February 4, 2017 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | >
February 4, 2017 [00:00:35] *** angryjohnnie <angryjohnnie!~textual@static-173-49-3-242.phlapa.fios.verizon.net> has quit IRC (Ping timeout: 240 seconds)[00:01:35] <pj> definately get rid of this unless you have a very specific need, and I'm quite certain that opendkim does not need this line: milter_protocol = 2[00:01:40] <pj> luxifer: ^^^^[00:02:18] <luxifer> pj the latest upstream defaults might not be the ones that apply in any given distribution... and since I'm using Debian, chances are, the defaults there are a bit dusty already... my intention was to only allow algos to be used that are currently still considered to be secure[00:02:48] <luxifer> I know that might throw off some older clients and other MTAs but I also enforce starttls, which also locks out some other MTAs[00:03:04] *** daynaskully <daynaskully!~digifiv5e@unaffiliated/daynaskully> has quit IRC (Ping timeout: 255 seconds)[00:03:05] *** guyz is now known as daynaskully[00:03:24] <pj> luxifer: That's also a mistake, because you have this: smtpd_tls_security_level = may[00:04:01] <pj> you're telling postfix to fall back to plain text if it cannot establish a TLS connection, and then limiting the ciphers that can be used in that TLS connection.[00:04:14] <pj> even broken encryption is better than no encryption.[00:04:37] <luxifer> pj got rid of that milter protocol setting[00:05:48] <luxifer> pj oops, you're right... I'm only enforcing it in outgoing emails... I've had it set otherwise though... probably needed to receive an email from such an MTA at some point :/[00:06:51] <luxifer> set back to enforce...[00:06:53] <pj> luxifer: separate your submission from your MX, then you can have completely separate settings for those in master.cf which makes things much easier to work with.[00:07:05] <pj> and it should be set to "may" for port 25[00:07:05] <rob0> qtch, hmm, I am not sure why that was accepted.[00:07:21] <pj> otherwise you will not be able to receive mail from older servers.[00:07:32] *** zokum_ <zokum_!~zokum@188.51-174-52.customer.lyse.net> has quit IRC ()[00:07:38] <qtch> rob0: I'll try without alias[00:07:46] <luxifer> pj why should it be set to "may" other than for getting mail from MTAs that will not encrypt?[00:08:04] <pj> luxifer: that's exactly why[00:08:48] <luxifer> ah... ok, so it's more like a personal preference if I'd be the only person to not get a mail because of this? ;-)[00:08:48] <pj> and it's false security anyways, even encrypt does not verify the cert so even on the most recent secure cipher you are still vulnerable to a MITM attack.[00:09:06] <qtch> rob0: if I submit message to root via sendmail it fails causing mail loop[00:09:12] <luxifer> uh, I disagree here[00:09:22] <thumbs> luxifer: you're wrong, then.[00:09:33] <luxifer> the sender is vulnerable to a MITM if their MTA does not verify the cert[00:09:44] <qtch> rob0: what is ok probably since there's no mydestination[00:09:56] <pj> ahhh, you're right about that, and senders do not verify the cert.[00:10:07] <pj> well both sides are vulnerable because of that.[00:10:20] <qtch> but it can be bypassed in SMTP via rcpt to:root at [127 dot 0.0.1][00:10:58] <luxifer> well but the sender produced the information that would be snooped so... but I don't get it: why would the sender not check the cert? this makes no sense[00:11:31] <pj> luxifer: the vast number of senders will not verify the cert...[00:11:58] <rob0> line 38 you have a problem: I don't know what is looked up in that defer-noreply hash file.[00:12:02] <pj> the reason is that many servers use self-signed certs, so many that it would cause a lot of problems for the sender to verifity it.[00:12:33] <pj> and since the sender does not verify it, it makes you vulnerable.[00:13:06] <pj> luxifer: I'm referring to sending submission servers here, not MUAs, email clients such as thunderbird *do* verify the cert.[00:13:17] <luxifer> pj, are there any statistics or studies on that? this would be devastating... and again: it makes the sender vulnerable... granted: an attacker gets the same information that I get but I'm at the receiving end so technically there is no information leaking from me[00:13:34] <rob0> qtch, for all other "mumble" of smtpd_mumble_restrictions, a "hash:whatever" lookup is a check_mumble_access[00:13:35] <luxifer> pj, I know... that's what makes it so scary[00:13:47] <pj> luxifer: sorry I don't have statistics on this.[00:14:04] <pj> check with google, you might find some.[00:14:06] <rob0> in relay restrictions, I don't know. MAYBE a recipient lookup, but it is not documented AFAIK[00:14:29] *** daynaskully <daynaskully!~digifiv5e@unaffiliated/daynaskully> has quit IRC (Quit: quit)[00:14:34] <rob0> so, precede that lookup with what you intend to do[00:15:01] <luxifer> then what do you base that info on? anecdotal evidence does not count ;) and google doesn't really spit out any relevant on "mtas not checking certificates" :/[00:15:35] <rob0> qtch, also note it's unusual to have such lookups in relay restrictions. Why are they there?[00:15:46] <rob0> see also:[00:15:52] <rob0> !tell qtch access[00:15:52] <knoba> qtch: "access" : http://www.postfix.org/SMTPD_ACCESS_README.html : An overview of access(5) controls in the Postfix smtpd(8) SMTP server.[00:16:28] *** daynaskully <daynaskully!~digifiv5e@unaffiliated/daynaskully> has joined #postfix[00:16:34] <luxifer> anyway... I need to go to bed... it's 0:15 here *yawn*[00:17:00] <honestly> "We found that 76% of unique MX hostnames that receive our emails support STARTTLS. As a result, 58% of notification emails are successfully encrypted. Additionally, certificate validation passes for about half of the encrypted email, and the other half is opportunistically encrypted. 74% of hosts that support STARTTLS also provide Perfect Forward Secrecy."[00:17:01] <rob0> luxifer, it's just a fact, in mail exchange, certificates are not checked.[00:17:05] <honestly> https://www.facebook.com/notes/protect-the-graph/the-current-state-of-smtp-starttls-deployment/1453015901605223/[00:17:41] <pj> luxifer: it doesn't matter, the point is that the smtp clients don't check.