Re: some questions and problems with postfix

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: some questions and problems with postfix

Alef Veld
Hi postfix users,
I’m new here. I have setup postfix recently on my AWS instance and things work pretty well. I can read (dovecot) and sent (postfix) and all works well. I experienced some uncertainty lately and i was hoping maybe one of you could assist me, or maybe you experienced this before, yourself.

1. DKIM. This is not really postfix related but if anyone knows i’d appreciate it. When i send mail from my domain to another domain (say outlook) it adds the signature field and is fine.
Aug 16 08:58:56 www postfix/cleanup[12690]: 4A61A63F61: message-id=<[hidden email]>
Aug 16 08:58:56 www opendkim[13789]: 4A61A63F61: DKIM-Signature field added (s=default, d=mydomain.com)
Aug 16 08:58:56 www postfix/qmgr[14386]: 4A61A63F61: from=<[hidden email]>, size=778, nrcpt=1 (queue active)

When i get an email from outlook.com i see this. Is that normal ? Worried slightly about the not authenticated and failed to parse messages.
Aug 16 09:01:47 www postfix/cleanup[12710]: B609463F61: message-id=<[hidden email]>
Aug 16 09:01:47 www opendkim[13789]: B609463F61: mail-oln040092068076.outbound.protection.outlook.com [40.92.68.76] not internal
Aug 16 09:01:47 www opendkim[13789]: B609463F61: not authenticated
Aug 16 09:01:47 www opendkim[13789]: B609463F61: failed to parse authentication-results: header field
Aug 16 09:01:47 www opendkim[13789]: B609463F61: DKIM verification successful
Aug 16 09:01:47 www postfix/qmgr[14386]: B609463F61: from=<[hidden email]>, size=5355, nrcpt=1 (queue active)

2. Why do i sometimes get a anonymous TLS connection.
Aug 16 09:01:47 www postfix/smtpd[12706]: SSL_accept:SSLv3 flush data
Aug 16 09:01:47 www postfix/smtpd[12706]: Anonymous TLS connection established from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)

And sometimes a regular TLS connection ? Same ip and same cipher as well.
Aug 16 09:01:47 www postfix/smtpd[12706]: initializing the server-side TLS engine
Aug 16 09:01:47 www postfix/smtpd[12706]: connect from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]
Aug 16 09:01:47 www postfix/smtpd[12706]: setting up TLS connection from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]
Aug 16 09:01:47 www postfix/smtpd[12706]: mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLS cipher list "ALL:+RC4:@STRENGTH"

Aug 16 09:01:47 www postfix/smtpd[12706]: Anonymous TLS connection established from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)

3. Finally, i have this bizarre problem where 2 of my iMacs at home cannot connect to my mail server anymore. MacBook and iPhone work fine (although i had some problems with iPhone as well). It seems like a local issue (as i’m sure anyone would say) but i can’t for the life figure out what it is. All i get on the maillog is this:
Aug 16 09:01:47 www postfix/smtpd[12706]: read from 5565938E6820 [556593910343] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))

I tried deleting the accounts and re-adding, but it just says cannot verify mail server, and then just waits for a long time. Is this certificate/SSL related? It sure feels like it. Should i turn off SSL to test ?

4. Finally, does anyone know what to do to get through to outlook.com addresses? Smartscreen filters all the email into junk. I added SPF, DKIM, DMARC, a PTR record, SenderID etc but when i contact the microsoft delivery team all i get is : "Not eligible for mitigation”.
My address is, while in the Amazon AWS pool, an elastic ip address and it is not on any spam or RBL’s. I owned it for 6 months or so, including the domain. 

Gmail or yahoo has no problem receiving it in the normal mailbox. And as microsoft is not giving me any real pointers as to why it is being filtered, i’m not sure what else to do.
I can send the postconf -n upon request.
Alef
Reply | Threaded
Open this post in threaded view
|

Re: some questions and problems with postfix

Viktor Dukhovni

> On Aug 16, 2017, at 8:11 AM, Alef Veld <[hidden email]> wrote:
>
> 2. Why do i sometimes get a anonymous TLS connection.

