[pfx] Re: postfix mail server qmgr log entry query

2023-04-25 Thread Jitendra Chaudhari via Postfix-users
Hi Viktor,

Thanks for the interpretation of the log entry.

The strange thing that is observed in the log is no-reply=19=tjsb@xxx.co.in

The user email id at the email server is tjsb@xxx.co.in, so my worry is
what is the "no-reply=19=" string getting appended before the user email id
"tjsb@xxx.co.in"?

Is this a postfix qmgr process that is adding this string?

And I can see many such entries in /var/maillog, particularly for the postfix/qmgr
process, with the random number getting appended as "no-reply=XX=" user email
address.

Thanks & Regards,
Jitendra Chaudhari

 


-Original Message-
From: Viktor Dukhovni via Postfix-users  
Sent: Tuesday, April 25, 2023 12:59 AM
To: postfix-users@postfix.org
Subject: [pfx] Re: postfix mail server qmgr log entry query

On Mon, Apr 24, 2023 at 05:39:01PM +, Jitendra Chaudhari via Postfix-users 
wrote:

> Mail flow is as follows.
> 
> IceWarp (email Server)--->
>postfix--->
>cisco(ironport email gateway)--->
>Internet
> 
> I found some strange messages for qmgr process as follows

What looked strange to you?

> Can anyone please help me how to interpret this log entry?
> 
> Apr 20 14:04:09 fsmta1 postfix/smtpd[169407]: 36421809DB5: 
> client=localhost[127.0.0.1], orig_client=unknown[192.168.234.51]

This message is likely downstream of a content_filter, that forwarded it with 
"xforward" enabled, to record the original client IP address.  That IP address 
is an RFC1918 (192.168.0.0/16) non-public IP address, so the message is 
purportedly from a client inside your network.

> Apr 20 14:04:09 fsmta1 postfix/cleanup[173827]: 36421809DB5: 
> message-id=<295c0a7e4f14d016618afa55b5e5472f-1452568706@192.168.234.51>

To see the log entries recording the original message coming in, look for other 
log entries that contain either "36421809DB5" or the above message-id.  Then 
find all entries for *that* queue-id.

> Apr 20 14:04:09 fsmta1 postfix/qmgr[2205]: 36421809DB5: 
> from=no-reply=19=tjsb@.co.in, size=2169, nrcpt=1 (queue 
> active)

Nothing interesting here.  Unless you suspect that this message should not have 
been accepted in the first place.

> Apr 20 14:04:09 fsmta1 postfix/smtp[167717]: 36421809DB5: 
> to=x...@x.com, relay=xxx:366, delay=0.05, 
> delays=0/0.01/0.02/0.02, dsn=2.0.0, status=sent (250 ok:  Message 
> 14326499 accepted) Apr 20 14:04:09 fsmta1 postfix/qmgr[2205]: 
> 36421809DB5: removed

The message was then delivered to some SMTP server on port 366 (or did you also 
obfuscate the port number)?

-- 
Viktor.
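
An added example, not part of the original messages: Viktor's tracing advice (find the message-id, then every queue ID that carried it) as a small Python log correlator. The four sample lines with queue ID 2F1C4807A11 are a constructed pre-filter hop; the 36421809DB5 lines mirror the entries quoted above, with the redacted addresses and relay replaced by example.com placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log. Queue ID 2F1C4807A11 is a hypothetical pre-filter
# hop; the 36421809DB5 lines mirror the thread, with example.com placeholders.
SAMPLE_LOG = """\
Apr 20 14:04:09 fsmta1 postfix/smtpd[169300]: 2F1C4807A11: client=unknown[192.168.234.51]
Apr 20 14:04:09 fsmta1 postfix/cleanup[173820]: 2F1C4807A11: message-id=<295c0a7e4f14d016618afa55b5e5472f-1452568706@192.168.234.51>
Apr 20 14:04:09 fsmta1 postfix/qmgr[2205]: 2F1C4807A11: from=<no-reply=19=tjsb@example.com>, size=1980, nrcpt=1 (queue active)
Apr 20 14:04:09 fsmta1 postfix/smtp[167700]: 2F1C4807A11: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent (250 2.0.0 Ok: queued as 36421809DB5)
Apr 20 14:04:09 fsmta1 postfix/smtpd[169407]: 36421809DB5: client=localhost[127.0.0.1], orig_client=unknown[192.168.234.51]
Apr 20 14:04:09 fsmta1 postfix/cleanup[173827]: 36421809DB5: message-id=<295c0a7e4f14d016618afa55b5e5472f-1452568706@192.168.234.51>
Apr 20 14:04:09 fsmta1 postfix/qmgr[2205]: 36421809DB5: from=<no-reply=19=tjsb@example.com>, size=2169, nrcpt=1 (queue active)
Apr 20 14:04:09 fsmta1 postfix/smtp[167717]: 36421809DB5: to=<user@example.com>, relay=gateway.example.com[192.0.2.10]:366, status=sent (250 ok:  Message 14326499 accepted)
Apr 20 14:04:09 fsmta1 postfix/qmgr[2205]: 36421809DB5: removed
"""

# Short (hexadecimal) queue IDs only; a site that enables long queue IDs
# would need a wider character class here.
LINE_RE = re.compile(
    r"postfix[^\s/]*/(?P<daemon>[\w/-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<rest>.*)"
)
MSGID_RE = re.compile(r"message-id=(?P<msgid>\S+)")


def index_log(text):
    """Return (entries_by_qid, qids_by_msgid) for a Postfix log excerpt."""
    by_qid = defaultdict(list)
    by_msgid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # NOQUEUE rejects, connect/disconnect lines, other daemons
        qid, rest = m.group("qid"), m.group("rest")
        by_qid[qid].append((m.group("daemon"), rest))
        mid = MSGID_RE.match(rest)
        if mid and qid not in by_msgid[mid.group("msgid")]:
            by_msgid[mid.group("msgid")].append(qid)
    return by_qid, by_msgid


def trace(text, qid):
    """Every queue ID that carried the same message as `qid`, in log order,
    mapped to its (daemon, text) entries."""
    by_qid, by_msgid = index_log(text)
    related = [qid]
    for qids in by_msgid.values():
        if qid in qids:
            related = qids
    return {q: by_qid[q] for q in related}


if __name__ == "__main__":
    for queue_id, entries in trace(SAMPLE_LOG, "36421809DB5").items():
        print(queue_id)
        for daemon, rest in entries:
            print(f"  {daemon:8} {rest}")
```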
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Gerald Galster via Postfix-users

>> ;; QUESTION SECTION:
>> ;eurobank-direktna.rs. IN NS
>> 
>> ;; ANSWER SECTION:
>> eurobank-direktna.rs. 3600 IN NS bgdit01edns01.eurobank.rs.
>> 
>> This is obviously wrong, but why should a resolver query
>> @ns1.eurobank.rs for eurobank-direktna.rs nameservers as
>> this information is already known.
> 
> This can happen in a variety of ways.  Sometimes the child zone
> "helpfully" includes NS records in the authority section along with
> answers.  Sometimes this happens when the delegation records are
> being refreshed due to TTL expiration, and sometimes an explicit user
> or application query for the NS records.
> 
> In any case BIND is "entitled" to prefer the child zone NS RR, which
> then turns out to be unusable.  The zone in question is misconfigured.

Thanks for clarification, Viktor.

Alex, you might try unbound instead of bind while this error persists.

https://unbound.docs.nlnetlabs.nl/en/latest/reference/history/requirements.html

-->
Parent and child with different nameserver information

A misconfiguration that sometimes happens is where the parent and child
have different NS, glue information. The child is authoritative, and
unbound will not trust information from the parent nameservers as the
final answer. To help lookups, unbound will however use the parent-side
version of the glue as a last resort lookup. This resolves lookups for
those misconfigured domains where the servers reported by the parent are
the only ones working, and servers reported by the child do not.
<--

In case you or your customer is affiliated with eurobank, you might
tell them about that misconfiguration.

Best regards,
Gerald


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 25, 2023 at 08:43:26PM +0200, Gerald Galster via Postfix-users 
wrote:

> >; Delegation NS
> >eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
> >eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
> >eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0
> > 
> >; Authoritative NS
> >eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.
> > 
> > The latter host does not exist:
> > 
> > [...]
> >
> > Once BIND learns the authoritative NS, the domain is bricked until that
> > data times out.
> 
> Is that implementation specific? It doesn't seem to be the case with unbound.

Some resolvers are "parent-centric" and some "child-centric".  The child
NS records are de jure more authoritative.

> It probably works because the NS records are already provided
> by the .rs tld nameservers:

That's typically the initial state.

> ;; QUESTION SECTION:
> ;eurobank-direktna.rs. IN NS
> 
> ;; ANSWER SECTION:
> eurobank-direktna.rs. 3600 IN NS bgdit01edns01.eurobank.rs.
> 
> This is obviously wrong, but why should a resolver query
> @ns1.eurobank.rs for eurobank-direktna.rs nameservers as
> this information is already known.

This can happen in a variety of ways.  Sometimes the child zone
"helpfully" includes NS records in the authority section along with
answers.  Sometimes this happens when the delegation records are
being refreshed due to TTL expiration, and sometimes an explicit user
or application query for the NS records.

In any case BIND is "entitled" to prefer the child zone NS RR, which
then turns out to be unusable.  The zone in question is misconfigured.

-- 
Viktor.


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Gerald Galster via Postfix-users
>; Delegation NS
>eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
>eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
>eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0
> 
>; Authoritative NS
>eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.
> 
> The latter host does not exist:
> 
> [...]
> Once BIND learns the authoritative NS, the domain is bricked until that
> data times out.

Is that implementation specific? It doesn't seem to be the case with unbound.

It probably works because the NS records are already provided
by the .rs tld nameservers:

# dig @f.nic.rs eurobank-direktna.rs ns
[...]
;; QUESTION SECTION:
;eurobank-direktna.rs.  IN  NS

;; AUTHORITY SECTION:
eurobank-direktna.rs.   3600 IN NS ns2.eurobank.rs.
eurobank-direktna.rs.   3600 IN NS ns1.eurobank.rs.
eurobank-direktna.rs.   3600 IN NS ns3.eurobank.rs.


# dig @ns1.eurobank.rs eurobank-direktna.rs ns
[...]
;; QUESTION SECTION:
;eurobank-direktna.rs.  IN  NS

;; ANSWER SECTION:
eurobank-direktna.rs.   3600 IN NS bgdit01edns01.eurobank.rs.

This is obviously wrong, but why should a resolver query
@ns1.eurobank.rs for eurobank-direktna.rs nameservers as
this information is already known. And it's not a subdomain
that might be delegated to another nameserver.

Best regards
Gerald




[pfx] Re: DKIM questions

2023-04-25 Thread Scott Kitterman via Postfix-users
On Tuesday, April 25, 2023 2:12:23 PM EDT Ken Peng via Postfix-users wrote:
> Hello
> 
> Can the domain certificates sign its sub domain?
> For example, mail.a.com was signed by certs of a.com.
> If so, does this make sense to DMARC of mail.a.com?

Yes.

If I understand the second question correctly, yes, as long as you use relaxed 
alignment (the default).

Scott K




[pfx] DKIM questions

2023-04-25 Thread Ken Peng via Postfix-users
Hello

Can the domain certificates sign its sub domain?
For example, mail.a.com was signed by certs of a.com.
If so, does this make sense to DMARC of mail.a.com?

Thanks.

--
https://kenpeng.pages.dev/


[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Wayne Spivak via Postfix-users
Thank you Viktor.

With help, I was able to "pipe" the mailing list to a port that bypasses
virus checking.

Wayne

-Original Message-
From: Viktor Dukhovni via Postfix-users  
Sent: Tuesday, April 25, 2023 1:56 PM
To: postfix-users@postfix.org
Subject: [pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

On Mon, Apr 24, 2023 at 02:23:54PM -0400, Wayne Spivak via Postfix-users
wrote:

> My PHPList (broadcast only) goes through port 587, and since it sits 
> on the server, it doesn't need authentication (I'm the only user).

How does it send mail, a separate message per recipient, or one message with
many envelope recipients?

> How do I create another smtp port that will allow PHPList to bypass
Amavis?
> With a 15K address list, the load on the server would cripple it if it 
> checked every list broadcast.

If the message is submitted with all 15k recipients in the envelope, then it
should be possible to scan it just once.

And of course Amavis has "policy banks" to tune inspection policy by various
features of the message.  (I don't use amavis, so can't provide more
detailed guidance).

-- 
Viktor.


[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Gerald Galster via Postfix-users
>> content_filter=smtp-amavis:[127.0.0.1]:10024
>> meta_directory = /etc/postfix
>>  
>> smtp_tls_security_level = may
>> smtpd_tls_security_level = may
>>  [...]
> 
> 127.0.0.1:2510 inet n   -   n   -   -   smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated
>   -o milter_macro_daemon_name=ORIGINATING
>   -o content_filter=
> 
> [...]
> 
>> My  PHPList config.php file shows
>>  
>> define('PHPMAILERHOST', '127.0.0.1');
>> define('PHPMAILERPORT',2510);

This has been resolved offlist. There were some additional credentials
in phplist config that interfered.

Best regards,
Gerald


[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 24, 2023 at 02:23:54PM -0400, Wayne Spivak via Postfix-users wrote:

> My PHPList (broadcast only) goes through port 587, and since it sits on the
> server, it doesn't need authentication (I'm the only user).

How does it send mail, a separate message per recipient, or one message
with many envelope recipients?

> How do I create another smtp port that will allow PHPList to bypass Amavis?
> With a 15K address list, the load on the server would cripple it if it
> checked every list broadcast.

If the message is submitted with all 15k recipients in the envelope,
then it should be possible to scan it just once.

And of course Amavis has "policy banks" to tune inspection policy by
various features of the message.  (I don't use amavis, so can't provide
more detailed guidance).

-- 
Viktor.


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 25, 2023 at 12:24:04PM -0400, Alex via Postfix-users wrote:
> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
> 
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 :
> Sender address rejected: Domain not found; from=<
> obaveste...@eurobank-direktna.rs> to= proto=ESMTP helo=<
> mail.email.eurobank-direktna.rs>
> 
> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
> both have forward and reverse DNS entries.
> 
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.

See:

https://dnsviz.net/d/eurobank-direktna.rs/ZEgBpw/dnssec/

The most obvious problem is that the delegation NS (parent zone) records
for the domain don't agree with the authoritative NS (child zone) records.

; Delegation NS
eurobank-direktna.rs. IN NS ns1.eurobank.rs. ; AD=0
eurobank-direktna.rs. IN NS ns2.eurobank.rs. ; AD=0
eurobank-direktna.rs. IN NS ns3.eurobank.rs. ; AD=0

; Authoritative NS
eurobank-direktna.rs. IN NS bgdit01edns01.eurobank.rs.

The latter host does not exist:

; <<>> DiG 9.18.7 <<>> -t a bgdit01edns01.eurobank.rs.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1400
;; QUESTION SECTION:
;bgdit01edns01.eurobank.rs. IN  A

Once BIND learns the authoritative NS, the domain is bricked until that
data times out.

-- 
Viktor.
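
The delegation check from this message as an added Python example (not from the thread's authors): it parses saved dig output, compares the parent-side and child-side NS sets, and flags child NS names that returned NXDOMAIN. The sample replies are the dig outputs quoted in this thread with whitespace normalised; the function names are this example's own.

```python
import re

# dig output quoted in the thread (whitespace normalised, "[...]" parts omitted).
PARENT_REPLY = """\
;; QUESTION SECTION:
;eurobank-direktna.rs.  IN  NS

;; AUTHORITY SECTION:
eurobank-direktna.rs.   3600 IN NS ns2.eurobank.rs.
eurobank-direktna.rs.   3600 IN NS ns1.eurobank.rs.
eurobank-direktna.rs.   3600 IN NS ns3.eurobank.rs.
"""
CHILD_REPLY = """\
;; QUESTION SECTION:
;eurobank-direktna.rs.  IN  NS

;; ANSWER SECTION:
eurobank-direktna.rs.   3600 IN NS bgdit01edns01.eurobank.rs.
"""
NS_ADDRESS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19772
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;bgdit01edns01.eurobank.rs. IN  A
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
STATUS_RE = re.compile(r"^;; .*status: (\w+)")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)")
# TTL and class may be fused ("3600IN") when tabs were lost in transit.
RR_RE = re.compile(r"^([^;\s]\S*)\s+(\d+)\s*IN\s+(\S+)\s+(\S.*)$")


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_dig(text):
    """Parse the parts of dig's text output needed here: status, question, RRs."""
    reply = {"status": None, "question": None,
             "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := STATUS_RE.match(line):
            reply["status"] = m.group(1)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "QUESTION" and (m := QUESTION_RE.match(line)):
            reply["question"] = (norm(m.group(1)), m.group(2))
        elif section in ("ANSWER", "AUTHORITY", "ADDITIONAL") and (m := RR_RE.match(line)):
            reply[section].append((norm(m.group(1)), m.group(3), m.group(4).strip()))
    return reply


def ns_names(reply, zone):
    """NS targets for `zone`, whether sent as an answer or as a referral."""
    return {norm(rdata)
            for section in ("ANSWER", "AUTHORITY")
            for owner, rtype, rdata in reply[section]
            if owner == zone and rtype == "NS"}


def audit_delegation(zone, parent_reply, child_reply, ns_address_replies):
    """Compare parent-side and child-side NS sets and mark dead child NS names."""
    zone = norm(zone)
    parent = ns_names(parse_dig(parent_reply), zone)
    child = ns_names(parse_dig(child_reply), zone)
    dead = set()
    for text in ns_address_replies:
        reply = parse_dig(text)
        if reply["status"] == "NXDOMAIN" and reply["question"]:
            dead.add(reply["question"][0])
    return {
        "parent_ns": sorted(parent),
        "child_ns": sorted(child),
        "consistent": parent == child,
        "dead_child_ns": sorted(child & dead),
        # True when a resolver that prefers the child NS set has nothing usable.
        "child_set_unusable": bool(child) and child <= dead,
    }


if __name__ == "__main__":
    report = audit_delegation("eurobank-direktna.rs", PARENT_REPLY,
                              CHILD_REPLY, [NS_ADDRESS_REPLY])
    for key, value in report.items():
        print(f"{key}: {value}")
```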


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Matus UHLAR - fantomas via Postfix-users

>> Hi, I realize this is probably one of the most frequently asked questions, but
>> I really can't figure out why this was rejected.
>>
>> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
>> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 <u...@eurobank-direktna.rs>:
>> Sender address rejected: Domain not found;
>> from=<obaveste...@eurobank-direktna.rs> to=<mi...@example.com> proto=ESMTP
>> helo=<mail.email.eurobank-direktna.rs>
>>
>> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
>> both have forward and reverse DNS entries.
>>
>> I thought maybe it just didn't resolve properly at the time the email was
>> received, but it's been happening for hours.

On 25.04.23 19:02, Gerald Galster via Postfix-users wrote:
> Negative dns answers may be cached but usually not for hours.
> Verify that the resolver running on the postfix server can
> resolve that domain because this sounds like a dns problem.
>
> https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
>
> Query the resolvers listed in /etc/resolv.conf directly, e.g.
>
> dig @127.0.0.1 eurobank-direktna.rs a
> dig @127.0.0.1 eurobank-direktna.rs mx
>
> Alternatively try a public resolver in /etc/resolv.conf:
>
> nameserver 8.8.8.8
> or
> nameserver 1.1.1.1

If you have any kind of spam filtering that uses DNS based lists, at postfix
or spam filter level, do NOT do this.

Install a full recursive DNS server for your mailserver instead.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Bill Cole via Postfix-users

On 2023-04-25 at 12:24:04 UTC-0400 (Tue, 25 Apr 2023 12:24:04 -0400)
Alex via Postfix-users 
is rumored to have said:

> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
>
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from
> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 :
> Sender address rejected: Domain not found; from=<
> obaveste...@eurobank-direktna.rs> to= proto=ESMTP helo=<
> mail.email.eurobank-direktna.rs>
>
> What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs
> both have forward and reverse DNS entries.
>
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.


The 450 error code implies a transient failure, e.g. a SERVFAIL reply or 
a timeout. One of the authoritative nameservers for eurobank-direktna.rs 
(the domain part of the sender address) times out for me at the moment, 
which may be related to what you're seeing.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Alex via Postfix-users
Hi,

On Tue, Apr 25, 2023 at 1:03 PM Gerald Galster via Postfix-users <
postfix-users@postfix.org> wrote:

> Hi, I realize this is probably one of the most frequently asked questions,
> but I really can't figure out why this was rejected.
>
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT
> from mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 <
> u...@eurobank-direktna.rs>: Sender address rejected: Domain not found;
> from= to=
> proto=ESMTP helo=
>
> What am I missing? eurobank-direktna.rs and
> mail.email.eurobank-direktna.rs both have forward and reverse DNS entries.
>
> I thought maybe it just didn't resolve properly at the time the email was
> received, but it's been happening for hours.
>
>
> Negative dns answers may be cached but usually not for hours.
> Verify that the resolver running on the postfix server can
> resolve that domain because this sounds like a dns problem.
>
> https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
>
> Query the resolvers listed in /etc/resolv.conf directly, e.g.
>
> dig @127.0.0.1 eurobank-direktna.rs a
> dig @127.0.0.1 eurobank-direktna.rs mx
>

That was the problem, thanks. I think it may be due to a low memory issue
on the mail server. Simply restarting bind fixed it, but it is definitely
curious to me that it was responding properly for so long.

Thanks for taking the time to help.



[pfx] Re: Sender address rejected, but domain is found?

2023-04-25 Thread Gerald Galster via Postfix-users
> Hi, I realize this is probably one of the most frequently asked questions, 
> but I really can't figure out why this was rejected.
> 
> Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from 
> mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8
> <u...@eurobank-direktna.rs>: Sender address rejected: Domain not found;
> from= to= proto=ESMTP helo=
> 
> What am I missing? eurobank-direktna.rs and 
> mail.email.eurobank-direktna.rs both have forward and reverse DNS entries.
> 
> I thought maybe it just didn't resolve properly at the time the email was 
> received, but it's been happening for hours.

Negative dns answers may be cached but usually not for hours.
Verify that the resolver running on the postfix server can
resolve that domain because this sounds like a dns problem.

https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain

Query the resolvers listed in /etc/resolv.conf directly, e.g.

dig @127.0.0.1 eurobank-direktna.rs a
dig @127.0.0.1 eurobank-direktna.rs mx

Alternatively try a public resolver in /etc/resolv.conf:

nameserver 8.8.8.8
or
nameserver 1.1.1.1

Best regards,
Gerald



[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Matus UHLAR - fantomas via Postfix-users

On 24.04.23 14:23, Wayne Spivak via Postfix-users wrote:
> I run a postfix install which requires authentication and pipes all email
> through Amavis (spam checking).
>
> My PHPList (broadcast only) goes through port 587, and since it sits on the
> server, it doesn't need authentication (I'm the only user).

Port 587 usually requires authentication and I don't recommend changing this.

> I just added Amavis Clamscan, which is working correctly.

clamscan? Perhaps you should run the daemon clamd, which works much faster.

> How do I create another smtp port that will allow PHPList to bypass Amavis?

It's funny that you have asked this on the clamav mailing list, got advice to
solve this on the amavis list, and went here to the postfix list instead.

> With a 15K address list, the load on the server would cripple it if it
> checked every list broadcast.

add this service to master.cf, similar to:
https://amavis.org/README.postfix.html#basics_smtpd-daemon
and feed PHPList output to 127.0.0.1:10026

127.0.0.1:10026 inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission-nocheck
  -o smtpd_tls_security_level=none
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=

- you get lines "postfix/submission-nocheck/smtpd" in syslog
- no tls for local communication
- authentication not required nor enabled
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


[pfx] Re: [External] Re: Error when telnet testing, 1st cmd always fails

2023-04-25 Thread Kinter, Jim via Postfix-users
Thanks Wietse, you are correct.
I went into the putty config for that profile and unchecked a few things 
("Answer back to ^E" was set to PuTTy, Telnet Negotiation from Active to 
Passive, etc) and it's working now. 

Thanks again.
Jim

-Original Message-
From: Wietse Venema via Postfix-users  
Sent: Tuesday, April 25, 2023 9:43 AM
To: Postfix users 
Subject: [External] [pfx] Re: Error when telnet testing, 1st cmd always fails



Use netcat (nc) instead of putty.

I suspect that putty is sending telnet protocol options, even when it connects 
to a server on a non-telnet port. That would be a putty bug.

Wietse

This message may contain confidential information. If you are not the intended 
recipient, do not disseminate, distribute, or copy this e-mail or its 
attachments. Please notify the sender of the error immediately by e-mail or at 
the telephone number listed below, and delete this e-mail and any attachments 
from your system. Receipt by anyone other than the intended recipient(s) is not 
a waiver of any trade secrets, proprietary interests, or other applicable 
rights. E-mail transmission is not necessarily secure or error-free, as 
information could be intercepted, corrupted, lost, destroyed, delayed, 
incomplete, or may contain viruses. The sender disclaims all liability for any 
errors or omissions arising as a result of the e-mail transmission. 
 
OEConnection LLC, (888) 776-5792, www.oeconnection.com 


[pfx] Re: Error when telnet testing, 1st cmd always fails

2023-04-25 Thread Marek Podmaka via Postfix-users
It is a feature. Putty has option to use "Telnet" protocol or "Raw"
protocol.

On Tue, 25 Apr 2023 at 16:43, Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Use netcat (nc) instead of putty.
>
> I suspect that putty is sending telnet protocol options, even when
> it connects to a server on a non-telnet port. That would be a putty
> bug.
>
> Wietse


[pfx] Re: Error when telnet testing, 1st cmd always fails

2023-04-25 Thread Wietse Venema via Postfix-users
Use netcat (nc) instead of putty.

I suspect that putty is sending telnet protocol options, even when
it connects to a server on a non-telnet port. That would be a putty
bug.

Wietse
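
Added example (not part of the original post): why the first command fails. A telnet client that negotiates actively sends IAC option bytes ahead of the first line, so the server reads them as part of the command; the Python below separates the two. The seven options in the sample are an assumption about what such a client sends, chosen because 7 x 3 = 21 bytes matches the "got 21" read in the original report's -vvv log, followed by "got 16" for "ehlo localhost" plus CRLF.

```python
# Telnet command bytes (RFC 854) and a few option numbers.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
NEGOTIATE = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPTIONS = {1: "ECHO", 3: "SGA", 24: "TTYPE", 31: "NAWS",
           32: "TSPEED", 39: "NEW-ENVIRON"}

# Constructed sample: 21 bytes of option negotiation (assumed option list),
# then the command the user actually typed.
NEGOTIATION = bytes([IAC, WILL, 31, IAC, WILL, 32, IAC, WILL, 24,
                     IAC, WILL, 39, IAC, DO, 1, IAC, WILL, 3, IAC, DO, 3])
FIRST_LINE = NEGOTIATION + b"ehlo localhost\r\n"


def strip_telnet(data):
    """Split a byte stream into (telnet commands seen, remaining payload)."""
    commands, payload = [], bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            payload.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # lone trailing IAC: incomplete, drop
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xFF
            payload.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:          # IAC WILL/WONT/DO/DONT <option>
            if i + 2 >= len(data):
                break
            opt = data[i + 2]
            commands.append(f"{NEGOTIATE[cmd]} {OPTIONS.get(opt, opt)}")
            i += 3
        elif cmd == SB:                 # IAC SB <option> ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            opt = data[i + 2] if end > i + 2 else None
            commands.append(f"SB {OPTIONS.get(opt, opt)}")
            i = end + 2
        else:                           # two-byte commands such as IAC NOP
            commands.append(f"CMD {cmd}")
            i += 2
    return commands, bytes(payload)


def as_logged(data):
    """Render bytes the way the -vvv log does: non-printables become '?'."""
    return "".join(chr(b) if 32 <= b < 127 else "?" for b in data)


def smtp_verb(data):
    """First whitespace-delimited token of a line, i.e. the SMTP verb."""
    parts = data.split(None, 1)
    return as_logged(parts[0]).upper() if parts else ""


if __name__ == "__main__":
    seen, clean = strip_telnet(FIRST_LINE)
    print("server sees :", as_logged(FIRST_LINE.rstrip()))
    print("verb parsed :", smtp_verb(FIRST_LINE))
    print("telnet cmds :", ", ".join(seen))
    print("real command:", clean.decode("ascii").rstrip())
```

Option 32 is the byte 0x20 (a space) and option 39 is 0x27 (an apostrophe), which is why the garbled command in the log contains a space and a `'` among the question marks.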


[pfx] Error when telnet testing, 1st cmd always fails

2023-04-25 Thread Kinter, Jim via Postfix-users
We have an issue with 2 postfix servers of the same vintage/version.

If I telnet port 25 to the server (Putty), it connects fine, then ANY command I 
send, be it helo, ehlo, or even just cr/lf (hit enter), I get:

502 5.5.2 Error: command not recognized

If I send the same command again, it then works fine from then on out:

ehlo localhost
250-dlmail.domain.local
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

It's always the 1st command after initial connection that fails; any subsequent 
command of that same connection works fine.

If I -vvv the log, I see (IPs and other sensitive data redacted):

Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: event_loop: read fd=6 
act=0x557650a49f60 0x6
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: event_cancel_timer: 0x557650a4a040 
0x0 45
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: connection established
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: master_notify: status 0
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: name_mask: resource
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: name_mask: software
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: connect from gateway[172.X.X.X]
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: match_list_match: gateway: no match
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: match_list_match: 172.X.X.X: no 
match
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: match_list_match: gateway: no match
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: match_list_match: 172.X.X.X: no 
match
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: smtp_stream_setup: maxtime=300 
enable_deadline=0
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: match_hostname: gateway ~? 172. 
X.X.X /32
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: match_hostaddr: 172. X.X.X ~? X.X.X 
/32
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: > gateway[172. X.X.X]: 220 
DLW011.domain.local ESMTP Postfix
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: watchdog_pat: 0x557652305720
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: vstream_fflush_some: fd 12 flush 40
Apr 25 09:29:04 DLW011 postfix/smtpd[5393]: vstream_buf_get_ready: fd 12 got 21
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: vstream_buf_get_ready: fd 12 got 16
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: < gateway[172. X.X.X]: ? 
?'?ehlo localhost
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: match_string: ? ~? CONNECT
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: match_string: ? ~? GET
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: match_string: ? ~? POST
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: match_list_match: ?: no match
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: > gateway[172. X.X.X]: 502 5.5.2 
Error: command not recognized
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: watchdog_pat: 0x557652305720
Apr 25 09:29:10 DLW011 postfix/smtpd[5393]: vstream_fflush_some: fd 12 flush 41

The 1st command is always prefaced with a bunch of question marks.
Subsequent commands of the same connection do not have all those question marks.

Anyone have a clue what's going on/what setting needs changed/what's busted?

Thanks
Jim



[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Wayne Spivak via Postfix-users
Thank you

 

From: Gerald Galster via Postfix-users  
Sent: Tuesday, April 25, 2023 10:05 AM
To: Postfix users 
Subject: [pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

 

> Applicable snippets from files are:
>
> My main.cf
>
> content_filter=smtp-amavis:[127.0.0.1]:10024
> meta_directory = /etc/postfix
>
> smtp_tls_security_level = may
> smtpd_tls_security_level = may
>
> I did this to master.cf
>
> 127.0.0.1:2510 inet n   -   n   -   -   smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated
> -o milter_macro_daemon_name=ORIGINATING
> -o content_filter=

check if those lines are beginning with whitespace (tab/space):

127.0.0.1:2510 inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=

Depending on the mail-/logvolume on the server you might temporarily
set "  -o syslog_name=postfix/submission2510" to distinguish
submission (587) and submission (2510).

> My  PHPList config.php file shows
>
> define('PHPMAILERHOST', '127.0.0.1');
> define('PHPMAILERPORT',2510);
> define('PHPMAILER_SECURE',true);

If connections are originating from localhost only, you don't
need encryption (PHPMAILER_SECURE / "-o smtpd_tls_security_level=encrypt").

With encryption you need to check if PHPMAILER verifies certificates
and if verification is successful. Usually this requires a certificate
signed by a certification authority like letsencrypt. Self-signed
certificates can be problematic in this context.

> Apr 25 08:52:08 mcq postfix/submission/smtpd[18972]: lost connection after
> STARTTLS from localhost[127.0.0.1]

This might be a hint that validation is not successful - PHPMAILER drops the
connection.

Perhaps you can enable a debug log in PHPMAILER for more information.

Best regards,

Gerald

 

 



[pfx] Re: Use of PTR record

2023-04-25 Thread Gerald Galster via Postfix-users
> Running mailservice with Postfix
> PTR record is set to myserver.mydomain.com (1.2.3.4)

Check if your PTR record is traceable:

dig +trace -x 1.2.3.4 ptr

If that works check your resolver in /etc/resolv.conf, e.g.:
nameserver 127.0.0.1

dig @127.0.0.1 -x 1.2.3.4 ptr

You have a dns problem, not a postfix problem if any
of those fail.

Best regards,
Gerald


[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Gerald Galster via Postfix-users
> Applicable snippets from files are:
>  
> My main.cf
>  
>  
> content_filter=smtp-amavis:[127.0.0.1]:10024 meta_directory = /etc/postfix
>  
> smtp_tls_security_level = may
> smtpd_tls_security_level = may
>  
>  
>  
> I did this to master.cf
>  
> 127.0.0.1:2510 inet n   -   n   -   -   smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated
> -o milter_macro_daemon_name=ORIGINATING
> -o content_filter=

check if those lines are beginning with whitespace (tab/space):

127.0.0.1:2510 inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=

Depending on the mail-/logvolume on the server you might temporarily
set "  -o syslog_name=postfix/submission2510" to distinguish
submission (587) and submission (2510).


> My  PHPList config.php file shows
>  
> define('PHPMAILERHOST', '127.0.0.1');
> define('PHPMAILERPORT',2510);
> define('PHPMAILER_SECURE',true);

If connections are originating from localhost only, you don't
need encryption (PHPMAILER_SECURE / "-o smtpd_tls_security_level=encrypt").

With encryption you need to check if PHPMAILER verifies certificates
and if verification is successful. Usually this requires a certificate
signed by a certification authority like letsencrypt. Self-signed
certificates can be problematic in this context.

> Apr 25 08:52:08 mcq postfix/submission/smtpd[18972]: lost connection after 
> STARTTLS from localhost[127.0.0.1]

This might be a hint that validation is not successful - PHPMAILER drops the 
connection.
Perhaps you can enable a debug log in PHPMAILER for more information.

Best regards,
Gerald




[pfx] Re: Use of PTR record

2023-04-25 Thread Wietse Venema via Postfix-users
Jos Chrispijn via Postfix-users:
> Running mailservice with Postfix
> PTR record is set to myserver.mydomain.com (1.2.3.4)
> 
> Every time I receive external e-mail, my logfile shows:
> Apr 25 15:01:39 terra postfix/smtpd[12479]: 073416D2: 
> client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=me

Postfix ALSO logs a warning that this name does not resolve
to the client IP address.

Hint, hint, ...

Wietse


[pfx] Re: Use of PTR record

2023-04-25 Thread Bill Cole via Postfix-users

On 2023-04-25 at 09:14:18 UTC-0400 (Tue, 25 Apr 2023 15:14:18 +0200)
Jos Chrispijn via Postfix-users 
is rumored to have said:


> Running mailservice with Postfix
> PTR record is set to myserver.mydomain.com (1.2.3.4)
>
> Every time I receive external e-mail, my logfile shows:
> Apr 25 15:01:39 terra postfix/smtpd[12479]: 073416D2: 
> client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=me
>
> How can I configure that client=unknown[1.2.3.4] will be replaced with 
> the PTR record text instead?

Make the name in the PTR record resolve back to the same client IP.

> I could force that by putting 'myserver.mydomain.com 1.2.3.4' in my 
> hosts file, but I am not quite convinced that is the only solution.

Actual DNS is also an option, and a better one usually.

As you've chosen to pose this as a hypothetical with bogus details, 
there may be complications we can't see.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
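
The check that the replies from Wietse Venema and Bill Cole point to, as an added example that is not part of the original thread: the PTR name is accepted only when a forward lookup of that name returns the client IP, otherwise the client stays "unknown". The function names, the injectable lookups and the sample zones (including 5.6.7.8) are assumptions constructed for this illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup through the system resolver; returns a name or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Address lookup through the system resolver; returns a set of strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def client_label(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (label, reason): the name is used only if it maps back to ip."""
    name = ptr_lookup(ip)
    if not name:
        return f"unknown[{ip}]", "no PTR record"
    addrs = {ipaddress.ip_address(a.split("%")[0]) for a in forward_lookup(name)}
    if not addrs:
        return f"unknown[{ip}]", f"{name} has no address records"
    if ipaddress.ip_address(ip) not in addrs:
        found = ", ".join(sorted(str(a) for a in addrs))
        return f"unknown[{ip}]", f"{name} resolves to {found}, not {ip}"
    return f"{name}[{ip}]", "forward-confirmed"

# Constructed sample data using the thread's placeholder name and address.
PTR = {"1.2.3.4": "myserver.mydomain.com"}
FORWARD_MISSING = {}
FORWARD_WRONG = {"myserver.mydomain.com": {"5.6.7.8"}}
FORWARD_FIXED = {"myserver.mydomain.com": {"1.2.3.4"}}

def check(forward_zone, ip="1.2.3.4"):
    """Run client_label against the constructed zones instead of live DNS."""
    return client_label(ip, PTR.get, lambda n: forward_zone.get(n, set()))

if __name__ == "__main__":
    for zone in (FORWARD_MISSING, FORWARD_WRONG, FORWARD_FIXED):
        print(check(zone))
```

Calling `client_label("1.2.3.4")` with the default lookups runs the same comparison against the system resolver, which is the one the mail server itself consults.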


[pfx] Use of PTR record

2023-04-25 Thread Jos Chrispijn via Postfix-users

Running mailservice with Postfix
PTR record is set to myserver.mydomain.com (1.2.3.4)

Every time I receive external e-mail, my logfile shows:
Apr 25 15:01:39 terra postfix/smtpd[12479]: 073416D2: 
client=unknown[1.2.3.4], sasl_method=LOGIN, sasl_username=me


How can I configure that client=unknown[1.2.3.4] will be replaced with 
the PTR record text instead?
I could force that by putting 'myserver.mydomain.com 1.2.3.4' in my hosts 
file, but I am not quite convinced that is the only solution.


Thanks, Jos

-- With both feet on the ground you can't make any step forward


[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Wayne Spivak via Postfix-users
Thank you.

I tried it, and it didn’t work.

Applicable snippets from files are:

My main.cf

content_filter=smtp-amavis:[127.0.0.1]:10024 meta_directory = /etc/postfix

smtp_tls_security_level = may
smtpd_tls_security_level = may

I did this to master.cf

127.0.0.1:2510 inet n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated
-o milter_macro_daemon_name=ORIGINATING
-o content_filter=

My  PHPList config.php file shows

define('PHPMAILERHOST', '127.0.0.1');
define('PHPMAILERPORT',2510);
define('PHPMAILER_SECURE',true);

my maillog says:

Apr 25 08:52:08 mcq postfix/submission/smtpd[18972]: connect from 
localhost[127.0.0.1]

Apr 25 08:52:08 mcq postfix/submission/smtpd[18972]: Anonymous TLS connection 
established from localhost[127.0.0.1]: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (2048 bits) server-digest SHA256

Apr 25 08:52:08 mcq postfix/submission/smtpd[18972]: lost connection after 
STARTTLS from localhost[127.0.0.1]

Apr 25 08:52:08 mcq postfix/submission/smtpd[18972]: disconnect from 
localhost[127.0.0.1] ehlo=1 starttls=1 commands=2

Apr 25 08:52:08 mcq opendmarc[11855]: ignoring connection from localhost

From: Gerald Galster via Postfix-users  
Sent: Tuesday, April 25, 2023 7:48 AM
To: Postfix users 
Subject: [pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

I run a postfix install which requires authentication and pipes all email 
through Amavis (spam checking).

My PHPList (broadcast only) goes through port 587, and since it sits on the 
server, it doesn’t need authentication (I’m the only user).

I just added Amavis Clamscan, which is working correctly.

How do I create another smtp port that will allow PHPList to bypass Amavis?  
With a 15K address list, the load on the server would cripple it if it checked 
every list broadcast.

/etc/postfix/master.cf

submission inet n   -   n   -   -   smtpd
  -o smtpd_sasl_auth_enable=yes
  ...
  #-o smtpd_proxy_filter=
  #-o content_filter=

Copy your submission block and replace submission with another port.
A typical example for amavisd reinjection is:

127.0.0.1:10025 inet n   -   n   -   -   smtpd
  ...

That way smtpd is bound to 127.0.0.1 Port 10025 instead of submission.
Just choose another ip and/or port that suits you.

Do not set a content_filter or smtpd_proxy_filter to bypass amavis.
If content_filter is set globally in main.cf, disable it for this service:

  -o content_filter=

Keep in mind there are no spaces around "=" in master.cf.

Best regards,
Gerald



[pfx] Re: Postfix Amavis (Virus Checker) PHPList workaround

2023-04-25 Thread Gerald Galster via Postfix-users
> I run a postfix install which requires authentication and pipes all email 
> through Amavis (spam checking).
>  
> My PHPList (broadcast only) goes through port 587, and since it sits on the 
> server, it doesn’t need authentication (I’m the only user).
>  
> I just added Amavis Clamscan, which is working correctly.
>  
> How do I create another smtp port that will allow PHPList to bypass Amavis?  
> With a 15K address list, the load on the server would cripple it if it 
> checked every list broadcast.


/etc/postfix/master.cf

submission inet n   -   n   -   -   smtpd
  -o smtpd_sasl_auth_enable=yes
  ...
  #-o smtpd_proxy_filter=
  #-o content_filter=

Copy your submission block and replace submission with another port.
A typical example for amavisd reinjection is:

127.0.0.1:10025 inet n   -   n   -   -   smtpd
  ...

That way smtpd is bound to 127.0.0.1 Port 10025 instead of submission.
Just choose another ip and/or port that suits you.

Do not set a content_filter or smtpd_proxy_filter to bypass amavis.
If content_filter is set globally in main.cf, disable it for this service:
  -o content_filter=

Keep in mind there are no spaces around "=" in master.cf.

Best regards,
Gerald
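
The two master.cf rules from Gerald's replies in this thread (option lines must begin with whitespace, and "-o name=value" takes no spaces around "="), turned into a small checker as an added example that is not part of the original thread or of Postfix. The function name `lint_master_cf` and the `SPACED` sample are assumptions constructed for this illustration; `AS_POSTED` is the block quoted in the thread.

```python
def lint_master_cf(text):
    """Return (line_number, message) findings for master.cf text."""
    findings = []
    for num, line in enumerate(text.splitlines(), start=1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if line[0] not in " \t":  # column 0 starts a new service entry
            if tokens[0].startswith("-"):
                findings.append((num, "option is not indented, so it does "
                                      "not continue the service entry"))
            elif len(tokens) < 8:
                findings.append((num, f"service entry has {len(tokens)} "
                                      "fields, expected at least 8"))
        for i, tok in enumerate(tokens):
            if tok != "-o":
                continue
            arg = tokens[i + 1] if i + 1 < len(tokens) else ""
            nxt = tokens[i + 2] if i + 2 < len(tokens) else ""
            if arg.startswith("{"):
                continue  # "-o { name = value }" form allows spaces
            if "=" not in arg or (arg.endswith("=") and nxt
                                  and not nxt.startswith("-")):
                findings.append((num, "whitespace around '=' in -o option"))
    return findings

# The service block as quoted in the thread, option lines at column 0.
AS_POSTED = """\
127.0.0.1:2510 inet n   -   n   -   -   smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated
-o milter_macro_daemon_name=ORIGINATING
-o content_filter=
"""
# The same block with the indentation suggested in the reply.
CORRECTED = AS_POSTED.replace("\n-o", "\n  -o")
# Constructed sample: indented, but with spaces around "=".
SPACED = ("127.0.0.1:2510 inet n - n - - smtpd\n"
          "  -o content_filter = smtp-amavis:[127.0.0.1]:10024\n")

if __name__ == "__main__":
    for sample in (AS_POSTED, CORRECTED, SPACED):
        print(lint_master_cf(sample))
```

On a live system, `postconf -M` and `postconf -P` print the service entries and `-o` overrides as Postfix actually parsed them, which confirms whether the filter bypass applies to the intended listener.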
