Search found 310 matches

by prisma
2014-08-29 11:06
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

1) Do not use validation certificate trust for STARTTLS. At least not as a default option. You are probably the only one in the world who requires certificate validation for STARTTLS. You are on very thin ice. In the current version, the STARTTLS function in hMailServer with this condition is rather...
by prisma
2014-08-19 12:10
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Very interesting conversation :) But I think this should be clear now ;) (just kidding) But please excuse me if I insist:

Would it be very complex to get header info back? It really seems to be good practice. All mailservers I know behave like this, except hmailserver.
by prisma
2014-08-18 11:47
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Correct. The implementation is not based on Bill's changes. Would it be very complex to add it? All mailservers I know do add this header information. It's very useful and seems to be good practice. I see. Those entries appear to be related to a STARTTLS initiated by a client, maybe Thunderbird, a...
by prisma
2014-08-15 13:59
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

The following was very helpful for testing, but also for every end email user to check which encrypted or unencrypted way his email has taken: Add header info: by mx.mydomain.com with ESMTPS (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) or by mx.mydomain.com with ESMTPSA (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) It ...
by prisma
2014-08-15 11:16
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Question: What does Page "Security" Checkbox "Verify remote server SSL/TLS certificates" exactly configure?
Or is this checkbox for the deactivation of the ciphers below? I'm confused...
by prisma
2014-08-14 11:18
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Is B2052 OK for testing or are some changes in queue I should wait for?
... OK, I see you wrote: It's feature complete. Stupid question...
by prisma
2014-08-12 17:56
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Or would you consider the current functionality 'broken' without these? No, it's definitely not broken. It's a good start. For MX delivery we should always deliver and encrypt when possible, regardless of whether the cert is valid or not. We can increase security again later. But I would do the "soft" validation a...
by prisma
2014-08-12 11:33
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

I'm guessing I can just add the public certificate to my trusted CA root? Yes, of course. The cert will be trusted. But trust is not enough. Problems with OCSP and CRL distribution point are very very common. Therefore your suggestions are very meaningful. Could you please clarify what you mean by ...
by prisma
2014-08-11 13:04
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Sounds very good. But I think we can accumulate and slash your single steps a little bit: Untrusted certificate (self-signed) This doesn't need an hmailserver configuration at all. Trust itself is configurable with the Windows certificate store. To have two different possibilities of configuration increa...
by prisma
2014-08-07 17:14
Forum: Archived feature requests
Topic: Perfect Forward Secrecy Support Poll
Replies: 11
Views: 9610

Re: Perfect Forward Secrecy Support Poll

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA256 EECDH+aRSA+RC4 EDH+aRSA EECDH RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

where RC4 is the fallback. RC4 is theoretically cracked. But AES CBC is vulnerable to BEAST...
by prisma
2014-08-05 10:31
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

@japi+mattg, I'll give a structured answer because I want to respond to multiple objections. It's only for better reading; it's not a sorted enumeration and I don't want to sound educational. And, as martin said, it's all fun and brainstorming here, so: We all are IT pros and do theoretically know what wou...
by prisma
2014-08-04 15:47
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

When a MX-resolved delivery is made, no actual validation of the certificate is done. That's what most users need. Very good. RFC2818 sounds very good! If you'd implement server identification along RFC2818 this could/should also mean: certificate pinning by fingerprint (...If the client has extern...
by prisma
2014-08-04 12:04
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Simple question: Will the SSL handshake fail if a self-signed and untrusted certificate is used by the MX-resolved server? If yes, NOK. An unencrypted connection is used where encryption would be possible. If no, OK. The server will continue encrypted although trust is not sure. The relay/route pa...
by prisma
2014-07-31 11:34
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

If you enable it, hMailServer will do a STARTTLS if the remote server announces support for it. But if it fails, the connection will be dropped because that's how Boost/Asio/OpenSSL, which hMailServer relies on, works. So right this second you might not want to select this if you deal with SMTP server...
by prisma
2014-07-30 15:38
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

