Re: Add a disclaimer for all senders

2022-02-04 Thread Viktor Dukhovni
> On 4 Feb 2022, at 9:05 am, Forums wrote: > > Using "smtpd" instead of "postscreen" doesn't change issue. You'll have to back up that claim with: # postfix reload ... submission of a new message via TCP port 25 ... ... logs showing that message entering and leaving the

Re: Add a disclaimer for all senders

2022-02-04 Thread Viktor Dukhovni
> On 4 Feb 2022, at 8:39 am, Forums wrote: > > smtp inet n - y - 1 postscreen > -o content_filter=disclaimer: The postscreen(8) program does not implement content filters. That setting should be for smtpd(8). -- Viktor.

Re: Accepting expired client certificate

2022-02-03 Thread Viktor Dukhovni
On Thu, Feb 03, 2022 at 01:39:44PM -0500, Martin Hicks wrote: > The only configuration change I made in response to this discussion was > to disable smtpd_tls_ask_ccert - I'm not sure why this was ever enabled. > > I'll update in a week or two when I see another e-mail from aircanada. You can

Re: Accepting expired client certificate

2022-02-03 Thread Viktor Dukhovni
On Thu, Feb 03, 2022 at 06:51:09PM +0100, Matus UHLAR - fantomas wrote: > sorry, the third one is not expired: > > Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 > Validity > Not Before: Jan 20 19:14:03 2021 GMT > Not After : Sep 30 18:14:03

Re: Accepting expired client certificate

2022-02-03 Thread Viktor Dukhovni
On Thu, Feb 03, 2022 at 03:42:39PM +0100, Matus UHLAR - fantomas wrote: > Certificate chain > 0 s:CN = darwin.bork.org > i:C = US, O = Let's Encrypt, CN = R3 > 1 s:C = US, O = Let's Encrypt, CN = R3 > i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 > 2 s:C = US, O =

Re: Accepting expired client certificate

2022-02-03 Thread Viktor Dukhovni
On Thu, Feb 03, 2022 at 08:24:07AM -0500, Martin Hicks wrote: > There is an smtp server that is trying to send e-mail to my > domain, but with an expired certificate: At this point, what's needed to help you are outputs from "postconf -nf" and "postconf -Mf" (verbatim with no changes in

Re: use of inet_protocols= option in policy maps?

2022-02-03 Thread Viktor Dukhovni
On Thu, Feb 03, 2022 at 08:48:23AM -0500, PGNet Dev wrote: > i've a relay def'd in master.cf > > relay-test unix - - n - - smtp > ... > -o > smtp_tls_policy_maps=${def_db_type}:${conf_dir}/test/relay_tls_policy You can define multiple transports, each with its own

Re: Advanced content filter with Unix sockets

2022-01-30 Thread Viktor Dukhovni
On Sun, Jan 30, 2022 at 12:28:06PM -0500, Wietse Venema wrote: > > > We could redesign the master.cf 'private' field, so that for > > > UNIX-domain sockets: > > > > > > master.cf directory mode > > > y private 0700 (no change) > > > n protected

Re: Advanced content filter with Unix sockets

2022-01-30 Thread Viktor Dukhovni
On Sun, Jan 30, 2022 at 12:14:30PM -0500, Wietse Venema wrote: > Perhaps the time has come to get away from giving non-Postfix > programs access to a directory with Postfix internal sockets. > > We could redesign the master.cf 'private' field, so that for > UNIX-domain sockets: > > master.cf

Re: Advanced content filter with Unix sockets

2022-01-30 Thread Viktor Dukhovni
On Sun, Jan 30, 2022 at 03:33:16PM +0100, Christoph Pleger wrote: > > You're mistaken. On input, Postfix provides no LMTP server, and no > > support for receiving messages from external programs via unix-domain > > sockets. > > I have the following line in master.cf: > > usmtp unix n

Re: Advanced content filter with Unix sockets

2022-01-30 Thread Viktor Dukhovni
On Sun, Jan 30, 2022 at 02:39:32PM +0100, Christoph Pleger wrote: > the advanced content filter documentation in > http://www.postfix.org/FILTER_README.html describes how an email is > passed to a content filter listening on a TCP port on localhost, but > how is the email passed if the content

Re: main.cf += support (was: Debugging import_environment)

2022-01-28 Thread Viktor Dukhovni
> On 28 Jan 2022, at 4:46 pm, raf wrote: > >> Well for things like "import_environment" or "proxy_read_maps", ... >> you really do want to know just the additions to the built-in >> defaults. > > Good point. Of course a cheap cop out to handle just these special cases is to include an

Re: main.cf += support (was: Debugging import_environment)

2022-01-28 Thread Viktor Dukhovni
> On 28 Jan 2022, at 4:05 pm, raf wrote: > > And if += is added, people will expect -= as well. > And it suddenly makes the order of parameter settings > significant. Sorry, I disagree. That has much more limited utility, but order still does not matter, because we're subtracting from the

Re: Inbound Mail Gateway Doubts

2022-01-28 Thread Viktor Dukhovni
On Fri, Jan 28, 2022 at 09:41:40AM +0100, Matus UHLAR - fantomas wrote: > the delay is not a problem for remote servers, they can wait a few minutes > without problems (rfc 5321 section 4.5.3.2.6. explains that the DATA timeout > should be 10 minutes) Sure, but there's no Internet police, and a

Re: Transport based on domain?