[00:17:57] <rob0> Postfix definitely does not check unless you tell it to.[00:18:21] <honestly> if in the first half of 2014 half of email passes certification, I think in 2017 someone should start lobbying for making verification the default.[00:18:53] <luxifer> pj, rob0, lunaphyte, JPT thanks for all your inputs... gives me lots of stuff to think about.... honestly: thanks for that... they should rerun that, yeah... would be interesting to see how that changed over the last 3 years... given all the things that happened since then[00:19:09] <rob0> Bring that up on the mailing list if you're interested[00:19:10] <qtch> rob0: hmm ok it these lookups should be in recipient_restrictions[00:19:13] <honestly> well, 25%.[00:19:46] <honestly> also I'm apparently too tired to write coherently.[00:20:17] <rob0> restrictions can go wherever you need them, but it's unusual to need lookups in relay restrictions[00:21:05] <luxifer> rob0, good to know... I will check that as well... and I agree with honestly that verifying those certs should be the default... the fact that it's the other way around is just insane[00:21:06] <rob0> I guess no answer about why you put them there means you don't know why :)[00:21:06] *** zokum <zokum!~zokum@188.51-174-52.customer.lyse.net> has joined #postfix[00:21:47] <luxifer> till then... good night[00:21:52] <qtch> rob0: I'm preventing sending messages to local(8) recipients from external SMTP senders in this way[00:22:00] *** luxifer <luxifer!~luxifer@94.16.85.141> has quit IRC (Quit: Leaving)[00:23:45] <qtch> rob0: is it "wild"?[00:26:45] <qtch> rob0: anyway, I think that these are accepted rightly because in the documentation is written: "The $local_transport delivery method is also selected for mail addressed to user at [the dot net.work.address] of the mail system"[00:27:14] <qtch> these messages* - sorry 00:27 here[00:30:22] *** NwS <NwS!~NwS@unaffiliated/nws> has joined #postfix[00:30:50] <qtch> rob0: yes - I wanted rather put them into recipient restrincions :)[00:34:08] <qtch> rob0: hmm I can set "local_recipient_maps " to null - then no way to accept such messages, but then I get rid of local(8) facility[00:36:48] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Ping timeout: 240 seconds)[00:37:07] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Ping timeout: 240 seconds)[00:41:11] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[00:44:19] <rob0> did you say what version this is? Obviously at least 2.10 ...[00:44:43] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[00:57:56] <qtch> 3.1[01:07:23] <rob0> you'll want postscreen[01:07:47] <rob0> !cheatsheet[01:07:47] <knoba> rob0: "cheatsheet" : (#1) http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt : A HOWTO for pre-DATA spam control., or (#2) A postscreen cheatsheet can be seen at http://rob0.nodns4.us/postscreen.html (updated 2016-01-16, now requires Postfix 2.11+)[01:16:28] *** traptrip <traptrip!~traptrip@brigaid.xs4all.nl> has quit IRC (Ping timeout: 240 seconds)[01:25:49] *** fling <fling!~fling@fsf/member/fling> has joined #postfix[01:30:13] *** dskull <dskull!~dskull@drmons0544w-156057168163.dhcp-dynamic.FibreOp.ns.bellaliant.net> has joined #postfix[01:30:36] *** dskull is now known as Guest86908[01:30:45] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Remote host closed the connection)[01:33:43] *** daynaskully <daynaskully!~digifiv5e@unaffiliated/daynaskully> has quit IRC (Quit: quit)[01:33:43] *** Guest86908 <Guest86908!~dskull@drmons0544w-156057168163.dhcp-dynamic.FibreOp.ns.bellaliant.net> has quit IRC (Client Quit)[01:34:13] *** daynaskully <daynaskully!~dskull@unaffiliated/daynaskully> has joined #postfix[01:35:44] *** guyz <guyz!~dskull@unaffiliated/daynaskully> has joined #postfix[01:35:48] *** Robby <Robby!robby@2001:470:d19b::701> has quit IRC (Ping timeout: 256 seconds)[01:37:05] *** daynaskully <daynaskully!~dskull@unaffiliated/daynaskully> has quit IRC (Client Quit)[01:37:15] *** guyz is now known as daynaskully[01:41:45] *** Robby <Robby!robby@2001:470:d19b::701> has joined #postfix[01:43:16] *** daynaskully <daynaskully!~dskull@unaffiliated/daynaskully> has quit IRC (Quit: quit)[01:43:44] *** daynaskully <daynaskully!~dskull@unaffiliated/daynaskully> has joined #postfix[01:55:02] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[01:55:02] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[02:02:44] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[02:02:47] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[02:07:08] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Ping timeout: 240 seconds)[02:07:08] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Ping timeout: 240 seconds)[02:09:15] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[02:22:43] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[02:24:49] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[02:29:38] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Remote host closed the connection)[02:46:49] *** mroe <mroe!~roe@unaffiliated/roe> has joined #postfix[02:53:46] *** froz-gab <froz-gab!~froz-gab@host55-138-dynamic.52-79-r.retail.telecomitalia.it> has quit IRC (Ping timeout: 264 seconds)[03:03:51] *** mactimes is now known as mactimes_[03:06:07] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has joined #postfix[03:07:11] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has quit IRC (Remote host closed the connection)[03:11:08] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has quit IRC (Read error: Connection reset by peer)[03:31:43] *** mroe <mroe!~roe@unaffiliated/roe> has quit IRC (Remote host closed the connection)[04:43:37] *** froz-gab <froz-gab!~froz-gab@host55-138-dynamic.52-79-r.retail.telecomitalia.it> has joined #postfix[04:49:19] *** chachasmooth <chachasmooth!~chachasmo@unaffiliated/chachasmooth> has quit IRC (Ping timeout: 260 seconds)[04:49:47] *** chachasmooth <chachasmooth!~chachasmo@unaffiliated/chachasmooth> has joined #postfix[04:51:04] *** froz-gab <froz-gab!~froz-gab@host55-138-dynamic.52-79-r.retail.telecomitalia.it> has quit IRC (Ping timeout: 260 seconds)[04:54:37] *** Spun1 <Spun1!