Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 05:04:24PM +, bitozoid wrote: > > It can also contain intermediate CA certificates. Storing non-root CAs > > carries a risk that they may expire before you remove them, and then > > they may take precedence over non-expired intermediate CA certs that the > > remote

Re: Possible to "import" a file into postfix queue?

2021-02-11 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 07:49:30AM -0500, Wietse Venema wrote: > > So we thought it could be possible to somehow "import" such an affected > > message directly into postfix queue to leave out swaks which may fix > > something in the message. Is there such a postfix command to "import" a > > file

Re: double-bounce check applied to itself

2021-02-11 Thread Viktor Dukhovni
> On Feb 11, 2021, at 6:29 PM, Eugene Podshivalov wrote: > > Assume reject_unverified_sender is set and an email is sent > From:u...@mydomain.com. This is an smtpd(8)/access(5) feature, and so only applies when email is received via SMTP and the restriction in question is applied to the

Re: smtpd_relay_restrictions and smtpd_recipient_restrictions evaluation order

2021-02-11 Thread Viktor Dukhovni
> On Feb 11, 2021, at 12:39 PM, Damian wrote: > > postconf(5) states that smtpd_relay_restrictions apply before > smtpd_recipient_restrictions. This seems incorrect since > postfix-3.3-20180106.

Re: smtp_tls_CAfile and smtp_tls_CApath doc

2021-02-11 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote: > As of today, doc says for 'smtp_tls_CAfile': > > "A file containing CA certificates of root CAs trusted to sign either > remote SMTP server certificates or intermediate CA certificates." It can also contain intermediate CA

Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
> On Feb 10, 2021, at 9:38 PM, Eugene Podshivalov wrote: > > Are there any wise cases for a legitimate client to provide a valid ehlo > hostname (which maps to some address) but that address will differ from > the address it connects from? I don't know about "wise", but this is not uncommon.

Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 12:15:32AM +0300, Eugene Podshivalov wrote: > > Viktor Dukhovni: > > Postfix can check that the EHLO name resolves to some IP address. > > Then what is the sense of doing this if the name can be whoever else's name? Spam bots are sloppy, and typically d

Re: HELO and nothing else

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 01:20:30PM -0800, Ron Garret wrote: > I am working on a spam filter and so I find myself spending a lot more > quality time with mail logs than I used to. One of the things I have > noticed is that I will get a lot of connections that send a HELO > command and then

Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 09:05:03PM +, Chris Green wrote: > OK, but every system I know about has hostname as just the hostname > with no domain. Only because you configured it that way, perhaps via an "installer" that made that default choice for you, but all these systems allow you to

Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 11:59:39PM +0300, Eugene Podshivalov wrote: > > Viktor Dukhovni: > > The actual expectation is that the EHLO name is a valid DNS hostname, > > and should resolve to the IP address of the client. > > Postfix does not seem to be able to check

Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 01:20:23PM -0700, Bob Proulx wrote: > Eugene Podshivalov wrote: > > I've just received a spam email from a client who presented itself as > > emx.mail.ru but its ip 117.30.137.22 resolves to > > 22.137.30.117.broad.xm.fj.dynamic.163data.com.cn > > > > Are reverse client

Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 05:41:49PM +, Chris Green wrote: > OK, what I want to do is as follows:- > > I have several headless machines which need to be able to send error > and other messages to me ch...@isbd.co.uk. Directly to that address, or indirectly by sending mail to various local

Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 05:14:57PM +, Chris Green wrote: > What exactly do you mean by "... have fully-qualified hostnames?". This means that the raw system hostname reported via `uname -n` or `hostname` commands (really the underlying system calls) is an FQDN. > I know what you mean by

Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 05:05:52PM +, Chris Green wrote: > So I have the FQDN everywhere:- > > chris@isbdGandi$ hostname > isbdGandi.isbd.uk > > ... and now postfix sends cron mail *to* ch...@isbd.uk as well as from > ch...@isbd.uk which doesn't help at all! I have an entry for

Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 03:01:44PM +, Chris Green wrote: > Local hostname doesn't have FQDN by default though:- > > chris@isbdGandi$ hostname > isbdGandi > chris@isbdGandi$ hostname -f > isbdGandi.isbd.uk > > > Do your OS instances have their hostnames? > > See above. The

Re: User script for modifying main.cf and other config files

2021-02-08 Thread Viktor Dukhovni
On Mon, Feb 08, 2021 at 03:47:27PM -0500, Alex wrote: > I still have to consider much of what you've written before I can > respond, but I wanted to be sure my design was clear here - it's not > so much that end-users are modifying the config in the same way as > webmin does, like making changes

Re: Mail from @somedomain.tld allowed only from some CIDR ranges?