2022-01-27 Thread Viktor Dukhovni
On Thu, Jan 27, 2022 at 05:14:06PM -0500, Alex wrote: > I have postfix-3.5.10 configured as a multi-instance along with > amavisd for spam filtering. One of the key features of a multi-instance pipeline with separate input and output instances is that routing of messages into content filters

Re: Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab

2022-01-27 Thread Viktor Dukhovni
On Thu, Jan 27, 2022 at 02:46:04PM -0500, Viktor Dukhovni wrote: > Perhaps your Kerberos (GSSAPI via SASL?) library is ignoring environment > variables in processes that change uids (smtpd starts as root and then > drops privs). Of course that makes sense for a setuid process, but not

Re: Debugging import_environment = KRB5_KTNAME=/etc/postfix/smtp.keytab

2022-01-27 Thread Viktor Dukhovni
On Thu, Jan 27, 2022 at 02:18:23PM -0500, Brian J. Murrell wrote: > I have a Postfix postfix-3.5.8 installation on EL8 which I just > recently upgraded from 2.10.1 on EL7. > > The installation is configured to authenticate with GSSAPI and > accordingly has: > > import_environment =

Re: Inbound Mail Gateway Doubts

2022-01-27 Thread Viktor Dukhovni
On Thu, Jan 27, 2022 at 06:57:12PM +0100, Víctor Rubiella Monfort wrote: > First of all if someone can provide some links with more info about > configuration and architecture on this kind of layered approach > (GW->postfix->dovecot) I will be very grateful :D. (something more than > official

Re: Postfix "fatal: daemon initialization failure"

2022-01-26 Thread Viktor Dukhovni
On Wed, Jan 26, 2022 at 11:22:53AM -0500, Wietse Venema wrote: > Sorry, "master -w" DOES fork (it's re-implemented with clone() on LINUX). > >-w Wait in a dummy foreground process, while the real master daemon > initializes in a background process. The dummy foreground >

Re: Postfix "fatal: daemon initialization failure"

2022-01-26 Thread Viktor Dukhovni
> On 26 Jan 2022, at 10:43 am, Laura Smith > wrote: > > On stdout I get a few lines of : > strace: decode_nlattr: [xlat 0x, dflt "AF_???", decoders 0x] size is > zero (going to pass nla_type as decoder argument), but opaque data (0x) > is not - will be ignored > > "fgrep fork

Re: DANE but DNS Provider don't support this

2022-01-25 Thread Viktor Dukhovni
On Tue, Jan 25, 2022 at 04:58:49PM +, Antonio Leding wrote: > When you say “operate my own DNS”, do you mean your own DNS servers > at your location or maybe you manage your own zones via a DNS provider, > ISP, etc.? Or perhaps some other model of which I am not aware? Zone data, DNSSEC

Re: DANE but DNS Provider don't support this

2022-01-24 Thread Viktor Dukhovni
On Mon, Jan 24, 2022 at 10:29:26PM +0100, Maurizio Caloro wrote: > > If your provider supports neither "TLSA" records, nor the generic > > (unknown type) encoding, switch to a more competent DNS provider. > > please, how did you solve this, also with an external provider, or running > this task

Re: [Announcement] First public release of PostQF

2022-01-23 Thread Viktor Dukhovni
> "Why not use jq?" I hear you ask. While jq is undoubtedly powerful and > can handle pretty much any JSON data thrown at it, I found jq's syntax > rather cumbersome. PostQF is specifically designed to make filtering > Postfix queue data both easier and quicker, by means of simple command > line

Re: no TLSA records found?

2022-01-23 Thread Viktor Dukhovni
On Sun, Jan 23, 2022 at 10:44:23PM +0100, Joachim Lindenberg wrote: > Thanks a lot! That´s the root cause. I added the CNAME to get LE to > verify the certificate shared by the MX addresses - and I prefer > CNAMEs to avoid double maintenance. I now exchanged CNAME with A and > it worked (or

Re: DANE but DNS Provider don't support this

2022-01-23 Thread Viktor Dukhovni
On Sun, Jan 23, 2022 at 10:06:38PM +0100, Maurizio Caloro wrote: > In the mean time installed DANE on local machine, but my DNS-Provider > don't support this feature? If your domain is hosted by a "managed DNS" provider, with some sort of web API for adding records, and there is no interface for

Re: no TLSA records found?

