're still just guessing because you have still not
adequately described what you're doing, what you've changed, what
the error is, and where the error occurs.
If you're tired of guesses from random list members who are trying
to help, please see
http://www.postfix.org/DEBUG_README.html#mail
On 3/27/2024 11:51 AM, Noel Jones via Postfix-users wrote:
On 3/27/2024 11:25 AM, Samuel Goodies via Postfix-users wrote:
Hi guys. I'm inheriting a job that has an email server hosting
several domains, and I'm wanting to move them behind our firewall
and route mail from the main mail server
by step would surely be
appreciated.
Start with
http://www.postfix.org/documentation.html
Many of the how-to sites you find on the internet are wrong in small
or large ways.
-- Noel Jones
___
Postfix-users mailing list -- postfix-users@postfix.org
IPv4 addresses
{!10.0.0.0/8 silent-discard,dsn}
Seems to me 172. and 192. would match the above line.
Does cidr support DUNNO?
-- Noel Jones
{!172.16.0.0/12 silent-discard,dsn}
{!192.168.0.0/16 silent-discard,dsn}
{endif
to postfix.
The usual cause is a compromised web server or abused web forms.
Fix the right problem.
-- Noel Jones
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
, YMMV...
-- Noel Jones
'
hash:/etc/postfix/sender_checks
(does not match)
postmap -q 'outbound.protection.outlook.com'
hash:/etc/postfix/sender_checks
OK #(matches)
As documented, postmap is a simple test tool and does not do any
automatic parent or subdomain searching.
-- Noel Jones
"postconf -Mf", and samples
of what postfix logs when mail is received.
-- Noel Jones
.
Alternately, you can control it all yourself -- use canonical_maps
to map users to the correct outgoing domain, then use
virtual_alias_maps to map incoming mail back to the original user.
-- Noel Jones
On 12/19/2023 12:34 PM, Richard Raether via Postfix-users wrote:
In addition, the boss just
to do the mapping using canonical_maps,
but the first choice should be configuring the user's mail client.
If this isn't working as expected, please send logging demonstrating
the problem, and your "postconf -Mf".
-- Noel Jones
milestone!
Your kind and respectful attitude towards all the list members sets
the tone for this list, making it a great resource for both newbies
and experts. I think this list is one of the best features of postfix.
Looking forward to many more years! Thanks!
--
ke:
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_milters=
  -o syslog_name=postfix/10025
add other parameters, such as overrides for the various
smtpd_*_restrictions, as necessary for your situation.
-- Noel Jones
. This will override any existing
content_filter setting.
http://www.postfix.org/access.5.html
Also some content filters, such as amavisd-new, can alter their
behavior based on the sender domain or other criteria. This might be
easier to maintain than multiple filters.
-- Noel Jones
d to limit attacks and not to regulate
legit traffic, as any host slowed by these limits will likely see
significant delays. But maybe that's what you need.
-- Noel Jones
#soft_bounce
-- Noel Jones
in master.cf and must have the
check_sender_access somewhere in that path.
-- Noel Jones
ww.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html
-- Noel Jones
tfix or interfere with other mail. The biggest annoyance is
junking up the logs.
-- Noel Jones
l controls ...
-- Noel Jones
l need a milter for that. Maybe look at milter-regex.
-- Noel Jones
it came from.
chris@localhost user@somewhere
-- Noel Jones
ody_checks are evaluated one line at a time, not on the whole message.
You could probably use a milter, or a policy_service that rejects
based on size. Set the main.cf size value to something big, and
reject after the client sends all the data. This is inefficient, but
would work.
-- Noe
wrong solution. With this setting, postfix will accept mail to any
user address, and you will eventually have a queue full of undeliverable
bounces, plus get listed as a backscatter source.
The correct solution is to give postfix a list of all valid users. The easiest
way to do that is have all users be system users.
— Noel Jones
ail(TM), not Postfix. You need to run whatever
system utility FreeBSD uses to switch the default mailer. Note the
mail already is addressed to @mail.citytel.net, so that's happening
before postfix ever sees the mail.
-- Noel Jones
g all mail containing "2024", is just a land mine waiting to
disrupt mail in the future.
