[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger
On 01-12-2023 08:59, Alexander Leidinger via Postfix-users wrote:
> On 2023-11-30 16:53, Wietse Venema via Postfix-users wrote:
>> Alexander Leidinger via Postfix-users:
>>> What is wrong here that [tlsproxy] doesn't establish a trusted connection to the github mailservers when posttls-finger is able to do that with the same cert store?
>>
>> Because there are differences between tlsproxy and posttls-finger.
>>
>> 1) Different executable files may be subject to different SeLinux, AppArmor etc. policies.
>
> This is FreeBSD, no different policies.
>
>> 2) Different privileges: tlsproxy runs as the "postfix" user, posttls-finger as "root".
>
> Ok. The cert store permissions are OK. Any ordinary user is able to read it. posttls-finger as any other user (incl. postfix) produces the same output. With -P it verifies the cert, without it it doesn't.
>
> So still the question why the same configured cert store (posttls-finger + postfix + @FreeBSD.org + @reply.github.com) works for sending mail to FreeBSD.org but not to github.com.
>
>> 3) Different certificate stores, when tlsproxy may run chrooted, and posttls-finger does not.
>
> No chroot difference between both. This runs in a FreeBSD jail (like a container or a Solaris zone) and I was logged into this container, so both have seen the same filesystem content.

There still seems to be a disconnect in communication here, as you didn't quote Viktor's response on 'smtp_tls_policy_maps', which seems to be the key issue here. The policy in your connection to github seems to be 'verify' or higher. Maybe you could test again with an empty 'smtp_tls_policy_maps' parameter in postfix config, or show all values in your policy map explicitly (which might be difficult due to mysql usage)?

Kind regards,
Tom

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Domain-Specific inbound relay host rules
On 15-10-2023 15:52, B Williams via Postfix-users wrote:
> All:
>
> Long-time postfix user. I have an internet facing mail server running Postfix. For about half of my domains, I have them run through a spam filtering service (like MimeCast/Proofpoint). The other half just come direct because they are either very low volume or are used for testing/automation.
>
> There is a spam network that has figured out that they can bypass my spam filtering service by ignoring the MX record and just sending mail directly to the mail server. Pretty sneaky.
>
> So what I'm trying to devise is a strategy that would allow me to reject email for some domains if it didn't come through the spam filtering service, but allow messages for other domains to be delivered that I don't have going through the spam service.
>
> Ideally, there would be some kind of hash map that would basically say if the domain is present in the map it must come through a defined relayhost. Or maybe there is a custom milter strategy.

I'm running a similar Postfix instance, receiving mail from an external spamfilter. I run an additional smtpd process on a dedicated port for the spamfilter. This port only accepts mail from the spamfiltering company (using a check_client_access cidr map). Note: The spamfilter company allows me to configure a specific delivery hostname and port, so no port 25 required.

On the public smtpd process at port 25, no mail for the spamfiltered domains should ever arrive, so you can leave the domains out of mydestination, virtual_alias_domains, or whichever way you define the list of domains that you accept mail for.

Or maybe simpler to add to your existing setup: create a check_recipient_access table to reject the domains only in the smtpd process listening at port 25.

Tom
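The setup Tom describes, written out as an added example (not Tom's own configuration): a dedicated smtpd listener that only accepts the spam-filter service's addresses via a check_client_access cidr map, and a check_recipient_access table on port 25 that rejects the filtered domains. The port number, the client address ranges and the domain names are constructed placeholders.

```text
# master.cf: extra smtpd listener reserved for the spam-filter service.
# Port 10025 is an assumed value; use whatever port the service delivers to.
10025     inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/filtered
    -o smtpd_client_restrictions=check_client_access,cidr:/etc/postfix/filter_clients.cidr,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination

# /etc/postfix/filter_clients.cidr: address ranges of the spam-filter service
# (constructed documentation ranges; replace with the provider's published list).
# cidr: tables are read directly, no postmap needed. Any client not listed
# falls through to the trailing "reject" above.
192.0.2.0/24        OK
2001:db8:1000::/48  OK

# main.cf: restrictions for the public port 25 listener (not overridden above).
# Recipients in filtered domains are rejected here because the only legitimate
# path for them is through the spam-filter service on port 10025.
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/filtered_domains,
    reject_unauth_destination

# /etc/postfix/filtered_domains (run "postmap /etc/postfix/filtered_domains"
# after editing). A bare domain key also matches its subdomains by default.
# Domains NOT going through the spam filter are simply absent, so their mail
# is accepted on port 25 as before.
example.com     REJECT Mail for this domain must arrive via the spam-filter service
example.net     REJECT Mail for this domain must arrive via the spam-filter service
```

After changing master.cf, run "postfix reload"; direct-to-MX attempts for the filtered domains then show up in the mail log with the REJECT text, which makes the bypass attempts easy to spot.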
[pfx] Re: Njal.la
On 02-05-2023 13:14, pripercat--- via Postfix-users wrote:
> Thanks, but it still doesn't work for me with those parameters. The relayhost value is an email server of my hosting. And I don't have that information. The njal.la admin refers me to this forum. :(

If njal.la provides documentation on how to set up an authenticated relay server, but without credentials, and then they point you here, my simple conclusion would be that they don't provide this service.

Probably you'll have to use an e-mail relay service from a different provider (which might be your home ISP, domain provider etc).

My 2 cents,
Tom
[pfx] Re: Different set of milters for one domain?
Hi,

I've been using milter-manager [1] for a long time now to run various milters selectively. In my case, I defined a custom 'Applicable condition' (see docs) to exempt various email accounts from spamfilter/virus checks (f.i. spamtraps). The docs look like they haven't been updated in a while, but the github repo [2] is quite active.

[1] https://milter-manager.osdn.jp/
[2] https://github.com/milter-manager/milter-manager/

On 28-03-2023 15:32, Bill Cole via Postfix-users wrote:
> On 2023-03-28 at 06:10:27 UTC-0400 (Tue, 28 Mar 2023 03:10:27 -0700 (PDT)) Dan Mahoney (Gushi) via Postfix-users is rumored to have said:
>> Hey there all,
>>
>> Dayjob sometimes receives mail for one domain that we'd like to have bypass certain milters (specifically, we want to exempt them from some filtering/scanning milters since the domain is pretty much entirely passthrough) -- Is there an easy way to do this in postfix without completely splitting the config up?
>
> Short answer: No.
>
> The question has come up here multiple times and always gets the same assortment of alternative ideas for how to do what people want...
>
> Fortunately, many milters provide the tools to be selective about how to handle different target domains.