[pfx] Re: Postfix, Amavis DKIM and DMARC
>Conceptually you can. I tested it yesterday and it worked. At first I >encountered said phenomenon that the >mails in my inbox had no DMARC AR >header, but that was because the content_filter Amavis removed them. >After >disabling DKIM verification on the content_filter, headers looked like this: >Authentication-Results: arcsin.de; dmarc=pass (p=quarantine dis=none) >header.from=arcsin.de >Authentication-Results: arcsin.de; spf=none smtp.mailfrom=redacted >X-Spam-Flag: NO >X-Spam-Score: -1.142 >X-Spam-Level: >X-Spam-Status: No, score=-1.142 tagged_above=-100 required=6.31 >tests=[...redacted...] >autolearn=unavailable autolearn_force=no >Authentication-Results: arcsin.de (amavis); dkim=pass (2048-bit key) >header.d=arcsin.de >OpenDKIM was not involved here. So as per your previous post, setting a policy such as this one would do the trick? /etc/postfix/main.cf: content_filter = amavis:[127.0.0.1]:10021 /etc/amavis/conf.d/50-user: $interface_policy{'10021'} = 'DISABLEDKIM'; $policy_bank{'DISABLEDKIM'} = { enable_dkim_verification => 0 }; ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix, Amavis DKIM and DMARC
>That's what Dino is trying to do. Make amavis-over-milter add an DKIM >AR-header, then make OpenDMARC evaluate DMARC using that header. It may be >true that SpamAssassin 4 has a DMARC test, but Amavis >does not use such test >hit for a policy enforcement. >Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not for >DMARC policy enforcement. This question has stirred up a lot of answers but if I’m understanding correctly, it looks like I cannot use opendmarc with amavisd in postfix as a pre-queue filter for dkim. The only viable option is opendkim with opendmarc as pre-queue milters like I was originally doing. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix, Amavis DKIM and DMARC
-Original Message- From: Matus UHLAR - fantomas via Postfix-users Sent: Tuesday, November 14, 2023 8:04 AM To: postfix-users@postfix.org Subject: [pfx] Re: Postfix, Amavis DKIM and DMARC >this does not make sense unless you use it somewhere. Can you elaborate? >what do logs say? Logs don't say anything. There are simply no entries for opendmarc going anything, i.e. opendmarc does not get called thus no logs. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix, Amavis DKIM and DMARC
By “getting skipped” I mean I have no logs of opendmarc doing anything. I don’t understand how I would disable dkim in my content_filter policy. Dkim verification is either enabled or disabled in Amavis unless I’m not understanding what you mean. From: Damian via Postfix-users Sent: Tuesday, November 14, 2023 9:13 AM To: postfix-users@postfix.org Subject: [pfx] Re: Postfix, Amavis DKIM and DMARC I tried this config but sadly it doesn’t work, OpenDMARC (127.0.0.1:54321) gets skipped completely If "getting skipped" means that you don't see Authentication-Results for DMARC, I have a feeling that you didn't disable DKIM verification on your content_filter Interface Policy. Amavis will remove all such headers that match your AuthservID. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Postfix, Amavis DKIM and DMARC
Hello, I have been using OpenDKIM and OpenDMARC as smtpd_milters in Postfix and Amavis as a content filter. I'm trying to replace OpenDKIM with Amavis for DKIM verify and signing. The problem is that since Amavis is setup as an after-queue content_filter and OpenDMARC is a pre-queue smptd_milter in postfix OpenDMARC never sees the authentication headers and it's always failing DKIM checks. So I need to setup Amavis as a pre-queue milter before OpenDMARC in order to get this to work. I tried this config but sadly it doesn't work, OpenDMARC (127.0.0.1:54321) gets skipped completely: milter_amavis = unix:/var/spool/postfix/amavis/amavis.sock milter_connect_macros = "j {client_name} {daemon_name} v _" smtpd_milters = unix:/var/spool/postfix/amavis/amavis.sock,inet:127.0.0.1:54321 non_smtpd_milters = $smtpd_milters I posted in the Amavis mailing list but it wasn't helpful and they suggested I post in the Postfix mailing list since the original author of amavisd seems to lurk in here. I would appreciate some assistance. Thanks ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
Re: Filter mail with dangerous attachments
Normally you would use a content filter like Amavis along side postfix accomplish this. From: Tan Mientras Sent: Wednesday, December 14, 2022 9:22 AMTo: postfix-us...@cloud9.netSubject: Filter mail with dangerous attachmentsHello Excuse my generic question, but I dont know where to startIs it possible to filter/detect/forbid mails containing invoice.exe as attachment at postfix level?Thanks
RE: Postscreen DNSBL do not seem to be working
>It's absolutely not forwarding. It's resolving recursively. I'm using unbound with pfsense and I'm suspecting there is something wrong with it. >When I point to MS DNS server or 9.9.9.9, it's resolving correctly. The issue has been resolved. Just in case someone finds the solution useful, pfsense by default has rebind protection enabled which disables DNS responses using rfc1918. So disabling rebinding DNS protection in pfsense is the solution. Thanks for the help that pointed me in the right direction.