~DirtyDale@98.29.160.133> has joined #postfix[05:03:40] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has joined #postfix[05:10:53] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has joined #postfix[05:18:58] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has quit IRC (Ping timeout: 255 seconds)[05:43:16] *** Spun1 <Spun1!~DirtyDale@98.29.160.133> has quit IRC (Quit: Peace out Girlscouts)[05:56:49] *** JanC_ <JanC_!~janc@lugwv/member/JanC> has joined #postfix[05:58:08] *** JanC is now known as Guest8949[05:58:08] *** Guest8949 <Guest8949!~janc@lugwv/member/JanC> has quit IRC (Killed (sinisalo.freenode.net (Nickname regained by services)))[05:58:08] *** JanC_ is now known as JanC[06:05:29] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[06:10:37] *** dka <dka!~dka@1.52.58.230> has joined #postfix[06:14:14] *** dka <dka!~dka@1.52.58.230> has quit IRC (Excess Flood)[06:15:45] *** dka <dka!~dka@1.52.58.230> has joined #postfix[06:20:44] *** dka <dka!~dka@1.52.58.230> has quit IRC (Ping timeout: 276 seconds)[06:22:56] *** dka <dka!~dka@1.52.58.230> has joined #postfix[06:43:14] *** dtm_ <dtm_!~dtm@v2.smuckola.org> has joined #postfix[06:43:34] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has quit IRC (Ping timeout: 264 seconds)[06:44:48] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has joined #postfix[06:50:44] *** joulez <joulez!~lucifurba@pdpc/supporter/active/joulez> has quit IRC (Quit: WeeChat 1.6)[06:52:49] *** zapata <zapata!~zapata@2a02:b18:581:10:e8c6:8888:90e8:be73> has quit IRC (Quit: WeeChat 1.7)[07:13:52] *** dka <dka!~dka@1.52.58.230> has quit IRC (Ping timeout: 248 seconds)[07:17:02] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has joined #postfix[07:18:25] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has quit IRC (Max SendQ exceeded)[07:18:53] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has joined #postfix[07:31:42] *** huddy <huddy!uid16953@gateway/web/irccloud.com/x-nnfhyvovyuogemmm> has quit IRC (Quit: Connection closed for inactivity)[07:37:24] *** mcfate <mcfate!~textual@174-134-145-16.res.bhn.net> has quit IRC (Quit: Textual IRC Client: www.textualapp.com)[08:16:21] *** gu1lle_1 <gu1lle_1!~Thunderbi@190.18.11.132> has joined #postfix[08:17:08] *** gu1lle_ <gu1lle_!~Thunderbi@190.18.11.132> has quit IRC (Ping timeout: 240 seconds)[08:17:08] *** gu1lle_1 is now known as gu1lle_[08:19:02] *** Columbo0815 <Columbo0815!~foobar@HSI-KBW-078-042-130-040.hsi3.kabel-badenwuerttemberg.de> has joined #postfix[08:40:16] *** tenaglia <tenaglia!~jack@pb-d-128-141-210-120.cern.ch> has quit IRC (Ping timeout: 248 seconds)[09:54:18] *** muh2000_ <muh2000_!~quassel@prx2.ernw.net> has quit IRC (Remote host closed the connection)[09:56:54] *** muh2000_ <muh2000_!~quassel@prx2.ernw.net> has joined #postfix[09:58:52] <qtch> rob0: I thought for a long time about involve postscreen(8) - now I have a bunch of really nice getting started cheat sheets, so I'm going to to do it finally, thanks for advice[10:08:08] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has joined #postfix[10:12:29] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has quit IRC (Quit: Leaving)[10:12:39] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has joined #postfix[10:12:57] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has quit IRC (Client Quit)[10:13:06] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has joined #postfix[10:13:43] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has quit IRC (Changing host)[10:13:43] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has joined #postfix[10:15:51] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has left #postfix[10:16:02] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has joined #postfix[10:16:11] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has quit IRC (Changing host)[10:16:11] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has joined #postfix[10:22:03] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has quit IRC (Quit: Leaving)[10:22:13] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has joined #postfix[10:22:22] *** v1n4x <v1n4x!~v1n4x@138.36.57.5> has quit IRC (Changing host)[10:22:22] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has joined #postfix[10:30:26] *** sphenxes01 <sphenxes01!~sphenxes@213-147-189-50.hdsl.highway.telekom.at> has joined #postfix[10:33:28] *** sphenxes <sphenxes!~sphenxes@192-164-129-138.hdsl.highway.telekom.at> has quit IRC (Ping timeout: 240 seconds)[10:33:28] *** sphenxes02 <sphenxes02!~sphenxes@192-164-129-138.hdsl.highway.telekom.at> has quit IRC (Ping timeout: 240 seconds)[10:34:35] *** traptrip <traptrip!~traptrip@brigaid.xs4all.nl> has joined #postfix[10:34:37] *** sphenxes <sphenxes!~sphenxes@213-147-189-50.hdsl.highway.telekom.at> has joined #postfix[10:35:55] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[10:35:56] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[10:42:55] *** v1n4x <v1n4x!~v1n4x@unaffiliated/v1n4x> has quit IRC (Quit: Leaving)[10:53:22] *** pti-jean_ <pti-jean_!~quassel@232.29.124.78.rev.sfr.net> has joined #postfix[10:58:26] *** markus_e92 <markus_e92!~markus_e9@91-115-157-124.adsl.highway.telekom.at> has quit IRC (Ping timeout: 252 seconds)[10:58:38] *** sm311 <sm311!~sm311@138.36.57.5> has joined #postfix[10:58:38] *** sm311 <sm311!~sm311@138.36.57.5> has quit IRC (Client Quit)[11:00:38] *** markus_e92 <markus_e92!~markus_e9@91-115-21-174.adsl.highway.telekom.at> has joined #postfix[11:02:59] *** infides_afk <infides_afk!~infides@p4FE744AA.dip0.t-ipconnect.de> has joined #postfix[11:08:29] *** infides_afk <infides_afk!~infides@p4FE744AA.dip0.t-ipconnect.de> has quit IRC (Ping timeout: 260 seconds)[11:11:12] *** rsx <rsx!~dummy@ppp-93-104-63-239.dynamic.mnet-online.de> has joined #postfix[11:11:35] <sysmonk> f3ew: yoyo, how ya doing today?[11:11:58] <sysmonk> had a few more beers back at home, went to sleep at ~3 :) but managed to get up today[11:19:19] *** Mac_Write <Mac_Write!~Mac@d50-98-216-22.bchsia.telus.net> has joined #postfix[11:22:05] *** daynaskully <daynaskully!