[pfx] Re: Forward mail

2024-04-13 Thread Ralph Seichter via Postfix-users
* Peng via Postfix-users:

> Gmail/fastmail rely more on DKIM than SPF.

What makes you assume that? Sending mail to f...@gmail.com works with SPF
alone, in the absence of DKIM. I have not tried the reverse (DKIM
without SPF) yet.

-Ralph
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Forward mail

2024-04-13 Thread Mr. Peng via Postfix-users
Gmail/fastmail rely more on DKIM than SPF.
And, some huge providers (such as Microsoft, Mail.ru) have no SRS enabled
for their forwarding mails.
In my experience, don't rely too much on SPF settings, either for incoming
email or for outgoing mail.

regards.

On Sat, Apr 13, 2024 at 6:52 PM Paul van der Vlis via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello,
>
> Unfortunately, I have quite a few customers who want to receive email
> from their own domain at a different email address, such as a Gmail or
> Hotmail address. I forward this in /etc/postfix/virtual.
>
> But I actually don't understand why this arrives, especially if the
> sender has an SPF or DMARC record that clearly states that it should be
> rejected if the email comes from the wrong IP.
>
> Perhaps Gmail and others don't care about that, but it could also be
> that they look beyond the forward address and see that it comes from a
> legitimate IP, but is only forwarded.
> That would be good, but maybe easily forged without DKIM?
>
> Could someone tell us more about this?
>
> And what is a good solution for forwarding? Rewrite the sender?  SRS?
>
> With regards,
> Paul van der Vlis
>
>
> --
> Paul van der Vlis Linux systeembeheer Groningen
> https://vandervlis.nl/


[pfx] Re: duplicate deliveries

2024-04-13 Thread Wietse Venema via Postfix-users
Marek Podmaka via Postfix-users:
> Hi,
> 
> When/how does postfix prevent duplicate deliveries when delivering to an
> alias and explicitly also to the alias result? For example all@domain + Cc
> to one of the members of that alias. I have found parameters
> "duplicate_filter_limit" and "enable_original_recipient" that mention it,
> but I don't understand how exactly it works.

The above duplicate filter is in effect when Postfix writes recipients
to a queue file. This happens after virtual alias expansion,
always_bcc, sender_bcc_maps, recipient_bcc_maps, and after any
recipients added with Milter actions.

When enable_original_recipient is turned on, the above duplicate
filter will NOT discard duplicate recipients that differ in their
"original recipient" address. This is for use cases where all mail
for a domain is received in a single mailbox, and where the original
recipient is obtained from the X-Original-To: header.

> I have an older mailserver where this works (no duplicate deliveries,
> otherwise someone would complain). I am using virtual users with default
> virtual delivery.
> 
> I also have another mail server also with the same type of virtual users
> (same database schema), but which was setup with Dovecot LDA as delivery
> agent. And there the deduplication doesn't work, I had to use

If that is the only difference: you changed from delivery with the
virtual delivery agent to delivery with the lmtp or pipe delivery
agent, then Postfix still delivers the same recipients.

If there is a difference in deduplication, then you have introduced
a difference up-stream of the delivery agents. You need to find
that difference.

I suggest that you start with comparing the outputs from "postconf
-n" on the old and new servers.

Wietse


[pfx] duplicate deliveries

2024-04-13 Thread Marek Podmaka via Postfix-users
Hi,

When/how does postfix prevent duplicate deliveries when delivering to an
alias and explicitly also to the alias result? For example all@domain + Cc
to one of the members of that alias. I have found parameters
"duplicate_filter_limit" and "enable_original_recipient" that mention it,
but I don't understand how exactly it works.

I have an older mailserver where this works (no duplicate deliveries,
otherwise someone would complain). I am using virtual users with default
virtual delivery.

I also have another mail server also with the same type of virtual users
(same database schema), but which was setup with Dovecot LDA as delivery
agent. And there the deduplication doesn't work, I had to use
dovecot-sieve's "duplicate" extension, which discards the duplicated email.
Is it because for LDA I have destination_recipient_limit=1? Or maybe just
because of using sender_bcc_maps and not related to LDA?

I have setup sieve rule in the past according to
https://serverfault.com/questions/112958/postfix-aliases-and-duplicate-e-mails-how-to-fix
which mentions old faq.html on postfix web and some broken links to old
mail list archives claiming the deduplication is not implemented. So what
are the prerequisites for it to work?
I am now planning to migrate the old server from courier to dovecot + lda
and want to know if I will need the sieve solution again or not...

-- 
  bye, Marki


[pfx] Re: Submission Forward

2024-04-13 Thread Wietse Venema via Postfix-users
svoop_pvde84wdgt--- via Postfix-users:
> Hiya!
> 
> I'm running my own Postfix as part of a dockered MailU which works
> really smoothly for my own domains. However, I also have a few
> email addresses for client projects at work and for the sake of
> MUA simplicity, I forward all incoming mail to these addresses to
> my main email address on my own domain. Receiving is a piece of
> cake, unfortunately, sending is another story.
> 
> This is the situation stripped to the important bits:
> 
> * m...@mydomain.org is my main email handled by my own MX (Postfix/MailU)
> * m...@clientproject.org is my email used for this client project and handled 
> by Google workspace
> 
> Incoming mail to m...@clientproject.org is forwarded to m...@mydomain.org and 
> delivered normally.
> 
> Outgoing mail as m...@clientproject.org should use the (authenticated)
> SMTP of Google to assure SPF/DKIM alignment, but my MUAs don't
> support such a setting. (IMO, only Thunderbird allows multiple
> outgoing SMTP per email account.)
>
> I tried to figure out a server-side solution instead, something
> like a reverse forward or submission forward: Submit outgoing mail
> as m...@clientprojet.org to my own Postfix which is configured to
> recognise this "From" as external and therefore resubmit the message
> via the SMTP of Google (using my credentials for auth).

The official solution is to use sender_dependent_default_transport_maps
(indexed by envelope.from) to choose the relay MTA (such as Google
for a google-hosted sender address), combined with smtp_sasl_passwd
maps, indexed by that same relay MTA (including any :port and []).

Untested example:

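/etc/postfix/main.cf:
# Pick the relay by envelope sender; look up credentials by relay.
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_passwd
smtp_tls_security_level = may

/etc/postfix/sender_relay:
# Envelope sender -> relay. The relay must be spelled exactly like the
# key in smtp_sasl_passwd, including [] and :port.
m...@clientproject.org  [smtp.gmail.com]:587

/etc/postfix/smtp_sasl_passwd:
[smtp.gmail.com]:587    username:password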

Again, untested, typed from fallible memory.

You can harden this further with sender_dependent_default_transport_maps
and defining a dedicated SMTP client in master.cf, with

-o { smtp_tls_security_level = encrypt }

to make TLS mandatory.

Wietse


[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere

2024-04-13 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 13, 2024 at 11:14:34AM -0400, Dan Mahoney wrote:

> >>>   virtual_alias_maps = static:allmail@$mydomain
> >>>   default_transport = virtual
> >>>   virtual_mailbox_maps = static:/var/spool/virtual/allmail/
> >>>   virtual_uid_maps = static:12345
> >>>   virtual_gid_maps = static:12345
> 
> I’ve dropped this in, changing only 12345 to the “nobody” UID (65534 on BSD), 
> rather than a UID that doesn’t exist.
> 
> This fails for me with:
> 
> postfix/virtual[3806]: fatal: bad string length 0 < 1: virtual_mailbox_base =
> 
> I’ve chown'd /var/spool/virtual/allmail to that UID/GID of course.

Indeed, you need:

virtual_mailbox_base = /var/spool/virtual
virtual_mailbox_maps = static:allmail/

A detail I overlooked.

-- 
Viktor.


[pfx] Re: Is there a way to just quickly deliver "everything" to a file somewhere

2024-04-13 Thread Dan Mahoney via Postfix-users


> On Apr 11, 2024, at 08:35, Viktor Dukhovni via Postfix-users wrote:
> 
> On Wed, Apr 10, 2024 at 11:39:24PM -0400, Dan Mahoney via Postfix-users wrote:
> 
>>> On Apr 2, 2024, at 10:52, Viktor Dukhovni via Postfix-users
>>> <postfix-users@postfix.org> wrote:
>>>
>>> On Tue, Apr 02, 2024 at 04:14:29AM -0400, Dan Mahoney via Postfix-users
>>> wrote:
>>>> Hey there all,
>>>>
>>>> I’m setting up a staging version of dayjob’s ticket system, and we’d
>>>> basically like postfix to still function, but instead of touching the
>>>> internet at all, just deliver everything to a single file (or a maildir, I
>>>> suppose), regardless of if a file is invoked via sendmail, or a port 25
>>>> connection.  I’d like nothing to leave the box.
>>>>
>>>> Is there some kind of transport hack I can use for this?
> 
> Complete recipe was posted, quoted below:
> 
>>>   # No local(8) delivery
>>>   #
>>>   alias_database =
>>>   mydestination =
>>>   local_transport = error:5.1.2 Mailbox unavailable
>>> 
>>>   # No locally hosted domains, but you may want to set one of these
>>>   # non-empty to accept mail over SMTP, if mail comes in from outside,
>>>   # but this could also be via submission, permit_mynetworks, ...
>>>   #
>>>   relay_domains =
>>>   virtual_alias_domains =
>>>   virtual_mailbox_domains =
>>> 
>>>   # Collapse all recipients to a single address, delivered to a single
>>>   # maildir.
>>>   #
>>>   enable_original_recipient = no
>>>   virtual_alias_maps = static:allmail@$mydomain
>>>   default_transport = virtual
>>>   virtual_mailbox_maps = static:/var/spool/virtual/allmail/
>>>   virtual_uid_maps = static:12345
>>>   virtual_gid_maps = static:12345
>> 
>> I guess I missed something. — I also want it to null route (or route
>> to a maildir) all *outbound* mail — so we can examine what our ticket
>> system *would* send, is there something in here to do that, or is the
>> above only for inbound?
> 
> I see no disclaimer that this would only cover "inbound" or "outbound"
> mail.  Rather, I see "default_transport = virtual", which sends *all*
> mail to the maildir.  Once mail is in the queue it is simply mail to be
> delivered, there is no "inbound" or "outbound" when making transport
> decisions.
> 
> What the recipe comments do say is that the above configuration does not
> accept any inbound mail as written, you'd need to allow some clients to
> inject mail via SMTP either to "inbound" domains, by e.g. adding some to
> "virtual_alias_domains" or "virtual_mailbox_domains" (same result either
> way).  Or via "smtpd_recipient_restrictions" to allow some clients to
> send mail (just adding them to "mynetworks" would typically suffice).
> 
> Your reluctance to test this is puzzling.  Read it, try to understand
> it, test it, tweak as needed, repeat.

I’ve dropped this in, changing only 12345 to the “nobody” UID (65534 on BSD), 
rather than a UID that doesn’t exist.

This fails for me with:

postfix/virtual[3806]: fatal: bad string length 0 < 1: virtual_mailbox_base =

I’ve chown'd /var/spool/virtual/allmail to that UID/GID of course.

What am I missing?

-Dan


[pfx] Submission Forward

2024-04-13 Thread svoop_pvde84wdgt--- via Postfix-users
Hiya!

I'm running my own Postfix as part of a dockered MailU which works really 
smoothly for my own domains. However, I also have a few email addresses for 
client projects at work and for the sake of MUA simplicity, I forward all 
incoming mail to these addresses to my main email address on my own domain. 
Receiving is a piece of cake, unfortunately, sending is another story.

This is the situation stripped to the important bits:

* m...@mydomain.org is my main email handled by my own MX (Postfix/MailU)
* m...@clientproject.org is my email used for this client project and handled 
by Google workspace

Incoming mail to m...@clientproject.org is forwarded to m...@mydomain.org and 
delivered normally.

Outgoing mail as m...@clientproject.org should use the (authenticated) SMTP of 
Google to assure SPF/DKIM alignment, but my MUAs don't support such a setting. 
(IMO, only Thunderbird allows multiple outgoing SMTP per email account.)

I tried to figure out a server-side solution instead, something like a reverse 
forward or submission forward: Submit outgoing mail as m...@clientprojet.org to 
my own Postfix which is configured to recognise this "From" as external and 
therefore resubmit the message via the SMTP of Google (using my credentials for 
auth). 

My experiments using transport maps worked to some degree, but I never got 
everything to function properly. Some setups interfered with my own domains, 
others resulted in misaligned SPF/DKIM etc. I certainly don't know enough about 
mail delivery in 2024 to configure Postfix in such a way that envelope, headers 
etc are correctly altered. 

Is such a setup doable at all and maybe is there an example I missed out during 
my research?

Thanks a lot for your help!


[pfx] Re: Forward mail

2024-04-13 Thread Wietse Venema via Postfix-users
Paul van der Vlis via Postfix-users:
> Hello,
>
> Unfortunately, I have quite a few customers who want to receive email
> from their own domain at a different email address, such as a Gmail or
> Hotmail address. I forward this in /etc/postfix/virtual.
>
> But I actually don't understand why this arrives, especially if the
> sender has an SPF or DMARC record that clearly states that it should be
> rejected if the email comes from the wrong IP.

If a message has valid DKIM signatures (the message header and body
still match) and the receiving system verifies DKIM, then it may
still accept forwarded mail, despite SPF mismatch.

> Perhaps Gmail and others don't care about that, but it could also be
> that they look beyond the forward address and see that it comes from a
> legitimate IP, but is only forwarded.
> That would be good, but maybe easily forged without DKIM?
> 
> Could someone tell us more about this?
> 
> And what is a good solution for forwarding? Rewrite the sender?  SRS?

If the receiving system insists on SPF despite valid DKIM, yes. I have no
first-hand experience doing that, but there is some SPF and SRS tooling.
This is a part of Postfix that needs some work.

Wietse
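
[Added example, not part of the original thread and not code from Postfix or any SRS package.] A simplified sketch of the sender rewriting asked about above: the forwarder replaces the envelope sender with an address in its own domain, so the final receiver evaluates SPF against the forwarder, and a keyed hash plus day stamp let the forwarder accept only bounces for addresses it issued. The SRS0 field layout is followed loosely; the 4-character hash, the 21-day window, the secret and all addresses are assumptions constructed for illustration.

```python
import base64, hashlib, hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SLOTS = 1024        # two base32 characters: the day stamp wraps every 1024 days
MAX_AGE_DAYS = 21   # assumed window in which a bounce is still accepted

def _stamp(day):
    d = day % SLOTS
    return B32[d >> 5] + B32[d & 31]

def _unstamp(ts):
    return (B32.index(ts[0].upper()) << 5) | B32.index(ts[1].upper())

def _tag(secret, ts, domain, local):
    # Short keyed hash so third parties cannot mint valid return addresses.
    msg = (ts + domain + local).lower().encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]

def srs_forward(sender, fwd_domain, secret, day):
    """Rewrite the envelope sender so SPF is checked against the forwarder."""
    local, domain = sender.rsplit("@", 1)
    ts = _stamp(day)
    tag = _tag(secret, ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{fwd_domain}"

def srs_reverse(addr, secret, day):
    """Recover the original sender for a bounce, or raise ValueError."""
    localpart = addr.rsplit("@", 1)[0]
    if not localpart.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    try:
        tag, ts, domain, local = localpart[5:].split("=", 3)
        age = (day - _unstamp(ts)) % SLOTS
    except (ValueError, IndexError):
        raise ValueError("malformed SRS0 address") from None
    expected = _tag(secret, ts, domain, local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad hash")
    if age > MAX_AGE_DAYS:
        raise ValueError("expired")
    return f"{local}@{domain}"

if __name__ == "__main__":
    key = b"constructed-secret"                  # constructed sample values
    day = 19826                                  # days since the Unix epoch
    rewritten = srs_forward("alice@sender.example", "forwarder.example", key, day)
    print(rewritten)                             # new MAIL FROM at the forwarder
    print(srs_reverse(rewritten, key, day + 3))  # bounce mapped back
```

The rewrite touches only the envelope sender; the From: header and body are unchanged, so an existing DKIM signature still verifies after forwarding.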


[pfx] Forward mail

2024-04-13 Thread Paul van der Vlis via Postfix-users

Hello,

Unfortunately, I have quite a few customers who want to receive email
from their own domain at a different email address, such as a Gmail or
Hotmail address. I forward this in /etc/postfix/virtual.

But I actually don't understand why this arrives, especially if the
sender has an SPF or DMARC record that clearly states that it should be
rejected if the email comes from the wrong IP.

Perhaps Gmail and others don't care about that, but it could also be
that they look beyond the forward address and see that it comes from a
legitimate IP, but is only forwarded.
That would be good, but maybe easily forged without DKIM?

Could someone tell us more about this?

And what is a good solution for forwarding? Rewrite the sender?  SRS?

With regards,
Paul van der Vlis


--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/


[pfx] Re: Aliases with "@" in it

2024-04-13 Thread Paul van der Vlis via Postfix-users

On 09-04-2024 at 12:57, Matus UHLAR - fantomas via Postfix-users wrote:

> virtual_alias_maps and alias_maps have slightly different capabilities
>
> virtual_alias_maps
> - is processed when mail is being received
> - can be used to rewrite ANY destination mail address (including
>   non-local recipients)
> - can be (usually is) used at SMTP level to validate recipients
>
> alias_maps
> - is used when delivering mail to local recipients
> - can include recipients from file
> - can feed mail to a program or a file
> - can change mail sender when "alias" is the recipient and "owner-alias"
>   exists
>
> Preferably use virtual_alias_maps, but if you need any of alias_maps
> features, use that one.

Thanks for your explanation!

With regards,
Paul

--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/