RE: Postscreen DNSBL do not seem to be working
>In any case, the OP may well be using a local resolver, but they didn't say whether it's resolving recursively or forwarding (e.g. to 8.8.8.8), and I'd bet it's the latter. It's absolutely not forwarding. It's resolving recursively. I'm using unbound with pfsense and I'm suspecting there is something wrong with it. When I point to MS DNS server or 9.9.9.9, it's resolving correctly.
RE: postfix-policyd-spf-python
-Original Message- From: owner-postfix-us...@postfix.org <> On Behalf Of Matus UHLAR - fantomas >perhaps a but I don't see So you agree, it should be passing but it's not for some reason.
Re: postfix-policyd-spf-python
On 5/13/2022 9:41 AM, Matus UHLAR - fantomas wrote: perhaps you can post logs? local part of mail address may be censored... Sure. NOQUEUE: reject: RCPT from smtp15-ia5-sp1.mta.salesforce.com[13.110.78.238]: 550 5.7.23 : Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=oemcustomerc...@acuitybrands.com;ip=13.110.78.238;r=; from= to= proto=ESMTP helo= Thanks
postfix-policyd-spf-python
Hi, Not sure if this is the right place to post the question concerning postfix-policyd-spf-python but I can't seem to find any working links for the openspf project. Our postfix-policyd-spf-python server recently rejected an e-mail from a sender that was using SPF macros. I tried to find out if our version of spf (2.0.0) supported SPF macros but I can't seem to find any information on that. Can someone shed some lights on this? Thanks
10s of REJECT messages multiple times a day
Hello, We have various IPs that throughout the day hammer our server attempting to deliver messages to non-existent recipients. The messages get rejected because the recipients do not exist. This results with having 30 to 100 rejected emails at a time. What is the recommended way to combat this behavior? Thanks
RE: Postgrey - whitelisting subdomains
Did you try using .dhs.gov In /usr/local/etc/postfix/postgrey_whitelist_clients.local? -Original Message- From: owner-postfix-us...@postfix.org On Behalf Of James B. Byrne Sent: Friday, November 26, 2021 2:33 PM To: postfix-us...@cloud9.net Subject: Postgrey - whitelisting subdomains I looked for a postgrey list to ask this, but the one that I found does not seem to have any archives after 2019 so I came here instead. If there is somewhere else to ask this please let me know. We use postfix with postgrey. We have a whitelist /usr/local/etc/postfix/postgrey_whitelist_clients.local According to the man page: Whitelists Whitelists allow you to specify client addresses or recipient address, for which no greylisting should be done. Per default postgrey will read the following files: /usr/local/etc/postfix/postgrey_whitelist_clients /usr/local/etc/postfix/postgrey_whitelist_clients.local /usr/local/etc/postfix/postgrey_whitelist_recipients In /usr/local/etc/postfix/postgrey_whitelist_clients.local we have dhs.gov: [root@mx31 ~]# grep dhs.gov /usr/local/etc/postfix/postgrey_whitelist_clients.local dhs.gov The problem is that postgrey grey-listed this email: Nov 26 13:43:36 mx31 postgrey[27438]: action=greylist, reason=new, client_name=mx0f-00376703.gpphosted.com, client_address=67.231.155.98, sender=aceuserserv...@cbp.dhs.gov, recipient= After a delay the send/receive pair was auto whitelisted. However, I was given to understand that domain entries in the whitelist also applied to subdomains. Also from the postgrey man page: The following can be specified for client addresses: domain.addr "domain.addr" domain and subdomains. Why was email from dhs.gov grey-listed? Have I misconfigured something? -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail Unencrypted messages have no legal claim to privacy Do NOT open attachments nor follow links sent by e-Mail James B. Byrnemailto:byrn...@harte-lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
RE: HELO and nothing else
> I am working on a spam filter and so I find myself spending a lot more > quality time with mail logs than I used to. One of the things I have noticed > is that I will get a lot of connections that send a HELO command and then > disconnect. Sometimes I get this > repeated several times a minute from the > same IP for hours on end. What is going on here? Should I block these IPs? > Am I being scanned? By what? To what end? Have you looked into the following postfix directives? smtpd_error_sleep_time = 1s smtpd_soft_error_limit = 10 smtpd_hard_error_limit = 20
Postfix relay to external and internal
Hi, I have a postfix server that acts as a relay server for several domains and relays e-mail to several external e-mail servers based on the domain. This setup has been working for years with no problems. Now I have a need to install a local mailserver (dovecot?) server on this relay server and I'm trying to figure out the best way to accomplish that. So in the end, I want to maintain the relay ability for the several domains to outside e-mail servers but I also want to be able to deliver e-mail to local mailserver with ideally virtual users. Is this possible and what would be the best way to accomplish this? Thanks a lot in advance.
