[pfx] Re: removing Authentication-Results, how?

2024-02-20 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 20, 2024 at 06:02:22PM -0500, Wietse Venema via Postfix-users wrote: > - You'd better add $$ at the end of the pattern, to anchor the regular > expression. Actually, that hostname is typically followed by additional data separated by whitespace or a ';'. > header_checks = pcre:{

[pfx] Re: What features to deprecate

2024-02-13 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 13, 2024 at 01:20:00PM -0500, Wietse Venema via Postfix-users wrote: > > Obsoleted by automatic negotiation in the SSL code: > > > > - smtpd_tls_dh1024_param_file = auto > > - smtpd_tls_eecdh_grade = auto > > > > [ We could delete the underlying support code for the explicit

[pfx] Re: What features to deprecate

2024-02-13 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 13, 2024 at 06:32:14PM +0100, Geert Hendrickx via Postfix-users wrote: > On Tue, Feb 13, 2024 at 12:23:32 -0500, Wietse Venema via Postfix-users wrote: > > - masquerade_domains complicates table-driven address validation. > > Log a deprecation warning with compatibility_levels>=3.9.

[pfx] Re: What features to deprecate

2024-02-13 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 13, 2024 at 12:23:32PM -0500, Wietse Venema via Postfix-users wrote: > Over 25 years, Postfix has accumulated some features that > are essentially obsolete. > > - permit_mx_backup is fundamentally incompatible with recipient > address validation. There is no way to work around that

[pfx] DANE: ATTENTION: Let's Encrypt drops DST X3 from default chain, breaking "depth 2" ISRG "2 1 1" TLSA records...

2024-02-12 Thread Viktor Dukhovni via Postfix-users
As of roughly the start of this month, the DANE survey at is seeing a steady stream of validation failures for MX hosts that rely only on: _25._tcp.mail.domain.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3 [ Some

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Viktor Dukhovni via Postfix-users
On Mon, Feb 12, 2024 at 09:05:12PM -0600, Jakob Cornell via Postfix-users wrote: > Can we improve this so it's easier to get this right on the first try > as a newcomer, and make it more clear what's happening at run time? It > looks like a code change to skip the logging along with the actual >

[pfx] Re: masquerade_domains does not work for relayed domain

2024-02-12 Thread Viktor Dukhovni via Postfix-users
On Mon, Feb 12, 2024 at 04:28:41PM +0100, Aleksandar Ivanisevic via Postfix-users wrote: > > Is it true that masquerade_domains does not work for header From: in relayed > emails? I have a fairly generic setup: > > masquerade_classes = envelope_sender, header_sender, header_recipient >

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 07:42:24PM -0600, Jakob Cornell via Postfix-users wrote: > smtpd_recipient_restrictions = > check_sender_access regexp:/etc/postfix/db/sender_access_table > ... As documented regexp, pcre, ... tables don't do "partial key" lookups. This is deliberate and

[pfx] Re: How to forward submitted mails under the identity of an email alias to all other members of that alias?

2024-02-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 10:59:37AM +0100, Matthias Nagel via Postfix-users wrote: > How do I forward submitted mails under the identity of an email alias > to all other members of that alias? Is that even possible with Postfix > only? Yes, with sender_bcc_maps, and with the proviso that the BCC

[pfx] Re: Understanding log entries

2024-02-10 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 07:13:38PM +1300, Peter via Postfix-users wrote: > Right, and further to that a 554 response at connection time is a rejection > of the *connection*. No attempt was ever made to send the *message*, so in > a manner of speaking the message is still valid and a different

[pfx] Re: Alias forwarding request

2024-02-08 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 08, 2024 at 07:08:35PM +0100, Maurizio Caloro via Postfix-users wrote: > To forwarding alias to emailaddress, mysql are setuped followed: > > Files : > > * /etc/folder/mysql-virtual_alias_maps.cf > * /etc/folder/mysql-virtual_mailbox_domains.cf > *

[pfx] Re: Server etiquette

2024-02-07 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 07, 2024 at 11:21:10AM -0500, John Hill via Postfix-users wrote: > I use fail2ban as well. I'm just going to see if the sender server will give > up! I prefer to have logs that record what I'm blocking. With firewall rules there's not sufficient forensic evidence left behind. --

