Re: Outlook TLS errors after Microsoft Windows Update

2022-10-17 Thread Nick Tait
La da da da... Original message From: Phil Stracchino Date: 18/10/22 9:51 AM (GMT+12:00) To: postfix-users@postfix.org Subject: Re: Outlook TLS errors after Microsoft Windows Update On 10/17/22 16:08, Jaroslaw Rafa wrote:> Dnia 17.10.2022 o godz. 20:35:11 Gerald Galster

Re: submission configuration and RFC 6409

2022-10-12 Thread Nick Tait
On 13/10/2022 8:04 am, Geert Hendrickx wrote: The HISTORY file says it is: 20041014-23 Postfix still appends $@myorigin or .$mydomain to headers from the Postfix sendmail command, or from clients listed with the new local_header_rewrite_clients parameter (default:

submission configuration and RFC 6409

2022-10-12 Thread Nick Tait
Hi list. A couple of months ago an email I sent from my phone was bounced by the recipient's SMTP server because the email had no Message-ID header. It turns out the email app that I've been using on my phone for years doesn't generate a Message-ID, but this was the first time that this had

Re: no shared cipher revisited

2022-10-04 Thread Nick Tait
On 2/10/2022 10:51 pm, Matus UHLAR - fantomas wrote: yes, Let's Encrypt clients generate 4096 keys by default, which is silly because intermediate R3 certificate is only 2048-bit. I configure let's encrypt clients to create 2048 keys. AFAICT Certbot still uses 2048-bit keys by default.

Re: Catch-all that pipes to script

2022-06-24 Thread Nick Tait
On 25/06/22 11:17, Luc GMail wrote: echo 'mailbot unix - n n - 50 pipe' >> master.cf echo 'flags=R user=dropbox argv=/etc/postfix/script.sh -o SENDER=${sender} -m USER=${user} EXTENSION=${extension}' >> master.cf Hi Luc. I think you need some whitespace

Re: smtpd_recipient_restrictions usage question.

2022-06-24 Thread Nick Tait
On 25/06/22 10:50, Gary Smith wrote: Would it be better to add IPs to an access hash list and use check_recipient_a_access so we can update it when we need to on the fly?  If so can I add subnets (10.20.30.0/24) or just single IPs?  I’m

Re: Mail looping issue

2022-05-22 Thread Nick Tait
On 22/05/22 17:42, Jeremy Hansen wrote: So what am I breaking by not having localhost defined in mynetworks.  I tested typical mail and it still delivers…. Hmm. Hi Jeremy. Removing localhost from mynetworks means that if any local process sent emails through this MTA using SMTP to 127.x.x.x,

Re: Mail looping issue

2022-05-21 Thread Nick Tait
On 21/05/22 19:09, Jeremy Hansen wrote: Two MTAs, one is running Ciphermail.  The ciphermail host relays mail to the “permanent home” MTA where mail gets delivered to users and dovecot runs for retrieval of mail.  The hosts are internal only hosts.  SSH port forwarding is being used to

Re: milter_header_checks, pcre, chroot

2022-03-22 Thread Nick Tait
On 19/03/22 01:46, Jesper Dybdal wrote: However, opendmarc milter requires those Authentication-Results headers for SPF and DKIM to be already present.  so you need spf/dkim milter(s) before opendmarc. I use Amavis to generate and verify DKIM signatures, and policyd-spf-python to perform SPF

Re: SASL hacking ?

2022-02-22 Thread Nick Tait
On 20/02/22 05:35, Bill Cole wrote: We have listed all IPs. We can use a FW rule, but its heavy and hard to manage. A Postfix list may be easier. On Linux, using ipsets instead of putting IPs directly in rules helps a lot with managing large lists. Fail2ban can do its work via ipsets. An

Re: Adding a header on incoming mail, unintended consequences?

2022-02-13 Thread Nick Tait
On 14/02/22 15:27, John Levine wrote: It appears that joea- lists said: So, back to my pondering. If I were, via some means, to add "Reply-To: The-right-list" this should solve the problem described above. However my "email foo (as distinct from "email fu" stops well short of knowing what

Re: Advanced content filter with Unix sockets

2022-02-05 Thread Nick Tait
On 31/01/22 07:36, Wietse Venema wrote: Viktor Dukhovni: So I was wondering whether the directory currently named "public" should remain (permission-wise) protected, with the new (permission-wise) unprotected directly named something else? It could become mode 755, with dedicated per-app

Re: Getting Delivered-To when using LDAP?

2021-11-14 Thread Nick Tait
On 12/11/21 00:46, Wietse Venema wrote: Jorgen Lundman: I suppose there is probably nothing I can do about it? http://www.postfix.org/postconf.5.html#prepend_delivered_header currently implements (and detects loops) with delivery to "|command", /file/name, or !$HOME/.forward. Doing this also

Re: Conditional milter_header_checks?

