Question about disabling SSLv2 and SSLv3 and Opportunistic TLS


Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Wietse Venema
Dirk Stöcker:
> On Mon, 28 May 2018, Viktor Dukhovni wrote:
>
> >> It might be useful, but probably not, to have a version of postconf -n that showed the default value alongside the changed value:
> >
> > join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')
>
> Do you maybe also have a command to show only changed parameters?
>
> Something like postconf -n, but dropping everything identical to default.

There is a shell pipeline for that, too...

> This is a task which I need something to change a vendor supplied main.cf
> into the better understandable minimum configuration which does not
> contain legacy settings.
>
> Could "postconf" get a new "-N" parameter for that maybe ;-)

My Postfix cycles are consumed by TLS connection reuse.

        Wietse

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

@lbutlr
In reply to this post by Dirk Stöcker
On 2018-05-29 (02:35 MDT), Dirk Stöcker <[hidden email]> wrote:
>
> Do you maybe also have a command to show only changed parameters?

This is doable, but it takes a bit more processing than a single line. Basically, a shell script that parses the output of

join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/') | grep -v "(default:)"

and filters it with the output of

comm -1 -2 <(postconf -n) <(postconf -d)

as Stefan provided. I mean, it's probably possible in awk, but then again, what isn't?

I do have one question that I've never noticed before. The settings for mydomain and myhostname show that they are at the default values. Where is postfix getting the defaults for this and does it mean the settings really aren't needed unless your hostname is, for some reason, different?

(Not sure I could bring myself to not specify them).

-
Because you can't cotton to evil. No Sir. You have to smack evil on the
nose with the rolled-up newspaper of justice and say, 'Bad evil. Bad BAD
evil"'



Re: [Postfix] Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Jim P.
In reply to this post by Stefan Förster-4
On Tue, 2018-05-29 at 10:49 +0200, Stefan Förster wrote:

> * Dirk Stöcker <[hidden email]>:
> > On Mon, 28 May 2018, Viktor Dukhovni wrote:
> >
> > > > It might be useful, but probably not, to have a version of
> > > > postconf -n that showed the default value alongside the
> > > > changed value:
> > >
> > > join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')
> >
> > Do you maybe also have a command to show only changed parameters?
> >
> > Something like postconf -n, but dropping everything identical to
> > default.
>
> You can get changed parameters that are at their default value with:
>
> comm -1 -2 <(postconf -n) <(postconf -d)

FWIW, I had to use this:

comm -1 -2 <(postconf -n|sort) <(postconf -d|sort)

-Jim P.

Re: [Postfix] Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Viktor Dukhovni


> On May 29, 2018, at 12:28 PM, Jim P. <[hidden email]> wrote:
>
> FWIW, I had to use this:
>
> comm -1 -2 <(postconf -n|sort) <(postconf -d|sort)

That'd only be needed if you have a funny collation locale.
Try:

     env -i "PATH=$PATH" LANG=C LC_COLLATE=C bash -c '
         comm -1 -2 <(postconf -n) <(postconf -d)
     '

--
        Viktor.


Re: [Postfix] Re: [Postfix] Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Jim P.
On Tue, 2018-05-29 at 13:32 -0400, Viktor Dukhovni wrote:

> > On May 29, 2018, at 12:28 PM, Jim P. <[hidden email]> wrote:
> >
> > FWIW, I had to use this:
> >
> > comm -1 -2 <(postconf -n|sort) <(postconf -d|sort)
>
> That'd only be needed if you have a funny collation locale.
> Try:
>
>      env -i "PATH=$PATH" LANG=C LC_COLLATE=C bash -c '
>          comm -1 -2 <(postconf -n) <(postconf -d)
>      '
>

It's more of a language "feature".  This works:

LANG=C comm -1 -2 <(postconf -n) <(postconf -d)

this doesn't:

LANG=en_US comm -1 -2 <(postconf -n) <(postconf -d)

-Jim P.

Re: [Postfix] Re: [Postfix] Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Viktor Dukhovni


> On May 29, 2018, at 1:54 PM, Jim P. <[hidden email]> wrote:
>
> It's more of a language "feature".  This works:
>
> LANG=C comm -1 -2 <(postconf -n) <(postconf -d)
>
> this doesn't:
>
> LANG=en_US comm -1 -2 <(postconf -n) <(postconf -d)

The collation rules for "en_US" are abominable.  I always set:

  LC_CTYPE=en_US.UTF-8 LANG=C

but if you just want sensible collation, with everything else
using "en_US", you can just set LC_COLLATE=C.

--
        Viktor.


Re: [Postfix] Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

@lbutlr
On 29 May 2018, at 11:57, Viktor Dukhovni <[hidden email]> wrote:
> The collation rules for "en_US" are abominable.  I always set:
>
>  LC_CTYPE=en_US.UTF-8 LANG=C

Yep, strongly agree with this. I foolishly had LANG=en_US some time back thinking it was sensible. It is not. Everything breaks.



Re: [Postfix] Re: [Postfix] Re: [Postfix] Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Jim P.
In reply to this post by Viktor Dukhovni
On Tue, 2018-05-29 at 13:57 -0400, Viktor Dukhovni wrote:

> > On May 29, 2018, at 1:54 PM, Jim P. <[hidden email]> wrote:
> >
> > It's more of a language "feature".  This works:
> >
> > LANG=C comm -1 -2 <(postconf -n) <(postconf -d)
> >
> > this doesn't:
> >
> > LANG=en_US comm -1 -2 <(postconf -n) <(postconf -d)
>
> The collation rules for "en_US" are abominable.  I always set:
>
>   LC_CTYPE=en_US.UTF-8 LANG=C
>
> but if you just want sensible collation, with everything else
> using "en_US", you can just set LC_COLLATE=C.

Ahh, sounds good.  Thanks for that.

-Jim P.


Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Wietse Venema
In reply to this post by @lbutlr
@lbutlr:
> I do have one question that I've never noticed before. The settings for
> mydomain and myhostname show that they are at the default values. Where
> is postfix getting the defaults for this and does it mean the settings
> really aren't needed unless your hostname is, for some reason,
> different?

On my servers, I don't set these. myhostname comes from the kernel,
and mydomain is derived from myhostname.

On laptops I may set these just to get consistent results.

        Wietse

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Dirk Stöcker
In reply to this post by Wietse Venema
On Tue, 29 May 2018, Wietse Venema wrote:

>> This is a task which I need something to change a vendor supplied main.cf
>> into the better understandable minimum configuration which does not
>> contain legacy settings.
>>
>> Could "postconf" get a new "-N" parameter for that maybe ;-)
>
> My Postfix cycles are consumed by TLS connection reuse.

Probably adding the join and comm example commands of this thread to the
man page is better :-)

Even after years of UNIX experience there are commands and syntaxes I've
never seen before. That <(...) is surely helpful elsewhere, when I can
remember it...

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Viktor Dukhovni


> On May 31, 2018, at 8:04 AM, Dirk Stöcker <[hidden email]> wrote:
>
> Even after years of UNIX experience there are commands and syntaxes I've never seen before. That <(...) is surely helpful elsewhere, when I can remember it...

It is of course a "bashism" and not a POSIX-shell feature, so you
won't find it in /bin/sh on most systems or in /bin/ksh.  It is the
primary reason I use bash as my shell, <(cmd) is just way too
convenient, I use it dozens of times a day.

I don't think that the "comm" or "join" tricks belong in postconf(1)
documentation, but they could be in a Postfix-related Wiki, or
HOWTO document.

--
        Viktor.

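The comm(1) trick from this thread, written out as an added example (not code posted by anyone in the thread): it answers @lbutlr's "only the changed parameters" question with comm -2 -3, shows the "set but equal to default" list with comm -1 -2, forces C collation as Viktor suggested, and avoids bash's <(...) so it also runs under a POSIX /bin/sh. The two postconf listings are constructed sample text so the script runs offline; the values are not claimed to be any Postfix version's real defaults.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares constructed
# "postconf -n" / "postconf -d" listings with comm(1) under the C
# locale, using temp files instead of bash's <(...) for portability.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed stand-ins for the two postconf listings (sample values
# only; not any Postfix version's real defaults). Note the -n sample
# is deliberately unsorted, as a hand-edited main.cf would be.
write_samples() {
    printf '%s\n' \
        'smtpd_tls_security_level = may' \
        'myhostname = mail.example.test' \
        'smtpd_tls_protocols = !SSLv2, !SSLv3' \
        'mydomain = example.test' > "$tmpdir/n"
    printf '%s\n' \
        'mydomain = example.test' \
        'myhostname = mail.example.test' \
        'smtpd_tls_protocols = !SSLv2, !SSLv3' \
        'smtpd_tls_security_level = none' > "$tmpdir/d"
}

# Sort with LC_ALL=C so sort(1) and comm(1) agree on the order
# whatever the user's LANG is (the en_US problem from the thread).
sort_c() { LC_ALL=C sort "$1" > "$2"; }

# changed_only N D: lines present only in N, i.e. parameters whose
# "name = value" differs from the default (or that have no default).
changed_only() {
    sort_c "$1" "$tmpdir/n.sorted"; sort_c "$2" "$tmpdir/d.sorted"
    LC_ALL=C comm -2 -3 "$tmpdir/n.sorted" "$tmpdir/d.sorted"
}

# redundant_only N D: lines present in both, i.e. parameters that are
# set explicitly in main.cf but equal to the built-in default.
redundant_only() {
    sort_c "$1" "$tmpdir/n.sorted"; sort_c "$2" "$tmpdir/d.sorted"
    LC_ALL=C comm -1 -2 "$tmpdir/n.sorted" "$tmpdir/d.sorted"
}

write_samples
echo '# differs from default:'
changed_only "$tmpdir/n" "$tmpdir/d"
echo '# equal to default (candidates for removal):'
redundant_only "$tmpdir/n" "$tmpdir/d"
```

On a real system, replace the two sample files with the saved output of `postconf -n` and `postconf -d`; the comparison is line-for-line, which works because postconf prints both listings in the same "name = value" form.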

Re: Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Wietse Venema
Viktor Dukhovni:

>
>
> > On May 31, 2018, at 8:04 AM, Dirk Stöcker <[hidden email]> wrote:
> >
> > Even after years of UNIX experience there are commands and syntaxes I've never seen before. That <(...) is surely helpful elsewhere, when I can remember it...
>
> It is of course a "bashism" and not a POSIX-shell feature, so you
> won't find it in /bin/sh on most systems or in /bin/ksh.  It is the
> primary reason I use bash as my shell, <(cmd) is just way too
> convenient, I use it dozens of times a day.
>
> I don't think that the "comm" or "join" tricks belong in postconf(1)
> documentation, but they could be in a Postfix-related Wiki, or
> HOWTO document.

I see no problem, just need to add a note that it is non-portable dialect.

        Wietse