[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Dino Edwards via Postfix-users 
>Conceptually you can. I tested it yesterday and it worked. At first I 
>encountered said phenomenon that the >mails in my inbox had no DMARC AR 
>header, but that was because the content_filter Amavis removed them. >After 
>disabling DKIM verification on the content_filter, headers looked like this:

>Authentication-Results: arcsin.de; dmarc=pass (p=quarantine dis=none) 
>header.from=arcsin.de
>Authentication-Results: arcsin.de; spf=none smtp.mailfrom=redacted
>X-Spam-Flag: NO
>X-Spam-Score: -1.142
>X-Spam-Level: 
>X-Spam-Status: No, score=-1.142 tagged_above=-100 required=6.31
 >tests=[...redacted...]
 >autolearn=unavailable autolearn_force=no
>Authentication-Results: arcsin.de (amavis); dkim=pass (2048-bit key)
 >header.d=arcsin.de

>OpenDKIM was not involved here.

So as per your previous post, setting a policy such as this one would do the 
trick?

/etc/postfix/main.cf:

content_filter = amavis:[127.0.0.1]:10021

/etc/amavis/conf.d/50-user:

$interface_policy{'10021'} = 'DISABLEDKIM';

$policy_bank{'DISABLEDKIM'} = { 

   enable_dkim_verification => 0

};

 

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-15 Thread Dino Edwards via Postfix-users 
>That's what Dino is trying to do. Make amavis-over-milter add an DKIM 
>AR-header, then make OpenDMARC evaluate DMARC using that header. It may be 
>true that SpamAssassin 4 has a DMARC test, but Amavis >does not use such test 
>hit for a policy enforcement.

>Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not for 
>DMARC policy enforcement.

This question has stirred up a lot of answers but if I’m understanding 
correctly, it looks like I cannot use opendmarc with amavisd in postfix as a 
pre-queue filter for dkim. The only viable option is opendkim with opendmarc as 
pre-queue milters like I was originally doing.

 

 

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Dino Edwards via Postfix-users 



-Original Message-
From: Matus UHLAR - fantomas via Postfix-users  
Sent: Tuesday, November 14, 2023 8:04 AM
To: postfix-users@postfix.org
Subject: [pfx] Re: Postfix, Amavis DKIM and DMARC

>this does not make sense unless you use it somewhere.

Can you elaborate?

>what do logs say?

Logs don't say anything. There are simply no entries for opendmarc going
anything, i.e. opendmarc does not get called thus no logs.




___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Dino Edwards via Postfix-users 
By “getting skipped” I mean I have no logs of opendmarc doing anything. I don’t 
understand how I would disable dkim in my content_filter policy. Dkim 
verification is either enabled or disabled in Amavis unless I’m not 
understanding what you mean.

 

 

 

From: Damian via Postfix-users  
Sent: Tuesday, November 14, 2023 9:13 AM
To: postfix-users@postfix.org
Subject: [pfx] Re: Postfix, Amavis DKIM and DMARC

 

I tried this config but sadly it doesn’t work, OpenDMARC (127.0.0.1:54321) gets 
skipped completely

If "getting skipped" means that you don't see Authentication-Results for DMARC, 
I have a feeling that you didn't disable DKIM verification on your 
content_filter Interface Policy. Amavis will remove all such headers that match 
your AuthservID.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Dino Edwards via Postfix-users 
Hello,

 

I have been using OpenDKIM and OpenDMARC as smtpd_milters in Postfix and
Amavis as a content filter. I'm trying to replace OpenDKIM with Amavis for
DKIM verify and signing. The problem is that since Amavis is setup as an
after-queue content_filter and OpenDMARC is a pre-queue smptd_milter in
postfix OpenDMARC never sees the authentication headers and it's always
failing DKIM checks. So I need to setup Amavis as a pre-queue milter before
OpenDMARC in order to get this to work. I tried this config but sadly it
doesn't work, OpenDMARC (127.0.0.1:54321) gets skipped completely:

 

milter_amavis = unix:/var/spool/postfix/amavis/amavis.sock

milter_connect_macros = "j {client_name} {daemon_name} v _"

smtpd_milters =
unix:/var/spool/postfix/amavis/amavis.sock,inet:127.0.0.1:54321

non_smtpd_milters = $smtpd_milters

 

I posted in the Amavis mailing list but it wasn't helpful and they suggested
I post in the Postfix mailing list since the original author of amavisd
seems to lurk in here.

 

I would appreciate some assistance.

