[pfx] Re: SMTP command trace

2024-06-06 Thread postfix--- via Postfix-users

Did you increase the level higher than 2?
debug_peer_level = 5 should show all SMTP commands issued.



Even at 5 I can see only inbound SMTP trace, but not outbound.
Even higher?



The levels go from 1 to 10. I don't know if you will get more commands going 
higher than 5. I was under the impression 5 included all commands and going 
higher just adds more internal workings. Like what is happening behind the 
scenes for each command. But I've yet to find clear documentation on what 
exactly each level does. Either Wietse or Viktor should know better about the 
levels.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread postfix--- via Postfix-users

If I use the hash method and follow https://www.postfix.org/SASL_README.html
I should write the config file like


/etc/postfix/sasl_passwd:
# Per-sender authentication; see also /etc/postfix/sender_relay.
us...@example.com   username1:password1
us...@example.net   username2:password2
# Login information for the default relayhost.
[mail.isp.example]  username:password
# Alternative form:
# [mail.isp.example]:submission username:password



Therefore I wrote
[smtp-relay.brevo.com]:587  x@y.z:123

But this will NOT work, I have instead write



If you specify the "[" and "]" in the relayhost destination, then you must use 
the same form in the smtp_sasl_password_maps file.
Are you using the same [ ] formatting in both places?


[pfx] Re: SMTP command trace

2024-06-06 Thread postfix--- via Postfix-users

I tried with debug_peer_list and debug_peer_level, but it looked like not all 
commands are included


Did you increase the level higher than 2?
debug_peer_level = 5 should show all SMTP commands issued.


[pfx] Re: localhost.com in the logs

2024-06-06 Thread postfix--- via Postfix-users

Trouble Shooting Areas
==

Make sure mydestination contains localhost for postfix to know it gets 
delivered locally.

Also double check myhostname, mydomain, and myorigin for anything that doesn't 
look right.

Make sure nothing in /etc/aliases is sending root somewhere else.

Make sure /etc/hosts has 127.0.0.1 for localhost.

Check remote_header_rewrite_domain to see if it's changing addresses.

The following maps have the ability to rewrite addresses, check if anything 
looks out of place in
  canonical_maps
  generic_maps
  virtual_alias_maps
  transport_maps
  relay_domains
  masquerade_domains


[pfx] Re: localhost.com in the logs

2024-06-06 Thread postfix--- via Postfix-users

I have no idea where this r...@localhost.com is coming from. It must be a 
misconfiguration but I cannot find it.



Since root@localhost is rewritten in r...@localhost.com, I would also check in 
aliases/virtual_aliases, etc.



Not likely, but check if something wacky got into /etc/aliases as that would 
alter anything postfix tried sending to root of localhost.


[pfx] ehlo=2

2024-06-05 Thread postfix--- via Postfix-users

I have noticed in most deliveries, servers are issuing two ehlo commands. For 
example:

  postfix/smtpd[232271]: disconnect from talvi.dovecot.org[94.237.105.223] 
ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

Is this an indication that something might not be configured correctly to cause 
servers to have to retry? Or is it normal for servers to use ehlo twice? I did 
a quick telnet connection to see what the server is announcing:

  220 mail.example.com ESMTP Postfix
  ehlo test.example.com
  250-mail.example.com
  250-PIPELINING
  250-SIZE 3072
  250-STARTTLS
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250-SMTPUTF8
  250 CHUNKING

Is anything missing? Any idea why the ehlo=2 is on most deliveries?


[pfx] Which DKIM application for postfix 3.9.0

2024-03-07 Thread postfix--- via Postfix-users

I am upgrading to postfix 3.9.0.

I have not used DKIM in previous postfix installs, but I would like to 
start now with the new google rules.


I have done some research and opendkim is the most recommended, however, 
other research states the opendkim has been abandoned by its maintainers.


So I am looking for a good alternative dkim software that will work with 
postfix that I can compile myself.


I do not run on any linux version, so therefore I can not just apt-get a 
new dkim application.


I run Solaris and therefore need to compile my applications, postfix and 
dkim.


Any good suggestions will be appreciated.


[pfx] Re: Amazon SES rejects text/rfc822-headers when header includes multipart content type - Workaround?

2024-01-04 Thread postfix--- via Postfix-users
Just a note to update the thread. Amazon reports that they've now 
corrected this issue in all of their regions, and sending the test case 
through I mentioned earlier in the thread now works, at least in our region.


Cheers!

Dan

On 11/20/2023 3:52 PM, postfix--- via Postfix-users wrote:



On 11/20/2023 2:07 PM, Viktor Dukhovni via Postfix-users wrote:
On Mon, Nov 20, 2023 at 11:02:15AM -0500, postfix--- via Postfix-users wrote:


You'd need to apply "body checks" to internally generated mail, which is
generally not recommended, and would apply regardless of context, not
just to bounced header-only content.

  main.cf:
      internal_mail_filter_classes = bounce
      bounce_body_checks = pcre:{ {~^(Content-Type:\s*multipart/)~ X-$${1}} }

  master.cf:
      bounce unix  -   -   n   -   0   bounce
          -o { cleanup_service_name = bounce-cleanup }
      bounce-cleanup unix n   -   n   -   0   cleanup
          -o { receive_override_options = no_milters }
          -o { disable_mime_input_processing = no }
          -o { body_checks = $bounce_body_checks }
          -o { header_checks = }
          -o { nested_header_checks = }



Thank you! This might work for us (and does for this specific test case).

But do I read you right that the danger is that if the full message is
returned in the third part of the report then this setup would alter those
headers as well (which would then presumably break the message, since it's
not meant to be headers-only)?


No. This will not break actual MIME headers in the returned message, but
may interfere with message content where the string:

Content-Type: multipart/mumble

occurs at the beginning of a message body line in contexts other than
returned headers.  Note that the configuration is narrowly targeting
just the "bounce" service, and enables only "body_checks".  It is
as safe as I know how to make it...

The caveat is there to let you know that the rule is less surgically
precise than say a tailored Postfix feature to explicitly censor or
modify the headers to be included in a header-text-only bounce.

Given infinite cycles, Postfix would support some sort of
"header-checks" like syntax for deciding how to tweak the returned
headers.  But the cost here should be borne by the guilty party (Amazon)
and not Postfix.

Barring more compelling use-cases, we should not go out of our way to
help their broken MTA work.



All understood, thanks again. Your suggestion is working fine for us. 
For our purposes the risk of accidentally changing a body line that 
starts with that particular text is low enough that we're not overly 
concerned with it. In the meantime I do have the issue reported to 
Amazon, hopefully good things will come of it.


Cheers!

Dan


[pfx] Re: Postfix + mysql connection lost after RCPT

2023-11-22 Thread postfix--- via Postfix-users

We're using Postfix + Mysql and we're getting this mysql connection
lost issue very often.



Our mysql settings are ok, running using IP instead of the host so no
DNS request is made.



Can you use unix socket instead of IP? Or other machine? Since you are going 
over IP, are you using the proxy: feature of postfix causing it to hold on to 
connections? One area I would investigate would be any kind of OS TCP timeouts.

The next thing I would look at is MySQL also has a connection timeout default.


[pfx] Re: How to temporarily pause virtual mail delivery?

2023-11-22 Thread postfix--- via Postfix-users

I am looking for an option to temporarily pause delivery via LMTP and defer 
mail while the Dovecot mailboxes are being backed-up in order to get a 
consistent state.



Just take dovecot LMTP offline. Isn't the default behavior of postfix to queue 
undeliverable mail and once it's able to deliver, it will? No need to bounce 
public mail with a 4xx error.


[pfx] Re: Amazon SES rejects text/rfc822-headers when header includes multipart content type - Workaround?

2023-11-20 Thread postfix--- via Postfix-users




On 11/20/2023 2:07 PM, Viktor Dukhovni via Postfix-users wrote:

On Mon, Nov 20, 2023 at 11:02:15AM -0500, postfix--- via Postfix-users wrote:


You'd need to apply "body checks" to internally generated mail, which is
generally not recommended, and would apply regardless of context, not
just to bounced header-only content.

  main.cf:
      internal_mail_filter_classes = bounce
      bounce_body_checks = pcre:{ {~^(Content-Type:\s*multipart/)~ X-$${1}} }

  master.cf:
      bounce unix  -   -   n   -   0   bounce
          -o { cleanup_service_name = bounce-cleanup }
      bounce-cleanup unix n   -   n   -   0   cleanup
          -o { receive_override_options = no_milters }
          -o { disable_mime_input_processing = no }
          -o { body_checks = $bounce_body_checks }
          -o { header_checks = }
          -o { nested_header_checks = }



Thank you! This might work for us (and does for this specific test case).
But do I read you right that the danger is that if the full message is
returned in the third part of the report then this setup would alter those
headers as well (which would then presumably break the message, since it's
not meant to be headers-only)?


No. This will not break actual MIME headers in the returned message, but
may interfere with message content where the string:

Content-Type: multipart/mumble

occurs at the beginning of a message body line in contexts other than
returned headers.  Note that the configuration is narrowly targeting
just the "bounce" service, and enables only "body_checks".  It is
as safe as I know how to make it...

The caveat is there to let you know that the rule is less surgically
precise than say a tailored Postfix feature to explicitly censor or
modify the headers to be included in a header-text-only bounce.

Given infinite cycles, Postfix would support some sort of
"header-checks" like syntax for deciding how to tweak the returned
headers.  But the cost here should be borne by the guilty party (Amazon)
and not Postfix.

Barring more compelling use-cases, we should not go out of our way to
help their broken MTA work.



All understood, thanks again. Your suggestion is working fine for us. 
For our purposes the risk of accidentally changing a body line that 
starts with that particular text is low enough that we're not overly 
concerned with it. In the meantime I do have the issue reported to 
Amazon, hopefully good things will come of it.


Cheers!

Dan
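
Which lines the body check in this thread selects, as an added example that is not part of the original messages: a simplified Python model (an assumption, not Postfix's own MIME code) that labels each line of a bounce as header or body and reports the body lines matched by the rule's pattern `^(Content-Type:\s*multipart/)`. The bounces are constructed from the thread's test file with placeholder addresses, and all function names are hypothetical.

```python
import re

# Pattern from the thread's bounce_body_checks rule. Postfix pcre tables are
# case-insensitive by default, hence re.IGNORECASE.
RULE = re.compile(r"^(Content-Type:\s*multipart/)", re.IGNORECASE)
CTYPE = re.compile(r"^Content-Type:\s*([\w.+-]+/[\w.+-]+)", re.IGNORECASE)
BOUNDARY = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def classify(message):
    """Return (line_no, kind, text) tuples, kind being 'header' or 'body'.

    Simplified model: 'header' covers primary headers, MIME part headers and
    the headers of an attached message/rfc822. Everything else, multipart
    boundary lines included, is 'body', the only class body_checks sees.
    """
    out, stack = [], []                 # stack: open multipart boundaries
    in_hdr, ctype, bnd, in_ct = True, "text/plain", None, False
    for no, line in enumerate(message.splitlines(), 1):
        if in_hdr and line:
            if line[0] not in " \t":    # a new header, not a folded continuation
                m = CTYPE.match(line)
                in_ct = m is not None
                if m:
                    ctype = m.group(1).lower()
            if in_ct:                   # boundary= may sit on a folded line
                b = BOUNDARY.search(line)
                if b:
                    bnd = b.group(1)
            out.append((no, "header", line))
            continue
        out.append((no, "body", line))
        if in_hdr:                      # blank line: the header block ends
            if ctype.startswith("multipart/") and bnd:
                stack.append(bnd)
            in_hdr = ctype == "message/rfc822"  # attached message: headers follow
            ctype, bnd, in_ct = "text/plain", None, False
            continue
        for depth in range(len(stack) - 1, -1, -1):
            if line.rstrip() == "--" + stack[depth] + "--":
                del stack[depth:]       # closing delimiter of that multipart
                break
            if line.rstrip() == "--" + stack[depth]:
                del stack[depth + 1:]   # next part: its MIME headers follow
                in_hdr = True
                break
    return out


def body_check_hits(message):
    """Body lines the rule's pattern would select, as (line_no, text)."""
    return [(no, text) for no, kind, text in classify(message)
            if kind == "body" and RULE.match(text)]


# --- constructed sample input, modelled on the thread's bad_mini_bounce.txt ---
B = "480A5B8B67.1700153227/dev.mydomain.com"
INNER = 'Content-Type: multipart/mixed; boundary="TESTING.12345"'
NOTICE = "Content-Type: multipart/alternative is what the sender's client produced."


def bounce(third_part, notice="Your message bounced. Deal with it."):
    return "\n".join([
        "From: admin@example.com",
        "Subject: Undelivered Mail Returned to Sender",
        "To: sender@example.com",
        "Content-Type: multipart/report; report-type=delivery-status;",
        f'\tboundary="{B}"',
        "", "This is a MIME-encapsulated message.", "",
        f"--{B}",
        "Content-Description: Notification",
        "Content-Type: text/plain; charset=utf-8",
        "", notice, "",
        f"--{B}",
        "Content-Description: Delivery report",
        "Content-Type: message/delivery-status",
        "", "Action: Bounce-o-rama", "",
        f"--{B}", *third_part, "", f"--{B}--", ""])


HDR_PART = ["Content-Description: Undelivered Message Headers",
            "Content-Type: text/rfc822-headers", "",
            "From: sender@example.com", "Subject: Testing SES Bounces"]
# Header-only bounce: the original's Content-Type is plain text in part three.
HEADERS_ONLY = bounce(HDR_PART + [INNER])
# Full message returned: the same line is now a header of the attached message.
FULL_MESSAGE = bounce(["Content-Description: Undelivered Message",
                       "Content-Type: message/rfc822", "",
                       "From: sender@example.com", "Subject: Testing SES Bounces",
                       INNER, "", "--TESTING.12345", "Content-Type: text/plain",
                       "", "hello", "--TESTING.12345--"])
# The caveat: ordinary body text that happens to start with the same string.
BODY_TEXT = bounce(HDR_PART + ["Content-Type: text/plain"], notice=NOTICE)

if __name__ == "__main__":
    for name in ("HEADERS_ONLY", "FULL_MESSAGE", "BODY_TEXT"):
        print(name, body_check_hits(globals()[name]))
```

The example reports only which lines are selected; it does not model the rewritten text, because the rule's action is shown on the page only as `X-$${1}`.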


[pfx] Re: Amazon SES rejects text/rfc822-headers when header includes multipart content type - Workaround?

2023-11-20 Thread postfix--- via Postfix-users




On 11/16/2023 3:39 PM, Viktor Dukhovni via Postfix-users wrote:

On Thu, Nov 16, 2023 at 03:18:13PM -0500, postfix--- via Postfix-users wrote:


I'm thinking someone has probably already seen this and wondering if anyone
has a work around (other than send the bounce somewhere else which may or
may not be possible in my current situation, still investigating that).


News to me, FWIW.


In brief if a Postfix bounce message is sent through Amazon SES, and the
bounce message contains a third part with the Content-Type:
text/rfc822-headers, and the original message (and therefore the body part
of the text/rfc822-headers message) included a multipart Content-Type
header, Amazon rejects the bounce message with "554 Transaction failed:
Missing start boundary." I'm guessing this is an error on Amazon's part;
they shouldn't be expecting actual inner boundary delimiters in the
text/rfc822-headers part of the message. (Should they?)


They're definitely wrong.  It's a bug.


I'll include the setup I used to test this below in case I'm missing
something on my end but if not, is there a way around this? I.E., maybe some
way to exclude that header from the text/rfc822-headers part of the message
(for my particular usage I probably won't need it on a bounce; and if it's
between that and getting the message delivered I'd rather it be delivered).


You'd need to apply "body checks" to internally generated mail, which is
generally not recommended, and would apply regardless of context, not
just to bounced header-only content.

  main.cf:
      internal_mail_filter_classes = bounce
      bounce_body_checks = pcre:{ {~^(Content-Type:\s*multipart/)~ X-$${1}} }

  master.cf:
      bounce unix  -   -   n   -   0   bounce
          -o { cleanup_service_name = bounce-cleanup }
      bounce-cleanup unix n   -   n   -   0   cleanup
          -o { receive_override_options = no_milters }
          -o { disable_mime_input_processing = no }
          -o { body_checks = $bounce_body_checks }
          -o { header_checks = }
          -o { nested_header_checks = }



Thank you! This might work for us (and does for this specific test 
case). But do I read you right that the danger is that if the full 
message is returned in the third part of the report then this setup 
would alter those headers as well (which would then presumably break the 
message, since it's not meant to be headers-only)?



[pfx] Re: Return-path: == From:

2023-11-17 Thread postfix--- via Postfix-users

I've a webserver allowed to send mail messages (with PHP) to a postfix relay, 
which sends them to recipients.

I'd want that the return-path be the same that the From sender.



You do this in PHP, PHP creates the email that postfix relays. It's done with 
the -f command line arg.

$to = "u...@example.com";
$from = "f...@example.com";
$subject = "Email Subject";
$headers = ['From' => $from];
$cmdLineParams = "-f $from";
$body  = "Body text line one.\nAnd line two.\n";
mail($to, $subject, $body, $headers, $cmdLineParams);


[pfx] Amazon SES rejects text/rfc822-headers when header includes multipart content type - Workaround?

2023-11-16 Thread postfix--- via Postfix-users
I'm thinking someone has probably already seen this and wondering if 
anyone has a work around (other than send the bounce somewhere else 
which may or may not be possible in my current situation, still 
investigating that).


In brief if a Postfix bounce message is sent through Amazon SES, and the 
bounce message contains a third part with the Content-Type: 
text/rfc822-headers, and the original message (and therefore the body 
part of the text/rfc822-headers message) included a multipart 
Content-Type header, Amazon rejects the bounce message with "554 
Transaction failed: Missing start boundary." I'm guessing this is an 
error on Amazon's part; they shouldn't be expecting actual inner 
boundary delimiters in the text/rfc822-headers part of the message. 
(Should they?)


I'll include the setup I used to test this below in case I'm missing 
something on my end but if not, is there a way around this? I.E., maybe 
some way to exclude that header from the text/rfc822-headers part of the 
message (for my particular usage I probably won't need it on a bounce; 
and if it's between that and getting the message delivered I'd rather it 
be delivered).


I have a support request in to Amazon as well but wanted to try here in 
case someone can shed some light on it.


To test, I basically followed the process below. The "mini_bounce" file 
I refer to came from a real bounce and then I just stripped it 
down/redacted it to what I felt like was necessary to convey the issue.


Thank you in advance!

Dan

# cat good_mini_bounce.txt
From: ad...@mydomain.com
Subject: Undelivered Mail Returned to Sender
To: sen...@mydomain.com
Content-Type: multipart/report; report-type=delivery-status;
    boundary="480A5B8B67.1700153227/dev.mydomain.com"

This is a MIME-encapsulated message.

--480A5B8B67.1700153227/dev.mydomain.com
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Your message bounced. Deal with it.

--480A5B8B67.1700153227/dev.mydomain.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Action: Bounce-o-rama

--480A5B8B67.1700153227/dev.mydomain.com
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers
Content-Transfer-Encoding: 8bit

From: sen...@mydomain.com
To: recipi...@otherdomain.com
Subject: Testing SES Bounces
Content-Type: text/plain; charset=ISO-8859-1

--480A5B8B67.1700153227/dev.mydomain.com--

# sendmail -f ad...@mydomain.com -- sen...@mydomain.com < good_mini_bounce.txt

(above sent ok)

# diff -uw good_mini_bounce.txt bad_mini_bounce.txt
--- good_mini_bounce.txt2023-11-16 14:06:48.132974201 -0500
+++ bad_mini_bounce.txt 2023-11-16 14:11:28.080021179 -0500
@@ -27,6 +27,6 @@
 From: sen...@mydomain.com
 To: recipi...@otherdomain.com
 Subject: Testing SES Bounces
-Content-Type: text/plain; charset=ISO-8859-1
+Content-Type: multipart/mixed; boundary="TESTING.12345"

 --480A5B8B67.1700153227/dev.mydomain.com--
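
Review bot: the replaced Content-Type line (line 30 of the test file) declares boundary="TESTING.12345", but it sits inside the text/rfc822-headers part, so nothing in the file is or needs to be delimited by that boundary; a sentence saying so next to the test case would keep readers from taking the absent TESTING.12345 delimiters for a defect in the input. It is also worth stating that this one line is the only difference between the file that was sent and the file that was rejected, with the outer multipart/report boundary closing normally in both.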

# sendmail -f ad...@mydomain.com -- sen...@mydomain.com < bad_mini_bounce.txt
(host said: 554 Transaction failed: Missing start boundary (in reply to 
end of DATA command))



[pfx] Re: Postfix mails accepted for delivery, but never received

2023-09-10 Thread postfix--- via Postfix-users

Sep 10 12:21:39 wopr postfix/smtp[25425]: 94E7840E5C: to=, 
relay=gmail-smtp-in.l.google.com[74.125.130.27]:25, delay=0.85, 
delays=0.03/0.04/0.56/0.22, dsn=2.0.0, status=sent (250 2.0.0 
38A5LeYj001108-38A5LeYl001108 Message accepted for delivery)



Reporting-MTA: dns; spamfilter-02.totbroadband.com



What’s suspicious here is the "Reporting-MTA: dns; 
spamfilter-02.totbroadband.com" line.




Man in the middle? Your ISP filtering port 25 with good intentions?

Try a telnet connection to those hosts (gmail/mail-tester) on 25 and see who 
actually answers.



[pfx] Re: dkim=none

2023-09-06 Thread postfix--- via Postfix-users

I have set up different txt record for dkim for each domain and the problem is 
that when I'm sending mail via the main domain (space), they are not dkim 
signed.. It either says dkim=none or the dkim header is totally missing.

If I send via the aliased domain I have no issues whatsoever.



Assuming you are using opendkim for signing the .eu domain, did you add the 
.space domain to the dkim config so it knows to sign both domains?
Check /etc/opendkim/SigningTable


[pfx] Re: PDS_OTHER_BAD_TLD

2023-09-03 Thread postfix--- via Postfix-users

Now I can send my mails (changing sender address from space to eu) using the 
same users I had (have) for the .space domain without issues, even to google 
but if I perform an online test for the .eu domain, it still references my 
.space domain and I don't know where that is coming from..

Here's my latest test: https://www.mail-tester.com/test-w8p3e18tf
For that test I also tried changing my server's hostname and PTR to make it 
point to the new eu domain, to no avail.
Can anyone help me solve this issue? If you need more info, just ask.



The PTR hasn't been fixed or hasn't finished propagating yet.

  > nslookup pandora.woodpeckersnest.eu
  Name:pandora.woodpeckersnest.eu
  Address: 51.195.43.203

  > nslookup 51.195.43.203
  Name:pandora.woodpeckersnest.space
  Address: 51.195.43.203

The IP still responds with .space


[pfx] Re: Block based on subject and rcpt to

2023-08-14 Thread postfix--- via Postfix-users

Hi, Is it possible to discard an email based on the Subject and the destination 
email address?

/^Subject:.*Test email subject .*To:.*m...@me.com/ DISCARD



The postfix filters only work on one header at a time. You can not put 
conditions for multiple headers.
As already suggested, a milter would be able to do this.


[pfx] Re: A new Postfix book in the making - "Run Your Own Mail Server"

2023-08-06 Thread postfix--- via Postfix-users



I would really look forward to this. I've been running my own mail server 
for over two decades. First with qmail, but the larger latter half with 
postfix. It's running pretty well, but there are still aspects that could 
be sharpened up, or configurations that I blindly relied on tutorials for 
without a full understanding of what is happening.


Before I reluctantly moved to Debian, your multiple editions of your 
FreeBSD book was my bible for years. Each edition was written excellently, 
without any sense of 'RTFM', and had a very human element (including 
humor). Your writing style makes it so painless to follow and truly learn 
the techniques.


I got to meet you some time ago at NYC*BSDcon and confirmed that you were 
just as cool as you came off in your writing.



Jonathan



On Sun, 6 Aug 2023, Michael W. Lucas via Postfix-users wrote:


On Sun, Aug 06, 2023 at 01:57:34PM -0500, Scott Techlist via Postfix-users 
wrote:

Michael W. Lucas is writing a book about "Run Your Own Mail Server"
featuring the Postfix mail server. Michael has written and published a
Chapter 0 that gives an impression what the book will contain. Besides
the technical aspects, the book will cover the email ecosystem and how
to fit well into this ecosystem.

The books Michael writes are little gems, nice to read, often funny,
always "to-the-point" and not expensive. This might be his most
important (technical) book.

Michael is self-publishing his books, and he collects sponsorship
money to be able to write this (and more) books. Please read Chapter 0
and consider sponsoring this new book:

Chapter 0: 

Sponsorship page: 





Anyone know of any progress on this book?



Progress is progressing.

How close to done? Hard to say. I never know until it's done.

==ml

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Absolute FreeBSD, Butterfly Stomp Waltz, Forever Falls, etc...
### New books: DNSSEC Mastery, Letters to ed(1), $ git sync murder ###


[pfx] Re: Getting Recipient when Message size limit is exceeded

2023-07-07 Thread postfix--- via Postfix-users

Currently Postfix does not show in the log the Recipient of emails that exceed 
message_size_limit because MAIL FROM comes before RCPT TO... but
is there any nice way of forcing Postfix to reject that email after the RCPT 
TO?



  http://www.postfix.org/postconf.5.html#smtpd_delay_reject



[pfx] Re: SPF questions

2023-06-12 Thread postfix--- via Postfix-users

I saw some domains have MX pointing to 127.0.0.1. what does this mean?


This will tell the sender of the email to connect to 127.0.0.1 which is itself. 
It will send the mail program chasing its own tail.


[pfx] Re: per-domain header/body checks?

2023-05-21 Thread postfix--- via Postfix-users

I'm using multi-instance postfix-3.7.2 on fedora37 and would like to be
able to control which header and body checks apply to which domain in a
specific instance. I'm looking for advice on the best way to do this.



I'd say, start with one instance per domain. The 'cost' of doing so
is really small.



Or the more specialized/complex way is to custom code a scripting milter with 
like MIMEDefang or MailMunge.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: DKIM and DMARC

2023-05-16 Thread postfix--- via Postfix-users

K.I.S.S.

Because of forwarding, both SPF or DKIM signatures *could* be broken. This is 
what DMARC was introduced for.
DMARC checks the results of both SPF and DKIM, and as long as one of those two 
passes then the mail is good so DMARC passes.
If both SPF and DKIM fail, then DMARC fails, and *THEN* you reject the mail 
(policy permitting).

So no, imo, you should not blindly reject based on the outcome of DKIM.

Now, because not everyone understands or knows how all three SPF DKIM and DMARC 
play together and doesn't set all three up on their mail server...
If you have the ability to fine tune your policy, one step further would be to 
reject on a DKIM fail *ONLY* if there is no DMARC and no SPF setup.
And vice versa for SPF, if they are only using SPF and have no DKIM or DMARC 
then reject on a failed SPF.


[pfx] Re: how to implement plus address

2023-05-13 Thread postfix--- via Postfix-users

Put the following in /etc/postfix/main.cf:

  recipient_delimiter = +

cheers,
raf



Just FYI;

If you are using dovecot and postfix is handing off delivery to dovecot (such 
as LMTP) you also need to make sure that setting is in the dovecot config or 
dovecot will backscatter as unknown user.


[pfx] Re: Postfix refuses to accept email from video camera

2023-04-15 Thread postfix--- via Postfix-users

Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: connect from 
unknown[192.168.1.44]
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: SSL_accept error from 
unknown[192.168.1.44]: Connection reset by peer
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: lost connection after 
CONNECT from unknown[192.168.1.44]
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: disconnect from 
unknown[192.168.1.44] commands=0/0



SSL_accept error


Either the camera doesn't want to use SSL, or there is an issue with your SSL 
certificate and a new one is needed.



[pfx] smtp_tls_security_level per user

2023-03-25 Thread postfix--- via Postfix-users

smtp_tls_security_level = may/encrypt sets global policy for the server. Is there a way 
to override that on a per user basis when delivering mail to another public server? For 
example if the server default is "may" can email being sent from 
a_select_u...@example.com behave as if smtp_tls_security_level = encrypt?

If one user doesn't ever want mail going out unencrypted but you don't want to 
force that on the entire server. My first thought is there is no way for 
Postfix to track who SASL sent the email after it's been injected, but thought 
I'd ask if there are any options.


[pfx] Re: list.sys4.de fails with starttls

2023-03-17 Thread postfix--- via Postfix-users

My server [204.10.37.139] also.

Mar 17 07:32:36 host postfix/smtpd[1474828]: connect from 
list.sys4.de[188.68.34.52]
Mar 17 07:32:36 host postfix/smtpd[1474828]: SSL_accept error from 
list.sys4.de[188.68.34.52]: lost connection
Mar 17 07:32:36 host postfix/smtpd[1474828]: lost connection after STARTTLS 
from list.sys4.de[188.68.34.52]
Mar 17 07:32:36 host postfix/smtpd[1474828]: disconnect from 
list.sys4.de[188.68.34.52] ehlo=1 starttls=0/1 commands=1/2

I have 12 of these attempts so far today.


[pfx] Re: MySQL error from not all the receiver

2023-03-11 Thread postfix--- via Postfix-users

some times, for not all of address, my mail remaining in queue



what can I check?
is the problem the server configuration or the SPF record?



Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock'



The problem isn't SPF. The problem is postfix can't open the database to 
continue processing, so it has to give up and put the mail in queue to try 
again later. You need to figure out why postfix can't connect to the database. 
Is the database stopped? Is it on the same server as postfix? Does the socket 
have the correct permissions? Is postfix running in chroot denying access? 
Selinux issue?



[pfx] [P-U] Re: The joke writes itself.

2023-03-09 Thread postfix--- via Postfix-users

If I'd change anything I would delete the '-' in the middle of the
current tag.


I'm all in favour, though I'd also be happy with [U], [D], and [A]. :-)



Or we all could be adults and not giggle like little girls at seeing [P-U]


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread postfix--- via Postfix-users

The very much worth reading RFC 9057 of Dave Crocker defines an Author: field...


I like that idea better than my suggestion of footer or x-header.


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread postfix--- via Postfix-users

Is it the best idea to add a reply-to header to the author on mailing list 
emails?
The problem I see is many people will hit reply in their email client which 
will create an email from them to the author, bypassing the mailing list.
Unless they remember to manually alter the To: field to keep the conversation 
on the list, it won't be.

Was that the intent?



This (same-domain From: header and DKIM signature) is DMARC damage control.

Wietse



I totally understand the benefit of putting the list address in the From: 
header.
But why does that mean something *HAS* to be put in the reply-to header?

It isn't important for me to know the author's address to answer the content of 
the list mail. If it's important for others to know who authored the email, the 
address can be included as tag line information in the footer that is already 
being appended by the list. Or make up an x-header for tracking/investigative 
purposes.

I just predict emails being replied to directly and not kept on list. I've said 
my 2 cents, I will let it go.


[P-U] New List Host and Reply-to Header

2023-03-09 Thread postfix--- via Postfix-users

Is it the best idea to add a reply-to header to the author on mailing list 
emails?
The problem I see is many people will hit reply in their email client which 
will create an email from them to the author, bypassing the mailing list.
Unless they remember to manually alter the To: field to keep the conversation 
on the list, it won't be.

Was that the intent?


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread postfix--- via Postfix-users

I am still seeing DKIM fails and two DKIM-Signatures.
Is this correct? Haven't seen this with other mails but I cannot rule out a 
config issue on my side. Is someone else observing that?


Yes there will be two DKIM signatures due to the configuration of the mailing 
list.
The first DKIM signature is from the email author to the mailing list.
The second DKIM signature is added by the mailing list when it is resent to 
everyone on the list.

The SPF will pass, because the email is from the list and matches the SPF 
records.
The first DKIM signature created by the author will fail because the mailing 
list altered the email adding a footer and reply-to headers.
The second DKIM signature will pass because it was signed by the list before 
sending to you.

With the SPF pass, and one DKIM pass, DMARC should pass and the email should be 
accepted as legit.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
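How a receiver turns the per-mechanism results described above into a DMARC verdict, as an added example that is not part of the original post: DMARC passes when SPF or at least one DKIM signature passes and its domain aligns with the header From: domain. The domains in the sample results are constructed from names seen in this thread, and `org_domain` is a naive last-two-labels assumption where real verifiers use the Public Suffix List.

```python
def org_domain(domain):
    # Assumption: naive "last two labels"; real verifiers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match, relaxed only the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)


def dmarc_verdict(from_domain, spf, dkim_sigs, adkim="r", aspf="r"):
    """spf is (result, envelope-from domain); dkim_sigs is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf == "s")
    dkim_ok = [d for result, d in dkim_sigs
               if result == "pass" and aligned(d, from_domain, adkim == "s")]
    return {"spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}


# Constructed sample: list mail with the list's own domain in From:. The author's
# signature fails (footer added), the list's signature passes and aligns.
LIST_MAIL = dict(from_domain="postfix.org",
                 spf=("pass", "postfix.org"),
                 dkim_sigs=[("fail", "ptld.com"), ("pass", "postfix.org")])

# Constructed counter-case: same results, but From: still carries the author's
# domain. SPF and the list signature pass, yet neither aligns with From:.
UNREWRITTEN = dict(from_domain="ptld.com",
                   spf=("pass", "postfix.org"),
                   dkim_sigs=[("fail", "ptld.com"), ("pass", "postfix.org")])

if __name__ == "__main__":
    print(dmarc_verdict(**LIST_MAIL))
    print(dmarc_verdict(**UNREWRITTEN))
```

The counter-case shows why the list puts its own domain in From: a passing SPF or DKIM result only counts toward DMARC when its domain aligns with the From: domain.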


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread postfix--- via Postfix-users

We'll generate a new 2024 Bit key pair and place the new key in DNS. When we
do that we'll also see to fix the h=sha256 problem. This will take place
within the next 12 hours. Mailman will be restarted in the end and the service
will be unavailable for about 30 seconds. No list mail will be lost.

p@rick



This is a test email to see if the changes above fixed the opendmarc issues.
Assuming the list is using the new key by now.



It worked. My setup no longer gets the "can't read SMFIC_BODYEOB" error,
and I don't need to include "list.sys4.de" in the opendmarc ignore list as a 
workaround.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread postfix--- via Postfix-users

We'll generate a new 2024 Bit key pair and place the new key in DNS. When we
do that we'll also see to fix the h=sha256 problem. This will take place
within the next 12 hours. Mailman will be restarted in the end and the service
will be unavailable for about 30 seconds. No list mail will be lost.

p@rick



This is a test email to see if the changes above fixed the opendmarc issues.
Assuming the list is using the new key by now.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread postfix--- via Postfix-users

We'll generate a new 2024 Bit key pair and place the new key in DNS. When we
do that we'll also see to fix the h=sha256 problem. This will take place
within the next 12 hours. Mailman will be restarted in the end and the service
will be unavailable for about 30 seconds. No list mail will be lost.

p@rick



Can you announce on the list when this is completed so we can test if it 
resolves the issue with opendmarc failing? Thank you.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

No solution so far, I think there are 2-3 open bug reports on
github, but since the project is very dead, nobody has bothered to
fix the problem.



So what's the option for a more up-to-date version of DKIM milter for Debian?


And what would be a DMARC replacement or solution for RHEL systems?


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

OpenDMARC is segfaulting. That's what 'signal 11' means. Postfix fails to get 
an answer to its end-of-body milter call because of the segfault closing the 
other end of that socket. That failure results in Postfix sending a 4xx to the 
client.
First step is to verify your installation of OpenDMARC. Make sure you have a 
current version, that its dependencies are consistent with the build, etc.



I ran into the same problem. I found that the opendmarc package in Debian 
bullseye is vulnerable to CVE-2021-34555, and I believe this is the source of 
the crash (in combination with the new email headers from the mailing list 
transition).

I solved the problem by upgrading to the version of opendmarc in Debian testing.



I am using RHEL8 and after checking for updates I was able to update opendmarc 
to 1.4.2 (from 1.4.1); however, it still has the error, only with mail from this 
list.
In the meantime, as suggested, I added "list.sys4.de" to the ignorelist to be 
able to accept list mail again. However, I would like to solve the problem and not rest on 
a band-aid.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

OpenDMARC is segfaulting. That's what 'signal 11' means. Postfix fails to get 
an answer to its end-of-body milter call because of the segfault closing the 
other end of that socket. That failure results in Postfix sending a 4xx to the 
client.

First step is to verify your installation of OpenDMARC. Make sure you have a 
current version, that its dependencies are consistent with the build, etc.



Yes, I understood the problem to be something is "breaking" in opendmarc and 
postfix is soft bouncing based on service/milter not available. What I don't understand 
is why this is happening only with the new list host. This hasn't happened with any other 
server and while this is going on my server is still accepting and delivering mail from 
other mail servers without issue. Right now all list mail is bouncing so please CC: me 
directly so I may receive replies.

As far as I know everything is up to date.

[root]# opendmarc -V
opendmarc: OpenDMARC Filter v1.4.1
SMFI_VERSION 0x101
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

I know this is going out of scope so I will reach out to the opendmarc list.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

Reviewing logs I notice many soft bounces from the new list. Some emails from 
the new list have been accepted and I don't understand what the differences 
are. I have not seen these types of errors before and don't understand what is 
causing them. Here are just two examples:


Mar  7 13:05:25 host postfix/smtpd[1152692]: connect from 
list.sys4.de[188.68.34.52]
Mar  7 13:05:25 host opendmarc[1152829]: /etc/opendmarc.conf:
Mar  7 13:05:26 host postfix/smtpd[1152692]: 4PWNdy5lkcz4l3gy: 
client=list.sys4.de[188.68.34.52]
Mar  7 13:05:26 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: 
message-id=
Mar  7 13:05:26 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: info: header Subject: [P-U] Re: 
Poster Name not visible in Thunderbird from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:05:26 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: info: header From: Noel Jones via 
Postfix-users  from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:05:26 host opendkim[1883]: 4PWNdy5lkcz4l3gy: list.sys4.de 
[188.68.34.52] not internal
Mar  7 13:05:26 host opendkim[1883]: 4PWNdy5lkcz4l3gy: not authenticated
Mar  7 13:05:27 host opendkim[1883]: 4PWNdy5lkcz4l3gy: message has signatures 
from postfix.org, megan.vbhcs.org
Mar  7 13:05:27 host opendkim[1883]: 4PWNdy5lkcz4l3gy: DKIM verification 
successful
Mar  7 13:05:27 host postfix/cleanup[1152719]: warning: milter 
unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet 
header: Success
Mar  7 13:05:27 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: milter-reject: END-OF-MESSAGE 
from list.sys4.de[188.68.34.52]: 4.7.1 Service unavailable - try again later; 
from= to= proto=ESMTP 
helo=
Mar  7 13:05:27 host opendmarc[1877]: terminated with signal 11, restarting
Mar  7 13:05:27 host postfix/smtpd[1152692]: disconnect from 
list.sys4.de[188.68.34.52] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 
commands=6/7
Mar  7 13:05:27 host opendmarc[1152893]: OpenDMARC Filter v1.4.1 starting 
(args: -c /etc/opendmarc.conf -P /run/opendmarc/opendmarc.pid)
Mar  7 13:05:27 host opendmarc[1152893]: additional trusted authentication 
services: (none)


Mar  7 13:18:55 host postfix/smtpd[1153940]: connect from 
list.sys4.de[188.68.34.52]
Mar  7 13:18:55 host opendmarc[1153579]: /etc/opendmarc.conf:
Mar  7 13:18:57 host postfix/smtpd[1153940]: 4PWNxY2dFlz4l3gy: 
client=list.sys4.de[188.68.34.52]
Mar  7 13:18:57 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: 
message-id=<60a0790cfdbbe3f5c72786e4f6519...@ptld.com>
Mar  7 13:18:57 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: info: header Subject: [P-U] Re: 
Postfix lists are migrating to a new list server from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:18:57 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: info: header From: postfix--- via 
Postfix-users  from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: list.sys4.de 
[188.68.34.52] not internal
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: not authenticated
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: message has signatures 
from postfix.org, ptld.com
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: DKIM verification 
successful
Mar  7 13:18:58 host postfix/cleanup[1153970]: warning: milter 
unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet 
header: Success
Mar  7 13:18:58 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: milter-reject: END-OF-MESSAGE 
from list.sys4.de[188.68.34.52]: 4.7.1 Service unavailable - try again later; 
from= to= proto=ESMTP 
helo=
Mar  7 13:18:58 host opendmarc[1877]: terminated with signal 11, restarting
Mar  7 13:18:58 host opendmarc[1153979]: OpenDMARC Filter v1.4.1 starting 
(args: -c /etc/opendmarc.conf -P /run/opendmarc/opendmarc.pid)
Mar  7 13:18:58 host opendmarc[1153979]: additional trusted authentication 
services: (none)
Mar  7 13:18:58 host postfix/smtpd[1153940]: disconnect from 
list.sys4.de[188.68.34.52] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 
commands=6/7


What is broken on my end causing these DMARC SMFIC_BODYEOB errors?
Since most of the list mail is being bounced by my setup can someone email me 
directly and not through the list if they know the answer to fix this?

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
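One way to pull this failure pattern out of a mail log, as an added example that is not part of the original post: it ties each cleanup "can't read SMFIC_BODYEOB" warning to the milter-reject logged by the same cleanup process and to a milter crash logged within a few seconds. The sample log is constructed from the lines in the post (wrapped lines joined, plus one invented unrelated reject), and matching the crashed program's name against the milter socket path is an assumption of this sketch.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log excerpt in the post (wrapped lines joined).
SAMPLE_LOG = """\
Mar  7 13:05:27 host opendkim[1883]: 4PWNdy5lkcz4l3gy: DKIM verification successful
Mar  7 13:05:27 host postfix/cleanup[1152719]: warning: milter unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet header: Success
Mar  7 13:05:27 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: milter-reject: END-OF-MESSAGE from list.sys4.de[188.68.34.52]: 4.7.1 Service unavailable - try again later
Mar  7 13:05:27 host opendmarc[1877]: terminated with signal 11, restarting
Mar  7 13:20:01 host postfix/cleanup[1154000]: 4PWNzz0aaaz4l3gy: milter-reject: END-OF-MESSAGE from mail.example.net[192.0.2.10]: 5.7.1 rejected by policy
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([\w/.-]+)\[(\d+)\]: (.*)$")
EOB_FAIL = re.compile(r"warning: milter (\S+): can't read SMFIC_BODYEOB reply")
REJECT = re.compile(r"^(\w+): milter-reject: END-OF-MESSAGE from (\S+?)\[[^\]]+\]: (\d\.\d\.\d)")
CRASH = re.compile(r"terminated with signal (\d+)")


def find_milter_crashes(log_text, window=timedelta(seconds=5), year=2023):
    """Return one incident per end-of-body read failure, enriched where possible."""
    pending, incidents = {}, []   # pending: cleanup pid -> incident awaiting its reject line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, prog, pid, msg = m.groups()
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        fail, rej, crash = EOB_FAIL.search(msg), REJECT.match(msg), CRASH.search(msg)
        if prog == "postfix/cleanup" and fail:
            inc = {"time": ts, "milter": fail.group(1), "queue_id": None,
                   "client": None, "dsn": None, "crashed": None, "signal": None}
            pending[pid] = inc
            incidents.append(inc)
        elif prog == "postfix/cleanup" and rej and pid in pending:
            inc = pending.pop(pid)   # same cleanup process, so same message
            inc["queue_id"], inc["client"], inc["dsn"] = rej.groups()
        elif crash:
            for inc in incidents:
                # Heuristic: program name appears in the milter socket path.
                if inc["signal"] is None and prog in inc["milter"] and ts - inc["time"] <= window:
                    inc["crashed"], inc["signal"] = prog, int(crash.group(1))
    return incidents


if __name__ == "__main__":
    for incident in find_milter_crashes(SAMPLE_LOG):
        print(incident)
```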


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

What date does this take effect and we start receiving list mail from the new 
server host?


7th March 2023 (today), 12:35 UTC (approx 5 hours ago).



Oh, silly me. I thought they said a footer would be added when it happened. 
Guess I read that wrong.
Looks like no issues and I didn't have to do anything, it just worked.

  Authentication-Results: dmarc=pass (p=quarantine dis=none) header.from=sys4.de
  Authentication-Results: spf=pass smtp.mailfrom=sys4.de
  Authentication-Results: dkim=pass (1024-bit key, secure) header.d=sys4.de 
header.i=@sys4.de header.a=rsa-sha256 header.s=20190903 header.b=mKunzef7



[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

What date does this take effect and we start receiving list mail from the new 
server host?
So we can keep an eye out to make sure no issues on our side, whitelisting if 
needed.