~dskull@unaffiliated/daynaskully> has quit IRC (Ping timeout: 240 seconds)[11:23:27] *** dka <dka!~dka@1.52.58.230> has joined #postfix[11:23:55] *** dka <dka!~dka@1.52.58.230> has quit IRC (Max SendQ exceeded)[11:27:16] *** daynaskully <daynaskully!~dskull@unaffiliated/daynaskully> has joined #postfix[11:39:52] *** PHPanos <PHPanos!~textual@c-192371d5.035-201-73746f28.cust.bredbandsbolaget.se> has joined #postfix[12:04:49] *** Cuzner <Cuzner!~ccuzner@192-0-132-105.cpe.teksavvy.com> has joined #postfix[12:46:10] *** sarri <sarri!~sari@unaffiliated/sarri> has quit IRC (Ping timeout: 240 seconds)[12:50:40] *** sarri <sarri!~sari@p50995cae.dip0.t-ipconnect.de> has joined #postfix[12:50:40] *** sarri <sarri!~sari@p50995cae.dip0.t-ipconnect.de> has quit IRC (Changing host)[12:50:40] *** sarri <sarri!~sari@unaffiliated/sarri> has joined #postfix[13:03:01] *** Columbo0815 <Columbo0815!~foobar@HSI-KBW-078-042-130-040.hsi3.kabel-badenwuerttemberg.de> has quit IRC (Quit: Verlassend)[13:03:03] *** Mac_Write <Mac_Write!~Mac@d50-98-216-22.bchsia.telus.net> has quit IRC (Quit: Linkinus - http://linkinus.com)[13:03:05] *** phunyguy <phunyguy!~torpedo@ubuntu/member/phunyguy> has quit IRC (Ping timeout: 240 seconds)[13:05:13] *** phunyguy <phunyguy!~torpedo@ubuntu/member/phunyguy> has joined #postfix[13:28:29] *** PHPanos <PHPanos!~textual@c-192371d5.035-201-73746f28.cust.bredbandsbolaget.se> has quit IRC (Quit: My Mac has gone to sleep. ZZZzzz…)[13:29:28] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has quit IRC (Ping timeout: 240 seconds)[13:30:45] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has joined #postfix[13:59:40] *** AnHry <AnHry!~x@a94-132-78-87.cpe.netcabo.pt> has joined #postfix[14:01:26] *** podkilla <podkilla!~pod@mail.darkmail.nz> has quit IRC (Quit: goodbye)[14:02:51] *** podkilla <podkilla!~pod@mail.darkmail.nz> has joined #postfix[15:19:48] *** AnHry <AnHry!~x@a94-132-78-87.cpe.netcabo.pt> has quit IRC (Ping timeout: 240 seconds)[15:37:16] *** LeoTh3o <LeoTh3o!~LeoTh3o@phoxden.xyz> has quit IRC (Ping timeout: 255 seconds)[15:52:04] *** LeoTh3o <LeoTh3o!~LeoTh3o@phoxden.xyz> has joined #postfix[15:55:08] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has quit IRC (Remote host closed the connection)[15:55:56] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has joined #postfix[16:18:26] *** markand <markand!~markand@unaffiliated/markand> has left #postfix[16:23:47] *** Seba_ <Seba_!~seba__@host-85-201-109-64.dynamic.voo.be> has joined #postfix[16:25:21] *** Seba_ <Seba_!~seba__@host-85-201-109-64.dynamic.voo.be> has quit IRC (Client Quit)[16:34:26] *** Hedgehog08 <Hedgehog08!~Hedgehog0@host-85-201-109-64.dynamic.voo.be> has joined #postfix[16:39:52] <Hedgehog08> Hello[16:40:35] <Hedgehog08> J'aimerais configurer un serveur mail postfix avec auth saslauthd, mais j'ai quelques soucis pour y arriver, quelqu'un sait m'aider?[16:42:44] <patdk-lap> no[16:42:49] <patdk-lap> !tell Hedgehog08 welcome[16:42:49] <knoba> Hedgehog08: "welcome" : Welcome to #postfix! If you're new here, or to IRC, first read the channel topic (/topic). It has important instructions on how to ask good questions. You will get more and better help if you follow those instructions. Good Luck![16:44:26] <Hedgehog08> !getting_help[16:44:26] <knoba> Hedgehog08: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[16:47:34] *** giesen <giesen!~ggiesen@2001:19f0:0:1019:5400:ff:fe25:bda6> has quit IRC (Remote host closed the connection)[16:47:37] <Hedgehog08> !pastebin[16:47:37] <knoba> Hedgehog08: "pastebin" : a pastebin site lets you easily share logs and configuration. Examples are dpaste.org, fpaste.org, or pastebin.ca. Please avoid ad-supported sites such as pastebin.com if possible.[16:47:56] *** graps <graps!~grapster@grapster.us> has joined #postfix[16:48:08] <graps> Hi all[16:48:11] <Hedgehog08> Hi[16:49:21] <graps> If I wanted to directly send a preformatted message via postfix, could I do something like: postfix < message.txt someone at example dot com ?[16:49:29] <patdk-lap> no[16:49:43] <patdk-lap> !sendmail[16:49:43] <knoba> patdk-lap: "sendmail" : a pretty cryptic MTA that was famous in the ancient days of UNIX and still runs on a lot of mail servers. Don't confuse it with the "sendmail" command that is offered by Postfix to send emails (for compatibility reasons).[16:49:53] <patdk-lap> oh, the other sendmail :)[16:50:02] *** giesen <giesen!~ggiesen@2001:19f0:0:1019:5400:ff:fe25:bda6> has joined #postfix[16:50:07] <patdk-lap> graps, you must use a mua[16:50:08] <graps> Oh, all right. I can install sendmail[16:50:15] <patdk-lap> why?[16:50:28] <patdk-lap> "Don't confuse it with the "sendmail" command that is offered by Postfix to send emails"[16:51:02] <JPT> graps: postfix already provides the 'sendmail' command. You need some mail user agent (thunderbird, mailx, whatever) to send mails (which then can be configured to use your postfix for submission)[16:52:01] <graps> JPT: How about on the command line, can I use something like sendmail or mail to do: <command> < message.txt someone at example dot com ?[16:52:28] <JPT> graps: Perhaps the man page for 'mail' or 'sendmail' will show you what you can use.[16:52:50] <JPT> graps: as far as i know, mailx provides the "mail" command that you can use to send mails with.[16:52:53] <graps> JPT: Okay. Thanks[16:53:23] <graps> patdk-lap: Thanks to you too[16:58:17] *** graps <graps!~grapster@grapster.us> has left #postfix[17:13:17] <rob0> Hedgehog08, why Cyrus SASL? Usually Dovecot is a better choice, especially if you're already using Dovecot IMAP.[17:15:53] <rob0> Hedgehog08, I recommend Dovecot SASL even if you don't plan to have IMAP at all.[17:16:15] <rob0> see also:[17:16:25] <rob0> !tell Hedgehog08 sasl[17:16:25] <knoba> Hedgehog08: "sasl" : SASL is 'Simple Authentication and Security Layer', necessary for SMTP AUTH, and provided to Postfix by addin software. Cyrus SASL and/or Dovecot IMAP/POP3 can provide SASL. See http://www.postfix.org/SASL_README.html for details.[17:18:39] <Hedgehog08> I already tested dovecot sasl and it works but I want to encrypt the connection[17:18:57] *** AnHry <AnHry!