Re: sanity-check postfix XCLIENT usage ?
On 22/10/2020 00:39, PGNet Dev wrote:
> On 10/21/20 4:31 PM, Wietse Venema wrote:
>> PGNet Dev:
>>> Two questions:
>
> clear. i'll focus just on the dmarc bits. both debugging opendmarc, and
> replacing it with another option to see if behavior changes.
>
> xclient's extremely helpful in any case.

It may be unrelated, but we have received a few fake intuit emails recently, all correctly identified as such by opendmarc.
Re: Is changing "Hostname" mandatory?
Jason Long wrote:
> For configuration Postfix, is changing "hostname" to something like
> "Mail.example.net" mandatory? For example, my server running Apache
> and I don't like to change its name.

Your hostname can be almost anything you feel like completely independent of running either Postfix or Apache servicing other names. They are in many ways mostly unrelated. However Postfix will need to have some of its own configuration such as $myhostname set properly.

Bob
Re: sanity-check postfix XCLIENT usage ?
On 10/21/20 4:31 PM, Wietse Venema wrote:
> PGNet Dev:
>> Two questions:

clear. i'll focus just on the dmarc bits. both debugging opendmarc, and replacing it with another option to see if behavior changes.

xclient's extremely helpful in any case.
Re: sanity-check postfix XCLIENT usage ?
PGNet Dev:
> Two questions:
>
> (1) my postfix config includes,
>
>     strict_rfc821_envelopes = yes
>
> the FROM: & RCPT TO: addresses i inject, as well as those in the originally
> sent mail, appear to be compliant.
>
> is there _more_ that strict restriction that might be relevant?

Postfix would have logged any hostile actions.

> (2) currently, the opendmarc milter here is launched as a 'simple'
> non-forking/foreground systemd service

I don't expect that the forking model would make a difference for how DMARC etc. policy is evaluated.

> Initially, I see no difference. At least not with the XCLIENT
> injection tests.
>
> For milter use, in postfix, is there any preference/requirement
> for the milters to exec in forked vs. un-forked mode?

Postfix does not care. If forked versus non-forked would change the bits that the milter receives or sends, then that would be a defect on the milter side (it can happen when they fork in the middle of a postfix-milter conversation that is already in progress, but the code is old enough that it would be unlikely).

    Wietse
Re: sanity-check postfix XCLIENT usage ?
On 10/21/20 11:13 AM, Wietse Venema wrote:
> If your XCLIENT arguments match Postfix logging, including the name
> and IP address info

they do

> and you used HELO or EHLO depending on Postfix's proto= logging

proto=ESMTP, so I used EHLO

> then I think that the Postfix SMTP daemon cannot distinguish between
> a real intuit.com connection and one made with XCLIENT.

useful to know. so likely downstream, NOT xclient.

> That leaves the possibility of
>
> - Some Postfix configuration affects intuit.com mail but not other
>   mail. For example a false match with an inaccurate regular
>   expression!

nothing intuit-specific, and also ripped out all regex matching to test. same

> - Copy and paste problem with message header or body content

double checked. same

> - Sender's DMARC etc. configuration problem

If so, online checks I've used aren't finding it. I understand they're not necessarily exhaustive.

> - Local DMARC etc. configuration problem
>
> The DMARC logging should give an idea of what the problem is.

I still haven't managed to get opendmarc to cough up more than the reported unhelpful one-liner in logs. Which, in addition to the lack of maintenance of the software, makes me increasingly suspicious.

I can do some debug with my own builds; see how far that gets me.

Two questions:

(1) my postfix config includes,

    strict_rfc821_envelopes = yes

the FROM: & RCPT TO: addresses i inject, as well as those in the originally sent mail, appear to be compliant.

is there _more_ that strict restriction that might be relevant?

(2) currently, the opendmarc milter here is launched as a 'simple' non-forking/foreground systemd service

    [Service]
    Type=simple
    ExecStart=/usr/sbin/opendmarc \
        -f \
        -c /etc/opendmarc/opendmarc.conf \
        -u opendmarc

been that way for ages. and obviously works, generally.

checking newer implementations online, i've switched to a forking service,

    [Service]
    Type=forking
    ExecStart=/usr/sbin/opendmarc \
        -c /etc/opendmarc/opendmarc.conf \
        -u opendmarc

Initially, I see no difference. At least not with the XCLIENT injection tests.

For milter use, in postfix, is there any preference/requirement for the milters to exec in forked vs. un-forked mode?
Re: Limiting HELO spoofing in Postfix?
On 2020-10-21 09:18, Benny Pedersen wrote:

> why do you SHOUT at Wietse ?

I was not shouting -- at least not intentionally. I was being emphatic, and perhaps a little frustrated at the suggestion that I might have been hit by a WordPress exploit even after I had said earlier in this thread that I'm not using WordPress. I intended no offence to Wietse or anyone else, and I wish to apologize to anyone I might have inadvertently offended.

> try wget 127.0.0.1:25 and se what postfix responce to http remotes

    $ wget 127.0.0.1:25
    --2020-10-21 10:20:27--  http://127.0.0.1:25/
    Connecting to 127.0.0.1:25... connected.
    HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
    Length: unspecified
    index.html: Permission denied

    Cannot write to ‘index.html’ (Permission denied).
    $

Not surprising that this command failed, I suppose, since Postfix isn't an HTTP server.

I've also checked for illicit listeners -- though I will check again. Since this box lives behind a physically separate firewall appliance system, in addition to having its own host-based firewall rules in place, a breakin -- though obviously not impossible -- is probably less likely than if the server were connected directly to the Internet.

For the time being, I am going to continue to monitor the system in question and see if any further instances of the "fake open relay spam flood" problem occur. No more incidents in the last several days (cross fingers and touch wood). The next time it happens (assuming it does), I will take a much more careful look at what is going on, in hopes of catching the offender in the act. In order not to scatter any more spam onto the Internet, I'll temporarily block inbound and outbound SMTP in the firewall while I'm investigating the next incident (again, assuming there is one) -- previously, I stopped Postfix, but this may have made it harder for me to track down the issue in real time.

I would still like to figure out a way, btw, to catch locally generated spam of this sort in Postfix. I've already asked here about rejecting HELO/EHLO when the client is localhost but the HELO/EHLO host is not localhost -- I still think this would make sense, but I'm getting the clear impression that it's just not there and just isn't going to get added. Or maybe I can reduce my use of permit_mynetworks in my configuration -- I am currently invoking permit_mynetworks in my client, HELO, sender, relay, and recipient smtpd restrictions, maybe this is excessive.

I'll also check on other lists, do more extensive web searches, etc., to see if anyone else out there has encountered this kind of attack.

As a very last resort, I may consider wiping and rebuilding the system, but I'm not willing to expend the time and energy to do that without first having some reasonably specific evidence indicating exactly what has happened.

Rich Wales
ri...@richw.org
Re: sanity-check postfix XCLIENT usage ?
If your XCLIENT arguments match Postfix logging, including the name and IP address info and you used HELO or EHLO depending on Postfix's proto= logging, then I think that the Postfix SMTP daemon cannot distinguish between a real intuit.com connection and one made with XCLIENT.

That leaves the possibility of

- Some Postfix configuration affects intuit.com mail but not other mail. For example a false match with an inaccurate regular expression!

- Copy and paste problem with message header or body content

- Local DMARC etc. configuration problem

- Sender's DMARC etc. configuration problem

The DMARC logging should give an idea of what the problem is.

    Wietse
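The comparison described in the message above (XCLIENT arguments against what Postfix logged for the original session, and HELO versus EHLO chosen from proto=), as an added example that is not code from the list or from Postfix. The log lines are constructed in the general shape of postscreen, smtpd and cleanup logging, and all function names are hypothetical.

```python
import re

# Constructed sample: one rejected session as postscreen, smtpd and cleanup log it.
SAMPLE_LOG = """\
Oct 21 09:43:37 mx postfix/postscreen[7901]: CONNECT from [198.51.100.7]:62440 to [203.0.113.1]:25
Oct 21 09:43:38 mx postfix/smtpd[7950]: connect from out7.sender.example[198.51.100.7]
Oct 21 09:43:39 mx postfix/cleanup[7960]: QUEUEID01: milter-reject: END-OF-MESSAGE from out7.sender.example[198.51.100.7]: 5.7.1 rejected by DMARC policy for sender.example; from=<billing@sender.example> to=<user@example.com> proto=ESMTP helo=<esa3.sender.example>
"""

# XCLIENT attributes that can be checked against the log, in report order.
ATTRS = ("NAME", "ADDR", "PORT", "PROTO", "HELO", "DESTADDR", "DESTPORT")

POSTSCREEN_RE = re.compile(
    r"postscreen\[\d+\]: CONNECT from \[([^\]]+)\]:(\d+) to \[([^\]]+)\]:(\d+)")
SMTPD_RE = re.compile(r"smtpd\[\d+\]: connect from (\S+)\[([^\]]+)\]")
ENVELOPE_RE = re.compile(
    r" from \S+\[([^\]]+)\]: .*\bproto=(\S+) helo=<([^>]*)>")


def logged_session(log_text, client_ip):
    """Collect what the log recorded about the session from client_ip."""
    seen = {}
    for line in log_text.splitlines():
        m = POSTSCREEN_RE.search(line)
        if m and m.group(1) == client_ip:
            seen.update(ADDR=m.group(1), PORT=m.group(2),
                        DESTADDR=m.group(3), DESTPORT=m.group(4))
            continue
        m = SMTPD_RE.search(line)
        if m and m.group(2) == client_ip:
            seen.update(NAME=m.group(1), ADDR=m.group(2))
            continue
        m = ENVELOPE_RE.search(line)
        if m and m.group(1) == client_ip:
            seen.update(PROTO=m.group(2), HELO=m.group(3))
    return seen


def parse_xclient(command):
    """Split 'XCLIENT KEY=value ...' into a dict keyed by upper-case attribute."""
    verb, *pairs = command.split()
    if verb.upper() != "XCLIENT":
        raise ValueError("not an XCLIENT command")
    attrs = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {pair!r}")
        attrs[key.upper()] = value
    return attrs


def xclient_mismatches(command, log_text, client_ip):
    """Return (attribute, sent, logged) for each value that differs or is missing."""
    sent = parse_xclient(command)
    logged = logged_session(log_text, client_ip)
    problems = []
    for attr in ATTRS:
        if attr not in logged:
            continue  # the log gives nothing to compare against
        got = sent.get(attr)
        if got is None or got.lower() != logged[attr].lower():
            problems.append((attr, got, logged[attr]))
    return problems


def greeting_verb(log_text, client_ip):
    """EHLO when the original session was logged as proto=ESMTP, else HELO."""
    proto = logged_session(log_text, client_ip).get("PROTO", "")
    return "EHLO" if proto.upper() == "ESMTP" else "HELO"
```

An empty list from xclient_mismatches means the replayed session presents the same connection attributes as the logged one, so a remaining failure lies in the message content or in the downstream filters.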
sanity-check postfix XCLIENT usage ?
I'm using Postfix's XCLIENT to synthesize/inject a test email into my postfix->filter/milter->delivery chain.

I'd like to verify that my XCLIENT usage isn't the cause of the delivery failure I see below ...

@ this postfix instance, mail flows as

    -> postscreen (@ IP = 203.0.113.1)
       | internal smtpd
       | spf policy engine (no reject; check + header only)
       | preQ milters: opendkim, opendmarc, clamav-milter, spamassassin-milter
       | lmtp -> dovecot

I've no inbound/outbound issues.

Except ...

... from a single source -- @intuit.com. it's FAIL'ing @ opendmarc checks.

I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok.

I've cranked up opendmarc logging level to

    MilterDebug 5

with that, on failed attempt, I see only an unhelpful

    Oct 21 09:43:39 mx.example.com opendmarc[7977]: 4CGbb3aX1Pz2N: intuit.com fail

I'm trying to use XCLIENT to replicate the issue so I can test, rinse & repeat.

Trying 1st from @gmail.com (or any domain i've tried _other_ than 'intuit.com')

using data pulled from postfix logs for a SUCCESSFUL fr...@gmail.com delivery, @ an opened 'openssl s_client' session to my postfix external IP, injecting

    XCLIENT NAME=mail-vs1-f46.google.com ADDR=209.85.217.46 PORT=40169 PROTO=ESMTP HELO=mail-vs1-f46.google.com DESTADDR=203.0.113.1 DESTPORT=25
    MAIL FROM:
    RCPT TO:
    DATA
    test message (CR/LF)
    . (CR/LF)

mail passes all filters, and is delivered cleanly.

I'm able to repeat the success for any/all of the non-intuit.com senders I try.

Switching to the data pulled from postfix logs for a FAILED fr...@intuit.com delivery, again @ an opened 'openssl s_client' session to my postfix external IP, injecting

    XCLIENT NAME=55.57.138.139.in-addr.arpa.iphmx.com ADDR=139.138.57.55 PORT=62440 PROTO=ESMTP HELO=esa3.hc3812-35.iphmx.com DESTADDR=203.0.113.1 DESTPORT=25
    MAIL FROM:
    RCPT TO:
    DATA
    test message (CR/LF)
    . (CR/LF)

fails in the session with

    550 5.7.1 rejected by DMARC policy for intuit.com

and is not delivered.

Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records,

(1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the specific intuit.com case above, that would suggest a cause for the dmarc/milter FAIL, that 1st needs fixing?

I _suspect_ not, given the success with all _other_ domains ...
Re: Various bcc options in postfix
On 20 Oct 2020, at 19:01, Viktor Dukhovni wrote:
> On Tue, Oct 20, 2020 at 05:29:22PM -0600, @lbutlr wrote:
>>>> The current setup uses recipient_bcc_maps which I would have thought did what I wanted, but it actually does all outbound mail as well.
>>>
>>> With recipient_bcc_maps, the specified BCC recipient from the RHS of the
>>> table is added whenever the message envelope contains a recipient that
>>> matches the LHS of the table. Therefore, either the outbound mail in
>>> question also had local recipients, or your table inadvertently matches
>>> some or all remote recipients.
>>
>> Right, which means custom m matches for every domain instead of being
>> able to just catch the local users.
>
> No, it just means that the table should not match remote recipients, how
> that is done depends on the table type.
>
>>> I don't see anything above that limits the matched recipients to local
>>> users. Do you? What is the intent of the "([^.]*)" pattern following
>>> the "@" sign? It will always match, possibly an empty string if the
>>> first character after "@" is ".", but otherwise some initial substring
>>> of the domain part.
>>
>> The first character cannot be a . in an email address
>> (u...@.example.com is invalid), so it matches the first portions of
>> the domain part of the email address. So 'example' in example.com or
>> 'mail' in mail.example.com.
>
> Lossy, but if you just want the first label, so be it. What is your
> definition of a "local" recipient? Do you literally mean a mailbox
> handled via local(8), aliases(5) and delivery to a unix-account, or do
> you mean anything you're willing to accept inbound?

These are the same thing in my case, I only accept mail for accounts that will deliver to a local (well, virtual in the context of postfix) user, though u...@example.com may actually deliver to us...@someotherexample.tld.

> If you're abusing terminology and really "local" as in local address
> class,

No, sorry, I was using 'local' as in 'local to the mail server' and not 'local as in a shell user on $mydomain', apologies. All users are virtual users on virtual domains (even me and where root mail is aliased), but local to the mail server.

>> I'm fine with that. I have no quoted local part emails and if anyone
>> created one with a double .. (an obvious attempt to break things)
>> I'd deal with that with a clue bat.
>
> I don't recommend waiting for broken edge-cases to show in practice, but
> your system your rules...

Every user is known to me, and only a very few users can create new email accounts. Everyone can create aliases, but nearly none know how to.

> Otherwise, the simplest solution is to completely separate
> inbound and outbound mail either with multiple instances,
> or just separate smtpd(8) and cleanup(8) instances.

That is probably the way to go. I am also looking at the possibility of using a default.sieve in dovecot since at that point we've already reached the LDA and the outbound mail cannot be affected. The script I have to generate the postfix configuration file can do much the same for default sieve, and it would take all of this out of postfix.

> Then your recipient bcc table would never see the outbound
> mail in the first place.

Yeah. The more I think about this, the more I think default.sieve is the way to go. The reason that I did not do this before was because the mail server used to discard high scoring mail that had been expected and I had the backup to recover even those mails, but the mail server now rejects high scoring mail before it is accepted.

I have a suspicion I am forgetting something, though.

Thank you, again, for your time.

-- 
'They say that whoever pays the piper calls the tune.' 'But, gentlemen,' said Mr Saveloy, 'whoever holds a knife to the piper's throat writes the symphony.' --Interesting Times
Re: multiple relay servers
On 10/21/20 11:16 AM, Fred Morris wrote:
> If DNSSEC isn't required for the domain(s) in question (or at least
> postfix in this specific case) you might look at RPZ as a way of
> rewriting just a single record in the zone: https://www.dnsrpz.info/

Demi M. Obenour:
> You can also use a local validating recursive resolver (such as
> Unbound) and inject a fake record yourself. Postfix doesn't validate
> DNSSEC on its own. That said, I am not sure how to get Unbound to
> lie about the AD bit.

Postfix "requests" DNSSEC validation only when the TLS security level involves DANE support, so lack of DNSSEC validation for a SPECIFIC name is not necessarily a problem.

However, Postfix 3.6 and later will try to determine if DNSSEC is available (by default, querying the root zone NS record) and will log a warning if the response is not DNSSEC validated. http://www.postfix.org/postconf.5.html#dnssec_probe

So as long as unbound etc. are transparent for most of DNS, some selective rewriting should be OK.

    Wietse
Re: Limiting HELO spoofing in Postfix?
Rich Wales wrote on 2020-10-21 17:50:
> On 2020-10-21 06:17, Wietse Venema wrote:
>
> My server IS NOT RUNNING THINKPHP OR WORDPRESS. Never has.

why do you SHOUT at Wietse ?

it does not matter if you have or not have, remote will try to detect if you do or did, long time frame or not

try wget 127.0.0.1:25 and see what postfix response to http remotes

to protect websites, i begin to think about make my own

problem with apache directoryindex websites does not need to expose directoryindex files since http://example.org/?url still works same as http://example.org/index.php?url

lets say the directoryindex subdir is pr dir and not used any other places, then hackers have to be naviseels :=)
Re: Limiting HELO spoofing in Postfix?
On Wed, Oct 21, 2020 at 08:50:54AM -0700, Rich Wales wrote:

> My server IS NOT RUNNING THINKPHP OR WORDPRESS. Never has.

While the webserver is a good bet, before investing too much time chasing ghosts, enumerate all the network listeners on your system. Something along the lines of (for Linux):

    # netstat -anp --inet --tcp | grep LISTEN
    # netstat -anp --inet6 --tcp | grep LISTEN

What LISTENERS do you see? Then check your iptables for any unexpected source IP mappings.

    # iptables -4 -t nat -n -L

These are hard to read, look carefully for anything that might NAT remote IPs to 127.0.0.1.

But of course the web server is still a good bet.

-- 
    Viktor.
Re: Limiting HELO spoofing in Postfix?
On 10/20/20 8:20 PM, IL Ka wrote:
>> /index.php?s=index/\\think\\app/invokefunction=call_user_func_array[0]=phpinfo[1][]=1
>
> That is fine: networks are constantly scanned by bots. They are trying to
> hack any site using well-known vulnerabilities.
>
> I have a lot of similar entries, although I do not have PHP on my site)
>
> I have never been hacked, but if I were, here is what I would do:
> * Reformat drive and install the latest stable version of your favorite OS.
> Be sure to upgrade it on the regular basis. Many OSes can do that using
> cron.

I agree, with the caveat that an attacker would need to have obtained root access to implant a rootkit. I consider the likelihood of this high enough that wiping and reinstalling is justified.

> * Use the latest stable version of some mature framework and also update
> it. If you aren't using one, then make sure you understand how to write
> secure code and how to run it correctly
> * Close all ports except http, https and ssh (which you should move away
> from 22 port because 22 port is also scanned by bots). Disable password
> authentication for ssh (use keys instead)

If password and challenge-response authentication for SSH are disabled, it isn't necessary to move SSH off of port 22. SSH keys are not vulnerable to brute-force attack, and the last pre-authentication vulnerability (other than denial of service) that I am aware of in OpenSSH was in 2003. Moving the SSH port can, however, reduce noise in your logs. fail2ban and friends can help as well.

Sincerely,

Demi
Re: multiple relay servers
On 10/21/20 11:16 AM, Fred Morris wrote:
> If DNSSEC isn't required for the domain(s) in question (or at least postfix
> in this specific case) you might look at RPZ as a way of rewriting just a
> single record in the zone: https://www.dnsrpz.info/

You can also use a local validating recursive resolver (such as Unbound) and inject a fake record yourself. Postfix doesn't validate DNSSEC on its own. That said, I am not sure how to get Unbound to lie about the AD bit.

Demi
Re: Limiting HELO spoofing in Postfix?
On 2020-10-21 06:17, Wietse Venema wrote:

> If any of those got a 200 HTTP response then you have been owned.

Acknowledged. In this case, though, I honestly don't think so. Let me explain why.

My server IS NOT RUNNING THINKPHP OR WORDPRESS. Never has. The PHP site in question here was not built using WordPress, ThinkPHP, or any other framework or toolkit. And the /index.php file for the site does not expect, and isn't written to process, command-line parameters such as "s", "a", "content", "function", or "vars".

Apache would, to be sure, return a 200 HTTP status code for these queries, but I think all that means is that the /index.php file was found. However, the PHP code in the /index.php file (plus the functions in the other PHP files on the site invoked from /index.php) isn't expecting any of the above command-line parameters and, as best I can tell, should simply be ignoring them.

Unless there's something in raw PHP (not using any frameworks) that recognizes and acts on these or other parameters outside the context of whatever the raw PHP code in question is doing, nothing untoward should happen, right?

Please feel free to try attacking the site in question for yourself, adding any parameters you like to the URL, and let me know, and I'll go check the site and confirm if I saw anything strange.

https://www.marywalesloomis.com

The only command-line parameter which this web site is supposed to recognize and do anything with is a "page=" parameter. Everything else on the command line / URL should be disregarded.

Rich Wales
ri...@richw.org
Re: multiple relay servers
If DNSSEC isn't required for the domain(s) in question (or at least postfix in this specific case) you might look at RPZ as a way of rewriting just a single record in the zone: https://www.dnsrpz.info/

On Wed, 21 Oct 2020, IL Ka wrote:
> I think you can install the DNS server locally (on the same machine where
> postfix runs) and configure postfix to use it
>
> On Wed, Oct 21, 2020 at 1:42 PM Zsombor B:
>> I can't force the customer changing their DNS.
>>
>> Any postfix solution? [...]
Re: multiple relay servers
Zsombor B:
> Hi Wietse,
>
> > Postfix 3.5 supports multiple relayhosts:
>
> Currently we are on 3.2
>
> > If these folks want to receive mail in six places, why can't they
> > set up DNS records like everyone else does?
>
> I'm already over this discussion, that's why I have asked the question. :(
> Big company, rigid people, dumb rules.

In that case, make up a fake hostname with multiple address records in /etc/hosts, and configure Postfix "smtp_host_lookup = dns, native".

This assumes that you have "multi on" in /etc/host.conf on LINUX systems.

Postfix will randomize the order of addresses for the "same" name (assuming the default "smtp_randomize_addresses = yes" is in effect).

    Wietse

smtp_host_lookup (default: dns)
    What mechanisms the Postfix SMTP client uses to look up a host's IP address. This parameter is ignored when DNS lookups are disabled (see: disable_dns_lookups and smtp_dns_support_level). THE "DNS" MECHANISM IS ALWAYS TRIED BEFORE "NATIVE" IF BOTH ARE LISTED.

    Specify one of the following:

    dns
        Hosts can be found in the DNS (preferred).

    native
        Use the native naming service only (nsswitch.conf, or equivalent mechanism).

    dns, native
        Use the native service for hosts not found in the DNS.

    This feature is available in Postfix 2.1 and later.
Re: multiple relay servers
Hi Wietse,

> Postfix 3.5 supports multiple relayhosts:

Currently we are on 3.2

> If these folks want to receive mail in six places, why can't they
> set up DNS records like everyone else does?

I'm already over this discussion, that's why I have asked the question. :(
Big company, rigid people, dumb rules.

Thanks,
Zsombor

Quoting Wietse Venema:

> Zsombor B:
>> Hi All,
>>
>> Customer asked us to relay their mails to a specific smtp server.
>> Actually they provided 6 possible destination servers.
>>
>> When add them to sender_dependent_relayhost_maps postmap complains
>> that there are duplicate entries:
>>
>> @foo.bar [mail1.whatever]:123
>> @foo.bar [mail2.whatever]:123
>> @foo.bar [mail3.whatever]:123
>
> There can be only one table entry with the name @foo.bar. The
> postmap command ignores the rest with a warning.
>
>> How can I solve this?
>
> Postfix 3.5 supports multiple relayhosts:
>
> transport_maps example:
>     example.com relay:[mail1.example]:123, [mail2.example]:123, ...
>
> sender_dependent_relayhost_maps example:
>     @foo.bar [mail1.example]:123, [mail2.example]:123, ..
>
> This is a fixed order (as if you had multiple records in /etc/hosts).
>
> If these folks want to receive mail in six places, why can't they
> set up DNS records like everyone else does?
>
>     Wietse
Re: multiple relay servers
Zsombor B:
>
> Hi All,
>
> Customer asked us to relay their mails to a specific smtp server.
> Actually they provided 6 possible destination servers.
>
> When add them to sender_dependent_relayhost_maps postmap complains
> that there are duplicate entries:
>
> @foo.bar [mail1.whatever]:123
> @foo.bar [mail2.whatever]:123
> @foo.bar [mail3.whatever]:123

There can be only one table entry with the name @foo.bar. The postmap command ignores the rest with a warning.

> How can I solve this?

Postfix 3.5 supports multiple relayhosts:

transport_maps example:
    example.com relay:[mail1.example]:123, [mail2.example]:123, ...

sender_dependent_relayhost_maps example:
    @foo.bar [mail1.example]:123, [mail2.example]:123, ..

This is a fixed order (as if you had multiple records in /etc/hosts).

If these folks want to receive mail in six places, why can't they set up DNS records like everyone else does?

    Wietse
Re: Limiting HELO spoofing in Postfix?
Rich Wales:
> On 2020-10-20 06:45, Wietse Venema wrote:
>
> > Extract time stamps for NON-ERROR web server responses, and
> > correlate those time stamps with activity in Postfix logs.
>
> Working on this now. There are log entries for several GET requests
> asking for nonsensical things like the following:
>
> /index.php?s=/Index/\\think\\app/invokefunction=call_user_func_array[0]=md5[1][]=HelloThinkPHP

Now we're getting somewhere :-)

According to a well-known search engine:

Query: HelloThinkPHP
Result: ThinkPHP Remote Code Execution (RCE) bug

> /?a=fetch=die(@md5(HelloThinkCMF))

Query: HelloThinkCMF
Result: WordPress exploit.

> /index.php?s=index/\\think\\app/invokefunction=call_user_func_array[0]=phpinfo[1][]=1

Another remote code execution exploit.

If any of those got a 200 HTTP response then you have been owned.

    Wietse

> A couple of the above are near the dates/times when I was having the
> e-mail problem. But this could just as easily be a coincidence -- and
> as far as I can tell, none of the above would accomplish anything -- the
> supplied parameters are completely different from what the "index.php"
> script in question is expecting. Are these strange GET requests still
> something which I should investigate further?
>
> Some other observations (none apparently pointing to any problem):
>
> My server runs a web site which sells a book on shoemaking which my
> mother wrote long ago. The site uses PHP, plus one JavaScript file.
> There are, however, NO FORMS -- it's all done by clicking buttons, and
> the financial transactions are handled by PayPal. Lots and lots of GETs
> in the log for this site, but no PUTs or POSTs, and the files themselves
> are all read-only, so I can't really see how they could have been
> exploited (though I'm open to enlightenment on this). All of the above
> weird GETs with random options tacked onto the URL were for this site.
> And for what it may be worth, this site consists of raw PHP and JS which
> I wrote from scratch, without using any frameworks or toolkits.
>
> Lots of attempts to GET a script named "wp-login.php" in several
> directories. In fact, there are not (and never have been) ANY
> "wp-login.php" files on this server (not running WordPress). Strangely,
> though, many of the GETs return a 200 HTTP status code -- not something
> I would expect when a requested file doesn't exist. Were it not for the
> 200 HTTP status code, I would have just dismissed these as irrelevant.
> In any case, none of these "wp-login.php" attempts correspond to the
> dates when I was having the e-mail problem.
>
> I had a couple of VERY old PHP scripts supporting "Project Honey Pot".
> I've removed them, though, and will review my security before putting
> them back (or, more properly, installing fresh scripts from the
> project). The logs showed about 20 accesses to my honeypot scripts, but
> none around the dates of interest.
>
> And I have still not seen any further instances of the hacker attack in
> the last several days.
>
> Rich Wales
> ri...@richw.org
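The correlation suggested in the message above (time stamps of non-error web server responses against activity in the Postfix logs), as an added example that is not code from the list or from Postfix. It assumes Apache combined-format access lines and syslog-format mail lines written on the same host in the same time zone; the sample lines are constructed and the function names are hypothetical. Mail "activity" is narrowed here to locally originated mail: smtpd connections from loopback and pickup(8) submissions, which is how mail handed to the sendmail command by a web script shows up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data; addresses are from documentation ranges.
SAMPLE_ACCESS = """\
198.51.100.23 - - [17/Oct/2020:03:12:45 -0700] "GET /index.php?page=order HTTP/1.1" 200 5120 "-" "-"
198.51.100.99 - - [17/Oct/2020:03:40:02 -0700] "GET /wp-login.php HTTP/1.1" 404 196 "-" "-"
198.51.100.99 - - [17/Oct/2020:04:05:10 -0700] "GET /index.php?page=about HTTP/1.1" 200 4300 "-" "-"
"""

SAMPLE_MAIL = """\
Oct 17 03:12:47 mx postfix/pickup[2190]: QUEUEID01: uid=33 from=<www-data>
Oct 17 03:41:00 mx postfix/smtpd[2211]: connect from localhost[127.0.0.1]
Oct 17 05:00:00 mx postfix/smtpd[2300]: connect from mail.example.net[192.0.2.10]
"""

# [time] "request line" status  (Apache combined log format)
ACCESS_RE = re.compile(r'\[([^\]]+)\] "([^"]*)" (\d{3}) ')

# Locally originated mail: loopback SMTP clients and sendmail(1) submissions.
LOCAL_MAIL_RE = re.compile(
    r"postfix/(?:smtpd\[\d+\]: connect from \S*\[(?:127\.0\.0\.1|::1)\]"
    r"|pickup\[\d+\]: \w+: uid=\d+)")


def web_hits(access_log):
    """Return (local time, status, request) for every non-error response."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.search(line)
        if not m or int(m.group(3)) >= 400:
            continue
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        # Keep the wall-clock time so it compares with syslog stamps,
        # which carry neither a year nor a UTC offset.
        hits.append((when.replace(tzinfo=None), int(m.group(3)), m.group(2)))
    return hits


def local_mail_events(mail_log, year):
    """Return (time, line) for each locally originated mail event."""
    events = []
    for line in mail_log.splitlines():
        if LOCAL_MAIL_RE.search(line):
            when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            events.append((when, line))
    return events


def correlate(access_log, mail_log, year, window_seconds=60):
    """Pair each non-error web hit with local mail events that follow it
    within window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = local_mail_events(mail_log, year)
    pairs = []
    for hit_time, _status, request in web_hits(access_log):
        for mail_time, line in events:
            if timedelta(0) <= mail_time - hit_time <= window:
                pairs.append((hit_time, request, mail_time, line))
    return pairs
```

A pair in the result is a lead to examine, not proof: it says a request that the web server answered without error was followed within the window by mail entering Postfix from the local host.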
Re: multiple relay servers
I think you can install the DNS server locally (on the same machine where postfix runs) and configure postfix to use it

On Wed, Oct 21, 2020 at 1:42 PM Zsombor B wrote:

> I can't force the customer changing their DNS.
>
> Any postfix solution?
>
> BTW it looks like postfix delivers mails to all the relay servers so
> the postmap warning is a bit misleading as if it won't work.
>
> But this brings up another question: if any of the relay servers can't
> accept mail will postfix try any other relay server in the list at the
> next attempt?
>
> Zsombor
>
> >> How can I solve this?
> >
> > Create mail.whatever with A or CNAME records that point to each server.
> >
> > Then you use:
> >
> > @foo.bar [mail.whatever]:123
Re: multiple relay servers
I can't force the customer changing their DNS.

Any postfix solution?

BTW it looks like postfix delivers mails to all the relay servers so the postmap warning is a bit misleading as if it won't work.

But this brings up another question: if any of the relay servers can't accept mail will postfix try any other relay server in the list at the next attempt?

Zsombor

>> How can I solve this?
>
> Create mail.whatever with A or CNAME records that point to each server.
>
> Then you use:
>
> @foo.bar [mail.whatever]:123
Re: multiple relay servers
> Hi All,
>
> Customer asked us to relay their mails to a specific smtp server.
> Actually they provided 6 possible destination servers.
>
> When add them to sender_dependent_relayhost_maps postmap complains that there
> are duplicate entries:
>
> @foo.bar [mail1.whatever]:123
> @foo.bar [mail2.whatever]:123
> @foo.bar [mail3.whatever]:123
> etc.
>
> How can I solve this?

Create mail.whatever with A or CNAME records that point to each server.

Then you use:

    @foo.bar [mail.whatever]:123
multiple relay servers
Hi All,

Customer asked us to relay their mails to a specific smtp server. Actually they provided 6 possible destination servers.

When add them to sender_dependent_relayhost_maps postmap complains that there are duplicate entries:

    @foo.bar [mail1.whatever]:123
    @foo.bar [mail2.whatever]:123
    @foo.bar [mail3.whatever]:123
    etc.

How can I solve this?

Thanks,
Zsombor
Re: Is changing "Hostname" mandatory?
> Date: Wednesday, October 21, 2020 05:26:38 +
> From: Jason Long
>
> For configuration Postfix, is changing "hostname" to something like
> "Mail.example.net" mandatory? For example, my server running Apache
> and I don't like to change its name.

No, but the forward and reverse DNS records need to match.

From a security perspective, I would run these services under different VMs.