[pfx] Re: Server etiquette

2024-02-07 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 07, 2024 at 07:59:44AM -0500, John Hill via Postfix-users wrote: > Do mail servers as a whole stop sending an email after a few errors? For a single message, surer On soft errors (4XX), most retry, typically stopping after a maximal delay. The retry strategy varies, but

[pfx] Re: One user unable to send email

2024-02-06 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 06, 2024 at 10:27:17PM -0500, Ken Wright via Postfix-users wrote: > I honestly don't know if this is an issue with Postfix or Roundcube, > but I thought I'd start here. > > I'm running Postfix 3.8.1 on Ubuntu Server 23.10 and I'm hosting a > friend's website and email in addition to

[pfx] Re: why tls library problem?

2024-02-06 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 06, 2024 at 06:50:28PM +0100, Maurizio Caloro via Postfix-users wrote: > Feb6 time P postfix/tlsproxy[300980]: warning: TLS library problem: > error:1417A0C1:SSL routines:tls_post_process_client_hello: > no shared cipher:../ssl/statem/statem_srvr.c:2283: This looks like a client

[pfx] Re: Forward mails if user unknown in local recipient table

2024-02-06 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 06, 2024 at 10:31:06PM +0530, Akshay Pushparaj via Postfix-users wrote: > I would like to know if i can configure postfix to forward mails if user not > found in local recipient table. That's not the right question. The right question is: - How to deliver some users for a

[pfx] Re: postscreen segfault since 3.8.4

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 08:12:56PM -0500, Christophe Kalt via Postfix-users wrote: > These are the alpine packages themselves, but I'm not familiar with how > they're built so I can't rule out a bad build. It's also possible that I > didn't let the 3.8.3 version run long enough for it to crash

[pfx] Re: postscreen segfault since 3.8.4

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 05:06:22PM -0500, Viktor Dukhovni via Postfix-users wrote: > > - 3.8.4 on alpine 3.19.0 > > - 3.8.5 on alpine 3.19.1 > > > > but apparently not for 3.8.3 on alpine 3.18.3 > > There's perhaps an issue in the OpenSSL or other library depende

[pfx] Re: postscreen segfault since 3.8.4

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 01:37:18PM -0500, Christophe Kalt via Postfix-users wrote: > /usr/libexec/postfix/postscreen pid 93 killed by signal 11 > > These connections are from an SMTP probe that goes EHLO STARTTLS EHLO QUIT > > I've not run postscreen previously, so I cannot tell whether this

[pfx] Re: Adjusting smtpd_recipient_restrictions

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 01:22:45PM +0200, Mark via Postfix-users wrote: > Is it better to list reject_unauth_destination after; > > permit_mynetworks, > permit_sasl_authenticated, > > Or before these? And why? Best practice is to require submission users sending outbound mail do so via ports

[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 10:17:45PM +0100, Jaroslaw Rafa via Postfix-users wrote: > Dnia 3.02.2024 o godz. 12:59:27 Viktor Dukhovni via Postfix-users pisze: > > > > These days, users are far better off with delivery to an IMAP store that > > is not tied directly to any l

[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 04:57:05PM +0100, Jaroslaw Rafa via Postfix-users wrote: > > The "local" transport is a legacy Sendmail-compatibility interface, > > and should generally be avoided. > > Why avoided? If you have local Unix users on your server, and you want those > users to receive mail,

[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 05:52:17AM -0800, Dan Mahoney via Postfix-users wrote: > We have an internal domain, zimbra.example.org, but it's only used for > internal routing of our corporate mail (there's a master delivery map > that controls what addresses at example.org route to >

[pfx] Re: Adjusting smtpd_recipient_restrictions

2024-02-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Feb 02, 2024 at 08:26:20AM +0300, Mark via Postfix-users wrote: > I'm trying to adjust my smtpd_recipient_restrictions so that any emails > coming to a non-existent account on my server would be rejected BEFORE the > attempt reaches RBLs/RBL queries. If you're using Postfix 3.6 or later,

[pfx] Re: milter: how about a SMFIP_NOQUIT?

2024-01-31 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 31, 2024 at 12:13:51PM -0500, Wietse Venema via Postfix-users wrote: > - The MTA then needs to keep the Milter connection open while waiting > for new work. Once there is work, the MTA sends SMFIC_CONNECT and > so on. > > - This sounds like the MTA needs a Milter connection cache

[pfx] Re: Are multiple white spaces allowed in a date in headers?