~x@a94-132-78-87.cpe.netcabo.pt> has joined #postfix[17:19:01] <Hedgehog08> Can I encrypt the connection with postfix and authenticate with dovecot?[17:20:42] <lunaphyte> those are two completely different things[17:20:50] <lunaphyte> yes, you can[17:21:17] <rob0> !tell Hedgehog08 tls[17:21:17] <knoba> Hedgehog08: "tls" : Transport Layer Security (RFC2246). Previously known as SSL, TLS adds a layer of encryption to protocols such as SMTP, submission, IMAP or POP3 to improve security during transmission over the Internet. TLS is implemented using the STARTTLS method, while the non-standard wrapper style of implementation is deprecated at this point. See http://www.postfix.org/TLS_README.html for more info.[17:21:27] <lunaphyte> cyrus doesn't do encryption any more than dovecot does encryption[17:21:41] <rob0> Hedgehog08, see also: http://x.guimard.free.fr/postfix/[17:22:30] <rob0> all these links are there in French (not sure how current nor how accurate the translation; compare to the ones at postfix.org)[17:25:15] *** NwS <NwS!~NwS@unaffiliated/nws> has quit IRC (Quit: See you in Isla de Muerte!)[17:26:10] <rob0> !factoids search english[17:26:10] <knoba> rob0: 'english' and 'non-english'[17:26:30] <rob0> !non-english[17:26:31] <knoba> rob0: "non-english" : Links to Postfix resources in languages other than English: http://www.postfix.org/non-english.html[17:26:35] <Hedgehog08> Ok thanks, I will retry with dovecot[17:27:27] *** AnHry <AnHry!~x@a94-132-78-87.cpe.netcabo.pt> has quit IRC (Quit: Konversation terminated!)[17:32:41] *** rsx <rsx!~dummy@ppp-93-104-63-239.dynamic.mnet-online.de> has quit IRC (Remote host closed the connection)[17:46:48] *** froz-gab <froz-gab!~froz-gab@frozenstar.info> has quit IRC (Remote host closed the connection)[17:49:33] *** froz-gab <froz-gab!~froz-gab@host55-138-dynamic.52-79-r.retail.telecomitalia.it> has joined #postfix[17:52:49] *** PHPanos <PHPanos!~textual@c-192371d5.035-201-73746f28.cust.bredbandsbolaget.se> has joined #postfix[18:50:57] *** FMan <FMan!~tropyx@dsl-kvlbrasgw2-50dcc3-5.dhcp.inet.fi> has quit IRC (Quit: Nettalk6 - www.ntalk.de)[19:04:37] *** FMan <FMan!~tropyx@dsl-kvlbrasgw2-50dcc3-5.dhcp.inet.fi> has joined #postfix[19:42:01] *** namyzarc <namyzarc!~namyzarc@2601:989:4201:5921:c1da:2346:c8fe:c450> has joined #postfix[19:54:58] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has quit IRC (Ping timeout: 264 seconds)[19:58:14] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has joined #postfix[20:40:04] <Hedgehog08> postfix utilise tls par dfaut sur quel port? 465 ou 587 ou les deux?[20:40:44] <rob0> !smtps[20:40:45] <knoba> rob0: "smtps" : Port 465 is smtps, SMTP over SSL, a deprecated means of submission. This means that smtps should *not* be used, and that this factoid exists for historical purposes only and should not be implemented. See !submission for smtps' successor. That being said, Postfix can implement smtps with a separate smtpd(8) listener with \"-o smtpd_tls_wrappermode=yes\". See the commented example in master.cf.[20:42:04] <lunaphyte> n'utilisez pas 465[20:45:53] *** boubou <boubou!boubou@unaffiliated/boubou> has quit IRC (Quit: ZNC - http://znc.sourceforge.net)[20:50:10] *** sphenxes02 <sphenxes02!~sphenxes@81-5-237-55.hdsl.highway.telekom.at> has joined #postfix[20:52:54] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[20:52:58] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[20:53:10] *** sphenxes01 <sphenxes01!~sphenxes@213-147-189-50.hdsl.highway.telekom.at> has quit IRC (Ping timeout: 240 seconds)[20:53:30] *** sphenxes01 <sphenxes01!~sphenxes@81-5-237-55.hdsl.highway.telekom.at> has joined #postfix[20:53:41] *** sphenxes <sphenxes!~sphenxes@213-147-189-50.hdsl.highway.telekom.at> has quit IRC (Ping timeout: 276 seconds)[20:54:14] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Read error: Connection reset by peer)[20:54:28] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[20:54:29] *** BlubberBop <BlubberBop!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[20:54:34] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Read error: Connection reset by peer)[20:56:12] *** boubou <boubou!boubou@unaffiliated/boubou> has joined #postfix[21:09:58] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has quit IRC (Ping timeout: 264 seconds)[21:11:20] <Hedgehog08> !submission[21:11:20] <knoba> Hedgehog08: "submission" : Port 587 is submission, for user submission of mail, NOT suitable for mail exchange. See the commented example in master.cf. also see !msa, and rfc 6409. Also read http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf[21:12:30] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has joined #postfix[21:16:20] *** stephanie92 <stephanie92!~stephanie@c-71-57-140-3.hsd1.fl.comcast.net> has joined #postfix[21:17:28] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Ping timeout: 260 seconds)[21:24:59] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[21:27:13] <Hedgehog08> I try to connect postfix to mac mail on port 587 with ssl but that don't work, however thunderbird can connect on 587 with starttls. Starttls and ssl are 2 different things?[21:29:44] <rob0> usually, yes, but MUAs use imprecise, nontechnical terms sometimes. "SSL" should mean TLS negotiation at connect time, "STARTTLS" is the SMTP command to start TLS from a plaintext connection (after EHLO.)[21:43:34] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has quit IRC (Ping timeout: 264 seconds)[21:45:48] <Hedgehog08> Ok thanks :)[21:45:52] *** johnny56_ <johnny56_!~johnny56@unaffiliated/johnny56> has joined #postfix[21:47:03] <lunaphyte> to be pedantic, i try to avoid the terms tls and ssl[21:47:31] <lunaphyte> i prefer just "encryption".[21:48:01] <lunaphyte> since an encrypted session which is initiated with the starttls command may well in fact be using ssl.[21:48:15] <lunaphyte> it would be irresponsible, and should not be done, but that is not the point[21:50:56] *** Gazoo <Gazoo!~Gazoo@207.81.151.208> has quit IRC (Remote host closed the connection)[22:00:32] *** pti-jean_ <pti-jean_!~quassel@232.29.124.78.rev.sfr.net> has quit IRC (Remote host closed the connection)[22:06:04] *** necrogami <necrogami!