2021-07-15 Thread Nick Tait
On 15/07/21 1:07 am, Bill Cole wrote: If you want to post to discussion mailing lists, you should either use a From address in a domain without any DMARC record or publish one with a p=none policy and sign your messages with DKIM, even though they are likely to be broken by the mailing list.

Re: Looking for examples of separated MTA / MDA pairs

2021-06-10 Thread Nick Tait
On 10/06/21 1:11 am, Dan White wrote: I am trying to rebuild a very old and very neglected set of mail servers. The basic design has a mail relay (MTA) “out front” for incoming traffic (SMTP, I think) If the incoming message gets past amazes, spam assassin and clamp, it is then sent to

Re: Want to configure domain localhost to support root

2021-04-29 Thread Nick Tait
On 27/04/21 3:38 am, Michael White wrote: So updating mailer.conf got rid of sendmail.  So now I need to move to the next step which is to understand what the resulting messages are telling me: Apr 26 11:22:57 white-home postfix/pickup[23008]: DE94263846: uid=1002 from= Apr 26 11:22:57

Re: Milters and policy

2021-04-23 Thread Nick Tait
On 3/04/21 3:14 pm, Simon Wilson wrote: Pypolicyd-spf then tags what has driven the result for later use: E.g. Apr  3 11:19:23 emp87 policyd-spf[1336326]: prepend Authentication-Results: mail.simonandkate.net; spf=pass (mailfrom) Apr  2 12:32:51 emp87 policyd-spf[1255235]: prepend

Re: Certificate Postfix.org missing?

2021-04-21 Thread Nick Tait
On 22/04/2021 10:32 am, Gary Smith wrote: -Original Message- From: owner-postfix-us...@postfix.org On Behalf Of Viktor Dukhovni Sent: Wednesday, April 21, 2021 3:02 PM To: Postfix users Subject: Re: Certificate Postfix.org missing? On Apr 21, 2021, at 4:34 PM, Gary Smith wrote:

Re: connect then disconnect; backscatter?

2021-04-18 Thread Nick Tait
On 18/04/21 7:32 pm, li...@lazygranch.com wrote: And so it goes. I suppose if this really bugs me I can block the server in firewalld. I've yet to see it actually deliver mail. Or complain to the data center. https://serveroffer.lt Firewalling is definitely the best solution to the problem

RE: Problem with starttls / orange.fr

2021-03-29 Thread Nick Tait
Original message > smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2 You have several issues in the line above. I suggest removing this line and using the default setting? Nick.

Re: Milter Behavior

2021-03-11 Thread Nick Tait
On 11/03/21 11:37 am, Dan Mahoney wrote: This fix has been merged to the opendmarc “Develop” branch as of a few minutes ago and will likely be in a 1.4.1 that comes out in the next few weeks, and will default to *not* quarantining the mail. The option will be called HoldQuarantinedMessages

Re: ways to process HOLD queue

2021-02-24 Thread Nick Tait
On 24/02/21 11:47 am, Joe Acquisto-j4 wrote: Added Virus scanning to a SOHO setup. clamav-milter is directing (?) "infected" mail to postfix HOLD queue. Perhaps rather than having clamav-milter put the message on hold, it might be possible to have clamav-milter simply flag the message (by

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/21 7:12 pm, Bill Cole wrote: Mail transport often involves MTAs not under the control of the original sender or ultimate recipient or the authorities for the sender's domain. Traditional forwarding (e.g. ~/.forward) still exists and many systems supporting it run Sendmail, which will

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/21 6:57 pm, Bob Proulx wrote: Nick Tait wrote: Nick Tait wrote: Perhaps the advice should be: If you are using Sendmail, then (a) you shouldn't publish a DMARC policy and (b) you shouldn't reject emails based on failed DMARC check; but if you aren't using Sendmail then as long as you

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/2021 5:49 pm, Nick Tait wrote: Perhaps the advice should be: If you are using Sendmail, then (a) you shouldn't publish a DMARC policy and (b) you shouldn't reject emails based on failed DMARC check; but if you aren't using Sendmail then as long as you don't mind rejecting emails from

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/2021 8:50 am, Bill Cole wrote: On 11 Feb 2021, at 10:25, Benny Pedersen wrote: On 2021-02-11 15:12, Bill Cole wrote: On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote: Is it safe enough nowadays to drop dmarc failed incoming mail with opendmarc? No. It very likely never will be,

Re: Cloud9.net related responses

2021-02-11 Thread Nick Tait
On 12/02/2021 7:09 am, Jos Chrispijn wrote: Hi team, can it be that responses in this mailing list are also sent by cloud9.net instead of only postfix.org? Just asking to prevent contamination by importing parallel newsgroup source. All mail that I receive from this mailing list is relayed to

