Re: DKIM milter: adding a TXT record
On Fri, 17 May 2019 16:37:26 +0200 Christian Rößner wrote:
> a little bit hard to figure out your problem. I only can guess.

I was using 'dig txt chez-vrolet.net' and not turning up the correct TXT records, and should have used 'dig txt 201905._domainkey.chez-vrolet.net' instead. Oops. =D

-Dennis
(Disregard) Re: DKIM milter: adding a TXT record
On Thu, 16 May 2019 22:28:59 -0700 Dennis Carr wrote:
> I'm working to implement DKIM and DMARC at this time (DMARC is next),
> and I've got DKIM just about down except for one thing: the TXT
> record.

...and wouldn't you know it, it's because I was digging the wrong domain name. Never mind.

-Dennis
DKIM milter: adding a TXT record
Hey, guys. Might be a little bit off topic, but I'll throw it out there.

I'm working to implement DKIM and DMARC at this time (DMARC is next), and I've got DKIM just about down except for one thing: the TXT record. Bind doesn't seem to want to load the TXT record, despite that I've even re-edited it per what I found at https://serverfault.com/questions/571720/publishing-long-domain-key-records-in-bind9. (Running 9.10.3.dfs in Debian Stable.)

There doesn't seem to be a clue as to what's going on at this point, so I'm a bit lost. Help?

-Dennis Carr
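The two things this thread turns on, as an added example that is not part of the original posts: a DKIM key is looked up at `<selector>._domainkey.<domain>` (taken from the `s=` and `d=` tags of the signature), and a key record longer than 255 bytes has to be published as several quoted strings inside one TXT record, which the verifier concatenates. The signature header and the key material below are constructed placeholders, and the zone line assumes the zone's origin is chez-vrolet.net.

```python
import re

MAX_TXT_STRING = 255  # one character-string inside a TXT record holds at most 255 bytes

# Constructed sample data (not a real signature, not a real key).
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=chez-vrolet.net; "
                    "s=201905; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=")
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392  # about the length of a 2048-bit RSA key


def parse_tags(tag_list):
    """Parse a DKIM 'tag=value; tag=value' list into a dict (whitespace in values dropped)."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_query_name(signature_header):
    """Name a verifier queries for the key: <s=>._domainkey.<d=>, never the bare domain."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def to_zone_record(selector, record_value, chunk=MAX_TXT_STRING):
    """Render a zone-file TXT record, splitting the value into strings of <= chunk bytes."""
    if '"' in record_value or "\\" in record_value:
        raise ValueError("value needs zone-file escaping, which this example does not do")
    data = record_value.encode("ascii")
    pieces = [data[i:i + chunk].decode("ascii") for i in range(0, len(data), chunk)]
    quoted = "\n\t\t".join(f'"{piece}"' for piece in pieces)
    return f"{selector}._domainkey\tIN\tTXT\t( {quoted} )"


def txt_strings(zone_record):
    """The individual quoted strings of a rendered record."""
    return re.findall(r'"([^"]*)"', zone_record)


def from_zone_record(zone_record):
    """What a DKIM verifier works with: the strings joined with nothing in between."""
    return "".join(txt_strings(zone_record))


if __name__ == "__main__":
    print("query with: dig txt", dkim_query_name(SAMPLE_SIGNATURE))
    record = to_zone_record("201905", SAMPLE_RECORD)
    print(record)
    print("round trip intact:", from_zone_record(record) == SAMPLE_RECORD)
```

A record whose single quoted string exceeds 255 bytes is the case the linked Server Fault question deals with; splitting at any byte offset is fine because the pieces are joined without separators.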
Re: Rejecting based on From is...not rejecting
On Fri, 16 Nov 2018 01:08:42 -0500 Viktor Dukhovni wrote: > On Nov 16, 2018, at 12:17 AM, Dennis Carr > wrote: > > > Suffice it to say, I seem to be doing it wrong. > > In a creatively diverse number of ways. :-) Well Viktor, we can't say I do everything right, now, can we? =D I noted too in Dominic's response the pointer to header_checks instead; sounds like the better option. I'll give that a go. -Dennis Carr
Rejecting based on From is...not rejecting
Heya.

Postfix 3.1.8 on Debian Stable. I'm trying to use /etc/postfix/sender_access to pretty much reject anything showing as 'From: *@qq.com' as there's a plethora of spam coming from that domain - and it's not rejecting. Suffice it to say, I seem to be doing it wrong.

In sender_access, I have:

    \/.qq.com$/ REJECT

...and the reference to this file in main.cf is:

    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, ...

...what'd I miss? If needed I can stick the files up on a pastebin.

-Dennis Carr
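Why the table in this post never matches, as an added example that is not from the thread or from Postfix itself: an indexed `hash:` table is queried with literal keys derived from the envelope sender (full address, domain and parent domains, then `user@`), so a regular expression stored as a key is never compared as a pattern. The lookup order is a simplified model of access(5) that ignores address extensions; the second and third tables and all addresses are constructed, and Python's `re` stands in for the `pcre:` table type.

```python
import re

POSTED_TABLE = r"\/.qq.com$/ REJECT"      # the line from the post, loaded as hash:
LITERAL_TABLE = "qq.com REJECT"           # constructed: literal key for a hash: table
PATTERN_TABLE = r"/[@.]qq\.com$/ REJECT"  # constructed: pattern for a pcre:/regexp: table


def parse_indexed_table(text):
    """Left-hand sides of an indexed table are literal, lower-cased keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action
    return table


def sender_lookup_keys(mail_from, parent_matches_subdomains=True):
    """Keys tried in order for one envelope sender.

    parent_matches_subdomains models smtpd_access_maps being listed in
    parent_domain_matches_subdomains; when it is not, parent domains are
    looked up with a leading dot instead.
    """
    local, _, domain = mail_from.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}", domain]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys


def check_indexed(table, mail_from, parent_matches_subdomains=True):
    """Return (matching key, action) or None, as a hash: lookup would."""
    for key in sender_lookup_keys(mail_from, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None


def check_pattern_table(text, mail_from):
    """Pattern tables get one lookup: the whole address against each /regex/ in order."""
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/[a-zA-Z]*\s+(\S.*)$", line)
        if m and re.search(m.group(1), mail_from, re.IGNORECASE):
            return m.group(1), m.group(2)
    return None


if __name__ == "__main__":
    posted = parse_indexed_table(POSTED_TABLE)
    literal = parse_indexed_table(LITERAL_TABLE)
    for sender in ("spam@qq.com", "x@vip.qq.com", "user@notqq.com"):
        print(sender,
              "| posted:", check_indexed(posted, sender),
              "| literal:", check_indexed(literal, sender),
              "| pattern:", check_pattern_table(PATTERN_TABLE, sender))
    # check_sender_access sees only the envelope (MAIL FROM) address. A message
    # with a constructed envelope sender of bounce@mailer.example and a
    # "From: someone@qq.com" header passes all three tables, which is why the
    # replies in the thread point at header_checks for matching the From: header.
    print(check_indexed(literal, "bounce@mailer.example"))
```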
Re: Problem when I send a mail
This is fairly normal. It just means that postfix can't figure out the name of the connecting box by resolution or host look-up.

-Dennis Carr

On May 15, 2018 11:34:30 AM PDT, for...@mehl-family.fr wrote:
>Hi,
>
>When I send a mail with roundcube from my computer I find this message
>on my maillog :
>
>_MAY 15 20:16:51 MYSERVER POSTFIX/SMTPD[29843]: CONNECT FROM
>UNKNOWN[192.168.1.1]_
>
>192.168.1.1 is my box IP
>
>My computer is in the same lan than my mailserver (home network).
>
>I think I have a bad configuration somewhere, postfix or server
>network.
>
>
>I take any suggestion.
>
>Thanks.
>
>--
>##
>
>Philippe - Forums

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Keep Postfix running in the foreground
On Tue, 26 Sep 2017 21:21:56 +0200 A Debian User <deb_mailingl...@niemeczek.at> wrote: > Hello, > > I am currently having trouble to get postfix running in a Docker > Container. > > Docker requires a Process to stay alive and in foreground at ID 1, if > not the container dies. I don't know much about Docker, but would it be possible to just start a shell script therein that pretty much does nothing, e.g. 'while true ()' as PID 1? -Dennis Carr
Cannot send mail following upgrade to 3.1.4 - can't find user/alias info
permit
smtpd_relay_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, permit
smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/sender_access, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

In a nutshell: what am I missing here?

-Dennis Carr
Re: [Mailman-Users] SPF best practices?
On Mon, 24 Aug 2015 00:13:14 +0900 Stephen J. Turnbull step...@xemacs.org wrote: That does mean that anybody who can send through smtp.comcast.net can send as a mailbox from your domain and pass DMARC, most likely. I don't see a way to profitably exploit that offhand, though (unless you're a bank). This means, then, that I should probably remove it from the SPF record - at its current configuration, the ~all should at least softfail while I work on getting Postfix set up for TLS. -Dennis Carr
Re: Do I need to open port 25?
On Sun, 14 Jun 2015 20:54:58 -0700 Jithesh AP jithesh...@gmail.com wrote:
> I am newbie into mail and mTA setup.

Welcome. =)

> I have my port 465 smtps/587 (submission) working, so do i need to keep port 25 open? I am asking this because when i try to telnet gmail then it does not work, so was wondering if blocking port 25 will stop all my incoming mails or not?

It will, on the basis that anybody sending mail to your domain will be unable to deliver mail to your domain - they won't have a user account.

> To try it out i did telnet gmail like below
> telnet gmail-smtp-in.l.google.com 25
> it just said trying and did not work

This may not be related to you blocking TCP 25, and is more likely your ISP blocking TCP 25 to anything but their SMTP server from your connection. But that also depends on the error that turns up. Do it again and wait for the error - start the attempt, and go get yourself a cup of coffee. =)

> Then i sent a mail from gmail to my mail ID after blocking port 25 and I did not receive the mail, don't know where it went :(

Wait a bit and see what the bounce tells you. It should soft bounce.

-Dennis
Aliases aren't even being looked at
To briefly explain my system - I have my workstation and server, both running Debian Wheezy (current stable). If I send mail, Postfix (2.9.6) passes to my server via an ssh tunnel on port 2525 (relayhost for this).

Now, the relevant part. On the workstation, there are a few key aliases I have set up in order to make certain commonly used addresses easy to use (e.g., my Spamcop receiving address). Unfortunately, those aren't working so well, because if I send one to 'fda', I get this:

    Reporting-MTA: dns; chez-vrolet.net
    X-Postfix-Queue-ID: 9B88F8A13B
    X-Postfix-Sender: rfc822; dennistheti...@shere-khan.chez-vrolet.net
    Arrival-Date: Tue, 25 Mar 2014 07:09:34 -0700 (PDT)

    Final-Recipient: rfc822; fda@localhost
    Action: failed
    Status: 5.1.1
    Diagnostic-Code: X-Postfix; unknown user: fda

It's notable that I restored my /etc/postfix from a backup that had previously worked perfectly well with no changes. (I had to reinstall.)

So the short version: What would cause postfix to happily ignore my /etc/aliases.db, doubly so after rerunning postalias? Note that I have not purged and reinstalled Postfix yet.

-Dennis
reject_listed_domain option?
I'm basically looking for such an option - for all intents, if a domain is not, for some reason, in the RBLs, one could manually add the domain into such a list. In particular, I'm looking to do this to hostwinds.net and bluemountain14.com, as they do not seem to test positive in the RBLs. Or, maybe I'm doing it wrong. In any case, is there any way that exists to do this? -Dennis
Odd warning in my syslog
Running 2.7.1 on Debian Squeeze. I'm a tad concerned when looking at my syslog on a transaction. I currently have my workstation configured to ssh tunnel into my server, the latter of which is in a remote location from me (local port is 2525, to port 25 on the server), and I've noticed this warning coming up in /var/log/syslog: warning: 206.225.172.6: address not listed for hostname bast.chez-vrolet.net Note that I have an A record in DNS pointing bast to this IP address. Mail is otherwise working just fine. Is this something I should be worrying about? To note, I do the tunnel configuration because I find that Comcast's SMTP servers are not all that reliable for my purposes. -Dennis
Re: Odd warning in my syslog
On Sat, 19 Jan 2013 20:22:53 +0100 Reindl Harald h.rei...@thelounge.net wrote:
> * please do not strip most informations from log, one stripped line is not enough
> * which machine throws the warning

That would be clever, wouldn't it? =D

Here's a single transaction from bast, using account 'null', which I use for test purposes and such:

    Jan 19 12:58:05 bast postfix/smtpd[19019]: warning: 206.225.172.6: address not listed for hostname bast.chez-vrolet.net
    Jan 19 12:58:05 bast postfix/smtpd[19019]: connect from unknown[206.225.172.6]
    Jan 19 12:58:05 bast postfix/smtpd[19019]: 7804ED4051: client=unknown [206.225.172.6]
    Jan 19 12:58:05 bast postfix/cleanup[19023]: 7804ED4051: message-id=20130119125654.88f18c3d0aed5d6300fa8...@chez-vrolet.net
    Jan 19 12:58:05 bast postfix/smtpd[19019]: disconnect from unknown [206.225.172.6]
    Jan 19 12:58:05 bast postfix/qmgr[1497]: 7804ED4051: from=dennistheti...@chez-vrolet.net, size=705, nrcpt=1 (queue active)
    Jan 19 12:58:05 bast postfix/local[19024]: 7804ED4051: to=n...@chez-vrolet.net, relay=local, delay=0.17, delays=0.16/0/0/0, dsn=2.0.0, status=sent (delivered to file: /dev/null)
    Jan 19 12:58:05 bast postfix/qmgr[1497]: 7804ED4051: removed

...and from my workstation, shere-khan:

    Jan 19 12:58:05 shere-khan postfix/pickup[8509]: 4951F8C3C5: uid=1000 from=dennisthetiger
    Jan 19 12:58:05 shere-khan postfix/cleanup[8774]: 4951F8C3C5: message-id=20130119125654.88f18c3d0aed5d6300fa8...@chez-vrolet.net
    Jan 19 12:58:05 shere-khan postfix/qmgr[7293]: 4951F8C3C5: from=dennistheti...@chez-vrolet.net, size=518, nrcpt=1 (queue active)
    Jan 19 12:58:05 shere-khan postfix/smtp[8777]: 4951F8C3C5: to=n...@chez-vrolet.net, relay=127.0.0.1[127.0.0.1]:2525, delay=0.29, delays=0.02/0.01/0.08/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7804ED4051)
    Jan 19 12:58:05 shere-khan postfix/qmgr[7293]: 4951F8C3C5: removed

...by comparison, here's one if I send from my gmail account, and here, you'll note the lack of such a warning:

    Jan 19 13:00:14 bast postfix/smtpd[19043]: connect from mail-ie0-f170.google.com[209.85.223.170]
    Jan 19 13:00:14 bast postfix/smtpd[19043]: A81F5D4051: client=mail-ie0-f170.google.com [209.85.223.170]
    Jan 19 13:00:14 bast postfix/cleanup[19048]: A81F5D4051: message-id=CAFgCO2Zm1B6Pc_6YS9J=LK=_MjXrC +bbFxyx=xmdhc0xwpw...@mail.gmail.com
    Jan 19 13:00:14 bast postfix/qmgr [1497]: A81F5D4051: from=dennistheti...@gmail.com, size=1784, nrcpt=1 (queue active)
    Jan 19 13:00:14 bast postfix/smtpd[19043]: disconnect from mail-ie0-f170.google.com[209.85.223.170]
    Jan 19 13:00:14 bast postfix/local[19049]: A81F5D4051: to=dennistheti...@chez-vrolet.net, relay=local, delay=0.37, delays=0.31/0.01/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
    Jan 19 13:00:14 bast postfix/qmgr [1497]: A81F5D4051: removed

> * connection comes from where?

The connection is an ssh tunnel from my workstation. My workstation has localhost port 2525 tunnelled to bast port 25.

> * what says the host-command on the machine which throws the warning?

    root@bast:/etc/postfix# host bast.chez-vrolet.net
    bast.chez-vrolet.net has address 206.225.172.6

Comparative:

    dennisthetiger@shere-khan:~$ host bast.chez-vrolet.net
    bast.chez-vrolet.net has address 206.225.172.6

-Dennis
Re: Lamentation and query
On Sun, 25 Nov 2012 17:08:26 -0600 Stan Hoeppner s...@hardwarefreak.com wrote:
> Dennis, how many computer books, or books in general, do you own? Do you have any on display? Or are they all simply hoarded away in boxes in the attic or basement?

Two shelves of books I could use regularly on things various such as computers and matters spiritual, inclusive of a fiction collection, and a small collection of text books from my studies of late. Reading Seattle, by the way, is not a bad collection of excerpts.

> The prescribed solution for this problem isn't more newer books, but therapy for the personality disorder known as hoarding. I think there's a reality TV show about this.

Well, I got rid of the old DOS and OS/2 Warp books eons ago, when I disposed of my printed manuals for Maximus and Binkley.

Do understand that I previously owned the books I noted; the reason I do not now is because they were lost in a move some time ago, and I'm just getting to a point where I want to reobtain them.

-Dennis
Re: Lamentation and query
On Sat, 24 Nov 2012 12:50:48 -0700 Glenn English g...@slsware.com wrote: Have you considered printing (parts of) the website? I hadn't, but being a broke college student, it may cost a bit. I could probably pull off printing it on campus though -Dennis
Re: Lamentation and query
On Sun, 25 Nov 2012 16:10:11 + Viktor Dukhovni postfix-us...@dukhovni.org wrote: The basic concepts (what you need to understand) have not changed much, in that sense the old books are fine. The specific facts you need to know to tweak Postfix to do non-routine tasks may have changed a bit, but the documentation for that is online. Given that, then, the latest from either No Starch or O'Reilly may just be perfectly cromulent for my purposes. An Amazon book printed on demand, is possible but is not going to make anyone any money for the time spent. ...you think I can get Amazon to do my dishes? =D -Dennis
Re: Lamentation and query
On Sun, 25 Nov 2012 21:35:46 +0100 Patrick Ben Koetter p...@sys4.de wrote: I am working on an updated version as time permits. Thank you, Patrick. Looking forward to the newer version when it's out there. -Dennis
Lamentation and query
So I went and looked at O'Reilly Publications, as they had, for me, been the historical go-to for tech documentation of all flavors. Imagine my dismay, then, when I find that the cricket book (DNS and BIND) was current for version 9.3, but more to the point for this list's topic, Postfix has not been updated in eight years. I miss my dead tree versions being current. =/ -Dennis Carr
Re: Lamentation and query
On Sat, 24 Nov 2012, Dennis Carr wrote: I miss my dead tree versions being current. =/ and having said all this, I realize I forgot the query, but it may be foregone. =) Does anyone know who's currently published the most recent documentation for Postfix in a dead-tree form? -Dennis
Re: Lamentation and query
On Sat, 24 Nov 2012, Wietse Venema wrote: Dennis Carr: and having said all this, I realize I forgot the query, but it may be foregone. =) Does anyone know who's currently published the most recent documentation for Postfix in a dead-tree form? Have you tried a bookseller's search engine? Actually, no, I haven't. The thought never really crossed my mind. Checking bookfinder, though, it appears that much of what's out there seems to only be as recent as 2004. =/ -Dennis
Re: please delete or hide the content in the mail
On Fri, 29 Jun 2012 05:18:13 + (UTC) Kshitij mali kshitij.m...@orange.com wrote:
> Hello sir, Please delete the thread or at least hide the IP address and email address in the content on the below archived post:

You have already asked this. Wietse made it perfectly clear that the archive will not be changed. If you did not want the data in the logs on the mailing list, you should have used a pastebin.

-Dennis
Re: mail delivery system message
On Sat, 7 Apr 2012, Jon Miller wrote: ad...@desborough.com.au: localhost: No address associated with hostname In a nutshell, Postfix thinks that the address 'admin@$host' does not exist. What does /etc/postfix/aliases say about admin@? Vaguely important: does it point to a live account? Logs are needed for the bounce - please provide the excerpt from your log file. What OS are you running? -Dennis
Re: spam to postmaster
On Sat, 18 Feb 2012, Reindl Harald wrote: what i do not understand is how f^%@#!!$ stupid people are spamming to postmaster/abuse-addresses (bowdlerized for comical effect -ed) As near as I can tell, the spammers just run under a few assumptions. RFC requires one to maintain those addresses and have them point to a human-readable address, and with this assumption they are considered viable recipient addresses. Granted, back in the day, we actually *used* these addresses for the purpose, but due to this they've become mostly useless in my opinion. As to why these people would be so stupid to do this, well, consider a spammer. =( -Dennis
Re: spam to postmaster
On Sat, 18 Feb 2012, Reindl Harald wrote: what i do not understand is how %#^%$@!! stupid people are spamming to postmaster/abuse-addresses Oh. One other thing - they don't care. There is no courtesy. They don't care if you scream at them, yell at them, because people are paying them to do this shite, and all they gotta do is conjure up a list of email addresses. Even if they're all here on chez-vrolet.net, they just have to conjure up a list of email addresses and bombard the entire lot. What amuses me, if anything, is that they think we're angry because we don't make the money they do. Personally, I just dislike them because I don't want their garbage in my email, let alone just press delete. I have better things to do with my time. But that's just me steering off topic - sorry. -Dennis
Re: Disable sending mails via telnet
On Wed, 11 Jan 2012, Rod Dorman wrote:
> The suggested (i.e. SHOULD) SMTP timeouts are given in minutes. No human typing the commands is going to have any difficulty.

Never underestimate the power (or lack thereof) of a hunt-and-pecker unfamiliar with computers tasked with doing this. =)

-Dennis
Re: Disable sending mails via telnet
On Wed, 11 Jan 2012, Leslie León Sinclair wrote:
> I'm testing a server, so I need to unable people[users], to connect via telnet[smtp.mydomain.com:25] to the mail server.

If you're testing it, your best bet is to either

a) bring it up as long as you need to test it, and then shut it down when you don't (ONLY for the purpose of testing), or

b) set configuration to only allow mail from localhost - so this way, a user on the machine the server resides on could, in theory, type 'telnet localhost 25', but this assumes that the telnet client is installed thereon

Keep in mind, though, that there are people who keep the telnet client on machines that you don't have control of - and in my case, I keep it around to debug occasionally. You won't have control of those machines, and direct telnet into a SMTP server is really not a security hole.

-Dennis
Re: Disable sending mails via telnet
On Tue, 10 Jan 2012, Leslie León Sinclair wrote: Can anyone point me in the right direction, I´m stucked here and Google is not helping... If you mean the act of disabling the ability of using a telnet client to connect to port 25, you're best not doing this - or, just set any session timeouts to something short to prevent manual interaction. If you mean disabling the ability to send email while logged in using telnet then your best bet is to disable telnet and use ssh instead. -Dennis
Re: Upgrade ...
On Thu, 29 Dec 2011, Barbara M. wrote:
> My plan is to update Postfix (and dovecot, procmail), in the old box to the release in the new box and when tested, move user/data to the new box (new box is 64 bit while old box is 32 bit, but hope this isn't a problem). Copying the old /etc/postfix dir to the new server and restarting the service seems work well (not tested local delivery, procmail, ...). There is some guidelines that I can study/follow to have a painless migration?

Funny, I just did a server migration. =)

Caveat: I don't run CentOS (which is Red Hat based), I run Debian.

I wound up doing a dist-upgrade for my old server to bring it up to current Stable (Squeeze), to make sure that everything was on par with what's current in the latest version of Postfix, and then pretty much ported over my requisite files - straight copy of /etc/postfix aliases, and hand alteration of the existing main.cf. I didn't port over master.cf because the new one contained features than what I already had in place. (Much of my configuration was current back in '03, when that server first came up under Mandrake. Those were the days)

This said, if it's possible, I'd highly recommend doing an in-place version upgrade for the distribution you're using - but to avoid killing the server, make sure you can downgrade, that it's not going to break, or that you have a fallback if necessary. I have no idea what CentOS will do if you do such a thing, so check with their support channels before you go that route and find out what to do in order to avoid blowing up that server.

-Dennis
Re: Do you people ever rest
On Sat, 24 Dec 2011, Andreas Berton wrote:
> Merry christmas to you all!

You as well! Have a safe and happy holiday, and a prosperous 2012!

And as to the subject - no, I don't rest. This is what espresso and Red Bull are for. =D

-Dennis
Re: postfix devnull mailbox
On Thu, 22 Dec 2011, Sahil Tandon wrote: Because this thread has veered off into a general discussion about mail operation/policy, would you consider taking it off-list or to a more appropriate forum, e.g. the mailop list? Agreed. I'm stunned that a tongue in cheek comment of mine has resulted in a flame war. =.= -Dennis
Re: postfix devnull mailbox
On Tue, 20 Dec 2011, /dev/rob0 wrote:
> Why do you want to do that? What would be wrong with rejecting that address?

/dev/null is just the proper repository to recycle bits. We don't want to run out. =^_^=

In all seriousness, I guess it depends on who you ask. For the original poster's case, it's going to a noreply address, and I've seen cases where nore...@foo.bar is simply eaten, more often than not, rather than rejected.

Besides, as far as I'm concerned, it does serve as an extra use: messages to noreply or similar black hole addresses can serve as a receptacle for flames. Some yutz can decide he's going to be a jerk and flame somebody that doesn't actually exist - s/he feels good about {him,her}self in theory, and the only thing that sees the message is postfix, which just relegates it to nothingness - leaving it to tie up storage resources only for as long as it takes for Postfix to chew on it.

-Dennis (who couldn't resist a bit of silliness and bounces null@ and some other addresses to /dev/null himself)
Migration from one server to another - best practices?
I'm about to do a migration from one server to another - old server runs Debian Lenny, new one runs Squeeze, both with respective current versions of postfix. Long and short is that I'm basically preparing to migrate everything, including users and a mailman configuration, to the new box. Basic strategy I have is to shut down smtp on the old server during the course of the migration, and once postfix is configured on the new box with the users and mailman aliases, switch the old box over to being a secondary mx for a few days while DNS settles down. Is there a better way to do this, or some sort of online guide I can follow that can guide me through the process? -Dennis Carr
Re: Printing received mails
On Thu, 3 Nov 2011, Daniel L. Miller wrote:
> We're now using a hosted fax service and receive our faxes via email to a dedicated address. Is there a method via Postfix I can have these printed when received? Or do I handle this via mda scripting (at the moment, Dovecot with Sieve).

Considering all the discussion on this thread, wouldn't it just be easier to alias the dedicated address in /etc/postfix/aliases to something like |/path/to/fax/program or something?

-Dennis
Re: mailing lists software ?
Throwing one more in for Mailman. -Dennis Carr -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. Frank Bonnet f.bon...@esiee.fr wrote: Hello We are moving our old LISTSERV server after 15 years of very good services :-) Lsoft prices have grown up amazingly so I plan to use open source software to replace it ... I would like to have feedbacks from lists managers that use Postfix we have approx 100 lists most of them are internals. Thank you
Re: sending mass mail
Check with your ISP, make sure spf and domain keys are up to date, and install a mailing list manager like Mailman. -Dennis Carr -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. Amira Othman a.oth...@cairosource.com wrote: Hi all I want to send mails to all users I have in my database and I am using postfix-2.3.3-2.3.el5_6. I am afraid that ISPs consider me spammer and add me to black list.Any one can suggest to me where to start to send mass mails and how to be protected from being considered spammer at ISP Regards
Re: Accepting email regardless of address
I'd suggest configuring as secondary, setting the MX record for this box as a primary, and use transport maps as suggested. -Dennis Carr -- Sent from my Android phone with K-9 Mail. Please excuse my brevity and top posting. Jason Gauthier jgauth...@lastar.com wrote: Greetings, Due to a new business requirement, I need to make a change with postfix that I am not certain how to handle. First, I use postfix as a relay only system. It does not do local delivery. Once it does it's tasks it passes the email to a backend email system. On the frontend, postfix handles several domains, and will bounce unknown email by using relay_recipients: relay_recipient_maps = hash:/etc/postfix/relay_recipients relay_recipients is populated from backend from legitimate email addresses. These makes the postfix system a nice 'bouncer' for unknowns :) Now, my requirements have changes. I have acquired a domain, we'll call it xyz.com. I don't host it, and never have. Therefore, I do not know what email addresses are valid. I would like to capture *any* email address sent to xyz.com and accept it, and deliver it somehow. I'm not sure how to accomplish this task yet, and looking for ideas. One inchoate idea I have, is translating all the email address to 'xyz.com' to an existing, valid, email address. Thanks, Jason
Blocking mail supposedly from my domain
Over the past couple days I'm noticing mail coming in from outside that is supposedly from users of mine - but apparently isn't. HELO message comes from chez-vrolet.net which is in my $mynetworks setting, but the IP address for the incoming machine does not match DNS. What adjustment in main.cf should I look at? On the surface, permit_mynetworks in strategic locations can be eliminated, but last time I did that, I couldn't send mail from localhost. -Dennis
Re: Blocking mail supposedly from my domain
On Sat, 7 May 2011, Reindl Harald wrote: mynetworks has nothing to do with DNS/PTR/HELO mynetworks is for IP-ADDRESSES/NETWORKS which are allowed to relay and override settings in smtp-restricitions That does eliminate it from the equation, but I still need to block this crap from coming in. =) -Dennis
Re: Blocking mail supposedly from my domain
On Sat, 7 May 2011, Reindl Harald wrote: in your case you have to place the check_sender_access policy in smtpd_recipient_restrictions AFTER permit_mynetworks and permit_sasl_authenticated so only internal hosts and authenticated users are allowed to use in this policy listed domains Being that the issue seems to be stemming from an issue in HELO, wouldn't it be more logical to work with smtpd_helo_restrictions? The problem is that HELO comes up as chez-vrolet.net - and while they aren't relaying (the machine is recognizing somewhere that there is a mismatch), I need to tune that so that it recognizes that the IP from the client is NOT chez-vrolet.net. -Dennis
Re: Blocking mail supposedly from my domain
On Sat, 7 May 2011, Reindl Harald wrote: and how will HELO change anything in Over the past couple days I'm noticing mail coming in from outside that is supposedly from users of mine? sure you can restrict HELO but it solves not the real problem that you will stop forged-from of your domains Good point, but... feh, I should elaborate: I'm ultimately trying to reject any mail from servers that say they are me and are distinctively NOT. -Dennis
Re: Blocking mail supposedly from my domain
On Sat, 7 May 2011, Michael Orlitzky wrote: If he wants to reject hosts that HELO as his own, he can check his own SPF record, and reject anything that softfails. ...spf does that? -Dennis
RE: need help for controlling authenticated relay
mallah.raj...@gmail.com mallah.raj...@gmail.com wrote:
> Coming back to real issue, i have already initiated password policy control. But i feel its not impossible for the enduser to somehow leak the password, passwords are commonly remembered by muas and possibility of virus and malware sniffing out the passwords from end user can also not be ruled out.

It actually can. I don't know your password policy, but I have noticed in over 25 years of working with computing that users will always try to find a way to adhere simply to a password policy. (e.g.: requirements for one capital letter, one number, and one punctuation mark in a 8-32 char length password will be met with something like Password1! - a capitalized dictionary word with a number one and exclamation mark.)

The best policy is to require true randomness, have them write the password down legibly and keep it someplace like their wallet or something, and to make sure they aren't installing crapware on their computers - and if it happens again, change their passwords immediately.

I have a more detailed explanation of how I handle my own passwords - I'll link when I'm not typing on my phone. :-)

-Dennis

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: The future of SMTP ?
On Sun, 13 Mar 2011, Frank Bonnet wrote: But to fight spam and all other malicious problems it's getting more and more sophisticated and complex to configure every day. It is not a criticism it is a fact that jump to every sysadmin's face. Does anyone has knowing of the future of SMTP ? Is there some project to replace it by some more secure protocol ? I, too, would have to say no to this one. SMTP is used largely because it has worked since the standard was implemented with RFC 822 back nearly 30 years ago and it still works, for all intents, and in fact does exactly what it says on the tin. So it's not SMTP that's broken, it's pretty much a) the end users who allow their machines to be zombied as a result of not exercising proper security practices, and b) the scumbags who actually generate the crap. The best we can really do is implement the spam blocks for receiving, unfortunately, and continue the usual practices: SPF implementations, the varying blacklists, etc. -Dennis
Re: The future of SMTP ?
On Sun, 13 Mar 2011, Reindl Harald wrote:
> On 13.03.2011 12:38, Steve wrote:
> > I really don't understand why people keep telling that spam is a problem?
> because there are people out there whose time costs money?

This part of the problem I suspect is marginal. It's not the cost, it's who's making the money.

Consider that part of my background involves being the mailroom guy in an outfit that routinely sent out bulk snail mail here in the US. As annoying as junk mail is, it's documentably easier to target than email and somebody is actually putting time, money, and effort into this stuff - you have to buy the advertisement materials and the address list, somebody is getting paid to collate and prepare everything, and somebody is hauling it down to the post office - who takes their payment in the form of postage. Busted my ass for that, I did, and it was decent money - when the company owner was not there to tell me how to do my job. =)

A spammer? It's just a list of email addresses. Push a button and sure, the spam is targeted - to a bunch of email addresses. Doesn't work so hot - my girlfriend gets ads for Viagra and penis enlargement, and I get ads for having my organ enlarged. Why would I want an enlarged heart or liver? Meanwhile, for ten minutes of work max, these assholes need only press a button and go get a cup of coffee, and they just made a mint.

So the problem is not with SMTP, it's with the spammers. Only thing we can do is block them. I really, REALLY wish there was more we could do so we can stop them - but the only thing we can do to stop them is to make it cost more than it's worth, and the only way I can admittedly come up with would be pretty unethical.

-Dennis
Re: my postfix mail server sending spam mail out
On Fri, 7 Jan 2011, Makara wrote:

> Hi All, I'm plesk control panel administrator. In these few days I found there are many deferred message in mailq and I know that hosting server is sending huge spam message out. Here is the log from postfix.

Turn up the log deg level a bit and it will show the source messages.

> It's possible for postfix or maybe smtp client to trace which directory sending message from? or any advice how to prevent or solve this problem? or extend log file so that I have more possibilities to find out where is the problem come from?

Yes, it will be in the log files - with a sufficiently high loglevel. If you think it's coming from a user's web page, then you might also move those files elsewhere for the time being as you are an administrator, and see if it stops - and if it is, you've found it.

To explain, the logs are just showing that Postfix is doing something with the mail spool - and everything in there, on my server, lives in /var/spool/postfix - your mileage may vary. The problem is that it doesn't explain where these messages are coming from - the actual SMTP transactions are not shown in the sample you provided. A higher loglevel will tell you where the messages are coming from - or it could be that Postfix is still dumping the log info into /var/log/syslog.

-Dennis
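As an added illustration (not part of the original post or of Postfix itself): once the log contains the records written when a message enters the queue, grouping them by queue ID shows whether each message came in from a local process (a pickup line with the submitting uid) or over SMTP (an smtpd line with the client). The log lines, addresses and function names below are constructed for the example, and it assumes the short hexadecimal queue ID format.

```python
import re
from collections import Counter

# Constructed sample lines in the usual Postfix syslog layout (not from the post).
SAMPLE_LOG = """\
Jan  7 10:00:01 host postfix/pickup[2101]: 3A1F02C0D1: uid=10004 from=<site1@example.com>
Jan  7 10:00:02 host postfix/smtpd[2110]: 4B2E03D1E2: client=mail.example.net[192.0.2.10]
Jan  7 10:00:02 host postfix/qmgr[990]: 4B2E03D1E2: from=<bob@example.net>, size=1500, nrcpt=1 (queue active)
Jan  7 10:00:03 host postfix/pickup[2101]: 5C3D04E2F3: uid=10004 from=<site1@example.com>
Jan  7 10:00:04 host postfix/smtp[2120]: 3A1F02C0D1: to=<x@example.org>, relay=none, delay=3, status=deferred (connect timed out)
Jan  7 10:00:05 host postfix/smtp[2121]: 4B2E03D1E2: to=<y@example.org>, relay=mx.example.org[198.51.100.5]:25, status=sent (250 ok)
"""

# daemon name, queue ID, remainder of the record
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def trace_origins(log_text):
    """Map each queue ID to how the message entered Postfix."""
    origins = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "pickup":  # submitted locally through the sendmail command
            uid = re.search(r"\buid=(\d+)", rest)
            if uid:
                origins[qid] = "local uid=" + uid.group(1)
        elif daemon == "smtpd":  # received over SMTP
            client = re.search(r"\bclient=([^,\s]+)", rest)
            if client:
                origins[qid] = "smtp client=" + client.group(1)
    return origins

def messages_by_origin(log_text):
    """Count queued messages per origin; the busiest origin is the first lead."""
    return Counter(trace_origins(log_text).values())

def deferred_by_origin(log_text):
    """Count deferred delivery attempts per origin of the message."""
    origins = trace_origins(log_text)
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and "status=deferred" in m.group(3):
            counts[origins.get(m.group(2), "unknown")] += 1
    return counts
```

A uid that dominates the pickup entries can then be matched against the system's account list to find which hosted site is generating the mail.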
Re: metrics to show benefits of postfix vs. sendmail?
On Tue, 21 Sep 2010, Jay G. Scott wrote:

> they haven't started shouting yet, but i sense it's coming. i don't think i need to be exhaustive. but right now i don't have anything i can use to win this argument, objectively, anyway.

And ed is the standard editor, and has a great memory footprint on the Timex Sinclair 1000. :-)

The following arguments are about as objective as you're going to get, I'm afraid:

1) It speaks SMTP, ESMTP, and SMTP over secure channels. Just like Sendmail. Imagine that.
2) The configuration files do not require a master's degree in both linguistics and computer science. Just requires a bit of moxie. Not necessarily the soda - but that's your call.
3) Last I checked, the O'Reilly book isn't as thick as the Sendmail tome.

And this one applies primarily if it is, indeed, the case:

4) It's working. It's moving mail. It's not causing the magic smoke to come out of the machine room.

Unless they plan on regular direct interaction with the mail server (as opposed to merely sending and receiving email), then they just need to put on the big girl panties and deal with it.

To be blunt, if your Sendmail guys are going to gripe about memory footprint, then it's probably time for them to move Sendmail off of the 386 SX 25 with 4 MB of RAM, and perhaps relegate said 386 to maybe serving internal NTP for a six machine LAN. :-)

This said, if they need an MTA that will also do the dishes, they might want to go to Sears and ask somebody some questions.

-Dennis
Re: Postfix MX Real-Time Anit-SPAM Firewall
On Fri, 6 Aug 2010, junkyardma...@verizon.net wrote:

> See Zip Attachment

I see it. What is this?

-Dennis
Set up SMTP AUTH/SASL, can't log in
I just set up basic configurations for SMTP AUTH (and, the next step, SASL) for my server, however I cannot seem to make it work quite right. Using the instructions at http://www.postfix.org/SASL_README.html, focusing on using dovecot as it is present. (Note, dovecot is not the active POP3/IMAP4 daemon, that seems to be deferred to the basic daemons from xinetd.)

On testing, this happens:

    $ telnet chez-vrolet.net 25
    (motd and dialog involving EHLO goes here)
    AUTH PLAIN
    334
    (login)
    535 5.7.0 Error: authentication failed: authentication failure

The only thing I noticed is that Dovecot did not place /var/spool/postfix/private/auth, which from what I'm reading of the instructions, should happen.

What am I doing wrong here?

-Dennis
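As an added illustration (not part of the original post): the check below covers the two things the transcript above depends on, namely whether the auth socket named in the post exists and is really a socket, and whether the base64 string sent after the 334 prompt is a well-formed SASL PLAIN message. The function names and sample credentials are constructed for the example; the socket path is the one from the post.

```python
import base64
import os
import stat

def plain_response(authcid, password, authzid=""):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, base64 for SMTP."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")

def parse_plain_response(b64):
    """Decode a response as the server would; raise ValueError if malformed."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    return tuple(p.decode("utf-8") for p in parts)

def check_auth_socket(path="/var/spool/postfix/private/auth"):
    """Report whether the auth socket exists and is really a socket."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    except PermissionError:
        return "unreadable"  # private/ is normally closed to other users
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    return "socket mode=%o uid=%d" % (stat.S_IMODE(st.st_mode), st.st_uid)

if __name__ == "__main__":
    print("auth socket:", check_auth_socket())
    # Constructed credentials, for illustration only.
    print("AUTH PLAIN", plain_response("user", "pass"))
```

A result of "missing" means the authentication service never created the socket, so Postfix has nothing to hand the credentials to and every login fails regardless of the password.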
ssh tunnel triggered on usage?
I'm running postfix 2.5.5-1.1 (Debian Stable) on my desktop, which I use to deliver mail to the internet via my server. Under optimal circumstances, I'd just have an IP address assigned to the box that's on the public network, but I'm on a single dynamic IP assigned by Comcast that may or may not change at the drop of a hat.

Currently, the method of delivery to my server is by way of an ssh tunnel to my server (deliver on localhost 2525 to get to the server), but the problem lies herein of security - if I do this, I tend to get rooted.

So here's the question: is there either...

1) A better way to do this, using already existing mechanisms in Postfix, or...
2) a way to tell Postfix to turn on the ssh tunnel for the period required to deliver mail on delivery to the daemon, and then flush the queue, at which point the tunnel is closed?

-Dennis Carr
A better backscatter killer?
Looking at options here for eliminating backscatter. I've reviewed the Howto for this, but it only seems to be effective against backscatter where one's home domain is forged - not too useful, IMNSHO, because spammers aren't always going to forge the home domain.

One thing I've been looking at doing is basically checking headers, and if the From: header is null, then reject it immediately.

Other approach is to eliminate my 2ary MX from DNS - most of my spam comes from that. I don't really want to do that, though, because the idea of a 2ary MX is for a fallback.

Thoughts?

-Dennis