Postfix docs Search Results:

Looking for new york in entire archive - Found 77 matches in 9 files
Showing results 1 - 9
Postfix TLS Support, Feb 8 2008
For servers that are not public Internet MX hosts, Postfix supports configurations with no certificates. This entails the use of just the anonymous TLS ciphers, which are not supported by typical SMTP clients. Since such clients will not, as a rule, fall back to plain text after a TLS handshake failure, a certificate-less Postfix SMTP server will be unable to receive email from most TLS enabled clients. To avoid accidental configurations with no certificates, Postfix enables certificate-less operation only when the administrator explicitly sets "smtpd_tls_cert_file = none". This ensures that new Postfix SMTP server configurations will not accidentally run with no certificates.
If clients instead attempted to verify the recipient domain name, an SMTP server for multiple domains would need to list all its email domain names in its certificate, and generate a new certificate each time a new domain were added. At least some CAs set fairly low limits (20 for one prominent CA) on the number of names that server certificates can contain. This approach is not consistent with current practice and does not scale.
Historical note: while the documentation of these issues and many of the related features are new with Postfix 2.3, the issue was well understood before Postfix 1.0, when Lutz Jänicke was designing the first unofficial Postfix TLS patch. See his original post http://www.imc.org/ietf-apps-tls/mail-archive/msg00304.html
With the Postfix 2.3 and later TLS policy table, specify the "encrypt" security level. With the obsolete per-site table, specify the "MUST_NOPEERMATCH" keyword. While the obsolete approach still works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later should use the new TLS policy settings.
Note: Avoid policy lookups with the bare hostname (for example, "example.net"). Instead, use the destination (for example, ":587"), as the per-site table lookup key (a recipient domain or MX-enabled transport nexthop with no port suffix may look like a bare hostname, but is still a suitable destination). With Postfix 2.3 and later, do not use the obsolete per-site table; use the new policy table instead.
table, specify the "MUST" keyword. While the obsolete approach still works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later should use the new TLS policy settings.
With the Postfix 2.3 and later TLS policy table, specify the "secure" security level. With the obsolete per-site table, specify the "MUST" keyword and harden the certificate verification against DNS forgery. While the obsolete approach still works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later should use the new TLS policy settings.
Note: Avoid policy lookups with the bare hostname (for example, "tls.example.com"). Instead, use the destination (for example, "") as the per-site table lookup key (a recipient domain or MX-enabled transport nexthop with no port suffix may look like a bare hostname, but is still a suitable destination). With Postfix 2.3 and later, do not use the obsolete per-site table; use the new policy table instead.
Postfix 2.3 introduces a new more flexible TLS policy table. For earlier releases, read the description of the obsolete Postfix 2.2 per-site table.
The new policy table is specified via the smtp_tls_policy_maps
While secure verification can also be achieved with manual routing overrides in Postfix transport(5) tables, that approach can deliver mail to the wrong host when domains are assigned to new gateway hosts. The "match" attribute approach avoids the problems of manual routing overrides; mail is deferred if verification of a new MX host fails.
mechanism, this uses as a policy lookup key a potentially untrusted server hostname, and lacks control over what names can appear in server certificates. Because of this, the obsolete mechanism is typically vulnerable to false DNS hostname information in MX or CNAME records. These attacks can be eliminated only with great difficulty. The new policy table
Avoid policy lookups with the bare hostname. Instead, use the full destination nexthop (enclosed in [] with a possible ":port" suffix) as the per-site table lookup key (a recipient domain or MX-enabled transport nexthop with no port suffix may look like a bare hostname, but is still a suitable destination). With Postfix 2.3 and later, use of the obsolete approach documented here is strongly discouraged: use the new policy table instead.
Starting with Postfix 2.3, the underlying TLS enforcement levels are common to the obsolete per-site table and the new policy table. The main.cf smtp_tls_mandatory_ciphers and smtp_tls_mandatory_protocols
parameters control the TLS ciphers and protocols for mandatory encryption regardless of which table is used. The smtp_tls_verify_cert_match parameter determines the match strategy for the obsolete "MUST" keyword in the same way as for the "verify" level in the new policy.
Using configuration from /etc/ssl/openssl.cnf Generating a 1024 bit RSA private key ....................++++++ .....++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase:whatever
% openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365
Using configuration from /etc/ssl/openssl.cnf Generating a 1024 bit RSA private key ........................................++++++ ....++++++ writing new private key to 'foo-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request.
State or Province Name (full name) :New York
Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName :PRINTABLE:'US' stateOrProvinceName :PRINTABLE:'New York' localityName :PRINTABLE:'Westchester' organizationName :PRINTABLE:'Porcupine' commonName :PRINTABLE:'foo.porcupine.org' emailAddress :IA5STRING:'wietse@porcupine.org' Certificate is to be certified until Nov 21 19:40:56 2005 GMT (365 days) Sign the certificate? :y
...limit of 20 lines reached, additional matching lines are not shown...