2024-01-31 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 31, 2024 at 01:00:56PM +0100, Michael Storz via Postfix-users wrote: > day = ([FWS] 1*2DIGIT FWS) / obs-day > > This says a day can consist of one or two digits preceded by an optional > folding white space (FWS): > > FWS = ([*WSP CRLF] 1*WSP) / obs-FWS

[pfx] Re: problem to add, alias failed

2024-01-30 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 30, 2024 at 07:57:18PM +0100, Maurizio Caloro via Postfix-users wrote: > if adding a new user with postfixadmin 3.3.8 or with cli this will run > without problem. > > GRANT ALL PRIVILEGES ON mailserver.* TO markus@'domain.com > ' IDENTIFIED BY >

[pfx] Re: different queue time based on the sender address

2024-01-27 Thread Viktor Dukhovni via Postfix-users
On Sat, Jan 27, 2024 at 12:01:55PM +0100, Aleksandar Ivanisevic via Postfix-users wrote: > in main.cf > sender_dependent_default_transport_maps = hash:/etc/postfix/relay_by_sender > > in /etc/postfix/relay_by_sender > mysender.com smtp:[localhost]:588 The listening SMTP service for that port

[pfx] Re: Log/Capture outbound messages?

2024-01-26 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 26, 2024 at 07:51:31PM -0500, Wietse Venema via Postfix-users wrote: > joe a via Postfix-users: > > Postfix 3.5.9-5.9.2 > > > > Perhaps not a postfix question at all. Looking for a way to capture > > outbound email, for troubleshooting purposes. > > > > Is "smtp-sink" the way to

[pfx] Re: ldap + 550 5.1.1

2024-01-26 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 26, 2024 at 03:41:10PM +0100, Karsten Schmid via Postfix-users wrote: > So how would an appropriate entry in virtual_alias_maps look like? https://www.postfix.org/ldap_table.5.html > root@creampuff [/etc/postfix/ldap] # postfix reload > /usr/sbin/postconf: fatal:

[pfx] Re: [postfix] 3.4.23: virtual, pipe and ${original_recipient} vs. ${recipient}

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 04:48:39PM -0500, Bill Cole via Postfix-users wrote: > > - Are you expecting exactly one recipient per-invocation of the > > spamassassin filter? I'm not sure how spamc handles multiple > > recipients after "-u". > > It doesn't. The argument to '-u' is a key to

[pfx] Re: Different rules for submission(s)

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 09:13:22PM +0100, Paul van der Vlis via Postfix-users wrote: > Op 25-01-2024 om 20:40 schreef Viktor Dukhovni via Postfix-users: > > On Thu, Jan 25, 2024 at 08:31:44PM +0100, Paul van der Vlis via > > Postfix-users wrote: > > > Hello, > >

[pfx] Re: Different rules for submission(s)

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 08:31:44PM +0100, Paul van der Vlis via Postfix-users wrote: > Hello, > > Since over 20 years I use Postfix, but some things I don't understand... > > I want different rules for mail what comes through submission(s) and what > comes from other mailservers using port 25.

[pfx] Re: [postfix] 3.4.23: virtual, pipe and ${original_recipient} vs. ${recipient}

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 12:04:38PM +, hawky--- via Postfix-users wrote: > we're in the process to integrate SpamAssassin in our mail system. We > decided to use the after-queue attempt with > > > smtpd -o content_filter= > The problem we're facing right now is that pipe is getting the alias

[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 08:27:53PM +0100, Matthias Schneider via Postfix-users wrote: > Using a Milter is an option, but it often involves correlating > information from both the milter process and the log for a > comprehensive view. Everything of interest can be added as a message header. >

[pfx] Re: Documentation on upgrade 2.10 to 3.5

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 11:17:16AM -0500, Viktor Dukhovni via Postfix-users wrote: > > > 2) The leapp output mentions a compatibility option.  I think I need to > > > use that.  Is there documentation on it? > > https://www.postfix.org/postconf.5.html#compati

[pfx] Re: Documentation on upgrade 2.10 to 3.5

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 09:38:06AM -0600, Bill Gee via Postfix-users wrote: > > 1) Is there any documentation about moving from Postfix 2 to 3?  I > > looked on the web site but saw nothing obvious. The RELEASE NOTES:

