Re: Siteprotect.com and cp20.com dmarc/SPF fail

2020-07-27 Thread Wietse Venema
Ian Evans: > > So, your Postfix did send your message to cp20.com. > > > > cp20 forwarded it to some domain hosted at digitalhit.com. Because > > of the forwarding, the spf checks failed. > > > > cp20 also made some header and body modifications so that DKIM > > checks failed. > > Just to clarify

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 07:53:09PM -0400, Scott Hollenbeck wrote: > If you use them, you're going to need to do some scripting using the > Let's Encrypt renewal hooks and gcloud to update your TLSA record(s) > every time you renew your certificate(s). Viktor does some automated > checking that's

Re: Siteprotect.com and cp20.com dmarc/SPF fail

2020-07-27 Thread Ian Evans
On Mon, Jul 27, 2020, 6:59 PM Wietse Venema, wrote: > Ian Evans: > > Looking at the Postfix logs it appears the email was sent to the same ip > > address for cp20.com: > > > > Jul 27 15:14:22 carson postfix/smtp[13747]: 9323F20309D: to=<[some coded > > letters that probably translate to the

RE: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Scott Hollenbeck
> -Original Message- > From: owner-postfix-us...@postfix.org > On Behalf Of Antonio Leding > Sent: Monday, July 27, 2020 6:56 PM > To: postfix-users@postfix.org > Subject: Re: What is lost by using self-signed certs for TLS? > > Thanks Victor - actually watching some of the presos now… >

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 10:55:31PM +, Antonio Leding wrote: > Thanks Victor - actually watching some of the presos now… > > BTW…any choice you like for DNSSEC providers? Google seems like a safe bet > but I figured you might have some feedback on this as well… I self-host, so my direct

Re: Siteprotect.com and cp20.com dmarc/SPF fail

2020-07-27 Thread Wietse Venema
Ian Evans: > Looking at the Postfix logs it appears the email was sent to the same ip > address for cp20.com: > > Jul 27 15:14:22 carson postfix/smtp[13747]: 9323F20309D: to=<[some coded > letters that probably translate to the publicist email]@cp20.com>, relay= > mail.cp20.com[216.24.225.10]:25,

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Thanks Victor - actually watching some of the presos now… BTW…any choice you like for DNSSEC providers? Google seems like a safe bet but I figured you might have some feedback on this as well… > On Jul 27, 2020, at 3:36 PM, Viktor Dukhovni > wrote: > > On Mon, Jul 27, 2020 at 09:48:29PM

Re: Siteprotect.com and cp20.com dmarc/SPF fail

2020-07-27 Thread Ian Evans
On Mon, Jul 27, 2020, 5:32 PM Wietse Venema, wrote: > Ian Evans: > > I'm a reviewer and sent an email from my site responding to one of their > > coverage requests. > > > > A few minutes later, my postmaster acct received this message: > > > > A message claiming to be from you has failed the

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 09:48:29PM +, Antonio Leding wrote: > Again, great feedback…I am definitely diving into DANE now…may have > more questions but I will try to keep those to a minimum. https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources -- Viktor.

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Again, great feedback…I am definitely diving into DANE now…may have more questions but I will try to keep those to a minimum. Thanks again Victor - very much appreciated… > On Jul 27, 2020, at 2:44 PM, Viktor Dukhovni > wrote: > > On Mon, Jul 27, 2020 at 08:58:19PM +, Antonio Leding

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 08:58:19PM +, Antonio Leding wrote: > > You can of course use an LE cert, it does not do any obvious harm, > > unless you also do DANE, and neither freeze the key, nor handle TLSA > > updates correctly (in advance of cert deployment). > > So I’m gathering (a) not much

Re: Siteprotect.com and cp20.com dmarc/SPF fail

2020-07-27 Thread Wietse Venema
Ian Evans: > I'm a reviewer and sent an email from my site responding to one of their > coverage requests. > > A few minutes later, my postmaster acct received this message: > > A message claiming to be from you has failed the published DMARC > policy for your domain. > > Sender Domain:

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
> You can of course use an LE cert, it does not do any obvious harm, > unless you also do DANE, and neither freeze the key, nor handle TLSA > updates correctly (in advance of cert deployment). So I’m gathering (a) not much will be gained by using a public-A signed cert; and (b) the PROs of using

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 07:32:41PM +, Antonio Leding wrote: > I’ve always been dubious about the auth requirement by some (i.e. the > brain deads to which you refer) to allow TLS connections for > server-to-server communications. Without DANE or (weaker) MTA-STS, indeed X.509 authentication

Siteprotect.com and cp20.com dmarc/SPF fail

2020-07-27 Thread Ian Evans
I'm a reviewer and sent an email from my site responding to one of their coverage requests. A few minutes later, my postmaster acct received this message: A message claiming to be from you has failed the published DMARC policy for your domain. Sender Domain: digitalhit.com Sender IP Address:

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Hi Victor… Thanks so much for the feedback…very helpful… I’ve always been dubious about the auth requirement by some (i.e. the brain deads to which you refer) to allow TLS connections for server-to-server communications. My view is this — when my server sends outbound mail, do I really care