2022-01-23 Thread Viktor Dukhovni
On Sun, Jan 23, 2022 at 10:13:17PM +0100, Joachim Lindenberg wrote: > I am really wondering why it works for one domain and doesn´t for mine. See: https://dnsviz.net/d/et.lindenberg.one/dnssec/ It appears that "et.lindenberg.one" is a CNAME for "io.lindenberg.one", and it is not valid to have

Re: no TLSA records found?

2022-01-23 Thread Viktor Dukhovni
On Sun, Jan 23, 2022 at 06:48:50PM +0100, Joachim Lindenberg wrote: > To the best of my knowledge I added syntactically correct TLSAs > indirectly via CNAMEs except for mx01.et.lindenberg.one, and the > validator at >

Re: postfix and submission and amavis

2022-01-22 Thread Viktor Dukhovni
On Sun, Jan 23, 2022 at 01:48:05PM +1100, raf wrote: > If your cleanup_submission service is managed outside > of Postfix somehow by something that creates a socket > in /var/spool/postfix/public/cleanup_submission, > perhaps it isn't functioning. There is no mechanism for running cleanup(8)

Re: Relaying using certificate authentication?

2022-01-22 Thread Viktor Dukhovni
On Sat, Jan 22, 2022 at 09:58:58PM -0500, Alex wrote: > I have a postfix-3.5.10 server on fedora35 and would like to > experiment with relaying outbound mail from my Microsoft 365 test > server through my postfix server to the recipient's final destination > using certificates as a way to

Re: postfix and submission and amavis

2022-01-22 Thread Viktor Dukhovni
On Sat, Jan 22, 2022 at 04:18:27PM -0800, Noah wrote: > Jan 23 00:08:12 localhost postfix/smtpd[18628]: warning: connect #1 to > subsystem public/cleanup_submission: No such file or directory You've configured an instance of smtpd(8) to use a "cleanup_submission" service instead of the stock

Re: SASL questions

2022-01-22 Thread Viktor Dukhovni
On Sat, Jan 22, 2022 at 05:56:31PM -0500, Joe Acquisto-j4 wrote: > >> > noauth unix - - n - - smtp > >> > -o smtp_sasl_enable=no > >> > -o smtp_sender_dependent_authentication=no > >> > -o smtp_sasl_password_maps= > >> > >> My

Re: SASL questions

2022-01-22 Thread Viktor Dukhovni
On Sat, Jan 22, 2022 at 05:11:02PM -0500, Joe Acquisto-j4 wrote: > > Therefore your master.cf file needs to have at least one additional > > smtp-based transport, with either SASL disabled entirely, and/or > > sender-dependent authentication disabled, or perhaps a variant > > password table...

Re: SASL questions

2022-01-22 Thread Viktor Dukhovni
On Sat, Jan 22, 2022 at 02:03:29PM -0500, Joe Acquisto-j4 wrote: > > IIRC Wietse already suggested a work-around, by making the > > sender-dependent authentication settings be transport-specific. > > > > In particular the internal nexthop that does not do SASL should be > > handled by a

Re: SASL questions

2022-01-21 Thread Viktor Dukhovni
On Sat, Jan 22, 2022 at 08:01:27AM +1100, raf wrote: > > It is an issue with email that postfix has received, via fetchmail, and is > > attempting to deliver to another system. Authentication is being > > attempted, without it being required or requested, at least as far as I can > > tell. >

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 05:07:38PM -0500, Wayne Spivak wrote: > That was the solution for TLS failing when I start postfix: > > perl -lne print file1 file2 file3 And now your server has the intermediate issuer in its chain, and verification works: posttls-finger:

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 04:47:55PM -0500, Wayne Spivak wrote: > >My file looks like > > -BEGIN PRIVATE KEY- > ... base64 data ... > -END PRIVATE KEY- > -BEGIN CERTIFICATE- > ... base64 data ... > -END CERTIFICATE--BEGIN CERTIFICATE- (THIS IS HOW

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 04:40:29PM -0500, Wayne Spivak wrote: > I am creating the file by using cat file1 file2 file3 > ws.pem (which > is my test combo file) Does the last "line" of each of the files end in a newline character? A missing newline at the end of file1 or file2 will corrupt the

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 04:21:13PM -0500, PGNet Dev wrote: > following along & just curious, i checked a postfix 3.6.3 here that's using > LetsEncrypt certs, where conf includes > > smtpd_tls_cert_file = /usr/local/etc/postfix/sec/fullchain.rsa.crt.pem > smtpd_tls_eccert_file =

