NYLXS - Free Software Events

Sun Sep 24 12:55:39 2023

EVENTS

FREE
SOFTWARE
INSTITUTE

POLITICS

JOBS

MEMBERS'
CORNER

MAILING
LIST

NYLXS Members have a lot to say and share but we don't keep many secrets. Join the Hangout Mailing List and say your peice.

DATE 2022-01-01

HANGOUT

2023-09-24 | 2023-08-24 | 2023-07-24 | 2023-06-24 | 2023-05-24 | 2023-04-24 | 2023-03-24 | 2023-02-24 | 2023-01-24 | 2022-12-24 | 2022-11-24 | 2022-10-24 | 2022-09-24 | 2022-08-24 | 2022-07-24 | 2022-06-24 | 2022-05-24 | 2022-04-24 | 2022-03-24 | 2022-02-24 | 2022-01-24 | 2021-12-24 | 2021-11-24 | 2021-10-24 | 2021-09-24 | 2021-08-24 | 2021-07-24 | 2021-06-24 | 2021-05-24 | 2021-04-24 | 2021-03-24 | 2021-02-24 | 2021-01-24 | 2020-12-24 | 2020-11-24 | 2020-10-24 | 2020-09-24 | 2020-08-24 | 2020-07-24 | 2020-06-24 | 2020-05-24 | 2020-04-24 | 2020-03-24 | 2020-02-24 | 2020-01-24 | 2019-12-24 | 2019-11-24 | 2019-10-24 | 2019-09-24 | 2019-08-24 | 2019-07-24 | 2019-06-24 | 2019-05-24 | 2019-04-24 | 2019-03-24 | 2019-02-24 | 2019-01-24 | 2018-12-24 | 2018-11-24 | 2018-10-24 | 2018-09-24 | 2018-08-24 | 2018-07-24 | 2018-06-24 | 2018-05-24 | 2018-04-24 | 2018-03-24 | 2018-02-24 | 2018-01-24 | 2017-12-24 | 2017-11-24 | 2017-10-24 | 2017-09-24 | 2017-08-24 | 2017-07-24 | 2017-06-24 | 2017-05-24 | 2017-04-24 | 2017-03-24 | 2017-02-24 | 2017-01-24 | 2016-12-24 | 2016-11-24 | 2016-10-24 | 2016-09-24 | 2016-08-24 | 2016-07-24 | 2016-06-24 | 2016-05-24 | 2016-04-24 | 2016-03-24 | 2016-02-24 | 2016-01-24 | 2015-12-24 | 2015-11-24 | 2015-10-24 | 2015-09-24 | 2015-08-24 | 2015-07-24 | 2015-06-24 | 2015-05-24 | 2015-04-24 | 2015-03-24 | 2015-02-24 | 2015-01-24 | 2014-12-24 | 2014-11-24 | 2014-10-24 | 2014-09-24 | 2014-08-24 | 2014-07-24 | 2014-06-24 | 2014-05-24 | 2014-04-24 | 2014-03-24 | 2014-02-24 | 2014-01-24 | 2013-12-24 | 2013-11-24 | 2013-10-24 | 2013-09-24 | 2013-08-24 | 2013-07-24 | 2013-06-24 | 2013-05-24 | 2013-04-24 | 2013-03-24 | 2013-02-24 | 2013-01-24 | 2012-12-24 | 2012-11-24 | 2012-10-24 | 2012-09-24 | 2012-08-24 | 2012-07-24 | 2012-06-24 | 2012-05-24 | 2012-04-24 | 2012-03-24 | 2012-02-24 | 2012-01-24 | 2011-12-24 | 2011-11-24 | 2011-10-24 | 2011-09-24 | 2011-08-24 | 2011-07-24 | 2011-06-24 | 2011-05-24 | 2011-04-24 | 2011-03-24 | 2011-02-24 | 2011-01-24 | 2010-12-24 | 2010-11-24 | 2010-10-24 | 2010-09-24 | 2010-08-24 | 2010-07-24 | 2010-06-24 | 2010-05-24 | 2010-04-24 | 2010-03-24 | 2010-02-24 | 2010-01-24 | 2009-12-24 | 2009-11-24 | 2009-10-24 | 2009-09-24 | 2009-08-24 | 2009-07-24 | 2009-06-24 | 2009-05-24 | 2009-04-24 | 2009-03-24 | 2009-02-24 | 2009-01-24 | 2008-12-24 | 2008-11-24 | 2008-10-24 | 2008-09-24 | 2008-08-24 | 2008-07-24 | 2008-06-24 | 2008-05-24 | 2008-04-24 | 2008-03-24 | 2008-02-24 | 2008-01-24 | 2007-12-24 | 2007-11-24 | 2007-10-24 | 2007-09-24 | 2007-08-24 | 2007-07-24 | 2007-06-24 | 2007-05-24 | 2007-04-24 | 2007-03-24 | 2007-02-24 | 2007-01-24 | 2006-12-24 | 2006-11-24 | 2006-10-24 | 2006-09-24 | 2006-08-24 | 2006-07-24 | 2006-06-24 | 2006-05-24 | 2006-04-24 | 2006-03-24 | 2006-02-24 | 2006-01-24 | 2005-12-24 | 2005-11-24 | 2005-10-24 | 2005-09-24 | 2005-08-24 | 2005-07-24 | 2005-06-24 | 2005-05-24 | 2005-04-24 | 2005-03-24 | 2005-02-24 | 2005-01-24 | 2004-12-24 | 2004-11-24 | 2004-10-24 | 2004-09-24 | 2004-08-24 | 2004-07-24 | 2004-06-24 | 2004-05-24 | 2004-04-24 | 2004-03-24 | 2004-02-24 | 2004-01-24 | 2003-12-24 | 2003-11-24 | 2003-10-24 | 2003-09-24 | 2003-08-24 | 2003-07-24 | 2003-06-24 | 2003-05-24 | 2003-04-24 | 2003-03-24 | 2003-02-24 | 2003-01-24 | 2002-12-24 | 2002-11-24 | 2002-10-24 | 2002-09-24 | 2002-08-24 | 2002-07-24 | 2002-06-24 | 2002-05-24 | 2002-04-24 | 2002-03-24 | 2002-02-24 | 2002-01-24 | 2001-12-24 | 2001-11-24 | 2001-10-24 | 2001-09-24 | 2001-08-24 | 2001-07-24 | 2001-06-24 | 2001-05-24 | 2001-04-24 | 2001-03-24 | 2001-02-24 | 2001-01-24 | 2000-12-24 | 2000-11-24 | 2000-10-24 | 2000-09-24 | 2000-08-24 | 2000-07-24 | 2000-06-24 | 2000-05-24 | 2000-04-24 | 2000-03-24 | 2000-02-24 | 2000-01-24 | 1999-12-24