No, you cannot set up a route with an empty target host name. So that would not work. Hmm... possibly you could keep this idea at the back of your mind for a later version?... Putting the MX with the highest priority manually into "target server" should help in the meantime... As for certificates, I'm loo...
by prisma
2014-07-30 12:50
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Here's the plan for version 1 of STARTTLS Sounds like a wonderful V1 and like covering 3 of my first 4 points +1 extra point (IP ranges). Great! Only encryption enforcement after MX lookup is skipped. And, I must confess, this would be only necessary for intranet purposes or scenarios where undeliv...
by prisma
2014-07-29 17:52
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 52444

Re: STARTTLS feedback?

Some of this was discussed in other posts but I would have to find them. There almost need to be rules available for each route and general delivery so it can be flexible enough for all the scenarios. In some cases the admin may want to stop all mail unless it's secure, in other cases the admin may want to a...
by prisma
2014-07-29 09:51
Forum: Development & alpha discussions
Topic: Weak SSL Ciphers
Replies: 51
Views: 19143

Re: Weak SSL Ciphers

martin wrote: hMailServer is also built off Git...
The misunderstanding was, Bill wrote he doesn't know GIT very well. For this reason I assumed (wrongly) that GIT is not used. Sorry.
Yeah, then the idea with feature branches is very discussable...
by prisma
2014-07-10 11:53
Forum: Development & alpha discussions
Topic: Weak SSL Ciphers
Replies: 51
Views: 19143

Re: Weak SSL Ciphers

I see it as a code smell rather than something good. The situation is how it is. My suggestions on how to handle the situation in a better way have nothing to do with the basic situation. But one thing is clear now and in future: you're the master. Linus Torvalds also decides nearly alone which improve...
by prisma
2014-07-09 10:30
Forum: Development & alpha discussions
Topic: Weak SSL Ciphers
Replies: 51
Views: 19143

Re: Weak SSL Ciphers

GIT does not necessarily mean GitHub. We prefer local installations. GIT is not a centralizing system. There is no real master repository. Nothing feels more risky than a migration to another code management system. But GitHub could do this work. I think they have SVN and GIT access at the same time. ...
by prisma
2014-07-08 17:59
Forum: Development & alpha discussions
Topic: Weak SSL Ciphers
Replies: 51
Views: 19143

Re: Weak SSL Ciphers

@Bill: Only because I'm curious: I don't know SVN very well, I only know GIT. With GIT I'd do the following: In GIT you have branches and local and remote masters/origins. If I were programming a fork (that's what you actually do) I would put every improvement and new feature in its own branch. These branche...
by prisma
2014-07-07 13:31
Forum: Development & alpha discussions
Topic: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501
Replies: 228
Views: 143332

Re: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501

Addresses that auto-replies have been sent to are stored in an array/vector so are volatile. I had talked to martin about making them non-volatile but there were concerns both with performance & confusion since people are told to restart hmail to clear the list. yeah ideally database table would ju...
by prisma
2014-06-30 16:23
Forum: General discussions
Topic: Out of memory error
Replies: 4
Views: 1095

Re: Out of memory error

In this case I have no idea other than restarting hmailserver for a quick fix. But this is no real solution. And if the behaviour disappears we have no chance to locate the problem, and it can always happen again... The questions are: is it normal for your server to have so much mail in the queue? Why can't they...
by prisma
2014-06-30 13:05
Forum: General discussions
Topic: Out of memory error
Replies: 4
Views: 1095

Re: Out of memory error

I assume hmailserver.exe consumes 2-3 GB memory (32-bit application limit, depending on optimization and x86/x64 OS)? You checked this? Or is it another process?
by prisma
2014-06-24 15:26
Forum: General discussions
Topic: Greylist white listing not working
Replies: 19
Views: 3253

Re: Greylist white listing not working

I'll shut up. Sorry, I read too fast...
by prisma
2014-06-24 14:41
Forum: General discussions
Topic: Greylist white listing not working
Replies: 19
Views: 3253