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 04:23:58PM -0500, Wayne Spivak wrote: > This is with the new combo certificate > > Mail log: > Jan 19 14:52:55 mcq postfix/smtpd[156224]: warning: TLS library problem: > error:0908F066:PEM routines:get_header_and_data:bad end > line:crypto/pem/pem_lib.c:856: > Jan 19

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 03:22:36PM -0500, Wayne Spivak wrote: > I set the server back, because otherwise my email wasn't working properly. And for some reason decided to not explain (show logs, ...) of what "not working properly" means. :-( Crystal ball very cloudy on my end... >

Re: Routing Gmail/Workspace mail through postfix first

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 08:23:45AM -0500, Alex wrote: > I'm using postfix-3.5.10 and would like to use it to front-end a > domain currently being managed by Google Workspace to be able to send > mail through our filters first. I take it this means *inbound* mail sent from outside users to your

Re: Doing something wrong.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 03:07:29PM -0500, Wayne Spivak wrote: > Still not working... That's not particularly illuminating. You'll need to reply with "postconf -nf" and "postconf -Mf" output (inserted verbatim without any changes in linebreaks or other whitespace). Also with the output of

Re: TLS returning self-signed cert

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 01:37:59PM -0500, Wayne Spivak wrote: > Thank you Victor. > > I will update the CAFile and report back. Updating the CAfile probably won't help you. You need to append the intermediate certificates in question to the server certificate file. -- Viktor.

Re: Appreciate some help in understanding a connection refused situation.

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 01:13:56PM -0500, James B. Byrne wrote: > Jan 19 12:49:29 mx31 postfix/smtp[81175]: 14FDA745F9: > to=, relay=none, delay=2877, > delays=2877/0.02/0.13/0, dsn=4.4.1, status=deferred (connect to > alt4.gmail-smtp-in.l.google.com[66.102.1.27]:25: Connection refused) Note

Re: TLS returning self-signed cert

2022-01-19 Thread Viktor Dukhovni
On Wed, Jan 19, 2022 at 01:09:09PM -0500, Wayne Spivak wrote: > This from SSL Labs states "self-signed": Their report is misleading. > 1 Sent by server mcq.sbanetweb.com > Fingerprint SHA256: > 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe > Pin SHA256:

Re: How to filter email (DKIM) without keeping the message in memory and without writing it to disc twice?

2022-01-15 Thread Viktor Dukhovni
On Sat, Jan 15, 2022 at 08:01:05PM +0100, Robert Siemer wrote: > I need to DKIM sign possibly huge emails (up to 150MB). No worries, you can do this with a milter, without storing an extra copy of the complete message. > Conceptually DKIM needs to go over the email twice: once to calculate >

Re: master_wakeup_timer_event

2022-01-14 Thread Viktor Dukhovni
On Fri, Jan 14, 2022 at 12:48:10PM +0100, natan wrote: > Jan 14 12:34:25 thebe postfix/master[4925]: warning: > master_wakeup_timer_event: service qmgr(public/qmgr): Resource > temporarily unavailable > Jan 14 12:39:25 thebe postfix/master[4925]: warning: > master_wakeup_timer_event: service

Re: Virtual users with postfix and dovecot

2022-01-11 Thread Viktor Dukhovni
On Wed, Jan 12, 2022 at 05:03:35PM +1100, Phil Biggs wrote: > Yes, I did have the content of two files mixed up. Apologies for that. > > vmailbox contains: > @pjb.cc all You can leave $virtual_mailbox_maps empty, since your virtual_alias_maps table suffices for recipient validation. But you

Re: Virtual users with postfix and dovecot

2022-01-11 Thread Viktor Dukhovni
On Wed, Jan 12, 2022 at 04:51:41PM +1100, raf wrote: > The other main difference is that I have the large number of address > in /etc/postfix/virtual pointing to a small number of entries in > /etc/postfix/virtual_mailbox_maps. So the addresses go in virtual, and > the accounts go in vmailbox.

Re: Virtual users with postfix and dovecot

2022-01-11 Thread Viktor Dukhovni
On Wed, Jan 12, 2022 at 11:09:02AM +1100, Phil Biggs wrote: > Here's what I have so far. > > main.cf includes: > > # Route inbound for valid recipients to dovecot > virtual_transport = lmtp:unix:/var/spool/postfix/private/dovecot-lmtp > virtual_mailbox_maps =

Re: TLS ciphers

2022-01-10 Thread Viktor Dukhovni
On Mon, Jan 10, 2022 at 07:15:46PM -0500, Alex wrote: > > The vulnerabilities I am aware of that justify sticking to v1.2/3 in > > web, IMAP, and database servers are not viable against SMTP because of > > the brief, non-repetitive, and largely unpredictable nature of the TLS > > sessions used by