Leave date checking to mail parsers that are made for that job, or
find some other feature of the message to block on.
-- Noel Jones
dn’t. A tcp
capture will show what’s actually being sent.
— Noel Jones
is a reliable
spam indicator. Zero false positives is a much better goal than zero
spam.
-- Noel Jones
.
-- Noel Jones
same spam
controls and valid recipient lists. and an excuse to get rid of
largely unnecessary secondary MX servers.
Note that reject_unknown_client_hostname is a very strict test that
is likely to reject legit mail. Consider using
reject_unknown_reverse_client_hostname instead.
--
on your spam filter (or unknown mitigations) when a common feature
such as authentication will do the job? Why the risk?
This is a local spam problem.
Report abuse to your provider. If the provider is unwilling or
unable to fix the abuse, find another provider.
-- Noel Jones
em. If someone has found a way to abuse
this, then the abuse should be reported to the provider.
-- Noel Jones
authentication to send any mail, but I
don't see where this is a problem.
-- Noel Jones
sender
just above the final reject to minimally check for an existing
sender address.
http://www.postfix.org/postconf.5.html#reject_unlisted_sender
http://www.postfix.org/postconf.5.html#reject_unverified_sender
-- Noel Jones
t; message.
One common error is hidden non-text characters in the config file, I
don't know if that's what you're seeing or not.
-- Noel Jones
with signal 11,
restarting
The problem is your opendmarc is crashing. I'm afraid I don't have
any insight into why.
-- Noel Jones
to see who replied.
Any workarounds in Thunderbird to override this behavior?
In thunderbird, I'm using the "Correspondents" column instead of
"From" and it works for me.
-- Noel Jones
google to not handle your mail.
Anyway, this isn't a postfix problem. Rather, a google apps config
problem.
-- Noel Jones
e for more details and other examples.
http://www.postfix.org/postsuper.1.html
-- Noel Jones
: instead of pcre:
postconf -m will show supported map types.
-- Noel Jones
is (intentionally) not documented, and
dropping files directly into a queue directory is not supported.
-- Noel Jones
>
> Would you please advise?
>
> --
> Janos Dohanics
The goal is to have a matching PTR and A record. If you are able to have an A
record of customer.com pointing to only that IP address, then you can use it as
is.
If the customer has multiple IPs, particularly if they have a web server on a
different IP, then you’ll need to get this corrected.
— Noel Jones
will still log the action. There is no option to REJECT
or DISCARD without logging.
Some log systems have the ability to ignore certain entries, or you
can use grep etc. to preprocess a log file before analysis. That's
outside the scope of postfix.
-- Noel Jones
to be rejected, it can be rejected once
anywhere in the chain.
So even if a client is allowed in postscreen, it can still be
rejected by a later test.
You'll need to list the IP in postscreen, then also list the IP in a
check_client_access map before your policy services.
-- Noel Jones
r so it doesn't continue to reject this mail? How can I
otherwise permit the 209.177.165.0/24 network?
Yes, using either a postfix check_sender_access table with
generalatlantic.com or a check_client_access cidr: table with that
IP address range would bypass both policy services completely.
-- Noel Jones
in the scheduled November update.
-- Noel Jones
.
-- Noel Jones
zed for safety.
I can tell that I'm beating a dead horse now and will just let this
issue go. Bug or not, it is clear that it is not going to change.
Thank you everyone for the replies.
There is nothing to change, except possibly documenting this
behavior better.
-- Noel Jones
.
Unprintable characters are replaced with "?"
-- Noel Jones
that will
need to be adjusted.
-- Noel Jones
On 8/24/2022 11:03 AM, Ivars Strazdiņš wrote:
Hi Julio,
I tested and it did not work for local users, access is denied
(sending not possible) only for external ones.
Mail is sent to l...@domain.com regardless if local sender address
is in the insiders
il encrypted.
If you need further help, share your "postconf -nf" and "postconf
-Mf" and the actual log lines of both successful delivery and what
happens after you add the -o smtp_tls_wrappermode=yes
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
ccess inline:{192.0.2.1=permit_auth_destination}
using the IP of the offending client
For more complete examples and how to integrate this in your setup,
share your "postconf -nf" and the actual log entry.