~necrogami@unaffiliated/necrogami> has joined #postfix[22:07:46] *** PHPanos <PHPanos!~textual@c-192371d5.035-201-73746f28.cust.bredbandsbolaget.se> has quit IRC (Quit: My Mac has gone to sleep. ZZZzzz…)[22:11:51] *** stephanie92 <stephanie92!~stephanie@c-71-57-140-3.hsd1.fl.comcast.net> has quit IRC (Quit: Leaving)[22:17:11] *** BlubberBop <BlubberBop!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[22:17:11] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[22:20:43] *** geo27 <geo27!~quassel@81.56.141.30> has quit IRC (Ping timeout: 245 seconds)[22:20:47] *** luxifer <luxifer!~luxifer@94.16.93.9> has joined #postfix[22:21:58] <luxifer> good evening... yesterdays soon-to-be-spam-victim back here with more ignorant questions on postfix configuration :D[22:23:06] <luxifer> rob0, pj, lunaphyte I see you're on as well :) I wanna tell you first off that I've stopped relaying mail to my gmail inbox for now :D[22:23:53] *** geo27 <geo27!~quassel@81.56.141.30> has joined #postfix[22:24:35] <luxifer> I'm currently looking into enabling the submission port and I am a bit puzzled... in the master.cf there's an option list after the submission service line... these options look like they could live in main.cf as well... in fact, some of them are...[22:25:02] <luxifer> does it make a difference whether I specify them with -o option=value in master.cf or just in the main.cf?[22:25:26] <lunaphyte> glad to hear it[22:25:42] <lunaphyte> yes, it makes a difference[22:25:52] <luxifer> and secondly: when I will finally have that set up does it suffice to empty my_networks in the main.cf to disable the ability for sending mail on port 25?[22:25:52] <lunaphyte> main.cf contains *global* settings.[22:26:01] <luxifer> ah[22:26:05] <luxifer> i see[22:26:29] <lunaphyte> settings applied to ALL applicable services, UNLESS there is an override [e.g. -o] for a given service in master.cf[22:27:04] <lunaphyte> so, whether or not you put things in main or master will first and foremost depend upon what you are doing with your mail server in terms of the big picture[22:27:54] <lunaphyte> if your mail is operating in a singular role [for example if it is JUST an mta], then there's likely not much reason to put much stuff in master.cf[22:28:05] <lunaphyte> same goes for if it is JUST an msa[22:28:22] <lunaphyte> however, if it is providing both of these services, then things change[22:28:51] <lunaphyte> all global settings should alwyas be the must conservative. the most constrained[22:28:54] <lunaphyte> *always[22:29:41] <luxifer> sure... question is if there is any option that I want to have set any less restrictive on submission than I would globally[22:29:50] <lunaphyte> then, as is needed/appropriate for a given service [such as submission], various settings would be defined as more relaxed, in main.cf, for ONLY that paritcular service[22:30:03] <lunaphyte> yes, there are many such settings[22:30:24] <lunaphyte> for starters, sasl shoudln[22:30:27] <lunaphyte> meh[22:30:38] <lunaphyte> *shouldn't be enabled in the global config. only for submission[22:31:20] <luxifer> I see... and that way I also disable sending mails on 25 completely because I could not even authenticate there any more, right?[22:31:56] <lunaphyte> port 25 never sends mail in the first place[22:32:11] <lunaphyte> postfix sends mail, using an ephemeral/dynamic port[22:32:30] <luxifer> sorry, my wording wasn't very precise[22:33:06] <luxifer> what I meant was disable the possibility for clients to authenticate on port 25 to use that for their mail submission[22:33:14] <lunaphyte> oh. yes.[22:33:26] <lunaphyte> smtp auth is to be disabled globally[22:33:37] <lunaphyte> so as to not inadvertently allow it[22:33:45] <lunaphyte> and only enabled for submission[22:34:13] <luxifer> and if I understood you correctly yesterday, this is what I want... so even senders on the local machine would have to authenticate *somehow*[22:34:27] <lunaphyte> well, yes and no[22:34:43] <lunaphyte> there are different methods for "submitting" mail to postfix.[22:35:03] <lunaphyte> that is a related, yet orthogonal discussion[22:35:18] <luxifer> *sigh* I was afraid that that would be the case...[22:35:52] <luxifer> qq: while authentication is to be globally disabled I can still configure my TLS settings globally, right?[22:36:01] <lunaphyte> disallowing smtp auth on port 25 does not prevent all "submission" on the local computer[22:36:29] <lunaphyte> encryption settings should also not be configured the same for smtp/mx traffic and submission traffic[22:36:50] <luxifer> oh and some tidbit I found while browsing the docs: according to those postfix *does* check another servers certificate for validity... well... at least it checks if the hostname matches the CN[22:37:10] <lunaphyte> a process on the local computer can [by default] submit mail to postfix by using the sendmail command. without making a network connection.[22:37:19] <luxifer> right[22:37:24] <lunaphyte> however, my advice is to not allow this.[22:37:35] <lunaphyte> it's what i do[22:37:44] <lunaphyte> i use a null client.[22:37:58] <lunaphyte> that way, all mail arrives at postfix via submission[22:38:16] <lunaphyte> yet software which "requires" the sendmail command can still function[22:38:21] <lunaphyte> it keeps things modular[22:38:29] <luxifer> sounds nice[22:39:06] <luxifer> which tls settings would I want to configure differently for smtp/mx and submission traffic though?[22:39:23] <luxifer> aside from smtpd_security_level maybe[22:39:54] <lunaphyte> for smtp, encryption should be offered, but must not be required. for submission, encryption should be offered, and required.[22:40:29] <lunaphyte> additionally, for smtp, as encryption cannot be mandatory, constraining cipher suites, etc. is foolish and irresponsible.[22:40:57] <lunaphyte> however, since for submission, encryption should be mandatory, allowing weak cipher suites, etc. would be foolish and irresponsible.[22:41:07] <luxifer> i see[22:42:07] <luxifer> what you're saying is I shouldn't be a jerk about encryption to other mail servers trying to send mail to me but I should be a jerk about encryption to any client trying to send mail through me?