[pfx] Re: DQS key in error responses

2024-06-23 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> If you specify
>
> reject_rbl_client string-with-complex-syntax
>
> Then the rbl_reply_maps search key will be that 
> string-with-complex-syntax.
...
> Unlike rbl_reply_maps, postscreen strips the filter (and weight)
> before searching the reply table. There are merits to both approaches.
> Zen is a combination of XBL, PBL, and other lists. In some cases
> one might want to handle XBL, PBL, etc. differently.

It may be helpful to update rbl_reply_maps, so that it will query
with the domain, after a query with domain=filter returns 'not
found'.

That's a backwards compatible change that can simplify configuration.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: how to implement this route

2024-06-23 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello
> 
> I saw gmx.de/web.de have a policy that, if the submission IP is not from 
> DE/EU, messages will be routed to a different gateway which is listed in 
> spamhaus already. Otherwise if submission client's IP is in DE/EU, 
> messages will be routed out via the normal gateway whose IP is clean. 
> How to customize my own transport for that?

You can configure customized SMTP clients in master.cf, each with
an appropriate smtp_bind_address setting, and use transport_maps
to choose between those clients.

References:
https://www.postfix.org/postconf.5.html#smtp_bind_address
https://www.postfix.org/transport.5.html

AI is an experimental feature of this mailing list.

Wietse


[pfx] Re: DQS key in error responses

2024-06-23 Thread Wietse Venema via Postfix-users
Cody Millard via Postfix-users:
> Check out this link showing a example postfix configuration.
> 
> https://portal.spamhaus.com/dqs/#3.1.2
> 
> I found it to be very helpful in displaying the ranged syntax that 
> spamhaus supports.

For a web page that does not require logging in, see:

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html

Wietse


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users:
> > Absolutely. If you specify
> >
> > reject_rbl_client string-with-complex-syntax
> >
> > Then the rbl_reply_maps search key will be that 
> > string-with-complex-syntax.
> 
> OK. Right now I have multiple items like this in 
> smtpd_recipient_restrictions
> 
>  reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.2
>  reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.3
>  [... etc.]

In that case you need two table entries like

KEY.zen.dq.spamhaus.net=127.0.0.2   reply text...
KEY.zen.dq.spamhaus.net=127.0.0.3   reply text...

Or a pcre: table with a pattern that matches both.

/^\QKEY.(zen.dq.spamhaus.net)\E(=.*)/ 554 $rbl_class $rbl_what Blocked by $1...

But no-one should be doing that.

> So the string being searched is 'KEY.zen.dq.spamhaus.net=127.0.0.2', but 
> if I consolidated those into a single restriction:
> 
>   reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.[2..11]
> 
> that would then search for 'KEY.zen.dq.spamhaus.net=127.0.0.[2..11]', 
> matching the existing map entry.

Indeed. Mind you, I had to do some digging myself because address
filters were added 10+ years ago, and their impact on then 10-year
old existing features was not fully documented.

Unlike rbl_reply_maps, postscreen strips the filter (and weight)
before searching the reply table. There are merits to both approaches.
Zen is a combination of XBL, PBL, and other lists. In some cases
one might want to handle XBL, PBL, etc. differently.

Wietse


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> The rbl_reply_maps are searched with the domain specified with
> reject_rbl_client. 
> 
> That includes the optional "=address" portion, added in Postfix
> 2.8, but that was not added to the much older rbl_reply_maps
> documentation.

I have added documentation for how rbl_reply_maps handles reject_rbl_*
or reject_rhsbl_* arguments with an address filter. That text should
have been added in Postfix 2.8.

Wietse

rbl_reply_maps (default: empty)

Optional lookup tables with RBL or RHSBL response templates.
The table search key is the reject_rbl_* or reject_rhsbl_*
argument, including any optional "=address-pattern" filter. By
default, Postfix uses the default template as specified with
the default_rbl_reply configuration parameter. See there for a
discussion of the response template syntax.

(Example omitted)

NOTE: This feature differs from postscreen_dnsbl_reply_map where
the table search key is a domain name (no "=address" filter,
no "*weight" factor) and where the lookup result should be a
domain name (no free text, no $name variables).

This feature is available in Postfix 2.0 and later. The
"=address-pattern" filter is available in Postfix 2.8 and later.


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users:
> On 2024-06-22 at 15:19:42 UTC-0400 (Sat, 22 Jun 2024 15:19:42 -0400 
> (EDT))
> Wietse Venema via Postfix-users 
> is rumored to have said:
> 
> [...]
> > The rbl_reply_maps are searched with the domain specified with
> > reject_rbl_client.
> >
> > That includes the optional "=address" portion, added in Postfix
> > 2.8, but that was not added to the much older rbl_reply_maps
> > documentation.
> >
> > There is an rbl_reply_maps example (a hash map) at
> > https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html
> >
> > your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]
> > 554 $rbl_class $rbl_what blocked using ZEN - see ... for details
> 
> Are you certain that the range syntax works?

Absolutely. If you specify

reject_rbl_client string-with-complex-syntax

Then the rbl_reply_maps search key will be that string-with-complex-syntax.

Wietse


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Cody Millard via Postfix-users:
> Hello list.
> 
> I included Spamhaus XBL in client restrictions for my server. An error 
> is supplied to the individual/bot that is trying to connect that looks 
> like the following:
> 
> Transcript of session follows. Out: 554 5.7.1 Service unavailable; 
> Client host [57.152.56.248] blocked using .xbl.dq.spamhaus.net; 
> Listed by XBL, see https://check.spamhaus.org/query/ip/57.152.56.248 In: 
> ??? Out: 500 5.5.2 Error: bad UTF-8 syntax In: Out: 500 5.5.2 Error: bad 
> UTF-8 syntax In: ? Out: 221 2.7.0 Error: I can break rules, too. 
> Goodbye. For other details, see the local mail logfile
> 
> You can see my DQS key in the error sent to the client. Is this a 
> problem? If so, how could I remove the DQS key from the response?

The rbl_reply_maps are searched with the domain specified with
reject_rbl_client. 

That includes the optional "=address" portion, added in Postfix
2.8, but that was not added to the much older rbl_reply_maps
documentation.

There is an rbl_reply_maps example (a hash map) at
https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html

your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]
554 $rbl_class $rbl_what blocked using ZEN - see ... for details
...
your_DQS_key.zen.dq.spamhaus.net
554 $rbl_class $rbl_what blocked using ZEN - see ... for details
...

This behavior is different from postscreen; that program searches
the reply table with the service domain (your_DQS_key.zen.dq.spamhaus.net),
i.e. without the optional "=address" or "*weight".

Wietse
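As an added illustration of the lookup behaviour described in the messages above (this is not code from Postfix or from the thread), the following Python models three things: how rbl_reply_maps is searched with the whole reject_rbl_client argument, "=address-pattern" filter included; how the built-in default_rbl_reply template sends $rbl_domain, and with it the DQS key embedded in the domain, to the remote client; and how the domain-only fallback proposed earlier in this digest would change the lookup. The DQS key, client address, TXT text and custom reply are constructed placeholders, and the fallback is an assumption modelling the proposal, not current Postfix behaviour.

```python
import re

# Postfix's built-in default_rbl_reply template, as documented in postconf(5).
DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                     "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# Constructed values: a placeholder DQS key (not a real one) and a made-up
# custom reply that deliberately does not use $rbl_domain.
KEY = "EXAMPLEKEY"
ARG_WITH_FILTER = f"{KEY}.zen.dq.spamhaus.net=127.0.0.[2..11]"
ARG_PLAIN = f"{KEY}.zen.dq.spamhaus.net"
CUSTOM_REPLY = ("554 $rbl_class $rbl_what blocked using ZEN - "
                "see https://check.spamhaus.org/ for details")


def split_rbl_argument(arg):
    """Split a reject_rbl_client argument 'domain[=address-pattern]' into (domain, filter)."""
    domain, sep, flt = arg.partition("=")
    return domain, (flt if sep else None)


def lookup_reply(reply_map, arg, fallback_to_domain=False):
    """Find the reply template for a reject_rbl_client argument.

    Postfix searches rbl_reply_maps with the whole argument, filter included.
    fallback_to_domain=True models the change proposed in the thread (retry
    with the bare domain when the full key is not found); that is an
    assumption of this example, not current Postfix behaviour.
    """
    if arg in reply_map:
        return reply_map[arg]
    domain, flt = split_rbl_argument(arg)
    if fallback_to_domain and flt is not None and domain in reply_map:
        return reply_map[domain]
    return DEFAULT_RBL_REPLY


_COND = re.compile(r"\$\{(\w+)\?([^}]*)\}")   # ${name?text}: text only if name is set
_VAR = re.compile(r"\$(\w+)")                  # $name


def expand_template(template, attrs):
    """Expand ${name?text} conditionals first, then plain $name references."""
    text = _COND.sub(lambda m: m.group(2) if attrs.get(m.group(1)) else "", template)
    return _VAR.sub(lambda m: attrs.get(m.group(1), ""), text)


def smtp_reply(reply_map, arg, client_ip, txt_record, fallback_to_domain=False):
    """Build the SMTP rejection text a listed client would receive."""
    template = lookup_reply(reply_map, arg, fallback_to_domain)
    attrs = {
        "rbl_code": "554",
        "rbl_class": "Client host",
        "rbl_what": client_ip,
        "rbl_domain": split_rbl_argument(arg)[0],  # carries the DQS key
        "rbl_reason": txt_record,                   # the DNSBL TXT record
    }
    return expand_template(template, attrs)


def leaks_key(reply_text, key=KEY):
    """True when the DQS key ends up in text sent to the remote client."""
    return key in reply_text


if __name__ == "__main__":
    ip = "192.0.2.10"   # constructed client address
    txt = "Listed by XBL, see https://check.spamhaus.org/query/ip/192.0.2.10"
    # 1. No rbl_reply_maps: the default template expands $rbl_domain, key included.
    print(smtp_reply({}, ARG_WITH_FILTER, ip, txt))
    # 2. Map keyed with the full argument (filter included) matches and hides the key.
    print(smtp_reply({ARG_WITH_FILTER: CUSTOM_REPLY}, ARG_WITH_FILTER, ip, txt))
    # 3. Map keyed with the bare domain does not match the filtered argument today...
    print(smtp_reply({ARG_PLAIN: CUSTOM_REPLY}, ARG_WITH_FILTER, ip, txt))
    # ...but would with the proposed domain fallback.
    print(smtp_reply({ARG_PLAIN: CUSTOM_REPLY}, ARG_WITH_FILTER, ip, txt,
                     fallback_to_domain=True))
```

The practical check is the third case: a table keyed with the bare domain while main.cf uses the filtered form silently falls back to the default template, so the key is exposed exactly as in the transcript quoted above. Keying the table with the argument verbatim (or, for postscreen, with the bare domain) is what makes the custom reply take effect.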


[pfx] Re: non_smtpd relayhost ?

2024-06-21 Thread Wietse Venema via Postfix-users
Geert Hendrickx via Postfix-users:
> Hi
> 
> We have a few different sets of Postfix mailservers with different roles;
> inbound servers, outbound servers that DKIM sign outgoing mail with a
> milter, and some other servers that just relay mail that is already signed
> elsewhere.
> 
> The first and third types of mailservers don't need to sign mail passing
> through them, but we are looking for a way to sign their locally generated
> mail (bounces or DSN's), preferably without having to setup and maintain
> DKIM milters (and corresponding private keys) on all those servers.

So you're looking at setting up a host that will sign bounces that were
generated on those machines and not elsewhere.

And "those machines" could be back-end hosts that deliver to a
message store.

Fortunately, there is a way to distinguish between locally- and
remotely-generated bounces.

Locally-generated bounces are generated by the Postfix bounce daemon
which talks to a cleanup service to queue a message. One could run
bounce daemons with a cleanup_service override in master.cf:

(Postfix 3.0 long parameter syntax)

bounce ... ... ... ... ... ... ... bounce
-o { cleanup_service = ndr-cleanup }
defer ... ... ... ... ... ... ... bounce
-o { cleanup_service = ndr-cleanup }
trace ... ... ... ... ... ... ... bounce
-o { cleanup_service = ndr-cleanup }

This approach is relatively safe, because it is unlikely to clash
with bounce parameter settings in main.cf. Such main.cf settings
are extremely rare.

To queue the messages, configure a clone of the cleanup service
with a content_filter override that forces delivery to an ndr-signer
host.

ndr-cleanup ... ... ... ... ... ... ... cleanup
-o {content_filter = smtp:[ndr-signer] }

This approach may conflict with main.cf parameters that target the
"normal" cleanup service. If that is the case then you can override
the conflicting main.cf setting with a ndr-cleanup master.cf override
for that parameter.

A long list is at https://www.postfix.org/cleanup.8.html.

Wietse


[pfx] Re: SPF hostname and domainname

2024-06-21 Thread Wietse Venema via Postfix-users
Peter via Postfix-users:
> On 21/06/24 07:13, Wietse Venema via Postfix-users wrote:
> > Bounces are sent with the null envelope.from address which has no
> > domain. Therefore, SPF applies policy to a surrogate: the hostname
> > in the SMTP client's HELO/EHLO command (as if the envelope.from
> > address was postmaster@helo-argument).
> > 
> > This helo-argument is by default the value of the Postfix myhostname
> > parameter, which depending on myorigin setting may appear in the
> > header.from address mailer-daemon@whatever.
> > 
> > DMARC wants that the domain in envelope.from address (or its surrogate
> > in the case of <>) in some way align with the domain in the header.from
> > address (in this case mailer-daemon@whatever).
> > 
> > If someone can come up with a simple checklist for how to do this
> > then that would be great.
> 
> SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your mail 
> to be accepted:
> 
> 1.  HELO banner should pass SPF.
> 
> 2.  Envelope Sender should pass SPF.
> 
> 3.  Envelope Sender domain should align with the From: header domain.
> 
> 4.  Message should be DKIM signed.
> 
> 5.  Domain for the DKIM signature should align with the From: header domain.
> 
> Not all of the above are necessary (e.g. you can get away with SPF 
> alignment only or DKIM alignment only) but the more of those boxes that 
> you can successfully tick off the better chance you have for your message 
> to be accepted when things go wrong, or when a destination doesn't 
> implement one of the above checks properly.

Thanks. For completeness, in the case of bounce messages, items 2-3
apply as if the sender was postmaster@HELO-argument.

Wietse
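To make the checklist above and the null-sender surrogate concrete, here is an added Python model of DMARC identifier alignment (not code from Postfix or from any poster). It treats an empty envelope sender as postmaster@HELO-argument, as the thread describes, and evaluates SPF and DKIM alignment in relaxed and strict mode. The organizational-domain function is a deliberate simplification (last two labels) and the domains, hostnames and pass/fail inputs are constructed; a real evaluator uses the Public Suffix List and actual SPF/DKIM verification results.

```python
def org_domain(domain):
    """Simplified organizational domain: last two labels.

    Assumption of this example only; real DMARC uses the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_domain, mode="relaxed"):
    """DMARC alignment: strict needs an exact match, relaxed the same org domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "strict":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def spf_identity(envelope_from, helo):
    """Domain that SPF alignment is checked against.

    For the null sender (bounces) the surrogate is the HELO/EHLO argument,
    i.e. the message is treated as if sent by postmaster@helo.
    """
    if envelope_from in ("", "<>"):
        return helo
    return envelope_from.rsplit("@", 1)[1]


def dmarc_result(header_from, envelope_from, helo, spf_pass,
                 dkim_d, dkim_pass, mode="relaxed"):
    """Combine SPF and DKIM results with alignment the way a DMARC verifier does.

    spf_pass / dkim_pass are the raw authentication outcomes (inputs here);
    dkim_d is the d= domain of the signature, or None when unsigned.
    """
    from_domain = header_from.rsplit("@", 1)[1]
    spf_ok = bool(spf_pass) and aligned(spf_identity(envelope_from, helo), from_domain, mode)
    dkim_ok = bool(dkim_d) and bool(dkim_pass) and aligned(dkim_d, from_domain, mode)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed bounce: From: MAILER-DAEMON@example.com (myorigin=example.com),
    # null envelope sender, HELO mx1.example.com with a passing SPF record, no DKIM.
    print(dmarc_result("MAILER-DAEMON@example.com", "<>", "mx1.example.com",
                       spf_pass=True, dkim_d=None, dkim_pass=False))
    # Same bounce under strict alignment: mx1.example.com != example.com.
    print(dmarc_result("MAILER-DAEMON@example.com", "<>", "mx1.example.com",
                       spf_pass=True, dkim_d=None, dkim_pass=False, mode="strict"))
    # HELO in an unrelated domain fails SPF alignment, but a DKIM signature
    # with d=example.com (items 4-5 of the checklist) rescues it.
    print(dmarc_result("MAILER-DAEMON@example.com", "<>", "mx1.example.net",
                       spf_pass=True, dkim_d="example.com", dkim_pass=True))
```

The first two calls show why the myhostname/myorigin pairing matters for bounces: with relaxed alignment a HELO of mx1.example.com aligns with a From: in example.com, with strict alignment it does not, and in that case only a DKIM signature in the From: domain can make the bounce pass.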


[pfx] Re: discard message

2024-06-20 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 20, 2024, at 7:17 AM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> Is there a place in postfix where I could discard mail if it has
> >> a spam score higher than say 4 or 5? I know that postfix hands the
> >> mail off to spamassassin for processing and then receives it back
> >> for delivery, but I'm unclear what checks could be implemented to
> >> catch spam and discard it.
> >> 
> >> This is what I could match on: X-Spam-Status: Yes, score=2.1
> >> 
> >> If the score was higher than some number (e.g >4) than reject the mail.
> > 
> > One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
> 
> Would this be in header_checks? I confess, I'm not clear on how
> mail is handled after spamassassin returns it to Postfix. Does it
> go all the way through the process again, beginning with header_checks?

That depends. 

If you use the "content_filter" feature then header_checks should do it.

If you use some Milter like rspamd then you need milter_header_checks.

> If it's header_checks, I would probably use something like /^X-Spam-Status: 
> Yes, score=[5-100[/ to catch everything above five.

No. It's a regular expression, it does not compute that 5 is less than 100.
Use a pattern from Viktor's post.

Wietse


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Wietse Venema via Postfix-users
Bounces are sent with the null envelope.from address which has no
domain. Therefore, SPF applies policy to a surrogate: the hostname
in the SMTP client's HELO/EHLO command (as if the envelope.from
address was postmaster@helo-argument).

This helo-argument is by default the value of the Postfix myhostname
parameter, which depending on myorigin setting may appear in the
header.from address mailer-daemon@whatever.

DMARC wants that the domain in envelope.from address (or its surrogate
in the case of <>) in some way align with the domain in the header.from
address (in this case mailer-daemon@whatever).

If someone can come up with a simple checklist for how to do this
then that would be great.

Wietse


[pfx] Re: discard message

2024-06-20 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> Is there a place in postfix where I could discard mail if it has
> a spam score higher than say 4 or 5? I know that postfix hands the
> mail off to spamassassin for processing and then receives it back
> for delivery, but I'm unclear what checks could be implemented to
> catch spam and discard it.
> 
> This is what I could match on: X-Spam-Status: Yes, score=2.1
> 
> If the score was higher than some number (e.g >4) than reject the mail.

One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/

Wietse
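The two "discard message" replies above turn on one point: a header_checks pattern is a regular expression, so a character class cannot express a numeric threshold. As an added example (my own code, not from the thread or from Viktor's post, which is not reproduced here), this Python runs the single-digit pattern suggested above and a general "score >= 5" pattern over constructed X-Spam-Status headers, and shows that the `[5-100[` class does not even compile. The header lines and the DISCARD action are constructed for the demonstration.

```python
import re

# Constructed X-Spam-Status headers in SpamAssassin's format; scores are made up.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=2.1 required=5.0 tests=HTML_MESSAGE",
    "X-Spam-Status: Yes, score=5.3 required=5.0 tests=HTML_MESSAGE",
    "X-Spam-Status: Yes, score=9.9 required=5.0 tests=HTML_MESSAGE",
    "X-Spam-Status: Yes, score=12.4 required=5.0 tests=HTML_MESSAGE",
    "X-Spam-Status: Yes, score=47.0 required=5.0 tests=HTML_MESSAGE",
    "X-Spam-Status: Yes, score=-3.0 required=5.0 tests=HTML_MESSAGE",
]

# The pattern from the thread: matches only a leading digit 5..9, so 12.4 and
# 47.0 are not caught.
SINGLE_DIGIT = re.compile(r"^X-Spam-Status: Yes, score=[5-9]")

# A pattern for "score >= 5" of any width: one digit 5-9, or two or more
# digits (>= 10), optionally a fraction, then whitespace or end of line.
THRESHOLD_5 = re.compile(
    r"^X-Spam-Status: Yes, score=(?:[5-9]|[1-9]\d+)(?:\.\d+)?(?:\s|$)")


def matches(pattern, headers):
    """Headers a given header_checks pattern would fire on."""
    return [h for h in headers if pattern.search(h)]


def header_checks_action(header, pattern=THRESHOLD_5, action="DISCARD"):
    """Emulate a header_checks line '/pattern/ ACTION' for one header."""
    return action if pattern.search(header) else None


def is_valid_regex(pattern_text):
    """False when the regex engine rejects the pattern, e.g. the reversed
    character range in [5-100[ (a regex does not compute 5 < 100)."""
    try:
        re.compile(pattern_text)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print("single digit catches:", matches(SINGLE_DIGIT, SAMPLE_HEADERS))
    print("threshold >= 5 catches:", matches(THRESHOLD_5, SAMPLE_HEADERS))
    print("[5-100[ compiles:", is_valid_regex(r"^X-Spam-Status: Yes, score=[5-100["))
```

Note that neither pattern fires on a negative score, because the character after `score=` is a minus sign; a pattern that must also cover thresholds below ten (say 4 to 9) needs a separate alternative per leading digit, which is why a milter or policy service is often easier than regex arithmetic in header_checks.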


[pfx] Re: discard message

2024-06-19 Thread Wietse Venema via Postfix-users
postfix--- via Postfix-users:
> > does smtp have an action "discard"? if so where messages will be discarded?
> > I see smtp code has "reject" while sieve has "discard". So I am asking this 
> > question.
> 
> http://www.postfix.org/header_checks.5.html
> There is a DISCARD action.

Also in http://www.postfix.org/access.5.html

Wietse


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Ralph Seichter via Postfix-users:
> * Ansgar Wiechers via Postfix-users:
> 
> > [...]
> 
> Did I ever send mail to you using the mailing list address you got
> barred from targeting, or send mail to you at all from my servers? No,
> I did not.
> 
> You tried to initiate communication by sending mail to an address you
> had no reason to contact, this being a mailing list, and you were thus
> redirected to a page explaining how you could ask for permission to send
> to said protected address in case you had a legitimate reason to (which
> you don't). I have also provided an unrestricted email address so
> anybody can send mail to in order to ask for clearance for the protected
> address, something which you didn't do.
> 
> All this is nothing like using a no-reply address, which is easy enough
> to understand. TL;DR: Apples and oranges.
> 
> > Guess what just happened to horus-it.com on my mail server.
> 
> Go on, guess if I care. :-)

No, don't. Please take this off-list.

Wietse


[pfx] Re: SASL_README correction

2024-06-19 Thread Wietse Venema via Postfix-users
Rob Sterenborg (Lists) via Postfix-users:
> Hi,
> 
> I was reading the SASL_README, "The ldapdb plugin" at:
> 
>  https://www.postfix.org/SASL_README.html#auxprop_ldapdb
> 
> [quote]
> Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the 
> LDAP database directly, with appropriate configuration in 
> saslauthd.conf, as described here. [...snip...]
> [/quote]
> 
> The link for "as described here" points to:
> 
>  http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD
> 
> Which returns a "No page found" message.
> 
> I guess it is currently hosted at:
>  
> https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

Confirmed, your link matches the archived content in the wayback machine at
https://web.archive.org/web/20140301224448/http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

It's a bit dated, but that is what we have.

I have updated the link in Postfix documentation. It will show up
on the website in an hour or so.

Wietse


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Gary R. Schmidt via Postfix-users:
[reply-to header]
> He didn't do it - it's being added by Mailman.  Whether by default or
> deliberately I do not know.

This is damage control for DMARC. The mailing list address goes in
the From: header, and the poster's email address goes in Reply-To:
so that list members can still choose between replying to the poster
or to the list.

Wietse



[pfx] Re: Rate limiting a group of domains

2024-06-18 Thread Wietse Venema via Postfix-users
785 243 via Postfix-users:
> I want to implement rate limiting based on the target server rather
> than by recipient domain. Specifically, I want to rate limit email
> sent to domains like yahoo.com, ymail.com, aol.com, myyahoo.com, and
> verizon.net as a group, since these domains appears to be handled by
> the same servers. This grouping should be done in case the receiving
> server does not discriminate based on domain for rate limiting
> purposes.

/etc/postfix/main.cf:
smtpd_recipient_restrictions = 
check_recipient_mx_access hash:/etc/postfix/mx_access
...
# Also reduces concurrency to 1.
smtp-yahoodns_destination_rate_delay = 1
# Don't declare yahoo dead after a single failure.
smtp-yahoodns_destination_concurrency_failed_cohort_limit = 5

/etc/postfix/mx_access:
# For yahoo.com, ymail.com, myyahoo.com.
yahoodns.net    FILTER smtp-yahoodns:

/postfix/master.cf
smtp-yahoodns unix .. .. .. .. .. .. smtp

This sends one message per second.


Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 18, 2024, at 3:33 PM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
> >> support authentication (POST 
> >> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)
> > 
> > Indeed, you have
> > 
> > smtps  inet  n   -   n   -   -   smtpd
> >-o smtpd_tls_wrappermode=yes
> >-o smtpd_sasl_auth_enable=no
> > 
> > Try: smtpd_sasl_auth_enable=yes
> > 
> 
> Doh! After fixing that and restarting postfix, I am successfully sending mail 
> from RC with $config['smtp_host'] = 'ssl://mail.stovebolt.com:465';
> 
> Thanks for your patience with this old man.

Congrats. I also have made progress with the migration from vintage
to present.

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
> support authentication (POST 
> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)

Indeed, you have

smtps  inet  n   -   n   -   -   smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=no

Try: smtpd_sasl_auth_enable=yes

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
What about providing Postfix logs? As long as you can't provide
the Postfix perspective, finding help here will be difficult.

Wietse


[pfx] always_add_missing_headers / local_header_rewrite_clients

2024-06-18 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> 465 inet  n   -   n   -   -   smtpd
> -o smtpd_tls_wrappermode=yes
...
> -o smtpd_milters=$mua_milters
> -o always_add_missing_headers=yes

Nit: always_add_missing_headers is a cleanup(8) daemon feature.  It
has no effect in the above configuration. To append headers from
submission(s) clients, one could configure

local_header_rewrite_clients =
permit_sasl_authenticated, permit_inet_interfaces

Should we change the existing default, "local_header_rewrite_clients =
permit_inet_interfaces"?

Wietse


[pfx] Re: Do I have sals authentication properly configured?

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> Both apps on on the same server and *should* be using the same clock.
> > 
> I don't want to waste any more of your time. It's working, so I'm happy.

You can make your life easier by fixing the program that is losing
Postfix logging. systemd has been implicated in such problems.

Wietse


[pfx] Re: Do I have sals authentication properly configured?

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> >>> - Did the client send starttls? That is logged in the "disconnect
> >>> from" line.
> >>> 
> >> 
> >> I don't see anything in the postfix logs (/var/log/maillog) from 
> >> roundcube. I guess I need to enable debug.
> > 
> > No debug logging needed. This information is ALWAYS logged:
> > 
> > Example of client that sends starttls:
> >disconnect from host[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 
> > commands=7
> 
> When I grep for 'disconnect from' I get 118,816 entries in the
> log. 20,297 of those are from one IP.
> 
> When I look in the logs for the timestamp that is in the roundcube
> smtp log, I find nothing.

Yeah. Are your clocks properly synchronized, like NTP? Or do you
use whatever the clock on the motherboard says?

> [17-Jun-2024 15:24:58 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
> Postfix
[successful auth, mail, rcpt, data and so on.]

Clearly you solved a problem by June 17.

> So, that's one session in Roundcube. There should be a corresponding entry in 
> the maillog, right?
> 
> grep "15:24:5" /var/log/maillog

You can do that only if your clocks are accurate to within two seconds,
otherwise it could already be 15:25:0* on the host that runs Postfix.

> Jun 16 15:24:57 ded602 postfix/smtpd[11420]: disconnect from 
> unknown[80.244.11.148] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

That was on June 16, an example of a client that did not send
STARTTLS, and that sent AUTH but failed (0 successful of 1 attempts).
It then sent RSET and QUIT.

Clearly, a different session than the successful one above.

Wietse


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 17, 2024, at 4:43 AM, Jaroslaw Rafa via Postfix-users 
> >  wrote:
> > 
> > Dnia 16.06.2024 o godz. 20:54:34 Paul Schmehl via Postfix-users pisze:
> >> 
> >> The odd thing is, I don't see any connection attempts at all in the mail
> >> logs.
> > 
> > May seem a strange question, but it's always first thing I check in case I
> > don't see any connection attempt in logs: Is your Roundcube really
> > connecting to the correct server? It's worth to double-check this.
> 
> It is: 
> 
> [17-Jun-2024 14:54:50 -0500]:  Connecting to 
> mail.stovebolt.com:25...
> [17-Jun-2024 14:54:50 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
> Postfix
> [17-Jun-2024 14:54:50 -0500]:  Send: EHLO www.stovebolt.com
> [17-Jun-2024 14:54:50 -0500]:  Recv: 250-mail.stovebolt.com

In that case you must also have Postfix logging.

Wietse


[pfx] Re: End of Data from client or postfix

2024-06-17 Thread Wietse Venema via Postfix-users
a49093915 via Postfix-users:
> Thank you very much for your detailed response.
> 
> So as far as I understand Postfix can receive "." or 
> "." or even other "End of DATA's",
> but will always strip them and add its own "." "End of DATA" 
> for outgoing SMTP.
> (Additionally it also strips and adds parts of the DATA itself.)
> 
> Is there a ways to verify this on the postfix server? Or would it
> be required to setup another SMTP server and somehow watch the
> incoming mails on that one?

Please upgrade to Postfix stable release 3.8.5, 3.7.10, 3.6.14,
3.5.24 and read the announcement for how to configure Postfix.

https://www.postfix.org/announcements/postfix-3.8.5.html

To verify, use a network sniffer (for example, tcpdump or wireshark).

Wietse


[pfx] Re: Do I have sals authentication properly configured?

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 16, 2024, at 5:02 PM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> I'm trying to sort out a problem with Roundcube failing to send email with 
> >> an error message that says SMTP Error(): authentication failed. In the 
> >> roundcube error log I find this:
> >> 
> >> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
> >> support authentication (POST 
> >> /webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
> >> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication 
> >> failure: mail.stovebolt.com <http://mail.stovebolt.com/>
> > 
> > Look in Your logs.
> > 
> > - Did the client connect to port 25 or 578?
> > 
> 
> 578
> 
> > - Did the client send starttls? That is logged in the "disconnect
> > from" line.
> > 
> 
> I don't see anything in the postfix logs (/var/log/maillog) from roundcube. I 
> guess I need to enable debug.

No debug logging needed. This information is ALWAYS logged:

Example of client that sends starttls:
disconnect from host[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 
commands=7

Example of client that does not send starttls:
disconnect from host[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

In your case there may be only ehlo but no mail, rcpt, and so on.

Wietse
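The "disconnect from" line format explained in this message, and the reading of `auth=0/1` as "0 successful of 1 attempts" given further up in this digest, are easy to check mechanically. The following Python parser is an added example (not Postfix code, not from the thread): it extracts the per-command counters from smtpd disconnect lines, answers the two questions asked here (did the client send STARTTLS, did AUTH fail) and totals failed AUTH attempts per client address. The log lines are constructed in the format shown above; hostnames and addresses are placeholders.

```python
import re

# Constructed smtpd log lines in the "disconnect from" format shown above.
SAMPLE_LOG = """\
Jun 16 15:24:57 mx1 postfix/smtpd[11420]: disconnect from unknown[192.0.2.7] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 17 15:24:58 mx1 postfix/smtpd[11431]: disconnect from webmail.example.test[192.0.2.20] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun 17 15:25:01 mx1 postfix/smtpd[11432]: disconnect from unknown[198.51.100.9] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jun 17 15:25:03 mx1 postfix/smtpd[11433]: disconnect from unknown[198.51.100.10] ehlo=1 auth=0/3 quit=1 commands=2/5
"""

_DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\] (?P<counters>.*)$")
# name=ok or name=ok/attempted; a bare count means every attempt succeeded.
_COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def parse_disconnect(line):
    """Return {'host', 'ip', 'counters': {command: (ok, attempted)}} or None."""
    m = _DISCONNECT.search(line)
    if not m:
        return None
    counters = {}
    for name, ok, attempted in _COUNTER.findall(m.group("counters")):
        ok = int(ok)
        counters[name] = (ok, int(attempted) if attempted else ok)
    return {"host": m.group("host"), "ip": m.group("ip"), "counters": counters}


def sent_starttls(session):
    """True when the client issued STARTTLS at least once."""
    return session["counters"].get("starttls", (0, 0))[0] > 0


def auth_failed(session):
    """True when at least one AUTH attempt did not succeed (e.g. auth=0/1)."""
    ok, attempted = session["counters"].get("auth", (0, 0))
    return attempted > ok


def summarize(log_text):
    """(ip, starttls_sent, auth_failed) per session, in log order."""
    out = []
    for line in log_text.splitlines():
        s = parse_disconnect(line)
        if s:
            out.append((s["ip"], sent_starttls(s), auth_failed(s)))
    return out


def failed_auth_attempts(log_text):
    """Failed AUTH attempts per client IP, a simple password-guessing indicator."""
    totals = {}
    for line in log_text.splitlines():
        s = parse_disconnect(line)
        if s and auth_failed(s):
            ok, attempted = s["counters"]["auth"]
            totals[s["ip"]] = totals.get(s["ip"], 0) + (attempted - ok)
    return totals


if __name__ == "__main__":
    for ip, tls, failed in summarize(SAMPLE_LOG):
        print(f"{ip:16} starttls={tls!s:5} auth_failed={failed}")
    print("failed AUTH per IP:", failed_auth_attempts(SAMPLE_LOG))
```

A session like the second sample (ehlo=2, starttls=1, auth=1, mail/rcpt/data present) is what a correctly configured webmail submission looks like; a session with only ehlo and a failed auth is the pattern to look for when the client reports "SMTP server does not support authentication".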


[pfx] Re: Do I have sals authentication properly configured?

2024-06-16 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> I'm trying to sort out a problem with Roundcube failing to send email with an 
> error message that says SMTP Error(): authentication failed. In the roundcube 
> error log I find this:
> 
> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
> support authentication (POST 
> /webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication failure: 
> mail.stovebolt.com 

Look in Your logs.

- Did the client connect to port 25 or 578?

- Did the client send starttls? That is logged in the "disconnect
from" line.

Do you have any "smtpd_tls_auth_only=yes" override in effect?

For main.cf:
postconf -n smtpd_tls_auth_only

For master.cf:
postconf -P '*/*/smtpd_tls_auth_only'

If that is set to 'yes', Postfix will announce AUTH only after 
the client sends STARTTLS. 

Wietse


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John Levine via Postfix-users:
> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?

Here is a non-intuitive solution, based on
https://www.postfix.org/RESTRICTION_CLASS_README.html

/etc/postfix/main.cf:
smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/restricted_senders

smtpd_restriction_classes = joe_user_acl
joe_user_acl = 
check_recipient_access hash:/etc/postfix/joe_user_recipients, reject

/etc/postfix/restricted_senders:
joe_user@some.example  joe_user_acl

/etc/postfix/joe_user_recipients:
foo@one.example OK
bar@two.example OK

But this is non-intuitive and gives me a headache.

If milter-regex or postfwd can handle your use case, then that would
be more intuitive.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users 
> wrote:
> > John R. Levine via Postfix-users:
> > > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > > I think postscreen can block them easily.
> > > 
> > > I'm looking at the postscreen man page and I don't see anything about 
> > > mail 
> > > addresses.  Am I missing something?
> > 
> > That is a bad suggestion, please ignore.
> > 
> > > I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> > > QUIT?
> > 
> > That would do the job. With regexp: or pcre: tables you may save
> > some CPU cycles with:
> > 
> > # Don't indent text between IF and ENDIF.
> > IF /^MAIL FROM:/
> > /^MAIL FROM:/ QUIT
> > /^MAIL FROM:/ QUIT
> > ...
> > ENDIF
> 
> What's wrong with simple literal access(5) checks on the envelope
> sender, one then also gets to log the rejected recipients assuming the
> default setting of "smtpd_delay_reject = yes".

True as a more general solution, but I don't think
that is required here.

> Regular expressions are much too fragile in the hands of most users.

I think that John has the competence to make that decision.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users:
> On Sat, 15 Jun 2024, Jeff Peng wrote:
> > I think postscreen can block them easily.
> 
> I'm looking at the postscreen man page and I don't see anything about mail 
> addresses.  Am I missing something?

That is a bad suggestion, please ignore.

> I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> QUIT?

That would do the job. With regexp: or pcre: tables you may save
some CPU cycles with:

# Don't indent text between IF and ENDIF.
IF /^MAIL FROM:/
/^MAIL FROM:/ QUIT
/^MAIL FROM:/ QUIT
...
ENDIF

If the list is short, this 'optimization' won't be worthwhile.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: distributed email system

2024-06-15 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> On 2024-06-15 21:35, Wietse Venema via Postfix-users wrote:
> 
> > 
> > This is a bit off topic for Postfix, but a common approach is to
> > shard a global database into regional ones and limit the impact of
> > outages. Some database systems support sharding out of the box (for
> > example, MongoDB, supported by Postfix 3.9 and later).
> > 
> 
> Hi Wietse,
> 
> what does it mean "sharding out of the box"?

"X supports Y out of the box" is an expression meaning that X has
support for Y built in.

Wietse

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: myorigin usage for ONLY unqualified addresses

2024-06-15 Thread Wietse Venema via Postfix-users
One addendum about how to distinguish from root@mydomain
from different hosts.

Dan Mahoney via Postfix-users:
> > Use a virtual alias mapping from "r...@dayjob.org" to the collector
> > email address.  This is a variation on
> > 
> > /usr/local/etc/postfix/main.cf:
> > virtual_alias_maps = hash:/local/etc/postfix/virtual-for-root
> > 
> > /local/etc/postfix/virtual-for-root:
> >r...@dayjob.org collector-u...@collector-host.dayjob.org
> > 
> > Run "postmap hash:/local/etc/postfix/virtual-for-root" after
> > editing the file.
> > 
> > Instead of a hash: map you could use a networked table such as *SQL
> > or LDAP.
> 
> This would still result in rootmail being from root@mydomain, not
> root@myhostname -- regardless of the destination, which makes it
> way more confusing to read.

I forgot to mention that FreeBSD daily/security/weekly/monthly email
messages have the hostname in the Subject. Like this:

Subject: hostname.porcupine.org weekly run output
Subject: hostname.porcupine.org daily run output
Subject: hostname.porcupine.org daily security run output

They arrive in the same mailbox, and there is confusion about their
provenance.

> However, we would like our rootmail to respect our aliases file,
> which tells root to go to a specific mail destination on a specific
> box.

Set up a virtual alias

r...@dayjob.org root@localhost

or

r...@host.dayjob.org root@localhost

(which one depends on myorigin and masquerade_xxx settings).

The Postfix local delivery agent will then respect the local
aliases database.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: myorigin usage for ONLY unqualified addresses

2024-06-15 Thread Wietse Venema via Postfix-users
Dan Mahoney via Postfix-users:
> > Use a virtual alias mapping from "r...@dayjob.org" to the collector
> > email address.  This is a variation on
> > 
> > /usr/local/etc/postfix/main.cf:
> > virtual_alias_maps = hash:/local/etc/postfix/virtual-for-root
> > 
> > /local/etc/postfix/virtual-for-root:
> >r...@dayjob.org collector-u...@collector-host.dayjob.org
> > 
> > Run "postmap hash:/local/etc/postfix/virtual-for-root" after
> > editing the file.
> > 
> > Instead of a hash: map you could use a networked table such as *SQL
> > or LDAP.
> 
> This would still result in rootmail being from root@mydomain, not
> root@myhostname -- regardless of the destination, which makes it
> way more confusing to read.

> However, we would like our rootmail to respect our aliases file,
> which tells root to go to a specific mail destination on a specific
> box.

Set up a virtual alias

r...@dayjob.org root@localhost

or

r...@host.dayjob.org root@localhost

(which one depends on myorigin and masquerade_xxx settings).

The Postfix local delivery agent will then respect the local
aliases database.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: distributed email system

2024-06-15 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users:
> sql databases optimize for consistency instead of availability.
> And even if you design your data model not to rely on joins, to
> use unique ids per node, and to replicate both directions or
> disallow writes on the slave, at least MariaDB failed on partitioning,
> and I didn't want or tried to use an database not supported by the
> application.
> Obviously you may get by without encountering issues for quite
> some time, and this unfortunately is true for many replication
> scenario recommendations.

This is a bit off topic for Postfix, but a common approach is to
shard a global database into regional ones and limit the impact of
outages. Some database systems support sharding out of the box (for
example, MongoDB, supported by Postfix 3.9 and later).

Reportedly, 

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: myorigin usage for ONLY unqualified addresses

2024-06-15 Thread Wietse Venema via Postfix-users
Dan Mahoney via Postfix-users:
> Hello,
> 
> We currently have myorigin = $mydomain, and mydomain = dayjob.org
> on one of our border MXes, which is also the outbound MX for our
> whole organization.  We are a fairly large site with mxes in two
> locations and many machines which send mail which may relay through
> here.  Mydomain feels like the *correct* origin answer.
> 
> However, we would like our rootmail to respect our aliases file,
> which tells root to go to a specific mail destination on a specific
> box.

Use virtual_alias_maps, as shown below.

> FreeBSD by default sends all its nightly security checks and the
> like to "root" (bareword), and we globally deploy an alias file
> that reroutes this to a collector on a single machine, both for
> our machines that run postfix, as well as our machines that run
> more simple mailers like dma.  We'd like the expectations consistent
> across the board.

Use a virtual alias mapping from "r...@dayjob.org" to the collector
email address.  This is a variation on

/usr/local/etc/postfix/main.cf:
 virtual_alias_maps = hash:/local/etc/postfix/virtual-for-root

/local/etc/postfix/virtual-for-root:
r...@dayjob.org collector-u...@collector-host.dayjob.org

Run "postmap hash:/local/etc/postfix/virtual-for-root" after
editing the file.

Instead of a hash: map you could use a networked table such as *SQL
or LDAP.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: distributed email system

2024-06-14 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> On 2024-06-14 22:31, Wietse Venema via Postfix-users wrote:
> > Jeff Peng via Postfix-users:
> >> Hello,
> >> 
> >> Is there any guide to setup a distributed email system? there should 
> >> be
> >> multiple MX, multiple IMAP/storage servers, and sasl server cluster 
> >> etc.
> > 
> > That could be a job interview question.
> > 
> > The easier part is setting up a pool of dataless Postfix SMTP
> > servers; sharding the users across a pool of replicated Dovecot
> > POP/IMAP servers; and nginx proxies.
> 
> Are IMAP and smtp stateful protocols? If so I have to use hashes based 
> on src IP etc.

There is a difference between IMAP/POP and SMTP. With IMAP/POP a
front end proxy needs to connect each user to the right message
store instance. With SMTP, different sessions can be handled by
different servers. The servers can figure where to deliver mail.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: End of Data from client or postfix

2024-06-14 Thread Wietse Venema via Postfix-users
a49093915 via Postfix-users:
> Hello,
> 
> Unfortunately I was unable to find this information myself, so I am now 
> asking here:
> 
> Does postfix forward the end of data characters from the client or does it 
> replace them?
> Is there any way to influence this behavior?

Line endings depend on context. UNIX files and commands use <LF>,
whereas SMTP and LMTP use <CR><LF>. Instead of picking a specific
line ending, Postfix uses none. Instead it stores a length and text.

When delivering mail, Postfix ADDS the line endings that are appropriate.

- The delivery agents for UNIX files and commands add <LF> line endings.
  The pipe daemon can also be configured to prepend "." and append
  .

- The Postfix SMTP and LMTP clients add the SMTP encapsulation:
  they append <CR><LF> at the end of a line, and prepend "." to
  lines that start with ".". This behavior is required by the
  protocol and is not configurable.

For completeness, when receiving mail, Postfix strips line endings.

- The Postfix SMTP server REMOVES the SMTP encapsulation: the
  <CR><LF> line endings and "." at the start of a line.

  (for compatibility with poorly written apps, it may also permit
  bare <LF> depending on "smtpd_forbid_bare_newline" configuration).

- The Postfix sendmail command REMOVES the UNIX-style <LF> line
  ending. 

  (for compatibility with poorly written apps, it may also remove
  <CR> depending on "sendmail_fix_line_endings" configuration)

Additionally, the latest Postfix 3.5..3.9 versions will replace
<CR> or <LF> in the middle of a line with the SPACE character.
This neutralizes any attempts to inject false line endings.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
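The encapsulation and stripping steps described in the message above, as an added example that is not part of the original post or of Postfix. It models a message store that keeps lines without endings, adds <CR><LF> and dot-stuffing on the way out to SMTP/LMTP, strips them on the way in, rejects or tolerates a bare <LF> depending on a flag that plays the role of smtpd_forbid_bare_newline, and replaces a <CR> or <LF> in the middle of a stored line with SPACE. The function names and the sample payloads are this example's own.

```python
"""SMTP DATA encapsulation and its inverse (added example, not Postfix code).

Stored form: a list of byte strings, one per line, with no line endings.
Wire form:   each line + <CR><LF>, "." prepended to lines that start with ".",
             terminated by a lone "." line (RFC 5321 section 4.5.2).
"""

CRLF = b"\r\n"


def neutralize_bare_endings(line: bytes) -> bytes:
    """A stored line is one line: any <CR> or <LF> inside it becomes SPACE."""
    return line.replace(b"\r", b" ").replace(b"\n", b" ")


def smtp_encapsulate(lines: list[bytes]) -> bytes:
    """Stored lines -> SMTP DATA payload (what an SMTP/LMTP client sends)."""
    out = bytearray()
    for line in lines:
        line = neutralize_bare_endings(line)
        if line.startswith(b"."):
            out += b"."          # dot-stuffing, required by the protocol
        out += line + CRLF
    out += b"." + CRLF           # end-of-data marker
    return bytes(out)


def smtp_decapsulate(payload: bytes, forbid_bare_newline: bool = True) -> list[bytes]:
    """SMTP DATA payload -> stored lines (what an SMTP server does on receipt).

    forbid_bare_newline=True:  a <LF> not preceded by <CR> is an error.
    forbid_bare_newline=False: a bare <LF> is accepted as a line ending, which
    is the lenient behaviour that SMTP smuggling abuses.
    """
    lines: list[bytes] = []
    start, n = 0, len(payload)
    while start < n:
        lf = payload.find(b"\n", start)
        if lf < 0:
            raise ValueError("DATA not terminated with <CR><LF>.<CR><LF>")
        if lf > start and payload[lf - 1:lf] == b"\r":
            line = payload[start:lf - 1]
        elif forbid_bare_newline:
            raise ValueError("bare <LF> in DATA at offset %d" % lf)
        else:
            line = payload[start:lf]
        start = lf + 1
        if line == b".":
            return lines             # end-of-data marker reached
        if line.startswith(b"."):
            line = line[1:]          # undo dot-stuffing
        lines.append(neutralize_bare_endings(line))  # a stray <CR> cannot survive
    raise ValueError("missing end-of-data marker")


if __name__ == "__main__":
    # Constructed inputs: a message whose last line carries an embedded <CR>,
    # and a payload that tries to end DATA early with a bare-<LF> "." line.
    stored = [b"Subject: test", b"", b".starts with a dot", b"body\rsmuggled"]
    wire = smtp_encapsulate(stored)
    print(wire)
    print(smtp_decapsulate(wire))
    smuggled = b"line1\r\n.\nMAIL FROM:<attacker@example.invalid>\r\n.\r\n"
    print(smtp_decapsulate(smuggled, forbid_bare_newline=False))  # truncated after line1
    try:
        smtp_decapsulate(smuggled)                                  # rejected
    except ValueError as e:
        print("rejected:", e)
```

With the lenient flag the second payload ends the message at the bare-<LF> "." line, and a server that honours it would read the remaining bytes as a new SMTP command; with the strict flag the same payload is rejected as soon as the bare <LF> is seen.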


[pfx] Re: distributed email system

2024-06-14 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello,
> 
> Is there any guide to setup a distributed email system? there should be 
> multiple MX, multiple IMAP/storage servers, and sasl server cluster etc.

That could be a job interview question.

The easier part is setting up a pool of dataless Postfix SMTP
servers; sharding the users across a pool of replicated Dovecot
POP/IMAP servers; and nginx proxies.

The harder part is implementing the databases and (web) applications
to manage the above.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello Wietse,
> 
> I have added this line:
>  smtpd_reject_unlisted_sender = yes
> 
> into main.cf.
> May I ask, this option is for submission request, or for MX request?

All services that use smtpd.

Wietse

> On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote:
> > Wietse Venema via Postfix-users:
> >> A paranoid configuration could add:
> >> 
> >> smtpd_reject_unlisted_sender = yes
> >> 
> >> That is, do not send mail with a sender address that is known to
> >> be invalid (the SMTP server would reject mail for the address with
> >> "user unknown").
> >> 
> >> For more details (what is valid, why reject invalid senders) see
> >> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
> > 
> > This will respect address extensions, because it reuses the logic for
> > rejecting unknown recipients. Less code, more functionality.
> > 
> > Wietse
> > ___
> > Postfix-users mailing list -- postfix-users@postfix.org
> > To unsubscribe send an email to postfix-users-le...@postfix.org
> ___
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
> 
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> A paranoid configuration could add:
> 
> smtpd_reject_unlisted_sender = yes
> 
> That is, do not send mail with a sender address that is known to
> be invalid (the SMTP server would reject mail for the address with
> "user unknown").
> 
> For more details (what is valid, why reject invalid senders) see
> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

This will respect address extensions, because it reuses the logic for
rejecting unknown recipients. Less code, more functionality.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Need help with postfix

2024-06-13 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> I'm 77. I've been retired for 10 years. Now I'm struggling trying
> to get postfix working with Dovecot and Spamasassin on a CentOS 7
> server. I manage a small hobby domain for some friends (for free),
> and the changes in systems are so dramatic that I feel I'm losing
> touch.

Welcome back. I'm also updating some different infrastructure from
a similar vintage, and translating configurations from the past to
the present can be challenging.

> I read this doc to help me understand the new setup:
> https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin
> 
> I used to use filter.sh and didn't run the spamd daemon, but I
> thought that using the daemon would be the best way to go now.
> 
> I uninstalled postfix 2.10 and installed postfix 3.9. I installed
> spamassassin 3.4. I copied my old 2.1 master.cf and main.cf to the
> new configs (after backing those up) and started up both daemons.
> (I don't know if that's a mistake.
> 
> I can send and receive email, including remotely using saslauth.
> But, I'm not gettting headers altered by spamassassin and I'm
> seeing some warnings in the logs that bother me.
> 
> Here's the spamassassin bits in master.cf:
> 
> smtp  inet  n   -   n   -   -   smtpd
>   -o content_filter=spamassassin
> 
> spamassassin unix -  n   n   -   -  pipe
>user=spamd argv=/usr/local/bin/spamc -f -e
>/usr/sbin/sendmail -oi -f ${sender} ${recipient}

So that one seems to be failing.

> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: 
> /usr/libexec/postfix/pipe: bad command startup -- throttling
> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: process 
> /usr/libexec/postfix/pipe pid 2404 exit status 1

This is the exit status when the pipe daemon detects a bad
configuration.  I suspect that the pipe daemon is logging some
details along the lines of:

unknown flag:
unknown username
unknown group

> Jun 13 13:10:34 ded602 postfix/qmgr[31120]: warning: private/spamassassin 
> socket: malformed response

That is to be expected when the pipe daemon detects a configuration problem.

> [root@ded602 etc]# postconf -n

Skipping that for now.

> I'm not sure if all these parameters are still in use or if I even need them.

> I'm seeing a lot of these, but I assume this is just a nefarious actor:
> Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from 
> unknown[80.244.11.148]: 
> \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250

That's a TLS handshake. If this is on port 25 or 587 that is the
client's mistake. With modern master.cf files, Postfix will log
the service name for user mail user agents as postfix/submission/smtpd,
postfix/smtps/smtpd, or postfix/submissions/smtpd.

> Please be gentle. I'm far from a pro, and I've been out of the game for a 
> decade.

No problem. Could you be so kind not to include a 80 kilobyte
HTML attachment?

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
A paranoid configuration could add:

smtpd_reject_unlisted_sender = yes

That is, do not send mail with a sender address that is known to
be invalid (the SMTP server would reject mail for the address with
"user unknown").

For more details (what is valid, why reject invalid senders) see
https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

Wietse

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Working around load balancers

2024-06-13 Thread Wietse Venema via Postfix-users
On second consideration, if an *SQL "server_hosts" setting specifies
only one target (host or IP address), then Postfix has little to
lose if it pretends that the name is given twice, and retries once
immediately, especially if it turns off the logic to avoid a failed
*SQL server for 60 seconds.

The logic for LMTP and SMTP can be similar: if a next-hop destination
resolves to exactly one IP address, pretend that it is given twice,
and retry once immediately. If both attempts fail, defer mail as usual.

Bulk mailers may want to skip the immediate SMTP retry if the error
was at the network-level (no connection) because an SMTP client
that is retrying a "down" host cannot be used to deliver mail.

This retry logic does not apply to milters, where a failure in the
middle of an SMTP conversation is not immediately recoverable.
Commands would have to be replayed and message changes would have
to be undone. Instead, the remote SMTP client has to retry the
entire transaction later.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> Using a load balancer like HAProxy for MySQL connections allows 
> balancing only on servers that are synchronized. Direct use of multiple 
> MySQL hosts in Postfix does not allow for any checks.

If you want to load balance N mysql servers behind 1 load balancer,
you can specify that server N times in the Postfix's "hosts" directive.
That will end the "mysterious delays".

The alternative, retry immediately on a single IP address, would
require configuration changes (it cannot be the default) and some
code to implement that.

> Given this, the 
> example of MySQL, which could also be the balancing of multiple LMTP 
> connections to IMAP servers, 

If you present only one server IP address to the Postfix LMTP client,
then that client will not immediately retry that IP address after
error, because that would normally be rude behavior. Thus there
will be delays.

If you present multiple IP addresses to the Postfix LMTP client,
then it will try them in random order until delivery succeeds. There
will be no delays. I'm not sure if the client deduplicates IP
addresses; a quick code search suggests it does not.

As with mysql, making the Postfix LMTP client retry immediately on
a single IP address would require configuration changes (it cannot
be the default) and some code to implement that.

It gets messy if we want to do this with every network dependency.

> occur with the use of the balancer under some load conditions. I am 
> looking for information to address the problem since Postfix does not 
> natively support clustered milters.

Clustered or otherwise, the Postfix Milter client isn't going to
retry after a failure mid-session. There is no way to 'replay' the
Postfix-to-Milter conversation. The SMTP server does not control
what happens, it has to respond in real time to events from a remote
SMTP client and relay any responses from the Milter.

The SMTP and LMTP clients can handle mid-session failures because
they are in complete control.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> I'm asking because I was using it with HAProxy, and with the load 
> balancer between Postfix and the two Rspamd machines, I often have 
> unexplainable timeouts. In general, I see that Postfix does not like 
> interacting with load balancers; I've had similar issues with MySQL 
> connections always balanced with HAProxy

By design Postfix DOES NOT immediately retry connecting to the
same host. In many contexts that would be considered rude.

That of course has consequences when a service "host" is in fact
a load balancer.

If you MUST use a load balancer for the MySQL service, specify the
"host" multiple times in the Postfix MySQL client configuration.

Or stop playing load balancer games and specify the real server
hosts in the Postfix MySQL client configuration. That is how it is
supposed to be used.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> Hello,
> is there a way to use multiple milters in round-robin without using a 
> load balancer? From what I can see in version 3.9, using multiple 
> milters separated by commas results in them being used in sequence.

This is not built into Postfix. 

If you specify a hostname that has multiple IP addresses, then
Postfix will try the IP addresses in the order returned by the
getaddrinfo() system library function. If the order is the same
with each call, then that sucks.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SSL_accept error for smtpd

2024-06-10 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello
> 
> what's this error in mail.log?
> 
> Jun 11 01:52:15 tls-mail postfix/smtpd[67409]: connect from 
> unknown[172.210.47.140]
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: SSL_accept error from 
> unknown[172.210.47.140]: -1
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning: TLS library 
> problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no  <<
> shared cipher:../ssl/statem/statem_srvr.c:2283: <
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: lost connection after 
> STARTTLS from unknown[172.210.47.140]
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: disconnect from 
> unknown[172.210.47.140] ehlo=1 starttls=0/1 commands=1/2
> 
> I have only port 465 opened for sending mail. port 587 is shutdown.

The lines with << show the error message (no shared cipher).

If this does not happen with a legitimate client, then this could
be someone who is looking for trouble (they failed) and you can
ignore the problem.

If this does happen with a legitimate client, then the client or
server needs to adjust their TLS settings.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Wietse Venema via Postfix-users
>  ...
>  |>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
>  |>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
>  |>   be compatible with OpenSSL 3.2.0
>  ...
>  |[.] OpenSSL 3.2.0 and 3.3.0
>  |are ABI and API compatible. I would not expect to see a warning or
>  |error. See   |tml>.

Some irrelevant background: that document covers OpenSSL 3.0 and
later (earlier releases use a different versioning scheme).

>  |From the document under Minor Release:
>  |
>  |A minor release is indicated by changing the second number of the
>  |version. A minor release can, and generally will, introduce new
>  |features. However both the API and ABI will be preserved.

That same document says under "Patch release":

A patch release is indicated by changing the final number of
the version. A patch release will only contain bug and security
fixes. Both the API and ABI will remain compatible across patch
releases.

Note that only the text for "Patch release" promises that the "Both
the API and ABI will remain compatible".

Based on that, Postfix will not complain when the build-time and
run-time versions differ only in the Patch release number.

> This is postfix.  I must say, out of my head i have no idea
> whether it has always been like that for minor releases for one,
> and whether that is also true for LibreSSL, and the other SSL
> libraries that postfix possibly works with.  And AlpineLinux did
> use LibreSSL for some time in the past.

Postfix 3.6 and later pretty much require OpenSSL.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Looking for a neat way to determine the time a mail sits in active queue

2024-06-07 Thread Wietse Venema via Postfix-users
Tobi via Postfix-users:
> Hi list
> 
> maybe someone has a good idea :-)
> 
> I'm looking for a way to reliably determine how long a message sits in
> active queue. Currently I use postqueue -j and pipe it to jq, get only
> hits from queue_id==active and then get arrival time, sort it by
> arrival time, take the oldest and calculate the difference to current
> time

Postfix already logs the (last) time spent in the active queue as
well as the time spent in any queue before that. Details are in

https://www.postfix.org/postconf.5.html#delay_logging_resolution_limit

A message may move in and out of the active queue multiple times,
and the above information will be logged each time the message
leaves the active queue.

If you want a per-domain time distribution of how long messages are
in the queue at a given point in time, perhaps the qshape tool may
be useful. It is included with Postfix source code under the
auxiliary/qshape directory. This is good for bottleneck analysis.

https://www.postfix.org/qshape.1.html

> Or would it be possible in future postfix releases to teach the
> postqueue command to return the "last time taken into active queue"
> for each message in active?

Where would it get that information from? A completely new RPC
interface in the queue manager? That goes against the principle
that the queue manager must be highly available and must do as
little as possible, delegating all work to disposable processes.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
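A way to get the active-queue time out of the logs, as an added example that is not part of the original message or of Postfix. It parses the "delays=a/b/c/d" field that Postfix logs for every delivery attempt (a = time before the queue manager, i.e. incoming and deferred queues; b = time in the queue manager, i.e. the active queue; c = connection setup including DNS, HELO and TLS; d = message transmission) and aggregates b per queue ID and per recipient domain, which is the per-domain view the qshape tool gives for messages still in the queue. The log lines, queue IDs, hosts and addresses are constructed for this example.

```python
"""Active-queue time from Postfix delivery log lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines; nothing here comes from a real system.
SAMPLE_LOG = """\
Jun  7 10:00:01 mx1 postfix/smtp[1234]: 4ABCDEF0123: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.41, delays=0.02/0.01/0.18/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  7 10:00:01 mx1 postfix/smtp[1234]: disconnect from mx.example.org[192.0.2.10]
Jun  7 10:00:05 mx1 postfix/smtp[1235]: 4ABCDEF0456: to=<b@example.net>, relay=none, delay=312, delays=300/12/0/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.5]:25: Connection timed out)
Jun  7 10:20:09 mx1 postfix/smtp[1236]: 4ABCDEF0456: to=<b@example.net>, orig_to=<alias@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1205, delays=1200/3.5/0.9/0.6, dsn=2.0.0, status=sent (250 OK)
Jun  7 10:20:10 mx1 postfix/error[1237]: 4ABCDEF0789: to=<c@example.com>, relay=none, delay=4099, delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect timed out)
"""

# One delivery-attempt record; connect/disconnect and other lines do not match.
LINE_RE = re.compile(
    r"postfix/(?P<daemon>\w+)\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r".*?delay=(?P<delay>[\d.]+), "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


@dataclass
class Delivery:
    queue_id: str
    recipient: str
    status: str
    before_active: float   # a: incoming + deferred queues
    active: float          # b: active queue (queue manager)
    connect: float         # c: connection setup
    transmit: float        # d: transmission


def parse_delivery_log(text: str) -> list[Delivery]:
    """Return one Delivery per matching log line, in log order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append(Delivery(m["qid"], m["rcpt"], m["status"],
                                float(m["a"]), float(m["b"]),
                                float(m["c"]), float(m["d"])))
    return records


def active_time_by_queue_id(records: list[Delivery]) -> dict[str, list[float]]:
    """Every trip a message made through the active queue, oldest first."""
    out: dict[str, list[float]] = defaultdict(list)
    for r in records:
        out[r.queue_id].append(r.active)
    return dict(out)


def active_time_by_domain(records: list[Delivery]) -> dict[str, float]:
    """Total active-queue seconds per recipient domain (bottleneck analysis)."""
    out: dict[str, float] = defaultdict(float)
    for r in records:
        out[r.recipient.rpartition("@")[2].lower()] += r.active
    return dict(out)


def longest_active(records: list[Delivery], n: int = 3) -> list[Delivery]:
    """The n deliveries that spent the longest in the active queue."""
    return sorted(records, key=lambda r: r.active, reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_delivery_log(SAMPLE_LOG)
    print(active_time_by_queue_id(recs))
    print(active_time_by_domain(recs))
    for r in longest_active(recs):
        print(r.queue_id, r.recipient, r.status, r.active)
```

Feed it `journalctl -u postfix -o cat` or the mail log; the "delay=" total minus the sum of the four parts is the rounding that delay_logging_resolution_limit controls.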


[pfx] Re: localhost.com in the logs

2024-06-06 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Thu, Jun 06, 2024 at 04:01:06PM -0400, Wietse Venema via Postfix-users 
> wrote:
> > GDS via Postfix-users:
> > > Hello, I am seeing hundreds of lines like the one below in my mail.log 
> > > from this specific IP address, which belongs to Google. 
> > > Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D: 
> > > to=, orig_to=, relay=none, 
> > > delay=4099, delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery 
> > > temporarily suspended: connect to localhost.com[74.125.224.72]:25: 
> > > Connection timed out)
> > > 
> > 
> > Maybe you have  "myhostname = something.com" and Postfix infers $mydomain 
> > from that.
> 
> Indeed, when "mydomain" is not explicitly specified, one label is
> dropped even if only two were present in $myhostname.
> 
> $ postconf -o myhostname=foo.com mydomain
> mydomain = com
> 
> which, in combination with "append_dot_mydomain = yes", would match the
> OP's report/observations.

The problem is fixed by adopting the 10-year old "new" default
setting "append_dot_mydomain = no", or by setting the compatibility_level
to a value > 1.

> It might be reasonable to infer "mydomain = $myhostname" when the latter
> has two or fewer labels.

There are top-level domains with more than 2 components.

Doing this "correctly" (there can be TLDs with more than 2 components)
would require a domain suffix list (with the registrar portions of
domain names).

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread Wietse Venema via Postfix-users
Roy Bellingan via Postfix-users:
> Good evening, I am not able to use this parameter.
> 
> My current version is the 3.9.2, I already have many other entity 
> configured to use mysql, but some reason this one is silently ignored 
> and produces no error.
> 
> If I use the hash metod and follow https://www.postfix.org/SASL_README.html
> I should write the config file like
> 
> /etc/postfix/sasl_passwd:
>  # Per-sender authentication; see also /etc/postfix/sender_relay.
>  us...@example.com username1:password1
>  us...@example.net username2:password2
>  # Login information for the default relayhost.
>  [mail.isp.example]  username:password
>  # Alternative form:
>  # [mail.isp.example]:submission username:password
> 
> Therefore I wrote
> [smtp-relay.brevo.com]:587 x@y.z:123
> 
> But this will NOT work, I have instead write
> 
> smtp-relay.brevo.com:587 x@y.z:123

That form turns on MX record lookup. Postfix should not do such
lookups for smtp-relay.brevo.com.

Specify [smtp-relay.brevo.com]:587 in main.cf:relayhost (or whatever
you are getting the relay from).

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SMTP command trace

2024-06-06 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users:
> Hello,
> 
> I am trying to obtain a SMTP command trace for a specific destination.
> I tried with debug_peer_list and debug_peer_level, but it looked
> like not all commands are included but lots of other information
> that were distracting.

What commands are missing? Are you screwed by systemd throttling?

For SMTP commands and responses, a debug level of 1 will be sufficient.
The Postfix default setting "debug_peer_level = 2" is higher than
needed, and may cause systemd to drop information.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: localhost.com in the logs

2024-06-06 Thread Wietse Venema via Postfix-users
GDS via Postfix-users:
> Hello, I am seeing hundreds of lines like the one below in my mail.log from 
> this specific IP address, which belongs to Google. 
> Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D: 
> to=, orig_to=, relay=none, delay=4099, 
> delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily 
> suspended: connect to localhost.com[74.125.224.72]:25: Connection timed out)
> 

Maybe you have "myhostname = something.com" and Postfix infers $mydomain
from that.

Wietse


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Wietse Venema via Postfix-users
Matus UHLAR - fantomas via Postfix-users:
> >- Create a wild-card SPF policy for *.raystedman.org that permits
> >all your SMTP client IP addresses.
> 
> Sorry: a wildcard in DNS only applies to non-existing names, and since 
> the hostname already exists:

Perhaps you are confusing wildcards with CNAME. With CNAME, there
can be no other record type with the same name. There is no such
restriction for wildcards.

I have an example:

*.single-wild.porcupine.org. IN A 168.100.3.4

This returns an A record for foo.single-wild.porcupine.org:

% host -t a foo.single-wild.porcupine.org
foo.single-wild.porcupine.org has address 168.100.3.4

But no TXT record for foo.single-wild.porcupine.org:

% host -t txt foo.single-wild.porcupine.org
foo.single-wild.porcupine.org has no TXT record

Here, the wildcard applies only to A queries.

Wietse


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> We had another DMARC Failure last night.  The email ended up at the gmail 
> level.
> 
>   X-Original-Authentication-Results: mx.google.com;
> 
>spf=none (google.com: mail01-t122.raystedman.org does not
> designate permitted sender hosts)
> smtp.helo=mail01-t122.raystedman.org;
>dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org
> 
> It appears that Google is looking for SPF information for one of the
> transports we use in randmap.  Do we need to have SPF records in place
> for all of our transports?

Google wants your smtp_helo_name (default: $myhostname) to have an SPF
policy.

Options:

- Create an SPF policy for the SMTP helo name that permits the
corresponding SMTP client IP address.

- Create a wild-card SPF policy for *.raystedman.org that permits
all your SMTP client IP addresses.

- Change the smtp_helo_name to a name that already has an SPF policy.
This is messy because the name should match the PTR record for the
SMTP client IP address.

Wietse
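Wietse's A-only wildcard and the SPF-for-the-HELO-name options in the two messages above both hinge on how DNS wildcards are synthesized (RFC 4592). The following Python model is an added example, not Postfix code or anything posted in the thread: it resolves a HELO name against a toy zone and runs a minimal SPF check (ip4 and all mechanisms only), and it also covers the case a wildcard does not reach, a HELO name that already exists in DNS. All zone data and addresses are constructed except the porcupine.org wildcard quoted above.

```python
"""Model of DNS wildcard matching (RFC 4592) applied to the question of whether
an SMTP HELO name has an SPF policy.  Added example, not Postfix code; all zone
data and addresses are constructed except the porcupine.org wildcard quoted in
the thread."""
import ipaddress
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner name -> {rrtype: [rdata, ...]}

ZONE: Zone = {
    "raystedman.org.": {"A": ["192.0.2.10"],
                        "TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    # Wildcard SPF policy intended to cover every *.raystedman.org HELO name.
    "*.raystedman.org.": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    # An existing host name (it has an A record) with no TXT record of its own.
    "mail01-t122.raystedman.org.": {"A": ["192.0.2.121"]},
    # The A-only wildcard from the thread.
    "*.single-wild.porcupine.org.": {"A": ["168.100.3.4"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists when it owns records or has a descendant that does
    (an 'empty non-terminal')."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def resolve(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Answer a query from the toy zone: (status, rdata) with status ANSWER,
    NODATA or NXDOMAIN.  A wildcard synthesizes answers only for names that
    do not exist, and only for the types the wildcard owner actually has."""
    if name_exists(zone, qname):
        # Existing names are never covered by a wildcard, even when they
        # lack the requested type: the answer is NODATA, not synthesis.
        rrs = zone.get(qname, {})
        return ("ANSWER", list(rrs[qtype])) if qtype in rrs else ("NODATA", [])
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if name_exists(zone, ancestor):          # closest encloser found
            wildcard = "*." + ancestor
            if wildcard not in zone:
                return ("NXDOMAIN", [])
            rrs = zone[wildcard]
            return ("ANSWER", list(rrs[qtype])) if qtype in rrs else ("NODATA", [])
    return ("NXDOMAIN", [])


def helo_spf_result(zone: Zone, helo: str, client_ip: str) -> str:
    """Minimal SPF check of the HELO identity: only ip4 and all mechanisms,
    enough to tell 'none' (no policy, what Google reported) from a real
    pass/fail.  Other mechanisms and modifiers are skipped here."""
    status, txts = resolve(zone, helo, "TXT")
    records = [t for t in txts if t.startswith("v=spf1 ")]
    if status != "ANSWER" or len(records) != 1:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"      # no mechanism matched (RFC 7208 default)


if __name__ == "__main__":
    for helo in ("mail01-t122.raystedman.org.", "mail02.raystedman.org."):
        print(helo, resolve(ZONE, helo, "TXT"),
              helo_spf_result(ZONE, helo, "192.0.2.121"))
    for qtype in ("A", "TXT"):
        print("foo.single-wild.porcupine.org.", qtype,
              resolve(ZONE, "foo.single-wild.porcupine.org.", qtype))
```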


[pfx] Re: Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved

2024-06-04 Thread Wietse Venema via Postfix-users
Chris Green via Postfix-users:
> I run dnsmasq instead of systemd-resolved on all my systems.
> 
> I recently moved my desktop server to new hardware running xubuntu
> 24.04 replacing my previous system that was running xubuntu 22.04.
> 
> I installed dnsmasq and removed systemd-resolved and all seemed well
> until I noticed I couldn't send E-Mail, I run a postfix 3.8.6 server
> which sends outgoing E-Mail via my ISP's smarthost.
> 
> In the mail.log I was seeing lots of messages like:-
> 
> 2024-06-02T00:10:30.652648+01:00 q957 postfix/smtp[8733]: 9763C3542024: 
> to=, relay=none, delay=8729, delays =8729/0.02/0/0, 
> dsn=4.4.3, status=deferred (Host or domain name not found. Name service error 
> for name=smtp-auth.mythic-beasts.com type=A: Host not found, try again)
> 
> But running 'host smtp-auth.mythic-beasts.com' returned a perfectly OK
> address.
> 
> It turned out that the file /var/spool/postfix/etc/resolv.conf was:-
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search zbmc.eu
> 
> Changing it to:-
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search zbmc.eu
> 
> Has fixed the problem.

Those two sets of lines are identical.

> However I'm sure this isn't the 'right' way to do this.  How do I get
> postfix to pick up the resolv.conf file that is used/created by dnsmasq?

Postfix does not import system files under /var/spool/postfix
(the list of files needed is OS-specific).

Those files are normally copied by OS-specific scripts that start
Postfix.

Wietse


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Mon, Jun 03, 2024 at 08:55:11PM +0800, Jeff P via Postfix-users wrote:
> 
> > I have closed sasl auth on port 25.  but users still can use port 587
> > for login with plain text.  how can I force users to use submission
> > via start-tls only?  I know I can open port 465 for ssl connection.
> > but for history reason the port 587 must be open.
> 
> Belt and suspenders (the first setting implies the second, and the third
> should then never be used), in master.cf for the submission entry set:
> 
> -o { smtpd_tls_security_level = encrypt }
> -o { smtpd_tls_auth_only = yes }
> -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
> -o { smtpd_sasl_tls_security_options = noanonymous }

I'm updating the Postfix documentation that "smtpd_tls_security_level
= encrypt" will reject all plaintext commands except HELO, EHLO,
XCLIENT, STARTTLS, NOOP, QUIT, and HELP.

Wietse


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-02 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> On Tue, May 28, 2024 at 8:12 AM Greg Sims  wrote:
> >
> > On Tue, May 28, 2024 at 6:49 AM Wietse Venema via Postfix-users 
> >  wrote:
> >
> > > In recent experience with my personal porcupine.org email address,
> > > they not only want SPF or DKIM, they *also* want a DMARC policy
> > > with p=quarantine or p=reject.
> >
> > We have run p=reject for years.  DMARC is currently p=none because of the 
> > issue you are helping with.  I feel like we have a solution now -- time 
> > will tell.  I hope to be p=reject once again soon!
> >
> > Thanks Wietse, Greg
> 
> We have our bounce messages being stored in a local mailbox
> bounce-local -- this is working well.  Unfortunately the SPF Failure
> we see in the logs is not being sent to bounce-local.  Please see the
> following "collate" sequence:
> 
>   Jun 02 02:19:21 mail01.raystedman.org postfix/bounce[26402]:
> B9A1C305D596: sender non-delivery notification: EF978305D5BA

EF978305D5BA is a non-delivery notification for message B9A1C305D596.

>   Jun 02 02:19:21 mail01.raystedman.org postfix/cleanup[26400]:
> EF978305D5BA: message-id=<20240602091921.ef978305d...@mail01.raystedman.org>
>   Jun 02 02:19:21 mail01.raystedman.org postfix/qmgr[1311]:
> EF978305D5BA: from=<>, size=36846, nrcpt=1 (queue active)
>   Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
> Trusted TLS connection established to
> aspmx.l.google.com[142.251.2.26]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature ECDSA (P-256) server-digest SHA256
>   Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
> EF978305D5BA: host aspmx.l.google.com[142.251.2.26] said: 421-4.7.26
> Your email has been rate limited because it is unauthenticated. Gmail
> 421-4.7.26 requires all senders to authenticate with either SPF or
> DKIM. 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM
> = did not pass 421-4.7.26  SPF [] with ip: [209.73.152.121] = did not
> pass 421-4.7.26  421-4.7.26  For instructions on setting up
> authentication, go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> d2e1a72fcca58-70242b097aasi4749745b3a.183 - gsmtp (in reply to end of
> DATA command)

Google rejects non-delivery notification message EF978305D5BA after
receiving End-of-DATA. The SMTP reply is 421, therefore Postfix
will try to deliver EF978305D5BA to an alternate Google server.

>   Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
> Trusted TLS connection established to
> alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature ECDSA (P-256) server-digest SHA256
>   Jun 02 02:19:23 mail01.raystedman.org postfix/t121/smtp[26247]:
> EF978305D5BA: 
> to==icloud@devotion.raystedman.org>,
> relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.3,
> delays=0/0/0.89/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK  1717319963
> ca18e2360f4ac-7eafe6365f9si240806939f.105 - gsmtp)
>   Jun 02 02:19:23 mail01.raystedman.org postfix/qmgr[1311]:
> EF978305D5BA: removed

Postfix tried alt2.aspmx.l.google.com and was able to deliver the
non-delivery notification message EF978305D5BA (delivery status
notification for B9A1C305D596).

If you are interested in the content of that message, you might
find it in the mailbox for en-devo-bounce+=icloud.com

> Two things caught my eye here:
>   * Please note the message is being sent from=<> (qmgr).  This is
> likely the cause of the SPF failure as there is no domain that can be
> used to lookup the SPF record.

Isn't SPF supposed to apply policy to the EHLO/HELO argument?
Especially when the sender address has no domain.

>   * The goal for the past period of time is to get a look at the
> headers of this message. Unfortunately the message is not being sent
> to bounce-local.  No entry from process "local" above to send the
> message to the bounce-local user's mailbox.

Message EF978305D5BA is a non-delivery notification. It has sender
address <> and is a "single bounce". It contains an attachment with
the headers of message B9A1C305D596 that you want to see. It was
delivered to the mailbox for en-devo-bounce+=icloud.com

If for some reason you cannot access the above message with the
headers of message B9A1C305D596, then you can receive a message
with a copy of those headers by configuring in Postfix main.cf:

notify_classes = bounce, resource, software 

This message has a double-bounce sender address, and is by default
sent to postmaster. You can change that with:

bounce_notice_recipient = bounce-local

Or something else, if you prefer.

HOWEVER

[pfx] Re: Frustrated and sad - Authentication required

2024-06-02 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> I have changed the $myhostname string and it still says it loops
> back to myself. Port 25 must be forwarded for incoming mail. Postfix
> isn't supposed to be listening to any ports. In fact, I only have
> smtpd enabled, and not smtp. This is very confusing. :(

Wietse Venema:
> To inform the Postfix SMTP client that this Postfix instance does
> not receive mail from the network, specify:
> 
> main.cf:
> inet_interfaces =

Mailman29 via Postfix-users:
> I thought that may be right, but if I comment out the "inet_interfaces"
> it fails to take mail from the main server for outbound delivery.

We appear to be talking about different servers: one that "isn't
supposed to be listening to any ports", yet somehow should be able
to receive mail, and one that should listen: "if I comment out the
"inet_interfaces" it fails to take mail from the main server for
outbound delivery".

Coming back to the diagram:

public IP address, port 25: haproxy -> 

non-public port or address: frontend.example.com MTA with transport_maps -> 

non-public port or address: backend.example.com MTA

I understand from your response that the backend MTA should send
mail to the internet through the frontend MTA.  All that is possible
but it requires careful configuration:

1) The backend.example.com MTA receives inbound mail from the frontend,
   delivers mail locally for example.com, localhost, backend.example.com,
   frontend.example.com, and sends outbound mail through the frontend.

/etc/postfix/main.cf:
# This example assumes delivery with the local(8) delivery agent,
# with valid recipients specified in local_recipient_maps
# (default: $alias_maps unix:passwd.byname).
# Instead, one could deliver with virtual_transport, list the
# domains with virtual_mailbox_domains, and list valid recipients
# with virtual_mailbox_maps.
mydestination = example.com localhost
    backend.example.com frontend.example.com
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = backend.example.com
relayhost = [127.0.0.1]:frontend-outbound-port
inet_interfaces = 127.0.0.1

/etc/postfix/master.cf:
# Use a port other than 25 to disable IP address based loop detection.
127.0.0.1:backend-inbound-port  .. .. .. .. .. .. .. smtpd

2) The frontend.example.com MTA forwards mail to the backend for
   example.com, localhost, *.example.com:

/etc/postfix-frontend/main.cf:
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = frontend.example.com
# Forward example.com, *.example.com, localhost.
relay_domains = example.com localhost 
# This assumes you have a list of valid recipients.
relay_recipient_maps = ...list with valid recipients...
transport_maps = hash:/etc/postfix-frontend/transport
mydestination =
proxy_interfaces = the haproxy public IP address
inet_interfaces = 127.0.0.1

/etc/postfix-frontend/transport:
# Forward example.com, *.example.com, localhost to the backend.
# Execute "postmap hash:/etc/postfix-frontend/transport" after
# editing the file.
example.com relay:[127.0.0.1]:backend-inbound-port
.example.com relay:[127.0.0.1]:backend-inbound-port
localhost relay:[127.0.0.1]:backend-inbound-port

/etc/postfix-frontend/master.cf:
# The port that receives inbound mail through haproxy.
127.0.0.1:frontend-inbound-port .. .. .. .. .. .. .. smtpd
    -o syslog_name=postfix/frontend-inbound
    -o smtpd_upstream_proxy_protocol=haproxy
# The port that receives outbound mail from the backend MTA.
# Use a port other than 25 to disable IP address based loop detection.
127.0.0.1:frontend-outbound-port .. .. .. .. .. .. .. smtpd
    -o syslog_name=postfix/frontend-outbound
    -o smtpd_upstream_proxy_protocol=

There's probably a setting that I'm overlooking but this
should cover most of it.

Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> I have changed the $myhostname string and it still says it loops
> back to myself. Port 25 must be forwarded for incoming mail. Postfix
> isn't supposed to be listening to any ports. In fact, I only have
> smtpd enabled, and not smtp. This is very confusing. :(

To inform the Postfix SMTP client that this Postfix instance does
not receive mail from the network, specify:

main.cf:
inet_interfaces =

This change requires "postfix reload".

We're solving this one micro step at a time, because there is no
clear design and no clear set of requirements.

Wietse


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Gerben Wierda via Postfix-users:
> > On 31 May 2024, at 14:53, Wietse Venema  wrote:
> > 
> > Gerben Wierda via Postfix-users:
> >> 
> >>> On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> >>> 
> >>> Hello,
> >>> 
> >>> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> >>> errors/abuse/half-baked connections?
> >> 
> >> Not blacklisting as I understand it, but as HAproxy makes a connection to 
> >> test if the service is up and then breaks the connection I always see this 
> >> on both systems:
> >> 
> >> On the postfix 3.9 instance
> >> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
> >> router.rna.nl[192.168.2.2]
> >> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
> >> pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
> >> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
> >> router.rna.nl[192.168.2.2] commands=0/0
> > 
> > Yep, turn off smtpd_forbid_unauth_pipelining and try again..
> > 
> > Wietse
> 
> Actually, changing the health check on submission to 
> 
> "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"
> 
> (without the added "QUIT\r\n") did the trick as well. It might
> have been that in a previous situation HAproxy would 'never' finish
> the health check, I don't recall why I added "QUIT\r\n". Maybe it
> is needed for postscreen or dovecot and I just copied it to all
> and now it stopped working for submission.

Does not work?

- Logging would be extremely helpful.

- A machine-readable before-after configuration diff would also be
extremely helpful.

Wietse


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Fri, May 31, 2024 at 02:01:50PM +0200, Gerben Wierda via Postfix-users 
> wrote:
> 
> > It sends: "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\nQUIT\r\n"
> > It expects a response that matches regex ^220
> 
> Don't send "QUIT\r\n", just send the PROXY handshake and wait for 220,
> and then drop the connection, or if not difficult to specify, send QUIT
> *after* the 220.

Viktor is correct. Your probe talks SMTP too soon, and the real
fix is to not send QUIT before Postfix responds.

Wietse


[pfx] Re: Change Domain of "from="

2024-05-31 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> I set the following in main.cf
> 
> mydestination = localhost
> 
> and received the following in our logs:
> 
>   May 31 04:42:27 mail01.raystedman.org postfix/local[3978]:
> 7CE5C30F558E: to=, orig_to=,
> relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1, status=bounced
> (unknown user: "bounce-local")

Well duh, where should she deliver the message?

Alternatives:

- create a user, deliver to mailbox /var/mail/bounce-local

- create a user, specify command in ~bounce-local/.forward

"|path/to/command args..."

- create a local alias in /etc/aliases

bounce-local: /path/to/file

- create a local alias in /etc/aliases

bounce-local: "|path/to/command args..."

After editing /etc/aliases execute the command "newaliases".

Wietse

>   May 31 04:42:27 mail01.raystedman.org postfix/bounce[3970]: warning:
> 7CE5C30F558E: undeliverable postmaster notification discarded
> 
> It appears we are trying to deliver locally now -- a step in the right
> direction.
> 
> bounce-local is not a rhel user of the local machine -- please note
> the entry we have in virtual.
> 
> I updated main.cf as follows hoping this will help:
> 
> mydestination = $myhostname, localhost.$mydomain, localhost
> 
> We know that the SPF error for the double-bounce was trying to be sent
> to domain mail01.raystedman.org -- thus $myhostname.
> 
> Thanks, Greg
> 
> On Thu, May 30, 2024 at 2:52 PM Wietse Venema  wrote:
> >
> > Greg Sims via Postfix-users:
> > > On Thu, May 30, 2024 at 12:27 PM Greg Sims  wrote:
> > > >
> > > > I believe I am ready to capture the double-bounce locally.
> > > >
> > > > This is main.cf:
> > > >   # 24-05-30 save the bounces locally at bounce-local
> > > >   notify_classes = 2bounce, bounce, resource, software
> > > >   bounce_notice_recipient = bounce-local
> > > >   2bounce_notice_recipient = bounce-local
> > > >   virtual_alias_maps = hash:/etc/postfix/virtual
> > > >
> > > > This is virtual:
> > > >   bounce-localbounce-local@localhost
> > > >
> > > > and ran postmap /etc/postfix/virtual.
> > >
> > > This does not look good --
> > >
> > >  May 30 11:30:40 mail01.raystedman.org postfix/t121/smtp[52641]: <<< NOTE 
> > > SMTP
> > > 4FE9D3061EF0: to=, orig_to=,
> > > relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail
> > > for localhost loops back to myself)
> >
> > You are delivering mail for localhost with the Postfix SMTP CLIENT.
> >
> > Add localhost to main.cf:mydestination and do "postfix reload".
> >
> > Then, Postfix will use the local delivery agent for localhost mail.
> >
> > Wietse
> >
> > >
> > >  May 30 11:30:40 mail01.raystedman.org postfix/bounce[52732]: warning:
> > > 4FE9D3061EF0: undeliverable postmaster notification discarded
> > >
> > > The only changes were to set up the local mailbox.
> > >
> > > Thanks, Greg
> > >
> 


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Gerben Wierda via Postfix-users:
> 
> > On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> > 
> > Hello,
> > 
> > Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> > errors/abuse/half-baked connections?
> 
> Not blacklisting as I understand it, but as HAproxy makes a connection to 
> test if the service is up and then breaks the connection I always see this on 
> both systems:
> 
> On the postfix 3.9 instance
> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
> router.rna.nl[192.168.2.2]
> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
> pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
> router.rna.nl[192.168.2.2] commands=0/0

Yep, turn off smtpd_forbid_unauth_pipelining and try again..

Wietse


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Gerben Wierda via Postfix-users:
> Hmm, I just noticed (all outgoing smtp was going to a backup server that 
> works) that one of my postfix instances cannot send mail (smtp doesn't work, 
> postscreen and smtpd work fine).
> 
> # submission (587)
> submission inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission
> 990 inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission_haproxy
>   -o smtpd_upstream_proxy_protocol=haproxy
> 
> The one that haproxy sees as down has been recently updated to postfix 3.9
> 
> So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down. In 
> reality, both are up.

Postfix logging for failed haproxy connections would be extremely
informative.

There was a change in how Postfix detects clients that talk too early
(smtpd_forbid_unauth_pipelining = yes). This was disabled prior to
Postfix 3.9. Perhaps haproxy falls into this trap.

Wietse

> It probably started to behave this when I installed postfix 3.9 on one side, 
> though I cannot exclude that I updated HAproxy too, so I am not 100% certain.
> 
> What should I do? Revert to postfix 3.8? I'd rather not; I'd rather upgrade 
> the other to 3.9 (but if I do that, I probably lose all smtp behind HAproxy 
> for now)
> 
> Gerben Wierda (LinkedIn, Mastodon)
> R IT Strategy (main site)
> Book: Chess and the Art of Enterprise Architecture
> Book: Mastering ArchiMate
> YouTube Channel

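The probe Gerben describes (a PROXY v1 line followed by QUIT in one write) and Wietse's note on early-talker detection in Postfix 3.9, both in the HAproxy messages above, can be modelled end to end. The following Python is an added example, not Postfix or HAProxy code: it parses a PROXY protocol v1 header and reports whether client bytes were already waiting before the greeting went out. The greeting text and the "unknown[addr]" client format are assumptions; the probe bytes are the ones quoted in the thread.

```python
"""Model of an SMTP server that expects an HAProxy PROXY v1 header and, like
Postfix 3.9 with smtpd_forbid_unauth_pipelining=yes, treats client bytes that
arrive before the 220 greeting as pipelining after CONNECT.  Added example,
not Postfix or HAProxy code.  Assumptions: the greeting text and the
'unknown[addr]' client format; the probe bytes are the ones from the thread."""
import ipaddress
from typing import Any, Dict

GREETING = b"220 hermione ESMTP Postfix\r\n"   # constructed greeting
PROXY_V1_MAX = 107                            # v1 line limit, CRLF included

# Health-check payloads from the thread: the working one and the failing one.
GOOD_PROBE = b"PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"
BAD_PROBE = GOOD_PROBE + b"QUIT\r\n"


def parse_proxy_v1(line: bytes) -> Dict[str, Any]:
    """Parse one PROXY protocol v1 header line; raise ValueError if malformed."""
    if len(line) > PROXY_V1_MAX or not line.endswith(b"\r\n"):
        raise ValueError("PROXY line must end in CRLF and fit in 107 bytes")
    fields = line[:-2].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY keyword")
    if fields[1] == "UNKNOWN":                 # proxy could not determine the peer
        return {"proto": "UNKNOWN"}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("expected: PROXY TCP4|TCP6 src dst sport dport")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match TCP4/TCP6")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"proto": fields[1], "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}


def is_malformed(line: bytes) -> bool:
    """True when parse_proxy_v1 rejects the line."""
    try:
        parse_proxy_v1(line)
        return False
    except ValueError:
        return True


def inspect_probe(payload: bytes, forbid_early_talk: bool = True) -> Dict[str, Any]:
    """Consume the PROXY line, then look at what else is already in the
    buffer before the greeting would be written.  With forbid_early_talk
    (the behaviour the thread attributes to Postfix 3.9), anything waiting
    there is logged as improper pipelining and no greeting is sent, so a
    probe that expects ^220 fails."""
    eol = payload.find(b"\r\n")
    if eol < 0:
        raise ValueError("no complete PROXY line")
    hdr = parse_proxy_v1(payload[:eol + 2])
    leftover = payload[eol + 2:]
    client = f"unknown[{hdr.get('src', '?')}]"   # Postfix logs name[addr]; no PTR here
    report: Dict[str, Any] = {"client": client, "pipelined": bool(leftover),
                              "log": [], "reply": GREETING}
    if leftover and forbid_early_talk:
        shown = (leftover.decode("ascii", "replace")
                 .replace("\r", "\\r").replace("\n", "\\n"))
        report["log"].append(
            f"improper command pipelining after CONNECT from {client}: {shown}")
        report["reply"] = None
    return report


if __name__ == "__main__":
    for probe in (GOOD_PROBE, BAD_PROBE):
        r = inspect_probe(probe)
        print(probe, "->", "greeting sent" if r["reply"] else r["log"][0])
```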


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Have a good pub visit. 
> Changing the "myhostname" line in postfix has zero effect. It still says 
> "loops back to myself" :(

Having a problem?  https://www.postfix.org/DEBUG_README.html#mail

Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> 
> 
> The network diagram you have is correct. I'm afraid I don't
> understand the "use loopback for internal communication". There's
> no internal communication. Should I just put 127.0.0.1 in my main.cf
> in place of "mail2"?

- External: communication from internet to haproxy.

- Internal: communication between haproxy and front-end MTA.

- Internal: communication between front-end MTA and back-end MTA.

The internal communication endpoints are supposed to be hidden from
the public internet, so that mail from outside can only flow over
the intended path, not around it.

It's time to go to the pub. Cheers.

Wietse

> 
> On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > myhostname is set to "mail2" in main.cf, but the mx record points
> > > to mail.somedomain.com, (they share the same IP though) would it
> > > be doing an ip lookup first? I guess I need to "trick" it into
> > > thinking it's not the same if it's IP based.
> > 
> > 
> > Postfix requires transport_maps to forward mail from a front-end
> > MTA to a backend MTA. Other approaches are not supported.
> > 
> > Based on your earlier description I expect something like:
> > 
> > public IP address, port 25: haproxy ->
> > 
> > 
> > hidden port or address: frontend MTA with transport_maps ->
> > 
> > 
> > hidden port or address: backend MTA
> > 
> > If all this runs on a single host, and you use loopback (127.0.0.1)
> > for internal communication, then Postfix won't care whether servers
> > use the same MTA name.
> > 
> > If you use a non-routable network such as 10.* or 192.168.* for
> > internal communication, then you will need distinct MTA names.
> > 
> > However, for sanity's sake, I'd always recommend that different MTA
> > instances identify themselves with different names. Otherwise your
> > logging will be incomprehensible.
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29 via Postfix-users:
> > > > 
> > > > > Well the logs say this, which doesn't help.
> > > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > > loops back to myself)
> > > > 
> > > > On the contrary, it says that you have configured a mailer loop,
> > > > or that you have two different mail services that use the same MTA
> > > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > > 
> > > > > The domain and the postfix server do share the same IP (haproxy
> > > > > server), but if Postfix would deliver the bounce message it would
> > > > > get passed through the proxy to the mail server backend. Is there
> > > > > a way to force this?
> > > > 
> > > > 1) If the Postfix machine is a front-end for a backend server, then
> > > > Postfix must be configured as a mail gateway, and there should be
> > > > a transport_maps setting that routes mail for the domain to the
> > > > backend instead of sending it to the public internet address. See
> > > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > > 
> > > > 2) If your Postfix server is behind an inbound proxy server, then
> > > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > > so that Postfix will know that it should not try to connect there.
> > > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > > 
> > > > 3) If you really have more than one mail server, then they must
> > > > have different MTA names (In Postfix parlance the MTA name is the
> > > > myhostname setting).
> > > > 
> > > > Wietse
> > > > 
> > > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via 
> > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > 
> > > > > > Mailman29:
> > > > > > 
> > > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> &

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> myhostname is set to "mail2" in main.cf, but the mx record points
> to mail.somedomain.com, (they share the same IP though) would it
> be doing an ip lookup first? I guess I need to "trick" it into
> thinking it's not the same if it's IP based.

Postfix requires transport_maps to forward mail from a front-end
MTA to a backend MTA. Other approaches are not supported.

Based on your earlier description I expect something like:

public IP address, port 25: haproxy -> 

hidden port or address: frontend MTA with transport_maps -> 

hidden port or address: backend MTA

If all this runs on a single host, and you use loopback (127.0.0.1)
for internal communication, then Postfix won't care whether servers
use the same MTA name.

If you use a non-routable network such as 10.* or 192.168.* for
internal communication, then you will need distinct MTA names.

However, for sanity's sake, I'd always recommend that different MTA
instances identify themselves with different names. Otherwise your
logging will be incomprehensible.

Wietse

> On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > Well the logs say this, which doesn't help.
> > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > loops back to myself)
> > 
> > On the contrary, it says that you have configured a mailer loop,
> > or that you have two different mail services that use the same MTA
> > name (in Postfix parlance, the MTA name is the myhostname setting).
> > 
> > > The domain and the postfix server do share the same IP (haproxy
> > > server), but if Postfix would deliver the bounce message it would
> > > get passed through the proxy to the mail server backend. Is there
> > > a way to force this?
> > 
> > 1) If the Postfix machine is a front-end for a backend server, then
> > Postfix must be configured as a mail gateway, and there should be
> > a transport_maps setting that routes mail for the domain to the
> > backend instead of sending it to the public internet address. See
> > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > 
> > 2) If your Postfix server is behind an inbound proxy server, then
> > you MUST specify the external address with main.cf:proxy_interfaces,
> > so that Postfix will know that it should not try to connect there.
> > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > 
> > 3) If you really have more than one mail server, then they must
> > have different MTA names (In Postfix parlance the MTA name is the
> > myhostname setting).
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29:
> > > > 
> > > > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > > > server!
> > > > > 
> > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > seems they just disappear into the ether!
> > > > 
> > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > 
> > > > If you don't understand an error or warning message, report the
> > > > problem on the postfix-users mailing list.
> > > > 
> > > > Wietse
> > > > 
> > > > > Sent with Proton Mail secure email.
> > > > > 
> > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > 
> > > > > > Mailman29 via Postfix-users:
> > > > > > 
> > > > > > > HI guys.
> > > > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > > > my local server.
> > > > > > > 
> > > > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > > > from my IP address only

[pfx] Re: Change Domain of "from="

2024-05-30 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> On Thu, May 30, 2024 at 12:27 PM Greg Sims  wrote:
> >
> > I believe I am ready to capture the double-bounce locally.
> >
> > This is main.cf:
> >   # 24-05-30 save the bounces locally at bounce-local
> >   notify_classes = 2bounce, bounce, resource, software
> >   bounce_notice_recipient = bounce-local
> >   2bounce_notice_recipient = bounce-local
> >   virtual_alias_maps = hash:/etc/postfix/virtual
> >
> > This is virtual:
> >   bounce-local    bounce-local@localhost
> >
> > and ran postmap /etc/postfix/virtual.
> 
> This does not look good --
> 
>  May 30 11:30:40 mail01.raystedman.org postfix/t121/smtp[52641]: <<< NOTE SMTP
> 4FE9D3061EF0: to=, orig_to=,
> relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail
> for localhost loops back to myself)

You are delivering mail for localhost with the Postfix SMTP CLIENT.

Add localhost to main.cf:mydestination and do "postfix reload".

Then, Postfix will use the local delivery agent for localhost mail.

Wietse

> 
>  May 30 11:30:40 mail01.raystedman.org postfix/bounce[52732]: warning:
> 4FE9D3061EF0: undeliverable postmaster notification discarded
> 
> The only changes were to set up the local mailbox.
> 
> Thanks, Greg


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Well the logs say this, which doesn't help. 
> May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> to=, relay=none, delay=5.2,
> delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> loops back to myself)

On the contrary, it says that you have configured a mailer loop,
or that you have two different mail services that use the same MTA
name (in Postfix parlance, the MTA name is the myhostname setting).

> The domain and the postfix server do share the same IP (haproxy
> server), but if Postfix would deliver the bounce message it would
> get passed through the proxy to the mail server backend. Is there
> a way to force this?

1) If the Postfix machine is a front-end for a backend server, then
Postfix must be configured as a mail gateway, and there should be
a transport_maps setting that routes mail for the domain to the
backend instead of sending it to the public internet address. See
https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

2) If your Postfix server is behind an inbound proxy server, then
you MUST specify the external address with main.cf:proxy_interfaces,
so that Postfix will know that it should not try to connect there.
https://www.postfix.org/postconf.5.html#proxy_interfaces

3) If you really have more than one mail server, then they must
have different MTA names (In Postfix parlance the MTA name is the
myhostname setting).

Wietse

> On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29:
> > 
> > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > server!
> > > 
> > > Now, how do I get postfix to send failures etc to my server? It
> > > seems they just disappear into the ether!
> > 
> > 
> > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > 
> > If you don't understand an error or warning message, report the
> > problem on the postfix-users mailing list.
> > 
> > Wietse
> > 
> > > Sent with Proton Mail secure email.
> > > 
> > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29 via Postfix-users:
> > > > 
> > > > > HI guys.
> > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > my local server.
> > > > > 
> > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > from my IP address only, but every time I try to send mail through
> > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > 
> > > > > --> EHLO mail!
> > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet 
> > > > > you
> > > > 
> > > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > > because you are not talking to Postfix.
> > > > 
> > > > I suggest that you look in the maillog file to find out what
> > > > program is answering the connection.
> > > > 
> > > > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29:
> Brilliant! I had a loop with haproxy that pointed it back at my mail server! 
> 
> Now, how do I get postfix to send failures etc to my server? It
> seems they just disappear into the ether!

Look in your logs: https://www.postfix.org/DEBUG_README.html#logging

If you don't understand an error or warning message, report the
problem on the postfix-users mailing list.

Wietse

> Sent with Proton Mail secure email.
> 
> On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > HI guys.
> > > I'm having an awful time getting postfix to work in one form only.
> > > Accept mail from one ip address only, regardless of the sender's
> > > domain name, and send it out to the recipients. Postfix has no
> > > accounts, and accepts no incoming mail. It's only for sending from
> > > my local server.
> > > 
> > > Here's my main.cf, as you can see I have it set up to accept mail
> > > from my IP address only, but every time I try to send mail through
> > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > 
> > > --> EHLO mail!
> > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > 
> > 
> > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > because you are not talking to Postfix.
> > 
> > I suggest that you look in the maillog file to find out what
> > program is answering the connection.
> > 
> > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> HI guys.
> I'm having an awful time getting postfix to work in one form only.
> Accept mail from one ip address only, regardless of the sender's
> domain name, and send it out to the recipients. Postfix has no
> accounts, and accepts no incoming mail. It's only for sending from
> my local server.
> 
> Here's my main.cf, as you can see I have it set up to accept mail
> from my IP address only, but every time I try to send mail through
> it I get the error : (somedomain.com is placeholder for my FQDN)
> 
> --> EHLO mail!
>   <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you

THAT IS NOT Postfix. You can tweak settings and it will have no effect,
because you are not talking to Postfix.

I suggest that you look in the maillog file to find out what
program is answering the connection.

Wietse


[pfx] Re: Change Domain of "from="

2024-05-30 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> double-bounces which is now unclear -- at least to me.  Perhaps you
> can give me an idea of how to capture just the double-bounces locally.

1) The postmaster recipient address for single or double bounces is 
configurable.
https://www.postfix.org/postconf.5.html#notify_classes
https://www.postfix.org/postconf.5.html#bounce_notice_recipient
https://www.postfix.org/postconf.5.html#2bounce_notice_recipient

2) You can configure Postfix to deliver that address locally.
https://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local

Wietse


[pfx] Re: Change Domain of "from="

2024-05-29 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> On Wed, May 29, 2024 at 2:52 PM Wietse Venema via Postfix-users
>  wrote:
> 
> > Presumably you have to DKIM or SPF or DMARC for hostname.raystedman.org,
> > so any way to get double-bou...@raystedman.org should help.
> >
> > You have to be careful about mailer loops, though.
> >
> > Postfix gives special treatment to <> and 
> > to avoid an infinite loop of notifications for failed notifications.
> 
> Please note mail01 receives email from our private network Only.  This
> email is created by our servers.
> mail01 does not receive email from the Internet. All of our MX records
> point to Google.
> If we can get the double-bounce to Google, there seems to be little
> chance of a mailer loop.

I may have a different solution below.

First the worse news:

Suppose that delivery of the double-bounce to Google fails. Postfix
will then try to notify the envelope sender address. If we're not
careful, that can result in a non-delivery notification loop.

I just checked the implementation. The Postfix bounce daemon handles
failed double bounces by not generating a non-delivery notification
(i.e. it ignores a failed double bounce). But it ignores them only
when the sender address was

$double_bounce_sender@$myhostname

Otherwise, this special handling won't work, and the Postfix bounce
daemon will generate a new notification, and the process may repeat
over and over.

The better news is that unlike (sender_)canonical_maps, the
smtp_generic_maps feature does not change the (double bounce) sender
address that Postfix uses internally. This feature changes only
what is sent in SMTP commands.

So, get rid of my (sender_)canonical mapping, and update master.cf:

master.cf:
special-smtp-client . .. .. .. .. .. .. smtp
-o { notify_classes = bounce, ... }
-o { smtp_generic_maps = inline:{
 { double-bou...@hostname.raystedman.org =
 double-bou...@raystedman.org } } }

Thus, the sending Postfix will ignore a failed notification from
double-bou...@hostname.raystedman.org as intended, and the receiving
Google server will see SMTP commands with double-bou...@raystedman.org
which are good for SPF and DKIM.

If you need to DKIM sign bounces, and you are using non_smtpd_milters
to do that, then you may have to specify:

main.cf:
internal_mail_filter_classes = bounce

See https://www.postfix.org/postconf.5.html#internal_mail_filter_classes

> We have two DMARC/DKIM/SPF setups:
>   (1) email with domain raystedman.org is relayed through Google.
> This is our transactional email (subscription double opt-in and the
> like).
>   (2) email with domain devotion.raystedman.org is sent directly onto
> the Internet.
> 
> I am reluctant to create a third DMARC/DKIM/SPF for the double-bounce
> case which is now using domain mail01.raystedman.org.
> 
> I created a SPF record for mail01.raystedman.org -- for tonight.  This
> should be enough to get DMARC to pass when the double-bounce email is
> received by Google -- at least this is the hope.  I will work on this
> again Thursday.

I think it's a bad idea to send your double bounces to a different site.
The Postfix design really wants to handle them locally.

Wietse


[pfx] Re: Change Domain of "from="

2024-05-29 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> I wrote software that reviews the bounces in the Gmail mailbox and
> unsubscribes email addresses from the daily devotion distribution as
> needed.The software is very conservative in the way this is done.
> Bounces 3 out of 5 consecutive days and only for certain types of errors.
> If our software recognises the bounce, the bounce email is deleted by the
> software from the mailbox.  Once per month I log into Gmail and review the
> remaining bounces manually.  RSM uses Gmail for all of the people who work
> & volunteer for the ministry.  This pattern seemed to fit.
> 
> I am looking for a way to resolve our SPF issue.  If sender_canonical_maps
> is the solution, I will give it a try.  Did you expect that using "myorigin
> = raystedman.org" would resolve the SPF issue?

Presumably you have to DKIM or SPF or DMARC for hostname.raystedman.org,
so any way to get double-bou...@raystedman.org should help.

You have to be careful about mailer loops, though.

Postfix gives special treatment to <> and 
to avoid an infinite loop of notifications for failed notifications.

So there was a typo in my earlier sender_canonical_maps example,
where I used _ instead of -.

 sender_canonical_maps = inline:{
 { double-bou...@mail01.raystedman.ora =
   double-bou...@raystedman.org } }

Specifying a domain in the double_bounce_sender setting will not work.
The implementation does not expect @ in the double_bounce_sender
value, and should handle that.

Wietse


[pfx] Re: Change Domain of "from="

2024-05-29 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Greg Sims via Postfix-users:
> > Hello,
> > 
> > We found the following in our email logs this morning.  I ran
> > "collate" and here is the result:
> > 
> >   May 29 02:10:04 mail01.raystedman.org postfix/bounce[31220]:
> > AFC7030537E6: postmaster non-delivery notification: 7A80D32EDB2C
> >   May 29 02:10:04 mail01.raystedman.org postfix/cleanup[31245]:
> > 7A80D32EDB2C: message-id=<20240529091004.7a80d32ed...@mail01.raystedman.org>
> >   May 29 02:10:04 mail01.raystedman.org postfix/qmgr[27525]:
> > 7A80D32EDB2C: from=, size=3380,
> > nrcpt=1 (queue active)
> >   May 29 02:10:04 mail01.raystedman.org postfix/t122/smtp[31017]:
> > Trusted TLS connection established to
> > aspmx.l.google.com[142.250.141.27]:25: TLSv1.3 with cipher
> > TLS_AES_256_GCM_SHA384 (256/2
> > 56 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest 
> > SHA256
> >   May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> > 7A80D32EDB2C: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26
> > Your email has been rate limited because it is unauthenticated. Gmail
> > 421-4.7.26 requires all senders to authenticate with either SPF or
> > DKIM. 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM
> > = did not pass 421-4.7.26  SPF [mail01.raystedman.org] with ip:
> > [209.73.152.122] = did not pass 421-4.7.26  421-4.7.26  For
> > instructions on setting up authentication, go to 421 4.7.26
> > https://support.google.com/mail/answer/81126#authentication
> > d2e1a72fcca58-6f8fc04d880si9913771b3a.16 - gsmtp (in reply to end of
> > DATA command)
> >   May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> > Trusted TLS connection established to
> > alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
> > TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> > server-signature ECDSA (P-256) server-digest SHA256
> >   May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> > 7A80D32EDB2C: to=, orig_to=,
> > relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.2,
> > delays=0/0/0.92/0.3, dsn=4.7.26, status=deferred (host
> > alt2.aspmx.l.google.com[74.125.126.26] said: 421-4.7.26 Your email has
> > been rate limited because it is unauthenticated. Gmail 421-4.7.26
> > requires all senders to authenticate with either SPF or DKIM.
> > 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM = did
> > not pass 421-4.7.26  SPF [mail01.raystedman.org] with ip:
> > [209.73.152.122] = did not pass 421-4.7.26  421-4.7.26  For
> > instructions on setting up authentication, go to 421 4.7.26
> > https://support.google.com/mail/answer/81126#authentication
> > ca18e2360f4ac-7e9c1b21032si328213139f.60 - gsmtp (in reply to end of
> > DATA command))
> > 
> > main.cf contains:
> > 
> >   # 24-05-28
> >   # email comes from raystedman.org instead of mail0.raystedman.org
> >   # note: the mail01 subdomain does not need a SPF record in DNS as a result
> >   myorigin = raystedman.org
> > 
> > I hoped this would allow the message being sent to be
> > from=.  Please note the qmgr record
> > above shows the name of the sending machine -- mail01.raystedman.org.
> 
> How about using sender_canonical_maps?
> 
> sender_canonical_maps = inline:{
>   { double-bou...@mail01.raystedman.ora = double_bou...@raystedman.org } }

Or maybe double_bounce_sender = double-bou...@raystedman.org

Wietse


[pfx] Re: Change Domain of "from="

2024-05-29 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> Hello,
> 
> We found the following in our email logs this morning.  I ran
> "collate" and here is the result:
> 
>   May 29 02:10:04 mail01.raystedman.org postfix/bounce[31220]:
> AFC7030537E6: postmaster non-delivery notification: 7A80D32EDB2C
>   May 29 02:10:04 mail01.raystedman.org postfix/cleanup[31245]:
> 7A80D32EDB2C: message-id=<20240529091004.7a80d32ed...@mail01.raystedman.org>
>   May 29 02:10:04 mail01.raystedman.org postfix/qmgr[27525]:
> 7A80D32EDB2C: from=, size=3380,
> nrcpt=1 (queue active)
>   May 29 02:10:04 mail01.raystedman.org postfix/t122/smtp[31017]:
> Trusted TLS connection established to
> aspmx.l.google.com[142.250.141.27]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/2
> 56 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest 
> SHA256
>   May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> 7A80D32EDB2C: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26
> Your email has been rate limited because it is unauthenticated. Gmail
> 421-4.7.26 requires all senders to authenticate with either SPF or
> DKIM. 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM
> = did not pass 421-4.7.26  SPF [mail01.raystedman.org] with ip:
> [209.73.152.122] = did not pass 421-4.7.26  421-4.7.26  For
> instructions on setting up authentication, go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> d2e1a72fcca58-6f8fc04d880si9913771b3a.16 - gsmtp (in reply to end of
> DATA command)
>   May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> Trusted TLS connection established to
> alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature ECDSA (P-256) server-digest SHA256
>   May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> 7A80D32EDB2C: to=, orig_to=,
> relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.2,
> delays=0/0/0.92/0.3, dsn=4.7.26, status=deferred (host
> alt2.aspmx.l.google.com[74.125.126.26] said: 421-4.7.26 Your email has
> been rate limited because it is unauthenticated. Gmail 421-4.7.26
> requires all senders to authenticate with either SPF or DKIM.
> 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM = did
> not pass 421-4.7.26  SPF [mail01.raystedman.org] with ip:
> [209.73.152.122] = did not pass 421-4.7.26  421-4.7.26  For
> instructions on setting up authentication, go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> ca18e2360f4ac-7e9c1b21032si328213139f.60 - gsmtp (in reply to end of
> DATA command))
> 
> main.cf contains:
> 
>   # 24-05-28
>   # email comes from raystedman.org instead of mail0.raystedman.org
>   # note: the mail01 subdomain does not need a SPF record in DNS as a result
>   myorigin = raystedman.org
> 
> I hoped this would allow the message being sent to be
> from=.  Please note the qmgr record
> above shows the name of the sending machine -- mail01.raystedman.org.

How about using sender_canonical_maps?

sender_canonical_maps = inline:{
{ double-bou...@mail01.raystedman.ora = double_bou...@raystedman.org } }

Why are you sending these notifications to Google?

Wietse


[pfx] Re: SASL login username in log

2024-05-28 Thread Wietse Venema via Postfix-users
Northwind via Postfix-users:
> Hello,
> 
> Is it possible to set mail.log for recording sasl login usernames?
> 
> May 29 06:52:45 mx postfix/smtps/smtpd[3022855]: warning: 
> unknown[138.185.193.64]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:52:57 mx postfix/smtpd[3023133]: warning: 
> unknown[49.156.148.93]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:03 mx postfix/smtps/smtpd[3022864]: warning: 
> unknown[167.179.45.182]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:07 mx postfix/smtps/smtpd[3022912]: warning: 
> unknown[165.227.46.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:08 mx postfix/smtps/smtpd[3022901]: warning: 
> unknown[112.199.181.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:12 mx postfix/smtpd[3023133]: warning: 
> unknown[58.23.17.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:14 mx postfix/smtps/smtpd[3022912]: warning: 
> unknown[165.227.46.18]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> May 29 06:53:19 mx postfix/smtps/smtpd[3022869]: warning: 
> unknown[58.174.79.124]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 
> For example, for the failed login events above, I want to know what 
> usernames they happened on.

https://www.postfix.org/announcements/postfix-3.8.3.html

Fixed with Postfix 3.8.3, 3.7.8, 3.6.12, 3.5.22:
...
  * Usability: the Postfix SMTP server (finally) attempts to log
the SASL username after authentication failure. In Postfix
logging, this appends ", sasl_username=xxx" after the reason
for SASL authentication failure. The logging replaces an
unavailable reason with "(reason unavailable)", and replaces
an unavailable sasl_username with "(unavailable)". Based on
code by Jozsef Kadlecsik.
...

Wietse


[pfx] Re: Masters.cf

2024-05-28 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> 
> On 5/28/24 11:48 AM, Wietse Venema via Postfix-users wrote:
> > postconf -Mf submission/inet".
> 
> 
> May 28 10:51:07 proteus.noach.com postfix/submission/smtpd[57120]: 
> warning: malformed map specification: '{ reject_rbl_client 
> xbl.spamhaus.org }'

There is no reject_rbl_client in the configuration that you sent.

In any case, with parameters in master.cf the {} are used like this

-o { name = value... }

That is, the name and value INSIDE the {}.

The {} are NOT in the middle of a value like you did:

-o name=value,{ value },...

For syntax see https://www.postfix.org/master.5.html

Wietse
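Added example, not from this list or from the Postfix project: a small log-triage script over constructed sample lines in the formats quoted in the threads above (the "loops back to myself" bounce, SASL LOGIN failures with and without the sasl_username field that Postfix 3.8.3 and its patch releases added, and the master.cf "malformed map specification" warning). The hostnames, client addresses, queue IDs and usernames in the sample are placeholders, and the hint texts are a condensation of the advice given in the replies.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Patterns for the Postfix log lines quoted in the threads above.
LOOP_RE = re.compile(
    r"status=bounced \(mail for (?P<domain>\S+) loops back to myself\)")
SASL_RE = re.compile(
    r"(?P<client>\S+\[[^\]]+\]): SASL (?P<mech>\S+) authentication failed: "
    r"(?P<reason>[^,]*)(?:, sasl_username=(?P<user>\S+))?")
MALFORMED_RE = re.compile(
    r"warning: malformed map specification: '(?P<spec>[^']*)'")

# Remediation hints condensed from the answers above.
HINTS = {
    "mailer_loop": "put the domain in mydestination or route it with "
                   "transport_maps; behind a proxy set proxy_interfaces; "
                   "separate MTAs need distinct myhostname values",
    "sasl_failure": "repeated failures are credential guessing; Postfix "
                    "3.8.3/3.7.8/3.6.12/3.5.22 and later log sasl_username, "
                    "older releases do not",
    "malformed_map": "master.cf override syntax is '-o { name = value }'; "
                     "braces must not sit in the middle of a value",
}


@dataclass(frozen=True)
class Finding:
    category: str  # key into HINTS
    detail: str    # what the line reported: domain, client+user, or map spec
    hint: str


def classify(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None if it is not of interest."""
    m = LOOP_RE.search(line)
    if m:
        return Finding("mailer_loop", m["domain"], HINTS["mailer_loop"])
    m = SASL_RE.search(line)
    if m:
        # Releases before the fix do not log the username at all.
        user = m["user"] or "(not logged)"
        return Finding("sasl_failure", f"{m['client']} user={user}",
                       HINTS["sasl_failure"])
    m = MALFORMED_RE.search(line)
    if m:
        return Finding("malformed_map", m["spec"], HINTS["malformed_map"])
    return None


def triage(lines) -> List[Finding]:
    """Classify every line and keep the recognised ones, in log order."""
    return [f for f in map(classify, lines) if f is not None]


def loop_domains(findings) -> Counter:
    """Domains that bounced with 'loops back to myself'."""
    return Counter(f.detail for f in findings if f.category == "mailer_loop")


def sasl_failures_by_user(findings) -> Counter:
    """Failed SASL logins per username, as logged or '(not logged)'."""
    return Counter(f.detail.split("user=", 1)[1]
                   for f in findings if f.category == "sasl_failure")


# Constructed sample log: placeholder hosts, addresses and queue IDs.
SAMPLE_LINES = [
    "May 30 14:01:02 mail2 postfix/smtp[1234]: AB12CD3456: to=<user@example.com>,"
    " relay=none, delay=5.2, delays=0/0/5.2/0, dsn=5.4.6, status=bounced"
    " (mail for example.com loops back to myself)",
    "May 30 11:30:41 mail01 postfix/smtp[2346]: CD34EF5678: to=<bounce-local@localhost>,"
    " relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced"
    " (mail for localhost loops back to myself)",
    "May 29 06:52:45 mx postfix/smtps/smtpd[3001]: warning: unknown[192.0.2.10]:"
    " SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 29 06:52:57 mx postfix/smtpd[3002]: warning: unknown[192.0.2.11]:"
    " SASL LOGIN authentication failed: UGFzc3dvcmQ6, sasl_username=alice",
    "May 29 06:53:03 mx postfix/smtps/smtpd[3003]: warning: unknown[192.0.2.12]:"
    " SASL LOGIN authentication failed: (reason unavailable), sasl_username=alice",
    "May 29 06:53:07 mx postfix/smtps/smtpd[3004]: warning: unknown[192.0.2.13]:"
    " SASL PLAIN authentication failed: UGFzc3dvcmQ6, sasl_username=(unavailable)",
    "May 28 10:51:07 host postfix/submission/smtpd[4001]: warning: malformed map"
    " specification: '{ reject_rbl_client xbl.spamhaus.org }'",
    "May 28 10:51:08 host postfix/submission/smtpd[4001]: connect from"
    " unknown[192.0.2.20]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.category:14} {f.detail:45} -> {f.hint}")
```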


[pfx] Re: "delivered to command" config

2024-05-28 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Adam Weremczuk via Postfix-users:
> > I've tried your suggestion.
> > 
> > SERVER1 is still trying to deliver test email locally rather than 
> > forward to SERVER2:

According to your postfinger output, you did not configure
virtual_alias_maps on server1 to send bugzilla mail to server2.
Therefore, Postfix on server1 will deliver it locally.

There needs to be a virtual_alias_maps rule like this:

bugzi...@matrixscience.co.uk    bugzi...@server2.matrixscience.co.uk

or like this:

bugzi...@matrixscience.com  bugzi...@server2.matrixscience.co.uk

or maybe both.

See my previous email for how to configure and manage Postfix virtual
alias maps.

Wietse

> > : host
> >  mx0.myLANdomain.com[/var/run/cyrus/socket/lmtp] said: 550-Mailbox
> >  unknown.  Either there is no mailbox associated with this 550-name 
> > or you
> >  do not have authorization to see it. 550 5.1.1 User unknown (in 
> > reply to
> >  RCPT TO command)
> 
> The NEW virtual_alias_maps configuration takes effect ONLY for new messages.
> 
> For more support, follow https://www.postfix.org/DEBUG_README.html#mail
> 
>   Wietse


[pfx] Re: Masters.cf

2024-05-28 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> Not working, had recipient instead of client. Fixed that and then it says 
> it's not a map.

We need:

- The complete error message, exactly as logged.

- Output from "postconf -Mf submission/inet".

Wietse
> 
> On 5/28/24 10:36 AM, John Hill via Postfix-users wrote:
> > Here is what IS NOT causing postfix to dump, not sure if it will work.
> >
> > main.cf
> >
> > submission_recipient_restrictions = reject_rbl_client xbl.spamhaus.org
> >
> > master.cf
> >
> > submission
> >
> > -o 
> > smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ 
> > $submission_recipient_restrictions },reject
> >
> >
> > It sends and receives mail so far. not sure on the RBL yet.
> >
> > --john
> >
> >


[pfx] Re: "delivered to command" config

2024-05-28 Thread Wietse Venema via Postfix-users
Adam Weremczuk via Postfix-users:
> I've tried your suggestion.
> 
> SERVER1 is still trying to deliver test email locally rather than 
> forward to SERVER2:
> 
> : host
>  mx0.myLANdomain.com[/var/run/cyrus/socket/lmtp] said: 550-Mailbox
>  unknown.  Either there is no mailbox associated with this 550-name 
> or you
>  do not have authorization to see it. 550 5.1.1 User unknown (in 
> reply to
>  RCPT TO command)

The NEW virtual_alias_maps configuration takes effect ONLY for new messages.

For more support, follow https://www.postfix.org/DEBUG_README.html#mail

Wietse


[pfx] Re: "delivered to command" config

2024-05-28 Thread Wietse Venema via Postfix-users
Adam Weremczuk via Postfix-users:
> Sorry, I'm still struggling to get anywhere with that.
> 
> Just to recap what I'm trying to achieve:
> 
> SERVER1 is a fully blown Postfix+Cyrus stack operating over the internet 
> and serving multiple domains.
> 
> SERVER2 is a small VM on a local LAN (same LAN as SERVER1) that runs 
> Bugzilla.
> 
> Both SERVERS use the same LAN domain myLANdomain.com.

You can have multiple servers with the same domain name, as long
as each server also receives mail for its own hostname
(in your case: server1.myLANdomain.com and server2.myLANdomain.com,
respectively).

server1 :

/etc/postfix/main.cf: 
# Execute "postfix reload" after editing this file
mydestination = localhost, myLANdomain.com, server1.myLANdomain.com
virtual_alias_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
# Execute "postmap hash:/etc/postfix/virtual" after editing
# this file
bugzi...@mylandomain.com    bugzi...@server2.mylandomain.com

server2:

Here is the bugzilla account with ~bugzilla/.forward

/etc/postfix/main.cf
# Execute "postfix reload" after editing this file
mydestination = localhost, myLANdomain.com, server2.myLANdomain.com

> I've installed Postfix on SERVER2 and configured it as below:

Sorry, I know only Postfix settings, not third-party control panels.

Wietse

> setting synchronous mail queue updates: false
> setting myorigin
> setting destinations: server2.myLANdomain.com, server2, localhost
> setting relayhost:
> setting mynetworks: 127.0.0.0/8 192.168.0.0/24
> setting mailbox_size_limit: 0
> setting recipient_delimiter: +
> setting inet_interfaces: all
> setting inet_protocols: ipv4
> 
> Now, all I want to achieve is to forward all emails to 
> bugzi...@mypublicdomain.com to a local user (unique name) bugzilla2 
> created on SERVER2.
> 
> Whatever email is delivered to bugzilla2 on SERVER2 locally should be 
> fed to the command defined in ~bugzilla2/.forward file
> 
> So my first objective, I guess, would be to allow that local user to 
> receive emails from outside somehow and be treated as local emails.
> 
> I feel like I'm missing something fundamental here...
> 
> Adam
> 
> 
> On 21/05/2024 12:00, Wietse Venema via Postfix-users wrote:
> > Adam Weremczuk via Postfix-users:
> >> Thank you Victor.
> >>
> >> What's the easiest way to change:
> >>
> >> bugzilla@mailserver:~$ cat ~/.forward
> >> "|/vol/localhome/bugzilla/site/live/email_in.pl -vvv 2>/tmp/bz_emailin.log"
> >>
> >> to something like:
> >>
> >> remoteser...@mydomain.com:/vol/localhome/bugzilla/site/live/email_in.pl
> >> -vvv 2>/tmp/bz_emailin.log
> > 
> > There are multiple ways:
> > 
> > 1) On the mailserver machine:
> > 
> >In ~bugzilla/.forward
> >  bugzilla@remoteser...@mydomain.com
> > 
> >On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
> > 
> > 2) On the mailserver machine:
> > 
> >In /etc/aliases:
> >bugzilla: bugzilla@remoteser...@mydomain.com
> > 
> >run the "newaliases" command after editing the file.
> > 
> >On the remoteserver, the ~bugzilla/.forward file with email_in.pl.
> > 
> > Wietse


[pfx] Re: Capture Bounced Email Headers & Content

2024-05-28 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> > On Mon, May 27, 2024 at 3:40 AM Viktor Dukhovni via Postfix-users <
> postfix-users@postfix.org> wrote:
> 
> > You really should have posted "collate" output, which would have shown
> > the envelope sender address in the "qmgr active" log entry.  Perhaps
> > the actual domain used did not have the expected SPF records.
> 
> Wietse:
> 
> notify_classes is working well.  Postmaster is hosted by Google and we are
> seeing sequences like the following as a result.  I had to move
> notify_classes to main.cf to cover all of our email.  For debug it would
> likely be best to have Postmaster email remain on our server -- instead of
> sending it to Google.  Please see below as I believe we may have a
> better understanding without the email headers.

It does not have to be postmaster:
https://www.postfix.org/postconf.5.html#bounce_notice_recipient
https://www.postfix.org/postconf.5.html#notify_classes

Or: "Delivering some but not all accounts locally":
https://www.postfix.org/STANDARD_CONFIGURATION_README.html#some_local

> Viktor:
> 
> The "collate" for this issue is enlightening.  Here is an instance:
> 
>   May 28 02:11:41 mail01.raystedman.org postfix/bounce[19442]:
> B78BC305D5A9: postmaster non-delivery notification: 4A841305D5BE
>   May 28 02:11:41 mail01.raystedman.org postfix/cleanup[19458]:
> 4A841305D5BE: message-id=<20240528091141.4a841305d...@mail01.raystedman.org>
>   May 28 02:11:41 mail01.raystedman.org postfix/qmgr[16460]: 4A841305D5BE:
> from=, size=3187, nrcpt=1 (queue
> active)
>   May 28 02:11:41 mail01.raystedman.org postfix/t124/smtp[19403]: Trusted
> TLS connection established to aspmx.l.google.com[142.250.141.27]:25:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> ECDSA (P-256) server-digest SHA256
>   May 28 02:11:41 mail01.raystedman.org postfix/t124/smtp[19403]:
> 4A841305D5BE: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26 Your
> email has been rate limited because it is unauthenticated. Gmail 421-4.7.26
> requires all senders to authenticate with either SPF or DKIM. 421-4.7.26
>  421-4.7.26  Authentication results: 421-4.7.26  DKIM = did not pass
> 421-4.7.26  SPF [mail01.raystedman.org] with ip: [209.73.152.124] = did not
> pass 421-4.7.26  421-4.7.26  For instructions on setting up authentication,
> go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> d2e1a72fcca58-701bc33108esi1286635b3a.272 - gsmtp (in reply to end of DATA
> command)

In recent experience with my personal porcupine.org email address,
they not only want SPF or DKIM, they *also* want a DMARC policy
with p=quarantine or p=reject.

>   May 28 02:11:42 mail01.raystedman.org postfix/t124/smtp[19403]: Trusted
> TLS connection established to alt2.aspmx.l.google.com[74.125.126.27]:25:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
> X25519 server-signature ECDSA (P-256) server-digest SHA256
>   May 28 02:11:42 mail01.raystedman.org postfix/t124/smtp[19403]:
> 4A841305D5BE: to=, orig_to=, relay=
> alt2.aspmx.l.google.com[74.125.126.27]:25, delay=1.2, delays=0/0/0.81/0.39,
> dsn=2.0.0, status=sent (250 2.0.0 OK  1716887502
> ca18e2360f4ac-7eae2d6333asi30711039f.32 - gsmtp)
>   May 28 02:11:42 mail01.raystedman.org postfix/qmgr[16460]: 4A841305D5BE:
> removed
> 
> It appears that this bounce email was sent using the subdomain
> mail01.raystedman.org.  There is no "from=<>" here but the error log seems
> to imply the SPF failure was associated with this subdomain.  If this is
> the case, we need to add an SPF record for this subdomain.  Please note we
> are already configured for raystedman.org and devotion.raystedman.org.  Are
> there any other subdomains that Postfix would use?  Please let me know and
> I will make the appropriate modifications to DNS.
> 
> Thank you, Greg



[pfx] Re: Capture Bounced Email Headers & Content

2024-05-26 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> We found the following in our email log:
> 
>   May 26 00:35:57 mail01.raystedman.org postfix/t124/smtp[39065]:
> 0A7D630F1C7C: to==
> cecytebc.edu...@devotion.raystedman.org>,
> relay=aspmx.l.google.com[142.251.2.26]:25,
> delay=0.52, delays=0/0/0.21/0.31, dsn=5.7.26, status=bounced (host
> aspmx.l.google.com[142.251.2.26] said: 550-5.7.26 Unauthenticated email
> from raystedman.org is not accepted due to 550-5.7.26 domain's DMARC
> policy. Please contact the administrator of 550-5.7.26 raystedman.org
> domain if this was a legitimate mail. To learn about 550-5.7.26 the DMARC
> initiative, go to 550 5.7.26
> https://support.google.com/mail/?p=DmarcRejection
> 98e67ed59e1d1-2bf5fe61ba7si4174351a91.147 - gsmtp (in reply to end of DATA
> command))
> 
> We delivered 1000s of email to Google in this time frame -- we received
> only five failures like the one above.  I worked with the Google Team today
> and determined the following:
> 
> (1) Our SPF DNS contains the IP Address this email was sent from.  This
> implies DMARC should have passed -- as I believe DMARC requires failures
> for Both SPF and DKIM for a hard failure.
> 
> (2) The sending IP Address is a valid relay for our domain at Google.  The
> email should not have been Unauthenticated as a result.
> 
> (3) I checked bou...@raystedman.org which in general ends up with all email
> that bounce and contains VERP -- this was not the case with this email.
> 
> The Google Team would like to have the message headers of this email to
> further debug the issue.  How can I use Postfix to capture the email
> headers/content in this case.

notify_classes (default: resource, software)
   The list of error classes that are reported to  the  postmaster.
...
   bounce (also implies 2bounce)
  Send the postmaster copies of the headers of bounced  mail,  and
  send transcripts of SMTP sessions when Postfix rejects mail. The
  notification  is  sent  to  the  address  specified   with   the
  bounce_notice_recipient  configuration parameter (default: post-
  master).

You can specify "-o { notify_classes = bounce, resource, software}"
in master.cf for the Postfix SMTP client.

If all Google mail is handled by a dedicated delivery transport
(using transport_maps) then you can make this custom notify_classes
setting specific to that transport.

Wietse

that only base on a reject in the middle of a delivery.



[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-26 Thread Wietse Venema via Postfix-users
This problem was resolved off-list.

Greg Sims:
> Wietse & Viktor,
> 
> All is not lost.  Restarting BIND on Ray08 solved the problem of
> c=30!!  I am sorry that I did not review/restart this service earlier.
> Your comments related to the 5 second intervals and DNS timeouts
> caused me to look there.

Unfortunately we went down some dead ends because I missed that
the Postfix SMTP client will make DNS MX and address queries even
when reusing connections. I am updating Postfix documentation.

With the crippled DNS resolver, the Postfix 'type c' delays were
dominated by the number of DNS lookups. This resulted in larger
delays for domains with many MX records such as gmail.com, compared
to domains with fewer MX records such as yahoo.com or outlook. These
differences in delays were not the result of receiver-side throttling.

Wietse


[pfx] Re: How to allow only one specific sender to use smtp ?

2024-05-25 Thread Wietse Venema via Postfix-users
Mike via Postfix-users:
> Hello,
> 
> My setup like below:
> 
> I have Postfix setup and use dovecot as SASL. Now, all email accounts 
> can use the smtp server to send emails. I want to allow only one email 
> account to send out emails and rest of others can only use POP3 or IMAP.
> 
> How can I make that?

Something like:

master.cf:
submission ... ... ... ... ... ... smtpd
    -o { smtpd_client_restrictions =
        check_sasl_access inline:{{ user@example = OK }}
        static:{ REJECT this user is not allowed to send mail }
    }
    ...other -o options...
submissions ... ... ... ... ... ... smtpd
    -o { smtpd_client_restrictions =
        check_sasl_access inline:{{ user@example = OK }}
        static:{ REJECT this user is not allowed to send mail }
    }
    ...other -o options...

Instead of 'submissions', some configurations use 'smtps' for the same thing.

Execute "postfix reload" after editing master.cf, and look for
warnings in the maillog file.

Wietse


[pfx] Re: SASL reject force disconnect

2024-05-25 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
> Is this the same thing?

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4

Wietse


[pfx] Re: SASL reject force disconnect

2024-05-23 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> I learn something every time I read this group, when I can keep up with 
> the conversation!
> 
> I had auth on ports I did not need. I use auth on submission port 587, 
> for users access.
> 
> I do get a boat load of failed login attempts on 587. Funny how a China, 
> US, Argentina, you name it, hosts, will try the same failed username 
> password at nearly the same time.
> 
> Small world.
> 
> I use Fail2Ban to block the failed IP. The script writes it into the 
> nftables table immediately.
> 
> I think this keeps Postfix waiting and times out, not a big deal. Is 
> there a cli that my bash script could force disconnect the ip from Postfix?
> 
> I did search the man page and the docs, sorry if I missed it.

On port 587? Setting "smtpd_hard_error_limit=1" might do it.

master.cf:
submission .. .. .. .. .. .. .. smtpd
    -o { smtpd_hard_error_limit = 1 }
    ...other -o options...

You need to "postfix reload" after editing master.cf.

This assumes that a good user makes no mistakes.

Wietse


[pfx] Re: disable authentication on port 25

2024-05-23 Thread Wietse Venema via Postfix-users
Northwind via Postfix-users:
> Hello,
> 
> since my smtp instance is postscreen as showing the follow,
> 
> smtp  inet  n   -   y   -   1   postscreen
> 
> 
> How can I disable authentication on port 25 then?
> 
> I know if the smtp instance is smtpd, this option should work:
> 
>-o smtpd_sasl_auth_enable=no

As documented somewhere, postscreen never announces AUTH support.
It must therefore not be used on the submission/smtps ports.

Wietse


[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-23 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> We see conn_use about 24% of the time:

But none of the sessions shown in your message have that.

Do they also have multiple-of-5-second type 'c' delays?

Wietse 


[pfx] Re: Dedicated servers for Address Verification Probes

2024-05-23 Thread Wietse Venema via Postfix-users
Pedro David Marco via Postfix-users:
> Hi all,
> is it possible to have several Postfix instances to use a centralized
> Postfix server for address verification probes when this centralized
> server is NOT an MDA but a relay to external MDAs?

You can specify address_verify_relayhost and the like, but
that will just tell you if the relayhost accepts the probe.

Wietse




[pfx] Re: how disable DSN pipe]

2024-05-23 Thread Wietse Venema via Postfix-users
You have been perfectly clear. As outlined in DSN_README, the RFC
does not support a way to selectively disable SUCCESS notification.

Postfix is not just a bunch of random hacks thrown together. You
are free to use a different mail system.

Wietse


[pfx] Re: how disable DSN pipe

2024-05-23 Thread Wietse Venema via Postfix-users
Aleksandr Kolesnikov via Postfix-users:
> if the user requests a DSN, he receives a delivery message via the
...
> how to prohibit the sending of such DSN?

Perhaps: https://www.postfix.org/DSN_README.html

Wietse


[pfx] Re: Strengthen email system security

2024-05-22 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Northwind via Postfix-users:
> > Hello list,
> > 
> > In the last two days, my mail system (small size) met attacks.
> > 
> > mail.log shows a lot of this stuff:
> > 
> > May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
> > unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 
> This just wastes a few CPU cycles and file system space.
> 
> > My questions are:
> > 1. what's the purpose of this kind of attack? Brute force password 
> > cracking, or DDoS?
> 
> They want to use your machine to send spam to the Internet.
> 
> > 2. How to strengthen email system security to stop this?
> 
> Don't accept mail from home networks. For example, use "reject_dbl_client

Typo: this should be reject_rbl_client.

> zen.spamhaus.org".  For this you must use your own DNS resolver,
> not the DNS resolver from your ISP.
> 
>   Wietse


[pfx] Re: Strengthen email system security

2024-05-22 Thread Wietse Venema via Postfix-users
Northwind via Postfix-users:
> Hello list,
> 
> In the last two days, my mail system (small size) met attacks.
> 
> mail.log shows a lot of this stuff:
> 
> May 23 06:24:29 mx postfix/smtpd[2655149]: warning: 
> unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

This just wastes a few CPU cycles and file system space.

> My questions are:
> 1. what's the purpose of this kind of attack? Brute force password 
> cracking, or DDoS?

They want to use your machine to send spam to the Internet.

> 2. How to strengthen email system security to stop this?

Don't accept mail from home networks. For example, use "reject_rbl_client
zen.spamhaus.org".  For this you must use your own DNS resolver,
not the DNS resolver from your ISP.

Wietse


[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> > It is assumed that you're not a victim of systemd-journald log mangling.
> > It may be dropping some messages, and recording others out of order,
> > breaking "collate".  On Linux systems where systemd is doing the
> > logging, you'll want to have Postfix writing its own log files directly,
> > bypassing syslog.  I have:

I think that the most useful info is logged by the Postfix SMTP
client, especially including the low-level connection info that may
not have a queue ID.

Wietse


[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Greg Sims via Postfix-users:
> >   May 22 03:13:22 mail01.raystedman.org t123/smtp[46725]:
> > 604BE30A4ACA: to=<@gmail.com>,
> > relay=gmail-smtp-in.l.google.com[142.251.2.26]:25, conn_use=2,
> > delay=1576, delays=0.05/1550/25/0.84, dsn=2.0.0, status=sent (250
> > 2.0.0 OK  1716372802 41be03b00d2f7-6578166a383si2117154a12.283 -
> > gsmtp)
> 
> These 25s are unexpected.
> 
> - When Postfix saves/reuses a connection it does not remember the
> time spent setting up the connection.  Technically, there is no
> msg_stats_print() call in the code path that saves a connection to
> the connection cache, and there is no msg_stats_scan() call in the
> code path that retrieves a connection from cache.
> 
> That means it took the Postfix SMTP client 25s to:
> 
> - Receive a delivery request from the queue manager,
> 
> - Retrieve a connection from the connection cache,
> 
> - Send the RSET command to the remote SMTP server,
> 
> - Retrieve the RSET server response.
> 
> That is, the clock for 'connection setup' stops when the Postfix
> SMTP client builds the MAIL FROM command. This is also when the
> clock is started for the time spent delivering the message.

If the delay is with sending or receiving RSET, then the SMTP client
logs "conversation with XXX timed out". I don't know if that has a
queue ID logged with it, though. Just grep for 'conversation with'.

Wietse


[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
>   May 22 03:13:22 mail01.raystedman.org t123/smtp[46725]:
> 604BE30A4ACA: to=<@gmail.com>,
> relay=gmail-smtp-in.l.google.com[142.251.2.26]:25, conn_use=2,
> delay=1576, delays=0.05/1550/25/0.84, dsn=2.0.0, status=sent (250
> 2.0.0 OK  1716372802 41be03b00d2f7-6578166a383si2117154a12.283 -
> gsmtp)

These 25s are unexpected.

- When Postfix saves/reuses a connection it does not remember the
time spent setting up the connection.  Technically, there is no
msg_stats_print() call in the code path that saves a connection to
the connection cache, and there is no msg_stats_scan() call in the
code path that retrieves a connection from cache.

That means it took the Postfix SMTP client 25s to:

- Receive a delivery request from the queue manager,

- Retrieve a connection from the connection cache,

- Send the RSET command to the remote SMTP server,

- Retrieve the RSET server response.

That is, the clock for 'connection setup' stops when the Postfix
SMTP client builds the MAIL FROM command. This is also when the
clock is started for the time spent delivering the message.

> Another 25 seconds by google without conn_use:
> 
>   May 22 03:12:57 mail01.raystedman.org t121/smtp[47173]:
> 4224D30C1817: to=<@gmail.com>,
> relay=gmail-smtp-in.l.google.com[142.250.141.27]:25, delay=1543,
> delays=0.01/1517/25/0.79, dsn=2.0.0, status=sent (250 2.0.0 OK
> 1716372777 41be03b00d2f7-66d4526311dsi4920983a12.891 - gsmtp)

Yup.

Wietse


[pfx] Re: TLS for SMTP Outbound -- Only One tlsproxy

2024-05-22 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> This is a sample of delays= for google.com -- 20 and 25 second delays:
> 
>   0.01/11/20/0.73,
>   0.01/9.5/20/0.77,
>   0.01/0/25/0.74,
>   0.01/7.6/25/0.91,
>   0.01/6.9/25/1.1,
>   0.01/13/20/4.6,
>   0.01/14/25/0.56,
>   0.01/14/25/1.1,
>   0.01/0/0.22/0.72,
>   0.01/0/0.39/0.79,

So there is some reuse. You still need to answer Viktor's request
for detail logging. That will reveal (to us, at least) what
those 20-25 seconds are going into. Is it DNS, TCP connection setup,
TLS, and so on?

> Here are delays= from yahoo -- 5.3 second delays:
> 
>   0.01/0/10/4.1,
>   0.05/0/5.1/0.95,
>   0.01/0/5.2/0.68,
>   0.01/0/5.3/0.57,
>   0.01/0/0.45/0.42,
>   0.01/0/5.3/0.42,
>   0.01/0/5.3/0.34,
>   0.01/0.39/5.1/0.73,
>   0.01/0/1.2/2,
>   0.01/0/5.3/0.34,

Some reuse, mostly insane delays.

> And from icloud -- little delay:
> 
>   0.01/0/0.14/2.5,
>   0.01/0.02/0.15/2.7,
>   0.01/0/0.34/11,
>   0.01/0/0.13/4.9,
>   0.01/0/0.06/4.1,
>   0.01/0/0.13/1.5,

I wonder what portion of that are reused connections.

Well, you have your data collection home work.

Wietse
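As an added example (not Postfix code and not from the people in this thread), the Python below parses smtp(8) delivery records into the delays=a/b/c/d components Wietse explains above, separates reused connections (conn_use) from fresh ones, and flags 'c' values that cluster on multiples of 5 seconds, the resolver-timeout pattern this thread ended up tracing to a broken BIND. The log lines are constructed, modelled on the values quoted in the thread; the relay names and addresses for the non-Google samples are placeholders.

```python
"""Added example (not Postfix code, not from this thread's authors): parse Postfix
SMTP client delivery records, split delays=a/b/c/d, and flag connection-setup
times ('c') that sit on multiples of 5 seconds, the resolver-timeout pattern this
thread eventually traced to a broken BIND.  Log lines below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"(?:postfix/)?(?:[\w-]+/)?smtp\[\d+\]: (?P<qid>\w+): "
    r"to=<[^>]*>, (?:orig_to=<[^>]*>, )?relay=(?P<relay>[^,]+), "
    r"(?:conn_use=(?P<conn_use>\d+), )?delay=[\d.]+, "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+), "
    r"dsn=[\d.]+, status=(?P<status>\w+)"
)

@dataclass
class Delivery:
    qid: str
    relay: str      # "host[ip]:port" as logged
    conn_use: int   # 1 for a fresh connection, >1 when reused from the cache
    a: float        # before the queue manager (including content filter)
    b: float        # waiting in the queue manager
    c: float        # connection setup: DNS, TCP, TLS; on reuse only the RSET exchange
    d: float        # message transmission
    status: str

def parse_delivery(line: str) -> Optional[Delivery]:
    """Return a Delivery for an smtp(8) delivery record, None for other log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Delivery(m["qid"], m["relay"], int(m["conn_use"] or 1), float(m["a"]),
                    float(m["b"]), float(m["c"]), float(m["d"]), m["status"])

def looks_like_dns_timeout(c: float, period: float = 5.0, tol: float = 0.5) -> bool:
    """True when c is about a whole number of periods (5.3, 10, 20, 25 s); 0.45 or 11 s is not."""
    return c >= period - tol and abs(c - round(c / period) * period) <= tol

def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per relay host: deliveries, reused connections, suspect 'c' values and
    the median 'c' of fresh connections (reuse hides the real setup cost)."""
    by_host: Dict[str, List[Delivery]] = defaultdict(list)
    for line in lines:
        d = parse_delivery(line)
        if d:
            by_host[d.relay.split("[", 1)[0]].append(d)
    report = {}
    for host, ds in by_host.items():
        fresh = [d.c for d in ds if d.conn_use == 1]
        report[host] = {
            "deliveries": len(ds),
            "reused": sum(d.conn_use > 1 for d in ds),
            "suspect_c": sum(looks_like_dns_timeout(d.c) for d in ds),
            "median_fresh_c": median(fresh) if fresh else None,
        }
    return report

SAMPLE_LOG = [  # constructed, modelled on the delays values quoted in the thread
    "May 22 03:13:22 mx postfix/t123/smtp[46725]: 604BE30A4ACA: to=<a@gmail.com>, "
    "relay=gmail-smtp-in.l.google.com[142.251.2.26]:25, conn_use=2, delay=1576, "
    "delays=0.05/1550/25/0.84, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "May 22 03:12:57 mx t121/smtp[47173]: 4224D30C1817: to=<b@gmail.com>, "
    "relay=gmail-smtp-in.l.google.com[142.250.141.27]:25, delay=1543, "
    "delays=0.01/1517/25/0.79, dsn=2.0.0, status=sent (250 2.0.0 OK)",
    "May 22 03:14:01 mx postfix/smtp[47201]: 7B1C2D3E4F50: to=<c@yahoo.example>, "
    "relay=mx.yahoo.example[192.0.2.10]:25, delay=5.9, "
    "delays=0.01/0/5.3/0.57, dsn=2.0.0, status=sent (250 ok)",
    "May 22 03:14:05 mx postfix/smtp[47210]: 9D3E4F506172: to=<e@icloud.example>, "
    "relay=mx.icloud.example[192.0.2.20]:25, delay=2.7, "
    "delays=0.01/0/0.14/2.5, dsn=2.0.0, status=sent (250 ok)",
]
```

A relay whose fresh-connection 'c' values all land near 5, 10, 20 or 25 seconds while another relay's sit well under a second points at the resolver rather than at receiver-side throttling, which is what the thread concluded.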