 

Thanks

 

 

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Re: Filter mail with dangerous attachments

2022-12-14 Thread Dino Edwards 
Normally you would use a content filter like Amavis along side postfix accomplish this. From: Tan Mientras Sent: Wednesday, December 14, 2022 9:22 AMTo: postfix-us...@cloud9.netSubject: Filter mail with dangerous attachmentsHello Excuse my generic question, but I dont know where to startIs it possible to filter/detect/forbid mails containing invoice.exe as attachment at postfix level?Thanks

RE: Postscreen DNSBL do not seem to be working

2022-08-09 Thread Dino Edwards 


>It's absolutely not forwarding. It's resolving recursively. I'm using
unbound with pfsense and I'm suspecting there is something wrong with it.
>When I point to MS DNS server or 9.9.9.9, it's resolving correctly. 

The issue has been resolved. Just in case someone finds the solution useful,
pfsense by default has rebind protection enabled which disables DNS
responses using rfc1918. So disabling rebinding DNS protection in pfsense is
the solution.

Thanks for the help that pointed me in the right direction.

RE: Postscreen DNSBL do not seem to be working

2022-08-09 Thread Dino Edwards 


>In any case, the OP may well be using a local resolver, but they didn't say
whether it's resolving recursively or forwarding (e.g. to 8.8.8.8), and I'd
bet it's the latter.

It's absolutely not forwarding. It's resolving recursively. I'm using
unbound with pfsense and I'm suspecting there is something wrong with it.
When I point to MS DNS server or 9.9.9.9, it's resolving correctly.

RE: postfix-policyd-spf-python

2022-05-15 Thread Dino Edwards 



-Original Message-
From: owner-postfix-us...@postfix.org <> On Behalf Of Matus UHLAR - fantomas

>perhaps a but I don't see

So you agree, it should be passing but it's not for some reason.

Re: postfix-policyd-spf-python

2022-05-13 Thread Dino Edwards 




On 5/13/2022 9:41 AM, Matus UHLAR - fantomas wrote:

perhaps you can post logs? local part of mail address may be censored...


Sure.

NOQUEUE: reject: RCPT from 
smtp15-ia5-sp1.mta.salesforce.com[13.110.78.238]: 550 5.7.23 : Recipient 
address rejected: Message rejected due to: SPF fail - not authorized. 
Please see 
http://www.openspf.net/Why?s=mfrom;id=oemcustomerc...@acuitybrands.com;ip=13.110.78.238;r=; 
from= to= proto=ESMTP helo=


Thanks

postfix-policyd-spf-python

2022-05-12 Thread Dino Edwards 
Hi,

Not sure if this is the right place to post the question concerning 
postfix-policyd-spf-python but I can't seem to find any working links for the 
openspf project.

Our postfix-policyd-spf-python server recently rejected an e-mail from a sender 
that was using SPF macros. I tried to find out if our version of spf (2.0.0) 
supported SPF macros but I can't seem to find any information on that. Can 
someone shed some lights on this?

Thanks

10s of REJECT messages multiple times a day

2022-04-14 Thread Dino Edwards 
Hello,

We have various IPs that throughout the day hammer our server attempting to 
deliver messages to non-existent recipients. The messages get rejected because 
the recipients do not exist. This results with having 30 to 100 rejected emails 
at a time. What is the recommended way to combat this behavior?

Thanks

RE: Postgrey - whitelisting subdomains

2021-11-26 Thread Dino Edwards 
Did you try using

.dhs.gov

In /usr/local/etc/postfix/postgrey_whitelist_clients.local?



-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of James B. Byrne
Sent: Friday, November 26, 2021 2:33 PM
To: postfix-us...@cloud9.net
Subject: Postgrey - whitelisting subdomains

I looked for a postgrey list to ask this, but the one that I found does not 
seem to have any archives after 2019 so I came here instead.  If there is 
somewhere else to ask this please let me know.

We use postfix with postgrey.  We have a whitelist 
/usr/local/etc/postfix/postgrey_whitelist_clients.local

According to the man page:

   Whitelists
   Whitelists allow you to specify client addresses or recipient address,
   for which no greylisting should be done. Per default postgrey will read
   the following files:

/usr/local/etc/postfix/postgrey_whitelist_clients
/usr/local/etc/postfix/postgrey_whitelist_clients.local
/usr/local/etc/postfix/postgrey_whitelist_recipients


In /usr/local/etc/postfix/postgrey_whitelist_clients.local we have dhs.gov:

[root@mx31 ~]# grep dhs.gov
/usr/local/etc/postfix/postgrey_whitelist_clients.local

dhs.gov

The problem is that postgrey grey-listed this email:

Nov 26 13:43:36 mx31 postgrey[27438]: action=greylist, reason=new, 
client_name=mx0f-00376703.gpphosted.com, client_address=67.231.155.98, 
sender=aceuserserv...@cbp.dhs.gov, recipient=


After a delay the send/receive pair was auto whitelisted.  However, I was given 
to understand that domain entries in the whitelist also applied to subdomains.

Also from the postgrey man page:

   The following can be specified for client addresses:

   domain.addr
 "domain.addr" domain and subdomains.