Re: TLS ciphers

2022-01-10 Thread Viktor Dukhovni
On Mon, Jan 10, 2022 at 11:17:12AM -0500, Alex wrote: > > NULL ciphers (no encryption) not offered (OK) > Anonymous NULL Ciphers (no authentication)offered (NOT ok) In addition to the text in TLS_README, see:

Re: multi instance and always_bcc

2022-01-10 Thread Viktor Dukhovni
> On 11 Jan 2022, at 3:43 am, Wietse Venema wrote: > > Recipients added with always_bcc, xxx_bcc_maps, etc., are treated > just like any other recipients. All recipients are subject to > content_filter, relayhost, etc. Fortunately, they're also subject to transport table lookups, so it is

Re: Default TLS protocols

2022-01-10 Thread Viktor Dukhovni
On Mon, Jan 10, 2022 at 12:50:49PM +0100, Kveta Kladov wrote: > RFC 8996 deprecated TLS 1.0 and TLS 1.1 . > > Would you consider to update default values for > > smtp_tls_mandatory_protocols > smtp_tls_protocols, > smtpd_tls_mandatory_protocols > smtpd_tls_protocols > > so that TLS 1.0 and

Re: TLS enforcement options?

2022-01-10 Thread Viktor Dukhovni
On Mon, Jan 10, 2022 at 12:54:46PM +0100, Joachim Lindenberg wrote: > German data protection authorities level define kind of four > compliance levels for email encryption > > 0 - no encryption and thus definitely illegal > 1 - encryption (not clearly specified whether certs need to be

Re: TLS enforcement options?

2022-01-10 Thread Viktor Dukhovni
On Mon, Jan 10, 2022 at 09:35:49AM +0100, Joachim Lindenberg wrote: > You could as well just turn off encryption. If you don´t care to whom > you disclose information, why not allow anyone to read it? https://datatracker.ietf.org/doc/html/rfc7435

Re: TLS enforcement options?

2022-01-10 Thread Viktor Dukhovni
> On 10 Jan 2022, at 10:07 pm, Joachim Lindenberg > wrote: > > thanks for the insights. Based on my experience, the mail domain is almost > never in the SANs of a certificate, not even with self-hosted domains like > mine. In other words, secure is likely to cause a lot more manual >

Re: TLS enforcement options?

2022-01-09 Thread Viktor Dukhovni
On Sun, Jan 09, 2022 at 10:22:36PM +0100, Joachim Lindenberg wrote: > I configured my Email server (actually a mailcow-dockerized which in > turn uses postfix) to enforce TLS for outbound mail. Obviously that > will fail occasionally, but I also have a daemon watching the postfix > queue and

Re: smtp_tls_security_level for mandatory TLS and optional DANE

2022-01-08 Thread Viktor Dukhovni
On Sat, Jan 08, 2022 at 12:00:45PM +1100, raf wrote: > When reading the documentation on smtp_tls_security_level, I thought > dane-falling-back-to-encrypt seemed to be a missing option. But I > thought it would never be used as a default, and for any non-default > specific remote server, you're

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread Viktor Dukhovni
On Sat, Jan 08, 2022 at 01:05:41PM +1100, raf wrote: > Probably no real harm done. OCSP stapling is just a way to make it > more private and more efficient for a web browser to verify that a > website's certificate hasn't been revoked, by providing that > information in-band, so the browser

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread Viktor Dukhovni
On Fri, Jan 07, 2022 at 06:17:45PM -0500, PGNet Dev wrote: > > Absent DANE, this is all security theatre. > > yup. which is why i'm doing the step1 cleanups etc to get my own > mistakes out of the way ... on the way to DNSSEC/DANE. Be sure to do it right, or not at all. It does nobody a

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread Viktor Dukhovni
On Fri, Jan 07, 2022 at 05:47:55PM -0500, PGNet Dev wrote: > > Postfix has no CRL or OCSP support, and none is planned. > > other than reporting the bad result, does the current (bad) config > cause any actual mail delivery breakage? It could, if the sending MTA implements OCSP and honours the

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread Viktor Dukhovni
On Fri, Jan 07, 2022 at 08:33:52AM -0500, PGNet Dev wrote: >Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems > to be rotated < daily Keys are rotated as soon as possible, which is 2 * active lifetime. Initially the key is used to encrypt new tickets, later it is

Re: smtp_tls_security_level for mandatory TLS and optional DANE

2022-01-07 Thread Viktor Dukhovni
On Fri, Jan 07, 2022 at 11:34:32AM +0100, Charlotte 劣 Delenk wrote: > I was trying to harden my postfix configuration and was looking into > making TLS mandatory, as well as verifying the TLS Certificate using > DANE wherever possible. TLS mandatory for delivery to the world at large? Or is