Key: Value:

MESSAGE

DATE	2022-01-05
FROM	Ruben Safir
SUBJECT	Re: [Hangout - NYLXS] Adding Additional domains and outgoing email
From hangout-bounces-at-nylxs.com Fri Jan 7 05:08:23 2022 Return-Path: X-Original-To: archive-at-mrbrklyn.com Delivered-To: archive-at-mrbrklyn.com Received: from www2.mrbrklyn.com (www2.mrbrklyn.com [96.57.23.82]) by mrbrklyn.com (Postfix) with ESMTP id 9E5EB16401B; Fri, 7 Jan 2022 05:08:21 -0500 (EST) X-Original-To: hangout-at-www2.mrbrklyn.com Delivered-To: hangout-at-www2.mrbrklyn.com Received: by mrbrklyn.com (Postfix, from userid 1000) id 4A67B163FB5; Fri, 7 Jan 2022 05:07:43 -0500 (EST) Resent-From: Ruben Safir Resent-Date: Fri, 7 Jan 2022 05:07:43 -0500 Resent-Message-ID: <20220107100743.GF20897-at-www2.mrbrklyn.com> Resent-To: hangout-at-mrbrklyn.com X-Original-To: ruben-at-mrbrklyn.com Delivered-To: ruben-at-mrbrklyn.com Received: from english-breakfast.cloud9.net (english-breakfast.cloud9.net [168.100.1.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail.cloud9.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mrbrklyn.com (Postfix) with ESMTPS id 98966163FEF for ; Wed, 5 Jan 2022 04:11:03 -0500 (EST) Received: by english-breakfast.cloud9.net (Postfix) id E1C0333A8B6; Wed, 5 Jan 2022 04:10:27 -0500 (EST) Delivered-To: postfix-users-outgoing-at-cloud9.net Received: from localhost (localhost [127.0.0.1]) by english-breakfast.cloud9.net (Postfix) with ESMTP id E070D33A8B4 for ; Wed, 5 Jan 2022 04:10:27 -0500 (EST) X-Virus-Scanned: amavisd-new at cloud9.net Received: from english-breakfast.cloud9.net ([127.0.0.1]) by localhost (english-breakfast.cloud9.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJpuP5RMPVRj for ; Wed, 5 Jan 2022 04:10:27 -0500 (EST) Received: by english-breakfast.cloud9.net (Postfix, from userid 54) id BF02033A8B7; Wed, 5 Jan 2022 04:10:27 -0500 (EST) Delivered-To: postfix-users-at-cloud9.net Received: from localhost (localhost [127.0.0.1]) by english-breakfast.cloud9.net (Postfix) with ESMTP id A518E33A8B6 for ; Wed, 5 Jan 2022 04:10:27 -0500 (EST) X-Virus-Scanned: amavisd-new at cloud9.net Received: from english-breakfast.cloud9.net ([127.0.0.1]) by localhost (english-breakfast.cloud9.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 702bxiI1uGKc for ; Wed, 5 Jan 2022 04:10:27 -0500 (EST) Received: from mrbrklyn.com (www2.mrbrklyn.com [96.57.23.82]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by english-breakfast.cloud9.net (Postfix) with ESMTPS id 7A89933A8B4 for ; Wed, 5 Jan 2022 04:10:27 -0500 (EST) Received: by mrbrklyn.com (Postfix, from userid 1000) id 92D41163FF9; Wed, 5 Jan 2022 04:10:26 -0500 (EST) Date: Wed, 5 Jan 2022 04:10:26 -0500 From: Ruben Safir To: postfix-users-at-postfix.org Message-ID: <20220105091026.GA30311-at-www2.mrbrklyn.com> References: <8e8e3633-1574-aea2-ef68-bb6cea73e751-at-mrbrklyn.com> <20211222052031.GA4914-at-www2.mrbrklyn.com> <20220103182959.GA9594-at-www2.mrbrklyn.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Precedence: bulk Subject: Re: [Hangout - NYLXS] Adding Additional domains and outgoing email X-BeenThere: hangout-at-nylxs.com X-Mailman-Version: 2.1.30rc1 List-Id: NYLXS Tech Talk and Politics List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: hangout-bounces-at-nylxs.com Sender: "Hangout" > > > > > > /etc/postfix/main.cf: > > > smtpd_sasl_type = dovecot > > > smtpd_sasl_path = private/auth > > > > Can't this be done with tls withouth dovecot or sasl? > > Authentication is needed by Dovecot for IMAP access > to read email. So it should be available for use by > Postfix as well. > > Authentication should also be required by Postfix for > submission of email from remote clients like > Thunderbird. The only typical exception to that would > be