[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 03:10:03PM +0100, Matthias Schneider via Postfix-users wrote: > Initially, I experimented with a Milter for logging the required > headers, but I found that employing a larger %s printf value proved to > be a more efficient solution. However, I'd like to point out that

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 22, 2024 at 02:57:16PM -0500, Bill Cole via Postfix-users wrote: > The reason implicit TLS isn't useful for SMTP (MTA-MTA) use is that port 25 > must always be backwards-compatible and so MUST start with a plaintext > server greeting, NOT a TLS handshake. Establishing a new secure

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 22, 2024 at 11:44:40AM -0300, Taco de Wolff via Postfix-users wrote: > Two questions really, one is that I can't enable TLS1.3 whatever I try. > Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm > that TLS1.3 ciphers are available: Protocol version negotiation

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> syntax/behaviuor of virtual_alias_maps

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 11:35:39PM +0100, Simon Hoffmann via Postfix-users wrote: > > DO NOT use the deprecated "virtual_domains" parameter, it mixes > > classification of domains with address mappings. > > I have read that and I thought I understood it. Simply put, use "virtual_alias_domains"

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> syntax/behaviuor of virtual_alias_maps

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 07:21:26PM +0100, Simon Hoffmann via Postfix-users wrote: > The old virtual_domains file just lists all domains (one per line), and can > directly be used in > virtual_alias_domains. You're going about this the wrong way, by trying to translate low-level artefacts from

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 06:53:58PM +0100, Simon Hoffmann via Postfix-users wrote: > > This copies only the message headers and body, but fails to capture the > > message envelope, which contains the true recipient list. With > > per-recipient addressing in "recipient_bcc_maps", and provided the

[pfx] Re: How to reject messages on submission with typo in To address?

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 09:39:06AM +0100, Paul Menzel via Postfix-users wrote: > pg.de is currently a parked domain, so our users will not going to > email there, and I would like to reject such messages submitted to us, > that the email client shows an error as it’s done, when, for example, >

[pfx] Seeking contact with Postfix SELinux policy maintainers...

2024-01-20 Thread Viktor Dukhovni via Postfix-users
I am looking to make contact with the maintainers of the SELinux policy profile for Postfix on Fedora (presumably ultimately also RHEL), Debian and other systems that ship with pre-installed SELinux policy rules for Postfix. If you're a maintainer of such policy rules please reach out. I had a

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching

2024-01-20 Thread Viktor Dukhovni via Postfix-users
On Sat, Jan 20, 2024 at 05:44:25PM +0100, Simon Hoffmann wrote: > > > I am currently planning to switch from OpenSMTPd to postfix for two > > > reasons > > > > > > - smtpd_sender_login_maps functionality not really implemented in > > > OpenSMTPd > > > - always_bcc not possible on OpenSMTPd > >

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching

2024-01-20 Thread Viktor Dukhovni via Postfix-users
On Sat, Jan 20, 2024 at 03:42:52PM +0100, Simon Hoffmann via Postfix-users wrote: > I am currently planning to switch from OpenSMTPd to postfix for two reasons > > - smtpd_sender_login_maps functionality not really implemented in OpenSMTPd > - always_bcc not possible on OpenSMTPd FWIW, I'd

[pfx] Re: client checks with suspect IPs

2024-01-16 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 16, 2024 at 02:28:50PM -0500, Alex via Postfix-users wrote: In addition to other comments, beware sloppy and inappropriate use of "regular" expressions: > /etc/postfix-118/client_checks.pcre: > /74\.203\.184\.40/ OK This should be a "cidr:" table lookup instead,

[pfx] Re: relay_domains override for smtpd

2024-01-16 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 16, 2024 at 06:12:58PM +0100, Marc Dierksen via Postfix-users wrote: > I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that accepts > mails on port 25 for a list of domains defined as relay_domains in the > main.cf. > > I am currently trying to setup a second smtpd

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-15 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 15, 2024 at 08:14:13AM +0100, Gerd Hoerst via Postfix-users wrote: > I added > > masquerade_domains > = hoerst.net > > to main.cf and mail sent via mailx is sent as u...@domain.tld and it has also > both DKIM Signatures

