Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Wietse Venema
Kai Schaetzl: > Addendum. > > Currently, I get client rejections with the setup shown in my last mail > (despite the delay). I don't know if it hits *always*, though. I can't > check if it didn't hit for some client where the name matches, there are > too

Re: Name Service error but resolver is working

2018-11-07 Thread Paul
Hi Maybe related to some of your NS not responding certainly from the UK that is dig  -t a mx31.harte-lyne.ca  @dns01.harte-lyne.ca  OK dig  -t a mx31.harte-lyne.ca  @dns02.harte-lyne.ca No response dig  -t a mx31.harte-lyne.ca  @dns03.harte-lyne.ca   several seconds to respond dig 

Re: Regenerating DHparams

2018-11-07 Thread Viktor Dukhovni
> > On Nov 7, 2018, at 1:39 PM, Postfix User wrote: > > Is there any recommended schedule for regenerating DHparams for Postfix? I > could not find anything specific about it. Since the parameters are not secret (in fact sent to the client with every full handshake), there's no risk of

Re: Name Service error but resolver is working

2018-11-07 Thread James B. Byrne
On Wed, November 7, 2018 12:22, Paul wrote: > Hi > > Maybe related to some of your NS not responding certainly from the UK > that is > > dig  -t a mx31.harte-lyne.ca  @dns01.harte-lyne.ca  OK > > dig  -t a mx31.harte-lyne.ca  @dns02.harte-lyne.ca     No > response > > dig  -t a

RE: looking for any options to better deal with mail looping

2018-11-07 Thread Fazzina, Angelo
I changed my config and added/changed in main.cf smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_unverified_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination address_verify_poll_count = ${stress?1}${stress:3} address_verify_poll_delay = 3s

RE: looking for any options to better deal with mail looping

2018-11-07 Thread Luis Miguel Flores dos Santos
Do you have a wildcard in table? From: owner-postfix-us...@postfix.org on behalf of Fazzina, Angelo Sent: Wednesday, 7 November 2018 14:27 To: Postfix users Subject: looking for any options to better deal with mail looping Hi, I have a domain that

Regenerating DHparams

2018-11-07 Thread Postfix User
Is there any recommended schedule for regenerating DHparams for Postfix? I could not find anything specific about it. -- Jerry

Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Kai Schaetzl
Wietse Venema wrote on Wed, 7 Nov 2018 12:10:40 -0500 (EST): > HOWEVER, by default Postfix evaluates all of these at RCPT TO time. which means smtpd_delay_reject = yes is the default? Am I correct in assuming that with "yes" it doesn't matter if I list the client restrictions in

Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Noel Jones
On 11/7/2018 12:40 PM, Kai Schaetzl wrote: > Wietse Venema wrote on Wed, 7 Nov 2018 12:10:40 -0500 (EST): > >> HOWEVER, by default Postfix evaluates all of these at RCPT TO time. > > which means smtpd_delay_reject = yes is the default? Yes, that's the default, and generally should not be

Re: Name Service error but resolver is working

2018-11-07 Thread James B. Byrne
>> 50DFB12B2F7 7501 Tue Nov 6 17:22:42 MAILER-DAEMON >> (delivery temporarily suspended: Host or domain name not found. >> Name service error for name=mx31.harte-lyne.ca type=MX: Host not >> found, try again) On Wed, November 7, 2018 11:30, Wietse Venema wrote: >> I do not understand what

Re: Best way of synchronizing configs for multiple relay servers?

2018-11-07 Thread Stefan Bauer
I have similar case and set the first relay server in my pool as the one on which changes are only allowed. Then I do scp + service restart to the others with bash oneliner on demand. For the future I plan to check in config from any host to central svn/git repo and check frequently for changes

Re: looking for any options to better deal with mail looping

2018-11-07 Thread Viktor Dukhovni
> On Nov 7, 2018, at 3:26 PM, Fazzina, Angelo wrote: > > relay_recipient_maps = mysql:/etc/postfix/files/mysql_pn.cf > > I did a test > postmap /etc/postfix/files/mysql_pn.cf There's no point in trying to "postmap" MySQL, LDAP, PostgreSQL, "pcre", "regexp", ... tables. Only tables that have

