[pfx] Re: managesieve filter not working

2024-06-04 Thread John Fawcett via Postfix-users


On 04/06/2024 11:18, Celal.Dikici via Postfix-users wrote:

Hello,
For the e-mail infrastructure we use roundcube 1.6.6, postfix 3.7.10 and 
dovecot 2.3.19.1 installed on debian 12.05. We use the larry theme as 
the interface. We use the managesieve plugin for filtering. I have 
extracted some configurations below. Although the services are working 
properly, the filtering rules are not working. Although I have 
activated the Sieve logs, no negative logs are being sent. It is as if 
postfix/dovecot is not talking to managesieve. I wonder where I am 
going wrong?

Thank you for your help.


Hi Celal

This is not a Postfix issue. You will probably find more help about 
sieve on the dovecot mailing list. Postfix itself does not have any 
direct interaction with managesieve or with the sieve script interpreter.


I assume that you are using lmtp protocol to deliver email from postfix 
to dovecot. If that's the case then I guess you are missing the 
following dovecot setting for lmtp.


mail_plugins = $mail_plugins sieve

I'd also suggest checking which of your sieve scripts is active and 
therefore supposed to be running during mail delivery. The active one is 
pointed to by a link in the mail directory named dovecot.sieve.


John



___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Masters.cf

2024-06-01 Thread John Fawcett via Postfix-users
Sorry for following up on my own post, but I want to correct the record. 
Please disregard my previous email. I realize now I made a blunder 
during the analysis, since I was working on two similar questions, one 
unrelated to postfix, and I mixed up the data sets without realizing it. 
Sorry for the noise.


What I should have posted is that for postfix and xbl for the submission 
service, if I take the last 30 days of data, xbl blocked 100% of probes on 
24 out of 30 days. When probes do get through they tend to make quite a few 
attempts at authenticating, often from the same IP address, so adding 
fail2ban on top has the potential (in my case) to bring the blocking to 
near 100%. The probes that get through generally seem low risk since 
they mainly, but not always, are for random and nonexistent users.


One thing to bear in mind is that the number of probes explicitly 
blocked by xbl as evidenced by the logs may be lower than the number of 
probes being avoided by using it. This would be the case if the probe 
scripts have an adaptive behaviour, increasing the probes where they 
start getting real responses to AUTH and backing off if they get 
disconnected before AUTH.


John

On 29/05/2024 17:46, John Fawcett via Postfix-users wrote:



On 29/05/2024 14:07, Viktor Dukhovni via Postfix-users wrote:

On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:


The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.


    465        inet  n   -   n   -   -   smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      ...

    submission inet  n   -   n   -   -   smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Works like a charm.

  1   SASL authentication failed ---

Only one.

Perhaps a bit of luck?  For me, the XBL only catches around 10% of the
SASL probes.  May your luck hold up.


The majority of the probes I see that are not stopped by XBL are 
relatively harmless and don't get to try the AUTH command. They mainly 
come from IPs that repeat in a short space of time (where potentially 
fail2ban could be used) and


  * fail in the starttls for protocol or cipher issues
  * disconnect without issuing starttls so never get to the AUTH command
  * try issuing AUTH without starttls so get disconnected for too many
    invalid commands

The cases I have where AUTH has been tried and failed are relatively 
few. They mainly come from fast-varying IPs so fail2ban is not that 
useful unless I want to start banning based on a single probe. They 
usually appear to target specific existing users.


John



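As an added illustration of the probe categories John describes (this is not code from the thread or from Postfix), the Python script below pairs each CONNECT-stage DNSBL reject with the session's disconnect summary via the smtpd pid, classifies every other session by how far the probe got (STARTTLS failed, no STARTTLS, AUTH without STARTTLS, AUTH failed), and reports which unblocked IPs repeat, which is the set a fail2ban rule could act on. The log lines, hostnames and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread) in the shapes Postfix smtpd logs for
# the submission and smtps services: an XBL reject at CONNECT, a failed AUTH after
# STARTTLS, one IP that first drops without STARTTLS and then sends AUTH without it,
# a broken TLS handshake, a failed AUTH on wrapper-mode smtps, and one real login.
SAMPLE_LOG = """\
May 28 21:50:01 mx postfix/submission/smtpd[1001]: NOQUEUE: reject: CONNECT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/192.0.2.10; proto=SMTP
May 28 21:50:01 mx postfix/submission/smtpd[1001]: disconnect from unknown[192.0.2.10] ehlo=0/1 commands=0/1
May 28 21:51:51 mx postfix/submission/smtpd[1002]: warning: unknown[192.0.2.20]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=alice@example.com
May 28 21:51:51 mx postfix/submission/smtpd[1002]: disconnect from unknown[192.0.2.20] ehlo=2 starttls=1 auth=0/1 commands=3/4
May 28 21:52:00 mx postfix/submission/smtpd[1003]: disconnect from unknown[192.0.2.30] ehlo=1 commands=1
May 28 21:52:05 mx postfix/submission/smtpd[1004]: disconnect from unknown[192.0.2.30] ehlo=1 auth=0/2 commands=1/3
May 28 21:53:00 mx postfix/submission/smtpd[1005]: disconnect from unknown[192.0.2.40] ehlo=1 starttls=0/1 commands=1/2
May 28 21:54:02 mx postfix/smtps/smtpd[1006]: disconnect from unknown[192.0.2.50] ehlo=1 auth=0/1 commands=2/3
May 28 21:55:03 mx postfix/submission/smtpd[1007]: disconnect from laptop.example.net[192.0.2.60] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
May 28 21:56:00 mx postfix/smtps/smtpd[1008]: NOQUEUE: reject: CONNECT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/192.0.2.10 / Listed by CSS, see https://check.spamhaus.org/query/ip/192.0.2.10; proto=SMTP
May 28 21:56:00 mx postfix/smtps/smtpd[1008]: disconnect from unknown[192.0.2.10] commands=0/0
"""

# Postfix logs as postfix/smtpd or, with a per-service syslog_name, postfix/<svc>/smtpd.
REJECT_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: CONNECT from [^\s\[]+\[(?P<ip>[^\]]+)\]:"
    r".*blocked using [^\s;]+;")
DISCONNECT_RE = re.compile(
    r"postfix/(?:(?P<service>[^/\s]+)/)?smtpd\[(?P<pid>\d+)\]: disconnect from "
    r"[^\s\[]+\[(?P<ip>[^\]]+)\](?P<summary>(?:\s+\w+=\d+(?:/\d+)?)*)\s*$")
LISTED_RE = re.compile(r"Listed by (\w+)")


def parse_summary(summary):
    """'ehlo=2 starttls=1 auth=0/1 commands=3/4' -> {'ehlo': (2, 2), ..., 'auth': (0, 1)}.
    Postfix logs ok/total when some attempts failed and a bare number when all succeeded."""
    counts = {}
    for item in summary.split():
        key, value = item.split("=", 1)
        ok, _, total = value.partition("/")
        counts[key] = (int(ok), int(total or ok))
    return counts


def classify(service, counts, rbl_hit):
    """Map one session to the stage it reached, using the categories from the thread."""
    if rbl_hit:
        return "rbl_blocked"
    tls_ok, tls_tried = counts.get("starttls", (0, 0))
    if service == "smtps":
        tls_ok = tls_tried = 1  # wrapper-mode TLS: the handshake precedes every command
    auth_ok, auth_tried = counts.get("auth", (0, 0))
    if tls_tried and not tls_ok:
        return "starttls_failed"
    if not tls_tried:
        # AUTH before STARTTLS is refused on a smtpd_tls_auth_only service and only
        # burns the client's error budget; no credential is ever checked.
        return "auth_without_starttls" if auth_tried else "no_starttls"
    if auth_tried and not auth_ok:
        return "auth_failed"
    return "auth_ok" if auth_ok else "tls_only"


def analyse(log_text):
    """Pair CONNECT-stage DNSBL rejects with the disconnect summary of the same smtpd
    pid, classify every session, and return counts plus the repeat-offender IPs."""
    rbl_hits = {}   # smtpd pid -> DNSBL sub-lists named in the reject, for open sessions
    sessions = []   # (client ip, category, sub-lists)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rbl_hits[m.group("pid")] = LISTED_RE.findall(line)
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        lists = rbl_hits.pop(m.group("pid"), None)
        category = classify(m.group("service") or "smtpd",
                            parse_summary(m.group("summary")), lists is not None)
        sessions.append((m.group("ip"), category, lists or []))
    by_category = Counter(cat for _, cat, _ in sessions)
    probes = [(ip, cat) for ip, cat, _ in sessions if cat not in ("auth_ok", "tls_only")]
    # IPs that got past the DNSBL more than once are the ones a fail2ban rule could catch.
    unblocked = Counter(ip for ip, cat in probes if cat != "rbl_blocked")
    return {
        "sessions": len(sessions),
        "by_category": dict(by_category),
        "rbl_lists": dict(Counter(name for _, _, lists in sessions for name in lists)),
        "rbl_share_of_probes": by_category["rbl_blocked"] / len(probes) if probes else 0.0,
        "repeat_unblocked_ips": {ip: n for ip, n in unblocked.items() if n > 1},
    }
```

Run `analyse(open("/var/log/mail.log").read())` against a real log to get the same breakdown John computed by hand.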


[pfx] Re: Masters.cf

2024-05-29 Thread John Fawcett via Postfix-users


On 29/05/2024 14:07, Viktor Dukhovni via Postfix-users wrote:

On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:


The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.


    465        inet  n   -   n   -   -   smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      ...

    submission inet  n   -   n   -   -   smtpd
      -o smtpd_delay_reject=no
      -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
      -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Works like a charm.

  1   SASL authentication failed ---

Only one.

Perhaps a bit of luck?  For me, the XBL only catches around 10% of the
SASL probes.  May your luck hold up.


The majority of the probes I see that are not stopped by XBL are 
relatively harmless and don't get to try the AUTH command. They mainly 
come from IPs that repeat in a short space of time (where potentially 
fail2ban could be used) and


 * fail in the starttls for protocol or cipher issues
 * disconnect without issuing starttls so never get to the AUTH command
 * try issuing AUTH without starttls so get disconnected for too many
   invalid commands

The cases I have where AUTH has been tried and failed are relatively 
few. They mainly come from fast-varying IPs so fail2ban is not that 
useful unless I want to start banning based on a single probe. They 
usually appear to target specific existing users.


John



[pfx] Re: Masters.cf

2024-05-29 Thread John Hill via Postfix-users


On 5/29/24 8:31 AM, Benny Pedersen via Postfix-users wrote:

Viktor Dukhovni via Postfix-users skrev den 2024-05-29 14:07:


Perhaps a bit of luck?  For me, the XBL only catches around 10% of the
SASL probes.  May your luck hold up.


https://www.abuseipdb.com/user/139902 endless tries :)

all of zen.spamhaus.org should be used as an authbl, but not pbl 127.0.0.10 
and 127.0.0.11





I'll fix this

thanks

--john



[pfx] Re: Masters.cf

2024-05-29 Thread John Hill via Postfix-users


On 5/28/24 10:15 PM, John Hill via Postfix-users wrote:


On 5/28/24 10:11 PM, Viktor Dukhovni via Postfix-users wrote:
On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via 
Postfix-users wrote:



You might in fact want to reject XBL IPs early, before they even
attempt authentication.  So I have:

 465        inet  n   -   n   -   - smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  ...

 submission inet  n   -   n   -   - smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject



Example logs showing early enforcement for the above:

 postfix/smtps/smtpd[3583655]: connect from unknown[115.44.140.188]
 postfix/smtps/smtpd[3583655]: Anonymous TLS connection established from unknown[115.44.140.188]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 postfix/smtps/smtpd[3583655]: NOQUEUE: reject: CONNECT from unknown[115.44.140.188]: 554 5.7.1 Service unavailable; Client host [115.44.140.188] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/115.44.140.188 / Listed by CSS, see https://check.spamhaus.org/query/ip/115.44.140.188; proto=SMTP
 postfix/smtps/smtpd[3583655]: lost connection after CONNECT from unknown[115.44.140.188]
 postfix/smtps/smtpd[3583655]: disconnect from unknown[115.44.140.188] commands=0/0

 postfix/submission/smtpd[3583513]: connect from burger.census.shodan.io[66.240.219.146]
 postfix/submission/smtpd[3583513]: NOQUEUE: reject: CONNECT from burger.census.shodan.io[66.240.219.146]: 554 5.7.1 Service unavailable; Client host [66.240.219.146] blocked using zen.spamhaus.org; Listed by CSS, see https://check.spamhaus.org/query/ip/66.240.219.146 / Listed by XBL, see https://check.spamhaus.org/query/ip/66.240.219.146; proto=SMTP
 postfix/submission/smtpd[3583513]: lost connection after CONNECT from burger.census.shodan.io[66.240.219.146]
 postfix/submission/smtpd[3583513]: disconnect from burger.census.shodan.io[66.240.219.146] ehlo=0/1 commands=0/1


The wrapper-mode TLS "smtps" rejects are naturally after the TLS 
handshake.




   465        inet  n   -   n   -   -   smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...

   submission inet  n   -   n   -   -   smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject


All set up this way.
I will let it run overnight and see what hits.

Thank you
--john


Works like a charm.

 1   SASL authentication failed ---

Only one.

Thanks everyone for putting up with me!!

--john






[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 10:11 PM, Viktor Dukhovni via Postfix-users wrote:

On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via Postfix-users 
wrote:


You might in fact want to reject XBL IPs early, before they even
attempt authentication.  So I have:

 465        inet  n   -   n   -   -   smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  ...

 submission inet  n   -   n   -   -   smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject


Example logs showing early enforcement for the above:

 postfix/smtps/smtpd[3583655]: connect from unknown[115.44.140.188]
 postfix/smtps/smtpd[3583655]: Anonymous TLS connection established from unknown[115.44.140.188]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
 postfix/smtps/smtpd[3583655]: NOQUEUE: reject: CONNECT from unknown[115.44.140.188]: 554 5.7.1 Service unavailable; Client host [115.44.140.188] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/115.44.140.188 / Listed by CSS, see https://check.spamhaus.org/query/ip/115.44.140.188; proto=SMTP
 postfix/smtps/smtpd[3583655]: lost connection after CONNECT from unknown[115.44.140.188]
 postfix/smtps/smtpd[3583655]: disconnect from unknown[115.44.140.188] commands=0/0

 postfix/submission/smtpd[3583513]: connect from burger.census.shodan.io[66.240.219.146]
 postfix/submission/smtpd[3583513]: NOQUEUE: reject: CONNECT from burger.census.shodan.io[66.240.219.146]: 554 5.7.1 Service unavailable; Client host [66.240.219.146] blocked using zen.spamhaus.org; Listed by CSS, see https://check.spamhaus.org/query/ip/66.240.219.146 / Listed by XBL, see https://check.spamhaus.org/query/ip/66.240.219.146; proto=SMTP
 postfix/submission/smtpd[3583513]: lost connection after CONNECT from burger.census.shodan.io[66.240.219.146]
 postfix/submission/smtpd[3583513]: disconnect from burger.census.shodan.io[66.240.219.146] ehlo=0/1 commands=0/1

The wrapper-mode TLS "smtps" rejects are naturally after the TLS handshake.



   465        inet  n   -   n   -   -   smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    ...

   submission inet  n   -   n   -   -   smtpd
    -o smtpd_delay_reject=no
    -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
    -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Thank you
--john



[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 9:58 PM, Viktor Dukhovni via Postfix-users wrote:

On Tue, May 28, 2024 at 09:32:29PM -0400, John Hill via Postfix-users wrote:


On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:

-o { smtpd_recipient_restrictions =
  reject_rbl_client zen.spamhaus.org=127.0.0.4,
  reject_sender_login_mismatch,
  permit_sasl_authenticated,
  reject }


I had experimented and came close to this.

I will use it.

Question, as I use zen 127.0.0.[2..11] on port 25

This includes the PBL, covering much of the "dynamic" ISP consumer
address space, including homes, hotels, airports, ...  You probably
don't want to block these.  The XBL (127.0.0.4) is a conservative
choice.  You might in fact want to reject XBL IPs early, before they
even attempt authentication.  So I have:

 465        inet  n   -   n   -   -   smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  ...

 submission inet  n   -   n   -   -   smtpd
  -o smtpd_delay_reject=no
  -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

(The "permit_mynetworks" is for a couple of machine-to-machine submission use 
cases).



Mail all works but I still can't block these SASL attempts.

I use fail2ban to throw them into an SASL ass holes list.

Every number I check is listed in XBL PBL on Spamhaus

But it is not trying to check.


  -o { smtpd_recipient_restrictions =
       reject_rbl_client zen.spamhaus.org=127.0.0.4,
       reject_sender_login_mismatch,
       permit_sasl_authenticated,
       reject }


May 28 21:51:43 proteus.noach.com postfix/submission/smtpd[768476]: connect from unknown[136.41.160.87]
May 28 21:51:44 proteus.noach.com postfix/submission/smtpd[768476]: discarding EHLO keywords: CHUNKING
May 28 21:51:46 proteus.noach.com postfix/submission/smtpd[768476]: Anonymous TLS connection established from unknown[136.41.160.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 28 21:51:46 proteus.noach.com postfix/submission/smtpd[768476]: discarding EHLO keywords: CHUNKING
May 28 21:51:51 proteus.noach.com postfix/submission/smtpd[768476]: warning: unknown[136.41.160.87]: SASL LOGIN authentication failed: (reason unavailable), sasl_username=clpow...@noach.com
May 28 21:51:51 proteus.noach.com postfix/submission/smtpd[768476]: too many errors after AUTH from unknown[136.41.160.87]
May 28 21:51:51 proteus.noach.com postfix/submission/smtpd[768476]: disconnect from unknown[136.41.160.87] ehlo=2 starttls=1 auth=0/1 commands=3/4



Thanks

--john



[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:

   -o { smtpd_recipient_restrictions =
        reject_rbl_client zen.spamhaus.org=127.0.0.4,
        reject_sender_login_mismatch,
        permit_sasl_authenticated,
        reject }



I had experimented and came close to this.

I will use it.

Question, as I use zen 127.0.0.[2..11] on port 25

I have only 10 users that should have access to port 587.

Why not use zen 127.0.0.[2..11] there as well?


Thanks

--john



[pfx] Re: Masters.cf

2024-05-28 Thread John Fawcett via Postfix-users


On 29/05/2024 02:18, John Hill via Postfix-users wrote:


On 5/28/24 8:10 PM, John Hill via Postfix-users wrote:


On 5/28/24 8:00 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" 
and try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the 
log says, a *Sender* stage failure. I don't see an XBL hit (which 
makes sense, given the private client address) or anything 
indicating a failure at the EHLO or client phases. I see from 
earlier in the thread that you have smtpd_sender_login_maps set and 
"Email blocked by security policy" seems like something you might 
get from that lookup failing. The session summary shows that you did 
authenticate but I see no indication of what your SASL login was. I 
suspect that if you perform a query on your database for the sender 
'jh...@noach.com' it will not return whatever login you 
authenticated as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 
restriction lists and you hence never needing to authenticate, but 
the session summary says otherwise. Note that if all of your 
submission clients use authentication, permit_my_networks is 
unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to 
harmonize the login used for authentication in Thunderbird with that 
in your sender login map database.


Yes close, I'll figure it out, trial and error!


Thanks

--john

this worked - I think
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject



I added an = after reject_rbl_client=



--john

I doubt it. By the time smtpd_recipient_restrictions is evaluated there 
is the possibility that AUTH attempts have already been allowed. Benny's 
suggestion elsewhere in this thread looks correct to me (substituting 
his rbl with zen and return code 127.0.0.4).


John



[pfx] Re: Masters.cf

2024-05-28 Thread John Fawcett via Postfix-users


On 29/05/2024 01:11, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 18:50:11 UTC-0400 (Wed, 29 May 2024 00:50:11 +0200)
John Fawcett via Postfix-users 
is rumored to have said:

[...]

Hi John

I think you are missing the following in master.cf for the submission 
service


-o smtpd_delay_reject=no

Without that the smtpd_client_restrictions will not be evaluated when 
the client connects and so you will allow the connected client to try 
authentication.


That is not what is happening here. The order of restrictions within 
the same restriction list matters, and Postfix is careful about logic. 
If you put permit_sasl_authenticated ahead of reject_rbl_client, the 
permit must be able to take effect without evaluating the reject 
condition. That demands allowing as many AUTH commands as your other 
config will allow to fail.



Hi Bill

You're right that the order matters and the reject_rbl_client should be 
the first restriction in smtpd_client_restrictions for the submission 
service. Actually it is probably the only one that is really needed.


I may be wrong but I don't believe that specifying 
permit_sasl_authenticated influences behaviour in allowing AUTH 
attempts. I believe it will just evaluate to permitting the access if at 
the time of the evaluation the user is authenticated.


John



[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 8:10 PM, John Hill via Postfix-users wrote:


On 5/28/24 8:00 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the 
log says, a *Sender* stage failure. I don't see an XBL hit (which 
makes sense, given the private client address) or anything indicating 
a failure at the EHLO or client phases. I see from earlier in the 
thread that you have smtpd_sender_login_maps set and "Email blocked 
by security policy" seems like something you might get from that 
lookup failing. The session summary shows that you did authenticate 
but I see no indication of what your SASL login was. I suspect that 
if you perform a query on your database for the sender 
'jh...@noach.com' it will not return whatever login you authenticated 
as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 
restriction lists and you hence never needing to authenticate, but 
the session summary says otherwise. Note that if all of your 
submission clients use authentication, permit_my_networks is 
unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to 
harmonize the login used for authentication in Thunderbird with that 
in your sender login map database.


Yes close, I'll figure it out, trial and error!


Thanks

--john

this worked - I think
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject



I added an = after reject_rbl_client=



--john




[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 8:00 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:18:10 UTC-0400 (Tue, 28 May 2024 19:18:10 -0400)
John Hill via Postfix-users 
is rumored to have said:
[...

On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:

[...]

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6


It's not something in smtpd_sender_restrictions, but this is as the 
log says, a *Sender* stage failure. I don't see an XBL hit (which 
makes sense, given the private client address) or anything indicating 
a failure at the EHLO or client phases. I see from earlier in the 
thread that you have smtpd_sender_login_maps set and "Email blocked by 
security policy" seems like something you might get from that lookup 
failing. The session summary shows that you did authenticate but I see 
no indication of what your SASL login was. I suspect that if you 
perform a query on your database for the sender 'jh...@noach.com' it 
will not return whatever login you authenticated as.
I also thought for a moment that the problem was due to having 
'permit_my_networks' before 'permit_sasl_authenticated' in 2 
restriction lists and you hence never needing to authenticate, but the 
session summary says otherwise. Note that if all of your submission 
clients use authentication, permit_my_networks is unnecessary.


I do not have a solution handy for you, but you have at least gotten 
beyond the XBL issue. It seems possible that you only need to 
harmonize the login used for authentication in Thunderbird with that 
in your sender login map database.


Yes close, I'll figure it out, trial and error!


Thanks

--john




[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 7:18 PM, John Hill via Postfix-users wrote:


On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:


On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client xbl.spamhaus.org=127.0.0.4,permit_sasl_authenticated,reject }



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by 
security policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6



Dovecot log

May 28 19:00:45 proteus.noach.com dovecot[504384]: lmtp(504721): Connect from local
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth: Error: auth-worker: Aborted PASSL request for jh...@noach.com: Lookup timed out
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Error: sqlpool(mysql): Finished query 'SELECT email as user, password FROM virtual_users where email='jhill@noach.com';' in 60006 msecs: Query timed out (no free connections for 60 secs)
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Error: conn unix:auth-worker (pid=504400,uid=109): auth-worker<1>: sql(jh...@noach.com): Password query failed: Not connected to database
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth-worker(504414): Warning: conn unix:auth-worker (pid=504400,uid=109): Auth master disconnected us while handling request for jh...@noach.com for 60 secs (result=FAIL)
May 28 19:00:58 proteus.noach.com dovecot[504384]: auth: Error: auth-worker: Auth request was queued for 55 seconds, 2 left in queue (see auth_worker_max_count)



___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org



[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 7:13 PM, Bill Cole via Postfix-users wrote:

On 2024-05-28 at 19:04:37 UTC-0400 (Tue, 28 May 2024 19:04:37 -0400)
John Hill via Postfix-users 
is rumored to have said:


On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject }



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by security 
policy.
Please check the message recipient "postfix-users@postfix.org" and 
try again.


What does the log say about that attempt?

I believe that specific text indicates a problem in 
smtpd_sender_restrictions.


May 28 19:02:04 proteus.noach.com opendmarc[504352]: ignoring connection from gibson.noach.com
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: Anonymous TLS connection established from gibson.noach.com[192.168.200.253]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
May 28 19:02:04 proteus.noach.com postfix/submission/smtpd[504893]: discarding EHLO keywords: CHUNKING
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: NOQUEUE: reject: RCPT from gibson.noach.com[192.168.200.253]: 554 5.7.1 : Sender address rejected: Email blocked by security policy; from= to= proto=ESMTP helo=<[192.168.200.253]>
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: too many errors after RCPT from gibson.noach.com[192.168.200.253]
May 28 19:02:09 proteus.noach.com postfix/submission/smtpd[504893]: disconnect from gibson.noach.com[192.168.200.253] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6





[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 6:54 PM, Bill Cole via Postfix-users wrote:
-o { smtpd_client_restrictions=permit_mynetworks,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4,permit_sasl_authenticated,reject } 



tried to respond

Sending of the message failed.
An error occurred while sending mail. The mail server responded:
: Sender address rejected: Email blocked by security 
policy.
Please check the message recipient "postfix-users@postfix.org" and try 
again.




[pfx] Re: Masters.cf

2024-05-28 Thread John Fawcett via Postfix-users


On 29/05/2024 00:27, John Hill via Postfix-users wrote:


On 5/28/24 4:50 PM, John Hill via Postfix-users wrote:


On 5/28/24 4:43 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error; waiting to see if 
it works!


submission inet  n   -   n   -   - smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


Unnecessarily complicated.

Lines 2 5 7 8 9 10 13 15 fit better in main.cf.

spamrats allows sending mail when the recipient is only local;

with your config it's rejected.


I have been sending mail from local/remote authenticated clients?

--john 
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}


reject_rbl_client doing nothing.

The IPs of the SASL logon fails are manually found in XBL.

Postscreen spamhaus blocks work.

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11] for port 25


--john


Hi John

I think you are missing the following in master.cf for the submission 
service


-o smtpd_delay_reject=no

Without that the smtpd_client_restrictions will not be evaluated when 
the client connects and so you will allow the connected client to try 
authentication.


Personally I use zen.spamhaus.org=127.0.0.4 for submission, but I'm not 
sure that makes any difference with respect to xbl.spamhaus.org=127.0.0.4.


Also please check your settings in the config files. In the email above 
I see a comma in xbl.spamhaus,org instead of a dot. If you copied it 
from the config then the config is wrong.


John
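The three configuration problems this thread turns up (a comma instead of a dot in the DNSBL zone, a "{ ... }" group inside a restriction list, and reject_rbl_client in smtpd_client_restrictions without smtpd_delay_reject=no) can all be caught by a small lint of the master.cf stanza before Postfix is reloaded. The following Python is an added example, not Postfix code and not anything posted in the thread: it imitates only the part of master.cf parsing needed here (the "-o name=value" and "-o { name = value }" forms and the splitting of a restriction list on whitespace and commas), knows only a handful of restriction names, and assumes main.cf leaves smtpd_delay_reject at its default of yes. The two stanzas inside it are constructed from the ones quoted in the thread.

```python
"""Lint the -o overrides of one Postfix master.cf service stanza for the
mistakes that came up in this thread.  Added example, not Postfix code:
it imitates only the small part of master.cf parsing needed here and
knows only a handful of restriction names."""
import re
from typing import Dict, List

# Restrictions the checker knows, with the number of arguments each one
# consumes.  A subset of Postfix's list, enough for the stanzas posted.
RESTRICTION_ARGS = {
    "permit_mynetworks": 0, "permit_sasl_authenticated": 0, "permit": 0,
    "reject": 0, "reject_unauth_destination": 0,
    "reject_rbl_client": 1, "check_client_access": 1,
}
RESTRICTION_PARAMS = {
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_recipient_restrictions",
    "smtpd_relay_restrictions",
}
OPT_RE = re.compile(r"^\s*-o\s+(.*\S)\s*$")

# Constructed stanzas modelled on the ones posted in the thread: the first
# carries the three mistakes, the second is the corrected form.
BROKEN_STANZA = """\
submission inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o {smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client xbl.spamhaus,org=127.0.0.4, reject}
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,{ $submission_recipient_restrictions },reject
  -o smtpd_tls_security_level=encrypt
"""
FIXED_STANZA = """\
submission inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = permit_mynetworks, reject_rbl_client xbl.spamhaus.org=127.0.0.4, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject }
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_security_level=encrypt
"""


def parse_overrides(stanza: str) -> Dict[str, str]:
    """Return {parameter: value} for the -o lines of one master.cf stanza."""
    opts: Dict[str, str] = {}
    for line in stanza.splitlines():
        m = OPT_RE.match(line)
        if not m:
            continue  # the service line itself, blank lines, comments
        arg = m.group(1)
        # '-o { name = value }' lets the value contain whitespace.
        if arg.startswith("{") and arg.endswith("}"):
            arg = arg[1:-1].strip()
        if "=" not in arg:
            raise ValueError(f"-o override without '=': {line!r}")
        name, value = arg.split("=", 1)
        opts[name.strip()] = value.strip()
    return opts


def lint_restriction_list(name: str, value: str) -> List[str]:
    """Read one smtpd_*_restrictions value the way Postfix splits it."""
    findings: List[str] = []
    if "{" in value or "}" in value:
        # Inside a restriction list Postfix reads '{ ... }' as a lookup
        # table spec: the "malformed map specification" warning quoted above.
        findings.append(f"{name}: brace group inside the value is read as a "
                        "lookup table, not as restrictions")
        return findings
    tokens = [t for t in re.split(r"[\s,]+", value) if t]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("$"):
            i += 1  # a $parameter reference is expanded before parsing
            continue
        if tok not in RESTRICTION_ARGS:
            # 'xbl.spamhaus,org=...' splits at the comma, leaving this token.
            findings.append(f"{name}: unknown restriction {tok!r}")
            i += 1
            continue
        i += 1 + RESTRICTION_ARGS[tok]
    return findings


def lint(stanza: str) -> List[str]:
    """Findings for one stanza; an empty list means it looks clean."""
    opts = parse_overrides(stanza)
    findings: List[str] = []
    for name, value in opts.items():
        if name in RESTRICTION_PARAMS:
            findings.extend(lint_restriction_list(name, value))
    client_tokens = set(re.split(r"[\s,]+", opts.get("smtpd_client_restrictions", "")))
    delay = opts.get("smtpd_delay_reject")  # None: assumed main.cf default (yes)
    if "reject_rbl_client" in client_tokens and delay != "no":
        findings.append("smtpd_delay_reject=no missing: the reject_rbl_client verdict is "
                        "only applied at RCPT TO, after the client has already tried AUTH")
    if delay == "no" and "permit_sasl_authenticated" in client_tokens:
        findings.append("smtpd_client_restrictions: evaluated at connection time with "
                        "smtpd_delay_reject=no, so permit_sasl_authenticated never matches; "
                        "end with permit and enforce AUTH in smtpd_relay_restrictions")
    return findings


if __name__ == "__main__":
    for label, stanza in (("broken", BROKEN_STANZA), ("fixed", FIXED_STANZA)):
        print(f"{label}: {lint(stanza) or ['clean']}")
```

The corrected stanza ends smtpd_client_restrictions with permit rather than reject on purpose: with smtpd_delay_reject=no that list is evaluated when the client connects, before AUTH has happened, so permit_sasl_authenticated cannot match there and a trailing reject would turn away every client outside mynetworks. AUTH is enforced in smtpd_relay_restrictions instead, which is the shape of the spamrats stanza quoted earlier in the thread.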


[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 4:50 PM, John Hill via Postfix-users wrote:


On 5/28/24 4:43 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error; waiting to see if 
it works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


Unnecessarily complicated.

Lines 2 5 7 8 9 10 13 15 fit better in main.cf.

spamrats allows sending mail when the recipient is only local;

with your config it's rejected.


I have been sending mail from local/remote authenticated clients?

--john 
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}


reject_rbl_client doing nothing.

The IPs of the SASL logon fails are manually found in XBL.

Postscreen spamhaus blocks work.

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11] for port 25


--john






[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 4:43 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 22:12:

On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error; waiting to see if it 
works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john


Unnecessarily complicated.

Lines 2 5 7 8 9 10 13 15 fit better in main.cf.

spamrats allows sending mail when the recipient is only local;

with your config it's rejected.


I have been sending mail from local/remote authenticated clients?

--john





[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 3:38 PM, Benny Pedersen via Postfix-users wrote:

John Hill via Postfix-users skrev den 2024-05-28 21:14:


I had dumped the configs but here is what I had.


submission inet n   -   y   -   - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_delay_reject=no
  -o { smtpd_client_restrictions = reject_rbl_client 
auth.spamrats.com=127.0.0.43, permit }
  -o { smtpd_relay_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject }


https://www.spamrats.com/postfix-configuration.php

works for me :)


Does this look correct? I'm not getting an error; waiting to see if it 
works!


submission inet  n   -   n   -   -   smtpd
  2 -o smtpd_hard_error_limit=1
  3 -o stress=yes
  4 -o syslog_name=postfix/submission
  5 -o smtpd_etrn_restrictions=reject
  6 -o smtpd_sasl_auth_enable=yes
  7 -o smtpd_sasl_type=dovecot
  8 -o smtpd_sasl_path=private/auth
  9 -o smtpd_sasl_security_options=noanonymous
 10 -o smtpd_sasl_tls_security_options=noanonymous
 11 -o 
{smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_rbl_client 
xbl.spamhaus,org=127.0.0.4, reject}
 12 -o 
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

 13 -o smtpd_helo_restrictions=permit_mynetworks,permit
 14 -o smtpd_tls_security_level=encrypt
 15 -o 
smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf

 16 -o milter_macro_daemon_name=ORIGINATING
 17

--john






[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users


On 5/28/24 11:48 AM, Wietse Venema via Postfix-users wrote:

postconf -Mf submission/inet".



May 28 10:51:07 proteus.noach.com postfix/submission/smtpd[57120]: warning: malformed map specification: '{ reject_rbl_client xbl.spamhaus.org }'
May 28 10:51:07 proteus.noach.com postfix/submission/smtpd[57120]: warning: expected maptype:mapname instead of 'reject_rbl_client'


submission inet  n   -   n   -   -   smtpd
    -o smtpd_hard_error_limit=1
    -o stress=yes
    -o syslog_name=postfix/submission
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_tls_security_options=noanonymous
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ $submission_recipient_restrictions },reject
#    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

    -o smtpd_helo_restrictions=permit_mynetworks,permit
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf
    -o milter_macro_daemon_name=ORIGINATING


I took a break to study.

I had dumped the configs but here is what I had.



[pfx] Re: Masters.cf

2024-05-28 Thread John Hill via Postfix-users
Not working; I had recipient instead of client. Fixed that, and then it 
says it's not a map.



On 5/28/24 10:36 AM, John Hill via Postfix-users wrote:

Here is what IS NOT causing postfix to dump, not sure if it will work.

main.cf

submission_recipient_restrictions = reject_rbl_client xbl.spamhaus.org

master.cf

submission

 -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ 
$submission_recipient_restrictions },reject



It sends and receives mail so far. Not sure on the RBL yet.

--john




[pfx] Masters.cf

2024-05-28 Thread John Hill via Postfix-users

Here is what IS NOT causing postfix to dump, not sure if it will work.

main.cf

submission_recipient_restrictions = reject_rbl_client xbl.spamhaus.org

master.cf

submission

 -o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,{ 
$submission_recipient_restrictions },reject



It sends and receives mail so far. Not sure on the RBL yet.

--john




[pfx] Master.cf

2024-05-28 Thread John Hill via Postfix-users
I have yet to get a proper configuration to add xbl.spamhaus.org to 
submission.


-o 
smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject


Everything I try fails.

I have researched the list but can't find the answer.

I'm still getting hammered by SASL failures.

I check the number on spamhaus and they come back listed.

I am correct, postscreen is on port 25.

I use 587 for submissions.

Sorry to be so dense.


--john



[pfx] Re: SASL reject force disconnect

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 5:39 AM, Christophe Kalt via Postfix-users wrote:

smtpd_delay_reject to no



I had it at yes.

Changed it.

--john



[pfx] Re: SASL reject force disconnect

2024-05-28 Thread John Fawcett via Postfix-users


On 28/05/2024 11:39, Christophe Kalt via Postfix-users wrote:
On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users wrote:


For submission I only use xbl (return code 127.0.0.4) excluding
other data contained in zen like pbl that lists isp dynamic
ip ranges from which you would normally expect to get connections
to submission. For me it's safe to use xbl for submission since I
don't want connections from exploited machines and it cuts out
most of the noise and some of the risk from people hammering smtp
auth. It won't fit everyone's use case though.

For this to be worthwhile, I assume you also set smtpd_delay_reject to 
no?




Yes, I set it in master.cf just for the submission service.

John


[pfx] Re: SASL reject force disconnect

2024-05-27 Thread John Fawcett via Postfix-users


On 27/05/2024 13:31, John Hill via Postfix-users wrote:



On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:

> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]



John Hill via Postfix-users:

Is this the same thing?


On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4


While they are the same, I recommend using the latter, so you can 
benefit from caching DNS results in case the same source IP connects 
to smtp and submission/submissions(=smtps) services.


I added zen.spamhaus.org=127.0.0.[2..11] to my submission settings 
in master.cf. Worked, but it blocked my AT&T mobile block. Go figure!


That's to be expected. The zen.spamhaus.org list also contains isp 
dynamic ip ranges which can be users that need to access submission.


I changed it to 127.0.0.4 to be more specific. It turns out AT&T 
mobile has numbers in the XBL database. I tried bl.spamcop.net, and 
it does nothing.


If AT&T is blocked when checking specifically for 127.0.0.4 then the IP 
is in XBL, but that would mean there is likely to be an exploited 
device on that IP. I would not recommend using spamcop or other general 
purpose spam blocking lists for this purpose. XBL is specific for 
compromised hosts.


Last night I logged "81 SASL authentication failed." That's about 
average. Seems I have a lot of new friends.


I'm still thankful to learn more about master.cf, I had ignored it for 
the most part.


--john




[pfx] Re: SASL reject force disconnect

2024-05-27 Thread John Hill via Postfix-users


On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:

> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]



John Hill via Postfix-users:

Is this the same thing?


On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4


While they are the same, I recommend using the latter, so you can 
benefit from caching DNS results in case the same source IP connects 
to smtp and submission/submissions(=smtps) services.


I added zen.spamhaus.org=127.0.0.[2..11] to my submission settings in 
master.cf. Worked, but it blocked my AT&T mobile block. Go figure!


I changed it to 127.0.0.4 to be more specific. It turns out AT&T mobile 
has numbers in the XBL database. I tried bl.spamcop.net, and it does 
nothing.


Last night I logged "81 SASL authentication failed." That's about 
average. Seems I have a lot of new friends.


I'm still thankful to learn more about master.cf, I had ignored it for 
the most part.


--john


[pfx] Re: SASL reject force disconnect

2024-05-26 Thread John Fawcett via Postfix-users


On 25/05/2024 20:50, John Hill via Postfix-users wrote:



On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:


On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up 
with the conversation!


I had auth on ports I did not need. I use auth on submission port 
587, for users access.


I do get a boat load of failed login attempts on 587. Funny how a 
China, US, Argentina, you name it, hosts, will try the same failed 
username password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john



Hi John

maybe controversial for use on the submission service, but a while 
back I started using spamhaus xbl (the exploits data only, not the 
PBL or spammer data) as the first check (reject_rbl_client) in 
smtpd_client_restrictions for the submission service (on which I have 
AUTH enabled only after STARTTLS). I saw two results


1. there are few illegitimate smtp auth attempts that aren't blocked 
by XBL and end up trying the credentials


2. even the blocked traffic has fallen off to a small number of tries 
per day (usually < 20).


Point 2 tends to indicate that the hacker scripts only start 
hammering when they find an AUTH command enabled.


Fail2ban can still be used for the ips that get through, since then 
they start hammering, but the cases are so limited I haven't bothered.


John





I use zen.spamhaus.net in postscreen.



postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

Is this the same thing?
--john




postscreen is protecting the smtp service (port 25). I also use the zen 
configuration you have above in postscreen, (i.e. including the other 
data not just xbl) since I am more aggressive for smtp.


For submission I only use xbl (return code 127.0.0.4) excluding other 
data contained in zen like pbl that lists isp dynamic ip ranges 
from which you would normally expect to get connections to submission. 
For me it's safe to use xbl for submission since I don't want 
connections from exploited machines and it cuts out most of the noise 
and some of the risk from people hammering smtp auth. It won't fit 
everyone's use case though.


John


[pfx] Re: How to allow only one specific sender to use smtp ?

2024-05-26 Thread John Fawcett via Postfix-users



On 25/05/2024 23:58, Mike via Postfix-users wrote:

Hello,

My setup like below:

I have Postfix setup and use dovecot as SASL. Now, all email accounts 
can use the smtp server to send emails. I want to allow only one email 
account to send out emails and rest of others can only use POP3 or IMAP.


How can I make that?

Thanks



Hi Mike

as mentioned elsewhere in the thread you could use the sasl backend to 
do this.


For example if using dovecot sasl for the authentication with sql 
backend (and probably with ldap too though I didn't try that), dovecot 
has a %s variable that will be set to the service name (smtp, pop3, imap 
etc) and you can use that variable in the sql query to have different 
responses depending on user and service.


John




[pfx] Re: SASL reject force disconnect

2024-05-25 Thread John Hill via Postfix-users


On 5/25/24 3:54 PM, Wietse Venema via Postfix-users wrote:

John Hill via Postfix-users:

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

Is this the same thing?

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4

Wietse


I checked. Postscreen blocked 2 127.0.0.4 sites.

I do appreciate postscreen. A lock on the front door!!!

Thanks

--john





[pfx] Re: SASL reject force disconnect

2024-05-25 Thread John Hill via Postfix-users


On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:


On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up 
with the conversation!


I had auth on ports I did not need. I use auth on submission port 
587, for users access.


I do get a boat load of failed login attempts on 587. Funny how a 
China, US, Argentina, you name it, hosts, will try the same failed 
username password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john



Hi John

maybe controversial for use on the submission service, but a while 
back I started using spamhaus xbl (the exploits data only, not the PBL 
or spammer data) as the first check (reject_rbl_client) in 
smtpd_client_restrictions for the submission service (on which I have 
AUTH enabled only after STARTTLS). I saw two results


1. there are few illegitimate smtp auth attempts that aren't blocked 
by XBL and end up trying the credentials


2. even the blocked traffic has fallen off to a small number of tries 
per day (usually < 20).


Point 2 tends to indicate that the hacker scripts only start hammering 
when they find an AUTH command enabled.


Fail2ban can still be used for the ips that get through, since then 
they start hammering, but the cases are so limited I haven't bothered.


John





I use zen.spamhaus.net in postscreen.



postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

Is this the same thing?
--john




[pfx] Re: SASL reject force disconnect

2024-05-25 Thread John Fawcett via Postfix-users



On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up 
with the conversation!


I had auth on ports I did not need. I use auth on submission port 587, 
for users access.


I do get a boat load of failed login attempts on 587. Funny how a 
China, US, Argentina, you name it, hosts, will try the same failed 
username password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john



Hi John

maybe controversial for use on the submission service, but a while back 
I started using spamhaus xbl (the exploits data only, not the PBL or 
spammer data) as the first check (reject_rbl_client) in 
smtpd_client_restrictions for the submission service (on which I have 
AUTH enabled only after STARTTLS). I saw two results


1. there are few illegitimate smtp auth attempts that aren't blocked by 
XBL and end up trying the credentials


2. even the blocked traffic has fallen off to a small number of tries 
per day (usually < 20).


Point 2 tends to indicate that the hacker scripts only start hammering 
when they find an AUTH command enabled.


Fail2ban can still be used for the ips that get through, since then they 
start hammering, but the cases are so limited I haven't bothered.


John



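The decision fail2ban takes here, counting SASL failures per client inside a time window before it adds a firewall rule, together with the burst pattern John describes (several hosts trying at nearly the same time), as an added example in Python rather than fail2ban's or Postfix's own code. The log lines are constructed in the standard smtpd warning format with a made-up hostname and documentation addresses; the maxretry and window values are assumptions, not anything from the thread.

```python
"""Sliding-window count of SASL authentication failures per client in
Postfix smtpd logs, i.e. the decision fail2ban makes before it adds a
firewall rule, plus a per-minute count of distinct failing sources.
Added example, not fail2ban or Postfix code.  LOG below is constructed
in the standard smtpd warning format with a made-up hostname and
documentation addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample: one client fails five times in about three
# minutes, two others fail once or twice, plus unrelated lines.
LOG = """\
May 28 19:00:01 mx.example.net postfix/submission/smtpd[4001]: connect from unknown[203.0.113.7]
May 28 19:00:03 mx.example.net postfix/submission/smtpd[4001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 28 19:00:04 mx.example.net postfix/submission/smtpd[4002]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed: authentication failure
May 28 19:00:09 mx.example.net postfix/submission/smtpd[4001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 28 19:00:15 mx.example.net postfix/submission/smtpd[4001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 28 19:00:22 mx.example.net postfix/submission/smtpd[4003]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 28 19:01:40 mx.example.net postfix/submission/smtpd[4001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 28 19:02:05 mx.example.net postfix/submission/smtpd[4002]: warning: unknown[198.51.100.20]: SASL PLAIN authentication failed: authentication failure
May 28 19:03:11 mx.example.net postfix/submission/smtpd[4001]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 28 19:03:12 mx.example.net postfix/submission/smtpd[4001]: disconnect from unknown[203.0.113.7] ehlo=1 starttls=1 auth=0/5 commands=2/7
"""

SASL_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"postfix(?:/[\w-]+)?/smtpd\[\d+\]: warning: "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\w+) authentication failed"
)


def parse_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines: List[str], maxretry: int = 5,
                      window_s: int = 600) -> Dict[str, Tuple[int, str]]:
    """Return {ip: (failures_in_window, timestamp)} for each client that
    reaches maxretry SASL failures within window_s seconds, recorded at
    the line where the threshold is first crossed (where fail2ban would
    run its ban action)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, Tuple[int, str]] = {}
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if not m:
            continue
        ip, when = m["ip"], parse_ts(m["ts"])
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > window_s:
            window.popleft()  # forget failures older than the window
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = (len(window), m["ts"])
    return flagged


def sources_per_minute(lines: List[str]) -> Dict[str, int]:
    """Distinct failing client IPs per minute; a high number in one
    minute is the many-hosts-at-once pattern described in the thread."""
    buckets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if m:
            buckets[m["ts"][:-3]].add(m["ip"])  # drop the :SS part
    return {minute: len(ips) for minute, ips in buckets.items()}


if __name__ == "__main__":
    lines = LOG.splitlines()
    for ip, (count, ts) in detect_bruteforce(lines).items():
        print(f"{ip}: {count} failures by {ts}, would be banned")
    for minute, n in sources_per_minute(lines).items():
        print(f"{minute}: {n} distinct failing source(s)")
```

The per-IP window is what a ban rule acts on; the per-minute source count is the signal that a DNSBL check at connection time (the XBL approach above) addresses, since it removes most of those sources before they reach AUTH at all.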


[pfx] Re: SASL reject force disconnect

2024-05-24 Thread John Hill via Postfix-users


On 5/24/24 9:33 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 24.05.24 07:36, John Hill via Postfix-users wrote:

What command do you use to reset the connection?


no command, just rule in OUTPUT chain:

 1710  649K REJECT 6    --  *  * 0.0.0.0/0    0.0.0.0/0    tcp spt:25 match-set block-smtp dst reject-with icmp-port-unreachable


so any outgoing (dst) packet from TCP port 25 to IP address in ipset 
"block-smtp" will result in icmp port unreachable.

It can be changed to tcp-reset.

I use nftables. This is near what I use in the active table. I was 
having so many multiple attempts, I had to block it immediately.


I'm not sure it would kill the current connection. But the change to 
Postfix timing did.


--john





On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into 
the nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. 
Is there a cli that my bash script could force disconnect the ip 
from Postfix?


I use fail2ban a way where incoming packets to port 25 get dropped 
and outgoing packets from port 25 get reset, so smtpd should receive 
info to close connection when first packet leaves.





[pfx] Re: SASL reject force disconnect

2024-05-24 Thread John Hill via Postfix-users

What command do you use to reset the connection?

On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I use fail2ban a way where incoming packets to port 25 get dropped and 
outgoing packets from port 25 get reset, so smtpd should receive info 
to close connection when first packet leaves.





[pfx] Re: SASL reject force disconnect

2024-05-23 Thread John Hill via Postfix-users
Will do it. Tonight. 

Thanks 



On May 23, 2024 9:11 PM, Wietse Venema via Postfix-users 
 wrote:

John Hill via Postfix-users: 
> I learn something every time I read this group, when I can keep up with 
> the conversation! 
> 
> I had auth on ports I did not need. I use auth on submission port 587, 
> for users access. 
> 
> I do get a boat load of failed login attempts on 587. Funny how a China, 
> US, Argentina, you name it, hosts, will try the same failed username 
> password at nearly the same time. 
> 
> Small world. 
> 
> I use Fail2Ban to block the failed IP. The script writes it into the 
> nftables table immediately. 
> 
> I think this keeps Postfix waiting and times out, not a big deal. Is 
> there a cli that my bash script could force disconnect the ip from Postfix? 
> 
> I did search the man page and the docs, sorry if I missed it. 

On port 587? setting "smtpd_hard_error_limit=1" might do it. 

master.cf: 
submission .. .. .. .. .. .. .. smtpd 
-o { smtpd_hard_error_limit = 1 } 
...other -o options... 

You need to "postfix reload" after editing master.cf, 

This assumes that a good user makes no mistakes. 

Wietse 



[pfx] SASL reject force disconnect

2024-05-23 Thread John Hill via Postfix-users
I learn something every time I read this group, when I can keep up with 
the conversation!


I had auth on ports I did not need. I use auth on submission port 587, 
for users access.


I do get a boat load of failed login attempts on 587. Funny how a China, 
US, Argentina, you name it, hosts, will try the same failed username 
password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john




[pfx] Re: Dovecot logging to files causes postfix to break

2024-05-19 Thread John Fawcett via Postfix-users


On 18/05/2024 18:18, Richard Rosner via Postfix-users wrote:

Am 18.05.24 um 17:55 schrieb Wietse Venema:

Richard Rosner via Postfix-users:

I have a mailing server setup based on Debian Stable that uses
postfix for IMAP and SMTP and dovecot for internal mail handling,

You mean, Postfix for SMTP, Dovecot for IMAP.

Possible.



like filtering, sorting into users inboxes etc. I now wanted to
set dovecot to not write to syslog, but to dedicated files in
/var/log/dovecot. While everything indicates that this happens
successfully, postfix will soon start logging complaints:

 May 13 20:55:37 mail postfix/local[2824184]: 95BCF1000A9:
 to=, relay=local, delay=3.2, 
delays=1.9/0.29/0/1.1,

 dsn=4.3.0, status=deferred (temporary failure. Command output:
 lda(user): Error: net_connect_unix(/run/dovecot/stats-writer)
 failed: Permission denied Can't open log file
 /var/log/dovecot/error.log: Permission denied )
That is a DOVECOT error message from the DOVECOT local delivery agent 
(lda).


Wietse


Why does it say postfix/local though? So you are sure this error can't 
have been caused by any interaction with postfix?



Richard


Hi Richard

though probably not relevant to your current issue, one thing to watch 
out for with the approach you are using is the value of the Postfix 
parameter mailbox_size_limit. This value applies to all files 
written by the lda process that Postfix spawns, not just the mailbox 
files, so it also applies to log file sizes.


John



[pfx] Re: Postfix not doing round robin for equal weight MX records

2024-05-17 Thread John Doe via Postfix-users
Sun, 12 May 2024 at 19:10 Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Viktor Dukhovni via Postfix-users:
> > On Fri, May 10, 2024 at 01:13:06PM -0400, Wietse Venema via
> Postfix-users wrote:
>
> ...

Mystery solved.
Thank You Wietse and Viktor for tips about my issue.

conn_use in logs showed something interesting ...
This one, nlp3, had TLS disabled, and I'd missed that somehow, so by
default it was reusing connections.
The rest of the relays had TLS enabled, and I don't reuse connections for TLS, so
no conn_use in the logs on my side.
I even wrote a simple script to connect 50 times to each, wait for the 220 code,
quit, and calculate latency; this showed that nlp3 is not the fastest one.
Networks were all 24 bit ...

We have enabled TLS on nlp3 and all traffic is even now :)
Now it's time for a change to be able to reuse connections for TLS.

Best regards,
Thank You!
John
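As an added illustration (not code from this thread or from the Postfix project), a short Python script that tabulates successful deliveries per relay from Postfix smtp(8) log lines and counts how many of them carried conn_use, which is the field that exposed the TLS/connection-reuse difference described above. The log lines and queue IDs are constructed samples that reuse the thread's relay names.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtp(8) delivery log lines. conn_use=N is only
# logged when a cached connection is reused for the Nth delivery, so a relay
# that collects conn_use entries while the others never do is the tell-tale.
SAMPLE_LOG = """\
May 10 15:20:01 mailhost postfix/qmgr[1201]: 4VbQ2c0ZtXz: from=<a@example.com>, size=1234, nrcpt=1 (queue active)
May 10 15:20:01 mailhost postfix/smtp[1300]: 4VbQ2c0ZtXz: to=<b@example.net>, relay=nlp1.loc-prd.net[10.56.155.14]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
May 10 15:20:02 mailhost postfix/smtp[1300]: 4VbQ2c1ZtXz: to=<c@example.net>, relay=nlp3.loc-prd.net[10.26.15.31]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
May 10 15:20:02 mailhost postfix/smtp[1300]: 4VbQ2c2ZtXz: to=<d@example.net>, relay=nlp3.loc-prd.net[10.26.15.31]:25, conn_use=2, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
May 10 15:20:03 mailhost postfix/smtp[1300]: 4VbQ2c3ZtXz: to=<e@example.net>, relay=nlp3.loc-prd.net[10.26.15.31]:25, conn_use=3, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
May 10 15:20:03 mailhost postfix/smtp[1301]: 4VbQ2c4ZtXz: to=<f@example.net>, relay=nlp2.loc-prd.net[10.32.32.103]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
May 10 15:20:04 mailhost postfix/smtp[1301]: 4VbQ2c5ZtXz: to=<g@example.net>, relay=nlp3.loc-prd.net[10.26.15.31]:25, conn_use=4, delay=0.2, delays=0.1/0/0/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
May 10 15:20:05 mailhost postfix/smtp[1301]: 4VbQ2c6ZtXz: to=<h@example.net>, relay=nlp4.loc-prd.net[10.32.32.104]:25, delay=30, delays=0.1/0/30/0, dsn=4.4.2, status=deferred (lost connection with nlp4.loc-prd.net[10.32.32.104] while receiving the initial server greeting)
"""

# One regex for the fields we need. syslog_name may carry a suffix (the thread
# shows "postfix-118" elsewhere), hence \S* after "postfix". In Postfix logs
# conn_use, when present, directly follows the relay= field.
SMTP_RE = re.compile(
    r"postfix\S*/smtp\[\d+\]: (?P<qid>\w+): .*?relay=(?P<relay>[^\s,]+)"
    r"(?:, conn_use=(?P<conn_use>\d+))?.*?status=(?P<status>\w+)"
)


def summarize(lines):
    """Count status=sent deliveries per relay and how many reused a cached connection."""
    per_relay, reused = Counter(), Counter()
    for line in lines:
        m = SMTP_RE.search(line)
        if not m or m.group("status") != "sent":
            continue
        per_relay[m.group("relay")] += 1
        if m.group("conn_use") is not None:
            reused[m.group("relay")] += 1
    return per_relay, reused


def dominant_relays(per_relay, factor=1.5):
    """Relays that received more than `factor` times the even share of deliveries."""
    if not per_relay:
        return []
    expected = sum(per_relay.values()) / len(per_relay)
    return sorted(r for r, c in per_relay.items() if c > factor * expected)


def report(lines):
    per_relay, reused = summarize(lines)
    for relay, count in per_relay.most_common():
        print(f"{count:6d} {relay}  (deliveries on a reused connection: {reused[relay]})")
    for relay in dominant_relays(per_relay):
        print(f"skew: {relay} gets more than its even share; compare conn_use and TLS settings")


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```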


[pfx] Re: Postfix not doing round robin for equal weight MX records

2024-05-10 Thread John Doe via Postfix-users
Fri, 10 May 2024 at 16:13 Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

All at once answer, hope it's OK:


IP's:
^

dig mx mxmail.adatum.net +short | cut -d' ' -f2 | xargs dig a +short
10.56.155.14
10.32.32.103
10.32.32.104
10.26.15.31
10.26.15.32
10.26.15.34

And this one is favored: nlp3.loc-prd.net = 10.26.15.31

$


RESOLV.CONF and DIG:
^

cat /etc/resolv.conf

search adatum.net
nameserver 10.20.30.10
nameserver 10.20.30.20


AND:

dig mx mxmail.adatum.net
...

;; ANSWER SECTION:
mxmail.adatum.net. 146 IN  MX  10 nlp1.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp2.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp3.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp6.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp5.loc-prd.net.
mxmail.adatum.net. 146 IN  MX  10 nlp4.loc-prd.net.

;; Query time: 0 msec
;; SERVER: 10.20.30.10#53(10.20.30.10)
;; WHEN: Fri May 10 15:26:10 BST 2024
;; MSG SIZE  rcvd: 261

--
also:
dig a mxmail.adatum.net
NOTHING ( no A record in DNS for this)

$


CONFIG:
^

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = yes
allow_percent_hack = no
append_dot_mydomain = no
best_mx_transport = local
default_database_type = hash
default_process_limit = 500
delay_warning_time = 16
disable_vrfy_command = no
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /app/PFXpostfix/postfix/usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost,
smtp.mydomain.com, mailhost
mynetworks = 127.0.0.1, 10.20.30.5
myorigin = anonymized.com
nested_header_checks =
queue_directory = /var/spool/postfix
readme_directory = no
relayhost = mxmail.adatum.net
setgid_group = postdrop
smtp_host_lookup = dns, native
smtp_mx_address_limit = 10
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_security_level = may
swap_bangpath = no
syslog_name = postfix
transport_maps = hash:/etc/postfix/transport.map

$





> > We have another 2 servers with the same setup, and they relay quite
> equally.
>
> Equally as in that they also "prefer" the same MX host? Or a different one?
>
>
It means, we have other set of mailhost + other 6 relayhosts, all setup the
same, and this other set is working fine, round robin, equal amount of
emails relayed, etc.

Please provide evidence in the form of logs that show the preference.
>
> grep 'postfix/smtp.*relay=' /the/maillog/file | grep -v
> nlp3.loc-prd.net
>
>
Is this OK / enough ?

Logs:
^

grep relay=nlp[123456].*status=sent /var/log/maillog | sed 's/.*relay=//' |
sed 's/,.*//' | sort | uniq -c

  5770 nlp1.loc-prd.net[10.56.155.14]:25
  5694 nlp2.loc-prd.net[10.32.32.103]:25
  5402 nlp4.loc-prd.net[10.32.32.104]:25
  21531 nlp3.loc-prd.net[10.26.15.31]:25
  5570 nlp6.loc-prd.net[10.26.15.32]:25
  5694 nlp5.loc-prd.net[10.26.15.34]:25

$

Best regards,
John

Fri, 10 May 2024 at 16:13 Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> John Doe via Postfix-users:
> > Hi,
> >
> > I was hoping for real MX record round-robin but it does not work on one
> of
> > my servers.
> >
> > Somehow, postfix is prioritising one of the MX more than others.
>
> By default, Postfix looks up SMTP servers in DNS, and randomizes
> the order of equal-preference records. After 25 years this is one
> of the more bizarre problem reports.
>
> > Always the same: nlp3.loc-prd.net
>
> Then you aren't using the default settings for server lookup, or
> Postfix is using a different resolver than your manual tests (with
> dig), or Postfix has to ignore hosts that speak only IPv6 while
> Postfix speaks only IPv4, or your resolver is doing nasty things.
>
> Postfix has no built-in DNS protocol support and relies on system
> infrastructure.  Historically that was a local bind or unbound
> server, but more recently, systemd has also invaded into this
> territory.
>
> > All MX servers, are in local network to this client mailserver.
>
> Postfix can handle that.
>
> > We have relayhost in main.cf:
> >
> > relayhost = mxmail.adatum.net
>
> Good. You have MX lookups turned on.
>
> > We have MX record for this relayhost with equal weights of 10 for each,
> DNS
> > TTL is setup to 300s, dns system is BIND, not Windows.
>
> > dig mx mxmail.adatum.net
>
> Can you demonstrate that this uses the exact same resolv.conf file
> as Postfix?

[pfx] Postfix not doing round robin for equal weight MX records

2024-05-10 Thread John Doe via Postfix-users
Hi,


I was hoping for real MX record round-robin but it does not work on one of
my servers.

Somehow, postfix is prioritising one of the MX more than others.

Always the same: nlp3.loc-prd.net

All MX servers, are in local network to this client mailserver.



We have relayhost in main.cf:

relayhost = mxmail.adatum.net



We have MX record for this relayhost with equal weights of 10 for each, DNS
TTL is setup to 300s, dns system is BIND, not Windows.



dig mx mxmail.adatum.net



mxmail.adatum.net. 146 IN  MX  10 nlp1.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp2.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp3.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp6.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp5.loc-prd.net.

mxmail.adatum.net. 146 IN  MX  10 nlp4.loc-prd.net.





Some setup parameters for a better view:

smtp_randomize_addresses = yes

smtp_mx_address_limit = 10

smtp_mx_session_limit = 2

smtp_connection_cache_on_demand = yes

smtp_connection_cache_time_limit = 2s

default_destination_concurrency_limit = 20

smtp_destination_concurrency_limit = $default_destination_concurrency_limit

default_destination_concurrency_failed_cohort_limit = 1





We have another 2 servers with the same setup, and they relay quite equally.

Anything that will help to solve this issue would be much appreciated.



Best regards,

John


[pfx] Re: long header folding and DKIM fails

2024-04-29 Thread John Levine via Postfix-users
It appears that Steffen Nurpmeso via Postfix-users said:
> |I did not want to insult you!
> |In mind i had these canon..py snippets
> |
> |  def strip_trailing_whitespace(content):
> |return re.sub(b"[\t ]+\r\n", b"\r\n", content)
> |
> |
> |  def compress_whitespace(content):
> |return re.sub(b"[\t ]+", b" ", content)
> |
> |  ...
> |
> |(x[0].lower().rstrip(),
> |  compress_whitespace(unfold_header_value(x[1])).strip() + b"\r\n")
> |  for x in headers]
> |
> |These strip()s remove any whitespace, as opposed to [\t ] only.

If you are complaining that it removes bare \r and \n, those are invalid,
we've repeatedly told you why they're invalid and you're not doing yourself
any favors by continued digging.

R's,
John

>In general "all the interoperability problems" are only (as far as
>*i* flew above it) about such whitespace issues.  Most dramatical,
>still, by opendkim and rspamd (git repository source).
>
>--steffen
>|
>|Der Kragenbaer,The moon bear,
>|der holt sich munter   he cheerfully and one by one
>|einen nach dem anderen runter  wa.ks himself off
>|(By Robert Gernhardt)


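An added example, not code from Steffen's canon.py or from anyone in this thread: RFC 6376 relaxed header and body canonicalization written so that only SP and HTAB count as whitespace (RFC 5234 WSP), while a bare CR or LF, which John notes is invalid, is rejected instead of being swallowed by an argument-less bytes.strip(). All inputs used in the checks are constructed.

```python
import re

# WSP per RFC 5234 is SP or HTAB only. bytes.strip() with no argument also
# removes CR, LF, VT and FF, so a stray bare CR/LF in a header value would be
# silently canonicalized away instead of being flagged as a malformed message.
WSP_RUN = re.compile(rb"[\t ]+")
# A CR not followed by LF, or an LF not preceded by CR.
BARE_EOL = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def has_bare_eol(data: bytes) -> bool:
    """True when the data contains a CR or LF that is not part of a CRLF pair."""
    return BARE_EOL.search(data) is not None


def strip_would_hide(value: bytes) -> bool:
    """True when an argument-less strip() removes something that is not WSP."""
    return value.strip() != value.strip(b"\t ")


def unfold(value: bytes) -> bytes:
    """RFC 5322 unfolding: drop each CRLF that is immediately followed by WSP."""
    return re.sub(rb"\r\n(?=[\t ])", b"", value)


def relaxed_header(name: bytes, value: bytes) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization of one field."""
    if has_bare_eol(value):
        raise ValueError("bare CR or LF in header value; message is malformed")
    v = unfold(value)
    if v.endswith(b"\r\n"):          # the terminating CRLF is re-added below
        v = v[:-2]
    v = WSP_RUN.sub(b" ", v)         # runs of WSP become a single SP
    v = v.strip(b"\t ")              # no WSP after the colon or at the end
    return name.lower().strip(b"\t ") + b":" + v + b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    if has_bare_eol(body):
        raise ValueError("bare CR or LF in body; message is malformed")
    lines = [WSP_RUN.sub(b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":   # ignore empty lines at the end
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""
```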


[pfx] Re: Fun with line endings, was Re: Mail text wrapping

2024-04-28 Thread John R. Levine via Postfix-users
Well, the header lines are properly terminated by CRLF.  However, the 
text lines are whatever I get from postfix.  Generally that is just a 
LF.  I copied the text and inserted the CRs and sent it to see what 
happens.  I get the same result: = signs at each fold point.


Those = signs are something helpfully trying to turn your text into quoted 
printable.  What else is going on there?


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


[pfx] Re: Fun with line endings, was Re: Mail text wrapping

2024-04-24 Thread John Levine via Postfix-users
It appears that Viktor Dukhovni via Postfix-users  
said:
>On Wed, Apr 24, 2024 at 01:01:46AM -0000, John Levine via Postfix-users wrote:
>
>> >I must be interpreting this wrong because it appears postfix is not
>> >accepting that.  Here is the complete process.  A message arrives at
>> >my MTA addressed to a specific address.  Postfix delivers that
>> >message to a pipe to my process which reads the pipe and stores
>> >everything in a file.  Portions of the text of that message are
>> >extracted and then sent using SMTP to port 25 on my MTA with new
>> >recipients. ...
>> 
>> Oh, there's your problem. If you are talking directly to an SMTP
>> server, you have to use SMTP line endings \r\n rather than the \n used
>> in files on Unix systems.
>
>Maybe, but perhaps this is too literal a reading of the OP's anecdotal
>description of the message handling.  One might equally expect that the
>problem is with some parser of the message content not expecting to decode
>quoted-printable MIME bodies.

I suppose, but sending bare LF in SMTP is definitely wrong, so he needs to
fix that first.

R's,
John


[pfx] Re: Fun with line endings, was Re: Mail text wrapping

2024-04-23 Thread John Levine via Postfix-users
According to Doug Hardie via Postfix-users:
>I must be interpreting this wrong because it appears postfix is not accepting 
>that.  Here is the complete process.  A message arrives at my MTA addressed to 
>a specific address.  Postfix delivers that
>message to a pipe to my process which reads the pipe and stores everything in 
>a file.  Portions of the text of that message are extracted and then sent 
>using SMTP to port 25 on my MTA with new
>recipients. ...

Oh, there's your problem. If you are talking directly to an SMTP
server, you have to use SMTP line endings \r\n rather than the \n used
in files on Unix systems.

There are several simple solutions. If the MTA is on the same machine,
you can feed the message to /usr/sbin/sendmail and it'll do the
conversions. Or when you're talking to some other SMTP server, stuff a
\r in front of each \n and it should work. BTDT.

This has nothing to do with MIME or wrapping, by the way. The SMTP
spec says that the *only* line ending is \r\n and bare \r or \n is
undefined. Postfix strips the \r on the way in and will add the \r on
the way out if you let it handle the SMTP sessions.

R's,
John
-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

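An added example, not from the thread, of the conversion John describes: turning a message read from a Unix file into the bytes a client sends after DATA, with every bare LF or CR turned into CRLF exactly once (an existing CRLF is not doubled into CRCRLF), plus the dot-stuffing and the final "." terminator RFC 5321 requires. The inputs used in the checks are constructed.

```python
import re

# CRLF is listed first so an already-correct line ending is matched whole
# and replaced by itself, never doubled.
ANY_EOL = re.compile(rb"\r\n|\r|\n")


def to_crlf(data: bytes) -> bytes:
    """Normalise every line ending (CRLF, bare LF, bare CR) to CRLF, exactly once."""
    return ANY_EOL.sub(b"\r\n", data)


def smtp_data_payload(message: bytes) -> bytes:
    """Bytes to send after the DATA command for a message read from a Unix file."""
    text = to_crlf(message)
    if text and not text.endswith(b"\r\n"):
        text += b"\r\n"                   # the last line must be terminated too
    # RFC 5321 section 4.5.2: a line that begins with "." gets one more "."
    # so it cannot be taken for the end-of-data marker.
    lines = text.split(b"\r\n")
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(stuffed) + b".\r\n"
```

Feeding the same file to /usr/sbin/sendmail instead, as John suggests, makes this conversion unnecessary because Postfix performs it on the way out.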


[pfx] userid for file delivery ?

2024-02-28 Thread John Levine via Postfix-users
Here's another question that might be answered in the documentation
but I can't find it.  If I have a file delivery like this in
the /etc/aliases file

foo: /a/b/somefile

what userid writes to the file?  postfix? nobody?

I realize that for user mailboxes it's the user, but
in this case, there's no user, just the file.  TIA.

R's,
John




[pfx] dumb-ish question about submission rewriting

2024-02-23 Thread John Levine via Postfix-users
I am trying to tidy up a complicated and messy postfix config that has
all the issues you'd expect in one that has been twiddled by many
people over a decade to handle multiple sort of related mail streams.

Today's issue is ensuring that we only do submission rewrites on
outgoing mail, not incoming mail, e.g., adding Date and Message-ID.

Maybe I'm having a senior moment, but what in the config says to do
or not do that?  TIA.

R's,
John

PS to Viktor: yes, that one.


[pfx] Re: Server etiquette

2024-02-14 Thread John Hill via Postfix-users
you would like to have. The
best you can do is keep evolving the measures you use to reject attacks,
hope that the hosts at the other end can recognise that their attempts
aren't getting through, and hence discontinue their anti-social
behaviour. All this while trying not to make your own servers generally
anti-social (I'm currently "educating" a team from my local government
as to why their email setup is anti-social, and their website just
inadequate).


I have a habit of cutting the source code and forwarding it with the 
email to abuse@xxx.


But it does not seem to work; in fact I have often noticed an increase.

--john



[pfx] Re: Server etiquette

2024-02-14 Thread John Hill via Postfix-users


On 2/14/24 4:18 AM, Nikolai Lusan via Postfix-users wrote:

On Wed, 2024-02-07 at 10:51 -0500, Phil Stracchino via Postfix-users
wrote:
> On 2/7/24 10:41, John Hill via Postfix-users wrote:
>> Good info.
>>
>> This site sends nothing but junk. In fact the domain is known for
>> it.
>> I tried just rejecting the email address. But they just change it.
>> So I blocked the IP, they have several.

> Have you considered blocking the *domain* with a 50x error (permanent
> fail)?

Amen.  My blocklist contains a mix of domains and individual addresses
(predominantly gmail/outlook/hotmail/yahoo). Blocking the whole domain
can be more effective than blocking the individual addresses (which can
theoretically be a long list). Unless you have certain email addresses
from that domain you _need_ to receive mail from either whitelist just
the addresses you know are legit and block the domain (assuming there is
more than one address sending spam/virus/garbage). Or you could go down
the path most MS hosted domains do, and send everything to SPAM folders
unless the address/domain is in someone's contact list (probably means
writing a filter that can communicate with a CardDAV server).



I used an access list to redirect all email from them to a spam folder.

Turns out I was asked to block the emails users had subscribed to.

I broke my rule of never unsubscribing email and did each one.

To my surprise they went away.

The redirect access list is a great tool I will use often.

--john




[pfx] Re: Server etiquette

2024-02-08 Thread John Hill via Postfix-users


On 2/7/24 12:53 PM, John Hill via Postfix-users wrote:


On 2/7/24 12:15 PM, Viktor Dukhovni via Postfix-users wrote:
On Wed, Feb 07, 2024 at 11:21:10AM -0500, John Hill via Postfix-users 
wrote:


I use fail2ban as well. I'm just going to see if the sender server 
will give

up!

I prefer to have logs that record what I'm blocking.  With firewall
rules there's not sufficient forensic evidence left behind.


True.

I think this deny list is working. The hits keep coming, but fewer so 
far!


--john




Viktor was right. With the postscreen deny list I get fewer hits. I was 
blocking over 8,000 hits on the firewall from 28 hosts (same domain).


Now it has dropped to circa 800 total.

Am I correct, I can use a client access list to redirect by IP to a 
virtual email account?


It might be interesting to see what is so important about this email.


--john



[pfx] Re: Server etiquette

2024-02-07 Thread John Hill via Postfix-users



On 2/7/24 12:56 PM, Matus UHLAR - fantomas via Postfix-users wrote:

On 2/7/24 10:48, Matus UHLAR - fantomas via Postfix-users wrote:
postscreen is great against bots, but fail2ban with a firewall is 
still better

against abusers.


On 07.02.24 10:52, Phil Stracchino via Postfix-users wrote:
And once you get the "Aha!" insight into how its configuration works, 
it's actually not difficult to set up.


perfect note. It's quite hard to configure properly, luckily you can 
get sane defaults on e.g. Debian.


I have configured this into /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 195.80.174.185
loglevel = DEBUG

[postfix]
enabled = true
mode = aggressive


it should be enough for start you may want to adapt it to your e.g. 
firewall or syslog structure.


I wrote a fail2ban filter for postfix & postscreen. I tried, but could 
not get what I needed from the dist postfix one.






[pfx] Re: Server etiquette

2024-02-07 Thread John Hill via Postfix-users



On 2/7/24 12:15 PM, Viktor Dukhovni via Postfix-users wrote:

On Wed, Feb 07, 2024 at 11:21:10AM -0500, John Hill via Postfix-users wrote:


I use fail2ban as well. I'm just going to see if the sender server will give
up!

I prefer to have logs that record what I'm blocking.  With firewall
rules there's not sufficient forensic evidence left behind.


True.

I think this deny list is working. The hits keep coming, but fewer so far!

--john





[pfx] Re: Server etiquette

2024-02-07 Thread John Hill via Postfix-users



On 2/7/24 10:51 AM, Phil Stracchino via Postfix-users wrote:

On 2/7/24 10:41, John Hill via Postfix-users wrote:

Good info.

This site sends nothing but junk. In fact the domain is known for it.
I tried just rejecting the email address. But they just change it.
So I blocked the IP, they have several.


Have you considered blocking the *domain* with a 50x error (permanent 
fail)?




I thought postscreen deny did that?




[pfx] Re: Server etiquette

2024-02-07 Thread John Hill via Postfix-users

On 2/7/24 10:48 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 07.02.24 10:41, John Hill via Postfix-users wrote:

This site sends nothing but junk. In fact the domain is known for it.
I tried just rejecting the email address. But they just change it.
So I blocked the IP, they have several.

I have watched them do constant connections over and over: 20, then 
pause, then 20 again and again.

I think I have become somewhat of a challenge.

I'll try using postscreen and see how it shakes out.


postscreen is great against bots, but fail2ban with a firewall is still 
better against abusers.



I use fail2ban as well. I'm just going to see if the sender server will 
give up!



[pfx] Re: Server etiquette

2024-02-07 Thread John Hill via Postfix-users

Good info.

This site sends nothing but junk. In fact the domain is known for it.
I tried just rejecting the email address. But they just change it.
So I blocked the IP, they have several.

I have watched them do constant connections over and over: 20, then pause, 
then 20 again and again.

I think I have become somewhat of a challenge.

I'll try using postscreen and see how it shakes out.

Thanks
--john

On 2/7/24 10:05 AM, Viktor Dukhovni via Postfix-users wrote:

On Wed, Feb 07, 2024 at 07:59:44AM -0500, John Hill via Postfix-users wrote:


Do mail servers as a whole stop sending an email after a few errors?

For a single message, sure.

 On soft errors (4XX), most retry, typically stopping after a maximal
 delay.  The retry strategy varies, but 4,000 retries in one day is
 atypical, since that averages out to retrying approximately every 20
 seconds, without backoff.

 Sendmail, and IIRC Exim, retry at fixed intervals, with IIRC 30 minutes
 being somewhat popular.  Postfix performs exponential backoff from an
 initial (default 300s) minimal backoff time to a (default 4000s) maximum
 backoff time.


I have a server I have blocked in my firewall. It continues to try and is
blocked as many as 4000+ times a day.

If you drop packets from a system that has multiple messages to send,
then none of the messages will be rejected outright, and they'll all
queue up.  Once there are enough messages queued, you can easily see
thousands of TCP SYN attempts a day because:

 - Even a single application-level connection attempt will send
   multiple TCP SYNs until the connection times out.

 - Each message will be retried periodically.

 - Meanwhile more messages can arrive, or be already queued.


If postscreen was set to deny it, would that signal the server and limit the
attempts?

With a legitimate MTA, SMTP-layer reject would indeed be more effective.
(But then perhaps you should not be rejecting the mail???).




[pfx] Re: Server etiquette

2024-02-07 Thread John Hill via Postfix-users
I figured. I block on the ingress so it is minimal network but maximum 
pain in the A$$.


Thanks.


On 2/7/24 8:06 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 07.02.24 07:59, John Hill via Postfix-users wrote:

Do mail servers as a whole stop sending an email after a few errors?


abusers never stop, others possibly.

I have a server I have blocked in my firewall. It continues to try 
and is blocked as many as 4000+ times a day.


If postscreen was set to deny it, would that signal the server and 
limit the attempts?


The sending IP most likely would not care. It's better to keep that IP 
in firewall, maybe dropping packets, maybe tarpitting them (most 
probably requires addons to your firewall).





[pfx] Server etiquette

2024-02-07 Thread John Hill via Postfix-users

Do mail servers as a whole stop sending an email after a few errors?

I have a server I have blocked in my firewall. It continues to try and 
is blocked as many as 4000+ times a day.


If postscreen was set to deny it, would that signal the server and limit 
the attempts?


Thanks

--john





[pfx] Re: client checks with suspect IPs

2024-01-16 Thread John Fawcett via Postfix-users


On 16/01/2024 20:28, Alex via Postfix-users wrote:

Hi,

I need help with making a decision involved in determining whether to 
add an IP to my client_checks to bypass a blocklist entry on the 
Barracuda blocklist that is impacting one of our users. The problem is 
that this would also bypass the checks for other Zix hosted customers.


Jan 16 12:04:30 xavier postfix-118/postscreen[1006916]: NOQUEUE: 
reject: RCPT from  74.203.184.40]:3602: 550 5.7.1 Service unavailable; 
client [74.203.184.40] blocked using DNS Blocklist (barracuda); 
from=, to=, 
proto=ESMTP, helo=http://zh-gw.zixsmbhosted.com>>


I was also thinking I could add a sender_check for users at 
myclient.com <http://myclient.com> domain only, but that didn't work. 
The above entry relates to a client reject, but shouldn't a 
sender_check involving myclient.com <http://myclient.com> work as well?


smtpd_client_restrictions =
        permit_mynetworks,
        check_client_access ${indexed}client_checks,
        check_client_access pcre:$config_directory/client_checks.pcre,
        check_reverse_client_hostname_access 
pcre:$config_directory/reverse_client_hostname_access.pcre,

        check_client_access cidr:$config_directory/client_access_blocklist

/etc/postfix-118/client_checks.pcre:
/74\.203\.184\.40/                      OK

smtpd_sender_restrictions =
        permit_mynetworks,
        check_sender_access ${indexed}sender_checks,
        check_sender_access pcre:$config_directory/sender_checks.pcre,
        reject_unknown_sender_domain

/etc/postfix-118/sender_checks.pcre:
/myclient\.com/             permit

Any ideas greatly appreciated.


Hi Alex

that rejection is happening in postscreen, before handing off to smtpd 
so anything you configure in smtpd is not going to allow this email to 
pass. You'll at least need to allow this ip in the postscreen 
configuration for it to get to smtpd.


John


[pfx] Re: relay_domains override for smtpd

2024-01-16 Thread John Fawcett via Postfix-users


On 16/01/2024 18:12, Marc Dierksen via Postfix-users wrote:

Salutations,

I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that 
accepts mails on port 25 for a list of domains defined as 
relay_domains in the main.cf.


I am currently trying to set up a second smtpd process on port 587 that 
accepts mails only for local recipients.


I have added the following entry to the master.cf:

587    inet  n   -   y   -   -   smtpd
    -o relay_domains=
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_address_mappings,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
    -o mynetworks=127.0.0.0/8

The idea is that the reject_unauth_destination will reject all mails 
except for local recipients because relay_domains is empty.


The problem is that mails for all the domains defined as relay_domains in 
the main.cf are still accepted.


If I set relay_domains to empty in the main.cf it works as expected.

So it seems to me the '-o relay_domains=' parameter for smtpd does not 
work correctly. According to the man page of smtpd however it should 
be supported.


Am I overlooking something?


Hi Marc

I'm probably missing something, but what would be the advantage of 
setting up a separate smtpd process for this?  Out of curiosity, how 
are these emails being sent to port 587?


One suggestion is to customize the syslog name of the new smtpd instance 
in master.cf so as to easily distinguish the logging that comes from the 
two processes.


  -o syslog_name=postfix/submission

Could you show the log entries of what you are seeing when email arrives 
on port 587?


Thanks

John



___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: recipient_bcc_maps clarification.

2024-01-08 Thread John Fawcett via Postfix-users


On 08/01/2024 05:54, anant--- via Postfix-users wrote:

Hello,

We have in main.cf always_bcc = zz...@xx.com and our domain is xx.com

For 2 specific recipients of our domain, we don't want always_bcc to 
be applied, i.e. if a mail is addressed to a...@xx.com (our domain 
only), the mail should not be Bcc'd to zz...@xx.com. Similarly, if the mail 
recipient is d...@xx.com (our domain only), the mail should not be Bcc'd to 
zz...@xx.com.  For all others always_bcc should continue to apply.


So, in summary, main.cf

always_bcc = zz...@xx.com
recipient_bcc_maps=regexp:/etc/postfix/regexp_recipient_bcc


#/etc/postfix/regexp_recipient_bcc

a...@xx.com    a...@xx.com
d...@xx.com    d...@xx.com

Will the above configuration give the desired results, i.e. always_bcc 
not applying to a...@xx.com and d...@xx.com, with those mails 
delivered to a...@xx.com and d...@xx.com only?



Hi Anant

I don't think that will work: if you try it I think you will find you 
get two copies of the email to a...@xx.com and d...@xx.com and still get 
all mails copied to zz...@xx.com, without achieving the aim because the 
copy will also go to zz...@xx.com, i.e. these are all cumulative 
configurations.


You will need to eliminate the always_bcc configuration since you don't 
always want all email to be bcced. You should only have the 
recipient_bcc_maps configured.


Since this map is searched according to the search order indicated here 
https://www.postfix.org/postconf.5.html#recipient_bcc_maps you could try 
to map the more specific addresses to /dev/null and have a domain wide 
bcc for the rest.


In order to do it, and depending on how your domains are configured, you 
might need a local alias in the aliases file to send mail to /dev/null, 
e.g.


devnull:    /dev/null

Then you can use that as the bcc destination for those addresses that should 
skip bcc copies.


#/etc/postfix/regexp_recipient_bcc

a...@xx.com    devnull
d...@xx.com    devnull
@xx.com    zz...@xx.com

Postfix will still generate bcc messages for emails to abc and def but 
they won't actually get sent out.


best regards

John

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Smuggling?

2024-01-07 Thread John Hill via Postfix-users

I added onmicrosoft.com to my sender access file; I've dumped 10 so far.


On 1/7/24 1:41 PM, Matus UHLAR - fantomas via Postfix-users wrote:

On 07.01.24 10:17, John Hill via Postfix-users wrote:
First I am really amazed at the amount of support, that's not true 
everywhere. I also like the tone of the posts, very respectful.


I have 3.7.9 and all the settings.

Outlook protection is slamming me, 6 to 10 worthless emails every 
day. Glad they don't make condoms.


I have sent everyone with source back to ab...@outlook.com. They 
always automatically thank me.


I can't block outlook, so I gave up and block all onmicrosoft emails.

I'll see how that goes.


Is the domain still the same? Last time I got spam from such domain, I 
have blocked the .onmicrosoft.com domain at MTA level.




___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Smuggling?

2024-01-07 Thread John Hill via Postfix-users

Thx. Will do!

--john

On 1/7/24 12:57 PM, mailmary--- via Postfix-users wrote:

Same here, but I found some interesting facts about outlook spam, they have 4 
common marks that can be used to catch them with Spamassassin.

The following rules block all outlook spam, but will also block some legitimate emails 
that use "undisclosed recipients". Not a big deal for me and my networks, but 
be aware of this limitation. To use, simply copy-paste the rules into 
/etc/mail/spamassassin/outlook.cf (which is the correct location for Enterprise Linux 
distros like Alma, Rocky and Oracle).


Here are the rules:



header   __SPAM_DOMAIN_OUTLOO1 Received =~ /outbound\.protection\.outlook\.com/i
header   __SPAM_DOMAIN_OUTLOO2 From =~ /\@(?:outlook|hotmail)\.com\b/i
header   __SPAM_DOMAIN_OUTLOO3 To =~ /undisclosed/i
header   __SPAM_DOMAIN_OUTLOO4 To =~ /recipients/i
header   __SPAM_DOMAIN_OUTLOO5 exists:To

meta     SPAM_DOMAIN_OUTLOO6   (__SPAM_DOMAIN_OUTLOO1 && (__SPAM_DOMAIN_OUTLOO3 || __SPAM_DOMAIN_OUTLOO4))
score    SPAM_DOMAIN_OUTLOO6   15.0
describe SPAM_DOMAIN_OUTLOO6   Outlook spam with undisclosed recipients (outloo)

meta     SPAM_DOMAIN_OUTLOO7   (__SPAM_DOMAIN_OUTLOO2 && MISSING_HEADERS)
score    SPAM_DOMAIN_OUTLOO7   15.0
describe SPAM_DOMAIN_OUTLOO7   Outlook spam with missing headers (outloo)

meta     SPAM_DOMAIN_OUTLOO8   (__SPAM_DOMAIN_OUTLOO1 && __SPAM_DOMAIN_OUTLOO2 && __TO_EQ_FROM_DOM)
score    SPAM_DOMAIN_OUTLOO8   15.0
describe SPAM_DOMAIN_OUTLOO8   Outlook spam, same From/To (outloo)

meta     SPAM_DOMAIN_OUTLOO9   (__SPAM_DOMAIN_OUTLOO1 && MISSING_HEADERS && !__SPAM_DOMAIN_OUTLOO5)
score    SPAM_DOMAIN_OUTLOO9   15.0
describe SPAM_DOMAIN_OUTLOO9   Outlook spam with missing headers, missing To (outloo)






On Sun, 7 Jan 2024 10:17:56 -0500 John Hill via Postfix-users wrote:


First I am really amazed at the amount of support, that's not true
everywhere. I also like the tone of the posts, very respectful.

I have 3.7.9 and all the settings.

Outlook protection is slamming me, 6 to 10 worthless emails every day.
Glad they don't make condoms.

I have sent everyone with source back to ab...@outlook.com. They always
automatically thank me.

I can't block outlook, so I gave up and block all onmicrosoft emails.

I'll see how that goes.

--john



[pfx] Smuggling?

2024-01-07 Thread John Hill via Postfix-users
First I am really amazed at the amount of support, that's not true 
everywhere. I also like the tone of the posts, very respectful.


I have 3.7.9 and all the settings.

Outlook protection is slamming me, 6 to 10 worthless emails every day. 
Glad they don't make condoms.


I have sent everyone with source back to ab...@outlook.com. They always 
automatically thank me.


I can't block outlook, so I gave up and block all onmicrosoft emails.

I'll see how that goes.

--john



[pfx] Re: Regarding reject_unlisted_sender and preventing sender address spoofing

2024-01-05 Thread John Fawcett via Postfix-users


On 05/01/2024 19:44, Taco de Wolff via Postfix-users wrote:

Hi,

I'm trying to understand how the reject_unlisted_sender option works 
in the smtpd_sender_restrictions option. This is what I understand it 
to do:


For any received mail (it is an smtpd option after all), either for 
receiving mail from an external server or for sending mail from a 
logged in user with SASL, it checks whether the sender domain 
(envelope FROM) is a valid recipient address (ie. in my case the 
domain exists in the virtual_mailbox_domains) for this server, and if 
it is not it will reject.


When testing however, it was accepting mail from an external server 
(gmail) to be delivered to an existing mailbox, but the sender domain 
was x...@gmail.com which is not a listed sender for my server 
obviously! Why are these mails not rejected? I don't want them to be 
rejected, but it is what I understood reject_unlisted_sender to do.


My goal is to prevent spoofing of the envelope FROM (since we can't 
control the header FROM from Postfix) for outgoing mail, I do this by 
setting smtpd_sender_login_maps and adding 
reject_sender_login_mismatch to the smtpd_sender_restrictions. This 
works perfectly for SASL authenticated users by forcing the envelope 
FROM to be the same as the login username (u...@domain.com), and I 
think the reject_unlisted_sender option would be redundant in this 
case. However, mail delivered locally (sendmail from system or from 
PHP) is not checked by the smtpd options, and I need a way to force 
the envelope sender for certain system users to 
nore...@primary-domain-of-user.com so that a PHP application can't 
spoof the envelope FROM when using sendmail. I use `sendmail -f 
nore...@primary-domain-of-user.com --` as the PHP sendmail_path, but 
I'd like to force this in Postfix for security.


Regarding spoofing of the header FROM, if they use a different domain 
name than their envelope FROM (whether it is a permitted sender for 
the server or not), the destination server will likely reject it due 
to invalid DKIM. This is something I'll take up with the milter 
(rspamd) that does the DKIM signing, to reject any mail that it cannot 
DKIM sign. It will be possible to use a different local part: 
int...@example.com could impersonate himself as ad...@example.com (not 
sure if that is something I want to fix).


Kind regards,
Taco de Wolff



Hi Taco

you might find the address class readme useful in this context 
https://www.postfix.org/ADDRESS_CLASS_README.html#classes.


A reject_unlisted_recipient that worked as you are suggesting, that can 
reject x...@gmail.com, would not be useful since your server cannot have 
the list of potentially valid senders for domains that are not managed 
by your server. Such addresses are in the "default domain class" which 
does not have any "valid recipient" table.


The thing to note about reject_unlisted_sender is that it rejects the 
senders that would be rejected as recipients by 
reject_unlisted_recipient. i.e. it rejects senders that would not be 
valid recipients on your server.


So if address aaa@yourdomain does not exist on your server 
reject_unlisted_sender would reject it. If address bbb@yourdomain does 
exist reject_unlisted_sender would not reject it.


So if you are aiming to prevent forgeries arriving via smtp at port 25 
then reject_unlisted_sender will do this for a subset (those that are 
not valid addresses for your server). If you want to prevent all 
forgeries, you'd need to set up a sender access table with a REJECT 
action for your domain(s), and obviously not apply that to submission. 
However that could break some legitimate use cases, such as mail forwarding.


As for adding security to php use of sendmail, sendmail does not enforce 
the kind of controls you want. If you are concerned about forgeries from 
php then it is best to disable the use of sendmail from php or 
substitute the php sendmail setting with something custom that performs 
the controls you want before invoking sendmail.


If you disable sendmail from php that way, people will have to 
authenticate to your submission service from php to send emails.


John
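John's last suggestion, a custom program in place of PHP's sendmail_path that enforces the envelope sender before calling the real sendmail, as an added example in Python. This is not from the thread and not part of Postfix; the sendmail location, the user-to-sender mapping and the option handling are assumptions. The wrapper discards any -f (or its obsolete sendmail-compatible alias -r) the caller supplied and forces the sender that belongs to the Unix account PHP runs as, so a web application cannot choose its own envelope FROM whatever it passes to mail().

```python
#!/usr/bin/env python3
"""Hypothetical sendmail_path wrapper: forces the envelope sender per Unix user."""
import os
import pwd
import sys

REAL_SENDMAIL = "/usr/sbin/sendmail"   # assumed location of Postfix's sendmail(1)

# Assumed mapping: the account a PHP pool runs as -> the only envelope sender
# it may use. Accounts that are not listed cannot submit through this wrapper.
SENDER_BY_USER = {
    "www-data": "noreply@example.com",
    "site-b": "noreply@example.org",
}


def allowed_sender(user):
    """Envelope sender configured for this Unix user, or None."""
    return SENDER_BY_USER.get(user)


def forced_argv(argv, user):
    """Build the argv to exec: drop caller-supplied -f/-r, prepend our own -f.

    Everything after "--" is a recipient list and is passed through untouched.
    Raises PermissionError for users without a configured sender.
    """
    sender = allowed_sender(user)
    if sender is None:
        raise PermissionError(f"user {user!r} has no permitted envelope sender")
    kept = []
    args = iter(argv[1:])
    for arg in args:
        if arg == "--":
            kept.append(arg)
            kept.extend(args)            # remaining args are recipients, keep verbatim
            break
        if arg in ("-f", "-r"):          # "-f addr" / "-r addr": value is the next arg
            next(args, None)             # discard the caller-supplied address
            continue
        if arg.startswith(("-f", "-r")):  # "-faddr" form
            continue
        kept.append(arg)                 # -t, -i, -oi, ... pass through
    return [REAL_SENDMAIL, "-f", sender, *kept]


def main():
    user = pwd.getpwuid(os.getuid()).pw_name
    try:
        argv = forced_argv(sys.argv, user)
    except PermissionError as exc:
        sys.exit(f"sendmail-wrapper: {exc}")
    os.execv(REAL_SENDMAIL, argv)        # the message on stdin is inherited


if __name__ == "__main__":
    main()
```

Install it root-owned and not writable by the PHP account, point sendmail_path at it with the same "-t -i" options PHP uses, and key the mapping by the accounts the PHP-FPM pools run as, so one pool cannot use another pool's sender. Postfix's own authorized_submit_users can additionally restrict which local accounts may submit mail at all.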










[pfx] Re: The SMTP HELP command

2023-12-29 Thread John R. Levine via Postfix-users

On Fri, 29 Dec 2023, Wietse Venema wrote:

The real reason is that it's easier to convince a few delinquent
MTA implementors, than an IETF working group.


The WG isn't opposed but we have a very long list of nits to clean up so 
I'd rather make the list shorter if, as in this case, it doesn't matter.


We also have one person (you can guess who) who thinks that sometime in 
the distant past there might have been a HELP command that returned 
something useful so who knows, maybe one will again.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


[pfx] Re: The SMTP HELP command

2023-12-29 Thread John R. Levine via Postfix-users

On Fri, 29 Dec 2023, Theodore Ts'o wrote:

Of course, implementing a HELP command is also not much work, so why
not?


That's the conclusion we came to in emailcore.  It's so easy to implement 
that even though it's been a long time (if ever) since it did anything 
useful, it's not worth the hassle of changing the spec.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


[pfx] Re: The SMTP HELP command

2023-12-29 Thread John Levine via Postfix-users
It appears that Joachim Lindenberg via Postfix-users said:
>Hello John,
>are you willing to share what direction you/IETF are working towards?

It's the EMAILCORE working group.  You can see the documents here:

https://datatracker.ietf.org/wg/emailcore/documents/

>What I am really missing is clear statements like SMTP-DANE, SPF, DKIM, DMARC 
>are mandatory unless you don't use SMTP at all. 

There is no chance whatsoever of that happening.

You might want to look at the applicability statement which is where
we are putting the implementation advice.

As with all IETF working groups, thoughtful comments from people who
have read the documents and looked at the mailing list archives to see
how we got here are welcome. People jumping in and saying "I think you
should do X" are not.

R's,
John


[pfx] Re: The SMTP HELP command

2023-12-29 Thread John Levine via Postfix-users
It appears that Phil Biggs via Postfix-users  said:
>Where do you see the "mandatory" requirement?  
>
>Section 4.1.1.8 says: 
>
>   SMTP servers SHOULD support HELP without arguments and MAY support it
>   with arguments.

SHOULD is IETF-ese for you have to, except that there might be reasons
not to do it but you better be sure you understand the implications.

R's,
John


[pfx] The SMTP HELP command

2023-12-28 Thread John Levine via Postfix-users
Over in the IETF we're slowly working on updating RFC 5321.

Today's topic is the HELP command. The current spec says that it is
mandatory to implement it. Most MTAs implement it by returning a fixed
string, or something close to fixed, e.g., gmail's answer appears to
include a code that tells you which instance you're talking to.

Unlike every other MTA I've looked at, Postfix doesn't implement it at
all and returns an error code. You don't have to tell me that it's
not useful, but why not? It's in the spec, the work to return the
string is trivial.

R's,
John


[pfx] Re: SMTP Smuggling disclosure process & VINCE

2023-12-23 Thread John D'Orazio via Postfix-users
I believe some users are in fact confusing DMARC and DKIM. DMARC is a
policy that lets receiving servers know how to deal with mail that seems to
be coming from your server but has *not* passed SPF and DKIM checks. From
the Google support forum:

DMARC (Domain-based Message Authentication, Reporting, and Conformance):
lets you tell destination servers what to do with outgoing messages
from your organization that fail SPF or DKIM authentication

The problem with this attack is that it succeeds in passing SPF record
policies and DKIM signature policies with the attacker's domain, then
injecting a message with a different from header into the validated
message, making it seem quite like an authentic message.


On Sat 23 Dec 2023, 21:03 Wietse Venema via Postfix-users <
postfix-users@postfix.org> wrote:

> Bill Sommerfeld via Postfix-users:
> > On 12/22/23 17:30, Vijay S Sarvepalli via Postfix-users wrote:
> > > Arguably the second server is at fault
> > > here for "SPF" signing two emails, nevertheless the vulnerability is
> due
> > > to the combinatorial or Composition Attack as Wietse has identified.
> >
> > SPF does not involve any per-message signatures.  Did you perhaps mean
> > to say "DKIM" here?
>
> Vijay was confused.
>
> The smuggled message has no From: aligned DKIM signature from the
> From: address domain. The receiving mail system is in a different
> domain, and therefore cannot add a From: aligned DKIM signature.
>
> The receiving MTA can assert that the message was received from
> an IP address that satisfied the SPF policy for the envelope sender
> domain. That is the whole point of this attack on SPF-based authentication.
>
> Wietse


[pfx] SMTP smuggling in Postfix

2023-12-20 Thread John D'Orazio via Postfix-users
I was directed to this thread from the dev mailing list. Seeing I'm using
Postfix 3.4.13 on a server of mine that has an OS of Ubuntu 20.04, I'm
guessing I don't have access to this smtpd restriction. I have however
started implementing amavis as spam detection, which does use -o
smtpd_data_restrictions=reject_unauth_pipelining. Should this be enough?
Would this have the same effect?

> - Postfix 3.9 (pending official release soon), rejects unauthorised
>   pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting
>   code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining"
>   parameter defaults to "no".
>
>  This default avoids breaking compatibility in a patch to stable
>  release, in case some fax-to-email machine, or other minimally
>  conformant device performs illegal pipelining.
>
>  However, for most users it is IMHO prudent to override the default to
>  "yes" in their configuration, after ensuring that this is
>  compatible with their mail flows.


[pfx] SMTP smuggling in Postfix

2023-12-19 Thread John Levine via Postfix-users
This paper describes a clever hack that uses defective line endings to embed
a second SMTP session inside a first one, which has the practical effect
of letting you send fake authenticated mail from anyone else who uses the
same mail system you do.  If that system is MS Outlook, that's a lot of people.

The hack depends on embedding strings like . in a message which
a sending system doesn't recognize as needing dot stuffing, and a recipient
system treats as end of data.

The paper claims that Postfix falls for this trick.  We might want to tighten
up bare LF handling.  These days does anything that's not a botnet send bare
LFs without using BDAT?

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

R's,
John
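The two smuggling posts above describe the trick (defective line endings, a dot the sender does not stuff, a receiver that accepts it as end of data) and the Postfix parameter that closes the pipelining side of it; later Postfix releases also added smtpd_forbid_bare_newline for the bare-LF side. As an added example, not Postfix code and not from either post, the following Python shows both halves of correct behaviour: a sender must canonicalize every line ending to CRLF before dot-stuffing, and a strict receiver must end DATA only at CRLF.CRLF, treating anything that merely resembles the marker as message content and reporting the bare line endings so policy (normalize or reject) can act on them. The sample DATA stream is constructed.

```python
import re

BARE_LF = re.compile(rb"(?<!\r)\n")   # LF not preceded by CR
BARE_CR = re.compile(rb"\r(?!\n)")    # CR not followed by LF
END_OF_DATA = b"\r\n.\r\n"            # the only end-of-data sequence RFC 5321 defines


def find_bare_line_endings(data: bytes):
    """Byte offsets of every bare LF or bare CR in data (empty list if clean)."""
    offsets = [m.start() for m in BARE_LF.finditer(data)]
    offsets += [m.start() for m in BARE_CR.finditer(data)]
    return sorted(offsets)


def canonicalize_and_dot_stuff(body: bytes) -> bytes:
    """Sender side: normalize line endings to CRLF, then dot-stuff, then add ".".

    Stuffing before normalizing is the defect the posts describe: a line that
    only becomes a line after the receiver's lenient split is never stuffed.
    """
    text = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if not text:
        return b".\r\n"
    lines = text.split(b"\n")
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    wire = b"\r\n".join(stuffed)
    if not wire.endswith(b"\r\n"):
        wire += b"\r\n"
    return wire + b".\r\n"


def receive_data_strict(stream: bytes):
    """Receiver side: only <CRLF>.<CRLF> ends DATA.

    Returns None while the marker has not arrived, otherwise a dict with the
    un-stuffed message, the bytes following the marker (next commands) and the
    offsets of bare line endings found inside the message.
    """
    if stream.startswith(b".\r\n"):              # empty message
        raw, rest = b"", stream[3:]
    else:
        idx = stream.find(END_OF_DATA)
        if idx < 0:
            return None
        raw, rest = stream[:idx + 2], stream[idx + len(END_OF_DATA):]
    # Undo dot-stuffing on CRLF-delimited lines only; a bare-LF "." stays data.
    lines = raw.split(b"\r\n")
    message = b"\r\n".join(ln[1:] if ln.startswith(b".") else ln for ln in lines)
    return {
        "message": message,
        "rest": rest,
        "bare_line_endings": find_bare_line_endings(message),
    }


if __name__ == "__main__":
    # Constructed DATA stream: the LF-delimited "." in the body must not end DATA.
    stream = b"Subject: x\r\n\r\nhello\n.\nsecond part\r\n.\r\nQUIT\r\n"
    result = receive_data_strict(stream)
    print("message :", result["message"])
    print("next cmd:", result["rest"])
    print("bare LF/CR at offsets:", result["bare_line_endings"])
    print("sender output:", canonicalize_and_dot_stuff(b"hello\n.\nsecond part"))
```

A receiver that also accepted LF.LF would split the sample stream after "hello" and read "second part" as new commands from the already-authenticated session; the strict parser keeps it as body and lists the two bare LFs so the server can reject or normalize according to its configuration.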


[pfx] Re: 25 years today

2023-12-15 Thread John Stoffel via Postfix-users
>>>>> "Wietse" == Wietse Venema via Postfix-users writes:

> As a few on this list may recall, it is 25 years ago today that the
> "IBM secure mailer" had its public beta release. This was accompanied
> by a nice article in the New York Times business section.

As a recovering sendmail user, I appreciate all the hard work you've
put into this tool and all the help you continue to give all these
years later.  I wish I could buy you a beer, or a dinner out to thank
you for all the time and money you've saved me over the years.

John


[pfx] Re: 25 years today

2023-12-14 Thread John Fawcett via Postfix-users



On 14/12/2023 14:20, Wietse Venema via Postfix-users wrote:

As a few on this list may recall, it is 25 years ago today that the
"IBM secure mailer" had its public beta release. This was accompanied
by a nice article in the New York Times business section.


Thanks Wietse and to all who have contributed.

Apart from being the only MTA software I'd want to use, this project 
stands out for its exemplary software engineering from design to 
implementation and for the dedication to its support and evolution.


Happy anniversary Wietse and everyone!

John



[pfx] Re: 25 years today

2023-12-14 Thread John Hill via Postfix-users
I am a retired System Administrator. I have used Postfix to feed 
Exchange servers. I trust Postfix on the front line.


Now as a hobbyist I use it for my personal domain.

Thank you for the continued dedication to the project.

25 years is a huge accomplishment.

Congratulations!

--john


On 12/14/23 8:20 AM, Wietse Venema via Postfix-users wrote:

As a few on this list may recall, it is 25 years ago today that the
"IBM secure mailer" had its public beta release. This was accompanied
by a nice article in the New York Times business section.

There is some literature at https://www.postfix.org/press.html that
attests how this project accelerated open-source adoption by a very
large company.

At the time there were several efforts by people inside IBM to do
open-source projects, but it was the NY Times article that brought
open source on the radar of the CEO. He then tasked people to come
up with an open-source strategy for IBM.

As for the name Postfix, my colleagues and I had come up with
multiple names that were rejected each time (I still have some
Internet domains names from that time). We decided that this was
not going to work, released it as "IBM secure mailer", and then,
after IBM was no longer in control, changed the name to Postfix.

That was a long time ago. Postfix has evolved as the Internet has
changed. I am continuing the overhaul of this software, motivated
by people like you on this mailing list.

Wietse


[pfx] What does postfix do with malformed messages?

2023-11-28 Thread John Levine via Postfix-users
If a malformed mail message shows up by SMTP (not local sendmail or
submission), will postfix generally try to clean it up or just
pass it along?

I see the cleanup program and all the options about when to run it and
what to tell it to do, but in practice, will a typical system clean
everything up, just locally submitted stuff, or something else? TNx.

R's,
John




[pfx] Re: SMTP Require TLS Option?

2023-10-13 Thread John Levine via Postfix-users
It appears that Viktor Dukhovni via Postfix-users said:
>Postfix supports DANE, but there's no MTA-STS support.  And I've not
>seen much by way of receiving MTAs advertising REQUIRETLS as a
>capability

I did a proof of concept implementation that advertises REQUIRETLS and then 
ignores it.

As I told the guy who wrote the RFC, if you send mail to my MTA,
you're going to get what you get, not something else that you might
want.

R's,
John


[pfx] Re: Anyone using SMTP relay through dnsexit.com?

2023-06-27 Thread John Stoffel via Postfix-users
>>>>> "Jim" == Jim Wright via Postfix-users  writes:

> Hey all.  Recently my ISP (Spectrum) decided (after this was working for 
> me for almost 20 years) to make it impossible for a self hosted domain 
> to relay through their SMTP server unless it was actually a spectrum.com 
> email address being used.  After going back and forth with them to try 
> to find a workaround, I had to give up and look elsewhere.  My next stop 
> was with dnsexit.com.

I've got sorta the same issue, but it's more that Spectrum (charter)
is not allowing any emails from my personal domain hosted on Linode to
send email to their customers.  Guess who runs cable in my town?
Sigh... so I too am looking for solutions.  


> Despite following their FAQ on postfix setup 
> (http://www.dnsexit.com/support/mailrelay/postfix.html), I kept getting 
> the dreaded 454, Relay access denied error message when attempting to 
> send.  I verified all of my settings with their support but still 
> couldn't relay through them, even though I had working settings 
> previously for Spectrum (mail.twc.com).

> Finally, I setup an account with smtp2go.com, jumped through their hoops 
> to set up various cname records for my domain, and once that was done, I 
> was able to relay a test email through them on the first try.  So, 
> everything seemed to point to some issue with the dnsexit folks.

It's probably charter doing their own spam blocking by just blocking
entire netblocks.  

> My question for the list is, is anyone here relaying via dnsexit.com, 
> and if so, did you have similar issues that got resolved?  I'd rather 
> use their service if possible as they are currently handling my dynamic DNS.

It's almost certainly charter just blocking netblocks.  It sucks.  

John


[pfx] Re: A strange DMARC failure

2023-05-16 Thread John Levine via Postfix-users
It appears that Tom Reed via Postfix-users  said:
>Since the message was sent to mailing list which rewrites envelope address
>and adds list signature, so:
>
>1) SPF for header From: address won't get pass due to SRS.
>2) DKIM won't get pass due to list signature.
>
>So the DMARC failed totally and the message was rejected.

Right.  Approximately every mailing list in the world has this problem.

>How to improve this?

There is no good answer. If your system is fairly small, make a
whitelist of mailing lists (probably by IP) and skip the DMARC checks.

Some lists apply ARC headers which let you look back and see what the
DMARC result was before the list changed it, but most lists don't, and
at this point there is no ARC milter I would want to use.

R's,
John


[pfx] Re: any web.de staff here?

2023-04-16 Thread John Levine via Postfix-users
It appears that Jaroslaw Rafa via Postfix-users  said:
>Dnia 16.04.2023 o godz. 16:32:41 Gerald Galster via Postfix-users pisze:
>> 
>> Mails classified as spam or external forwards seemingly take another route
>> via mout-xforward.web.de. These servers are SBL-listed by intention, most
>> likely because the spam probability is higher in this context. This 
>> separation
>> helps mout.web.de to maintain a better reputation.
>
>While I can fully understand separation of outgoing servers for different
>classes of emails, who the hell intentionally puts their own outgoing
>servers on a blacklist???

I believe it's due to a strained reading of German law that claims
it's illegal to interfere with mail without the user's permission, so
their solution is to route the outgoing spam into a black hole rather
than block it locally. As the SBL listing suggests, they don't expect
anyone to accept it.

But this has nothing to do with Postfix.  You can ask the same question
on the mailop list but I doubt you'll get a different answer.

R's,
John


[pfx] Re: any web.de staff here?

2023-04-16 Thread John Levine via Postfix-users
It appears that tom--- via Postfix-users  said:
>$ dig -x 82.165.159.35 +short
>mout-xforward.web.de.
>
>Can anyone from web.de help with this?

The only people who should be able to send mail through that server are web.de 
customers.

If you are a customer, what happened when you contacted them through
their customer support channels and asked for the support you are
paying for?

If you are not a web.de customer, how did you send mail through their system?

R's,
John


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread John Stoffel via Postfix-users
>>>>> "Phil" == Phil Stracchino via Postfix-users writes:

> On 3/7/23 15:36, Bernardo Reino via Postfix-users wrote:
>> On Tue, 7 Mar 2023, John Stoffel via Postfix-users wrote:
>> 
>>> So what's the option for a more up-to-date version of DKIM milter for debian?
>> 
>> rspamd does DKIM, SPF, DMARC and ARC (and lots more), and doesn't segfault 
>> (so
>> far ;-)


> I'm STILL trying to figure out rspamd's documentation enough to
> understand how to enable and configure all of those, so that I can
> have one milter instead of four.

I found and fixed my own opendkim.conf screwup and I think I'm now
validating incoming and signing outgoing stuff properly now.  I
think.  LOL!

I used to try using rspamd, but it's a resource hog on small Linode/DO
droplets with only 1gb of RAM.  And as you suggest, the configuration
style is pretty damn baroque (as in weird and complex and its own
thing entirely) and I gave up and went to spamassassin for incoming
email filter.

John


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread John Stoffel via Postfix-users
> "mailmary---" == mailmary--- via Postfix-users writes:

> Unfortunately I've seen this crash as well, it's actually quite
> frequent in my case and I'm using a newer version of OpenDMARC than
> you:

> # opendmarc -V
> opendmarc: OpenDMARC Filter v1.4.2
>   SMFI_VERSION 0x101
>   libmilter version 1.0.1
>   Active code options:
>   WITH_SPF
>   WITH_SPF2


> No solution so far, I think there are 2-3 open bug reports on
> github, but since the project is very dead, nobody has bothered to
> fix the problem.

So what's the option for a more up-to-date version of DKIM milter for Debian?


Re: Send email to one @domain.com via authenticated relay?

2022-12-05 Thread John Stoffel
> "Bill" == Bill Cole  writes:

> On 2022-12-04 at 20:57:49 UTC-0500 (Sun, 4 Dec 2022 20:57:49 -0500)

> You are missing the point here.

> NO ONE running a serious mailserver will reject mail based on a 
> UCEPROTECT level 3 listing. It is a waste of your energy to focus on 
> that listing.

I'd like to believe that.

> Your problem is Linode. They have had a steady stream of spamming 
> customers that they have failed to deal with for extended periods. Some 
> mail systems have responded by rejecting all mail from all machines on 
> Linode networks.

Sure, I can understand that, but I don't like it and I don't really
want to move to another hosting provider at this time, unless people
have a good suggestion?  

And how long before that provider gets completely banned as well?  And
what VPS provider do you recommend?

So right now I'm trying to learn how to write a milter to re-write
email sent via a specific transport.  So I have set up my transport
like this:

  # Added to deliver mail to charter.net, 20221202
  charter   unix  -   -   y   -   -   smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt
  -o smtp_generic_maps=hash:/etc/postfix/sender_charter
  -o header_checks=pcre:/etc/postfix/charter_header_first
  -o smtp_header_checks=pcre:/etc/postfix/charter_header_second
  -o myorigin=charter.net


And I have it properly trying to send the emails, but I get bounced
with:

  : host mobile.charter.net[47.43.18.12] said:
  550 5.1.0  sender rejected (in reply to MAIL FROM
  command)

so I think I need a milter to re-write my From: header on my outgoing
emails to be jstof...@charter.net.

Should be simple, but how to tie it in isn't quite clear-cut to me
yet.  



Re: Send email to one @domain.com via authenticated relay?

2022-12-04 Thread John Stoffel
>>>>> "Rob" == Rob McGee  writes:

> On 12/3/2022 9:37 AM, John Stoffel wrote:
>>>>>>> "Jim" == Jim Popovitch  writes:
>> 
>>> On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
>>> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
>>> spam list.  Nothing I can do about it.
>> 
>> 
>>> I doubt that many sites block by using UCEPROTECH-3 alone, but you can
>>> use www.whitelisted.org to be excluded from it.
>> 
>> I'm not going to pay those scum to get my IP whitelisted, that's just
>> blackmail.  How does paying some extortionate third party make my
>> email problems go away?

> Like Jim said, it's very unlikely that a UCEPROTECT listing would be the 
> cause of any delivery problems. Do you have some evidence that your 
> target site (charter.net?) is using UCEPROTECT for blocking?

> If so, please share that evidence. If not, assume your listing has 
> nothing to do with your problem. It surely does not.

I'm not sure honestly, and charter isn't saying.  I was on a chat with
a 1st level support guy for over an hour, and each time he came with
an RBL to check, or some other setting, I was able to show that my
IP/hostname was clean, without any entries.  The only entry I could
find was in the UCEPROTECT-3 list, which blocks entire chunks.


So now my option is to set up a special transport which would be used
to submit emails to charter.net, but now I need to set up a milter
because I need to replace the From: *@stoffel.org with 

From: jstof...@charter.net
Reply-to: *@stoffel.org

so that it all gets handled nicely.  It's not a critical need, but
it's an opportunity to learn how to write a milter and how to tie it
into just a specific transport for outgoing emails.  

I don't want/need a full fledged mailman like setup either. 

John



Re: Send email to one @domain.com via authenticated relay?

2022-12-03 Thread John Stoffel
>>>>> "Wietse" == Wietse Venema  writes:

> Viktor Dukhovni:
>> On Fri, Dec 02, 2022 at 11:36:30AM -0500, John Stoffel wrote:
>> 
>> > I tried setting up /etc/postfix/transport_maps like this:
>> > 
>> >charter.net  [mobile.charter.net]:587

> The right-hand side should be 

>   transport:nexthop

> or

>   transport:nexthop:service-or-port

> Where transport is the name of a mail delivery service in master.cf,
> like 'smtp' or 'relay'.

Thanks, this was just the nudge I needed to make this work.  But... it
turns out that charter.net deliveries to port 587 requires that I
change the following two configs:

  smtp_tls_wrappermode = yes
  smtp_tls_security_level = encrypt

where I used to just have 

  smtp_tls_security_level = may

before.  So I strongly suspect I need to set up a new transport in
master.cf called "charter" which will override those two settings for
deliveries, so I added this:

  # Added to deliver mail to charter.net, 20221202
  charter   unix  n   -   y   -   -   smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt


And this works, but now I need to tweak the transport so that when it
logs in, the MAIL FROM uses the proper name of jstof...@charter.net,
but I haven't been able to make it work quite yet.

I've also setup two pcre maps, and now my transport looks like this:

   # Added to deliver mail to charter.net, 20221202
   charter   unix  -   -   y   -   -   smtp
   -o smtp_tls_wrappermode=yes
   -o smtp_tls_security_level=encrypt
   -o smtp_generic_maps=hash:/etc/postfix/sender_charter
   -o header_checks=pcre:/etc/postfix/charter_header_first
   -o smtp_header_checks=pcre:/etc/postfix/charter_header_second

And the two maps are:

  # cat charter_header_first
  /^From:(.*)/ PREPEND X-Original-From: $1

  # cat charter_header_second
  /^From:(.*)/ REPLACE From: 


Note: Of course I want this to work properly if I have multiple
recipients in an email but only one of them is in an @charter.net
address, only that single email should be re-written to have the new
From: header.


Anyway, when I do the above, I get the following in the logs, which
tells me I probably need to tweak the masquerade setting for the
charter transport:

   Dec  3 16:47:21 localhost postfix/smtp[548460]: Untrusted TLS
   connection established to mobile.charter.net[47.43.18.12]:587: TLSv1.2
   with cipher AES256-SHA256 (256/256 bits)
   Dec  3 16:47:26 localhost postfix/smtp[548460]: EE29D275BF:
   to=, relay=mobile.charter.net[47.43.18.12]:587,
   delay=5.3, delays=0.05/0.01/0.17/5.1, dsn=5.1.0, status=bounced (host
   mobile.charter.net[47.43.18.12] said: 550 5.1.0 
   sender rejected (in reply to MAIL FROM command))


So I'm getting there, but not quite.  Would it be smarter to just
set up two instances of postfix, and use the transport map from the
main instance to only send to the second when needed, and then do all
the header re-writing there?  

Thanks,
John



Re: Send email to one @domain.com via authenticated relay?

2022-12-03 Thread John Stoffel
>>>>> "Jim" == Jim Popovitch  writes:

> On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3 
> spam list.  Nothing I can do about it. 


> I doubt that many sites block by using UCEPROTECH-3 alone, but you can 
> use www.whitelisted.org to be excluded from it.

I'm not going to pay those scum to get my IP whitelisted, that's just
blackmail.  How does paying some extortionate third party make my
email problems go away?  

I'm going to be looking into the transport maps solution that I was
pointed to.  


Re: AW: Send email to one @domain.com via authenticated relay?

2022-12-03 Thread John Stoffel
>>>>> "Joachim" == Joachim Lindenberg  writes:

> UCEProtect are gangsters, even the founder admits:
> https://uceprotect.wtf/. You don´t want to do anything about it,
> except you are located in Europe and can complain to their customers
> and authorities violating GDPR.

Yup, I wish I could do something about them since they are doing a
disservice, but it's charter.net in the US who are really to blame
here for blocking my IP by being lazy.  

This is why I hate the US telecoms market in a lot of ways...

> -Original Message-
> From: owner-postfix-us...@postfix.org  On behalf
> of John Stoffel
> Sent: Friday, 2 December 2022 17:37
> To: Postfix users 
> Subject: Send email to one @domain.com via authenticated relay?


> Hi all,
> I run my own domain @stoffel.org and I'm trying to fix a problem sending 
> email to @charter.net users, since Spectrum has blocked my Linode's ASN 
> number completely.  My IP passes all the RBL blacklists their first line 
> support suggested I check, but I find my IP for mail.stoffel.org in the 
> UCEPROTECT-3 spam list.  Nothing I can do about it.  Running postfix 3.5.13

> Since I'm also a charter customer for my internet, I've got an email account 
> with them, so I'd like to just route all email for @charter.net addresses 
> through their transport.  

> Everything else should just route naturally to where ever the MX
> record points.   

> My host also has dovecot for local virtual users, with postscreen and 
> spamassassin set up as well.

> I tried setting up /etc/postfix/transport_maps like this:

>charter.net  [mobile.charter.net]:587

> But it started routing all my outgoing email through them, which isn't going 
> to work.  So I'm missing something here.  Do I need to set up a separate 
> instance for sending email to @charter.net through an authenticated 
> connection?

> I thought about using relay_domains = charter.net, but I certainly don't want 
> anyone to be able to use my host to try and spam that domain.  I really just 
> want SASL authenticated clients who send email from my stoffel.org domain to 
> be routed (and possibly have the from:
> header re-written and a reply-to: header added) through an authenticated path 
> into charter.net.

> I know this should be possible, just not finding the setting in my personal 
> mail archive of the list, or in google-foo.



>   $ postconf -nf
>   alias_database = hash:/etc/aliases
>   alias_maps = hash:/etc/aliases
>   append_dot_mydomain = no
>   biff = no
>   compatibility_level = 3.5
>   disable_vrfy_command = yes
>   html_directory = /usr/share/doc/postfix/html
>   inet_interfaces = all
>   inet_protocols = ipv4
>   local_recipient_maps = $virtual_mailbox_maps
>   message_size_limit = 5500
>   milter_connect_macros = i j {daemon_name} v {if_name} _
>   milter_default_action = accept
>   milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
>   milter_protocol = 6
>   mydestination = localhost
>   myhostname = mail.stoffel.org
>   mynetworks_style = host
>   myorigin = $myhostname
>   non_smtpd_milters = inet:127.0.0.1:8891
>   postscreen_access_list = permit_mynetworks
>   postscreen_greet_action = enforce
>   readme_directory = /usr/share/doc/postfix
>   recipient_delimiter = +
>   sender_bcc_maps = hash:/etc/postfix/sender_bcc
>   smtp_sasl_password_maps = hash /etc/postfix/saslpass
>   smtp_tls_loglevel = 1
>   smtp_tls_security_level = may
>   smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>   smtp_tls_wrappermode = yes
>   smtpd_banner = $myhostname ESMTP $mail_name
>   smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
>   zen.spamhaus.org
>   smtpd_milters = inet:127.0.0.1:8891
>   smtpd_recipient_restrictions = permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unauth_destination, check_sender_access
>   hash:/etc/postfix/local_domains
>   smtpd_tls_auth_only = yes
>   smtpd_tls_cert_file = /etc/letsencrypt/live/mail.stoffel.org/fullchain.pem
>   smtpd_tls_key_file = /etc/letsencrypt/live/mail.stoffel.org/privkey.pem
>   smtpd_tls_loglevel = 1
>   smtpd_tls_received_header = yes
>   smtpd_tls_session_cache_database =
>   btree:${data_directory}/smtpd_scache
>   smtpd_use_tls = yes
>   spamass-dovecot_destination_recipient_limit = 1
>   transport_maps = hash:/etc/postfix/transport_maps
>   virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
>   virtual_mailbox_domains = stoffel.org play.stoffel.org mail.stoffel.org
>   virtual_mailbox_maps = sqlite:/etc/postfix/virtual_users.cf
>   virtual_transport = spamass-dovecot



> 

Send email to one @domain.com via authenticated relay?

2022-12-02 Thread John Stoffel


Hi all,
I run my own domain @stoffel.org and I'm trying to fix a problem
sending email to @charter.net users, since Spectrum has blocked my
Linode's ASN number completely.  My IP passes all the RBL blacklists
their first line support suggested I check, but I find my IP for
mail.stoffel.org in the UCEPROTECT-3 spam list.  Nothing I can do
about it.  Running postfix 3.5.13

Since I'm also a charter customer for my internet, I've got an email
account with them, so I'd like to just route all email for
@charter.net addresses through their transport.  

Everything else should just route naturally to where ever the MX
record points.   

My host also has dovecot for local virtual users, with postscreen and
spamassassin set up as well.

I tried setting up /etc/postfix/transport_maps like this:

   charter.net  [mobile.charter.net]:587

But it started routing all my outgoing email through them, which isn't
going to work.  So I'm missing something here.  Do I need to set up a
separate instance for sending email to @charter.net through an
authenticated connection?

I thought about using relay_domains = charter.net, but I certainly
don't want anyone to be able to use my host to try and spam that
domain.  I really just want SASL authenticated clients who send email
from my stoffel.org domain to be routed (and possibly have the from:
header re-written and a reply-to: header added) through an
authenticated path into charter.net.

I know this should be possible, just not finding the setting in my
personal mail archive of the list, or in google-foo.



  $ postconf -nf
  alias_database = hash:/etc/aliases
  alias_maps = hash:/etc/aliases
  append_dot_mydomain = no
  biff = no
  compatibility_level = 3.5
  disable_vrfy_command = yes
  html_directory = /usr/share/doc/postfix/html
  inet_interfaces = all
  inet_protocols = ipv4
  local_recipient_maps = $virtual_mailbox_maps
  message_size_limit = 5500
  milter_connect_macros = i j {daemon_name} v {if_name} _
  milter_default_action = accept
  milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
  milter_protocol = 6
  mydestination = localhost
  myhostname = mail.stoffel.org
  mynetworks_style = host
  myorigin = $myhostname
  non_smtpd_milters = inet:127.0.0.1:8891
  postscreen_access_list = permit_mynetworks
  postscreen_greet_action = enforce
  readme_directory = /usr/share/doc/postfix
  recipient_delimiter = +
  sender_bcc_maps = hash:/etc/postfix/sender_bcc
  smtp_sasl_password_maps = hash /etc/postfix/saslpass
  smtp_tls_loglevel = 1
  smtp_tls_security_level = may
  smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  smtp_tls_wrappermode = yes
  smtpd_banner = $myhostname ESMTP $mail_name
  smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
  zen.spamhaus.org
  smtpd_milters = inet:127.0.0.1:8891
  smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination, check_sender_access
  hash:/etc/postfix/local_domains
  smtpd_tls_auth_only = yes
  smtpd_tls_cert_file = /etc/letsencrypt/live/mail.stoffel.org/fullchain.pem
  smtpd_tls_key_file = /etc/letsencrypt/live/mail.stoffel.org/privkey.pem
  smtpd_tls_loglevel = 1
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_database =
  btree:${data_directory}/smtpd_scache
  smtpd_use_tls = yes
  spamass-dovecot_destination_recipient_limit = 1
  transport_maps = hash:/etc/postfix/transport_maps
  virtual_alias_maps = hash:/etc/postfix/virtual-alias-maps
  virtual_mailbox_domains = stoffel.org play.stoffel.org mail.stoffel.org
  virtual_mailbox_maps = sqlite:/etc/postfix/virtual_users.cf
  virtual_transport = spamass-dovecot



=
  $ postconf -Mf
  smtp   inet  n   -   n   -   1   postscreen
  smtpd  pass  -   -   n   -   -   smtpd
  dnsblogunix  -   -   n   -   0   dnsblog
  tlsproxy   unix  -   -   n   -   0   tlsproxy
  submission inet  n   -   y   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o header_checks=regexp:/etc/postfix/header_checks
  -o 
smtpd_recipient_restrictions=permit_sasl_authenticated,reject_non_fqdn_recipient,reject_unauth_destination
  pickup unix  n   -   y   60  1   pickup
  cleanupunix  n   -   y   -   0   cleanup
  qmgr   unix  n   -   n   300 1   qmgr
  tlsmgr unix  -   -   y   1000?   1   tlsmgr
  rewriteunix  -   -   y   -   -   trivial-rewrite
  bounce unix  -   -   y   -   0   

Re: how to deal with t-online's blocking

2022-12-02 Thread John Stoffel
>>>>> "Henry" == Henry R  writes:

> I was once charter's customer.
> But I leave them since charter was bought by Spectrum.
> And spectrum blocks all IP from DO and Linode.

Yup, so now I'm trying to setup things so that my postfix routes all
emails to @charter.net users via my charter login, but all others
default to normal MX lookups and email sending.  

I've got my saslpass, transport_maps and other stuff setup, but it's
not quite working.  More reading and re-reading of the docs and this
list's archives, since I know this has come up before.

John


Re: how to deal with t-online's blocking

2022-11-30 Thread John Stoffel
> "Henry" == Henry R  writes:

> My mailserver once had some issues on sending messages to different
> providers. I have contacted the provders and most of them were kind
> enough to resolve the blocking issue. Thanks for them (ATT, GMX,
> 1and1 etc).

I'm in the same boat with one provider, charter.net, to shame them
publicly.  They block my mail host (with proper SPF records, reverse
DNS) mail.stoffel.org for some reason.  Probably because the block all
of linode's address space.  Jerks. 

> But t-online.de keep blocking me. I have contacted them twice and got the 
> same answer:

> We only allow evidently commercial or similar operators to connect
> to our mailservers. So, as a private user please use an SMTP relay
> or e-mail gateway of your hoster or ISP, that you can use as part of
> your contract with them. Their support will surely help you to
> configure your system accordingly.

Oh well... 

> That's so strange policy to permit only commercial company to send
> messages to them.  But there are many small companies/org who have
> their own mailservers, which can't send messages to t-online
> directly.

> How do you think of this behavior?

It sucks big time.  But unfortunately I can see more and more large
providers going this route.  

I wonder if they block hosts in the .edu domains as well like this?




Re: incoming log entries missing during peak arrival time

2022-11-15 Thread John Stoffel
> "Dhammika" == Dhammika Gunawardena  writes:

> We maintain a private relay server to send ebills for a customer.

Please send more details on your setup:  OS, postfix version, "postconf
-nf"  output, etc.  Give more details

> During peak sending hours, we miss about 5-10% of incoming messages
> but outgoing messages are available.

So the emails arrive successfully, but the rsyslog messages are lost?
In that case, look at your logging infrastructure.  systemd based
systems are notorious for dropping syslog messages under load.  

> We capture subject line in incoming message to track ebills. When
> incoming messages are missing, we are in trouble.

So write the log files to a local filesystem.  Or push all the
incoming emails through a milter which logs the ebill info into a
separate system.  Or better yet, just scan the incoming maildir (are
you using maildir?) once a minute for new mail files and then scan
those mails for the information you need.  

> Mail log written by rsyslog.

> Need help either
> 1. to fix the issue
> 2. Or write Subject in outgoing message

You need to re-explain your entire process here, since nothing you've
given us really shows the problem details.

Assume you're explaining it all to someone in accounting, and give
that kind of detail.  *grin*



Re: Unexpected record type 'X'

2022-10-06 Thread John Alex.
In my case, a single alias was used that expands to 5000 or more addresses in a 
virtual_alias_maps table (after increasing virtual_alias_expansion_limit).


The error is reproduced both when sending an email to this alias address and when just 
checking with 'sendmail -bv'.


John

On 10/6/22 16:37, Wietse Venema wrote:

How was your Postfix queue file with 5000 recipients created?
- with Postfix virtual_alias_maps expansion,
- with Postfix alias_maps expansion (/etc/aliases),
- by submitting a message with 5000 recipients over SMTP?
- ??


Re: Unexpected record type 'X'

2022-10-06 Thread John Alex.
Hi, I encountered the same issue on two FreeBSD 13.1 + Postfix 3.7.2 installations. It 
only occurs when trying to send an email with >4999 recipients (the mail queue is 
otherwise empty). This issue does not happen on another machine with FreeBSD 13.0 + 
Postfix 3.6.3.


After some search I found that it is caused by the following addition in qmgr_message.c in 
3.7 (line 441):


    if (strchr(expected_rec_types, rec_type) == 0) {
        msg_warn("Unexpected record type '%c' at offset %ld",
                 rec_type, (long) curr_offset);
        rec_type = REC_TYPE_ERROR;
        break;
    }

in combination with the pre-existing (line 385):

    /* Keep interrupt latency in check. */
    if (recipient_limit > 5000)
        recipient_limit = 5000;


If I remove the code that was introduced in 3.7, the mail is delivered without issue. I 
also tried changing 5000 to 10001 and the email was again successfully delivered to up to 
1 recipients.


So it seems this issue occurs whenever the mail queue total recipient count reaches 5000 
addresses.


John

On 8/30/22 10:20, Frank Brendel wrote:

Hi,

sporadically I get the error
   Unexpected record type 'X' at offset ...
and the message is moved to the corrupt queue.

E.g.
postfix/smtpd[19574] 010EDD6443: client=unknown[1.2.3.4]
postfix/cleanup[98995] 010EDD6443: message-id=<>
postfix/qmgr[63719] 010EDD6443: from=,
size=14197, nrcpt=24 (queue active)
postfix/qmgr[63719] warning: Unexpected record type 'X' at offset 17542
postfix/qmgr[63719] warning: saving corrupt file "010EDD6443" from
queue "active" to queue "corrupt"

The message looks OK to me. It is multipart/mixed with multiple
recipients. The offset is always at the end of the message.

postcat -do 010EDD6443
...
17481  78 boundary_641_fc5671dc-1c1d-438e-a827-019b96ffe19b--
17538  78
17540  78
17542  88 *** HEADER EXTRACTED 010EDD6443 ***
17544  69 *** MESSAGE FILE END 010EDD6443 ***

Postfix version is 3.7.0 and runs on FreeBSD 12.3.

I have no idea what HEADER EXTRACTED means and why it appears or why it
shouldn't.
Messages were sent with different email clients.

So what could be wrong with the message?


Thanks
Frank


  Frank Brendel
Data Center Administrator

Phone:    +49 811 9595-157
Fax:      +49 811 9595-199
Internet: https://www.eurolog.com

EURO-LOG AG
Am Söldnermoos 17, D-85399 Hallbergmoos
Board: Jörg Fürbacher
Chairman of the Supervisory Board: Markus Quicken
Court of registration: AG München HRB 140857
Tax no.: 115/118/10169
VAT ID no.: DE 811547361

This e-mail may contain confidential and/or privileged information. If you 
are not the intended recipient (or have received this e-mail in error) please 
notify the sender immediately and destroy this e-mail. Any unauthorized 
copying, disclosure or distribution of the material in this e-mail is 
strictly forbidden.


Dropping out

2022-08-30 Thread John Hicks
Any way I could get removed from this list?
Thanks!

On Tue, Aug 30, 2022 at 9:59 AM Wietse Venema  wrote:

> Wietse Venema:
> > Frank Brendel:
> > > Here's the Postfix log and the queue file.
> > >
> > > Aug 30 13:02:23 elvmwlx94.eurolog.com postfix/smtpd[56532] 57850C4DC9:
> > > client=unknown[194.50.162.68]
> > > Aug 30 13:02:23 elvmwlx94.eurolog.com postfix/cleanup[55311]
> > > 57850C4DC9: message-id=<>
> > > Aug 30 13:02:23 elvmwlx94.eurolog.com postfix/qmgr[63719] 57850C4DC9:
> > > from=, size=103176, nrcpt=12 (queue active)
> > > Aug 30 13:02:23 elvmwlx94.eurolog.com postfix/qmgr[63719] warning:
> > > Unexpected record type 'X' at offset 105234
> > > Aug 30 13:02:23 elvmwlx94.eurolog.com postfix/qmgr[63719] warning:
> > > saving corrupt file "57850C4DC9" from queue "active" to queue "corrupt"
> > >
> > >
> > > Between these log entries are some other qmgr logs with the same PID
> > > too. Maybe you want the whole log section with some lines before and
> > > after?
> >
> > The "unexpected record" problem does not reproduce on my test system
> > (Fedora Core) which uses gcc.
> >
> > Now I know that FreeBSD is CLANG based which is fairly aggressive
> > so I'll see if I can reproduce this on a FreeBSD 13 VM that I
> > already have.
>
> Postfix 3.7.2 built with CLANG from the official Postfix source
> release on FreeBSD 13.1-RC3 also does not reproduce the problem.
> It attempts to deliver the message as expected.
>
> % cc -v
> FreeBSD clang version 13.0.0 (g...@github.com:llvm/llvm-project.git
> llvmorg-13.0.0-0-gd7b669b3a303)
> Target: x86_64-unknown-freebsd13.1
> Thread model: posix
> InstalledDir: /usr/bin
>
> and
>
> % uname -a
> FreeBSD freebsd131.porcupine.org 13.1-RC3 FreeBSD 13.1-RC3
> releng/13.1-n250110-ec2fbe4b1ec GENERIC amd64
>
> and
>
> % egrep '^(CC|OPT)' Makefile
> CC  = cc -I. -I../../include -I/usr/local/include -DHAS_DEV_URANDOM
> -DHAS_PCRE=2 -I/usr/local/include -UUSE_DYNAMIC_LIBS -DDEF_SHLIB_DIR=\"no\"
> -UUSE_DYNAMIC_MAPS $(WARN)
> OPT = -O
> OPTS= 'WARN=$(WARN)'
>
> I'll look into FreeBSD 12.3 later. I don't have a VM with that OS.
>
> Wietse
>
> > Details
> > ===
> >
> > I copied your file into /var/spool/postfix/incoming and did "chmod
> > 700" and "chown postfix".
> > At that point we should have the same conditions as on your machine.
> >
> > In fact, I made a mistake, and the message was delivered to my relayhost:
> >
> > Aug 30 08:46:55 wzv postfix/qmgr[417146]: 57850A22B0: from=<
> a...@eurolog.com>, size=103176, nrcpt=12 (queue active)
> > Aug 30 08:46:55 wzv postfix/tlsproxy[417370]: CONNECT to [168.100.3.2]:25
> > Aug 30 08:46:55 wzv postfix/tlsproxy[417370]: Untrusted TLS connection
> established to spike.porcupine.org[168.100.3.2]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: Untrusted TLS connection
> established to spike.porcupine.org[168.100.3.2]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256
> > Aug 30 08:46:55 wzv postfix/tlsproxy[417370]: DISCONNECT [168.100.3.2]:25
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> auftragsmanagement.illin...@mosolf.de>, 
> relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> melanie.schwit...@mosolf.de>, relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> bjoern.dannenm...@mosolf.de>, relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> anne.meh...@porsche.de>, relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> denice.lidmi...@porsche.de>, relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> fabian.hasenhue...@porsche.de>, relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv postfix/smtp[417367]: 57850A22B0: to=<
> fabian.ha...@porsche.de>, relay=spike.porcupine.org[168.100.3.2]:25,
> delay=6272, delays=6272/0.06/0.07/0.05, dsn=2.0.0, status=sent (250 2.0.0
> Ok: queued as 4MH6Wg2yvCzJrP1)
> > Aug 30 08:46:55 wzv 

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-26 Thread John Fawcett

On 20/04/2022 22:20, Michael Grimm wrote:

Hi,

this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD 
13.1-STABLE.


Michael

is this problem happening on one of the RC versions of FreeBSD 13.1?

On the FreeBSD site at the moment, unless I'm misreading it, I see the 
latest 13.1 is FreeBSD-13.1-RC4 but that was released on 21/04/2022 so I 
guess you're using a previous version.


John



Re: connection timeout ?

2022-04-13 Thread John Levine
It appears that Benny Pedersen  said:
>>>> gmail.dk.   300 IN  MX  0 .
>>> 
>>> if nullMX is added then spf and dmarc can be removed
>> 
>> You need both the null MX and the SPF.  Null MX says you
>> don't receive mail, SPF -all says you don't send mail.
>
>why is spf needed if domain is nullMx ?

Null MX says you don't receive mail, SPF -all says you don't send mail.
They're different directions.

>in other words if a domain is nullMx postfix still reject it, as well for 
>senders

Not all MTAs work the same.

R's,
John


Re: connection timeout ?

2022-04-13 Thread John Levine
It appears that Benny Pedersen  said:
>On 2022-04-13 19:27, Matus UHLAR - fantomas wrote:
>
>> however, they miss the nullmx record:
>> 
>> gmail.dk.   300 IN  MX  0 .
>
>if nullMX is added then spf and dmarc can be removed

You need both the null MX and the SPF.  Null MX says you
don't receive mail, SPF -all says you don't send mail.

The DMARC record is a matter of taste. The reports can be
amusing to see who's forging your address.

R's,
John
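The point made in both replies above (null MX covers the receiving direction, SPF -all the sending direction, and one does not replace the other) as an added example, not part of the thread: a small classifier that reads constructed DNS answers for a domain and reports each direction separately. The MX and TXT data are constructed inline (no lookups are made), and the helper names are my own. It generalises slightly from the exact `v=spf1 -all` case: any SPF record whose only mechanism is `-all` counts as "sends nothing", while a record with any other mechanism (`mx`, `ip4:`, `include:`) does not.

```python
"""Read what a domain's DNS says about mail in each direction: a null MX
(RFC 7505: a single "MX 0 .") means it receives no mail, and an SPF record
whose only mechanism is "-all" means no host may send mail as it.
Added example, not part of the thread; DNS answers are constructed inline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailPolicy:
    receives_mail: bool  # False when the domain publishes a null MX
    sends_mail: bool     # False when SPF is "v=spf1 -all" with no other mechanism


def has_null_mx(mx_records) -> bool:
    """mx_records: list of (preference, exchange) from the MX RRset.
    RFC 7505 null MX is exactly one record with preference 0 and exchange '.'."""
    return (len(mx_records) == 1
            and mx_records[0][0] == 0
            and mx_records[0][1] == ".")


def spf_record(txt_records):
    """Return the single SPF record among the TXT records, or None when there
    is none or more than one (RFC 7208 treats duplicates as a permanent error)."""
    spf = [t for t in txt_records
           if t.strip() and t.split()[0].lower() == "v=spf1"]
    return spf[0] if len(spf) == 1 else None


def spf_forbids_all(txt_records) -> bool:
    """True only when the SPF record lists no mechanism other than '-all'.
    Any other mechanism (mx, ip4:, include:, ...) means some host may send."""
    rec = spf_record(txt_records)
    if rec is None:
        return False
    terms = [t.lower() for t in rec.split()[1:]]
    return terms == ["-all"]


def classify(mx_records, txt_records) -> MailPolicy:
    """Combine the two independent signals into one answer per direction."""
    return MailPolicy(
        receives_mail=not has_null_mx(mx_records),
        sends_mail=not spf_forbids_all(txt_records),
    )


# Constructed zone data for a parked domain that neither sends nor receives.
PARKED_MX = [(0, ".")]
PARKED_TXT = ["v=spf1 -all"]
# Constructed data for a domain with SPF -all but an ordinary MX: it still
# receives mail, which is the gap the thread points out.
RECEIVE_ONLY_MX = [(10, "mx.example.net.")]

if __name__ == "__main__":
    print("parked:      ", classify(PARKED_MX, PARKED_TXT))
    print("SPF -all only:", classify(RECEIVE_ONLY_MX, PARKED_TXT))
```

A domain with no SPF record at all comes back as `sends_mail=True`, because nothing in DNS forbids sending; that is the state the replies above warn about when someone drops SPF after adding a null MX.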


DMARC in postfix ?

2022-04-12 Thread John Levine
For doing DMARC validation, I know about the opendmarc milter.  Is that what
everyone uses?  Is there anything else used in practice?

I know about perl and python libraries but they don't seem to have
milters or other ready to use integrations into MTAs.

TIA,
John




Re: Best way forwarding to Gmail

2022-04-06 Thread John Levine
It appears that Byung-Hee HWANG  said:
>Hello,
>
>My final Inbox Provider is Gmail(soyeo...@gmail.com) for 13 years. Also
>i added paid plan of Google Workspace for 
>
>Someday far later i have to plan. That is to forward into
>soyeo...@gmail.com all emails (on soyeo...@doraji.xyz). (If True) then,
>i will subtract paid plan of Google Workspace. So now i'm studying
>about forward technology.
>
>I heard that forwarding to Gmail is very rigid as follow:
>https://support.google.com/mail/answer/175365?hl=en
>
>Is there good guidance for forwarding? If it is on Gmail, that is the best option.

In my experience, forwarding to Gmail is an exercise in futility. I
got lots of DMARC rejections of entirely legitimate mail that was only
authenticated with SPF but had a strict DMARC policy, so Gmail rejected it.
(No, SRS will not help.)

What does work is to deliver to a local mailbox and configure your Gmail account
to pick up the mail with POP.

R's,
John


Re: Multiple names for one mail server?

2022-02-25 Thread John Levine
It appears that @lbutlr  said:
>On 2022 Feb 25, at 08:55, Viktor Dukhovni  =
>wrote:
>> The moment TLS enters into the picture, you start to need much more
>> complicated certificate management to get MUAs to see an acceptable
>> certificate for its expected name on ports 587 and 465,

Also for STARTTLS on port 25 for SMTP clients.

>Ah. Hmm. That does sound like a bit of a problem.
>
>What sort of complicated certificate management?

When a client does a STARTTLS on a port 25 or 587 session, or at
connection time on a port 465 session, the mail server sends back a
certificate with the server name in it. If that name does not match
the name the client is expecting, various bad things can happen
ranging from a warning message in the mail log to dropping the
connection if the server has a TLSA DNS record to identify the
certificate, or you use mta-sts (see RFCs 8460 and 8461.)

If your server has more than one name, there is a TLS feature called
Server Name Indication or SNI in which the client sends the name it is
looking for, and the server tries to find a certificate to match.
Postfix has SNI support but it is not normally turned on, and it is
your problem to get the actual certificates.

Because I am that sort of person (as Viktor can confirm) I hacked SNI
into my homebrew mail server, gave it a different MX name for each of
the 100 domains it serves, and got 100 certificates from Let's
Encrypt. It works for me but other than sometimes seeing that spambots
have an odd idea of who they are talking to, I wouldn't necessarily
recommend it for anyone else.

R's,
John
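The SNI selection and certificate name check described in the message above, as an added Python model that is not part of the thread or of Postfix: the SNI_MAP dictionary stands in for Postfix's tls_server_sni_maps lookup, certificates are represented only by their subjectAltName DNS entries (constructed sample values), and no TLS handshake is performed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): the MX names one server
# answers for, each mapped to the DNS names in that certificate's SAN list.
SNI_MAP: Dict[str, List[str]] = {
    "mx.example.org": ["mx.example.org", "example.org"],
    "mail.example.net": ["*.example.net"],
}
DEFAULT_CERT = ["mx.example.org", "example.org"]  # presented when SNI misses


def select_certificate(sni_name: Optional[str]) -> List[str]:
    """Server side: pick the certificate (its SAN list) to present.

    No SNI (older clients) or an unknown name falls back to the default
    certificate, which is what a single-certificate server always sends.
    """
    if sni_name is None:
        return DEFAULT_CERT
    return SNI_MAP.get(sni_name.lower().rstrip("."), DEFAULT_CERT)


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with a host (RFC 6125 sec. 6.4.3).

    Case-insensitive; a wildcard must be the whole left-most label, needs at
    least two labels after it, and covers exactly one label.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_mx(expected_host: str, cert_names: List[str]) -> bool:
    """Client side: does any certificate name match the expected MX host?"""
    return any(name_matches(n, expected_host) for n in cert_names)


def simulate(expected_host: str, send_sni: bool = True) -> Tuple[bool, str]:
    """One connection: the client expects expected_host and may send SNI."""
    cert = select_certificate(expected_host if send_sni else None)
    if verify_mx(expected_host, cert):
        return True, "certificate name matches"
    return False, "name mismatch: log a warning, or drop if TLSA/MTA-STS requires it"
```

Running simulate("mail.example.net", send_sni=False) shows the failure mode from the message: without SNI the default certificate is presented and its names do not cover the expected MX host.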

