outofsight

  • 22 days ago
  • Joined 30 Jan
  • 4 discussions
  • 12 posts
  • 0 best answers
  • Post posted... wait what?
  • In mailcow stop sending and receiving email, likely unbound issue

    There is only mailcow stack on this host.
    The stack starts and works for few days but at some later random times mail services become unreachable (SMTP/IMAP/WEB).
    Happened alredy few times.

  • In mailcow stop sending and receiving email, likely unbound issue

    Reliable DNS resolution is crucial for everythin and of course I’m not going to remove any service if it’s not supported.
    But I would like my mail server doens’t go down because unbound of mail server goes down.

  • In mailcow stop sending and receiving email, likely unbound issue

    I already found myself unable to send or receive emails with mailcow after few days of working.
    Usually I do another docker compose up -d and everything starts working again for another few days.
    Only today I noticed that unbound container was restarting but i didn’t check the logs.

    My question is: what is the purpose of unbound in mailcow stack? it is possible to remove it since I already runs adguard+unbound in my lan?

  • In Rewriting sender address if it's not a mailbox alias?

    ETNyx Yes, I remember this setting too, but I shoud try, because I think the domain is still checked, and unfortunately my service try to send email not only from a non-existant address but also from a wron mail domain.

    • In Saving mail sent by SMTP in an IMAP folder

      ETNyx always_bcc is interesting but I think it’s a server-wide settin, so all email sent by any account are forwarded to a single common address.

      What I would like is that email are forwarded to the sender, and not for all accounts, but just for a couple of them.

      Users mailbox that tipically send email with imap mail clients doesn’t need this and doesn’t want their mail forwarded to someone else.

      • In "no shared cipher" when sending email from HP LaserJet

        esackbauer yes, 10.x.y.z is my printer. I tried bot checking and unckecking the “Always use SSL” but there is still a problem. My understanding is that “Always use…” unchecked doens’t mean “never use”, so the printer still try encryption and fail.

        I searched the forum but the problems with HP seems a bit different than mine.

        I think I have to continue to use gmail for simplicity

        • In Rewriting sender address if it's not a mailbox alias?

          I just installed MailCow and I’m trying to move all notification services previously using GMail to MailCow.

          One feature of GMail I like, not present out of the box in mailcow, is the the fact that, after authentication from user@gmail.com, their SMTP sever implementation accept email with any sender address, and rewrite sender to user@gmail.com if needed.

          This could be useful sometimes, if the service trying to send email doesn’t allow to easily set the sender address.

          Mailcow, on the other hand, reject the mail if the sender is not an alias of the mailbox account.

          It is possible to configure mailcow/postfix so that, instead of rejecting, rewrite the sender address if the sender address is not a mailbox alias/extension?

        • In Saving mail sent by SMTP in an IMAP folder

          I just installed MailCow and I’m trying to move all notification services previously using GMail to MailCow. I’ll mostly use one services@mydomain.tld mailbox for all services.

          One the two features of GMail I like, not present out of the box in mailcow, is the ability to save messages sent by SMTP in a folder visible through IMAP. This turned out to be useful in few cases.

          It is possible to configure mailcow/postfix/dovecot to do that?

          For example implicitely adding services@mydomain.tld to recipients bcc list and then moving in a proper folder?

          And ideally automatically deleting after one month…

        • In "no shared cipher" when sending email from HP LaserJet

          esackbauer It seems that with my “HP LaserJet Pro MFP M428dw” this doesn’t work despite the status of the checkbox “Always use secure connection (SSL/TLS)”?

          postfix/postscreen[2390]: CONNECT from [10.x.y.z]:59806 to [172.22.1.253]:25
postfix/postscreen[2390]: ALLOWLISTED [10.x.y.z]:59806
postfix/smtpd[2397]: connect from unknown[10.x.y.z]
postfix/smtpd[2397]: lost connection after CONNECT from unknown[10.x.y.z]
postfix/smtpd[2397]: disconnect from unknown[10.x.y.z] commands=0/0
postfix/postscreen[2390]: CONNECT from [10.x.y.z]:59808 to [172.22.1.253]:25
postfix/postscreen[2390]: ALLOWLISTED [10.x.y.z]:59808
postfix/smtpd[2394]: connect from unknown[10.x.y.z]
postfix/smtpd[2394]: SSL_accept error from unknown[10.x.y.z]: -1
postfix/smtpd[2394]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
postfix/smtpd[2394]: lost connection after STARTTLS from unknown[10.x.y.z]
postfix/smtpd[2394]: disconnect from unknown[10.x.y.z] ehlo=1 starttls=0/1 commands=1/2
          • In "no shared cipher" when sending email from HP LaserJet

            DocFraggle

            I tried this: docs.mailcow.email Icon Re-enable TLS 1.0 and TLS 1.1 - mailcow: dockerized documentation

            docs.mailcow.email Icon docs.mailcow.email
            Re-enable TLS 1.0 and TLS 1.1 - mailcow: dockerized documentation
            None
            docs.mailcow.email
            but wasn’t enough.

            I’m not happy to soften to every client in the world, but I could do if it is possible for just some ip…

            With TLS 1.0 and 1.1 re-enabled MailCow accept this:

            465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

            On the other hand, GMail accept this:

            465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: C

            With TLS 1.0 and 1.1 re-enabled MailCow accept this:

            465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

            On the other hand, GMail accept this:

            465/tcp open  smtps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: C
            • In "no shared cipher" when sending email from HP LaserJet

              Hello,

              Just installed MailCow, I’m trying to move all notification services previously attached to a GMail account,
              I have trouble with an HP LaerJet Pro M428dw.
              It seems I can only use an authenticated connection,
              I first tried on port 465 with “Always use SSL/TLS” but later I think I tried all options with no success.
              The printer cannot send test email.
              From what I understand the printer try to use a possibly outdated cipher.

              postfix-mailcow-1  | Jan 30 18:30:52 ebcfb4003597 postfix/smtps/smtpd[353]: connect from unknown[10.x.y.z]
postfix-mailcow-1  | Jan 30 18:30:52 ebcfb4003597 postfix/smtps/smtpd[353]: SSL_accept error from unknown[10.x.y.z]: -1
postfix-mailcow-1  | Jan 30 18:30:52 ebcfb4003597 postfix/smtps/smtpd[353]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
postfix-mailcow-1  | Jan 30 18:30:52 ebcfb4003597 postfix/smtps/smtpd[353]: lost connection after CONNECT from unknown[10.x.y.z]
postfix-mailcow-1  | Jan 30 18:30:52 ebcfb4003597 postfix/smtps/smtpd[353]: disconnect from unknown[10.x.y.z] commands=0/0

              Any idea?