2021-02-07 Thread Viktor Dukhovni
On Sun, Feb 07, 2021 at 05:33:10PM +0100, Marek Kozlowski wrote: > Presumably it's my fault but I cannot find such an option. If so - thank > you for directing me to it. I'm wondering if it possible to limit > incoming mail with '...@somedomain.tld' specified as a sender address*) > to IPs

Re: TCP wrappers and Postfix

2021-02-07 Thread Viktor Dukhovni
On Mon, Feb 08, 2021 at 02:17:46AM +0300, Eugene Podshivalov wrote: > Are there any reasons not to have Postfix compiled with TCP wrappers? Because that would likely be entirely redundant. Postfix already has IP-based access controls (local tables, RBL lookups, postscreen(8), ... and can also

Re: User script for modifying main.cf and other config files

2021-02-07 Thread Viktor Dukhovni
On Sun, Feb 07, 2021 at 03:26:29PM -0500, Alex wrote: > > Quoting Zathros, "Cannot say. Saying, I would know. Do not know, so > > cannot say." It all depends upon your use of sudo. One can't say it > > won't be secure. The devil is in the details. > > I figured that if main.cf was owned by

Re: TLS is required, but was not offered

2021-02-07 Thread Viktor Dukhovni
On Sun, Feb 07, 2021 at 11:09:42AM +0300, OzyMate wrote: > If I change smtp_tls_security_level = encrypt with > smtplmtp_tls_security_level =encrypt, all seem working. You completely ignored the bulk of my reply, and just fudged something random. :-( 0. An apparently working configuration

Re: TLS is required, but was not offered

2021-02-06 Thread Viktor Dukhovni
On Sat, Feb 06, 2021 at 12:05:44PM +0100, OzyMate wrote: > I am trying to setup my postfix (on CentOS 8) to work with Amazon SES as > SMTP relay host. Will this be a relay for *all* or just some outbound email? I'll assume *all* for now. > Amazon SES requires: > > relayhost =

Re: Accessing local recipient from within an smtpd policy server: how?

2021-02-05 Thread Viktor Dukhovni
On Fri, Feb 05, 2021 at 04:45:10PM -0500, Wietse Venema wrote: > > If recipient address rewriting is on input (virtual alias maps rather > > than on output (as with local(8) .forward, or local aliases(5)), then > > one way is perhaps with recipient_address_verification probes and a > > transport

Re: LDAP map: %S doesn't preserve case

2021-02-05 Thread Viktor Dukhovni
On Fri, Feb 05, 2021 at 02:37:18PM -0500, Wietse Venema wrote: > > The feature to conditionally suppress case folding for some LDAP maps > > has not been implemented. Care to contribute a patch? > > > > src/global/dict_ldap.c > > Should not this be controlled one level up, in the

Re: Accessing local recipient from within an smtpd policy server: how?

2021-02-05 Thread Viktor Dukhovni
On Fri, Feb 05, 2021 at 02:58:09PM -0500, Wietse Venema wrote: > For quota control, it is necessary to know EXACTLY what local user(s) > will receive the email. That means EXACTLY processing canonical_maps, > virtual_alias_maps, alias_maps and $HOME/.forward. > > So how would you propose for

Re: LDAP map: %S doesn't preserve case

2021-02-05 Thread Viktor Dukhovni
On Fri, Feb 05, 2021 at 07:47:46PM +0100, Benoit Branciard wrote: > Le 05/02/2021 à 16:53, Wietse Venema a écrit : > > > > All Postfix table-driven mechanisms will case-fold the search key > > except when they use pcre, regexp, or tcp_table. > > This sounds like an acceptable choice for

Re: virtual-mailbox-users confusion

2021-02-04 Thread Viktor Dukhovni
On Thu, Feb 04, 2021 at 02:39:06PM +0100, Jeff Abrahamson wrote: > I have a small site (virtual users and dovecot for delivery) that > handles mail for several domains: example.com, example.de, example.fr. > The "real" addresses are at example.fr, so I've done the following: In that case the

Re: Error checking for extra bars

2021-02-03 Thread Viktor Dukhovni
On Wed, Feb 03, 2021 at 09:49:50AM +, Linkcheck wrote: > /trap this|/ > /|trap this/ > /trap||this/ > > Is there a Lint tool that can check for this or be adapted easily? Or > perhaps a different method? You can stage the PCRE tables from intended source tables to target tables via "make"

Re: Corner cases in SSL_shutdown.