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-14 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 14, 2024 at 06:05:20PM +0100, Gerd Hoerst via Postfix-users wrote: > Still no success.. > > non_smtpd_milters is set and mail send via mailx or sendmail is still not > signed.. > > btw: with mailx or sendmail  email will send with u...@host.domain.tld > instead of u...@domain.tld

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-14 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 14, 2024 at 04:20:29PM +0100, Gerd Hoerst via Postfix-users wrote: > How can i check if its now correct with my setup, that mail which is not > coming from smtp or esmtp ? Log in to the machine and send an email message (to some address you receive) via sendmail(1) or the mail(1) or

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-12 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 12, 2024 at 08:07:02PM -0500, Wietse Venema via Postfix-users wrote: > > In my case it is the "daemon_name" macro, and so I have: > > > > $ postconf -Mf cleanup/unix > > cleanup unix n - n - 0 cleanup > > -o

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-12 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 12, 2024 at 11:10:52PM +0100, Gerd Hoerst via Postfix-users wrote: > Hi ! > > In my main.cf > > non_smtpd_milters = $smtpd_milters > > is already configured... > > Where else can I check ? The milter configuration, and Postfix cleanup(8) milter macros How does the milter decide

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-12 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 12, 2024 at 07:43:51PM +0100, Gerd Hoerst via Postfix-users wrote: > im using ubuntu 22.04 and i setup complete feature set  with spf / dkim / > dmarc / dane during the last time i get some emails related to this domain > which i do not understand (if the problem is on my side) The

[pfx] Re: postfix repo

2024-01-11 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 11, 2024 at 07:29:40PM +0100, Benny Pedersen via Postfix-users wrote: > Wietse Venema via Postfix-users skrev den 2024-01-11 15:56: > > natan via Postfix-users: > > > Hi Wietse Have you thought about postfix repo for Debian, just like > > > dovecot has for his release ? > > > > > >

[pfx] Re: postfix repo

2024-01-11 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 11, 2024 at 03:53:35PM +0100, natan via Postfix-users wrote: > Hi Wietse Have you thought about postfix repo for Debian, just like dovecot > has for his release ? > What is a "Postfix repo for Debian"? Do you mean binary release packages? What's wrong with the packages from the

[pfx] Re: Not a very important problem - smtpd_sender_login_maps

2024-01-11 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 11, 2024 at 02:08:28PM +0100, natan via Postfix-users wrote: > I need a mapping every single email to the same one in pcre for > sender_login_maps.cf for > > reject_sender_login_mismatch > ... > smtpd_sender_login_maps = pcre:/etc/postfix/sender_login_maps.cf > ... > > Yes, I can use

[pfx] Re: Downloadlinks for postfix-3.9-20240109 seem to be broken

2024-01-10 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 10, 2024 at 04:47:43PM +0100, Ralf Hildebrandt via Postfix-users wrote: > http://ftp.porcupine.org/mirrors/postfix-release/index.html > > lists: > > http://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.9-20240109.tar.gz >

[pfx] Re: Incoming mail server blocks outlook / microsoft servers

2024-01-10 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 10, 2024 at 05:38:37PM +0200, Nikolaos Milas via Postfix-users wrote: > On 10/1/2024 5:24 μ.μ., Matus UHLAR - fantomas via Postfix-users wrote: > > > If you use postscreen, remove reject_rbl_client from *_restrictions. > > > > reject_rhsbl_client, reject_rhsbl_sender and

[pfx] Re: Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 08, 2024 at 07:36:37PM +0100, Michael Grimm via Postfix-users wrote: > >smtp unix - - n - - smtp > >smtpv4 unix - - n - - smtp > >-o inet_protocols=ipv4 > >smtpv6 unix - - n

[pfx] Re: recipient_bcc_maps clarification.

2024-01-08 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 08, 2024 at 10:24:15AM +0530, anant--- via Postfix-users wrote: > For specific 2 recipients of our domain, we don't want always_bcc to be > implemented. ie. if a mail is addressed to a...@xx.com (our domain only), > mail should not be Bcc to zz...@xx.com. similarly if mail recipient

[pfx] Re: Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 08, 2024 at 04:02:48PM +0100, Michael Grimm via Postfix-users wrote: > Sometimes outgoing mail is deferred due to "reputational issues" at > the receiving side. These "reputational issues" mostly concerned my > IP6 addresses, thus I removed IP6 mailing completely. But now, I do > want

[pfx] Re: SMTP Smuggling with long-term fix

2024-01-06 Thread Viktor Dukhovni via Postfix-users
On 6 Jan 2024, at 12:04 pm, Damian via Postfix-users wrote: > > If I remember correctly, on the wire there was \r\n\r\n.\r\r\n > > I will assemble a pcap and some logs when I'm back home. That's expected, Postfix will accept one *or more* CRs before LF as CRLF.