Re: Name Service error but resolver is working

2018-11-07 Thread Viktor Dukhovni
> On Nov 7, 2018, at 3:27 PM, James B. Byrne wrote: > > Neither dns02 nor dns04 are listed in the /etc/resolv.conf file on the > affected services. > > With respect to Viktor's answer. > > My understanding is that: in the absence of a specified MX record then > the A RR is supposed to be

Re: Name Service error but resolver is working

2018-11-07 Thread Bill Cole
On 7 Nov 2018, at 15:27, James B. Byrne wrote: Neither dns02 nor dns04 are listed in the /etc/resolv.conf file on the affected services. That does not necessarily mean they are not being tried. They are half of your authoritative nameservers and they aren't working, so unless the

Re: Name Service error but resolver is working

2018-11-07 Thread James B. Byrne
I do not know what is going on here: This is found in the maillog on inet17 Nov 7 16:40:21 inet17 postfix/smtpd[79991]: NOQUEUE: reject: RCPT from unknown[216.185.71.31]: 450 4.1.2 : Recipient address rejected: Domain not found; from=<> to= proto=ESMTP helo= But this is what I get when I run

Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Kai Schaetzl
Noel Jones wrote on Wed, 7 Nov 2018 13:30:08 -0600: > With the above list, check_sender_access comes first. Postfix does > not reorder the list you have specified. Thanks for the answer. But, please look again. /etc/mail/access: createsend.com REJECT cmail20.com REJECT The order is: > >

Re: Name Service error but resolver is working

2018-11-07 Thread Viktor Dukhovni
> On Nov 7, 2018, at 6:08 PM, Viktor Dukhovni > wrote: > > Your DNS is broken. Fix it! At the .CA level you have: > > harte-lyne.ca. IN NS dns04.harte-lyne.ca. ; AD=0 > harte-lyne.ca. IN NS dns03.harte-lyne.ca. ; AD=0 > harte-lyne.ca. IN NS dns01.harte-lyne.ca. ; AD=0 > harte-lyne.ca.

Re: Name Service error but resolver is working

2018-11-07 Thread Viktor Dukhovni
> On Nov 7, 2018, at 5:14 PM, James B. Byrne wrote: > > I do not know what is going on here: > > This is found in the maillog on inet17 > > Nov 7 16:40:21 inet17 postfix/smtpd[79991]: NOQUEUE: reject: RCPT > from unknown[216.185.71.31]: 450 4.1.2 > : Recipient address > rejected: Domain not

Re: what does it mean?

2018-11-07 Thread Dominic Raferd
On Thu, 8 Nov 2018 at 07:35, Poliman - Serwis wrote: > I have domain kamir-transport.pl deployed on the server with dns zone > where are configured google MX servers like aspmx.l.google.com, > alt1.aspmx.l.google.com (and few more). Mailboxes are not on my server, > all email things are deployed

Re: Regenerating DHparams

2018-11-07 Thread A. Schulze
Viktor Dukhovni: It is easy to set up a cron job that runs every 30 days, Hello, that's the first time I personally note a specific time windows. Thanks for sharing your position. I also regenerate dhparameter on monthly base, not every month but approximately every half year... if [

what does it mean?

2018-11-07 Thread Poliman - Serwis
I have domain kamir-transport.pl deployed on the server with dns zone where are configured google MX servers like aspmx.l.google.com, alt1.aspmx.l.google.com (and few more). Mailboxes are not on my server, all email things are deployed on google. Yesterday I saw in log the message: 9FBE713D05F

How do I turn on logging for postfix on mac

2018-11-07 Thread Robert Chalmers
I have been asked how I turn on /var/log/mail.log for postfix on a Mac running Mojave. I have it running on mine, but it always has - but I can’t remember if I had to do anything special to turn it on. The person asking has no /var/log/mail.log at all and now I’m curious. thanks robert

Re: Best way of synchronizing configs for multiple relay servers?

2018-11-07 Thread K F
Not sure I understand the suggestions fully. The configuration management systems I've found for postfix, are all concentrated on a single postfix system? Containers? Like in Docker? Why? I have the servers set up already? Not sure what the Makefile should do in the configuration context. It's

Best way of synchronizing configs for multiple relay servers?

