as failing
CAUTION: This email was sent from an external sender. Do not click links or
open attachments unless you recognize the sender and know the content is safe.
On 24.07.23 16:03, Gomes, Rich via Postfix-users wrote:
>Clarification below:
I see no clarification, just added disclaimer.
Clarification below:
From: Gomes, Rich via Postfix-users
Sent: Monday, July 24, 2023 11:27 AM
To: postfix-users@postfix.org
Subject: [pfx] messages passing DMARC are being rejected as failing
haven't
tried to engage with Gmail yet.
Has anyone see this specific behavior from Comcast and Gmail?
Thanks,
Rich
Rich Gomes | Aramark | Senior Systems Administrator | Messaging and
Collaboration Services
141 Longwater Drive
Norwell, MA 02061
P: 1 (781) 763
We have a requirement to sign outbound messages with DKIM keys. I have seen
discussions on this list for people using dkim-milter as well as opendkim.
dkim-milter hasn't been updated since 2009 while opendkim hasn't been updated
since 2015. dkimpy is more actively maintained but hasn't been updat
id and the From address?
Thanks in advance
Rich
Rich Gomes | Aramark | Senior Systems Administrator | Messaging and
Collaboration Services
141 Longwater Drive
Norwell, MA 02061
P: 1 (781) 763-4508
file?
On 8/5/2021 12:07 PM, Gomes, Rich wrote:
> Good day
>
> I have a newly built postfix server which is ignoring its transp
o)
mail_version = 2.6.6
New Server:
Red Hat Enterprise Linux Server release 7.9 (Maipo)
mail_version = 2.10.1
Could this be a versioning issue or do I need to look somewhere else?
Thanks,
Rich
chain forward {
    type filter hook forward priority 0; policy accept;
}
chain output {
    type filter hook output priority 0; policy accept;
}
}
Rich Wales
ri...@richw.org
't seem to
match the info I've been posting up till now about my server, that may
be why.
Rich Wales
ri...@richw.org
submission inet n - n - - smtpd -v
  -o smtpd_enforce_tls=yes
  -o soft_bounce=no
  -o cleanup_service_name=msa-cleanup
-
on to "drop". I'm still waiting to
see if I have any more instances of open relay attempts from localhost
after having made this change. If the earlier open relay attempts are
in fact somehow (still unsure how?) being generated as a consequence of
the blacklisted connection, then
Postfix configuration for what this might be worth.
Thanks for any thoughts.
Rich Wales
ri...@richw.org
kind of attack. As a
very last resort, I may consider wiping and rebuilding the system, but
I'm not willing to expend the time and energy to do that without first
having some reasonably specific evidence indicating exactly what has
happened.
Rich Wales
ri...@richw.org
r which this web site is supposed to
recognize and do anything with is a "page=" parameter. Everything else
on the command line / URL should be disregarded.
Rich Wales
ri...@richw.org
none around the dates of interest.
And I have still not seen any further instances of the hacker attack in
the last several days.
Rich Wales
ri...@richw.org
return code.
The HTTP 302 responses to "GET /nette.micro" requests appear, as best I
can tell, to have all been simple redirections from HTTP to HTTPS. The
corresponding HTTPS GET requests were all rejected with 404 codes.
Rich Wales
ri...@richw.org
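The check described in the message above (every plain-HTTP GET of the probed path answered with a 302 to HTTPS, every HTTPS retry answered with a 404), as an added example that is not code from the original post. The log lines are constructed for the example, and the log layout (the vhost's scheme as the first field of an otherwise Apache "common"-style line) is an assumption; adjust `LINE_RE` to the real `LogFormat`. `probes_that_got_through()` lists any request for a probed path whose outcome was something other than redirect-then-404, which is the evidence that a probe reached code rather than a redirect or a missing file.

```python
"""Per-path status summary of web-server log lines (added example, not
part of the original post).  Format and sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Assumed layout: "<scheme> <client> <ident> <user> [<timestamp>] "<request>" <status> <bytes>"
LINE_RE = re.compile(
    r'^(?P<scheme>https?) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one scanner hitting /nette.micro over HTTP, being
# redirected, retrying over HTTPS and getting 404; normal page= traffic
# alongside it.  Addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
http 198.51.100.23 - - [02/Mar/2021:03:14:07 +0000] "GET /nette.micro HTTP/1.1" 302 -
https 198.51.100.23 - - [02/Mar/2021:03:14:08 +0000] "GET /nette.micro HTTP/1.1" 404 196
http 198.51.100.23 - - [02/Mar/2021:03:14:09 +0000] "GET /index.php?page=home HTTP/1.1" 302 -
https 198.51.100.23 - - [02/Mar/2021:03:14:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120
https 203.0.113.9 - - [02/Mar/2021:09:00:00 +0000] "GET /nette.micro HTTP/1.1" 404 196
https 203.0.113.9 - - [02/Mar/2021:09:00:01 +0000] "POST /index.php?page=upload HTTP/1.1" 200 88
"""

# What a probe that hit nothing looks like: plain HTTP only ever redirects,
# HTTPS only ever says "no such file".
EXPECTED = {"http": {"302"}, "https": {"404"}}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["target"].split("?", 1)[0]   # drop query string
            records.append(rec)
    return records


def status_by_path(records):
    """{path: Counter({(scheme, status): count})}"""
    out = defaultdict(Counter)
    for r in records:
        out[r["path"]][(r["scheme"], r["status"])] += 1
    return out


def probes_that_got_through(records, probe_paths):
    """Requests for a probed path whose outcome is not redirect-then-404."""
    return [r for r in records
            if r["path"] in probe_paths and r["status"] not in EXPECTED[r["scheme"]]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path, counts in sorted(status_by_path(recs).items()):
        print(path, dict(counts))
    print("probes that got through:", probes_that_got_through(recs, {"/nette.micro"}))
```

Run it over the real access log (`parse_log(open(path).read())`) and a non-empty result from `probes_that_got_through()` is the place to start looking; an empty one is what the message above reports.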
his wouldn't solve every problem,
but it seems to me like a very useful thing for Postfix to be able to
do. If this option is intentionally not and most likely never will be
part of Postfix, I would be grateful for an explanation of why it is not
actually helpful, even if it might appear to be at first glance.
Rich Wales
ri...@richw.org
mate e-mail passing through milters and such.
But what I want to know is if any such option exists at all.
Rich Wales
ri...@richw.org
be using e-mail or TCP connections
already for its own legitimate purposes, but being co-opted by a hacker
to nefarious ends? Or could *any* PHP script theoretically be infected
in a way that would cause this misbehaviour?
Rich Wales
ri...@richw.org
ame NAT/proxy path as the spam did.
I'll continue searching for any possible security hole on my firewall
appliance, though.
Rich Wales
ri...@richw.org
Sorry, when I said "chronologically last 'Received:' line" in my earlier
e-mail, I meant to say "chronologically first (physically last)". Mea
culpa.
Rich Wales
ri...@richw.org
coming into and delivered via this server retain the
sending host's identity, btw, and are not rewritten to claim they came
from localhost.
Rich Wales
ri...@richw.org
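Walking the Received: chain in the order the two messages above talk about (chronologically first = physically last), as an added example that is not Postfix code or code from the original posts. The two sample messages are constructed; hostnames, addresses and queue IDs in them are invented. `origin_hop()` starts at the newest header and walks down only through hops stamped by our own MTA, so anything below the real entry point (which a sender can forge) is ignored, and `injected_locally()` answers the question raised above: did this message enter the MTA from the loopback address rather than from a remote client?

```python
"""Read a message's Received: chain oldest-first (added example, not part
of the original posts).  Sample messages are constructed."""
import email
import re

# Postfix-style "from HELO (rdns [ip])" at the start of the value; a hop
# written by pickup/sendmail(1) has no "from" clause at all.
_FROM_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]]*)\s*\[(?:IPv6:)?(?P<ip>[^\]]+)\]\))?",
    re.I,
)
_BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
_ID_RE = re.compile(r"\bid\s+(?P<id>[A-Za-z0-9.+_-]+)", re.I)
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed: an outside message relayed through relay.example.net into
# our MX, then re-injected from localhost (content filter style).
SAMPLE = b"""\
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.org (Postfix) with ESMTP id 2BBBB
\tfor <rich@example.org>; Mon, 1 Jan 2018 10:00:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx.example.org (Postfix) with ESMTPS id 1AAAA
\tfor <rich@example.org>; Mon, 1 Jan 2018 10:00:01 +0000
Received: from trusted.example.com (trusted.example.com [192.0.2.9])
\tby relay.example.net (Postfix) with ESMTP id 0ZZZZ; Mon, 1 Jan 2018 09:59:00 +0000
From: sender@example.net
To: rich@example.org
Subject: test

body
"""

# Constructed: a message whose only hop is a loopback connection to our MX.
LOCAL_SAMPLE = b"""\
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.org (Postfix) with ESMTP id 3CCCC; Mon, 1 Jan 2018 11:00:00 +0000
From: forged@example.com
To: victim@example.net
Subject: unsolicited

body
"""


def parse_received(value):
    """Extract helo / reverse DNS / IP / receiving host / queue id."""
    flat = " ".join(value.split())          # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "id": None}
    m = _FROM_RE.match(flat)
    if m:
        hop.update(helo=m.group("helo"), rdns=m.group("rdns"), ip=m.group("ip"))
    m = _BY_RE.search(flat)
    if m:
        hop["by"] = m.group("by").lower()
    m = _ID_RE.search(flat)
    if m:
        hop["id"] = m.group("id")
    return hop


def received_chain(raw_message):
    """Hops in chronological order: the physically last header comes first."""
    msg = email.message_from_bytes(raw_message)
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def origin_hop(raw_message, our_hosts):
    """The hop at which the message entered our own MTA.

    Walk newest-first through the run of headers stamped by our hosts and
    keep the last one; headers below that run were written by others and
    may be forged, so they never count as the origin.
    """
    ours = {h.lower() for h in our_hosts}
    origin = None
    for hop in reversed(received_chain(raw_message)):   # newest first
        if hop["by"] not in ours:
            break
        origin = hop
    return origin


def injected_locally(raw_message, our_hosts):
    """True when the message entered our MTA from the loopback address."""
    hop = origin_hop(raw_message, our_hosts)
    return hop is not None and hop["ip"] in LOOPBACK


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop)
    print("origin:", origin_hop(SAMPLE, {"mx.example.org"}))
    print("local injection:", injected_locally(LOCAL_SAMPLE, {"mx.example.org"}))
```

A sender who also forges "by mx.example.org" lines below the real ones can still extend the trusted run; matching the queue ID against the server's own log is the check that closes that gap.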
ission would also help.
Thanks. I'll look into this.
Rich Wales
ri...@richw.org
v) for the "smtpd" line in my master.cf,
in hopes that this may capture some additional detail of inbound SMTP
sessions. Any other debugging suggestions would be welcomed.
I'll be back when I have something reasonably useful for you to look at.
Rich Wales
ri...@richw.org
get taken off the GBUDB blacklist site.
The next time I see this happen -- could be tomorrow, could be weeks
from now, I have no idea when -- I'll gladly forward a copy of my
"mailq" output. I deleted my earlier evidence, I'm afraid.
Rich Wales
ri...@richw.org
in question as probably coming via an open
relay, but it still passes them. What confuses me is that I would
expect Postfix to have identified and rejected these messages during the
initial SMTP dialogue with the sender, and they should never reach
amavisd-new.
Any suggestions gratefully w
On Wed, May 20, 2020 at 05:41:46PM -0400, Wietse Venema wrote:
> Rich Felker:
> [dnssec end-to-end probe, log a warning if for any reason results
> do not have the authentic data' bit set]'.
> > This sounds like a great plan that will also mitigate the problem of
AD-stripping by default. FYI I've raised concerns about that
again on libc-alpha:
https://sourceware.org/pipermail/libc-alpha/2020-May/114174.html
> Postfix would still disable the res_nxxx() calls into libc-musl, but
> that would be safe, even if those calls end up to get added later.
Can you do this via the published __RES API version in resolv.h,
rather than probing ldd? The latter is flaky and will get wrong result
in various cases I mentioned before.
Rich
ng, though they also plan to patch musl so
they may end up not needing it.
I think with latest glibc though you'd also need to force the trust-ad
flag, or glibc would strip AD from the result. Given how AD interacts
with DANE, it seems like stripping it is a really bad idea (disables
DANE), and we should probably push for glibc to reconsider doing it at
all...
Rich
On Tue, May 19, 2020 at 06:51:57PM -0400, Viktor Dukhovni wrote:
> On Tue, May 19, 2020 at 04:08:32PM -0400, Rich Felker wrote:
>
> > I'm not encouraging any to do that; rather I've encouraged them to
> > take measures to both:
> >
> > (1) ensure that
On Tue, May 19, 2020 at 01:25:52PM -0400, Wietse Venema wrote:
> Rich Felker:
> > On Tue, May 19, 2020 at 11:11:56AM -0400, Wietse Venema wrote:
> > > Rich Felker:
> > > > On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> > > > > Ric
On Tue, May 19, 2020 at 11:11:56AM -0400, Wietse Venema wrote:
> Rich Felker:
> > On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> > > Rich Felker:
> > > > There is fundamentally no build-time test possible for this. Even if we
> > > > w
On Tue, May 19, 2020 at 10:23:18AM -0400, Wietse Venema wrote:
> Rich Felker:
> > There is fundamentally no build-time test possible for this. Even if we
> > were willing to make flags for each bug (or missing feature) that was
> > ever fixed indicating the change, that would
On Tue, May 19, 2020 at 09:22:59AM -0400, Wietse Venema wrote:
> Viktor Dukhovni:
> > Robust detection of MUSL features at build time would be much
> > appreciated. Precludes any tests that depend on live DNS queries.
> > The tests need to *statically* test the features of the platform's
> > C lib
On Tue, May 19, 2020 at 05:06:10AM -0400, Viktor Dukhovni wrote:
> On Tue, May 19, 2020 at 01:44:30AM -0400, Rich Felker wrote:
>
> > > This sounds reasonable. Will there be a way for Postfix to detect the
> > > new library version, so that we don't disable DANE for
On Mon, May 18, 2020 at 10:38:14PM -0400, Viktor Dukhovni wrote:
> On Mon, May 18, 2020 at 09:37:36PM -0400, Rich Felker wrote:
>
> > > Mostly dig, unbound-host, ... Most of the platform C libraries support
> > > DO=1, which obviates the need for AD=1, so they
s_mkquery.
This ensures that even if there are some broken nameservers/networks
still that can't handle AD in queries, the standard, widely-used,
high-level lookup APIs will still work, and at worst res_query breaks.
Note that the netdb.h functions have no use for the AD bit and no way
to pass it back to the caller, so there is no reduction in
functionality by having them clear it.
Rich
res_mkquery, |='ing the AD bit into place, then
res_send. This is what I'll probably be recommending Alpine and other
distros do in the mean time (via a patch) until they have an upstream
solution, since it's a really easy and non-invasive change to make.
As stated before I'd also like to have a solution in next musl release
and hopefully will.
Rich
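The header mechanics argued over in this sub-thread, as an added example that is not code from Postfix, musl or glibc: the query header is laid out the way res_mkquery() lays it out, the AD flag is ORed in before the packet would go to res_send(), and the reply header is checked for the same flag coming back. Nothing touches the network; the reply is a constructed header. `tlsa_usable()` has both policies side by side: strict is the RFC 7672 rule (use TLSA records only from an AD=1 answer), non-strict is the "use whatever TLSA records you can look up" position argued earlier in the thread. `strip_ad()` models a libc that clears AD on the way back to the caller, which is the glibc behaviour mentioned above when the trust-ad option is not set.

```python
"""DNS header handling behind the AD-bit discussion (added example, not
code from Postfix, musl or glibc).  Offline: the reply is constructed."""
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, RFC 4035).
QR = 0x8000      # response
RD = 0x0100      # recursion desired
RA = 0x0080      # recursion available
AD = 0x0020      # authentic data: validated by the resolver
RCODE_MASK = 0x000F

QTYPE_TLSA = 52
QCLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name such as '_25._tcp.mx.example.com'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid, set_ad=True):
    """What res_mkquery() produces, plus the AD bit ORed into the header.

    A stub that sends the query with AD clear (the musl behaviour under
    discussion) gets the answer back with AD clear, so the caller cannot
    tell a validated TLSA RRset from one out of an unsigned zone.
    """
    flags = RD | (AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet):
    """Split the 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "rd": bool(flags & RD),
        "ra": bool(flags & RA), "ad": bool(flags & AD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def strip_ad(packet):
    """A libc that clears AD before handing the answer to the caller:
    same packet, one flag gone."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return struct.pack("!HH", txid, flags & ~AD) + packet[4:]


def tlsa_usable(reply, strict=True):
    """May the TLSA records in `reply` drive DANE for this delivery?

    strict=True  : RFC 7672 rule, only an AD=1 answer counts.
    strict=False : use whatever TLSA records came back.
    A non-zero RCODE or an empty answer section is unusable either way.
    """
    h = parse_header(reply)
    if h["rcode"] != 0 or h["ancount"] == 0:
        return False
    return h["ad"] if strict else True


def make_reply(query, ancount, ad=True, rcode=0):
    """Constructed reply for exercising the code above: header plus the
    echoed question only; parse_header() never reads the answer section."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | (AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("_25._tcp.mx.example.com", QTYPE_TLSA, 0x1234)
    validated = make_reply(q, ancount=2, ad=True)
    print("AD in query:", parse_header(q)["ad"])
    print("validated reply, strict:", tlsa_usable(validated))
    print("AD stripped, strict:", tlsa_usable(strip_ad(validated)))
    print("AD stripped, lenient:", tlsa_usable(strip_ad(validated), strict=False))
```

The last two lines of the demo are the whole disagreement in miniature: once the libc has cleared AD, the strict policy falls back to non-DANE delivery and the lenient one still uses the records, for better or worse.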
On Sat, Apr 18, 2020 at 03:01:08PM -0400, Viktor Dukhovni wrote:
> On Sat, Apr 18, 2020 at 01:04:58PM -0400, Rich Felker wrote:
>
> > > You can consider libc-musl as unsupported from now on.
> >
> > I am really not appreciating the hostility and utterly petty
>
On Sat, Apr 18, 2020 at 10:59:51AM -0400, Wietse Venema wrote:
> Rich Felker:
> > > It would be a mistake to use TLSA records from an unsigned domain.
> > > That would be no more secure than accepting a random server
> > > certificate. All the pain of doing T
On Fri, Apr 17, 2020 at 06:59:53PM -0400, Wietse Venema wrote:
> Rich Felker:
> > I can see where it could be desirable to log whether delivery was made
> > based on a TLSA record in a signed domain vs an unsigned one, and this
> > necessitates being able to see the AD bit
On Fri, Apr 17, 2020 at 07:01:26PM -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 06:52:48PM -0400, Rich Felker wrote:
>
> > > There are (unsigned) domains where any attempt to look up TLSA records
> > > times out or otherwise fails. If DANE is to be downgrade
On Fri, Apr 17, 2020 at 06:27:27PM -0400, Viktor Dukhovni wrote:
> On Fri, Apr 17, 2020 at 06:19:18PM -0400, Rich Felker wrote:
>
> > This reasoning is why I consider it harmful to limit use of DANE
> > records to situations where the DNS lookup is "trusted" to have b
ch to "trust" servers
that shouldn't be trusted.
The right behavior (regardless of what any RFC says) is to use any
TLSA records you're able to lookup. If the configured nameservers are
validating DNSSEC and your link to them is secure, you get the full
protection DANE provides. If they're not, the behavior is no worse
(and in many ways better) than what you'd get by not having DANE at
all. Yes an attacker could perform DoS by giving you invalid TLSA
records or MITM the connection by providing ones for a key they
control, but if you switch DANE completely off then an attacker in the
same position can do these things anyway.
Rich
ponse: It
> reduces latency because that server is more likely to have the large
> response in its cache.
I'm not talking about future queries but other unfinished queries that
are part of the same operation (presently just concurrent A and
lookups).
Rich
On Wed, Apr 15, 2020 at 07:19:43PM +0200, Florian Weimer wrote:
> * Rich Felker:
>
> > This is true for users running local nameservers, which ideally will
> > eventually be everyone, but at present that's far from the case.
> > Differences like concurrent attempts
On Tue, Apr 14, 2020 at 02:16:20AM -0400, Viktor Dukhovni wrote:
> On Mon, Apr 13, 2020 at 11:53:03PM -0400, Rich Felker wrote:
>
> > > Your local nameserver has already done the TCP failover and paid the
> > > cost of obtaining the full RRset, your stub resolver is just
send the query
in-place (requires iovecs with sendmsg).
> > > Sorry, we actually need to know which records were validated in
> > > signed domains, and which are "insecure" responses from unsigned
> > > domains. That's what the AD bit is for, and you're not setting
> > > it in requests, and so it does not come back in the response.
> >
> > Can you describe why?
>
> I can, but you can just read RFC 7672 if you like, I've already
> explained it there. Bottom line, it is needed.
>
> > Is it only for the sake of not using TLSA
> > records in unsigned domains? That kind of policy can be implemented at
> > the resolver level
>
> It cannot and should not be implemented at the resolver level.
Noted that this is your position. :-)
Rich
On Mon, Apr 13, 2020 at 03:04:12PM -0400, Viktor Dukhovni wrote:
> On Mon, Apr 13, 2020 at 02:35:22PM -0400, Rich Felker wrote:
>
> > > The problem can be partly resolved by setting the "AD" bit in the
> > > outgoing DNS query header sent by the musl-libc st
something I'd like to have come out of this discussion.
From my perspective, what would work best with what's always been the
intended DNSSEC usage model of musl would be if Postfix supported use
of DANE with smtp_dns_support_level=enabled, i.e. outsourcing all
DNSSEC functionality to the nameserver.
Rich
m to look in their spam folder. Sure enough, there sits the
original message (and attachments) I sent. That they don't think of looking
there on a daily basis, or when not receiving expected communications, is a
non-technical issue.
Glad you fixed your problem.
Rich
On Thu, Aug 22, 2019 at 05:19:37PM +, Gomes, Rich wrote:
> I am seeing a lot of Temporary lookup failure errors in the maillog.
> At first I thought it was an issue related to reverse DNS lookups as
> each of the sending servers had no reverse
ing to route it to the
preferred relay. This way localhost can handle the retries since the
application quits on anything other than a 200-level error.
Thanks,
Rich
Rich Gomes | Aramark | Senior Systems Administrator | Messaging and
Collaboration Services
141 Longwater Drive
Norwell,
The best English phrase to use here would be "unnecessary leading zeroes".
Rich Wales
ri...@richw.org
fferent
machine?
Must have copied that directory from the existing desktop.
Fixing the version number in main.cf allowed set_permissions
upgrade_configuration to run and upgrade master.cf too.
Thanks very much,
Rich
ot find the set-permissions script so I can fix the version error.
What is the proper way to resolve this issue?
TIA,
Rich
ead me to store corrections in a text file and it
was only this last upgrade that was different.
Many thanks for your all your efforts on postfix over the years.
Best regards,
Rich
On Thu, 4 Jul 2019, @lbutlr wrote:
Slackware issue?
Likely not. I've used the same build script for years.
All the directories in /var/spool/postfix are owned by postfix except for
pid, which is owned by root.
Thank you. That's why the logwatch warnings puzzled me.
Regards,
Rich
maildrop/
drwxr-xr-x 2 postfix root 4096 Jun 23 07:57 pid/
drwx------ 2 postfix postfix 4096 Jun 23 07:57 private/
drwx--x--- 2 postfix postdrop 4096 Jun 23 07:57 public/
drwx------ 2 postfix postfix 4096 Jun 23 07:57 saved/
drwx------ 2 postfix postfix 4096 Jun 23 07:57 trace/
Puzzled,
Rich
ation parameter to tell the
postscreen server to reject new(ish) clients for a specified minimum
period of time before stepping out of the way and allowing them to pass?
At the moment, it seems to me that requiring a minimum of 5 minutes
after the first soft rejection should be more than sufficient.
see the Postfix configuration docs (www.postfix.org/postconf.5.html)
propose using address_verify_poll_count=1 as "a crude form of
greylisting"; how well do people find this to work in practice?
Any other suggestions?
Rich Wales
ri...@richw.org
were listed separately by pflogsumm is not
obvious when I look at the list grep returned.
Thanks,
Rich
ce on how I can identify
these two messages in /var/log/maillog.1 among all the logged incoming
messages to this address.
TIA,
Rich
On Sun, 28 Jan 2018, Wietse Venema wrote:
Please tell the maintainer that they need to run the command, not the
user.
Wietse,
I'll do this.
Thanks,
Rich
t.
Thanks,
Rich
g out that the maintainer does write to run the
set-permissions script.
Regards,
Rich
lso see:
http://www.postfix.org/PACKAGE_README.html
Will do.
Thanks again,
Rich
se it) from now on.
Regards,
Rich
neglected in my post-installation
notes was to change the group to postdrop for those two scripts prior to
running set-gid on them.
Thanks very much,
Rich
system
Jan 28 09:31:55 salmo postfix/master[16126]: daemon started -- version 3.2.5,
configuration /etc/postfix
I've not seen these warnings in prior upgrades and would appreciate
learning what I need to change to remove them.
Regards,
Rich
On Tue, 16 Jan 2018, Rich Shepard wrote:
Running postfix-3.2.4 on Slackware-14.2. My server and workstation are on
the same host. Yesterday, about mid-day, messages to me stopped being
delivered to my INBOX. /var/spool/mail shows:
Earlier today I added another recipe to ~/procmail
On Wed, 17 Jan 2018, Matus UHLAR - fantomas wrote:
on some systems I maintain there was "VERBOSE=yes" and procmail logged
path to the created file within maildir. try setting VERBOSE=yes at the
begin of your procmail rc file.
Matus,
Thanks for clarifying. Here is ~/.procmailrc:
LOGFILE=/ho
list addresses.
If I mis-understand your question let me know what additional information
I can provide and I will send it.
Thanks,
Rich
.com"
Procmail then looks at each recipe for the mail lists and finds no
matches.
Nothing's changed here from before mail stopped being sent to the default
file. Now I need to find why it sees the default but is not passing mail
there.
Rich
rules for two mail lists.
Thanks,
Rich
reports or spam
that the filters missed.
In the 20+ years I've run postfix this has not before happened and I've no
idea how to identify the source of the issue. Please advise me on how I can
find the problem.
TIA,
Rich
quiti EdgeRouter-X failed the day after it
was put into service. I've contacted Amazon and they're sending a
replacement.
My thanks to everyone,
Rich
rting Saturday. I've put the old router back in service, but messages to
one mail list are still delayed.
Thanks,
Rich
ly do anything]
No FILTERs I've added; the final line is the end of this one:
#smtp_data_restrictions = reject_multi_recipient_bounce
Now on one line again.
soft_bounce = yes
This can make messages linger that should have bounced. Should
not be on long-term.
Thank you. Changed to 'no'.
Rich
transport
map.
I don't relay outbound mail any longer. Frontier Communications opens Port
25 by default on business accounts, and some messages are delivered.
Thanks,
Rich
On Mon, 13 Nov 2017, Viktor Dukhovni wrote:
http://www.postfix.org/DEBUG_README.html#mail
Viktor,
I had looked at that page and checked many of the items.
Include logs showing the complete history of a delayed message (all
log entries with the problem queue-id).
The only one found in
Running postfix-3.2.4 here on Slackware-14.2. I am a professional services
sole practitioner, not a professional system or network admin.
After several years having outbound mail forwarded through my ISP's mail
server I changed ISPs and now have a static IP address. The other recent change
he
On Sun, 25 Jun 2017, Wietse Venema wrote:
See comment above: run "postfix set-permissions".
Thanks, Wietse. I ran 'chown -R root /var/spool/postfix/pid/' with postfix
stopped. When re-started, no warnings were displayed.
Regards,
Rich
I use a SlackBuilds.org script. Perhaps that's considered 'doing things by
hand,' but it's what I've used for almost two decades.
I'll contact the package maintainer about running postfix set-permissions.
Thanks,
Rich
running, but I would like
to understand why the warning is present.
Rich
, 2017 2:43 PM
To: Postfix users
Subject: Re: dict_ldap_lookup questions
> On Feb 10, 2017, at 2:27 PM, Gomes, Rich wrote:
>
> The reason the query is setup like that is we have several internal
> domains and a user may have an alias for one or all of them depending
> on t
done | time postmap -q - ldap:/table/file.cf
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Gomes, Rich
Sent: Friday, February 10, 2017 2:49 PM
To: Postfix users
Subject: RE: dict_ldap_lookup questions
I am using ldap:
I w
: Re: dict_ldap_lookup questions
> On Feb 10, 2017, at 2:27 PM, Gomes, Rich wrote:
>
> The reason the query is setup like that is we have several internal
> domains and a user may have an alias for one or all of them depending
> on their employment history.
You've fai
eeing.
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Viktor Dukhovni
Sent: Friday, February 10, 2017 1:38 PM
To: Postfix users
Subject: Re: dict_ldap_lookup questions
> On Feb 10, 2017, at 1:15 PM, Gomes, Ric
randompassword
# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
leaf_result_attribute = proxyAddresses
Thanks for the assistance
Rich
-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
On Behalf Of Viktor Du
ruary 10, 2017 12:33 PM
To: postfix-users@postfix.org
Subject: Re: dict_ldap_lookup questions
On Fri, Feb 10, 2017 at 05:21:18PM +, Gomes, Rich wrote:
> Can you point me in the right direction for indexing?
> All I can find is adding this line to the config:
> result_attribute = mem
...@postfix.org]
On Behalf Of Viktor Dukhovni
Sent: Friday, February 10, 2017 12:09 PM
To: Postfix users
Subject: Re: dict_ldap_lookup questions
> On Feb 10, 2017, at 12:01 PM, Gomes, Rich wrote:
>
> warning: dict_ldap_lookup: Search error -5: Timed out
You've probably neglected to index t
merandom...@someinternaldomain.com>
each time it received an email for it within a specified time-frame.
Thanks,
Rich
A word to the wise. Message received.
Again, thanks!
I'm sorry Viktor, but it seems I didn't make my goal clear. Here it is
again restated.
Our canonical domain is example.com
Two of our hosted domains are domainA.com, and domainB.com. These are not
subdomains of example.com, but rather separate domains entirely that are
delivered locally.
The goal
Thank you. I understand, but this requirement is imposed by my business
unit...
I haven't tried canonical_maps yet, but I was about to head down that road.
I'll give it a shot.
On Sun, Jan 15, 2017 at 1:12 PM, Viktor Dukhovni wrote:
> On Sun, Jan 15, 2017 at 01:02:37PM -0500
masquerade, we edit sendmail.cf
and add a CN entry.
Easy peasy.
On Sun, Jan 15, 2017 at 1:02 PM, Richie Rich wrote:
> Thanks for the replies. I really appreciate the help.
>
> I am already leveraging /etc/postfix/virtual to route traffic to my
> "hosted domains".
>
> The
Thanks for the replies. I really appreciate the help.
I am already leveraging /etc/postfix/virtual to route traffic to my "hosted
domains".
The problem I'm trying to solve, simply stated, is that I need to be able
to selectively masquerade inbound email to my hosted domains.
So, u...@doma.com wil
Thanks for the quick response. Can you point me in a direction to
accomplish what I'm trying to do?
I'm totally new to postfix.
Again, thanks.
On Sat, Jan 14, 2017 at 2:54 PM, Viktor Dukhovni wrote:
>
> > On Jan 14, 2017, at 2:51 PM, Richie Rich wrote:
> >
> >
My company, "myco.com", accepts mail for many other domains (doma.com,
domb.com, etc.)
All of these domains are listed in $mydestination, and are routed via
/etc/aliases, or /etc/postfix/virtual.
masquerade_domains = doma.com, domb.com, myco.com
If I send mail to a subdomain of myco.com, like u
is there, I'm afraid I'm misunderstanding the
documentation and am missing the answer.
Rich Wales
ri...@richw.org