[pfx] Re: gmail failing SPF/DKIM

2023-11-27 Thread Shawn Heisey via Postfix-users
On 11/27/23 07:40, Linkcheck via Postfix-users wrote: The forms also send a copy to the sender as confirmation. Most of these, as far as I know, get delivered but recently gmail has been rejecting them with the message: 550-5.7.26 This mail has been blocked because the sender is

[pfx] Re: Stupid questions

2023-09-18 Thread Shawn Heisey via Postfix-users
On 9/18/23 08:09, Curtis Maurand via Postfix-users wrote: I'm running Postfix with rspamd, which is a milter.  At what point in the email conversation does the DKIM lookup happen? Does Postfix handle that or am I asking on the wrong list and I should be asking the question on the rspamd list?

[pfx] Re: Accepting mail from old Dell iDRAC

2023-08-05 Thread Shawn Heisey via Postfix-users
On 8/5/23 13:38, Viktor Dukhovni via Postfix-users wrote: If not for your sake, then perhaps for future readers, it would be great if you would confirm or deny what type of certificate is configured on the Postfix SMTP server end? If you switch to RSA, it should work with the iDRAC, the

[pfx] Re: Question on the CNAME

2023-05-03 Thread Shawn Heisey via Postfix-users
On 5/3/23 19:02, Ken Peng via Postfix-users wrote: I am just not sure, for this domain SpaceMail.com, who has a CNAME to CDN for the root domain, every query to this domain will get a CNAME. for instance, $ dig spacemail.com mx +nocmd +noall +answer spacemail.com. 60 IN

Re: Postfix with opendkim generates "ssl error"

2023-02-11 Thread Shawn Heisey
On 2/11/23 08:41, nj140...@yahoo.com wrote: opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long Others running into something similar found that the file either was in DOS format or had a BOM at the beginning -- characters were present that

Re: Issue with Postfix

2023-01-01 Thread Shawn Heisey
On 1/1/23 12:33, Bill Cole wrote: also, private IP ranges should be excluded from checking in DNS lists. Yes, but non sequitur... ... as your server connects to 192.168.1.160, I assume that server sees your address to be from private range too. Nope, the connecting address is shown in the

Re: Issue with Postfix

2023-01-01 Thread Shawn Heisey
On 1/1/23 07:23, Forums wrote: */postfix/smtp[23430]: 4972423BAF: to=/**/, relay=192.168.1.160[192.168.1.160]:25, delay=0.99, delays=0.06/0.03/0.8/0.1, dsn=5.7.1, status=bounced (host 192.168.1.160[192.168.1.160] said: 554 5.7.1 Service unavailable; Sender address [no-re...@mehl-family.fr]

Re: remailer for alias lists?

2022-12-04 Thread Shawn Heisey
On 12/4/22 16:59, Dan Mahoney wrote: Or the "current version" of that one that takes not only a database but also four different packages plus a full nginx/django install to set up (mailman3) Some time ago, I had an install of mailman2 on Ubuntu that worked well.  The server that had that

Re: postfix 3.6.4 (ubuntu server 22.04 LTS) does not start - manually build 3.7.2 denies SASL although included in make command

2022-10-02 Thread Shawn Heisey
On 10/2/22 14:42, Viktor Dukhovni wrote: On Sun, Oct 02, 2022 at 08:22:39PM +, Martin wrote: # postfix stop postfix/postfix-script: stopping the Postfix mail system Oct 02 16:24:11 derdickehase postfix/postfix-script[3222]: stopping the Postfix mail system

Re: no shared cipher revisited

2022-10-01 Thread Shawn Heisey
On 10/1/22 20:44, Viktor Dukhovni wrote: I do have it listening on port 465, hopefully I got the config right so that does not allow authentication.  I think I also disabled TLS below 1.2 on port 587. What would be the use of "465" if SASL authentication is not allowed? It should be

