P
piperino

Ppiperino · Oct 20, 2024

DocFraggle tls_preempt_cipherlist = yes hatte ich nicht gesetzt.

geprüft habe ich mit
nmap -sV --script ssl-enum-ciphers -p 587 mail.server.de
und halt eben auch auf smtp
nmap -sV --script ssl-enum-ciphers -p 25 mail.server.de

Dann ist mir der unterschied aufgefallen.
Gleich noch einen Test mit tls_preempt_cipherlist = yes gemacht. Aber gleiches Ergebnis.

nmap -sV –script ssl-enum-ciphers -p 587 mail.mydomain.abc
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-20 10:53 CEST
Nmap scan report for mail.mydomain.abc (1.2.3.4)
Host is up (0.016s latency).
Other addresses for mail.mydomain.abc (not scanned):

Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page

nmap.org

Nmap OS/Service Fingerprint and Correction Submission Page

.
Nmap done: 1 IP address (1 host up) scanned in 28.75 seconds

und

nmap -sV –script ssl-enum-ciphers -p 25 mail.mydomain.abc
Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-20 10:54 CEST
Nmap scan report for mail.mydomain.abc (1.2.3.4)
Host is up (0.016s latency).
Other addresses for mail.mydomain.abc (not scanned):

PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange (dh 2048) of lower strength than certificate key
| Key exchange (ecdh_x25519) of lower strength than certificate key
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A

Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page

nmap.org

Nmap OS/Service Fingerprint and Correction Submission Page

.
Nmap done: 1 IP address (1 host up) scanned in 30.09 seconds

Möchte aber noch erwähnen das in der Postfix Doku folgendes zu finden ist.
You are strongly encouraged not to change this setting.

Ppiperino · Oct 19, 2024

``Thor Ich habe das spasseshalber auch mal probiert. Auf meiner Instanz wird

tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384HE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

auf port 25 komplett ignoriert.

Submission/587 funktioniert aber mit dem konfigurierten ciphern.

Ich habe in der extra.cf nur das drin.

tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384HE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

Falls Du das auch so nachstellen kannst, ist es evtl. ein Bug in Postfix. Oder halt ein Schalter in Postfix der gefunden werden muss.

Ppiperino · Oct 8, 2024

Hello

Have you ever found a solution?
Having the same issue after upgraded to Ubuntu 24.04.
A force renewal fixes the issues but it’s a bit annoying.

not sure if it’s a combination with DNS and IPv6.

watchdog sends me

Tue Oct 8 10:38:20 CEST 2024 - enable_ipv6 is true in docker-compose.yml, but an IPv6 link could not be established. Please verify your IPv6 connection.
even though ipv6 is up and running.

this one is also weird.

acme-mailcow-1 | Tue Oct 8 10:38:02 CEST 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autoconfig.mydomain.abc (DNS returned 2a02:c207:2149:2862:0000:0000:0000:0001)
acme-mailcow-1 | Tue Oct 8 10:38:02 CEST 2024 - Found AAAA record for autodiscover.mydomain.abc: 2a02:c207:2149:2862::1 - skipping A record check

looks like ipv6 is not ready at this point.
any help appreciated

tnx.

Ppiperino · Jun 24, 2024

If you guy’s suspecting that postfix acting as an Open-Relay on ipv6, i highly recommend file a Bugreport with all the evidence.
At least on my end i can’t reproduce.

 telnet 2...................::1 25
Trying 2...................::1
Connected to 2...................::1
Escape character is '^]'.
220 mydomain.xyz ESMTP Postcow
ehlo vlah.com
250-mydomain.xyz
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: nlah.com
250 2.1.0 Ok
rcpt to: something.xyz
554 5.7.1 <something.xyz>: **Relay access denied**

Ppiperino · Jun 22, 2024

maybl8
have you done a:

docker compose down
docker compose up -d

if you’re not using the plugin do docker-compose instead
followed by a reboot

Ppiperino · Jun 21, 2024

maybl8
ipset looks okay

somewhere traffic is getting blocked.
try to put your mailcow internal IP in some sort of DMZ mode on your router where traffic is directly routed do it with no rules.
-check logs on your router for any blocks and make sure you see traffic on ports 80 and 443
-make sure you don’t have a firewall running on mailcow host.
-do you see traffic from your router in mailcow logs.

this is what nmap shows and most likely nmap doesn’t lie.

Nmap scan report for mail.dccathome.com (47.200.55.89)
Host is up (0.14s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
25/tcp   open   smtp
80/tcp   closed http
443/tcp  closed https
587/tcp  open   submission
993/tcp  open   imaps
4000/tcp open   remoteanything

Ppiperino · Jun 21, 2024

maybl8
please post output of
sudo ipset list
you could try as well
sudo ipset flush
just to check if it makes any difference.

but i still don’t think ipset/iptables are the root cause.

have you check the port-forwarding rule on your internet router and also the firewall on the same.