Re: Catch a forged Return Path

2021-02-06 Thread Nick Tait
On 6/02/21 2:23 am, Matus UHLAR - fantomas wrote: while I support using postscreen, I'm not sure it would be able to catch backscatter, because backscatter often comes from servers who properly follow SMTP RFCs. The question here is whether this is really backscatter, or just spam taking

Re: AW: Controlling MS Azure Cloud Spam

2020-12-29 Thread Nick Tait
On 30/12/2020 2:38 am, ludic...@gmail.com wrote: @Nick A check for a valid FQDN in From is in smtpd_sender_restrictions. At the point where it got to bounce message, SPF was skipped. Would OpenDMARC then still work? The smtpd_sender_restrictions that you specify are applied to the

Re: Controlling MS Azure Cloud Spam

2020-12-27 Thread Nick Tait
Hi Ludi. One option might be to add OpenDMARC to your implementation? The reason for mentioning this is because in addition to checking DMARC policies, OpenDMARC also has an option to reject any message that doesn't have the mandatory headers according to RFC 5322: /RequiredHeaders

Re: Can a more useful bounce message be provided - correction

2020-11-15 Thread Nick Tait
On 14/11/20 7:30 am, Phil Stracchino wrote: I think what the OP is asking here is, can Yahoo/Oath be compelled to provide a more useful failure message relaying the informative response provided by OP's Postfix instance. And the answer to that, unfortunately, is no. But by the look of things

Re: Limiting HELO spoofing in Postfix?

2020-10-23 Thread Nick Tait
On 23/10/20 6:26 pm, Nick Tait wrote: In summary, you'd want to create a script in a language of your choice, which in the simplest case does this: 1. Reads in lines until a blank line. 2. Then sees if the lines that it read included the line "client_address=127.0.0.1". 3.

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Nick Tait
On 23/10/20 2:26 pm, Bob Proulx wrote: The tragicomical thing is that Gmail does follow policy and when the policy of the sending site is strict DMARC and the mailing list does not rewrite then Gmail subscribers to mailing lists will get automatically unsubscribed when/if the bounce ratio

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Nick Tait
On 22/10/20 6:13 am, PGNet Dev wrote: Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records, (1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the specific intuit.com case above, that

Re: Forward mail and obey SPF and DKIM

2020-10-22 Thread Nick Tait
On 18/10/20 7:10 am, IL Ka wrote: Thank you all. This is how I fixed it (after Bill Cole's email): I needed to substitute envelope (MAIL FROM:) to match my address, but the message (along with it's headers) shouldn't be touched. sender_canonical_classes = envelope_sender  # Only change

Re: Limiting HELO spoofing in Postfix?

2020-10-22 Thread Nick Tait
On 22/10/20 7:24 am, Rich Wales wrote: I would still like to figure out a way, btw, to catch locally generated spam of this sort in Postfix. I've already asked here about rejecting HELO/EHLO when the client is localhost but the HELO/EHLO host is not localhost -- I still think this would make

Re: Accessing the sending user from a canonical(5) table

2020-10-22 Thread Nick Tait
On 18/10/20 11:54 am, Demi M. Obenour wrote: To elaborate, my understanding is that site.net should use MAIL FROM:, but leave the body unchanged. domain.com will then accept the message, as it is from an IP in site.net's SPF record, and DKIM ignores the envelope. Demi Don't forget that in

Re: How to allow relaying per domain?

2020-09-27 Thread Nick Tait
Hi Hans. I'm not sure if there is an easier way, but one way to achieve this is with a restriction class per server. (BTW I don't know much about LDAP so the example below is based on files...) main.cf: indexed = ${default_database_type}:${config_directory}/

Re: Forward mail and obey SPF and DKIM

2020-09-16 Thread Nick Tait
> Thank you. > I see "SPF: SOFTFAIL" in my gmail message. > > Authentication results: > spf=softfail (google.com : domain of transitioning some_user@sender_domain does not designate MY_IP_ADDR as permitted sender) > > While the message is not blocked, it is still not good to

Re: Unable to receive emails from btinternet.com

2020-06-19 Thread Nick Tait
On 19/06/20 8:28 pm, @lbutlr wrote: On 19 Jun 2020, at 02:18, Nick Tait wrote: 1. My server was using the default MTU of 1500 bytes. 2. My connection to my ISP uses PPPoE, which adds an 8-byte header onto all packets travelling between my home to my ISP, effectively reducing the maximum

Re: Unable to receive emails from btinternet.com

2020-06-19 Thread Nick Tait
Hi David. I think I can guess what your problem is, because I had exactly the same symptom with a different bulk email provider... Basically this sounds like an MTU issue: The SMTP client (mailomta12-sa.btinternet.com[213.120.69.18] in your case) is able to establish the TCP connection to