[pfx] postfix check_sender_access and subdomain test

2024-02-28 Thread lists--- via Postfix-users
I can tell you there is significant spam from that Microsoft IP space. That 
spamcop doesn't have false positives, but rather due to the sharing of IP 
space, senders that aren't spammers get tarred with the same brush as the 
spammers.  I did a grep on the maillog files and that is a firehose of spam.

Up to you of course. I have a few posts on the list trying to whitelist just 
one sender.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] question regarding postmap -q test

2024-02-28 Thread lists--- via Postfix-users
My sender_access file contains

charity.donation.jp REJECT

postmap -q charity.donation.jp  hash:sender_access
REJECT

So it returns REJECT as expected. However testing some random users at
the domain:

postmap -q m...@charity.donation.jp  hash:sender_access

returns nothing. Is the domain being rejected in actual use even though
postmap -q testing with a specific user at the domain name doesn't
return anything?

This test has similar results with OK instead of REJECT.

 


[pfx] Re: rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-27 Thread lists--- via Postfix-users
Well do I put the domain in sender_access or sender_checks?

It looks like sender_access with an OK since it acts on the FROM field.

https://www.postfix.org/postconf.5.html

I have a sender_checks file but I don't see that on the postfix.org website. Is 
that a deprecated parameter?

Feb 27, 2024 1:09:02 PM Wietse Venema :

> Your mistake:  you are trying to match a SENDER ADDRESS with 
> check_CLIENT_access.
> 
>     Wietse


[pfx] rbl bounces email that has both rbl_override and client_checks whitelisting

2024-02-27 Thread lists--- via Postfix-users


I still have that problem with the sender that used a spammy microsoft
server that gets rejected by IP for  using spamcop. I put the domain in
the client_checks file but the sender gets bounced.

postconf mail_version
mail_version = 3.8.1

compatibility_level = 2

The client_checks line was added. 

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_non_fqdn_recipient,
  check_client_access hash:/etc/postfix/client_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  check_client_access hash:/etc/postfix/rbl_override,
  reject_rbl_client bl.spamcop.net,
  check_policy_service unix:private/policy

This is the contents of client_checks:
cat client_checks
idontspam.com OK

A simple check to verify the postmap worked:

sh-4.2# ls -l client_check*
-rw-r--r-- 1 root root    19 Feb 25 03:03 client_checks
-rw-r--r-- 1 root root 12288 Feb 25 03:06 client_checks.db


**
This is an actual spammer being rejected:
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: connect from
mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: Anonymous TLS connection
established from
mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: NOQUEUE: reject: RCPT from
mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]:
554 5.7.1 Service unavailable; Client host [40.107.220.108] blocked
using bl.spamcop.net; Blocked - see
https://www.spamcop.net/bl.shtml?40.107.220.108;
from= to=
proto=ESMTP helo=
Feb 25 23:10:03 MYDOMAIN postfix/smtpd[19121]: using backwards-compatible
default setting smtpd_relay_before_recipient_restrictions=no to reject
recipient "m...@mydomain.com" from client
"mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]"
Feb 25 23:10:04 MYDOMAIN postfix/smtpd[19121]: disconnect from
mail-co1nam11on2108.outbound.protection.outlook.com[40.107.220.108]
ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
**

**
This is email from the sender that appears on the client_check file

Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: connect from
mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: Anonymous TLS connection
established from
mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: NOQUEUE: reject: RCPT from
mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]: 554
5.7.1 Service unavailable; Client host [40.107.93.125] blocked using
bl.spamcop.net; Blocked - see
https://www.spamcop.net/bl.shtml?40.107.93.125;
from= to= proto=ESMTP
helo=
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: using backwards-compatible
default setting smtpd_relay_before_recipient_restrictions=no to reject
recipient "m...@mydomain.com" from client
"mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]"
Feb 27 03:55:55 MYDOMAIN postfix/smtpd[31397]: disconnect from
mail-dm6nam10on2125.outbound.protection.outlook.com[40.107.93.125]
ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 27 03:57:47



[pfx] Re: rbl override doesn't work perhaps due to sender using relay

2024-02-24 Thread lists--- via Postfix-users
That should work. Thanks

https://www.postfix.org/access.5.html

Feb 24, 2024 8:05:00 AM Matus UHLAR - fantomas via Postfix-users 
:

>>> On 24.02.24 00:49, lists--- via Postfix-users wrote:
>>>> I have set up rbl_override for the sender's domain.
> [...]
>>>> smtpd_recipient_restrictions =
>>> [...]
>>>> check_client_access hash:/etc/postfix/rbl_override,
>>>> reject_rbl_client bl.spamcop.net,
>>>> check_policy_service unix:private/policy
> 
>> Feb 24, 2024 6:03:54 AM Matus UHLAR - fantomas via Postfix-users 
>> :
>>> What's in /etc/postfix/rbl_override ? It obviously does not match 
>>> 40.107.93.98
> 
> On 24.02.24 06:12, lists--- via Postfix-users wrote:
>> The rbl_override file only contains domain names with "space OK".  If I 
>> whitelisted that IP address, I would be whitelisting a Microsoft address 
>> that I assume has multiple users.  Also that relay IP address isn't static.
> 
> I see it now.
> 
> If you are trying to whitelist sender domain, you must use 
> check_sender_access, since check_client_access checks sending IP address or 
> hostname that IP maps to, which is in this case 
> mail-dm6nam10on2098.outbound.protection.outlook.com.
> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> He who laughs last thinks slowest.

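The lookups behind the explanation in this message, and behind the "postmap -q" question earlier on this page, as an added example that is not part of the original posts. The key order follows access(5); it assumes the default parent_domain_matches_subdomains setting, an IPv4 client and no address extension, and the local part "someone" is constructed.

```python
# Added illustration, not code from the thread: which keys an smtpd access
# check tries (per access(5)) versus the single key that `postmap -q` tries.

def domain_keys(domain, parent_matches_subdomains=True):
    """Domain name first, then each parent domain.

    Parents are tried as "parent.tld" when smtpd_access_maps is listed in
    parent_domain_matches_subdomains (the default), else as ".parent.tld".
    """
    labels = domain.lower().split(".")
    prefix = "" if parent_matches_subdomains else "."
    keys = [".".join(labels)]
    keys += [prefix + ".".join(labels[i:]) for i in range(1, len(labels))]
    return keys


def sender_keys(address, parent_matches_subdomains=True):
    """check_sender_access: user@domain, domain and its parents, then user@."""
    local, domain = address.lower().rsplit("@", 1)
    return ([f"{local}@{domain}"]
            + domain_keys(domain, parent_matches_subdomains)
            + [f"{local}@"])


def client_keys(hostname, ipv4, parent_matches_subdomains=True):
    """check_client_access: client hostname and its parents, then the IPv4
    address with trailing octets stripped one at a time."""
    octets = ipv4.split(".")
    nets = [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return domain_keys(hostname, parent_matches_subdomains) + nets


def postmap_q(table, key):
    """`postmap -q KEY`: one lookup of the literal (lowercased) key."""
    return table.get(key.lower())


def first_match(table, keys):
    """An smtpd access check: the first candidate key found in the table wins."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


# Table contents as shown in the posts on this page.
SENDER_ACCESS = {"charity.donation.jp": "REJECT"}
CLIENT_CHECKS = {"idontspam.com": "OK"}
# Client hostname and address from the rejected connection in the logs.
CLIENT_HOST = "mail-dm6nam10on2098.outbound.protection.outlook.com"
CLIENT_IP = "40.107.93.98"

if __name__ == "__main__":
    addr = "someone@charity.donation.jp"  # constructed local part
    print("postmap -q", addr, "->", postmap_q(SENDER_ACCESS, addr))
    print("check_sender_access ->", first_match(SENDER_ACCESS, sender_keys(addr)))
    print("check_client_access keys:", client_keys(CLIENT_HOST, CLIENT_IP))
    print("client_checks match ->",
          first_match(CLIENT_CHECKS, client_keys(CLIENT_HOST, CLIENT_IP)))
    print("same table as sender map ->",
          first_match(CLIENT_CHECKS, sender_keys("someone@idontspam.com")))
```

To reproduce with the real tables, run postmap -q once per key returned by sender_keys() or client_keys(). The sender address is whatever the client puts in MAIL FROM, so an OK keyed on a sender domain exempts anyone who uses that domain there.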

[pfx] Re: rbl override doesn't work perhaps due to sender using relay

2024-02-24 Thread lists--- via Postfix-users
https://www.dnswl.org/?page_id=15

I get your point but this is for a different blocking list. That is spamcop and 
spamassassin have different blocking lists.

What I really need is a way to make the rbl_override work for the domain name 
that has been relayed.

I am going to review my logs and see how much spam spamcop stops that isn't 
coming from Microsoft. Maybe I could whitelist the Microsoft IP space in 
rbl_override.

Feb 24, 2024 6:15:10 AM Benny Pedersen via Postfix-users 
:

> lists--- via Postfix-users skrev den 2024-02-24 09:49:
> 
>>   check_client_access hash:/etc/postfix/client_checks,
>>   check_sender_access hash:/etc/postfix/sender_checks,
>>   check_client_access hash:/etc/postfix/rbl_override,
>>   reject_rbl_client bl.spamcop.net,
>>   check_policy_service unix:private/policy
> 
> https://hetrixtools.com/blacklist-check/40.107.93.98
> 
> not listed, suggest dnswl in postfix, google it :)
> 
> other than that don't use hash for ip checks
> 
> cidr is more perfect for this
> 
> on the other side https://multirbl.valli.org/lookup/40.107.93.98.html
> 
> https://dnswl.org/s/?s=1357
> 


[pfx] Re: rbl override doesn't work perhaps due to sender using relay

2024-02-24 Thread lists--- via Postfix-users
Sorry for the top post but I am using my phone.

The rbl_override file only contains domain names with "space OK". If I 
whitelisted that IP address, I would be whitelisting a Microsoft address that I 
assume has multiple users. Also that relay IP address isn't static.

Feb 24, 2024 6:03:54 AM Matus UHLAR - fantomas via Postfix-users 
:

> On 24.02.24 00:49, lists--- via Postfix-users wrote:
>> I have set up rbl_override for the sender's domain. However it
>> occasionally gets blocked by spamcop. The user owns a domain but relays
>> the mail from outlook.
>> 
>> Here is the bounce message the user received:
> 
> 
>> Remote server returned '550 5.7.514 Decision Engine classified the mail
>> item was rejected because of IP Block (from outbound normal IP pools)
>> -> 554 5.7.1 Service unavailable; Client host [40.107.93.98] blocked
>> using bl.spamcop.net; Blocked - see
>> https://www.spamcop.net/bl.shtml?40.107.93.98'
> 
>> This is the relevant part of my postfix main.cf. I am only showing the
>> spamcop rbl.
> 
> 
>> smtpd_recipient_restrictions =
> [...]
>> check_client_access hash:/etc/postfix/rbl_override,
>> reject_rbl_client bl.spamcop.net,
>> check_policy_service unix:private/policy
> 
> What's in /etc/postfix/rbl_override ? It obviously does not match 40.107.93.98
> 
> 
> 
> -- 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>     One OS to rule them all, One OS to find them,
> One OS to bring them all and into darkness bind them


[pfx] rbl override doesn't work perhaps due to sender using relay

2024-02-24 Thread lists--- via Postfix-users
I have set up rbl_override for the sender's domain. However it
occasionally gets blocked by spamcop. The user owns a domain but relays
the mail from outlook. 

Here is the bounce message the user received:

**
Remote server returned '550 5.7.514 Decision Engine classified the mail
item was rejected because of IP Block (from outbound normal IP pools)
-> 554 5.7.1 Service unavailable; Client host [40.107.93.98] blocked
using bl.spamcop.net; Blocked - see
https://www.spamcop.net/bl.shtml?40.107.93.98'
**

Here is the related area from maillog with minimal sanitizing due
to google reading these posts.

**
Feb 22 18:25:18 MYDOMAIN postfix/smtpd[12010]: connect from
mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]
Feb 22 18:25:18 MYDOMAIN postfix/smtpd[12010]: Anonymous TLS connection
established from
mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 22 18:25:19 MYDOMAIN postfix/smtpd[12010]: NOQUEUE: reject: RCPT from
mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]: 554
5.7.1 Service unavailable; Client host [40.107.93.98] blocked using
bl.spamcop.net; Blocked - see
https://www.spamcop.net/bl.shtml?40.107.93.98;
from= to= proto=ESMTP
helo=
Feb 22 18:25:19 MYDOMAIN postfix/smtpd[12010]: using backwards-compatible
default setting smtpd_relay_before_recipient_restrictions=no to reject
recipient "m...@mydomain.com" from client
"mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]"
Feb 22 18:25:19 MYDOMAIN postfix/smtpd[12010]: disconnect from
mail-dm6nam10on2098.outbound.protection.outlook.com[40.107.93.98]
ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 22 18:28:39 MYDOMAIN postfix/anvil[12013]: statistics: max connection
rate 1/60s for (smtp:40.107.93.98) at Feb 22 18:25:18


This is the relevant part of my postfix main.cf. I am only showing the
spamcop rbl.


smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_non_fqdn_recipient,
  check_client_access hash:/etc/postfix/client_checks,
  check_sender_access hash:/etc/postfix/sender_checks,
  check_client_access hash:/etc/postfix/rbl_override,
  reject_rbl_client bl.spamcop.net,
  check_policy_service unix:private/policy
*


[pfx] migrating server to new host

2024-02-02 Thread lists--- via Postfix-users
I have postfix/dovecot/mysql with virtual domains on centos;
I would like to migrate working server setup to new host on rocky 8
installed new rocky with postfix as is available for rocky

what's the best way to do such ?

do I install ghettoforge repo on rocky, get version pf 3.8.5 then copy
main/master .cf , start it and check for errors ?


existing centos server:
# postconf mail_version
mail_version = 3.8.5


# postconf -m
btree cidr environ fail hash inline internal ldap memcache mysql nis pcre
pipemap proxy randmap regexp socketmap static tcp texthash unionmap unix

rocky:
# postconf mail_version
mail_version = 3.5.8

# postconf -m
btree cidr environ fail hash inline internal ldap memcache mysql nis pcre
pipemap proxy randmap regexp socketmap static tcp texthash unionmap unix



[pfx] Re: 25 years today

2023-12-14 Thread Rob Sterenborg (Lists) via Postfix-users

On 14-12-2023 14:20, Wietse Venema via Postfix-users wrote:

As a few on this list may recall, it is 25 years ago today that the
"IBM secure mailer" had its public beta release. This was accompanied
by a nice article in the New York Times business section.


...


That was a long time ago. Postfix has evolved as the Internet has
changed. I am continuing the overhaul of this software, motivated
by people like you on this mailing list.

Wietse


Back in 2001 or so, I needed an MTA at the place I worked, and I wasn't 
too experienced. So I tried Sendmail because it was the default, didn't 
understand it, so that didn't work out. Next I somehow found Qmail (it's 
too long ago to remember how that happened), and found it even worse to 
handle. Then I found Postfix, and immediately got it to work for what I 
needed it to do. Since then, I've been using Postfix for all mail 
servers I've ever built, never looked back.


A big thank you for this excellent piece of software and all the support 
we're still getting!



--
Rob



[pfx] printer ip SMTP AUTH / mynetworks question

2023-12-13 Thread lists--- via Postfix-users
I have a user with an 'old' printer/scanner who wants to scan/email scans
from the home located device

printer offers:
machine email address:
SMTP server:
SMTP server port:

send authentication: PoPb4SMTP/SMTP AUTH: Plain/Login/CRAM-MD5/Auto

login name:
passwd:

tried 587 with each of the 4 AUTH options, keeps failing
added printer IP to mynetworks, changed to port 25, working

any suggestion what it might need to use port 587 / AUTH ?

any undesired side effects of allowing printer IP in main.cf mynetworks ?

Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: connect from
111-222-333-444.tpgi.com.au[111.222.333.444]
Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: lost connection
after EHLO from 111-222-333-444.tpgi.com.au[111.222.333.444]
Dec 13 17:52:13 geko postfix/submission/smtpd[22180]: disconnect from
111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 commands=1

Dec 13 17:47:20 geko postfix/submission/smtpd[15098]: disconnect from
111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 commands=1
Dec 13 17:48:12 geko postfix/anvil[15001]: statistics: max connection rate
6/3600s for (submission:111.222.333.444) at Dec 13 17:47:20
Dec 13 17:48:26 geko postfix/postscreen[14984]: CONNECT from
[111.222.333.444]:50694 to [103.106.168.106]:25
Dec 13 17:48:26 geko postfix/postscreen[14984]: WHITELISTED
[111.222.333.444]:50694
Dec 13 17:48:26 geko postfix/smtpd[15061]: connect from
111-222-333-444.tpgi.com.au[111.222.333.444]
Dec 13 17:48:26 geko postfix/smtpd[15061]: CB67D20BBA9:
client=111-222-333-444.tpgi.com.au[111.222.333.444], sasl_method=LOGIN,
sasl_username=u...@tld.com.au
Dec 13 17:48:30 geko amavis[15129]: (15129-15) Checking: P4rpqg2X2xgz
[111.222.333.444]  -> 
Dec 13 17:48:31 geko postfix/smtpd[15061]: disconnect from
111-222-333-444.tpgi.com.au[111.222.333.444] ehlo=1 auth=1 mail=1 rcpt=1
data=1 quit=1 commands=6
Dec 13 17:48:31 geko amavis[15129]: (15129-15) Passed CLEAN
{RelayedInbound}, [111.222.333.444]:50694 [111.222.333.444] ESMTP/ESMTP
 -> ,
(ESMTPA://[111.222.333.444]:50694), Queue-ID: CB67D20BBA9, mail_id:
P4rpqg2X2xgz, b: cNaGQKTr-, Hits: 0.436, size: 525554, queued_as:
C064E20A5CB, Subject: "ScanFrom Printer (raw:
=?utf-8?B?U2NhbkZy2NhbkZyb20gW50ZXI=?=)", From: ,
helo=iptarget, Tests:
[ALL_TRUSTED=-1,BAYES_00=-1.9,DATE_IN_PAST_06_12=1.543,DKIM_INVALID=0.1,DKIM_SIGNED=0.1,INVALID_DATE=1.096,MISSING_MID=0.497],
autolearn=no autolearn_force=no, autolearnscore=1.875, 1715 ms






[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-12 Thread lists--- via Postfix-users
On Sun, September 10, 2023 2:03 am, Viktor Dukhovni via Postfix-users wrote:

> Hard to say, you're not well prepared to isolate the issue, and
> the symptoms are diverse.

Viktor, Matus, many thanks!!

Viktor, I think and I'm afraid you've hit the nail on the head... that's
certainly large if not major part of my problem...
thank you for pointing it out! I hope you woke me up...!


> Your amavis content filter has a non-trivial backlog of mail, probably
> because each message takes a long time to process.  Here the message sat
> 5.4 seconds in the incoming queue and then took 11 seconds to deliver
> to amavis.  This bottleneck suggests that the amavis filter is doing remote
> DNS lookups that are quite slow.
> You need to review your amavis configuration and disable or tune the
> actions that lead to the processing delays.


OK, took out amavis from main.cf

#content_filter = smtp-amavis:[127.0.0.1]:10024

BIG reduction in Load average, still problem persists

took out amavis line from master.cf submission block

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026


user still reports problems...

wait... shouldn't main.cf mynetworks = INCLUDE user's fixed IP...??
I thought it always did...?

add IP to mynetwork - I think it's working OK now..

so, it seems my issue was (partially?) not having senders's fixed IP in
mynetworks ?

(I'm still aiming to look at today's logs, earlier today, timeouts, after
editing mynetworks, seems OK)

>> hmmm... supposed to be using 587...
>
> if you properly uncommented submission service in master.cf, the smtp
> should log as postfix/smtps/smtpd or postfix/submission/smtpd
> or your user used port 25 which is used for server-server mail transfer
> and may have different setup.
>
> I e.g. use postscreen (which sometimes adds 6-seconds delay) and also
> spam and virus checking milters (like amavisd-milter) on 25. This takes
> much time.
>
> on port 587/465 I tend to use amavis as content_filter, which means mail
> is received from user and filtered afterwards. This makes apparent
> receiving mail from client much faster.

does this look OK, that's what I had:

submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026


$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
#  forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};



[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread lists--- via Postfix-users
On Sat, September 9, 2023 9:00 pm, Matus UHLAR - fantomas via
Postfix-users wrote:
>> On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via
>> Postfix-users wrote:

Matus, Michel, thanks

> did you reorder those lines? look at timestamps.

didn't intend to, but maybe stuffed up when I've tried to get out of
maillog like:
grep "Sep  8"' followed by grep "16:40:" and grep "16:41:"
was trying to get entries between 16:40


On Sat, September 9, 2023 8:45 pm, Michel Verdier via Postfix-users wrote:

> How many cores do you have on that system ?

2 cores 4gb




[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread lists--- via Postfix-users
On Sat, September 9, 2023 3:52 am, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Sep 08, 2023 at 11:13:02PM +1000, lists--- via Postfix-users
> wrote:


>
> Your amavis content filter has a non-trivial backlog of mail, probably
> because each message takes a long time to process.  Here the message sat
> 5.4 seconds in the incoming queue and then took 11 seconds to deliver
> to amavis.  This bottleneck suggests that the amavis filter is doing remote
> DNS lookups that are quite slow.
>
>
> You need to review your amavis configuration and disable or tune the
> actions that lead to the processing delays.


Viktor, thank you

hmmm, noticed that system has quite high load average, reaching  1.5/1.6
when I was checking... is that my problem ? or part of it ?
have I overloaded/underresourced ?

Tasks: 114, 98 thr; 2 running  2
Load average: 1.18 0.92 0.69




[pfx] Re: tracing smtp submission issues/ server timed out?

2023-09-09 Thread lists--- via Postfix-users
On Sat, September 9, 2023 2:42 am, Matus UHLAR - fantomas via
Postfix-users wrote:
> On 08.09.23 23:13, lists--- via Postfix-users wrote:


Matus, Viktor, thanks

> logs from unsuccessful attempts are important, not from the one that
> succeeded.

is there some proper way to identify that..? looking at lines immediately
above I see like, I screen scraped lines immediately above:

Sep  8 16:40:34 geko postfix/qmgr[1654]: 708204346EE: removed
Sep  8 16:40:37 geko postfix/postscreen[21264]: CONNECT from
[111.222.333.444]:50452 to [103.106.168.106]:25
Sep  8 16:40:37 geko postfix/postscreen[21264]: PASS OLD
[111.222.333.444]:50452
Sep  8 16:40:37 geko postfix/smtpd[15732]: connect from
unknown[111.222.333.444]
Sep  8 16:40:37 geko postfix/smtpd[15732]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits
Sep  8 16:40:37 geko postfix/smtpd[15732]: lost connection after STARTTLS
from unknown[111.222.333.444]
Sep  8 16:40:37 geko postfix/smtpd[15732]: disconnect from
unknown[111.222.333.444] ehlo=1 starttls=1 commands=2
Sep  8 16:40:46 geko postfix/smtpd[15519]: connect from
unknown[111.222.333.444]
Sep  8 16:40:46 geko postfix/smtpd[15519]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1.3 with cipher
TLS_AES_128_GCM_SHA256 (128/128
Sep  8 16:40:47 geko postfix/smtpd[15519]: 2556C4346EC:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection rate
4/3600s for (smtpd:185.222.58.40) at Sep  8 16:40:22
Sep  8 16:44:24 geko postfix/anvil[1945]: statistics: max connection count
3 for (smtpd:185.222.58.40) at Sep  8 16:40:19
Sep  8 16:41:06 geko postfix/smtpd[15519]: lost connection after DATA (0
bytes) from unknown[111.222.333.444]
Sep  8 16:41:06 geko postfix/smtpd[15519]: disconnect from
unknown[111.222.333.444] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=0/1
commands=6/7
Sep  8 16:41:24 geko postfix/smtpd[15518]: connect from
unknown[111.222.333.444]
Sep  8 16:41:25 geko postfix/smtpd[15518]: Anonymous TLS connection
established from unknown[111.222.333.444]: TLSv1.3 with cipher
TLS_AES_128_GCM_SHA256 (128/128
Sep  8 16:41:25 geko postfix/smtpd[15518]: C92564346E5:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
message-id=


>
> so, your users send mail on port 25?


hmmm... supposed to be using 587...

>
>> Sep  8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
>> message-id=
>
> this one took 6 seconds.
>
>> Sep  8 16:41:31 geko opendkim[910]: C92564346E5: DKIM-Signature field
>> added (s=default, d=tld.com)
>
> and you run opendkim (milter) on that? any other milters?

dkim/dmarc





[pfx] tracing smtp submission issues/ server timed out?

2023-09-08 Thread lists--- via Postfix-users
a user reported mail client message:

"It hard to sent mail we try 2-3 times then sent."
screengrab from mail client had: sending failed, couldn't send, connection
to outgoing server timed out

I couldn't notice anything, tail maillog, saw emails going, probably
looking at wrong things ?

subsequently was told reply email to me took two attempts, the received
copy log is like;

what/where to look/check ?

- also, in case this matters:
sender has BOTH TLD.com.au as well as same TLD.com (without .au)
the mail server was always TLD.com.au, TLD.com was added as domain alias
several years ago, around 2015, 'alias domain' in PFA


# grep "C92564346E5"  /var/log/maillog
Sep  8 16:41:25 geko postfix/smtpd[15518]: C92564346E5:
client=unknown[111.222.333.444], sasl_method=PLAIN,
sasl_username=i...@tld.com.au
Sep  8 16:41:31 geko postfix/cleanup[15407]: C92564346E5:
message-id=
Sep  8 16:41:31 geko opendkim[910]: C92564346E5: DKIM-Signature field
added (s=default, d=tld.com)
Sep  8 16:41:31 geko postfix/qmgr[1654]: C92564346E5: from=,
size=3262, nrcpt=1 (queue active)
Sep  8 16:41:42 geko amavis[31308]: (31308-14) Passed CLEAN
{RelayedInternal}, ORIGINATING LOCAL [111.222.333.444]:52547
[111.222.333.444]  -> , Queue-ID: C92564346E5,
Message-ID: , mail_id:
zj3cR-iB-usR, Hits: -3.069, size: 3681, queued_as: F22794346E8, 10889 ms
Sep  8 16:41:42 geko postfix/smtp[15464]: C92564346E5: to=,
relay=127.0.0.1[127.0.0.1]:10026, delay=16, delays=5.4/0/0.01/11,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as F22794346E8)
Sep  8 16:41:42 geko postfix/qmgr[1654]: C92564346E5: removed

# grep "F22794346E8"  /var/log/maillog
Sep  8 16:41:41 geko postfix/smtpd[13013]: F22794346E8:
client=localhost[127.0.0.1]
Sep  8 16:41:41 geko postfix/cleanup[15407]: F22794346E8:
message-id=
Sep  8 16:41:42 geko postfix/qmgr[1654]: F22794346E8: from=,
size=4144, nrcpt=1 (queue active)
Sep  8 16:41:42 geko amavis[31308]: (31308-14) Passed CLEAN
{RelayedInternal}, ORIGINATING LOCAL [111.222.333.444]:52547
[111.222.333.444]  -> , Queue-ID: C92564346E5,
Message-ID: , mail_id:
zj3cR-iB-usR, Hits: -3.069, size: 3681, queued_as: F22794346E8, 10889 ms
Sep  8 16:41:42 geko postfix/smtp[15464]: C92564346E5: to=,
relay=127.0.0.1[127.0.0.1]:10026, delay=16, delays=5.4/0/0.01/11,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as F22794346E8)
Sep  8 16:41:42 geko postfix/pipe[15414]: F22794346E8: to=,
relay=dovecot, delay=0.09, delays=0.02/0/0/0.07, dsn=2.0.0, status=sent
(delivered via dovecot service)
Sep  8 16:41:42 geko postfix/qmgr[1654]: F22794346E8: removed




Re: milter - wrong ordering of responses on pipelining

2022-12-13 Thread lists+postfix

there is bug report for PMilter:
https://rt.cpan.org/Ticket/Display.html?id=145263

On 2022.12.11. 15:10, Wietse Venema wrote:

lists+post...@sad.lv:

Hello !

I met an issue with milter when multiple messages pushed within single
smtp session (using pipelining indeed):
warning: milter unix:/run/t.socket: unexpected filter response
SMFIR_ADDHEADER after event SMFIC_MAIL

It looks similar for
https://www.mail-archive.com/postfix-users@postfix.org/msg13652.html


This was caused by a bug in Sendmail::PMilter.

Background: the SMTP protocol supports multiple MAIL transactions
per SMTP connection. After each successful or unsuccessful MAIL
transaction, Postfix sends an SMFIC_ABORT command to all Milters,
to ensure that they are in a known state for the next MAIL transaction.

The Sendmail::PMilter code comes with a description of the Milter
protocol that says:

 COMMAND CODES
 ...
 'A' SMFIC_ABORT Abort current filter checks
Expected response:  NONE
 ...

Yet, when the Sendmail::PMilter receives SMFIC_ABORT, it sends a
response (SMFIR_CONTINUE). Evidence from PMilter logging:

Fri Dec  9 20:14:15 2022 PID=13886 Context.pm(215): main(eval): got command=[A]
Fri Dec  9 20:14:15 2022 PID=13886 Context.pm(508): call_hooks: (non-existent 
callback=[abort])
write =>c<= ><

The command=[A] is SMFIC_ABORT, and the =>c<= response is SMFIR_CONTINUE.

Because of this "extra" response, Postfix and Sendmail::PMilter are
now out of step, and eventually Postfix complains about a protocol error.

Wietse
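
The desynchronisation described above, reproduced with a small model of the reply stream; this is an added example, not Postfix or Sendmail::PMilter code. It assumes a simplified transaction (one recipient, one header, no SMFIC_BODY chunks) and a filter that adds and changes a header at end of body, as the test milter in this thread does.

```python
from collections import deque

# One mail transaction as the MTA drives it; SMFIC_ABORT resets the filter
# before the next MAIL transaction on the same SMTP connection.
TRANSACTION = ["SMFIC_MAIL", "SMFIC_RCPT", "SMFIC_HEADER", "SMFIC_EOH",
               "SMFIC_BODYEOB", "SMFIC_ABORT"]
NO_REPLY_EXPECTED = {"SMFIC_ABORT"}            # "Expected response: NONE"
MODIFICATIONS = {"SMFIR_ADDHEADER", "SMFIR_CHGHEADER"}  # legal at end of body only


def filter_replies(command, answers_abort):
    """Replies the modelled filter writes for one command."""
    if command == "SMFIC_ABORT":
        # The behaviour under discussion: a reply where none is expected.
        return ["SMFIR_CONTINUE"] if answers_abort else []
    if command == "SMFIC_BODYEOB":
        return ["SMFIR_ADDHEADER", "SMFIR_CHGHEADER", "SMFIR_CONTINUE"]
    return ["SMFIR_CONTINUE"]


def run_session(messages, answers_abort):
    """Drive several MAIL transactions over one filter connection.

    Returns the modifications the MTA accepted for each completed message,
    plus the message number and warning text if the protocol broke.
    """
    stream = deque()   # replies written by the filter, not yet read by the MTA
    applied = []
    for number in range(1, messages + 1):
        accepted = []
        for command in TRANSACTION:
            stream.extend(filter_replies(command, answers_abort))
            if command in NO_REPLY_EXPECTED:
                continue   # the MTA does not read here; a stray reply stays queued
            while True:
                reply = stream.popleft()
                if reply in MODIFICATIONS:
                    if command != "SMFIC_BODYEOB":
                        warning = (f"unexpected filter response {reply} "
                                   f"after event {command}")
                        return {"applied": applied, "failed_at": number,
                                "warning": warning}
                    accepted.append(reply)
                    continue   # modifications are followed by a final reply
                break          # SMFIR_CONTINUE ends the wait for this command
        applied.append(accepted)
    return {"applied": applied, "failed_at": None, "warning": None}


if __name__ == "__main__":
    print("silent on ABORT: ", run_session(4, answers_abort=False))
    print("replies to ABORT:", run_session(4, answers_abort=True))
```

In the model the second message completes with no header changes applied, because its end-of-body event consumes a stale SMFIR_CONTINUE; the warning only appears on the following MAIL. That matches the cleanup and smtpd log lines quoted in the original report.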


milter - wrong ordering of responses on pipelining

2022-12-09 Thread lists+postfix

Hello !

I met an issue with milter when multiple messages pushed within single 
smtp session (using pipelining indeed):
warning: milter unix:/run/t.socket: unexpected filter response 
SMFIR_ADDHEADER after event SMFIC_MAIL


It looks similar for 
https://www.mail-archive.com/postfix-users@postfix.org/msg13652.html


the issue is nearly 100% reproducible.
my postfix config is simple:
smtpd_milters=unix:/run/t.socket

milter daemon is simple perl code on top of Sendmail::PMilter and does 
addheader/chgheader at EOM stage.


Then I connect with "telnet 0 25" and pipeline multiple messages 
(actually four) with header "X-TEST: 1-2-3-4" into postfix.


from postfix milter debug log I learn that 1st message processed like
Dec  3 15:22:33 srv postfix/cleanup[168510]: event: SMFIC_BODYEOB;
macros: i=16C381A1BA2
Dec  3 15:22:34 srv postfix/cleanup[168510]: reply: SMFIR_ADDHEADER data 
18 bytes
Dec  3 15:22:34 srv postfix/cleanup[168510]: reply: SMFIR_CHGHEADER data 
12 bytes
Dec  3 15:22:34 srv postfix/cleanup[168510]: reply: SMFIR_CONTINUE data 
0 bytes

Dec  3 15:22:34 srv postfix/cleanup[168510]: free milter unix:/run/t.socket

when 2nd (or time-to-time 3rd) fails:
Dec  3 15:22:35 srv postfix/cleanup[168510]: reply: SMFIR_CONTINUE data 
0 bytes
Dec  3 15:22:35 srv postfix/cleanup[168510]: event: SMFIC_BODYEOB; 
macros: i=23FA51A1BA9
Dec  3 15:22:35 srv postfix/cleanup[168510]: reply: SMFIR_CONTINUE data 
0 bytes

Dec  3 15:22:35 v/cleanup[168510]: free milter unix:/run/smilter/t.socket

Dec  3 15:22:36 srv postfix/smtpd[168502]: reply: SMFIR_ADDHEADER data 
17 bytes
Dec  3 15:22:36 srv postfix/smtpd[168502]: warning: milter 
unix:/run/t.socket: unexpected filter response SMFIR_ADDHEADER after 
event SMFIC_MAIL


Tested on postfix-3.7.3

Is there any way to avoid milter reply disordering ?

full code of test perl milter daemon:
==
use Sendmail::PMilter qw(:all);
use IO::Socket::INET;

my %cbs;

# MAIL FROM: start per-message state with a recipient counter.
$cbs{envfrom} = sub {
  my $ctx = shift;
  $ctx->setpriv({ c => 0 });
  SMFIS_CONTINUE;
};

# RCPT TO: count the recipients of this message.
$cbs{envrcpt} = sub {
  my $ctx = shift;
  my $data_ref = $ctx->getpriv();
  $data_ref->{c}++;
  $ctx->setpriv($data_ref);
  SMFIS_CONTINUE;
};

# Header: remember the X-TEST value; the sleep delays the reply.
$cbs{header} = sub {
  my ($ctx, @args) = @_;    # @args = (header name, header value)
  my $data_ref = $ctx->getpriv();
  if ($args[0] eq 'X-TEST') { $data_ref->{test} = $args[1]; sleep(1); }
  $ctx->setpriv($data_ref);
  SMFIS_CONTINUE;
};

# End of message: add X-FIX with the saved value and change X-TEST.
$cbs{eom} = sub {
  my $ctx = shift;
  my $data_ref = $ctx->getpriv();
  sleep(1);
  $ctx->addheader('X-FIX', $data_ref->{test});
  $ctx->chgheader('X-TEST');
  SMFIS_CONTINUE;
};

my $m = Sendmail::PMilter->new;
$m->setconn("local:/run/t.socket");
$m->register('t', \%cbs, SMFIF_CHGHDRS|SMFIF_ADDHDRS);
$m->set_dispatcher(Sendmail::PMilter::prefork_dispatcher(
  max_children => 10, max_requests_per_child => 50 ));

$m->main();

==


Best Regards,
Deniss



Re: no shared cipher revisited

2022-09-28 Thread Lists Nethead



Quoting Viktor Dukhovni :


On Wed, Sep 28, 2022 at 07:22:37PM +0200, Lists Nethead wrote:


> Your server defaults to an ECDSA P-384 certificate, the client may not
> support ECDSA at all, or may not support P-384 (P-256 is a more broadly
> supported choice):
>
> $ posttls-finger -c -lmay -Lsummary "[nh1.nethead.se]"
> posttls-finger: Untrusted TLS connection established
> to nh1.nethead.se[5.150.237.137]:25:
> TLSv1.3 with
> cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange X25519
> server-signature ECDSA (P-384)
> server-digest SHA384
>
> There appears to be no additional RSA certificate configured:
>
> $ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aRSA" -c
> -lmay -Lsummary "[nh1.nethead.se]"
> posttls-finger: SSL_connect error to nh1.nethead.se[5.150.237.137]:25: -1
> posttls-finger: warning: TLS library problem: error:14094410:SSL
> routines:ssl3_read_bytes:sslv3 alert handshake
> failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40:
>
> $ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aECDSA" -c
> -lmay -Lsummary "[nh1.nethead.se]"
> posttls-finger: Untrusted TLS connection established to
> nh1.nethead.se[5.150.237.137]:25: TLSv1.2 with cipher
> ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
>
> Your choice of private key (ECDSA P-384) is likely the problem.

Thanks Viktor, that is exactly where my suspicions lay. Now on to fix it.


You should have at least an RSA certificate (2048-bit key, not more),
and only if you're feeling particularly expert also an ECDSA certificate
(P-256 is plenty strong, not P-384 or P-521).


Yes agree, on my way there now.




Re: no shared cipher revisited

2022-09-28 Thread Lists Nethead



Quoting Viktor Dukhovni :


On Wed, Sep 28, 2022 at 06:47:39PM +0200, Lists Nethead wrote:


>> smtpd_tls_protocols = >=TLSv1.2
>
> That's not the default setting.
>
>> smtpd_tls_exclude_ciphers = aNULL
>
> This only appeases clueless auditors, in reality it is silly.
>
>> From what I can see, this is what they want:
>> TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128
>
> What certificate did you deploy?  What is the name of the server,
> would I be able to connect to it?

Hm, what is the default then?


The default is to allow TLS 1.0 or higher.  If you want to be broadly
interoperable, this is the recommended setting.  There is no actual risk
in SMTP from leaving TLS 1.0 enabled.  When you support TLS 1.2, and
the client does too, there is no known downgrade attack to TLS 1.0.


Yes, nh1.nethead.se and vrt.nethead.se


Your server defaults to an ECDSA P-384 certificate, the client may not
support ECDSA at all, or may not support P-384 (P-256 is a more broadly
supported choice):

$ posttls-finger -c -lmay -Lsummary "[nh1.nethead.se]"
posttls-finger: Untrusted TLS connection established
to nh1.nethead.se[5.150.237.137]:25:
TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519
server-signature ECDSA (P-384)
server-digest SHA384

There appears to be no additional RSA certificate configured:

$ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aRSA" -c  
-lmay -Lsummary "[nh1.nethead.se]"

posttls-finger: SSL_connect error to nh1.nethead.se[5.150.237.137]:25: -1
posttls-finger: warning: TLS library problem: error:14094410:SSL  
routines:ssl3_read_bytes:sslv3 alert handshake  
failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40:


$ posttls-finger -p TLSv1.2 -o tls_medium_cipherlist="aECDSA" -c  
-lmay -Lsummary "[nh1.nethead.se]"
posttls-finger: Untrusted TLS connection established to  
nh1.nethead.se[5.150.237.137]:25: TLSv1.2 with cipher  
ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)


Your choice of private key (ECDSA P-384) is likely the problem.


Thanks Viktor, that is exactly where my suspicions lay. Now on to fix it.

Thanks again,
Per



Re: no shared cipher revisited

2022-09-28 Thread Lists Nethead



Quoting Benny Pedersen :


Lists Nethead skrev den 2022-09-28 18:47:


smtpd_tls_protocols = >=TLSv1.2

Hm, what is the default then?


put an # in front of this line in main.cf, then do a postfix reload

simple ? :=)


If this would enable everything from tls1, no.



Re: no shared cipher revisited

2022-09-28 Thread Lists Nethead



Quoting Viktor Dukhovni :


On Wed, Sep 28, 2022 at 06:38:15PM +0200, Lists Nethead wrote:


Hello again postfix-users,

After Viktor gave really helpful advice re SSLv3, now on to the next
problem, dealing with crypto is opening a can of worms, at least where
I am.

We cannot receive messages from a Big Corp, our Postfix MXs respond
with "no shared cipher". The configuration is pretty standard I think,

smtpd_tls_protocols = >=TLSv1.2


That's not the default setting.


smtpd_tls_exclude_ciphers = aNULL


This only appeases clueless auditors, in reality it is silly.


From what I can see, this is what they want:
TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128


What certificate did you deploy?  What is the name of the server,
would I be able to connect to it?


Hm, what is the default then?

Yes, nh1.nethead.se and vrt.nethead.se

Letsencrypt



no shared cipher revisited

2022-09-28 Thread Lists Nethead



Hello again postfix-users,

After Viktor gave really helpful advice re SSLv3, now on to the next
problem, dealing with crypto is opening a can of worms, at least where
I am.


We cannot receive messages from a Big Corp, our Postfix MXs respond
with "no shared cipher". The configuration is pretty standard I think,


smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_exclude_ciphers = aNULL

From what I can see, this is what they want:
TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128

This seems to be available in the openssl version

1.1.1q-freebsd
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD

that we currently use but we do not offer it, and why is beyond me  
unfortunately, any help welcome.


Thanks,
Per



Re: Enable SSLv3 from a specific IP

2022-09-27 Thread Lists Nethead

Quoting Viktor Dukhovni :


On Sun, Sep 25, 2022 at 10:24:23AM +0200, Lists Nethead wrote:


> You probably do not need a dedicated port, just configure both an
> RSA and a DSA certificate.  Why you'd want to do this is a mystery,
> an SMTP client that only supports DSS is rather a museum piece.

Thank you Viktor for this explanation, really helpful, I will go with
the iptables suggestion (or in our case pf). The OS is FreeBSD 12 so
it should be doable.


Are you sure you need a dedicated port?  Are you trying to avoid
configuring an additional DSA certificate on the default port?

In any case, your call.  Yes remapping the client to a non-default
port via a packet filter will give you enough rope.


It will be re-mapped to a different smtp server altogether, because we
know the sending IPs it is easy to restrict access.


Thanks,
Per



Re: Enable SSLv3 from a specific IP

2022-09-25 Thread Lists Nethead



Quoting Viktor Dukhovni :


On Sat, Sep 24, 2022 at 01:22:30PM +0200, Lists Nethead wrote:


I am tasked with what the subject says, to enable
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
from a specific IP.


Note that while the cipher was first defined for use in SSLv3, it
continues to be applicable in TLS 1.0, 1.1 and even 1.2.  For
example, on FreeBSD 12.3 system with OpenSSL 1.1.1 I get:

$ openssl ciphers -v -s -tls1_2 kDHE+aDSS+SHA1+AES:@SECLEVEL=0
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1

While on a Fedora 36 system no such ciphers are available

$ openssl ciphers -v -s -tls1_2 kDHE+aDSS:@SECLEVEL=0
$

So if your OpenSSL library does not support the cipher, you're out of
luck.

However, even if it does, that cipher can only be negotiated on a server
that has a DSA (a.k.a. DSS) certificate.  So you'd need to configure
either only a DSA certificate, or both a DSA and an RSA certificate.

That's all that's required.  Postfix is fairly liberal in the list of
ciphers it supports, because SMTP typically uses unauthenticated
opportunistic TLS, and turning up the ciphers to 11 is mostly
counterproductive.


I suppose that must be a lookup table but unsure about the syntax. Or,
is smtpd_discard_ehlo_keyword_address_maps the way to go?


It is not possible to configure fine-grained TLS settings by client
IP directly in Postfix.  You'd have to use iptables or similar to
map connections from the client in question to an alternative SMTP
port, for which in master.cf you configure appropriate settings.

You probably do not need a dedicated port, just configure both an
RSA and a DSA certificate.  Why you'd want to do this is a mystery,
an SMTP client that only supports DSS is rather a museum piece.

If the client in fact only supports SSL 3.0 (even more ancient), then
you'd need to have an OpenSSL version that has not disabled SSL 3.0:

$ openssl ciphers -v -s -ssl3 kDHE+aDSS+AES:@SECLEVEL=0
DHE-DSS-AES256-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA  SSLv3 Kx=DH   Au=DSS  Enc=AES(128)  Mac=SHA1

and to change the default value of "smtpd_tls_protocols":

# Postfix 3.6 or later:
smtpd_tls_protocols = >=SSLv3

# Older Postfix
smtpd_tls_protocols = !SSLv2


Thank you Viktor for this explanation, really helpful, I will go with  
the iptables suggestion (or in our case pf). The OS is FreeBSD 12 so  
it should be doable.


Thanks again,
Per
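
Both the "no shared cipher" diagnosis earlier on this page and the DSA requirement in the message above follow from one rule: for TLS 1.2 and earlier, a suite can only be selected if the server has a certificate of the key type named in the suite's Au= field. The following added example (not code from the thread) models that rule; the client offer lists and helper names are assumptions, and curve support such as P-256 versus P-384 is not modelled.

```python
import re

# Constructed sample in `openssl ciphers -v` format. The ECDHE-RSA-AES128 and
# DHE-DSS lines match output quoted in the threads; the others follow the
# same format.
SERVER_LIBRARY_CIPHERS = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-SHA             SSLv3   Kx=DH   Au=DSS   Enc=AES(128)    Mac=SHA1
"""

# Certificate key type the server must have configured for each Au= value.
AU_TO_CERT = {"RSA": "RSA", "ECDSA": "ECDSA", "DSS": "DSA"}

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s*$"
)


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into a list of dicts."""
    ciphers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE.match(line)
        if match is None:
            raise ValueError("not an `openssl ciphers -v` line: %r" % line)
        ciphers.append(match.groupdict())
    return ciphers


def selectable(ciphers, cert_types):
    """Names of suites the server can select with the configured key types.

    Suites with Au=any (TLS 1.3) are left out: their certificate type is
    negotiated through signature algorithms, which this model does not cover.
    """
    names = []
    for cipher in ciphers:
        needed = AU_TO_CERT.get(cipher["au"])
        if needed is not None and needed in cert_types:
            names.append(cipher["name"])
    return names


def shared_suites(client_offer, ciphers, cert_types):
    """Suites from the client's offer that the server could agree to.

    An empty result corresponds to the "no shared cipher" failure.
    """
    usable = set(selectable(ciphers, cert_types))
    return [name for name in client_offer if name in usable]


if __name__ == "__main__":
    library = parse_ciphers(SERVER_LIBRARY_CIPHERS)
    # Assumed TLS 1.2 client that only offers RSA-authenticated suites.
    rsa_only_client = ["ECDHE-RSA-AES128-GCM-SHA256",
                       "ECDHE-RSA-AES256-GCM-SHA384"]
    for certs in ({"ECDSA"}, {"ECDSA", "RSA"}):
        result = shared_suites(rsa_only_client, library, certs)
        print(sorted(certs), "->", result or "no shared cipher")
```

The library lists ECDHE-RSA-AES128-GCM-SHA256 in both runs; only the set of configured certificate types decides whether the server can agree to it.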





Enable SSLv3 from a specific IP

2022-09-24 Thread Lists Nethead

Hello Postfix users,

I am tasked with what the subject says, to enable
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS  Enc=AES(128)  Mac=SHA1
from a specific IP.

I suppose that must be a lookup table but unsure about the syntax. Or,  
is smtpd_discard_ehlo_keyword_address_maps the way to go?


Thankful for a pointer.

Best,
Per



Re: ot: SPF/DKIM woes

2022-09-18 Thread lists
thank you, everyone, much appreciate advice and testing!

I'll try to summarize how it went:

user in India complained he couldn't access geko.sbt.net.au mail server
as there was an issue with some 'links' at data centre reported few hours
earlier, I assumed it was related and didn't try to test

next day I had reported, from same TLD users:
- SPF rejects at gmail (original post here)
- silent loss of gmail sent to the user (saw similar report on the list)
- user in India still can't access mail server

noticed that user in India can not resolve geko.sbt.net.au BUT can ping IP
address name resolution not working ?? but, working everywhere else

as a workaround I've told user in India to create hosts entry for
geko.sbt.net.au - that worked

question - could the name resolution fail from India be at all related to
my name server timeouts/web central outages ?

could the name resolution fail from India be at all related to some
malware/virus hijacking of domain name resolution ? on users laptop ?

though, before entering/editing host name in hosts file, geko just
wouldn't resolve, but, could ping IP


On Sat, September 17, 2022 7:30 pm, raf wrote:

> So unless you added ip4:103.106.168.106 to the SPF
> record after the bounce, I can't see what's wrong.

Raf,

thanks, no, haven't edited SPF record lately

On Sat, September 17, 2022 7:54 pm, Matus UHLAR - fantomas wrote:

> your domain is registered to ns1.netregistry.net. nameservers:
>
> Name Server: NS1.NETREGISTRY.NET

>
> however, NS records say otherwise:
>
> sbt.net.au.  3600  IN  NS  ns1.yourdnshost.net.

Matus,

I checked with registrar, was advised I should be using
NSx.PARTNERCONSOLE.NET, so shortly after I've edited the records as
advised

On Sun, September 18, 2022 1:26 pm, Viktor Dukhovni wrote:

>> https://status.webcentral.au/

> DNS service at netregistry.net is gradually returning to normal.  The
> majority of locations (though not yet all) where queries were previously
> failing now appear to be working.

Viktor,

does this show up on the https://status.webcentral.au/ somewhere, or how
do you assess that ? couldn't find such ?

thanks again to everyone, much appreciated

Voytek



Re: ot: SPF/DKIM woes

2022-09-17 Thread lists
On Sat, September 17, 2022 7:54 pm, Matus UHLAR - fantomas wrote:

> your domain is registered to ns1.netregistry.net. nameservers:
>
> Name Server: NS1.NETREGISTRY.NET
> Name Server: NS2.NETREGISTRY.NET
> Name Server: NS3.NETREGISTRY.NET
>
>
> however, NS records say otherwise:
>
> sbt.net.au.  3600  IN  NS  ns1.yourdnshost.net.
> sbt.net.au.  3600  IN  NS  ns2.yourdnshost.net.
> sbt.net.au.  3600  IN  NS  ns3.yourdnshost.net.
>
> these servers have the same IP addresses, but such discrepancy can cause
> you troubles.
>
> currently 8.8.8.8 (and 1.1.1.1) fail to return response for your domain:
>
> % dig mx sbt.net.au @8.8.8.8

Matus, Benny, Raf,

thanks for helping out, thanks for all suggestions.

the domain registrar told me to use nsX.partnerconsole.net instead of
netregistry/yourdnshost original default, I've now updated and can see
some improvement, I'll retest tomorrow, thanks again

Voytek



ot: SPF/DKIM woes

2022-09-17 Thread lists
I have mail server on geko.sbt.net.au serving sbt.net.au as well as
several other TLD domains,
a while back using help from this list, some write ups and mxtoolbox as
means of verifying/testing I've set SPF/DKIM/DMARC (or so I thought...)

as it seemed to pass all test I was able to run, I assumed it was set up
correctly, just now, noticed I get rejected from my own gmail address with
SPF/DKIM (1) (it was working OK in the past)

checking with mxtoolbox:

I get NO SPF for geko.sbt.net.au, I do get SPF for sbt.net.au

what tools/website should I use to test/verify SPF/DKIM/DMARC ?
do I need SPF record for both mail host as well as domain ?
what else am I missing or stuffed up ?

thanks for any pointers, hope I'm not too far off topic

Voytek


(1)
Sep 16 13:04:55 geko postfix/smtp[2651]: BC9EB200534: to=,
relay=gmail-smtp-in.l.google.com[172.217.194.26]:25, delay=11,
delays=0.01/0.04/2/8.8, dsn=5.7.26, status=bounced (host
gmail-smtp-in.l.google.com[172.217.194.26] said: 550-5.7.26 This message
does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not
pass). SPF check for [sbt.net.au] does not pass with ip: 550-5.7.26
[103.106.168.106].To best protect our users from spam, the message
550-5.7.26 has been blocked. Please visit 550-5.7.26 
https://support.google.com/mail/answer/81126#authentication for more 550
5.7.26 information. p2-20020a170902e74200b00176a0d8780csi2398305plf.285 -
gsmtp (in reply to end of DATA command))





started getting 550 #5.7.1 SPF unauthorized mail

2022-08-24 Thread lists
I have a simple 'mail list' where an alias 'ct...@sbt.net.au' sends email
to several recipients, that's been in use since long time.

today noticed one of these addresses started bouncing with '5.7.1 SPF
unauthorized mail' since just today:

what am I doing wrong ?

worked:

Aug 23 09:27:25 geko postfix/smtp[12957]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 23 09:27:27 geko postfix/smtp[12957]: 3119E21C52F:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=1.9,
delays=0.03/0/0.73/1.2, dsn=2.0.0, status=sent (250 ok:  Message 199653922
accepted)

no longer:

Aug 25 09:22:29 geko postfix/smtp[19538]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aug 25 09:22:30 geko postfix/smtp[19538]: 61DA820053B:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=1.9,
delays=0.08/0.02/0.74/1, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))

Aug 25 09:39:17 geko postfix/smtp[26188]: Untrusted TLS connection
established to asav.tpg.com.au[27.32.32.10]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aug 25 09:39:18 geko postfix/smtp[26188]: 5C7FE2004D9:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=0.64,
delays=0.05/0.01/0.26/0.33, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))

looking at the log I see:

# grep 4678220053B  /var/log/maillog

Aug 25 09:38:55 geko postfix/smtpd[21733]: 4678220053B:
client=mail-me3aus01on2049.outbound.protection.outlook.com[40.107.108.49]
Aug 25 09:38:55 geko postfix/cleanup[26173]: 4678220053B:
message-id=
Aug 25 09:38:56 geko opendkim[930]: 4678220053B: failed to parse
authentication-results: header field
Aug 25 09:38:56 geko opendkim[930]: 4678220053B: DKIM verification successful
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B ignoring
Authentication-Results at 1 from geko.sbt.net.au
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B: SPF(mailfrom):
tld.com.au pass
Aug 25 09:38:56 geko opendmarc[908]: 4678220053B: tld.com.au none
Aug 25 09:38:56 geko postfix/qmgr[23312]: 4678220053B:
from=, size=629054, nrcpt=8 (queue active)

Aug 25 09:39:17 geko amavis[23896]: (23896-16) Passed CLEAN
{RelayedOpenRelay}, [40.107.108.49]:3695 [40.107.108.49] 
-> , Queue-ID: 4678220053B, Message-ID:
,
mail_id: ecrv8dP6h0oa, Hits: -1.712, size: 629477, queued_as: 5C7FE2004D9,
4939 ms

Aug 25 09:39:17 geko postfix/smtp[26175]: 4678220053B:
to=, orig_to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=1.2/16/0.01/4.9,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 5C7FE2004D9)

Aug 25 09:44:04 geko postfix/qmgr[23312]: 4678220053B: removed
#


# grep 5C7FE2004D9  /var/log/maillog

Aug 25 09:39:17 geko postfix/smtpd[26177]: 5C7FE2004D9:
client=localhost[127.0.0.1]
Aug 25 09:39:17 geko postfix/cleanup[26173]: 5C7FE2004D9:
message-id=
Aug 25 09:39:17 geko postfix/qmgr[23312]: 5C7FE2004D9:
from=, size=629970, nrcpt=1 (queue active)
Aug 25 09:39:17 geko amavis[23896]: (23896-16) Passed CLEAN
{RelayedOpenRelay}, [40.107.108.49]:3695 [40.107.108.49] 
-> , Queue-ID: 4678220053B, Message-ID:
,
mail_id: ecrv8dP6h0oa, Hits: -1.712, size: 629477, queued_as: 5C7FE2004D9,
4939 ms
Aug 25 09:39:17 geko postfix/smtp[26175]: 4678220053B:
to=, orig_to=,
relay=127.0.0.1[127.0.0.1]:10024, delay=22, delays=1.2/16/0.01/4.9,
dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250
2.0.0 Ok: queued as 5C7FE2004D9)
Aug 25 09:39:18 geko postfix/smtp[26188]: 5C7FE2004D9:
to=, relay=asav.tpg.com.au[27.32.32.10]:25, delay=0.64,
delays=0.05/0.01/0.26/0.33, dsn=5.0.0, status=bounced (host
asav.tpg.com.au[27.32.32.10] said: 550 #5.7.1 SPF unauthorized mail is
prohibited. (in reply to DATA command))
Aug 25 09:39:18 geko postfix/bounce[26219]: 5C7FE2004D9: sender
non-delivery notification: 0C96B21C52C
Aug 25 09:39:18 geko postfix/qmgr[23312]: 5C7FE2004D9: removed


mail_version = 3.7.2



Re: password security

2022-04-27 Thread lists
The TOTP built into Linux has a 30 second time limit but most implementations 
approve the stale code making it effectively 60 seconds. 

Hackers have either implemented or there was a proof of concept (I forget 
which) where a man in the middle attack intercepted the token. That is more 
likely to occur with a web page Auth where the MITM presents a fake page. 






  Original Message  


From: postfixlists-070...@billmail.scconsult.com
Sent: April 27, 2022 8:04 AM
To: postfix-users@postfix.org
Subject: Re: password security


On 2022-04-27 at 01:47:06 UTC-0400 (Wed, 27 Apr 2022 17:47:06 +1200)
AndrewHardy 
is rumored to have said:

> Hi,
>
> Following this thread has been quite intriguing. Interesting
> conversation indeed.
>
> On a similar topic but probably more focused on addressing root cause
> (which in mind is just passwords = the devil of security) and the
> inherent insecurities with using them.
>
> I’m very interested in what options / solutions (if any) exist that
> allow you to use a passwordless approach to authenticating your users
> against imaps/pop3/smtps/submission services (tls encrypted of course)
> acknowledging that it’s extremely unlikely to address abuse of the
> non-auth enabled smtp listener so won’t rid the server of ‘all
> noise’ or ‘hacking attempts’ nor address lower level
> exploit/attacks (network/protocol level etc).
>
> Do any solutions exist today? I suspect the issue isn’t so much what
> you can do server side as possibilities are near endless but
> constraint is email client support which in my mind is the primary
> issue? Is that a reasonable conclusion?

I think it depends on what you mean by 'primary' but basically: yes. The
reason client support is extremely uneven is that there are not easily
implementable standards for how to avoid passwords with SMTP AUTH. The
most common mechanism is to use OAuth2, which requires client developers
to register their authenticating apps with service providers and get
their blessings to be used with their services. Typically the
out-of-band OAuth2 interaction requires some form of one-time password.
Another approach is to use client X.509 certificates, a mechanism that
is better for automated use (i.e. where there's no one available to
respond to perform the OOB OAuth2 renewal.) Both client certs for
authentication and OTP+OAuth2  are non-trivial to do correctly in a MUA.

The real root cause is deep and insoluble. Passwords are problematic
because they can be guessed or stolen. A certificate can be stolen. A
hardware token (e.g. RSA key) that generates random-ish one-time
passwords (i.e. HOTP) can itself be stolen and has seed and counter
values that can be stolen. A TOTP authenticator app (e.g. Google
Authenticator or MS Authenticator) has a seed value. To fix that
problem, nth-factors typically are time-limited. TOTP codes expire every
minute, typically. HOTP codes are strictly one-use so that a thief needs
the seed, counter AND to prevent legit use. Certificates expire, and the
trend is towards making them expire faster. OAuth2 tokens expire. All of
these create the need for regular human interaction to renew the
authentication, and so feel inconvenient. A 'slick' solution is
impossible because there needs to be a barricade against a thief
automating access with stolen credentials.


> I’m guessing what I’m asking is if there’s an open source
> solution that doesn’t require you to pay Microsoft or others
> extraordinary amounts of money just to get some smart protection?

If you want to do it now with Postfix, client certificates from your own
CA are probably the best way to go. Based on the angst displayed on that
topic here over the years, it is not trivial to get set up correctly,
but it is possible. Dovecot SASL supports OAuth2, so that's also an
option if you're willing to handle the backend yourself.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
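
The 30-second step and the acceptance of one stale code mentioned at the top of the message above, as an added example that is not from the thread: a standard-library RFC 6238 TOTP with a verifier that also accepts earlier steps. The function names and the `stale_steps` parameter are assumptions for illustration; the secret is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct

# Published test secret from RFC 4226 Appendix D (not a real credential).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify(secret, code, unix_time, step=30, stale_steps=1, digits=6):
    """Accept the code for the current step or up to `stale_steps` before it."""
    current = unix_time // step
    for back in range(stale_steps + 1):
        counter = current - back
        if counter < 0:
            break
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def seconds_accepted(secret, issued_at, step=30, stale_steps=1):
    """Measure how long the code of the step containing `issued_at` verifies.

    Counts from the start of that step, one second at a time, until the
    verifier first rejects the code.
    """
    code = totp(secret, issued_at, step)
    start = (issued_at // step) * step
    now = start
    while verify(secret, code, now, step, stale_steps):
        now += 1
    return now - start


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code for t=59:", code)
    print("strict verifier accepts it for",
          seconds_accepted(RFC_TEST_SECRET, 59, stale_steps=0), "seconds")
    print("verifier that allows one stale step accepts it for",
          seconds_accepted(RFC_TEST_SECRET, 59, stale_steps=1), "seconds")
```

Each extra stale step a verifier tolerates adds one full step to the time during which an intercepted code can still be replayed.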


Re: password security

2022-04-27 Thread lists
Steve Gibson spent four years developing a passwordless Auth system. Open
sourced it. Provided APIs. Nobody bought into it.

https://www.grc.com/sqrl/sqrl.htm

Part of what you asked sounds like the equivalent of a web firewall (WAF).
I'm not a fan since the one I was using often broke the website. I think
postfix and dovecot have enough options that you don't need something like
a WAF.

From: andrewha...@andrewhardy.co.nz
Sent: April 26, 2022 10:47 PM
To: li...@lazygranch.com
Cc: postfix-users@postfix.org
Subject: Re: password security

Hi,

Following this thread has been quite intriguing. Interesting conversation
indeed.

On a similar topic but probably more focused on addressing root cause
(which in mind is just passwords = the devil of security) and the inherent
insecurities with using them.

I’m very interested in what options / solutions (if any) exist that allow
you to use a passwordless approach to authenticating your users against
imaps/pop3/smtps/submission services (tls encrypted of course)
acknowledging that it’s extremely unlikely to address abuse of the
non-auth enabled smtp listener so won’t rid the server of ‘all noise’ or
‘hacking attempts’ nor address lower level exploit/attacks
(network/protocol level etc).

Do any solutions exist today? I suspect the issue isn’t so much what you
can do server side as possibilities are near endless but constraint is
email client support which in my mind is the primary issue? Is that a
reasonable conclusion?

I’m guessing what I’m asking is if there’s an open source solution that
doesn’t require you to pay Microsoft or others extraordinary amounts of
money just to get some smart protection?

I see security as a right for users so open source way to craft an
architecture that provides this as an option for users who opt-in would be
pretty cool (eventually becoming the normal longer term)

Keen to hear thoughts on this as I suspect if you can architect a solution
that allows users to opt for passwordless approach to auth’ing with a long
term desire and goal to phase out password use, then it seems like a
pretty epic win for I loving the security of the internet as a whole
longer term. Large scale providers with perhaps millions of users = ok
tough luck that’s gonna be a real challenge, legendary feat if can
accomplish it in practice :)

May not be the appropriate thread or ask these questions but thought if
there were solutions available for such a solution, perhaps that may go a
long way to helping answer what can be done to secure the servers from
these types of attacks :)

I’m much more inclined personally to tackle root cause and remove the
issue completely but acknowledge that it may be a panacea and utopian mind
set and may not = reality or not readily work in more scenarios than what
issues it’s trying to address. Feasibility question(s) really.

Thanks
Andrew

On 27/04/2022, at 2:00 PM, lists <li...@lazygranch.com> wrote:

https://www.reddit.com/r/postfix/

Well there is a subreddit for postfix. News to me but I just joined it.

I do my best to stay out of these "conversations" on the listserv and
reserve my posts for when I am really stumped. But since I am posting put
me in the firewall geofence crowd. I have done this for two years now and
it vastly reduces the hacking on my server. I block all email ports other
than 25 from countries I have no plan on visiting. This is really only
practical for a personal email server. I also have a list of data centers
that I give the same treatment. I see the snowshoe hackers on my web
server and I assume they are on my email but I don't read the postfix logs
as often.

I haven't seen a hacker hammer my server in a long time. It is all
snowshoe these days. I am not a fan of fail2ban or sshguard on my low
powered VPS. I find dynamically adding IPs to the firewall is a high CPU
usage event. It may be a consequence of having a huge list of IP space to
block. My assumption is firewalld has to add the IPs in an efficient to
search manner and arranging the table/database is CPU intensive. It would
send the VPS to 100%. (My personal data center blocking list is about 40k
lines of CIDRs.) I was choking the server adding IPs for what would
otherwise be a low impact event. Sometimes I think a VPS is lower CPU
power than a R Pi. Firewalld itself is a very low CPU usage program once
the table/database is established. It does use a fair amount of RAM which
again must be related to the table/database it creates.

I have no fear of my passwords being breached. It is a personal server so
every password was created by me and all are generated by an algorithm to
achieve high entropy. I've been using 20 characters as a standard

Re: password security

2022-04-26 Thread lists
https://www.reddit.com/r/postfix/

Well there is a subreddit for postfix. News to me but I just joined it.

I do my best to stay out of these "conversations" on the listserv and
reserve my posts for when I am really stumped. But since I am posting put
me in the firewall geofence crowd. I have done this for two years now and
it vastly reduces the hacking on my server. I block all email ports other
than 25 from countries I have no plan on visiting. This is really only
practical for a personal email server. I also have a list of data centers
that I give the same treatment. I see the snowshoe hackers on my web
server and I assume they are on my email but I don't read the postfix logs
as often.

I haven't seen a hacker hammer my server in a long time. It is all
snowshoe these days. I am not a fan of fail2ban or sshguard on my low
powered VPS. I find dynamically adding IPs to the firewall is a high CPU
usage event. It may be a consequence of having a huge list of IP space to
block. My assumption is firewalld has to add the IPs in an efficient to
search manner and arranging the table/database is CPU intensive. It would
send the VPS to 100%. (My personal data center blocking list is about 40k
lines of CIDRs.) I was choking the server adding IPs for what would
otherwise be a low impact event. Sometimes I think a VPS is lower CPU
power than a R Pi. Firewalld itself is a very low CPU usage program once
the table/database is established. It does use a fair amount of RAM which
again must be related to the table/database it creates.

I have no fear of my passwords being breached. It is a personal server so
every password was created by me and all are generated by an algorithm to
achieve high entropy. I've been using 20 characters as a standard since
that seems to work on most websites as well. They are SHA512 on the
server.

Regarding setting up postfix and Dovecot it is best to follow a guide.
This is what I used:

https://blog.andreev.it/?p=1975

It isn't complete as far as postfix goes but I implement features I find
discussed on the postfix listserv as they come up. I doubt I could just
read the man pages for postfix and Dovecot to set up an email server. Too
many options.

Back to lurker mode.

From: t...@leding.net
Sent: April 26, 2022 12:45 PM
To: le...@spes.gr
Cc: postfix-users@postfix.org
Subject: Re: password security

Good feedback - typically I’d have some comments but since we’ve wandered a fair bit off the reserve here, I will refrain.  If anyone wants to continue this at Reddit or somewhere else more apropos, let me know…



On 26 Apr 2022, at 11:56, Lefteris Tsintjelis wrote:


On 26/4/2022 20:11, Antonio Leding wrote:


“…I'm just saying it's [F2B] not a solution to modern brute-force attack on passwords/accounts….”

It’s actually staggering that you say this because of how incredibly inaccurate this statement is…

Presume someone goes brute-force against a PostFix server via v6 only - so tons of addresses at their disposal. And let’s also presume that the defender has F2B tuned to allow no more than 2 attempts.

We know that brute-force is all about attempts per unit time, right? Yes - ok, so then let’s presume the attacker tunes their stack with a very low TCP wait time - somewhere around 1s. OK, fine, so after 2 rapid attempts, the attacker will get blocked and they will wait 1s before moving on to the next IP - rinse - repeat.

The reality here is the attacker is essentially stuck in the mud against F2B. And because they want to maximize their attempts per unit time, they will move on once they realize someone is actively blocking their traffic.


They never moved on from here


In my real-world use-case, I had over 200K daily password attempts prior to F2B and 2 weeks after implementation, that number dropped to below 1 per day.


1-2 per IP per day here. They adopt and tune accordingly. It has been happening and still does for many years now no matter what even with F2B. Even once a day coming from a few thousand IPs is still a few thousand attempts even with IP blocking set at 1 day blocking per IP.


Blocking an IP is the single cheapest most effective thing one can do re: undesired traffic. Are there “better” solutions? Sure but what is “best” is a subjective determination and always depends on the use-case. And for almost all use-cases, blocking IPs is a solid tool…


IP blocking is one of the best ways but F2B is limited to each firewall's capabilities and you deal with thousands of IPs. If you want something more permanent and use F2B then firewall will reach its limits sooner or later.

Changing the authentication method to anything that does not accept PLAIN TEXT may also be another good way 
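
The disagreement in this thread comes down to how failures are counted: per address, or per group of addresses. As an added example (not from the thread, and not Fail2ban's own logic), the Python below counts constructed Postfix SASL failure lines both ways; the /24 and /64 grouping and both thresholds are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed log lines in the usual Postfix "SASL ... authentication failed"
# shape. All addresses are from documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
Apr 26 10:00:01 mail postfix/smtpd[900]: connect from unknown[192.0.2.10]
Apr 26 10:00:02 mail postfix/smtpd[900]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 10:00:03 mail postfix/smtpd[900]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 10:00:04 mail postfix/smtpd[900]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 10:05:00 mail postfix/smtpd[901]: warning: unknown[2001:db8:1:1::a]: SASL PLAIN authentication failed:
Apr 26 10:05:01 mail postfix/smtpd[901]: warning: unknown[2001:db8:1:1::b]: SASL PLAIN authentication failed:
Apr 26 10:05:02 mail postfix/smtpd[901]: warning: unknown[2001:db8:1:1::c]: SASL PLAIN authentication failed:
Apr 26 10:05:03 mail postfix/smtpd[901]: warning: unknown[2001:db8:1:1:aaaa::1]: SASL PLAIN authentication failed:
Apr 26 10:05:04 mail postfix/smtpd[901]: warning: unknown[2001:db8:1:1:bbbb::2]: SASL PLAIN authentication failed:
Apr 26 10:05:05 mail postfix/smtpd[901]: warning: unknown[2001:db8:1:1:cccc::3]: SASL PLAIN authentication failed:
Apr 26 11:00:00 mail postfix/smtpd[902]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 26 12:00:00 mail postfix/smtpd[903]: warning: unknown[203.0.113.44]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

FAIL_RE = re.compile(
    r"warning: \S*\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL \S+ authentication failed"
)


def covering_network(ip):
    """Group an address by /24 (IPv4) or /64 (IPv6). Prefix sizes are assumptions."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def analyse(log_text, max_retry=2, net_threshold=5):
    """Compare a per-address threshold with a per-prefix threshold."""
    per_ip = Counter()
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # bracketed text that is not an address
        per_ip[match.group("ip")] += 1

    per_net = Counter()
    for ip, count in per_ip.items():
        per_net[covering_network(ip)] += count

    # What a per-address rule sees: only sources that repeat from one address.
    ip_bans = sorted(ip for ip, n in per_ip.items() if n >= max_retry)
    # What a per-prefix rule adds: many one-shot addresses in the same prefix.
    flagged = {net for net, n in per_net.items() if n >= net_threshold}
    net_bans = sorted(str(net) for net in flagged)
    # Failures neither rule reacts to: one-shot addresses in unrelated prefixes.
    uncaught = sum(
        n for ip, n in per_ip.items()
        if ip not in ip_bans and covering_network(ip) not in flagged
    )
    return {
        "total_failures": sum(per_ip.values()),
        "per_ip_bans": ip_bans,
        "network_bans": net_bans,
        "uncaught_failures": uncaught,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The last figure is the part both posters agree on: single attempts from unrelated prefixes stay below any address-based threshold, so password strength and the authentication mechanism have to carry that case.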

Re: Solving reverse DNS problem with Postfix configuration?

2022-04-11 Thread lists
FWIW my VPS only allows one reverse pointer. I host multiple domains so only 
one reverse pointer will match. My mail does not get bounced for that. 

And before someone posts you can have more than one reverse pointer per IP the 
VPS (Digital Ocean) says it can't be done. 





  Original Message  


From: m...@junc.eu
Sent: April 11, 2022 7:43 AM
To: postfix-users@postfix.org
Subject: Re: Solving reverse DNS problem with Postfix configuration?


On 2022-04-11 15:38, Richard Rasker wrote:

> Could I solve this by setting smtp_helo_name in main.cf to
> 77-172-184-9.fixed.kpn.net ? Or is this a bad idea?

no this will not solve it, you have to talk to isp kindly ask for change
of ptr, if they are unwilling, in most cases it is not a problem to change to
another isp that allows it


Re: Why the name Postfix?

2022-03-27 Thread lists
Perhaps someone who knows how to update wiki can add this information. 

https://en.wikipedia.org/wiki/Postfix_(software)





  Original Message  


From: wie...@porcupine.org
Sent: March 27, 2022 3:01 PM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Why the name Postfix?


Viktor Dukhovni:
> On Sun, Mar 27, 2022 at 09:08:53AM +0530, Amarjeet Anand wrote:
>
> > What's the story behind choosing the name as "Postfix"?
>
> One of the stories can be found here:
>
> https://techmonitor.ai/technology/ibm_takes_on_sendmail_with_secure_mailer
>
> ...
> IBM calls the new mail program Secure Mailer, but it is actually one and
> the same as Postfix, which is the same product as VMailer. IBM's lawyers
> nixed the VMailer moniker because it was too similar to another
> company's product.
> ...
>
> This sounds plausible.  As for why "Postfix" and not, say, "Platypus", I
> don't know.

We tried a bunch of names for which I could register a domain name,
and each time the IBM naming authority would reject our choice.
Changing the name of a program is a lot of work; it is worse than
changing the name of the main character in a story.

Then we found out that a different IBM team had open-sourced their
PKIX code under an external name "Jonah". So we gave my code two
names: the approved internal name "IBM secure Mailer", and the
external name "Postfix". "post" was a different word for "mail",
and "fix" was for Sendmail, the inspiration for my efforts.

Wietse


Re: Removing an old post

2022-02-15 Thread lists
Stating the obvious, if you want privacy, hire a consultant. 





  Original Message  


From: r...@rafa.eu.org
Sent: February 15, 2022 8:08 AM
To: postfix-users@postfix.org
Subject: Re: Removing an old post


Dnia 15.02.2022 o godz. 10:33:50 Bill Cole pisze:
> >Our internal security team have detected an archived post from me
> >dating back to August 2014 that contains some internal host
> >information.
> >
> >Can this post be removed please?
>
> In short: no, it cannot. That's not a possibility, and your security
> team should know it. Anything posted publicly to the Internet risks
> the fate of being forever public, and that is most true for postings
> to lists like this one.
>
> This is a public mailing list. It does not have a single
> authoritative archive.

It could help a bit if OP would know where exactly his security team found
the posting in question. Then he should write to administrator of that
particular site asking for removal. But even if it will be removed there, it
is only one - as you noted - of multiple places where this post exists. But
maybe his security team will be happy with removing it from that particular
place where they found it...
--
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Adding a header on incoming mail, unintended consequences?

2022-02-13 Thread joea- lists
I was pondering adding a header item on certain incoming mail.  Specifically 
mail from some lists that do not arrive with an explicit "Reply-To: Some-list".

One might ask why? Well certain older email clients (MUA's?) choose to, upon a 
"reply" to select the address of the person that posted to the list, while for 
those lists that contain the "Reply-to:" header item, it will select the list.   This 
forces one to remember to choose "reply all" (or some equivalent) and delete 
the extraneous address.  Simple matter, or so one might think.  

Not asking, by any stretch, for any list to reconfigure their end, just for 
this situation.

So, back to my pondering.   If I were, via some means, to add "Reply-To: 
The-right-list" this should solve the problem described above.   However my 
"email foo" (as distinct from "email fu") stops well short of knowing what this 
might break upon replying with this doctored header.  That is, will it cause 
"breakage" of certain SPAM/Malware checks, or email tamper detectors?

PS.  Yes, I am considering "modernizing".  But you know how old folks can be.

joe a.



Re: Strange error when having hold as symlink

2021-09-30 Thread (lists) Denis BUCHER



Le 29.09.2021 à 06:33, Viktor Dukhovni a écrit :

On Wed, Sep 29, 2021 at 02:19:53PM +1000, raf wrote:


If you really have a problem that you think would be
solved by relocating the hold queue, you could mount
another file system over the hold queue directory.
That might work. But it might a bad idea. Not sure.

Sorry, not possible.  Postfix uses rename(2) to move message queue files
between the various queue directories.  The hold queue needs to be a
sub-directory (in the same filesystem) as "incoming", "active",
"deferred" and "corrupt" (if I'm not forgetting some).

If the OP wants to periodically drain the hold queue of old messages
into a long-term archive, the way to do that is to write and sync the
copy file to its destination, then unlink the hold queue file.  Best to
use long queue ids when doing that sort of thing.


Thank you Viktor and raf !

Your answers help me confirm that the problem was the symlink and 
understand why this problem occurs.


I will think about a solution, but at least I know exactly what's 
happening...


Denis



Strange error when having hold as symlink

2021-09-28 Thread (lists) Denis BUCHER

Hello,

When creating /var/spool/postfix/hold as symlink to another folder I get 
the following error from Postfix :


 * "move to hold queue failed: No such file or directory"

...even when doing "chmod 777" on the target directory.

Do you know if postfix is unable to work with "hold" as symlink or is 
there something that could be wrong ?


Thanks in advance a lot for any help or advice...

Denis



Re: Postfix shows unknown instead of resolved hostname

2021-04-29 Thread lists
Sorry for the top posting. 
http://www.stretchoid.com/
has a way to opt out. Unfortunately they want you to give them your IP space 
rather than the other way around. They use a floating IP scheme and can't 
easily be blocked. 







  Original Message  


From: 400the...@gmx.ch
Sent: April 28, 2021 9:25 PM
To: postfix-users@postfix.org
Subject: Postfix shows unknown instead of resolved hostname


Hello,

Postfix does not show hostname for a connecting IP address, when the
hostname does not have reverse lookup:

Example from my log:

   warning: hostname zg-0416b-243.stretchoid.com does not resolve to
address 192.241.220.141: Name or service not known
   connect from unknown[192.241.220.141]
   timeout after EHLO from unknown[192.241.220.141]
   disconnect from unknown[192.241.220.141] ehlo=1 commands=1

It is a good thing that postfix warns me that hostname does not resolve
back to the IP, but why does it show:

   connect from unknown[192.241.220.141]

instead of

   connect from zg-0416b-243.stretchoid.com[192.241.220.141]

The IP has DNS record, so even when reverse does not work, I would like
to see the hostname that is connecting

can this be configured?

thank you,


Re: Speaking of Firefox and HTTP^H^H^H^HFTP...

2021-04-22 Thread lists
This was brought up as a point of curiosity on Steve Gibson's "Security Now" 
podcast a few months ago. My recollection is Chrome has the same plan. But the 
interesting thing is Mozilla surveyed to see who used FTP. It was some fraction 
of a percent as you can imagine. But later it dawned on me that by survey 
Mozilla meant the telemetry of Firefox. Telemetry is the first thing I disable 
on any program where it is possible and I suspect the kind of person who uses 
FTP in a browser is also the kind of person to nuke the telem. Thus I suspect 
the "survey" is a bit biased.

So if you nuked the telemetry features of Firefox, you can probably freak 
Mozilla out by re-enabling the telemetry then using FTP. 





  Original Message  


From: postfix-us...@dukhovni.org
Sent: April 22, 2021 6:56 PM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Speaking of Firefox and HTTP^H^H^H^HFTP...


I just updated Firefox to version 88, and now "ftp://" support is
disabled by default, and the plan is to remove support in Firefox 90.

I've re-enabled it, will have to enjoy it to the max while it lasts...

[ Wietse's upstream FTP site for Postfix source tarballs will soon no
  longer be browser-accessible. :-( ]

--
    Viktor.


Re: Postfix : corrupted SMTP transactions?

2021-04-14 Thread (lists) Denis BUCHER

Hi Bill,

Le 14.04.2021 à 14:51, Bill Cole a écrit :

On 14 Apr 2021, at 5:47, (lists) Denis BUCHER wrote:

It's very strange, but without changing anything in the configuration 
of Postfix, we have corrupted SMTP transactions from Thunderbird 
bêta (Windows) and Outlook (MacOS) but not from command line (Linux) 
and not from Thunderbird release (Windows).


The transaction looks like this :


[ malformatted and excessively verbose log & postconf -n snipped ]
Yes sorry I didn't post to mailing-lists for a long time, sorry for this 
bad formatting.


It's really extremely strange, I cannot even find what the cause 
could be ?


If anyone had any suggestion, or at least an idea, it would be great !

Thanks a lot in advance for any help !


Critical evidence is missing: "postconf -Mf" output and non-verbose 
logs of successful sessions. So what follows is a possibility, not a 
certainty...


My postconf -Mf is very long, so I will only post the beginning, hoping 
that's what you expect :


smtp   inet  n   -   -   -   -   smtpd
smtps  inet  n   -   -   -   -   smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject



Your problem is consistent with your 'smtps' service (port 465) not 
having the critical "-o smtpd_tls_wrappermode=yes" argument enabled in 
master.cf. The differences between clients is likely due to different 
configurations and/or differences in how clients attempt to probe the 
server for the best connection configuration.


OK I understand, thanks for pointing at this, that looks logical...

Therefore I added "-o smtpd_tls_wrappermode=yes" in master.cf and... it 
works !!!


You were perfectly right! Thanks a LOT and congratulations!



Non-verbose logs from both working and non-working sessions with the 
addition of "smtpd_tls_loglevel = 1" to your configuration may reveal 
that the working clients are either connecting to the plain smtp or 
submission services or are somehow accommodating the lack of implicit 
TLS on port 465.


Oh thank you very much for this hint. I have a similar (same ?) problem 
on another server, I will use this log option to debug it !


Thanks really a LOT really for your help, the life of some users will 
change from Tomorrow evening, they will be able to send mails without 
having to go through the webmail !


Denis
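
The fix found in this exchange can be checked mechanically. The Python below is an added example, not part of the thread or of Postfix: it parses master.cf text and reports smtpd listeners on an implicit-TLS port that lack `-o smtpd_tls_wrappermode=yes`. The sample input is constructed from the excerpt above, the set of implicit-TLS service names is an assumption, and main.cf is assumed to leave smtpd_tls_wrappermode at its default of "no".

```python
from collections import namedtuple

# Constructed sample modelled on the master.cf excerpt posted in this thread:
# an smtps listener with no smtpd_tls_wrappermode override.
SAMPLE_BROKEN = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
SAMPLE_FIXED = SAMPLE_BROKEN + "    -o smtpd_tls_wrappermode=yes\n"

# Assumption: service names/ports on which clients start TLS immediately.
IMPLICIT_TLS = {"smtps", "submissions", "465"}

Service = namedtuple("Service", "name type command overrides")


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their service entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def parse_service(entry):
    """Split one logical entry into its fields and its -o overrides.

    Handles "-o name=value" and "-oname=value"; the brace form
    "-o { name = value }" of newer Postfix versions is not handled.
    """
    fields = entry.split()
    if len(fields) < 8:
        raise ValueError(f"not a master.cf service entry: {entry!r}")
    overrides = {}
    args = fields[8:]
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-o" and i + 1 < len(args):
            setting = args[i + 1]
            i += 2
        elif arg.startswith("-o") and len(arg) > 2:
            setting = arg[2:]
            i += 1
        else:
            i += 1
            continue
        name, _, value = setting.partition("=")
        overrides[name] = value
    return Service(fields[0], fields[1], fields[7], overrides)


def audit(text):
    """Return (service, problem) pairs for smtpd listeners with mismatched TLS mode."""
    findings = []
    for entry in logical_lines(text):
        svc = parse_service(entry)
        if svc.type != "inet" or svc.command != "smtpd":
            continue
        # The service field may be "port", "name", "host:port" or "[v6]:port".
        port = svc.name.rsplit(":", 1)[-1]
        wrapper = svc.overrides.get("smtpd_tls_wrappermode", "no") == "yes"
        if port in IMPLICIT_TLS and not wrapper:
            # Server greets in cleartext while the client sends a TLS hello,
            # which shows up in the log as unreadable input and 502 replies.
            findings.append((svc.name, "missing smtpd_tls_wrappermode=yes"))
        elif port not in IMPLICIT_TLS and wrapper:
            # The reverse mismatch: STARTTLS clients get a TLS-only listener.
            findings.append((svc.name, "smtpd_tls_wrappermode=yes on a STARTTLS port"))
    return findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE_BROKEN))
    print("after: ", audit(SAMPLE_FIXED))
```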





Re: Postfix : corrupted SMTP transactions?

2021-04-14 Thread (lists) Denis BUCHER

P. S. daemon started -- version 2.9.6

Le 14.04.2021 à 11:55, (lists) Denis BUCHER a écrit :
P. S. The logs in my previous email are from Thunderbird Windows 
bêta, here are the logs from MacOS Outlook :


Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: connect from 
185.81.185.81.rev.sfr.net[81.185.81.185]
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 127.0.0.0/8
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 10.8.200.0/23
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 79.81.206.215/32
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 213.200.217.210/32
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.27.252/32
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.5.60/32
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: match_list_match: 
81.185.81.185: no match
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: send attr ident = 
smtps:81.185.81.185
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 220 mail.ourdomain.com ESMTP 
Postfix (Debian/GNU)
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: < 
185.81.185.81.rev.sfr.net[81.185.81.185]: ???
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 502 5.5.2 Error: command not 
recognized
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: < 
185.81.185.81.rev.sfr.net[81.185.81.185]: ?0?/?(?'??
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 502 5.5.2 Error: command not 
recognized
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: < 
185.81.185.81.rev.sfr.net[81.185.81.185]: ?
Apr 14 11:07:44 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 502 5.5.2 Error: command not 
recognized
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 127.0.0.0/8
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 10.8.200.0/23
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 79.81.206.215/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 213.200.217.210/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.27.252/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.5.60/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_list_match: 
81.185.81.185: no match
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: send attr ident = 
smtps:81.185.81.185
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: lost connection 
after UNKNOWN from 185.81.185.81.rev.sfr.net[81.185.81.185]
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: disconnect from 
185.81.185.81.rev.sfr.net[81.185.81.185]
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: connect from 
185.81.185.81.rev.sfr.net[81.185.81.185]
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 127.0.0.0/8
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 10.8.200.0/23
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 79.81.206.215/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 213.200.217.210/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.27.252/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.5.60/32
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: match_list_match: 
81.185.81.185: no match
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: send attr ident = 
smtps:81.185.81.185
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 220 mail.ourdomain.com ESMTP 
Postfix (Debian/GNU)
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: < 
185.81.185.81.rev.sfr.net[81.185.81.185]: ???
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 502 5.5.2 Error: command not 
recognized
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: < 
185.81.185.81.rev.sfr.net[81.185.81.185]: ?0?/?(?'??
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 502 5.5.2 Error: command not 
recognized
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: < 
185.81.185.81.rev.sfr.net[81.185.81.185]: ?
Apr 14 11:10:55 mailsvr postfix/smtps/smtpd[19395]: > 
185.81.185.81.rev.sfr.net[81.185.81.185]: 502 5.5.2 Error: command not 
recognized
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 127.0.0.0/8
Apr 14 11:14:06 mailsvr postfix/smtps/sm

Re: Postfix : corrupted SMTP transactions?

2021-04-14 Thread (lists) Denis BUCHER
tpd[19395]: match_hostaddr: 
81.185.81.185 ~? 79.81.206.215/32
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 213.200.217.210/32
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.27.252/32
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: match_hostaddr: 
81.185.81.185 ~? 212.147.5.60/32
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: match_list_match: 
81.185.81.185: no match
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: send attr ident = 
smtps:81.185.81.185
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: lost connection 
after UNKNOWN from 185.81.185.81.rev.sfr.net[81.185.81.185]
Apr 14 11:14:06 mailsvr postfix/smtps/smtpd[19395]: disconnect from 
185.81.185.81.rev.sfr.net[81.185.81.185]


Denis

Le 14.04.2021 à 11:47, (lists) Denis BUCHER a écrit :


Hello everyone,

It's very strange, but without changing anything in the configuration 
of Postfix, we have corrupted SMTP transactions from Thunderbird bêta 
(Windows) and Outlook (MacOS) but not from command line (Linux) and 
not from Thunderbird release (Windows).


The transaction looks like this :


Postfix : corrupted SMTP transactions?

2021-04-14 Thread (lists) Denis BUCHER

Hello everyone,

It's very strange, but without changing anything in the configuration of 
Postfix, we have corrupted SMTP transactions from Thunderbird bêta 
(Windows) and Outlook (MacOS) but not from command line (Linux) and not 
from Thunderbird release (Windows).


The transaction looks like this :

|Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: connect from 
fix.212.21.212.com[212.212.212.212] Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: smtp_stream_setup: maxtime=300 
enable_deadline=0 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_hostname: fix.212.21.212.com ~? 127.0.0.0/8 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: match_hostaddr: 212.212.212.212 ~? 
127.0.0.0/8 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_hostname: fix.212.21.212.com ~? 10.8.200.0/23 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: match_hostaddr: 212.212.212.212 ~? 
10.8.200.0/23 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_hostname: fix.212.21.212.com ~? 79.81.206.215/32 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: match_hostaddr: 212.212.212.212 ~? 
79.81.206.215/32 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_hostname: fix.212.21.212.com ~? 213.200.217.210/32 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: match_hostaddr: 212.212.212.212 ~? 
213.200.217.210/32 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_hostname: fix.212.21.212.com ~? 212.147.27.252/32 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: match_hostaddr: 212.212.212.212 ~? 
212.147.27.252/32 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_hostname: fix.212.21.212.com ~? 212.147.5.60/32 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: match_hostaddr: 212.212.212.212 ~? 
212.147.5.60/32 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
match_list_match: fix.212.21.212.com: no match Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: match_list_match: 212.212.212.212: no match 
Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: auto_clnt_open: 
connected to private/anvil Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: send attr request = connect Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: send attr ident = 
smtps:212.212.212.212 Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: private/anvil: wanted attribute: status Apr 
13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: input attribute name: 
status Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: input 
attribute value: 0 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
private/anvil: wanted attribute: count Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: input attribute name: count Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: input attribute value: 1 Apr 13 
16:22:44 mailsvr postfix/smtps/smtpd[17458]: private/anvil: wanted 
attribute: rate Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
input attribute name: rate Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: input attribute value: 1 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: private/anvil: wanted attribute: 
(list terminator) Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
input attribute name: (end) Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: > fix.212.21.212.com[212.212.212.212]: 220 
mail.ourdomain.com ESMTP Postfix (Debian/GNU) Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: xsasl_dovecot_server_create: SASL 
service=smtp, realm=(null) Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: name_mask: noanonymous Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: xsasl_dovecot_server_connect: 
Connecting Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
xsasl_dovecot_server_connect: auth reply: VERSION?1?1 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: xsasl_dovecot_server_connect: auth 
reply: MECH?PLAIN?plaintext Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: name_mask: plaintext Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: xsasl_dovecot_server_connect: auth reply: 
MECH?LOGIN?plaintext Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
name_mask: plaintext Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
xsasl_dovecot_server_connect: auth reply: SPID?29750 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: xsasl_dovecot_server_connect: auth 
reply: CUID?141742 Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
xsasl_dovecot_server_connect: auth reply: 
COOKIE?bd665ec25e0c4b7a964903e36eca89b7 Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: xsasl_dovecot_server_connect: auth reply: 
DONE Apr 13 16:22:44 mailsvr postfix/smtps/smtpd[17458]: 
xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: xsasl_dovecot_server_mech_filter: 
keep mechanism: LOGIN Apr 13 16:22:44 mailsvr 
postfix/smtps/smtpd[17458]: watchdog_pat: 0x7f07a2af8b70 Apr 13 16:22:44 
mailsvr postfix/smtps/smtpd[17458]: < 
fix.212.21.212.com[212.212.212.212]:  Apr 13 16:22:44 mailsvr 

Re: Postfix 2.10 Failed to Start Centos 7

2021-01-02 Thread lists
I use "update" instead of "upgrade". You can Google for the difference. 

Since I am on a cloud server, I usually do an image first since email can be 
tricky to debug. 





  Original Message  


From: craigwilso...@hotmail.com
Sent: January 2, 2021 2:39 PM
To: postfix-users@postfix.org
Subject: Re: Postfix 2.10 Failed to Start Centos 7


No, I didn't upgrade Postfix. As the top of my thread, I "yum upgrade" my 
Centos Server. Postfix is 2.10. It worked previously but since yum upgrade, has 
failed.

Thanks!

> On 2 Jan 2021, at 21:34, "Wietse Venema"  wrote:
>
> CRAIG WILSON:
>> Hi,
>> I have recently "yum upgrade" my Centos Linux 7 Server. I had a fully 
>> working Postfix 2.10 system prior to that.
>> My Postfix service won't start. This is the error:
>> Jan 01 20:36:02 pbx.myrevtel.com systemd[1]: 
>> Starting Postfix Mail Transport Agent...
>> Jan 01 20:36:02 pbx.myrevtel.com aliasesdb[28441]: 
>> /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
>> compatibility_level=2
>> Jan 01 20:36:02 pbx.myrevtel.com aliasesdb[28441]: 
>> /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
>> meta_directory=/etc/postfix
>> Jan 01 20:36:02 pbx.myrevtel.com aliasesdb[28441]: 
>> /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
>> shlib_directory=no
>> Jan 01 20:36:02 pbx.myrevtel.com postfix[28445]: 
>> /usr/lib/postfix/postfix-script: line 74: cd: HOME not set
>> It appears related to the shlib_directory within the above postfix-script 
>> file.
>> However, apparently the shlib_directory variable is only available in 
>> version 3.0+
>> Could anyone advise please.
>
> Why did you "upgrade" from Postfix3 to Postfix2?
>
> You are now running Postfix2 binaries (no support for shlib_directory
> or meta_directory) with your Postfix3 configuration (that specifies
> shlib_directory and shlib_directory).
>
>> Just to add: If I execute postconf -d | grep shlib_directory - I
>> get shlib_directory = no on the previous version.
>
> That was a Postfix3 system, which supports shlib_directory and
> meta_directory.
>
>> However, on my upgraded version the shlib_directory = no is not
>> returned from the postconf -d command.
>
> Because that is Postfix2, which does not support shlib_directory
> or meta_directory.
>
>    Wietse


rejecting 'fancy' TLDs, allowing a specified one ?

2020-12-16 Thread lists
I have a check to reject 'fancy TLDs' as below

smtpd_sender_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 check_sender_access pcre:/etc/postfix/sender_pcre,
 check_sender_access pcre:/etc/postfix/reject_domains

cat /etc/postfix/reject_domains
/\.bid$/ REJECT We reject all .bid domains
/\.biz$/ REJECT We reject all .biz domains
...

that works well, but, now have a user who gets a valid inbound rejected

Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from
mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554
5.7.1 : Sender address rejected: We reject all .biz
domains; from= to= proto=ESMTP
helo=

is there an easy way, and how, to exempt a specified domain like
'abcd.biz' from my sender restriction ?

thanks, V
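
An added example, not part of the original post: a small Python model of how a Postfix pcre: access table is searched (rules in file order, first match wins, case-insensitive by default). It shows that an exemption for 'abcd.biz' only takes effect when it is listed before the /\.biz$/ rule. The DUNNO exemption line and the sample sender addresses are constructed for illustration.

```python
import re

# Constructed tables in the style of the reject_domains file from the post.
# The DUNNO line is an assumed exemption entry; it is not from the thread.
EXEMPT_FIRST = r"""
/@abcd\.biz$/   DUNNO
/\.bid$/        REJECT We reject all .bid domains
/\.biz$/        REJECT We reject all .biz domains
"""

EXEMPT_LAST = r"""
/\.bid$/        REJECT We reject all .bid domains
/\.biz$/        REJECT We reject all .biz domains
/@abcd\.biz$/   DUNNO
"""

RULE = re.compile(r"^/(?P<pattern>.*?)/(?P<flags>[a-zA-Z]*)\s+(?P<result>\S.*)$")


def parse_table(text):
    """Parse '/pattern/flags result' lines; skip blank lines and '#' comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a /pattern/ result rule: {line!r}")
        # pcre tables match case-insensitively by default; the 'i' flag toggles it.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pattern"], flags), m["result"].strip()))
    return rules


def lookup(rules, key):
    """Return the result of the first rule that matches, or None if none does."""
    for regex, result in rules:
        if regex.search(key):
            return result
    return None


def sender_decision(rules, sender):
    """Reduce a table result to the outcome of this one check_sender_access."""
    result = lookup(rules, sender)
    if result is None or result.split()[0].upper() == "DUNNO":
        return "continue"  # no decision here; later restrictions still apply
    return result.split()[0].upper()


if __name__ == "__main__":
    senders = ("billing@abcd.biz", "promo@notabcd.biz", "user@example.org")
    for name, text in (("exempt first", EXEMPT_FIRST), ("exempt last", EXEMPT_LAST)):
        rules = parse_table(text)
        for sender in senders:
            print(f"{name:13} {sender:20} -> {sender_decision(rules, sender)}")
```

On a live server, `postmap -q billing@abcd.biz pcre:/etc/postfix/reject_domains` asks the real table the same question.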




Reject email containing Google forms

2020-12-01 Thread lists
About 70% of my spam these days contains links to Google Forms. I've been 
googling for tips on how to reject such email but Google finds hits for the 
converse. (People are complaining about Gmail blocking Google Forms which is 
ironic.) 

My current configuration doesn't include SpamAssassin since rbls and the 
existence of a reverse pointer was good enough. 

I'm looking for advice specifically to bounce email that contains a link to any 
Google form. If this is inappropriate for this list serve then I'm fine with 
the moderator nuking the request. I can take it up with stackexchange but it 
had been my experience that the postfix list has the best gurus. 






Re: Mail server recently became an open relay

2020-10-16 Thread lists
I would think running an open relay test would be step one. 

https://mxtoolbox.com/diagnostic.aspx


There are probably half a dozen online services that do this. Which brings me 
to my question: Is there an open relay test website that is considered the 
best? I have noticed some run multiple tests which I assume means different 
methods. 





  Original Message  


From: wie...@porcupine.org
Sent: October 16, 2020 3:27 PM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Mail server recently became an open relay


Rich Wales:
> Hi.  My mail server (memoryalpha.richw.org), running Postfix 3.3.0,
> recently started attracting open relay spam.  I thought I had done all

Why do you believe that your server is an open relay, as in, it
will forward messages FROM spammers TO remote destinations.

Wietse


Re: Recommended milters for small setup

2020-10-15 Thread lists
I run a personal mail server. Back when I used FreeBSD, every once in a while
amavisd would cause the mail queue to stall. I can't be bothered playing
sysadmin to keep things running.

My advice is to employ whatever Google wants, namely spf and DKIM. Look as
legit as possible. Even then you will be blocked by SBC and have to be
whitelisted. Spectrum will never accept mail from Digital Ocean. There is no
work around.

I stopped running SpamAssassin. I use RBLs. I need the mail to go through and
don't want to fine tune SpamAssassin. I just delete the obvious spam which
these days comes from legit Gmail accounts. If this is a personal server, it
isn't like you have customers to complain about spam. I don't even have to open
spam to know it is spam. OK maybe some day Bill Gates will be emailing me and I
dumped his email. Oh well...

The best antivirus is between your ears. Clamav gets about 75% of the malware
eventually. The key is eventually. The trouble is it takes some time for any
Anti-Malware to get the signatures so the initial implementation of the malware
gets through. I was running clamav and yet getting fresh malware based on what
I sent virustotal.com.

Less is more. I do whatever I can using postfix. I block email from the goofy
TLDs like XYZ. You know those TLDs that namecheap will sell for a dollar. I
reject most attachments. Why would I ever want an exe file? I barely run
windows and certainly don't get software in my email.

I suggest using port 587 in your setup. Then use a firewall to keep countries
that you will never visit from touching any email port other than 25. When I
used a hosting company, I got hacked from Morocco. I'm sure it is a nice place
to visit, but don't plan on it so I certainly won't be reading my email or
sending email from there. I have a list of hosting companies that I have built
over the years. They get blocked as well except for port 25. Now you risk using
wifi somewhere and getting rejected but I don't use free wifi often and have a
VPN anyway so I won't be blocked from my own server.

Don't install anything for web email. You should always use an email client.
Less is more. The more programs you chain together, the more likely the email
will break.

I suggest not using cpanel. I do everything on my server via command line.
Every service you install just increases the attack surface.

I like Digital Ocean a lot.

I use centos. No drama. Thus far all the updates have been uneventful.
Technically you can't upgrade centos. They want you to migrate. But the support
for each rev lasts a long time.

From: dheianev...@gmail.com
Sent: October 15, 2020 8:19 AM
To: postfix-users@postfix.org
Subject: Recommended milters for small setup

The long story short is that due to dealing with family medical issues over the
past few years, my Combo web/postfix server is still on Ubuntu 14.04.

In a couple of months I will have some time to upgrade. Instead of risking an
in place upgrade, I am going to fire up a new droplet on Digitalocean, install
the latest stuff over there, and migrate my data.

My site has two email users, me and the missus. I currently run an email stack
of postfix, amavis, spamassassin, clamav and dovecot. The Postfix also has
dkim, dmarc, spf and postscreen.

Is there a more efficient, memory stingy, faster milter way to run
spamassassin, clamav, etc, or would you recommend sticking with amavis?

Thanks.


Re: DMARC reports - Open Source solution

2020-04-13 Thread lists
https://github.com/tierpod/dmarc-report-converter/blob/master/README.md

This sounds like what you want. I have no first hand experience with the code
but I am going to put this on my "lock down" task list. I like the idea of the
code mailing a HTML report. This way I don't have to expose the report on my
webserver. I would have to set up Auth and it would be just one more attractive
nuisance for the hackers.

The only drawback is I have to enable my desktop PC to read html mail.

From: ahsan2...@gmail.com
Sent: April 13, 2020 11:05 AM
To: m...@junc.eu
Cc: postfix-users@postfix.org
Subject: Re: DMARC reports - Open Source solution

Thanks Benny

I wanted to have an open source dmarc dashboard, where it can read the rua
emails and parse it on the dashboard. Is this doable using open source?

Regards
Ahsan

On Mon, Apr 13, 2020 at 10:23 PM Benny Pedersen  wrote:
On 2020-04-13 07:36, Ahsan Khan wrote:
> Hello All
> 
> I have a domain where my DMARC reports are delivered to my email
> address. I want to integrate it with a dashboard. Does anyone know of
> a open source solution where these XML reports can be read and
> published?.

https://easydmarc.com/tools

google dmarc report free

> I have a client who is just new in the DMARC journey and I need to
> demonstrate the possible violations of his IP. Once I have sufficient
> data, we can plan to push him to p=reject mode.

dmarc policy reject works well if all maillists stop breaking dkim, all 
that is possible is to use dmarc policy quarantine

so at least recipients don't reject maillist traffic

all else go for it :=)



Re: t/s outbound 99% timeout on TBird?

2020-03-10 Thread lists
On Tue, March 10, 2020 12:33 pm, Viktor Dukhovni wrote:

>
> One interesting tidbit however is the 111s "before active" time in the
> delays= times.
>
> http://www.postfix.org/postconf.5.html#delay_logging_resolution_limit
>
>
> This does seem to suggest that it took ~111 seconds for the message to
> be accepted before it entered the active queue.  Perhaps PMTU or similar
> issues?  Or a slow pre-queue filter.

Viktor, thanks

maybe the default amavisd value of 'pre forked children' of '2' was
causing this, have increased it now to '10'

V
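
An added example, not part of the thread: a Python parser for the delay= and delays=a/b/c/d fields of Postfix delivery log lines that reports the stage in which a message spent most of its time, which is how the 111 s "before active" figure above is read. The sample lines are constructed in the shape of the log lines quoted in this thread (recipient addresses are placeholders), and the 30 second threshold is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Meaning of delays=a/b/c/d as documented under delay_logging_resolution_limit.
STAGES = ("before_qmgr", "in_qmgr", "conn_setup", "transmission")
HINTS = {
    "before_qmgr": "time before the queue manager, including message transmission",
    "in_qmgr": "time in the queue manager",
    "conn_setup": "connection setup, including DNS, HELO and TLS",
    "transmission": "message transmission time",
}

# Constructed sample log (placeholder recipients), one entry per line.
SAMPLE_LOG = """\
Mar 10 00:12:42 geko postfix/smtp[9497]: C099F42B0143: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=113, delays=111/0.01/0.01/2.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 145BB42B0149)
Mar 10 00:12:42 geko postfix/qmgr[1857]: C099F42B0143: removed
Mar 10 00:12:46 geko postfix/smtp[9502]: 145BB42B0149: to=<rcpt@example.com>, relay=aspmx.l.google.com[172.217.194.26]:25, delay=4, delays=0.01/0.02/1.9/2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar 10 00:14:09 geko postfix/smtp[9497]: 1707542B0143: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=57, delays=55/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 175C542B0146)
""".splitlines()

LINE = re.compile(
    r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<[^>]*>,"
    r".*?relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+),"
    r" delays=(?P<delays>[\d.]+/[\d.]+/[\d.]+/[\d.]+),"
    r".*?status=(?P<status>\w+)"
)


class Delivery(NamedTuple):
    queue_id: str
    relay: str
    delay: float
    delays: dict
    status: str

    def slowest_stage(self):
        return max(STAGES, key=lambda stage: self.delays[stage])


def parse_delivery(line: str) -> Optional[Delivery]:
    """Return a Delivery for a delivery-status line, None for any other line."""
    m = LINE.search(line)
    if m is None:
        return None
    parts = [float(x) for x in m["delays"].split("/")]
    return Delivery(m["qid"], m["relay"], float(m["delay"]),
                    dict(zip(STAGES, parts)), m["status"])


def slow_deliveries(lines, threshold=30.0):
    """List (queue_id, stage, seconds) where the slowest stage >= threshold."""
    found = []
    for line in lines:
        delivery = parse_delivery(line)
        if delivery is None:
            continue
        stage = delivery.slowest_stage()
        if delivery.delays[stage] >= threshold:
            found.append((delivery.queue_id, stage, delivery.delays[stage]))
    return found


if __name__ == "__main__":
    for queue_id, stage, seconds in slow_deliveries(SAMPLE_LOG):
        print(f"{queue_id}: {seconds:g}s in {stage} ({HINTS[stage]})")
```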




Re: t/s outbound 99% timeout on TBird?

2020-03-10 Thread lists
On Tue, March 10, 2020 10:27 am, Wietse Venema wrote:

> This is Postfix logging while SENDING email through an after-queue
> content filter (which has serious congestion, but that is not the problem
> in $SUBJECT).
>
> To come back to $SUBJECT, if you have user clients timing out, then
> you should be looking at Postfix logging while RECEIVING email from the
> client.

Wietse, thanks
oops, sorry.. I guess it the first 'section', for completeness, included
whole progress

noticed (unrelated I think) issue, user has both a_tld.com as well as
a_tld.com.au, from the log, he seems to use both, .com.au in sasl auth


# grep C099F42B0143 /var/log/maillog
Mar 10 00:10:49 geko postfix/smtpd[9483]: C099F42B0143:
client=unknown[119.42.117.134], sasl_method=PLAIN,
sasl_username=bb@a_tld.com.au
Mar 10 00:10:50 geko postfix/cleanup[9389]: C099F42B0143:
message-id=<5262b5f4-18d5-b7fb-b09a-be37f1d61b9e@a_tld.com>
Mar 10 00:12:38 geko opendkim[1322]: C099F42B0143: DKIM-Signature field
added (s=default, d=a_tld.com)
Mar 10 00:12:39 geko opendmarc[1295]: C099F42B0143: SPF(mailfrom):
bb@a_tld.com fail
Mar 10 00:12:39 geko opendmarc[1295]: C099F42B0143: a_tld.com fail
Mar 10 00:12:39 geko postfix/qmgr[1857]: C099F42B0143:
from=, size=240046, nrcpt=1 (queue active)
Mar 10 00:12:42 geko amavis[4998]: (04998-13) Passed CLEAN
{RelayedOutbound}, ORIGINATING LOCAL [119.42.117.134]:58287
[119.42.117.134]  -> , Queue-ID:
C099F42B0143, Message-ID:
<5262b5f4-18d5-b7fb-b09a-be37f1d61b9e@a_tld.com>, mail_id: qJth6ESNbOwS,
Hits: 0.222, size: 240858, queued_as: 145BB42B0149, 2796 ms
Mar 10 00:12:42 geko postfix/smtp[9497]: C099F42B0143:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=113,
delays=111/0.01/0.01/2.8, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 145BB42B0149)
Mar 10 00:12:42 geko postfix/qmgr[1857]: C099F42B0143: removed


# grep 145BB42B0149  /var/log/maillog
Mar 10 00:12:42 geko postfix/smtpd[9501]: 145BB42B0149:
client=localhost[127.0.0.1]
Mar 10 00:12:42 geko postfix/cleanup[9389]: 145BB42B0149:
message-id=<5262b5f4-18d5-b7fb-b09a-be37f1d61b9e@a_tld.com>
Mar 10 00:12:42 geko postfix/qmgr[1857]: 145BB42B0149:
from=, size=241161, nrcpt=1 (queue active)
Mar 10 00:12:42 geko amavis[4998]: (04998-13) Passed CLEAN
{RelayedOutbound}, ORIGINATING LOCAL [119.42.117.134]:58287
[119.42.117.134]  -> , Queue-ID:
C099F42B0143, Message-ID:
<5262b5f4-18d5-b7fb-b09a-be37f1d61b9e@a_tld.com>, mail_id: qJth6ESNbOwS,
Hits: 0.222, size: 240858, queued_as: 145BB42B0149, 2796 ms
Mar 10 00:12:42 geko postfix/smtp[9497]: C099F42B0143:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=113,
delays=111/0.01/0.01/2.8, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 145BB42B0149)
Mar 10 00:12:46 geko postfix/smtp[9502]: 145BB42B0149:
to=, relay=aspmx.l.google.com[172.217.194.26]:25,
delay=4, delays=0.01/0.02/1.9/2, dsn=2.0.0, status=sent (250 2.0.0 OK 
1583759565 i6si12263894pjk.13 - gsmtp)
Mar 10 00:12:46 geko postfix/qmgr[1857]: 145BB42B0149: removed

# grep 1707542B0143  /var/log/maillog
Mar 10 00:13:13 geko postfix/smtpd[9491]: 1707542B0143:
client=unknown[119.42.117.134], sasl_method=PLAIN,
sasl_username=bb@a_tld.com.au
Mar 10 00:13:16 geko postfix/cleanup[9389]: 1707542B0143:
message-id=
Mar 10 00:14:07 geko opendkim[1322]: 1707542B0143: DKIM-Signature field
added (s=default, d=a_tld.com)
Mar 10 00:14:08 geko opendmarc[1295]: 1707542B0143: SPF(mailfrom):
bb@a_tld.com fail
Mar 10 00:14:08 geko opendmarc[1295]: 1707542B0143: a_tld.com fail
Mar 10 00:14:08 geko postfix/qmgr[1857]: 1707542B0143:
from=, size=239372, nrcpt=1 (queue active)
Mar 10 00:14:09 geko amavis[4927]: (04927-14) Passed CLEAN
{RelayedOutbound}, ORIGINATING LOCAL [119.42.117.134]:58356
[119.42.117.134]  -> , Queue-ID:
1707542B0143, Message-ID:
, mail_id: Gkn3suP0kf4K,
Hits: 2.714, size: 240145, queued_as: 175C542B0146, 1052 ms
Mar 10 00:14:09 geko postfix/smtp[9497]: 1707542B0143:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=57,
delays=55/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 175C542B0146)
Mar 10 00:14:09 geko postfix/qmgr[1857]: 1707542B0143: removed

# grep 175C542B0146  /var/log/maillog
Mar 10 00:14:09 geko postfix/smtpd[9501]: 175C542B0146:
client=localhost[127.0.0.1]
Mar 10 00:14:09 geko postfix/cleanup[9389]: 175C542B0146:
message-id=
Mar 10 00:14:09 geko postfix/qmgr[1857]: 175C542B0146:
from=, size=240448, nrcpt=1 (queue active)
Mar 10 00:14:09 geko amavis[4927]: (04927-14) Passed CLEAN
{RelayedOutbound}, ORIGINATING LOCAL [119.42.117.134]:58356
[119.42.117.134]  -> , Queue-ID:
1707542B0143, Message-ID:
, mail_id: Gkn3suP0kf4K,
Hits: 2.714, size: 240145, queued_as: 175C542B0146, 1052 ms
Mar 10 00:14:09 geko postfix/smtp[9497]: 1707542B0143:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=57,
delays=55/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 175C542B0146)
Mar 10 

t/s outbound 99% timeout on TBird?

2020-03-09 Thread lists
I have a user with Tbird, reports
"when replying to an email with an embedded PNG image TBird reporting:

"Sending Message/Status Delivering mail.../Progress 99%"
then it times out"

looking in the log (I think at the correct transaction?) I see like:
not sure where/how/what to look to t/s this ??

log:

Mar 10 00:12:42 geko amavis[4998]: (04998-13) Passed CLEAN {RelayedOutbound},
ORIGINATING LOCAL [119.42.117.134]:58287 [119.42.117.134]  ->
, Queue-ID: C099F42B0143, Message-ID:
<5262b5f4-18d5-b7fb-b09a-be37f1d61b9e@a_tld.com>, mail_id: qJth6ESNbOwS,
Hits:
0.222, size: 240858, queued_as: 145BB42B0149, 2796 ms

Mar 10 00:12:42 geko postfix/smtp[9497]: C099F42B0143:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=113,
delays=111/0.01/0.01/2.8, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 145BB42B0149)

Mar 10 00:12:46 geko postfix/smtp[9502]: 145BB42B0149:
to=, relay=aspmx.l.google.com[172.217.194.26]:25,
delay=4, delays=0.01/0.02/1.9/2, dsn=2.0.0, status=sent (250 2.0.0 OK 
1583759565
i6si12263894pjk.13 - gsmtp)

Mar 10 00:14:09 geko amavis[4927]: (04927-14) Passed CLEAN {RelayedOutbound},
ORIGINATING LOCAL [119.42.117.134]:58356 [119.42.117.134]  ->
, Queue-ID: 1707542B0143, Message-ID:
, mail_id: Gkn3suP0kf4K,
Hits:
2.714, size: 240145, queued_as: 175C542B0146, 1052 ms

Mar 10 00:14:09 geko postfix/smtp[9497]: 1707542B0143:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=57,
delays=55/0/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 175C542B0146)

Mar 10 00:14:12 geko postfix/smtp[9502]: 175C542B0146:
to=, relay=aspmx.l.google.com[172.217.194.26]:25,
delay=3.6, delays=0.01/0.01/1.6/1.9, dsn=2.0.0, status=sent (250 2.0.0 OK
1583759652 y21si12154012pfm.184 - gsmtp)

Mar 10 00:20:16 geko amavis[4998]: (04998-15) Passed CLEAN {RelayedOutbound},
ORIGINATING LOCAL [119.42.117.134]:58409 [119.42.117.134]  ->
, Queue-ID: 57DB841A85FC, Message-ID:
<047f74f8-c3b0-15c7-98b8-6df16a0115ac@a_tld.com>, mail_id: saXIzyV4Xh2B,
Hits:
0.12, size: 156800, queued_as: E6C8E41A8691, 1084 ms

Mar 10 00:20:16 geko postfix/smtp[9769]: 57DB841A85FC:
to=, relay=127.0.0.1[127.0.0.1]:10026, delay=26,
delays=25/0.02/0.01/1.1, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E6C8E41A8691)

Mar 10 00:20:19 geko postfix/smtp[9773]: E6C8E41A8691:
to=, relay=aspmx.l.google.com[74.125.130.27]:25,
delay=3.5, delays=0.06/0.04/1.9/1.6, dsn=2.0.0, status=sent (250 2.0.0 OK
1583760019 f26si12249799pfn.45 - gsmtp)





Re: gmail reverse host issue

2020-02-17 Thread lists
Thanks. I appreciate that postfix would kick out a different error. 




  Original Message  


From: wie...@porcupine.org
Sent: February 17, 2020 6:55 AM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: gmail reverse host issue


> Feb 17 06:18:10 mydomain postfix/smtpd[2619]: NOQUEUE: reject:
> RCPT from unknown[209.85.219.177]: 550 5.7.1 Client host rejected:
> cannot find your reverse hostname, [209.85.219.177];
> from= to= proto=ESMTP
> helo=

What you see IS NOT the result of Postfix timeout while it looks
up a hostname with the getnameinfo() system library routine.

Postfix will reply with 450 if the hostname could not be looked up
(which is different from a "DOES NOT EXIST" result), as shown in
the code fragment below. Postfix is very careful to avoid making
that mistake.

More likely your system library (see nsswitch.conf) makes the basic
mistake of confusing "lookup error" with "does not exist" (solution:
use a better OS), or less likely some DNS resolver is making that
mistake (solution: use a better DNS resolver).

Wietse

static int reject_unknown_reverse_name(SMTPD_STATE *state)
{
    const char *myname = "reject_unknown_reverse_name";

    if (msg_verbose)
        msg_info("%s: %s", myname, state->reverse_name);

    if (state->reverse_name_status != SMTPD_PEER_CODE_OK)
        return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
                    state->reverse_name_status == SMTPD_PEER_CODE_PERM ?
                    var_unk_client_code : 450, "4.7.1",
                    "Client host rejected: cannot find your reverse hostname, [%s]",
                    state->addr));
    return (SMTPD_CHECK_DUNNO);
}



Re: warning: TLS library problem: routines:ssl_choose_client_version:unsupported protocol?

2020-02-07 Thread lists
https://access.redhat.com/solutions/120383

Did you do the poodle block back in the day?

From: hamdi201...@gmail.com
Sent: February 7, 2020 10:37 PM
To: postfix-users@postfix.org
Subject: warning: TLS library problem: routines:ssl_choose_client_version:unsupported protocol?

Hi everyone. I have a php contact form, that reports the following postfix
error (getting that in maillog file):

https://hastepaste.com/view/jr41N

The same applies for, when I send an e-mail to that e-mail address by using
Outlook. Obviously my mail server having troubles sending e-mails to some
servers in public, perhaps the remote e-mail server doesn't have SSL/TLS
activated, maybe? But, I don't enforce/force smtp tls, having:
smtp_tls_security_level = may - in my main.cf.

How can I solve this problem from my side? Thank you.


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-07 Thread lists

https://metacpan.org/pod/MIME::Lite

Sort of not recommended, but a few alternatives provided. Thanks. 





  Original Message  


From: will...@uubeta.com
Sent: January 7, 2020 12:51 AM
To: postfix-users@postfix.org
Subject: Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant 
future


You can use MIME::Lite (or something similar) to build a message
including body and headers with wrong date format then forward the
message to Postfix for testing.

regards.

on 2020/1/7 16:47, lists wrote:
> Is there some easy way to send email with the wrong date to test this? Well, 
> other than setting the wrong date on the computer.
>


Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant future

2020-01-07 Thread lists
Is there some easy way to send email with the wrong date to test this? Well, 
other than setting the wrong date on the computer. 





  Original Message  


From: r...@wagenaar.nu
Sent: January 7, 2020 12:37 AM
To: postfix-users@postfix.org
Reply-to: r...@wagenaar.nu
Subject: Re: Mail rejected with 5.7.1 HDR9020 Date header is in the distant 
future


Wietse Venema  wrote:

> Regexps that accept exactly one the year in the Date: field will bounce
> some email around the end of the year, because year changes don't happen
> globally at the same time, and email may be in transit for up to a few
> days.
>
> By the end of 2019 the patterns should be:
>
> /^Date: .* 2019/    DUNNO
> /^Date: .* 2020/    DUNNO
> /^Date: .* [0-9][0-9][0-9][0-9]/    REJECT bad year in date
>
> And by the end of 2020:
>
> /^Date: .* 2020/    DUNNO
> /^Date: .* 2021/    DUNNO
> /^Date: .* [0-9][0-9][0-9][0-9]/    REJECT bad year in date
>
> This could be automated by a cronjob.
>
> Wietse
>
>

SPOT on!

Thanks for the hint, an opportunity to revise all my checks, the majority
are a number of years old and apparently need checking.


--
Roel Wagenaar,

telegram: 0630865765
Linux-User #469851 with the Linux Counter; http://linuxcounter.net/

A: Because it disrupts the order in which people read text.
Q: Why is top-posting a bad habit?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

In a world without doors and walls who needs Windows and Gates?
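
An added example, not code from the thread: one way to automate the quoted Date: patterns from cron, written in Python. It emits DUNNO rules for every year that falls within a few days of today and the catch-all REJECT after them, then replaces the table file atomically. The three-day transit window, the function names and the output path are assumptions made for this sketch.

```python
import os
import re
import sys
import tempfile
from datetime import date, timedelta


def accepted_years(today: date, transit_days: int = 3) -> list:
    """Years a Date: header may carry for mail sent within the transit window."""
    window = (today - timedelta(days=transit_days), today,
              today + timedelta(days=transit_days))
    return sorted({day.year for day in window})


def rules_for(today: date, transit_days: int = 3) -> list:
    """Ordered (pattern, action) pairs: accepted years first, catch-all last."""
    rules = [(rf"^Date: .* {year}", "DUNNO")
             for year in accepted_years(today, transit_days)]
    rules.append((r"^Date: .* [0-9][0-9][0-9][0-9]", "REJECT bad year in date"))
    return rules


def render(rules) -> str:
    """Format the rules as a pcre header_checks table."""
    return "".join(f"/{pattern}/\t{action}\n" for pattern, action in rules)


def verdict(rules, header: str) -> str:
    """First matching rule wins; a header that matches nothing is left alone."""
    return next((action for pattern, action in rules
                 if re.search(pattern, header, re.IGNORECASE)), "DUNNO")


def write_atomically(path: str, text: str) -> None:
    """Write to a temp file in the same directory, then rename over the target."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".date_checks.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


if __name__ == "__main__":
    # Hypothetical usage from a daily cron job:
    #   date_checks.py /etc/postfix/date_checks.pcre
    target = sys.argv[1] if len(sys.argv) > 1 else "date_checks.pcre"
    write_atomically(target, render(rules_for(date.today())))
```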


Re: Block email based on reply field

2019-12-11 Thread lists
Thanks. Not the smartest spammer. The "from" lasts a while but the "reply" is 
static for months. I just got tired of blocking the "from" periodically. 





  Original Message  


From: postfix-us...@dukhovni.org
Sent: December 11, 2019 6:57 PM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Block email based on reply field


> On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
>
> I have a spammer who uses all sorts of "from" addresses but the same
> "reply" address. Any way to block this spammer in Postfix.

  main.cf:
    pcre = pcre:${config_directory}/
    header_checks = ${pcre}header-checks.pcre
    # Set empty, or keep existing non-default value
    nested_header_checks =
    mime_header_checks =

  header-checks.pcre:
    if /^Reply-To:/
    # Adjust to exactly match the observed header
    # Includes rule id in reject message
    /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
    /^/ DUNNO no more Reply-To rules
    endif

--
Viktor.



Re: rejections after limiting access to smtp auth

2019-12-11 Thread lists
Seriously is there ever a case not to use port 587?








Re: Advice: NFS, hardware, SATA vs SAS etc

2019-12-04 Thread lists
  You ruled out cloud solutions? (Original text deleted for brevity.)   

Re: how to setup a privacy oriented mailserver

2019-11-26 Thread lists
To make a long story short, in the past I used a hosting service. The email 
server was totally pwned by a Round Cube exploit from a hacker in a country I 
never occupied. Hence my advice to keep the server secure and reduce the attack 
surface.

Do hackers actually use their home ISPs? Yes if the country is basically 
lawless. You can't firewall your way to safety, but you can make these 
criminals do a little work.

I also maintain a file of server IP space. Some CIDRs are from the obvious big 
players. The rest are from hackers trying to mess with my web server. These 
CIDRs also can't access any email port other than 25.

The password guessers get anvil. I considered a fail2ban, but my passwords will 
not be guessed since they are randomly generated and high entropy. When I read 
the logs, most of the hackers are on Spectrum ISP, which is funny since 
Spectrum bans my VPS.

SPF, DKIM, and DMARC just make you look less spammy. You should set them up. 
This link will verify the settings.

https://dkimvalidator.com/





  Original Message  


From: postfixlists-070...@billmail.scconsult.com
Sent: November 25, 2019 9:48 PM
To: postfix-users@postfix.org
Subject: Re: how to setup a privacy oriented mailserver


On 25 Nov 2019, at 22:53, lists wrote:

> Security is privacy.

More precisely: Security includes privacy. Privacy is an essential *PART
OF* security.

The remit requested by the OP is really too broad to answer on a public
mailing list intended for discussion of a specific MTA (even though
Postfix would be a likely component...) because it could have very
different answers depending on the specific needs of a site and issues
like scale, threat model, risk tolerances, and available resources.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)


Re: how to setup a privacy oriented mailserver

2019-11-25 Thread lists
Security is privacy. 





  Original Message  


From: postmas...@wsly.de
Sent: November 25, 2019 6:25 PM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: how to setup a privacy oriented mailserver


Hi

on 2019/11/26 10:22, lists wrote:
> At a minimum, I would set it up to use port 587. Then block via firewall all 
> the email ports other than port 25 all countries from which you will not be 
> using the server.
>
> Keep the attack surface small. For example don't provide for web based email.


Sorry I didn't talk about security. I pay attention to privacy, such as
these ones, but run by myself.

https://restoreprivacy.com/secure-email/

Regards.


Re: how to setup a privacy oriented mailserver

2019-11-25 Thread lists
At a minimum, I would set it up to use port 587. Then block via firewall all 
the email ports other than port 25 all countries from which you will not be 
using the server. 

Keep the attack surface small. For example don't provide for web based email. 







  Original Message  


From: postmas...@wsly.de
Sent: November 25, 2019 5:48 PM
To: postfix-users@postfix.org
Subject: how to setup a privacy oriented mailserver


Hi community,

I finally got a domain from registrar, if I want to run a privacy
oriented mail server, what steps should I take?

For example, setup SSL over all, SPF, DKIM, DMARC, DNSSec, DoH,
encrypted storage, app special password, secondary authentication?

Is there any guide for it?

Thanks in advance.

regards.


Re: Dictionary attacks

2019-11-03 Thread lists
https://www.sshguard.net/
This is a simpler alternative to fail2ban. It has hooks for postfix and 
dovecot. The only disadvantage is SSHGuard isn't in my repo. You have to build 
it. 

That said, I just use it for ssh. I use Anvil settings in postfix to slow down 
the occasional skid. Less is more. The desired email gets through. I don't see 
much in the way of dictionary attacks on my postfix.





  Original Message  



From: ph...@caerllewys.net
Sent: November 3, 2019 9:04 AM
To: postfix-users@postfix.org
Subject: Re: Dictionary attacks


On 2019-11-03 05:24, Allen Coates wrote:
>
>
> On 03/11/2019 02:42, Wietse Venema wrote:
>> John Schmerold:
>>> What is the best way to protect against dictionary attacks in Postfix?
>> 
>> Reportedly, fail2ban (no first-hand experience, because I have no
>> SASL clients).
>>
>> Wietse
>>
>
> I run a home-brewed fail2ban look-alike; I find it almost as useful as 
> postscreen.

I've been thinking about setting up exactly such a thing myself.  Trying
to figure out how to make fail2ban talk to a Shorewall firewall on a
different box is just too much of a pain for such a fundamentally simple
task.  It's like trying to set up a CNC mill when all you actually want
to do is file 2mm off a strike plate.


--
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Re: postfix filter to encrypt incoming emails with public gpg key

2019-10-27 Thread lists
TLS makes no difference, but you might as well run the server as close to normal as 
possible. 





  Original Message  



From: 400the...@gmx.ch
Sent: October 26, 2019 11:52 PM
To: postfix-users@postfix.org
Subject: Re: postfix filter to encrypt incoming emails with public gpg key


On 27/10/2019 07.27, lists wrote:
> Let me try again. So the email comes in. Some program gets your public key 
> and then encrypts the email on the server.

I imagine, in theory it should work like this:

New email comes in, and as it moves through the Postfix mail delivery
pipeline, at some stage there is a simple filter, which performs an
action. There should be some possibility to define simple rules, such as

if recipient = us...@mydomain.com
  perform action
else
  continue

Such process would need to have the users public key, obviously. But
that is the least of an issue.

I don't understand Postfix enough, to see how this can be implemented in
practice.

> Then when you retrieve your email, it sends it out in what it believes is 
> plain text or for that matter can to TLS on the file, but you get a GPG 
> message that you then decrypt.

When I retrieve my message over IMAP, it will be retrieved as any other
message, regardless whether it is encrypted or not. Also, TLS is
irrelevant here.

> So the reason this isn't normally done is a general purpose email server 
> would have to do this on  per client basis, somehow getting the proper public 
> key for each client.

I think the reason why this is not normally done, is that my request is
quite exotic. I understand that. I think average mail user does not need
this.



Re: postfix filter to encrypt incoming emails with public gpg key

2019-10-27 Thread lists
Let me try again. So the email comes in. Some program gets your public key and 
then encrypts the email on the server. Then when you retrieve your email, it 
sends it out in what it believes is plain text or for that matter can to TLS on 
the file, but you get a GPG message that you then decrypt. 

So the reason this isn't normally done is a general purpose email server would 
have to do this on  per client basis, somehow getting the proper public key for 
each client. 

Am I right? Close? 

If not I will shut up and wait for a guru to reply. 






  Original Message  



From: 400the...@gmx.ch
Sent: October 26, 2019 10:46 PM
To: postfix-users@postfix.org
Subject: Re: postfix filter to encrypt incoming emails with public gpg key


On 27/10/2019 06.26, lists wrote:
> My bank insists I use their website for anything secure. I don't get anything 
> in my email that would be a security problem.

I used bank just as an example. Feel free to substitute another
scenario, if you find mine hard to imagine.

> Wouldn't a private key have to be held on your server to do what you want? If 
> so, that hacker can get the key.

No. Definitely not.
Only public key is needed for asymmetric encryption.

> Personally I would harden the server. It sounds like this is a private 
> server. You can use the firewall to vastly limit the countries where your 
> email can be retrieved. That is filter the hell out of all email ports except 
> 25. Besides filtering countries, I have a file of about 30k of ipv4 cidrs 
> from data centers that I block from all email ports except 25 and all the web 
> ports. No eyeballs in datacenters.

Sure, I want to have both:
A secure server, AND encrypted emails. What is wrong with that ?


Re: postfix filter to encrypt incoming emails with public gpg key

2019-10-26 Thread lists
My bank insists I use their website for anything secure. I don't get anything 
in my email that would be a security problem.

That said, have you inquired if your bank will use pgp? I know that sounds like 
crazy talk, but some banks have PGP. (OT but note Amazon can do PGP too.)

Wouldn't a private key have to be held on your server to do what you want? If 
so, that hacker can get the key.

Personally I would harden the server. It sounds like this is a private server. 
You can use the firewall to vastly limit the countries where your email can be 
retrieved. That is filter the hell out of all email ports except 25. Besides 
filtering countries, I have a file of about 30k of ipv4 cidrs from data centers 
that I block from all email ports except 25 and all the web ports. No eyeballs 
in datacenters.

Don't use roundcube or squirrelmail. Use email clients. Don't use cpanel or 
similar. Again keep the attack surface to a minimum. You can maintain a server 
strictly from command line. 

Use SSHGuard or fail2ban. 





  Original Message  



From: 400the...@gmx.ch
Sent: October 26, 2019 8:30 PM
To: postfix-users@postfix.org
Subject: postfix filter to encrypt incoming emails with public gpg key


Hello,

when new email arrives, and it is not already encrypted, I would like to
run it through a filter, which would encrypt the message with my public
gpg key, as if the original sender has sent the email encrypted.

Why do I want to do this ? Why not ask the sender to send encrypted
messages to start with ?

Let's say my bank sends me emails. I cannot force my bank to use gpg
encryption. I am happy they use email at all, instead of paper mail.

My email server is untrusted. It can be hacked into and emails stolen.
Full disk encryption will not help, because the disk must be decrypted
during runtime.

With my scheme, all emails would be stored encrypted on my server, and
decryption key does not exist on the server (emails are decrypted on my
local client)

What would be the best way to implement this ?

Can such filter work, without ever storing plaintext email on disk ?

Any other comments ?

thanks,
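
One way to build the filter asked about above, as an added example (not code from this thread or from Postfix): it wraps an unencrypted message in PGP/MIME using only the recipient's public key and hands the text to `gpg` through pipes, so the script itself writes no plaintext to disk. The function names, the fingerprint argument and the way the script is hooked into delivery are assumptions; Subject and the other outer headers stay readable.

```python
#!/usr/bin/env python3
"""Wrap an unencrypted mail in PGP/MIME (RFC 3156) for one public key.

Added example. Plaintext travels stdin -> gpg -> stdout through pipes only;
this script writes nothing to disk (the MTA's own queue is outside its control).
"""
import secrets
import subprocess
import sys

# Headers that describe the body; they move inside the encrypted part.
BODY_HEADERS = {b"content-type", b"content-transfer-encoding",
                b"content-disposition", b"content-description", b"content-id"}
PGP_MARKER = b"-----BEGIN PGP MESSAGE-----"


def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Encrypt with the gpg CLI; the keyring holds the public key only."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", recipient],
        input=plaintext, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        check=True)
    return proc.stdout


def split_message(raw: bytes):
    """Return (header blocks, body); a folded header stays in one block."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    blocks = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t") and blocks:
            blocks[-1] += b"\n" + line      # continuation line
        else:
            blocks.append(line)
    return blocks, body


def name_of(block: bytes) -> bytes:
    """Lower-cased header field name of one header block."""
    return block.partition(b":")[0].strip().lower()


def is_encrypted(blocks, body: bytes) -> bool:
    """True for PGP/MIME or a body that is an inline armored PGP message."""
    for block in blocks:
        value = block.partition(b":")[2].strip().lower()
        if name_of(block) == b"content-type" and value.startswith(b"multipart/encrypted"):
            return True
    return body.lstrip().startswith(PGP_MARKER)


def encrypt_message(raw: bytes, recipient: str, encrypt=gpg_encrypt) -> bytes:
    """Return `raw` unchanged if already encrypted, else a PGP/MIME message."""
    blocks, body = split_message(raw)
    if is_encrypted(blocks, body):
        return raw
    inner = [b for b in blocks if name_of(b) in BODY_HEADERS]
    outer = [b for b in blocks
             if name_of(b) not in BODY_HEADERS | {b"mime-version"}]
    if not any(name_of(b) == b"content-type" for b in inner):
        inner.insert(0, b"Content-Type: text/plain; charset=us-ascii")
    # The original body plus its MIME headers becomes the encrypted payload.
    payload = (b"\n".join(inner) + b"\n\n" + body).replace(b"\n", b"\r\n")
    armored = encrypt(payload, recipient).replace(b"\r\n", b"\n").strip()
    boundary = b"pgpmime-" + secrets.token_hex(16).encode()
    outer += [
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
        b'\n boundary="' + boundary + b'"',
    ]
    parts = [
        b"--" + boundary,
        b"Content-Type: application/pgp-encrypted", b"", b"Version: 1", b"",
        b"--" + boundary,
        b'Content-Type: application/octet-stream; name="encrypted.asc"', b"",
        armored, b"",
        b"--" + boundary + b"--", b"",
    ]
    return b"\n".join(outer) + b"\n\n" + b"\n".join(parts)


if __name__ == "__main__":
    # Assumed wiring: encrypt_filter.py <key fingerprint> < mail > encrypted mail
    try:
        result = encrypt_message(sys.stdin.buffer.read(), sys.argv[1])
    except (IndexError, OSError, subprocess.CalledProcessError) as exc:
        print(f"encryption failed: {exc}", file=sys.stderr)
        sys.exit(75)  # EX_TEMPFAIL: ask the MTA to retry, never pass plaintext on
    sys.stdout.buffer.write(result)
```

Exiting with a temporary-failure status when `gpg` fails keeps the filter from falling back to plaintext delivery.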


Re: block 'new style' TLDs ?

2019-10-23 Thread lists
As an aside, I have stopped some real live human beings from getting these dumb 
TLDs. Apparently "design" is one that is becoming popular for obvious but wrong 
headed reasons. 

https://en.m.wikipedia.org/wiki/.design





  Original Message  



From: xxdpp...@yahoo.com
Sent: October 23, 2019 1:49 PM
To: postfix-users@postfix.org
Subject: Re: block 'new style' TLDs ?


I've had the same problem for some time. I put the following into access_helo 
and header_checks. It's pretty severe (and the list gets bigger every month) 
but the percentage of valid email coming from those domains is next to nil.

I use a 510 rather than a 554 reject so hopefully they won't try again.

# Invalid and disreputable TLDs

/\.asia$/ 510 Denied: Unacceptable TLD .asia
/\.best$/ 510 Denied: Unacceptable TLD .best
/\.bid$/ 510 Denied: Unacceptable TLD .bid
/\.club$/ 510 Denied: Unacceptable TLD .club
/\.date$/ 510 Denied: Unacceptable TLD .date
/\.domain$/ 510 Denied: Unacceptable TLD .domain
/\.faith$/ 510 Denied: Unacceptable TLD .faith
/\.host$/ 510 Denied: Unacceptable TLD .host
/\.icu$/ 510 Denied: Unacceptable TLD .icu
/\.internal$/ 510 Denied: Unacceptable TLD .internal
/\.lan$/ 510 Denied: Unacceptable TLD .lan
/\.loan$/ 510 Denied: Unacceptable TLD .loan
/\.local$/ 510 Denied: Unacceptable TLD .local
/\.ninja$/ 510 Denied: Unacceptable TLD .ninja
/\.online$/ 510 Denied: Unacceptable TLD .online
/\.party$/ 510 Denied: Unacceptable TLD .party
/\.pro$/ 510 Denied: Unacceptable TLD .pro
/\.ren$/ 510 Denied: Unacceptable TLD .ren
/\.review$/ 510 Denied: Unacceptable TLD .review
/\.science$/ 510 Denied: Unacceptable TLD .science
/\.site$/ 510 Denied: Unacceptable TLD .site
/\.space$/ 510 Denied: Unacceptable TLD .space
/\.stream$/ 510 Denied: Unacceptable TLD .stream
/\.tech$/ 510 Denied: Unacceptable TLD .tech
/\.top$/ 510 Denied: Unacceptable TLD .top
/\.trade$/ 510 Denied: Unacceptable TLD .trade
/\.vip$/ 510 Denied: Unacceptable TLD .vip
/\.website$/ 510 Denied: Unacceptable TLD .website
/\.win$/ 510 Denied: Unacceptable TLD .win
/\.zone$/ 510 Denied: Unacceptable TLD .zone


Re: How to hold a specific recipient

2019-10-17 Thread (lists) Denis BUCHER

On 17.10.2019 at 00:16, Noel Jones wrote:

On 10/16/2019 4:48 PM, (lists) Denis BUCHER wrote:

Hello everyone,

I read a lot of emails on this ML and on the web without finding the 
solution, or I do something wrong.


I just want that all emails to a specific recipient are put on hold.

I thought this would work, but it doesn't :

  * main.cf :
      o smtpd_relay_restrictions = check_recipient_access
        hash:/etc/postfix/recipient_access permit_mynetworks
        permit_sasl_authenticated defer_unauth_destination
  * /etc/postfix/recipient_access :
      o em...@domain.ch    HOLD
  * postmap /etc/postfix/recipient_access

Thanks in advance a lot for any hint or help !

Denis



That's (mostly) correct, although it should really be in 
smtpd_recipient_restrictions.


Some random thoughts:

Mail must arrive via SMTP for the smtpd restrictions to work. Mail 
arriving via postdrop or the "sendmail command" do not use smtpd 
restrictions.


The smtp restrictions work on the envelope recipient address, which 
may not be the same as displayed in the To: header.  The envelope 
recipient is what postfix shows in the logs.


Mail that is rejected is not placed on hold.

non-ascii garbage in main.cf or the access map can cause unexpected 
behavior.


be sure to run "postmap hash:/etc/postfix/recipient_access" and 
"postfix reload" after editing main.cf.



For further assistance, show your "postconf -nf"  and log lines 
showing the mail you're trying to hold.



  -- Noel Jones


Yes, that's great : it works now!

But my current (working) configuration includes maybe too much :

 * smtpd_recipient_restrictions = check_recipient_access
   hash:/etc/postfix/recipient_access
 * smtpd_relay_restrictions = check_recipient_access
   hash:/etc/postfix/recipient_access  permit_mynetworks
   permit_sasl_authenticated defer_unauth_destination

I suppose that it would be more correct this way :

 * smtpd_recipient_restrictions = check_recipient_access
   hash:/etc/postfix/recipient_access
 * smtpd_relay_restrictions = permit_mynetworks
   permit_sasl_authenticated defer_unauth_destination

Is that right ?

Thank you very much for your help :-)

Denis



How to hold a specific recipient

2019-10-16 Thread (lists) Denis BUCHER

Hello everyone,

I read a lot of emails on this ML and on the web without finding the 
solution, or I do something wrong.


I just want that all emails to a specific recipient are put on hold.

I thought this would work, but it doesn't :

 * main.cf :
     o smtpd_relay_restrictions = check_recipient_access
       hash:/etc/postfix/recipient_access permit_mynetworks
       permit_sasl_authenticated defer_unauth_destination
 * /etc/postfix/recipient_access :
     o em...@domain.ch    HOLD
 * postmap /etc/postfix/recipient_access

Thanks in advance a lot for any hint or help !

Denis



Re: Prevent sender address spoofing

2019-09-29 Thread lists
Port 465 was deprecated for email. Port 587 is the way to go. 

The only email port I don't firewall on my server is 25.  On the rest of the 
email ports, I block all countries that I don't visit. In addition I use my 40k 
worth of CIDRs from hosting companies, VSPs, etc. that have hacked my web 
server. I don't block ISPs, as much as Comcast deserves to be blocked. 

Firewalls do chew up RAM, but they use very little CPU. I believe you have a 
better server by blocking IP space that is just going to waste CPU cycles. 





  Original Message  



From: rich...@damon-family.org
Sent: September 29, 2019 5:29 PM
To: postfix-users@postfix.org
Subject: Re: Prevent sender address spoofing


On 9/29/19 8:04 PM, Hugo Florentino wrote:
> On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
>> [...]
>>
>> This makes no sense.  Portable devices use ports 587 or 465 with all
>> the other providers.  And there's no "change ports constantly", they
>> just use the same submission port.
>>
>> Remote MTAs connect to port 25, submission clients (MUAs) connect
>> to port 587.
>>
> Suppose ISP imposes restrictions so the only port open either for SMTP
> or submission must be TCP 25. What then?
>
>
If an ISP allows you to run a mail server but won't allow access to
587/465 then you need a new ISP with a clue.

Some ISPs will block OUTGOING port 25 to prevent you from being a
spammer, requiring you to use their SMTP server for outgoing SMTP
transport, but I haven't heard of one that blocks 587 or 465 unless they
don't allow you to run servers and just block most server ports.

--
Richard Damon



Re: Unable to send or receive from Gmail

2019-06-22 Thread lists
OK, but then I would verify the cert you are using and would still fix this cert since ssllabs says it is not trusted.

From: secad...@netsecdesign.com
Sent: June 22, 2019 8:03 AM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: Unable to send or receive from Gmail

The website for “netsecdesign.com” is different than the one for my postfix gateway.  Different machine, different IP address, different cert.
 
 

From: <owner-postfix-us...@postfix.org> on behalf of lists <li...@lazygranch.com>
Date: Friday, June 21, 2019 at 10:13 PM
To: Security Admin <secad...@netsecdesign.com>, "postfix-users@postfix.org" <postfix-users@postfix.org>
Subject: Re: Unable to send or receive from Gmail

If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first. 

From: secad...@netsecdesign.com
Sent: June 21, 2019 9:19 PM
To: postfix-users@postfix.org
Subject: Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail.  Any help with this issue would be appreciated.

Receive Error from mail.log:

Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2

Send Error from mail.log:

Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
Jun 21 21:05:47 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 21:05:47 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
Jun 21 21:05:47 portus postfix/smtpd[3726]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2







Re: Unable to send or receive from Gmail

2019-06-21 Thread lists
If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first.

From: secad...@netsecdesign.com
Sent: June 21, 2019 9:19 PM
To: postfix-users@postfix.org
Subject: Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail.  Any help with this issue would be appreciated.
 
Receive Error from mail.log:
 
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2
 
 
 
 
Send Error from mail.log:
 
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
Jun 21 21:05:47 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 21:05:47 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
Jun 21 21:05:47 portus postfix/smtpd[3726]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2



ot: dkim "fail (message has been altered)" ?

2019-06-01 Thread lists
I'm attempting to implement dkim/dmarc, noticed that many spam messages
have like "fail (message has been altered)":

Authentication-Results: geko.sbt.net.au (amavisd-new);
dkim=pass (1024-bit key) header.d=dossierinfotech.in.net;
domainkeys=fail (1024-bit key)
reason="fail (message has been altered)"
header.from=mai...@dossierinfotech.in.net
header.d=dossierinfotech.in.net

is that something that can be rejected/blocked in Postfix, and how? or
where should that be utilized ?

thanks,

Voytek



Re: opendmarc.dat Permission denied issues

2019-05-29 Thread lists
On Thu, May 30, 2019 12:52 am, Benny Pedersen wrote:
> li...@sbt.net.au skrev den 2019-05-29 06:09:

> change /var/run to /var/tmp
>
> if you reboot with your config you will lose data
>
> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot
>
>
> permission denied comes from that opendmarc starts as root, and drops
> privileges to user later, and that makes it permission denied for the dat
> file, show ls -l /var/run/ if need more help
>
> if the dat file is owned or created by root, delete it and restart
> opendmarc
>

Benny, thanks

following Dominic advice I've set "UMask 0002" as , and, also reverted to
default path, restarted some 10 hours ago, so far, so good, no more fopen
errors

I'll change to /var/tmp next

thanks for explanation,

Voytek


# ls -l /var/run/
total 32

drwxr-xr-x  3 root  root 80 May 28 22:09 NetworkManager
drwx--  2 opendkim  opendkim 60 May 28 22:09 opendkim
drwx--  2 opendmarc opendmarc60 May 29 18:25 opendmarc
drwxr-xr-x  2 root  root 40 May 28 22:08 plymouth
...

# ls -l /var/run/opendmarc
total 4
-rw-rw-r-- 1 opendmarc opendmarc 6 May 29 18:25 opendmarc.pid

# grep istory  /etc/opendmarc.conf
HistoryFile /var/spool/opendmarc/opendmarc.dat
# HistoryFile /var/run/opendmarc.dat

# ls -l /var/spool/opendmarc/
total 44
-rw-rw-r-- 1 opendmarc opendmarc 41543 May 30 06:42 opendmarc.dat




Re: opendmarc.dat Permission denied issues

2019-05-29 Thread lists
On Wed, May 29, 2019 4:51 pm, Dominic Raferd wrote:
> On Wed, 29 May 2019 at 05:11,  wrote:

>
> I think you need to use a suitable UMask setting in /etc/opendmarc.conf
> e.g. 0002 - see UMask in man opendmarc.conf. And I don't think /var/run is
>  a logical place to put the history file. /var/log maybe?
>

Dominic, thanks

I've used
https://www.stevejenkins.com/blog/2015/03/installing-opendmarc-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

I can see now there is inconsistency in that writeup, with location of the
.dat

I currently have like:


UMask 007

UserID opendmarc:mail

what about default path /var/run/opendmarc.dat, maybe I'll try that

I'll try UMask 0002

thanks,

V




opendmarc.dat Permission denied issues

2019-05-28 Thread lists
i'm trying to setup DKIM & DMARC, set it few days ago, it seemed to be
working ok(?), well, I didn't notice errors

noticed today multiple "Permission denied" errors since last night, across
multiple domains

grep " Permission denied" /var/log/maillog | wc
   1943   19430  200491

May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied

# grep AAADD4E821C9 /var/log/maillog
May 29 13:41:41 geko postfix/smtpd[30596]: AAADD4E821C9:
client=mail01.hello.zendesk.com[142.0.163.127]
May 29 13:41:42 geko postfix/cleanup[30785]: AAADD4E821C9:
message-id=<32f4e19952284dd89d4be9c71563d796@2136619493>
May 29 13:41:42 geko opendmarc[27677]: AAADD4E821C9: SPF(mailfrom):
bounceb...@hello.zendesk.com pass
May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9: zendesk.com pass
May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied
May 29 13:41:43 geko postfix/cleanup[30785]: AAADD4E821C9: milter-reject:
END-OF-MESSAGE from mail01.hello.zendesk.com[142.0.163.127]: 4.7.1 Service
unavailable - try again later; from=
to= proto=ESMTP helo=


and, I don't have any such:

# ls /var/run/open*
/var/run/opendkim:
opendkim.pid

/var/run/opendmarc:
opendmarc.pid

in conf i have it as:

# grep opendmarc.dat opendmarc.conf
# HistoryFile /var/spool/opendmarc/opendmarc.dat
HistoryFile /var/run/opendmarc.dat

(the write up I was using suggested "/var/run/opendmarc.dat"


do I need to... re-create opendmarc.dat ..?
should it go in conf default path /var/spool/opendmarc ?

what did I screw up this time ?

meantime, removed dmarc from postfix main.cf

V
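
A pre-flight check for the failure in this thread, as an added example (not part of OpenDMARC): it reads `HistoryFile` and `UserID` from opendmarc.conf and reports whether that account can append to or create the file once the daemon has dropped privileges. The function names are hypothetical, and only the mode bits of the file and its parent directory are evaluated.

```python
"""Check that OpenDMARC's HistoryFile is writable by the account it runs as.

Added example. Only owner/group/other mode bits of the file and its parent
directory are evaluated (no ACLs, SELinux, or ancestor directories).
"""
import grp
import os
import pwd


def parse_conf(text: str) -> dict:
    """Parse the 'Key value' lines of opendmarc.conf; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            settings[fields[0].lower()] = fields[1].strip()
    return settings


def resolve_userid(userid: str):
    """Turn 'user[:group]' into (uid, set of gids) via the system databases."""
    user, _, group = userid.partition(":")
    entry = pwd.getpwnam(user)
    gids = {grp.getgrnam(group).gr_gid} if group else {entry.pw_gid}
    return entry.pw_uid, gids


def allowed(st: os.stat_result, uid: int, gids: set, want: int) -> bool:
    """Classic owner/group/other test; `want` is a mask of r=4, w=2, x=1."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def history_file_problem(path: str, uid: int, gids: set):
    """Return None if the file can be appended to or created, else a reason."""
    if os.path.exists(path):
        st = os.stat(path)
        if not allowed(st, uid, gids, 2):
            return (f"{path} exists (owner uid {st.st_uid}, mode "
                    f"{st.st_mode & 0o777:o}) and uid {uid} cannot write to it")
        return None
    parent = os.path.dirname(path) or "."
    if not os.path.isdir(parent):
        return f"{parent} does not exist"
    st = os.stat(parent)
    if not allowed(st, uid, gids, 3):       # write + search on the directory
        return (f"{path} is missing and {parent} (owner uid {st.st_uid}, mode "
                f"{st.st_mode & 0o777:o}) does not let uid {uid} create it")
    return None


def check_conf(conf_text: str, resolve=resolve_userid):
    """Check the HistoryFile named in the configuration text."""
    settings = parse_conf(conf_text)
    path = settings.get("historyfile")
    if path is None:
        return None                          # no history file configured
    if "userid" in settings:
        uid, gids = resolve(settings["userid"])
    else:
        # Assumption: without UserID the daemon keeps the invoking identity.
        uid, gids = os.geteuid(), {os.getegid()}
    return history_file_problem(path, uid, gids)


if __name__ == "__main__":
    with open("/etc/opendmarc.conf") as handle:
        print(check_conf(handle.read()) or "HistoryFile looks writable")
```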



Re: DKIM doubled, which one to remove?

2019-05-24 Thread lists
On Fri, May 24, 2019 9:31 pm, Matus UHLAR - fantomas wrote:

>> which one should be bypassed, and, how to do so ?
>
> very hard to say without more info. What do milters on ports 8891 and 8893
> do?


OpenDKIM and OpenDMARC


I was just installing DKIM followed by DMARC using Steve Jenkins howto
https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/


thanks, V



>> from main.cf ..
>> content_filter = smtp-amavis:[127.0.0.1]:10024
>> smtp-amavis_destination_recipient_limit = 1 ..
>> smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
>> non_smtpd_milters = $smtpd_milters milter_default_action = accept
>>
>>
>> [1]
>> # grep  711344531867  /var/log/maillog
>> May 24 15:15:08 geko postfix/smtpd[20479]: 711344531867:
>> client=mail.wintemo.eu[89.163.128.70] May 24 15:15:09 geko
>> postfix/cleanup[20551]: 711344531867:
>> message-id= May 24 15:15:10
>> geko postfix/qmgr[6755]: 711344531867: from=,
>> size=201981, nrcpt=1 (queue active) May 24 15:15:46 geko amavis[19646]:
>> (19646-19) Passed CLEAN
>> {RelayedInbound}, [89.163.128.70]:37104 [185.48.248.138]
>>  -> , Queue-ID: 711344531867,
>> Message-ID: , mail_id:
>> HjCP4miqJx91, Hits: 0.206, size: 202014, queued_as: 49850456275B, 35718
>> ms May 24 15:15:46 geko postfix/smtp[20553]: 711344531867:
>> to=, relay=127.0.0.1[127.0.0.1]:10024, delay=79,
>> delays=43/0.02/0.01/36, dsn=2.0.0, status=sent (250 2.0.0 from
>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49850456275B)
>> May 24 15:15:46 geko postfix/qmgr[6755]: 711344531867: removed
>> #
>>
>>
>> # grep  49850456275B /var/log/maillog
>> May 24 15:15:46 geko postfix/smtpd[20563]: 49850456275B:
>> client=localhost[127.0.0.1] May 24 15:15:46 geko postfix/cleanup[20551]:
>> 49850456275B:
>> message-id= May 24 15:15:46
>> geko postfix/qmgr[6755]: 49850456275B: from=,
>> size=202478, nrcpt=1 (queue active) May 24 15:15:46 geko amavis[19646]:
>> (19646-19) Passed CLEAN
>> {RelayedInbound}, [89.163.128.70]:37104 [185.48.248.138]
>>  -> , Queue-ID: 711344531867,
>> Message-ID: , mail_id:
>> HjCP4miqJx91, Hits: 0.206, size: 202014, queued_as: 49850456275B, 35718
>> ms May 24 15:15:46 geko postfix/smtp[20553]: 711344531867:
>> to=, relay=127.0.0.1[127.0.0.1]:10024, delay=79,
>> delays=43/0.02/0.01/36, dsn=2.0.0, status=sent (250 2.0.0 from
>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49850456275B)
>> May 24 15:15:52 geko postfix/pipe[20565]: 49850456275B:
>> to=, relay=dovecot, delay=5.9, delays=0.11/0.03/0/5.8,
>> dsn=2.0.0, status=sent (delivered via dovecot service) May 24 15:15:52
>> geko postfix/qmgr[6755]: 49850456275B: removed
>>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (Slovak): I do NOT wish to receive any advertising mail at this address.
> You have the right to remain silent. Anything you say will be misquoted,
> then used against you.
>




DKIM doubled, which one to remove?

2019-05-24 Thread lists
following earlier advice here, I've finally tried to set DKIM

I think I'm getting there, but I've noticed it's doubling up[1], with amavis

which one should be bypassed, and, how to do so ?

thanks, V

from main.cf
..
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1
..
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893
non_smtpd_milters = $smtpd_milters
milter_default_action = accept


[1]
# grep  711344531867  /var/log/maillog
May 24 15:15:08 geko postfix/smtpd[20479]: 711344531867:
client=mail.wintemo.eu[89.163.128.70]
May 24 15:15:09 geko postfix/cleanup[20551]: 711344531867:
message-id=
May 24 15:15:10 geko postfix/qmgr[6755]: 711344531867:
from=, size=201981, nrcpt=1 (queue active)
May 24 15:15:46 geko amavis[19646]: (19646-19) Passed CLEAN
{RelayedInbound}, [89.163.128.70]:37104 [185.48.248.138]
 -> , Queue-ID: 711344531867,
Message-ID: , mail_id:
HjCP4miqJx91, Hits: 0.206, size: 202014, queued_as: 49850456275B, 35718 ms
May 24 15:15:46 geko postfix/smtp[20553]: 711344531867:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=79,
delays=43/0.02/0.01/36, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49850456275B)
May 24 15:15:46 geko postfix/qmgr[6755]: 711344531867: removed
#

# grep  49850456275B /var/log/maillog
May 24 15:15:46 geko postfix/smtpd[20563]: 49850456275B:
client=localhost[127.0.0.1]
May 24 15:15:46 geko postfix/cleanup[20551]: 49850456275B:
message-id=
May 24 15:15:46 geko postfix/qmgr[6755]: 49850456275B:
from=, size=202478, nrcpt=1 (queue active)
May 24 15:15:46 geko amavis[19646]: (19646-19) Passed CLEAN
{RelayedInbound}, [89.163.128.70]:37104 [185.48.248.138]
 -> , Queue-ID: 711344531867,
Message-ID: , mail_id:
HjCP4miqJx91, Hits: 0.206, size: 202014, queued_as: 49850456275B, 35718 ms
May 24 15:15:46 geko postfix/smtp[20553]: 711344531867:
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=79,
delays=43/0.02/0.01/36, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 49850456275B)
May 24 15:15:52 geko postfix/pipe[20565]: 49850456275B:
to=, relay=dovecot, delay=5.9, delays=0.11/0.03/0/5.8,
dsn=2.0.0, status=sent (delivered via dovecot service)
May 24 15:15:52 geko postfix/qmgr[6755]: 49850456275B: removed




Re: Blacklistd interaction

2019-05-06 Thread lists
It had been my experience that the firewall uses more resources than SSHGuard. 
Certainly it uses more memory. 

The thing to bear in mind is what resources will be used if the offending IP 
address is not blocked.  Some of these bots that attack web servers will fire 
off a hundred useless hacks. The password guessers will hammer postfix all day, 
but fortunately those attacks are rare. At the moment I just use postfix rate 
limiting. 





  Original Message  



From: krem...@kreme.com
Sent: May 6, 2019 10:08 AM
To: postfix-users@postfix.org
Subject: Re: Blacklistd interaction


On 6 May 2019, at 06:33, Lefteris Tsintjelis  wrote:
> On 6/5/2019 15:14, @lbutlr wrote:
>> On 6 May 2019, at 02:10, Lefteris Tsintjelis  wrote:
>>> Fail2ban and equivalent log parsers are just too resource hungry,
>> No they aren't.
>
> Yes they are.

Not on my super powerful 7 year old i5 mail server with a whole 4GB of RAM that 
I bought for under $300. I'm sure there are people running mail servers on 
older and lousier hardware, but I'd guess it's not many.

>>> messy and more time consuming to maintain
>> Sounds like you are parting some false information others fed you. There is 
>> nothing to maintain, and they run silently and take no time at all.
>
> Sounds like you never used them but if you say so must be like that 

I have used both and currently use sshguard. I've never seen either show up on 
htop when sorting by CPU time.

Currently I am using sshguard

51842 root   52   0  6464  1544 S  0.0  0.0  0:00.00 sh 
/usr/local/sbin/sshguard -b /usr/local/etc/sshguard.blacklist -b 
120:/var/db/sshguard/blacklist.db -i /var/run/sshguard

0.0 CPU, 0.0 Mem, 00:00:00 Time



Re: Blacklistd interaction

2019-05-06 Thread lists
SSHGuard now works for more than ssh. It has hooks for postfix and other 
services. 





  Original Message  



From: le...@spes.gr
Sent: May 6, 2019 1:11 AM
To: postfix-users@postfix.org
Subject: Re: Blacklistd interaction


On 6/5/2019 9:42, @lbutlr wrote:
> On 4 May 2019, at 15:52, Lefteris Tsintjelis  wrote:
>> Would be great to consider its future adoption and if possible to take it 
>> even further to interact with postscreen.
>
> Why would this be a good thing for postfix to do?
>
> There are already plenty of tools that generate block lists for the various 
> types of firewalls out there, and they do not require patching postfix.
>
> SSHGuard and Fail2Ban are two that seem to work very well.

SSHguard is similar but only for ssh, not for postfix. Fail2ban and
equivalent log parsers are just too resource hungry, messy and more time
consuming to maintain. blacklistd is offering simplicity, central
management, extreme speed compared to any log parser with minimal
resources. There is no comparison really between log parsers and
blacklistd or SSHguard.


Re: Blacklistd interaction

2019-05-06 Thread lists
I like SSHGuard a lot, though I don't let it mess with my email. It is great 
for keeping the riff raff off of port 22 with very little effort to set up.

But now that you mention it, I think SSHGuard would be totally safe to block IP 
addresses that attempt to use the mail server as a relay. 





  Original Message  



From: krem...@kreme.com
Sent: May 5, 2019 11:43 PM
To: postfix-users@postfix.org
Subject: Re: Blacklistd interaction


On 4 May 2019, at 15:52, Lefteris Tsintjelis  wrote:
> Would be great to consider its future adoption and if possible to take it 
> even further to interact with postscreen.

Why would this be a good thing for postfix to do?

There are already plenty of tools that generate block lists for the various 
types of firewalls out there, and they do not require patching postfix.

SSHGuard and Fail2Ban are two that seem to work very well.


--
Love seekest only self to please, To bind another to its delight Joys in
another's loss of ease And builds a hell in Heaven's despite!


Re: spam from own email address

2019-04-23 Thread lists
All these filtering schemes are like the old Christmas tree lights where if one 
bulb fails, the whole thing stops working. Well sort of. I believe the RBLs can 
fail, say time out, and postfix keeps working. My point though is you need to 
consider the possibility of the mail server going down due to too many tools in 
the chain.

I run on a VPS. I have a single point of failure. I manage the server and 
really don't want to drop everything to fix a clogged email queue. (Amavisd 
would do that to me.) I may not have a computer handy. 

You will never achieve spam blocking perfection, and false positives are an 
issue. I would just mark the email as spam when I ran spamassassin, so I ended 
up looking at the spam email anyway. 






  Original Message  



From: ph...@caerllewys.net
Sent: April 23, 2019 11:50 AM
To: postfix-users@postfix.org
Subject: Re: spam from own email address


On 4/23/19 2:40 PM, lists wrote:
> I would investigate using rspamd rather than spamassassin. At the moment
> I run neither since I have settled upon a nice mix of RBLs and check the
> reverse pointer. That Perl code to get rid of dynamic domains really
> helps nuke spammers.
>
> Spamassassin tends to use a lot of memory. When I was using it, I had it
> on a rather memory limited VPS and actually needed to use VM.


I'm using rspamd myself, though it's clear I still have a lot to learn
about configuring and training it.  I used to use DSpam, and was getting
excellent results with it — something over 99.97% accuracy — but it was
abandoned and eventually became unmaintainable.


--
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958


Re: spam from own email address

2019-04-23 Thread lists
I would investigate using rspamd rather than spamassassin. At the moment I run neither since I have settled upon a nice mix of RBLs and check the reverse pointer. That Perl code to get rid of dynamic domains really helps nuke spammers.

Spamassassin tends to use a lot of memory. When I was using it, I had it on a rather memory limited VPS and actually needed to use VM.

I get a fake email from my address about once a week. I can tolerate that.

From: pm...@iljones.net
Sent: April 23, 2019 9:11 AM
To: postfix-users@postfix.org
Subject: Re: spam from own email address

Thanks for all the suggestions:
- I have an SPF record, but postfix is not rejecting these, presumably because the envelope sender is valid
- I am not using SpamAssassin, but I'm coming round to the idea!
- John: this idea seems simple and effective, I will give it a try.

Many thanks,
Ian

On 23/04/2019 at 18:02, John Peach wrote:

On 4/23/19 11:54 AM, Ralph Seichter wrote:

* John Peach:

/^From:.*\@example\.com/ REJECT

This header check will not catch the envelope sender, so I suggest
adding "check_sender_access pcre:/path/to/sender_access" to the mix
(file content according to your needs, of course).

It is not meant to catch the envelope sender. That should be in
your normal checks. This is specifically for the data From:, which
is what these are using.

-Ralph


  
  
  
  
  



Re: GF 3.3, unsupported dictionary type: mysql

2019-04-06 Thread lists
On Sat, April 6, 2019 8:47 pm, John Fawcett wrote:
> On 06/04/2019 01:43, li...@sbt.net.au wrote:

>> what did I do wrong ?
>
> no mysql file in dynamicmaps.cf.d ?
>
> I guess it should have been in the postfix3-mysql package you installed
>
>
> yum --enablerepo=gf-plus whatprovides
> /etc/postfix/dynamicmaps.cf.d/mysql.cf


John, thanks

yes, I'm not sure what I did wrong, but, I've looked at a Centos 7 I
migrated recently, and, it did have both dynamicmaps.cf as well as
dynamicmaps.cf.d dir, so I simply created same on this, and, it seems I'm
one step further... no more errors..

so maybe I've missed something that required on C6, not sure

thanks again, V



GF 3.3, unsupported dictionary type: mysql

2019-04-05 Thread lists
I'm trying to migrate server to new vm, installed postfix* from GF (1)

but, after copying over main.cf/master.cf get this:


Apr  6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type:   mysql
Apr  6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type:   mysql
...

postconf shows no mysql

Centos 6

daemon started -- version 3.3.3, configuration /etc/postfix


Linux 2.6.32-754.10.1.el6.x86_64 #1 SMP Tue Jan 15 17:07:28 UTC 2019
x86_64 x86_64 x86_64 GNU/Linux


what did I do wrong ?

# yum shell --enablerepo=gf-plus
Loaded plugins: fastestmirror
Setting up Yum Shell
> install postfix3 postfix3-ldap postfix3-mysql postfix3-pcre
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: ftp.swin.edu.au
 * epel: ucmirror.canterbury.ac.nz
 * extras: ftp.swin.edu.au
 * remi-safe: mirror.nsw.coloau.com.au
 * updates: mirror.ventraip.net.au
gf-plus  | 2.9 kB 00:00
Package 2:postfix3-3.3.3-1.gf.el6.x86_64 already installed and latest version
Package 2:postfix3-ldap-3.3.3-1.gf.el6.x86_64 already installed and latest
version
Package 2:postfix3-mysql-3.3.3-1.gf.el6.x86_64 already installed and
latest version
Package 2:postfix3-pcre-3.3.3-1.gf.el6.x86_64 already installed and latest
version
>

# postconf -m
btree
cidr
environ
fail
hash
inline
internal
memcache
nis
pipemap
proxy
randmap
regexp
socketmap
static
tcp
texthash
unionmap
unix



Re: Relay Access Denied

2019-03-25 Thread VP Lists
> 
> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni  
> wrote:
> 
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Fixed.  I needed a “From” header for gmail to accept it.  That was inside the 
Ruby gem configuration.  

Cheers

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 11:28 AM, Viktor Dukhovni  
> wrote:
> 
> As for why "mynetworks" is not enough, perhaps time to look
> at your master.cf file...

Here it is:

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
#  Begin auto-generated section 
# This section of the master.cf file is auto-generated by the Server Admin
#  Mail backend plugin whenever mails settings are modified.
smtp  inet  n   -   n   -   1   postscreen
smtpd pass  -   -   n   -   -   smtpd
dnsblog   unix  -   -   n   -   0   dnsblog
tlsproxy  unix  -   -   n   -   0   tlsproxy
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
smtp  unix  -   -   n   -   -   smtp
# === End auto-generated section ===
# Modern SMTP clients communicate securely over port 25 using the STARTTLS command.
# Some older clients, such as Outlook 2000 and its predecessors, do not properly
# support this command and instead assume a preconfigured secure connection
# on port 465. This was sometimes called "smtps", but such usage was never
# approved by the IANA and therefore conflicts with another, legitimate assignment.
# For more details about managing secure SMTP connections with postfix, please see:
#   http://www.postfix.org/TLS_README.html
# To read more about configuring secure connections with Outlook 2000, please read:
#   http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307772
# Apple does not support the use of port 465 for this purpose.
# After determining that connecting clients do require this behavior, you may choose
# to manually enable support for these older clients by uncommenting the following
# four lines.
#465  inet  n   -   n   -   -   smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628   inet  n   -   n   -   -   qmqpd
pickup    fifo  n   -   n   60  1   pickup
  -o content_filter=
cleanup   unix  n   -   n   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
#qmgr     fifo  n   -   n   300 1   oqmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer     unix  -   -   n   -   0   bounce
trace     unix  -   -   n   -   0   bounce
verify    unix  -   -   n   -   1   verify
sacl-cache unix -   -   n   -   1   sacl-cache
flush     unix  n   -   n   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -   -   n   -   -   smtp
  -o smtp_fallback_relay=
#   -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n   -   n   -   -   showq
error     unix  -   -   n   -   -   error
retry     unix  -   -   n   -   -   error
discard   unix  -   -   n   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   n   -   -   lmtp
anvil     unix  -   -   n   -   1   anvil
scache    unix  -   -   n   -   1   scache
#
# 
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# 
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -   n   n   -   -   pipe
#  flags=DRhu user=vmail 

Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  
> wrote:
> 
>> 
>> # /var/log/mail.log:
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
>> [192.168.1.4]:52147 to [192.168.1.6]:25
>> Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
>> [192.168.1.4]:52147
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
>> unknown[192.168.1.4]
>> Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: 
>> RCPT from unknown[192.168.1.4]: 554 5.7.1 : Relay access 
>> denied; from= to= proto=ESMTP 
>> helo=
> 
> This is likely blocked by "smtpd_relay_restrictions", or your
> mynetworks setting had not yet taken effect for all the running
> smtpd(8) processes.

At the moment, that directive is commented-out.  I was getting reports that it 
was not being used:

$ sudo postfix reload
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: 
smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination
postfix/postfix-script: refreshing the Postfix mail system

Either way, with that directive active or not, same results: Relay access denied

>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
> 
> This is rather pointless.
> 
>> smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
>>reject unauthdestination permit
> 
> This is rather busted.

I don’t know why.  This is how the package came.  

>> smtpd_tls_ciphers = medium
>> smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
> 
> The default settings are better.

These are the defaults it came with.  

>> use_sacl_cache = yes
> 
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

They all are.  Yes this is Mountain Lion (10.8.5) Server.  Is there a default 
setup for LAN access?  I find their setup rather restrictive.  I’ve had issues 
with this setup before.  Security in the LAN is tight already, so I don’t need 
my mail server keeping me out.  

Cheers

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-25 Thread VP Lists


> On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  
> wrote:
> 
> This must be some Apple-specific Postfix setting, are you running Apple's
> Postfix binaries?

mail_version = 2.9.2

_
Rich in Toronto @ VP








Re: Relay Access Denied

2019-03-24 Thread VP Lists


> On Mar 24, 2019, at 6:31 PM, Viktor Dukhovni  
> wrote:
> 
> On Sun, Mar 24, 2019 at 05:36:56PM -0400, VP Lists wrote:
> 
>> smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated 
>> permit
> 
> What do you expect this to do?

At this point I have no clue.  I think it was in there from previous messing.  

>> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
>> reject_unauth_destination
>> 
>> Same error.  
> 
> Care to post logs?  Care to post "postconf -nf" (older versions
> "postconf -n") output?

# /var/log/mail.log:
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: CONNECT from 
[192.168.1.4]:52147 to [192.168.1.6]:25
Mar 24 18:37:35 alpha.mydomain.com postfix/postscreen[11964]: PASS OLD 
[192.168.1.4]:52147
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: connect from 
unknown[192.168.1.4]
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: RCPT 
from unknown[192.168.1.4]: 554 5.7.1 : Relay access denied; 
from= to= proto=ESMTP 
helo=
Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: disconnect from 
unknown[192.168.1.4]

So below we see that mynetworks includes the LAN for relaying.  But above, it 
says my workstation (192.168.1.4) is unknown.  No clue why.  

$ postconf -nf

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.1.0/24, 192.168.1.23, 192.168.1.4, 127.0.0.0/8, [::1]/128 
# RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks
reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes


_
Rich in Toronto @ VP
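
The coverage question raised in this thread (is the rejected client inside mynetworks?) as an added example, not code from any poster: it parses a mynetworks value as postconf prints it in this post, including the trailing `# RF`, and tests the client address taken from a reject line. The function names are hypothetical, and the addresses in angle brackets in the log line are constructed because the archive stripped the originals.

```python
import ipaddress
import re

# mynetworks values as they appear in this thread (first post, then revised).
ORIGINAL = "192.168.0.0/24 127.0.0.0/8 # RF"
REVISED = "192.168.1.0/24, 192.168.1.23, 192.168.1.4, 127.0.0.0/8, [::1]/128 # RF"

# Reject line in the shape of the log above; the <...> values are constructed.
REJECT_LINE = (
    "Mar 24 18:37:35 alpha.mydomain.com postfix/smtpd[11966]: NOQUEUE: reject: "
    "RCPT from unknown[192.168.1.4]: 554 5.7.1 <user@example.net>: Relay access "
    "denied; from=<app@dev.example> to=<user@example.net> proto=ESMTP helo=<dev>"
)

REJECT_RE = re.compile(
    r"reject: RCPT from \S+?\[(?P<ip>[0-9A-Fa-f.:]+)\]: \d{3} .*Relay access denied"
)


def parse_mynetworks(value):
    """Split on commas/whitespace; return (networks, tokens that are not networks)."""
    networks, other = [], []
    for token in filter(None, re.split(r"[,\s]+", value)):
        # Postfix writes IPv6 as [addr]/len; ipaddress wants addr/len.
        candidate = re.sub(r"^\[(.*)\](/\d+)?$", r"\1\2", token)
        try:
            networks.append(ipaddress.ip_network(candidate, strict=False))
        except ValueError:
            # Table references, "!" exclusions and stray text such as "#" land here.
            other.append(token)
    return networks, other


def relay_check(log_line, mynetworks_value):
    """Report which mynetworks entries, if any, cover the rejected client."""
    m = REJECT_RE.search(log_line)
    if m is None:
        return None
    client = ipaddress.ip_address(m["ip"])
    networks, other = parse_mynetworks(mynetworks_value)
    return {
        "client": str(client),
        "covered_by": [str(n) for n in networks if client in n],
        "not_networks": other,
    }


if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, relay_check(REJECT_LINE, value))
```

With the first post's value the client is not covered by any entry; with the revised value it is, and in both cases the trailing `# RF` appears as two extra tokens in the value rather than as a comment.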




Re: Relay Access Denied

2019-03-24 Thread VP Lists


> On Mar 24, 2019, at 5:20 PM, B. Reino  wrote:
> 
> Sorry for top posting. Mobile client here..

No problem.  I don’t mind top-posting anywhere.

> Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 
> 192.168.0.0/16.
> 
> In the headers of your mail I see 192.168.1.4, which would thus not be in 
> mynetworks.

Yes, it’s now corrected.

mynetworks = 192.168.1.0/24 127.0.0.0/8

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = loopback-only
config_directory = /Library/Server/Mail/Config/postfix

smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks 
reject unauthdestination permit

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination


Same error.  


> So you may want to check that..

_
Rich in Toronto @ VP








Relay Access Denied

2019-03-24 Thread VP Lists
Hi folks.

I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s running 
Postfix as a mail server.  

My LAN has a 192.168.x.x range.  I’m getting that error when an app I’m 
developing, is trying to send an email out through this email server to the 
internet.  A gmail address specifically. 



My main.cf:

biff = no
command_directory = /usr/sbin
config_directory = /Library/Server/Mail/Config/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /Library/Server/Mail/Data/mta
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb 
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 10485760
mydomain_fallback = localhost
mynetworks = 192.168.0.0/24 127.0.0.0/8 # RF
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks 
reject unauthdestination permit
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
use_sacl_cache = yes
postconf: warning: /etc/postfix/main.cf: unused parameter: 
smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination

I’m hosting a handful of local and FQDN on the LAN, and I develop using a 
machine.local naming scheme.  Just wondering how I can whitelist my internal 
domains to get outgoing emails past my mail server.  Not really sure what to 
post here as well.

Any insight appreciated.

Cheers


_
Rich in Toronto @ VP









intermittent sasl auth fails?

2019-03-17 Thread lists
I have a user with TBird saying they get occasional error when trying to
send with SASL AUTH, looking at log, I see this;

Mar 17 22:10:44 postfix/smtpd[11975]: connect from
111-222-333-444.static.tpgi.com.au[111.222.333.444]
Mar 17 22:10:45 postfix/smtpd[11975]: Anonymous TLS connection established
from 111-222-333-444.static.tpgi.com.au[111.222.333.444]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 17 22:10:47 postfix/smtpd[11975]: warning:
111-222-333-444.static.tpgi.com.au[111.222.333.444]: SASL PLAIN
authentication failed:
Mar 17 22:10:53 postfix/smtpd[11975]: warning:
111-222-333-444.static.tpgi.com.au[111.222.333.444]: SASL LOGIN
authentication failed: UGFzc3dvcmQ6
Mar 17 22:10:59 postfix/smtpd[11975]: warning:
111-222-333-444.static.tpgi.com.au[111.222.333.444]: SASL PLAIN
authentication failed: UGFzc3dvcmQ6
Mar 17 22:11:05 postfix/smtpd[11975]: warning:
111-222-333-444.static.tpgi.com.au[111.222.333.444]: SASL LOGIN
authentication failed: UGFzc3dvcmQ6
Mar 17 22:11:59 postfix/smtpd[11975]: disconnect from
111-222-333-444.static.tpgi.com.au[111.222.333.444] ehlo=2 starttls=1
auth=0/4 quit=1 commands=4/8

Mar 17 22:14:37 postfix/smtpd[12089]: connect from
111-222-333-444.static.tpgi.com.au[111.222.333.444]
Mar 17 22:14:38 postfix/smtpd[12089]: Anonymous TLS connection established
from 111-222-333-444.static.tpgi.com.au[111.222.333.444]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 17 22:14:42 postfix/smtpd[12089]: 5425745329A0:
client=111-222-333-444.static.tpgi.com.au 111.222.333.444],
sasl_method=PLAIN, sasl_username=m...@tld.com.au
Mar 17 22:14:42 postfix/smtpd[12089]: disconnect from
111-222-333-444.static.tpgi.com.au[111.222.333.444] ehlo=2 starttls=1
auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Mar 17 22:14:43 amavis[11177]: (11177-17) Passed CLEAN {RelayedOutbound},
ORIGINATING LOCAL [111.222.333.444]:54608 [111.222.333.444] 
-> , Queue-ID: 5425745329A0, Message-ID:
<7252a376-030e-0a85-cede-d204206bf...@autopack.com>, mail_id:
WUkk9VvorFcd, Hits: 0.076, size: , queued_as: BAE5645329A6, 1303 ms


h, as I was munging the email address, I've noticed that:

the sasl username is 'm...@tld.com.au' BUT on next line they have
'm...@tld.com' (both domains are valid, tld.com as well as tld.com.au) -
could that be a problem ?

how else to t/s this ?

V
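
A triage pass over log lines like the ones in this post, as an added example (not code from the poster): it counts SASL failures per client and method, decodes the base64 token printed after "authentication failed:" (`UGFzc3dvcmQ6` is base64 for `Password:`), and reads the `auth=ok/total` counters from the disconnect lines. The sample log is constructed with documentation addresses, and the function names are hypothetical.

```python
import base64
import re
from collections import defaultdict

# Constructed log in the shape of the excerpt above; hosts, addresses, user and
# queue ID are made-up documentation values, not taken from the post.
SAMPLE_LOG = """\
Mar 17 22:10:47 postfix/smtpd[11975]: warning: client.example.net[203.0.113.25]: SASL PLAIN authentication failed:
Mar 17 22:10:53 postfix/smtpd[11975]: warning: client.example.net[203.0.113.25]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 17 22:11:59 postfix/smtpd[11975]: disconnect from client.example.net[203.0.113.25] ehlo=2 starttls=1 auth=0/2 quit=1 commands=4/6
Mar 17 22:14:42 postfix/smtpd[12089]: 4F1C2A00B1: client=client.example.net[203.0.113.25], sasl_method=PLAIN, sasl_username=user@example.net
Mar 17 22:14:42 postfix/smtpd[12089]: disconnect from client.example.net[203.0.113.25] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Mar 17 22:20:01 postfix/smtpd[12140]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 17 22:20:03 postfix/smtpd[12140]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 17 22:20:05 postfix/smtpd[12140]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 17 22:20:06 postfix/smtpd[12140]: disconnect from unknown[198.51.100.9] ehlo=1 auth=0/3 quit=1 commands=2/5
"""

FAIL_RE = re.compile(r"warning: \S+?\[(?P<ip>[^\]]+)\]: SASL (?P<method>\S+) "
                     r"authentication failed:\s*(?P<detail>\S*)")
OK_RE = re.compile(r"client=\S+?\[(?P<ip>[^\]]+)\], sasl_method=[^,]+, "
                   r"sasl_username=(?P<user>\S+)")
DISC_RE = re.compile(r"disconnect from \S+?\[(?P<ip>[^\]]+)\].*?"
                     r"\bauth=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def decode_detail(detail):
    """Return the base64-decoded text if it is printable ASCII, else the raw token."""
    try:
        text = base64.b64decode(detail, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return detail
    return text if text and text.isprintable() else detail


def summarize(log_text):
    """Per client IP: failures by method, decoded details, users, auth counters."""
    clients = defaultdict(lambda: {"failed": {}, "detail": set(), "users": set(),
                                   "auth_ok": 0, "auth_tried": 0})
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            c = clients[m["ip"]]
            c["failed"][m["method"]] = c["failed"].get(m["method"], 0) + 1
            if m["detail"]:
                c["detail"].add(decode_detail(m["detail"]))
        elif m := OK_RE.search(line):
            clients[m["ip"]]["users"].add(m["user"])
        elif m := DISC_RE.search(line):
            c = clients[m["ip"]]
            c["auth_ok"] += int(m["ok"])
            # "auth=1" means 1 of 1 succeeded; "auth=0/2" means 0 of 2.
            c["auth_tried"] += int(m["total"] or m["ok"])
    return dict(clients)


def failures_without_success(summary, threshold):
    """Client IPs with at least `threshold` failures and no authenticated user."""
    return sorted(ip for ip, c in summary.items()
                  if sum(c["failed"].values()) >= threshold and not c["users"])
```
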



Re: DKIM setup writeup for multi domain?

2019-03-17 Thread lists


> I found my notes. This is for RHEL:

thanks for all the replies, all very helpful, half way there


V



DKIM setup writeup for multi domain?

2019-03-12 Thread lists
I'm looking at adding DKIM to my Postfix

is there some up to date DKIM setup write up for multi domain Postfix
setup ? most of the ones I've found are for single domain, and, use
different setups, hence I'm trying to figure out what's the best way to
set this up.

V



Re: server migration question

2019-03-08 Thread lists
On Sat, March 9, 2019 4:53 am, Bill Cole wrote:
> On 8 Mar 2019, at 7:33, li...@sbt.net.au wrote:

>> is that an OK idea ?
>
> That's how I always do it, and it works well. Make sure you reduce the
> TTL value of the A record to a short value for at least twice the normal
> TTL before doing the switch. I like to use 300s just to give myself a
> slow ramp-up on a new machine that I can watch for trouble, but if you
> don't have constant flow you can go as low as 60s before oddball resolvers
> show their quirks. So if your current TTL is 86400 (1 day) you should
> reduce the TTL and wait 2 days before cutting over. In principle, 1 TTL
> should work, but in practice, there are weird DNS practices out there in
> the wild.

Bill, thank you

looking at A record TTLs, they were at 3600, changed to 300
(it seems the idiot who done last DNS never reverted it back to 86400,
typical (that's me, of course...))

>> what do I then need to set the old server to forward all mail to new
>> server ?
>
> The more important question is: WHY?
>
>
> Shut down Postfix on the old server, start the new server, switch the A
> record. The worst that is likely to happen is a handful of sites will cache
> the old A too long, try and fail to connect to send a message, and retry a
> few minutes later to the new server. The absolute worst possible effect is
> if somewhere someone has a hardcoded route for your mail by IP or a broken
> MTA that only ever retries deferred messages on the same IP,
> their mail to you will fail. Those senders will be accustomed to their mail
> being broken on a regular basis...
>
> The risk of leaving the old server up and relaying to the new server is
> that the old server may become a clearer path for unwanted email than
> directly to the new server.

thanks for explaining! makes it simpler. I'll leave Dovecot running but
shut down Postfix on old server



server migration question

2019-03-08 Thread lists
I have Postfix/Dovecot/Mysql on Centos 7 with mail_version = 3.2.4

setup new server same hostname as old server with mail_version = 3.3.3
using same hostname as old server

the thought was to change A records to point mailserver hostname to new
server IP at switch over time

is that an OK idea ?

what do I then need to set the old server to forward all mail to new server ?




Re: hostname is being appended to the From name

2018-11-20 Thread lists

Thank you. This should only happen for email from "mynetworks", right?


On 2018-11-20 3:34 pm, Wietse Venema wrote:

> li...@mbchandler.net:
>> I'm trying to understand why this is happening and how to prevent it. I
>> have a relay where if an email is sent to it with just a name in the
>> Header From, then the server's hostname is added to the end of it. For
>> example, if I telnet to the server and send an email with "From:Test",
>> then I'll get an email from Test@hostname.
>
> See http://www.postfix.org/postconf.5.html#myorigin
>
> myorigin (default: $myhostname)
>     The domain name that locally-posted mail appears to come from,
>     and that locally posted mail is delivered to. The default,
>     $myhostname, is adequate for small sites. If you run a domain
>     with multiple machines, you should (1) change this to $mydomain
>     and (2) set up a domain-wide alias database that aliases each
>     user to user@that.users.mailhost.
>
> Postfix does not support domain-less addresses.
>
>     Wietse

