tfix is not just the best software today but it has been the best
software for the last quarter century!
Bob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
Internet connectivity. If having multiple MX
relays causes problems or confusion then reducing to exactly one where
everything is simplified should be sufficient for all but the largest
of email handling sites.
Spammers often target lower priority MX relays with the expectation
that they will b
xes between two sites that does
not use mail forwarding. Such as offlineimap3, isync, maildirsync,
and other such utilities. It's a different way to do things.
Bob
not allowing them to make poor choices.
> Oh, actually majordomo.pl shouldn't work in perl5 since 5.10.
> It uses $* which was removed then (2007). That's weird. It
> was still working for me in 2015.
Only a few changes are needed for perl 5.10. Needed since 2008 or so!
https://www.mail-archive.com/misc@openbsd.org/msg69481.html
Bob
h is self-consistent upon fresh
installation. Something is needed so something locally consistent was
chosen. Suitable only for local mail delivery. It is expected for
this to be re-configured appropriately for any network connected
hosts.
Bob
pecify the correct
> envelope sender address:
>
> /usr/bin/sendmail -f yom...@example.com recipient
WDYT about using a canonical table to map www-d...@example.com to
desi...@example.com? Then no Reply-To would be needed since the From:
address would be correct.
For the OP:
http://www.postfix.org/ADDRESS_REWRITING_README.html#canonical
Bob
is required to be
fully active and tuned up or your reputation for spam will suffer due
to the passing through of it. I am using combined arms tactics with a
combination of CRM114 and SpamAssassin and find the result good.
Bob
y a problem now since it is really only @gmail.com addresses
specifically that run into this problem. Because of the prevalence of
exactly that one address to be a problem. And that is handled by the
scheme as described. So no burdensome problem to solve at this
moment.
Thanks for the help! :-)
Bob
Jaroslaw Rafa wrote:
> Dnia 15.06.2022 o godz. 22:00:45 Bob Proulx pisze:
> > It is interesting that mail to domains hosted at google that are not
> > @gmail.com but other named domains delivered okay. Google accepted
> > the exact same message to them fine.
>
>
. Having moved them to the right place as instructed I now see
them being transported to Google at the slow turtle rate.
And most important Google is now accepting the messages. The three
messages that Google has not been accepting since Monday have now been
accepted using the newly defined slow transport.
Thanks! :-)
Bob
up so that it will use the new
transport rather than the previous?
postsuper -r ALL # no effect
I tried the above but obviously that did not cause Postfix to
reprocess the message and then use the new transport. Is there a way
to have Postfix reprocess to use the new transport rules?
Thanks!
Bob
stfix.org:
And therefore I answered with a procmail specific hint. :-)
Bob
Daniel Azuelos wrote:
> I just found an email incorrectly filtered by my .procmailrc,
> because the To: wasn't postfix-users@postfix.org:
...
> To: postfix-us...@cloud9.net
Instead of filtering on the To the better idea is to use the standard
mail headers that the mailing list adds to the
enamehere
The POSIX standard mailx program will format the mail headers
correctly and then pass the message on to /usr/sbin/sendmail for
transport and delivery.
Bob
It would be a way to delegate configuration responsibility for them.
It could then relay the mail on to the main mail relay as you prefer.
That could even be a long haul across the Internet WAN using TLS with
certificates and everything.
Bob
test. But I would not expect to
see any significant problem.
Just do it!
Bob
fer without DKIM between those two coordinating sites.
SMTP is not designed to transfer large files such as this. It's not.
Much better to use a protocol designed for transferring large files.
Perhaps use email for notifications of and about the transfer only.
Bob
a way to detect that
the network attached block storage has been offline too long and that
the system when recovered from that needs to be rebooted.
Bob
Wietse Venema wrote:
> Postfix was only the messenger of bad news. It does not
> spontaneously self-destruct.
I have always found Postfix to be extremely reliable and robust.
Which was why this happening on two different systems was such an oddity.
Bob
stfix.
Good ideas though. Thank you for brainstorming along with me.
Bob
Wietse Venema wrote:
> Bob Proulx:
> > Any ideas on why postfix would not be running after such an event on
> > two of the systems but okay on the others?