Microsoft's DANE rollout for Exchange Online

2022-01-06 Thread Viktor Dukhovni
Starting this month through May 2022, Microsoft will incrementally roll out outbound DANE support (*enabled by default*) for all hosted Exchange Online domains: https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dnssec-in-microsoft-365-exchange-online/ > As

Re: https://www.postfix.org/ in trouble

2022-01-06 Thread Viktor Dukhovni
On Thu, Jan 06, 2022 at 10:34:19PM -0300, Nilo César Teixeira wrote: > First message on this group, thanks for all good advice so far. > > Regarding https, why not host Postfix website here: > https://pages.github.com/ ? The hosting arrangements for Postfix.org don't currently include HTTPS

Re: Adding Additional domains and outgoing email

2022-01-06 Thread Viktor Dukhovni
On Fri, Jan 07, 2022 at 12:23:16PM +1100, raf wrote: > > I don't think that requiring client certs is a best practice. It > > precludes concurrent use of alternative authentication methods. Just > > asking is generally enough > > Thanks. But even so, it should probably still only be > a -o

Re: postconf -d smtpd_relay_restrictions

2022-01-06 Thread Viktor Dukhovni
On Thu, Jan 06, 2022 at 08:13:11AM -0500, Jim Popovitch wrote: > Setting compatibility_level=2 doesn't reproduce the error message. As expected. > Removing the compatibility_level entirely does reintroduce the error > message (once per every inbound connection): Well, the default compatibility

Re: No delivery delay notification for particular recipients?

2022-01-06 Thread Viktor Dukhovni
On Thu, Jan 06, 2022 at 01:08:33PM +0100, tobs...@brain-force.ch wrote: > Is somehow possible to use other delay notification settings for a > particular recipient address? No, this is a message-level property, same for all delayed recipients of the message. > My global setting is 30min which

Re: postconf -d smtpd_relay_restrictions

2022-01-06 Thread Viktor Dukhovni
> On 6 Jan 2022, at 9:26 pm, John Fawcett wrote: > > I'd be very surprised to find that changing the compatibility_level from 2 to > 3.6, with a default setting for smtpd_relay_restrictions in version 3.6.3 > would resolve the fatal error "in parameter smtpd_relay_restrictions or >

Re: Adding Additional domains and outgoing email

2022-01-05 Thread Viktor Dukhovni
On Thu, Jan 06, 2022 at 02:09:45PM +1100, raf wrote: > > is on - so it is asking for client certificates? > > But that is really not authentication, if I understand things. > > It's asking for them (from all clients, even for remote > mail servers sending you mail which isn't helpful), but > it's

Re: Adding Additional domains and outgoing email

2022-01-05 Thread Viktor Dukhovni
On Wed, Jan 05, 2022 at 04:10:26AM -0500, Ruben Safir wrote: > queue_directory = /var/spool/postfix > smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache > smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache This is a mistake, these files don't belong

Re: Fatal: no SASL authentication mechanisms

2022-01-04 Thread Viktor Dukhovni
On Tue, Jan 04, 2022 at 09:57:55PM -0500, Ken Wright wrote: > > Is "Dovecot" configured to create the /var/spool/postfix/private/auth > > socket?  Did that happen?  Is "Dovecot" willing to support the > > expected SASL mechanisms (typically "PLAIN")? > > > > I have: > > > >     service auth { >

Re: Fatal: no SASL authentication mechanisms

2022-01-04 Thread Viktor Dukhovni
On Tue, Jan 04, 2022 at 09:14:45PM -0500, Ken Wright wrote: > > > Jan  4 19:08:47 grace postfix/smtps/smtpd[17286]: fatal: no SASL > > > authentication mechanisms > > > > The selected SASL backend (Cyrus or Dovecot) is not configured to > > support any usable SASL mechanisms. > >

Re: Fatal: no SASL authentication mechanisms

2022-01-04 Thread Viktor Dukhovni
On Tue, Jan 04, 2022 at 07:20:43PM -0500, Ken Wright wrote: > My Postfix woes continue. Now I'm getting this error message: > > Jan 4 19:08:47 grace postfix/smtps/smtpd[17286]: fatal: no SASL > authentication mechanisms The selected SASL backend (Cyrus or Dovecot) is not configured to support

Re: SMTP over IPv6

2022-01-04 Thread Viktor Dukhovni
On Mon, Jan 03, 2022 at 10:39:49PM -0500, post...@ptld.com wrote: >smtp_bind_address6 = [] > > If I remove the [ ] around the IPv6 the error goes away. The manual > says [ ] is supported. Is my version too old? I'm okay with not > using [ ]. Indeed the implementation does not match the

Re: Mail system is down

2022-01-03 Thread Viktor Dukhovni
On Mon, Jan 03, 2022 at 08:02:20PM -0500, Ken Wright wrote: > $ sudo chmod g+s /usr/sbin/postdrop > $ ls -la /usr/sbin/postdrop > -r-xr-sr-x 1 postfix postdrop 22808 Sep 7 02:58 /usr/sbin/postdrop > > Wietse, is this what's expected? The expected permissions are recorded in the

Re: "ignoring DNS RR:" for only google.com MX ?