[pfx] Re: Behaviour in case of multiple relay hosts with multiple DNS records

2024-01-05 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 05, 2024 at 06:46:01PM +0100, Peter Wienemann via Postfix-users wrote: > > Unfortunately this says that RFC 5321 applies to LMTP deliveries, > > RFC 2033 says: "The LMTP protocol is identical to the SMTP protocol [SMTP] > [HOST-REQ] with its service extensions [ESMTP], except as

[pfx] Re: Postfix stopped logging lines with sender IP addresses after upgrade

2024-01-02 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 02, 2024 at 02:44:06PM -0500, Vince Heuser via Postfix-users wrote: > Jan 02 14:26:56 islou postfix/qmgr[2]: 4T4NC41vLCzQ1P: > from=, size=1258, nrcpt=1 (queue active) > Jan 02 14:26:56 islou postfix/smtp[22517]: 4T4N9z4tYzzQ1b: to=, > relay=127.0.0.1[127.0.0.1]:10024, delay=57,

[pfx] Re: Behaviour in case of multiple relay hosts with multiple DNS records

2024-01-02 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 02, 2024 at 11:12:28AM +0100, Peter Wienemann via Postfix-users wrote: > To avoid a potential misunderstanding: I do not see any reason to cast doubt > on the RFC compliance of Postfix. I think the issue discussed in this thread > rather goes beyond what is specified in RFCs. It

[pfx] Re: How to configure lmtp delivery

2023-12-31 Thread Viktor Dukhovni via Postfix-users
On Sun, Dec 31, 2023 at 08:25:42PM +0100, toganm--- via Postfix-users wrote: > >>>>> "VDvP" == Viktor Dukhovni via Postfix-users > >>>>> writes: > > VDvP> So the "hostname" form does not use "[]", which are only

[pfx] Re: How to configure lmtp delivery

2023-12-31 Thread Viktor Dukhovni via Postfix-users
On Sun, Dec 31, 2023 at 07:52:39PM +0100, Togan Muftuoglu via Postfix-users wrote: > so the following is all I need which I wrote in the first mail > (without the inet part) I don't need to set anything in master.cf > > mailbox_transport = lmtp:inet:[172.16.0.216]:24 > virtual_transport =

[pfx] Re: How to configure lmtp delivery

2023-12-31 Thread Viktor Dukhovni via Postfix-users
On Sun, Dec 31, 2023 at 06:47:25PM +0100, toganm--- via Postfix-users wrote: > When the documentation lacks what I am looking for then is there another way? > > WVvP> To integrate Dovecot, see Dovecot documentation for examples. > > That does not help because dovecot is not running on the

[pfx] Re: postfix 'non-interactive-package' build/install to non-default target location requires existence of /etc/postfix/{main,master}.cf ?

2023-12-30 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 30, 2023 at 07:54:56PM -0500, pgnd via Postfix-users wrote: > BUT, just-built 'postconf' FAILs, > > /usr/local/TMP/postfix-package/sbin/postconf mail_version > /usr/local/TMP/postfix-package/sbin/postconf: fatal: open > /etc/postfix/main.cf: No such file or

[pfx] Re: Behaviour in case of multiple relay hosts with multiple DNS records

2023-12-29 Thread Viktor Dukhovni via Postfix-users
On Fri, Dec 29, 2023 at 07:45:45PM +0100, Peter Wienemann via Postfix-users wrote: > > And then shows some examples that demonstrate that the using > > MX records is mutually exclusive with using address (A or ) records. > > I think what bears the potential for confusion is what you mean by

[pfx] Re: SMTP Smuggling, workarounds and fix // Clarification on BDAT

2023-12-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 27, 2023 at 11:40:56PM +0100, Damian via Postfix-users wrote: > > The attack can be mitigated by using BDAT. > > Can someone clarify? It really does not matter much, but leaving BDAT enabled can help in some cases. It is not necessary to go this deep down the rabbit hole. If both

[pfx] Re: WTF X-ANONYMOUSTLS ???