2021-02-03 Thread Viktor Dukhovni
> On Feb 3, 2021, at 2:34 PM, @lbutlr wrote: > >> However, in my role as an admin, you just gave me excellent >> justification to never run Postfix. > > If you think that is a reason to not run Postfix then you can't run SMTP at > all. > > You do not get to redefine standards just on your

Re: Postfix advice requested

2021-02-02 Thread Viktor Dukhovni
On Wed, Feb 03, 2021 at 03:33:01PM +1100, Mike Guelfi wrote: > > This is an easy question, that I was hoping someone else would field for > > a change. > > > > 1. Rewriting via virtual(5) is recursive, with recursion stopping > >either when there's no result, or a key maps to itself.

Re: Postfix advice requested

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 06:12:01PM -0800, david wrote: > At 06:07 PM 2/2/2021, Viktor Dukhovni wrote: > >On Tue, Feb 02, 2021 at 06:46:32PM -0700, Bob Proulx wrote: > > > > > > > > > > a...@d1.tld d1_a > > > > b...@d1.tld d1_b

Re: Postfix advice requested

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 06:46:32PM -0700, Bob Proulx wrote: > > > > a...@d1.tld d1_a > > b...@d1.tld d1_b > > @d1.tld owner_d1 > > @d2.tld owner_d2 > > I don't see anything wrong as such with the above. Seems like it > should work. And for me I have a very similar arrangement here.

Re: Postfix advice requested

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 07:02:02PM -0500, Bryan L. Gay wrote: > Did you happen to try putting the catch-all addresses at the TOP of > the virtualusers hashmap file? Just a guess. > It's been a long time since I've manually setup Postfix... The order of entries makes no difference. --

Re: BCC action for header_checks + multiple recipients

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 02:54:00PM -0500, Rick King wrote: > However, I haven't been able get BCC to multiple recipients to work; so far > I've tried... > > /^From:(.*)<(.*)@externaldomain.tld>(.*)/ BCC us...@internaldomain.tld, > us...@internaldomain.tld BCC recipients are subject to

Re: Postfix backscatter HELP !!!

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 12:27:40PM +0200, George Papas wrote: > # Do not indent the patterns between "if" and "endif". > if /^[> ]*Received:/ > /^[> ]*Received: +from +ip53\.ip-139-99-176\.net / > reject forged sender name in Received: header: $1 > endif The above syntax is wrong. The "reject

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 09:39:22AM -0800, Leo Bicknell wrote: > I have found many opinions of the severity or urgency, but I have yet > in any previous community had anyone argue that dropping the TLS > connection was a good behavior. Postfix is NOT dropping the TLS connection, it sends a close

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 10:44:34AM -0500, Curtis Maurand wrote: > Jumping in as an observer with 25 years of admin experience with > public facing equipment and servers. This problem seems more of a > problem with the tls libraries. The SSL_shutdown() behaviour in sufficiently recent OpenSSL

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 08:09:54AM -0800, Leo Bicknell wrote: > Maybe you run your servers at 99.99% load, and that extra > 0.01 will put them over the edge. I can only tell you that I, > as one admin, would absolutely take the extra load to get proper > shutdown behavior. > > If I need

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 07:27:27AM -0800, Leo Bicknell wrote: > I won't attempt you change your mind, as you've clearly made it up. It appears we have reciprocity. > However, in my role as an admin, you just gave me excellent > justification to never run Postfix. The shutdown aspects of

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 06:49:31AM -0800, Leo Bicknell wrote: > In a message written on Tue, Feb 02, 2021 at 09:23:56AM -0500, Viktor > Dukhovni wrote: > > There is no issue, because SMTP is self-framing. The SMTP transaction > > is cleanly terminated via QUIT or RSET at the

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Viktor Dukhovni
On Tue, Feb 02, 2021 at 05:26:52AM -0800, Leo Bicknell wrote: > I have been recently debugging some corner cases in OpenSSL's > SSL_shutdown call in sendmail (I ask your forgiveness) and now that > I seem to have it right there I have decided to look at other mailers > for similar issues. There

Re: Address rewrite and DKIM (was: sender rewrite for specific receiver domain)

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 10:21:32PM +0100, Gerben Wierda wrote: > What I suspect here is that DKIM is the problem. As trivial-rewrite > changes the message, the DKIM signature is no longer valid. @gmail.com > reports the fail (spf is OK) but delivers anyway. Office365 is more > strict it seems.

