On 26/05/24 09:58, Mike via Postfix-users wrote:
Hello,
My setup like below:
I have Postfix setup and use dovecot as SASL. Now, all email accounts
can use the smtp server to send emails. I want to allow only one email
account to send out emails and rest of others can only use POP3 or IMAP.
On 25/05/24 01:37, Matus UHLAR - fantomas via Postfix-users wrote:
He mentioned that on postfix with "smtpd_tls_auth_only=yes" (the
default) authentication is only available when TLS is active
The default is no, but it is very common to have it set to yes.
Peter
On 25/05/24 09:50, Northwind via Postfix-users wrote:
just to clarify, submissions is not required to set for enabling
sasl_auth on port 465/587. i have tested it, no need to set a separated
submissions.
Incorrect. submission is *only* port 587, submissions is port 465.
my postfix
On 25/05/24 01:12, Benny Pedersen via Postfix-users wrote:
Stephan Seitz via Postfix-users skrev den 2024-05-24 15:01:
Careful, if you have „smtpd_tls_auth_only = yes” (I think), then
you’ll see AUTH after STARTTLS…
port 25 must not be tls only
Since authentication should never be done on
On 25/05/24 00:43, Benny Pedersen via Postfix-users wrote:
Northwind via Postfix-users skrev den 2024-05-24 14:37:
and restarted postfix.
now I think it should be working.
telnet localhost 25
ehlo localhost
if you see AUTH in ehlo results it not done yet
no AUTH results take another beer
On 25/05/24 00:29, Benny Pedersen via Postfix-users wrote:
Northwind via Postfix-users skrev den 2024-05-24 14:17:
so, in main.cf:
smtpd_sasl_auth_enable=no
comment this out in main.cf, it already default no
It's fine to have it, it's simply redundant.
Peter
On 25/05/24 00:17, Northwind via Postfix-users wrote:
so, in main.cf:
smtpd_sasl_auth_enable=no
Yes, although the setting is redundant here since it defaults to no
anyways it's fine to explicitly state it if you want.
then in master.cf:
submission inet n - y - -
On 24/05/24 21:32, Matus UHLAR - fantomas via Postfix-users wrote:
On 24.05.24 12:00, Peter via Postfix-users wrote:
And the OP is referring to SASL AUTH attacks which are for submission,
not MX connections.
But some of those log lines mention postfix/smtpd, which means they
happen on port
On 24/05/24 13:08, Northwind via Postfix-users wrote:
do you mean since I have been using postscreen, there is no need to
manually disable authentication on port 25? since postscreen doesn't
have auth support.
No, you definitely should disable auth on port 25 regardless. It is
possible for
On 24/05/24 01:42, Bill Cole via Postfix-users wrote:
Likely brute force.
Not exactly.
"Brute force" password cracking is almost never seen today, as it has
been replaced by a practice commonly called "credential stuffing" where
the attacker has some large collection of known-good
On 24/05/24 02:12, Matus UHLAR - fantomas via Postfix-users wrote:
Zen includes the "PBL" component, which consists largely of
residential and mobile consumer IPs.
Yes, but these are (usually) not considered valid clients, these should
use submission/submissions(smtps) ports where
On 23/05/24 19:02, Jaroslaw Rafa via Postfix-users wrote:
In addition I can add one idea:
I have had quite a success with a policy server that rejects all connections
on submission ports IF it doesn't find a currently established IMAP session
from the same IP address. All "normal" mail clients
On 23/05/24 16:51, Viktor Dukhovni via Postfix-users wrote:
Dovecot has its own mechanism list, while Postfix has a mechanism list
filter. You should be able to set:
smtp_sasl_mechanism_filter = plain
He's trying to prevent login on smtpd, so the setting should be
On 23/05/24 10:55, Wietse Venema via Postfix-users wrote:
2. How to strengthen email system security to stop this?
Don't accept mail from home networks. For example, use "reject_dbl_client
zen.spamhaus.org". For this you must use your own DNS resolver,
not the DNS resolver from your ISP.