Why was email from dhs.gov grey-listed?  Have I misconfigured something?


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy  Do NOT open attachments 
nor follow links sent by e-Mail

James B. Byrnemailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3

RE: HELO and nothing else

2021-02-11 Thread Dino Edwards 


> I am working on a spam filter and so I find myself spending a lot more 
> quality time with mail logs than I used to.  One of the things I have noticed 
> is that I will get a lot of connections that send a HELO command and then 
> disconnect.  Sometimes I get this > repeated several times a minute from the 
> same IP for hours on end.  What is going on here?  Should I block these IPs?  
> Am I being scanned?  By what?  To what end?

Have you looked into the following postfix directives?

smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

Postfix relay to external and internal

2020-05-29 Thread Dino Edwards 
Hi,

I have a postfix server that acts as a relay server for several domains and 
relays e-mail to several external e-mail servers based on the domain. This 
setup has been working for years with no problems. Now I have a need to install 
a local mailserver (dovecot?) server on this relay server and I'm trying to 
figure out the best way to accomplish that. So in the end, I want to maintain 
the relay ability for the several domains to outside e-mail servers but I also 
want to be able to deliver e-mail to local mailserver with ideally virtual 
users.

Is this possible and what would be the best way to accomplish this?

Thanks a lot in advance.

RE: Add additional smtp port in postfix

2018-02-17 Thread Dino Edwards 

> Then why don't you setup a relay using port 587 elsewhere which you login to 
> to send/get emails?  I don't think Verizon blocks that port at all...

Cause it would be easier to setup the relay to listen on 2525 in addition to 
port 25 rather than setting up authentication on 587. They are doing something 
because I can't telnet to port 25 from the Verizon to the relay server.

RE: Add additional smtp port in postfix

2018-02-17 Thread Dino Edwards 

>The main question is, why do you need port other than 25?

Cause Verizon blocks all incoming and outgoing traffic to port 25 unless it's 
to their SMTP servers and I have an Exchange server that needs to send/receive 
email through an outside relay.

Add additional smtp port in postfix

2018-02-17 Thread Dino Edwards 
Hello all,

I need to add an additional port for postfix to listen for incoming connections 
(port 2525). Most of the stuff I've seen on the Internet simply states to add 
the following in my master.cf

smtp  inet  n   -   n   -   -   smtpd
2525   inet n-   n  --   smtpd

However, since I have postscreen enabled my

#smtp  inet  n   -   n   -   -   smtpd

Line in my master.cf is commented out, so I'm thinking the config is different 
in my case. Can someone help with this?

Thanks a lot

RE: Postfix, mailman, and aliases problem

2017-10-26 Thread Dino Edwards 
Are you using system users or virtual users in your system? /etc/aliases are 
for system users in the system. You may be looking for virtual_alias_maps 
instead?



-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of James Dore
Sent: Thursday, October 26, 2017 10:17 AM
To: postfix-us...@cloud9.net
Subject: Postfix, mailman, and aliases problem

Hi list,

I recently migrated our mailman server from an old SLES 11 box to Ubuntu 
16.04.3 LTS, and installed Mailman from the Ubuntu repositories along with 
Postfix and other prerequisites. Mailman itself is working fine, but I have a 
handful of regular email aliases in /etc/aliases which do not receive mail, and 
when examining the logs, get bounced with a “User unknown” error. What did I 
screw up?

(I’ve checked my aliases and they’re good, and I’ve run the newaliases command 
numerous times).

Cheers,
James

-- 
James Dore,
IT Officer, 
New College Oxford

451 4.3.5 Server configuration error

2017-08-06 Thread Dino Edwards 
Hello,

Having a strange issue with a server. Multiple times a day I get the following 
errors in mail.log:

451 4.3.5 Server configuration error; from= 
to= proto=ESMTP helo=

I also get the following email in my admin mailbox:

From: Mail Delivery System 
Subject: Postfix SMTP server: errors from localhost[::1]
To: postmas...@domain.tld 

Transcript of session follows.

 Out: 220 server.domain.tld 
 In:  ehlo server.domain.tld
 Out: 250- server.domain.tld
 Out: 250-PIPELINING
 Out: 250-SIZE 52428800
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  mail FROM: size=527
 Out: 250 2.1.0 Ok
 In:  rcpt TO:
 Out: 451 4.3.5 Server configuration error
 In:  rset
 Out: 250 2.0.0 Ok

Session aborted, reason: lost connection

For other details, see the local mail logfile

So, it looks like some process is trying to send email from 
r...@server.domain.tld to root@localhost but I don't know what process it is or 
how to make it stop.

It doesn't seem to affect the server otherwise. Other email flows in and out as 
normal except for these errors.

I would appreciate some insight on where to look to get this resolved.

Thanks