[22:42:47] <lunaphyte> i guess you could say that[22:43:38] <lunaphyte> if you demand certain ciphers when other mail servers connect, all that's going to do is increase the likelihood they just use no encryption at all.[22:43:54] <lunaphyte> the idiots putting "secure postfix configs" on their blogs are too dense to understand this[22:44:38] <luxifer> yeah... I found that there is A LOT of crap on postfix all around the internet... but the official docs aren't really all that accessible ;)[22:44:49] <lunaphyte> one of the side effects of "down with the nsa" overshadowing educating onesself and using one's brain.[22:45:06] <lunaphyte> imho, the documentation is very accessible[22:45:19] <lunaphyte> it's what i used when learning postfix, and it's what i recommend and support[22:45:44] <lunaphyte> !tutorial[22:45:44] <knoba> lunaphyte: "tutorial" : A very common problem is that some people prefer to follow a step-by-step tutorial that shows them how to setup their server w/out reading the documentation or understanding what they are doing. If something goes wrong, they have no clue whatsoever about where to find hints, and they sometimes decide to start from scratch using a different tutorial. This is not The Proper Way.[22:45:47] <lunaphyte> !google[22:45:47] <knoba> lunaphyte: "google" : Those who use Google before reading the Postfix documentation, if fortunate, end up at http://www.postfix.org/ . If not, they end up in a jumble of bad questions, misleading or wrong answers, and outdated information.[22:45:55] <lunaphyte> those factoids exist for a reason ;)[22:46:06] <luxifer> hehe[22:46:37] <luxifer> thing is a good tutorial should explain every single step and config it includes... and refer back to the original documentation[22:46:55] <lunaphyte> good tutorial is an oxymoron[22:46:57] <luxifer> people just couldn't be arsed to actually do that but instead just post what - by chance - worked for them[22:47:18] <lunaphyte> the vast majority of people who write tutorials shouldn't be writing them[22:47:29] <lunaphyte> they're doing it for the wrong reasons, and not being honest about it[22:47:36] <luxifer> true[22:47:55] <lunaphyte> people write tutorials because they want to feel better about themselves. not because they want to help others.[22:48:20] <luxifer> anyway I do think a "good tutorial" can exist... it just needs to be upfront with the fact that it will not be exhaustive and will be limited to a very specific use case which it should also define upfront[22:48:35] <lunaphyte> sure, a good tutorial can exist.[22:48:43] <lunaphyte> so can the god particle[22:49:33] <luxifer> well the "god particle" - as they called the higgs boson - has been proven to exist, now hasn't it? :P[22:49:47] <lunaphyte> quite right.[22:49:52] <luxifer> and yeah, I know... the rarity ;)[22:49:56] <lunaphyte> and very elusive ;)[22:50:10] <luxifer> indeed :D[22:50:59] <luxifer> anyway... I'll be back in half an hour or so... trying to get that submission configuration right... and maybe get dovecot running alongside for sasl auth because I'm going to need it anyway[22:51:41] <lunaphyte> if you intend on using dovecot for mail retrieval, i'd encourage you to use its lda as well, and thus the relay address class for postfix[22:52:10] <lunaphyte> this will be yet another concept which is contradicted in just about any tutorial you're likely to find[22:52:41] <lunaphyte> it's even sometimes perceived as being contradicted in the documentation - that is, until you really understand the bigger picture[22:52:44] *** mroe <mroe!~roe@unaffiliated/roe> has joined #postfix[22:53:19] <luxifer> :O how I hate rabbit holes :D[22:53:32] <lunaphyte> :)[22:53:43] <lunaphyte> well, it could be worse. you could be bored[22:54:18] <luxifer> that doesn't happen easily... especially since I've became a father it didn't :D[22:54:54] <luxifer> and yet there's even worse things than becoming bored[22:55:00] <luxifer> like... becoming indifferent[22:55:04] <lunaphyte> probably[22:55:32] <lunaphyte> it would seem to me that one of those begat the other[22:57:19] <luxifer> I'm not so sure about that... correlation is not causation ;)[23:00:15] <luxifer> the global smtp_tls_security_level should be "may" as well, right? otherwise I would not be able to deliver mail to mail servers which do not offer any encryption... or am I confusing something here?[23:00:52] <lunaphyte> correct[23:01:17] <lunaphyte> that setting isn't one you'd typically override either[23:02:00] <luxifer> because smtp_* settings do not make much sense for submission in the first place, right?[23:02:47] *** tabakhase <tabakhase!tabakhase@unaffiliated/tabakhase> has quit IRC (Ping timeout: 255 seconds)[23:03:46] <lunaphyte> !smtp!=smtpd[23:03:46] <knoba> lunaphyte: "smtp!=smtpd" : Postfix smtp_* and smtpd_* configuration parameters have different meanings. smtp_ = client and smtpd_ = server, the client-side sends mail whilst the server-side receives mail. (smtp = client = sends mail) (smtpd = server = receives mail)[23:03:57] *** tabakhase <tabakhase!tabakhase@unaffiliated/tabakhase> has joined #postfix[23:07:17] <luxifer> so based on that factoid the answer to my question would be "yes" then? I'm asking to be sure... already found to have had too much assumptions in that whole matter so far... so I'd rather ask dumb questions than to keep (probably) dumb assumptions ;)[23:10:08] <lunaphyte> taking the essence, it would probably be "yes"[23:10:41] <lunaphyte> it's not so much that smtp_* settings don't "make sense" for submission though[23:11:35] <luxifer> well, does postfix act, under any circumstances, as smtp client within the context of its submission service?[23:11:38] <lunaphyte> they do make sense, because after mail is received via submission, it is frequently sent somewhere else, thus using those settings[23:11:48] <luxifer> aha[23:12:23] <lunaphyte> as a ehole, postfix does this, but using different programs [e.g. "services"][23:12:32] <luxifer> I thought that "sent somewhere else" is then done by the smtp service[23:12:43] <lunaphyte> yes[23:13:14] <luxifer> ok[23:17:24] <luxifer> should I set smtp_tls_CApath?