>
> LOGS. Postfix logs a sh*load, including processes that fail to
> start. If the systems were unable to recor
such an event on
two of the systems but okay on the others?
Bob
I am abbreviating everything because it was too large for the mailing
list on the first sending of this message. :-)
Here is one of the config files for the two where postfix was found
not running. I'll put the long details below
ro package init scripts copy resolv.conf into the
chroot. Prevent that and apply your own setting.
Bob
Viktor Dukhovni wrote:
> Bob Proulx wrote:
> > I am helping a friend with his system. As such things are not as I
> > would set them up. But just the same I can't figure out this
> > problem. So I come here seeking a second set of eyes on it. What is
> > the proble
sion of the file and
there have been no local changes. Confirmed by etckeeper.
So what am I missing that I will be astonished I did not see myself?
Thanks! :-)
Bob
things is off topic here
for Postfix I will just toss this in and then back away hoping not to
annoy the core group here too much with discussion not postfix
related.
Bob
r postfix running inside of a container with a different /tmp
than the one outside the container?
All appearances are that it is writing to /tmp/somefile and if it is
not there later then either it is getting removed or it is a different
/tmp.
Bob
the message went. It did not disappear. It was
delivered. And in your log your messages were the same. Those
messages were relayed as described by Bill in his response. I just
wanted to say that swaks is much easier and less error prone for
injecting test message probes than typing the protocol transaction in
manually from the keyboard.
Bob
sZ
I had completely forgotten about the possibility of json output.
That's just generally good to know for programmatic use.
Thanks!
Bob
istently using local
time, US/Mountain here, if asked. (I should be using UTC.) Nothing
is setting TZ anywhere. However maybe something has crept in
inadvertently. I now have something to look for.
Thanks!
Bob
and
sometimes the other way?
Yes I am on an older version of Postfix 3.1.15 on an older system that
I am behind on updating. But I wouldn't expect this part of the code
path to have changed recently.
Thanks!
Bob
P.S. Normally I am a UTC or GTFO for servers too. That avoids all of
these types
ect) before testing the change
would be good learning. I could probably avoid reloads entirely for
table updates moving forward in this case. And then only reload for
main.cf and master.cf file updates.
Thanks!
Bob
obably iptables.
+1. I agree. If you want something like tcpwrappers but completely
global then using the kernel firewall is a global solution that works
for *everything* on the machine.
Bob
on why the current features are not
working for you.
Bob
d not use the To: or Cc: for that filtering. The best
and expected header to use is the List-Id: header. That's the
standard mailing list header. See RFC2929.
RFC 2929 https://tools.ietf.org/html/rfc2919
All mail through this mailing list sets this header.
List-Id: Postfix users
Bob
P.S. It's
it out to
other users. Therefore the best DMARC policy for me is "none". And I
publish it so that sites like Google that score based upon the
presence or absence of a DMARC policy will not score me with demerits
for the absence of a DMARC policy.
Bob
ome annoying rate. I choose to avoid
failures like this. It's simple enough to avoid the problem in this
case.
Bob
lse positives. But as
part of a larger scoring system it can add to the filter analysis.
Bob
r Best Practice is to
set up SPF, DKIM, DMARC for your own outgoing mail and other
anti-abuse for incoming mail.
Bob
a systemd module too. (Isn't there always yet
another systemd rewrite that does things almost correctly but subtly
buggy?) libnss_myhostname is a plugin module for the NSS Name Service
Switch part of libc and modifies the value returned by gethostname(2).
It's really quite a messy topic!
I myself set myhostname to the FQDN in main.cf and main.cf is
customized on every host. I recommend a system configuration
infrastructure as that will generally be useful. I wrote my own but
the popular ones are puppet, chef, salt, ansible, others...
Bob
ral security of the system with the security
of the web UI. Really no difference there. But it removes the need
to edit the cf files.
Let me gently suggest looking into holding the things you need to
change in database tables. And then interfacing with those with your
web UI. Then... Profit! :-)
Bob
drop back to
the default as part of the cleanup back to the mainstream.
Bob
number
of retries of other things.