2018-11-07 Thread K F
Hi all I'm contemplating on how I best keep all our relay servers synchronized in their config. They are set up as round robin servers in the DNS, so they distribute the load pretty ok. My first idea was to set up some rsync to copy the relevant directories like /etc/postfix and

Re: How do I make our relay server (postfix) redirect from one domain to another

2018-11-07 Thread K F
Ahh, yes, much better idea, thanks! On Wednesday, 7 November 2018 09.18.40 CET, Viktor Dukhovni wrote: > On Nov 7, 2018, at 3:08 AM, K F wrote: > > I can see in our outgoing mailqueue, that some users consistently spells > their email addresses wrong. > Ie. gmail.dk instead of

Re: Best way of synchronizing configs for multiple relay servers?

2018-11-07 Thread Patrick Ben Koetter
* K F : > Not sure I understand the suggestions fully. The configuration management > systems I've found for postfix, are all concentrated on a single postfix > system? Containers? Like in Docker? Why? I have the servers set up already? Not > sure what the Makefile should do in the configuration

Re: Best way of synchronizing configs for multiple relay servers?

2018-11-07 Thread Wietse Venema
Patrick Ben Koetter: > * K F : > > Hi all > > I'm contemplating on how I best keep all our relay servers synchronized in > > their config. They are set up as round robin servers in the DNS, so they > > distribute the load pretty ok. My first idea was to set up some rsync to > > copy the relevant

Re: Best way of synchronizing configs for multiple relay servers?

2018-11-07 Thread Patrick Ben Koetter
* K F : > Hi all > I'm contemplating on how I best keep all our relay servers synchronized in > their config. They are set up as round robin servers in the DNS, so they > distribute the load pretty ok. My first idea was to set up some rsync to copy > the relevant directories like /etc/postfix and

Re: TLS X.509 certificate hygiene...

2018-11-07 Thread Viktor Dukhovni
> On Nov 5, 2018, at 10:18 PM, Alice Wonder wrote: > > if not using keyUsage but using extendedKeyUsage within req_extensions should > digitalSignature be used? > > I basically do the following for my postfix certs > > [req] > distinguished_name = dn > req_extensions = ext >

How do I make our relay server (postfix) redirect from one domain to another

2018-11-07 Thread K F
I can see in our outgoing mailqueue, that some users consistently spells their email addresses wrong. Ie. gmail.dk instead of gmail.com I've looked into the 'virtual' setup, but I'm not sure if that can be used, as it sounds like that is only for incoming domains? So our setup is: mail generator ->

Re: How do I make our relay server (postfix) redirect from one domain to another

2018-11-07 Thread Viktor Dukhovni
> On Nov 7, 2018, at 3:08 AM, K F wrote: > > I can see in our outgoing mailqueue, that some users consistently spells > their email addresses wrong. > Ie. gmail.dk instead of gmail.com When you say "their email address", is that the user's own (sender) address, or the addresses of remote

smtpd_delay_reject with rspamd milter

2018-11-07 Thread Kai Schaetzl
I'm having trouble with access_maps kicking in after an upgrade from a Postfix 2.something to Postfix 3.1. on Ubuntu 14.06 and using postscreen and rspamd milter. After some testing I'm not sure yet, but it looks like the recommended smtpd_delay_reject = yes in connection with having the

Re: Name Service error but resolver is working

2018-11-07 Thread Viktor Dukhovni
On Wed, Nov 07, 2018 at 11:06:08AM -0500, James B. Byrne wrote: > 50DFB12B2F7 7501 Tue Nov 6 17:22:42 MAILER-DAEMON > (delivery temporarily suspended: Host or domain name not found. Name > service error for name=mx31.harte-lyne.ca type=MX: Host not found, try > again) Note that the lookup

Re: TLS X.509 certificate hygiene...

2018-11-07 Thread pg151
Viktor On Wed, Nov 7, 2018, at 8:34 AM, Viktor Dukhovni wrote: > ... Thx for the clarifications! > That's TLS 1.3, which as I mentioned is a different beast. It > always does PFS, and never RSA key exchange, but this is not reflected > in the cipher name, because the ciphers no longer specify

Re: TLS X.509 certificate hygiene...

