NYLXS - Free Software Events

Thu Nov 21 23:29:37 2024

EVENTS

FREE
SOFTWARE
INSTITUTE

POLITICS

JOBS

MEMBERS'
CORNER

MAILING
LIST

NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2022-01-01

HANGOUT

2024-11-21 | 2024-10-21 | 2024-09-21 | 2024-08-21 | 2024-07-21 | 2024-06-21 | 2024-05-21 | 2024-04-21 | 2024-03-21 | 2024-02-21 | 2024-01-21 | 2023-12-21 | 2023-11-21 | 2023-10-21 | 2023-09-21 | 2023-08-21 | 2023-07-21 | 2023-06-21 | 2023-05-21 | 2023-04-21 | 2023-03-21 | 2023-02-21 | 2023-01-21 | 2022-12-21 | 2022-11-21 | 2022-10-21 | 2022-09-21 | 2022-08-21 | 2022-07-21 | 2022-06-21 | 2022-05-21 | 2022-04-21 | 2022-03-21 | 2022-02-21 | 2022-01-21 | 2021-12-21 | 2021-11-21 | 2021-10-21 | 2021-09-21 | 2021-08-21 | 2021-07-21 | 2021-06-21 | 2021-05-21 | 2021-04-21 | 2021-03-21 | 2021-02-21 | 2021-01-21 | 2020-12-21 | 2020-11-21 | 2020-10-21 | 2020-09-21 | 2020-08-21 | 2020-07-21 | 2020-06-21 | 2020-05-21 | 2020-04-21 | 2020-03-21 | 2020-02-21 | 2020-01-21 | 2019-12-21 | 2019-11-21 | 2019-10-21 | 2019-09-21 | 2019-08-21 | 2019-07-21 | 2019-06-21 | 2019-05-21 | 2019-04-21 | 2019-03-21 | 2019-02-21 | 2019-01-21 | 2018-12-21 | 2018-11-21 | 2018-10-21 | 2018-09-21 | 2018-08-21 | 2018-07-21 | 2018-06-21 | 2018-05-21 | 2018-04-21 | 2018-03-21 | 2018-02-21 | 2018-01-21 | 2017-12-21 | 2017-11-21 | 2017-10-21 | 2017-09-21 | 2017-08-21 | 2017-07-21 | 2017-06-21 | 2017-05-21 | 2017-04-21 | 2017-03-21 | 2017-02-21 | 2017-01-21 | 2016-12-21 | 2016-11-21 | 2016-10-21 | 2016-09-21 | 2016-08-21 | 2016-07-21 | 2016-06-21 | 2016-05-21 | 2016-04-21 | 2016-03-21 | 2016-02-21 | 2016-01-21 | 2015-12-21 | 2015-11-21 | 2015-10-21 | 2015-09-21 | 2015-08-21 | 2015-07-21 | 2015-06-21 | 2015-05-21 | 2015-04-21 | 2015-03-21 | 2015-02-21 | 2015-01-21 | 2014-12-21 | 2014-11-21 | 2014-10-21 | 2014-09-21 | 2014-08-21 | 2014-07-21 | 2014-06-21 | 2014-05-21 | 2014-04-21 | 2014-03-21 | 2014-02-21 | 2014-01-21 | 2013-12-21 | 2013-11-21 | 2013-10-21 | 2013-09-21 | 2013-08-21 | 2013-07-21 | 2013-06-21 | 2013-05-21 | 2013-04-21 | 2013-03-21 | 2013-02-21 | 2013-01-21 | 2012-12-21 | 2012-11-21 | 2012-10-21 | 2012-09-21 | 2012-08-21 | 2012-07-21 | 2012-06-21 | 2012-05-21 | 2012-04-21 | 2012-03-21 | 2012-02-21 | 2012-01-21 | 2011-12-21 | 2011-11-21 | 2011-10-21 | 2011-09-21 | 2011-08-21 | 2011-07-21 | 2011-06-21 | 2011-05-21 | 2011-04-21 | 2011-03-21 | 2011-02-21 | 2011-01-21 | 2010-12-21 | 2010-11-21 | 2010-10-21 | 2010-09-21 | 2010-08-21 | 2010-07-21 | 2010-06-21 | 2010-05-21 | 2010-04-21 | 2010-03-21 | 2010-02-21 | 2010-01-21 | 2009-12-21 | 2009-11-21 | 2009-10-21 | 2009-09-21 | 2009-08-21 | 2009-07-21 | 2009-06-21 | 2009-05-21 | 2009-04-21 | 2009-03-21 | 2009-02-21 | 2009-01-21 | 2008-12-21 | 2008-11-21 | 2008-10-21 | 2008-09-21 | 2008-08-21 | 2008-07-21 | 2008-06-21 | 2008-05-21 | 2008-04-21 | 2008-03-21 | 2008-02-21 | 2008-01-21 | 2007-12-21 | 2007-11-21 | 2007-10-21 | 2007-09-21 | 2007-08-21 | 2007-07-21 | 2007-06-21 | 2007-05-21 | 2007-04-21 | 2007-03-21 | 2007-02-21 | 2007-01-21 | 2006-12-21 | 2006-11-21 | 2006-10-21 | 2006-09-21 | 2006-08-21 | 2006-07-21 | 2006-06-21 | 2006-05-21 | 2006-04-21 | 2006-03-21 | 2006-02-21 | 2006-01-21 | 2005-12-21 | 2005-11-21 | 2005-10-21 | 2005-09-21 | 2005-08-21 | 2005-07-21 | 2005-06-21 | 2005-05-21 | 2005-04-21 | 2005-03-21 | 2005-02-21 | 2005-01-21 | 2004-12-21 | 2004-11-21 | 2004-10-21 | 2004-09-21 | 2004-08-21 | 2004-07-21 | 2004-06-21 | 2004-05-21 | 2004-04-21 | 2004-03-21 | 2004-02-21 | 2004-01-21 | 2003-12-21 | 2003-11-21 | 2003-10-21 | 2003-09-21 | 2003-08-21 | 2003-07-21 | 2003-06-21 | 2003-05-21 | 2003-04-21 | 2003-03-21 | 2003-02-21 | 2003-01-21 | 2002-12-21 | 2002-11-21 | 2002-10-21 | 2002-09-21 | 2002-08-21 | 2002-07-21 | 2002-06-21 | 2002-05-21 | 2002-04-21 | 2002-03-21 | 2002-02-21 | 2002-01-21 | 2001-12-21 | 2001-11-21 | 2001-10-21 | 2001-09-21 | 2001-08-21 | 2001-07-21 | 2001-06-21 | 2001-05-21 | 2001-04-21 | 2001-03-21 | 2001-02-21 | 2001-01-21 | 2000-12-21 | 2000-11-21 | 2000-10-21 | 2000-09-21 | 2000-08-21 | 2000-07-21 | 2000-06-21 | 2000-05-21 | 2000-04-21 | 2000-03-21 | 2000-02-21 | 2000-01-21 | 1999-12-21