Note that while Postfix has retries on fork() failures almost nothing
else on the system does that. Which means that if it is in a state
where fork() is failing then many other random things on the system
will also be failing as they will be unprotected.
Bob
us as to the need for this management
interface. Setting up the Apache, PHP-FPM, Laravel, and associated
web management framework, and sudo, on the system natively would be
more complex than setting up Postfix natively.
Bob
> by this script user?
Extra files and extra directories in /etc/postfix won't be a problem
for the running of Postfix if the names do not collide with names that
are used by Postfix.
Bob
.goog
2001:4860:4802:32::97 mx1.smtp.goog
Bob
u? I expect it will be the same as
myhostname if that is a FQDN. And if not a FQDN then I think it
should be. And if so then I think it would be good to include
$myhostname in mydestination.
mydestination = $myhostname localhost.$mydomain localhost $mydomain
Bob
ntains:
> root: owner_d1
>
> and the file /etc/postfix/virtualusers contains:
>
> a...@d1.tld d1_a
> b...@d1.tld d1_b
> @d1.tld owner_d1
> @d2.tld owner_d2
Viktor Dukhovni wrote:
> Bob Proulx wrote:
> > I don't see anything wrong as such with
ppen after virtual mapping. Don't
quote me on that but I could see generic mapping causing confusion in
this path.
Hopefully you will get something different along the way and that will
provide a clue. Good luck!
Bob
My best guess is that your chroot does not have a working resolv.conf file.
Bob
, 2021, 5:40:51 PM PST, Viktor Dukhovni
wrote:
On Tue, Jan 12, 2021 at 01:10:56AM +, Bob Jones wrote:
> Our mail server (kolab 16 with postfix) has gone into a loop of some
> kind leading to constant retrying of bounced emails.
Your master.cf file is botched, listing an invalid defi
Our mail server (kolab 16 with postfix) has gone into a loop of some kind
leading to constant retrying of bounced emails.
Here is a segment of what I see in the maillog:
Jan 12 00:36:14 mail postfix/discard[3091]: warning: unexpected attribute
nrequest from bounce socket (expecting:
@lbutlr wrote:
> Bob Proulx wrote:
> > But so many people use Gmail these days that they have gotten used to
> > the way Gmail does things. And Gmail de-duplicates and saves the
> > first message with any particular message-id that arrives. And then
> > displays
e-id. That is one message with multiple recipients. If they
> were separate messages, they would have unique message-id headers.
That is not accurate. A single message to multiple recipients will
have one Message-Id. If you receive it by being the target of some of
those multiple recipients then you will receive multiple copies of the
message and all of the copies will have the same Message-Id.
Bob
pics. Gmail has one mailbox for
everything and multiple tags are possible on each message and only
displays the current display tag view of the mailbox. And since it is
one mailbox it de-duplicates by only showing the first message-id.
And people have gotten used to that paradigm. But it does cause some
odd behavior when dealing with mailing lists.
Bob
When the
primary came back online everything started working normally again.
Redundancy was configured but incorrectly for only 1 hour.
In all of these cases it was desirable for the mail in transit to
simply queue and retry later. In all of these cases mail delivered at
a later retry when things became functional and working again.
Bob
owever do not interpret this as me having any love for Mailman in any
way. I don't. It annoys me. But for this in particular it's not one
of the problems I don't like about Mailman.
Bob
e chroot jail so that it would accept that misspelling. Then
remove it after it had been delivered.
Bob
ill even write in to the list
admins asking that question. Yes these are actual events.
I think the best compromise is that mailing lists must rewrite the
headers when handling mail from sites with a strict DMARC policy.
Although there are others that have disagreed and wished their email
to be discarded rather than modified in any way.
Bob
ARC policy is why we are often
seeing "... via ..." in the From: addresses and the address rewritten
now when it is coming from a site that has set a strict DMARC policy.
Strict DMARC policy is suitable for banks and other direct mailing use
wishing higher security but is not suitable for a user's general email
where they want to send mail to mailing lists and have other
interactions with the community.
Bob
ent of running either Postfix or Apache servicing other names.
They are in many ways mostly unrelated. However Postfix will need to
have some of its own configuration such as $myhostname set properly.
