply to this post by Birta Levente
Perhaps sslv3 related.
http://disablessl3.com/

  Original Message  
From: Levente Birta
Sent: Thursday, March 30, 2017 5:28 AM
To: Postfix users
Subject: Another yahoo problem


Re: Another yahoo problem

chaouche yacine
On Thursday, March 30, 2017 4:09 PM, "[hidden email]" <[hidden email]> wrote:
>Perhaps sslv3 related.
>http://disablessl3.com/


Thanks for the valuable link.

 -- Yassine.

Broken opportunistic TLS senders (was: Another yahoo problem)

Viktor Dukhovni
In reply to this post by Benny Pedersen-2
On Thu, Mar 30, 2017 at 02:54:09PM +0200, Benny Pedersen wrote:

> Levente Birta wrote on 2017-03-30 14:27:
>
> > Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
> > [98.137.64.231]:33591
> > Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
> > problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> > certificate unknown:s3_pkt.c:1275:SSL alert number 46:

A "certificate unknown" alert is unlikely to be an issue with the
SSL/TLS protocol version.

> > At the end I think the mail is received in plain text
> > Could be the problem at my side?
>
> your problem is that you miss ssl3 support, which yahoo still uses :(

This is not correct, many Yahoo MTAs support TLSv1.2, e.g.:

    Mar 24 13:30:12 amnesiac postfix/smtpd[25034]:
        Anonymous TLS connection established from
        nm21-vm3.bullet.mail.ir2.yahoo.com[212.82.96.254]:
        TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

However, I also have:

    Feb 27 02:39:15 amnesiac postfix/smtpd[13779]: SSL_accept error from sonic326-4.consmr.mail.ne1.yahoo.com[66.163.186.123]: 0
    Feb 27 02:39:15 amnesiac postfix/smtpd[13779]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Feb 28 00:55:49 amnesiac postfix/smtpd[259]: SSL_accept error from sonic305-54.consmr.mail.ne1.yahoo.com[66.163.185.180]: 0
    Feb 28 00:55:49 amnesiac postfix/smtpd[259]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar  3 05:27:33 amnesiac postfix/smtpd[5897]: SSL_accept error from sonic315-47.consmr.mail.bf2.yahoo.com[74.6.134.221]: 0
    Mar  3 05:27:33 amnesiac postfix/smtpd[5897]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar  6 07:44:57 amnesiac postfix/smtpd[576]: SSL_accept error from sonic313-47.consmr.mail.bf2.yahoo.com[74.6.133.221]: 0
    Mar  6 07:44:57 amnesiac postfix/smtpd[576]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar  7 15:50:03 amnesiac postfix/smtpd[8740]: SSL_accept error from sonic314-47.consmr.mail.bf2.yahoo.com[74.6.132.221]: 0
    Mar  7 15:50:03 amnesiac postfix/smtpd[8740]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar 29 14:57:45 amnesiac postfix/smtpd[2319]: SSL_accept error from sonic305-3.consmr.mail.bf2.yahoo.com[74.6.133.42]: 0
    Mar 29 14:57:45 amnesiac postfix/smtpd[2319]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar 30 00:40:11 amnesiac postfix/smtpd[17880]: SSL_accept error from sonic309-27.consmr.mail.sg3.yahoo.com[106.10.244.90]: 0
    Mar 30 00:40:11 amnesiac postfix/smtpd[17880]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

This suggests some ignoramus has configured the "sonic...consmr..."
systems to drop unauthenticated TLS connections and send in cleartext
instead.  The same issue can be seen with mimecast:

    Feb 28 20:31:31 amnesiac postfix/smtpd[13789]: SSL_accept error from us-smtp-delivery-112.mimecast.com[216.205.24.112]: 0
    Feb 28 20:31:31 amnesiac postfix/smtpd[13789]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar 27 03:59:06 amnesiac postfix/smtpd[27065]: SSL_accept error from us-smtp-delivery-203.mimecast.com[216.205.24.203]: 0
    Mar 27 03:59:06 amnesiac postfix/smtpd[27065]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

    Mar 28 15:16:14 amnesiac postfix/smtpd[24429]: SSL_accept error from us-smtp-delivery-120.mimecast.com[216.205.24.120]: 0
    Mar 28 15:16:14 amnesiac postfix/smtpd[24429]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

Seems some folks need detention after school to copy RFC7435 in
long-hand a dozen times.

--
        Viktor.
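
The pattern described in the post above (a sender aborts STARTTLS with alert 46, then reconnects and delivers in cleartext) can be picked out of a Postfix 3.x log by pairing the per-session command summaries on the "disconnect from" lines. This is an added example, not part of any post in the thread: the function names are made up here, the sonic303-49 lines are unwrapped from the log in the first post, and the two example.net sessions are constructed controls.

```python
import re

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[[^\]]+\]")
ALERT_RE = re.compile(r"TLS library problem: .*SSL alert number (?P<num>\d+):")
DISCONNECT_RE = re.compile(
    r"^disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<stats>.*)$")
STAT_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

# First five and last two lines: taken from the first post, unwrapped.
# The example.net sessions are constructed controls (TLS ok / never tried TLS).
SAMPLE_LOG = """\
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: connect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: SSL_accept error from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]: 0
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: lost connection after STARTTLS from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1 commands=1/2
Mar 30 14:18:38 wsrv postfix/smtpd[41400]: connect from mail.example.net[192.0.2.10]
Mar 30 14:18:39 wsrv postfix/smtpd[41400]: disconnect from mail.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 30 14:18:39 wsrv postfix/smtpd[41401]: connect from old.example.net[192.0.2.20]
Mar 30 14:18:39 wsrv postfix/smtpd[41401]: disconnect from old.example.net[192.0.2.20] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: connect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:40 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""


def parse_stats(stats):
    """'ehlo=1 starttls=0/1' -> {'ehlo': (1, 1), 'starttls': (0, 1)}."""
    out = {}
    for name, ok, total in STAT_RE.findall(stats):
        out[name] = (int(ok), int(total) if total else int(ok))
    return out


def find_cleartext_fallbacks(lines):
    """Report clients whose STARTTLS failed with a TLS alert and which then
    delivered a message in a later session that never issued STARTTLS."""
    pending_alert = {}   # smtpd pid -> alert number seen in the current session
    failed = {}          # client ip -> alert number from its failed handshake
    findings = []
    for line in lines:
        m = SMTPD_RE.search(line.rstrip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if CONNECT_RE.match(msg):
            pending_alert.pop(pid, None)      # new session on this process
            continue
        a = ALERT_RE.search(msg)
        if a:
            pending_alert[pid] = int(a.group("num"))
            continue
        d = DISCONNECT_RE.match(msg)
        if not d:
            continue
        ip, stats = d.group("ip"), parse_stats(d.group("stats"))
        starttls = stats.get("starttls")
        if starttls and starttls[0] == 0 and pid in pending_alert:
            failed[ip] = pending_alert.pop(pid)          # handshake aborted
        elif starttls and starttls[0] > 0:
            failed.pop(ip, None)                         # retry used TLS
        elif starttls is None and stats.get("data", (0, 0))[0] > 0 and ip in failed:
            alert = failed.pop(ip)
            findings.append({"host": d.group("host"), "ip": ip, "alert": alert,
                             "alert_name": TLS_ALERTS.get(alert, "other")})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_fallbacks(SAMPLE_LOG.splitlines()):
        print("{host}[{ip}]: alert {alert} ({alert_name}), then cleartext".format(**f))
```

The lines must be unwrapped first (one syslog record per line); the log excerpts in the first post are folded by the mail client and would not match as pasted.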