Re: no shared cipher revisited

2022-10-01 Thread Shawn Heisey
On 10/1/22 18:04, Wietse Venema wrote: Look for the 'disconnect' logfile record, it will report if starttls was used, and if it was successful. A recent example: Sep 27 13:06:35 spike postfix/smtpd[78883]: disconnect from m227-25.mailgun.net[159.135.227.25] ehlo=1 starttls=0/1 commands=1/2

Custom dhparam

2022-10-01 Thread Shawn Heisey
Each time I renew my certificate, I generate a new 4096 bit dhparam value and append it to the certificate file that I use with all my TLS-capable software. The pem-formatted certificate file contains 4 things:  The server cert, the letsencrypt issuing cert, the private key, and that newly

Re: no shared cipher revisited

2022-10-01 Thread Shawn Heisey
On 10/1/22 16:16, Viktor Dukhovni wrote: 4096-bit RSA certificates mostly work, but are pointless crypto exhibitionism, waste CPU, can run into client implementation limitations, and so are not a good idea. Interesting.  This message is offtopic for the thread. My cert from letsencrypt is

Re: moving to virtual: some questions

2022-05-25 Thread Shawn Heisey
On 5/25/2022 5:41 AM, lutz.niede...@gmx.net wrote: 1. x-original-to header When mail is sent by local processes without the domain part in the to address, it will be appended by postfix.  But for the x-original-to header there is only the user part.  How can I manage to append the domain part

Re: Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread Shawn Heisey
On 5/17/2022 9:14 AM, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: This is part of what I plan to put on our new MTA (Postfix only) and MDA (Postfix/Dovecot) servers. Please tell me if I am doing anything foolish / dangerous. My concern is whether I should put "permit_mynetworks" higher in the

Re: password security

2022-04-26 Thread Shawn Heisey
On 4/26/2022 7:15 PM, Demi Marie Obenour wrote: On 4/26/22 01:35, Antonio Leding wrote: Anyone who thinks that F2B merely “quiets logs” unfortunately has no idea what F2B actually does… Would you mind explaining? TL;DR for many: The fail2ban service watches logfiles for things that indicate

Re: Virtual domains

2022-04-14 Thread Shawn Heisey
On 4/14/22 09:26, Emmett Culley wrote: I would include the output of postconf, but it is very large and I don't know how to narrow it down to what is needed to help resolve this issue. Try "postconf -n".  This should only show settings that are different from default. elyograg@bilbo:~$

Re: Setting up virtual mail users

2021-12-04 Thread Shawn Heisey
On 12/3/2021 4:11 PM, bobby wrote: I noticed on her site, she has a section for: Create Virtual Mailboxes with PostfixAdmin (Ubuntu 18.04, Ubuntu 20.04) Trying to avoid a gui when/where possible, for security reasons.  I am running 20.04 by the way.  Just noticed the following bullet point

Major upgrade of mail server

2021-07-07 Thread Shawn Heisey
I have a mail server in AWS that is currently running Ubuntu 18. Every time I log in, I am reminded that I can upgrade to Ubuntu 20. On Ubuntu 18, postfix is version 3.3.0-1ubuntu0.3. On Ubuntu 20, postfix would be upgraded to 3.4.10-1ubuntu1. Many other packages, probably including the

Re: Logging - Connect Order

2021-05-29 Thread Shawn Heisey
On 5/28/2021 6:24 PM, post...@ptld.com wrote: Without recompiling postfix, is there a way to get the PTR hostname warning to come after the connect message in the logs? Adding to the reply from Wietse, which I have to agree with: On my Ubuntu 18 mail server, everything that postfix sends to

Re: A blog post that I hope will help people, can the community help me improve it?

2019-10-25 Thread Shawn Heisey
On 10/25/2019 11:13 AM, Shawn Heisey wrote: I created a blog post for something I needed to get done and figured out how to do. https://purg.atory.org/2019/10/24/creating-a-discard-noreply-email-address-with-postfix-and-postfixadmin/ If the community has any pointers that would make

A blog post that I hope will help people, can the community help me improve it?