Inbound SMTP email is "always" anonymous, as servers generally
don't and should not request client certificates, and even if
they did, clients wouldn't generally be configured to present
such certificates.  See:

    http://www.postfix.org/FORWARD_SECRECY_README.html#status

> Aug 16 09:01:47 www postfix/smtpd[12706]: SSL_accept:SSLv3 flush data

Your log level is too high, set it to 1, and you'll get better
performance, and fewer debugging messages that you find confusing.
It may even be that with all debugging logging flooding the log
server, some messages are getting lost.  Though in this case both
the first connection:

> Aug 16 09:01:47 www postfix/smtpd[12706]: Anonymous TLS connection established from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)
>
> And sometimes a regular TLS connection ? Same ip and same cipher as well.

(actually also anonymous, just a few extra lines you happened to cut/paste)

> Aug 16 09:01:47 www postfix/smtpd[12706]: initializing the server-side TLS engine
> Aug 16 09:01:47 www postfix/smtpd[12706]: connect from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]
> Aug 16 09:01:47 www postfix/smtpd[12706]: setting up TLS connection from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]
> Aug 16 09:01:47 www postfix/smtpd[12706]: mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLS cipher list "ALL:+RC4:@STRENGTH"

and the second connection:

>
> Aug 16 09:01:47 www postfix/smtpd[12706]: Anonymous TLS connection established from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)

are anonymous.  The above log entries are all for the same inbound
TLS session.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: some questions and problems with postfix

Alef Veld
Hi Victor, thank you for your kind reply.
That explains a lot, i did not know. Also i now realize looking at the timestamps that it is indeed one and the same message. I feel stupid now.
But i will remember that inbound smtp is anonymous.

Thanks.

> On 16 Aug 2017, at 13:40, Viktor Dukhovni <[hidden email]> wrote:
>
>
>> On Aug 16, 2017, at 8:11 AM, Alef Veld <[hidden email]> wrote:
>>
>> 2. Why do i sometimes get a anonymous TLS connection.
>
> Inbound SMTP email is "always" anonymous, as servers generally
> don't and should not request client certificates, and even if
> they did, clients wouldn't generally be configured to present
> such certificates.  See:
>
>    http://www.postfix.org/FORWARD_SECRECY_README.html#status
>
>> Aug 16 09:01:47 www postfix/smtpd[12706]: SSL_accept:SSLv3 flush data
>
> Your log level is too high, set it to 1, and you'll get better
> performance, and fewer debugging messages that you find confusing.
> It may even be that with all debugging logging flooding the log
> server, some messages are getting lost.  Though in this case both
> the first connection:
>
>> Aug 16 09:01:47 www postfix/smtpd[12706]: Anonymous TLS connection established from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)
>>
>> And sometimes a regular TLS connection ? Same ip and same cipher as well.
>
> (actually also anonymous, just a few extra lines you happened to cut/paste)
>
>> Aug 16 09:01:47 www postfix/smtpd[12706]: initializing the server-side TLS engine
>> Aug 16 09:01:47 www postfix/smtpd[12706]: connect from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]
>> Aug 16 09:01:47 www postfix/smtpd[12706]: setting up TLS connection from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]
>> Aug 16 09:01:47 www postfix/smtpd[12706]: mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLS cipher list "ALL:+RC4:@STRENGTH"
>
> and the second connection:
>
>>
>> Aug 16 09:01:47 www postfix/smtpd[12706]: Anonymous TLS connection established from mail-oln040092068076.outbound.protection.outlook.com[40.92.68.76]: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)
>
> are anonymous.  The above log entries are all for the same inbound
> TLS session.
>
> --
> Viktor.
>