Re: Reverse canonical for a certain receiver domain only?

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 03:43:55PM +0100, Gerben Wierda wrote: > > Yes, at the cost of a dedicated transport whose master.cf entry contains > > an override for smtp_generic_maps: > > > >master.cf: > >mycanon unix ... smtp > >-o smtp_generic_maps=$mycanon_generic_maps > >

Re: way to test delivery to me

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 12:09:38PM +, pat...@patpro.net wrote: > It's a risk I can take if I'm stuck but I'm willing to try the dual-sign > method. I should mention that given the humongous sizes of your current signatures, dual signing will make things noticeably worse in the meantime,

Re: way to test delivery to me

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 12:09:38PM +, pat...@patpro.net wrote: > I do run BIND 9.16.x and I've just read a few things about > dnssec-keymgr and dnssec-policy.conf that I need to dig in > (https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named). Good luck, feel free to post your

Re: way to test delivery to me

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 09:54:47AM +, pat...@patpro.net wrote: > > but more importantly, your DNSSEC implementation is FUBAR: > > I've chosen to go with huge keys from the start to be "future proof", > not so smart I guess. Yes, turned out to just be a source of problems, with no benefit.

Re: way to test delivery to me

2021-01-31 Thread Viktor Dukhovni
On Sun, Jan 31, 2021 at 07:15:05PM +0100, Patrick Proniewski wrote: > fixed: > > $ telnet mail.patpro.net 25 > Trying 193.30.227.216... > Connected to mail.patpro.net. > Escape character is '^]'. > 220-rack.patpro.net Do not say anything yet You might also throw "ESMTP" in there:

Re: Stucked with "unable to look up host"

2021-01-30 Thread Viktor Dukhovni
On Sat, Jan 30, 2021 at 09:39:01PM -0700, Bob Proulx wrote: > My best guess is that your chroot does not have a working resolv.conf file. Certainly a good place to start. The only odd detail is that the errors are 5.3.0 errors, so the lookup returned a definitive "no such host", rather than

Re: rejecting 'fancy' TLDs, allowing a specified one ?

2021-01-30 Thread Viktor Dukhovni
On Sat, Jan 30, 2021 at 01:20:13PM -0500, Phil Stracchino wrote: > I'm looking at implementing a rule to discard all > four-letter-and-above TLDs except whitelisted ones, because I'm tired > of playing whack-a-mole. I'd like to strongly advise against filtering by TLD. This is a very low

Re: Trouble with STARTTLS...Connection lost

2021-01-30 Thread Viktor Dukhovni
>> - please correct me if I'm wrong > > On 29.01.21 15:09, Viktor Dukhovni wrote: > >You're wrong. The "a" in aNULL ciphers stands for "authentication". > >These ciphers just do anonymous Diffie-Hellman, but do not authenticate > >either party. They

Re: Trouble with STARTTLS...Connection lost

2021-01-29 Thread Viktor Dukhovni
On Fri, Jan 29, 2021 at 06:53:09PM +0100, Matus UHLAR - fantomas wrote: > >> smtpd_tls_exclude_ciphers=MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4,3DES > >> smtpd_tls_mandatory_exclude_ciphers=aNULL > > > >Mostly harmless, but not necessary. > > yes, but when the policy is encryption

Re: Trouble with STARTTLS...Connection lost

2021-01-29 Thread Viktor Dukhovni
On Fri, Jan 29, 2021 at 08:21:46AM +, Chu, Uy wrote: > Thank you for your suggestion, I made the changes as you suggested, > but still seeing the same error. - What does the *client* report when this happens? - Capture a PCAP file with a single session between the client and this server.

Re: Trouble with STARTTLS...Connection lost

2021-01-29 Thread Viktor Dukhovni
On Fri, Jan 29, 2021 at 02:08:48PM +0100, Matus UHLAR - fantomas wrote: > Excluding aNULL should not be needed on smtp port, but apparently > is useful on ports with mandatory encryption. It is only ever *needed* on the client side, when *authenticating* the server. Postfix does that

Re: Trouble with STARTTLS...Connection lost

2021-01-28 Thread Viktor Dukhovni
On Thu, Jan 28, 2021 at 09:48:13PM +, Chu, Uy wrote: > smtp_tls_CAfile = /etc/postfix/ca.crt > smtp_tls_ciphers = high > smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL > smtp_tls_loglevel = 2 Not sure why you want to disable aNULL, or set the log level > 1. >

Re: Trouble with STARTTLS...Connection lost

2021-01-28 Thread Viktor Dukhovni
On Thu, Jan 28, 2021 at 08:18:05PM +, Chu, Uy wrote: > I am having trouble with one of our application server not being able > to connect to send emails. I noticed the issue of connection lost > after STARTTLS. Is it a configuration on the SMTP server or the > application? > > Jan 28

Re: Reverse canonical for a certain receiver domain only?