2019-10-25 Thread Shawn Heisey
I created a blog post for something I needed to get done and figured out how to do. https://purg.atory.org/2019/10/24/creating-a-discard-noreply-email-address-with-postfix-and-postfixadmin/ If the community has any pointers that would make this better, or perhaps even a better way to

Re: Postfix is not open relay but send spam

2019-10-15 Thread Shawn Heisey
On 10/15/2019 1:27 AM, Julien Michaux wrote: From time to time, my server is attacked and it sends spam. All spam is from a specific address "cy...@mydomain.com". I tried many things but nothing works. I have to stop postfix for some hours and the attack ends until next time.

Re: Can postscreen whitelist?

2019-04-15 Thread Shawn Heisey
On 4/15/2019 10:02 AM, Jim P. wrote: Sure. You want postscreen_access_list, which defaults to permit_mynetworks. Just add it to your config with a lookup table like so: postscreen_access_list = permit_mynetworks, hash:/etc/postfix/postscreen_access_list ~# cat

Can postscreen whitelist?

2019-04-15 Thread Shawn Heisey
Something I did pretty recently on the various restrictions in main.cf was add a spam_lovers access file that allows me to whitelist certain recipients so that messages to them will bypass all the filtering. I did this because I've had people tell me about situations where they did not

Re: Monitoring amount of smtpd processes

2018-10-21 Thread Shawn Heisey
On 10/20/2018 7:24 AM, Peer Heinlein wrote: we're monitoring the amount of active smtpd processes to make sure that we do not reach the max-proc limit from master.cf. If a client disconnects very early, the smtpd is still "unused" and remains in server memory, waiting for the next connection.

Re: maximal_queue_lifetime (was Re: Postfix redirects emails to postmaster for non-existent users)

2017-02-02 Thread Shawn Heisey
On 2/2/2017 12:07 PM, @lbutlr wrote: > On Feb 2, 2017, at 8:41 AM, Viktor Dukhovni > wrote: >>> maximal_queue_lifetime = 1d >> >> Perhaps too short. > > Curious for opinions on shortening this some from the default (5days, IIRC). > > I mean, 1d seems too short to

Re: sender is my domain, but coming from outside -- postfix/amavisd combo did NOT tag SPF violation!

2016-07-29 Thread Shawn Heisey
On 7/22/2016 2:10 PM, Benny Pedersen wrote: > On 2016-07-22 19:53, Shawn Heisey wrote: > >> relay_domains = $mydestination, hash:/etc/postfix/local_domains > > if local_domains contains domains local, you can reject senders that > forge sender AFTER permit_sasl_auth.

Re: sender is my domain, but coming from outside -- postfix/amavisd combo did NOT tag SPF violation!

2016-07-22 Thread Shawn Heisey
On 7/19/2016 2:53 PM, Benny Pedersen wrote: > sure, where is postconf -n ? :=) > > its simple with postfix to reject own domains in postfix port 25, and > reqire sasl auth on port 587 and port 465 > > it does not really need spf The server is *just* a spam-filtering relay. It does no

sender is my domain, but coming from outside -- postfix/amavisd combo did NOT tag SPF violation!

2016-07-19 Thread Shawn Heisey
I'm reasonably certain that this is my own mistake, but I need help tracking down what I've done wrong. I have postfix/amavisd (and other software components) in a mail relay role, sitting between an Exchange server and the Internet. All email coming in from the Internet and all email heading

Re: File count mismatch in spool directories

2015-03-24 Thread Shawn Heisey
On 3/23/2015 9:40 AM, Viktor Dukhovni wrote: The extra files are not a problem. Don't count files in defer. If you're using long queue-ids, and your clock is not prone to moving backwards, you can automate removal of defer files that are older than some reasonable multiple of the

File count mismatch in spool directories

2015-03-23 Thread Shawn Heisey
I installed a monitor for the postfix queue directories to catch queue buildup problems before they become critical and cause mail delays of several hours. We've had problems with sudden email storms from misconfigured internal systems ... when you suddenly get 2 new messages in the queue,

