Re: postfix for 2 domains on 1 vps 1 ip

2021-01-07 Thread Martin Neitzel
silas_nbli...@nocafe.net wrote:
>
> IIUC, it is possible to implement Reverse DNS validation with
> postfix tools in base system with some Postfix option (I've seen
> that, but I don't recall the exact postfix setting)

postfix main.cf:

smtpd_client_restrictions =
    ...
    reject_unknown_client_hostname
    ...

sendmail.mc:

FEATURE(`require_rdns') dnl see also: delayed_checks

Martin Neitzel


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-06 Thread Aaron B.
On Tue, 5 Jan 2021 22:51:57 +0530
Mayuresh  wrote:

> On Tue, Jan 05, 2021 at 03:45:54PM +0100, Martin Husemann wrote:
> > Using a single mail server and making it send and receive mails from/
> > for various domains is trivial, and completely unrelated to TLS or
> > certificates.
> 
> This suggests there is no need for separate certificates for separate
> domains. I think that would address the TLS side of it.

This is what I'm doing. I'm running 4x domains on the same mail
infrastructure, all with DANE and TLS, each server having only one
certificate - that of the mail server hostname. Servers also have PTR
records that match the hostname. SPF records are simply "v=spf1 mx
-all".

Getting DKIM/DMARC working is a TODO item.

There's not lot of volume outbound, but I've never had delivery
issues to GMail, AOL, outlook.com, etc.

-- 
Aaron B. 


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-05 Thread Mayuresh
On Tue, Jan 05, 2021 at 03:45:54PM +0100, Martin Husemann wrote:
> Using a single mail server and making it send and receive mails from/
> for various domains is trivial, and completely unrelated to TLS or
> certificates.

This suggests there is no need for separate certificates for separate
domains. I think that would address the TLS side of it.

The thread has relatively little discussion of TLS, and more on the
tactics the mail servers (particularly the dominant players) apply to
control spam (or so they say) - one of which is that they check the reverse
DNS mapping between your IP and email domain.

And given such a check, would such a setup work (work in the sense of
acceptance by mail servers at large and, if possible, reducing the chances
of them marking it as spam)?

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-05 Thread Silas

On Fri, Jan 01, 2021 at 04:50:16PM -0700, Bob Proulx wrote:

SPF identifies authorized IP addresses for domains in the message
envelope.  Therefore the reverse DNS pointer record does not matter in
this.  The hostname does not matter.  Only the IP address as indicated
through a DNS response.  This is an anti-forgery protection.  This has
been a defacto standard requirement for all SMTP host sites for some
years now.  Must have valid SPF records.  However I do know of small
low activity sites that still do not implement this and squeeze by
depending upon the nebulous value of the sending host's "IP reputation
score".

   https://en.wikipedia.org/wiki/Sender_Policy_Framework

(...)

Reverse DNS is the oldest validation that checks that a sending host
identifies its own FQDN, which is looked up to an IP address with
normal forward DNS, which is then looked up to a FQDN with reverse
DNS, which must match the original name.  This is done under the idea
that valid SMTP sites are using static IP address assignments and have
control of their DNS, since spammer sites most often did not have a
static IP assignment and did not have control of their DNS.  This is
an anti-forgery protection.  These assumptions have been called into
question in recent years.

   https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS


Thanks for the very good summary!

IIUC, it is possible to implement Reverse DNS validation with
postfix tools in base system with some Postfix option (I've seen
that, but I don't recall the exact postfix setting)

But, in order to implement SPF checking, a third-party program such as
mail/py-policyd-spf or mail/libspf2 is necessary, right?


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-05 Thread Martin Husemann
Sorry if this has already been made clear, but somehow I missed it:

 - what problem are we trying to solve here?
 - why would anyone ever want to run two (independent) mail servers on a
   single machine?

The use of two different certificates for TLS depending on mail routing
or whatever sounds very strange to me - the certificate identifies the
mail server, not the domain used by a mailing list (or the sender(s)).

Using a single mail server and making it send and receive mails from/
for various domains is trivial, and completely unrelated to TLS or
certificates.

So I guess I must be missing something. What is it?

Martin


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-05 Thread Mike Pumford




On 05/01/2021 11:02, Pierre-Philipp Braun wrote:

I get 2 public ips from the cloud provider - one is ipv4 and one ipv6.
Besides, to solve the forward-confirmed-reverse-dns issue, I would also 
KISS over there and use a single and IPREV FQDN for both v4 and v6 IPs, 
be it delivered as a host from one of the two domains you are targeting, 
or simply another domain of yours that they would share an MX record 
from.  As a side-note, it's possible to have a CNAME as an MX record, 
but it's just simpler and safer to point to the MX that's hosting those 
domains' email, directly.


I thought CNAME in an MX record was considered naughty. Bind zone 
validation used to warn about it but did accept it. I know it was 
frowned on the last time I read the various e-mail RFCs but that could 
easily have changed since then ;)


Mike


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-05 Thread Pierre-Philipp Braun

I get 2 public ips from the cloud provider - one is ipv4 and one ipv6.

I have a NetBSD 9.1 host on which I'll setup NetBSD 9.1 qemu guest and
would like the guest to get the ipv6 public ip.

Is this feasible? Any tips (both NetBSD and qemu side)?


That qemu on a cloud instance sounds like bad design.  As Bob said, KISS 
and do dual-stack.  You have one IPv4 and one IPv6, that's perfect to 
setup a dual-stack MX and outbound MTA.


Besides, to solve the forward-confirmed-reverse-dns issue, I would also 
KISS over there and use a single and IPREV FQDN for both v4 and v6 IPs, 
be it delivered as a host from one of the two domains you are targeting, 
or simply another domain of yours that they would share an MX record 
from.  As a side-note, it's possible to have a CNAME as an MX record, 
but it's just simpler and safer to point to the MX that's hosting those 
domains' email, directly.





Re: postfix for 2 domains on 1 vps 1 ip

2021-01-04 Thread Bob Proulx
Mayuresh wrote:
> On Mon, Jan 04, 2021 at 03:19:22PM -0700, Bob Proulx wrote:
> > So for example it is okay for a mailing list for a domain like
> > us...@lists.example.com be hosted on a machine server123.example.net
> > at a different hostname and FQDN.  That's okay.  The name set as the
> > reverse DNS lookup should match the FQDN of the hostname.  As long as
> > that is true then everything should work okay.
> 
> And in your example server123.example.net is also an email domain, right?

It does not need to be.  Probably would not be.  It might be.

For example I was just dealing with a backscatter joe-job style abuse
against debbugs.gnu.org in the last two days.  Appearances are there
are many outlook.com exit nodes similar to these that I will just take
a 'head' from the list of them.


Wow there are a lot of exit nodes!  And that is just a sample.  They
all have forward reverse DNS lookup verification.  None of them have
MX records therefore as to if they are "also an email domain" I would
say they are not.  They would not receive mail normally.  However if a
host does not have an MX record then the A record address will be used
and an attempt to deliver will be made there.  Therefore it is not
required to have an MX record.  Just strongly recommended to do so.
(If a domain does not receive mail then it is advised to specify a
Null MX record for it.)

https://tools.ietf.org/html/rfc7505

So in summary server123.example.net is just a hostname.  It would have
both forward and reverse DNS lookup that would validate for those
sites that require that circle to validate.  And it could then send
mail for any domain for which that domain has specified this is
allowed in the SPF record.

Just by-the-by but many larger corporations use the convention that
their .com names are public facing and then they use .net names for
infrastructure of internal use only.  Just as a way to organize
things.  And many other different conventions.

> So domain D1, D2 map to ip IP1. When checking in the context of D1 it will
> check whether IP1 maps to D1 and the check will succeed. In the context of
> D2 similarly it will succeed. It won't get paranoid about IP1 having 2
> domains. Then it sounds good.

Not quite.  D1 forward maps to IP1.  Then IP1 reverse maps to D1.
Therefore the forward reverse DNS lookup check verifies.

D2 forward maps to IP1.  IP1 reverse maps to D1.  Fails the forward
reverse DNS lookup check.  Therefore one would not use D2 as the
envelope header for an SMTP transaction since it would fail that test.
But D1 can send D2 mail for D2 no problem.  As long as D2's SPF record
allows it.

Reverse DNS entry:

34.216.184.93.in-addr.arpa. IN PTR D1

Forward DNS entries:

D1 IN A 93.184.216.34

D2 IN A 93.184.216.34
D2 IN TXT   "v=spf1 a -all"
D2 IN MX    10 D1

Since D2's SPF record says that the Address of D2 is allowed and that
address is 93.184.216.34 and mail is being sent from 93.184.216.34
then the SPF check passes.

Or could specify the MX relays are allowed like this.

D2 IN TXT   "v=spf1 mx -all"

Since D2 specifies D1 as the MX mail exchange relay for inbound mail
and the SPF TXT record says "mx" is allowed.

I would do both. I would put both a and mx into the record and then
either would allow it.

D2 IN TXT   "v=spf1 a mx -all"

Meanwhile in Postfix I would have this.

myhostname = D1
mydestination = $myhostname, localhost.$mydomain, localhost,
    $mydomain, mail.$mydomain, www.$mydomain,
    D2, www.D2, lists.D2
virtual_alias_domains = D2
virtual_alias_maps = hash:/etc/postfix/virtual
sender_canonical_maps = hash:/etc/postfix/canonical

That would set up the host natively for D1 but would also receive mail
for D2 too.  And I threw in another few names just to expand the
example.  They would be whatever names you need, not these.

I thought about saying this instead.  Specifying both D1 and D2 as
virtual domains.

virtual_alias_domains = D1, D2

That's possible.  Especially if the local host system won't ever
receive any email at all and all email for all domains is being routed
out to other places.

But anyway, I would then have these and more in the
/etc/postfix/virtual map file.

abuse@D1        root
postmaster@D1   b...@proulx.com
abuse@D2        root
postmaster@D2   b...@proulx.com
alice@D2        al...@example.com
bob@D2          b...@proulx.com
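The forward-confirmed reverse DNS check behind Postfix's reject_unknown_client_hostname (quoted at the top of the thread) and the D1/D2 SPF walkthrough above, as an added example that is not from the thread or from Postfix: a small evaluator over a constructed in-memory DNS table. d1.example, d2.example and lists.d2.example are hypothetical stand-ins for D1 and D2; only the address 93.184.216.34 comes from the post.

```python
import ipaddress

# Constructed zone data for the D1/D2 scenario above (hypothetical names).
# lists.d2.example carries the "mx"-only SPF variant so both record styles
# from the post are exercised.
DNS = {
    ("d1.example", "A"): ["93.184.216.34"],
    ("d1.example", "TXT"): ["v=spf1 a -all"],
    ("d2.example", "A"): ["93.184.216.34"],
    ("d2.example", "MX"): ["10 d1.example"],
    ("d2.example", "TXT"): ["v=spf1 a mx -all"],
    ("lists.d2.example", "MX"): ["10 d1.example"],
    ("lists.d2.example", "TXT"): ["v=spf1 mx -all"],
    ("34.216.184.93.in-addr.arpa", "PTR"): ["d1.example"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a resolver query; [] means NXDOMAIN or no data."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def client_hostname_known(ip):
    """Approximates reject_unknown_client_hostname: the client IP must have a
    PTR record, and that name must resolve forward to the same IP."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return any(ip in lookup(ptr, "A") for ptr in lookup(rev, "PTR"))


def helo_matches_ptr(ip, helo):
    """Stricter receivers also want the HELO/EHLO name to equal the PTR name."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return client_hostname_known(ip) and helo.lower().rstrip(".") in lookup(rev, "PTR")


def spf_result(domain, ip):
    """Minimal SPF evaluator: a, mx, ip4: and all with +,-,~,? qualifiers.
    Returns pass/fail/softfail/neutral, none (no record) or permerror."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "a":
            matched = ip in lookup(domain, "A")
        elif term == "mx":
            matched = any(ip in lookup(mx.split()[1], "A") for mx in lookup(domain, "MX"))
        elif term.startswith("ip4:"):
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term present


def check_sender(ip, helo, mail_from_domain):
    """Run the three checks the thread discusses for one SMTP session."""
    return {
        "client_fcrdns": client_hostname_known(ip),
        "helo_matches_ptr": helo_matches_ptr(ip, helo),
        "spf": spf_result(mail_from_domain, ip),
    }


if __name__ == "__main__":
    ip = "93.184.216.34"
    # D1 as HELO sending for D2: FCrDNS passes, SPF passes via "a".
    print(check_sender(ip, "d1.example", "d2.example"))
    # D2 as HELO: the PTR says d1.example, so the HELO/PTR match fails.
    print(check_sender(ip, "d2.example", "d2.example"))
    # An unrelated address claiming D2: "-all" gives a hard fail.
    print(check_sender("203.0.113.9", "d1.example", "d2.example"))
```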
   

Re: postfix for 2 domains on 1 vps 1 ip

2021-01-04 Thread Mayuresh
On Mon, Jan 04, 2021 at 03:19:22PM -0700, Bob Proulx wrote:
> So for example it is okay for a mailing list for a domain like
> us...@lists.example.com be hosted on a machine server123.example.net
> at a different hostname and FQDN.  That's okay.  The name set as the
> reverse DNS lookup should match the FQDN of the hostname.  As long as
> that is true then everything should work okay.

And in your example server123.example.net is also an email domain, right?

So domain D1, D2 map to ip IP1. When checking in the context of D1 it will
check whether IP1 maps to D1 and the check will succeed. In the context of
D2 similarly it will succeed. It won't get paranoid about IP1 having 2
domains. Then it sounds good.

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-04 Thread Bob Proulx
Jason Mitchell wrote:
> Bob Proulx wrote:
> > Then Thunderbird will *send* mail using again many possible protocols
> > but perhaps most typically using an authenticated SMTP to the
> > submission port 587 on the configured mail server.  Postfix is my
> > preference.  This outbound connection to the submission port will use
> > STARTTLS most typically and will require authentication credentials.
> > An account name and password.
> 
> I'm referring to implicit SSL for SMTP -- port 465. I'm doing it with
> stunnel, but I assume later MTA's do this internally. However, it appears I
> was wrong, it wasn't the certificate being the problem, it was the TLS
> version.

Ah!  The submissions port formerly known as the smtps port.  TLS
encrypted SMTP.  Gotcha!  I don't support any Outlook only clients but
I have read articles saying that Outlook only supports outgoing mail
to TLS port 465.  And we now have RFC 8314 too.  January 2018 is
fairly recent as email goes.  But it has made it into the standards
now.

Cleartext Considered Obsolete: Use of Transport Layer Security (TLS)
for Email Submission and Access
January 2018
https://tools.ietf.org/html/rfc8314

And because that is always a configured connection between known
client and the associated server then any policy made by the local
admin is the rule.  Therefore if the local policy requires them to be
signed by a well known CA then that is certainly okay.  I admit that I
don't know what the generally accepted practice is about this.  If I
have time I will try to find out.  There is too much for anyone to
know!  :-)

For both sending outbound mail and for receiving inbound mail there
are many possible protocols.  That's why I used so many weasel words
like "typical" and such.  No way to cover all possibilities in a
single generalization.  Have to walk each possible path individually.

> And mail.com is one site that requires the forward/reverse DNS lookups to
> match (regardless of SPF), in case anyone wanted an example.

Examples are perfect! :-)

"Few things are harder to put up with than the annoyance of a good
example." --Mark Twain

Just for a clarification let me note that it is okay for a mail site
to send mail to these types of sites for other domains for which they
handle mail.  A multi-domain mail site is allowed to send mail for
other domains.  That's fine.  They just need to fully identify
themselves as the single exit node FQDN that they are using.  Then the
forward reverse DNS lookup verification passes for the exit node.
That's used in the HELO/EHLO envelope header.  That's all okay.

So for example it is okay for a mailing list for a domain like
us...@lists.example.com be hosted on a machine server123.example.net
at a different hostname and FQDN.  That's okay.  The name set as the
reverse DNS lookup should match the FQDN of the hostname.  As long as
that is true then everything should work okay.

Bob


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-04 Thread Jason Mitchell

On 1/3/21 1:08 AM, Bob Proulx wrote:

Jason Mitchell wrote:

Everything you have written is totally accurate, but self signed
certificates for SMTP may be going away.

The latest version of Thunderbird requires a valid certificate on
the SMTP server it uses.

(Sorry for the formatting, I can't send mail from my laptop until I
fix the certificate issue (: )

Uhm... yes... your formatting is problematic.  Your message was missing
entirely from the plain text version of the message!  That's not good.
That made things super confusing.  It only appeared in the html text
version of the message.  I had to dig it out! :-)

I am not using Thunderbird (mutt user here) but I must ask for
clarification.  Perhaps there are other Thunderbird users who know?

As far as I know Thunderbird will *read* mail using many possible
different protocols perhaps the most typical today being IMAPS using a
TLS IMAP connection and that TLS connection needs a valid certificate.
That is most easily done using Let's Encrypt and a Domain Validation
certificate.  Works great.  Zero cost.  Dovecot is typical to serve
IMAPS.

Then Thunderbird will *send* mail using again many possible protocols
but perhaps most typically using an authenticated SMTP to the
submission port 587 on the configured mail server.  Postfix is my
preference.  This outbound connection to the submission port will use
STARTTLS most typically and will require authentication credentials.
An account name and password.



I'm referring to implicit SSL for SMTP -- port 465. I'm doing it with 
stunnel, but I assume later MTA's do this internally. However, it 
appears I was wrong, it wasn't the certificate being the problem, it was 
the TLS version.


And mail.com is one site that requires the forward/reverse DNS lookups 
to match (regardless of SPF), in case anyone wanted an example.


Jason M.


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-03 Thread Brett Lymn
On Sat, Jan 02, 2021 at 09:51:48PM -0700, Bob Proulx wrote:
> Brett Lymn wrote:
> > Bob Proulx wrote:
> > > SPF identifies authorized IP addresses for domains in the message
> > > envelope.  Therefore the reverse DNS pointer record does not matter in
> > 
> > I used to be postmaster for a large organisation and know for a fact that
> > even if you have SPF and DKIM set up properly there are still places on the
> > internet that will insist on the forward/reverse check and reject the mail
> > if the addresses don't match.  I can't give specific examples, I cannot
> > remember, but they exist so keep an eye out for rejected mails.
> 
> I wish you had not quoted the SPF bit when talking about forward
> reverse DNS checks but had instead quoted the bit where I talked about
> forward reverse DNS.  Because it leads me to believe that you think it
> is somehow related to SPF checks instead.  And as far as I know the
> forward reverse DNS issue is not in any way related to SPF.
> 

No, I am not confused about what SPF does.  I was picking up on what you said:

 "Therefore the reverse DNS pointer record does not matter in"

That is true in the context of SPF, but as I said not everyone does that; there
are sites out there that will do the forward/reverse validation.

> 
> Right.  There are sites that will require this.  They will tend to be
> the smaller sites that set something up in 2003 and are still running
> the same configuration now.  Mostly running MS Windows Server 2000 or
> some such platform.  It is generally not going to be a default action
> for new sites.  I don't think any of the large mailbox providers
> require it.
> 

It really doesn't matter why they are doing it, just that they do.  If you are
trying to communicate with these people then it becomes a real issue if they are
rejecting your emails.  It is common enough that we were getting complaints at
$WORK about rejected emails when our reverse lookups were broken.

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-03 Thread Roy Marples

On 03/01/2021 14:45, Greg Troxel wrote:

If the sending address site has set a strict DMARC configuration then
you basically have two options.  One is to modify the headers and
forward it through the mailing list.  Or two it can be discarded or
rejected.  Forwarding a message from a sender site with strict DMARC
set will be seen as a forgery by the recipient site receiving the
mailing list and many sites, Google for one, will reject those
messages.


If valid DKIM is ok, then you have a third option: Do not modify the
message.  Specifically, do not add a subject tag and do not add a
footer.

I believe the NetBSD lists operate this way.

I find the sender rewriting icky.   If it rewrote to a per-user
forwarding address at the mail host, so that sending to that address
went only to the user, that would be ok, but combined with incorrect
List Reply-To: it becomes all too easy for private replies to end up on
lists.   To me that is a bigger problem than just not allowing addresses
with strict DMARC policies to be on lists :-)


I think this is solved with ARC:
https://dmarc.org/2019/07/arc-protocol-published-as-rfc-8617/

Roy


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-03 Thread Greg Troxel

Bob Proulx  writes:

> Mailing lists have one very important need and that is to look for
> DMARC.  A number of sites set "v=DMARC1; p=quarantine;" but notably
> for me the sites that set "v=DMARC1; p=reject; sp=reject;" are the
> problems.
>
> $ host -t txt _dmarc.yahoo.com
> _dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; 
> rua=mailto:dmarc_y_...@yahoo.com;;
>
> $ host -t txt _dmarc.zoho.eu
> _dmarc.zoho.eu descriptive text "v=DMARC1; p=reject; sp=reject; fo=0; 
> rua=mailto:dmarc.reports...@zoho.eu; ruf=mailto:dmarc.reports...@zoho.eu;
>
> This means that mail with a From: header of @yahoo.com will be
> rejected by servers unless it is either sent by Yahoo's servers or the
> DKIM signature is verified.  A signed DKIM signature means the headers
> and body have not been modified.

I have never been 100% clear on DMARC.  Do you really mean "or", so that
a message which has a valid DKIM signature but which fails the SPF check
is still acceptable?

> If the sending address site has set a strict DMARC configuration then
> you basically have two options.  One is to modify the headers and
> forward it through the mailing list.  Or two it can be discarded or
> rejected.  Forwarding a message from a sender site with strict DMARC
> set will be seen as a forgery by the recipient site receiving the
> mailing list and many sites, Google for one, will reject those
> messages.

If valid DKIM is ok, then you have a third option: Do not modify the
message.  Specifically, do not add a subject tag and do not add a
footer.

I believe the NetBSD lists operate this way.

I find the sender rewriting icky.   If it rewrote to a per-user
forwarding address at the mail host, so that sending to that address
went only to the user, that would be ok, but combined with incorrect
List Reply-To: it becomes all too easy for private replies to end up on
lists.   To me that is a bigger problem than just not allowing addresses
with strict DMARC policies to be on lists :-)




Re: postfix for 2 domains on 1 vps 1 ip

2021-01-03 Thread Bob Bernstein

On Sat, 2 Jan 2021, Bob Proulx wrote:

I apologize to the group for monopolizing the conversation 
with so many mail messages here today.


To 'monopolize' the list would necessitate you invoke magical 
power to reach into list subscriber's brains in order to 
restrain them from posting.


Most back-and-forth on lists is spawned by someone's desire to 
contend another's post, and your contributions are sufficiently 
authoritative that no contenders come forward.


Please omit apologies. They are almost always not to the point, 
for all the situations in which one finds them.


Simply put (not my forte -- but you knew that), we are all too 
busy absorbing what you do post to worry much about crafting 
replies, other than, as at least one of the faithful here 
present has, to say "Thank You!"


--
...it is undesirable to believe a proposition when 
there is no ground whatever for supposing it true.


 Bertrand Russell (1928)




Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Bob Proulx
Jason Mitchell wrote:
> Everything you have written is totally accurate, but self signed
> certificates for SMTP may be going away.
>
> The latest version of Thunderbird requires a valid certificate on
> the SMTP server it uses.
>
> (Sorry for the formatting, I can't send mail from my laptop until I
> fix the certificate issue (: )

Uhm... yes... your formatting is problematic.  Your message was missing
entirely from the plain text version of the message!  That's not good.
That made things super confusing.  It only appeared in the html text
version of the message.  I had to dig it out! :-)

I am not using Thunderbird (mutt user here) but I must ask for
clarification.  Perhaps there are other Thunderbird users who know?

As far as I know Thunderbird will *read* mail using many possible
different protocols perhaps the most typical today being IMAPS using a
TLS IMAP connection and that TLS connection needs a valid certificate.
That is most easily done using Let's Encrypt and a Domain Validation
certificate.  Works great.  Zero cost.  Dovecot is typical to serve
IMAPS.

Then Thunderbird will *send* mail using again many possible protocols
but perhaps most typically using an authenticated SMTP to the
submission port 587 on the configured mail server.  Postfix is my
preference.  This outbound connection to the submission port will use
STARTTLS most typically and will require authentication credentials.
An account name and password.

This TLS connection would most typically be a self-signed certificate
but again a Domain Validation DV certificate using Let's Encrypt is
easily available on the server side of things.  I have more than a few
times seen certificates that were at one time valid but long expired
being used for this purpose.  Because there is not a hard requirement
that they validate.  And so no one notices.  Because nothing breaks
when they expire.

This TLS outbound *may* also use certificates for authentication of
the user.  That is of course the "BEST" method but most mailbox
service providers of which I am aware use traditional account names
and passwords because...  Consumers!  Consumers are people and usually
not very technical and therefore passwords are the least amount of
support for getting them hooked up for outbound email.

I apologize to the group for monopolizing the conversation with so
many mail messages here today.  Sorry!

Bob


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Bob Proulx
Mayuresh wrote:
> I get 2 public ips from the cloud provider - one is ipv4 and one ipv6.
...
> Is this feasible?

But it's all "dual stack networking" these days.  Those two software
stacks, IPv4 and IPv6, are operated in parallel.  I strongly recommend
not to try to go with one logical virtual host having only IPv4 and
the other one only having only IPv6.  I think as a technical point
that it can be done that way but then there are other problems that
are worse because that is being attempted.  I strongly recommend not
to do it that way.  Operate them together as a dual stack network as
they are intended.  That is the middle of the road mainstream method.

Also note that we are at a transition point in time right now.  Where
right now is a window of time of a few years before now and after now.
We are transitioning from when IPv4 only was okay to when IPv6 is
required.  For example 99.44% (a number I use when I have no data but
feel it is overwhelming) of mail sites use IPv4.  Due to the long
history of using IPv4.  Due to the long problems of needing DNSBLs for
blocking spammers and scammers.  Which were all based upon IPv4.  For
many years most sites used *only* IPV4 due to spam problems of
enabling IPv6.  We are transitioning to a time when DNSBLs for IPv6
are fully useful in the same way.  Many will argue that we have
already passed that point in time and *only* IPv6 is needed already
and moving forward.  I am one of the hold-outs that only enable IPv4
for email at this moment but I know that must change at some point.

But for example my home ISP CenturyLink still to this very day does
not support IPv6 and only supports IPv4!  Wow!  Still today only IPv4.
And there are still others like that too.  But most providers and all
server level providers in datacenters will provide IPv6.  Even Amazon
is now finally providing IPv6 networking to their cloud nodes.  That
was a long, long time in coming.

My opinion is that for web servers they must have an IPv6 address
along with an IPv4 address.  They need IPv4 for all of the older
ISPs like CenturyLink where client hosts like mine are stuck and only
have IPv4.  Therefore to browse the web the web must provide IPv4
addresses for poor souls like me stuck behind IPv4.  But mobile
clients such as phones and tablets on cell data networks many areas
are only getting IPv6 addresses.  Only getting IPv6 because there are
no spare IPv4 subnets available for those areas.  Many mobile data
client hosts have the opposite problem of needing IPv6 in order to
browse the web.  Therefore web servers should have both IPv4 and IPv6
addresses available.

Bob


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Bob Proulx
Mayuresh wrote:
> My main requirement from one of the domains is a mailing list. As long as
> it merely relays the mails without touching the mail headers / body, can I
> get away without implementing all these measures? I have done so once, but
> not sure whether it survived based on reputation score or because I didn't
> tinker with the mail header and body.

Mailing lists have one very important need and that is to look for
DMARC.  A number of sites set "v=DMARC1; p=quarantine;" but notably
for me the sites that set "v=DMARC1; p=reject; sp=reject;" are the
problems.

$ host -t txt _dmarc.yahoo.com
_dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; 
rua=mailto:dmarc_y_...@yahoo.com;;

$ host -t txt _dmarc.zoho.eu
_dmarc.zoho.eu descriptive text "v=DMARC1; p=reject; sp=reject; fo=0; 
rua=mailto:dmarc.reports...@zoho.eu; ruf=mailto:dmarc.reports...@zoho.eu;

This means that mail with a From: header of @yahoo.com will be
rejected by servers unless it is either sent by Yahoo's servers or the
DKIM signature is verified.  A signed DKIM signature means the headers
and body have not been modified.

If the sending address site has set a strict DMARC configuration then
you basically have two options.  One is to modify the headers and
forward it through the mailing list.  Or two it can be discarded or
rejected.  Forwarding a message from a sender site with strict DMARC
set will be seen as a forgery by the recipient site receiving the
mailing list and many sites, Google for one, will reject those
messages.

This has a perhaps surprising effect.  Let's talk about Mailman to
keep it concrete but the different mailing list managers have
different rules and are all slightly different.  Mailman tracks
bounces and rejects per recipient.  Upon receiving a bounce it will
increment the bounce count for that recipient.  It will do so at most
once per day.  After the bounce count exceeds the default threshold
value of 7 then it will unsubscribe the recipient.  Which means that
if there are seven days of bounces Gmail recipients will be
unsubscribed from a mailing list that forwards through messages from
senders that set a strict DMARC setting.

Basically this makes it a data dependent behavior.  It depends upon
the traffic of the mailing list.  Every day that there is no message
from a strict DMARC site will decrement the count.  But if it is an
active list with lots of posts then almost certainly one of them will
be from a strict site and will cause the bounce count to increment.
But over the course of months there is bound to be seven consecutive
days where this happens.  Therefore one must either modify the headers
or discard mail from sites with strict DMARC set.  Otherwise properly
configured sites will validly reject those messages causing innocent
victims to be unsubscribed.  Repeatedly.

These days when you see that the From: address has been modified to
say something like the sender's name "via the mailing list" that is
usually the reason behind it.  Almost certainly when you see that only
some of the messages are that way and some are normal.  However I am
on at least one list that has decided to /always/ munge the header so
that every message is the same.  I don't prefer that but it is at
least uniform.

https://wiki.list.org/DEV/DMARC
https://dmarc.org/wiki/FAQ#senders
https://dmarc.org/overview/

The next problems are subject tags and mailing list footers.  They will
break DKIM signatures.  Therefore footers are problematic.  They were
always problematic before though so this is nothing new.

https://lists.debian.org/debian-devel-announce/2015/08/msg3.html

None of the above has anything to do with sharing domains on a single
server however and are just part of the environment for running
mailing lists these days.

> There is an occasional requirement to send system generated mail, and if
> it comes to that can I use gmail smtp with from field set to my own domain
> (I guess they still allow) so that I need not implement all these
> measures?

System-generated mail makes me think of two types of messages.  One is
root mail to me as the admin.  Those are definitely no problem because
I will always allow those messages through.  Either by making sure
everything is happy with them from the sender side or allowing them
with an allow-list on my receiving side.

The other is mail such as password recovery mail and other such small
but necessary infrastructure messages that originate on the server but
are then sent to random addresses out on the net.  Those are no
problem if the server has SPF and DKIM set appropriately.

For SPF that is simply setting up the DNS records to allow the
address.  Most likely something like this:

@ IN  TXT  "v=spf1 a mx example.com -all"

I am a hardliner here so I will say -all but ~all is also okay and
probably what you should use when setting this up.  That's a soft-fail
flag.  Tools like SpamAssassin and others would score it if it 
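
The alignment rules that make a strict-DMARC domain's posts bounce off a list, and the From: rewriting that avoids it, as an added example (not code from the thread, from Mailman, or from any list manager). It evaluates DMARC offline against constructed _dmarc records for bank.example, example.org and lists.example.net; the SPF and DKIM verdicts are supplied as inputs rather than computed, since real verification needs DNS and the signer's public key, and the organizational-domain logic is a two-label approximation of the Public Suffix List.

```python
"""DMARC alignment and mailing-list From: rewriting, evaluated offline.

Added example; not from the thread. The _dmarc records below are constructed
(RFC 2606 names). SPF and DKIM verdicts are passed in as inputs; this script
shows only how DMARC combines them with the From: domain and what a list's
rewrite of From: changes.
"""
import email.utils

DMARC_RECORDS = {  # constructed TXT records that would live at _dmarc.<domain>
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "example.org": "v=DMARC1; p=none",
    "lists.example.net": "v=DMARC1; p=quarantine",
}


def org_domain(domain):
    """Toy organizational domain: last two labels. Real code consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain):
    """Policy discovery: exact From: domain first, then its organizational domain."""
    for name in (from_domain.lower(), org_domain(from_domain)):
        record = DMARC_RECORDS.get(name)
        if record and record.startswith("v=DMARC1"):
            return parse_dmarc(record)
    return None


def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def from_domain_of(from_header):
    return email.utils.parseaddr(from_header)[1].rpartition("@")[2]


def dmarc_check(from_header, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (result, policy): result is pass/fail, or 'none' when no policy is published."""
    from_domain = from_domain_of(from_header)
    tags = lookup_dmarc(from_domain)
    if tags is None:
        return "none", "none"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")


def munge_from(from_header, list_address):
    """Rewrite From: to the list's own address, keeping the author in the display name."""
    name, addr = email.utils.parseaddr(from_header)
    display = f"{name or addr} via {list_address.split('@')[0]}"
    return email.utils.formataddr((display, list_address))


def list_should_munge(from_header):
    """Selective rewriting, modelled on Mailman: only posters whose domain publishes
    p=reject or p=quarantine get their From: rewritten; everyone else passes through."""
    tags = lookup_dmarc(from_domain_of(from_header))
    return tags is not None and tags.get("p") in ("reject", "quarantine")


def list_delivery(from_header, list_address, modifies_message, munge):
    """What the final recipient's DMARC filter sees for one post relayed by the list.
    The list host is the SMTP client, so SPF (assumed to pass) vouches for the list's
    domain. The author's DKIM signature covers From:, Subject: and the body, so it
    survives only if the list changed none of them."""
    list_domain = list_address.rpartition("@")[2]
    author_domain = from_domain_of(from_header)
    delivered_from = munge_from(from_header, list_address) if munge else from_header
    dkim_result = "fail" if (modifies_message or munge) else "pass"
    result, policy = dmarc_check(delivered_from, "pass", list_domain, dkim_result, author_domain)
    return delivered_from, result, policy


if __name__ == "__main__":
    alice = "Alice <alice@bank.example>"
    lst = "users@lists.example.net"
    print(list_delivery(alice, lst, modifies_message=False, munge=False))
    print(list_delivery(alice, lst, modifies_message=True, munge=False))
    print(list_delivery(alice, lst, modifies_message=True, munge=list_should_munge(alice)))
```

Running it shows the three cases from the post: an untouched relay passes on the author's DKIM signature alone, a footer or subject tag breaks that signature so the p=reject policy fails the message, and rewriting From: to the list address makes the list host's own SPF result align, so the message is judged under the list domain's policy instead.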

Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Bob Proulx
Brett Lymn wrote:
> Bob Proulx wrote:
> > SPF identifies authorized IP addresses for domains in the message
> > envelope.  Therefore the reverse DNS pointer record does not matter in
> 
> I used to be postmaster for a large organisation and know for a fact that
> even if you have SPF and DKIM set up properly there are still places on the
> internet that will insist on the forward/reverse check and reject the mail
> if the addresses don't match.  I can't give specific examples, I cannot
> remember, but they exist so keep an eye out for rejected mails.

I wish you had not quoted the SPF bit when talking about forward
reverse DNS checks but had instead quoted the bit where I talked about
forward reverse DNS.  Because it leads me to believe that you think it
is somehow related to SPF checks instead.  And as far as I know the
forward reverse DNS issue is not in any way related to SPF.

> > Reverse DNS is the oldest validation that checks that a sending host
> > identifies its own FQDN, which is looked up to an IP address with
> > normal forward DNS, which is then looked up to a FQDN with reverse
> > DNS, which must match the original name.  This is done under the idea
> > that valid SMTP sites are using static IP address assignments and have
> > control of their DNS.  Since spammer sites most often did not have a
> > static IP assignment and did not have control of their DNS.  This is
> > an anti-forgery protection.  These assumptions have been called into
> > question in recent years.
> > 
> > https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Right.  There are sites that will require this.  They will tend to be
the smaller sites that set something up in 2003 and are still running
the same configuration now.  Mostly running MS Windows Server 2000 or
some such platform.  It is generally not going to be a default action
for new sites.  I don't think any of the large mailbox providers
require it.

Bob


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Brett Lymn
On Fri, Jan 01, 2021 at 04:50:16PM -0700, Bob Proulx wrote:
> 
> SPF identifies authorized IP addresses for domains in the message
> envelope.  Therefore the reverse DNS pointer record does not matter in
> this.  The hostname does not matter.  Only the IP address as indicated
> through a DNS response.  This is an anti-forgery protection.  This has
> been a defacto standard requirement for all SMTP host sites for some
> years now.  Must have valid SPF records.  However I do know of small
> low activity sites that still do not implement this and squeeze by
> depending upon the nebulous value of the sending host's "IP reputation
> score".
> 

I used to be postmaster for a large organisation and know for a fact that
even if you have SPF and DKIM set up properly there are still places on the
internet that will insist on the forward/reverse check and reject the mail
if the addresses don't match.  I can't give specific examples, I cannot
remember, but they exist so keep an eye out for rejected mails.

-- 
Brett Lymn
--
Sent from my NetBSD device.

"We are were wolves",
"You mean werewolves?",
"No we were wolves, now we are something else entirely",
"Oh"


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Mayuresh
On Fri, Jan 01, 2021 at 04:26:09PM -0700, Bob Proulx wrote:
> Running VMs with their own address would make them look exactly like
> different hosts.  And the extra layers would add to the security.
> 
> Postfix is very secure in a standard configuration.

I get 2 public ips from the cloud provider - one is ipv4 and one ipv6.

I have a NetBSD 9.1 host on which I'll setup NetBSD 9.1 qemu guest and
would like the guest to get the ipv6 public ip.

Is this feasible? Any tips (both NetBSD and qemu side)?

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-02 Thread Jason Mitchell


On Jan 1, 2021, at 8:53 PM, Bob Proulx wrote:
>Mayuresh wrote:
>> I am faced with a requirement to merge the mail servers running on 2
>VPSes
>> into 1, with a single ip address on NetBSD 9.1 amd64.
>
>Generally this should not be a problem for a single server to handle
>email for multiple domains.  Assuming that one FQDN is chosen to be
>the exit node.  Then all is easy and straightforward.
>
>> I searched around, mainly tls certificate of both domains being
>different
>> looks a bit gray to me. Some posts say it is possible, while some
>cite
>> issues with it.
>
>STARTTLS for SMTP is opportunistic unless specifically configured for
>the point-to-point connection between sites.  Therefore most SMTP
>servers use a self-signed certificate by default and without validity
>checking.  Many use CA valid certificates because that is also easy to
>set up.  But for the most part SMTP is not a high security transfer
>protocol when connecting between random servers.  Only when
>specifically configured between two cooperating servers.
>
>In any case the authoritative documentation is better than any summary
>I might make.
>
>http://www.postfix.org/TLS_README.html
>
>> I can get into experimenting, but thought of getting a word of advice
>on
>> the overall idea, feasibility, alternatives etc.
>
>I think you are asking if you can make one IP address appear as if it
>is the two original servers.
>
>http://www.postfix.org/MULTI_INSTANCE_README.html
>
>At some level of outbound direction traffic that is possible, but my
>opinion is that it is not worth the effort.  And not for the inbound
>direction.  That would require multiple IP addresses and binding to
>the specific one individually.  One of those questions where "if you
>have to ask, then you shouldn't do it" types of things.
>
>Instead I would configure one server that can handle multiple domains.
>
>http://www.postfix.org/VIRTUAL_README.html
>
>> If performance isn't critical, purely from networking point of view,
>would
>> it be possible to run one of the domains in a VM so that both postfix
>> instances can be watertight.
>
>> Alternatively if getting 2 ip addresses is considered as an option
>would
>> it ease anything?
>
>Running VMs with their own address would make them look exactly like
>different hosts.  And the extra layers would add to the security.
>
>Postfix is very secure in a standard configuration.
>
>> [Similar question would arise for http, but as of now one domain uses
>http
>> and the other uses https, so that should be manageable.]
>
>My opinion is that this just sets things up to be a problem later when
>the one domain that uses http decides that https is now needed.  And
>for when the https domain decides that they would like to switch to
>Domain Validation certificates using Let's Encrypt on http.
>
>SNI for HTTP is very well supported now.  I would just use one host,
>one IP, and multiple HTTP Virtual Hosts.
>
>Bob


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Mayuresh
On Fri, Jan 01, 2021 at 04:50:16PM -0700, Bob Proulx wrote:
> All of this is probably too much information and too much detail.

It's very useful to have all this at one place. Thank you very much for
compiling it.

My main requirement from one of the domains is a mailing list. As long as
it merely relays the mails without touching the mail headers / body, can I
get away without implementing all these measures? I have done so once, but
not sure whether it survived based on reputation score or because I didn't
tinker with the mail header and body.

There is an occasional requirement to send system generated mail, and if
it comes to that can I use gmail smtp with from field set to my own domain
(I guess they still allow) so that I need not implement all these
measures?

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Bob Proulx
Mayuresh wrote:
> I am faced with a requirement to merge the mail servers running on 2 VPSes
> into 1, with a single ip address on NetBSD 9.1 amd64.

Generally this should not be a problem for a single server to handle
email for multiple domains.  Assuming that one FQDN is chosen to be
the exit node.  Then all is easy and straightforward.

> I searched around, mainly tls certificate of both domains being different
> looks a bit gray to me. Some posts say it is possible, while some cite
> issues with it.

STARTTLS for SMTP is opportunistic unless specifically configured for
the point-to-point connection between sites.  Therefore most SMTP
servers use a self-signed certificate by default and without validity
checking.  Many use CA valid certificates because that is also easy to
set up.  But for the most part SMTP is not a high security transfer
protocol when connecting between random servers.  Only when
specifically configured between two cooperating servers.

In any case the authoritative documentation is better than any summary
I might make.

http://www.postfix.org/TLS_README.html

> I can get into experimenting, but thought of getting a word of advice on
> the overall idea, feasibility, alternatives etc.

I think you are asking if you can make one IP address appear as if it
is the two original servers.

http://www.postfix.org/MULTI_INSTANCE_README.html

At some level of outbound direction traffic that is possible, but my
opinion is that it is not worth the effort.  And not for the inbound
direction.  That would require multiple IP addresses and binding to
the specific one individually.  One of those questions where "if you
have to ask, then you shouldn't do it" types of things.

Instead I would configure one server that can handle multiple domains.

http://www.postfix.org/VIRTUAL_README.html

> If performance isn't critical, purely from networking point of view, would
> it be possible to run one of the domains in a VM so that both postfix
> instances can be watertight.

> Alternatively if getting 2 ip addresses is considered as an option would
> it ease anything?

Running VMs with their own address would make them look exactly like
different hosts.  And the extra layers would add to the security.

Postfix is very secure in a standard configuration.

> [Similar question would arise for http, but as of now one domain uses http
> and the other uses https, so that should be manageable.]

My opinion is that this just sets things up to be a problem later when
the one domain that uses http decides that https is now needed.  And
for when the https domain decides that they would like to switch to
Domain Validation certificates using Let's Encrypt on http.

SNI for HTTP is very well supported now.  I would just use one host,
one IP, and multiple HTTP Virtual Hosts.

Bob


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Bob Proulx
Mayuresh wrote:
> On Fri, Jan 01, 2021 at 09:53:13AM -0600, Edgar Pettijohn wrote:
> > If you set up spf, dkim, and dns correctly you shouldn't have any issues.
> 
> How exactly - meaning if these are set reverse dns check is not applied by
> peers or does it mean these mechanisms deal with multiple reverse map as
> desired?

SPF identifies authorized IP addresses for domains in the message
envelope.  Therefore the reverse DNS pointer record does not matter in
this.  The hostname does not matter.  Only the IP address as indicated
through a DNS response.  This is an anti-forgery protection.  This has
been a de facto standard requirement for all SMTP host sites for some
years now.  Must have valid SPF records.  However I do know of small
low activity sites that still do not implement this and squeeze by
depending upon the nebulous value of the sending host's "IP reputation
score".

https://en.wikipedia.org/wiki/Sender_Policy_Framework

DKIM signs based upon the sending domain name in the message header
and is not concerned about IP addresses.  This is a "newish" de facto
standard that is now required for all SMTP host sites.  Required
because Google and Yahoo pretty much require it.  They will accept
mail without it but then score this such that it is mostly delivered
only to the user's Junk folder.  Therefore you will want it.  This is
an anti-forgery protection.

https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

Reverse DNS is the oldest validation that checks that a sending host
identifies its own FQDN, which is looked up to an IP address with
normal forward DNS, which is then looked up to a FQDN with reverse
DNS, which must match the original name.  This is done under the idea
that valid SMTP sites are using static IP address assignments and have
control of their DNS.  Since spammer sites most often did not have a
static IP assignment and did not have control of their DNS.  This is
an anti-forgery protection.  These assumptions have been called into
question in recent years.

https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

Additionally there is DMARC which is the latest layer of email
authentication.  This is an anti-forgery protection.  Strict DMARC
places a requirement that messages pass DKIM and SPF and that the
message From: address matches.  Strict DMARC is very useful for banks,
financial institutions, and other organizations that need to prevent
abuses such as phishing emails forging them.  However none of those
sites typically participate in mailing lists and other related
situations.  My opinion is that strict DMARC is inappropriate for
personal email which is expected to communicate with others in mailing
lists and with people who may themselves be forwarding them email
through to their own mailbox provider at a different site.  Because
strict DMARC is specifically designed to block all of that.

https://en.wikipedia.org/wiki/DMARC

All of this is probably too much information and too much detail.
Sorry.  But such are the requirements of being a mail operator these
days.  Every decade things get twice as complicated as they were in
the previous as additional layers are added and eventually become
required by fait accompli by the large mailbox providers such as
Google and the others.

Bob

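SPF versus forward-confirmed reverse DNS, as an added example that is not code from the thread. The DNS zone is constructed: example.com and example.org both send from one MTA, mail.example.net, at 203.0.113.10 (an RFC 5737 documentation address). The small SPF evaluator handles the all, a, mx, ip4, ip6 and include mechanisms and returns permerror for anything else, including a bare domain name written as if it were a mechanism (modifiers such as redirect= are not implemented); the FCrDNS check is the hostname/PTR round trip described above.

```python
"""SPF and forward-confirmed reverse DNS (FCrDNS) checks against an in-memory zone.

Added example; not from the thread. The zone data is constructed: two domains
(example.com, example.org) send through one MTA, mail.example.net, on one IPv4
address. The evaluator covers the common SPF mechanisms (all, a, mx, ip4, ip6,
include) and treats anything else as a permerror; modifiers such as redirect=
are not implemented.
"""
import ipaddress
import re

DNS = {  # constructed records, RFC 5737 documentation addresses
    ("example.com", "TXT"): ["v=spf1 a mx -all"],
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["mail.example.net"],
    ("example.org", "TXT"): ["v=spf1 mx ip4:198.51.100.0/24 ~all"],
    ("example.org", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("broken.example", "TXT"): ["v=spf1 a example.net -all"],  # bare name is not a mechanism
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?$", re.I)


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def host_matches(host, ip, cidr):
    """True if any A/AAAA record of host covers ip (optionally widened to a CIDR)."""
    bits = int(cidr) if cidr else ip.max_prefixlen
    for addr in lookup(host, "A" if ip.version == 4 else "AAAA"):
        if ip in ipaddress.ip_network(f"{addr}/{bits}", strict=False):
            return True
    return False


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip; returns an RFC 7208 result word."""
    if depth > 10:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = TERM.match(term)
        if not m:
            return "permerror"  # e.g. a bare domain name, or an unsupported modifier
        mech, arg, cidr = m.group(1).lower(), m.group(2), m.group(3)
        target = arg or domain
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            if not arg:
                return "permerror"
            net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
            matched = ip in net  # False when the address families differ
        elif mech == "a":
            matched = host_matches(target, ip, cidr)
        elif mech == "mx":
            matched = any(host_matches(mx, ip, cidr) for mx in lookup(target, "MX"))
        elif mech == "include":
            matched = check_spf(target, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def fcrdns(helo_name, sender_ip):
    """HELO name -> A/AAAA must contain sender_ip, and PTR(sender_ip) must name the HELO name."""
    ip = ipaddress.ip_address(sender_ip)
    name = helo_name.lower().rstrip(".")
    forward_ok = str(ip) in lookup(name, "A" if ip.version == 4 else "AAAA")
    reverse_ok = name in [p.lower().rstrip(".") for p in lookup(ip.reverse_pointer, "PTR")]
    return forward_ok and reverse_ok


def evaluate(mail_from_domain, helo_name, sender_ip):
    """What a receiving MTA sees on one connection: SPF is per domain, FCrDNS is per host."""
    return {"spf": check_spf(mail_from_domain, sender_ip),
            "fcrdns": fcrdns(helo_name, sender_ip)}


if __name__ == "__main__":
    for dom in ("example.com", "example.org"):
        print(dom, evaluate(dom, "mail.example.net", "203.0.113.10"))
    print("stranger", evaluate("example.org", "mail.example.net", "192.0.2.5"))
    print("helo as customer domain", fcrdns("example.com", "203.0.113.10"))
    print("broken record", check_spf("broken.example", "203.0.113.10"))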

Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Edgar Pettijohn
On Fri, Jan 01, 2021 at 09:35:33PM +0530, Mayuresh wrote:
> On Fri, Jan 01, 2021 at 09:53:13AM -0600, Edgar Pettijohn wrote:
> > If you set up spf, dkim, and dns correctly you shouldn't have any issues.
> 
> How exactly - meaning if these are set reverse dns check is not applied by
> peers or does it mean these mechanisms deal with multiple reverse map as
> desired?
> 

Look into dns PTR records.

> -- 
> Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Mayuresh
On Fri, Jan 01, 2021 at 09:53:13AM -0600, Edgar Pettijohn wrote:
> If you set up spf, dkim, and dns correctly you shouldn't have any issues.

How exactly - meaning if these are set reverse dns check is not applied by
peers or does it mean these mechanisms deal with multiple reverse map as
desired?

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Mayuresh
On Fri, Jan 01, 2021 at 09:59:09AM -0500, Zach Hopkins wrote:
> As for postfix, many sources I saw said this wasn't possible without
> having 2 IP addresses.

The same interface has 1 ipv4 and 1 ipv6 address. Would that qualify and
be usable as 2 ip addresses for the purpose of postfix configuration?

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Edgar Pettijohn
On Fri, Jan 01, 2021 at 09:18:12PM +0530, Mayuresh wrote:
> On Fri, Jan 01, 2021 at 07:15:45PM +0530, Mayuresh wrote:
> > I am faced with a requirement to merge the mail servers running on 2 VPSes
> > into 1, with a single ip address on NetBSD 9.1 amd64.
> 
> What happens with reverse DNS when one uses same ip for multiple domains
> and would it lead to some mail servers rejecting the mails of either
> domain?
> 

If you set up spf, dkim, and dns correctly you shouldn't have any issues.

Edgar

> -- 
> Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Mayuresh
On Fri, Jan 01, 2021 at 07:15:45PM +0530, Mayuresh wrote:
> I am faced with a requirement to merge the mail servers running on 2 VPSes
> into 1, with a single ip address on NetBSD 9.1 amd64.

What happens with reverse DNS when one uses same ip for multiple domains
and would it lead to some mail servers rejecting the mails of either
domain?

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Mayuresh
On Fri, Jan 01, 2021 at 09:59:09AM -0500, Zach Hopkins wrote:
> However, you can use an SNI map in postfix >3.4.0 -- see:

9.1 is on 3.1.4. Is it advisable to use one from pkgsrc?

I am not likely to prefer current for this system.

-- 
Mayuresh


Re: postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Zach Hopkins
Multiple domains and certs with 1 http(s) server is straightforward.

As for postfix, many sources I saw said this wasn't possible without
having 2 IP addresses.
However, you can use an SNI map in postfix >3.4.0 -- see:
https://serverfault.com/questions/920436/set-up-certs-for-multiple-domains-in-postfix-and-dovecot

And the official documentation:
http://www.postfix.org/postconf.5.html#tls_server_sni_maps


Specifically, something like this should do:

main.cf
# SNI map - make sure to compile with `postmap -F ...'
tls_server_sni_maps = hash:/etc/postfix/sni

/etc/postfix/sni
test1.example.com /some/path/test1.pem
test2.example.com /some/path/test2.pem


I haven't tried this myself, so any input from those with experience
is welcome.

On Fri, Jan 1, 2021 at 8:46 AM Mayuresh  wrote:
>
> I am faced with a requirement to merge the mail servers running on 2 VPSes
> into 1, with a single ip address on NetBSD 9.1 amd64.
>
> I searched around, mainly tls certificate of both domains being different
> looks a bit gray to me. Some posts say it is possible, while some cite
> issues with it.
>
> I can get into experimenting, but thought of getting a word of advice on
> the overall idea, feasibility, alternatives etc.
>
> If performance isn't critical, purely from networking point of view, would
> it be possible to run one of the domains in a VM so that both postfix
> instances can be watertight.
>
> Alternatively if getting 2 ip addresses is considered as an option would
> it ease anything?
>
> [Similar question would arise for http, but as of now one domain uses http
> and the other uses https, so that should be manageable.]
>
> --
> Mayuresh


postfix for 2 domains on 1 vps 1 ip

2021-01-01 Thread Mayuresh
I am faced with a requirement to merge the mail servers running on 2 VPSes
into 1, with a single ip address on NetBSD 9.1 amd64.

I searched around, mainly tls certificate of both domains being different
looks a bit gray to me. Some posts say it is possible, while some cite
issues with it.

I can get into experimenting, but thought of getting a word of advice on
the overall idea, feasibility, alternatives etc.

If performance isn't critical, purely from networking point of view, would
it be possible to run one of the domains in a VM so that both postfix
instances can be watertight.

Alternatively if getting 2 ip addresses is considered as an option would
it ease anything?

[Similar question would arise for http, but as of now one domain uses http
and the other uses https, so that should be manageable.]

-- 
Mayuresh