when the Thunderbird clients are on a "trusted" > network, and so their IP address can take the place of > SASL authentication in order for Postfix to decide that > it's OK to accept mail from them to be relayed to the > outside world. Some would argue that SASL > authentication should always be used whenever possible. > > However, even though TLS (usually) only verifies the > identity of the server, rather than authenticating the > client, it can do that as well, by using client > certificates in addition to the server certificate. See > http://www.postfix.org/TLS_README.html for details. > Thank you > So yes, you should be able to replace uses of > permit_sasl_authenticated in various parameters > with "smtpd_tls_req_ccert = yes" as -o option > override in master.cf for your submission service. > I'm sure there's more to it, but the TLS_README > should help. > smtpd_tls_ask_ccert = yes is on - so it is asking for client certificates? But that is really not authetication, if I understand things. > > I tried to do this and I get this error > > > > > > An error occurred while sending mail: Outgoing server (SMTP) error. The > > server responded: TLS not available due to local problem. > > The Postfix server's logfile should contain more information > about what the local problem was. FWIW, the error ended up being that there was no cache database First I needed to create a pem file /etc/postfix/tls/smtpd.pem which is a selft signed certificate and key root readable only www2:/etc/postfix/tls # ls -al total 12 drwx------ 2 root postfix 4096 Jan 3 14:06 . drwxr-xr-x 4 root root 4096 Jan 3 14:47 .. -r-------- 1 root root 1998 Jan 3 11:27 smtpd.pem and I had to create the cache database in /var/spool/postfix queue_directory = /var/spool/postfix smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache > > You can also use openssl to connect to the server and examine > the certificate details, with a command like this for port 25 or 587: > > DOMAIN=example.com > SERVER=example.com > PORT=25 > echo \| \ > openssl s_client -starttls smtp -showcerts -servername $SERVER -connect $DOMAIN:$PORT 2>/dev/null \| \ > openssl x509 -inform pem -noout -text \| less > > Or like this for port 465: > > DOMAIN=example.com > SERVER=example.com > PORT=465 > echo \| \ > openssl s_client -showcerts -servername $SERVER -connect $DOMAIN:$PORT 2>/dev/null \| \ > openssl x509 -inform pem -noout -text \| less > > But will probably just confirm the local problem. > The mail logs are more likely to help you identify > the cause. > > > I have this in the config file now: > > > > /etc/postfix/main.cf > > > > > > smtpd_sender_restrictions = hash:/etc/postfix/access, > > reject_unknown_sender_domain > > > > smtpd_recipient_restrictions = > > check_client_access hash:/etc/postfix/helo_client_exceptions > > check_sender_access hash:/etc/postfix/sender_checks, > > reject_invalid_hostname, > > ### Can cause issues with Auth SMTP, so be weary! > > reject_non_fqdn_hostname, > > ################################## > > reject_non_fqdn_sender, > > reject_non_fqdn_recipient, > > reject_unknown_sender_domain, > > reject_unknown_recipient_domain, > > permit_mynetworks, > > reject_unauth_destination, > > permit_mynetworks, reject_unauth_destination, > > reject_invalid_hostname, > > reject_non_fqdn_hostname, > > reject_non_fqdn_sender, > > reject_non_fqdn_recipient, > > reject_unknown_sender_domain, > > reject_unknown_recipient_domain, > > reject_rbl_client zen.spamhaus.org, > > reject_rbl_client bl.spamcop.net > > reject_rbl_client cbl.abuseat.org, > > permit > > smtpd_data_restrictions = reject_unauth_pipelining, permit > > > > ############################################################ > > # SASL stuff > > ############################################################ > > smtp_sasl_auth_enable = no > > smtp_sasl_security_options = > > smtp_sasl_password_maps = > > smtpd_sasl_auth_enable = no > > ############################################################ > > # TLS stuff > > ############################################################ > > #tls_append_default_CA = no > > relay_clientcerts = > > It looks like the relay_clientcerts parameter would do > what you want, if you point it at a lookup table > containing your client TLS certificate fingerprints. > You'd need to use permit_tls_clientcerts in place of > permit_sasl_authenticated in the appropriate > smtp_*_restrictions parameter for the submission > service in master.cf. See > http://www.postfix.org/postconf.5.html#relay_clientcerts > http://www.postfix.org/postconf.5.html#permit_tls_clientcerts > > However, it's probably much easier to use SASL authentication > instead since you already have dovecot. > > > #tls_random_source = dev:/dev/urandom > > > > smtp_use_tls = yes > > smtp_tls_loglevel = 1 > > smtp_enforce_tls = no > > smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem > > #smtp_tls_CApath = > > smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem > > smtp_tls_key_file = /etc/postfix/tls/smtpd.pem > > I don't think the above two parameters should be pointing > to the same file. But I might be wrong about that. I've > never had the Postfix server use a client certificate > when sending mail out. But it really doesn't look right. > Normally, the server would only use a specific client > certificate for outgoing mail when sending to a particular > transport that required it, not to all potential recipient > servers as would be the case when putting those parameters > in main.cf. It might be sensible to just replace the above > with: > > smtp_tls_security_level = may > smtp_tls_loglevel = 1 > > > #smtp_tls_session_cache_timeout = 3600s > > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache > > The above should probably use ${data_directory} rather > than ${queue_directory}. But maybe that depends on the system. > I think I had queue_directory originally but got warning messages > in the logfile about it. If you aren't seeing those warnings, > it's probably fine. > > > smtpd_use_tls = yes > > smtpd_tls_loglevel = 1 > > smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem > > #smtpd_tls_CApath =/etc/postfix/tls/smtpd.pem > > smtpd_tls_cert_file =/etc/postfix/tls/smtpd.pem > > smtpd_tls_key_file =/etc/postfix/tls/smtpd.pem > > The same pem file as above is being used as the server > certificate as well. And the cert and key parameters > are pointing to the same file again which looks unusual > to me. Does it contain both the private key and the > full chain? If so, you could use the > smtpd_tls_chain_files parameter instead of > smtpd_tls_cert_file and smtpd_tls_key_file. > > Using the same file for smtpd_tls_CAfile as well looks > odd to me, but I'm not an expert. Maybe it's OK. > > > smtpd_tls_ask_ccert = yes > > Having the above in main.cf makes it apply to all > incoming SMTP connections. I don't think you want that. > You only want it for your own users whose client > certificates you know about. It should be in master.cf > where the submission/submissions services are defined. > And it should be "smtpd_tls_req_ccert = yes" instead, > so that the Thunderbird clients are required to possess > a known client certificate (if SASL authentication is > not going to be used). > > I hope what I've said makes sense. > > cheers, > raf -- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013 _______________________________________________ Hangout mailing list Hangout-at-nylxs.com http://lists.mrbrklyn.com/mailman/listinfo/hangout