On 23/05/24 10:33, Northwind via Postfix-users wrote:
Hello list,
In the last two days, my mail system (small size) met attacks.
mail.log shows a lot of this stuff:
May 23 06:24:29 mx postfix/smtpd[2655149]: warning:
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May
On 16/05/24 23:40, Jaroslaw Rafa via Postfix-users wrote:
Dnia 16.05.2024 o godz. 12:05:52 Peter via Postfix-users pisze:
On my side the email is accepted from here, and relayed, Rspamd
does sign it, and Postfix's last message in the log is a message
sent delivered, and removed from my queue. I
On 16/05/24 11:54, David Mehler via Postfix-users wrote:
Hello,
I'm not sure if this is a Postfix or an Rspamd problem or a Gmail
problem, the first two I can do something about the third one not so sure.
I'm running a personal E-mail server running on a VPS via a2hosting. I'm
using
Greetings,
I've been running an ipv4-only postfix system for years, and have dialed
in a set of SMTP access/relay controls that work well for my use case.
I've avoided enabling ipv6 because its lack had yet to cause an issue,
and due to what I'm given to understand has been the wild-west
On 25/04/24 19:42, Benny Pedersen via Postfix-users wrote:
Peter via Postfix-users skrev den 2024-04-25 09:19:
On 15/04/24 10:14, Benny Pedersen via Postfix-users wrote:
Authentication-Results list.sys4.de; dkim=pass
header.d=porcupine.org; arc=none (Message is not ARC signed);
dmarc=pass
On 25/04/24 14:34, Benny Pedersen via dovecot wrote:
+1, thanks for dovecot maillist do it right, postfix maillist fails on spf
You make a confusing, factually incomplete post with claims that are
incorrect and then complain about a lack of clear response on a
different list? If you're
On 15/04/24 10:14, Benny Pedersen via Postfix-users wrote:
Authentication-Results list.sys4.de; dkim=pass
header.d=porcupine.org; arc=none (Message is not ARC signed); dmarc=pass
(Used From Domain Record) header.from=porcupine.org policy.dmarc=none
What does this have to do with Postfix,
On 21/02/24 12:40, Wietse Venema via Postfix-users wrote:
Peter via Postfix-users:
A quick status update.
First, several features have been logging warnings that they would
be removed for 10 years or more, so we could delete them in good
conscience (perhaps keeping the warning
On 19/02/24 14:00, Wietse Venema via Postfix-users wrote:
Viktor Dukhovni via Postfix-users:
On Tue, Feb 13, 2024 at 12:23:32PM -0500, Wietse Venema via Postfix-users wrote:
Over 25 years, Postfix has accumulated some features that
are essentially obsolete.
A quick status update.
First,
On 12/02/24 11:47, Alex via Postfix-users wrote:
My concern would be with multiple MX records for the same domain - is it
possible it would come back to try again with another MX and be delayed
yet again?
Unless you're referring to your own MX records these are not relevant.
That said, many
On 11/02/24 13:51, Doug Hardie via Postfix-users wrote:
If I am understanding correctly, that means that if I set smtp_skip_5xx_greeting to
"no", then postfix would stop after the first 5xx and terminate the email.
That seems like it might open up some issues where a provider with multiple
On 10/02/24 02:50, Matus UHLAR - fantomas via Postfix-users wrote:
On 08.02.24 13:05, Doug Hardie via Postfix-users wrote:
I implemented postscreen quite a while ago. I don't see where or how
it introduces a delay to force the originating MTA to queue and try
later.
It does not introduce
On 8/02/24 21:38, Kees van Vloten via Postfix-users wrote:
A little addition that also helps a bit: move the content of the From:
header to the Reply-To: header and replace From: with the local account
that is forwarding the message. All mail then originates from your
domain and a reply to a
On 8/02/24 14:23, Alex via Postfix-users wrote:
I'm hoping I could ask for some advice. We have a pretty
large percentage of users who forward mail through our systems to
personal Gmail accounts. Sometimes it is mail from bulk senders like
mailgun and lanyon/cvent.
