piperino

  • Oct 20, 2024
  • Joined Nov 5, 2023
  • 2 discussions
  • 79 posts
  • 3 best answers
  • DocFraggle I had not set tls_preempt_cipherlist = yes.

    I checked with
    nmap -sV --script ssl-enum-ciphers -p 587 mail.server.de
    and also on smtp
    nmap -sV --script ssl-enum-ciphers -p 25 mail.server.de

    That is when I noticed the difference.
    I immediately ran another test with tls_preempt_cipherlist = yes. Same result, though.

    nmap -sV --script ssl-enum-ciphers -p 587 mail.mydomain.abc
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-20 10:53 CEST
    Nmap scan report for mail.mydomain.abc (1.2.3.4)
    Host is up (0.016s latency).
    Other addresses for mail.mydomain.abc (not scanned):

    PORT STATE SERVICE VERSION
    587/tcp open smtp Postfix smtpd
    | ssl-enum-ciphers:
    | TLSv1.2:
    | ciphers:
    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
    | compressors:
    | NULL
    | cipher preference: server
    | warnings:
    | Key exchange (dh 2048) of lower strength than certificate key
    | Key exchange (ecdh_x25519) of lower strength than certificate key
    | TLSv1.3:
    | ciphers:
    | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    | cipher preference: server
    |_ least strength: A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 28.75 seconds

    and

    nmap -sV --script ssl-enum-ciphers -p 25 mail.mydomain.abc
    Starting Nmap 7.94 ( https://nmap.org ) at 2024-10-20 10:54 CEST
    Nmap scan report for mail.mydomain.abc (1.2.3.4)
    Host is up (0.016s latency).
    Other addresses for mail.mydomain.abc (not scanned):

    PORT STATE SERVICE VERSION
    25/tcp open smtp Postfix smtpd
    | ssl-enum-ciphers:
    | TLSv1.2:
    | ciphers:
    | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
    | TLS_DHE_RSA_WITH_AES_256_CCM_8 (dh 2048) - A
    | TLS_DHE_RSA_WITH_AES_256_CCM (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
    | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
    | TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
    | TLS_RSA_WITH_AES_256_CCM_8 (rsa 4096) - A
    | TLS_RSA_WITH_AES_256_CCM (rsa 4096) - A
    | TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 4096) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
    | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 4096) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
    | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
    | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
    | TLS_DHE_RSA_WITH_AES_128_CCM_8 (dh 2048) - A
    | TLS_DHE_RSA_WITH_AES_128_CCM (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
    | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
    | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
    | TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
    | TLS_RSA_WITH_AES_128_CCM_8 (rsa 4096) - A
    | TLS_RSA_WITH_AES_128_CCM (rsa 4096) - A
    | TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 4096) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
    | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 4096) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
    | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A
    | compressors:
    | NULL
    | cipher preference: server
    | warnings:
    | Key exchange (dh 2048) of lower strength than certificate key
    | Key exchange (ecdh_x25519) of lower strength than certificate key
    | TLSv1.3:
    | ciphers:
    | TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
    | TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
    | TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
    | cipher preference: server
    |_ least strength: A

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 30.09 seconds

    I would also like to mention that the Postfix documentation says the following about this setting:
    You are strongly encouraged not to change this setting.
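    The two scans above differ mainly in what port 25 offers beyond port 587 (static-RSA and CBC suites that nmap still grades "A"). The following script is an added example, not code from the thread or from mailcow/Postfix: it parses ssl-enum-ciphers output, lists the suites offered on one port but not the other, and flags the properties a practitioner cares about; the embedded scan excerpts are constructed in nmap's format, not the full scans from the post.

```python
import re

# Constructed excerpts in nmap's ssl-enum-ciphers output format (not the
# full scans posted above; just enough lines to exercise the parser).
SCAN_587 = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
"""
SCAN_25 = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
"""

# Indentation after the leading "|" may be stripped by copy/paste, so use \s*.
VERSION_RE = re.compile(r"^\|\s*(TLSv1\.\d|SSLv\d):")
CIPHER_RE = re.compile(r"^\|\s*(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])")

def parse_ciphers(text):
    """Map each protocol version to the cipher suite names nmap lists under it."""
    offered, version = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            version = m.group(1)
            offered.setdefault(version, [])
            continue
        m = CIPHER_RE.match(line)
        if m and version:
            offered[version].append(m.group(1))
    return offered

def weaknesses(cipher):
    """Properties worth flagging even when nmap grades the suite 'A'."""
    flags = []
    if cipher.startswith("TLS_RSA_WITH_"):
        flags.append("no forward secrecy")  # static RSA key exchange
    if "_CBC_" in cipher:
        flags.append("CBC mode")            # MAC-then-encrypt, padding-oracle history
    return flags

def extra_on(scan_a, scan_b):
    """Suites offered in scan_a but not in scan_b, per protocol version."""
    a, b = parse_ciphers(scan_a), parse_ciphers(scan_b)
    return {v: sorted(set(a.get(v, [])) - set(b.get(v, []))) for v in a}

if __name__ == "__main__":
    for version, suites in extra_on(SCAN_25, SCAN_587).items():
        for suite in suites:
            print(f"{version}: {suite} only on port 25 {weaknesses(suite)}")
```

    Run it against the real output of both scans (saved to files) to get the exact list of suites that port 25 accepts and submission does not.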

  • Thor I tried it too, just for fun. On my instance

    tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    is completely ignored on port 25.

    Submission/587 does work with the configured ciphers, though.

    This is all I have in extra.cf:

    tls_high_cipherlist = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    If you can reproduce it the same way, it may be a bug in Postfix. Or just a switch in Postfix that still has to be found.

    • Hello

      Have you ever found a solution?
      Having the same issue after upgraded to Ubuntu 24.04.
      A force renewal fixes the issues but it’s a bit annoying.

      not sure if it’s a combination with DNS and IPv6.

      watchdog sends me

      Tue Oct 8 10:38:20 CEST 2024 - enable_ipv6 is true in docker-compose.yml, but an IPv6 link could not be established. Please verify your IPv6 connection.
      even though ipv6 is up and running.

      this one is also weird.

      acme-mailcow-1 | Tue Oct 8 10:38:02 CEST 2024 - Cannot match your IP 0000:0000:0000:0000:0000:0000:0000:0000 against hostname autoconfig.mydomain.abc (DNS returned 2a02:c207:2149:2862:0000:0000:0000:0001)
      acme-mailcow-1 | Tue Oct 8 10:38:02 CEST 2024 - Found AAAA record for autodiscover.mydomain.abc: 2a02:c207:2149:2862::1 - skipping A record check

      looks like ipv6 is not ready at this point.
      any help appreciated

      tnx.

    • If you guys suspect that Postfix is acting as an open relay on IPv6, I highly recommend filing a bug report with all the evidence.
      At least on my end I can't reproduce it.

       telnet 2...................::1 25
      Trying 2...................::1
      Connected to 2...................::1
      Escape character is '^]'.
      220 mydomain.xyz ESMTP Postcow
      ehlo vlah.com
      250-mydomain.xyz
      250-PIPELINING
      250-SIZE 104857600
      250-ETRN
      250-STARTTLS
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      mail from: nlah.com
      250 2.1.0 Ok
      rcpt to: something.xyz
      554 5.7.1 <something.xyz>: **Relay access denied**
      • maybl8
        have you done a:

        docker compose down
        docker compose up -d

        if you’re not using the plugin do docker-compose instead
        followed by a reboot

      • maybl8
        ipset looks okay

        somewhere traffic is getting blocked.
        try to put your mailcow internal IP in some sort of DMZ mode on your router where traffic is directly routed to it with no rules.
        -check logs on your router for any blocks and make sure you see traffic on ports 80 and 443
        -make sure you don't have a firewall running on the mailcow host.
        -do you see traffic from your router in the mailcow logs?

        this is what nmap shows and most likely nmap doesn’t lie.

        Nmap scan report for mail.dccathome.com (47.200.55.89)
        Host is up (0.14s latency).
        Not shown: 993 filtered ports
        PORT     STATE  SERVICE
        21/tcp   closed ftp
        25/tcp   open   smtp
        80/tcp   closed http
        443/tcp  closed https
        587/tcp  open   submission
        993/tcp  open   imaps
        4000/tcp open   remoteanything
      • maybl8
        please post output of
        sudo ipset list
        you could try as well
        sudo ipset flush
        just to check if it makes any difference.

        but i still don’t think ipset/iptables are the root cause.

        have you checked the port-forwarding rule on your internet router and also the firewall on the same?

      • esackbauer
        don't think geofencing is the root cause since 25, 587 etc. are open, unless something weird is done with iptables or ipset.

      • maybl8
        you haven't answered @esackbauer's question.
        "And are you accessing it from outside or inside your home network?"

        If you try from outside, ports 80 and 443 seem to be closed.

        telnet 47.200.55.89 443
        Trying 47.200.55.89...
        telnet: Unable to connect to remote host: Connection refused
        • maybl8

          The correct chain would be "MAILCOW". But I'm still not sure what you're trying to achieve.

          Just add the script I've posted to the crontab and you're good. And don't mess around with the Mailcow iptables chains.

        • maybl8

          i guess you could add this to the docker chain as well.
          but i think it doesn’t matter.

        • maybl8

          You could run something like the below, given you have iptables on your host.

          Create a file
          block-russia.sh
          add the content below.

          #!/bin/bash
          # Fetch the aggregated RU zone list and DROP every listed prefix in the INPUT chain.
          # Note: each run appends rules; it does not remove the ones added by earlier runs.
          set -euo pipefail
          IP_TMP=/tmp/ip.tmp
          IP_BLACKLIST=/etc/ip-blacklist.conf
          IP_BLACKLIST_TEMP=/etc/ip-blacklist.temp
          wget -O "$IP_TMP" https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
          : > "$IP_BLACKLIST_TEMP"   # start from an empty temp list on every run
          while read -r IP
          do
            [ -n "$IP" ] || continue   # skip blank lines in the zone file
            /usr/sbin/iptables -A INPUT -s "$IP" -j DROP
            echo "$IP" >> "$IP_BLACKLIST_TEMP"
          done < "$IP_TMP"
          mv "$IP_BLACKLIST_TEMP" "$IP_BLACKLIST"
          rm -f "$IP_TMP"
          • Dariusz
            -check logs for duplicated delivery. postfix and dovecot
            -compare and check mailheader if you see something.

          • run a
            netstat -an | grep ":25"

            from the server console. just to be sure port 25 is even listening.

            an nmap scan of your machine shows the following ports are open, but not 25
            PORT STATE SERVICE
            21/tcp open ftp
            22/tcp open ssh
            80/tcp open http
            110/tcp open pop3
            143/tcp open imap
            443/tcp open https
            465/tcp open smtps
            587/tcp open submission
            993/tcp open imaps
            995/tcp open pop3s
            3000/tcp open ppp
            8010/tcp open xmpp
            8080/tcp open http-proxy
            8443/tcp closed https-alt

          • Culottes

            over which port do you expect your MTA is receiving mails?
            no offense, but it looks like you don’t understand the basics of SMTP.

          • I would install the new Docker version on the new server and restore the data.
            Or is that exactly the problem you have that you can’t restore existing data (with old docker) to the new machine?

            • Is it sufficient to simply move a mail from/to the “Junk” folder to trigger the spam/junk filter to learn the change?
              -AFAIK yes

              Will this work with mail clients connected via IMAP and with SOGo?
              -If you’ve subscribed to the correct folder, yes

              Do I have to manually delete the mails in the “Junk” folder from time to time or will Mailcow do this on its own,
              -end users have to do it
              according to the settings of "Retentions per mailbox" & "Maximum age in days" as configured under Admin UI –> System –> Configuration –> Quarantine?
              -Quarantined mails are not delivered to the mailbox nor to the Junk folder

              Could I delete the mails in the “Junk” folder manually without any side effects?
              -AFAIK yes
              If only Junk mails are moved to the “Junk” folder and there is no use of the Quarantine, will Spam Notification Mails (User UI –> System –> User Settings –> Mailbox –> Settings –> Quarantine notifications) make sense at all (if someone regularly checks the “Junk” folder)?
              -The Junk folder contains mail which may or may not be spam. It's up to you to decide. Quarantined mails are in the quarantine, not in your mailbox.

              Is the Whitelist & Blacklist (User UI –> System –> User Settings –> Spam filter –> Whitelist/Blacklist) only applied to Spam mails or also to Junk mails?
              -In general to any mail. The whitelist bypasses the spam filter and the blacklist blocks the mail regardless of its content.

              I have read multiple times here in the forum that the Spam filtering / Spam Quarantine is disabled by default. Which config option in Mailcow exactly does enable / disable the Spam filter?
              -don’t know.