RE: Add additional smtp port in postfix
> Then why don't you setup a relay using port 587 elsewhere which you login to > to send/get emails? I don't think Verizon blocks that port at all... Cause it would be easier to setup the relay to listen on 2525 in addition to port 25 rather than setting up authentication on 587. They are doing something because I can't telnet to port 25 from the Verizon to the relay server.
RE: Add additional smtp port in postfix
>The main question is, why do you need port other than 25? Cause Verizon blocks all incoming and outgoing traffic to port 25 unless it's to their SMTP servers and I have an Exchange server that needs to send/receive email through an outside relay.
Add additional smtp port in postfix
Hello all, I need to add an additional port for postfix to listen for incoming connections (port 2525). Most of the stuff I've seen on the Internet simply states to add the following in my master.cf smtp inet n - n - - smtpd 2525 inet n- n -- smtpd However, since I have postscreen enabled my #smtp inet n - n - - smtpd Line in my master.cf is commented out, so I'm thinking the config is different in my case. Can someone help with this? Thanks a lot
RE: Postfix, mailman, and aliases problem
Are you using system users or virtual users in your system? /etc/aliases are for system users in the system. You may be looking for virtual_alias_maps instead? -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of James Dore Sent: Thursday, October 26, 2017 10:17 AM To: postfix-us...@cloud9.net Subject: Postfix, mailman, and aliases problem Hi list, I recently migrated our mailman server from an old SLES 11 box to Ubuntu 16.04.3 LTS, and installed Mailman from the Ubuntu repositories along with Postfix and other prerequisites. Mailman itself is working fine, but I have a handful of regular email aliases in /etc/aliases which do not receive mail, and when examining the logs, get bounced with a “User unknown” error. What did I screw up? (I’ve checked my aliases and they’re good, and I’ve run the newaliases command numerous times). Cheers, James -- James Dore, IT Officer, New College Oxford
451 4.3.5 Server configuration error
Hello, Having a strange issue with a server. Multiple times a day I get the following errors in mail.log: 451 4.3.5 Server configuration error; from=to= proto=ESMTP helo= I also get the following email in my admin mailbox: From: Mail Delivery System Subject: Postfix SMTP server: errors from localhost[::1] To: postmas...@domain.tld Transcript of session follows. Out: 220 server.domain.tld In: ehlo server.domain.tld Out: 250- server.domain.tld Out: 250-PIPELINING Out: 250-SIZE 52428800 Out: 250-VRFY Out: 250-ETRN Out: 250-STARTTLS Out: 250-ENHANCEDSTATUSCODES Out: 250-8BITMIME Out: 250 DSN In: mail FROM: size=527 Out: 250 2.1.0 Ok In: rcpt TO: Out: 451 4.3.5 Server configuration error In: rset Out: 250 2.0.0 Ok Session aborted, reason: lost connection For other details, see the local mail logfile So, it looks like some process is trying to send email from r...@server.domain.tld to root@localhost but I don't know what process it is or how to make it stop. It doesn't seem to affect the server otherwise. Other email flows in and out as normal except for these errors. I would appreciate some insight on where to look to get this resolved. Thanks