question about envelope from.


question about envelope from.

L.P.H. van Belle
Hai,
 
I'm reading through RFCs but the following is still not clear to me.
 
E-mail is rejected based on the envelope-from address from a mail daemon, with Postfix + postfix-policyd-spf
 
I saw the following in the postfix logs.
Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="[hidden email]"; helo=smtp1.xxxxxxxx.nl; client-ip=x.xx.xxx.xx]
Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]]: 450 4.1.8 <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]>
 
about this:
envelope-from="[hidden email]"
 
I'm looking for the correct RFC where it is described that the part @apmcsqa01.poort should be @thesendingdomain.tld,
where thesendingdomain.tld is also a resolvable domain, because otherwise it does not make sense: the mailer-daemon will now never be accepted because it is non-resolvable.
 
If someone can point me to the correct RFC (and chapter), that would be great.
 
 
Thanks!
 
Louis
 
 
 

Re: question about envelope from.

Matus UHLAR - fantomas
On 13.03.18 13:54, L.P.H. van Belle wrote:

>I'm reading through RFCs but the following is still not clear to me.

>E-mail is rejected based on the envelope-from address from a mail daemon, with Postfix + postfix-policyd-spf

>I saw the following in the postfix logs.
>Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="[hidden email]"; helo=smtp1.xxxxxxxx.nl; client-ip=x.xx.xxx.xx]
>Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]]: 450 4.1.8 <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]>

>about this:
>envelope-from="[hidden email]"

Who configured a non-existing domain name there, and why?

>I'm looking for the correct RFC where it is described that the part @apmcsqa01.poort should be @thesendingdomain.tld

RFC 5321, section 2.3.5.  Domain Names:

    Only resolvable, fully-qualified domain names (FQDNs) are permitted
    when domain names are used in SMTP.

>where thesendingdomain.tld is also a resolvable domain, because otherwise it does
> not make sense: the mailer-daemon will now never be accepted because
> it is non-resolvable

Correct. That is the expected behaviour.
Do you expect someone to accept mail from non-existing (invalid) addresses?
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

RE: question about envelope from.

L.P.H. van Belle
Hai Matus,
Thank you for the reply, most appreciated.

No, but it's a "government" server, so I need to be very sure..   ;-)
Thanks, I was looking in the wrong RFC.


Best regards,

Louis
 



Re: question about envelope from.

Viktor Dukhovni
In reply to this post by L.P.H. van Belle


> On Mar 13, 2018, at 8:54 AM, L.P.H. van Belle <[hidden email]> wrote:
>
> Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]]: 450 4.1.8 <[hidden email]>: Sender address rejected: Domain not found; from=<[hidden email]>
>  
> about this:
> envelope-from="[hidden email]"
>  
> I'm looking for the correct RFC where it is described that the part @apmcsqa01.poort should be @thesendingdomain.tld
> where thesendingdomain.tld is also a resolvable domain, because otherwise it does not make sense: the mailer-daemon will now never be accepted because it is non-resolvable

In addition to not being resolvable, the envelope sender address here is also
problematic because "MAILER-DAEMON@" should only ever appear in the message
headers and NEVER as the envelope sender.  The correct envelope sender for
bounces is the empty (or null) sender:

        MAIL FROM:<>

not

        MAIL FROM:<[hidden email]>

Sure, some domain could in theory have an actual user mailbox named
"mailer-daemon", but that is most unlikely.  It is rather clear that
the server in question is generating backscatter with a non-empty
envelope sender address, thus potentially leading to mail loops.

It is good that your server is rejecting this traffic.

Finally, it seems you may be requesting client certificates on port 25
(incoming TLS status is "Untrusted" rather than "Anonymous"). I wonder
why...

   http://www.postfix.org/FORWARD_SECRECY_README.html#status

do you have "smtpd_tls_ask_ccert = yes"?

--
        Viktor.
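
The two rules the replies above cite, RFC 5321 section 2.3.5 (the reverse-path domain must be a resolvable FQDN) and the null sender for bounces, can be checked mechanically against a MAIL FROM command or against the envelope-from= field of a postfix/policy-spf log line. The following Python script is an added example, not Postfix code and not from anyone in this thread: `fake_resolves`, `KNOWN_DOMAINS`, the sample log line and its client IP are constructed stand-ins so it runs offline, and apmcsqa01.poort is the non-resolvable domain from the thread.

```python
"""Envelope-sender (reverse-path) checks as discussed in this thread.

Added example, not Postfix code. It applies RFC 5321 section 2.3.5 (only
resolvable, fully-qualified domain names in SMTP) and the bounce convention
that the envelope sender of a bounce is empty: MAIL FROM:<>, never
MAILER-DAEMON@somedomain.
"""
import re
from dataclasses import dataclass, field

MAIL_FROM_RE = re.compile(r"^\s*MAIL\s+FROM:\s*<(?P<path>[^>]*)>", re.IGNORECASE)
ENVELOPE_FROM_RE = re.compile(r'envelope-from="(?P<path>[^"]*)"')

# Constructed stand-in for DNS so the example runs offline: a domain "resolves"
# if it is in this set. Real code would look up MX, A or AAAA records.
KNOWN_DOMAINS = {"example.com", "smtp1.example.nl"}


def fake_resolves(domain: str) -> bool:
    return domain.lower() in KNOWN_DOMAINS


@dataclass
class Verdict:
    local_part: str
    domain: str
    null_sender: bool
    findings: list = field(default_factory=list)

    @property
    def accept(self) -> bool:
        return not self.findings


def parse_reverse_path(command: str) -> str:
    """Return the text between <> of a MAIL FROM command ('' is the null sender)."""
    m = MAIL_FROM_RE.match(command)
    if not m:
        raise ValueError(f"not a MAIL FROM command: {command!r}")
    return m.group("path")


def is_fqdn(domain: str) -> bool:
    """At least two labels, each made of letters, digits and hyphens."""
    labels = domain.split(".")
    return len(labels) >= 2 and all(re.fullmatch(r"[A-Za-z0-9-]+", lbl) for lbl in labels)


def check_reverse_path(path: str, resolves=fake_resolves) -> Verdict:
    if path == "":
        return Verdict("", "", null_sender=True)  # bounce: the null sender is always fine
    local, sep, domain = path.rpartition("@")
    v = Verdict(local, domain, null_sender=False)
    if not sep or not local or not domain:
        v.findings.append("malformed reverse-path: expected local-part@domain")
        return v
    if not is_fqdn(domain):
        v.findings.append(f"domain {domain!r} is not fully qualified (RFC 5321, section 2.3.5)")
    elif not resolves(domain):
        v.findings.append(f"domain {domain!r} does not resolve (RFC 5321, section 2.3.5)")
    if local.lower() == "mailer-daemon":
        v.findings.append("MAILER-DAEMON used as a non-null envelope sender; "
                          "bounces must use MAIL FROM:<> (backscatter risk)")
    return v


def check_mail_from(command: str, resolves=fake_resolves) -> Verdict:
    return check_reverse_path(parse_reverse_path(command), resolves)


def check_policy_log_line(line: str, resolves=fake_resolves) -> Verdict:
    """Apply the same checks to the envelope-from= field of a policy-spf log line."""
    m = ENVELOPE_FROM_RE.search(line)
    if not m:
        raise ValueError("no envelope-from= field in log line")
    return check_reverse_path(m.group("path"), resolves)


# Constructed log line modelled on the one in the thread; the domain apmcsqa01.poort
# comes from the thread, the address, HELO name and client IP are made up.
SAMPLE_LOG_LINE = (
    "Mar 13 13:54:00 hostname postfix/policy-spf[31766]: Policy action=PREPEND "
    "Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) "
    "receiver=hostname.domain.nl; identity=mailfrom; "
    'envelope-from="mailer-daemon@apmcsqa01.poort"; helo=smtp1.example.nl; '
    "client-ip=192.0.2.10"
)

if __name__ == "__main__":
    for cmd in ("MAIL FROM:<>", "MAIL FROM:<mailer-daemon@apmcsqa01.poort>",
                "MAIL FROM:<user@localhost>", "MAIL FROM:<user@example.com>"):
        v = check_mail_from(cmd)
        print(cmd, "->", "accept" if v.accept else "; ".join(v.findings))
    print(check_policy_log_line(SAMPLE_LOG_LINE).findings)
```

Run as a script it prints a verdict per sample command. In a real policy service the `resolves` callback would be a DNS lookup for MX, A or AAAA records, which is the check Postfix's reject_unknown_sender_domain performs; the MAILER-DAEMON test is the separate backscatter signal Viktor describes, independent of whether the domain resolves.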


RE: question about envelope from.

L.P.H. van Belle
Hello Viktor,




Yes, I've set smtpd_tls_ask_ccert to yes.

I also have Anonymous messages:
Anonymous TLS connection established from mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmmm, I now also noticed I don't have Trusted or Verified anymore; this must be a miss on my side after the switch from Postfix 2.10 to 3.1.

I need SSL verification. I'm not running a high-volume site and I just enabled DKIM, SPF, TLSA and DANE for this server.
Any tips on my config? I'm running this config atm, Postfix 3.1.8 (Debian) (config below).

Best regards,

Louis



### General Defaults
smtpd_banner = $myhostname ESMTP Ready
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no

### no one needs to ask our server who is on it
disable_vrfy_command = yes

#### user!domain != user@domain
swap_bangpath = no

#### user%domain != user@domain
allow_percent_hack = no

### Tarpit until RCPT TO: to reject the email for nagios compatibility
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports and slowdown of delivery per domain are set here also.
transport_maps = hash:/etc/postfix/personal/transport_maps.map
## Transports Tuning outgoing connections ! Esa max concurrent connections (polite)
## see also transport file and master.cf
# Throttle limit policy mail (global)
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2

# Polite policy
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5

# Turtle policy
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2
##
###

## 100 Mb size limit
message_size_limit = 102400000

# Postfix before 3.0 by default permits non-ASCII content in headers and addresses.
strict_7bit_headers = yes

2bounce_notice_recipient = [hidden email]
2bounce_notice_recipient = [hidden email]
bounce_notice_recipient = [hidden email]
delay_notice_recipient = [hidden email]
error_notice_recipient = [hidden email]
notify_classes = bounce, resource, software

## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly-written mail applications.
## default = no
strict_rfc821_envelopes = yes

###############
# SASL disabled, its not use on this server.
broken_sasl_auth_clients = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no

################# TLS parameters
# Disable SSL compression
tls_ssl_options = NO_COMPRESSION

# cipherlists, defaults are ok.
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom

# TLS Client outgoing
smtp_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtp_tls_cert_file = /etc/ssl/certs/cert-2017-cert.pem
smtp_tls_key_file = /etc/ssl/private/key-2017.key
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
## detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555)
smtp_tls_block_early_mail_reply = yes

# only offer authentication after STARTTLS
smtpd_tls_auth_only = yes

# TLS SERVER incoming
smtpd_starttls_timeout = 300s
smtpd_use_tls=yes
smtpd_enforce_tls = no
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 2
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_always_issue_session_ids = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtpd_tls_cert_file = /etc/ssl/certs/cert-2017-cert.pem
smtpd_tls_key_file = /etc/ssl/private/key-2017.key
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES

# Enable EECDH key exchange for Forward Secrecy
smtpd_tls_eecdh_grade=ultra

# The 512-bit parameter file won't be used if you've disabled "EXPORT"
# ciphers by setting "smtpd_tls_ciphers = medium" as recommended above.
#smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams2048.pem
# enabling it:
# which would likely result in handshake failure if a DHE EXPORT
# cipher were negotiated, which is arguably a safety feature.
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams2048.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


############### Host/Ip/ADS related
# ! see : /etc/postfix/main-mynetworks.cidr for your ipranges.
myhostname = mail.somedomain.tld
myorigin = mail.somedomain.tld
mydomain = mail.somedomain.tld
mydestination = mail.somedomain.tld, localhost
mynetworks = cidr:/etc/postfix/personal/mynetworks.cidr
inet_interfaces = all
inet_protocols = ipv4

relay_domains = hash:/etc/postfix/personal/relay_domains.map
masquerade_domains = hash:/etc/postfix/personal/masquerade_domains.map

sender_canonical_maps = hash:/etc/postfix/personal/sender_canonical.map
recipient_canonical_maps = hash:/etc/postfix/personal/recipient_canonical.map

header_checks = pcre:/etc/postfix/personal/checks_header.pcre
body_checks = pcre:/etc/postfix/personal/checks_body.pcre

alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ads2local-aliases.cf
alias_database = hash:/etc/aliases
virtual_alias_maps = ldap:/etc/postfix/ads2local-redirects.cf

################################

### Reject codes == 554
access_map_reject_code = 554
#invalid_hostname_reject_code = 554
#maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
#non_fqdn_reject_code = 554
#plaintext_reject_code = 554
#reject_code = 554
relay_domains_reject_code = 554
#unknown_address_reject_code = 554
#unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554


# SPF Policy
policyd-spf_time_limit = 3600s

# For dualdelivery - double delivery to multiple mail servers
# dualdelivery in the variable name is the name of the transport from master.cf
# without this setting, mail will not be delivered if the email was sent immediately
# multiple users
dualdelivery_destination_recipient_limit = 1


################## Restrictions/anti-spam Strict RFC !
## in order of processing.
## Restrictions/anti-spam Strict RFC !
#
smtpd_delay_reject = yes
#
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/personal/check_client_access-allow.cidr,
    check_client_access cidr:/etc/postfix/personal/check_client_access-reject.cidr,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining
##
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/personal/check_helo_access-hostname-checks.pcre,
    check_helo_access hash:/etc/postfix/personal/check_helo_access-allow.map,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining
##
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/personal/check_sender_access-allow.map
    check_sender_access hash:/etc/postfix/personal/check_sender_access-deny.map
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unauth_pipelining
##
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policyd-spf,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-deny.map
    check_recipient_access pcre:/etc/postfix/personal/check_recipient_access-deny-syntax.pcre
    reject_multi_recipient_bounce,
    reject_unlisted_recipient,
    reject_unverified_recipient
##
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    defer_unauth_destination
##
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
##
smtpd_etrn_restrictions =
    permit_mynetworks,
    reject
##

### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner =
    $myhostname, checking blacklists, please wait.
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
#postscreen_greet_action = enforce #testing action = drop.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
    pcre:/etc/postfix/personal/postscreen_access_list-reject.fqrdns.pcre
    cidr:/etc/postfix/personal/postscreen_access_list-drop.spamhaus-lasso.cidr
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action     = drop
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action         = enforce
postscreen_dnsbl_ttl            = 2h
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        zen.spamhaus.org*4
        b.barracudacentral.org*4
        bad.psky.me*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        cbl.anti-spam.org.cn=127.0.8.2*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        srn.surgate.net=127.0.0.2
        spam.dnsbl.sorbs.net*2
        rbl.rbldns.ru*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        dnsbl.justspam.org=127.0.0.2*2
        all.s5h.net=127.0.0.2*2
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        rbl.abuse.ro=127.0.0.[2;4]*2
        dnsbl.spfbl.net=127.0.0.[2;4]*2
        # No RDNS
        dnsbl.spfbl.net=127.0.0.3*1
        hostkarma.junkemailfilter.com=127.0.0.3*1
        # whitelists
        swl.spamhaus.org*-6
        dnswl.spfbl.net=127.0.0.[2;3;4]*-3
        list.dnswl.org=127.0.[0..255].[2;3]*-4
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-4
        nobl.junkemailfilter.com=127.0.0.5*-4
#
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests! This basically enables some kind of greylisting!
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.

###### Added for OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892




Re: question about envelope from.

Viktor Dukhovni


> On Mar 13, 2018, at 10:53 AM, L.P.H. van Belle <[hidden email]> wrote:
>
> Yes, I've set smtpd_tls_ask_ccert to yes.

You almost certainly don't need this.

> Hmmm, I now also noticed I don't have Trusted or Verified anymore; this must be a miss on my side after the switch from Postfix 2.10 to 3.1.

"Verified" is not possible with smtpd(8).  "Trusted" could happen when the client
certificate is signed by a trusted CA:

   http://www.postfix.org/FORWARD_SECRECY_README.html#status

but, typically, you should not be requesting client certificates that
serve no purpose.

> I need ssl verification

Not for incoming traffic; there, just supporting STARTTLS is all you need.

> smtpd_starttls_timeout = 300s

Don't duplicate default settings.

> smtpd_use_tls=yes
> smtpd_enforce_tls = no

These are obsolete.

> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 2

You don't need these.  I see no evidence of any meaningful use of
client certs.  At least not on port 25 via main.cf.

> smtpd_tls_always_issue_session_ids = no

This is the default.

> smtpd_tls_received_header = yes

Second time this is set.

> smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer

It is much better to have all the required intermediates in
your certfile, and leave this field empty.

> smtpd_tls_ciphers = high

This is unwise, the (default in supported releases) "medium" is better, see:

   https://tools.ietf.org/html/rfc7435

> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES

This too is unwise.  Remove this setting.

> # Enable EECDH key exchange for Forward Security
> smtpd_tls_eecdh_grade=ultra

With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far
better off with the default of "auto".

   http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

--
        Viktor.


Re: question about envelope from.

@lbutlr
On Mar 13, 2018, at 09:17, Viktor Dukhovni <[hidden email]> wrote:
>> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
>
> This too is unwise.  Remove this setting.

In general, or these specific exclusions?

I've had

smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4

For a pretty long time now

--
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.



Re: question about envelope from.

Matus UHLAR - fantomas
On 13.03.18 09:36, LuKreme wrote:

>On Mar 13, 2018, at 09:17, Viktor Dukhovni <[hidden email]> wrote:
>>> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
>>
>> This too is unwise.  Remove this setting.
>
>In general, or these specific exclusions?
>
>I've had
>
>smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4
>
>For a pretty long time now

I have:

smtpd_tls_ciphers=high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: question about envelope from.

Viktor Dukhovni
In reply to this post by @lbutlr


> On Mar 13, 2018, at 11:36 AM, LuKreme <[hidden email]> wrote:
>
> In general, or these specific exclusions?

Mostly in general.  Why do cleartext with clients that can't do strong ciphers?
Let them encrypt with their medium ciphers.

> I've had
>
> smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4
>
> For a pretty long time now

That said, the above are fine to exclude, they are just unnecessary
attack surface, with the exception of "RC4" nobody needs these for
interoperability at this time.  And even "RC4" use is vanishingly
small.

--
        Viktor.


Re: question about envelope from.

Viktor Dukhovni
In reply to this post by Matus UHLAR - fantomas


> On Mar 13, 2018, at 12:00 PM, Matus UHLAR - fantomas <[hidden email]> wrote:
>
> smtpd_tls_ciphers=high
> smtpd_tls_mandatory_ciphers=high
> smtpd_tls_exclude_ciphers=aNULL

My recommendation is:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high

There's not much need to exclude any additional ciphers, but if you must,
see the previous post...

--
        Viktor.


Re: question about envelope from.

John Allen
In reply to this post by Viktor Dukhovni
Too complicated? How could this be improved?

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK,
aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtp_tls_protocols = !SSLv2, !SSLv3

smtpd_sasl_auth_enable = no

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols


Re: question about envelope from.

Viktor Dukhovni


> On Mar 14, 2018, at 10:48 PM, John <[hidden email]> wrote:
>
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane

Fine.

> smtp_tls_ciphers = high

OK, but medium is perhaps sufficient.

> smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK, aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW".
You're also misspelling some of the cipher names, they are case-sensitive.
Try:

   smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr, kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very
small number of systems will now only be able to receive from you in
the clear.


> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high

Where did you get the idea that "high" was a TLS protocol version?

> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_ciphers = high

I would also suggest "medium" here.

> smtpd_tls_eecdh_grade = auto

This requires (and is recommended for) Postfix 3.2 or later.

> smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers

Not necessarily a good idea.  The server should perhaps be more
liberal.

--
        Viktor.
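
Several of the points raised in the reviews above (a parameter set twice, the obsolete smtpd_use_tls and smtpd_enforce_tls, case-sensitive OpenSSL cipher aliases such as kECDhe versus kECDHe, "high" mistaken for a protocol name, LOW and EXPORT exclusions that are redundant with medium or high, and medium for opportunistic TLS with high only for smtpd_tls_mandatory_ciphers) can be caught by a small linter run over main.cf. The following Python script is an added example, not Postfix code and not Viktor's: `parse_main_cf` and `lint_tls_config` are hypothetical names, `SAMPLE_MAIN_CF` is constructed from the snippets posted in this thread, and the alias table covers only the OpenSSL names that appear here.

```python
"""Lint the TLS part of a Postfix main.cf for the issues discussed in this thread.

Added example, not Postfix code. Parses 'name = value' lines with whitespace
continuation lines, then checks duplicates, obsolete parameters, cipher-alias
spelling (case-sensitive), protocol names, redundant exclusions and the
medium/high cipher grade recommendation.
"""
import re

KNOWN_CIPHER_ALIASES = {
    "eNULL", "aNULL", "LOW", "EXP", "EXPORT", "MEDIUM", "HIGH", "ADH", "AECDH",
    "MD5", "DSS", "aDSS", "ECDSA", "CAMELLIA128", "CAMELLIA256", "3DES", "DES",
    "RC2", "RC4", "RC5", "IDEA", "SEED", "SRP", "PSK",
    "kECDH", "kECDHe", "kECDHr", "kDH", "kDHd", "kDHr",
}
CASE_FIX = {alias.lower(): alias for alias in KNOWN_CIPHER_ALIASES}
TLS_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
OBSOLETE = {"smtpd_use_tls": "smtpd_tls_security_level",
            "smtpd_enforce_tls": "smtpd_tls_security_level"}
EXCLUDE_RE = re.compile(r"smtpd?_tls_(mandatory_)?exclude_ciphers")
PROTO_RE = re.compile(r"smtpd?_tls_(mandatory_)?protocols")


def parse_main_cf(text):
    """Return (name, value) pairs in file order so duplicates stay visible."""
    params = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and params:           # continuation of previous value
            name, value = params[-1]
            params[-1] = (name, f"{value} {raw.strip()}".strip())
            continue
        name, _, value = raw.partition("=")
        params.append((name.strip(), value.strip()))
    return params


def tokens(value):
    return [t for t in re.split(r"[,\s]+", value) if t]


def lint_tls_config(text):
    findings, seen = [], {}
    for name, value in parse_main_cf(text):
        if name in seen:
            findings.append(f"{name}: set more than once; the later value overrides {seen[name]!r}")
        seen[name] = value
        if name in OBSOLETE:
            findings.append(f"{name}: obsolete, use {OBSOLETE[name]} instead")
        if EXCLUDE_RE.fullmatch(name):
            for tok in tokens(value):
                if tok.startswith("$") or tok in KNOWN_CIPHER_ALIASES:
                    continue               # $param references are expanded by Postfix
                fix = CASE_FIX.get(tok.lower())
                if fix:
                    findings.append(f"{name}: {tok!r} is misspelled; OpenSSL aliases are case-sensitive, use {fix!r}")
                else:
                    findings.append(f"{name}: {tok!r} is not a known cipher alias")
        elif PROTO_RE.fullmatch(name):
            for tok in tokens(value):
                bare = re.sub(r"^[!<>=]+", "", tok)
                if not tok.startswith("$") and bare not in TLS_PROTOCOLS:
                    findings.append(f"{name}: {tok!r} is not a TLS protocol name")
    for side in ("smtp", "smtpd"):
        grade = seen.get(f"{side}_tls_ciphers")
        redundant = {"LOW", "EXP", "EXPORT"} & set(tokens(seen.get(f"{side}_tls_exclude_ciphers", "")))
        if grade in ("medium", "high") and redundant:
            findings.append(f"{side}_tls_exclude_ciphers: excluding {sorted(redundant)} "
                            f"is redundant with {side}_tls_ciphers = {grade}")
    if seen.get("smtpd_tls_ciphers") == "high":
        findings.append("smtpd_tls_ciphers = high: for opportunistic TLS (RFC 7435) prefer "
                        "medium here and put high in smtpd_tls_mandatory_ciphers")
    return findings


# Constructed from the snippets posted in this thread (not a complete main.cf).
SAMPLE_MAIN_CF = """\
# constructed sample
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK,
    aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_received_header = yes
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
"""

if __name__ == "__main__":
    for finding in lint_tls_config(SAMPLE_MAIN_CF):
        print(finding)
```

Feed it the output of `postconf -n` for a real host; parameters that only reference another parameter (`$smtp_tls_exclude_ciphers`) are left to Postfix to expand, which is why the smtpd-side redundancy is not reported for the sample.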


Re: question about envelope from.

John Allen
Thanks for the help.


>> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
> Where did you get the idea that "high" was a TLS protocol version?
>
>
I think this got in there by mistake; it's not in my Postfix
configuration. My guess is that I started typing before moving the cursor.
Ooops!
Sorry.

John A