Ppiperino · Jun 21, 2024

esackbauer
don’t think geofencing is the root cause since 25 587 etc. is open, except something weird is done with iptables or ipset.

Ppiperino · Jun 21, 2024

maybl8
you haven’t answered @esackbauer question.
“And are you accessing it from outside or inside your home network?”

If you try from outside port 80 and 443 seems to be closed.

telnet 47.200.55.89 443
Trying 47.200.55.89...
telnet: Unable to connect to remote host: Connection refused

Ppiperino · Jun 17, 2024

maybl8
outside of the mailcow container. on host level.

Ppiperino · Jun 16, 2024

maddler
you’re right, on a very busy server you might have performance issues.

@maybl8
you might want to look at this ipset script.
Just tried it. seems it works very well.

GitHub

GitHub - mkorthof/ipset-country: Block countries using iptables + ipset + ipdeny.com

Block countries using iptables + ipset + ipdeny.com - mkorthof/ipset-country

Ppiperino · Jun 13, 2024

maybl8

The correct Chain would be “MAILCOW”. But still not sure what you trying to achieve.

Just add the script I’ve posted to the crontab and good. and don’t mess around with Mailcow Iptables chains.

Ppiperino · Jun 9, 2024

maybl8

i guess you could add this to the docker chain as well.
but i think it doesn’t matter.

Ppiperino · Jun 9, 2024

maybl8

You could run something like the below. Given you have iptables on your host.

Create a file
block-russia.sh
add the content below.

#!/bin/bash
IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/etc/ip-blacklist.conf
IP_BLACKLIST_TEMP=/etc/ip-blacklist.temp
wget -O $IP_TMP https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
cat $IP_TMP | while read IP
do
/usr/sbin/iptables -A INPUT -s $IP -j DROP
echo $IP >> $IP_BLACKLIST_TEMP
done
mv $IP_BLACKLIST_TEMP $IP_BLACKLIST
rm $IP_TMP

Ppiperino · Mar 18, 2024

Dariusz
-check logs for duplicated delivery. postfix and dovecot
-compare and check mailheader if you see something.

Ppiperino · Mar 18, 2024

run a
netstat -an | grep “:25”

from the server console. just to be sure port 25 is even listening.

an nmap to your machine shows following ports are open but 25
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3000/tcp open ppp
8010/tcp open xmpp
8080/tcp open http-proxy
8443/tcp closed https-alt

Ppiperino · Mar 18, 2024

Culottes

over which port do you expect your MTA is receiving mails?
no offense, but it looks like you don’t understand the basics of SMTP.

Ppiperino · Mar 18, 2024

Culottes
Port 25 is not available from the intern to your server.

Ppiperino · Mar 18, 2024

I would install new Docker Version on the new Server and restore data.
Or is that exactly the problem you have that you can’t restore existing data (with old docker) to the new machine?

Ppiperino · Mar 16, 2024

Is it sufficient to simply move a mail from/to the “Junk” folder to trigger the spam/junk filter to learn the change?
-AFAIK yes

Will this work with mail clients connected via IMAP and with SOGo?
-If you’ve subscribed to the correct folder, yes

Do I have to manually delete the mails in the “Junk” folder from time to time or will Mailcow do this on its own,
-end user have to do it
regarding to the settings of “Retentions per mailbox” & “Maximum age in days” as configured under Admin UI –> System –> Configuration –> Quarantine?
-Quarantined mails are not delivered to the mailbox nor junk foler

Could I delete the mails in the “Junk” folder manually without any side effects?
-AFAIK yes
If only Junk mails are moved to the “Junk” folder and there is no use of the Quarantine, will Spam Notification Mails (User UI –> System –> User Settings –> Mailbox –> Settings –> Quarantine notifications) make sense at all (if someone regularly checks the “Junk” folder)?
-Junk folder containes mail which may or may not spam. it’s up to you to decide. quarantined mails are in quarantine not on your mailbox

Is the Whitelist & Blacklist (User UI –> System –> User Settings –> Spam filöter –> Whitelist/Blacklist) only applied to Spam mails or also to Junk mails?
-in general to any mail. whitelist bypasses spamfilter and blacklist blocks the mail regardless of it’s content.

I have read multiple time here in the forum that the Spam filtering / Spam Quarantine is disabled by default. Which config option in Mailcow exactly does enable / disable the Spam filter?
-don’t know.