Bob
nvestigation before an analysis
could be made however. Because for example they might be simply a
normal http redirection from http to https. Or similar. So they all
might turn out to be perfectly normal. You would have to look and
see.
Bob
@lbutlr wrote:
> Bob Proulx wrote:
> > Since 199.5.50.180 does not appear in the allowance for the SPF
> > records that I can see
>
> dig -x 199.5.50.180 +short
> br2.vw.com.
>
> VW does own Audi, so... mystery deepens?
That's simply the reverse DNS PTR record.
Bob Proulx wrote:
> The default PHP "mail()" method sends mail by using the system's
> /usr/sbin/sendmail interface rather than SMTP.
>
> https://www.php.net/manual/en/mail.requirements.php
> https://www.php.net/manual/en/function.mail.php
Oh! It depends
https://www.php.net/manual/en/mail.requirements.php
https://www.php.net/manual/en/function.mail.php
Bob
problems making it very
likely a spammer as the most simple explanation. Or simply very deeply
misconfigured if not.
Bob
m sure there are other alternatives too.
Bob
status=0/SUCCESS)
Main PID: 17680 (code=exited, status=0/SUCCESS)
Oct 13 14:31:15 madness systemd[1]: Starting Postfix Mail Transport Agent...
Oct 13 14:31:15 madness systemd[1]: Started Postfix Mail Transport Agent.
Again this is simply an example that I created to show the type of
thing that might be seen as an error in the log file.
What's in your log file?
Good luck! :-)
Bob
ostfix.service
systemctl start postfix.service
systemctl status postfix.service
Note that in the systemd architecture systemctl isn't the process that
does the starting. It simply sends a message to the running systemd.
Therefore it never reports on the status of any action. One must
always remember to follow any action with a status request in order to
know the success or failure of the previous action.
Bob
issue and just couldn't wrap my head around
> > > what was wrong, this solved things quite nicely.
>
> If you have different needs you should look into the links sent by Bob
> earlier in this thread, there's quite a number of possible policies
> available.
Here is an old
a lot more there for
blocking spam and other things. You should understand it before using
it and adjust it as needed for your environment.
Bob
Viktor Dukhovni wrote:
> Bob Proulx wrote:
> > > > ... http://postmaster.comcast.net/smtp-error-codes.php#RL01 (in
> > > > reply to MAIL FROM command))
> > >
> > > Look carefully at the log entry. The "421" is sent in response to "
Bastian Blank wrote:
> Bob Proulx wrote:
> > What's the best configuration for a web server that does not receive
> > mail but needs to send mail?
>
> Send only does not exist. Every e-mail can produce bounces, which are
> sent to the sender of the original e-mail
Viktor Dukhovni wrote:
> Bob Proulx wrote:
> > ... http://postmaster.comcast.net/smtp-error-codes.php#RL01 (in reply
> > to MAIL FROM command))
>
> Look carefully at the log entry. The "421" is sent in response to "MAIL
> FROM", not "RCPT TO
Kris Deugau wrote:
> Bob Proulx wrote:
> > The problem is *other* sites. I am starting to get a trickle of
> > complaints from people who are not receiving password reset emails.
> > And the problem seems to be other sites that are requiring that
> > senders ha
one connection at a time, with one recipient per
message at a time, and then a small delay between sending of messages.
Does that seem about right?
Bob
Doug Hardie wrote:
> Bob Proulx wrote:
> > Sigh. I was hoping to be able to avoid this. But both of the
> > responses were basically, set up something to handle incoming mail.
>
> Check and see if DMA, Dragonfly mail agent, is available for your
> machine. It is a ve
Viktor Dukhovni wrote:
> On Wed, Sep 16, 2020 at 04:39:12PM -0600, Bob Proulx wrote:
> > What's the best configuration for a web server that does not receive
> > mail but needs to send mail?
>
> Send via a smarthost relay. Use a valid envelope sender domai
John Stoffel wrote:
> Bob> What's the best configuration for a web server that does not
> Bob> receive mail but needs to send mail? Password resets. Bug
> Bob> ticket update notifications. That type of email.
>
> I would push all the email to the mailserver for the dom
verification?