2021-01-28 Thread Viktor Dukhovni
On Thu, Jan 28, 2021 at 04:51:13PM +0100, Gerben Wierda wrote: > I have an alias that I use for a certain external web site. Mail sent > to that alias ends up in my mailbox. > > Is it possible in some way to have — for mail sent to that domain only > — to have a canonical rewrite of the

Re: Problems with .cf files for LDAP

2021-01-27 Thread Viktor Dukhovni
On Thu, Jan 28, 2021 at 12:45:30AM +0100, Michael Agbaglo wrote: > While the test using postmap was successful, the test with sendmail > fails. The debug show that for some reason '%s' is holding just the > domain. Why is that? $ postconf -d virtual_mailbox_domains

Re: rewrite to value of reply-to

2021-01-27 Thread Viktor Dukhovni
> On Jan 27, 2021, at 9:40 PM, Andy Smith wrote: > > Correct, its a dynamic value. It can only be known by reading the reply-to > value from the headers of the same message. One way to do this entirely in Postfix is to: 1. Delete the evil "From:" header that matches the "www" user on input

Re: rewrite to value of reply-to

2021-01-27 Thread Viktor Dukhovni
On Wed, Jan 27, 2021 at 05:30:25PM -0500, Wietse Venema wrote: > It's simple enough to replace all instances of w...@example.com with > something else: > > /etc/postfix/main.cf: > canonical_maps = > inline:{ > { w...@example.com = other@address } > } > > That will

Re: mail loops back to me with multi-instance config

2021-01-27 Thread Viktor Dukhovni
On Wed, Jan 27, 2021 at 03:01:43PM -0500, Alex wrote: > Some time ago I configured postfix to be multi-instance and now I'm > realizing some mail being generated locally by new crontab entries is > bouncing because apparently the main postfix instance doesn't know > where to send these emails

Re: rewrite to value of reply-to

2021-01-27 Thread Viktor Dukhovni
On Wed, Jan 27, 2021 at 07:05:37PM +0100, Andy Smith wrote: > In my case it is safe to assume that all mail from this user (www user) > will always have "Reply-To" as they are generated by the program Request > Tracker which always includes this header. If it were an issue I guess > before the

Re: rewrite to value of reply-to

2021-01-27 Thread Viktor Dukhovni
On Wed, Jan 27, 2021 at 06:12:35PM +0100, Andy Smith wrote: > I need to rewrite an address (known/fixed, is the localaddress of the > user sending the email) I am having trouble parsing this. Email messages have: - An envelope-sender, specified via the SMTP "MAIL FROM:" command prior

Re: Usage of posttls-finger

2021-01-26 Thread Viktor Dukhovni
On Tue, Jan 26, 2021 at 07:25:45PM -0500, vi...@vheuser.com wrote: > posttls-finger -c -lmay "[example.com]" > returns "posttls-finger: Server is anonymous" > > What should the server return? > How is this configured? You can try "-lsecure" instead, this will disable anon-DH ciphers. --

Re: scanning outgoing e-mail via specific transport

2021-01-26 Thread Viktor Dukhovni
On Tue, Jan 26, 2021 at 06:44:44PM +0100, natan wrote: > In main.cf I use: > ... > smtpd_milters =inet:localhost:12301 > non_smtpd_milters = inet:localhost:12301 > ... > > But I need to add scan outgoing e-mail only for specific transport (for > users who use this transport) is correct to add

Re: trouble talking to NYC Government

2021-01-26 Thread Viktor Dukhovni
On Tue, Jan 26, 2021 at 02:17:00PM -0500, Ruben Safir wrote: > www2:~ # postconf -M | awk '$8 == "smtp" {print $1,$5}' > smtp n > relay n So it looks like no chroot. You can double-check with: $ postconf -F smtp/unix/chroot $ postconf -F relay/unix/chroot but no need to post results

Re: How do you manage the ‘hold’ queue?