2023-12-26 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 27, 2023 at 06:45:27AM +0100, Ralph Seichter via Postfix-users wrote: > * Viktor Dukhovni via Postfix-users: > > > Microsoft ESMTP MAIL Service [...] > > Gee, who woulda thunk? ;-) That being said, perhaps somebody on the > "mailop" mailing list woul

[pfx] WTF X-ANONYMOUSTLS ???

2023-12-26 Thread Viktor Dukhovni via Postfix-users
I can't imagine what went on in the minds of the developers who thought it necessary to implement an "X-ANONYMOUSTLS" ESMTP extension. What's wrong with STARTTLS, that this was felt to be needed? Does anyone know where this might be, at least in part, documented? I've just run into a domain

[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 21, 2023 at 04:29:20PM -0500, Wietse Venema via Postfix-users wrote: > > > https://gitlab.com/ohisee/block-shodan-stretchoid-census > > > > I feel no particular urge to block them. > > They apparently flag a lot more Postfix MTAs than Exim ones. By "flag" you mean count instances

[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 21, 2023 at 03:08:57PM -0500, pgnd via Postfix-users wrote: > > This even includes "shodan" looking > > ugh. shodan. > > this can help a bit > > https://gitlab.com/ohisee/block-shodan-stretchoid-census I feel no particular urge to block them. -- Viktor.

[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 21, 2023 at 02:17:34PM -0500, Wietse Venema via Postfix-users wrote: > Kim Sindalsen via Postfix-users: > > I'm reading that either " smtpd_data_restrictions = > > reject_unauth_pipelining" or "smtpd_forbid_unauth_pipelining = yes" should > > *work* for short-term workaround, right? >

[pfx] Re: SMTP Smuggling short & long term fixes

2023-12-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 20, 2023 at 05:48:43PM -0500, Wietse Venema via Postfix-users wrote: > Wietse Venema via Postfix-users: > > As part of a non-responsible disclosure process, SEC Consult has > > published an email spoofing attack that involves a composition of > > different mail service behaviors with

[pfx] Re: SMTP smuggling

2023-12-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 20, 2023 at 09:12:47PM +0100, John D'Orazio via Postfix-devel wrote: > I recently encountered on a server of my own a case of SMTP smuggling. I am very sceptical that this is in fact the case. Which is to say, very confident it is not. > I was befuddled by the fact that I received

[pfx] Re: Not all errors are postfix's fault

2023-12-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 20, 2023 at 03:21:03PM +, Linkcheck via Postfix-users wrote: > > > How does your milter decide which messages to sign? Does it perhaps > > look for: > > > > milter_macro_daemon_name=ORIGINATING > > I originally had this in place but could find no reason for it online nor >

[pfx] Re: Not all errors are postfix's fault

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 04:07:11PM +, Linkcheck via Postfix-users wrote: > Sort of. I now have a problem where (it seems) ALL authenticated mail is not > being dkim signed How does your milter decide which messages to sign? Does it perhaps look for:

[pfx] Re: Using a second domain for outgoing mail

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 12:34:55PM -0600, Richard Raether via Postfix-users wrote: > In addition, the boss just asked is there a way to restrict the group of > users that can send from that second domain? We are using ldap for > authentication. Please forgive any ignorance on my part. How does

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 10:42:14AM -0500, Wietse Venema via Postfix-users wrote: > First, there is one mistake in my last quoted paragraph above. In > the smuggled commands, an attacker can avoid an SMTP command > pipelining violation, by using BDAT instead of DATA. > Below I'm indenting the

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 12:20:57AM +0100, r.barclay--- via Postfix-users wrote: > > For now, enforcement of pipelining is actually available, while > > enforcement of vs. is still only a hypothetical. > > As an average user without any special or legacy systems, I'd > appreciate if one could

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 18, 2023 at 05:40:49PM -0500, Wietse Venema wrote: > > - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting > > code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining" > > parameter defaults to "no". > > Indeed, setting "smtpd_forbid_unauth_pipelining =

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 18, 2023 at 02:48:43PM -0500, Bill Cole via Postfix-users wrote: > > This research work has now been published by Sec Consult company, see > > link below . > > It is interesting that they seem to be unaware of some SMTP basics, such as > the fact that message bodies, message headers,

[pfx] Re: queue_lifetime clarification

2023-12-14 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 14, 2023 at 12:41:17PM +0100, Marek Podmaka via Postfix-users wrote: > > and used header_checks to hold the mails in queue. > > > > Now, as no decision is made, I want to continue to hold for another 13 > > days more. > > > > Will this change, hold the queue for another 13 days more?