Before answering your
On 25/01/24 04:38, Bill Gee via Postfix-users wrote:
Oops! I just realized that I sent this instead of saving it. Dang!
I've re-organized the quoted section to put your questions in their
intended order.
The time is finally coming when I have to do something with my Postfix
server. I
On 16/01/24 17:26, Scott Kitterman via Postfix-users wrote:
As many are aware Ghettoforge builds these for EL. To me the simplest way for
Debian and other distros is for a community member to take up the mantle and
build Postfix in a similar way. It's not that difficult to do and it puts the
On 12/01/24 04:08, Wietse Venema via Postfix-users wrote:
Viktor Dukhovni via Postfix-users:
On Thu, Jan 11, 2024 at 03:53:35PM +0100, natan via Postfix-users wrote:
Hi Wietse Have you thought about postfix repo for Debian, just like dovecot
has for his release?
What is a "Postfix repo for
On 3/01/24 01:27, Peter via Postfix-users wrote:
There is a link at the bottom to the postfix-specific lmtp configuration
page which is broken, it means that page was not properly ported. Please
post to the dovecot mailing list and let them know as this is something
they need to fix
On 1/01/24 07:52, Togan Muftuoglu via Postfix-users wrote:
The good old Dovecot Wiki is gone.
The pages have been ported over to doc.dovecot.org:
https://doc.dovecot.org/configuration_manual/protocols/lmtp_server/
There is a link at the bottom to the postfix-specific lmtp configuration
On 1/01/24 06:25, toganm--- via Postfix-users wrote:
The master.cf has already the following so what am I adding?
lmtp unix - - n - - lmtp
Nothing, that is all that is required. The docs simply mean that entry
is required but you don't have to change or
This doesn't help much, except to show that things look good for protonmail.
Protonmail doesn't appear to have IPv6 support while google does. It is
entirely possible that you're trying to send to google via IPv6 and you
don't have an record for mail.bristolweb.net. This would result in
On 24/11/23 19:52, Peter via Postfix-users wrote:
It's not the distro. It's common for Linux distros to fully support
ARM, but that does not put any obligation on 3rd-party distros, just
like if someone were to create a 3rd-party distro for BSD it would be up
to them to decide which arches
On 23/11/23 21:08, Charles Sprickman via Postfix-users wrote:
This ^. Specifically if you want to run an EL distro there are good
choices that offer ARM support and come with stock postfix and dovecot
packages, but if you want to run the GhettoForge packages (which have newer
versions of
On 23/11/23 14:22, Gerald Galster via Postfix-users wrote:
Q2:
given the minuscule work-load, is there any preference/preclusion
between employing the 'usual' x86 processor or 2 Arm Ampere
processors? Both offer Linux. Cost is effectively same.
You should check if the software you want to
On 30/10/23 05:43, Robert Inder via Postfix-users wrote:
For 10 years now I've been running a Linux (CentOS 7) server, using
Postfix to handle mail for a handful of users.
Specifically, I'm running Postfix 2.2, because that is the most recent
version yum will fetch
from the current/default set
On 13/09/23 12:54, DL Neil via Postfix-users wrote:
Have been updating the .cf files (mostly ciphers, but also...)
Our old friend "UGFzc3dvcmQ6" is back.
This is simply base64 for "Password", all it indicates is an invalid
login attempt using the LOGIN mech.
What is the setting to get rid
On 11/09/23 19:59, François Patte via Postfix-users wrote:
And updated the security level to "secure".