Re: Postscreen rejecting with 450, on postfix restart, gets immediately through

2015-02-11 Thread Shawn Heisey
On 2/11/2015 3:24 PM, li...@rhsoft.net wrote: just don't enable deep protocol tests if you don't want 450 rejects and rob0's example is nice but don't blindly follow howtos without real understanding http://www.postfix.org/POSTSCREEN_README.html

Postscreen rejecting with 450, on postfix restart, gets immediately through

2015-02-11 Thread Shawn Heisey
Currently my production mail relay for work (sitting between Exchange and the Internet) uses Postfix 2.9.3 on Debian 6. I'm building up a new system using Postfix 2.11.0 on Ubuntu 14, and incorporating postscreen as the first line of defense. Almost all the software is installed with distro

Relay access denied, but destination address is in relay_recipients_map

2014-12-05 Thread Shawn Heisey
This is postfix 2.11.0-1, from the Ubuntu 14 package repository. I'm building up a new postfix mail relay for my employer. Here's a redacted postconf -n: https://www.dropbox.com/s/lusodz50a94ujl2/nexus1-postconf-n.txt?dl=0 This is my first install with postscreen. I've modeled it on rob0's

Re: Relay access denied, but destination address is in relay_recipients_map

2014-12-05 Thread Shawn Heisey
On 12/5/2014 10:29 AM, Shawn Heisey wrote: It's probably a simple newbie mistake ... but I can't see it. Can anyone point it out to me? I'm already using a similar setup on an older postfix version, but with policyd-weight instead of postscreen. It was indeed something simple that I

Re: Verifying relay recipients for upstream Exchange backend

2011-06-02 Thread Shawn Heisey
On 6/2/2011 4:46 AM, Ansgar Wiechers wrote: I'm aware that this can be done in Perl. I just don't see any point in using VBScript to extract the data, and then switching to Perl for further processing. I also don't see any point in using awk to transform the output of a Perl script, BTW. I

Re: Verifying relay recipients for upstream Exchange backend

2011-06-01 Thread Shawn Heisey
On 6/1/2011 12:57 PM, Ansgar Wiechers wrote: I'm aware of two ways to verify recipients when relaying mail to upstream Exchange servers: - Export recipient addresses from AD and use that list as $relay_recipient_maps. - Use an LDAP query in $relay_recipient_maps. I seem to recall that there

permit_mynetworks doesn't supersede reject_unauth_pipelining

2011-05-18 Thread Shawn Heisey
I am having a problem that IMHO should be solved by the following in main.cf. I am using version 2.7.1 in Debian squeeze: smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce This says to me that if the host is listed in mynetworks, it

Re: permit_mynetworks doesn't supersede reject_unauth_pipelining

2011-05-18 Thread Shawn Heisey
On 5/18/2011 2:57 PM, Noel Jones wrote: On 5/18/2011 3:39 PM, Shawn Heisey wrote: I am having a problem that IMHO should be solved by the following in main.cf. I am using version 2.7.1 in Debian squeeze: smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining

Re: permit_mynetworks doesn't supersede reject_unauth_pipelining

2011-05-18 Thread Shawn Heisey
On 5/18/2011 5:09 PM, Wietse Venema wrote: This applies restrictions before RCPT TO, so you reported the wrong Postfix configuration, or you have parameter settings in master.cf that you should also report about. It's the right configuration. Just in case, I made sure I was on the right

Re: permit_mynetworks doesn't supersede reject_unauth_pipelining

2011-05-18 Thread Shawn Heisey
On 5/18/2011 6:27 PM, Wietse Venema wrote: In master.cf you have smtpd_delay_reject = no. With this, Postfix will apply smtpd_sender_restrictions when it receives the MAIL FROM command, instead of waiting until the RCPT TO command. In your log, Postfix rejects the MAIL FROM command. This means