-- Noel Jones
or is there a better way of doing this check and
reject those mails with the certain +whatever part
Thanks
To reject the recipient, use a check_recipient_access table.
-- Noel Jones
I think you configure unbound with another forward-zone: name:
“zen.spamhaus.org” and then don’t list any forwarding addresses. That should
turn off forwarding for that zone.
A forum for your OS or for unbound will probably give an authoritative answer
— Noel Jones
> On Mar 4, 2022, a
ossible some of their
back-end servers are blocked and some aren't, which will give you
unpredictable results.
To fix, ensure you either use a local DNS nameserver installed on
your computer, such as unbound, or sign up for the free (for low
volume) Spamhaus Data Query Service
-- Noel Jones
> On Feb 18, 2022, at 7:02 AM, P.V.Anthony wrote:
> I am reporting back to say it works well.
>
> One more question. In the maps file is it possible to use a hostname instead
> of an ip address?
>
> P.V.Anthony
>
>
No. The docs say the table is not searched by hostname
— Noel Jones
enough. This
subject has been discussed in the archives several times, but might
be hard to track down.
-- Noel Jones
216.109.104.12 starttls
-- Noel Jones
right. I
still need to modify main.cf to redirect the messages to get deferred.
To put everything on hold, insert check_client_access static:hold in
one of your restrictions. Something like:
smtpd_client_restrictions =
  check_client_access static:hold
  ... stuff you have already ...
-- Noel Jones
676536ybt.537 - gsmtp)
Feb 10 19:39:04 postfix postfix/qmgr[13849]: 7D1D0E0E6F: removed
What am I missing?
To test your existing filter, submit mail via SMTP on port 25. If
you intend to filter mail submitted via the command line sendmail,
you will need an Advanced Content Filter or milter.
-- Noel Jones
a milter or content_filter for complex actions
based on multiple headers, such as milter-regex
-- Noel Jones
, it will cause postfix to trust all hosts in the
88.103.239.0-255 subnet, which may not be appropriate.
For more info on CIDR or "slash notation" you can start here:
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
-- Noel Jones
5.6.7.8,
work?
Yes, you can add a comment by itself and continue the line by
starting real data with a space.
mynetworks =
# local host
  192.168.2.12
# accounting
  10.10.1.0/24
# production
  10.1.0.0/16
-- Noel Jones
ou can do that with milter-regex or some other milter.
-- Noel Jones
attempts.
-- Noel Jones
he "backup" and "ttl" options.
-- Noel Jones
On 8/5/2021 12:56 PM, Gomes, Rich wrote:
Anywhere else to look?
The logs.
-- Noel Jones
ed more help, please see:
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
the anti-http stuff because of ALPACA or was it
already there?
R's,
John
I think 2004, so it's been there a while. Back then sometimes open
web proxies were used to send spam knowing the MTA would ignore the
invalid commands.
-- Noel Jones
of starting from scratch.
-- Noel Jones
://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
On 7/20/2021 3:31 PM, post...@ptld.com wrote:
Also meaning if a client passed reject_unknown_client_hostname then
it would be procedurally pointless to check both reject_rhsbl_client
and reject_rhsbl_reverse_client, right?
It's ALWAYS pointless to check both.
-- Noel Jones
considers it "unknown" until it's been verified with FCrDNS.
Or am I misunderstanding what "unverified reverse client hostname"
means?
Apparently yes.
Unverified PTR hostnames are easily forged, so postfix tries to warn
you (by the feature name) when you're using a potentially forged
hostname.
-- Noel Jones
omain part - of an
email address. Since HELO is already a hostname and not an email
address, rhs of helo is nonsense.
-
-- Noel Jones
mail, either remove
mydomain from main.cf:mydestination, or add a transport_maps entry
as a hint.
-- Noel Jones
st of the mail handled by postfix-A goes to postfix-B, updating
the transport table map might be a better solution.
-- Noel Jones
any local mail
to the remote B instance periodically.
Actually, my first thought is if the vpn is frequently down, then
*that's* the problem to fix. Or just keep all the mail on the
cloud-A and access IMAP over the internet.
-- Noel Jones
recipients should be listed in
relay_recipient_maps, and the routing to the final destination is
defined in transport_maps.