Re: Greylist white listing not working

uhm, I see upper and lower address, but no documentation about wildcards... are you sure? Upper and lower should reach the same.
by prisma
2014-06-24 14:10
Forum: Development & alpha discussions
Topic: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501
Replies: 228
Views: 143332

Re: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501

Feature Request: Remember already sent auto-reply recipients after restart. Reason: We use your experimental builds in a semi-productive environment. That's our way to prove stability. Because of frequent SSL testing and SSL bugfixing we often had to restart the server lately and will have to do this ...
by prisma
2014-06-24 13:41
Forum: General discussions
Topic: Autoresponder: change of behaviour? Bug or by design?
Replies: 3
Views: 1085

Re: Autoresponder: change of behaviour? Bug or by design?

Thank you for answering. I'll submit a feature request (for Bill and his experimental builds. Not in issues, nobody solves these requests).
We use Bill's betas. Because of frequent testing and SSL bugfixing we often had to restart the server lately and will have to do this in future...
by prisma
2014-06-24 12:19
Forum: Development & alpha discussions
Topic: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501
Replies: 228
Views: 143332

Re: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501

Possibly a stupid question: Why is RETURN-PATH used? [Settings] AutoReplyReturnPath=noreply@my-internal-hmail-domain.net Does it have to do with anti-spam actions? Return-Path is not used by some email clients for answering. This leads to answers to FROM instead of answers to RETURN-PATH. What was the aim...
by prisma
2014-06-24 11:35
Forum: General discussions
Topic: Autoresponder: change of behaviour? Bug or by design?
Replies: 3
Views: 1085

Re: Autoresponder: change of behaviour? Bug or by design?

Aaaah, is it possible hmailserver remembers already noticed addresses only in memory not in database? A restart of hmailserver will cause a re-send of auto-replies?
by prisma
2014-06-24 10:55
Forum: General discussions
Topic: Autoresponder: change of behaviour? Bug or by design?
Replies: 3
Views: 1085

Autoresponder: change of behaviour? Bug or by design?

In earlier versions of hmailserver an autoresponder was sent only one time back to the sender until the autoresponder expires. In the latest experimental build I noticed that an autoresponder mail is always sent back the moment a message arrives. I saw there was a change regarding the autoresponder and...
by prisma
2014-06-16 10:41
Forum: Development & alpha discussions
Topic: BUG: memory leak
Replies: 10
Views: 6929

Re: BUG: memory leak

Hi percepts, good idea, I already thought in the same direction. And I waited a little bit for somebody to ask about it :) Connections to postgres are very, very easy to see. Every connection creates its own server worker process. Unix style. I have seen nothing noticeable in taskmgr during monitorin...
by prisma
2014-06-13 11:08
Forum: Development & alpha discussions
Topic: BUG: memory leak
Replies: 10
Views: 6929

Re: BUG: memory leak

Yes.
by prisma
2014-06-12 23:35
Forum: Development & alpha discussions
Topic: BUG: memory leak
Replies: 10
Views: 6929

Re: BUG: memory leak

When I see 1950 growing a few KB and I see an experimental build growing multiple MB, I have to report it truthfully. Maybe that's a fault?
by prisma
2014-06-12 17:08
Forum: Development & alpha discussions
Topic: BUG: memory leak
Replies: 10
Views: 6929

Re: BUG: memory leak

Always. No errors on the client side nor on the server side (until the crash). I'd say, give it 15 minutes. If you aren't able to reproduce it within this time (no debugging, just trying) I'll take a really big spade to dig deeper :) Don't know, but only 36 people use the experimental builds (and voted for ...
by prisma
2014-06-12 11:41
Forum: Development & alpha discussions
Topic: BUG: memory leak
Replies: 10
Views: 6929

Re: BUG: memory leak

Right Bill, some information is missing: * It happens with Thunderbird, not with Roundcube. * It's a 32-bit Server 2008 Core with 2 Gig memory * Memory is not freed after client disconnect If the client disconnects and the memory is not freed, this is a memory leak and has nothing to do with optiona...
by prisma
2014-06-11 12:34
Forum: Development & alpha discussions
Topic: BUG: memory leak
Replies: 10
Views: 6929