2022-01-03 Thread Viktor Dukhovni
On Mon, Jan 03, 2022 at 12:32:03PM -0500, Wietse Venema wrote: > > offhand, is that generally needed/beneficial for google.com MXs? > > I don't know, does anyone want to be the guinea pig and discover > if they still randomly bounce email over IPv6? Last I heard the Google MX host policy is not

Re: Some DNSSEC/DANE questions

2022-01-03 Thread Viktor Dukhovni
On Mon, Jan 03, 2022 at 09:47:44AM -0800, Dan Mahoney wrote: > Also...the server I'm sending to has a legit signed cert that matches > its hostname, so the message I get is: > > Trusted TLS connection established to prime.gushi.org[149.20.68.142]:25: > TLSv1.2 with cipher

Re: https://www.postfix.org/ in trouble

2022-01-03 Thread Viktor Dukhovni
On Mon, Jan 03, 2022 at 03:19:36PM +0100, Jaap van Wingerde wrote: > > try plaintext http: http://www.postfix.org/ currently works for me. > > Firefox (with 'only-https' off, still redirects to https). Then you've failed to completely turn off 'only-https'. The pages at

Re: Some DNSSEC/DANE questions

2022-01-03 Thread Viktor Dukhovni
On Mon, Jan 03, 2022 at 05:49:05AM -0800, Dan Mahoney (Gushi) wrote: > We run validating resolvers at the day job, but by default not on the box > where postfix runs. (I.e. we rely on the AD bit). "Relying on the AD bit" is independent of whether the validating resolver is local or remote.

Re: After network outage postfix found not running

2021-12-23 Thread Viktor Dukhovni
Could a watchdog timer have killed master(8) if it were suspended long enough? > On 23 Dec 2021, at 1:57 pm, Wietse Venema wrote: > >> My intuition is that either some timeout somewhere got hit, or that >> some I/O failed (rather than being queued forever) and caused an error >> paging in some

Re: recipient_bcc_maps using mysql

2021-12-13 Thread Viktor Dukhovni
On Mon, Dec 13, 2021 at 09:42:41AM -0800, Fred Morris wrote: > http://www.postfix.org/MYSQL_README.html For general background. For table syntax: http://www.postfix.org/mysql_table.5.html -- Viktor.

Re: Are large alias files a problem?

2021-12-06 Thread Viktor Dukhovni
> On 6 Dec 2021, at 6:05 pm, John Levine wrote: > > This is the IETF's forwarding addresses for works that are or were > (hence the large number) in progress. Each entry has as many targets > as the draft has authors so it's rarely more than 2 or 3. You will not face any meaningful limits with

Re: Newbie question - main.cf.proto

2021-12-06 Thread Viktor Dukhovni
On Mon, Dec 06, 2021 at 03:18:11PM -0500, Herndon Elliott wrote: > I am just getting started with trying to install postfix and get it running > on a single Ubuntu 18.04 server. The documentation talks at length about > changes to be made in "/etc/postfix/main.cf" file, but there is no such >

Re: Are large alias files a problem?

2021-12-06 Thread Viktor Dukhovni
On Mon, Dec 06, 2021 at 02:29:18PM -0500, John Levine wrote: > For an application I'm working on, we need to set up about 50,000 forwarding > addresses. I take this to be 50k *LHS* addresses. That is 50k input addresses each get forwarded to corresponding output addresses. > If we just put

Re: Can case-folding for lookup tables be disabled?

2021-11-21 Thread Viktor Dukhovni
On Sun, Nov 21, 2021 at 01:42:49PM -0800, Mel Pilgrim wrote: > > But at this point it is unclear who's relying on the current behaviour, > > so changing LDAP to not case by default does not seem like a safe > > choice. It would be easy to customise just the LDAP driver to > > take an extra named

Re: Can case-folding for lookup tables be disabled?

2021-11-20 Thread Viktor Dukhovni
On Sat, Nov 20, 2021 at 07:37:56PM -0800, Mel Pilgrim wrote: > I need Postfix to be case-preserving. Postfix does not change the case of recipient addresses unless you rewrite them (virtual(5) or local aliases). Earlier you said you want case-sensitive map lookups (preserve case of table lookup

Re: Can case-folding for lookup tables be disabled?