If I turn this to "secure", I get in maillog file:
server certificate verification failed for
smtp.gmx.com[212.227.17.174]:465: num=62:hostname mismatch
The cert is signed for
On 23/08/23 11:58, Steffen Nurpmeso via Postfix-users wrote:
"The problem" (i have given up and did not try it for long) is the
configuration directory. Does this work without configuration
directory? I had to try again.
So last i tried.
If you do not compile custom, but still want a custom
On 22/08/23 22:59, Peter via Postfix-users wrote:
You forgot:
smtpd_tls_auth_only = no
Sorry, scratch this last bit, it's only if you need to do AUTH without
TLS, and I don't think you're trying to do AUTH here.
Peter
On 22/08/23 15:42, Bruce Dubbs via Postfix-users wrote:
I have built postfix-3.8.1 from source and want to use it only on the
local system. That is, I really only want it to receive messages from
applications like sudo, cron, or some simple scripts using mailx and
post it to the local user's
On 15/08/23 21:08, Benny Pedersen via Postfix-users wrote:
Peter via Postfix-users skrev den 2023-08-15 10:44:
This is a bad idea for several reasons. If you want submission use
ports 465 and/or 587 as they are intended. Don't try to use a service
that is meant for a different purpose
On 15/08/23 12:15, Jon Smart via Postfix-users wrote:
I have disabled port 587/465 to be accessed publicly.
These are the submission and submissions ports, for user submission of mail.
but port 25 must be open to internet for MTA communications.
Port 25 is for MX to MX communication, for a
On 14/07/23 16:26, Aban Dokht via Postfix-users wrote:
https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
check_sender_access type:table
...
Any hints how smtpd_sender_restrictions can be overridden with an IP
based hash or cidr table?
/etc/postfix/sender_override.cidr:
On 23/06/23 07:05, André Rodier via Postfix-users wrote:
Is there any way, with postfix, to run a script on authentication
failure, with information like the IP address and the
username passed, for instance.
You can write your script up as a policy daemon and have it listen on an
inet or
Technically it's an invalid MX record because MX records must point to a
hostname, not an IP address.
They are probably trying (but failing) to implement a null MX record:
https://www.rfc-editor.org/rfc/rfc7505
Peter
On 12/06/23 19:50, wesley--- via Postfix-users wrote:
Note there is
On 17/05/23 00:14, mailmary--- via Postfix-users wrote:
I am talking about the authentication email, not MAIL FROM or RCPT TO.
There is no "authentication email". There is a login username which can
be just about anything and in your case likely just happens to match the
user's email
On 8/05/23 00:27, Wietse Venema via Postfix-users wrote:
After multiple such connections, postscreen could theoretically
decide that the client is unlikely to ever connect to the primary
MX, but by then the client will likely already have given up, and
postscreen has done no harm.
Postscreen
On 5/05/23 11:33, Wietse Venema via Postfix-users wrote:
An empty inet_interfaces means that there is no constraint for the
SMTP client source IP address. I am adding some text for that.
I think the question is, what effect does it have on the server
listening address. This is from
On 4/05/23 08:31, Wietse Venema via Postfix-users wrote:
Peter via Postfix-users:
Is this behavior of inet_interfaces overridden by smtp_bind_address?
From the way it's worded it looks to me like the inet_interfaces
setting overrides smtp_bind_address but this isn't clear to me. Can
Is this behavior of inet_interfaces overridden by smtp_bind_address?
From the way it's worded it looks to me like the inet_interfaces
setting overrides smtp_bind_address but this isn't clear to me. Can
that be clarified (one way or the other)?
Peter
On 4/05/23 04:48, Wietse Venema via
On 3/05/23 17:51, Ken Peng via Postfix-users wrote:
But anybody can use our (even setup correctly) mailserver as backscatter source?
Not if you configure postfix properly.
Peter
On 28/04/23 03:59, Sebastian Wiesinger via Postfix-users wrote:
Hi everyone,
I'm not sure if I'm missing something but I can't find out why my
body_checks doesn't catch all the backscatter I'm getting right now.
Oh yuck.