-- Noel Jones
service could also do this.
http://www.postfix.org/SMTPD_POLICY_README.html
Usually postfwd is recommended as a good general-purpose policy
service, maybe there's another that would suit your needs better.
http://www.postfix.org/addon.html#policy
-- Noel Jones
3.5.6.
Thank you.
As the docs say, the brackets disable MX lookups, not DNS lookups.
Sounds like you should read
http://www.postfix.org/postconf.5.html#smtp_host_lookup
and probably use "dns, native"
-- Noel Jones
On 5/17/2021 6:27 PM, Benny Pedersen wrote:
On 2021-05-18 00:29, Noel Jones wrote:
127.0.0.1:submission inet n - n - - smtpd
[::1]:submission inet n - n - - smtpd
localhost:submission inet n - n - - smtpd
imho postfix will accept this as well, not tested
Yes, postfix will attempt
- - smtpd
[::1]:submission inet n - n - - smtpd
-- Noel Jones
On 5/12/2021 2:21 PM, Noel Jones wrote:
On 5/12/2021 2:11 PM, David Mehler wrote:
Hello,
Thanks. Here's my master.cf submission entry:
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o
internet connections have to pass.
add something like
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-- Noel Jones
t does make the error response
confusing. Maybe time to update your SPF service too.
-- Noel Jones
$smtpd_policy_maps
For reference, all postfix parameters, including deprecated ones,
are listed here:
http://www.postfix.org/postconf.5.html
-- Noel Jones
is no such thing.
>
> When a Milter asks Postfix to add a header to the message, then
> Postfix runs that header through milter_header_checks before updating
> the queue file (or taking some other action as specified in the
> milter_header_checks result).
>
> Wietse
You could probably log added headers with a WARN action if that would be useful
to you.
/./ WARN
— Noel Jones
/^(.+)@backup\.example\.com$/ $1...@example.com
#transport
backup.example.com relay:mx.backup.example.com
-- Noel Jones
A step further would be to periodically dump your SQL data to a cdb
database. These scale to millions of records with very low latency
and low resource usage.
http://www.postfix.org/CDB_README.html
Or switch to LMDB.
http://www.postfix.org/LMDB_README.html
-- Noel Jones
l subdomains on all levels.
Best
Marc
To control how many levels are matched you'll need a regex or pcre
table.
for matching one level, maybe:
/^[a-z0-9]+\.example\.com$/ transport:nexthop
-- Noel Jones
h as katie@localhost.local
-- Noel Jones
ESS_REWRITING_README.html
http://www.postfix.org/VIRTUAL_README.html
and several others.
-- Noel Jones
# virtual_alias
dom@business-domain dom.w@business-domain
-- Noel Jones
PTR hostname. This is mostly
safe since many major mail providers will either mark such mail as
spam or outright reject it.
If these aren't causing you any trouble, feel free to keep using them.
-- Noel Jones
out offer.
How can it be? Did ubuntu break postfix?
Sincerely,
Nerijus Kislauskas
http://www.postfix.org/postconf.5.html#smtp_tls_note_starttls_offer
Looks like it's working correctly.
-- Noel Jones
nd try again again again - especially if the reject happens
during the connect phase.
-- Noel Jones
you list everything in smtpd_recipient_restrictions, you'll
probably only need to maintain one manual permit/reject access list.
-- Noel Jones
m sure the normal logging contains everything you need. Resist the
urge to enable debug logs, which will hide the important bits in a
flood of irrelevant information.
Feel free to share "postconf -n" and relevant logs on the list if
you need more help.
-- Noel Jones
spambot, or an MTA that
doesn't like something about your server's response.
Probably not a scan or anything to be overly concerned with, unless
it looks like you might want their mail. Unless they repeat
thousands of times for hours it's not worth blocking - just ignore them.
-- Noel
il came from and what happened to it.
If you want to get rid of the logging (not recommended) use a log
filter such as rsyslogd or block the client IP in your firewall, or
use fail2ban to automatically block clients that make too many errors.
-- Noel Jones
. There is no protection against poorly written
expressions or typos that happen to result in a valid expression.
-- Noel Jones
1 - 100 of 3787 matches