[pfx] Re: localhost.com in the logs

2024-06-06 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 06, 2024 at 04:01:06PM -0400, Wietse Venema via Postfix-users wrote:
> GDS via Postfix-users:
> > Hello, I am seeing hundreds of lines like the one below in my mail.log from 
> > this specific IP address, which belongs to Google. 
> > Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D: 
> > to=, orig_to=, relay=none, delay=4099, 
> > delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily 
> > suspended: connect to localhost.com[74.125.224.72]:25: Connection timed out)
> > 
> 
> Maybe you have  "myhostname = something.com" and Postfix infers $mydomain 
> from that.

Indeed, when "mydomain" is not explicitly specified, one label is
dropped even if only two were present in $myhostname.

$ postconf -o myhostname=foo.com mydomain
mydomain = com

which, in combination with "append_dot_mydomain = yes", would match the
OP's report/observations.

It might be reasonable to infer "mydomain = $myhostname" when the latter
has two or fewer labels.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
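The rewrite Viktor describes, modelled in Python as an added example (this is not Postfix code). The label-dropping rule is the one his postconf command shows; the "localdomain" fallback for a single-label hostname and the stock mydestination default of "$myhostname, localhost.$mydomain, localhost" are taken from postconf(5); the effect of append_dot_mydomain is the documented one. The hostname and the mydestination list are the ones from Greg's report. Note that append_dot_mydomain defaults to "no" since Postfix 3.0, so the rewrite below needs an older install or an explicit "yes".

```python
"""Model of $mydomain inference and append_dot_mydomain rewriting.

Added example, not Postfix code. Rules modelled:
  - mydomain defaults to $myhostname minus its first label, or
    "localdomain" when $myhostname has a single label (postconf(5));
  - with append_dot_mydomain = yes, an address whose domain part
    contains no "." gets ".$mydomain" appended.
Hostname and mydestination values are the ones from Greg's report.
"""

from typing import Optional


def infer_mydomain(myhostname: str, mydomain: Optional[str] = None) -> str:
    """Return the effective $mydomain.

    An explicit setting wins. Otherwise the first label of $myhostname is
    dropped even when only two labels are present, so "mydomain.com"
    yields "com"; a single-label hostname yields "localdomain".
    """
    if mydomain:
        return mydomain
    labels = myhostname.rstrip(".").split(".")
    if len(labels) < 2:
        return "localdomain"
    return ".".join(labels[1:])


def qualify(address: str, mydomain: str, append_dot_mydomain: bool) -> str:
    """Apply the append_dot_mydomain rewrite to a user@host address."""
    local, at, domain = address.partition("@")
    if not at:
        return address   # no domain part; append_at_myorigin is a separate step
    if append_dot_mydomain and "." not in domain:
        domain = f"{domain}.{mydomain}"
    return f"{local}@{domain}"


def delivery_class(address: str, mydestination: set) -> str:
    """'local' if the (rewritten) domain is listed in $mydestination,
    else 'remote', i.e. handed to the smtp client for a DNS lookup."""
    domain = address.rpartition("@")[2].lower()
    return "local" if domain in {d.lower() for d in mydestination} else "remote"


def trace(myhostname: str, append_dot_mydomain: bool,
          mydomain: Optional[str] = None, address: str = "root@localhost") -> dict:
    """Walk one address through both steps and report the outcome."""
    mydestination = {"localhost", "localhost.localdomain"}   # from Greg's main.cf
    eff = infer_mydomain(myhostname, mydomain)
    rewritten = qualify(address, eff, append_dot_mydomain)
    return {
        "mydomain": eff,
        "rewritten": rewritten,
        "class": delivery_class(rewritten, mydestination),
    }


if __name__ == "__main__":
    # Greg's setup: myhostname = mydomain.com, append_dot_mydomain = yes
    print(trace("mydomain.com", append_dot_mydomain=True))
    # mydomain becomes "com"; root@localhost turns into root@localhost.com,
    # a domain somebody else owns, so the mail goes out to its MX.
    print(trace("mydomain.com", append_dot_mydomain=False))
    # root@localhost is left alone and stays local.
```

Setting mydomain explicitly only changes the target of the rewrite (with mydomain = mydomain.com the trace gives root@localhost.mydomain.com, still remote with Greg's two-entry mydestination). The rewrite stops when append_dot_mydomain is "no", or the rewritten name becomes local when mydestination includes localhost.$mydomain, as the stock default does. On a real system, "postconf -d mydomain append_dot_mydomain mydestination" shows the compiled-in defaults and "postconf -n" the overrides.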


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread Roy Bellingan via Postfix-users

Thank you, was not aware of this detail.

On 06/06/24 21:48, Wietse Venema via Postfix-users wrote:

> Roy Bellingan via Postfix-users:
>
> > Good evening, I am not able to use this parameter.
> >
> > My current version is 3.9.2. I already have many other entities
> > configured to use mysql, but for some reason this one is silently ignored
> > and produces no error.
> >
> > If I use the hash method and follow https://www.postfix.org/SASL_README.html
> > I should write the config file like
> >
> >  /etc/postfix/sasl_passwd:
> >   # Per-sender authentication; see also /etc/postfix/sender_relay.
> >   us...@example.com   username1:password1
> >   us...@example.net   username2:password2
> >   # Login information for the default relayhost.
> >   [mail.isp.example]  username:password
> >   # Alternative form:
> >   # [mail.isp.example]:submission username:password
> >
> > Therefore I wrote
> > [smtp-relay.brevo.com]:587 x@y.z:123
> >
> > But this will NOT work; I instead have to write
> >
> > smtp-relay.brevo.com:587 x@y.z:123
>
> That form turns on MX record lookup. Postfix should not do such
> lookups for smtp-relay.brevo.com.
>
> Specify [smtp-relay.brevo.com]:587 in main.cf:relayhost (or whatever
> you are getting the relay from).
>
> Wietse


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread Wietse Venema via Postfix-users
Roy Bellingan via Postfix-users:
> Good evening, I am not able to use this parameter.
> 
> My current version is 3.9.2. I already have many other entities
> configured to use mysql, but for some reason this one is silently ignored
> and produces no error.
> 
> If I use the hash method and follow https://www.postfix.org/SASL_README.html
> I should write the config file like
> 
> /etc/postfix/sasl_passwd:
>  # Per-sender authentication; see also /etc/postfix/sender_relay.
>  us...@example.com   username1:password1
>  us...@example.net   username2:password2
>  # Login information for the default relayhost.
>  [mail.isp.example]  username:password
>  # Alternative form:
>  # [mail.isp.example]:submission username:password
> 
> Therefore I wrote
> [smtp-relay.brevo.com]:587 x@y.z:123
> 
> But this will NOT work; I instead have to write
> 
> smtp-relay.brevo.com:587 x@y.z:123

That form turns on MX record lookup. Postfix should not do such
lookups for smtp-relay.brevo.com.

Specify [smtp-relay.brevo.com]:587 in main.cf:relayhost (or whatever
you are getting the relay from).

Wietse


[pfx] Re: SMTP command trace

2024-06-06 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users:
> Hello,
> 
> I am trying to obtain a SMTP command trace for a specific destination.
> I tried with debug_peer_list and debug_peer_level, but it looked
> like not all commands are included but lots of other information
> that were distracting.

What commands are missing? Are you screwed by systemd throttling?

For SMTP commands and responses, a debug level of 1 will be sufficient.
The Postfix default setting "debug_peer_level = 2" is higher than
needed, and may cause systemd to drop information.

Wietse


[pfx] Re: SMTP command trace

2024-06-06 Thread postfix--- via Postfix-users

> > Did you increase the level higher than 2?
> > debug_peer_level = 5 should show all SMTP commands issued.
>
> Even at 5 I can see only inbound SMTP trace, but not outbound.
> Even higher?

The levels go from 1 to 10. I don't know if you will get more commands going
higher than 5. I was under the impression 5 included all commands and going
higher just adds more internal workings, like what is happening behind the
scenes for each command. But I've yet to find clear documentation on what
exactly each level does. Either Wietse or Viktor should know better about the
levels.


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread Roy Bellingan via Postfix-users
Negative, I was not aware I had to keep the same syntax in the mysql table. I
do not think I have seen the [ ] syntax used in that case.


On 06/06/24 21:30, postfix--- via Postfix-users wrote:
> > If I use the hash method and follow
> > https://www.postfix.org/SASL_README.html
> >
> > I should write the config file like
> >
> > /etc/postfix/sasl_passwd:
> > # Per-sender authentication; see also /etc/postfix/sender_relay.
> > us...@example.com   username1:password1
> > us...@example.net   username2:password2
> > # Login information for the default relayhost.
> > [mail.isp.example]  username:password
> > # Alternative form:
> > # [mail.isp.example]:submission username:password
> >
> > Therefore I wrote
> > [smtp-relay.brevo.com]:587  x@y.z:123
> >
> > But this will NOT work; I instead have to write
>
> If you specify the "[" and "]" in the relayhost destination, then you
> must use the same form in the smtp_sasl_password_maps file.
>
> Are you using the same [ ] formatting in both places?


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread postfix--- via Postfix-users

> If I use the hash method and follow https://www.postfix.org/SASL_README.html
> I should write the config file like
>
> /etc/postfix/sasl_passwd:
> # Per-sender authentication; see also /etc/postfix/sender_relay.
> us...@example.com   username1:password1
> us...@example.net   username2:password2
> # Login information for the default relayhost.
> [mail.isp.example]  username:password
> # Alternative form:
> # [mail.isp.example]:submission username:password
>
> Therefore I wrote
> [smtp-relay.brevo.com]:587  x@y.z:123
>
> But this will NOT work; I instead have to write

If you specify the "[" and "]" in the relayhost destination, then you must use
the same form in the smtp_sasl_password_maps file.
Are you using the same [ ] formatting in both places?


[pfx] Re: SMTP command trace

2024-06-06 Thread postfix--- via Postfix-users

> I tried with debug_peer_list and debug_peer_level, but it looked like not all
> commands are included

Did you increase the level higher than 2?
debug_peer_level = 5 should show all SMTP commands issued.


[pfx] Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread Roy Bellingan via Postfix-users

Good evening, I am not able to use this parameter.

My current version is 3.9.2. I already have many other entities
configured to use mysql, but for some reason this one is silently ignored
and produces no error.


If I use the hash method and follow https://www.postfix.org/SASL_README.html
I should write the config file like

   /etc/postfix/sasl_passwd:
   # Per-sender authentication; see also /etc/postfix/sender_relay.
   us...@example.com   username1:password1
   us...@example.net   username2:password2
   # Login information for the default relayhost.
   [mail.isp.example]  username:password
   # Alternative form:
   # [mail.isp.example]:submission username:password

Therefore I wrote
[smtp-relay.brevo.com]:587 x@y.z:123

But this will NOT work; I instead have to write

smtp-relay.brevo.com:587 x@y.z:123

Would you mind amending the doc?

Thank you.
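A small consistency check, added here as an example (not Postfix code), that encodes the two points made in the replies above: the key in smtp_sasl_password_maps must be spelled exactly like the relayhost destination, brackets and port included, and a relayhost without brackets makes Postfix look up MX records for the name. The relayhost value and the two sasl_passwd contents are constructed to mirror the original poster's setup; the credentials are dummies.

```python
"""Consistency check between relayhost and an smtp_sasl_password_maps file.

Added example, not Postfix code. Two rules from the thread are encoded:
  - the password-map key must be written exactly as the relayhost
    destination is, "[host]:port" included;
  - a relayhost without [] makes Postfix do an MX lookup on the name.
The relayhost value and the map contents below are constructed samples.
"""

from typing import Dict, List

RELAYHOST = "[smtp-relay.brevo.com]:587"

# What the original poster wrote: same host, but the key lacks the [].
SASL_PASSWD_MISMATCH = """\
# Login information for the default relayhost
smtp-relay.brevo.com:587   relayuser@example.com:dummy-password
"""

# The form that matches a bracketed relayhost.
SASL_PASSWD_MATCH = """\
[smtp-relay.brevo.com]:587   relayuser@example.com:dummy-password
"""


def parse_destination(dest: str) -> dict:
    """Split "[host]:port", "[host]", "host:port" or "host" into parts."""
    if dest.startswith("["):
        close = dest.find("]")
        if close < 0:
            raise ValueError(f"unterminated [ in {dest!r}")
        host, rest, bracketed = dest[1:close], dest[close + 1:], True
    else:
        host, sep, port = dest.partition(":")
        rest, bracketed = (":" + port if sep else ""), False
    if rest and not rest.startswith(":"):
        raise ValueError(f"garbage after host in {dest!r}")
    return {"host": host, "port": rest[1:] or None, "bracketed": bracketed}


def parse_sasl_passwd(text: str) -> Dict[str, str]:
    """Parse 'key  username:password' lines the way postmap reads them:
    comments and blank lines are skipped, key and value split on whitespace."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries


def check(relayhost: str, sasl_passwd_text: str) -> dict:
    """Report whether the map has a key usable for this relayhost."""
    dest = parse_destination(relayhost)
    keys = parse_sasl_passwd(sasl_passwd_text)
    messages: List[str] = []
    result = {
        "mx_lookup": not dest["bracketed"],
        "exact_match": relayhost in keys,
        "form_mismatch": False,
        "messages": messages,
    }
    if result["mx_lookup"]:
        want = f"[{dest['host']}]" + (f":{dest['port']}" if dest["port"] else "")
        messages.append(f"relayhost {relayhost!r} has no []: Postfix will do an MX "
                        f"lookup for {dest['host']}; write it as {want!r}")
    if not result["exact_match"]:
        for key in keys:
            try:
                same_host = parse_destination(key)["host"] == dest["host"]
            except ValueError:
                continue
            if same_host:
                result["form_mismatch"] = True
                messages.append(f"map key {key!r} names the same host as relayhost "
                                f"{relayhost!r} but in a different form; both must "
                                "use the same [] and :port spelling")
                break
        else:
            messages.append(f"no entry for {dest['host']} in smtp_sasl_password_maps")
    return result


if __name__ == "__main__":
    for text in (SASL_PASSWD_MISMATCH, SASL_PASSWD_MATCH):
        print(check(RELAYHOST, text)["messages"] or ["ok"])
```

On a real system the same question is answered directly by `postmap -q "[smtp-relay.brevo.com]:587" hash:/etc/postfix/sasl_passwd`, or with the mysql: table type in place of hash:, where the key column must hold the same bracketed string. Keep the file readable by root only (SASL_README has it at mode 600): it carries the relay credentials in the clear.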


[pfx] SMTP command trace

2024-06-06 Thread Joachim Lindenberg via Postfix-users
Hello,

I am trying to obtain an SMTP command trace for a specific destination. I tried
with debug_peer_list and debug_peer_level, but it looked like not all commands
were included, and there was a lot of other, distracting information.

Any tip?

The old recommendation to use Wireshark doesn't work in an encrypted world.

Thanks,

Joachim


[pfx] Re: localhost.com in the logs

2024-06-06 Thread Wietse Venema via Postfix-users
GDS via Postfix-users:
> Hello, I am seeing hundreds of lines like the one below in my mail.log from 
> this specific IP address, which belongs to Google. 
> Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D: 
> to=, orig_to=, relay=none, delay=4099, 
> delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily 
> suspended: connect to localhost.com[74.125.224.72]:25: Connection timed out)
> 

Maybe you have  "myhostname = something.com" and Postfix infers $mydomain from 
that.

Wietse


[pfx] Re: localhost.com in the logs

2024-06-06 Thread postfix--- via Postfix-users

Trouble Shooting Areas
======================

Make sure mydestination contains localhost for postfix to know it gets 
delivered locally.

Also double check myhostname, mydomain, and myorigin for anything that doesn't 
look right.

Make sure nothing in /etc/aliases is sending root somewhere else.

Make sure /etc/hosts has 127.0.0.1 for localhost.

Check remote_header_rewrite_domain to see if it's changing addresses.

The following maps have the ability to rewrite addresses, check if anything 
looks out of place in
  canonical_maps
  generic_maps
  virtual_alias_maps
  transport_maps
  relay_domains
  masquerade_domains


[pfx] Re: localhost.com in the logs

2024-06-06 Thread GDS via Postfix-users
Thank you, I have checked all aliases, virtual and otherwise, and there is
nothing... This is strange...
Would adding a catchall alias (should it be in /etc/aliases or virtual aliases?)
for root perhaps do the trick of stopping it from trying r...@localhost.com?

On Thursday, June 6, 2024 at 01:53:20 PM EDT, postfix--- via Postfix-users
wrote:

> > > I have no idea where this r...@localhost.com is coming from. It must be a
> > > misconfiguration but I cannot find it.
>
> > Since root@localhost is rewritten in r...@localhost.com, I would also check
> > in aliases/virtual_aliases, etc.
>
> Not likely, but check if something wacky got into /etc/aliases as that would
> alter anything postfix tried sending to root of localhost.


[pfx] Re: localhost.com in the logs

2024-06-06 Thread postfix--- via Postfix-users

> > I have no idea where this r...@localhost.com is coming from. It must be a
> > misconfiguration but I cannot find it.

> Since root@localhost is rewritten in r...@localhost.com, I would also check in
> aliases/virtual_aliases, etc.

Not likely, but check if something wacky got into /etc/aliases as that would
alter anything postfix tried sending to root of localhost.


[pfx] Re: localhost.com in the logs

2024-06-06 Thread Erwan David via Postfix-users

On 06/06/2024 at 18:57, GDS via Postfix-users wrote:

> Hello,
> I am seeing hundreds of lines like the one below in my mail.log from
> this specific IP address, which belongs to Google.
>
> Jun 5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D:
> to=, orig_to=, relay=none,
> delay=4099, delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery
> temporarily suspended: connect to localhost.com[74.125.224.72]:25:
> Connection timed out)
>
> I have no idea where this r...@localhost.com is coming from. It must
> be a misconfiguration but I cannot find it.
>
> I have grep-ed /etc/postfix for all instances of localhost and there
> is nowhere an instance of localhost.com...
>
> Also, I have /etc/hosts with "127.0.0.1 localhost" and main.cf with:
> "myhostname = mydomain.com" and
> "mydestination = localhost, localhost.localdomain"
> I am stumped... Anywhere else I should be looking?
>
> Thank you,
> Greg

Since root@localhost is rewritten in r...@localhost.com, I would also
check in aliases/virtual_aliases, etc.


[pfx] localhost.com in the logs

2024-06-06 Thread GDS via Postfix-users
Hello, I am seeing hundreds of lines like the one below in my mail.log from
this specific IP address, which belongs to Google.

Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D:
to=, orig_to=, relay=none, delay=4099,
delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily
suspended: connect to localhost.com[74.125.224.72]:25: Connection timed out)

I have no idea where this r...@localhost.com is coming from. It must be a
misconfiguration but I cannot find it.

I have grep-ed /etc/postfix for all instances of localhost and there is nowhere
an instance of localhost.com... Also, I have /etc/hosts with "127.0.0.1
localhost" and main.cf with:
"myhostname = mydomain.com" and
"mydestination = localhost, localhost.localdomain"
I am stumped... Anywhere else I should be looking?

Thank you, Greg


[pfx] Re: [ext] ehlo=2

2024-06-05 Thread Ralf Hildebrandt via Postfix-users
* postfix--- via Postfix-users :
> I have noticed in most deliveries, servers are issuing two ehlo commands. For 
> example:
> 
>   postfix/smtpd[232271]: disconnect from talvi.dovecot.org[94.237.105.223] 
> ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

One EHLO before STARTTLS and one afterwards.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
  Invalidenstraße 120/121 | D-10115 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | https://www.charite.de

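The exchange Ralf describes, as an added example that is not part of the original post: a toy ESMTP server and client run in-process (no network), with the server counting verbs the way smtpd's "disconnect from" summary line does. Hostnames and addresses are invented. The second EHLO is the one RFC 3207 requires after the TLS handshake: the client must discard what the cleartext EHLO told it, and the server advertises a fresh extension list, without STARTTLS, over the encrypted channel.

```python
"""Why a STARTTLS session shows up as ehlo=2 in smtpd's disconnect line.

Added example; a toy ESMTP model, not Postfix code, with both sides run
in-process so it works offline. Hostnames and addresses are invented.
"""

from typing import Dict, List


class ToySmtpServer:
    """Minimal responder that counts verbs the way smtpd's
    "disconnect from host[addr] ehlo=2 starttls=1 ..." summary does."""

    EXTENSIONS = ["PIPELINING", "SIZE 3072", "ENHANCEDSTATUSCODES",
                  "8BITMIME", "SMTPUTF8", "CHUNKING"]

    def __init__(self, hostname: str = "mail.example.com", offer_starttls: bool = True):
        self.hostname = hostname
        self.offer_starttls = offer_starttls
        self.tls_active = False
        self.in_data = False
        self.counts: Dict[str, int] = {}

    def _count(self, verb: str) -> None:
        self.counts[verb] = self.counts.get(verb, 0) + 1

    def handle(self, line: str) -> List[str]:
        """Return the reply lines for one client line."""
        if self.in_data:                      # message body, terminated by "."
            if line == ".":
                self.in_data = False
                return ["250 2.0.0 Ok: queued"]
            return []
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            self._count("ehlo")
            ext = list(self.EXTENSIONS)
            if self.offer_starttls and not self.tls_active:
                ext.insert(2, "STARTTLS")     # advertised only on the cleartext channel
            return [f"250-{self.hostname}"] + [f"250-{e}" for e in ext[:-1]] + [f"250 {ext[-1]}"]
        if verb == "STARTTLS":
            self._count("starttls")
            if self.tls_active or not self.offer_starttls:
                return ["554 5.5.1 Error: TLS not available or already active"]
            self.tls_active = True            # the real TLS handshake would happen here
            return ["220 2.0.0 Ready to start TLS"]
        if verb in ("MAIL", "RCPT"):
            self._count(verb.lower())
            return ["250 2.1.0 Ok" if verb == "MAIL" else "250 2.1.5 Ok"]
        if verb == "DATA":
            self._count("data")
            self.in_data = True
            return ["354 End data with <CR><LF>.<CR><LF>"]
        if verb == "QUIT":
            self._count("quit")
            return ["221 2.0.0 Bye"]
        self._count("unknown")
        return ["502 5.5.2 Error: command not recognized"]

    def summary(self) -> str:
        """The per-session counters in smtpd's disconnect-line order."""
        order = ["ehlo", "starttls", "mail", "rcpt", "data", "quit", "unknown"]
        fields = [f"{k}={self.counts[k]}" for k in order if k in self.counts]
        return " ".join(fields + [f"commands={sum(self.counts.values())}"])


def deliver(server: ToySmtpServer, helo: str = "client.example.org") -> List[str]:
    """Drive one delivery like a STARTTLS-capable client; return the transcript."""
    transcript: List[str] = []

    def send(line: str) -> List[str]:
        transcript.append(f"C: {line}")
        reply = server.handle(line)
        transcript.extend(f"S: {r}" for r in reply)
        return reply

    first = send(f"EHLO {helo}")
    if any(r.endswith("STARTTLS") for r in first):
        if send("STARTTLS")[0].startswith("220"):
            send(f"EHLO {helo}")              # EHLO #2: start over on the encrypted channel
    send("MAIL FROM:<sender@example.org>")
    send("RCPT TO:<recipient@example.com>")
    send("DATA")
    for body_line in ("Subject: test", "", "hello", "."):
        send(body_line)
    send("QUIT")
    return transcript


if __name__ == "__main__":
    srv = ToySmtpServer()
    for entry in deliver(srv):
        print(entry)
    print("disconnect from client.example.org[192.0.2.10]", srv.summary())
```

With STARTTLS offered the summary reads "ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7", exactly the shape of the logged line; a server that does not offer STARTTLS (ToySmtpServer(offer_starttls=False)) yields ehlo=1 and commands=5. ehlo=2 next to starttls=1 is therefore the healthy pattern; it is ehlo=2 without starttls, or ehlo=3 and up, that would suggest a client retrying.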


[pfx] ehlo=2

2024-06-05 Thread postfix--- via Postfix-users

I have noticed in most deliveries, servers are issuing two ehlo commands. For 
example:

  postfix/smtpd[232271]: disconnect from talvi.dovecot.org[94.237.105.223] 
ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7

Is this an indication that something might not be configured correctly to cause 
servers to have to retry? Or is it normal for servers to use ehlo twice? I did 
a quick telnet connection to see what the server is announcing:

  220 mail.example.com ESMTP Postfix
  ehlo test.example.com
  250-mail.example.com
  250-PIPELINING
  250-SIZE 3072
  250-STARTTLS
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250-SMTPUTF8
  250 CHUNKING

Is anything missing? Any idea why the ehlo=2 is on most deliveries?


[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Emmanuel Seyman via Postfix-users
* Bill Cole via Postfix-users [05/06/2024 12:33] :
>
> Others have said elsewhere that she posted it to her LinkedIn account
> as well, which you may be able to confirm.

https://www.linkedin.com/feed/update/urn:li:activity:7202108788026335233/

Emmanuel


[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Bill Cole via Postfix-users
On 2024-06-05 at 08:19:20 UTC-0400 (Wed, 5 Jun 2024 13:19:20 +0100)
Gilgongo via Postfix-users 
is rumored to have said:

> Hi Viktor,
>
> I'm not questioning the veracity of this, but equally I'm not sure I can
> justify turning off one of our more important RBLs just on the strength of
> an email on this list.

Perhaps you can corroborate the end of SORBS and justify disablement by its 
observed performance in the next few days.  FWIW, removal of SORBS rules from 
ASF SpamAssassin has been committed and so will not be in updates once the 
change makes it through the RuleQA pipeline.

> It would be good to have something from Proofpoint about the closure to
> refer to if possible. Google isn't coming up with any other information
> about it. Are you able to get back to Michelle to ask her?

I can confirm that she posted to the Mailop list, whose archives are private 
but which one can easily subscribe to for access. Others have said elsewhere 
that she posted it to her LinkedIn account as well, which you may be able to 
confirm.


> On Wed, 5 Jun 2024 at 08:48, Peter via Postfix-users <
> postfix-users@postfix.org> wrote:
>
>> On 5/06/24 19:23, Peter via Postfix-users wrote:
>>> On 5/06/24 16:20, Viktor Dukhovni via Postfix-users wrote:
 Original text:
>>>
>>> Is there a link to the announcement online?
>>
>> I see it's from the mailop list which, unfortunately has the archives
>> set private so it doesn't help me to be able to link to the original post.
>>
>>
>> Peter


-- 
Bill Cole


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-05 Thread Emmanuel Fusté via Postfix-users

On 05/06/2024 at 15:58, Matus UHLAR - fantomas via Postfix-users wrote:
> > On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
> > > What I mean is: wildcard TXT (SPF) record for
> > > *.single-wild.porcupine.org only applies to wildcarded hosts, not to
> > > any other record explicitly defined in single-wild.porcupine.org zone.
> > >
> > > Thus, when A record for mail01-t122.raystedman.org already exists,
> > > the *.raystedman.org TXT record will not cover it and explicit TXT
> > > for mail01-t122.raystedman.org must be created (I see it's been done)
>
> On 05.06.24 14:55, Emmanuel Fusté via Postfix-users wrote:
> > No, wildcards are for the defined record type.
> > An A record will not clobber a corresponding wildcard TXT record.
> > These are two separate records.
>
> RFC 1034 point 4.3.3
>
> Wildcard RRs do not apply:
> [...]
>
>    - When the query name or a name between the wildcard domain and
>      the query name is know to exist.  For example, if a wildcard
>      RR has an owner name of "*.X", and the zone also contains RRs
>      attached to B.X, the wildcards would apply to queries for name
>      Z.X (presuming there is no explicit information for Z.X), but
>      not to B.X, A.B.X, or X.
>
> RFC 4592 section 2.2.1
>
>   *.example.   3600 TXT   "this is a wildcard"
>   *.example.   3600 MX    10 host1.example.
> [...]
>   host1.example.   3600 A 192.0.2.1
> [...]
>    The following responses would not be synthesized from any of the
>    wildcards in the zone:
>
>   QNAME=host1.example., QTYPE=MX, QCLASS=IN
>    because host1.example. exists
>
> Simply said, "*" works only for domains that do not exist and queries
> for which would return NXDOMAIN, not for anything that exists and
> query for it would return NOERROR/NODATA
>
> Returning to original issue, that's why you must explicitly configure
> SPF record to every explicitly configured A, or MX record, if you
> want SPF to apply - wildcards don't apply there.
>
> > > mail.example.com    A    192.0.2.1
> > > mail.example.com    TXT    "v=spf1 a -all"
> > > - query for mail.example.com will only return one of these
> > >
> > > *.example.com    A    192.0.2.2
> > > *.example.com    TXT    "v=spf1 -all"
> > > and/or perhaps:
> > > *.example.com    MX    .
> > > - these won't be returned for mail.example.com.
> >
> > But if you delete the mail.example.com TXT record, the TXT wildcard
> > record will be returned for mail.example.com TXT requests.
>
> As a proof of concept I have configured this on my bind server and
> observation matches what I have said.
>
> Feel free to check at my server 195.80.174.185 (I will remove it in
> short time)
>
> Does your nameserver work differently?

Honestly, this clobbering is something that was completely out of my memory.
The only recommendation is: do not use wildcards. Always use provisioning.
One good paper on the subject:
https://www.isc.org/docs/2022-webinar-dns-wildcards.pdf

Same conclusion: avoid wildcards.

Emmanuel.
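The rule Matus quotes from RFC 1034 and RFC 4592, as an added Python model (not code from the thread, from BIND or from Postfix). The zone is a constructed copy of the mail.example.com / *.example.com case above, plus Wietse's A-only wildcard; the answers are the ones the quoted RFC text prescribes, which is also what Matus's BIND test showed.

```python
"""Wildcard synthesis per RFC 1034 section 4.3.3 and RFC 4592, as a model.

Added example, not code from the thread, BIND or Postfix. The zone is a
constructed copy of the mail.example.com / *.example.com case discussed
above (plus Wietse's A-only wildcard).
"""

from typing import Dict, List, Optional, Tuple

Zone = Dict[Tuple[str, str], List[str]]   # (owner name, RR type) -> rdata

ZONE: Zone = {
    ("example.com", "SOA"):      ["ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"],
    ("mail.example.com", "A"):   ["192.0.2.1"],
    ("mail.example.com", "TXT"): ["v=spf1 a -all"],
    ("*.example.com", "A"):      ["192.0.2.2"],
    ("*.example.com", "TXT"):    ["v=spf1 -all"],
    ("*.example.com", "MX"):     ["0 ."],
    # Wietse's single-wild zone: a wildcard that owns only an A record
    ("*.single-wild.porcupine.org", "A"): ["168.100.3.4"],
}


def name_exists(zone: Zone, name: str) -> bool:
    """RFC 4592 s2.2.2: a name exists if it owns RRs or is an ancestor of
    an owner (an empty non-terminal). Wildcard owners count too."""
    return any(owner == name or owner.endswith("." + name) for owner, _ in zone)


def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Answer a query: ("NOERROR", rdata), ("NODATA", []) for an existing
    name without that type, or ("NXDOMAIN", [])."""
    if (qname, qtype) in zone:
        return "NOERROR", list(zone[(qname, qtype)])
    if name_exists(zone, qname):
        return "NODATA", []                   # the name exists: wildcards never apply
    # Find the closest encloser (nearest existing ancestor) and try its "*".
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            wild = "*." + encloser
            if (wild, qtype) in zone:
                return "NOERROR", list(zone[(wild, qtype)])
            return ("NODATA", []) if name_exists(zone, wild) else ("NXDOMAIN", [])
    return "NXDOMAIN", []


def spf_policy(zone: Zone, host: str) -> Optional[str]:
    """The SPF record an SPF checker would find for host, or None."""
    _, txts = lookup(zone, host, "TXT")
    return next((t for t in txts if t.startswith("v=spf1")), None)


def without(zone: Zone, owner: str, rtype: str) -> Zone:
    """Copy of zone with one RRset deleted (the 'delete the TXT' case)."""
    return {k: v for k, v in zone.items() if k != (owner, rtype)}


if __name__ == "__main__":
    for q in (("mail.example.com", "TXT"), ("mail.example.com", "MX"),
              ("foo.example.com", "TXT"), ("x.mail.example.com", "A"),
              ("foo.single-wild.porcupine.org", "TXT")):
        print(q, lookup(ZONE, *q))
    print("after deleting mail.example.com TXT:",
          lookup(without(ZONE, "mail.example.com", "TXT"), "mail.example.com", "TXT"))
```

The "delete the TXT" case is the one the thread turned on: as long as mail.example.com exists (it still owns an A record), a TXT query for it is NODATA, not the wildcard's SPF policy, so an SPF checker finds no policy at all. That is why every host that owns any record needs its own SPF TXT, and why the thread ends on "avoid wildcards".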


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-05 Thread Matus UHLAR - fantomas via Postfix-users

> On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
> > What I mean is: wildcard TXT (SPF) record for
> > *.single-wild.porcupine.org only applies to wildcarded hosts, not to
> > any other record explicitly defined in single-wild.porcupine.org
> > zone.
> >
> > Thus, when A record for mail01-t122.raystedman.org already exists,
> > the *.raystedman.org TXT record will not cover it and explicit TXT
> > for mail01-t122.raystedman.org must be created (I see it's been
> > done)

On 05.06.24 14:55, Emmanuel Fusté via Postfix-users wrote:
> No, wildcards are for the defined record type.
> An A record will not clobber a corresponding wildcard TXT record. These
> are two separate records.

RFC 1034 point 4.3.3

Wildcard RRs do not apply:
[...]

   - When the query name or a name between the wildcard domain and
     the query name is know to exist.  For example, if a wildcard
     RR has an owner name of "*.X", and the zone also contains RRs
     attached to B.X, the wildcards would apply to queries for name
     Z.X (presuming there is no explicit information for Z.X), but
     not to B.X, A.B.X, or X.

RFC 4592 section 2.2.1

  *.example.   3600 TXT   "this is a wildcard"
  *.example.   3600 MX    10 host1.example.
[...]
  host1.example.   3600 A 192.0.2.1
[...]
   The following responses would not be synthesized from any of the
   wildcards in the zone:

  QNAME=host1.example., QTYPE=MX, QCLASS=IN
   because host1.example. exists

Simply said, "*" works only for domains that do not exist and queries for 
which would return NXDOMAIN, not for anything that exists and query for 
it would return NOERROR/NODATA

Returning to original issue, that's why you must explicitly configure SPF 
record to every explicitly configured A, or MX record, if you want SPF 
to apply - wildcards don't apply there.

> > mail.example.com    A    192.0.2.1
> > mail.example.com    TXT    "v=spf1 a -all"
> > - query for mail.example.com will only return one of these
> >
> > *.example.com    A    192.0.2.2
> > *.example.com    TXT    "v=spf1 -all"
> > and/or perhaps:
> > *.example.com    MX    .
> > - these won't be returned for mail.example.com.
>
> But if you delete the mail.example.com TXT record, the TXT wildcard
> record will be returned for mail.example.com TXT requests.

As a proof of concept I have configured this on my bind server and 
observation matches what I have said.

Feel free to check at my server 195.80.174.185 (I will remove it in short 
time)

Does your nameserver work differently?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-05 Thread Emmanuel Fusté via Postfix-users

On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
> > Matus UHLAR - fantomas via Postfix-users:
> > > > - Create a wild-card SPF policy for *.raystedman.org that permits
> > > > all your SMTP client IP addresses.
> > >
> > > Sorry: wildcard in DNS only applied for non-existing names and since
> > > the hostname already exists:
>
> On 04.06.24 13:02, Wietse Venema via Postfix-users wrote:
> > Perhaps you are confusing wildcards with CNAME. With CNAME, there
> > can be no other record type with the same name. There is no such
> > restriction for wildcards.
> >
> > I have an example:
> >
> >    *.single-wild.porcupine.org. IN A 168.100.3.4
> >
> > This returns an A record for foo.single-wild.porcupine.org:
> >
> >    % host -t a foo.single-wild.porcupine.org
> >    foo.single-wild.porcupine.org has address 168.100.3.4
> >
> > But no TXT record for foo.single-wild.porcupine.org:
> >
> >    % host -t txt foo.single-wild.porcupine.org
> >    foo.single-wild.porcupine.org has no TXT record
> >
> > Here, the wildcard applies only to A queries.
>
> What I mean is: wildcard TXT (SPF) record for
> *.single-wild.porcupine.org only applies to wildcarded hosts, not to
> any other record explicitly defined in single-wild.porcupine.org zone.
>
> Thus, when A record for mail01-t122.raystedman.org already exists, the
> *.raystedman.org TXT record will not cover it and explicit TXT for
> mail01-t122.raystedman.org must be created (I see it's been done)

No, wildcards are for the defined record type.
An A record will not clobber a corresponding wildcard TXT record. These 
are two separate records.

> mail.example.com    A    192.0.2.1
> mail.example.com    TXT    "v=spf1 a -all"
> - query for mail.example.com will only return one of these
>
> *.example.com    A    192.0.2.2
> *.example.com    TXT    "v=spf1 -all"
> and/or perhaps:
> *.example.com    MX    .
> - these won't be returned for mail.example.com.

But if you delete the mail.example.com TXT record, the TXT wildcard 
record will be returned for mail.example.com TXT requests.


Emmanuel.


[pfx] sorbs closing ???

2024-06-05 Thread Jean-François Bachelet via Postfix-users

Hello Michelle :)

Would it be possible to move that sorbs service to another place to see 
it continue its job ?


Thanks for the hard work anyway :)

Best regards,
Jeff


[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Gilgongo via Postfix-users
Hi Viktor,

I'm not questioning the veracity of this, but equally I'm not sure I can
justify turning off one of our more important RBLs just on the strength of
an email on this list.

It would be good to have something from Proofpoint about the closure to
refer to if possible. Google isn't coming up with any other information
about it. Are you able to get back to Michelle to ask her?

Thanks.



On Wed, 5 Jun 2024 at 08:48, Peter via Postfix-users <
postfix-users@postfix.org> wrote:

> On 5/06/24 19:23, Peter via Postfix-users wrote:
> > On 5/06/24 16:20, Viktor Dukhovni via Postfix-users wrote:
> >> Original text:
> >
> > Is there a link to the announcement online?
>
> I see it's from the mailop list which, unfortunately has the archives
> set private so it doesn't help me to be able to link to the original post.
>
>
> Peter


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-05 Thread Matus UHLAR - fantomas via Postfix-users

> Matus UHLAR - fantomas via Postfix-users:
> > > - Create a wild-card SPF policy for *.raystedman.org that permits
> > > all your SMTP client IP addresses.
> >
> > Sorry: wildcard in DNS only applied for non-existing names and since
> > the hostname already exists:

On 04.06.24 13:02, Wietse Venema via Postfix-users wrote:
> Perhaps you are confusing wildcards with CNAME. With CNAME, there
> can be no other record type with the same name. There is no such
> restriction for wildcards.
>
> I have an example:
>
>    *.single-wild.porcupine.org. IN A 168.100.3.4
>
> This returns an A record for foo.single-wild.porcupine.org:
>
>    % host -t a foo.single-wild.porcupine.org
>    foo.single-wild.porcupine.org has address 168.100.3.4
>
> But no TXT record for foo.single-wild.porcupine.org:
>
>    % host -t txt foo.single-wild.porcupine.org
>    foo.single-wild.porcupine.org has no TXT record
>
> Here, the wildcard applies only to A queries.

What I mean is: wildcard TXT (SPF) record for *.single-wild.porcupine.org 
only applies to wildcarded hosts, not to any other record explicitly 
defined in single-wild.porcupine.org zone.

Thus, when A record for mail01-t122.raystedman.org already exists, the 
*.raystedman.org TXT record will not cover it and explicit TXT for 
mail01-t122.raystedman.org must be created (I see it's been done)

mail.example.com    A    192.0.2.1
mail.example.com    TXT  "v=spf1 a -all"
- query for mail.example.com will only return one of these

*.example.com       A    192.0.2.2
*.example.com       TXT  "v=spf1 -all"
and/or perhaps:
*.example.com       MX   .
- these won't be returned for mail.example.com.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.


[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Peter via Postfix-users

On 5/06/24 19:23, Peter via Postfix-users wrote:
> On 5/06/24 16:20, Viktor Dukhovni via Postfix-users wrote:
> > Original text:
>
> Is there a link to the announcement online?

I see it's from the mailop list which, unfortunately, has the archives 
set private so it doesn't help me to be able to link to the original post.


Peter


[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Jeff P via Postfix-users

I do use spamhaus, spamcop, sorbs as rbl lists.
So I have to update the postscreen policy.
Sorry to hear that, and thanks Sorbs.

regards.




Naturally, if you're using SORBS as an RBL in postscreen, smtpd, or a content 
filter (amavis, rspamd, ...)

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Peter via Postfix-users

On 5/06/24 16:20, Viktor Dukhovni via Postfix-users wrote:

Original text:


Is there a link to the announcement online?


Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] FYI: SORBS Closing announcement from the mailop list.

2024-06-04 Thread Viktor Dukhovni via Postfix-users
Original text:

--
For those that haven't heard.  Proofpoint is retiring SORBS effective 
immediately(ish).

Zones will be emptied shortly and within a few weeks the SORBS domain will be 
parked on dedicated "decommissioning" servers.

I am being made redundant as part of the shutdown and my last day will be 30th 
June 2024.  I will be looking for new positions following that.

I would like to thank all the SORBS supporters over the years and Proofpoint 
for keeping it going for the community for the last 13 years.

Best regards,

Michelle Sullivan
SORBS.
--

Naturally, if you're using SORBS as an RBL in postscreen, smtpd, or a content 
filter (amavis, rspamd, ...)
now is a good time to discontinue such use.

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Greg Sims via Postfix-users
Someone asked what was being sent.  The email is being sent to a
mailbox collector of bounces at the Gmail level.  The email contains a
VERP address of the original sender.  We perform automated bounce
processing for all email that make it to the bounce address at the
Gmail level.  These bounces come from our Postfix server and from many
ISPs across the Internet. Please note that all of our MX Records point
to Google.  Our Postfix server is only accessible from a private
network shared by our virtual machines -- it has no inbound exposure
to the Internet.

I chose to create an SPF entry in DNS for each of our Postfix
Transports based on the feedback here.  This is kind of awkward given
the number of SPF records we have in our zone now -- but I believe it
will work.

Thanks, Greg
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Wietse Venema via Postfix-users
Matus UHLAR - fantomas via Postfix-users:
> >- Create a wild-card SPF policy for *.raystedman.org that permits
> >all your SMTP client IP addresses.
> 
> Sorry: wildcards in DNS only apply to non-existing names, and since 
> the hostname already exists:

Perhaps you are confusing wildcards with CNAME. With CNAME, there
can be no other record type with the same name. There is no such
restriction for wildcards.

I have an example:

*.single-wild.porcupine.org. IN A 168.100.3.4

This returns an A record for foo.single-wild.porcupine.org:

% host -t a foo.single-wild.porcupine.org
foo.single-wild.porcupine.org has address 168.100.3.4

But no TXT record for foo.single-wild.porcupine.org:

% host -t txt foo.single-wild.porcupine.org
foo.single-wild.porcupine.org has no TXT record

Here, the wildcard applies only to A queries.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Matus UHLAR - fantomas via Postfix-users

Greg Sims via Postfix-users:

We had another DMARC Failure last night.  The email ended up at the gmail level.

  X-Original-Authentication-Results: mx.google.com;

   spf=none (google.com: mail01-t122.raystedman.org does not
designate permitted sender hosts)
smtp.helo=mail01-t122.raystedman.org;
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org

It appears that Google is looking for SPF information for one of the
transports we use in randmap.  Do we need to have SPF records in place
for all of our transports?


Greg:
what kind of mail was this?

I encountered DSNs from microsoft (exchange, outlook.com) addresses which 
had an empty envelope from <> but the header From: was set, e.g. 
postmas...@outlook.com, but those mails did NOT have DKIM signatures.


These did fail DMARC.
I just searched log for this and this behaviour still persists.

Do you send bounces? If so, you'll need to sign them.

On 04.06.24 11:02, Wietse Venema via Postfix-users wrote:

Google wants your smtp_helo_name (default: $myhostname) to have an SPF
policy.


This is especially necessary when bounces are sent (yes, you should 
generally not send bounces) because then the envelope from does not exist and 
the HELO name is checked for SPF. 


Options:

- Create an SPF policy for the SMTP helo name that permits the
corresponding SMTP client IP address.


+1


- Create a wild-card SPF policy for *.raystedman.org that permits
all your SMTP client IP addresses.



Sorry: wildcards in DNS only apply to non-existing names, and since 
the hostname already exists:


mail01-t122.raystedman.org. 172800 IN   A   209.73.152.122

it needs its own explicit SPF record:

mail01-t122.raystedman.org. 172800 IN   TXT "v=spf1 a -all"


- Change the smtp_helo_name to a name that already has an SPF policy.
This is messy because the name should match the PTR record for the
SMTP client IP address.



I think this only applies to SPF records that have the "ptr" option, which is 
discouraged in SPF. Otherwise, the IP must be listed in the SPF record, which is 
a bit easier to achieve.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
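The two points argued in this thread, that a DNS wildcard is never synthesised for a name that already exists with any record type (Wietse's *.single-wild.porcupine.org example and Matus' explanation above), and that a bounce with an empty MAIL FROM is SPF-checked on the HELO name (hence Google's spf=none for the HELO host), can be seen in one small model. The following is an added example, not code from the thread or from Postfix: a toy resolver implementing the RFC 4592 wildcard rule over a constructed example.org zone, and a minimal SPF evaluator that knows only the "a", "ip4:" and "all" terms. All names and addresses below are made up for the example.

```python
"""Toy resolver with RFC 4592 wildcard semantics plus a minimal SPF evaluator.

Added example for the discussion above; the zone is constructed
(example.org names, not the real raystedman.org data) and the SPF evaluator
only knows the "a", "ip4:" and "all" terms.
"""
import ipaddress

# Constructed zone: one host with its own A and SPF TXT, one host with an A
# record only, and a wildcard that carries both an A and an SPF TXT.
ZONE = {
    ("example.org", "MX"): ["10 mail01.example.org."],
    ("mail01.example.org", "A"): ["192.0.2.1"],
    ("mail01.example.org", "TXT"): ["v=spf1 a -all"],
    ("mail02.example.org", "A"): ["192.0.2.2"],  # exists, but has no TXT at all
    ("*.example.org", "A"): ["192.0.2.3"],
    ("*.example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}


def _owner_exists(name):
    return any(owner == name for owner, _ in ZONE)


def lookup(qname, rtype):
    """Return the RRset for (qname, rtype), applying wildcard synthesis only
    when no RRset of any type exists at qname (RFC 4592 section 2.1)."""
    qname = qname.lower().rstrip(".")
    if _owner_exists(qname):
        # Name exists: answer from its own data, NODATA if the type is absent.
        # A wildcard elsewhere in the zone is never consulted here.
        return list(ZONE.get((qname, rtype), []))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if _owner_exists(wildcard):
            # Synthesise from the wildcard's data; still NODATA if that
            # type is missing (Wietse's A-only *.single-wild case).
            return list(ZONE.get((wildcard, rtype), []))
        if _owner_exists(".".join(labels[i:])):
            break  # closest encloser reached and it has no wildcard child
    return []  # NXDOMAIN


def spf_identity(mail_from, helo):
    """RFC 7208 section 2.4: an empty MAIL FROM (a bounce) is checked as
    postmaster@<HELO name>, which is why Google looked at smtp.helo."""
    return mail_from if mail_from else "postmaster@" + helo


def spf_check(client_ip, mail_from, helo):
    """Minimal SPF evaluation: none/pass/fail/softfail/neutral/permerror."""
    domain = spf_identity(mail_from, helo).rsplit("@", 1)[1]
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"  # the spf=none Google reported for the HELO host
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term == "a":
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(domain, "A"))
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"  # mechanism not implemented in this toy
        if matched:
            return results[qualifier]
    return "neutral"  # ran off the end of the record


if __name__ == "__main__":
    # Bounces (empty MAIL FROM) from each host, checked on the HELO name.
    print(spf_check("192.0.2.1", "", "mail01.example.org"))   # pass: own TXT
    print(spf_check("192.0.2.2", "", "mail02.example.org"))   # none: A exists, wildcard TXT not used
    print(spf_check("192.0.2.7", "", "newhost.example.org"))  # pass: name absent, wildcard applies
```

The middle case is the situation in the thread: mail02 has an A record, so the *.example.org TXT is never returned for it and the result is "none". Giving mail02 its own "v=spf1 a -all" TXT, as Matus suggests, turns that into "pass".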


[pfx] Re: Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved

2024-06-04 Thread Fred Morris via Postfix-users

On Tue, 4 Jun 2024, Chris Green via Postfix-users wrote:

I run dnsmasq instead of systemd-resolved on all my systems.


You need to make sure you've disabled it and whatever associated 
scaffolding edits resolv.conf or that you understand the mechanism.



[...]
It turned out that the file /var/spool/postfix/etc/resolv.conf was:-

   nameserver 127.0.0.53


That's an artifact of systemd-resolved and the distributions which ship 
it.


You may also need to understand why postfix is using 
/var/spool/postfix/etc/resolv.conf instead of /etc/resolv.conf. Maybe it's 
copying it from /etc/resolv.conf. You might use that behavior to your 
advantage by having it copy from some other location which you maintain.


--

Fred Morris

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Emmanuel Fusté via Postfix-users

Le 04/06/2024 à 17:02, Wietse Venema via Postfix-users a écrit :

Greg Sims via Postfix-users:

We had another DMARC Failure last night.  The email ended up at the gmail level.

   X-Original-Authentication-Results: mx.google.com;

spf=none (google.com: mail01-t122.raystedman.org does not
designate permitted sender hosts)
smtp.helo=mail01-t122.raystedman.org;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org

It appears that Google is looking for SPF information for one of the
transports we use in randmap.  Do we need to have SPF records in place
for all of our transports?

Google wants your smtp_helo_name (default: $myhostname) to have an SPF
policy.

Options:

- Create an SPF policy for the SMTP helo name that permits the
corresponding SMTP client IP address.

- Create a wild-card SPF policy for *.raystedman.org that permits
all your SMTP client IP addresses.


Please avoid DNS wildcards as much as possible.

Emmanuel.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Benny Pedersen via Postfix-users

Wietse Venema via Postfix-users skrev den 2024-06-04 17:02:


- Create a wild-card SPF policy for *.raystedman.org that permits
all your SMTP client IP addresses.


just don't make it random as a *

helo should be non-shared as well, but should at the same time be on the same 
domain


i remember policyd v1 where HRP tracked this

https://wiki.policyd.org/checkhelo#checkhelo_configuration
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> We had another DMARC Failure last night.  The email ended up at the gmail 
> level.
> 
>   X-Original-Authentication-Results: mx.google.com;
> 
>spf=none (google.com: mail01-t122.raystedman.org does not
> designate permitted sender hosts)
> smtp.helo=mail01-t122.raystedman.org;
>dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org
> 
> It appears that Google is looking for SPF information for one of the
> transports we use in randmap.  Do we need to have SPF records in place
> for all of our transports?

Google wants your smtp_helo_name (default: $myhostname) to have an SPF
policy.

Options:

- Create an SPF policy for the SMTP helo name that permits the
corresponding SMTP client IP address.

- Create a wild-card SPF policy for *.raystedman.org that permits
all your SMTP client IP addresses.

- Change the smtp_helo_name to a name that already has an SPF policy.
This is messy because the name should match the PTR record for the
SMTP client IP address.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-04 Thread Greg Sims via Postfix-users
We had another DMARC Failure last night.  The email ended up at the gmail level.

  X-Original-Authentication-Results: mx.google.com;

   spf=none (google.com: mail01-t122.raystedman.org does not
designate permitted sender hosts)
smtp.helo=mail01-t122.raystedman.org;
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=raystedman.org

It appears that Google is looking for SPF information for one of the
transports we use in randmap.  Do we need to have SPF records in place
for all of our transports?

More message headers and "collate" of this incident are available on request.

Thanks, Greg


On Sun, Jun 2, 2024 at 7:02 PM Greg Sims  wrote:
>
> OK.  I found the email in the bounce mailbox at the gmail level.  The
> issue seems to be consistent with what we could see from the email
> logs only.  The SPF fails because the email is being sent from domain
> mail01.raystedman.org. You tried (Wietse) for some time to control the
> "from domain" for this message.  I am not aware that we found a
> solution.  I believe it is time to add an SPF record for
> mail01.raystedman.org and see where this takes us.
>
> Thank you for breaking down this set of logs Wietse, Greg
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved

2024-06-04 Thread Wietse Venema via Postfix-users
Chris Green via Postfix-users:
> I run dnsmasq instead of systemd-resolved on all my systems.
> 
> I recently moved my dekstop server to new hardware running xubuntu
> 24.04 replacing my previous system that was running xubuntu 22.04.
> 
> I installed dnsmasq and removed systemd-resolved and all seemed well
> until I noticed I couldn't send E-Mail, I run a postfix 3.8.6 server
> which sends outgoing E-Mail via my ISP's smarthost.
> 
> In the mail.log I was seeing lots of messages like:-
> 
> 2024-06-02T00:10:30.652648+01:00 q957 postfix/smtp[8733]: 9763C3542024: 
> to=, relay=none, delay=8729, delays =8729/0.02/0/0, 
> dsn=4.4.3, status=deferred (Host or domain name not found. Name service error 
> for name=smtp-auth.mythic-beasts.com type=A: Host not found, try again)
> 
> But running 'host smtp-auth.mythic-beasts.com' returned a perfectly OK
> address.
> 
> It turned out that the file /var/spool/postfix/etc/resolv.conf was:-
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search zbmc.eu
> 
> Changing it to:-
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search zbmc.eu
> 
> Has fixed the problem.

Those two sets of lines are identical.

> However I'm sure this isn't the 'right' way to do this.  How do I get
> postfix to pick up the resolv.conf file that is used/created by dnsmasq?

Postfix does not import system files under /var/spool/postfix
(the list of files needed is OS-specific).

Those files are normally copied by OS-specific scripts that start
Postfix.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: managesieve filter not working

2024-06-04 Thread Marek Podmaka via Postfix-users
On Tue, 4 Jun 2024 at 11:19, Celal.Dikici via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello,
> For the e-mail infrastructure we use roundcube 1.6.6 postfix 3.7.10,
> dovecot 2.3.19.1 installed on debian 12.05.  We use the larry theme as the
> interface. We use managesieve plugin for filtering. I have extracted some
> configurations below. Although the services are working properly, the
> filtering rules are not working. Although I have activated the Sieve logs,
> no negative logs are being sent. It is as if postfix/dovecot is not talking
> to managesieve. I wonder where I am doing wrong?
> Thank you for your help.
>
> *dovecot -n*
> protocol lmtp {
>
> mail_plugins = sieve
>
> }
>
> protocol lda {
>
> mail_plugins = sieve
>
> }
>
> *postconf -n*
> virtual_transport = lmtp:unix:private/dovecot
>

You seem to have enabled sieve in both lmtp and lda in dovecot (have you
restarted dovecot since then?).

Logs would help. Is postfix really delivering mail via dovecot? I see you
have virtual_transport defined, but don't see virtual users/domains. Are
you really using virtual users? Paste here the log from postfix for delivering
an email which should be filtered via sieve, something like this:

kenny postfix/pipe[22010]: 2431C: to=, orig_to=,
relay=dovecot, delay=1.8, delays=1.7/0/0/0.06, dsn=2.0.0, status=sent
(delivered via dovecot service)

LMTP/LDA should log info about sieve processing to the same log destination
as rest of dovecot, for example:

kenny dovecot: lda(marki@xxx)<26865>: sieve:
msgid=<20240603221836.xxx@xxx>: stored mail into mailbox 'INBOX'




-- 
  bye, Marki
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: force to use starttls on port 587

2024-06-04 Thread Jeff P via Postfix-users



I have already been using postscreen for port 25.

smtp  inet  n   -   y   -   1   postscreen
smtpd pass  -   -   y   -   -   smtpd
dnsblog   unix  -   -   y   -   0   dnsblog
tlsproxy  unix  -   -   y   -   0   tlsproxy
submission inet n   -   y   -   -   smtpd

Thank you anyway.




Use postscreen on port 25, it will drop many bots from trying to connect 
and send mail through your server.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: managesieve filter not working

2024-06-04 Thread John Fawcett via Postfix-users


On 04/06/2024 11:18, Celal.Dikici via Postfix-users wrote:

Hello,
For the e-mail infrastructure we use roundcube 1.6.6 postfix 3.7.10, 
dovecot 2.3.19.1 installed on debian 12.05.  We use the larry theme as 
the interface. We use managesieve plugin for filtering. I have 
extracted some configurations below. Although the services are working 
properly, the filtering rules are not working. Although I have 
activated the Sieve logs, no negative logs are being sent. It is as if 
postfix/dovecot is not talking to managesieve. I wonder where I am 
doing wrong?

Thank you for your help.


Hi Celal

this is not a Postfix issue. You will probably find more help about 
sieve on the dovecot mailing list. Postfix itself does not have any 
direct interaction with managesieve or with sieve script interpreter.


I assume that you are using lmtp protocol to deliver email from postfix 
to dovecot. If that's the case then I guess you are missing the 
following dovecot setting for lmtp.


mail_plugins = $mail_plugins sieve

I'd also suggest checking which of your sieve scripts is active and 
therefore supposed to be running during mail delivery. The active one is 
pointed to by a link in the mail directory named dovecot.sieve.


John



___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved

2024-06-04 Thread Matus UHLAR - fantomas via Postfix-users

On 04.06.24 10:00, Chris Green via Postfix-users wrote:

I run dnsmasq instead of systemd-resolved on all my systems.

I recently moved my dekstop server to new hardware running xubuntu
24.04 replacing my previous system that was running xubuntu 22.04.

I installed dnsmasq and removed systemd-resolved and all seemed well
until I noticed I couldn't send E-Mail, I run a postfix 3.8.6 server
which sends outgoing E-Mail via my ISP's smarthost.

In the mail.log I was seeing lots of messages like:-

   2024-06-02T00:10:30.652648+01:00 q957 postfix/smtp[8733]: 9763C3542024: 
to=, relay=none, delay=8729, delays =8729/0.02/0/0, 
dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for 
name=smtp-auth.mythic-beasts.com type=A: Host not found, try again)

But running 'host smtp-auth.mythic-beasts.com' returned a perfectly OK
address.

It turned out that the file /var/spool/postfix/etc/resolv.conf was:-

   nameserver 127.0.0.53
   options edns0 trust-ad
   search zbmc.eu

Changing it to:-

   nameserver 127.0.0.53
   options edns0 trust-ad
   search zbmc.eu

Has fixed the problem.


they look the same, didn't you set nameserver to 127.0.0.1 instead?


However I'm sure this isn't the 'right' way to do this.  How do I get
postfix to pick up the resolv.conf file that is used/created by dnsmasq?


Restarting postfix does set up the proper environment; this should apply on Ubuntu.
After changing resolv.conf, restarting postfix should fix this.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved

2024-06-04 Thread Chris Green via Postfix-users
On Tue, Jun 04, 2024 at 10:00:28AM +0100, Chris Green via Postfix-users wrote:
> I run dnsmasq instead of systemd-resolved on all my systems.
> 
> I recently moved my dekstop server to new hardware running xubuntu
> 24.04 replacing my previous system that was running xubuntu 22.04.
> 
> I installed dnsmasq and removed systemd-resolved and all seemed well
> until I noticed I couldn't send E-Mail, I run a postfix 3.8.6 server
> which sends outgoing E-Mail via my ISP's smarthost.
> 
> In the mail.log I was seeing lots of messages like:-
> 
> 2024-06-02T00:10:30.652648+01:00 q957 postfix/smtp[8733]: 9763C3542024: 
> to=, relay=none, delay=8729, delays =8729/0.02/0/0, 
> dsn=4.4.3, 
> status=deferred (Host or domain name not found. Name service error for 
> name=smtp-auth.mythic-beasts.com type=A: Host not found, try again) 
> 
> But running 'host smtp-auth.mythic-beasts.com' returned a perfectly OK
> address.
> 
> It turned out that the file /var/spool/postfix/etc/resolv.conf was:-
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search zbmc.eu
> 
> Changing it to:-
> 
> nameserver 127.0.0.53
> options edns0 trust-ad
> search zbmc.eu
> 
> Has fixed the problem.
> 
> However I'm sure this isn't the 'right' way to do this.  How do I get
> postfix to pick up the resolv.conf file that is used/created by dnsmasq?
> 
Ooops!!!

That should be Changing it to:-

 nameserver 127.0.0.1
 options edns0 trust-ad
 search zbmc.eu

of course!


On investigating further it seems that on older systems where I have
done this (moved from systemd-resolved to dnsmasq) I have simply
hand-edited /etc/resolv.conf and then postfix copies that version to
/var/spool/postfix/etc/resolv.conf and all is well.

So, is that as it should be?

-- 
Chris Green
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: force to use starttls on port 587

2024-06-04 Thread Matus UHLAR - fantomas via Postfix-users

On 03.06.24 20:55, Jeff P via Postfix-users wrote:

I have closed sasl auth on port 25.
but users still can use port 587 for login with plain text.
how can I force users to use submission via start-tls only?
I know I can open port 465 for ssl connection. but for history reason 
the port 587 must be open.


I wonder how you configured port 587, since the default master.cf contains 
instructions for requiring TLS and also disables unauthenticated clients:


#submission inet n   -   n   -   -   smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
[...]
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

On 04.06.24 08:03, Jeff P via Postfix-users wrote:

After postfix and dovecot were installed, there are 4 ports open by default.

port 587
port 25
port 993
port 143

So I have improved them by implementing:

1. close public port 143
2. disable sasl auth on port 25
3. force smtp client to login using tls only on port 587


the 3. is implied by 2., although you can tune it a bit

e.g. my main.cf:

mua_client_restrictions = permit_sasl_authenticated,
    check_client_access static:{530 5.7.0 Authentication Required.}
and in master.cf:

submission inet n   -   y   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
[...]
smtps inet  n   -   y   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions




do you think there is any stuff I am missing?


Use postscreen on port 25, it will drop many bots from trying to connect and 
send mail through your server.


http://www.postfix.org/POSTSCREEN_README.html


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] managesieve filter not working

2024-06-04 Thread Celal.Dikici via Postfix-users
Hello,
For the e-mail infrastructure we use roundcube 1.6.6 postfix 3.7.10, dovecot 2.3.19.1 installed on debian 12.05.  We use the larry theme as the interface. We use managesieve plugin for filtering. I have extracted some configurations below. Although the services are working properly, the filtering rules are not working. Although I have activated the Sieve logs, no negative logs are being sent. It is as if postfix/dovecot is not talking to managesieve. I wonder where I am doing wrong?

Thank you for your help.


dovecot -n

# 2.3.19.1 (9b53102964): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.19 (4eae2f79)
# OS: Linux 6.1.0-21-amd64 x86_64 Debian 12.5
# Hostname: gul2
auth_debug = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot-debug.log
first_valid_uid = 0
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_debug = yes
mail_home = /home/%u/sieve
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_plugins = quota
mail_privileged_group = mail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
plugin {
  quota = dirsize:User quota
  quota_grace = 10%%
  quota_max_mail_size = 1000M
  quota_over_flag_lazy_check = yes
  quota_over_flag_value = TRUE
  quota_over_script = quota-warning mismatch %u
  quota_rule = Inbox:storage=+10%
  quota_rule2 = *:storage=5G
  quota_rule3 = Trash:storage=+100M
  quota_rule4 = SPAM:ignore
  quota_status_nouser = DUNNO
  quota_status_overquota = 552 5.2.2 Mailbox is full
  quota_status_success = DUNNO
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  quota_warning3 = -storage=100%% quota-warning below %u
  sieve = ~/dovecot.sieve
  sieve_dir = ~/sieve
  sieve_global_dir = /etc/dovecot/sieve/global/
  sieve_global_path = /etc/dovecot/sieve/default.sieve
}
protocols = " imap lmtp sieve pop3 sieve"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
  }
}
service dict {
  unix_listener dict {
    group = 
    mode = 0600
    user = 
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
service quota-warning {
  executable = script /usr/local/bin/quota-warning.sh
  unix_listener quota-warning {
    mode = 0666
    user = dovecot
  }
  user = dovecot
}
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
verbose_ssl = yes
protocol lmtp {
  mail_plugins = sieve
}
protocol lda {
  mail_plugins = sieve
}
protocol imap {
  mail_plugins = quota imap_quota
}
protocol sieve {
  managesieve_implementation_string = Dovecot Pigeonhole
  managesieve_max_line_length = 64 k
}
protocol pop3 {
  mail_plugins = quota
}


postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
compatibility_level = 3.6
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
maillog_file = /var/log/postfix.log
message_size_limit = 52428800
mydestination = $myhostname, gul2.bim.gantep.edu.tr, mail2.gantep.edu.tr, localhost.bim.gantep.edu.tr, localhost
myhostname = mail2.gantep.edu.tr
mynetworks = 193.140.136.15/32 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_recipient_limit = 20
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
spamassassin_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot


telnet localhost 4190

Trying ::1...
Connected to localhost.
Escape character is '^]'.
"IMPLEMENTATION" "Dovecot Pigeonhole"
"SIEVE" "fileinto reject envelope encoded-character vacation subaddress

[pfx] Problem with /var/spool/postfix/etc/resolv.conf after removing systemd-resolved

2024-06-04 Thread Chris Green via Postfix-users
I run dnsmasq instead of systemd-resolved on all my systems.

I recently moved my dekstop server to new hardware running xubuntu
24.04 replacing my previous system that was running xubuntu 22.04.

I installed dnsmasq and removed systemd-resolved and all seemed well
until I noticed I couldn't send E-Mail, I run a postfix 3.8.6 server
which sends outgoing E-Mail via my ISP's smarthost.

In the mail.log I was seeing lots of messages like:-

2024-06-02T00:10:30.652648+01:00 q957 postfix/smtp[8733]: 9763C3542024: 
to=, relay=none, delay=8729, delays =8729/0.02/0/0, 
dsn=4.4.3, status=deferred (Host or domain name not found. Name service error 
for name=smtp-auth.mythic-beasts.com type=A: Host not found, try again)

But running 'host smtp-auth.mythic-beasts.com' returned a perfectly OK
address.

It turned out that the file /var/spool/postfix/etc/resolv.conf was:-

nameserver 127.0.0.53
options edns0 trust-ad
search zbmc.eu

Changing it to:-

nameserver 127.0.0.53
options edns0 trust-ad
search zbmc.eu

Has fixed the problem.

However I'm sure this isn't the 'right' way to do this.  How do I get
postfix to pick up the resolv.conf file that is used/created by dnsmasq?

-- 
Chris Green
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Jeff P via Postfix-users

After postfix and dovecot were installed, there are 4 ports open by default.

port 587
port 25
port 993
port 143

So I have improved them by implementing:

1. close public port 143
2. disable sasl auth on port 25
3. force smtp client to login using tls only on port 587

do you think there is any stuff I am missing?

Thanks.



I'm updating the Postfix documentation that "smtpd_tls_security_level
= encrypt" will reject all plaintext commands except HELO, EHLO,
XCLIENT, STARTTLS, NOOP, QUIT, and HELP.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Jeff P via Postfix-users



That's great. thanks all.


Belt and suspenders (the first setting implies the second, and the third
should then never be used), in master.cf for the submission entry set:

 -o { smtpd_tls_security_level = encrypt }
 -o { smtpd_tls_auth_only = yes }
 -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
 -o { smtpd_sasl_tls_security_options = noanonymous }

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Mon, Jun 03, 2024 at 08:55:11PM +0800, Jeff P via Postfix-users wrote:
> 
> > I have closed sasl auth on port 25.  but users still can use port 587
> > for login with plain text.  how can I force users to use submission
> > via start-tls only?  I know I can open port 465 for ssl connection.
> > but for history reason the port 587 must be open.
> 
> Belt and suspenders (the first setting implies the second, and the third
> should then never be used), in master.cf for the submission entry set:
> 
> -o { smtpd_tls_security_level = encrypt }
> -o { smtpd_tls_auth_only = yes }
> -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
> -o { smtpd_sasl_tls_security_options = noanonymous }

I'm updating the Postfix documentation that "smtpd_tls_security_level
= encrypt" will reject all plaintext commands except HELO, EHLO,
XCLIENT, STARTTLS, NOOP, QUIT, and HELP.

Wietse


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Viktor Dukhovni via Postfix-users
On Mon, Jun 03, 2024 at 08:55:11PM +0800, Jeff P via Postfix-users wrote:

> I have closed sasl auth on port 25.  but users still can use port 587
> for login with plain text.  how can I force users to use submission
> via start-tls only?  I know I can open port 465 for ssl connection.
> but for history reason the port 587 must be open.

Belt and suspenders (the first setting implies the second, and the third
should then never be used), in master.cf for the submission entry set:

-o { smtpd_tls_security_level = encrypt }
-o { smtpd_tls_auth_only = yes }
-o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
-o { smtpd_sasl_tls_security_options = noanonymous }

-- 
Viktor.


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Erwan David via Postfix-users

On 03/06/2024 at 14:55, Jeff P via Postfix-users wrote:

Hello

I have closed sasl auth on port 25.
but users still can use port 587 for login with plain text.
how can I force users to use submission via start-tls only?
I know I can open port 465 for ssl connection. but for history reason 
the port 587 must be open.


Thanks.


Just use the relevant options in your master.cf for submission port. I use

submission inet n   -   n   -   -   smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_sasl_authenticated_header=yes
 -o smtpd_tls_protocols=TLSv1.2,TLSv1.3

Important parts are tls_security_level, sasl_auth_enable and 
client_restriction which reject non authenticated email


(you may have different setting for chroot and tls_protocols)


--
Erwan David

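Both master.cf styles in this thread (Viktor's `-o { name = value }` form and Erwan's `-o name=value` form) express the same thing, and the point of each is that AUTH is never reachable without TLS. Here is an added Python example that parses both forms and audits a submission entry against the advice above; it is not code from the thread or from Postfix. The two master.cf fragments are constructed, and the audit rules are my reading of the replies: `smtpd_tls_security_level = encrypt`, or failing that `smtpd_tls_auth_only = yes` plus `noplaintext`, SASL enabled, and a restriction that admits only authenticated clients.

```python
"""Audit a Postfix master.cf submission entry for TLS-before-AUTH settings.

Added example for this thread; it is not Postfix code.  The master.cf
fragments below are constructed.  Both option syntaxes are handled:
"-o name=value" and the Postfix 3.0+ "-o { name = value }" form.
"""
from typing import Dict, List, Tuple

# Constructed: plaintext AUTH is still possible on this entry.
WEAK_MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Constructed: the belt-and-suspenders settings recommended in the thread.
HARDENED_MASTER_CF = """\
# comment lines are ignored
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o { smtpd_tls_security_level = encrypt }
  -o { smtpd_tls_auth_only = yes }
  -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
  -o { smtpd_sasl_tls_security_options = noanonymous }
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def _parse_options(tokens: List[str]) -> Dict[str, str]:
    """Collect -o overrides from a token list; brace groups may span tokens."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i] != "-o":
            i += 1
            continue
        i += 1
        if i >= len(tokens):
            break
        if tokens[i].startswith("{"):
            group = []
            while i < len(tokens):
                group.append(tokens[i])
                i += 1
                if group[-1].endswith("}"):
                    break
            spec = " ".join(group).strip()[1:-1]
        else:
            spec = tokens[i]
            i += 1
        name, _, value = spec.partition("=")
        opts[name.strip()] = value.strip()
    return opts


def parse_master_cf(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (service name, overrides) per entry.  Lines starting with
    whitespace continue the previous entry; '#' lines are comments."""
    entries: List[Tuple[str, Dict[str, str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if entries:
                entries[-1][1].update(_parse_options(raw.split()))
            continue
        fields = raw.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        entries.append((fields[0], _parse_options(fields[8:])))
    return entries


def audit_submission(opts: Dict[str, str]) -> List[str]:
    """Findings for one submission entry; an empty list means it only
    accepts AUTH inside TLS, as the thread recommends."""
    findings: List[str] = []
    sasl = {o.strip() for o in opts.get("smtpd_sasl_security_options", "").split(",")}
    if opts.get("smtpd_tls_security_level") != "encrypt":
        findings.append("smtpd_tls_security_level is not 'encrypt': plaintext sessions allowed")
        # Without mandatory TLS the two fallback settings must carry the load.
        if opts.get("smtpd_tls_auth_only") != "yes":
            findings.append("smtpd_tls_auth_only=yes missing: AUTH offered before STARTTLS")
        if "noplaintext" not in sasl:
            findings.append("smtpd_sasl_security_options lacks noplaintext")
    if opts.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable=yes missing")
    restrictions = (opts.get("smtpd_client_restrictions", "") + ","
                    + opts.get("smtpd_relay_restrictions", ""))
    if "permit_sasl_authenticated" not in restrictions:
        findings.append("no master.cf restriction admits only SASL-authenticated clients "
                        "(main.cf defaults not consulted)")
    return findings


def audit_master_cf(text: str, service: str = "submission") -> List[str]:
    """Audit the named service in a master.cf text."""
    for name, opts in parse_master_cf(text):
        if name == service:
            return audit_submission(opts)
    return [f"no '{service}' entry found"]


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MASTER_CF), ("hardened", HARDENED_MASTER_CF)):
        print(label, audit_master_cf(cf) or ["OK"])
```

On a live system the same audit can be run against the output of `postconf -M submission/inet`, which prints the entry in the one-line form the parser accepts; the checker only looks at master.cf overrides, so a restriction inherited from main.cf shows up as a finding to confirm by hand.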


[pfx] force to use starttls on port 587

2024-06-03 Thread Jeff P via Postfix-users

Hello

I have closed sasl auth on port 25.
but users still can use port 587 for login with plain text.
how can I force users to use submission via start-tls only?
I know I can open port 465 for ssl connection. but for history reason 
the port 587 must be open.


Thanks.


[pfx] Re: Capture Bounced Email Headers & Content

2024-06-02 Thread Greg Sims via Postfix-users
OK.  I found the email in the bounce mailbox at the gmail level.  The
issue seems to be consistent with what we could see from the email
logs only.  The SPF fails because the email is being sent from domain
mail01.raystedman.org. You tried (Wietse) for some time to control the
"from domain" for this message.  I am not aware that we found a
solution.  I believe it is time to add an SPF record for
mail01.raystedman.org and see where this takes us.

Thank you for breaking down this set of logs Wietse, Greg


[pfx] Re: dmarc domain question

2024-06-02 Thread Jeff P via Postfix-users






Some receiving systems may use a different search algorithm.  See, for
example (expired draft):

 https://www.ietf.org/archive/id/draft-levine-dmarcwalk-00.html


Thanks Viktor. I will check the doc you mentioned.



[pfx] Re: dmarc domain question

2024-06-02 Thread Jeff P via Postfix-users






Because - as you have found - Google will anyway apply the DMARC record for
the parent domain eu.org, over which you have no control, I think it is
still better to have the own one.


I just enabled DMARC on cloudflare where I hosted the domain.

_dmarc.stackops.eu.org.	300	IN	TXT	"v=DMARC1;  p=none; 
rua=mailto:ff3847f20ff8426680ccac3f8443b...@dmarc-reports.cloudflare.net;



Thanks.


[pfx] Re: dmarc domain question

2024-06-02 Thread Jaroslaw Rafa via Postfix-users
On 3.06.2024 at 06:26:53 Jeff P via Postfix-users wrote:
> 
> I would like to set a separated DMARC for xxx.eu.org.
> But I have no control over the sender smtp server, so dkim is not
> possible to be added.
> do you think if it's still right to add a dmarc?

If DKIM is absent, DMARC will be checked based on SPF only.

Because - as you have found - Google will anyway apply the DMARC record for
the parent domain eu.org, over which you have no control, I think it is
still better to have the own one.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: dmarc domain question

2024-06-02 Thread Jeff P via Postfix-users



I would like to set a separated DMARC for xxx.eu.org.
But I have no control over the sender smtp server, so dkim is not 
possible to be added.

do you think if it's still right to add a dmarc?

Thanks.


Use DMARC for your own domain to clearly signal that your xxx.eu.org domain
and the parent eu.org domain are NOT the same entity.



[pfx] Re: Capture Bounced Email Headers & Content

2024-06-02 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> On Tue, May 28, 2024 at 8:12?AM Greg Sims  wrote:
> >
> > On Tue, May 28, 2024 at 6:49?AM Wietse Venema via Postfix-users 
> >  wrote:
> >
> > > In recent experience with my personal porcupine.org email address,
> > > they not only want SPF or DKIM, they *also* want a DMARC policy
> > > with p=quarantine or p=reject.
> >
> > We have run p=reject for years.  DMARC is currently p=none because of the 
> > issue you are helping with.  I feel like we have a solution now -- time 
> > will tell.  I hope to be p=reject once again soon!
> >
> > Thanks Wietse, Greg
> 
> We have our bounce messages being stored in a local mailbox
> bounce-local -- this is working well.  Unfortunately the SPF Failure
> we see in the logs is not being sent to bounce-local.  Please see the
> following "collate" sequence:
> 
>   Jun 02 02:19:21 mail01.raystedman.org postfix/bounce[26402]:
> B9A1C305D596: sender non-delivery notification: EF978305D5BA

EF978305D5BA is a non-delivery notification for message B9A1C305D596.

>   Jun 02 02:19:21 mail01.raystedman.org postfix/cleanup[26400]:
> EF978305D5BA: message-id=<20240602091921.ef978305d...@mail01.raystedman.org>
>   Jun 02 02:19:21 mail01.raystedman.org postfix/qmgr[1311]:
> EF978305D5BA: from=<>, size=36846, nrcpt=1 (queue active)
>   Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
> Trusted TLS connection established to
> aspmx.l.google.com[142.251.2.26]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature ECDSA (P-256) server-digest SHA256
>   Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
> EF978305D5BA: host aspmx.l.google.com[142.251.2.26] said: 421-4.7.26
> Your email has been rate limited because it is unauthenticated. Gmail
> 421-4.7.26 requires all senders to authenticate with either SPF or
> DKIM. 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM
> = did not pass 421-4.7.26  SPF [] with ip: [209.73.152.121] = did not
> pass 421-4.7.26  421-4.7.26  For instructions on setting up
> authentication, go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> d2e1a72fcca58-70242b097aasi4749745b3a.183 - gsmtp (in reply to end of
> DATA command)

Google rejects non-delivery notification message EF978305D5BA after
receiving End-of-DATA. The SMTP reply is 421, therefore Postfix
will try to deliver EF978305D5BA to an alternate Google server.

>   Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
> Trusted TLS connection established to
> alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature ECDSA (P-256) server-digest SHA256
>   Jun 02 02:19:23 mail01.raystedman.org postfix/t121/smtp[26247]:
> EF978305D5BA: 
> to==icloud@devotion.raystedman.org>,
> relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.3,
> delays=0/0/0.89/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK  1717319963
> ca18e2360f4ac-7eafe6365f9si240806939f.105 - gsmtp)
>   Jun 02 02:19:23 mail01.raystedman.org postfix/qmgr[1311]:
> EF978305D5BA: removed

Postfix tried alt2.aspmx.l.google.com and was able to deliver the 
non-delivery notification message EF978305D5BA (delivery status
notification for B9A1C305D596).

If you are interested in the content of that message, you might
find it in the mailbox for en-devo-bounce+=icloud.com

> Two things caught my eye here:
>   * Please note the message is being sent from=<> (qmgr).  This is
> likely the cause of the SPF failure as there is no domain that can be
> used to lookup the SPF record.

Isn't SPF supposed to apply policy to the EHLO/HELO argument?
Especially when the sender address has no domain.

>   * The goal for the past period of time is to get a look at the
> headers of this message. Unfortunately the message is not being sent
> to bounce-local.  No entry from process "local" above to send the
> message to the bounce-local user's mailbox.

Message EF978305D5BA is a non-delivery notification. It has sender
address <> and is a "single bounce".  It contains an attachment with
the headers of message B9A1C305D596 that you want to see. It was
delivered to the mailbox for en-devo-bounce+=icloud.com

If for some reason you cannot access the above message with the
headers of message B9A1C305D596, then you can receive a message
with a copy of those headers by configuring in Postfix main.cf:

notify_classes = bounce, resource, software 

This message has a double-bounce sender address, and is by default
sent to postmaster. You can change that with:

bounce_notice_recipient = bounce-local

Or something else, if you prefer.

HOWEVER the bounce daemon does not log the queue ID of that message,
and "collate" can't tell you wat the queue was.

But, assuming that double-bounce messages will be rare, you should
have no difficulty finding them in the logs.

Wietse
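On the SPF identity point raised above: RFC 7208 section 2.4 has the receiver evaluate an empty MAIL FROM (which every bounce has) as `postmaster@` the HELO/EHLO domain, so the SPF verdict on a non-delivery notification depends on the record published for the EHLO name, not on the empty envelope sender. The following is an added Python example, not code from the thread or from Postfix; the domains and SPF records are constructed (`example.test`), and only the IP address 209.73.152.121 is taken from the log quoted above. It evaluates only the `ip4`, `ip6`, `include` and `all` mechanisms and consults a table instead of DNS.

```python
"""Which identity SPF checks for a bounce, and a minimal check_host().

Added example for this thread; it is not Postfix code and not a full SPF
implementation: only ip4, ip6, include and all are evaluated, and the
records come from a constructed table instead of DNS.
"""
import ipaddress
from typing import Dict, Tuple

# Constructed records.  Only the IP address comes from the log above.
SPF: Dict[str, str] = {
    "mail01.example.test": "v=spf1 ip4:209.73.152.121 -all",
    "example.test": "v=spf1 include:mail01.example.test ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_identity(helo: str, mail_from: str) -> Tuple[str, str]:
    """RFC 7208 section 2.4: an empty MAIL FROM, which every bounce has,
    is checked as postmaster@<HELO domain>.  Returns (identity, domain)."""
    mail_from = mail_from.strip().strip("<>")
    if mail_from == "":
        return f"postmaster@{helo}", helo
    return mail_from, mail_from.rsplit("@", 1)[-1]


def check_host(ip: str, domain: str, records=SPF, depth: int = 0) -> str:
    """Evaluate the domain's record for ip; returns pass, fail, softfail,
    neutral, none (no record) or permerror (malformed or include loop)."""
    record = records.get(domain.lower())
    if record is None:
        return "none"
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the referenced record yields pass
            matched = check_host(ip, arg, records, depth + 1) == "pass"
        else:
            matched = False  # a, mx, ptr, exists need DNS; not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def check_sender(ip: str, helo: str, mail_from: str, records=SPF) -> Tuple[str, str]:
    """Pick the identity the way a receiver does, then evaluate it."""
    identity, domain = spf_identity(helo, mail_from)
    return identity, check_host(ip, domain, records)


if __name__ == "__main__":
    # A bounce from the constructed MTA: the HELO name's record decides.
    print(check_sender("209.73.152.121", "mail01.example.test", "<>"))
    # The same MTA with no record for its HELO name gets no result at all.
    print(check_sender("209.73.152.121", "unlisted.example.test", "<>"))
```

The practical consequence for the thread: the Gmail reply quoted above shows `SPF [] with ip: [209.73.152.121]`, an empty domain, and what the receiver can still fall back on is the EHLO name, which therefore needs its own SPF record (or an `a`/`ip4` entry covering the sending address).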

[pfx] Re: Capture Bounced Email Headers & Content

2024-06-02 Thread Greg Sims via Postfix-users
On Tue, May 28, 2024 at 8:12 AM Greg Sims  wrote:
>
> On Tue, May 28, 2024 at 6:49 AM Wietse Venema via Postfix-users 
>  wrote:
>
> > In recent experience with my personal porcupine.org email address,
> > they not only want SPF or DKIM, they *also* want a DMARC policy
> > with p=quarantine or p=reject.
>
> We have run p=reject for years.  DMARC is currently p=none because of the 
> issue you are helping with.  I feel like we have a solution now -- time will 
> tell.  I hope to be p=reject once again soon!
>
> Thanks Wietse, Greg

We have our bounce messages being stored in a local mailbox
bounce-local -- this is working well.  Unfortunately the SPF Failure
we see in the logs is not being sent to bounce-local.  Please see the
following "collate" sequence:

  Jun 02 02:19:21 mail01.raystedman.org postfix/bounce[26402]:
B9A1C305D596: sender non-delivery notification: EF978305D5BA
  Jun 02 02:19:21 mail01.raystedman.org postfix/cleanup[26400]:
EF978305D5BA: message-id=<20240602091921.ef978305d...@mail01.raystedman.org>
  Jun 02 02:19:21 mail01.raystedman.org postfix/qmgr[1311]:
EF978305D5BA: from=<>, size=36846, nrcpt=1 (queue active)
  Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
Trusted TLS connection established to
aspmx.l.google.com[142.251.2.26]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature ECDSA (P-256) server-digest SHA256
  Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
EF978305D5BA: host aspmx.l.google.com[142.251.2.26] said: 421-4.7.26
Your email has been rate limited because it is unauthenticated. Gmail
421-4.7.26 requires all senders to authenticate with either SPF or
DKIM. 421-4.7.26  421-4.7.26  Authentication results: 421-4.7.26  DKIM
= did not pass 421-4.7.26  SPF [] with ip: [209.73.152.121] = did not
pass 421-4.7.26  421-4.7.26  For instructions on setting up
authentication, go to 421 4.7.26
https://support.google.com/mail/answer/81126#authentication
d2e1a72fcca58-70242b097aasi4749745b3a.183 - gsmtp (in reply to end of
DATA command)
  Jun 02 02:19:22 mail01.raystedman.org postfix/t121/smtp[26247]:
Trusted TLS connection established to
alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature ECDSA (P-256) server-digest SHA256
  Jun 02 02:19:23 mail01.raystedman.org postfix/t121/smtp[26247]:
EF978305D5BA: to==icloud@devotion.raystedman.org>,
relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.3,
delays=0/0/0.89/0.41, dsn=2.0.0, status=sent (250 2.0.0 OK  1717319963
ca18e2360f4ac-7eafe6365f9si240806939f.105 - gsmtp)
  Jun 02 02:19:23 mail01.raystedman.org postfix/qmgr[1311]:
EF978305D5BA: removed

Two things caught my eye here:
  * Please note the message is being sent from=<> (qmgr).  This is
likely the cause of the SPF failure as there is no domain that can be
used to lookup the SPF record.
  * The goal for the past period of time is to get a look at the
headers of this message. Unfortunately the message is not being sent
to bounce-local.  No entry from process "local" above to send the
message to the bounce-local user's mailbox.

Here is the current main.cf setup:

  notify_classes = bounce, resource, software
  bounce_notice_recipient = bounce-local
  virtual_alias_maps = hash:/etc/postfix/virtual

Would changing this to the following make any difference?

  notify_classes = 2bounce, bounce, resource, software
  bounce_notice_recipient = bounce-local
  2bounce_notice_recipient = bounce-local
  virtual_alias_maps = hash:/etc/postfix/virtual

We really need to see this message!

Thanks, Greg


[pfx] Re: Frustrated and sad - Authentication required

2024-06-02 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> I have changed the $myhostname string and it still says it loops
> back to myself. Port 25 must be forwarded for incoming mail. Postfix
> isn't supposed to be listening to any ports. In fact, I only have
> smtpd enabled, and not smtp. This is very confusing. :(

Wietse Venema:
> To inform the Postfix SMTP client that this Postfix instance does
> not receive mail from the network, specify:
> 
> main.cf:
> inet_interfaces =

Mailman29 via Postfix-users:
> I thought that may be right, but if I comment out the "inet_interfaces"
> it fails to take mail from the main server for outbound delivery.

We appear to be talking about different servers: one that "isn't
supposed to be listening to any ports", yet somehow should be able
to receive mail, and one that should listen: "if I comment out the
"inet_interfaces" it fails to take mail from the main server for
outbound delivery".

Coming back to the diagram:

public IP address, port 25: haproxy -> 

non-public port or address: frontend.example.com MTA with transport_maps -> 

non-public port or address: backend.example.com MTA

I understand from your response that the backend MTA should send
mail to the internet through the frontend MTA.  All that is possible
but it requires careful configuration:

1) The backend.example.com MTA receives inbound mail from the frontend,
   delivers mail locally for example.com, localhost, backend.example.com,
   frontend.example.com, and sends outbound mail through the frontend.

/etc/postfix/main.cf:
# This example assumes delivery with the local(8) delivery agent,
# with valid recipients specified in local_recipient_maps
# (default: $alias_maps unix:passwd.byname).
# Instead, one could deliver with virtual_transport, list the
# domains with virtual_mailbox_domains, and list valid recipients
# with virtual_mailbox_maps.
# (A continuation line must start with whitespace.)
mydestination = example.com localhost
    backend.example.com frontend.example.com
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = backend.example.com
relayhost = [127.0.0.1]:frontend-outbound-port
inet_interfaces = 127.0.0.1

/etc/postfix/master.cf:
# Use a port other than 25 to disable IP address based loop detection.
127.0.0.1:backend-inbound-port  .. .. .. .. .. .. .. smtpd

2) The frontend.example.com MTA forwards mail to the backend for
   example.com, localhost, *.example.com:

/etc/postfix-frontend/main.cf:
# Use a distinct MTA name to avoid name-based loop detection.
myhostname = frontend.example.com
# Forward example.com, *.example.com, localhost.
relay_domains = example.com localhost
# This assumes you have a list of valid recipients.
relay_recipient_maps = ...list with valid recipients...
transport_maps = hash:/etc/postfix-frontend/transport
mydestination =
proxy_interfaces = the haproxy public IP address
inet_interfaces = 127.0.0.1

/etc/postfix-frontend/transport:
# Forward example.com, *.example.com, localhost to the backend.
# Execute "postmap hash:/etc/postfix-frontend/transport" after
# editing the file.
example.com relay:[127.0.0.1]:backend-inbound-port
.example.com relay:[127.0.0.1]:backend-inbound-port
localhost relay:[127.0.0.1]:backend-inbound-port

/etc/postfix-frontend/master.cf:
# The port that receives inbound mail through haproxy.
# (The "-o" override lines must start with whitespace.)
127.0.0.1:frontend-inbound-port .. .. .. .. .. .. .. smtpd
    -o syslog_name=postfix/frontend-inbound
    -o smtpd_upstream_proxy_protocol=haproxy
# The port that receives outbound mail from the backend MTA.
# Use a port other than 25 to disable IP address based loop detection.
127.0.0.1:frontend-outbound-port .. .. .. .. .. .. .. smtpd
    -o syslog_name=postfix/frontend-outbound
    -o smtpd_upstream_proxy_protocol=

There's probably a setting that I'm overlooking but this
should cover most of it.

Wietse


[pfx] Re: dmarc domain question

2024-06-02 Thread Scott Kitterman via Postfix-users



On June 2, 2024 3:05:58 PM UTC, Jaroslaw Rafa via Postfix-users 
 wrote:
>On 2.06.2024 at 07:19:38 Jeff P via Postfix-users wrote:
>> 
>> I am using a subdomain xxx.eu.org for sending email.
>> Though I have not set a dmarc for xxx.eu.org, but gmail says DMARC pass.
>> So i checked that eu.org does have a DMARC record:
>> 
>> _dmarc.eu.org.   7200IN  TXT 
>> "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org;
>> 
>> 
>> My question is, for my sender email - u...@xxx.eu.org, which domain
>> should be checked for DMARC? xxx.eu.org, or eu.org?
>
>As I am also using an *.eu.org domain, I strongly suggest using the DMARC
>record for your domain. I think the DMARC record for the whole eu.org domain
>is a mistake by the domain maintainers, because eu.org is a publicly
>available suffix, kinda like a TLD, and having DMARC record on eu.org is
>similar to having a DMARC record on the top-level .com domain for example.
>
>The various xxx.eu.org domains belong to different entities so they should
>not be processed under a common "umbrella".
>
>Use DMARC for your own domain to clearly signal that your xxx.eu.org domain
>and the parent eu.org domain are NOT the same entity.

Since eu.org is listed in the Public Suffix List, its DMARC record should not 
be consulted for any of its subdomains.  I don't know how reliably existing 
implementations handle this case, but there's nothing wrong with them having a 
DMARC record for their own mail.

Given the potential for buggy or incomplete implementation of DMARC, I think 
your point still stands, but more as a backup, just in case.  

They (eu.org) will need to make a small change in their record to support the 
upcoming IETF update to DMARC, which thankfully won't use the PSL anymore, but 
that's a longer term concern.

Anyone who wants to follow up on this should probably email me directly as 
we're getting pretty far away from Postfix.

Scott K


[pfx] Re: dmarc domain question

2024-06-02 Thread Jaroslaw Rafa via Postfix-users
On 2.06.2024 at 07:19:38 Jeff P via Postfix-users wrote:
> 
> I am using a subdomain xxx.eu.org for sending email.
> Though I have not set a dmarc for xxx.eu.org, but gmail says DMARC pass.
> So i checked that eu.org does have a DMARC record:
> 
> _dmarc.eu.org.7200IN  TXT 
> "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org;
> 
> 
> My question is, for my sender email - u...@xxx.eu.org, which domain
> should be checked for DMARC? xxx.eu.org, or eu.org?

As I am also using an *.eu.org domain, I strongly suggest using the DMARC
record for your domain. I think the DMARC record for the whole eu.org domain
is a mistake by the domain maintainers, because eu.org is a publicly
available suffix, kinda like a TLD, and having DMARC record on eu.org is
similar to having a DMARC record on the top-level .com domain for example.

The various xxx.eu.org domains belong to different entities so they should
not be processed under a common "umbrella".

Use DMARC for your own domain to clearly signal that your xxx.eu.org domain
and the parent eu.org domain are NOT the same entity.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: dmarc domain question

2024-06-01 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 02, 2024 at 07:19:38AM +0800, Jeff P via Postfix-users wrote:

> I am using a subdomain xxx.eu.org for sending email.
> Though I have not set a dmarc for xxx.eu.org, but gmail says DMARC pass.
> So i checked that eu.org does have a DMARC record:
> 
> _dmarc.eu.org.7200IN  TXT 
> "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org;
> 
> 
> My question is, for my sender email - u...@xxx.eu.org, which domain should
> be checked for DMARC? xxx.eu.org, or eu.org?

There is no definitive answer.  Only rough guidance:

https://datatracker.ietf.org/doc/html/rfc7489#section-3.2

Some receiving systems may use a different search algorithm.  See, for
example (expired draft):

https://www.ietf.org/archive/id/draft-levine-dmarcwalk-00.html

-- 
Viktor.
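The RFC 7489 section 3.2 discovery Viktor points to, side by side with a plain parent-domain walk, as an added Python example (not code from the thread, from Postfix, or from any DMARC library). The Public Suffix List excerpt and the `_dmarc` TXT table are constructed; a real check uses the published PSL and DNS. Because `eu.org` is on the PSL (as Scott notes), the RFC algorithm treats `xxx.eu.org` as its own organizational domain and never consults `_dmarc.eu.org` for it, while the parent walk does, which reproduces the "DMARC pass" with no record of one's own that started the thread. The example also shows the `sp` tag taking over when the record that applies belongs to the organizational domain rather than the From domain.

```python
"""DMARC policy discovery for a sender domain, RFC 7489 sections 3.2 and 6.6.3.

Added example for this thread; not Postfix code and not a DMARC library.
The Public Suffix List excerpt and the _dmarc TXT table are constructed.
"""
from typing import Dict, Optional, Tuple

# Constructed PSL excerpt (the real list: https://publicsuffix.org/).
# Wildcard and exception rules are left out.  eu.org is on the real list.
PSL = {"com", "org", "net", "uk", "co.uk", "eu.org"}

# Constructed DNS TXT answers.  As in the thread, only the parent eu.org
# publishes a record; xxx.eu.org has none.  The rua address is a placeholder.
TXT = {
    "_dmarc.eu.org": "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:reports@example.invalid",
    "_dmarc.example.co.uk": "v=DMARC1;p=reject;sp=quarantine",
}


def organizational_domain(domain: str, psl=PSL) -> str:
    """RFC 7489 section 3.2: the longest public suffix plus one label to its
    left.  A domain that is itself a public suffix is returned unchanged."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower().rstrip(".")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value;tag=value' into a dict (no validation beyond that)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def discover_policy(from_domain: str, txt=TXT, psl=PSL,
                    use_psl: bool = True) -> Tuple[Optional[str], str]:
    """Return (domain whose record applied, effective policy).

    use_psl=True: query _dmarc.<from domain>, then _dmarc.<organizational
    domain> (RFC 7489 section 6.6.3); 'sp' applies when the record came
    from the organizational domain.  use_psl=False: a plain walk up the
    parent domains, which shows how a public suffix's record ends up
    applied to every domain registered below it."""
    from_domain = from_domain.lower().rstrip(".")
    if use_psl:
        candidates = [from_domain]
        org = organizational_domain(from_domain, psl)
        if org != from_domain:
            candidates.append(org)
    else:
        labels = from_domain.split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for cand in candidates:
        record = txt.get("_dmarc." + cand)
        if record is None:
            continue
        tags = parse_dmarc(record)
        if tags.get("v") != "DMARC1" or "p" not in tags:
            continue
        policy = tags.get("sp", tags["p"]) if cand != from_domain else tags["p"]
        return cand, policy
    return None, "none"


if __name__ == "__main__":
    for flag in (True, False):
        print("use_psl=%s:" % flag, discover_policy("xxx.eu.org", use_psl=flag))
```

Whichever lookup a receiver implements, publishing a `_dmarc.xxx.eu.org` record makes the first query in both paths succeed, which is why the advice in the thread to publish one's own record holds regardless of how the parent's record is treated.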


[pfx] dmarc domain question

2024-06-01 Thread Jeff P via Postfix-users

Hello

I am using a subdomain xxx.eu.org for sending email.
Though I have not set a dmarc for xxx.eu.org, but gmail says DMARC pass.
So i checked that eu.org does have a DMARC record:

_dmarc.eu.org.		7200	IN	TXT 
"v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org;



My question is, for my sender email - u...@xxx.eu.org, which domain 
should be checked for DMARC? xxx.eu.org, or eu.org?


Thanks.


[pfx] Re: Masters.cf

2024-06-01 Thread John Fawcett via Postfix-users
Sorry for following up on my own post, but I want to correct the record. 
Please disregard my previous email. I realize now I made a blunder 
during the analysis, since I was working on two similar questions one 
unrelated to postfix and I mixed up the data sets without realizing it. 
Sorry for the noise.


What I should have posted is that for postfix and xbl for submission 
service, if I take last 30 days of data, xbl blocked 100% of probes 24 
out of 30 days. When probes do get through they tend to do quite a few 
attempts at authenticating, often from the same ip address, so adding 
fail2ban on top has the potential (in my case) to bring the blocking to 
near 100%. The probes that get through generally seem low risk since 
they mainly but not always are for random and inexistent users.


One thing to bear in mind is that the number of probes explicitly 
blocked by xbl as evidenced by the logs may be lower than the number of 
probes being avoided by using it. This would be the case if the probe 
scripts have an adaptive behaviour, increasing the probes where they 
start getting real responses to AUTH and backing off if they get 
disconnected before AUTH.


John

On 29/05/2024 17:46, John Fawcett via Postfix-users wrote:



On 29/05/2024 14:07, Viktor Dukhovni via Postfix-users wrote:

On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:


The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.


    465    inet  n   -   n   -   -   smtpd
     -o smtpd_delay_reject=no
     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
     ...

     submission inet  n   -   n   -   -   smtpd
     -o smtpd_delay_reject=no
     -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
     -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

All set up this way.
I will let it run overnight and see what hits.

Works like  a charm.

  1   SASL authentication failed ---

Only one.

Perhaps a bit of luck?  For me, the XBL only catches around 10% of the
SASL probes.  May your luck hold up.


The majority of the probes I see that are not stopped by XBL are 
relatively harmless and don't get to try the AUTH command. They mainly 
come from ips that repeat in a short space of time (where potentially 
fail2ban could be used) and


  * fail in the starttls for protocol or cipher issues
  * disconnect without issuing starttls so never get to the AUTH command
  * try issuing AUTH without starttls so get disconnected for too many
invalid commands

The cases I have where AUTH has been tried and failed are relatively 
few. They mainly come from fast varying ips so fail2ban is not that 
useful unless I want to start banning based on a single probe. They 
usually appear to target specific existing users.


John





[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Mailman29 via Postfix-users


I thought that may be right, but if I comment out the "inet_interfaces" it 
fails to take mail from the main server for outbound delivery. 



Sent with Proton Mail secure email.

On Friday, May 31st, 2024 at 1:32 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > I have changed the $myhostname string and it still says it loops
> > back to myself. Port 25 must be forwarded for incoming mail. Postfix
> > isn't supposed to be listening to any ports. In fact, I only have
> > smtpd enabled, and not smtp. This is very confusing. :(
> 
> 
> To inform the Postfix SMTP client that this Postfix instance does
> not receive mail from the network, specify:
> 
> main.cf:
> inet_interfaces =
> 
> This change requires "postfix reload".
> 
> We're solving this one micro step at a time, because there
> are no clear design and requirements.
> 
> Wietse


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
> On 31 May 2024, at 16:13, Wietse Venema via Postfix-users 
>  wrote:
> 
> Gerben Wierda via Postfix-users:
>>> On 31 May 2024, at 14:53, Wietse Venema  wrote:
>>> 
>>> Gerben Wierda via Postfix-users:
 
> On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> 
> Hello,
> 
> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> errors/abuse/half-baked connections?
 
 Not blacklisting as I understand it, but as HAproxy makes a connection to 
 test if the service is up and then breaks the connection I always see this 
 on both systems:
 
 On the postfix 3.9 instance
 May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
 router.rna.nl[192.168.2.2]
 May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
 pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
 May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
 router.rna.nl[192.168.2.2] commands=0/0
>>> 
>>> Yep, turn off smtpd_forbid_unauth_pipelining and try again..
>>> 
>>> Wietse
>> 
>> Actually, changing the health check on submission to 
>> 
>> "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"
>> 
>> (without the added "QUIT\r\n") did the trick as well. It might
>> have been that in a previous situation HAproxy would 'never' finish
>> the health check, I don't recall why I added "QUIT\r\n". Maybe it
>> is needed for postscreen or dovecot and I just copied it to all
>> and now it stopped working for submission.
> 
> Does not work?
> 
> - Logging would be extremely helpful.
> 
> - A machine-readable before-after configration diff would also be extremely 
> helpful. 

Maybe I was unclear.

My problem was solved by removing the extra "QUIT" line from the data HAproxy 
sends to submission as a health check. Simply sending that single "PROXY TCP4 
192.168.2.2 192.168.2.2 65535 587\r\n" line returns a "220" result, which 
enable HAproxy to detect that the service is available.

G


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> I have changed the $myhostname string and it still says it loops
> back to myself. Port 25 must be forwarded for incoming mail. Postfix
> isn't supposed to be listening to any ports. In fact, I only have
> smtpd enabled, and not smtp. This is very confusing. :(

To inform the Postfix SMTP client that this Postfix instance does
not receive mail from the network, specify:

main.cf:
inet_interfaces =

This change requires "postfix reload".

We're solving this one micro step at a time, because there
are no clear design and requirements.

Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Mailman29 via Postfix-users
I have changed the $myhostname string and it still says it loops back to 
myself. Port 25 must be forwarded for incoming mail. Postfix isn't supposed to 
be listening to any ports. In fact, I only have smtpd enabled, and not smtp. 
This is very confusing. :(

Sent with Proton Mail secure email.

On Friday, May 31st, 2024 at 2:45 AM, Viktor Dukhovni via Postfix-users wrote:

> On Fri, May 31, 2024 at 12:33:34AM +, Mailman29 via Postfix-users wrote:
> 
> > Yeah, so even changing the domain name on the server (Ubuntu) itself
> > doesn't fix the issue. It must be ip based. Since the proxy and
> > Postfix share an IP address, Postfix will always think it's looping
> > back to itself. Is that correct?
> 
> 
> The Postfix SMTP client checks for its own IP address, and its own
> hostname in the EHLO response only when relaying to port 25, on other
> ports the loop checks are suppressed.
> 
> If you must forward via port 25, you need to ensure that the remote IP
> is not listed in "inet_interfaces" and the hostname in the remote EHLO
> response is not the same as $myhostname.
> 
> --
> Viktor.


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Gerben Wierda via Postfix-users:
> > On 31 May 2024, at 14:53, Wietse Venema  wrote:
> > 
> > Gerben Wierda via Postfix-users:
> >> 
> >>> On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> >>> 
> >>> Hello,
> >>> 
> >>> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> >>> errors/abuse/half-baked connections?
> >> 
> >> Not blacklisting as I understand it, but as HAproxy makes a connection to 
> >> test if the service is up and then breaks the connection I always see this 
> >> on both systems:
> >> 
> >> On the postfix 3.9 instance
> >> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
> >> router.rna.nl[192.168.2.2]
> >> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
> >> pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
> >> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
> >> router.rna.nl[192.168.2.2] commands=0/0
> > 
> > Yep, turn off smtpd_forbid_unauth_pipelining and try again..
> > 
> > Wietse
> 
> Actually, changing the health check on submission to 
> 
> "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"
> 
> (without the added "QUIT\r\n") did the trick as well. It might
> have been that in a previous situation HAproxy would 'never' finish
> the health check, I don't recall why I added "QUIT\r\n". Maybe it
> is needed for postscreen or dovecot and I just copied it to all
> and now it stopped working for submission.

Does not work?

- Logging would be extremely helpful.

- A machine-readable before-after configuration diff would also be extremely 
helpful. 

Wietse


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
> On 31 May 2024, at 14:53, Wietse Venema  wrote:
> 
> Gerben Wierda via Postfix-users:
>> 
>>> On 31 May 2024, at 13:20, pat...@patpro.net wrote:
>>> 
>>> Hello,
>>> 
>>> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
>>> errors/abuse/half-baked connections?
>> 
>> Not blacklisting as I understand it, but as HAproxy makes a connection to 
>> test if the service is up and then breaks the connection I always see this 
>> on both systems:
>> 
>> On the postfix 3.9 instance
>> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
>> router.rna.nl[192.168.2.2]
>> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
>> pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
>> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
>> router.rna.nl[192.168.2.2] commands=0/0
> 
> Yep, turn off smtpd_forbid_unauth_pipelining and try again..
> 
>   Wietse

Actually, changing the health check on submission to 

"PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"

(without the added "QUIT\r\n") did the trick as well. It might have been that 
in a previous situation HAproxy would 'never' finish the health check, I don't 
recall why I added "QUIT\r\n". Maybe it is needed for postscreen or dovecot and 
I just copied it to all and now it stopped working for submission.

G


[pfx] Re: Change Domain of "from="

2024-05-31 Thread Greg Sims via Postfix-users
On Fri, May 31, 2024 at 8:01 AM Wietse Venema via Postfix-users wrote:
>
> Greg Sims via Postfix-users:
> > I set the following in main.cf
> >
> > mydestination = localhost
> >
> > and received the following in our logs:
> >
> >   May 31 04:42:27 mail01.raystedman.org postfix/local[3978]:
> > 7CE5C30F558E: to=, orig_to=,
> > relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1, status=bounced
> > (unknown user: "bounce-local")
>
> Well duh, where should she deliver the message?

Yes, this was unfortunate.

New rhel user created and verified at /var/spool/mail.

Thanks, Greg


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Fri, May 31, 2024 at 02:01:50PM +0200, Gerben Wierda via Postfix-users 
> wrote:
> 
> > It sends: "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\nQUIT\r\n"
> > It expects a response that matches regex ^220
> 
> Don't send "QUIT\r\n", just send the PROXY handshake and wait for 220,
> and then drop the connection, or if not difficult to specify, send QUIT
> *after* the 220.

Viktor is correct. Your probe talks SMTP too soon, and the real
fix is to not send QUIT before Postfix responds.

Wietse


[pfx] Re: Change Domain of "from="

2024-05-31 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> I set the following in main.cf
> 
> mydestination = localhost
> 
> and received the following in our logs:
> 
>   May 31 04:42:27 mail01.raystedman.org postfix/local[3978]:
> 7CE5C30F558E: to=, orig_to=,
> relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1, status=bounced
> (unknown user: "bounce-local")

Well duh, where should she deliver the message?

Alternatives:

- create a user, deliver to mailbox /var/mail/bounce-local

- create a user, specify command in ~bounce-local/.forward

"|path/to/command args..."

- create a local alias in /etc/aliases

bounce-local: /path/to/file

- create a local alias in /etc/aliases

bounce-local: "|path/to/command args..."

After editing /etc/aliases execute the command "newaliases".

Wietse

>   May 31 04:42:27 mail01.raystedman.org postfix/bounce[3970]: warning:
> 7CE5C30F558E: undeliverable postmaster notification discarded
> 
> It appears we are trying to deliver locally now -- a step in the right
> direction.
> 
> bounce-local is not a rhel user of the local machine -- please note
> the entry we have in virtual.
> 
> I updated main.cf as follows hoping this will help:
> 
> mydestination = $myhostname, localhost.$mydomain, localhost
> 
> We know that the SPF error for the double-bounce was trying to be sent
> to domain mail01.raystedman.org -- thus $myhostname.
> 
> Thanks, Greg
> 
> On Thu, May 30, 2024 at 2:52 PM Wietse Venema  wrote:
> >
> > Greg Sims via Postfix-users:
> > > On Thu, May 30, 2024 at 12:27 PM Greg Sims  wrote:
> > > >
> > > > I believe I am ready to capture the double-bounce locally.
> > > >
> > > > This is main.cf:
> > > >   # 24-05-30 save the bounces locally at bounce-local
> > > >   notify_classes = 2bounce, bounce, resource, software
> > > >   bounce_notice_recipient = bounce-local
> > > >   2bounce_notice_recipient = bounce-local
> > > >   virtual_alias_maps = hash:/etc/postfix/virtual
> > > >
> > > > This is virtual:
> > > >   bounce-localbounce-local@localhost
> > > >
> > > > and ran postmap /etc/postfix/virtual.
> > >
> > > This does not look good --
> > >
> > >  May 30 11:30:40 mail01.raystedman.org postfix/t121/smtp[52641]: <<< NOTE 
> > > SMTP
> > > 4FE9D3061EF0: to=, orig_to=,
> > > relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail
> > > for localhost loops back to myself)
> >
> > You are delivering mail for localhost with the Postfix SMTP CLIENT.
> >
> > Add localhost to main.cf:mydestination and do "postfix reload".
> >
> > Then, Postfix will use the local delivery agent for localhost mail.
> >
> > Wietse
> >
> > >
> > >  May 30 11:30:40 mail01.raystedman.org postfix/bounce[52732]: warning:
> > > 4FE9D3061EF0: undeliverable postmaster notification discarded
> > >
> > > The only changes were to set up the local mailbox.
> > >
> > > Thanks, Greg


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Gerben Wierda via Postfix-users:
> 
> > On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> > 
> > Hello,
> > 
> > Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> > errors/abuse/half-baked connections?
> 
> Not blacklisting as I understand it, but as HAproxy makes a connection to 
> test if the service is up and then breaks the connection I always see this on 
> both systems:
> 
> On the postfix 3.9 instance
> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
> router.rna.nl[192.168.2.2]
> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
> pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
> May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
> router.rna.nl[192.168.2.2] commands=0/0

Yep, turn off smtpd_forbid_unauth_pipelining and try again..

Wietse


[pfx] Re: whitelisting and greylisting

2024-05-31 Thread Matus UHLAR - fantomas via Postfix-users

On 31.05.24 12:19, Gerben Wierda via Postfix-users wrote:

> smtpd_milters = 
> unix:/opt/local/var/spool/postfix/opt/local/var/run/rspamd/milter.sock
> 
> But it gets greylisted anyway:
> 
> May 31 12:02:13 hermione smtp/smtpd[58412]: connect from 
> 66-220-155-148.mail-mail.facebook.com[66.220.155.148]
> May 31 12:02:14 hermione smtp/smtpd[58412]: 32BB7CA4F79E: 
> client=66-220-155-148.mail-mail.facebook.com[66.220.155.148]
> May 31 12:02:14 hermione postfix/cleanup[58416]: 32BB7CA4F79E: 
> message-id=
> May 31 12:02:15 hermione postfix/cleanup[58416]: 32BB7CA4F79E: milter-reject: END-OF-MESSAGE from 
> 66-220-155-148.mail-mail.facebook.com[66.220.155.148]: 4.7.1 Try again later; 
> from= to= proto=ESMTP 
> helo=<66-220-155-148.mail-mail.facebook.com>
> May 31 12:02:20 hermione smtp/smtpd[58412]: disconnect from 
> 66-220-155-148.mail-mail.facebook.com[66.220.155.148] ehlo=2 starttls=1 mail=1 
> rcpt=1 data=0/1 rset=1 quit=1 commands=7/8
> 
> What am I doing wrong?


It's the milter that tempfailed the message, it's not Postfix.
Perhaps you need to allow Facebook mail at the milter level.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
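The diagnosis above (the tempfail came from the milter, not from Postfix's own restriction lists), as an added example that is not code from the thread or from Postfix: it parses the reject lines, attributes each to cleanup(8)'s milter-reject or to smtpd(8)'s restrictions, and checks whether the client hostname would have matched the regexp: whitelist. The whitelist copy and the log lines are constructed (the third log line is an invented smtpd restriction reject added for contrast; the addresses are placeholders).

```python
"""Tell a milter tempfail apart from an smtpd restriction reject, and check the
client against the check_client_access regexp table.  Added example; not Postfix code."""
import re

# Constructed copy of the rna_rbl_whitelist_clients file quoted in the thread.
WHITELIST = r"""
# These are the CLIENTS that are allowed to bypass greylisting
/\.facebook\.com$/  OK
/\.facebookmail\.com$/  OK
"""

# Constructed log lines: the first two follow the thread's lines, the third is a
# constructed smtpd restriction reject (reject_unknown_reverse_client_hostname).
LOG = """\
May 31 12:02:13 hermione smtp/smtpd[58412]: connect from 66-220-155-148.mail-mail.facebook.com[66.220.155.148]
May 31 12:02:15 hermione postfix/cleanup[58416]: 32BB7CA4F79E: milter-reject: END-OF-MESSAGE from 66-220-155-148.mail-mail.facebook.com[66.220.155.148]: 4.7.1 Try again later; from=<a@example.test> to=<b@example.test> proto=ESMTP helo=<66-220-155-148.mail-mail.facebook.com>
May 31 12:05:00 hermione smtp/smtpd[58499]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [203.0.113.7]; from=<x@example.test> to=<b@example.test> proto=ESMTP helo=<mail>
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>[\w/]+)\[\d+\]: (?P<rest>.*)$")
REJECT_RE = re.compile(
    r"(?:(?P<queue>[0-9A-F]+): )?(?P<kind>milter-reject|NOQUEUE: reject|reject): "
    r"(?P<stage>[A-Z-]+) from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<reply>[^;]*)")


def load_regexp_access(text):
    """Parse '/pattern/ ACTION' lines of a Postfix regexp: table.  Simplified:
    only the plain /.../ form without flags or IF/ENDIF; patterns are
    case-insensitive and unanchored unless the pattern itself anchors them."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.+)/\s+(\S+)", line)
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def access_lookup(rules, key):
    """First matching rule wins, as in a Postfix regexp table; None if no match."""
    for pattern, action in rules:
        if pattern.search(key):
            return action
    return None


def classify_rejects(log_text, rules):
    """One dict per reject line: who issued it, at which stage, whether it was a
    4xx tempfail, and what check_client_access would return for the client."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        r = REJECT_RE.search(m.group("rest"))
        if not r:
            continue
        # cleanup(8) logs milter-reject; smtpd(8) logs its own restriction rejects.
        source = "milter" if r.group("kind") == "milter-reject" else "smtpd restrictions"
        findings.append({
            "program": m.group("prog"),
            "source": source,
            "stage": r.group("stage"),
            "client": r.group("host"),
            "temporary": r.group("reply").startswith("4"),
            "client_access": access_lookup(rules, r.group("host")),
        })
    return findings


if __name__ == "__main__":
    for f in classify_rejects(LOG, load_regexp_access(WHITELIST)):
        verdict = "tempfail" if f["temporary"] else "reject"
        print(f"{f['client']}: {verdict} by {f['source']} at {f['stage']} "
              f"(check_client_access would return {f['client_access']})")
```

Run against the thread's lines it reports the facebook.com client as whitelisted by the access table yet tempfailed by the milter at END-OF-MESSAGE, which is why the Postfix-side whitelist cannot help.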


[pfx] Re: Change Domain of "from="

2024-05-31 Thread Greg Sims via Postfix-users
I set the following in main.cf

mydestination = localhost

and received the following in our logs:

  May 31 04:42:27 mail01.raystedman.org postfix/local[3978]:
7CE5C30F558E: to=, orig_to=,
relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1, status=bounced
(unknown user: "bounce-local")

  May 31 04:42:27 mail01.raystedman.org postfix/bounce[3970]: warning:
7CE5C30F558E: undeliverable postmaster notification discarded

It appears we are trying to deliver locally now -- a step in the right
direction.

bounce-local is not a rhel user of the local machine -- please note
the entry we have in virtual.

I updated main.cf as follows hoping this will help:

mydestination = $myhostname, localhost.$mydomain, localhost

We know that the SPF error for the double-bounce was trying to be sent
to domain mail01.raystedman.org -- thus $myhostname.

Thanks, Greg

On Thu, May 30, 2024 at 2:52 PM Wietse Venema  wrote:
>
> Greg Sims via Postfix-users:
> > On Thu, May 30, 2024 at 12:27 PM Greg Sims  wrote:
> > >
> > > I believe I am ready to capture the double-bounce locally.
> > >
> > > This is main.cf:
> > >   # 24-05-30 save the bounces locally at bounce-local
> > >   notify_classes = 2bounce, bounce, resource, software
> > >   bounce_notice_recipient = bounce-local
> > >   2bounce_notice_recipient = bounce-local
> > >   virtual_alias_maps = hash:/etc/postfix/virtual
> > >
> > > This is virtual:
> > >   bounce-localbounce-local@localhost
> > >
> > > and ran postmap /etc/postfix/virtual.
> >
> > This does not look good --
> >
> >  May 30 11:30:40 mail01.raystedman.org postfix/t121/smtp[52641]: <<< NOTE 
> > SMTP
> > 4FE9D3061EF0: to=, orig_to=,
> > relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail
> > for localhost loops back to myself)
>
> You are delivering mail for localhost with the Postfix SMTP CLIENT.
>
> Add localhost to main.cf:mydestination and do "postfix reload".
>
> Then, Postfix will use the local delivery agent for localhost mail.
>
> Wietse
>
> >
> >  May 30 11:30:40 mail01.raystedman.org postfix/bounce[52732]: warning:
> > 4FE9D3061EF0: undeliverable postmaster notification discarded
> >
> > The only changes were to set up the local mailbox.
> >
> > Thanks, Greg


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Viktor Dukhovni via Postfix-users
On Fri, May 31, 2024 at 02:01:50PM +0200, Gerben Wierda via Postfix-users wrote:

> It sends: "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\nQUIT\r\n"
> It expects a response that matches regex ^220

Don't send "QUIT\r\n", just send the PROXY handshake and wait for 220,
and then drop the connection, or if not difficult to specify, send QUIT
*after* the 220.

-- 
Viktor.


[pfx] whitelisting and greylisting

2024-05-31 Thread Gerben Wierda via Postfix-users
I have a whitelist file rna_rbl_whitelist_clients that contains:
# Part of smtpd_recipient_restrictions (greylisting is managed per recipient)
# These are the CLIENTS that are allowed to bypass greylisting
/\.facebook\.com$/  OK
/\.facebookmail\.com$/  OK

and the .db file is up to date

And my main.cf says:

smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access 
regexp:/opt/local/etc/postfix/rna_rbl_whitelist_clients,
reject_unknown_reverse_client_hostname,
reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
permit

and

# Rspamd milter [email broken_richtext.eml to test]
milter_protocol = 6
# if rspamd is down, don't reject mail
milter_default_action = accept
# Use rspamd's socket (add 
$queue_directory/opt/local/var/run/rspamd/milter.sock in chroot)
smtpd_milters = 
unix:/opt/local/var/spool/postfix/opt/local/var/run/rspamd/milter.sock
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

But it gets greylisted anyway:

May 31 12:02:13 hermione smtp/smtpd[58412]: connect from 
66-220-155-148.mail-mail.facebook.com[66.220.155.148]
May 31 12:02:14 hermione smtp/smtpd[58412]: 32BB7CA4F79E: 
client=66-220-155-148.mail-mail.facebook.com[66.220.155.148]
May 31 12:02:14 hermione postfix/cleanup[58416]: 32BB7CA4F79E: 
message-id=
May 31 12:02:15 hermione postfix/cleanup[58416]: 32BB7CA4F79E: milter-reject: 
END-OF-MESSAGE from 66-220-155-148.mail-mail.facebook.com[66.220.155.148]: 
4.7.1 Try again later; from= to= 
proto=ESMTP helo=<66-220-155-148.mail-mail.facebook.com>
May 31 12:02:20 hermione smtp/smtpd[58412]: disconnect from 
66-220-155-148.mail-mail.facebook.com[66.220.155.148] ehlo=2 starttls=1 mail=1 
rcpt=1 data=0/1 rset=1 quit=1 commands=7/8

What am I doing wrong?

PS. More config on smtpd:

smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access 
regexp:/opt/local/etc/postfix/rna_rbl_whitelist_clients,
reject_unknown_reverse_client_hostname,
reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
permit
# Drop any SMTP client that talks before its turn (spam botnets in a hurry)
postscreen_greet_action = drop
# Drop any SMTP client that is in the DNSBL
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
postscreen_dnsbl_action = drop
smtpd_delay_reject = yes
smtpd_helo_restrictions =
permit_mynetworks,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit
smtpd_sender_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_sender_domain
smtpd_relay_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_unlisted_recipient
smtpd_data_restrictions =
reject_unauth_pipelining,
permit_mynetworks,
permit_sasl_authenticated,
reject_multi_recipient_bounce



[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Viktor Dukhovni via Postfix-users
On Fri, May 31, 2024 at 01:06:20PM +0200, Gerben Wierda via Postfix-users wrote:

> Hmm, I just noticed (all outgoing smtp was going to a backup server
> that works) that one of my postfix instances cannot send mail (smtp
> doesn't work, postscreen and smtpd work fine).

What *exactly* do you mean by "smtp" doesn't work?  What concrete
evidence can you post to substantiate and detail this?

> # submission (587)
> submission inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission
> 990 inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission_haproxy
>   -o smtpd_upstream_proxy_protocol=haproxy
> 
> The one that haproxy sees as down has been recently updated to postfix 3.9

Often, Postfix updates are part of a broader update of other system
packages, perhaps the issue is with one of those.

> So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down.
> In reality, both are up.

How could "haproxy" "see" "smtp" as down, the smtp(8) delivery agent
is not a network listener and haproxy does not connect to it.  If you
mean incoming SMTP on port 25 (the "smtp/inet" service in master.cf),
that's still "smtpd", so best to not call it "smtp".

Also why not post that master.cf entry?  And some logging for
"postfix/smtpd" (assuming default syslog_name).

> What should I do? Revert to postfix 3.8? I rather not, I rather would
> upgrade the other to 3.9 (but if I do that, I probably lose all smtp
> behind HAproxy for now)

Reverting Postfix is unlikely to help, Postfix is very stable software,
and a configuration that isn't working with 3.9 likely won't work also
with 3.8.

-- 
Viktor.


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users

> On 31 May 2024, at 13:20, pat...@patpro.net wrote:
> 
> Hello,
> 
> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
> errors/abuse/half-baked connections?

Not blacklisting as I understand it, but as HAproxy makes a connection to test 
if the service is up and then breaks the connection I always see this on both 
systems:

On the postfix 3.9 instance
May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: connect from 
router.rna.nl[192.168.2.2]
May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: improper command 
pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
May 26 05:31:33 hermione submission_haproxy/smtpd[21485]: disconnect from 
router.rna.nl[192.168.2.2] commands=0/0

On the postfix 3.8.6 instance:
May 25 22:02:16 snape submission_haproxy/smtpd[28756]: connect from 
router.rna.nl[192.168.2.2]
May 25 22:02:16 snape submission_haproxy/smtpd[28756]: improper command 
pipelining after CONNECT from router.rna.nl[192.168.2.2]: QUIT\r\n
May 25 22:02:16 snape submission_haproxy/smtpd[28756]: disconnect from 
router.rna.nl[192.168.2.2] quit=1 commands=1

And the test that HAproxy does if port 25 is up are identical too:

On the postfix 3.9 instance
May 26 05:39:29 hermione smtp_haproxy/postscreen[21786]: CONNECT from 
[192.168.2.2]:65535 to [192.168.2.2]:25
May 26 05:39:29 hermione smtp_haproxy/postscreen[21786]: ALLOWLISTED 
[192.168.2.2]:65535
May 26 05:39:29 hermione smtp/smtpd[21788]: connect from 
router.rna.nl[192.168.2.2]
May 26 05:39:29 hermione smtp/smtpd[21788]: disconnect from 
router.rna.nl[192.168.2.2] quit=1 commands=1

On the postfix 3.8.6 instance:
May 25 22:10:57 snape smtp_haproxy/postscreen[28766]: CONNECT from 
[192.168.2.2]:65535 to [192.168.2.2]:25
May 25 22:10:57 snape smtp_haproxy/postscreen[28766]: ALLOWLISTED 
[192.168.2.2]:65535
May 25 22:10:57 snape smtp/smtpd[28768]: connect from router.rna.nl[192.168.2.2]
May 25 22:10:57 snape smtp/smtpd[28768]: disconnect from 
router.rna.nl[192.168.2.2] quit=1 commands=1

Actually, it looks like the response from postfix 3.9 has changed with respect 
to postfix 3.8.6 so in the HAproxy log I see

2024-05-23T01:28:29 Alert   haproxy Server mail.rna.nl.990/hermione-990 is 
DOWN. 0 active and 1 backup servers left. Running on backup. 0 sessions active, 
0 requeued, 0 remaining in queue.
2024-05-23T01:28:29 Notice  haproxy Health check for server 
mail.rna.nl.990/hermione-990 failed, reason: Layer7 invalid response, info: 
"TCPCHK did not match content (regex) at step 2", check duration: 45ms, status: 
0/2 DOWN.   
2024-05-23T01:27:23 Notice  haproxy Health check for backup server 
mail.rna.nl.991/snape-991 succeeded, reason: Layer7 check passed, code: 0, 
info: "(tcp-check)", check duration: 14ms, status: 3/3 UP.

HAproxy is configured:
It sends: "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\nQUIT\r\n"
It expects a response that matches regex ^220

Now, weirdly enough, when I send "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587" 
via nc both react the same:

On the postfix 3.8.6 instance:

root@hermione ~ # nc -v 192.168.2.125 990
Connection to 192.168.2.125 port 990 [tcp/ftps] succeeded!
PROXY TCP4 192.168.2.2 192.168.2.2 65535 587
220 mail.rna.nl
^C

On the postfix 3.9 instance
root@hermione ~ # nc -v 192.168.2.86 990 
Connection to 192.168.2.86 port 990 [tcp/ftps] succeeded!
PROXY TCP4 192.168.2.2 192.168.2.2 65535 587
220 mail.rna.nl
^C

Could it be that the immediate QUIT command in that health check is creating 
this problem on 3.9 because it is sent before 220 is received?

G

> 
> May 31, 2024 1:06 PM, "Gerben Wierda via Postfix-users" wrote:
> Hmm, I just noticed (all outgoing smtp was going to a backup server that 
> works) that one of my postfix instances cannot send mail (smtp doesn't work, 
> postscreen and smtpd work fine).
> # submission (587)
> submission inet n - n - - smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes
> -o syslog_name=submission
> 990 inet n - n - - smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes
> -o syslog_name=submission_haproxy
> -o smtpd_upstream_proxy_protocol=haproxy
> The one that haproxy sees as down has been recently updated to postfix 3.9
> So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down. In 
> reality, both are up.
> It probably started to behave this when I installed postfix 3.9 on one side, 
> though I cannot exclude that I updated HAproxy too, so I am not 100% certain.
> What should I do? Revert to postfix 3.8? I rather not, I rather would upgrade 
> the other to 3.9 (but if I do that, I probably lose all smtp behind HAproxy 
> for now)

[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Wietse Venema via Postfix-users
Gerben Wierda via Postfix-users:
> Hmm, I just noticed (all outgoing smtp was going to a backup server that 
> works) that one of my postfix instances cannot send mail (smtp doesn't work, 
> postscreen and smtpd work fine).
> 
> # submission (587)
> submission inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission
> 990 inet n   -   n   -   -   smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission_haproxy
>   -o smtpd_upstream_proxy_protocol=haproxy
> 
> The one that haproxy sees as down has been recently updated to postfix 3.9
> 
> So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down. In 
> reality, both are up.

Postfix logging for failed haproxy connections would be extremely
informative.

There was a change in how Postfix detects clients that talk too early
(smtpd_forbid_unauth_pipelining = yes). This was disabled prior to
Postfix 3.9. Perhaps haproxy falls into this trap.

Wietse

> It probably started to behave this when I installed postfix 3.9 on one side, 
> though I cannot exclude that I updated HAproxy too, so I am not 100% certain.
> 
> What should I do? Revert to postfix 3.8? I rather not, I rather would upgrade 
> the other to 3.9 (but if I do that, I probably lose all smtp behind HAproxy 
> for now)
> 

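The failing health check ("PROXY ...\r\nQUIT\r\n"), the fix Viktor and Wietse describe (wait for 220 before QUIT), and the effect of smtpd_forbid_unauth_pipelining side by side, as an added example that is not code from the thread, HAproxy or Postfix: a Python probe runs against a constructed stand-in server that only models the logged behaviour. The PROXY header values are the thread's; the banner, the 521 reply text and the loopback port are constructed.

```python
"""Health-probe demo for a PROXY-protocol submission port.  The server is a
constructed stand-in for the logged smtpd behaviour, not Postfix."""
import re
import select
import socket
import threading

# PROXY protocol v1 header, e.g. "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\n"
PROXY_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n$")
BANNER = b"220 mail.example.test ESMTP\r\n"   # constructed; HAproxy expects ^220


def proxy_v1_header(src_ip, dst_ip, src_port, dst_port, family="TCP4"):
    """Build the PROXY v1 line that HAproxy sends first on a proxied port."""
    line = f"PROXY {family} {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()
    if not PROXY_V1.match(line):
        raise ValueError(f"malformed PROXY v1 header: {line!r}")
    return line


def read_line(sock):
    """Read one CRLF-terminated line byte by byte, so that anything sent after
    it stays queued in the kernel buffer (that is what exposes early talkers)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


class StandInProxySmtpd(threading.Thread):
    """One-connection stand-in for smtpd with smtpd_upstream_proxy_protocol=haproxy.
    forbid=True models smtpd_forbid_unauth_pipelining=yes: a client whose next
    command is already queued before the banner is written gets refused."""

    def __init__(self, forbid):
        super().__init__(daemon=True)
        self.forbid = forbid
        self.log = []                       # what a real server would syslog
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        with conn, self.listener:
            hdr = PROXY_V1.match(read_line(conn))
            if not hdr:
                conn.sendall(b"421 4.3.0 bad PROXY header\r\n")
                return
            client = hdr.group(2).decode()
            self.log.append(f"connect from [{client}]")
            # Bytes already waiting before the banner goes out: talking too early.
            early, _, _ = select.select([conn], [], [], 0.2)
            cmd = None
            if early:
                cmd = read_line(conn).decode(errors="replace")
                self.log.append("improper command pipelining after CONNECT "
                                f"from [{client}]: {cmd!r}")
                if self.forbid:
                    conn.sendall(b"521 5.5.1 command pipelining before banner\r\n")
                    self.log.append(f"disconnect from [{client}] commands=0/0")
                    return
            conn.sendall(BANNER)
            if cmd is None:
                cmd = read_line(conn).decode(errors="replace")
            if cmd.strip().upper() == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
            self.log.append(f"disconnect from [{client}] quit=1 commands=1")


def probe(port, header, quit_pipelined):
    """Health probe.  quit_pipelined=True reproduces the thread's failing check
    (PROXY header and QUIT in one write); False waits for 220 before QUIT.
    Returns (passed, first_reply); passed mirrors HAproxy's 'expect ^220'."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        s.sendall(header + b"QUIT\r\n" if quit_pipelined else header)
        reply = read_line(s).decode(errors="replace").strip()
        if not reply.startswith("220"):
            return False, reply
        if not quit_pipelined:
            s.sendall(b"QUIT\r\n")          # QUIT only after the server spoke
            read_line(s)                    # 221
        return True, reply


def run_demo():
    """Run the three situations from the thread; returns {case: (passed, reply, log)}."""
    header = proxy_v1_header("192.168.2.2", "192.168.2.2", 65535, 587)
    cases = {"pipelined-forbid": (True, True),    # check on, QUIT pipelined
             "pipelined-allow": (False, True),    # check off, QUIT pipelined
             "polite-forbid": (True, False)}      # check on, QUIT after 220
    results = {}
    for name, (forbid, pipelined) in cases.items():
        srv = StandInProxySmtpd(forbid)
        srv.start()
        passed, reply = probe(srv.port, header, pipelined)
        srv.join(timeout=3)
        results[name] = (passed, reply, srv.log)
    return results


if __name__ == "__main__":
    for name, (passed, reply, log) in run_demo().items():
        print(f"{name}: {'UP' if passed else 'DOWN'} ({reply})")
        for entry in log:
            print("   ", entry)
```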


[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread patpro--- via Postfix-users
Hello,

Any sign of postfix 3.9 blacklisting HAproxy because of SMTP 
errors/abuse/half-baked connections?
May 31, 2024 1:06 PM, "Gerben Wierda via Postfix-users" wrote:

> Hmm, I just noticed (all outgoing smtp was going to a backup server that works) 
> that one of my postfix instances cannot send mail (smtp doesn't work, 
> postscreen and smtpd work fine).
> 
> # submission (587)
> submission inet n - n - - smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission
> 990 inet n - n - - smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o syslog_name=submission_haproxy
>   -o smtpd_upstream_proxy_protocol=haproxy
> 
> The one that haproxy sees as down has been recently updated to postfix 3.9
> 
> So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down. In 
> reality, both are up.
> 
> It probably started to behave this when I installed postfix 3.9 on one side, 
> though I cannot exclude that I updated HAproxy too, so I am not 100% certain.
> 
> What should I do? Revert to postfix 3.8? I rather not, I rather would upgrade 
> the other to 3.9 (but if I do that, I probably lose all smtp behind HAproxy for 
> now) 
> 
> Gerben Wierda (LinkedIn (https://www.linkedin.com/in/gerbenwierda), Mastodon 
> (https://newsie.social/@gctwnl))
> R IT Strategy (https://ea.rna.nl/) (main site)
> Book: Chess and the Art of Enterprise Architecture (https://ea.rna.nl/the-book/)
> Book: Mastering ArchiMate (https://ea.rna.nl/the-book-edition-iii/)
> YouTube Channel (http://www.youtube.com/@GerbenWierda)


[pfx] HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
Hmm, I just noticed (all outgoing smtp was going to a backup server that works) 
that one of my postfix instances cannot send mail (smtp doesn't work, 
postscreen and smtpd work fine).

# submission (587)
submission inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission
990 inet n   -   n   -   -   smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o syslog_name=submission_haproxy
  -o smtpd_upstream_proxy_protocol=haproxy

The one that haproxy sees as down has been recently updated to postfix 3.9

So, HAproxy sees smtpd as up on postfix 3.9 but it sees smtp as down. In 
reality, both are up.

It probably started to behave this way when I installed postfix 3.9 on one side, 
though I cannot exclude that I updated HAproxy too, so I am not 100% certain.

What should I do? Revert to postfix 3.8? I'd rather not; I'd rather upgrade 
the other to 3.9 (but if I do that, I probably lose all smtp behind HAproxy for 
now).

Gerben Wierda (LinkedIn (https://www.linkedin.com/in/gerbenwierda), Mastodon 
(https://newsie.social/@gctwnl))
R IT Strategy (https://ea.rna.nl/) (main site)
Book: Chess and the Art of Enterprise Architecture (https://ea.rna.nl/the-book/)
Book: Mastering ArchiMate (https://ea.rna.nl/the-book-edition-iii/)
YouTube Channel (http://www.youtube.com/@GerbenWierda)


[pfx] Re: Frustrated and sad - Authentication required

2024-05-31 Thread Viktor Dukhovni via Postfix-users
On Fri, May 31, 2024 at 12:33:34AM +, Mailman29 via Postfix-users wrote:

> Yeah, so even changing the domain name on the server (Ubuntu) itself
> doesn't fix the issue. It must be ip based. Since the proxy and
> Postfix share an IP address, Postfix will always think it's looping
> back to itself. Is that correct? 

The Postfix SMTP client checks for its own IP address, and for its own
hostname in the EHLO response, only when relaying to port 25; on other
ports the loop checks are suppressed.

If you must forward via port 25, you need to ensure that the remote IP
is not listed in "inet_interfaces" and the hostname in the remote EHLO
response is not the same as $myhostname.

-- 
Viktor.


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
Yeah, so even changing the domain name on the server (Ubuntu) itself doesn't 
fix the issue. It must be ip based. Since the proxy and Postfix share an IP 
address, Postfix will always think it's looping back to itself. Is that 
correct? 





On Thursday, May 30th, 2024 at 5:55 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > Have a good pub visit.
> > Changing the "myhostname" line in postfix has zero effect. It still says 
> > "loops back to myself" :(
> 
> 
> Having a problem? https://www.postfix.org/DEBUG_README.html#mail
> 
> Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Have a good pub visit. 
> Changing the "myhostname" line in postfix has zero effect. It still says 
> "loops back to myself" :(

Having a problem?  https://www.postfix.org/DEBUG_README.html#mail

Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
Have a good pub visit. 
Changing the "myhostname" line in postfix has zero effect. It still says "loops 
back to myself" :(





On Thursday, May 30th, 2024 at 4:07 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > The network diagram you have is correct. I'm afraid I don't
> > understand the "use loopback for internal communication". There's
> > no internal communication. Should I just put 127.0.0.1 in my main.cf
> > in place of "mail2"?
> 
> 
> - External: communication from internet to haproxy.
> 
> - Internal: communication between haproxy and front-end MTA.
> 
> - Internal: communication between front-end MTA and back-end MTA.
> 
> The internal communication endpoints are supposed to be hidden from
> the public internet, so that mail from outside can only flow over
> the intended path, not around it.
> 
> It's time to go to the pub. Cheers.
> 
> Wietse
> 
> > Sent with Proton Mail secure email.
> > 
> > On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29 via Postfix-users:
> > > 
> > > > myhostname is set to "mail2" in main.cf, but the mx record points
> > > > to mail.somedomain.com, (they share the same IP though) would it
> > > > be doing an ip lookup first? I guess I need to "trick" it into
> > > > thinking it's not the same if it's IP based.
> > > 
> > > Postfix requires transport_maps to forward mail from a front-end
> > > MTA to a backend MTA. Other approaches are not supported.
> > > 
> > > Based on your earlier description I expect something like:
> > > 
> > > public IP address, port 25: haproxy ->
> > > 
> > > hidden port or address: frontend MTA with transport_maps ->
> > > 
> > > hidden port or address: backend MTA
> > > 
> > > If all this runs on a single host, and you use loopback (127.0.0.1)
> > > for internal communication, then Postfix won't care whether servers
> > > use the same MTA name.
> > > 
> > > If you use a non-routable network such as 10.* or 192.168.* for
> > > internal communication, then you will need distinct MTA names.
> > > 
> > > However, for sanity's sake, I'd always recommend that different MTA
> > > instances identify themselves with different names. Otherwise your
> > > logging will be incomprehensible.
> > > 
> > > Wietse
> > > 
> > > > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > > > postfix-users@postfix.org wrote:
> > > > 
> > > > > Mailman29 via Postfix-users:
> > > > > 
> > > > > > Well the logs say this, which doesn't help.
> > > > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > > > loops back to myself)
> > > > > 
> > > > > On the contrary, it says that you have configured a mailer loop,
> > > > > or that you have two different mail services that use the same MTA
> > > > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > > > 
> > > > > > The domain and the postfix server do share the same IP (haproxy
> > > > > > server), but if Postfix would deliver the bounce message it would
> > > > > > get passed through the proxy to the mail server backend. Is there
> > > > > > a way to force this?
> > > > > 
> > > > > 1) If the Postfix machine is a front-end for a backend server, then
> > > > > Postfix must be configured as a mail gateway, and there should be
> > > > > a transport_maps setting that routes mail for the domain to the
> > > > > backend instead of sending it to the public internet address. See
> > > > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > > > 
> > > > > 2) If your Postfix server is behind an inbound proxy server, then
> > > > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > > > so that Postfix will know that it should not try to connect there.
> > > > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > > > 
> > > > > 3) If you really have more than one mail server, then they must
> > > > > have different MTA names (In Postfix parlance the MTA name is the
> > > > > myhostname setting).
> > > > > 
> > > > > Wietse
> > > > > 
> > > > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via 
> > > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > > 
> > > > > > > Mailman29:
> > > > > > > 
> > > > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> > > > > > > > mail server!
> > > > > > > > 
> > > > > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > > > > seems they just disappear into the ether!
> > > > > > > 
> > > > > > > Look in your logs: 
> > > > > > > https://www.postfix.org/DEBUG_README.html#logging
> > > > > > > 
> > > > > > > If you don't understand an error or warning message, report the
> > > > > > > problem on the postfix-users mailing list.
> > > > > > > 

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> 
> 
> The network diagram you have is correct. I'm afraid I don't
> understand the "use loopback for internal communication". There's
> no internal communication. Should I just put 127.0.0.1 in my main.cf
> in place of "mail2"?

- External: communication from internet to haproxy.

- Internal: communication between haproxy and front-end MTA.

- Internal: communication between front-end MTA and back-end MTA.

The internal communication endpoints are supposed to be hidden from
the public internet, so that mail from outside can only flow over
the intended path, not around it.

It's time to go to the pub. Cheers.

Wietse

> Sent with Proton Mail secure email.
> 
> On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > myhostname is set to "mail2" in main.cf, but the mx record points
> > > to mail.somedomain.com, (they share the same IP though) would it
> > > be doing an ip lookup first? I guess I need to "trick" it into
> > > thinking it's not the same if it's IP based.
> > 
> > 
> > Postfix requires transport_maps to forward mail from a front-end
> > MTA to a backend MTA. Other approaches are not supported.
> > 
> > Based on your earlier description I expect something like:
> > 
> > public IP address, port 25: haproxy ->
> > 
> > 
> > hidden port or address: frontend MTA with transport_maps ->
> > 
> > 
> > hidden port or address: backend MTA
> > 
> > If all this runs on a single host, and you use loopback (127.0.0.1)
> > for internal communication, then Postfix won't care whether servers
> > use the same MTA name.
> > 
> > If you use a non-routable network such as 10.* or 192.168.* for
> > internal communication, then you will need distinct MTA names.
> > 
> > However, for sanity's sake, I'd always recommend that different MTA
> > instances identify themselves with different names. Otherwise your
> > logging will be incomprehensible.
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29 via Postfix-users:
> > > > 
> > > > > Well the logs say this, which doesn't help.
> > > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > > loops back to myself)
> > > > 
> > > > On the contrary, it says that you have configured a mailer loop,
> > > > or that you have two different mail services that use the same MTA
> > > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > > 
> > > > > The domain and the postfix server do share the same IP (haproxy
> > > > > server), but if Postfix would deliver the bounce message it would
> > > > > get passed through the proxy to the mail server backend. Is there
> > > > > a way to force this?
> > > > 
> > > > 1) If the Postfix machine is a front-end for a backend server, then
> > > > Postfix must be configured as a mail gateway, and there should be
> > > > a transport_maps setting that routes mail for the domain to the
> > > > backend instead of sending it to the public internet address. See
> > > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > > 
> > > > 2) If your Postfix server is behind an inbound proxy server, then
> > > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > > so that Postfix will know that it should not try to connect there.
> > > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > > 
> > > > 3) If you really have more than one mail server, then they must
> > > > have different MTA names (In Postfix parlance the MTA name is the
> > > > myhostname setting).
> > > > 
> > > > Wietse
> > > > 
> > > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via 
> > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > 
> > > > > > Mailman29:
> > > > > > 
> > > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> > > > > > > mail server!
> > > > > > > 
> > > > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > > > seems they just disappear into the ether!
> > > > > > 
> > > > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > > > 
> > > > > > If you don't understand an error or warning message, report the
> > > > > > problem on the postfix-users mailing list.
> > > > > > 
> > > > > > Wietse
> > > > > > 
> > > > > > > Sent with Proton Mail secure email.
> > > > > > > 
> > > > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > > > 
> > > > > > > > Mailman29 via Postfix-users:
> > > > > > > > 
> > > > > > > > > HI guys.
> > > > > > > > > I'm having an awful time getting postfix to work in one form 
> > > > > > > > > only.
> > > 

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users



The network diagram you have is correct. I'm afraid I don't understand the "use 
loopback for internal communication". There's no internal communication. Should 
I just put 127.0.0.1 in my main.cf in place of "mail2"?


Sent with Proton Mail secure email.

On Thursday, May 30th, 2024 at 3:39 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > myhostname is set to "mail2" in main.cf, but the mx record points
> > to mail.somedomain.com, (they share the same IP though) would it
> > be doing an ip lookup first? I guess I need to "trick" it into
> > thinking it's not the same if it's IP based.
> 
> 
> Postfix requires transport_maps to forward mail from a front-end
> MTA to a backend MTA. Other approaches are not supported.
> 
> Based on your earlier description I expect something like:
> 
> public IP address, port 25: haproxy ->
> 
> 
> hidden port or address: frontend MTA with transport_maps ->
> 
> 
> hidden port or address: backend MTA
> 
> If all this runs on a single host, and you use loopback (127.0.0.1)
> for internal communication, then Postfix won't care whether servers
> use the same MTA name.
> 
> If you use a non-routable network such as 10.* or 192.168.* for
> internal communication, then you will need distinct MTA names.
> 
> However, for sanity's sake, I'd always recommend that different MTA
> instances identify themselves with different names. Otherwise your
> logging will be incomprehensible.
> 
> Wietse
> 
> > On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29 via Postfix-users:
> > > 
> > > > Well the logs say this, which doesn't help.
> > > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > > loops back to myself)
> > > 
> > > On the contrary, it says that you have configured a mailer loop,
> > > or that you have two different mail services that use the same MTA
> > > name (in Postfix parlance, the MTA name is the myhostname setting).
> > > 
> > > > The domain and the postfix server do share the same IP (haproxy
> > > > server), but if Postfix would deliver the bounce message it would
> > > > get passed through the proxy to the mail server backend. Is there
> > > > a way to force this?
> > > 
> > > 1) If the Postfix machine is a front-end for a backend server, then
> > > Postfix must be configured as a mail gateway, and there should be
> > > a transport_maps setting that routes mail for the domain to the
> > > backend instead of sending it to the public internet address. See
> > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > > 
> > > 2) If your Postfix server is behind an inbound proxy server, then
> > > you MUST specify the external address with main.cf:proxy_interfaces,
> > > so that Postfix will know that it should not try to connect there.
> > > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > > 
> > > 3) If you really have more than one mail server, then they must
> > > have different MTA names (In Postfix parlance the MTA name is the
> > > myhostname setting).
> > > 
> > > Wietse
> > > 
> > > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > > > postfix-users@postfix.org wrote:
> > > > 
> > > > > Mailman29:
> > > > > 
> > > > > > Brilliant! I had a loop with haproxy that pointed it back at my 
> > > > > > mail server!
> > > > > > 
> > > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > > seems they just disappear into the ether!
> > > > > 
> > > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > > 
> > > > > If you don't understand an error or warning message, report the
> > > > > problem on the postfix-users mailing list.
> > > > > 
> > > > > Wietse
> > > > > 
> > > > > > Sent with Proton Mail secure email.
> > > > > > 
> > > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > > 
> > > > > > > Mailman29 via Postfix-users:
> > > > > > > 
> > > > > > > > HI guys.
> > > > > > > > I'm having an awful time getting postfix to work in one form 
> > > > > > > > only.
> > > > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > > > accounts, and accepts no incoming mail. It's only for sending 
> > > > > > > > from
> > > > > > > > my local server.
> > > > > > > > 
> > > > > > > > Here's my main.cf, as you can see I have it set up to accept 
> > > > > > > > mail
> > > > > > > > from my IP address only, but every time I try to send mail 
> > > > > > > > through
> > > > > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > > > > 
> > > > > > > > --> EHLO mail!
> > > > > > > > 

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> myhostname is set to "mail2" in main.cf, but the mx record points
> to mail.somedomain.com, (they share the same IP though) would it
> be doing an ip lookup first? I guess I need to "trick" it into
> thinking it's not the same if it's IP based.

Postfix requires transport_maps to forward mail from a front-end
MTA to a backend MTA. Other approaches are not supported.

Based on your earlier description I expect something like:

public IP address, port 25: haproxy -> 

hidden port or address: frontend MTA with transport_maps -> 

hidden port or address: backend MTA

If all this runs on a single host, and you use loopback (127.0.0.1)
for internal communication, then Postfix won't care whether servers
use the same MTA name.

If you use a non-routable network such as 10.* or 192.168.* for
internal communication, then you will need distinct MTA names.

However, for sanity's sake, I'd always recommend that different MTA
instances identify themselves with different names. Otherwise your
logging will be incomprehensible.

Wietse

> On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > Well the logs say this, which doesn't help.
> > > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > > loops back to myself)
> > 
> > On the contrary, it says that you have configured a mailer loop,
> > or that you have two different mail services that use the same MTA
> > name (in Postfix parlance, the MTA name is the myhostname setting).
> > 
> > > The domain and the postfix server do share the same IP (haproxy
> > > server), but if Postfix would deliver the bounce message it would
> > > get passed through the proxy to the mail server backend. Is there
> > > a way to force this?
> > 
> > 1) If the Postfix machine is a front-end for a backend server, then
> > Postfix must be configured as a mail gateway, and there should be
> > a transport_maps setting that routes mail for the domain to the
> > backend instead of sending it to the public internet address. See
> > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> > 
> > 2) If your Postfix server is behind an inbound proxy server, then
> > you MUST specify the external address with main.cf:proxy_interfaces,
> > so that Postfix will know that it should not try to connect there.
> > https://www.postfix.org/postconf.5.html#proxy_interfaces
> > 
> > 3) If you really have more than one mail server, then they must
> > have different MTA names (In Postfix parlance the MTA name is the
> > myhostname setting).
> > 
> > Wietse
> > 
> > > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29:
> > > > 
> > > > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > > > server!
> > > > > 
> > > > > Now, how do I get postfix to send failures etc to my server? It
> > > > > seems they just disappear into the ether!
> > > > 
> > > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > > 
> > > > If you don't understand an error or warning message, report the
> > > > problem on the postfix-users mailing list.
> > > > 
> > > > Wietse
> > > > 
> > > > > Sent with Proton Mail secure email.
> > > > > 
> > > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > > Postfix-users postfix-users@postfix.org wrote:
> > > > > 
> > > > > > Mailman29 via Postfix-users:
> > > > > > 
> > > > > > > HI guys.
> > > > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > > > my local server.
> > > > > > > 
> > > > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > > > from my IP address only, but every time I try to send mail through
> > > > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > > > 
> > > > > > > --> EHLO mail!
> > > > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to 
> > > > > > > meet you
> > > > > > 
> > > > > > THAT IS NOT Postfix. You can tweak settings and it will have no
> > > > > > effect, because you are not talking to Postfix.
> > > > > > 
> > > > > > I suggest that you look in the maillog file to find out what
> > > > > > program is answering the connection.
> > > > > > 
> > > > > > Wietse
> > > > 
> > > > 

[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
myhostname is set to "mail2" in main.cf, but the mx record points to 
mail.somedomain.com, (they share the same IP though) would it be doing an ip 
lookup first? I guess I need to "trick" it into thinking it's not the same if 
it's IP based. 






On Thursday, May 30th, 2024 at 2:34 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29 via Postfix-users:
> 
> > Well the logs say this, which doesn't help.
> > May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> > to=prvs=1880817b8e=myem...@somedomain.com, relay=none, delay=5.2,
> > delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> > loops back to myself)
> 
> 
> On the contrary, it says that you have configured a mailer loop,
> or that you have two different mail services that use the same MTA
> name (in Postfix parlance, the MTA name is the myhostname setting).
> 
> > The domain and the postfix server do share the same IP (haproxy
> > server), but if Postfix would deliver the bounce message it would
> > get passed through the proxy to the mail server backend. Is there
> > a way to force this?
> 
> 
> 1) If the Postfix machine is a front-end for a backend server, then
> Postfix must be configured as a mail gateway, and there should be
> a transport_maps setting that routes mail for the domain to the
> backend instead of sending it to the public internet address. See
> https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> 
> 2) If your Postfix server is behind an inbound proxy server, then
> you MUST specify the external address with main.cf:proxy_interfaces,
> so that Postfix will know that it should not try to connect there.
> https://www.postfix.org/postconf.5.html#proxy_interfaces
> 
> 3) If you really have more than one mail server, then they must
> have different MTA names (In Postfix parlance the MTA name is the
> myhostname setting).
> 
> Wietse
> 
> > On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29:
> > > 
> > > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > > server!
> > > > 
> > > > Now, how do I get postfix to send failures etc to my server? It
> > > > seems they just disappear into the ether!
> > > 
> > > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > > 
> > > If you don't understand an error or warning message, report the
> > > problem on the postfix-users mailing list.
> > > 
> > > Wietse
> > > 
> > > > Sent with Proton Mail secure email.
> > > > 
> > > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via 
> > > > Postfix-users postfix-users@postfix.org wrote:
> > > > 
> > > > > Mailman29 via Postfix-users:
> > > > > 
> > > > > > HI guys.
> > > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > > my local server.
> > > > > > 
> > > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > > from my IP address only, but every time I try to send mail through
> > > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > > 
> > > > > > --> EHLO mail!
> > > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to 
> > > > > > meet you
> > > > > 
> > > > > THAT IS NOT Postfix. You can tweak settings and it will have no
> > > > > effect, because you are not talking to Postfix.
> > > > > 
> > > > > I suggest that you look in the maillog file to find out what
> > > > > program is answering the connection.
> > > > > 
> > > > > Wietse


[pfx] Re: Change Domain of "from="

2024-05-30 Thread Wietse Venema via Postfix-users
Greg Sims via Postfix-users:
> On Thu, May 30, 2024 at 12:27 PM Greg Sims  wrote:
> >
> > I believe I am ready to capture the double-bounce locally.
> >
> > This is main.cf:
> >   # 24-05-30 save the bounces locally at bounce-local
> >   notify_classes = 2bounce, bounce, resource, software
> >   bounce_notice_recipient = bounce-local
> >   2bounce_notice_recipient = bounce-local
> >   virtual_alias_maps = hash:/etc/postfix/virtual
> >
> > This is virtual:
> >   bounce-localbounce-local@localhost
> >
> > and ran postmap /etc/postfix/virtual.
> 
> This does not look good --
> 
>  May 30 11:30:40 mail01.raystedman.org postfix/t121/smtp[52641]: <<< NOTE SMTP
> 4FE9D3061EF0: to=, orig_to=,
> relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail
> for localhost loops back to myself)

You are delivering mail for localhost with the Postfix SMTP CLIENT.

Add localhost to main.cf:mydestination and do "postfix reload".

Then, Postfix will use the local delivery agent for localhost mail.

Wietse

> 
>  May 30 11:30:40 mail01.raystedman.org postfix/bounce[52732]: warning:
> 4FE9D3061EF0: undeliverable postmaster notification discarded
> 
> The only changes were to set up the local mailbox.
> 
> Thanks, Greg


[pfx] Re: Change Domain of "from="

2024-05-30 Thread Greg Sims via Postfix-users
On Thu, May 30, 2024 at 12:27 PM Greg Sims  wrote:
>
> I believe I am ready to capture the double-bounce locally.
>
> This is main.cf:
>   # 24-05-30 save the bounces locally at bounce-local
>   notify_classes = 2bounce, bounce, resource, software
>   bounce_notice_recipient = bounce-local
>   2bounce_notice_recipient = bounce-local
>   virtual_alias_maps = hash:/etc/postfix/virtual
>
> This is virtual:
>   bounce-localbounce-local@localhost
>
> and ran postmap /etc/postfix/virtual.

This does not look good --

 May 30 11:30:40 mail01.raystedman.org postfix/t121/smtp[52641]:
4FE9D3061EF0: to=, orig_to=,
relay=none, delay=0, delays=0/0/0/0, dsn=5.4.6, status=bounced (mail
for localhost loops back to myself)

 May 30 11:30:40 mail01.raystedman.org postfix/bounce[52732]: warning:
4FE9D3061EF0: undeliverable postmaster notification discarded

The only changes were to set up the local mailbox.

Thanks, Greg


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> Well the logs say this, which doesn't help. 
> May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501:
> to=, relay=none, delay=5.2,
> delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com
> loops back to myself)

On the contrary, it says that you have configured a mailer loop,
or that you have two different mail services that use the same MTA
name (in Postfix parlance, the MTA name is the myhostname setting).

> The domain and the postfix server do share the same IP (haproxy
> server), but if Postfix would deliver the bounce message it would
> get passed through the proxy to the mail server backend. Is there
> a way to force this?

1) If the Postfix machine is a front-end for a backend server, then
Postfix must be configured as a mail gateway, and there should be
a transport_maps setting that routes mail for the domain to the
backend instead of sending it to the public internet address. See
https://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall

2) If your Postfix server is behind an inbound proxy server, then
you MUST specify the external address with main.cf:proxy_interfaces,
so that Postfix will know that it should not try to connect there.
https://www.postfix.org/postconf.5.html#proxy_interfaces

3) If you really have more than one mail server, then they must
have different MTA names (In Postfix parlance the MTA name is the
myhostname setting).

Wietse

> On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29:
> > 
> > > Brilliant! I had a loop with haproxy that pointed it back at my mail 
> > > server!
> > > 
> > > Now, how do I get postfix to send failures etc to my server? It
> > > seems they just disappear into the ether!
> > 
> > 
> > Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> > 
> > If you don't understand an error or warning message, report the
> > problem on the postfix-users mailing list.
> > 
> > Wietse
> > 
> > > Sent with Proton Mail secure email.
> > > 
> > > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
> > > postfix-users@postfix.org wrote:
> > > 
> > > > Mailman29 via Postfix-users:
> > > > 
> > > > > HI guys.
> > > > > I'm having an awful time getting postfix to work in one form only.
> > > > > Accept mail from one ip address only, regardless of the sender's
> > > > > domain name, and send it out to the recipients. Postfix has no
> > > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > > my local server.
> > > > > 
> > > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > > from my IP address only, but every time I try to send mail through
> > > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > > 
> > > > > --> EHLO mail!
> > > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet 
> > > > > you
> > > > 
> > > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > > because you are not talking to Postfix.
> > > > 
> > > > I suggest that you look in the maillog file to find out what
> > > > program is answering the connection.
> > > > 
> > > > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
Well the logs say this, which doesn't help. 
May 30 14:01:02 mail2 postfix/smtp[1390778]: C5DCBA0501: 
to=, relay=none, delay=5.2, 
delays=0/0/5.2/0, dsn=5.4.6, status=bounced (mail for somedomain.com loops back 
to myself)

The domain and the postfix server do share the same IP (haproxy server), but if 
Postfix would deliver the bounce message it would get passed through the proxy 
to the mail server backend. Is there a way to force this?


On Thursday, May 30th, 2024 at 1:46 PM, Wietse Venema via Postfix-users 
 wrote:

> Mailman29:
> 
> > Brilliant! I had a loop with haproxy that pointed it back at my mail server!
> > 
> > Now, how do I get postfix to send failures etc to my server? It
> > seems they just disappear into the ether!
> 
> 
> Look in your logs: https://www.postfix.org/DEBUG_README.html#logging
> 
> If you don't understand an error or warning message, report the
> problem on the postfix-users mailing list.
> 
> Wietse
> 
> > Sent with Proton Mail secure email.
> > 
> > On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
> > postfix-users@postfix.org wrote:
> > 
> > > Mailman29 via Postfix-users:
> > > 
> > > > HI guys.
> > > > I'm having an awful time getting postfix to work in one form only.
> > > > Accept mail from one ip address only, regardless of the sender's
> > > > domain name, and send it out to the recipients. Postfix has no
> > > > accounts, and accepts no incoming mail. It's only for sending from
> > > > my local server.
> > > > 
> > > > Here's my main.cf, as you can see I have it set up to accept mail
> > > > from my IP address only, but every time I try to send mail through
> > > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > > 
> > > > --> EHLO mail!
> > > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > > 
> > > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > > because you are not talking to Postfix.
> > > 
> > > I suggest that you look in the maillog file to find out what
> > > program is answering the connection.
> > > 
> > > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29:
> Brilliant! I had a loop with haproxy that pointed it back at my mail server! 
> 
> Now, how do I get postfix to send failures etc to my server? It
> seems they just disappear into the ether!

Look in your logs: https://www.postfix.org/DEBUG_README.html#logging

If you don't understand an error or warning message, report the
problem on the postfix-users mailing list.

Wietse

> Sent with Proton Mail secure email.
> 
> On Thursday, May 30th, 2024 at 12:50 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> > Mailman29 via Postfix-users:
> > 
> > > HI guys.
> > > I'm having an awful time getting postfix to work in one form only.
> > > Accept mail from one ip address only, regardless of the sender's
> > > domain name, and send it out to the recipients. Postfix has no
> > > accounts, and accepts no incoming mail. It's only for sending from
> > > my local server.
> > > 
> > > Here's my main.cf, as you can see I have it set up to accept mail
> > > from my IP address only, but every time I try to send mail through
> > > it I get the error : (somedomain.com is placeholder for my FQDN)
> > > 
> > > --> EHLO mail!
> > > <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
> > 
> > 
> > THAT IS NOT Postfix. You can tweak settings and it will have no effect,
> > because you are not talking to Postfix.
> > 
> > I suggest that you look in the maillog file to find out what
> > program is answering the connection.
> > 
> > Wietse


[pfx] Re: Frustrated and sad - Authentication required

2024-05-30 Thread Wietse Venema via Postfix-users
Mailman29 via Postfix-users:
> HI guys.
> I'm having an awful time getting postfix to work in one form only.
> Accept mail from one ip address only, regardless of the sender's
> domain name, and send it out to the recipients. Postfix has no
> accounts, and accepts no incoming mail. It's only for sending from
> my local server.
> 
> Here's my main.cf, as you can see I have it set up to accept mail
> from my IP address only, but every time I try to send mail through
> it I get the error : (somedomain.com is placeholder for my FQDN)
> 
> --> EHLO mail!
>   <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you

THAT IS NOT Postfix. You can tweak settings and it will have no effect,
because you are not talking to Postfix.

I suggest that you look in the maillog file to find out what
program is answering the connection.

Wietse


[pfx] Frustrated and sad - Authentication required

2024-05-30 Thread Mailman29 via Postfix-users
HI guys.
I'm having an awful time getting postfix to work in one form only. Accept mail 
from one ip address only, regardless of the sender's domain name, and send it 
out to the recipients. Postfix has no accounts, and accepts no incoming mail. 
It's only for sending from my local server.

Here's my main.cf, as you can see I have it set up to accept mail from my IP 
address only, but every time I try to send mail through it I get the error : 
(somedomain.com is placeholder for my FQDN)

--> EHLO mail!
  <-- 250-relay.somedomain.com Hello mail [IPaddress], pleased to meet you
  <-- 250-ETRN
  <-- 250-AUTH LOGIN CRAM-MD5 PLAIN
  <-- 250-8BITMIME
  <-- 250-ENHANCEDSTATUSCODES
  <-- 250-PIPELINING
  <-- 250-CHUNKING
  <-- 250-REQUIRETLS
  <-- 250 SIZE
  --> MAIL From: SIZE=1698
  --> RCPT To:somemail...@gmail.com
  --> DATA
  <-- 530 5.7.0 Authentication required
  --> QUIT

Main.cf:
#See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
maximal_queue_lifetime = 1d
delay_warning_time = 0h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_tls_security_level=may
#smtpd_tls_security_level=encrypt

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
myhostname = mail2
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.$mydomain, localhost, mail2.somedomain.com
relayhost =
mynetworks = 127.0.0.0/8 myipaddress/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
default_destination_concurrency_limit = 1
#transport_maps = hash:/etc/postfix/transport.map

Sorry for the text dump, but I'm so frustrated here. Any ideas are appreciated.