2021-01-26 Thread Viktor Dukhovni
On Tue, Jan 26, 2021 at 08:13:01AM +0100, David Bürgin wrote: > I’ve recently begun using the ‘hold’ queue, because of a milter that I > use. A milter may ‘quarantine’ a message, which causes the message to be > placed in the ‘hold’ queue (eg OpenDMARC does this when the DMARC policy > requests

Re: trouble talking to NYC Government

2021-01-26 Thread Viktor Dukhovni
On Tue, Jan 26, 2021 at 10:46:04AM -0500, Ruben Safir wrote: > I am getting this strange rejections to talk to NYC government > > Final-Recipient: rfc822; cdeut...@council.nyc.gov > Original-Recipient: rfc822;cdeut...@council.nyc.gov > Action: delayed > Status: 4.4.3 > Diagnostic-Code:

Re: thunderbird problem after update to v.78.6

2021-01-25 Thread Viktor Dukhovni
On Tue, Jan 26, 2021 at 07:46:01AM +0200, Tsakiridis Sotiris wrote: > Recently we've encountered a strange behaviour regarding thunderbird > (v78.6) and postfix 3.4.13 . Some clients can't receive emails, some > others can't send and others have no problem at all! I think it has > something to

Re: 1st MX connection fails, 2nd successful

2021-01-25 Thread Viktor Dukhovni
On Mon, Jan 25, 2021 at 10:38:46PM +0100, Jörg Backschues wrote: > # TLS > tls_high_cipherlist = > ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 Limiting the ciphers

Re: 1st MX connection fails, 2nd successful

2021-01-25 Thread Viktor Dukhovni
On Mon, Jan 25, 2021 at 10:38:46PM +0100, Jörg Backschues wrote: > can someone explain to me why the 1st connection to the remote MX fails and > the 2nd connection is successful? Both delivery attempts fail to establish a TLS session on the first TCP connection. > Jan 25 21:14:56 mx00

Re: Spam relay problems - need some config assistance

2021-01-24 Thread Viktor Dukhovni
On Mon, Jan 25, 2021 at 03:53:54AM +0100, Benny Pedersen wrote: > /etc/postfix/main.cf: > proxy_interfaces = 1.2.3.4 (the proxy/NAT external network address) This does not solve the issue at hand. It just prevents mail forwarding loops in the smtp(8) delivery agent. -- Viktor.

Re: Spam relay problems - need some config assistance

2021-01-24 Thread Viktor Dukhovni
On Sun, Jan 24, 2021 at 06:30:43PM -0600, P. Ik. wrote: > 172.17.0.* are the container ip's > .1 is the postfix host You have *source NAT* between the Internet and your MTA, so that all external connections appear to originate from the same source. With such a configuration, you MUST NOT trust

Re: New postfix server, authentication confusion

2021-01-24 Thread Viktor Dukhovni
On Sun, Jan 24, 2021 at 12:42:49PM +0100, Jeff Abrahamson wrote: > 1. Users need to provide user + password to send (smtps) and receive > (imaps). I see where I've configured this for dovecot, which is > /etc/dovecot/passwd.db. That file contains lines like this: > >

Re: Recipient and sender dependent relay hosts

2021-01-22 Thread Viktor Dukhovni
On Fri, Jan 22, 2021 at 02:34:58AM -0500, François Hétu wrote: > I'm having some difficulty figuring out how to configure both recipient and > sender dependent relay hosts. > > 1. Some of my users need to send mail through specific relay hosts with > login:password; > 2. Other users on the same

Re: Make Postfix show expired certificate path

2021-01-21 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 06:46:41PM -0500, Theodore Knab wrote: > I think I keep mine simpler, so mine shouldn't fail in April as long as > my cronjob auto updates the SSL Cert. If you're not using SNI with indexed file tables (cdb, lmdb, hash, or btree), then your certificate chains are read

Re: Make Postfix show expired certificate path

2021-01-21 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 06:32:04PM -0500, Viktor Dukhovni wrote: > > That's the one I use now: > > smtpd_tls_chain_files = > > /etc/letsencrypt/live/webeloping.es/privkey.pem, > > /etc/letsencrypt/live/webeloping.es/fullchain.pem > > smtp_tls_chain_fil

Re: Make Postfix show expired certificate path

2021-01-21 Thread Viktor Dukhovni
On Fri, Jan 22, 2021 at 12:24:28AM +0100, Pau Peris wrote: > That's the one I use now: > smtpd_tls_chain_files = > /etc/letsencrypt/live/webeloping.es/privkey.pem, > /etc/letsencrypt/live/webeloping.es/fullchain.pem > smtp_tls_chain_files= $smtpd_tls_chain_files That's your primary