[pfx] Re: 25 years today

2023-12-14 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 14, 2023 at 08:20:26AM -0500, Wietse Venema via Postfix-users wrote: > As a few on this list may recall, it is 25 years ago today that the > "IBM secure mailer" had its public beta release. This was accompanied > by a nice article in the New York Times business section. Many thanks.

[pfx] Re: TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.

2023-12-14 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 14, 2023 at 11:04:32AM +0100, Joachim Lindenberg via Postfix-users wrote: > I'd say Viktor is biased towards 3 1 1. It isn't a bias, it is a rational recommendation. There are multiple issues with "2 1 1": - With a public issuer CA, you're adding a redundant trusted party,

[pfx] TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.

2023-12-08 Thread Viktor Dukhovni via Postfix-users
My previous post on this topic noted that covered Let's Encrypt are planning to *randomise* the choice of intermediate issuer CA used with each renewal. It now turns out that they will also be switching to new underlying intermediate CAs. So you'll a random choice of *new* issuers.

[pfx] Re: [ext] Why can't I get /etc/aliases to do anything?

2023-12-05 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 05, 2023 at 04:45:49PM +, Chris Green via Postfix-users wrote: > On Tue, Dec 05, 2023 at 05:41:11PM +0100, Ralf Hildebrandt via Postfix-users > wrote: > > * Chris Green via Postfix-users : > > > > > mydestination = > > > > no mail is delivered locally. Thus "/etc/aliases"

[pfx] Re: SELinux/SMTP Relay Handshake Failure

2023-12-04 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 04, 2023 at 07:20:08PM +1100, duluxoz via Postfix-users wrote: > This issue is definitely SELinux related, because it only crops up when > SELinux is enabled. > > I'm getting a `TLS handshake failed for service=smtp > peer=[104.199.96.85]:587` error when attempting to rely via

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 02, 2023 at 11:37:55AM -0500, pgnd wrote: > > - dane:Same as "may" in the absence of DNSSEC MX and TLSA > > iiuc, this functions as > > dane, with DNSSEC MX and TLSA > may, without DNSSEC MX and TLSA > > is there an equivalent single form that functions as > >

[pfx] Re: Patch: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 02, 2023 at 12:44:27PM +0100, Alexander Leidinger wrote: > > Actually "secure", which means that the match strategy is > > "nexthop:dot-nexthop" unless you specify additional command-line > > arguments to override the match list. > > > > switch (state->level) { > > case

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 02, 2023 at 09:55:44PM +0900, Byung-Hee HWANG via Postfix-users wrote: > > No, it's a pure security policy thing and an overlooked line in the mysql > > tls > > policy table. > > > > The policy "secure" (and I assume "dane-only") doesn't work, as github is > > not > > using DNSSEC.

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-01 Thread Viktor Dukhovni via Postfix-users
On Fri, Dec 01, 2023 at 01:52:19PM +0100, Alexander Leidinger wrote: > > No. The problem you're reporting is with name matching. If the > > certificate chain failed to be constructed, that'd be reported instead. > > You'll only see name match errors if the chain construction succeeds, > > but

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-01 Thread Viktor Dukhovni via Postfix-users
On Fri, Dec 01, 2023 at 09:53:25AM +0100, Alexander Leidinger via Postfix-users wrote: > > > Why should it expect reply.github.com? > > > > Because that name is securely known from the recipient address. Because, whether you're willing to understand the point or prefer to "dig in", verifying a

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-11-30 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via Postfix-users wrote: > > > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate > > > verification failed for in-9.smtp.github.com[140.82.112.31]:25: > > > num=62:hostname mismatch > > > > That is the error.

[pfx] Re: What does postfix do with malformed messages?

2023-11-29 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 29, 2023 at 10:17:01AM -0500, Wietse Venema via Postfix-users wrote: > > I see the cleanup program and all the options about when to run it and > > what to tell it to do, but in practice, will a typical system clean > > everything up, just locally submitted stuff, or something else?