2021-11-20 Thread Viktor Dukhovni
On Sat, Nov 20, 2021 at 11:05:25AM -0500, Wietse Venema wrote: > - If you must use other tables, update src/util/dict.h > > #define DICT_FLAG_FOLD_FIX (0) /* case-fold key with fixed-case map */ > #define DICT_FLAG_FOLD_MUL (0) /* case-fold key with fixed-case map */ > > This will

Re: Can case-folding for lookup tables be disabled?

2021-11-19 Thread Viktor Dukhovni
On Fri, Nov 19, 2021 at 05:07:21PM -0800, Mel Pilgrim wrote: > I read in transport(5), virtual(5), et al that Postfix will case-fold > query strings, but for one specific project I need it to not do that. > Are there any tunables for this? I didn't see anything in postconf -d > output that

Re: Sender Rewriting Scheme and backup MX

2021-11-18 Thread Viktor Dukhovni
> On 18 Nov 2021, at 12:28 pm, Togan Muftuoglu wrote: > > Thanks for the clarification. One more thing having the backup MX listed in > the SPF records of the domain and opendkim signing the relayed mails does not > break the validations in the primary MX when it receives mail from the backup, >

Re: dnssec DS set, but no RRSIG

2021-11-15 Thread Viktor Dukhovni
On Mon, Nov 15, 2021 at 11:58:02AM +0800, Philip Paeps wrote: > On 2021-11-15 11:36:00 (+0800), Benny Pedersen wrote: > > plantmarknaden.com > > > > https://dane.sys4.de/smtp/plantmarknaden.com > > https://dnsviz.net/d/plantmarknaden.com/dnssec/ > > > > why different results ? > > I don't see

Re: Postfix unable to locate opendmarc.sock file

2021-11-12 Thread Viktor Dukhovni
> On 12 Nov 2021, at 8:00 pm, post...@ptld.com wrote: > > While it will technically work, I believe it is bad practice and sockets > should be under the /run/ directory. I'm not 100% on this but I think running > it under /var/spool/ uses the hard drive while under /run/ it's a ram-drive > only

Re: Various questions about Postfix

2021-11-12 Thread Viktor Dukhovni
On Fri, Nov 12, 2021 at 03:47:22PM -0600, Tyler Montney wrote: > In my effort to be a little less flexible (to get more encryption), it > seems I'll do the opposite. I'll change that. Speaking of which... > > smtp_tls_mandatory_protocols Applies when sending mail to destinations for which TLS

Re: How to reject generic FCrDNS clients

2021-11-11 Thread Viktor Dukhovni
On Thu, Nov 11, 2021 at 08:53:01PM +0100, Togan Muftuoglu wrote: > Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused" > > Matus> (trailing . should avoid matching IP Addresses) That "." would need to be a "[.]" (or "\."), otherwise it'll match the last digit of a 2 or 3

Re: Postfix spawn

2021-11-08 Thread Viktor Dukhovni
On Mon, Nov 08, 2021 at 02:32:58PM -0300, Rafael Azevedo wrote: > We're testing a custom filter for PHP using spawn services. Make sure your script loops reading multiple requests until it sees a connection close from the client (smtpd(8)). Reading just one request and exiting can lead to

Re: recipient_delimiter and bounced mail

2021-11-07 Thread Viktor Dukhovni
On Sun, Nov 07, 2021 at 09:51:09PM +0100, Jeff Abrahamson wrote: > > j...@p27.eu j...@p27.eu > > I added it to virtual, where it did not exist. > > > and make sure to remove (not include) "virtual" in: > > > > propagate_unmatched_extensions = canonical > > > > the default setting

Re: delete from hold queue

2021-11-07 Thread Viktor Dukhovni
On Sun, Nov 07, 2021 at 04:39:34PM -0300, Rafael Azevedo wrote: > This is the kind of knowledge that comes from Mars... The `jq` interpreter is a rather handy tool. It is worth learning if you spend enough time working with JSON data. No Martian passport required, just enough incentive and

Re: Postfix-fg and maillog_file to stdout

2021-11-07 Thread Viktor Dukhovni
to temporarily disable AppArmor. And you've already demonstrated that you know to turn chroot on/off in master.cf. I merely asked that you report results of tests with ideally all 8 of the below combinations of settings: > On Sat, 6 Nov 2021 at 12:28, Viktor Dukhovni > wrote: > >

Re: recipient_delimiter and bounced mail

2021-11-06 Thread Viktor Dukhovni
> On 6 Nov 2021, at 3:43 pm, Jeff Abrahamson wrote: > > In main.cf I have set > > recipient_delimiter = + > > Reading the docs, I don't see anything else I ought to set for this to > work: postfix should first try delivery to jeff+post...@p27.eu, then > j...@p27.eu, and this second is
