[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-23 Thread Viktor Dukhovni via Postfix-users
On Thu, May 23, 2024 at 05:48:29PM -0400, Wietse Venema via Postfix-users wrote: > Greg Sims via Postfix-users: > > We see conn_use about 24% of the time: > > But none of the sessions shown in your message have that. > > Do they also have multiple-of-5-second type 'c' delays? Indeed those

[pfx] Re: Strengthen email system security

2024-05-22 Thread Viktor Dukhovni via Postfix-users
On Wed, May 22, 2024 at 11:27:15PM -0500, Scott Techlist via Postfix-users wrote: > >All of these entries are using the LOGIN mech. Unless you have an > >extremely old outlook express MUA (or similar) you can and should be > >using the PLAIN mech. You can eliminate all of the above attacks by

[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Viktor Dukhovni via Postfix-users
On Wed, May 22, 2024 at 12:19:03PM -0500, Greg Sims wrote: > [root@mail01 postfix]# postconf -nf > maximal_backoff_time = 16m > minimal_backoff_time = 2m > queue_run_delay = 2m FWIW (not related to your immediate issue) I would not recommend such a short maximal backoff, you're

[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Viktor Dukhovni via Postfix-users
On Wed, May 22, 2024 at 08:15:41AM -0500, Greg Sims via Postfix-users wrote: > I am having problems with "collate". I grepped a 10 minute portion of > our mail.log which created a 6.8M file. I ran "collate" on this file > and collected the output -- a 796M file. I looked at the file and it >

[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Viktor Dukhovni via Postfix-users
On Wed, May 22, 2024 at 05:35:25AM -0500, Greg Sims wrote: > Thank you again for your feedback on this issue. You're welcome, but I don't see anything in your reply that responds directly to my requests for more detailed configuration and log data. > I watched the workload in real time this

[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Viktor Dukhovni via Postfix-users
On Tue, May 21, 2024 at 08:31:51AM -0500, Greg Sims wrote: > Changes: > * certs back to defaults > * smtp_tls_loglevel = 1 Better. Now it is time to post a more detailed transcript of a single message (the sender and recipient addresses can be obfuscated if you wish, the recipient domain

[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-21 Thread Viktor Dukhovni via Postfix-users
On Tue, May 21, 2024 at 06:51:08AM -0500, Greg Sims via Postfix-users wrote: > Our main.cf contains: > smtpd_tls_cert_file = > smtpd_tls_key_file = > smtpd_tls_security_level = none There's no point in configuring SMTP server certificates when TLS is disabled in the SMTP

[pfx] Re: "delivered to command" config

2024-05-21 Thread Viktor Dukhovni via Postfix-users
On Tue, May 21, 2024 at 08:33:58AM +0100, Adam Weremczuk via Postfix-users wrote: > When I email "bugzi...@mydomain.com" from another account I get "Recipient > address rejected: User unknown in local recipient table". If you want this to not happen, see:

[pfx] Re: recipient_canonical works for orig_to in mydomain but not for orig_to in other.domain

2024-05-13 Thread Viktor Dukhovni via Postfix-users
On Mon, May 13, 2024 at 11:56:30AM +0200, Peter Uetrecht via Postfix-users wrote: > I have a working multi-instance setup with Postfix version 3.8.4 What > surprises me is that “recipient_canonical” works for some recipients > but not for all. It seems that "recipient_canonical" works for >

[pfx] Re: TLS Library Problem

2024-05-12 Thread Viktor Dukhovni via Postfix-users
On Sat, May 11, 2024 at 11:55:14PM -0400, Jason Hirsh via Postfix-users wrote: > I have they error message > > postfix/smtps/smtpd[39559]: warning: TLS library problem: > error:14094416:SSL routines:ssl3_read_bytes: > sslv3 alert certificate unknown: >

[pfx] Re: Fwd: [S-announce] [ANN]ounce of s-dkim-sign v0.6.1

2024-05-11 Thread Viktor Dukhovni via Postfix-users
On Sun, May 12, 2024 at 03:59:27AM +0200, Steffen Nurpmeso via Postfix-users wrote: > Well here i am indeed back again, to announce > > v0.6.1, 2024-05-12: > - Adds the algorithm big_ed-sha256 which effectively is RFC 8463 > (aka ed25519-sha256), but performs three digest operations

[pfx] Re: Different SMTP access/relay control for ipv4 vs ipv6?

2024-05-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Apr 28, 2024 at 05:31:21PM -0700, Peter via Postfix-users wrote: > The ideal end goal would be to use the same general set of controls as > v4, but to start off I would like to use a more permissive/less > restrictive set of controls, and initially only enable v6 for > receiving (as

[pfx] Re: private/dovecot-lmtp]: Connection refused)

2024-05-11 Thread Viktor Dukhovni via Postfix-users
On Sat, May 11, 2024 at 11:11:30AM +0200, Benny Pedersen via Postfix-users wrote: > > I am running Postfix/Dovecot/MySQL mail server. It was doing ok > > until I tried to improve it. I > > maybe just reboot ? :) Unlikely to help. Just restarting dovecot would be about the most that's

[pfx] Re: Postfix not doing round robin for equal weight MX records

2024-05-11 Thread Viktor Dukhovni via Postfix-users
On Fri, May 10, 2024 at 01:13:06PM -0400, Wietse Venema via Postfix-users wrote: > > Logs: > > grep relay=nlp[123456].*status=sent /var/log/maillog | sed > > 's/.*relay=//' | sed 's/,.*//' | sort | uniq -c This fails to deduplicate multi-recipient deliveries, which record the same relay= for

[pfx] Re: private/dovecot-lmtp]: Connection refused)

2024-05-10 Thread Viktor Dukhovni via Postfix-users
On Fri, May 10, 2024 at 08:47:26PM -0400, Jason Hirsh via Postfix-users wrote: > I am running Postfix/Dovecot/MySQL mail server. It was doing ok > until I tried to improve it. Reverting back to the "unimproved" prior state may be the best course of action. > May 10 20:11:27 triggerfish

[pfx] Re: recipient_bcc_maps with multi-instance

2024-05-10 Thread Viktor Dukhovni via Postfix-users
On Fri, May 10, 2024 at 09:47:31PM -0400, Alex via Postfix-users wrote: > Hi, I'm using postfix-3.7.9 multi-instance on fedora38 and can't figure out > why always_bcc and recipient_bcc_maps aren't working on the outbound > instance. > > 127.0.0.1:10025 inet n - n - 16

[pfx] Re: Cleanup service adds unexpected characters when replacing header

2024-05-07 Thread Viktor Dukhovni via Postfix-users
On Tue, May 07, 2024 at 10:07:15AM +0200, Denis Krienbühl via Postfix-users wrote: > Ultimately, I ended up with the following rule, but I have a problem with it > (or any other that I've found): > > /^\s*Received:[^\n]+(.*)/ REPLACE Received: from > [127.0.0.1]

[pfx] Re: When to set virtual_alias_domains, when virtual_mailbox_domains is already set?

2024-05-06 Thread Viktor Dukhovni via Postfix-users
On Mon, May 06, 2024 at 11:37:54AM +0200, Дилян Палаузов via Postfix-users wrote: > My reading is that a domain in virtual_alias_domains can be mentioned > neither in virtual_mailbox_domains nor as mydestination domain. Correct; note, however, that *all* recipients are subject to virtual(5)

[pfx] Re: Fun with line endings, was Re: Mail text wrapping

2024-04-28 Thread Viktor Dukhovni via Postfix-users
On Sun, Apr 28, 2024 at 07:15:38PM -0700, Doug Hardie wrote: > > I suppose, but sending bare LF in SMTP is definitely wrong, so he needs to > > fix that first. > > Well, the header lines are properly terminated by CRLF. However, the > text lines are whatever I get from postfix. Generally that

[pfx] Re: Enforce TLS in smtp client sender based?

2024-04-25 Thread Viktor Dukhovni via Postfix-users
On Fri, Apr 26, 2024 at 07:21:24AM +0200, Tobi via Postfix-users wrote: > Or would it be possible to use a sender_dependent_relayhost_maps and > define just the transport ex smtps: (without nexthop) in there so > postfix would use that transport (to be defined in master.cf) and the > normal MX of

[pfx] Re: IMPORTANT, drop "resolve [!UNAVAIL=return]" from Linux nsswitch.conf files

2024-04-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 24, 2024 at 07:23:00PM +0200, Kim Sindalsen via Postfix-users wrote: > > Regardless, as things stand, the default Fedora 39 nsswitch.conf > > makes Postfix restrictions much too fragile, and needs to be > > avoided. > > files dns is standard on my installation (Gentoo Linux/OpenRC)

[pfx] Re: IMPORTANT, drop "resolve [!UNAVAIL=return]" from Linux nsswitch.conf files

2024-04-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 24, 2024 at 07:43:35AM +0200, Reto via Postfix-users wrote: > On Mon, Apr 22, 2024 at 03:50:34PM GMT, Viktor Dukhovni via Postfix-users > wrote: > > and this (specifically, !UNAVAIL=return) turns soft DNS failures into > > hard errors. > > > > The so

[pfx] Re: Fun with line endings, was Re: Mail text wrapping

2024-04-23 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 24, 2024 at 01:01:46AM -, John Levine via Postfix-users wrote: > >I must be interpreting this wrong because it appears postfix is not > >accepting that. Here is the complete process. A message arrives at > >my MTA addressed to a specific address. Postfix delivers that >

[pfx] Re: Mail text wrapping

2024-04-23 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 23, 2024 at 11:46:22AM -0700, Doug Hardie via Postfix-users wrote: > > RFC 3676 addresses this. > > That was an amazing and helpful response. RFC 2045 showed exactly > what caused the problem. When the message was delivered to a file, > the CRLFs were replaced by \n. An = followed

[pfx] IMPORTANT, drop "resolve [!UNAVAIL=return]" from Linux nsswitch.conf files

2024-04-22 Thread Viktor Dukhovni via Postfix-users
The isi.edu DNS nameservers were apparently being DoSed today, and reverse and forward lookups (from my MX host) were failing. I was however surprised to then see: postfix/smtpd[2530673]: NOQUEUE: reject: RCPT from unknown[128.9.29.254]: 550 5.7.1 Client host rejected: cannot find

[pfx] Re: status=deferred (bounce or trace service failure)

2024-04-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 22, 2024 at 12:21:01AM -0400, 785 243 via Postfix-users wrote: > Recently i'm seeing a few messages deferred with status=deferred > (bounce or trace service failure) > > instead of status=deferred (host .. said: 450 ...) > > from the logs: > > postfix/smtp[272605]: warning:

[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere

2024-04-13 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 13, 2024 at 11:14:34AM -0400, Dan Mahoney wrote: > >>> virtual_alias_maps = static:allmail@$mydomain > >>> default_transport = virtual > >>> virtual_mailbox_maps = static:/var/spool/virtual/allmail/ > >>> virtual_uid_maps = static:12345 > >>> virtual_gid_maps = static:12345

[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere

2024-04-11 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 10, 2024 at 11:39:24PM -0400, Dan Mahoney via Postfix-users wrote: > > On Apr 2, 2024, at 10:52, Viktor Dukhovni via Postfix-users > > wrote: > > > > On Tue, Apr 02, 2024 at 04:14:29AM -0400, Dan Mahoney via Postfix-users > > wrote: > >> H

[pfx] Re: old TLS client

2024-04-03 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 03, 2024 at 09:23:26AM +0300, Levente Birta via Postfix-users wrote: > > The other possibility, is that the client never tried TLS 1.3, and was > > implemented by a clueless keyboard-monkey, who decided to always send > > the fallback SCSV even though there was no fallback. That's

[pfx] Re: old TLS client

2024-04-02 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 28, 2024 at 09:58:13AM +0200, Levente Birta via Postfix-users wrote: > > That's worth a try: > > > > 588 inet ... smtpd > > -o smtpd_tls_security_level=encrypt > > -o smtpd_tls_mandatory_protocols=TLSv1.2 > > ... > > Limiting to only TLSv1.2 did the

[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-02 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 02, 2024 at 12:11:03PM -0400, David Mehler wrote: > Here is the complete log of the connections, IPS x-d out, but I tried > twice, once on 587, once with smtps enabled. Any help appreciated. As noted by Wietse, debug (verbose) logging is not useful here. Just normal logging is quite

[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere

2024-04-02 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 02, 2024 at 04:14:29AM -0400, Dan Mahoney via Postfix-users wrote: > Hey there all, > > I’m setting up a staging version of dayjob’s ticket system, and we’d > basically like postfix to still function, but instead of touching the > internet at all, just deliver everything to a single

[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 01, 2024 at 04:09:34PM -0400, David Mehler via Postfix-users wrote: > In my master.cf I do have smtpd_tls_wrappermode but it's in the commented > out service for port 465, I'm using submission. > > I've checked with postconf and smtpd_tls_wrappermode is set to no. Of course, but

[pfx] Re: Thunderbird 91, Postfix 3.7.x, Debian 12, Virtual Mailbox Users, TLS with Letsencrypt, error improper command pipelining after helo

2024-04-01 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 01, 2024 at 01:45:11PM -0400, David Mehler via Postfix-users wrote: > I've tried configuring with both the automatic configuration and the > manual configuration, in both cases I am getting an error in my > maillog from submission/smtpd service stating error improper command >

[pfx] Re: check_policy_service for customizing routing & load balancing

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 10:41:08AM -0400, Wietse Venema via Postfix-users wrote: > Viktor Dukhovni via Postfix-users: > > On Tue, Mar 26, 2024 at 02:20:55PM -0400, Wietse Venema via Postfix-users > > wrote: > > > Viktor Dukhovni via Postfix-users: > > > &

[pfx] Re: old TLS client

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 03:28:38PM +0200, Levente Birta via Postfix-users wrote: > Please help me out with the following error. It's a not very old DVR > equipment sending notification emails on submission with TLS. > > Before (with Centos 7 and postfix 3.6) was working, but now, with rocky 8 >

[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 11:57:22AM +0100, Daniel Marquez-Klaka via Postfix-users wrote: > Why my setup looks like this? mail-server1 servs a couple of other mail > domains, not only the one destined for the mailing lists. An access list > here would affect all domains, right? Only if the access

[pfx] Re: check_policy_service for customizing routing & load balancing

2024-03-26 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 26, 2024 at 02:20:55PM -0400, Wietse Venema via Postfix-users wrote: > Viktor Dukhovni via Postfix-users: > > That's fine, the SRV records can be keyed by destination domain. > > Locally-managed SRV records, keyed by the final destination domain > name, to select

[pfx] Re: check_policy_service for customizing routing & load balancing

2024-03-26 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 26, 2024 at 05:22:52PM +, Colin McKinnon wrote: > > What kind of "load balancing"? Why won't MX records do? For uneven > > weights, you can even use SRV records: > > I'm trying to setup load balancing across a cluster of relays for a > SAAS application. There's several problems

[pfx] Re: check_policy_service for customizing routing & load balancing

2024-03-26 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 26, 2024 at 01:52:42PM +, Colin McKinnon via Postfix-users wrote: > I want to provision load balancing for my relays. What kind of "load balancing"? Why won't MX records do? For uneven weights, you can even use SRV records: use_srv_lookup = smtp relayhost =

[pfx] Re: strict access restrictions and bounces

2024-03-25 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 25, 2024 at 04:11:47PM +0100, Daniel Marquez-Klaka via Postfix-users wrote: > I have a problem with check_sender_access that I can't find a solution to. > > 2 postfix mail server, one, mail-server1, is connected to the > internet, the second, calling it list-server1, which serves a

[pfx] Re: How to set the minimum number of bits for (non-EC) DH key exchange?

2024-03-25 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 25, 2024 at 09:24:23AM +0100, Alexander Leidinger wrote: > thought-chain could be: > IF there is no MITM, and IF the session is encrypted, then at least use good > encryption so that an attacker which is only able to listen, is not able to > get the content. But, in that case, the

[pfx] Re: Postfix thinks smtp.gmail.com uses self-signed certificate

2024-03-24 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 25, 2024 at 12:00:12PM +0800, Cowbay via Postfix-users wrote: > On 2024/3/25 10:55, Viktor Dukhovni via Postfix-users wrote: > > > I checked posttls-finger on my another container which is Ubuntu > > > 22.04.4, posttls-finger still doesn't support ipv6, weird. >

[pfx] Re: Postfix thinks smtp.gmail.com uses self-signed certificate

2024-03-24 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 25, 2024 at 10:08:59AM +0800, Cowbay via Postfix-users wrote: > On 2024/3/25 01:12, Viktor Dukhovni via Postfix-users wrote: > > > If the "posttls-finger" has the identical behavior as postfix, then I > > > could write a simple cronjob script to "

[pfx] Re: Sending email via ipv4

2024-03-24 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 24, 2024 at 08:39:16PM +0100, Jack Raats via Postfix-users wrote: > > master.cf: > > smtp .. .. .. .. .. .. smtp > > -o inet_protocols=ipv6 > > What to do if my smtp line ends with postscreen? That's "smtp inet", while the delivery agent is "smtp unix ...", see my post for

[pfx] Re: Sending email via ipv4

2024-03-24 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 24, 2024 at 04:32:15PM +0100, Jack Raats via Postfix-users wrote: > Can anyone help me. I want to receive email via ipv4 and ipv6. I want to send > email via ipv6 only. > I tried using smtp_address_preference = ipv6, but that didn't work. I have a machine where IPv6 connectivity is

[pfx] Re: Postfix thinks smtp.gmail.com uses self-signed certificate

2024-03-24 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 24, 2024 at 11:34:35PM +0800, Cowbay via Postfix-users wrote: > > You might not get to observe the problem for quite some time (if ever > > again). > > I'm quite seldom sending mail by gmail via my postfix server. > > If the "posttls-finger" has the identical behavior as postfix,

[pfx] Re: dane.sys4.de

2024-03-24 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 24, 2024 at 05:22:26PM +0100, Benny Pedersen via Postfix-users wrote: > Viktor Dukhovni via Postfix-users skrev den 2024-03-24 02:31: > > > The code should be fixed, but nobody has complained loudly enough. > > time out or not, dnssec is green, tlsa is yellow

[pfx] Re: dane.sys4.de

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 11:43:02PM +0100, Benny Pedersen via Postfix-users wrote: > It goes into an endless loop if mx is missing, so it does not do a/ fallback > testing, is this a bug ? This is an off-topic question. The code behind dane.sys4.de is a Perl script that tests the correctness of

[pfx] Re: Why has smtpd_tls_cipherlist been deprecated?

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 12:45:04PM +0100, Matthias Nagel via Postfix-users wrote: > what is the rationale behind the deprecation of the setting > `smtpd_tls_cipherlist`? Are there any plans to remove it entirely in > some future versions? Superseded by smtpd_tls_cipher_grade and

[pfx] Re: Postfix thinks smtp.gmail.com uses self-signed certificate

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 06:24:50PM +0800, Cowbay via Postfix-users wrote: > My smtp_tls_policy_maps points to a hash table and the relevant entry is > [smtp.gmail.com]:465 secure OK, nothing unusual there. > > No, the self-signed certificate might have been some root CA that isn't

[pfx] Re: Postfix thinks smtp.gmail.com uses self-signed certificate

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 08:04:18AM -0400, Wietse Venema via Postfix-users wrote: > Please note that Postfix does not automatically use the "system" > root CA store that openssl s_client and curl may use. That could > result in verification differences between Postfix and other tools. > >

[pfx] Re: How to set the minimum number of bits for (non-EC) DH key exchange?

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 03:58:15PM +0100, Matthias Nagel via Postfix-users wrote: > So the question still stands, how do I ensure that Postfix uses at > least 2048bit DH, if TLS 1.2 and FFDH have been negotiated? As an SMTP server, Postfix uses a 2048-bit built-in group, or else whatever group

[pfx] Re: How to set the minimum number of bits for (non-EC) DH key exchange?

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users wrote: > I am currently assessing the TLS security of a Postfix mail server and > among other things sslscan reported that the server allows a (non-EC) > DH exchange with only 1024 bits. The Postfix SMTP server uses

[pfx] Re: Do I have to reload Postfix after the X.509 certificate (and key) file has been renewed?

2024-03-23 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 23, 2024 at 01:57:39PM +0100, Matthias Nagel via Postfix-users wrote: > Also note, that the file which is configured in > `smtpd_tls_chain_files` is only a symbolic link, e.g. > > # ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem > lrwxrwxrwx 1 root root 51

[pfx] Re: Postfix thinks smtp.gmail.com uses self-signed certificate

2024-03-22 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 10:25:26PM +0800, Cowbay via Postfix-users wrote: > I'm using debian 10, an old debian distribution. The Postfix version is > 3.4.23. The base 4.0 release is ~5 years old, but not materially different in its core TLS functionality. You'd see the same results with the

[pfx] Re: smtpd_discard_ehlo_keyword_address_maps all but internal

2024-03-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 21, 2024 at 11:06:12AM -0500, Noel Jones via Postfix-users wrote: > > Surely the generalisation is: > > > >smtpd_discard_ehlo_keyword_address_maps = > >cidr:{ > > {if 0.0.0.0/0} > > # Private IPv4 addresses > > {!10.0.0.0/8

[pfx] Re: smtpd_discard_ehlo_keyword_address_maps all but internal

2024-03-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 21, 2024 at 03:20:23PM +0100, Matus UHLAR - fantomas via Postfix-users wrote: > > Wietse Venema via Postfix-users: > > > smtpd_discard_ehlo_keyword_address_maps = > > > cidr:{ {!10/8 silent-discard,dsn} } > > On 23.02.24 11:12, Wietse Venema via Postfix-users wrote: > > But

[pfx] Re: Trouble with qmqp

2024-03-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 09:40:56PM +, Brad Koehn via Postfix-users wrote: > I’m trying to deliver email with Postfix 3.7.10 using `qmqpd`. > Unfortunately when I do this, the email is often unreadable by a > variety of email clients. Can you be more specific about what you mean by "deliver

[pfx] Re: Feature request

2024-03-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 09:17:58AM -0400, Viktor Dukhovni via Postfix-users wrote: > With bash <(command) inline file syntax, make the RHS unique on the fly: > > $ keystr=... > $ remap=/etc/postfix/... > $ postmap -q "$keystr" pcre:<(perl -pe 's/$/

[pfx] Re: Feature request

2024-03-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 01:42:16PM +0100, Ralf Hildebrandt via Postfix-users wrote: > Hi! > > I wonder if this is possible: > > If a PCRE/regexp style map is triggering, it can be quite hard to > find out WHICH pattern actually caused the action. > > So maybe postmap (when invoked with "-b",

[pfx] Re: postfix and from

2024-03-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 19, 2024 at 11:39:29AM +0100, natan via Postfix-users wrote: > Hi > I have one question regarding the RFC of the FROM field: in the message > header. > > Is there any restriction that will force the FROM field to be correct > according to the RFC? Nothing built into Postfix. > I'm

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 18, 2024 at 12:20:09AM -0700, Glenn Tenney via Postfix-users wrote: > > transport: > > u...@domain.name error:5.1.1 purported to not exist > > > > > > Thank you very much. A question please… the above two “solutions” seem to > accomplish very similar tasks: to reject

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 18, 2024 at 12:50:18AM -0700, Glenn Tenney via Postfix-users wrote: > On Monday, March 18, 2024, Benny Pedersen via Postfix-users < > > > Victor gave a weird config :) > > > > postfix must not return any result on non existing users, so if this > > gives no result user is unknown,

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 09:52:10PM -0700, Glenn Tenney via Postfix-users wrote: > > It is a reserved domain name, (one of many) that you can use internally, > > without clashing with *real domains*. > > Wow. Once you KNOW it's there, you can find out about "local.invalid". > BUT if you didn't

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 04:28:00PM -0700, Glenn Tenney via Postfix-users wrote: > Are you saying that if I want "username1" at my local domain to be > delivered to "user2" at my local domain, that that should be in the > virtual table and not in aliases? That's a 1-to-1 rewrite, not a >

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 18, 2024 at 02:04:55PM +1100, Phil Biggs via Postfix-users wrote: > Monday, March 18, 2024, 1:52:46 PM, Glenn Tenney via Postfix-users wrote: > Not sure about the rest of your requirements but perhaps > > smtpd_recipient_restrictions = reject_unverified_recipient > >

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 01:22:29PM -0700, Glenn Tenney via Postfix-users wrote: > I have to convert all of my "virtusertable" entries over to postfix. > I've read through > https://www.postfix.org/VIRTUAL_README.html & > https://www.postfix.org/postconf.5.html & >

[pfx] Re: postfix not working with squarespace domains

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 09:38:27AM -0500, Paxton Houston via Postfix-users wrote: > i'm trying to set up a mail server using postfix. i currently have a > squarespace domain and are using mailutils to send the email. do i need to > set up some kinda dns record? thanks bye For novice users

[pfx] Re: Behavior of smtp_tls_security_level = dane

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 03:19:02PM +0100, Dirk Stöcker via Postfix-users wrote: > Hallo, > > > On my machine, the authoritative server (BIND) only listens on the > > the ethernet IP interface, while the recursive server (unbound) > > listens only on 127.0.0.1. It validates queries for my own

[pfx] Re: Behavior of smtp_tls_security_level = dane

2024-03-16 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 16, 2024 at 11:04:46PM +0100, Dirk Stöcker via Postfix-users wrote: > From the server which has the local name server the answer has the > aa flag, but not the ad flag. That's expected when the nameserver in question is authoritative for the requested domain, no DNSSEC validation is

[pfx] Re: Behavior of smtp_tls_security_level = dane

2024-03-15 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 15, 2024 at 10:13:01PM +0100, Dirk Stöcker via Postfix-users wrote: > I recently did a misconfiguration of an internal mail server for a test > system and as a result broke the TLSA record. Exactly *how* was the TLSA record broken? Logs? And were alternative MX hosts available for

[pfx] Re: Dynamic transport?

2024-03-13 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 13, 2024 at 04:29:19PM +, Colin McKinnon via Postfix-users wrote: > In my previous question [1] Viktor Dukhovni suggested > > > you could use a policy service to impose rate limits per SASL login, or > > sender address > > as a means of preventing active queue congestion.

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-12 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 10:30:19PM -0700, Glenn Tenney wrote: > > Right, the missing "client=" is because the message was not accepted, > > and so no queue id was assigned. It seems this was before the changes > > to master.cf were made effective. > > Ok... that does sound like it's always been

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 07:50:22PM -0700, Glenn Tenney via Postfix-users wrote: > > You should also remove the "smtpd_sasl_auth_enable = yes" from > > "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and > > in main.cf set: > > No "mail.cf", but only "-o" is left... I meant

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 03:17:01PM -0700, Glenn Tenney via Postfix-users wrote: > So, the actual SASL login is "auser"? (which is what I've told gmail > to use to login) I don't know what it is, the logs will tell the true story. Please post both the "client=" and the "reject:" log entries for

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 10, 2024 at 09:19:09PM -0700, Glenn Tenney via Postfix-users wrote: > Gmail can login to the imap as "auser", but... when it tries to send > as "au...@domain.name" I get the following error: > > Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE: > reject: RCPT from

[pfx] Re: Dumb question about logging

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 12:58:38PM -0500, Wietse Venema via Postfix-users wrote: > Viktor Dukhovni via Postfix-users: > > On Sat, Mar 09, 2024 at 12:49:42PM +0100, Matus UHLAR - fantomas via > > Postfix-users wrote: > > > > > In case of domains in relay_doma

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 07:21:53PM +0100, Joachim Lindenberg via Postfix-users wrote: > I thought almost all cloud providers use anycast these days, > eliminating the need to serve different IPs per region. No. That's not the case. Anycast is a useful tool, but isn't the whole story. The

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users wrote: > > Viktor Dukhovni: > > not sufficient market pressure to make it a priority. > Unfortunately yes, not yet. > > various load balancers would need to do online DNSSEC signing > Can you please elaborate why that

[pfx] Re: Dumb question about logging

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 12:49:42PM +0100, Matus UHLAR - fantomas via Postfix-users wrote: > In case of domains in relay_domains, the command could be even > postfix/relay, so one needs to exclude that one as well. Actually, no, the "relay" transport is implemented by the smtp(8) delivery agent,

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 11:11:40PM +0100, Joachim Lindenberg via Postfix-users wrote: > But is there any reason that prevents google to use DNSSEC other than > the arrogance of power? My read is that there is not sufficient market pressure to make it a priority. Robust implementation at scale

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 10:01:29PM +0100, Joachim Lindenberg via Postfix-users wrote: > Imho you get pretty close to mta-sts if you use verify together with a > DNSSEC-validating resolver. You just validate the "authorized" MTAs by > different means. Yes, but google.com and yahoo.com (the

[pfx] Re: preserving multi line header_checks REPLACE

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 03:45:42PM -0500, Wietse Venema via Postfix-users wrote: > The postmap command reads input from stdin one line at a time, and > applies each input line to all the header_checks patterns. It can't > be used for multiline inputs. Time has passed, and you've forgotten that

[pfx] Re: preserving multi line header_checks REPLACE

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 09:23:19PM +0200, Mailinglists35 via Postfix-users wrote: > The postmap input looks like this: > > echo -e"Received: from [127.0.0.1] (web1dev [10.11.12.13])\n\tby > email.domain.tld (Postfix) with ESMTPS id C9056 >7E002\n\tfor ; Fri,8 Mar 2024 19:20:29

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users wrote: > Realistically, Gmail and Yahoo do not care about my MTA-STS > reports. All they care about is that I validate their X.509 certs. > > Is there any reason to use something like mta-sts-daemon in that > transport

[pfx] Re: Active queue congestion

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 01:11:09PM -0500, Wietse Venema via Postfix-users wrote: > > I am planning to look at increasing the size of the Active queue however I > > would need to resize to a minimum of 50x based on past events. > > That should be OK as long as your system has enough memory. A

[pfx] Re: verifying postfix github repo source tarballs?

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 05:26:08PM -0500, pgnd via Postfix-users wrote: > I understand the "only official" release sources are the tarballs, > > TARBALL DL FROM MIRROR SITE > wget > https://mirror.reverse.net/pub/postfix-release/official/postfix-3.8.6.tar.gz >

[pfx] Re: [ext] Re: [OT] postfwd3 as check_policy_service hogging the CPU

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 04:24:56PM +0100, Ralf Hildebrandt via Postfix-users wrote: > * Matus UHLAR - fantomas via Postfix-users : > > > > envelope sender address and number of recipients. > > > > not authenticated user? ;-) > > Yes, I'm also checking if the come from our exchangeserver. > >

[pfx] Re: Active queue congestion

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 12:26:06PM +, Colin McKinnon via Postfix-users wrote: > I look after a SAAS site where customers can send emails to their own > domains. At times some of our customers can initiate sending of large mail > volumes - which can swamp the active queue. Given sufficient

[pfx] Re: DNSBL rank log messages after HANGUP

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 01:06:53PM +1100, Phil Biggs via Postfix-users wrote: > Today I noticed that, occasionally, I see a syslog message stating "blocked > using zen.spamhaus..." but no matching "DNSBL rank ..." message. > > A couple of examples from the past two days: > >

[pfx] Re: improving SRS support

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 06, 2024 at 07:30:01PM -0500, Christophe Kalt via Postfix-users wrote: > The two options I've seen for implementing SRS are milter and > [sender_]canonical_maps but it seems to me that neither are a good fit when > rewriting the envelope From as they happen early on (smtpd and

[pfx] Re: pushing changes to remote system

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 06, 2024 at 07:12:18PM -0500, Alex via Postfix-users wrote: > I have a few postfix systems on fedora38 with nearly identical > configurations. I'd like to be able to push changes to them from a third > system without having to login to them directly to do so. What's the > best/most

[pfx] Re: Resolve sender domains in file before resorting to database

2024-03-02 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 28, 2024 at 12:17:27PM -0600, Joshua Flanagan via Postfix-users wrote: > Anyone else have suggestions on how to make sure postfix queries a file > table _by domain_ while still having a remote database lookup table as a > backup/last resort? To restrict database lookups to a subset

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-03-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote: > > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384; > > > > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers, > > which are fine to use.

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote: > I still use the > > # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection.. > tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20 I don't recommend cargo-culting random cipher lists. >

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote: > Sorry, context is important. This server needs to pass a Payment Card > Industry (PCI) compliance scan. Their definition of weak: "key lengths of > less than 112 bits, or else use the 3DES encryption suite". Opportunistic > TLS

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote: > # grep tls main.cf | grep -vE '^#' > smtp_tls_security_level = encrypt > smtpd_tls_ask_ccert = yes > smtpd_tls_CApath = $smtp_tls_CApath Not generally applicable. > smtp_tls_mandatory_protocols = !SSLv2 ,

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users wrote: > Would someone please describe the configuration settings needed to support > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my > configuration files: This is not the right question.
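
The "No Weak Ciphers" posts above (Feb 28 to Mar 2) share one practical problem: a cipher-list string such as the ones pasted in them says nothing by itself about which suites the installed OpenSSL will actually enable, which is why copied lists end up either too wide or needlessly narrow. The following is an added example (not code from the thread or from Postfix) that expands a cipher-list string through Python's ssl module and checks each resulting suite against the PCI wording quoted in the thread: strength below 112 bits, or any 3DES suite. The function names and the sample lists are this example's own; the expansion reflects whatever OpenSSL the interpreter is linked against, which is the point.

```python
"""Expand an OpenSSL cipher-list string and flag suites that fail the
"less than 112 bits, or 3DES" rule quoted in the thread.

Added example; not code from the thread or from Postfix.  Function names
and the sample lists are this example's own choices.
"""
import ssl

PCI_MIN_BITS = 112


def is_weak_for_pci(cipher: dict) -> bool:
    """True if an ssl.SSLContext.get_ciphers() entry fails the quoted rule.

    OpenSSL reports 3DES (DES-CBC3-*) as 112 strength bits, so the name
    check is what actually catches it; the bit threshold covers export,
    single-DES and RC4-class suites should a build still include them.
    """
    name = cipher["name"].upper()
    if "DES-CBC3" in name or "3DES" in name:
        return True
    return cipher["strength_bits"] < PCI_MIN_BITS


def expand_cipherlist(spec: str, min_version=ssl.TLSVersion.TLSv1_2):
    """Return the suites the linked OpenSSL selects for `spec`.

    Server-side context, TLS 1.2 floor by default: the output is what a
    server configured with this string would actually accept, including
    the TLS 1.3 suites, which OpenSSL lists regardless of the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit_cipherlist(spec: str):
    """Split the suites selected by `spec` into (acceptable, weak) name lists."""
    ok, weak = [], []
    for c in expand_cipherlist(spec):
        (weak if is_weak_for_pci(c) else ok).append(c["name"])
    return ok, weak


if __name__ == "__main__":
    # Two candidate lists: a broad one, and the same with 3DES excluded.
    for spec in ("HIGH:MEDIUM:!aNULL", "HIGH:MEDIUM:!aNULL:!3DES"):
        ok, weak = audit_cipherlist(spec)
        print(f"{spec}: {len(ok)} acceptable, weak = {weak or 'none'}")
        for name in ok:
            print("   ", name)
```

Run it on the exact string you intend to put into a tls_*_cipherlist or *_tls_exclude_ciphers setting, on the host that will run Postfix, since the result depends on that host's OpenSSL build and security level rather than on the string alone.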

[pfx] Re: Postconf.5 smtp_tls_loglevel 2

2024-02-21 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 21, 2024 at 08:32:49AM +, Rune Philosof via Postfix-users wrote: > It seems a bit unclearly phrased > > 2 Also log levels during TLS negotiation. Indeed this is not very helpful. See the description of the "-L" option in . > Should