BUG: memory leak

Server: 5.4-B2014042101 + postgresql 9.2 Client: Thunderbird 24.6.0 message indexing default (on) When the user moves a huge number of files around, especially when he does this in an asynchronous way (*), hmailserver memory usage grows permanently. A user let our server run out of memory by doing t...
by prisma
2014-06-06 16:46
Forum: General discussions
Topic: OpenSSL 1.0.1h Fixes Serious Bug
Replies: 18
Views: 8879

Re: OpenSSL 1.0.1h Fixes Serious Bug

THX Bill for your fast response. I'll test it too.
by prisma
2014-06-02 15:44
Forum: Archived feature requests
Topic: ssl/tls and starttls [50%]
Replies: 145
Views: 92310

Re: ssl/tls and starttls [50%]

A few weeks ago I added outbound STARTTLS to a test build here just for routes but it does not work. It always gives handshake errors. I suspect it's an openssl related issue but I've been unable to debug it. I'll share the build if someone wants to test but realize it'd require advanced low-level testing. Li...
by prisma
2014-06-02 15:40
Forum: Archived feature requests
Topic: ssl/tls and starttls [50%]
Replies: 145
Views: 92310

Re: ssl/tls and starttls [50%]

Bill's experimental build supports STARTTLS for incoming SMTP. Still nothing more. But it works very well for me. I'm also waiting for further enhancements regarding STARTTLS for outgoing SMTP. Some people in this forum need it, e.g. for ISPs' smarthosts. As far as I know they use "stunnel" as a workaround...
by prisma
2014-05-30 21:18
Forum: General discussions
Topic: External Network
Replies: 12
Views: 2062

Re: External Network

Are you sure dab.servebeer.com does always resolve to the same ip? Inside and outside your network? And if you telnet SMTP you see the banner you configured?
by prisma
2014-05-30 14:58
Forum: General discussions
Topic: Forwarded Messages Using SSL?
Replies: 3
Views: 1125

Re: Forwarded Messages Using SSL?

Please allow me to make 2 annotations: Most server-to-server traffic is NOT SSL ...that's right, but in some countries of the old world MOST server-to-server traffic IS currently encrypted. With good reason. It doesn't secure ANY message content Completely implemented with DANE for SMTP server-to-se...
by prisma
2014-05-23 12:48
Forum: Development & alpha discussions
Topic: DANE for SMTP
Replies: 1
Views: 1834

DANE for SMTP

This post is for your early information. DANE for SMTP will be the solution and a clear definition of what to do with certificates for STARTTLS. http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-01 It's a solution using the common techniques DNSSEC, STARTTLS, MX and TLSA records and, if you want, e...
by prisma
2014-04-28 10:24
Forum: Archived feature requests
Topic: Compile hMail to use OpenSSL DLL's
Replies: 6
Views: 6599

Re: Compile hMail to use OpenSSL DLL's

+1 BUT: this is a low priority item. It's only a question of good practice to be able to update security components separately. One technical question: When openssl is dynamically linked, you're also rather bound to one specific version, aren't you? Thinking about headers e.g...
by prisma
2014-04-10 10:44
Forum: Archived feature requests
Topic: ssl/tls and starttls [50%]
Replies: 145
Views: 92310

Re: ssl/tls and starttls [50%]

FYI: server2server STARTTLS works for incoming connections with the latest experimental build. We use it without any problems. For outgoing STARTTLS for MX-looked-up hosts, smarthosts and routes (with detailed configuration for encryption enforcement and certificate validation) there is another poll. F...
by prisma
2014-03-28 13:43
Forum: Archived feature requests
Topic: STARTTLS - Next area needed most POLL
Replies: 20
Views: 12710

Re: STARTTLS - Next area needed most POLL

@japi: I tried to post a more structured and detailed wish-list for startTLS here: http://hmailserver.com/forum/viewtopic.php?f=2&t=26118