[23:17:37] <lunaphyte> i generally do[23:19:04] <luxifer> I assume there is a restriction that could be applied when that verification fails, right?[23:19:32] <lunaphyte> sure[23:19:58] <lunaphyte> not too likely to be applicable in most scenarios though[23:20:29] <lunaphyte> although that is starting to change a little bit with the adoption of dane[23:20:37] <luxifer> then why bother validating a cert in the first place?[23:21:03] <lunaphyte> because there are more reasons to validate than that[23:21:18] <lunaphyte> if nothing else, simply having the information can be of interest[23:21:32] <lunaphyte> even if you do not necesarily act on the information[23:22:55] <luxifer> true... but once the mail is delivered to such a recipient I could as well have sent it in plain[23:23:33] <lunaphyte> that's not really of much relevance[23:24:35] <luxifer> is it not? the major points of encrypting the transport is for privacy and integrity[23:25:12] <lunaphyte> i'm not sure what you're after[23:26:50] <luxifer> if I bother encrypting the transport in the first place because I want my communication to be private and to ensure it does not get manipulated along the way, then why would I want to talk to a host for which I cannot verify its certificate to ultimately originate from one of my chosen trust anchors?[23:27:43] <luxifer> i mean... if I do that, then I would basically accept any man in the middle who's able to create their own self signed certificate[23:27:49] <tharkun> !db[23:27:49] <knoba> tharkun: "db" : Berkeley DB support in Postfix, required for hash: maps, see http://www.postfix.org/DB_README.html[23:28:32] <lunaphyte> luxifer: you might, you might not[23:28:37] <luxifer> in that case I could as well send plain text... because getting in the middle is way harder than creating a self signed certificate[23:30:20] <tharkun> !database[23:30:20] <knoba> tharkun: "database" : http://www.postfix.org/DATABASE_README.html provides an overview of how Postfix lookup tables work, and the various types that are implemented.[23:31:17] <luxifer> lunaphyte, do you configure everything explicitly or do you ommit config items if you agree with the defaults?[23:35:25] <luxifer> smtpd_tls_received_header that is interesting :)[23:35:48] <lunaphyte> mostly use defaults, some particulars notwithstanding[23:36:36] <luxifer> lunaphyte, the question was whether you spell out the defaults explicitly or not... or are defaults in postfix not meant to change ever?[23:37:17] <lunaphyte> i change what i need to in order for postfix to work the way i want, of course, and sometimes a few assorted settings that i might consider "high risk", i set explicitely even though it's the same value as the default. that's just in case the default happens to change without me knowing it.[23:37:35] <luxifer> ok[23:37:43] <lunaphyte> that's not too likely, and postfix now has a backwards compatibility safety net mechanism as well which helps with that[23:38:10] <luxifer> that's good to know :)[23:38:35] <lunaphyte> postfix default settings rarely [if ever] change for the worse [or to put another way, to be more permissive][23:38:50] <lunaphyte> but he who believes it will never happen is a fool. it might.[23:39:03] <lunaphyte> be it even on accident[23:39:40] <luxifer> which means... in theory... one should spell out every last configuration option and when upgrading compare those to the defaults of the newer version[23:39:45] <luxifer> hmm...[23:40:05] <luxifer> I think I might put *some* trust in the postfix developers :D[23:40:24] <lunaphyte> it would be challenging not to[23:40:58] *** pijiu <pijiu!~pijiu@unaffiliated/pijiu> has quit IRC (Quit: Leaving)[23:41:03] <luxifer> indeed[23:45:15] <luxifer> lunaphyte, what's your oppinion on smtpd_helo_required and smtpd_delay_reject?[23:45:48] *** TheFatherMind <TheFatherMind!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has quit IRC ()[23:46:02] *** mroe <mroe!~roe@unaffiliated/roe> has quit IRC (Remote host closed the connection)[23:46:48] <lunaphyte> i would never run a system without smtpd_helo_required = yes[23:47:20] <lunaphyte> i would never run a system with smtpd_delay_reject = no[23:47:21] <luxifer> (y)[23:47:44] <luxifer> I was wondering because the default for smtpd_helo_required seems to be "no" according to the docs :-O[23:47:50] <lunaphyte> it is.[23:47:54] <lunaphyte> i wish it were yes[23:48:04] <lunaphyte> maybe an rfc thing, i don't recall[23:49:15] <tharkun> I have two lookup tables, what is the correct syntax to put them in main, one per line or can it be comma separated?[23:49:25] <lunaphyte> either is fine[23:49:29] <tharkun> ok[23:49:30] <luxifer> even if it were... I mean... RFCs are important... but it's not like they're the end-all-be-all answer to everything... or even actively maintained to adjust to changes in the real world :D[23:49:35] <lunaphyte> man 5 postconf[23:49:40] <tharkun> done[23:49:47] *** MasterMerlin <MasterMerlin!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has joined #postfix[23:50:23] <lunaphyte> luxifer: i have a few rfcs with which i disagree. i'm sure there are plenty of others, if i knew of them[23:50:37] <luxifer> :)[23:51:14] <lunaphyte> there a fundamental dns rfc which refer to nameservers as "primary" and "secondary". this is stupid.[23:51:17] <lunaphyte> *are[23:51:29] *** MasterMerlin <MasterMerlin!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has left #postfix[23:51:43] <luxifer> is it possible to include separate config files in master.cf? specifying all submission config overrides in parameters in master.cf seems a bit unwieldy[23:52:17] <lunaphyte> it's not[23:52:30] *** TheFatherMind <TheFatherMind!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has joined #postfix[23:52:43] <lunaphyte> but that's where variables and restriction classes become valuable[23:59:30] <luxifer> speaking of restrictions... i should remove "permit_mynetworks" from my restrictions but I could leave "permit_sasl_authenticated" in there globally as long as I globally disable sasl authentication, correct?