Catching up with Wietse Venema, creator of Postfix and TCP Wrapper, Feb 8 2008
Wietse: I have been finishing things, so that I can start work on new projects. After a major documentation rewrite for the Postfix mail system, I finished the manuscript for a book on computer forensic analysis with Dan Farmer. When I finish something, I normally start reading everything that I can lay my hands on and then inspiration comes.
Wietse: It has been fairly typical here in southern New York state. We dig ourselves out from the snow a few times in January and February.
Once the snow is gone in March, we spend quality time walking up a hill or riding a bike. Many several former railroads are/were converted into trails, and riding them is fun. Unlike Europe, where I grew up, the roads in southern New York state are not really safe for riding a bicycle.
Linuxsecurity.com: You have a suite of tools available on your website. Any new ones coming out that address basic fundamental security practices that still aren't followed or are you going to add any new functionality to your existing programs?
Linuxsecurity.com: Postfix is a really good Mail Transport Agent (MTA), I've been using it for a long time and I set it up for someone any chance I get. Why did you decide to write a new MTA instead of scaling down an existing MTA? :-)
Writing a new mail system from scratch was a change from previous projects. Normally I would retrofit security features almost invisibly, either by replacing an existing server such as portmap by a hardened version that was 100% compatible, or by adding a very thin layer such as tcp_wrappers. In the case of the Postfix mail system, there was no way that the changes could be made in an invisible manner.
Wietse: We just finished a manuscript for a book on computer forensic analysis that we hope will come out this year. In this book we write about things that we learned after we released the TCT. For some experiments we used the TCT, and for other measurements we wrote a few new tools. When this book is published I will be happy to turn my attention to other projects.

Sharing Software, IBM to Release Mail Program Blueprint, Feb 8 2008
Adding momentum to the open-source movement for the free sharing of software, IBM plans Monday to make available the original programmer's instructions for a new mail program that can be used to store and forward e-mail messages with a high level of security.
Copyright 1998 The New York Times Company

Salon.com Technology | How Big Blue fell for Linux, Feb 8 2008
The magazines may not make good marketing material right now. Collab.net, the brainchild of open-source star Brian Behlendorf,* aims to make a business out of, he says, "distilling the principles of open source." But at least half of the covers of these new-economy bibles are screaming dire, boldface warnings about the current dot-com meltdown, including Wall Street's sharp turn away from Linux-related stocks in the spring and summer.
It's a good thing the office tunes are soothing, because jangled nerves are suddenly everywhere in that strange land where free software and dot-com start-ups mix. In the summer of 1999, Red Hat's IPO, occurring right in the middle of a packed LinuxWorld convention, sent attendees into a dither of delight. But in mid-August, no less an authority than the New York Times takes advantage of another LinuxWorld convention to declaim about how Wall Street is souring on Linux.
And yet, those who take heart in a one-day surge are just as guilty of overeagerness. Both cynics and Pollyannas are like marks suckered into a New York huckster's game of three-card monte. While they busily stare, striving to follow the movements of the dealer's hand, they never notice that Times Square around them is meanwhile being transformed from pimp heaven into Disneyland. Sure, companies in the business of selling Linux may have questionable prospects -- but the open-source revolution is still in full effect, rebuilding the software industry from top to bottom, forcing everyone to adapt.
...limit of 20 lines reached, additional matching lines are not shown...

Please choose a Postfix Download Site, Feb 8 2008
USA, NY, New York
USA, NY, New York
USA, NY, New York

Please choose a Postfix Web Site, Feb 8 2008
USA, NH, New Durham
USA, NY, New York
USA, NY, New York
New Zealand, Auckland

Venema aims to make network software safe, Feb 8 2008
Venema's a good man for the job. He's worked for over a decade on a broad range of "software whose existence you don't notice because it works well": network security, inter-company financial transactions, terminal emulation, and so on. "My software rarely fails ... My claim to fame is largely based on the low incidence of error" in the infrastructural applications he's written. Now he's moved permanently to the "beautiful landscape" of central New York state from his native Netherlands to dedicate a year to VMailer.
Away from the keyboard, Venema and his wife Annita are looking forward to replacing the bicycles they sold when they moved. This will give them a chance to explore the North Country Trailway, which runs near their new home. "This is continent collision zone, with lots of weird geology. It's quite a change from the Netherlands, which is all flat and which has almost no trees."

Postfix in the Press, Feb 8 2008
John Markoff: "Sharing Software, IBM to Release Mail Program Blueprint". New York Times, December 1998.
This is the New York Times article that put Open Source on the radar of IBM CEO Lou Gerstner. He called around, found that IBM had no open source strategy, and tasked people to come up with one.

The Standard: Behind the Big Blue Wall, Feb 8 2008
Just over two years ago, Nick Donofrio, senior vice president for technology at IBM (IBM), received a surprise phone call from his boss, Louis Gerstner. The company's CEO had just read a New York Times article about an IBM developer who had released an e-mail program called SecureMailer, written in open-source code - freely distributed software that could be modified by anyone. Though he didn't phrase it this way, Gerstner was essentially calling to ask, "What the hell's going on here?"

Search results by Webglimpse Advanced Site Search Engine