I am lost at sea thinking of this possible requirement for hosts that
do sender address verification types of things. I would appreciate
any wisdom that might be shared here with regards to a strategy for
this type of web site system.
Thanks!
Bob
would be this one. Which on my system is
updated when the service script starts postfix.
/var/spool/postfix/etc/resolv.conf
Bob
ail I would need to
look at the message headers (Show original message...) in the mailer.
That would show me the Received: and Message-id: headers and I would
use that to identify the system.
Hope this helps!
Bob
nue
since it would have been due to this other configuration anyway.
The answer is almost certainly in the mail logs. What do they say?
Look in /var/log/maillog and /var/log/messages files. Potentially use
journalctl to dump out the systemd logs. Look with 'mailq' to see
what is still in the queue.
Bob
a long time. It's now part of the status quo there. Changing that
would be very disruptive. I understand that completely. It's a
problem. A problem without any good solutions. I can only suggest
that you be aware that it is "thin ice" and keep looking for a
solution. Along with the rest of us.
Bob
is
not a free service however and you would need to pay Google for it.
Bob
n Postfix is started the networking is not
yet available.
The problem as described seems not to involve Postfix so much as the
init system that is starting daemons needing the network without
waiting for the network to finish initializing.
Bob
ail-relay/
And this one is in the www.postfix.org/docs.html page.
http://souptonuts.sourceforge.net/postfix_tutorial.html
Bob
relayhost = smtp.proulx.com:587
And so it is possible to use that Debian specific installation
option. Any more details here should be on a Debian specific mailing
list.
However personally I always simply choose Internet Site and then
configure everything I want on top of that template. It's a good
default to start from but I always want more specific customizations
on top of it.
Bob
are made that the more possibilities for unexpected bad
combinations resulting in an "impossible" result.
Thanks for sharing that story case. It was interesting reading! It
motivates me to try extra hard to stay on the main path now. :-)
Bob
ning: /etc/postfix/main.cf: unused parameter:
policy-spf_time_limit=3600s
What more can I look for? I really want to help this user, and it is baffling
me why I can't see Postfix trying to deliver the email.
Bob
few if any significant reasons to want to send or receive over
> IPv6. If one has a working IPv4-only mail system, adding IPv6 is pure work
> for no discernible benefit.
How are working and available IPv6 DNSBLs progressing? That's a
critical component which I would love to hear is no longer a missing
component.
Bob
sn't the SpamAssassin users list I
will simply suggest gently that something is wrong with the milter
configuration for it interfacing to Postfix.
Bob
have a system that is an open relay and has been found by
spammers who are exploiting it. Spammers often use forged from
addresses. Which if so would explain why you are getting rejects from
those email providers.
Bob
ould accept the message. If not,
and here it is not a valid address, then it is rejected at SMTP time.
No bounce message is created.
Hope that helps clarify things.
Bob
Peter wrote:
> Bob Proulx wrote:
> >iptables -A OUTPUT -o 93.184.216.34 -m tcp --dport 25 -j ACCEPT
> >iptables -A OUTPUT -m tcp --dport 25 -j REJECT
> >
> > But replace 93.184.216.34 with the IP address of your VPN relay host.
> > I simply used an
5 then repeat those lines
with port 587.
BTW... +1 for Bastian's very simple and elegant suggestion. :-)
Bob
It's definitely a target for spam. Which must be repelled. As
spammers routinely target lower priority MX relays expecting to find
them less well maintained than the highest priority one.
Bob
example, this following would work only
when the VPN is up.
$ nc 172.16.10.101 25
220 mail.example.com ESMTP Postfix
If you can't connect and get a banner then Postfix can't connect and
get a banner.
Bob
Scott Kitterman wrote:
> On Monday, March 23, 2020 7:47:25 PM EDT Bob Proulx wrote:
But don't forget I also said:
> > I know you said you are running Fedora but I imagine that Fedora
> > has something like this but in a different place. Doesn't Fedora
> > have a /etc/sysc
have been vague about how I am port forwarding. I am using AutoSSH
from https://www.harding.motd.ca/autossh/ which is clever. But
probably not for everyone. OpenVPN is the most industrial strength.
'sshuttle' has interesting use cases too. I use the tool that fits
the best in each situation.