I've found that the best way to block backscatter is by using the
On 28/04/23 21:19, Andreas Cieslak via Postfix-users wrote:
Why are To and From replaced in the header but not the subject?
Am I perhaps missing the right expression here and could someone give me
some advice?
Or is there really no way around Mailmunge or MimeDefang etc.?
Any hints would be
On 22/04/23 22:18, Ralph Seichter via Postfix-users wrote:
* Peter Ajamian via Postfix-users:
Verify return code: 10 (certificate has expired)
Thanks. For some reason, the web server had not been restarted after the
last certificate update, which normally happens automatically. I just
On 10/04/23 16:52, tom--- via Postfix-users wrote:
The default_action here actually defines what action postfix will take
if the policyd errors out (e.g. not running). By default this is "451
4.3.5 Server configuration problem" which results in a deferral, so it
would not cause the message to
On 10/04/23 14:21, tom--- via Postfix-users wrote:
I have resolved the issue by:
1. install unbound as dns resolver locally
This is good.
2. change this statement:
check_policy_service unix:private/policyd-spf,
to this one:
check_policy_service { unix:private/policyd-spf,
On 9/04/23 23:02, Peter via Postfix-users wrote:
On 9/04/23 21:23, tom--- via Postfix-users wrote:
I am using the policyd-spf by default configuration (never changed a
line), and this is the doc:
https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html
On 9/04/23 21:23, tom--- via Postfix-users wrote:
I am using the policyd-spf by default configuration (never changed a
line), and this is the doc:
https://manpages.debian.org/testing/postfix-policyd-spf-python/policyd-spf.conf.5.en.html
But the doc says nothing about "OK" and "DUNNO". So how?
On 9/04/23 19:51, tom--- via Postfix-users wrote:
First off make sure that policyd isn't somehow returning an OK (or
equivalent) response, if you're not sure temporarily remove
"check_policy_service unix:private/policyd-spf," from your
restrictions above and see if it makes a difference.
On 9/04/23 18:18, tom--- via Postfix-users wrote:
Secondly, and this is *very* important, make certain you are not using
your ISP's or another public DNS resolver (such as 8.8.8.8). You
*must* run your own DNS resolver for DNSRBLs to work properly.
I was exactly using google DNS. Do u mean
On 9/04/23 14:02, tom--- via Postfix-users wrote:
I have this setting in main.cf:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
check_policy_service unix:private/policyd-spf,
reject_rbl_client zen.spamhaus.org,
On 2/04/23 09:03, Jaroslaw Rafa via Postfix-users wrote:
Dnia 1.04.2023 o godz. 13:04:30 Peter via Postfix-users pisze:
Secondary, or backup MXes are almost never recommended in the modern
internet and tend to be a relic of the 1990s dialup internet.
[...]
None of this is what you
On 1/04/23 00:36, Corey Hickman via Postfix-users wrote:
Since almost every sending MTA has the queues, do I need a secondary MX
for my domain email?
Secondary, or backup MXes are almost never recommended in the modern
internet and tend to be a relic of the 1990s dialup internet. What is
On 26/03/23 18:37, Benny Pedersen via Postfix-users wrote:
Peter via Postfix-users skrev den 2023-03-26 06:15:
DKIM and ARC signatures need to be checked right after the message is
received,
not really, all that is needed is to freeze state of dkim, arc, dmarc at
receive state,
which
On 26/03/23 13:55, Benny Pedersen via Postfix-users wrote:
Peter via Postfix-users skrev den 2023-03-26 01:05:
Mailman has a setting that addresses this, reply_goes_to_list.