Re: Make Postfix show expired certificate path

2021-01-21 Thread Viktor Dukhovni
On Fri, Jan 22, 2021 at 12:00:25AM +0100, Pau Peris wrote: > I'm running the following command which shows the content of the > expired certificate but I'm getting crazy finding the certificate even > when I have the content of it. For sure it's not in /etc, ... Postfix loads certificates

Re: Make Postfix show expired certificate path

2021-01-21 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 11:19:13PM +0100, Pau Peris wrote: > Does someone know how I can make postfix show the absolute path for the > TLS certificate used? There is no such feature. But if you're not using SNI, the certificate chain is the same for all clients, and you can just connect to your

Re: Copying settings in main.cf from postfix 3.5.6 to postfix 3.3.0 - any major issues?

2021-01-21 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 09:15:01PM +, Chris Green wrote: > The VPS has postfix version 3.3, my desktop has version 3.5.6, am I > likely to encounter any problems with a similar main.cf on the older > version? I realise I have to change the myorigin, mydestination and > myhostname but I'm

Re: refused mail/host not found -- confusion about error source

2021-01-21 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 03:44:04PM +0100, Jeff Abrahamson wrote: > >> http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions > >> > >> reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname) > >> Reject the request when the HELO or EHLO hostname has no DNS A or MX > >>

Re: Ignoring a failing dictionary ?

2021-01-21 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 09:58:30AM +0100, Ganael Laplanche wrote: > On Wednesday, January 20, 2021 6:23:22 PM CET Curtis Maurand wrote: > Natan> Or use two ldap - master- slave and use haproxy like > Natan> [...] > Natan> tcp-check send-binary 04008000 # name, simple authentication > Natan>

Re: Inconsistency between postconf(5) and IPV6_README

2021-01-20 Thread Viktor Dukhovni
On Thu, Jan 21, 2021 at 04:37:19AM +, Pau Amma wrote: > http://www.postfix.org/postconf.5.html#inet_protocols says: > inet_protocols = all (DEFAULT) > http://www.postfix.org/IPV6_README.html says: inet_protocols = ipv4 > (DEFAULT: enable IPv4 only) > > The inconsistency should be

Re: Ignoring a failing dictionary ?

2021-01-19 Thread Viktor Dukhovni
On Tue, Jan 19, 2021 at 03:03:49PM +0100, Ganael Laplanche wrote: > > http://www.postfix.org/memcache_table.5.html > > Maybe memcache with a *very* long TTL could be used here, but I was looking > for a pseudo-dictionary such as unionmap (maybe something like 'noretrymap') > that would ignore

Re: How to determine queue status

2021-01-17 Thread Viktor Dukhovni
On Sun, Jan 17, 2021 at 11:02:51AM -0500, Alex wrote: > I have a postfix-3.5.8 system with amavisd on fedora33. I'm trying to > get an idea of how many emails are queued because they can't be > delivered in a timely manner by analyzing the logs, instead of just > periodically running "mailq" in a

Re: restricted inbound on 587

2021-01-16 Thread Viktor Dukhovni
On Sat, Jan 16, 2021 at 11:37:50PM -0700, Gary Aitken wrote: > >> /etc/postfix/master.cf: > >> #smtp inet n - y - - smtpd > >> submission inet n - y - - smtpd > > > > This looks like a submission service, so you

Re: restricted inbound on 587

2021-01-16 Thread Viktor Dukhovni
On Sat, Jan 16, 2021 at 03:11:58PM -0700, Gary Aitken wrote: > I'm trying to set up a postfix-server on a google-compute-engine vm that > works as follows: > > * outgoing mail from local machine (aaa.xxx.com) to a select few specific >addresses and any address on a specific domain (yyy.com)

Re: Conditional relayhost based on message size

2021-01-16 Thread Viktor Dukhovni
On Sat, Jan 16, 2021 at 04:48:22AM -0500, Viktor Dukhovni wrote: > On Sat, Jan 16, 2021 at 08:14:34AM +, Alexander wrote: > > > My goal is to conditionally select the relayhost based on the total size > > of the outgoing message. The rationale is that I'm us

Re: Conditional relayhost based on message size

2021-01-16 Thread Viktor Dukhovni
On Sat, Jan 16, 2021 at 08:14:34AM +, Alexander wrote: > My goal is to conditionally select the relayhost based on the total size > of the outgoing message. The rationale is that I'm using Amazon AWS SES > for the most part. Alas, SES only accepts messages up to 10 MB in size > (this