Key: Value:

MESSAGE

DATE	2022-01-05
FROM	Ruben Safir
SUBJECT	Re: [Hangout - NYLXS] Adding Additional domains and outgoing email
> > > > > > /etc/postfix/main.cf: > > > smtpd_sasl_type = dovecot > > > smtpd_sasl_path = private/auth > > > > Can't this be done with tls withouth dovecot or sasl? > > Authentication is needed by Dovecot for IMAP access > to read email. So it should be available for use by > Postfix as well. > > Authentication should also be required by Postfix for > submission of email from remote clients like > Thunderbird. The only typical exception to that would > be when the Thunderbird clients are on a "trusted" > network, and so their IP address can take the place of > SASL authentication in order for Postfix to decide that > it's OK to accept mail from them to be relayed to the > outside world. Some would argue that SASL > authentication should always be used whenever possible. > > However, even though TLS (usually) only verifies the > identity of the server, rather than authenticating the > client, it can do that as well, by using client > certificates in addition to the server certificate. See > http://www.postfix.org/TLS_README.html for details. > Thank you > So yes, you should be able to replace uses of > permit_sasl_authenticated in various parameters > with "smtpd_tls_req_ccert = yes" as -o option > override in master.cf for your submission service. > I'm sure there's more to it, but the TLS_README > should help. > smtpd_tls_ask_ccert = yes is on - so it is asking for client certificates? But that is really not authetication, if I understand things. > > I tried to do this and I get this error > > > > > > An error occurred while sending mail: Outgoing server (SMTP) error. The > > server responded: TLS not available due to local problem. > > The Postfix server's logfile should contain more information > about what the local problem was. FWIW, the error ended up being that there was no cache database First I needed to create a pem file /etc/postfix/tls/smtpd.pem which is a selft signed certificate and key root readable only www2:/etc/postfix/tls # ls -al total 12 drwx------ 2 root postfix 4096 Jan 3 14:06 . drwxr-xr-x 4 root root 4096 Jan 3 14:47 .. -r-------- 1 root root 1998 Jan 3 11:27 smtpd.pem and I had to create the cache database in /var/spool/postfix queue_directory = /var/spool/postfix smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache > > You can also use openssl to connect to the server and examine > the certificate details, with a command like this for port 25 or 587: > > DOMAIN=example.com > SERVER=example.com > PORT=25 > echo \| \ > openssl s_client -starttls smtp -showcerts -servername $SERVER -connect $DOMAIN:$PORT 2>/dev/null \| \ > openssl x509 -inform pem -noout -text \| less > > Or like this for port 465: > > DOMAIN=example.com > SERVER=example.com > PORT=465 > echo \| \ > openssl s_client -showcerts -servername $SERVER -connect $DOMAIN:$PORT 2>/dev/null \| \ > openssl x509 -inform pem -noout -text \| less > > But will probably just confirm the local problem. > The mail logs are more likely to help you identify > the cause. > > > I have this in the config file now: > > > > /etc/postfix/main.cf > > > > > > smtpd_sender_restrictions = hash:/etc/postfix/access, > > reject_unknown_sender_domain > > > > smtpd_recipient_restrictions = > > check_client_access hash:/etc/postfix/helo_client_exceptions > > check_sender_access hash:/etc/postfix/sender_checks, > > reject_invalid_hostname, > > ### Can cause issues with Auth SMTP, so be weary! > > reject_non_fqdn_hostname, > > ################################## > > reject_non_fqdn_sender, > > reject_non_fqdn_recipient, > > reject_unknown_sender_domain, > > reject_unknown_recipient_domain, > > permit_mynetworks, > > reject_unauth_destination, > > permit_mynetworks, reject_unauth_destination, > > reject_invalid_hostname, > > reject_non_fqdn_hostname, > > reject_non_fqdn_sender, > > reject_non_fqdn_recipient, > > reject_unknown_sender_domain, > > reject_unknown_recipient_domain, > > reject_rbl_client