According to mm docs, this adds the original From: address as a CC
there will be a day when mailman dont sink ships
On 25/03/23 11:50, raf via Postfix-users wrote:
On Fri, Mar 10, 2023 at 09:11:58AM +1300, Peter via Postfix-users
wrote:
* Don't add a Reply-To:. I actually question if this is really needed as we
likely want replies to go to the list the vast majority of time anyways. I
have seen other
On 19/03/23 12:13, Steffen Nurpmeso via Postfix-users wrote:
|>smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
|
|This will simply result in clients that can't support at least TLSv1.2
|connecting in plain text instead. So rather than having (arguably not
|so) poor encryption
On 19/03/23 07:44, Matus UHLAR - fantomas via Postfix-users wrote:
I would generally allow the printer to use port 25.
Port 25 is not a submission port and should not be used as such. Keep
your submission separate from your MX traffic and you will avoid a whole
heap of issues down the road.
On 19/03/23 02:54, Gerd Hoerst via Postfix-users wrote:
I setup my postfix for the clients to use only protocols > TLSv1 with
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1
A better way to do this is:
smtpd_tls_protocols = >=TLSv1.1
smtpd_tls_protocols =
On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote:
I still have no problems with
smtpd_tls_mandatory_protocols = >=TLSv1.2
This is fine, so long as you don't have a user that can't support at
least TLSv1.2 that needs to use submission.
smtpd_tls_protocols =
On 10/03/23 11:09, Wietse Venema via Postfix-users wrote:
I am subscribed to several mailing lists that have [uppercase
abbreviation] as their tag, and that works well. None of those tags
are more than 5 characters long.
I have the opposite experience. most of the lists I'm subscribed to
On 10/03/23 10:04, Dan Mahoney via Postfix-users wrote:
I know that P-U stands for postfix users. I get it that a short subject tag
was desired, but would [postfix] have been that much more distracting, without
adding the obvious third-grader label that might better be held by qmail?
On 10/03/23 09:22, Wietse Venema via Postfix-users wrote:
This list uses Mailman configuration settings, not handcrafted code.
If people believe that it is worthwhile to change the Mailman
implementation or the DMARC spec, then I suggest that they work
with the people responsible for that.
How
On 10/03/23 09:12, Gerald Galster via Postfix-users wrote:
Many email clients have a "Reply List" option which goes to the address in the List-Post: header.
Thunderbird has a "Smart Reply" button that when displaying a message with List-Post: defaults to
"Reply List". I've found that hiding
On 10/03/23 09:07, Matthew McGehrin via Postfix-users wrote:
Hi Peter.
The Reply-To has always been the original poster for 10+ years. No sense
changing it now. :)
On the contrary, this is the perfect time to change it, if we're going
to change it. We've already made a number of changes to
On 10/03/23 08:50, Steffen Nurpmeso via Postfix-users wrote:
Wietse Venema via Postfix-users wrote in
<4pxdmb1f8fzj...@spike.porcupine.org>:
|postfix--- via Postfix-users:
|> Is it the best idea to add a reply-to header to the author on mailing \
|> list emails?
|> The problem I see is
On 10/03/23 07:34, postfix--- via Postfix-users wrote:
Is it the best idea to add a reply-to header to the author on mailing
list emails?
The problem I see is many people will hit reply in their email client
which will create an email from them to the author, bypassing the
mailing list.
Unless
On 8/03/23 10:40, postfix--- via Postfix-users wrote:
I am using RHEL8 and after checking for updates I was able to update
opendmarc to 1.4.2 (from 1.4.1) however it still has the error, only
with mail from this list.
In the mean time as suggested, I added "list.sys4.de" to the ignorelist
to
On 8/03/23 15:46, Scott Kitterman via Postfix-users wrote:
For Debian, if someone can find/test patches, I can get them into Debian's
package. I assume other distributors are similar. Feel free to update the
Debian bug with information. It's unfortunate we don't have a better
maintained
On 8/03/23 10:54, postfix--- via Postfix-users wrote:
No solution so far, I think there are 2-3 open bug reports on
github, but since the project is very dead, nobody has bothered to
fix the problem.
So what's the option for a more up-to-date version of DKIM milter for
debian?
And what would
85 matches