Re: Need real examples of `no resolvable FQDN' host sending thru smtp relay

2021-01-14 Thread Viktor Dukhovni
On Thu, Jan 14, 2021 at 04:09:30PM -0500, Harry Putnam wrote: > > http://www.postfix.org/SOHO_README.html > > http://www.postfix.org/SOHO_README.html#fantasy > > Thx, those are helpful but I'm apparently still not getting it > right. Still failing like so: > > postfix/pickup[23288]:

Re: behavior when connecting client triggers several errors

2021-01-14 Thread Viktor Dukhovni
On Thu, Jan 14, 2021 at 11:40:34AM -0500, Wietse Venema wrote: > > Unfortunately, smtpd_recipient_restrictions runs *before* > > smtpd_relay_restrictions (in recent Postfix releases), and there was > > some discussion of making that configurable, but I forget where that > > ended up... I agree

Re: behavior when connecting client triggers several errors

2021-01-14 Thread Viktor Dukhovni
On Thu, Jan 14, 2021 at 10:14:49AM -0500, Bill Cole wrote: > > to log all parameters, like mail from: and rcpt to: > > Helps much when digging logs why was someone's mail refused. > > Also, technically, because smtpd_delay_reject is "yes" which is the > default in recent versions of Postfix.

Re: Need real examples of `no resolvable FQDN' host sending thru smtp relay

2021-01-13 Thread Viktor Dukhovni
On Mon, Jan 11, 2021 at 12:18:15PM -0500, Harry wrote: > Where can I find real examples of /etc/postfix/main.cf setup on host > with no resolvable FQDN relaying through smtp Smarthost with > authentication? http://www.postfix.org/SOHO_README.html

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-12 Thread Viktor Dukhovni
> On Jan 12, 2021, at 10:19 PM, sckall...@yahoo.com wrote: > > I was able to locate the files that pykolab was using to create this mayhem. > Thank you so much Viktor! You're welcome. Your penance is going to be to spend a bit more time getting familiar with how to read your logs... :-) --

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-12 Thread Viktor Dukhovni
On Tue, Jan 12, 2021 at 02:28:44PM -0800, sckall...@yahoo.com wrote: > > There are no "Received:" headers here, are you sure you've posted *all* the > > headers? All messages received by Postfix get a "Received" header > > prepended. Where are they? However, we do see that the message went > >

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-12 Thread Viktor Dukhovni
On Tue, Jan 12, 2021 at 01:17:34PM -0800, sckall...@yahoo.com wrote: > > The message was created by something other than local submission, since it > arrived via SMTP to 127.0.0.1. > Here are the mail headers of the non-delivery email: > --- > > Return-Path: <> >

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-12 Thread Viktor Dukhovni
On Tue, Jan 12, 2021 at 12:36:58PM -0800, sckall...@yahoo.com wrote: > Jan 12 17:56:26 mail postfix/smtpd[17788]: connect from xxx[127.0.0.1] > Jan 12 17:56:26 mail postfix/smtpd[17788]: AED108DFA2: client=xxx[127.0.0.1] > Jan 12 17:56:28 mail postfix/cleanup[17791]: AED108DFA2: >

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-12 Thread Viktor Dukhovni
On Tue, Jan 12, 2021 at 10:18:33AM -0800, sckall...@yahoo.com wrote: > Here is what I see now with the same email going out again and again: The logs are rather a jumble, please collate the logs by queue-id, avoiding mixing different messages together, and show all logs for any queue-id that's

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-11 Thread Viktor Dukhovni
On Mon, Jan 11, 2021 at 09:59:36PM -0800, sckall...@yahoo.com wrote: > I changed the last column in bounce line to bounce (it used to be > discard) in master.cf. Once your master.cf file is correct, it is no longer of much interest. What matters now is logs and main.cf. > Now I get NDRs every

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-11 Thread Viktor Dukhovni
On Mon, Jan 11, 2021 at 11:48:25PM -0500, Bill Cole wrote: > On 11 Jan 2021, at 21:49, Bob Jones wrote: > > > Also, what does all this mean essentially (in English)? > > The man page for master(5) is written in English and provides a standard > answer. Is there something unclear there? That's

Re: Crazy retries for bounced (and a small number of successful) emails

2021-01-11 Thread Viktor Dukhovni
On Tue, Jan 12, 2021 at 02:49:38AM +, Bob Jones wrote: > You are absolutely right about the master.cf. The bounce line looks like the > following: > > bounce  unix    -   -   n   -   0   > discard That is an invalid configuration. Nowhere is it