2018-11-07 Thread Viktor Dukhovni
On Wed, Nov 07, 2018 at 08:52:26AM -0800, pg...@dev-mail.net wrote: > Re: this particular, *internal* connection, > > Nov 4 15:21:45 mx postfix/postscreen-internal/smtpd[15675]: > Anonymous TLS connection established from mx.example.com[XX.XX.XX.XX]: > TLSv1.3 with cipher

Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Kai Schaetzl
Addendum. Currently, I get client rejections with the setup shown in my last mail (despite the delay). I don't know if it hits *always*, though. I can't check if it didn't hit for some client where the name matches, there are too many entries. I expected it to carry out the helo checks before

Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Carsten Rosenberg
Kai, both are running simultaneously. So at smtpd_recipient_restriction stat the milter will also get the recipients. As far as I have seen the postfix restriction react faster. So if you reject somebody with an access_map, you won't see any scan result in rspamd. Only the milter connect,

Re: TLS X.509 certificate hygiene...

2018-11-07 Thread pg151
Viktor, On Wed, Nov 7, 2018, at 12:03 AM, Viktor Dukhovni wrote: > Check your logs for evidence of TLS <= 1.2 ciphers Doing the quick check you mentioned, first for my messy 'test' server, results are just 11 TLS_AES_256_GCM_SHA384 Those log messages, for me, are all generated on

Re: smtpd_delay_reject with rspamd milter

2018-11-07 Thread Kai Schaetzl
Carsten Rosenberg wrote on Wed, 7 Nov 2018 16:23:54 +0100: > So if you reject somebody with an access_map, you won't see any scan > result in rspamd. This would be fine ;-) > Do you have any problems with this situation? Yes, it's the other way around here. e.g. there is no rejection happening

looking for any options to better deal with mail looping

2018-11-07 Thread Fazzina, Angelo
Hi, I have a domain that has MX point to O365 and then O365 relays mail to Postfix server. Currently, Postfix does a lookup in a MySql table to know where to relay the email to, AFA next hop. If not found in table Postfix looks up MX and relays the email. I want to know if there is a more

Name Service error but resolver is working

2018-11-07 Thread James B. Byrne
On our IMAP service host I am seeing messages in the mailq similar to the following: 50DFB12B2F7 7501 Tue Nov 6 17:22:42 MAILER-DAEMON (delivery temporarily suspended: Host or domain name not found. Name service error for name=mx31.harte-lyne.ca type=MX: Host not found, try again)

RE: Name Service error but resolver is working

2018-11-07 Thread Deeztek Support
It's probably backscatter: http://www.postfix.org/BACKSCATTER_README.html -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of James B. Byrne Sent: Wednesday, November 7, 2018 11:06 AM To: postfix-us...@cloud9.net Subject:

Re: Name Service error but resolver is working

2018-11-07 Thread Wietse Venema
James B. Byrne: > On our IMAP service host I am seeing messages in the mailq similar to > the following: > > 50DFB12B2F7 7501 Tue Nov 6 17:22:42 MAILER-DAEMON > (delivery temporarily suspended: Host or domain name not found. Name > service error for name=mx31.harte-lyne.ca type=MX: Host not

Re: TLS X.509 certificate hygiene...

2018-11-07 Thread Viktor Dukhovni
On Wed, Nov 07, 2018 at 08:07:40AM -0800, pg...@dev-mail.net wrote: > On Wed, Nov 7, 2018, at 12:03 AM, Viktor Dukhovni wrote: > > Check your logs for evidence of TLS <= 1.2 ciphers > > Doing the quick check you mentioned, first for my messy 'test' server, > results are just > > 11

Re: looking for any options to better deal with mail looping

2018-11-07 Thread Wietse Venema
Fazzina, Angelo: > Hi, I have a domain that has MX point to O365 and then O365 relays > mail to Postfix server. Currently, Postfix does a lookup in a > MySql table to know where to relay the email to, AFA next hop. If > not found in table Postfix looks up MX and relays the email. Postfix should