On 04.07.22 13:28, Scappatura Rocco wrote:
These are the top lines of my master.cf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtp      inet  n       -       y       -       400     smtpd
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
this file looks to be misordered, proper order should look like:
smtp      inet  n       -       y       -       400     smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
Also, you seem to be missing many important options for submission (needed
to avoid spamming and getting spammed).
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
authentication should be mandatory on smtps port.
Submission is not enabled. What happens if I enable it? What are the changes
that I have to make?
you will be able to submit mail using port 587.
you should enable and require authentication on submission port too.
-----Original message-----
From: [email protected] [mailto:[email protected]]
On behalf of David Bürgin
Sent: Monday, 4 July 2022 14:23
To: [email protected]
Subject: Re: DMARC milter question
Scappatura Rocco:
I have one postfix server (say, 'myserver.domain.tld') acting as MX for some
domains and as SMTP relay for the SASL-authenticated users from the same domains.
On that server I have enabled the DMARC milter (besides that, I have set up DKIM,
and it works fine):
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301,local:opendmarc/opendmarc.sock
non_smtpd_milters =
    inet:localhost:12301,local:opendmarc/opendmarc.sock
But after that, all authenticated users that use 'myserver.domain.tld' as
outgoing mail server (port TCP 25 or TCP 465 with SSL) can't send messages
because they receive messages like this:
Jun 8 16:49:59 av6 postfix/cleanup[3049167]: E7A75D6564:
milter-reject: END-OF-MESSAGE from
host-79-3-222-54.business.telecomitalia.it[79.3.222.54]: 5.7.1
rejected by DMARC policy for inframail.it; from=<[email protected]>
to=<[email protected]> proto=ESMTP helo=<DESKTOPT41K2DB>
This is correct because it surely doesn't satisfy the SPF policy. So I think that I
have to enable DMARC for incoming email (email destined to domains whose
MX record value is 'myserver.domain.tld').
If I'm right, how do I configure the DMARC milter in postfix to get this? Otherwise,
how do I have to use DMARC to limit SPAM?
You can override the smtpd_milters setting from /etc/postfix/main.cf, for
example,
smtpd_milters =
    unix:spf/spf-milter.sock
    unix:opendkim/opendkim.sock
    unix:openarc/openarc.sock
    unix:opendmarc/opendmarc.sock
    unix:spamassassin/spamassassin-milter.sock
    ...
by specifying just a subset of milters for mail submission in
/etc/postfix/master.cf, for example:
submission inet n       -       y       -       -       smtpd
  ...
  -o smtpd_milters=unix:opendkim/opendkim.sock
  ...
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.
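
Added example (not part of the original thread, and not Postfix's own code): a small checker that parses master.cf, including the whitespace-continued -o lines, and reports submission/smtps entries that lack the mandatory-authentication overrides recommended above or that inherit smtpd_milters from main.cf, which is how authenticated senders ended up in front of the DMARC milter. The finding labels and the sample configs are constructed; only master.cf overrides are inspected, so equivalent settings made globally in main.cf are assumed absent.

```python
import shlex

SUBMISSION = {"submission", "smtps"}  # service names used in the thread

def parse_master_cf(text):
    """Map service name -> (command, {option: value}) for inet entries."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank lines and comments are skipped
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        if len(fields) < 8 or fields[1] != "inet":
            continue
        args = fields[8:]
        # Each "-o name=value" pair overrides a main.cf parameter for this service.
        pairs = [v.split("=", 1) for f, v in zip(args, args[1:]) if f == "-o" and "=" in v]
        services[fields[0]] = (fields[7], dict(pairs))
    return services

def audit(text):
    """Return (service, finding) pairs; finding labels are made up for this example."""
    findings = []
    for name, (command, opts) in parse_master_cf(text).items():
        if name not in SUBMISSION or command != "smtpd":
            continue
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            findings.append((name, "sasl-not-enabled"))
        rules = opts.get("smtpd_client_restrictions", "").replace(",", " ").split()
        if "permit_sasl_authenticated" not in rules or rules[-1:] != ["reject"]:
            findings.append((name, "unauthenticated-not-rejected"))
        if "smtpd_milters" not in opts:
            findings.append((name, "inherits-main-cf-milters"))
    return findings

# Constructed samples: the active entries quoted in the thread, then a hardened smtps.
THREAD_CF = """\
smtp   inet n - y - 400 smtpd
smtps  inet n - y - -   smtpd
  -o smtpd_tls_wrappermode=yes
"""
HARDENED_CF = THREAD_CF + """\
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_milters=unix:opendkim/opendkim.sock
"""
```

audit(THREAD_CF) reports all three findings for smtps, and audit(HARDENED_CF) reports none; the port 25 smtp entry is deliberately not checked, since it must accept unauthenticated inbound mail and keep the DMARC milter.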