If some of these requests fit your needs, feel free to vote or comment.
by prisma
2014-03-12 10:53
Forum: General discussions
Topic: Backup / Restore and Domain Limits problem
Replies: 10
Views: 2129

Re: Backup / Restore and Domain Limits problem

I'd say a secure fix would be to disable or ignore all limits temporarily during restore.
Because what has been able to be backed up has to be able to be restored.
by prisma
2014-03-10 17:29
Forum: General discussions
Topic: hMailServer Backup > 15GB question
Replies: 117
Views: 27748

Re: hMailServer Backup > 15GB question

Reading http://www.hmailserver.com/forum/viewto ... 89#p155089 you'll see:
Bill48105 wrote: Obviously it's been a non issue if one person every 3 years brings it up
Hmmm, really only every 3 years? Do we have 2016? LOL Sorry, I'm quiet now...
by prisma
2014-03-04 16:08
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 9682

Which further options are needed for (start)TLS

The last poll has shown that outgoing startTLS is required. To give the discussions within this forum more substance I'm interested in your opinion. What do you think? Which further options are needed for startTLS?
by prisma
2014-03-03 12:27
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

With respect to outgoing TLS validation, I came across the following: http://www.google.com/support/enterprise/static/postini/docs/admin/en/admin_ee_cu/connection_cert.html#3370078 I'd say this is outgoing (start)TLS configuration. Please see my own post above regarding postfix. If you want, open a...
by prisma
2014-02-28 18:26
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

I think it can be used to minimize spoofed emails. SPF and DKIM achieve the same, don't they? SPF and DKIM are voluntary domain configurations. If somebody does not use them, you can't filter spoofed mails from this domain. But using a client certificate would also be voluntary. So... But I unde...
by prisma
2014-02-28 11:15
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

the point of view of the hMail SMTP server when it receives inbound mail from another SMTP server I did understand you. Let's think about the mechanism behind that. The server would check the cert's validity and whether the reverse resolved hostname fits the CN. But what is it for? What am I able to d...
by prisma
2014-02-27 15:02
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

As a minimum I'd like to verify at least that encryption exists even if not id/domain verified. If we have a mechanism to verify more we'll work on it. Bill +1 Slowly, everything step-by-step. No panic. Great work Bill, you've been really fast in implementing incoming STARTTLS. I think this thread is a ...
by prisma
2014-02-26 16:48
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

OK, so where is the industry at with this? Is there any public system that does (or even can do) cert validation for server to server communication? Can any of the 'big' players do this? Here is the answer: http://www.postfix.org/TLS_README.html Option secure: [...]Mail is delivered only if the TLS...
by prisma
2014-02-25 22:27
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

To my knowledge, DNSSEC provides security against spoofing using a standard. DNS wrappers like DNSCrypt provide privacy, but they follow no standards... If another mailserver offers esmtps using an untrusted certificate, it'll be up to you to configure your mailserver to close the connection. ...
by prisma
2014-02-25 13:50
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

mattg wrote: As a matter of interest do you use SSL connections to your DNS?
And if I want to have more security regarding DNS itself I'm free to use DNSSEC. This is no encryption, but regarding DNS I think ensuring integrity should be enough for the moment ;)
by prisma
2014-02-25 13:31
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

As a matter of interest do you use SSL connections to your DNS? I don't understand exactly what you mean, but the MX record of one of our domains points to hmailserver. And I have enabled STARTTLS on 25. Here is the beautiful result: Received: from wpXXX.webpack.hosteurope.de (wpXXX.webpack.hosteurope...
by prisma
2014-02-24 15:23
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 16830

Re: custom header to indicate if email was received over SSL

Yes, I love it too. The postfix guys also add cipher information, very handy for auditing security paths. Possibly Bill adds something similar to hmailserver? But, braniak, you wrote "client-cert=verified"? Where did you get this syntax from? RFC 3207 talks about client certificates and starttls: [....