[pfx] Re: Capture Bounced Email Headers & Content
> On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
>> What I mean is: wildcard TXT (SPF) record for *.single-wild.porcupine.org only applies to wildcarded hosts, not to any other record explicitly defined in single-wild.porcupine.org zone. Thus, when A record for mail01-t122.raystedman.org already exists, the *.raystedman.org TXT record will not cover it and explicit TXT for mail01-t122.raystedman.org must be created (I see it's been done)

On 05.06.24 14:55, Emmanuel Fusté via Postfix-users wrote:
> No, wildcards are for the defined record type. An A record will not clobber a corresponding wildcard TXT record. These are two separate records.

RFC 1034 point 4.3.3:

    Wildcard RRs do not apply:
    [...]
    - When the query name or a name between the wildcard domain and the
      query name is known to exist. For example, if a wildcard RR has an
      owner name of "*.X", and the zone also contains RRs attached to B.X,
      the wildcards would apply to queries for name Z.X (presuming there
      is no explicit information for Z.X), but not to B.X, A.B.X, or X.

RFC 4592 section 2.2.1:

    *.example.       3600 TXT "this is a wildcard"
    *.example.       3600 MX  10 host1.example.
    [...]
    host1.example.   3600 A   192.0.2.1
    [...]
    The following responses would not be synthesized from any of the
    wildcards in the zone:
    QNAME=host1.example., QTYPE=MX, QCLASS=IN
            because host1.example. exists

Simply said, "*" works only for domains that do not exist and queries for which would return NXDOMAIN, not for anything that exists and a query for which would return NOERROR/NODATA.

Returning to the original issue, that's why you must explicitly configure an SPF record for every explicitly configured A or MX record, if you want SPF to apply - wildcards don't apply there.

    mail.example.com  A   192.0.2.1
    mail.example.com  TXT "v=spf1 a -all"

- a query for mail.example.com will only return one of these

    *.example.com     A   192.0.2.2
    *.example.com     TXT "v=spf1 -all"

and/or perhaps:

    *.example.com     MX  .

- these won't be returned for mail.example.com.
> But if you delete the mail.example.com TXT record, the TXT wildcard record will be returned for mail.example.com TXT requests.

As a proof of concept I have configured this on my bind server and the observation matches what I have said. Feel free to check at my server 195.80.174.185 (I will remove it in a short time). Does your nameserver work differently?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
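The RFC 1034 / RFC 4592 rule quoted in this thread can be checked without a name server. The following is an added example, not code from the list or from BIND: a small in-memory zone and a resolver that applies the "closest encloser" rule, run against the record sets argued above (the example.com records from the thread, plus a `*.single-wild.example.com` A-only wildcard modelled on Wietse's porcupine.org test). The zone contents, the `lookup` and `helo_spf` functions and the result codes are all constructed for this example; `helo_spf` shows which SPF policy a receiver would find when it evaluates the SMTP HELO name, which is the case that started the thread.

```python
"""Wildcard synthesis per RFC 1034 section 4.3.3 / RFC 4592, applied to SPF.

Added example, not code from the list or from BIND: a tiny in-memory zone and
a resolver implementing the "closest encloser" rule, so you can see which
names a wildcard TXT (SPF) record does and does not cover.
"""
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str]          # (type, rdata)
Zone = Dict[str, List[RR]]    # owner name -> records at that name

# Constructed zone: the example.com records quoted in the thread, plus an
# A-only wildcard under single-wild.example.com modelled on Wietse's test.
ZONE: Zone = {
    "example.com": [("SOA", "ns.example.com. hostmaster.example.com. 1 3600 900 604800 300")],
    "mail.example.com": [("A", "192.0.2.1"), ("TXT", "v=spf1 a -all")],
    "*.example.com": [("A", "192.0.2.2"), ("TXT", "v=spf1 -all"), ("MX", "0 .")],
    "*.single-wild.example.com": [("A", "168.100.3.4")],
}


def _in_zone(name: str, apex: str) -> bool:
    return name == apex or name.endswith("." + apex)


def _exists(zone: Zone, apex: str, name: str) -> bool:
    """A name exists if it is an owner name or an ancestor of one (an empty
    non-terminal, RFC 4592 section 2.2.2). A wildcard owner does not make the
    names below it exist; those are exactly the names it may answer for."""
    if not _in_zone(name, apex):
        return False
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def _records(zone: Zone, owner: str, qtype: str) -> List[RR]:
    return [rr for rr in zone.get(owner, []) if rr[0] == qtype]


def lookup(zone: Zone, apex: str, qname: str, qtype: str) -> Tuple[str, List[RR]]:
    """Resolve qname/qtype. Returns (rcode, answer) where rcode is "NOERROR"
    (answer present), "NODATA" (name exists but has no such type; on the wire
    this is NOERROR with an empty answer) or "NXDOMAIN"."""
    if not _in_zone(qname, apex):
        return ("NXDOMAIN", [])        # a real server answers REFUSED here
    if _exists(zone, apex, qname):
        # RFC 1034 4.3.3: a name that is known to exist is never answered
        # from a wildcard, whatever the query type asks for.
        rrs = _records(zone, qname, qtype)
        return ("NOERROR", rrs) if rrs else ("NODATA", [])
    # Walk up to the closest encloser (longest existing ancestor). Everything
    # between qname and it is non-existent, so only "*.<closest encloser>" applies.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(zone, apex, ancestor):
            wildcard = "*." + ancestor
            if wildcard not in zone:
                return ("NXDOMAIN", [])
            rrs = _records(zone, wildcard, qtype)
            return ("NOERROR", rrs) if rrs else ("NODATA", [])
    return ("NXDOMAIN", [])


def helo_spf(zone: Zone, apex: str, helo: str) -> Optional[str]:
    """The SPF policy a receiver evaluates for an SMTP HELO name: the first
    TXT record answered for that exact name that starts with "v=spf1"."""
    _, rrs = lookup(zone, apex, helo, "TXT")
    for _, rdata in rrs:
        if rdata.startswith("v=spf1"):
            return rdata
    return None


def demo() -> Dict[str, Tuple[str, List[RR]]]:
    """The cases argued in the thread, keyed by "<qname>/<qtype>"."""
    zone = {k: list(v) for k, v in ZONE.items()}
    apex = "example.com"
    out = {
        "mail.example.com/TXT": lookup(zone, apex, "mail.example.com", "TXT"),
        "mail.example.com/MX": lookup(zone, apex, "mail.example.com", "MX"),
        "other.example.com/TXT": lookup(zone, apex, "other.example.com", "TXT"),
        "a.mail.example.com/A": lookup(zone, apex, "a.mail.example.com", "A"),
        "foo.single-wild.example.com/A": lookup(zone, apex, "foo.single-wild.example.com", "A"),
        "foo.single-wild.example.com/TXT": lookup(zone, apex, "foo.single-wild.example.com", "TXT"),
    }
    # Delete the explicit TXT at mail.example.com: the name still exists (it
    # keeps its A record), so the wildcard TXT is still not synthesized.
    zone["mail.example.com"] = [rr for rr in zone["mail.example.com"] if rr[0] != "TXT"]
    out["mail.example.com/TXT after deleting TXT"] = lookup(zone, apex, "mail.example.com", "TXT")
    return out


if __name__ == "__main__":
    for query, result in demo().items():
        print(f"{query:45} -> {result}")
```

The practical consequence for the HELO case is the last entry of `demo()`: as long as `mail.example.com` has any record of its own, a `*.example.com` SPF wildcard is never used for it, so each HELO name with an explicit A record needs its own `v=spf1` TXT.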
[pfx] Re: Capture Bounced Email Headers & Content
> Matus UHLAR - fantomas via Postfix-users:
>>> - Create a wild-card SPF policy for *.raystedman.org that permits
>>> all your SMTP client IP addresses.
>>
>> Sorry: a wildcard in DNS only applies to non-existing names, and since the hostname already exists:

On 04.06.24 13:02, Wietse Venema via Postfix-users wrote:
> Perhaps you are confusing wildcards with CNAME. With CNAME, there can be no other record type with the same name. There is no such restriction for wildcards.
>
> I have an example:
>
>     *.single-wild.porcupine.org. IN A 168.100.3.4
>
> This returns an A record for foo.single-wild.porcupine.org:
>
>     % host -t a foo.single-wild.porcupine.org
>     foo.single-wild.porcupine.org has address 168.100.3.4
>
> But no TXT record for foo.single-wild.porcupine.org:
>
>     % host -t txt foo.single-wild.porcupine.org
>     foo.single-wild.porcupine.org has no TXT record
>
> Here, the wildcard applies only to A queries.

What I mean is: wildcard TXT (SPF) record for *.single-wild.porcupine.org only applies to wildcarded hosts, not to any other record explicitly defined in single-wild.porcupine.org zone. Thus, when A record for mail01-t122.raystedman.org already exists, the *.raystedman.org TXT record will not cover it and explicit TXT for mail01-t122.raystedman.org must be created (I see it's been done)

    mail.example.com  A   192.0.2.1
    mail.example.com  TXT "v=spf1 a -all"

- a query for mail.example.com will only return one of these

    *.example.com     A   192.0.2.2
    *.example.com     TXT "v=spf1 -all"

and/or perhaps:

    *.example.com     MX  .

- these won't be returned for mail.example.com.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I intend to live forever - so far so good.
[pfx] Re: Capture Bounced Email Headers & Content
> Greg Sims via Postfix-users:
>> We had another DMARC Failure last night. The email ended up at the gmail level.
>>
>>     X-Original-Authentication-Results: mx.google.com; spf=none (google.com: mail01-t122.raystedman.org does not designate permitted sender hosts) smtp.helo=mail01-t122.raystedman.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org
>>
>> It appears that Google is looking for SPF information for one of the transports we use in randmap. Do we need to have SPF records in place for all of our transports?

Greg: what kind of mail was this?

I encountered DSNs from Microsoft (Exchange, outlook.com) addresses which had an empty envelope from:<> but header From: was set, e.g. postmas...@outlook.com, but those mails did NOT have DKIM signatures. These did fail DMARC. I just searched the log for this and this behaviour still persists.

Do you send bounces? If so, you'll need to sign them.

On 04.06.24 11:02, Wietse Venema via Postfix-users wrote:
> Google wants your smtp_helo_name (default: $myhostname) to have an SPF policy. This is especially necessary when bounces are sent (yes, you should generally not send bounces) because then, envelope from: does not exist and the HELO name is checked for SPF. Options:
>
> - Create an SPF policy for the SMTP helo name that permits the corresponding SMTP client IP address.

+1

> - Create a wild-card SPF policy for *.raystedman.org that permits all your SMTP client IP addresses.

Sorry: a wildcard in DNS only applies to non-existing names, and since the hostname already exists:

    mail01-t122.raystedman.org. 172800 IN A 209.73.152.122

it needs its own explicit SPF record:

    mail01-t122.raystedman.org. 172800 IN TXT "v=spf1 a -all"

> - Change the smtp_helo_name to a name that already has an SPF policy. This is messy because the name should match the PTR record for the SMTP client IP address.

I think this only applies for SPF records that have the "ptr" option, which is discouraged in SPF.
Otherwise, the IP must be listed in the SPF record, which is a bit easier to achieve.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
[pfx] Re: Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved
On 04.06.24 10:00, Chris Green via Postfix-users wrote:
> I run dnsmasq instead of systemd-resolved on all my systems. I recently moved my desktop server to new hardware running xubuntu 24.04, replacing my previous system that was running xubuntu 22.04.
>
> I installed dnsmasq and removed systemd-resolved and all seemed well until I noticed I couldn't send E-Mail. I run a postfix 3.8.6 server which sends outgoing E-Mail via my ISP's smarthost. In the mail.log I was seeing lots of messages like:-
>
>     2024-06-02T00:10:30.652648+01:00 q957 postfix/smtp[8733]: 9763C3542024: to=, relay=none, delay=8729, delays=8729/0.02/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=smtp-auth.mythic-beasts.com type=A: Host not found, try again)
>
> But running 'host smtp-auth.mythic-beasts.com' returned a perfectly OK address.
>
> It turned out that the file /var/spool/postfix/etc/resolv.conf was:-
>
>     nameserver 127.0.0.53
>     options edns0 trust-ad
>     search zbmc.eu
>
> Changing it to:-
>
>     nameserver 127.0.0.53
>     options edns0 trust-ad
>     search zbmc.eu
>
> Has fixed the problem.

They look the same, didn't you set nameserver to 127.0.0.1 instead?

> However I'm sure this isn't the 'right' way to do this. How do I get postfix to pick up the resolv.conf file that is used/created by dnsmasq?

Restarting postfix does set up the proper environment, which should apply on Ubuntu. After changing resolv.conf, restarting postfix should fix this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Support bacteria - they're the only culture some people have.
[pfx] Re: force to use starttls on port 587
On 03.06.24 20:55, Jeff P via Postfix-users wrote:
> I have closed sasl auth on port 25. but users still can use port 587 for login with plain text. how can I force users to use submission via start-tls only? I know I can open port 465 for ssl connection. but for history reason the port 587 must be open.

I wonder how you configured port 587, since the default master.cf contains instructions for requiring TLS and also disables unauthenticated clients:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_auth_only=yes
    [...]
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

On 04.06.24 08:03, Jeff P via Postfix-users wrote:
> After postfix and dovecot were installed, there are 4 ports open by default.
>
>     port 587
>     port 25
>     port 993
>     port 143
>
> So I have improved them by implementing:
>
> 1. close public port 143
> 2. disable sasl auth on port 25
> 3. force smtp client to login using tls only on port 587

The 3. is implied by 2., although you can tune it a bit, e.g. my main.cf:

    mua_client_restrictions = permit_sasl_authenticated,
        check_client_access static:{530 5.7.0 Authentication Required.}

and in master.cf:

    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
    #  -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
    [...]
    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions

> do you think there is any stuff I am missing?

Use postscreen on port 25, it will drop many bots from trying to connect and send mail through your server.
http://www.postfix.org/POSTSCREEN_README.html

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
[pfx] Re: whitelisting and greylisting
On 31.05.24 12:19, Gerben Wierda via Postfix-users wrote:
> smtpd_milters = unix:/opt/local/var/spool/postfix/opt/local/var/run/rspamd/milter.sock
>
> But it gets greylisted anyway:
>
>     May 31 12:02:13 hermione smtp/smtpd[58412]: connect from 66-220-155-148.mail-mail.facebook.com[66.220.155.148]
>     May 31 12:02:14 hermione smtp/smtpd[58412]: 32BB7CA4F79E: client=66-220-155-148.mail-mail.facebook.com[66.220.155.148]
>     May 31 12:02:14 hermione postfix/cleanup[58416]: 32BB7CA4F79E: message-id=
>     May 31 12:02:15 hermione postfix/cleanup[58416]: 32BB7CA4F79E: milter-reject: END-OF-MESSAGE from 66-220-155-148.mail-mail.facebook.com[66.220.155.148]: 4.7.1 Try again later; from= to= proto=ESMTP helo=<66-220-155-148.mail-mail.facebook.com>
>     May 31 12:02:20 hermione smtp/smtpd[58412]: disconnect from 66-220-155-148.mail-mail.facebook.com[66.220.155.148] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 rset=1 quit=1 commands=7/8
>
> What am I doing wrong?

It's the milter that tempfailed the message, it's not postfix. Perhaps you need to allow facebook mail at the milter level.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
[pfx] Re: SASL reject force disconnect
> On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users <postfix-users@postfix.org> wrote:
>> For submission I only use xbl (return code 127.0.0.4) excluding other data contained in zen like pbl that lists isp dynamic ip ranges from which you would normally expect to get connections to submission. For me it's safe to use xbl for submission since I don't want connections from exploited machines and it cuts out most of the noise and some of the risk from people hammering smtp auth. It won't fit everyone's use case though.

On 28.05.24 05:39, Christophe Kalt via Postfix-users wrote:
> For this to be worthwhile, I assume you also set smtpd_delay_reject to no?

Good point. But only on smtps/submission level, so in master.cf services.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Enter any 12-digit prime number to continue.
[pfx] Re: SASL reject force disconnect
>>>>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
>>>
>>> John Hill via Postfix-users:
>>>> Is this the same thing?
>>
>> On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:
>>> See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table with the purpose of different lookup results. To block xbl listed clients with postscreen, one would configure xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4
>
> On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:
>> While they are the same, I recommend using the latter, so you can benefit from caching DNS results in case the same source IP connects to smtp and submission/submissions(=smtps) services.

On 27.05.24 07:31, John Hill via Postfix-users wrote:
> I added the zen.spamhaus.org=127.0.0.[2..11] to my submission settings in master.cf. Worked, but it blocked my AT mobile block. Go figure!

The discussion was "xbl.spamhaus.org" vs. "zen.spamhaus.org=127.0.0.4". If you configured zen.spamhaus.org with a different combination, no wonder you got an unexpected result.

> I changed it to 127.0.0.4 to be more specific. It turns out AT mobile has numbers in the XBL database. I tried bl.spamcop.net, and it does nothing.

No, they are in the PBL database, which is designed to contain home networks. I'm not sure about spamcop, but zen.spamhaus.org=127.0.0.4 should be safe at submission level.

> Last night I logged "81 SASL authentication failed." That's about average. Seems I have a lot of new friends. I'm still thankful to learn more about master.cf, I had ignored it for the most part.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
[pfx] Re: SASL reject force disconnect
>>> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
>
> John Hill via Postfix-users:
>> Is this the same thing?

On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:
> See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table with the purpose of different lookup results. To block xbl listed clients with postscreen, one would configure xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4

While they are the same, I recommend using the latter, so you can benefit from caching DNS results in case the same source IP connects to smtp and submission/submissions(=smtps) services.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
42.7 percent of all statistics are made up on the spot.
[pfx] Re: disable authentication on port 25
> Stephan Seitz via Postfix-users wrote on 2024-05-24 15:01:
>> Careful, if you have "smtpd_tls_auth_only = yes" (I think), then you'll see AUTH after STARTTLS...

On 24.05.24 15:12, Benny Pedersen via Postfix-users wrote:
> port 25 must not be tls only
>
> if its needed use another port for tls only

This is something very different from what Stephan said. He mentioned that on postfix with "smtpd_tls_auth_only=yes" (the default) authentication is only available when TLS is active.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
[pfx] Re: how does smtpd know the connection is a submission request, or a MX request?
On 24.05.24 20:41, Northwind via Postfix-users wrote:
> my guess, submission clients were using ehlo, and a mx client uses helo command. so postfix differ them based on this command?

EHLO is the extended HELO; it supports SMTP extensions. Mail clients, just like servers, may use either, but nowadays I would expect all of them to use EHLO, especially because of the DSN and SIZE extensions.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
The only substitute for good manners is fast reflexes.
[pfx] Re: SASL reject force disconnect
On 24.05.24 07:36, John Hill via Postfix-users wrote:
> What command do you use to reset the connection?

No command, just a rule in the OUTPUT chain:

    1710  649K REJECT  6  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp spt:25 match-set block-smtp dst reject-with icmp-port-unreachable

so any outgoing (dst) packet from TCP port 25 to an IP address in the ipset "block-smtp" will result in icmp port unreachable. It can be changed to tcp-reset.

> On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:
>> On 23.05.24 21:03, John Hill via Postfix-users wrote:
>>> I use Fail2Ban to block the failed IP. The script writes it into the nftables table immediately. I think this keeps Postfix waiting and times out, not a big deal. Is there a cli that my bash script could force disconnect the ip from Postfix?
>>
>> I use fail2ban in a way where incoming packets to port 25 get dropped and outgoing packets from port 25 get reset, so smtpd should receive info to close the connection when the first packet leaves.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 of your friends - let them see what an idiot you are
[pfx] Re: disable authentication on port 25
> On 24/05/2024 03:15, Peter via Postfix-users wrote:
>> No you definitely should disable auth on port 25 regardless. It is possible for postscreen to pass a connection to smtpd and smtpd can *then* offer auth. To answer your original question, you can just set -o smtpd_sasl_auth_enable=no in master.cf but it has to be on the smtpd service, not on postscreen.
>>
>> That said, I recommend not setting smtpd_sasl_auth_enable in main.cf and instead explicitly set it on your submission and/or submissions service in master.cf instead. When it comes to things like this it is generally better to default to off and explicitly turn on rather than default to on and explicitly turn off.

On 24.05.24 10:51, Allen Coates via Postfix-users wrote:
> Many moons ago I was told to put "smtpd_sasl_auth_enable=no" in main.cf, blocking the function everywhere, and then put "-o smtpd_sasl_auth_enable=yes" in the submission stanza(s) in master.cf, expressly enabling it *just* there.

smtpd_sasl_auth_enable is "no" by default, but OP may have it enabled by having "smtpd_sasl_auth_enable=yes" in main.cf. If OP does not need SASL on port 25 (clients should use 465/587), it's better to disable it.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Support bacteria - they're the only culture some people have.
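Both this thread and the "force to use starttls on port 587" thread above come down to the same audit: which smtpd services end up with SASL AUTH enabled, and whether those services require TLS. The following is an added example, not code from the list or from Postfix: it parses a master.cf excerpt (service lines plus their `-o name=value` overrides), layers main.cf settings and overrides on top of built-in defaults, and reports plaintext-AUTH exposure on submission/smtps and AUTH leaking onto port 25. The sample master.cf and main.cf, the `parse_master` and `audit` functions and the finding texts are all constructed for this example; the `DEFAULTS` table is my reading of postconf(5) and should be confirmed on your build with `postconf -d`.

```python
"""Audit a Postfix master.cf for plaintext-AUTH exposure and AUTH on port 25.

Added example, not code from the list or from Postfix. It reads master.cf
service entries (including "-o name=value" overrides), applies main.cf settings
and the overrides on top of built-in defaults, and reports smtpd services where
SASL AUTH could be offered without mandatory TLS, or where AUTH is enabled on
the MX (port 25) service.
"""
from typing import Dict, List

# Parameters this check cares about, with their assumed built-in defaults
# (my reading of postconf(5); confirm with "postconf -d" on your system).
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_security_level": "",
    "smtpd_tls_wrappermode": "no",
    "smtpd_tls_auth_only": "no",
}
# Service names (or port numbers) that are meant for authenticated submission.
SUBMISSION_SERVICES = {"submission", "587", "smtps", "submissions", "465"}


def parse_master(text: str) -> List[dict]:
    """Return one dict per service: name, type, command, args and -o overrides.
    Continuation lines (leading whitespace) belong to the previous service;
    lines starting with '#' are comments, like the commented-out defaults."""
    services: List[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if services:
                services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue  # not a complete service line; ignore it
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "args": fields[8:], "overrides": {}})
    for svc in services:
        args = svc["args"]
        for i, tok in enumerate(args):
            if tok == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
                key, value = args[i + 1].split("=", 1)
                svc["overrides"][key] = value
    return services


def audit(master_cf: str, main_cf: Dict[str, str]) -> List[str]:
    """Findings for every inet smtpd service, in master.cf order."""
    findings: List[str] = []
    for svc in parse_master(master_cf):
        if svc["type"] != "inet" or not str(svc["command"]).endswith("smtpd"):
            continue
        params = dict(DEFAULTS)                       # built-in defaults
        params.update({k: v for k, v in main_cf.items() if k in params})   # main.cf
        params.update({k: v for k, v in svc["overrides"].items() if k in params})  # -o
        name = svc["name"]
        sasl = params["smtpd_sasl_auth_enable"] == "yes"
        tls_required = (params["smtpd_tls_security_level"] == "encrypt"
                        or params["smtpd_tls_wrappermode"] == "yes")
        if name in SUBMISSION_SERVICES:
            if not sasl:
                findings.append(f"{name}: SASL AUTH is not enabled")
            elif not tls_required:
                findings.append(f"{name}: AUTH enabled but TLS not required (plaintext login possible)")
        elif sasl:
            findings.append(f"{name}: SASL AUTH enabled on an MX (port 25) service; move it to submission/smtps")
    return findings


# Constructed master.cf excerpt: submission as the 587 thread described it
# (AUTH on, TLS optional), smtps as in the config quoted above, port 25 plain.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
"""
# The main.cf mistake discussed above: AUTH switched on globally, so port 25
# inherits it unless the smtp service overrides it.
WEAK_MAIN_CF = {"smtpd_sasl_auth_enable": "yes"}
# Same file with submission made TLS-mandatory, as the default master.cf shows.
FIXED_MASTER_CF = SAMPLE_MASTER_CF.replace(
    "  -o smtpd_sasl_auth_enable=yes\n  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n",
    "  -o smtpd_tls_security_level=encrypt\n  -o smtpd_sasl_auth_enable=yes\n"
    "  -o smtpd_tls_auth_only=yes\n  -o smtpd_client_restrictions=permit_sasl_authenticated,reject\n")

if __name__ == "__main__":
    print("weak:", audit(SAMPLE_MASTER_CF, WEAK_MAIN_CF))
    print("fixed:", audit(FIXED_MASTER_CF, {}))
```

Feed it the output of `postconf -Mf` and a dict built from `postconf -n` to run it against a live configuration; the point of layering defaults, main.cf and `-o` overrides in that order is that a global `smtpd_sasl_auth_enable=yes` shows up as a finding on the `smtp` service even though nothing in master.cf mentions AUTH there.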
[pfx] Re: SASL reject force disconnect
On 23.05.24 21:03, John Hill via Postfix-users wrote:
> I use Fail2Ban to block the failed IP. The script writes it into the nftables table immediately. I think this keeps Postfix waiting and times out, not a big deal. Is there a cli that my bash script could force disconnect the ip from Postfix?

I use fail2ban in a way where incoming packets to port 25 get dropped and outgoing packets from port 25 get reset, so smtpd should receive info to close the connection when the first packet leaves.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Atheism is a non-prophet organization.
[pfx] Re: Strengthen email system security
>>> Zen includes the "PBL" component, which consists largely of residential and mobile consumer IPs.
>
> On 24/05/24 02:12, Matus UHLAR - fantomas via Postfix-users wrote:
>> Yes, but these are (usually) not considered valid clients, these should use submission/submissions(smtps) ports where reject_rbl_client and/or zen.spamhaus.org should not be used.

On 24.05.24 12:00, Peter via Postfix-users wrote:
> And the OP is referring to SASL AUTH attacks which are for submission, not MX connections.

But some of those log lines mention postfix/smtpd, which means they happen on port 25.

BTW, while one usually has SASL disabled on port 25, some networks may require it because of backwards compatibility. I have solved this issue by forwarding port 25 from external networks to local port 1025 (or any other), where I run postscreen, dnsbls and per-queue spam/virus filters.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one Reich, one leader!" - Adolf Hitler
[pfx] Re: how disable DSN pipe
On 23.05.24 20:51, Alexander Kolesnikov via Postfix-users wrote:
> On 23.05.2024 19:06, Wietse Venema via Postfix-users wrote:
>> Aleksandr Kolesnikov via Postfix-users:
>>> if the user requests a DSN, he receives a delivery message via the ... how to prohibit the sending of such DSN?
>>
>> Perhaps: [1] https://www.postfix.org/DSN_README.html
>>
>> Wietse
>
> I may have misunderstood the contents of DSN_README, but I don't need to turn off DSN completely. I need the DSN to not work only for those senders for whom the transport is configured to "resubmit" (pipe). In my case, I was helped by the smtpd_command_filter option, which you pointed out in your recent answer to a similar topic.

Since we don't know what your resubmit_mail.sh script does, it's hard to know. If it calls sendmail and passes the "-N success" option to it, the obvious solution is to use "-N never" instead.

    resubmit unix - n n - 10 pipe
      flags=Rq user=nobody null_sender= argv=/usr/local/libexec/resubmit_mail.sh -N success -- ${recipient}

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
(R)etry, (A)bort, (C)ancer
[pfx] Re: Strengthen email system security
>>>> Don't accept mail from home networks. For example, use "reject_rbl_client zen.spamhaus.org". For this you must use your own DNS resolver, not the DNS resolver from your ISP.
>>
>> On 23.05.24 07:00, Northwind via Postfix-users wrote:
>>> will this also stop the valid client's SMTP connection? thank you Wietse.
>
> On 2024-05-23 at 02:31:05 UTC-0400 (Thu, 23 May 2024 08:31:05 +0200) Matus UHLAR - fantomas via Postfix-users is rumored to have said:
>> not, unless they are listed in zen.spamhaus.org, which should not happen.

On 23.05.24 09:45, Bill Cole via Postfix-users wrote:
> Zen includes the "PBL" component, which consists largely of residential and mobile consumer IPs.

Yes, but these are (usually) not considered valid clients, these should use submission/submissions(smtps) ports where reject_rbl_client and/or zen.spamhaus.org should not be used.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Emacs is a complicated operating system without good text editor.
[pfx] Re: Strengthen email system security
>> Don't accept mail from home networks. For example, use "reject_rbl_client zen.spamhaus.org". For this you must use your own DNS resolver, not the DNS resolver from your ISP.

On 23.05.24 07:00, Northwind via Postfix-users wrote:
> will this also stop the valid client's SMTP connection? thank you Wietse.

Not, unless they are listed in zen.spamhaus.org, which should not happen.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Christian Science Programming: "Let God Debug It!".
[pfx] Re: Disable Non Delivery Notifications only for some adresses
On 21.05.24 15:13, Kevin Cousin via Postfix-users wrote:
> We are using Postfix as relay for our internal apps. These apps are sending mails to final users with from nore...@example.net, but sometimes addresses are wrong and a Non Delivery Notification is generated and sent back to nore...@example.net. Is there any way to disable these notifications only for "noreply@xxx" (without disabling NDN)? It seems creating a header check "To: noreply@ DISCARD" is not the good way.

How do you handle situations when you send mail to a non-existing recipient? Because continuing to send mail to them may cause troubles.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Nothing is fool-proof to a talented fool.
[pfx] Re: Dovecot logging to files causes postfix to break
>> Richard Rosner via Postfix-users:
>>> I have a mailing server setup based on Debian Stable that uses postfix for IMAP and SMTP and dovecot for internal mail handling,
>>
>> You mean, Postfix for SMTP, Dovecot for IMAP.
>
> Possible.
>
>>> like filtering, sorting into users inboxes etc. I now wanted to set dovecot to not write to syslog, but to dedicated files in /var/log/dovecot. While everything indicates that this happens successfully, postfix will soon start logging complaints:
>>>
>>>     May 13 20:55:37 mail postfix/local[2824184]: 95BCF1000A9: to=, relay=local, delay=3.2, delays=1.9/0.29/0/1.1, dsn=4.3.0, status=deferred (temporary failure. Command output: lda(user): Error: net_connect_unix(/run/dovecot/stats-writer) failed: Permission denied Can't open log file /var/log/dovecot/error.log: Permission denied )
>
> On 18.05.24 at 17:55, Wietse Venema wrote:
>> That is a DOVECOT error message from the DOVECOT local delivery agent (lda).

On 18.05.24 18:18, Richard Rosner via Postfix-users wrote:
> Why does it say postfix/local though? So you are sure this error can't have been caused by any interaction with postfix?

Because local(8) executed mbox_command - lda, which produced the output. postfix/local is just reporting the error message from dovecot-lda.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
42.7 percent of all statistics are made up on the spot.
[pfx] Re: IPv6 and RBL checks
>> On 15.05.24 11:25, Jos Chrispijn via Postfix-users wrote:
>>> Recently I noticed this in my logfile:
>>>
>>>     0.3.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.bl.spamcop.net: Host or domain name not found. Name service error for name=0.3.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.bl.spamcop.net type=A: Host not found, try again
>>>
>>> According to Postfix/postscreen it happens to be the reversed notation of the IPv6 sender of the email:
>>>
>>>     May 11 23:14:27 terra postfix/postscreen[4111]: PASS NEW [2607:f8b0:4864:20::930]:43019
>>>
>>> Can someone explain why bl.spamcop.net reverses the ipv6 ip, thus not recognizing it like postscreen?
>
> Matus UHLAR - fantomas via Postfix-users wrote on 2024-05-15 11:29:
>> This is how DNSBLs work, so you can simply block 2607:f8b0:4864:: by defining *.4.6.8.4.0.b.8.f.7.0.6.2.bl.spamcop.net

On 15.05.24 12:17, Benny Pedersen via Postfix-users wrote:
> please no dont do this

Guys, I am not doing this, I am explaining why the order is reversed.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows 2000: 640 MB ought to be enough for anybody
[pfx] Re: IPv6 and RBL checks
On 15.05.24 11:25, Jos Chrispijn via Postfix-users wrote:
> Recently I noticed this in my logfile:
>
>     0.3.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.bl.spamcop.net: Host or domain name not found. Name service error for name=0.3.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.bl.spamcop.net type=A: Host not found, try again
>
> According to Postfix/postscreen it happens to be the reversed notation of the IPv6 sender of the email:
>
>     May 11 23:14:27 terra postfix/postscreen[4111]: PASS NEW [2607:f8b0:4864:20::930]:43019
>
> Can someone explain why bl.spamcop.net reverses the ipv6 ip, thus not recognizing it like postscreen?

This is how DNSBLs work, so you can simply block 2607:f8b0:4864:: by defining *.4.6.8.4.0.b.8.f.7.0.6.2.bl.spamcop.net

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I feel like I'm diagonally parked in a parallel universe.
[pfx] Re: TLS Library Problem
On 11.05.24 23:55, Jason Hirsh via Postfix-users wrote:
> Still chasing ssl/tls issue. I have the error message
>
> postfix/smtps/smtpd[39559]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 46:

A simple search for "ssl alert 46" provides the answer, that it is a certificate unknown by the client.

Perhaps you have a self-signed certificate or you fail to provide the intermediate certificate from your CA.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
[pfx] Re: Difference between alias_maps and alias_database
On 07.05.24 17:13, Дилян Палаузов via Postfix-users wrote:
> I try to understand the difference between alias_database and alias_maps.
>
> Or, does postalias/newaliases use alias_database as input, ignoring alias_maps, while local ignores alias_database and uses alias_maps?

Precisely.

alias_maps is for local(8) to know which database(s) to read. They don't need to be writable (e.g. nis:mail.aliases)

alias_database is for newaliases/postalias to know which database to reindex.
...because not all databases in aliases can be indexed by postfix programs.

> when the same table is supposed to be used by local and postalias, the same value (filename) must be set to alias_database and alias_maps?

If you want postfix to work properly, yes.

> I think it would be better to have only one parameter: alias_maps, and newaliases should either update, what is pointed to by alias_maps, or

This may not be possible for NIS maps, LDAP maps etc etc. That's why there are separate parameters.

> report an error on failure. In any case the presence of the two options currently suggests that there are use cases to have for both options two different local files as value and the documentation does not elaborate whether this is a good or bad idea.

perhaps the default value for alias_maps could be something like:

    alias_maps = $alias_database, nis:mail.aliases

But the rest still applies.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
[pfx] Re: long header folding and DKIM fails
On 02.05.24 12:53, Tim Coote via Postfix-users wrote:
> I think that I’ve now fixed this in my domain, so I thought I’d just note the route to finding it, more as a comment on the complexity of working out what’s going on.
>
> After making a simple robot to send emails with long headers and demonstrating how they broke in my production environment, I rebuilt that env on a Vagrant box. It worked properly (ie it didn’t replace “,” with “,”) until I’d added in the old spambayes filter that I’d been ‘using’. Removing Spambayes fixed the issue. Dunno whether this will have an effect on the amount of spam, but I suspect that it hadn’t done anything useful for some time.

This looks like someone is signing headers they should not sign. Can you look at that?

If so, you can also check DKIM signature before you sign or before you check for spam.

> What would have helped - and I’ve no idea how feasible this is - would be some tooling to pull out different versions of the message as they flow through the queues.
>
> Interesting how long latent bugs can lie around, isn’t it?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Honk if you love peace and quiet.
[pfx] Re: Fun with line endings, was Re: Mail text wrapping
> On Apr 24, 2024, at 09:05, John Levine via Postfix-users wrote:
>> I suppose, but sending bare LF in SMTP is definitely wrong, so he needs to fix that first.

On 28.04.24 19:15, Doug Hardie via Postfix-users wrote:
> Well, the header lines are properly terminated by CRLF. However, the text lines are whatever I get from postfix.

Get from postfix how?

If you receive mail via program or mailbox delivery from local(8), line endings on UNIX system are converted to LF (\n). The MTA converts them to this state.

If you receive mail via SMTP/LMTP, you should get "CR+LF" (\r\n) and when feeding to program/mailbox you should convert them yourself.

Sending mail is the opposite: when sending via SMTP, you should end lines using CR+LF. When using postfix' sendmail, it usually does autodetection/conversion:
http://www.postfix.org/postconf.5.html#sendmail_fix_line_endings

> Generally that is just a LF. I copied the text and inserted the CRs and sent it to see what happens. I get the same result: = signs at each fold point. The solution was to replace all the =LFs with a couple spaces.

so, you discard the notion of "continued line" here. Postfix/receiving MUA wraps the text of long lines properly (e.g., without any =).

> There was one other = occurrence that I found and replaced with spaces. This solution was easy to accomplish since the text of the message is accessed via mmap. I expected to see some extraneous spaces in the message, but something is optimizing them out.

There are MUAs (outlook) which tend to ignore line breaks and reformat the mail as they wish, which may look awful (you can luckily turn this off).

However, even these MUAs tend to understand final "=" as a sign "this line doesn't have to be wrapped". Do not rely on these MUAs' behaviour by dropping the final "=".

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
[pfx] Re: hmm spf is missing :)
> On 15/04/24 10:14, Benny Pedersen via Postfix-users wrote:
>> Authentication-Results list.sys4.de; dkim=pass header.d=porcupine.org; arc=none (Message is not ARC signed); dmarc=pass (Used From Domain Record) header.from=porcupine.org policy.dmarc=none

On 25.04.24 19:19, Peter via Postfix-users wrote:
> What does this have to do with Postfix, or even the Postfix mailing list? You're posting headers coming from Wietse's personal email, not the list itself.

It's a header from the mailing list's mail server, when it received mail from Wietse's machine.

iiuc Benny complains that the list server does not verify SPF, or at least doesn't put spf info into Authentication-Results:

This applies for all mail to the list.

>> dmarc can't be aligned with this missing,
>
> This is just plain wrong. DMARC will align just fine with SPF missing if DKIM is correct and signed by the From: header domain.

Looking back through my mailbox I found that mail from a domain with no DKIM that passes SPF is marked as dmarc=fail so it looks like SPF is not checked at all on the list server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
REALITY.SYS corrupted. Press any key to reboot Universe.
[pfx] Re: Mail text wrapping
On 22.04.24 22:55, Doug Hardie via Postfix-users wrote:
> This is probably not the right place to be asking this as it is not directly Postfix related, but I don't know a better group to ask.
>
> For years I have sent text messages and just let the lines run on. Only inserting a \n for the start of a new paragraph. I never exceed the 988 line length limit. My mail client does its magic to make it smaller line lengths and the recipient's puts it back together again so that it fills whatever window size they are using.
>
> However, in the last couple days, something has changed. Looking at the raw sent text of the message, the lines are less than 80 bytes with an "=" at the end of each line that is not a line end. Going back through some of my email history, I see that occurring for years. It was never visible to me or any of my recipients.
>
> I have a process that takes a portion of a received email and distributes it to a small recipient list. I am one of the recipients and it arrived with no cleanup. The = was at the end of every line. There was no reassembly of the original lines. The outgoing email had the following headers:
>
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: quoted-printable
>
> I have searched the internet for some discussion of this and find nothing. The RFCs don't seem to address it either. Given the normal thoroughness of the RFCs I believe that just means I haven't found the right one. What controls this behavior and what is needed to get the reassembly to work again?

This is quoted-printable MIME formatting which wraps lines to <80 characters per line and uses = at the end of line as continuation character. See RFC 2045 section 6.7 for its definition.

I also recommend looking at the "format=flowed" option which is a nicer approach. RFC 3676 addresses this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one empire, one leader!" (Ein Volk, ein Reich, ein Fuhrer!) - Adolf Hitler
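The quoted-printable soft line breaks explained in this reply and in the "Fun with line endings" thread above, as an added example that is not code from either thread: a constructed long paragraph is encoded the way a MUA does, decoded correctly by a hand-written RFC 2045 6.7 decoder, and then decoded after the "replace =LF with spaces" workaround, so the two results can be compared.

```python
"""Quoted-printable soft line breaks, RFC 2045 section 6.7 (added example).

Not code from the thread. A constructed long paragraph is encoded the way
a MUA does for Content-Transfer-Encoding: quoted-printable, then decoded
correctly (an "=" ending a line is a soft break and disappears together
with the line ending) and the way described above (replacing "=" + LF
with spaces), to show why the second approach leaves stray spaces.
"""
import quopri

# Constructed sample body: one long line, as written by a sender who just
# lets the lines run on and only breaks lines between paragraphs.
PARAGRAPH = (
    "For years I have sent text messages and just let the lines run on, "
    "only inserting a newline for the start of a new paragraph, and the "
    "mail client wrapped them to fewer than 80 columns when encoding."
)
HEX = b"0123456789ABCDEFabcdef"


def qp_encode(text: str) -> bytes:
    """Encode like a sending MUA: quoted-printable, lines of at most 76
    characters, each wrapped line ending in the soft break "="."""
    return quopri.encodestring(text.encode("us-ascii"))


def qp_decode(data: bytes) -> bytes:
    """Decode quoted-printable by hand, following RFC 2045 6.7:
    "=XX" is one encoded octet; "=" followed (optionally by whitespace)
    by a line ending is a soft line break and is removed, joining the
    two encoded lines; everything else, including hard line endings, is
    copied through."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        c = data[i]
        if c != ord("="):
            out.append(c)
            i += 1
            continue
        pair = data[i + 1:i + 3]
        if len(pair) == 2 and all(b in HEX for b in pair):
            out.append(int(pair, 16))           # encoded octet
            i += 3
            continue
        j = i + 1
        while j < n and data[j] in b" \t":      # tolerate trailing blanks
            j += 1
        if data[j:j + 2] == b"\r\n":            # soft break, CRLF form
            i = j + 2
            continue
        if j < n and data[j] == ord("\n"):      # soft break, bare LF form
            i = j + 1
            continue
        out.append(c)                           # stray "=": keep literally
        i += 1
    return bytes(out)


def strip_soft_breaks_with_spaces(data: bytes) -> bytes:
    """The workaround described in the thread: turn each "=" + line ending
    into two spaces instead of treating it as a continuation."""
    return data.replace(b"=\r\n", b"  ").replace(b"=\n", b"  ")


def soft_break_count(data: bytes) -> int:
    """Number of soft line breaks in an encoded body."""
    return data.count(b"=\r\n") + data.count(b"=\n")


if __name__ == "__main__":
    enc = qp_encode(PARAGRAPH)
    print(enc.decode("ascii"))
    print(qp_decode(enc) == PARAGRAPH.encode("us-ascii"))
    print(qp_decode(strip_soft_breaks_with_spaces(enc)).decode("ascii"))
```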
[pfx] Re: Forward mail
On 13.04.24 12:51, Paul van der Vlis via Postfix-users wrote:
> Unfortunately, I have quite a few customers who want to receive email from their own domain at a different email address, such as a Gmail or Hotmail address. I forward this in /etc/postfix/virtual.
>
> But I actually don't understand why this arrives, especially if the sender has an SPF or DMARC clearly states that it should be rejected if the email comes from the wrong IP.

as others have stated, many recipients don't reject SPF fail if DKIM (DMARC) passes.

Google is one of those recipients.

> Perhaps Gmail and others don't care about that, but it could also be that they look beyond the forward address and see that it comes from a legitimate IP, but only forwarded is. That would be good, but maybe easily forged without DKIM? Could someone tell us more about this?

If both DKIM and SPF fail, google will explicitly reject such email.

Before, it was possible that the mail would be accepted based on spamminess and your IP reputation.

Others still may use similar handling but I wouldn't rely on it.

> And what is a good solution for forwarding? Rewrite the sender? SRS?

Yes. And if both DKIM and SPF fail, there's still the possibility of rewriting the From: header and DKIM-signing it.

Alternatively, tell the customer that the sender does not wish their mail to be forwarded.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
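DMARC alignment as discussed in this forwarding thread and in the "hmm spf is missing" thread above, as an added example that is not code from either thread: it shows why a forwarded message with a failing SPF check still passes DMARC on a valid DKIM signature, why an unsigned message fails when the receiver never evaluates SPF, and why SRS alone does not give aligned SPF. Domains, results and the simplified organizational-domain rule are constructed assumptions.

```python
"""DMARC identifier alignment, RFC 7489 section 3.1 (added example).

Not code from either thread above. It models why a forwarded message whose
SPF check fails still passes DMARC when its DKIM signature is valid for the
From: domain, why a list server that never evaluates SPF reports dmarc=fail
for an unsigned message, and why SRS alone does not make SPF aligned.
Domains and authentication results below are constructed sample data; the
organizational-domain rule is simplified (no Public Suffix List).
"""
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption;
    a real implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ("s") alignment needs identical domains; relaxed ("r"), the
    default, only needs the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    spf_result: str                 # "pass", "fail", "none", ...
    spf_domain: str                 # MAIL FROM (envelope sender) domain
    dkim: list = field(default_factory=list)   # [(result, "d=" domain), ...]


def dmarc_evaluate(from_domain: str, auth: AuthResults,
                   adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes if at least one aligned DKIM signature verifies OR the
    aligned SPF check passes; otherwise it fails."""
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim)
                  for res, d in auth.dkim)
    spf_ok = (auth.spf_result == "pass"
              and aligned(from_domain, auth.spf_domain, aspf))
    return "pass" if dkim_ok or spf_ok else "fail"


# Constructed cases mirroring the threads (From: is sender.example):
# forwarded via /etc/postfix/virtual, DKIM intact: SPF fails, DKIM aligned.
FORWARDED_SIGNED = AuthResults("fail", "sender.example",
                               [("pass", "sender.example")])
# forwarded, but the sender never DKIM-signs.
FORWARDED_UNSIGNED = AuthResults("fail", "sender.example")
# receiver never evaluated SPF (no spf= in Authentication-Results), no DKIM.
LIST_NO_SPF_CHECK = AuthResults("none", "sender.example")
# SRS rewrote the envelope sender: SPF passes for the forwarder, unaligned.
SRS_REWRITTEN = AuthResults("pass", "forwarder.example")

if __name__ == "__main__":
    for label, case in [("forwarded, signed", FORWARDED_SIGNED),
                        ("forwarded, unsigned", FORWARDED_UNSIGNED),
                        ("list, SPF unchecked", LIST_NO_SPF_CHECK),
                        ("SRS only", SRS_REWRITTEN)]:
        print(f"{label}: dmarc={dmarc_evaluate('sender.example', case)}")
```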
[pfx] Re: duplicate deliveries
On 14.04.24 00:53, Marek Podmaka via Postfix-users wrote:
> When/how does postfix prevent duplicate deliveries when delivering to an alias and explicitly also to the alias result? For example all@domain + Cc to one of the members of that alias. I have found parameters "duplicate_filter_limit" and "enable_original_recipient" that mention it, but I don't understand how exactly it works.
>
> I have an older mailserver where this works (no duplicate deliveries, otherwise someone would complain). I am using virtual users with default virtual delivery.
>
> I also have another mail server also with the same type of virtual users (same database schema), but which was setup with Dovecot LDA as delivery agent. And there the deduplication doesn't work, I had to use dovecot-sieve's "duplicate" extension, which discards the duplicated email. Is it because for LDA I have destination_recipient_limit=1? Or maybe just because of using sender_bcc_maps and not related to LDA?

where/how are those aliases implemented?

I believe if they are implemented in virtual_alias_maps, deduplication takes place.

> I have setup sieve rule in the past according to https://serverfault.com/questions/112958/postfix-aliases-and-duplicate-e-mails-how-to-fix which mentions old faq.html on postfix web and some broken links to old mail list archives claiming the deduplication is not implemented.
>
> So what are the prerequisites for it to work? I am now planning to migrate the old server from courier to dovecot + lda and want to know if I will need the sieve solution again or not...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one empire, one leader!" (Ein Volk, ein Reich, ein Fuhrer!) - Adolf Hitler
[pfx] Re: reliable RBL
> On 11/4/24 10:59, Matus UHLAR - fantomas via Postfix-users wrote:
>> It still works, but you may need supplementary software as amavis, sagator, spamass-milter or mimedefang because SpamAssassin only focuses on classification, not about delivery.

On 11.04.24 11:54, Dimitris via Postfix-users wrote:
> iirc, you also need a compiler installed (for SA rules).

only if you want to compile them. They are written in perl and can be used without a compiler.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Atheism is a non-prophet organization.
[pfx] Re: reliable RBL
On 11.04.24 15:41, Mr. Peng via Postfix-users wrote:
> BTW, is spamassassin still a popular option for antispam today? or should I use rspamd instead?

It still works, but you may need supplementary software as amavis, sagator, spamass-milter or mimedefang because SpamAssassin only focuses on classification, not about delivery.

> On Wed, Apr 10, 2024 at 10:23 PM Bill Cole via Postfix-users < postfix-users@postfix.org> wrote:
>> On 2024-04-10 at 05:46:36 UTC-0400 (Wed, 10 Apr 2024 17:46:36 +0800) Mr. Peng via Postfix-users is rumored to have said:
>>> I have been using spamhaus, spamcop, sorbs as the RBL providers for antispam.
>>> But some of the customers speak to me about the FP issues caused by RBL.
>>> Do you think the three RBL above are reliable in a practical system?
>>
>> Those are three of the best, but you have to understand that they are complicated and may not fit YOUR needs.
>>
>> Spamhaus offers multiple DNSBLs which each has a very specific definition, which they aggregate in the "Zen" list which uses reply value to indicate which component an address listing belongs to. Not all component lists of Zen are appropriate for all MTAs. Spamhaus is extremely careful about making each list reliably represent what they claim it represents. They act quickly on the rare occasions when they inadvertently list sources of legitimate email.
>>
>> SpamCop is based on actual feeds of spam from many sources, and when they list an IP, you can be certain that it recently sent spam. They do not exempt major mailbox providers who are also major spam emitters. If you use the SpamCop list as an absolute test, you will reject some legitimate mail which shares an outbound MTA with spam. Reliably.
>>
>> SORBS is also informed by multiple sources of spam, and like SpamCop they do not exempt mixed sources. Like Spamhaus, they have both independent DNSBLs and an aggregated list that uses distinct return values for each component list, so you need to take that into account when using it, to fit the different sorts of listings to different interfaces. Like SpamCop, some of the SORBS components intermittently list major mixed sources.
>>
>> You really need to look at your DNSBL choices carefully and with an understanding of your users and their needs. You may want to consider using them in a more complex filtering tool like SpamAssassin where it is possible to weight the impact of different DNSBLs to fit your needs and to make explicit direct exemptions if you like.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I just got lost in thought. It was unfamiliar territory.
[pfx] Re: reliable RBL
>> On 10.04.24 17:46, Mr. Peng via Postfix-users wrote:
>>> I have been using spamhaus, spamcop, sorbs as the RBL providers for antispam.
>>> But some of the customers speak to me about the FP issues caused by RBL.
>>> Do you think the three RBL above are reliable in a practical system?

> On 10/04/24 22:50, Matus UHLAR - fantomas via Postfix-users wrote:
>> I use them on many servers. I just use postscreen which supports scoring and only block when more than one blocklist hits.

On 11.04.24 09:55, DL Neil via Postfix-users wrote:
> For the benefit of those of us following along with the conversation and hoping to learn 'nuggets' of good-practice, would you mind sharing the settings related to the combination of RBLs and postscreen, please?
>
> Yes slightly OT, but relates to getting the best from postfix!

I have posted it multiple times in the past, last time not so long ago and haven't changed it since:

https://marc.info/?l=postfix-users=171066924208941=2

I am posting the link to the archive, because I also find searching archives for postscreen_dnsbl_sites as the best way for seeing people's configuration and others' comments about it.

Others also posted their postscreen_dnsbl_sites, but I recommend reading replies on that configuration, because people often discuss it here when something bad happens.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I don't have lysdexia. The Dog wouldn't allow that.
[pfx] Re: reliable RBL
> On 10.04.2024 at 10:22:52, Bill Cole via Postfix-users writes:
>>> I have been using spamhaus, spamcop, sorbs as the RBL providers for antispam.
>>> But some of the customers speak to me about the FP issues caused by RBL.
>>> Do you think the three RBL above are reliable in a practical system?
>>
>> Those are three of the best, but you have to understand that they are complicated and may not fit YOUR needs.
>>
>> Spamhaus offers multiple DNSBLs which each has a very specific definition,
>> [...]
>> SpamCop is based on actual feeds of spam from many sources, and when they list an IP, you can be certain that it recently sent spam. They do not
>> [...]
>> SORBS is also informed by multiple sources of spam, and like SpamCop they do not exempt mixed sources. Like Spamhaus, they have both independent DNSBLs and an aggregated list that uses distinct return values for each
>> [...]
>> You really need to look at your DNSBL choices carefully and with an understanding of your users and their needs. You may want to consider

On 10.04.24 17:39, Jaroslaw Rafa via Postfix-users wrote:
> Myself, I use Spamcop, SBL-XBL list from Spamhaus (only this one),

Why not zen? It includes PBL..

> for SORBS, I use only their "Dynamic IP" list.

sorbs dyna is supposed to contain the same IP addresses as spamhaus PBL

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was a Windows 95 beta test site.
[pfx] Re: reliable RBL
On 10.04.24 17:46, Mr. Peng via Postfix-users wrote:
> I have been using spamhaus, spamcop, sorbs as the RBL providers for antispam.
> But some of the customers speak to me about the FP issues caused by RBL.
> Do you think the three RBL above are reliable in a practical system?

I use them on many servers. I just use postscreen which supports scoring and only block when more than one blocklist hits.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I don't have lysdexia. The Dog wouldn't allow that.
[pfx] Re: Aliases with "@" in it
>> On 9.04.2024 at 11:11:31, Paul van der Vlis via Postfix-users writes:
>>> When I want to make an alias, I try this in /etc/aliases:
>>>
>>> "al...@domain.nl": j...@domain.nl
>>>
>>> But when I sent mail, I get a bounce with "user unknown".
>>>
>>> When I do this in /etc/aliases:
>>>
>>> alias: j...@domain.nl
>>>
>>> This works fine, but for all domains on this server. And that's not what I want.
>>>
>>> Do you know a way how to use aliases with an @ in it?

> On 09-04-2024 at 11:46, Jaroslaw Rafa via Postfix-users wrote:
>> You can't do it in the alias_maps= table (which by default points to /etc/aliases file). You should use virtual_alias_maps= table in main.cf file and define the aliases there.

On 09.04.24 12:04, Paul van der Vlis via Postfix-users wrote:
> Thanks, it works. I thought I would not need this file anymore.

virtual_alias_maps and alias_maps have slightly different capabilities

virtual_alias_maps
- is processed when mail is being received
- can be used to rewrite ANY destination mail address (including non-local recipients)
- can be (usually is) used at SMTP level to validate recipients

alias_maps
- is used when delivering mail to local recipients
- can include recipients from file
- can feed mail to a program or a file
- can change mail sender when "alias" is the recipient and "owner-alias" exists

Preferably use virtual_alias_maps, but if you need any of alias_maps features, use that one.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I feel like I'm diagonally parked in a parallel universe.
[pfx] Re: Setting up another "smarthost" with Postfix
On 28.03.24 08:11, Samuel Goodies via Postfix-users wrote:
> This is for a "smarthost" like setup. Mail goes from my server of multiple domains, 2 ip addresses, to this postfix server for delivery. The postfix server does nothing but accept mail from the "real" server and deliver it to the outside world, and supply bounce/error notifications.

So, where did you see the error? Can you post the whole syslog message?

> On 3/28/2024 7:15 AM, Matus UHLAR - fantomas via Postfix-users wrote:
>> Please use plaintext for list mail.
>>
>> On 28.03.24 06:39, Samuel Goodies via Postfix-users wrote:
>>> Ok, I got it installed and running, but any mail from the server to be relayed gets this error.
>>>
>>> --> DATA
>>> <-- 530 5.7.0 Authentication required
>>> --> QUIT
>>
>> are you trying to send mail to this postfix server or from this postfix server?
>>
>> I have set up this error when sending mail on ports 465/587, but it's not postfix default afaik.
>>
>> is it possible that you are trying to send mail through other mail server on submission port where authentication is required and you don't try to authenticate.
>>
>>> So far I've chosen Internet Site as my Debian configuration when the package installed. I added my main domain name, though this postfix box will pass mail for several other domains as well.
>>>
>>> I edited /etc/postfix/main.cf
>>> Under mynetworks I added my firewalled mail server's IP address of 4.4.4.4 (the real one though, not that)
>>>
>>> mynetworks = 127.0.0.0/8 4.4.4.4 [:::127.0.0.0]/104 [::1]/128
>>>
>>> Then I restarted with systemctl restart postfix
>>>
>>> Finally, I added it as my smarthost, but the error above occurs. I thought that adding my server's IP to the mynetworks line would authenticate, but I think I misunderstood.
>>>
>>> Can someone point me to where I messed up?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Christian Science Programming: "Let God Debug It!".
[pfx] Re: Setting up another "smarthost" with Postfix
Please use plaintext for list mail.

On 28.03.24 06:39, Samuel Goodies via Postfix-users wrote:
> Ok, I got it installed and running, but any mail from the server to be relayed gets this error.
>
> --> DATA
> <-- 530 5.7.0 Authentication required
> --> QUIT

are you trying to send mail to this postfix server or from this postfix server?

I have set up this error when sending mail on ports 465/587, but it's not postfix default afaik.

is it possible that you are trying to send mail through other mail server on submission port where authentication is required and you don't try to authenticate.

> So far I've chosen Internet Site as my Debian configuration when the package installed. I added my main domain name, though this postfix box will pass mail for several other domains as well.
>
> I edited /etc/postfix/main.cf
> Under mynetworks I added my firewalled mail server's IP address of 4.4.4.4 (the real one though, not that)
>
> mynetworks = 127.0.0.0/8 4.4.4.4 [:::127.0.0.0]/104 [::1]/128
>
> Then I restarted with systemctl restart postfix
>
> Finally, I added it as my smarthost, but the error above occurs. I thought that adding my server's IP to the mynetworks line would authenticate, but I think I misunderstood.
>
> Can someone point me to where I messed up?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
[pfx] Re: strict access restrictions and bounces
On 25.03.24 16:11, Daniel Marquez-Klaka via Postfix-users wrote:
> I have a problem with check_sender_access that I can't find a solution to. My setup actually works very well with the exception of bounce handling. More on that later, first to describe my setup:
>
> 2 postfix mail servers: one, mail-server1, is connected to the internet, the second, calling it list-server1, which serves a few mailing lists, is only reachable thru mail-server1.
>
> On mail-server1 a transport map entry sends everything for @list-dom.de to list-server1, list-server1 does his work and sends all back to mail-server1 which then delivers to the final destination.
>
> On list-server1, to prevent the whole world sending mails, I have installed a check_sender_access map to accept a few allowed domains, reject everything else.
>
> 8<
> smtpd_sender_restrictions =
>     check_sender_access regexp:/etc/postfix/config/access_sender,
>     reject
> 8<
>
> access_sender file:
> 8<
> /^([a-z0-9_=\.-]+)@dom1.de/ OK
> /^([a-z0-9_=\.-]+)@dom2.de/ OK
> /^([a-z0-9_=\.-]+)@dom3.de/ OK

are you trying to limit allowed characters for the local part of addresses in those domains?

I'd recommend a simple hash map, containing "dom1.de", "dom2.de", "dom3.de" - you need not (probably should not) use regular expressions for everything

> 8<
>
> All fine so far, but...
>
> ... bounces, as they are sent with empty FROM (<>), as I understand to prevent loops, get rejected too. This is a problem because nobody will ever notice if there are dead emails in a list. Also, automatic bounce handling (I am using mailman3 on list-server1) will never do anything.
>
> 8<
> : host 10.245.16.24[10.245.16.24] said: 554 5.7.1 <>: Sender address rejected: Access denied (in reply to MAIL FROM command)
> 8<

add "<>" or whatever you have defined as smtpd_null_access_lookup_key as another allowed sender.
http://www.postfix.org/postconf.5.html#smtpd_null_access_lookup_key

> with 10.245.16.24 being list-server1
>
> After all the googling and manual reading I have done, I can't find a solution and hope someone can point me in the right direction.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
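The lookup behaviour behind both pieces of advice above (a plain hash map instead of regexps, and an explicit "<>" entry for bounces), as an added example that is not Postfix code: it emulates the access(5) key sequence for a hash table and the whole-key matching of a regexp table, then runs the thread's "check_sender_access ..., reject" restriction over a normal sender, a subdomain sender and the empty bounce sender. The tables come from the thread; how pattern tables are consulted is stated as my reading of access(5).

```python
"""check_sender_access lookups for a hash: table and the null sender
(added example, not Postfix code).

It emulates the lookup sequence access(5) describes for an address in a
hash: table: the full address, then the domain and its parent domains,
then the localpart with a trailing "@". The empty envelope sender that
bounces use has no address to split, so Postfix looks up the single key
smtpd_null_access_lookup_key ("<>" by default), which is why the table
from the thread needs a "<>  OK" entry. The regexp table from the thread
is emulated as matching the whole lookup key only, which is how I
understand access(5) to treat pattern tables (assumption).
"""
import re

NULL_SENDER_KEY = "<>"   # default value of smtpd_null_access_lookup_key


def sender_lookup_keys(sender: str, null_key: str = NULL_SENDER_KEY):
    """Keys tried, in order, for a hash: table. Assumes the default
    parent_domain_matches_subdomains, which includes smtpd_access_maps."""
    if sender == "":
        return [null_key]
    local, _, domain = sender.lower().rpartition("@")
    keys = [sender.lower()]
    labels = domain.split(".")
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    return keys


def hash_lookup(table: dict, sender: str):
    """Result of check_sender_access hash:..., or None for DUNNO."""
    for key in sender_lookup_keys(sender):
        if key in table:
            return table[key]
    return None


def regexp_lookup(rules, sender: str):
    """regexp: table: (pattern, result) pairs tried in order against the
    whole lookup key, which for the null sender is "<>"."""
    key = sender.lower() if sender else NULL_SENDER_KEY
    for pattern, result in rules:
        if re.search(pattern, key):
            return result
    return None


def smtpd_sender_restrictions(lookup, sender: str) -> str:
    """'check_sender_access <table>, reject' as in the thread's main.cf:
    a DUNNO from the table falls through to the final reject."""
    result = lookup(sender)
    return result if result is not None else "REJECT"


# The thread's regexp table, as posted.
REGEXP_TABLE = [
    (r"^([a-z0-9_=\.-]+)@dom1.de", "OK"),
    (r"^([a-z0-9_=\.-]+)@dom2.de", "OK"),
    (r"^([a-z0-9_=\.-]+)@dom3.de", "OK"),
]
# The simpler hash table suggested in the reply, before and after the fix.
HASH_TABLE = {"dom1.de": "OK", "dom2.de": "OK", "dom3.de": "OK"}
HASH_TABLE_FIXED = dict(HASH_TABLE, **{NULL_SENDER_KEY: "OK"})

if __name__ == "__main__":
    for sender in ["user@dom1.de", "x@lists.dom2.de", "", "user@evil.example"]:
        print(repr(sender),
              smtpd_sender_restrictions(lambda s: regexp_lookup(REGEXP_TABLE, s), sender),
              smtpd_sender_restrictions(lambda s: hash_lookup(HASH_TABLE, s), sender),
              smtpd_sender_restrictions(lambda s: hash_lookup(HASH_TABLE_FIXED, s), sender))
```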
[pfx] Re: smtpd_discard_ehlo_keyword_address_maps all but internal
>> On Thu, Mar 21, 2024 at 03:20:23PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:
>>> Wietse Venema via Postfix-users:
>>>> smtpd_discard_ehlo_keyword_address_maps = cidr:{ {!10/8 silent-discard,dsn} }
>>>
>>> On 23.02.24 11:12, Wietse Venema via Postfix-users wrote:
>>>> But that does not generalize to hosts with IPv4 and IPv6. In that case, your approach will be more suitable.

> On 3/21/2024 10:21 AM, Viktor Dukhovni via Postfix-users wrote:
>> Surely the generalisation is:
>>
>>     smtpd_discard_ehlo_keyword_address_maps = cidr:{
>>         {if 0.0.0.0/0}
>>             # Private IPv4 addresses
>>             {!10.0.0.0/8 silent-discard,dsn}

On 21.03.24 11:06, Noel Jones via Postfix-users wrote:
> Seems to me 172. and 192. would match the above line. Does cidr support DUNNO?

CIDR should, but smtpd_discard_ehlo_keyword_address_maps would understand it as drop "DUNNO" keyword. That's why I used plain "silent-discard" in my example instead.

>>             {!172.16.0.0/12 silent-discard,dsn}
>>             {!192.168.0.0/16 silent-discard,dsn}

I understand this as: any address outside 10/8 would match the first !10.0.0.0/8, an address in 10/8 would match the second !172.16.0.0/12, thus the third line would never be tried and all addresses would return "silent-discard,dsn".

like this:

    {if 0.0.0.0/0}
        # Private IPv4 addresses
        {10.0.0.0/8 silent-discard}
        {172.16.0.0/12 silent-discard}
        {192.168.0.0/16 silent-discard}
        {0.0.0.0/0 silent-discard,dsn}
    {endif}

>>         {endif}
>>         {if ::/0}
>>             # Unique local, site and link local IPv6 addresses
>>             {!fc00::/7 silent-discard,dsn}
>>             {!fe80::/9 silent-discard,dsn}
>>         {endif}
>>     }
>>
>> Each set of negative rules can be constrained to its address family by enclosing it in an if..endif block.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
[pfx] Re: smtpd_discard_ehlo_keyword_address_maps all but internal
> Matus UHLAR - fantomas via Postfix-users:
> > as I maintain some mail gateways with postfix, I would like to discard the
> > DSN ehlo keyword, from all hosts but internal network.
> >
> > I see that with smtpd_discard_ehlo_keyword_address_maps
> > "Tables will be searched in the specified order until a match is found."
> >
> > but is it possible to allow all keywords from internal network and drop DSN
> > from everywhere else?
> >
> > should I use workaround and use dummy silent-discard without other keyword?
> >
> > smtpd_discard_ehlo_keyword_address_maps =
> >     cidr:{ {10/8 silent-discard} {0/0 silent-discard,dsn} }
>
> Wietse Venema via Postfix-users:
> > smtpd_discard_ehlo_keyword_address_maps = cidr:{ {!10/8 silent-discard,dsn} }

On 23.02.24 11:12, Wietse Venema via Postfix-users wrote:
> But that does not generalize to hosts with IPv4 and IPv6. In that case, your approach will be more suitable.

Thank you. For evidence, I have set it up only on port 25 using master.cf:

    smtp      inet  n       -       y       -       1       postscreen
    smtpd     pass  -       -       y       -       -       smtpd
        -o smtpd_discard_ehlo_keywords=silent-discard,dsn

thus, it does not apply on submission and smtps ports

and main.cf:

    smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/discard_keywords

/etc/postfix/discard_keywords contains:

    10.0.0.0/8 silent-discard
    192.168.0.0/16 silent-discard

This way, I was able to also discard other keywords from other internal clients.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins. -- Daffy Duck & Porky Pig
[pfx] Re: collect emails in maildir folder without delivering them to user
On 19.03.24 07:10, Fourhundred Thecat via Postfix-users wrote:
> All these aliases are delivered to the user's home / maildir.
>
> Now I would like to have yet another alias/email address, but instead of having the emails delivered to my main user, I would like to just collect the emails in some maildir.
>
> I just need to collect these emails for archival purposes, separately from my main account.
>
> I could create a new unix user, and have them delivered to his home / maildir, but that seems quite convoluted.
>
> Is there some straightforward way to collect emails from given alias/email address directly to some maildir folder ?

The easiest way I know is to use user and let the user store mail to its own maildir.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was an Windows 95 beta test site.
[pfx] Re: Ignoring postscreen DNSBL disposition by recipient address
On 15.03.24 15:06, Noel Jones via Postfix-users wrote:
> Postscreen by design only looks at the IP, and has no mechanism to consider other envelope data. The solution is to not use a DNSBL that routinely blocks wanted mail in postscreen.

Or, set postscreen_dnsbl_threshold high enough so it does not rely on listing in single list.

You could e.g. set up:

    postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[0..255]
        dnsbl.sorbs.net=127.0.0.[0..255]
        bl.spamcop.net=127.0.0.2
        list.dnswl.org=127.0.[0..255].[0..255]*-1
        list.dnswl.org=127.0.[0..255].3*-1
    postscreen_dnsbl_threshold=2

maybe if you trust spamhaus enough, append *2 to it

> On 3/15/2024 1:11 PM, Matt Saladna via Postfix-users wrote:
> > Mar 15 13:51:22 atlas postfix/postscreen[5978]: NOQUEUE: reject: RCPT from [1.2.3.4]:51944: 550 5.7.1 Service unavailable; client [1.2.3.4] blocked using zen.spamhaus.org; from=, to=, proto=ESMTP, helo=
> >
> > Postscreen config:
> >
> >     postscreen_dnsbl_action=enforce
> >     postscreen_dnsbl_sites=bl.spamcop.net*2 b.barracudacentral.org*2 zen.spamhaus.org=127.0.[0;1;2].[0..254]*2 list.dnswl.org*-2
>
> I'm somewhat surprised that your (fake) sample singles out zen. It's been pretty reliable for me.

postscreen reports the first dns?l that replies. Thus, it can also report "blacklisted by dnswl" if dnswl catches first. That's why postscreen_dnsbl_reply_map exists

    postscreen_dnsbl_reply_map=texthash:/etc/postfix/dnsbl_map

    % cat /etc/postfix/dnsbl_map
    list.dnswl.org multiple DNS-based blocklists

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I don't have lysdexia. The Dog wouldn't allow that.
[pfx] Re: Dumb question about logging
> Stephen Satchell via Postfix-users wrote on 2024-03-08 06:52:
> > grep relay= mail.log | grep -v relay=local
> >
> > I can then use the message ID to get all the log information for each questioned transaction. Am I on the right road? Please disabuse me of any incorrect notions.

On 08.03.24 12:47, Benny Pedersen via Postfix-users wrote:
> is it not grep -i relay ?
>
> or just grep relay=local

they want to exclude locally delivered mail.

But still, there are too many possibilities:

    Mar  8 11:51:58 fantomas postfix/local[26437]: 4TrjfP18t3z4w4T: to=, relay=local, delay=1.8, delays=1.6/0.01/0/0.1, dsn=2.0.0, status=sent
    Mar  8 12:02:21 fantomas postfix/smtp[26684]: 4TrjtN6SF2z4wB0: to=, relay=...

In case of domains in relay_domains, the command could be even postfix/relay, so one needs to exclude that one as well.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Depression is merely anger without enthusiasm.
[pfx] Re: [ext] Re: [OT] postfwd3 as check_policy_service hogging the CPU
On 07.03.24 12:14, Wietse Venema via Postfix-users wrote:
> The Postfix SMTP server counts only the recipients that it accepts, not the ones that it rejects. That is, a DATA or BDAT command after all recipients are rejected will result in a "554 5.5.1 Error: no valid recipients".

So I guess there is no way for a milter/policy server to know about rejected recipients (other than parsing log file)?

e.g. the DCC milter would report total count of recipients (including rejected/non-existing) to DCC servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Microsoft dick is soft to do no harm
[pfx] Re: Dumb question about logging
On 07.03.24 21:52, Stephen Satchell via Postfix-users wrote:
> Assuming that one's configuration has open relay, what does a log entry for relayed mail look like?

It looks like any other mail, just it was received without authentication, from untrusted clients and sent to remote (not in relay_domains or permit_mx_backup_networks) recipients that were entered by the sender (not local recipients rewritten to remote in aliases or virtual_alias_maps).

> I don't think I've any open relay, but I want to look and make sure. I've searched for half an hour, and no answer came up. But, I did find some hints. Specifically, I use this command to list all outgoing mail:
>
>     grep relay= mail.log | grep -v relay=local

the "relay" means mail destination.

> I can then use the message ID to get all the log information for each questioned transaction. Am I on the right road? Please disabuse me of any incorrect notions.

yes, that could help, but it's pretty much work. I find it better to explicitly test server for relaying.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
We are but packets in the Internet of life (userfriendly.org)
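The grep pipeline discussed in this post and in the follow-up above (excluding relay=local, and the postfix/relay transport used for relay_domains) as an added example that is not from the thread: a small parser that pulls the relay= deliveries out of a Postfix log, drops the transports that deliver locally or to relay_domains, and keeps the queue ID so the whole transaction can be pulled afterwards. The log lines are constructed; the two fantomas lines reuse the timestamps and queue IDs quoted above with recipient and relay values filled in from example domains.

```python
# Added example (not from the thread): find relayed deliveries in a Postfix
# log and group them by queue ID, like 'grep relay= | grep -v relay=local'.
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log: two lines from the thread with constructed
# addresses, plus a relay_domains delivery, a deferred remote delivery and a
# qmgr line that carries no relay= field.
SAMPLE_LOG = """\
Mar  8 11:51:58 fantomas postfix/local[26437]: 4TrjfP18t3z4w4T: to=<alice@example.net>, relay=local, delay=1.8, delays=1.6/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to maildir)
Mar  8 12:02:21 fantomas postfix/smtp[26684]: 4TrjtN6SF2z4wB0: to=<bob@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=0.9, delays=0.2/0.01/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  8 12:05:03 fantomas postfix/relay[26690]: 4TrjwY2Gt1z4wC2: to=<carol@backup.example.net>, relay=mail.backup.example.net[198.51.100.7]:25, delay=1.2, delays=0.3/0.01/0.5/0.4, dsn=2.0.0, status=sent (250 OK)
Mar  8 12:07:44 fantomas postfix/smtp[26684]: 4TrjzR0Yv3z4wD5: to=<dave@example.org>, relay=none, delay=30, delays=0.2/0.01/30/0, dsn=4.4.1, status=deferred (connect to mx.example.org[203.0.113.9]:25: Connection timed out)
Mar  8 12:08:10 fantomas postfix/qmgr[1234]: 4TrjtN6SF2z4wB0: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,]*)")

# Transports that deliver locally or to relay_domains; extend for the
# transports in use on the server (e.g. pipe-based ones).
NOT_OUTBOUND = {"local", "virtual", "relay"}


def parse_delivery(line: str) -> Optional[dict]:
    """Return the delivery fields of a log line, or None if it has no relay=."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m["rest"]))
    if "relay" not in fields:
        return None
    return {
        "qid": m["qid"],
        "program": m["prog"],
        "to": fields.get("to", "").strip("<>"),
        "relay": fields["relay"],
        "status": fields.get("status", "").split(" ", 1)[0],
    }


def relayed_deliveries(log_text: str) -> Dict[str, List[dict]]:
    """{queue id: [deliveries]} for mail handed to something other than the
    local/virtual/relay transports. Deferred attempts (relay=none) are kept:
    they are still outbound traffic worth a look."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        d = parse_delivery(line)
        if d is not None and d["program"] not in NOT_OUTBOUND:
            out[d["qid"]].append(d)
    return dict(out)


def transaction(log_text: str, qid: str) -> List[str]:
    """All log lines of one queue ID (the 'use the message ID' step)."""
    return [ln for ln in log_text.splitlines() if f": {qid}: " in ln]


if __name__ == "__main__":
    for qid, deliveries in relayed_deliveries(SAMPLE_LOG).items():
        for d in deliveries:
            print(qid, d["to"], "->", d["relay"], d["status"])
        for ln in transaction(SAMPLE_LOG, qid):
            print("   ", ln)
```

Whether a hit is actually relaying, i.e. an unauthenticated, untrusted client sending to a remote recipient, still has to be judged from the smtpd lines of that queue ID (client=, sasl_username=), which the transaction() helper gathers.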
[pfx] Re: Active queue congestion
> > You can also configure a non-zero smtpd_client_message_rate_limit

On 07.03.24 17:21, Colin McKinnon via Postfix-users wrote:
> H, not so sure about that. The docs do advise against this for legitimate traffic - and I've yet to see anything in the documentation that describes what happens when these rates are exceeded is it a 4xx? a 5xx? Is the IP just blocked?

I have set this number on some servers to big enough (1000), just to see maximum number in anvil stats. It helps with setting limits later. And yes, there are better ways for this, e.g. using postfwd.

> > you could use a policy service to impose rate limits per SASL login, or sender address
>
> I had not considered that as a means of load balancing across the available relays (delaying the message at the origin is very much a last resort). I will do some reading on this.

Note that policy limits incoming mail, not outgoing. Just like smtpd_*_limit - these are to limit receiving mail from your clients, not sending it out.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Despite the cost of living, have you noticed how popular it remains?
[pfx] Re: [OT] postfwd3 as check_policy_service hogging the CPU
On 07.03.24 11:16, Ralf Hildebrandt via Postfix-users wrote:
> I'm using postfwd3 as a policy service for rate limiting based on the envelope sender address and number of recipients.

not authenticated user? ;-)

> We're both limiting "freemailer" senders (they can only reach a low number of internal recipients before being restricted) as well as our internal users (they can only reach a low number of external recipients before being subject to inspection)
>
> The integration into postfix boils down to:
>
>     smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10040
>
> Now postfwd3 is written in Perl, and that thing is hogging the CPU:
>
>     # ltrace -c -p 2722940
>     % time     seconds  usecs/call     calls      function
>     ------ ----------- ----------- --------- --------------------
>      24.95    5.368282          86     62012 free
>      16.65    3.582837          86     41368 memmove
>      15.74    3.387136          86     38990 malloc
>      15.65    3.368211          86     39100 __errno_location
>      10.81    2.327013          85     27109 calloc
>      10.31    2.217849          86     25717 memcpy
>       2.96    0.637078          85      7418 memcmp
>       2.78    0.597770          85      6958 memchr
>     ... snip ...
>     ------ ----------- ----------- --------- --------------------
>     100.00   21.516662              249020 total
>
> I put the check into smtpd_end_of_data_restrictions, so all recipients are known... Is smtpd_end_of_data_restrictions maybe a suboptimal place for that check_policy_service?

if you want to see/process mail size, using it in smtpd_end_of_data_restrictions is necessary. if not, you can use it in smtpd_data_restrictions. otherwise, the "size" shows what the client sends in mail from:

However, I'd say the optimal place is where you need it. Before smtpd_data_restrictions you don't see recipient_count either.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I drive way too fast to worry about cholesterol.
[pfx] Re: A functional lightweight reverse alias?
> On 3 Mar 2024, at 19:24, Matus UHLAR - fantomas via Postfix-users wrote:
> > The question was if there is other solution for this.

On 04.03.24 11:52, Gerben Wierda via Postfix-users wrote:
> Indeed. If I use an alias in /etc/aliases, mail from X to that alias gets delivered to my original mailbox. If I reply, it gets sent from that original mailbox (canonicals included). So, I was looking for a way to reply such that the one (X) who sent to the alias would get reply from that alias, but only the one that sent to that alias. I’m OK with generalising to ‘all mail to X’.
>
> I think Wietse’s milter suggestion might do the trick, but I also think this will be too complex for me having not enough daily practice with creating milters.

Mozilla supports multiple identities on the same mailbox, even using different sending server/mailbox. So, with mozilla you can have the same result with both alias and mailbox.

However, this may not apply to other clients, where separate account may be needed.

So far I only know of ticketing systems like OTRS but that's far more than e-mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
[pfx] Re: Implementing From: field heuristic when sending messages?
> Matus UHLAR - fantomas via Postfix-users wrote on 2024-03-03 15:59:
> > milters vrfydmn and milterfrom, which allow you to reject mail where envelope and header from: are different

On 03.03.24 17:20, Benny Pedersen via Postfix-users wrote:
> ok if smtpd_milter_maps knows all maillist ips to not use milters, it could be ok

Clients usually use separate ports for sending e-mail. Of course these milters should not be used for incoming mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was an Windows 95 beta test site.
[pfx] Re: A functional lightweight reverse alias?
> Gerben Wierda:
> > Aliases are nice, to receive mail. But when you reply, the address behind the alias is exposed.

On 03.03.24 17:59, David Bürgin via Postfix-users wrote:
> I’m puzzling a bit over this statement … I also use aliases but was not aware that they would expose my real address?

You need to configure MUA to use that address in From: and occasionally also the MTA to allow you using that address in From:

Generally the OP mentioned using separate mailbox with separate addresses that has to be configured in MUAs

> As a test I’m sending this message from a virtual alias (hostmaster@), different from the main address that I use here. It shouldn’t be exposed I believe. (Please ignore if I completely misunderstood.)

You can configure separate address without having separate mailbox, e.g. mozilla has separate "identities".

The question was if there is other solution for this.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
We are but packets in the Internet of life (userfriendly.org)
[pfx] Re: Implementing From: field heuristic when sending messages?
On 03.03.24 10:40, Paul Menzel via Postfix-users wrote:
> A user had their password guessed/leaked, and the account was used to send spam/phishing messages – but only once an hour or so, so it wasn’t detected as abnormal traffic.
>
> One detectable thing would have been, that the sent unsolicited messages used a different name than the user in the From: field.
>
>     Jennifer Wood
>
> To detect phishing messages on the receiving end, we already maintain a list in regexp-header for “important” people, so names used in From: have to match certain email addresses.
>
> The names are already present in the user name or comment field in `/etc/passwd` but also some LDAP database.
>
> Has somebody already experience with implementing such a heuristic, and is it useful¹? If it is useful, how could I do it? Probably an exact match would cause too much trouble, as some users want to put their academic title to the field too.

There are commercial solutions that support this. So far I don't know anything about free solutions.

I know about:

- postfix smtpd_sender_login_maps, reject_authenticated_sender_login_mismatch and reject_known_sender_login_mismatch that allow you to reject disallowed (envelope) from addresses
- milters vrfydmn and milterfrom, which allow you to reject mail where envelope and header from: are different

neither of these controls the non e-mail part of header From: tho.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Remember half the people you know are below average.
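The heuristic the question asks about (display name in From: versus the name on record for the authenticated user, tolerant of academic titles), as an added example that is not from the thread and not one of the tools listed above: the comparison logic a milter or submission-side filter would call. The directory is a constructed dict standing in for the passwd comment field or LDAP, the names are made up, and the title list is an assumption to be adapted locally.

```python
# Added example (not from the thread): compare the From: display name of a
# submitted message with the name on record for the SASL login.
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed directory: SASL login -> name on record (gecos or LDAP in practice)
DIRECTORY = {"jwood": "Jennifer Wood", "mmuster": "Max Mustermann"}

# Title words ignored in the comparison (assumed list; extend for local usage)
TITLES = {"dr", "prof", "phd", "msc", "mba", "dipl", "ing", "mr", "mrs", "ms"}


def name_tokens(name: str) -> set:
    """Lower-cased, accent-stripped words of a name, without titles."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return {t for t in re.findall(r"[a-z]+", ascii_name.lower()) if t not in TITLES}


def display_name(from_header: str) -> str:
    """Display name of a From: header value, with RFC 2047 encoded words decoded."""
    decoded = str(make_header(decode_header(from_header)))
    name, _addr = parseaddr(decoded)
    return name


def from_matches_user(from_header: str, sasl_username: str, directory=DIRECTORY) -> bool:
    """True when every word of the display name (titles aside) belongs to the
    name on record for the login; an empty display name is not a mismatch.
    An unknown login never matches a non-empty display name."""
    shown = name_tokens(display_name(from_header))
    if not shown:
        return True
    return shown <= name_tokens(directory.get(sasl_username, ""))


if __name__ == "__main__":
    samples = [  # constructed (From: header value, sasl_username) pairs
        ("Jennifer Wood <jwood@example.org>", "jwood"),
        ("Dr. Jennifer Wood <jwood@example.org>", "jwood"),
        ("=?utf-8?q?Max_M=C3=BCstermann?= <mmuster@example.org>", "mmuster"),
        ("Bob Smith <jwood@example.org>", "jwood"),
    ]
    for hdr, login in samples:
        print("ok      " if from_matches_user(hdr, login) else "MISMATCH", login, hdr)
```

Subset matching (the shown words must all occur in the recorded name) accepts "Dr. Jennifer Wood" and "Wood" for jwood but flags "Bob Smith"; what to do on a mismatch (hold, tag, alert) is a local policy decision, and the recorded name has to come from the same source the accounts are provisioned from.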
[pfx] Re: postfix check_sender_access and subdomain test
On 28.02.24 21:31, Scott Techlist via Postfix-users wrote:
> As I understand from your explanation, if I keep my
>
>     parent_domain_matches_subdomains = smtpd_access_maps
>
> Then the preceding dot format is moot/not needed. Only
>
>     outbound.protection.outlook.com OK

I recommend keeping parent_domain_matches_subdomains empty and use

    .outbound.protection.outlook.com

other possibility is not to exempt client network but individual sender domains. Of course, it's up to you.

> I've updated my personal postfix manual, and added comments in my respective files as reminders, so as to not get them (client/sender) mixed up next time. The details you covered in-line were very helpful for me. Much appreciated. And now with client checks, it's working as desired.

Note that you can put check_client_access to smtpd_sender_restrictions or smtpd_recipient_restrictions so you'll have them at the same place.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
[pfx] Re: rbl override doesn't work perhaps due to sender using relay
On 24.02.24 07:43, lists--- via Postfix-users wrote:
> > https://www.dnswl.org/?page_id=15
>
> I get your point but this is for a different blocking list. That is spamcop and spamassassin have different blocking lists.

you can still use postscreen which supports multiple weighted block/allow lists, so single listing may not trigger blocking. postscreen also helps much against bots.

http://www.postfix.org/POSTSCREEN_README.html

otoh, postscreen does not check for sender address, but with postscreen you may not need it.

> I am going to review my logs and see how much spam spamcop stops that isn't coming from Microsoft. Maybe I could whitelist the Microsoft IP space in rbl_override.

microsoft has been reported to have many problems with their sending IPs being listed in blocklists.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
[pfx] Re: rbl override doesn't work perhaps due to sender using relay
> > On 24.02.24 00:49, lists--- via Postfix-users wrote:
> > > I have set up rbl_override for the sender's domain.
> > > [...]
> > >     smtpd_recipient_restrictions =
> > >         [...]
> > >         check_client_access hash:/etc/postfix/rbl_override,
> > >         reject_rbl_client bl.spamcop.net,
> > >         check_policy_service unix:private/policy
>
> Feb 24, 2024 6:03:54 AM Matus UHLAR - fantomas via Postfix-users :
> > What's in /etc/postfix/rbl_override ? It obviously does not match 40.107.93.98

On 24.02.24 06:12, lists--- via Postfix-users wrote:
> The rbl_override file only contains domain names with "space OK". If I whitelisted that IP address, I would be whitelisting a Microsoft address that I assume has multiple users. Also that relay IP address isn't static.

I see it now. If you are trying to whitelist sender domain, you must use check_sender_access, since check_client_access checks sending IP address or hostname that IP maps to, which is in this case mail-dm6nam10on2098.outbound.protection.outlook.com.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
He who laughs last thinks slowest.
[pfx] Re: rbl override doesn't work perhaps due to sender using relay
On 24.02.24 00:49, lists--- via Postfix-users wrote:
> I have set up rbl_override for the sender's domain. However it occasionally gets blocked by spamcop. The user owns a domain but relays the mail from outlook. Here is the bounce message the user received:
>
>     Remote server returned '550 5.7.514 Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 554 5.7.1 Service unavailable; Client host [40.107.93.98] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.93.98'
>
> This is the relevant part of my postfix main.cf. I am only showing the spamcop rbl.
>
>     smtpd_recipient_restrictions =
>         [...]
>         check_client_access hash:/etc/postfix/rbl_override,
>         reject_rbl_client bl.spamcop.net,
>         check_policy_service unix:private/policy

What's in /etc/postfix/rbl_override ? It obviously does not match 40.107.93.98

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
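The lookup keys behind the two threads above (check_client_access versus check_sender_access in the rbl_override thread, and the `domain.tld` versus `.domain.tld` forms controlled by parent_domain_matches_subdomains in the check_sender_access thread), as an added example that is not from the list or from Postfix. It reproduces the key order described in access(5): for the client, the verified hostname and then each parent domain, then the IP and shorter prefixes; for the sender, the full address, then the domain and its parents, then the `user@` form. The hostname and IP are the ones quoted above; the table contents and the sender domain are constructed.

```python
# Added example (not from the thread): which keys check_client_access and
# check_sender_access try against an access(5) table, and how
# parent_domain_matches_subdomains changes the parent-domain keys.
from typing import Dict, List, Optional, Tuple


def _parent_domains(name: str, by_parent: bool) -> List[str]:
    """Parent-domain keys in the order Postfix tries them: 'parent.tld' when
    parent_domain_matches_subdomains lists smtpd_access_maps, '.parent.tld'
    otherwise (down to the top-level label)."""
    labels = name.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    return parents if by_parent else ["." + p for p in parents]


def client_keys(hostname: str, ip: str, by_parent: bool = False) -> List[str]:
    """Keys check_client_access tries: hostname, its parents, then the IPv4
    address and its net.work.addr / net.work / net prefixes."""
    keys = [hostname] + _parent_domains(hostname, by_parent)
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys


def sender_keys(address: str, by_parent: bool = False) -> List[str]:
    """Keys check_sender_access tries: user@domain, domain and its parents,
    then user@."""
    local, _, domain = address.rpartition("@")
    return [address, domain] + _parent_domains(domain, by_parent) + [local + "@"]


def lookup(table: Dict[str, str], keys: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """First key present in the table wins, as with an indexed (hash:) map."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


# Values quoted in the threads above.
HOST = "mail-dm6nam10on2098.outbound.protection.outlook.com"
IP = "40.107.93.98"

# Constructed tables.
DOTTED = {".outbound.protection.outlook.com": "OK"}   # what the reply recommends
BARE = {"outbound.protection.outlook.com": "OK"}      # with parent_domain_matches_subdomains
RBL_OVERRIDE = {"sender.example": "OK"}               # sender domain, 'domain OK'

if __name__ == "__main__":
    print("client keys:", client_keys(HOST, IP))
    print("dotted table, default setting:", lookup(DOTTED, client_keys(HOST, IP)))
    print("dotted table, parent setting: ", lookup(DOTTED, client_keys(HOST, IP, by_parent=True)))
    print("rbl_override via client check: ", lookup(RBL_OVERRIDE, client_keys(HOST, IP)))
    print("rbl_override via sender check: ", lookup(RBL_OVERRIDE, sender_keys("user@sender.example")))
```

The sender-domain table never matches a client lookup because none of the client keys (hostname, its parents, IP prefixes) can equal a sender domain, which is the point made in the reply; and the same table entry switches between matching and not matching depending on whether it carries the leading dot and whether smtpd_access_maps is listed in parent_domain_matches_subdomains.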
[pfx] smtpd_discard_ehlo_keyword_address_maps all but internal
hello,

as I maintain some mail gateways with postfix, I would like to discard the DSN ehlo keyword, from all hosts but internal network.

I see that with smtpd_discard_ehlo_keyword_address_maps "Tables will be searched in the specified order until a match is found."

but is it possible to allow all keywords from internal network and drop DSN from everywhere else?

should I use workaround and use dummy silent-discard without other keyword?

    smtpd_discard_ehlo_keyword_address_maps =
        cidr:{ {10/8 silent-discard} {0/0 silent-discard,dsn} }

Does smtpd_discard_ehlo_keyword_address_maps override value in smtpd_discard_ehlo_keywords if a match is found?

thanks

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
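The cidr table lookup this thread turns on (first match wins, `!` negation, if/endif blocks), as an added simulator that is not from the list or from Postfix. It runs the tables quoted in the posts above: Wietse's one-line negation, Viktor's negated-rule table, the positive-rule rewrite from the first reply, and the /etc/postfix/discard_keywords file. The simulator pads short patterns like `10/8` to four octets for convenience, and skips rules written for the other address family; that last point is its own assumption, but with Viktor's if/endif blocks around each family the result is the same either way. The IPv6 half of the positive-rule table is added here in the same style as the IPv4 rewrite.

```python
# Added example (not from the thread): simulate Postfix cidr: table lookup,
# including '!' negation and if/endif blocks, on the tables quoted above.
import ipaddress
import re


def _expand_v4(pattern: str) -> str:
    """Pad short IPv4 patterns such as '10/8' or '0/0' to four octets
    (convenience for this simulator; Viktor's table uses the full form)."""
    net, _, plen = pattern.partition("/")
    if ":" not in net:
        octets = net.split(".")
        net = ".".join(octets + ["0"] * (4 - len(octets)))
    return f"{net}/{plen}" if plen else net


def parse_cidr_table(text: str) -> list:
    """Return (kind, negate, network, result) entries from either the inline
    form 'cidr:{ {pattern result} ... }' or the file form (one entry per
    line, '#' comments, 'if pattern' / 'endif' lines)."""
    raw = re.findall(r"\{([^{}]*)\}", text) if "{" in text else text.splitlines()
    entries = []
    for line in raw:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "endif":
            entries.append(("endif", False, None, None))
            continue
        if words[0] == "if":
            kind, pattern, result = "if", words[1], None
        else:
            kind, pattern, result = "rule", words[0], " ".join(words[1:])
        negate = pattern.startswith("!")
        net = ipaddress.ip_network(_expand_v4(pattern.lstrip("!")), strict=False)
        entries.append((kind, negate, net, result))
    return entries


def lookup(address: str, table: str):
    """First matching rule wins; None means nothing matched (Postfix then
    applies smtpd_discard_ehlo_keywords). Rules for the other address
    family are skipped (simulator assumption, see lead-in)."""
    addr = ipaddress.ip_address(address)
    entries = parse_cidr_table(table)

    def applies(negate, net):
        if addr.version != net.version:
            return None
        return (addr in net) != negate  # '!' inverts membership

    i = 0
    while i < len(entries):
        kind, negate, net, result = entries[i]
        if kind == "if" and applies(negate, net) is not True:
            depth = 1  # skip to the matching endif
            while depth:
                i += 1
                depth += {"if": 1, "endif": -1}.get(entries[i][0], 0)
        elif kind == "rule" and applies(negate, net):
            return result
        i += 1
    return None


WIETSE_TABLE = "cidr:{ {!10/8 silent-discard,dsn} }"
MATUS_FILE = "10.0.0.0/8 silent-discard\n192.168.0.0/16 silent-discard\n"
VIKTOR_TABLE = """cidr:{
    {if 0.0.0.0/0}
    # Private IPv4 addresses
    {!10.0.0.0/8 silent-discard,dsn}
    {!172.16.0.0/12 silent-discard,dsn}
    {!192.168.0.0/16 silent-discard,dsn}
    {endif}
    {if ::/0}
    # Unique local, site and link local IPv6 addresses
    {!fc00::/7 silent-discard,dsn}
    {!fe80::/9 silent-discard,dsn}
    {endif}
}"""
FIXED_TABLE = """cidr:{
    {if 0.0.0.0/0}
    {10.0.0.0/8 silent-discard}
    {172.16.0.0/12 silent-discard}
    {192.168.0.0/16 silent-discard}
    {0.0.0.0/0 silent-discard,dsn}
    {endif}
    {if ::/0}
    # IPv6 block in the same positive style (added here)
    {fc00::/7 silent-discard}
    {fe80::/9 silent-discard}
    {::/0 silent-discard,dsn}
    {endif}
}"""

if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.5.5", "8.8.8.8", "fc00::1", "2001:db8::1"):
        print(f"{ip:>12}  negated: {lookup(ip, VIKTOR_TABLE)!s:<20} positive: {lookup(ip, FIXED_TABLE)}")
```

Running it shows the point made in the reply: with a chain of negated rules every address, private or not, ends up with "silent-discard,dsn" (an address inside one network fails that rule and is caught by the next negation), and the IPv6 block behaves the same way; listing the private networks positively and ending with a catch-all gives the intended split.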
[pfx] Re: success! Re: Re: removing Authentication-Results, how?
> Matus UHLAR - fantomas via Postfix-users wrote in :
> ...
> |I can now also say that these milters:
> |
> |pyspf-milter
> |opendkim
> |opendmarc
> |
> |(at least their versions in Debian 12)
> |
> |do NOT remove existing Authentication-Results: and thus this step is
> |necessary to avoid possible confusion of mail filters.

I should have been more specific: the milters above do not remove any Authentication-Results: headers, therefore they keep even Authentication-Results: header containing local hostname.

> |the "openarc" milter seems to detect and remove offending header.

openarc DOES remove/replace Authentication-Results: header containing local hostname, not A-R header with other hostnames.

On 22.02.24 22:46, Steffen Nurpmeso via Postfix-users wrote:
> As a spoken out opponent of this header (*in*my*opinion* a new flag "V" for the DKIM signature that i then produce would be the signal that my email infrastructure verified (the) signature(s) on ingress side of things) as well as of SPF, ARC and DMARC i am interested in this topic.
>
> However, if i recall correctly, the very sophisticated RFC (that i read more than one year ago) speaks about trust boundaries or similar, on the background of an entire reputation system. Simply removing all instances of this header blows this up, no?

Incoming mail can contain multiple Authentication-Results: with the different authserv-id values, including local hostname. RFC 8601 section 5. requires (MUST) removing headers containing the latter.

I am only removing Authentication-Results: headers that contain $myhostname:

    header_checks = pcre:{ {/^Authentication-Results:\s+\Q$myhostname\E[\s;]/ IGNORE} }

so I'm doing exactly what given RFC orders me to do.
(this was also part of my former questions, if I should remove all such headers or only those with $myhostname)

> Other than that i could imagine adding a flag to my maturing simple DKIM (yet sign-only) milter that removes headers as configured (Authentication-Results, X-Google-DKIM-Signature, ARC-Seal, ARC-Signature, elder DKIM-Signature). Except for the possible last Authentication-Results (of yourself/your provider) it rapidly loses its meaning, or already lost it once it arrives.

Since there can be other types of Authentication-Results: headers defined later, and since people may not want/need to use all of possible milters checking only "their" types, I believe that removing these headers and not relying on spf/dkim/arc/dmarc milters to do that is a good idea.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
[pfx] success! Re: Re: removing Authentication-Results, how?
> On Tue, Feb 20, 2024 at 06:02:22PM -0500, Wietse Venema via Postfix-users wrote:
> > - You'd better add $$ at the end of the pattern, to anchor the regular expression.

On 20.02.24 20:22, Viktor Dukhovni via Postfix-users wrote:
> Actually, that hostname is typically followed by additional data separated by whitespace or a ';'.
>
> >     header_checks = pcre:{ {/^Authentication-Results: \Q$myhostname\E$$/ IGNORE} }
> >
> > Note that pcre, not regexp.
>
> Indeed PCRE is best here:
>
>     header_checks = pcre:{ {/^Authentication-Results: \Q$myhostname\E[\s;]/ IGNORE} }

Thanks to both of you for recommendation, especially about the escaping - It didn't come to my mind.

I did a little change to the RE, so multiple spaces between header name and value don't let the header avoid this check:

    header_checks = pcre:{ {/^Authentication-Results:\s+\Q$myhostname\E[\s;]/ IGNORE} }

I have tested this and the multiple space hack was necessary as headers with multiple spaces were not deleted.

I can now also say that these milters:

    pyspf-milter
    opendkim
    opendmarc

(at least their versions in Debian 12)

do NOT remove existing Authentication-Results: and thus this step is necessary to avoid possible confusion of mail filters.

the "openarc" milter seems to detect and remove offending header.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Spam is for losers who can't get business any other way.
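The three header_checks patterns from this thread (Wietse's `$$`-anchored one, Viktor's `[\s;]` terminator, and the final `\s+` variant, which is also the one quoted in the follow-up above) run against constructed Authentication-Results: headers, as an added example that is not from the list. Python's re stands in for PCRE here: it has no `\Q...\E`, so re.escape() does that job, and main.cf's `$$` is a literal `$`. The hostname is an assumed value for $myhostname.

```python
# Added example (not from the thread): which Authentication-Results: headers
# each of the three header_checks patterns would IGNORE.
import re

MYHOSTNAME = "mx.example.org"  # assumed value of $myhostname

# \Q$myhostname\E -> re.escape(); '$$' in main.cf -> a literal '$' anchor.
PATTERNS = {
    "wietse": r"^Authentication-Results: " + re.escape(MYHOSTNAME) + r"$",
    "viktor": r"^Authentication-Results: " + re.escape(MYHOSTNAME) + r"[\s;]",
    "final":  r"^Authentication-Results:\s+" + re.escape(MYHOSTNAME) + r"[\s;]",
}

# Constructed logical header lines (name and value, as header_checks sees them).
SAMPLE_HEADERS = [
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com",
    "Authentication-Results:   mx.example.org; dkim=pass header.d=example.com",
    "Authentication-Results: mx.example.org",
    "Authentication-Results: mx.example.org.attacker.test; dmarc=pass",
    "Authentication-Results: mx.example.orgx; spf=pass",
    "Authentication-Results: mail.other.example; dmarc=pass",
]


def filter_headers(headers, pattern):
    """Split headers into (kept, ignored) the way an IGNORE rule would."""
    rx = re.compile(pattern)
    kept, ignored = [], []
    for h in headers:
        (ignored if rx.search(h) else kept).append(h)
    return kept, ignored


def ignored_by(name, headers=SAMPLE_HEADERS):
    """Headers removed by the named pattern from the thread."""
    return filter_headers(headers, PATTERNS[name])[1]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"--- {name}")
        for h in ignored_by(name):
            print("IGNORE", h)
```

None of the three touches a header whose authserv-id merely starts with the local hostname (the `.attacker.test` and `orgx` samples), which is what the terminator after `\E` buys; the `\s+` variant is the only one that also catches the header written with several spaces after the colon. A header that carries nothing after the authserv-id is caught only by the `$`-anchored form.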
[pfx] Re: Authentication question
> On 22.02.24 at 15:58, Wietse Venema via Postfix-users wrote:
> > michaelof--- via Postfix-users:
> > >     2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
> > >     2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from : \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
> > >     2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0
> >
> > Configure the client to connect to port 465 instead of 578. With Postfix, uncomment the smtps(submissions) service in the Postfix master.cf file. It should have the same "-o" options lines as the submission service, plus a line that says "-o smtpd_tls_wrappermode=yes". Then execute the command "postfix reload". You may need to open port 465 with a firewall rule.

On 22.02.24 18:10, michaelof--- via Postfix-users wrote:
> Opened smtps service in firewalld. Changed email user config for testing in Thunderbird from port 578 to 465, and from "STARTTLS" to "SSL/TLS". Sending from Thunderbird works at once.

You can leave both services running. 587/submission will use (explicit) STARTTLS, port 465/smtps (implicit) SSL/TLS - different MUAs often call those protocols differently.

> Sending from NVR still fails, new msgs in log:
>
>     2024-02-22T17:49:57.074140+01:00 vserver postfix/smtps/smtpd[165894]: connect from
>     2024-02-22T17:49:57.177663+01:00 vserver postfix/smtps/smtpd[165894]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism

your sasl server does not support LOGIN authentication mechanism.

with dovecot, you need to set up in dovecot config e.g.:

    auth_mechanisms = plain login

and with cyrus sasl, your smtpd config needs e.g.:

    mech_list: PLAIN LOGIN

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
[pfx] Re: Authentication question
On 22.02.24 15:28, michaelof--- via Postfix-users wrote: Postfix 3.7.3 on OpenSuse Leap 15.5 I've set up my private Postfix for outgoing SMTP traffic with authentication, port 587, starttls, password normal. Works fine for years now (2016 or so) for outgoing email sent via Thunderbird, Roundcube Webmail, K9-Mail on Android etc. pp. Now I want to tell my new Hikvision CCTV NVR to sent event based email via my own Postfix. Created a designated email adress for this, works fine with Email clients mentioned above. NVR's config options are looking pretty usual, have to specify SMTP-server, port, "SSL/TLS" true/false, "Authenticate" true/false and user/pw if "Authenticate" is set to true. But test option simply says "failed". Looking into my Postfix's server logs, I'm seeing the following log entries for a SUCCESFUL (Thunderbird) sent: 2024-02-22T14:00:49.478132+01:00 vserver postfix/submission/smtpd[150293]: connect from 2024-02-22T14:00:50.026993+01:00 vserver postfix/submission/smtpd[150293]: 066DC4D74DC: client=, sasl_method=PLAIN, sasl_username=c...@tufar.at 2024-02-22T14:00:50.069519+01:00 vserver postfix/cleanup[150298]: 066DC4D74DC: message-id= 2024-02-22T14:00:50.124765+01:00 vserver postfix/qmgr[1644]: 066DC4D74DC: from=, size=810, nrcpt=1 (queue active) 2024-02-22T14:00:50.386658+01:00 vserver postfix/smtp[150299]: 066DC4D74DC: to=, relay=..., delay=0.39, delays=0.13/0.01/0.1/0.15, dsn=2.0.0, status=sent (250 2.0.0 Message accepted.) 
2024-02-22T14:00:50.386891+01:00 vserver postfix/qmgr[1644]: 066DC4D74DC: removed

and the following log entries for the NVR's UNSUCCESSFUL send:

2024-02-22T13:56:15.715392+01:00 vserver postfix/submission/smtpd[150038]: connect from
2024-02-22T13:56:15.715607+01:00 vserver postfix/submission/smtpd[150038]: improper command pipelining after CONNECT from : \026\003\001\001 \001\000\001\034\003\003o\365\274\337\000\246\346\341\276\270\237\233\021p\314S\312\371\3149\231\202d\201?\241\332\357\214\330\313\301 \255\357\251\234m\024\225\250Yx\344oa\207\342p\354\0261B\347\223m\224Q\td\276n:#\n\000>\023\002\023\003\023\001\300,\3000\000\237\314\251\314\250\314\252\300+\300/
2024-02-22T13:56:15.715853+01:00 vserver postfix/submission/smtpd[150038]: disconnect from commands=0/0
2024-02-22T13:56:15.740078+01:00 vserver postfix/submission/smtpd[150038]: connect from
2024-02-22T13:56:15.857410+01:00 vserver postfix/submission/smtpd[150038]: warning: : SASL LOGIN authentication failed: Invalid authentication mechanism
2024-02-22T13:56:15.867110+01:00 vserver postfix/submission/smtpd[150038]: lost connection after AUTH from
2024-02-22T13:56:15.867404+01:00 vserver postfix/submission/smtpd[150038]: disconnect from ehlo=2 starttls=1 auth=0/1 commands=3/4

Any hints would be great, if this might be a firmware bug from the NVR, or could maybe be solved by changing my SASL etc. config.

This looks like an encryption problem. Someone is trying to use port 587 as implicit SSL, instead of explicit (STARTTLS). Implicit SSL should be used on port 465 (aka smtps/submissions service).
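As an added example (not part of the thread and not Postfix code), here is a small Python helper that decodes the escaped bytes Postfix writes into an "improper command pipelining after CONNECT" log line and checks whether they form a TLS ClientHello, which is what the NVR's log above shows: \026\003\001 is record type 0x16 (handshake) with version 3.1, and the \001 a few bytes later is handshake type 1 (ClientHello). The sample log line is constructed from the quoted entry; the client name and IP in it are hypothetical, since the quoted log has them elided.

```python
import re

# Added example, not from the thread. Constructed log line modelled on the Postfix
# "improper command pipelining" entry quoted above; the client name/IP is hypothetical.
SAMPLE_LOG = (
    r"postfix/submission/smtpd[150038]: improper command pipelining after CONNECT "
    r"from unknown[192.0.2.10]: \026\003\001\001 \001\000\001\034\003\003o\365\274\337"
)

# Postfix logs non-printable bytes as three-digit octal escapes; a few C-style
# escapes (\n, \r, \t, \\ and friends) can appear as well.
_ESC = re.compile(r"\\([0-7]{3}|[abfnrtv\\])")
_CSTYLE = {"a": b"\a", "b": b"\b", "f": b"\f", "n": b"\n",
           "r": b"\r", "t": b"\t", "v": b"\v", "\\": b"\\"}


def unescape_postfix(text: str) -> bytes:
    """Turn a Postfix-escaped log fragment back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        tok = m.group(1)
        out += _CSTYLE[tok] if tok in _CSTYLE else bytes([int(tok, 8)])
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def pipelining_payload(line: str):
    """Extract the escaped client data from an 'improper command pipelining' line."""
    m = re.search(r"improper command pipelining after CONNECT from .*?: (.*)$", line)
    return unescape_postfix(m.group(1)) if m else None


def parse_tls_record(data: bytes):
    """Decode the TLS record and handshake headers if the bytes look like a TLS record."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return None
    record_len = int.from_bytes(data[3:5], "big")
    handshake_len = int.from_bytes(data[6:9], "big")
    return {
        "version": (data[1], data[2]),
        "record_len": record_len,
        "handshake_type": data[5],
        "handshake_len": handshake_len,
        # a lone ClientHello fills the record exactly: 4-byte handshake header + body
        "consistent": record_len == handshake_len + 4,
    }


def classify_first_bytes(data: bytes) -> str:
    rec = parse_tls_record(data)
    if rec and rec["handshake_type"] == 0x01:
        return "tls-client-hello"
    if re.match(rb"(?i)(EHLO|HELO|NOOP|QUIT|STARTTLS)\b", data[:10]):
        return "smtp-command"
    return "unknown"


ADVICE = {
    "tls-client-hello": "client speaks implicit TLS; point it at port 465 (submissions) "
                        "or turn off its SSL/TLS switch so it uses STARTTLS on 587",
    "smtp-command": "plaintext SMTP sent before the banner; fix the client's pipelining",
    "unknown": "neither TLS nor SMTP; inspect the raw bytes",
}


def diagnose(line: str) -> str:
    payload = pipelining_payload(line)
    return ADVICE[classify_first_bytes(payload or b"")]
```

The record length (0x0120 = 288) and the handshake length (0x00011c = 284) in the quoted entry agree, so this is a well-formed ClientHello arriving where Postfix expects an EHLO; that is the signature of a client configured for "SSL/TLS" (wrapper mode) pointed at the STARTTLS port.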
[pfx] Re: removing Authentication-Results, how?
Reviving my a bit old question.

Matus UHLAR - fantomas via Postfix-users:
RFC 8601 section 5. requires deleting Authentication-Results headers from incoming messages. This should be done at the trusted border, so when receiving a message via SMTP from clients or the world, except MX gateways or possibly backup MX servers.

On 16.01.24 11:55, Wietse Venema via Postfix-users wrote:
Indeed, the idea is to delete any Authentication-Results instance that claims [...] to have been added within [this MTA's] trust boundary but that did not come directly from another trusted MTA."

I don't want to rely on milters stripping those headers so I'll try header_checks. I guess I could remove all Authentication-Results: headers by using regexp_table:

/^Authentication-Results: / IGNORE

but is it possible to put an environment or postfix variable there?

/^Authentication-Results: $myhostname/ IGNORE

I guess the inline code available since 3.7 supports this:

header_checks = regexp:{ {/^Authentication-Results: $myhostname/ IGNORE} }

This would only remove problem headers and exempt MX backups.

If it helps, header_checks happen before Milters see the message, while milter_header_checks happen when a Milter adds a header.

I am very glad it works this way.
[pfx] Re: Change unknown_address_reject_code on a smarthost to a 5xx reply?
On 15.02.24 15:27, Simon Hoffmann via Postfix-users wrote:
> - it took 4h for the sender to get a notification that the domain was not found

Matus UHLAR - fantomas via Postfix-users wrote:
this should be configurable by tuning delay_warning_time

On 15.02.24 16:10, Simon Hoffmann via Postfix-users wrote:
yes, but this setting is "global" in the sense that I cannot restrict the warning time to be short only on "domain not found" or similar errors, and keep it longer on network timeouts or such. Neither Postfix nor my current internal server can make this distinction (and that is okay). Sometimes I take the smarthost offline because I perform maintenance on the underlying proxmox host. These are normally periods shorter than 30 mins, thus I want the delay warning to be something bigger than 1h to not annoy the users, but I want the users to know immediately if they have a typo in their domain.

I guess you can modify the delay as needed. Check your internal MTA docs. Hopefully the warn time is resolved at the attempt, not at the time mail is received.

Your user sent two mails, one to wrong address and got a deferral then a timeout. It's hard to solve this technically, if user can't look what address failed

Sure. But even I needed to read the delay warning email my user showed me several times until I finally found the typo in the address. Having the internal server generate new warning mails after the new email has been sent (because the old mail is still in the queue because it was never officially rejected) only leads to confusion. Furthermore, since the subject says "mail delayed" the user might not even read the explanation in the body of the notification and realise that they have a typo in their recipient domain.
So having the smarthost postfix permfail an email sent to a domain that does not exist means the internal user gets the notification immediately and the notification contains "failed" instead of "delayed" and the internal server does not try to send the mail over and over.

This is what I meant by "It's hard to solve this technically". The system can't know who the user wanted to send e-mail to, the system only knows who the mail was sent to.

> so tldr: can I change unknown_address_reject_code to a perm fail on a server whose only purpose is
> to send outgoing mails, without any unwanted effects resulting from this change?
> (that means the behaviour of postfix on this machine would exactly be the same with
> or without the change with the only difference that emails with typos would be
> rejected with a permfail)

I have done this on my servers. I believe it's better when senders know immediately that the address is not deliverable.

exactly. But did you experience any unwanted side effects like the server permfailing email because of dns timeouts or something?

no, as you wrote before, dns failures are handled by unknown_address_tempfail_action
[pfx] Re: Change unknown_address_reject_code on a smarthost to a 5xx reply?
On 15.02.24 15:27, Simon Hoffmann via Postfix-users wrote:
I have a dedicated postfix machine that I use as a smarthost for all my outgoing email from my internal servers. The smarthost even has only ports 465 and 587 enabled/opened. Recently we had the case that an internal user composed an email to an external recipient and had a typo in the domain. The internal server currently does no checks but forwards all email for external recipients to the smarthost. The smarthost then replied to the internal mailserver with

Out: 450 4.1.2 : Recipient address rejected: Domain not found

Since this was a 4xx tempfail reply, the internal mailserver tried to send the email over and over and only after 4 hours the internal mailserver sent a "mail delivery delayed" email to the original sender. They then could compose the email again with the correct recipient address, but since they have no ssh root access to the server they could not remove the email with the typo from the internal server's queue and thus they got even more "mail delivery delayed" notifications periodically until the message expired from the queue.

There are two things that bother me:
- it took 4h for the sender to get a notification that the domain was not found

this should be configurable by tuning delay_warning_time

- after they "corrected" it by sending a second email with the correct address, they still got mail delivery delayed notifications which leads to confusion if they miss the fact that the mail with the typo was delayed, and instead think their new mail is delayed again because something is wrong

Your user sent two mails, one to wrong address and got a deferral then a timeout. It's hard to solve this technically, if user can't look what address failed

so tldr: can I change unknown_address_reject_code to a perm fail on a server whose only purpose is to send outgoing mails, without any unwanted effects resulting from this change?
(that means the behaviour of postfix on this machine would exactly be the same with or without the change with the only difference that emails with typos would be rejected with a permfail)

I have done this on my servers. I believe it's better when senders know immediately that the address is not deliverable.

Note that you need to do this on your smarthost, not on the internal server. Also, you can configure domain verification on those internal servers and I recommend doing so.

You can hypothetically override the code from your smarthost on your internal mail server by using smtp_delivery_status_filter but you must be damn careful about that.
[pfx] Re: Server etiquette
On Wed, 2024-02-07 at 12:15 -0500, Viktor Dukhovni via Postfix-users wrote:
I prefer to have logs that record what I'm blocking. With firewall rules there's not sufficient forensic evidence left behind.

On 14.02.24 19:11, Nikolai Lusan via Postfix-users wrote:
Here's a tip - try the 'LOG' target before you DROP/DENY/REJECT (I prefer REJECT with an ICMP host/port unreachable for _all_ ports on my side of the link).

Unfortunately it only provides the IP you have banned, not from/to mail addresses. However I also implemented it because of too many attacks on servers...
[pfx] Re: masquerade_domains does not work for relayed domain
On 13.02.24 09:39, Aleksandar Ivanisevic via Postfix-users wrote:
so far so good, but on mail2.v2.eentf.com:

masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = 2e-systems.com

[root@mail2.v2] fgrep 943B8CCEE05 /var/log/maillog
Feb 13 08:32:38 mail2 postfix/smtpd[3873524]: 943B8CCEE05: client=stats2.2e-systems.com[213.198.74.82]
Feb 13 08:32:38 mail2 postfix/cleanup[3873509]: 943B8CCEE05: message-id=<20240213083238.61c241c...@stats2.2e-systems.com>
Feb 13 08:32:38 mail2 opendkim[2498371]: 943B8CCEE05: no signing table match for 'st...@stats2.2e-systems.com'
Feb 13 08:32:38 mail2 postfix/qmgr[3729579]: 943B8CCEE05: from=, size=565, nrcpt=1 (queue active)
Feb 13 08:32:47 mail2 postfix/smtp[3872588]: 943B8CCEE05: to=, relay=mx2.forwardemail.net[104.248.224.170]:25, delay=8.9, delays=0.05/0/1.6/7.3, dsn=2.0.0, status=sent (250 OK: message queued)
Feb 13 08:32:47 mail2 postfix/qmgr[3729579]: 943B8CCEE05: removed

so the envelope from has been rewritten, but the received email looks like this:

...
Received: from STATS2.2e-systems.com (stats2.2e-systems.com [213.198.74.82]) by eentf.com (Postfix) with ESMTP id 943B8CCEE05 for ; Tue, 13 Feb 2024 08:32:38 + (UTC)
Received: by STATS2.2e-systems.com (Postfix, from userid 505) id 61C241CE21; Tue, 13 Feb 2024 09:32:38 +0100 (CET)
From: st...@stats2.2e-systems.com
To: aleksan...@ivanisevic.de
Subject: masquerade test
Message-Id: <20240213083238.61c241c...@stats2.2e-systems.com>
Date: Tue, 13 Feb 2024 09:32:05 +0100 (CET)

is 213.198.74.82 listed in local_header_rewrite_clients ?
http://www.postfix.org/postconf.5.html#masquerade_domains

Note: with Postfix version 2.2, message header address masquerading happens only when message header address rewriting is enabled:
- The message is received with the Postfix sendmail(1) command,
- The message is received from a network client that matches $local_header_rewrite_clients,
- The message is received from the network, and the remote_header_rewrite_domain parameter specifies a non-empty value.

http://www.postfix.org/postconf.5.html#local_header_rewrite_clients
[pfx] Re: I don't understand the problem with DMARC and postfix
On 09.02.24 14:58, natan via Postfix-users wrote:
Feb 2 09:02:45 mail134 opendkim[27903]: 888B43B0063: smtpfarm4.allegro.pl [91.207.xxx.xxx] not internal
Feb 2 09:02:45 mail134 opendkim[27903]: 888B43B0063: not authenticated
Feb 2 09:02:45 mail134 opendkim[27903]: 888B43B0063: DKIM verification successful
Feb 2 09:02:45 mail134 opendkim[27903]: 888B43B0063: s=smtp d=allegromail.pl SSL
Feb 2 09:02:45 mail134 opendmarc[29379]: 888B43B0063 ignoring Authentication-Results at 0 from mail134.xxx.xxx.pl
Feb 2 09:02:45 mail134 opendmarc[29379]: 888B43B0063 ignoring Authentication-Results at 12 from mail134.xxx.xxx.pl

I guess this is from your host so why is it ignoring them? My machine ignores Authentication-Results from foreign servers.

Are you sure it's not caused by the typo in AuthservID? Can you post at least the first 13 headers from that e-mail?

opendmarc.conf:
AuthservID mail143.xxx.xxx.pl
PidFile /var/run/opendmarc.pid
RejectFailures false
Syslog true
IgnoreAuthenticatedClients true
IgnoreHosts /etc/opendmarc/ignore.hosts
SyslogFacility mail
UMask 0002
UserID opendmarc:opendmarc
HistoryFile /var/tmp/opendmarc.dat

And I have no idea. And I don't know what to pay attention to; the email itself has the correct structure
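An added example, not code from either thread: a Python sketch of the two Authentication-Results checks discussed on this page, the RFC 8601 section 5 stripping of inbound headers that claim our own authserv-id (what the header_checks rule "/^Authentication-Results: $myhostname/ IGNORE" in the "removing Authentication-Results" thread does, with a backup-MX exemption), and the opendmarc AuthservID mismatch that yields the "ignoring Authentication-Results at N from <host>" log lines above. The host names, the header block and the configured AuthservID values are constructed; the typo is modelled as mail143 vs mail134, mirroring the opendmarc.conf quoted above.

```python
# Added example, not the thread's code. Hypothetical host names and a constructed
# header block; real Authentication-Results headers follow RFC 8601.
MY_AUTHSERV_ID = "mail134.example.net"             # what this MTA writes into A-R
OPENDMARC_AUTHSERV_ID_TYPO = "mail143.example.net"  # mistyped AuthservID in opendmarc.conf

SAMPLE_HEADERS = """\
Return-Path: <sender@example.org>
Authentication-Results: mail134.example.net;
\tdkim=pass header.d=example.org header.s=smtp
Authentication-Results: mail134.example.net; spf=pass smtp.mailfrom=example.org
Authentication-Results: mx.other.example; dmarc=pass header.from=example.org
Authentication-Results: MAIL134.example.net 1; dkim=fail (forged)
From: sender@example.org
Subject: test
"""


def parse_headers(raw: str):
    """Return (name, value) pairs, unfolding continuation lines (RFC 5322 section 2.2.3)."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers


def authserv_id(value: str) -> str:
    """The authserv-id is the first token before ';'; an optional version number may follow it."""
    head = value.split(";", 1)[0].strip()
    return head.split()[0].lower() if head else ""


def strip_inbound_claims(headers, my_id, trusted_client=False):
    """RFC 8601 section 5: drop A-R headers that claim our authserv-id on mail that did not
    come from a trusted MTA. Same effect as the header_checks IGNORE rule on $myhostname;
    a trusted client (backup MX) is exempt, which a global header_checks rule cannot express."""
    if trusted_client:
        return list(headers)
    return [(n, v) for n, v in headers
            if not (n.lower() == "authentication-results" and authserv_id(v) == my_id.lower())]


def headers_opendmarc_would_ignore(headers, configured_authserv_id):
    """opendmarc only trusts A-R headers whose authserv-id equals its AuthservID; every other
    one is logged as 'ignoring Authentication-Results at N from <authserv-id>'."""
    return [authserv_id(v) for n, v in headers
            if n.lower() == "authentication-results"
            and authserv_id(v) != configured_authserv_id.lower()]
```

With the mistyped AuthservID every header is ignored, including the ones opendkim on the same host just wrote, which is exactly the log pattern in the question; with the AuthservID matching what the host actually writes, only the foreign mx.other.example header is ignored.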
[pfx] Re: ARC or DKIM or SRS?
On Feb 8, 2024, at 01:56, Matus UHLAR - fantomas via Postfix-users wrote:
I have removed postgrey from servers I manage a few years ago. - without good exemption lists, you'll run into hours long waiting for email from various mail services that attempt multiple times from multiple IP addresses, e.g. microsoft or google. I implemented postscreen instead that has similar functionality but is a bit more safe to use.

On 08.02.24 13:05, Doug Hardie via Postfix-users wrote:
I implemented postscreen quite a while ago. I don't see where or how it introduces a delay to force the originating MTA to queue and try later.

It does not introduce _this_ kind of delay, because it was the main reason for noticeable delays of incoming mail I mentioned in my last e-mail.

It has multiple benefits against bots, like:
- few seconds delay for refusing clients that send helo/ehlo before the esmtp greeting (I have used this for years with sendmail)
- dnswl/dnsbl scoring system.

These are pretty safe to use.
[pfx] Re: ARC or DKIM or SRS?
On 07.02.24 21:51, Christophe Kalt via Postfix-users wrote:
+1 on setting up SRS, it helps with Gmail and I believe ARC does too (although I don't have hard data on this). Interesting note about postgrey, I didn't think that was effective any longer but maybe it is.

I have removed postgrey from servers I manage a few years ago.
- without good exemption lists, you'll run into hours long waiting for email from various mail services that attempt multiple times from multiple IP addresses, e.g. microsoft or google.

I implemented postscreen instead that has similar functionality but is a bit more safe to use.
[pfx] Re: ARC or DKIM or SRS?
On 08-02-2024 at 04:09, Peter via Postfix-users wrote:
My recommendations are as follows (other people's recommendations will vary):
1. Don't forward mail.
2. If you must forward mail then relay it using a different IP address to mail that originates from you, that way if the IP gets added to a DNSRBL it at least should hopefully not affect the mail that you originate.
3. SPAM-filter mail before you forward it, be aggressive with this as you really don't want to be forwarding SPAM. Note that some SPAM will still get through.
4. ARC sign your forwarded mail.
5. Use SRS on forwarded mail.
This is in addition to all the other things you do for mail that you originate (SPF, DKIM, DMARC, etc).

On 08.02.24 09:38, Kees van Vloten via Postfix-users wrote:
A little addition that also helps a bit: move the content of the From: header to the Reply-To: header and replace From: with the local account that is forwarding the message. All mail then originates from your domain and a reply to a forwarded message will go to the original sender.

This requires a mechanism to prevent any error messages from being forwarded. Simple forwarding usually forwards all messages sent to a mailbot, but if you forward to an address that has a problem which results in error mail, you don't want to forward that error mail to the same address again. Especially if that error looks like "gmail has decided your mail is spam"
[pfx] Re: Server etiquette
On 2/7/24 10:48, Matus UHLAR - fantomas via Postfix-users wrote:
postscreen is great against bots, but fail2ban with firewall are still better against abusers.

On 07.02.24 10:52, Phil Stracchino via Postfix-users wrote:
And once you get the "Aha!" insight into how its configuration works, it's actually not difficult to set up.

perfect note. It's quite hard to configure properly, luckily you can get sane defaults on e.g. Debian.

I have configured this into /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 195.80.174.185
loglevel = DEBUG

[postfix]
enabled = true
mode = aggressive

it should be enough for a start; you may want to adapt it to your e.g. firewall or syslog structure.
[pfx] Re: Server etiquette
On 07.02.24 10:41, John Hill via Postfix-users wrote:
This site sends nothing but junk. In fact the domain is known for it. I tried just rejecting the email address. But they just change it. So I blocked the IP, they have several. I have watched them do constant connections over and over. 20 then pause then 20 again and again. I think I have become somewhat of a challenge. I'll try using postscreen and see how it shakes out.

postscreen is great against bots, but fail2ban with firewall are still better against abusers.
[pfx] Re: Server etiquette
On 07.02.24 07:59, John Hill via Postfix-users wrote:
Do mail servers as a whole stop sending an email after a few errors?

abusers never stop, others possibly.

I have a server I have blocked in my firewall. It continues to try and is blocked as many as 4000+ times a day. If postscreen was set to deny it, would that signal the server and limit the attempts?

The sending IP most likely would not care. It's better to keep that IP in the firewall, maybe dropping packets, maybe tarpitting them (most probably requires addons to your firewall).
[pfx] Re: Adjusting smtpd_recipient_restrictions
On 05.02.24 16:59, Mark via Postfix-users wrote:
Hi again Matus, oh, now I got it! After your reply, I now have in my master.cf ($mua_*);

submission inet n - y - - smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_sender_restrictions=$mua_sender_restrictions
 -o smtpd_recipient_restrictions=$mua_recipient_restrictions
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
submissions inet n - y - - smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sender_restrictions=$mua_sender_restrictions
 -o smtpd_recipient_restrictions=$mua_recipient_restrictions
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

for both 'submission' and 'submissions'.

as I said before, I would put there:

 -o smtpd_client_restrictions=$mua_client_restrictions
 -o smtpd_helo_restrictions=$mua_helo_restrictions

and set in main.cf:

mua_client_restrictions = permit_sasl_authenticated, check_client_access static:{530 5.7.0 Authentication Required.}
mua_helo_restrictions =

so no mail would get through without authentication and clients attempting that would get a proper error message - HELO from authenticated clients is not handled at all.

And in main.cf, I replaced smtpd_sender* and smtpd_recipient* with:

mua_sender_restrictions =
mua_recipient_restrictions =

I did not recommend you to change either of those. They should be used for mail servers as you had them set up before. Better set them back, so you don't affect receiving mail from mail servers.

setting mua_* variables in main.cf and using them in master.cf is just a trick to have settings for both "smtps" and "submission" in one place. The "smtpd" processes use settings from main.cf, unless you redefine them in master.cf. That's why you put "-o smtpd_*_restrictions=..." in master.cf.
mua_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender, permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain,

move reject_unknown_sender_domain up, so you don't accept non-existing domains from local ($mynetworks) or authenticated clients:

smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unlisted_sender, reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, permit

If you set it like this, you don't need to set mua_sender_restrictions in main.cf nor use it in master.cf.

mua_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org=127.0.0.[2..11], check_policy_service unix:private/spf-policy, permit

I think this is a better approach, if I did it correctly? Could you confirm please?

I have tried to explain it before: you should not use DNSBLs in submission/smtps services, as you can expect many of your clients to connect from shared or dynamic IP addresses, which are surely listed in zen.spamhaus.org, maybe in other DNSBLs too.

You should keep smtpd_recipient_restrictions as it was before.

looking again at your paste:
>> >https://pastebin.mozilla.org/i5tMtPAk

you should drop from mua_recipient_restrictions everything perhaps except:

mua_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_unauth_destination,

...perhaps add (for sure) permit_sasl_authenticated, reject
[pfx] Re: Adjusting smtpd_recipient_restrictions
On 05.02.24 15:46, Mark wrote:
Thanks for the idea below. I'm going to try wrapping them in $mua in main.cf. However, you said; "Looking at your smtpd_recipient_restrictions and using reject_rbl_client, you need to override them too." I really didn't get this, by "overriding" could you explain further please where I made a mistake?

all settings like "smtpd_recipient_restrictions" are taken from main.cf, unless they are overridden in master.cf like this:

>submission inet n - y - - smtpd
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes
> -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

so, you override content of settings in main.cf. Since your smtpd_recipient_restrictions in main.cf:

>But I guess most of my rules are happening in main.cf, which is listed
>here;
>
>https://pastebin.mozilla.org/i5tMtPAk

contain a number of reject_rbl_client options, it makes sense to override them as above: "-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"

In short, I have commented out smtpd_sender_restrictions and smtpd_recipient_restrictions in master.cf,

you better keep them as they are.

looking at your smtpd_recipient_restrictions and using reject_rbl_client, you need to override them too. I have moved those to postscreen and only use like nonexistent domains, users, banned domains described above
[pfx] Re: Adjusting smtpd_recipient_restrictions
On 04.02.24 22:06, Mark via Postfix-users wrote:
->"Best practice is to require submission users sending outbound mail do so via ports 465 and/or 587."

Indeed here, I'm able to connect my smtp service *only* through;
port 465 - SSL only
port 587 - TLS only

Authentication/login is not enabled on port 25, however port 25 is still open for worldwide communication, as usual. I have:

smtp inet n - y - - smtpd
submission inet n - y - - smtpd
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_tls_auth_only=yes
 -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

I don't really *deeply* know how safe I go with my master settings above.. Anything absurd?

I use these two for submission/submissions in master.cf

 -o smtpd_client_restrictions=$mua_client_restrictions
 -o smtpd_helo_restrictions=$mua_helo_restrictions
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

where main.cf contains:

mua_client_restrictions = permit_sasl_authenticated, check_client_access static:{530 5.7.0 Authentication Required.}
mua_helo_restrictions =

which means:
- unauthenticated clients get the error "530 5.7.0 Authentication Required."
- completely no HELO restrictions
- senders and recipients are handled the same way for internal and external clients, we have some banned domains who stopped providing mail service

But I guess most of my rules are happening in main.cf, which is listed here; https://pastebin.mozilla.org/i5tMtPAk

looking at your smtpd_recipient_restrictions and using reject_rbl_client, you need to override them too.
I have moved those to postscreen and only use like nonexistent domains, users, banned domains described above
[pfx] Re: Problems with round-robin outbound emails
On 30.01.24 20:20, Israel britto via Postfix-users wrote:
hello, I'm having a problem with spamhaus that I don't know how to solve. Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2. The PTR and rDNS entries are correctly configured:
1.1.1.1 > a1.domain.com
2.2.2.2 > a2.domain.com
a1.domain.com -> 1.1.1.1
a2.domain.com -> 2.2.2.2
My Postfix is behind a load balancer, which performs round-robin balancing between these 2 IPs, however, my server is configured with the helo -> xpto.com.br

That's almost certainly wrong. The HELO argument should be the resolvable primary name associated with the actual client IP as it connects to the server. In this case, that would be the outward-facing IP of the load balancer.

# host xpto.com.br
xpto.com.br has address 186.202.157.79
xpto.com.br mail is handled by 20 mx.jk.locaweb.com.br.
xpto.com.br mail is handled by 10 mx.core.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.a.locaweb.com.br.
xpto.com.br mail is handled by 20 mx.b.locaweb.com.br.
# host 186.202.157.79
Host 79.157.202.186.in-addr.arpa. not found: 3(NXDOMAIN)

On 31.01.24 09:43, Bill Cole via Postfix-users wrote:
So if your load balancer isn't at 186.202.157.79, the hosts behind it should not be announcing themselves as xpto.com.br.

how did you get to this? xpto.com.br exists and has an address, so there's no reason why it could not be used in HELO.

If that is your load balancer, you should fix its reverse DNS (i.e. a PTR record at 79.157.202.186.in-addr.arpa.)

this is needed if e-mail comes from that IP.

On 2024-01-31 at 03:32:20 UTC-0500 (Wed, 31 Jan 2024 09:32:20 +0100) Matus UHLAR - fantomas via Postfix-users is rumored to have said:
In fact, refusing mail because of HELO inconsistency is against all SMTP RFCs issued so far.

That's a very narrow prohibition, technically only against a simplistic requirement that HELO must use a name that resolves to the client IP with a matching PTR resolving the IP to the HELO name.
precisely, it's a very simple provision and easy not to break. Since you did not provide us with your real address nor the error message spamhaus provides when you check for your IPs, it's really hard to help you. Spamhaus doesn't control error messages... some mail servers can use contents of dnsbl's TXT records in error messages I assume that anyone obfuscating IPs when seeking support on issues directly related to specific IPs being blocklisted is trying to get their spambots working. There's absolutely no excuse for it in 99% of cases and it leads to random pointless speculation. quite possible. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I wonder how much deeper the ocean would be without sponges. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Problems with round-robin outbound emails
On 30.01.24 20:20, Israel britto via Postfix-users wrote:
> hello, I'm having a problem with spamhaus that I don't know how to solve.
> Today I have 1 domain that uses 2 exclusive IPs 1.1.1.1 and 2.2.2.2
> The PTR and rDNS entries are correctly configured:
> 1.1.1.1 > a1.domain.com
> 2.2.2.2 > a2.domain.com
> a1.domain.com -> 1.1.1.1
> a2.domain.com -> 2.2.2.2
> My Postfix is behind a load balancer, which performs round-robin balancing between these 2 IPs, however, my server is configured with the helo -> xpto.com.br
> Spamhaus is listing my IPs because it says that my HELO address is not aligned with the rDNS of my IPs.
> Has anyone had this type of problem and could help me with how to resolve it?

I have never seen anyone having this problem, also I have never seen spamhaus list an IP address because of this.

In fact, refusing mail because of HELO inconsistency is against all SMTP RFCs issued so far. However, if your HELO string is invalid or nonexistent, it's somewhat common for some servers to refuse mail from you.

Since you did not provide us with your real address nor the error message spamhaus provides when you check for your IPs, it's really hard to help you.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Honk if you love peace and quiet.
[pfx] Re: Postfix and reproducible builds
On 30.01.24 10:12, Scott Kitterman via Postfix-users wrote:
> It looks to me like it does fix it.

Isn't/wasn't the sort important? (I'd expect it to be)

> On Tuesday, January 30, 2024 9:14:09 AM EST Wietse Venema via Postfix-users wrote:
>> Scott Kitterman via Postfix-users:
>>> In case anyone is unfamiliar, you can read about reproducible builds here:
>>> reproducible-builds.org
>>>
>>> It looks like Postfix as shipped is very close to being reproducible. We got positive results on reproducibility with the patch below added. Is this something you could include in a future release?
>>
>> I have "LC_ALL=C" at the top of many shell files, but forgot the makedefs script. Can you confirm that this fixes the problem? Doing "LC_ALL=C" in the middle of one command means we can re-introduce the problem again with some other change.
>>
>> Wietse
>>
--- /var/tmp/postfix-3.9-20240129/makedefs 2024-01-04 12:50:28.0 -0500 +++ ./makedefs2024-01-30 09:05:47.198434044 -0500 @@ -184,6 +184,8 @@ # New York, NY 10011, USA #-- +LC_ALL=C; export LC_ALL + # By now all shells must have functions. error() {

>>> Scott K
>>>
> diff --git a/makedefs b/makedefs > index d9dc529..2b376b3 100644 > --- a/makedefs > +++ b/makedefs > @@ -211,7 +211,7 @@ echo > "#" > > echo "# Start of summary of user-configurable 'make makefiles' options." > echo "# CCARGS=$CCARGS" > echo "# AUXLIBS=$AUXLIBS" > > -env | grep '^AUXLIBS_' | sed 's/^/# /' > +env | grep '^AUXLIBS_' | sed 's/^/# /' | LC_ALL=C sort > > echo "# shared=$shared" > echo "# dynamicmaps=$dynamicmaps" > echo "# pie=$pie"

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Save the whales. Collect the whole set.
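Review bot: the `@@ -184,6 +184,8 @@` hunk in Wietse's makedefs diff only adds `+LC_ALL=C; export LC_ALL` near the top of the script; it does not add the `sort` that Scott's diff inserted into the `env | grep '^AUXLIBS_' | sed 's/^/# /'` pipeline, so the order of the `# AUXLIBS_*` summary lines still follows whatever order `env` prints the environment in, and a fixed locale alone does not make that order reproducible across build hosts, which is the open question in this thread. Suggest keeping the exported `LC_ALL=C` and also appending `| sort` to that pipeline (no per-command locale prefix is needed once the variable is exported).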
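Review bot: in the `@@ -211,7 +211,7 @@` hunk of Scott's diff, `+env | grep '^AUXLIBS_' | sed 's/^/# /' | LC_ALL=C sort` pins the locale for this one `sort` only; any other locale-sensitive command elsewhere in makedefs (another `sort`, a `grep` character range, `ls` ordering) stays dependent on the build host's locale, which is exactly the regression risk Wietse raises above. Suggest keeping the added `| sort` but dropping the per-command `LC_ALL=C` prefix in favour of exporting `LC_ALL=C` once at the top of the script.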
[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465
On 22.01.24 12:34, Taco de Wolff via Postfix-users wrote:
> Sorry, this was a problem with the system-wide cryptographic policies. I set it to DEFAULT and it works. This is unexpected though, since at least two TLS1.3 ciphersuites are enabled with FIPS:OSPP and TLS1.3 works with Nginx (Dovecot is similar to Postfix though and both are fixed with this crypto setting). Surely something in how Postfix/Dovecot use OpenSSL is getting blocked when using FIPS mode. Is that a bad configuration or a bug perhaps?

Do you mean openssl.cnf? If so, look at http://www.postfix.org/postconf.5.html#tls_config_file

> Still wondering whether I can enable server-to-server connections opportunistically over port 465 though, not just 587.

465 is designed for client-server, not server-server connections. Server-server connections are to be made on port 25 with possible upgrade using the STARTTLS command.

You can tune this using http://www.postfix.org/postconf.5.html#smtp_tls_security_level

Note that in case of inability to set up a server-server TLS connection, a plaintext connection will be used (unless you explicitly disable it). That's why requirements for ciphers and protocols are usually weaker than on client connections (smtp_tls_mandatory_* options).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
(R)etry, (A)bort, (C)ancer
[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching
>>> I am currently planning to switch from OpenSMTPd to postfix for two reasons
>>>
>>> - smtpd_sender_login_maps functionality not really implemented in OpenSMTPd
>>> - always_bcc not possible on OpenSMTPd

> Viktor Dukhovni wrote:
>> FWIW, I'd like to recommend "recipient_bcc_maps" over always_bcc.
>> - You will perhaps before long want to make exceptions.

On 20.01.24 17:44, Simon Hoffmann via Postfix-users wrote:
> This is a Company Mail Server, and in Germany there is a rule to copy all mails to a special archive. This is my use of always_bcc: to copy all mails going through the server to the archive software import mailbox. Further processing is then done on the archive server with keywords, such as keeping quotes for x years, invoices for y years and so on.

I managed this on one server by storing syslog per-mail along with the mail archive. It may be not as elegant though.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
42.7 percent of all statistics are made up on the spot.
[pfx] Re: removing Authentication-Results, how?
Matus UHLAR - fantomas:
>> Do you remove those headers on your servers?

On 17.01.24 08:57, David Bürgin via Postfix-users wrote:
> In my chain of milters, the very first one simply deletes incoming Authentication-Results whose authserv-id equals $myhostname … The rest of the milters can then assume that no such headers are present.

Which milter is that? Does it support trusted hosts?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
[pfx] removing Authentication-Results, how?
Hello,

RFC 8601 section 5. requires deleting Authentication-Results headers from incoming messages. This should be done at the trusted border, so when receiving messages via SMTP from clients or the world, except MX gateways or possibly backup MX servers.

I'm curious if there is a recommended way to achieve this. I see that using header_checks or message_drop_headers would do what I want, however:

1. message_drop_headers would IIUC remove headers added by milter, which is not what we want
2. header_access would do just what I want. Still can't exempt MX gateway.

Do you remove those headers on your servers?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
You have the right to remain silent. Anything you say will be misquoted, then used against you.
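As an added example (not Postfix code and not any existing milter), the border check described above in Python: Authentication-Results headers whose authserv-id equals $myhostname are dropped, except when the client is one of our own MX gateways or backup MX servers. The hostname, the gateway networks and the sample headers are assumed values.

```python
import ipaddress
import re
from typing import List, Tuple

# Added example, not Postfix or milter code. Applies the RFC 8601 section 5
# rule at the trusted border: incoming Authentication-Results headers that
# carry our own authserv-id are removed, unless the sending host is one of
# our own MX gateways / backup MX servers, which already did this for us.

MYHOSTNAME = "mx.example.net"                      # assumed $myhostname
TRUSTED_GATEWAYS = [                               # assumed gateway networks
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

Header = Tuple[str, str]                           # (name, unfolded value)

# The authserv-id is the first token of the value, before an optional
# version number and the ';' that starts the results (RFC 8601 section 2.2).
_AUTHSERV_RE = re.compile(r"^\s*([^\s;]+)")


def authserv_id(value: str) -> str:
    m = _AUTHSERV_RE.match(value)
    return m.group(1).lower() if m else ""


def from_trusted_gateway(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_GATEWAYS)


def strip_forged_auth_results(headers: List[Header], client_ip: str) -> List[Header]:
    """Return the header list with Authentication-Results impersonating us removed.

    Headers that our own milters add later are not in this list yet, so
    (unlike message_drop_headers) they are never touched.
    """
    if from_trusted_gateway(client_ip):
        return list(headers)                       # gateway stripped them already
    kept = []
    for name, value in headers:
        if name.lower() == "authentication-results" and authserv_id(value) == MYHOSTNAME.lower():
            continue                               # claims to be ours, came from outside
        kept.append((name, value))
    return kept


# Constructed sample headers: one forged result in our name (with a version
# token), one genuine result from another domain, two unrelated headers.
SAMPLE_HEADERS = [
    ("Received", "from relay.example.org (unknown [203.0.113.9]) by mx.example.net"),
    ("Authentication-Results", "mx.example.net 1; dkim=pass header.d=bank.example"),
    ("Authentication-Results", "mail.example.org; spf=pass smtp.mailfrom=example.org"),
    ("DKIM-Signature", "v=1; a=rsa-sha256; d=example.org; s=sel; bh=; b="),
]

if __name__ == "__main__":
    for name, value in strip_forged_auth_results(SAMPLE_HEADERS, "203.0.113.9"):
        print(f"{name}: {value}")
```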
[pfx] Re: ldap + 550 5.1.1
On 16.01.24 06:50, jungle.hunt--- via Postfix-users wrote:
> Mail from root.brezen.example.net is rejected.

To be more precise, mail to r...@example.net is rejected:

> (expanded from ): host creampuff.example.net[fd00::11] said: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command)
>
> root's mail should not be masked since it will be sorted by sieve depending on the originating host. Is /etc/aliases ignored when ldap is in use?

/etc/aliases only applies to local mail, but example.net is not in your $mydestination

> myhostname = mail.example.net
> mydestination = $myhostname creampuff creampuff.example.net
> brezen.example.net

I assume that brezen.example.net should be on a continued line, otherwise it's an error.

> virtual_alias_maps = ldap:/etc/postfix/ldap/virtual-alias-maps.cf
> virtual_mailbox_domains = $mydomain
> virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual-mailbox-maps.cf
> virtual_transport = lmtp:unix:private/dovecot-lmtp

According to the error above, domain example.net is a virtual mailbox domain, and r...@example.net is neither in virtual_alias_maps (which is always processed) nor in virtual_mailbox_maps (which is processed for virtual mailbox domains).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
The early bird may get the worm, but the second mouse gets the cheese.
[pfx] Re: improper command pipelining
On 15.01.24 10:15, Admin Beckspaced via Postfix-users wrote:
>> Someone is trying to use your postfix as an http proxy server. Looks like a security scanner.
>
> do you know the type of encoding? I would like to decode and see the actual commands.

After CONNECT usually TLS negotiation occurs, that may be it. I don't know if there's any value in knowing that.

> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V \356\277\200\370\023\264zR\360\243\307 \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226 \331 \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command pipelining after CONNECT from scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Remember half the people you know are below average.
[pfx] Re: improper command pipelining
On 15.01.24 09:34, Admin Beckspaced via Postfix-users wrote:
> dear postfix users,
> since the recent SMTP smuggling issue I applied the short term workaround by setting
> smtpd_forbid_unauth_pipelining = yes
> I also do a daily scan on journalctl with some keywords, e.g. 'pipelining'
> the following showed up this morning. do i need to be worried?

Someone is trying to use your postfix as an http proxy server. Looks like a security scanner.

> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003'>\232\037\250\226/zan\025\307\023\350_\373\253\021W\212\3262\246\223\3378\314/\312\200>\200 \343p5J\020\265q@\355\241\371b\377\236\375\227;\352\202wL\303\204\003\305O\255\273\2319\322\330\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001\244\001\000\001\240\003\003pP\244\201Y\346\233\272\340=\365\222\201\333\ba\354\v1V \356\277\200\370\023\264zR\360\243\307 \270T\336w\204\177\213\220D\317\234\210\220w\2446\b\302\206\376\202\365\317\312\340\353\177\016\370~\032\306\000\212\000\005\000\004\000\a\000\300\000\204\000\272\000A\000\235\300\241\300\235\000=
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25120]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\003\001U\001\000\001Q\003\003V\021\240\231\032m\243\224\002A\fL-\017n\315\f1g\037k\021\357\245\302EG\317\a\226 \331 \006^\005V[#\265\001\255t\246\340\364\357\020g\247F\301\317\203\253\201U[\324(\221\247\221R9\000F\300\022\300\a\314\024\023\001\023\002\314\251\300s\300r\300,\300\257\300\255
> Jan 14 01:57:15 cx20 postfix/submission/smtpd[25122]: improper command pipelining after CONNECT from battery.census.shodan.io[93.174.95.106]: \026\003\002\001\231\001\000\001\225\003\002\003\201\335\374\201\271\a\022!\224@\272z]\362\006\371\001\313\371\233(\245\ne\200\fm\370\270\335{ \366S\224\365\370\220\355\033\237\3706\033\347\237P\312\236\247\274\232a^_\361\227\257,\275\nu\276D\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237
> Jan 14 05:05:41 cx20 postfix/submission/smtpd[31071]: improper command pipelining after CONNECT from scanner-29.ch1.censys-scanner.com[167.248.133.186]: \026\003\003\001\244\001\000\001\240\003\003\316@\257\332\b\000\n\337\205^\377\260D\331\344\364\222\250\030\215\234\220\032\341\352\313`\2470K+\306 \265~P\206\337O\364Q\310\236xi\277\017\266\244\020\205\006i\a\273\317\220\006]t0x\216\221\311\000\212\000\026\0003\000g\300\236\300\242\000\236\0009\000k\300\237\300\243\000\237

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Christian Science Programming: "Let God Debug It!".
[pfx] Re: Not a very important problem - smtpd_sender_login_maps
On 11.01.24 14:08, natan via Postfix-users wrote:
> I know it may seem quite strange, but I need it for my MX ... I need a mapping of every single email to the same one in pcre for sender_login_maps.cf for reject_sender_login_mismatch
> ...
> smtpd_sender_login_maps = pcre:/etc/postfix/sender_login_maps.cf
> ...
> Yes, I can use an existing map - I have such a map for outgoing e-mails
> But I need this "wildcard" for my MX that only works for incoming mail
> something like .*@.* -> *.@.*

By "incoming mail" do you mean mail from unauthenticated machines on the internet? Why do you want to allow them to send e-mail as any user? Because that's what such a wildcard would do.

> I just don't want stupid bots to try to play...

Perhaps try explaining your problem more deeply?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux - It's now safe to turn on your computer.
Linux - Now you can switch on the computer without worry. (Slovak version of the line above)
[pfx] Re: Incoming mail server blocks outlook / microsoft servers
On 10.01.24 20:18, Nikolaos Milas via Postfix-users wrote:
> Unfortunately at this time I don't have the luxury to invest time in more complex configuration scenarios as mail server management is only a small fraction of our tiny department... I guess I have to trust Postscreen and avoid false positives in smtpd restrictions as Matus advised.

I believe your dnsbls are quite sane and reliable, I just recommend verifying return values so you won't reject any mail if they start blocking you (and return the "blocked" value for all lookups) or they get discontinued and start returning positive values for all lookups (already happened):

zen.spamhaus.org=127.0.0.[0..255]
dnsbl.sorbs.net=127.0.0.[0..255]
bl.spamcop.net=127.0.0.2
list.dnswl.org=127.0.[0..255].[0..255]*-1
list.dnswl.org=127.0.[0..255].3*-1

I guess other bl's also provide a list of correct values.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
(R)etry, (A)bort, (C)ancer
[pfx] Re: Incoming mail server blocks outlook / microsoft servers
On 10.01.24 17:12, Nikolaos Milas via Postfix-users wrote:
> Our postfix v3.8.3 mail gateway server (for incoming mail) filters clients using postscreen as follows:
>
> postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4

Here you configured 40.107.20.56 to be allowed

> and:
>
> smtpd_recipient_restrictions =
>     ...
>     reject_rbl_client b.barracudacentral.org
>     reject_rbl_client zen.spamhaus.org
>     reject_rbl_client psbl.surriel.com
>     reject_rbl_client bl.spamcop.net

and yet here you block it.

>     reject_rhsbl_client dbl.spamhaus.org
>     reject_rhsbl_sender dbl.spamhaus.org
>     reject_rhsbl_helo dbl.spamhaus.org
>     permit
>
> It seems that the blacklisting services sometimes block some of microsoft/outlook servers. Example:
>
> Jan 08 10:02:17 mailgw1 postfix/dnsblog[930573]: addr 40.107.20.56 listed by domain bl.spamcop.net as 127.0.0.2
> Jan 08 10:02:17 mailgw1 postfix/dnsblog[928879]: addr 40.107.20.56 listed by domain list.dnswl.org as 127.0.3.0
> Jan 08 10:02:18 mailgw1 postfix/postscreen[925211]: PASS OLD [40.107.20.56]:12832
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: connect from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: Anonymous TLS connection established from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Jan 08 10:02:18 mailgw1 postfix/smtpd[930587]: NOQUEUE: reject: RCPT from mail-db8eur05on2056.outbound.protection.outlook.com[40.107.20.56]: 554 5.7.1 Service unavailable; Client host [40.107.20.56] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.20.56; from= to= proto=ESMTP helo=
>
> and this causes legitimate mail to be discarded (actual mail addresses modified above).
>
> My question in this case: If I understand right, it seems that postscreen allows the client connection even though it is listed because it uses a cache which serves as a useful buffer; however the client is subsequently blocked by reject_rbl_client restrictions.

Precisely.

> So, it seems I should entirely remove the reject_rbl_client filters (from smtpd_recipient_restrictions) as they are already listed with postscreen.

If you use postscreen, remove reject_rbl_client from *_restrictions. reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_helo are fine to stay since they use something postscreen does not.

> It appears to me that using rbl services both with postscreen and smtpd_recipient_restrictions is actually pointless

Yes.

> and causes double lookups which in the end make things worse.

They will most likely be cached so this should not happen. It's still pointless however.

> Postscreen is sufficient and better in filtering with rbl services. Am I right?

Yes.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
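An added example (not Postfix's own code) that models the scoring discussed in this thread: postscreen_dnsbl_sites filters and weights are applied to the A records from the dnsblog lines, showing why 40.107.20.56 stays below the postscreen threshold yet is rejected by the unfiltered reject_rbl_client bl.spamcop.net, and how the return-value filters recommended in the 20:18 reply protect against a list that answers every query with an out-of-range code. The 127.255.255.254 answer is a constructed value, and that each entry adds its weight at most once is a modelling assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Postfix code. Models how postscreen_dnsbl_sites entries
# ("name[=filter][*weight]") are weighed against the A records a dnsblog
# lookup returns, and why a client that passes postscreen can still be
# rejected by an unfiltered reject_rbl_client in smtpd_*_restrictions.
# Assumption of this model: each entry adds its weight at most once.

Octet = Tuple[int, int]                 # inclusive (low, high) range for one octet
_PART = r"(\[\d+\.\.\d+\]|\d+)"
_FILTER_RE = re.compile(r"\.".join([_PART] * 4))   # d.d.d.d, each d may be [a..b]


@dataclass
class Site:
    domain: str
    filt: Optional[List[Octet]]         # None: any returned address counts
    weight: int


def parse_filter(spec: str) -> List[Octet]:
    """'127.0.[0..255].3' -> [(127,127), (0,0), (0,255), (3,3)]"""
    m = _FILTER_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"bad DNSBL filter: {spec}")
    ranges = []
    for part in m.groups():
        if part.startswith("["):
            lo, hi = part[1:-1].split("..")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(part), int(part)))
    return ranges


def parse_site(entry: str) -> Site:
    weight = 1
    if "*" in entry:
        entry, w = entry.rsplit("*", 1)
        weight = int(w)
    filt = None
    if "=" in entry:
        entry, spec = entry.split("=", 1)
        filt = parse_filter(spec)
    return Site(entry, filt, weight)


def parse_sites(config: str) -> List[Site]:
    return [parse_site(e) for e in config.split()]


def listed(site: Site, addrs: List[str]) -> bool:
    """True if any A record returned for this site passes its filter."""
    for addr in addrs:
        octets = [int(o) for o in addr.split(".")]
        if len(octets) != 4:
            continue
        if site.filt is None or all(lo <= o <= hi for o, (lo, hi) in zip(octets, site.filt)):
            return True
    return False


def postscreen_score(sites: List[Site], lookups: Dict[str, List[str]]) -> int:
    return sum(s.weight for s in sites if listed(s, lookups.get(s.domain, [])))


def postscreen_blocks(sites: List[Site], lookups: Dict[str, List[str]], threshold: int = 1) -> bool:
    # postscreen_dnsbl_threshold defaults to 1
    return postscreen_score(sites, lookups) >= threshold


def reject_rbl_client(entry: str, lookups: Dict[str, List[str]]) -> bool:
    """reject_rbl_client takes the same name[=filter] form, without a weight."""
    site = parse_site(entry)
    return listed(site, lookups.get(site.domain, []))


# The postscreen_dnsbl_sites value quoted in the message above.
POSTSCREEN_SITES = parse_sites(
    "zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 "
    "bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net "
    "list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 "
    "list.dnswl.org=127.0.[0..255].[2..3]*-4"
)

# What the two dnsblog lines above reported for 40.107.20.56.
OUTLOOK_LOOKUPS = {"bl.spamcop.net": ["127.0.0.2"], "list.dnswl.org": ["127.0.3.0"]}

# Constructed: a list that answers every query with a code outside its
# documented listing range (a "you are blocked" code, or a dead list).
BROKEN_LIST_LOOKUPS = {"zen.spamhaus.org": ["127.255.255.254"]}

if __name__ == "__main__":
    print("postscreen score:", postscreen_score(POSTSCREEN_SITES, OUTLOOK_LOOKUPS))
    print("reject_rbl_client bl.spamcop.net:", reject_rbl_client("bl.spamcop.net", OUTLOOK_LOOKUPS))
```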
[pfx] Re: Smuggling?
On 07.01.24 10:17, John Hill via Postfix-users wrote:
> First I am really amazed at the amount of support, that's not true everywhere. I also like the tone of the posts, very respectful. I have 3.7.9 and all the settings. Outlook protection is slamming me, 6 to 10 worthless emails every day. glad they don't make condoms. I have sent everyone with source back to ab...@outlook.com. They always automatically thank me. I can't block outlook, so I gave up and block all onmicrosoft emails. I'll see how that goes.

Is the domain still the same? Last time I got spam from such a domain, I blocked the .onmicrosoft.com domain at MTA level.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was a Windows 95 beta test site.
[pfx] implementing recipient rate limits
Hello,

due to a spam issue I'm trying to implement rate limits for outgoing mail. I looked at postfwd and its rate limit looks promising, supporting different limits per IP/sasl_user for internal network, webmail:
http://www.postfwd.org/ratelimits.html

Of course, if there is any other tool that can do that, I'll look.

However, I need to find the limits to set. Guessing is quite hard as some clients post too many mails; I'd like to have limits safe and not limiting. Processing past postfix logs to see how many mails to how many recipients were sent by clients in the long run could help much.

Do you have any or know about a tool that processes log files to produce statistics usable for limiting?

Thanks.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
(R)etry, (A)bort, (C)ancer
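As an added example (not postfwd or any Postfix tool, and not part of the post above) of the log processing asked for: a Python script that joins smtpd "client=" and qmgr "nrcpt=" lines by queue ID and reports recipients per SASL user or per client IP in hourly buckets, which is the shape a per-user/per-IP limit needs. The log lines, hostnames, the syslog year and the headroom factor are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict

# Added example, not postfwd or Postfix code. Each queued message produces an
# smtpd line "QUEUEID: client=host[ip], ..., sasl_username=USER" and a qmgr
# line "QUEUEID: from=<...>, size=N, nrcpt=N"; joining them by queue ID gives
# recipients per authenticated user (or per client IP, e.g. a webmail host).

CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ postfix/(?:[\w-]+/)?smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)
SASL_RE = re.compile(r"sasl_username=(?P<user>[^,\s]+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
SYSLOG_YEAR = 2024          # syslog timestamps carry no year; assumed here


def parse_ts(ts: str) -> datetime:
    normalized = " ".join(ts.split())                 # "Jan  5" -> "Jan 5"
    return datetime.strptime(f"{SYSLOG_YEAR} {normalized}", "%Y %b %d %H:%M:%S")


def recipient_stats(log_text: str) -> Dict[str, dict]:
    pending = {}                                      # queue id -> (key, hour)
    per_hour = defaultdict(lambda: defaultdict(int))  # key -> hour -> recipients
    messages = defaultdict(int)
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            sasl = SASL_RE.search(m.group("rest"))
            key = sasl.group("user") if sasl else "ip:" + m.group("ip")
            hour = parse_ts(m.group("ts")).replace(minute=0, second=0)
            pending[m.group("qid")] = (key, hour)
            continue
        m = QMGR_RE.search(line)
        if m and m.group("qid") in pending:           # only messages actually queued
            key, hour = pending.pop(m.group("qid"))
            per_hour[key][hour] += int(m.group("nrcpt"))
            messages[key] += 1
    stats = {}
    for key, hours in per_hour.items():
        busiest = max(hours, key=hours.get)
        stats[key] = {
            "messages": messages[key],
            "recipients": sum(hours.values()),
            "max_per_hour": hours[busiest],
            "busiest_hour": busiest.strftime("%b %d %H:00"),
        }
    return stats


def suggest_limits(stats: Dict[str, dict], headroom: float = 2.0) -> Dict[str, int]:
    """Recipients-per-hour limit per key: observed peak times a safety factor (assumed 2x)."""
    return {key: int(s["max_per_hour"] * headroom) for key, s in stats.items()}


# Constructed sample log; 4A1B2C3D51 never reaches qmgr (session dropped before
# DATA), so it must not be counted.
SAMPLE_LOG = """\
Jan  5 10:01:02 mx postfix/submission/smtpd[1201]: 4A1B2C3D4E: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan  5 10:01:02 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<alice@example.com>, size=2048, nrcpt=3 (queue active)
Jan  5 10:15:40 mx postfix/submission/smtpd[1202]: 4A1B2C3D4F: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan  5 10:15:40 mx postfix/qmgr[900]: 4A1B2C3D4F: from=<alice@example.com>, size=5120, nrcpt=5 (queue active)
Jan  5 10:20:00 mx postfix/smtpd[1203]: 4A1B2C3D50: client=webmail.example.com[192.0.2.20]
Jan  5 10:20:00 mx postfix/qmgr[900]: 4A1B2C3D50: from=<bob@example.com>, size=900, nrcpt=40 (queue active)
Jan  5 10:30:00 mx postfix/submission/smtpd[1204]: 4A1B2C3D51: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan  5 11:05:09 mx postfix/submission/smtpd[1205]: 4A1B2C3D52: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan  5 11:05:09 mx postfix/qmgr[900]: 4A1B2C3D52: from=<alice@example.com>, size=700, nrcpt=2 (queue active)
"""

if __name__ == "__main__":
    stats = recipient_stats(SAMPLE_LOG)
    for key, s in sorted(stats.items(), key=lambda kv: -kv[1]["max_per_hour"]):
        print(f"{key:20s} msgs={s['messages']:4d} rcpts={s['recipients']:5d} "
              f"peak/h={s['max_per_hour']:4d} at {s['busiest_hour']}")
    print("suggested limits:", suggest_limits(stats))
```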
[pfx] Re: mail in SRS-format in destination bypasses postfix rules
On 18.12.23 13:52, Kristoff via Postfix-users wrote:
> Yes, I guess they are spam or phishing mails. The trick with "smtpd_recipient_restrictions" looks interesting. Thanks!
>
> As I understand it now, there are three steps in this:
> 1/ the spammer sends us an email with destination "foreign-email-address-in-srs-for...@ourhobbyclubdomain.com"
> As "ourhobbyclubdomain.com" is mydestination, the email is accepted for relay.
> 2/ then the SRS-formatted email-address is converted into a normal email-address

This is done by using recipient_canonical_maps on postfix which rewrites the header/envelope recipient.

> 3/ Then the message is forwarded towards that address. (instead of postfix doing a lookup for the alias, seeing it does not exist and refusing the message).

If you use recipient_canonical_maps, then the SRS'ed address is rewritten into the original (remote) address, which is why the mail is relayed even if the sender has no permission to relay ...

> I have just verified it works like this.
> configured as documented on: https://github.com/roehling/postsrsd

Note that postsrs keeps a temporary address working only for a certain amount of time (21 days), so those addresses aren't valid permanently. - You seem to be using postsrs as well.

> If step 2 would be done first (or simply not done on destination addresses), then this trick would be stopped.
>
> I guess I am not the first person seeing this behaviour, I guess this is not a bug (as it would have been fixed earlier), so I guess there must be a postfix configuration for this. How do I influence this order, or stop step 2 being done on destination addresses?

You can disable recipient_canonical_maps, but that will block all mail to SRS'ed addresses, and anyone using address verification will block receiving srs-forwarded addresses because your MTA will say they do not exist.

Note that one of the points why SRS addresses exist is to validate the sender and to be able to know what forwarded address fails.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
2B|!2B, that's a question!
[pfx] Re: mail in SRS-format in destination bypasses postfix rules
On 17.12.23 23:12, Kristoff via Postfix-users wrote:
> I don't know if this question has already been asked, but I did not find anything in the archive of the mailing-list.
>
> I co-manage a postfix-server for a hobby-club. We provide email-addresses to our members, which are linked to aliases, so we forward the mails to the personal email-address of the member. (The goal is to provide an email-address to the members, dedicated for the hobby, which helps to shield off the personal email-address of the members).
>
> In any case, while looking into the log-files of postfix for another issue, I noticed this:
> ---
> Dec 17 04:32:05 smtp postfix/smtp[725772]: 4F58E6A10A0: to=u...@example.com, orig_to=SRS0=zxmM=H4=example.com=u...@ourhobbyclubdomain.com, relay=mail.example.com[A.B.C.D]:25, delay=0.16, delays=0.05/0/0.08/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 714F7294BB2)
> ---
> (personal information replaced for privacy-reason)
>
> "u...@example.com" is just an email-address
> "ourhobbyclubdomain.com" is the domain used by our organization.
>
> So, it looks like somebody is sending us emails with a foreign-email-address-in-srs-for...@ourhobbyclubdomain.com as DESTINATION. The net result seems to be that these mails are actually relayed by our server, although we normally have a rule that we only relay email-addresses of our members ("someu...@hobbyclubdomain.com")
>
> I don't know if this is normal that the SRS is used in the destination address? ("SRS" does mean "SENDER rewriting Scheme" doesn't it?)
>
> What is the configuration to block this?

These may be spams to an address gathered from someone's mail, or maybe delivery notifications?

I guess you are reverse-rewriting those SRSed destination addresses using postsrs to the original address of the sender.

You can redirect these messages to you as an admin in smtpd_recipient_restrictions using regex matching, so none of those mails reach the original recipient, but you as admin of the ourhobbyclubdomain.com domain.

I did something similar but use the plussed format SRS0+... and SRS1+..., so I redirected "SRS0" and "SRS1" addresses (plus is understood as address extension).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Nothing is fool-proof to a talented fool.
[pfx] Re: Milter own Postfix-prepended Received
> Bill Cole via Postfix-users escribi? el 11/12/2023 a las 15:31: >> On 2023-12-10 at 16:37:16 UTC-0500 (Sun, 10 Dec 2023 22:37:16 +0100) >> Carlos Velasco via Postfix-users >> is rumored to have said: >> [...] >>> And doing the same work in 2 different places can be called software >>> efficiency? >> No, but the "fix" here would be a divergence from how Milter has >> worked >> since it was created and semi-documented by Sendmail Inc. It is de >> facto >> controlled by the current developers of Sendmail, but I don't believe >> anyone is working to make Milter better, at least not in ways that >> would >> break compatibility. On 2023-12-11 at 09:37:39 UTC-0500 (Mon, 11 Dec 2023 15:37:39 +0100) Carlos Velasco via Postfix-users is rumored to have said: > No one is talking here about breaking any compatibility, re-read the > messages. Bill Cole via Postfix-users: What did I miss? Are you not asking for Postfix to support providing milters with a header that none of them expect and which no other Milter implementation supports? On 11.12.23 10:31, Wietse Venema via Postfix-users wrote: He asked to make this configurable. I declined because the human cost (of having two incompatible ways to convey the connection info) would in my opinion exceed the gain from saving a few machine cycles. if application called from milter was able to distinguish between headers added locally (thus trusted) and headers received from the network (untrusted), it could effectively use the locally added headers. SpamAssassin trusts all headers before locally added Received:, however spamass-milter and amavisd-milter add it as first header, thus all other headers added by local milters (spf,dkim,arc,dmarc...) are not trusted. Unless the protocol supports providing this information, ability to see Received: header at proper place would increase SA effectiveness, which is I believe what OP asks for. And I would be happy as well. 
[pfx] Re: Milter own Postfix-prepended Received
On 2023-12-10 at 16:37:16 UTC-0500 (Sun, 10 Dec 2023 22:37:16 +0100) Carlos Velasco via Postfix-users is rumored to have said: And doing the same work in 2 different places can be called software efficiency?

Bill Cole via Postfix-users escribió el 11/12/2023 a las 15:31: since it was created and semi-documented by Sendmail Inc. It is de facto controlled by the current developers of Sendmail, but I don't believe anyone is working to make Milter better, at least not in ways that would break compatibility.

On 11.12.23 15:37, Carlos Velasco via Postfix-users wrote: No one is talking here about breaking any compatibility, re-read the messages.

_You_ have complained why Received: is not seen by milter, here: https://marc.info/?l=postfix-users=170223488205099=2

The answer has been given and documented: this is how milter works from the beginning.

However, I agree that this makes work hard for SpamAssassin, because this way SA does not know which headers have been added by local milters/policy servers and thus can be trusted - SA only trusts headers before the locally added Received: ... headers added by spf, dkim, dmarc milters would be very useful for SA processing.

So, it would be great if postfix could optionally add (or, better, not remove) the locally added Received: header, although milters would need to implement this feature first.
[pfx] Re: Logging received from address
On 09.12.23 13:53, Doug Hardie via Postfix-users wrote: I am using postfix with postsrsd. Is there a way for postfix to log the from address as originally received? The only addresses I find in postfix's log are the converted addresses from postsrsd. Both addresses are logged by postsrsd, but there is no way to tie it back to the postfix logs for that email.

I have worked around this by using a separate postfix instance for outgoing mail: http://www.postfix.org/MULTI_INSTANCE_README.html

I have briefly described the flow here: https://marc.info/?l=postfix-users=169860220412496=2
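Added example, not postsrsd's or Postfix's code, serving both the plussed "SRS0+" remark above and the log-correlation question: an SRS0 local part carries the original domain and local part in the clear, so the pre-SRS sender can be recovered from a Postfix log line without the secret, while verifying the hash and the timestamp age needs the forwarder's secret. The separator handling, the HMAC-SHA1/base64 hash and the two-character base32 day counter follow the libsrs2 scheme as assumed here (check them against your postsrsd build); the secret and the log line are constructed.

```python
import base64, hashlib, hmac, re
from datetime import date

# Assumed SRS0 layout (libsrs2 scheme): SRS0<sep>HHHH=TT=orig-domain=orig-local@forwarder
# <sep> is "=" (or "+"/"-" for the plussed/dashed variants); HHHH = first 4 base64 chars of
# HMAC-SHA1(secret, ts+domain+local lowercased); TT = 2-char base32 of days since 1970 mod 1024.
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]{2})=([^=]+)=(.+)$", re.IGNORECASE)
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
EPOCH = date(1970, 1, 1).toordinal()

def srs_hash(secret, ts, domain, local):
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]
def make_srs0(original, forwarder, secret, days=None):
    """Build an SRS0 address the way a forwarder would; days overrides 'today' for tests."""
    local, _, domain = original.rpartition("@")
    days = date.today().toordinal() - EPOCH if days is None else days
    ts = BASE32[(days >> 5) & 31] + BASE32[days & 31]
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"
def decode_srs0(address):
    """Recover the pre-SRS sender from an SRS0 address (no secret needed); None if not SRS0."""
    local_part, _, forwarder = address.rpartition("@")
    m = SRS0_RE.match(local_part)
    if not m:
        return None
    h, ts, domain, local = m.groups()
    return {"original": f"{local}@{domain}", "forwarder": forwarder, "hash": h, "ts": ts}
def verify_srs0(address, secret, today_days=None, maxage=21):
    """True only if the hash matches our secret and the timestamp is at most maxage days old."""
    d = decode_srs0(address)
    if d is None or len(d["hash"]) != 4:
        return False
    local, _, domain = d["original"].rpartition("@")
    expected = srs_hash(secret, d["ts"], domain, local)
    if not hmac.compare_digest(expected.lower(), d["hash"].lower()):
        return False  # forged or re-keyed address: never bounce to its "original" sender
    try:
        days = (BASE32.index(d["ts"][0].upper()) << 5) | BASE32.index(d["ts"][1].upper())
    except ValueError:
        return False
    today_days = date.today().toordinal() - EPOCH if today_days is None else today_days
    return (today_days - days) % 1024 <= maxage
def annotate_log(line):
    """Append the pre-SRS sender to 'from=<SRS0...>' in a Postfix log line, for correlation."""
    def repl(m):
        d = decode_srs0(m.group(1))
        return m.group(0) if d is None else f"{m.group(0)} (orig={d['original']})"
    return re.sub(r"from=<([^>]+)>", repl, line)
```

Running `annotate_log` over the queue-manager lines of a Postfix log gives the pre-SRS sender next to the rewritten one, which is the link between postsrsd's log and Postfix's that the question asks for.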
[pfx] Re: Turn Off Verify Service?
On Wed, Nov 29, 2023 at 03:00:24PM +1100, duluxoz via Postfix-users wrote: I was reading an on-line guide about hardening Postfix and came across a line that said that the Verify service could/should be turned off in the master.cf file. Is this actually good advice, or is there some sort of "gotcha" hiding in the background that'll bite us in the @rse?

On 29/11/2023 15:38, Viktor Dukhovni via Postfix-users wrote: The advice is largely misguided, but mostly harmless, if you don't use sender or recipient verification. Leaving the service enabled does not materially affect the Postfix "attack surface", but turning it off when unused is fine too.

On 29.11.23 16:28, duluxoz via Postfix-users wrote: For what it's worth, it is my opinion that misguided information, harmless or otherwise, is worse than useless, because it encourages bad habits which then enter the zeitgeist and perpetuate (see mandatory rotating passwords every 90 days) :-)

On 29/11/2023 19:45, Matus UHLAR - fantomas via Postfix-users wrote: I completely agree, perhaps if you sent us a link we could comment. There is of course the security practice of turning off everything you don't use, but in the case of verify, it is only used when you configure it, so commenting it out in master.cf means disabling it, not just turning it off.

On 29.11.23 19:49, duluxoz via Postfix-users wrote: As requested :-) https://linux-audit.com/postfix-hardening-guide-for-security-and-privacy/

This talks about the "VRFY" SMTP command, not about the "verify service", which is a very different issue.

http://www.postfix.org/postconf.5.html#disable_vrfy_command
Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

The harvesting is rarely done this way nowadays. It also won't stop harvesting by issuing the "rcpt to:" smtp command. So, it's useless but harmless as well.
[pfx] Re: gmail failing SPF/DKIM
On 28.11.23 20:38, Matthew McGehrin via Postfix-users wrote: I was able to replicate this error, however it's not a misconfiguration in Postfix, but rather a policy change by Google. I didn't notice the bounce message sooner, since it was routed to my SPAM folder on Gmail.

The change is not that recent, our customers have been requesting fixing SPF records and/or setting up DKIM for some time.

> If I use a GMAIL From: address and attempt to email another GMAIL account, it bounces back with this error.

I don't think you can make your mail servers pass SPF/DKIM checks if you have a gmail.com From: address. You need to authenticate to gmail servers for this and google servers afaik also verify if you logged in as the proper user. For external domains, you can make SPF/DKIM pass so google should be able to verify.

> Only, when I use a third-party to relay the message. I think what is happening is that Google has implemented a new anti-spam policy

Anti-forging policy, as SPF and DKIM are designed to authenticate you, they can't guarantee you won't spam.

> rejecting any emails that have GMAIL email hosted domain that is failing SPF/DKIM. Only messages relayed via Google are valid. If you are using a contact form, the From: address is typically munged to be the user filling out the form.

OP is complaining about gmail rejecting a message with valid SPF and DKIM: https://marc.info/?l=postfix-users=170110387025370=2

and the solution should be removing the useless "s=email" from the DNS record as Viktor stated here: https://marc.info/?l=postfix-users=170110674327922=2
[pfx] Re: Turn Off Verify Service?
On Wed, Nov 29, 2023 at 03:00:24PM +1100, duluxoz via Postfix-users wrote: I was reading an on-line guide about hardening Postfix and came across a line that said that the Verify service could/should be turned off in the master.cf file. Is this actually good advice, or is there some sort of "gotcha" hiding in the background that'll bite us in the @rse?

On 29/11/2023 15:38, Viktor Dukhovni via Postfix-users wrote: The advice is largely misguided, but mostly harmless, if you don't use sender or recipient verification. Leaving the service enabled does not materially affect the Postfix "attack surface", but turning it off when unused is fine too.

On 29.11.23 16:28, duluxoz via Postfix-users wrote: For what it's worth, it is my opinion that misguided information, harmless or otherwise, is worse than useless, because it encourages bad habits which then enter the zeitgeist and perpetuate (see mandatory rotating passwords every 90 days) :-)

I completely agree, perhaps if you sent us a link we could comment. There is of course the security practice of turning off everything you don't use, but in the case of verify, it is only used when you configure it, so commenting it out in master.cf means disabling it, not just turning it off.
[pfx] Re: Mail not for my domain
On 20.11.23 22:00, Joseph Castry via Postfix-users wrote: On my postfix server I receive some mails which are not for my domain (jcingenierie.fr). For example, I receive mails from oysu...@jipstalles.de to jcrh...@izac.fr on my mailbox cont...@jcingenierie.fr

Do you mean you receive spam with headers "From: oysu...@jipstalles.de" and "To: jcrh...@izac.fr"? That's a job for a spam filter.

> How can I block them, please ? Ps : I have multiple domains on my postfix server, managed on my mysql database.