Re: Installing sendmail in non-default location

2020-07-27 Thread Larry Stone
> On Jul 27, 2020, at 1:18 PM, Viktor Dukhovni > wrote: > > >> make -f Makefile.init makefiles CCARGS='-DUSE_TLS -I/usr/local/ssl/include \ >> [...] >> -DDEF_SENDMAIL_PATH=\"/usr/local/sbin\"\ > > This is not correct, it lists the containing directory, rather than the > full path to the

Re: Installing sendmail in non-default location

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 01:12:41PM -0500, Larry Stone wrote: > Which leads to a new question. In working on this, I modified my “make > makefiles” to add a sendmail_path argument (which worked to change the > default value) and later as I worked through this, a > -DDEF_SENDMAIL_PATH to CCARGS. Do

Re: Installing sendmail in non-default location

2020-07-27 Thread Larry Stone
> On Jul 27, 2020, at 11:05 AM, Larry Stone wrote: > > I’m trying to figure out how to tell make {install | upgrade} to install > sendmail elsewhere? I tried sendmail_path=/usr/local/sbin as well as > -DDEF_SENDMAIL_PATH and while that changes the default value of > sendmail_path, it still

Installing sendmail in non-default location

2020-07-27 Thread Larry Stone
I’m trying to figure out how to tell make {install | upgrade} to install sendmail elsewhere? I tried sendmail_path=/usr/local/sbin as well as -DDEF_SENDMAIL_PATH and while that changes the default value of sendmail_path, it still installs in /usr/sbin. Background: last week, I finally

Re: smtpd_recipient_restrictions Failure?

2020-07-27 Thread Wietse Venema
Gerald Galster: > <> is valid by definition and does not depend on mynetworks, besides you're > right that most external bounces are spam. The initial question was why > reject_non_fqdn_sender did not apply. The envelope sender address <> must not be blocked by reject_non_fqdn_sender. It would

Re: smtpd_recipient_restrictions Failure?

2020-07-27 Thread Gerald Galster
>>> Thanks, Gerald. I also have this in my main.cf configuration file: >>> smtpd_sender_restrictions = >>> permit_mynetworks, >>> reject_non_fqdn_sender, >>> reject_unknown_sender_domain, >>> check_client_access cidr:/etc/postfix/blacklist_cidr, >>> permit >>>

Re: Sending failure messages in separate mailbox

2020-07-27 Thread Wietse Venema
Stephan Seitz: > Hello! > > If a user sends a mail and postfix can’t deliver it (user unknown, > mailbox quota, etc.), this user gets the error message. > > Is it possible to configure postfix in such a way, that these error > messages are going to a different mailbox? The SMTP standard

Re: [RFE] - Resolving of SRV records

2020-07-27 Thread Wietse Venema
Tomas Korbar: > Hi guys, > I would like to start a discussion about support for SRV records, mainly > record for submission service of a domain. > As is stated in [0], domain can publish dns record, which tells services > where the submission service of this domain is. > This could be used for

Re: smtpd_recipient_restrictions Failure?

2020-07-27 Thread Benny Pedersen
Gerald Galster skrev den 2020-07-27 14:40: Thanks, Gerald. I also have this in my main.cf configuration file: smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, check_client_access cidr:/etc/postfix/blacklist_cidr,

Re: smtpd_recipient_restrictions Failure?

2020-07-27 Thread Gerald Galster
> Thanks, Gerald. I also have this in my main.cf configuration file: > > smtpd_sender_restrictions = >permit_mynetworks, >reject_non_fqdn_sender, >reject_unknown_sender_domain, >check_client_access cidr:/etc/postfix/blacklist_cidr, >permit > > Shouldn't

RE: smtpd_recipient_restrictions Failure?

2020-07-27 Thread Scott Hollenbeck
> -Original Message- > From: owner-postfix-us...@postfix.org > On Behalf Of Gerald Galster > Sent: Monday, July 27, 2020 6:47 AM > To: Postfix users > Subject: Re: smtpd_recipient_restrictions Failure? > > > > Lately I've been getting email sent from one persistent spammer that's > >

Re: smtpd_recipient_restrictions Failure?

2020-07-27 Thread Gerald Galster
> Lately I've been getting email sent from one persistent spammer that's > somehow getting through my smtpd_recipient_restrictions filters. Here are > the message headers: > > Return-Path: [...] > From:=?UTF-8?B?RGVybWFDb3JyZWN0?= [...] > smtpd_recipient_restrictions = >

Sending failure messages in separate mailbox

2020-07-27 Thread Stephan Seitz
Hello! If a user sends a mail and postfix can’t deliver it (user unknown, mailbox quota, etc.), this user gets the error message. Is it possible to configure postfix in such a way, that these error messages are going to a different mailbox? Many greetings, Stephan -- |If your

[RFE] - Resolving of SRV records

2020-07-27 Thread Tomas Korbar
Hi guys, I would like to start a discussion about support for SRV records, mainly record for submission service of a domain. As is stated in [0], domain can publish dns record, which tells services where the submission service of this domain is. This could be used for auto configuration of