zen.spamhaus.org, > > reject_rbl_client bl.spamcop.net > > reject_rbl_client cbl.abuseat.org, > > permit > > smtpd_data_restrictions = reject_unauth_pipelining, permit > > > > ############################################################ > > # SASL stuff > > ############################################################ > > smtp_sasl_auth_enable = no > > smtp_sasl_security_options = > > smtp_sasl_password_maps = > > smtpd_sasl_auth_enable = no > > ############################################################ > > # TLS stuff > > ############################################################ > > #tls_append_default_CA = no > > relay_clientcerts = > > It looks like the relay_clientcerts parameter would do > what you want, if you point it at a lookup table > containing your client TLS certificate fingerprints. > You'd need to use permit_tls_clientcerts in place of > permit_sasl_authenticated in the appropriate > smtp_*_restrictions parameter for the submission > service in master.cf. See > http://www.postfix.org/postconf.5.html#relay_clientcerts > http://www.postfix.org/postconf.5.html#permit_tls_clientcerts > > However, it's probably much easier to use SASL authentication > instead since you already have dovecot. > > > #tls_random_source = dev:/dev/urandom > > > > smtp_use_tls = yes > > smtp_tls_loglevel = 1 > > smtp_enforce_tls = no > > smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem > > #smtp_tls_CApath = > > smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem > > smtp_tls_key_file = /etc/postfix/tls/smtpd.pem > > I don't think the above two parameters should be pointing > to the same file. But I might be wrong about that. I've > never had the Postfix server use a client certificate > when sending mail out. But it really doesn't look right. > Normally, the server would only use a specific client > certificate for outgoing mail when sending to a particular > transport that required it, not to all potential recipient > servers as would be the case when putting those parameters > in main.cf. It might be sensible to just replace the above > with: > > smtp_tls_security_level = may > smtp_tls_loglevel = 1 > > > #smtp_tls_session_cache_timeout = 3600s > > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache > > The above should probably use ${data_directory} rather > than ${queue_directory}. But maybe that depends on the system. > I think I had queue_directory originally but got warning messages > in the logfile about it. If you aren't seeing those warnings, > it's probably fine. > > > smtpd_use_tls = yes > > smtpd_tls_loglevel = 1 > > smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem > > #smtpd_tls_CApath =/etc/postfix/tls/smtpd.pem > > smtpd_tls_cert_file =/etc/postfix/tls/smtpd.pem > > smtpd_tls_key_file =/etc/postfix/tls/smtpd.pem > > The same pem file as above is being used as the server > certificate as well. And the cert and key parameters > are pointing to the same file again which looks unusual > to me. Does it contain both the private key and the > full chain? If so, you could use the > smtpd_tls_chain_files parameter instead of > smtpd_tls_cert_file and smtpd_tls_key_file. > > Using the same file for smtpd_tls_CAfile as well looks > odd to me, but I'm not an expert. Maybe it's OK. > > > smtpd_tls_ask_ccert = yes > > Having the above in main.cf makes it apply to all > incoming SMTP connections. I don't think you want that. > You only want it for your own users whose client > certificates you know about. It should be in master.cf > where the submission/submissions services are defined. > And it should be "smtpd_tls_req_ccert = yes" instead, > so that the Thunderbird clients are required to possess > a known client certificate (if SASL authentication is > not going to be used). > > I hope what I've said makes sense. > > cheers, > raf -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout