[pfx] Re: Behaviour in case of multiple relay hosts with multiple DNS records

2024-01-05 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 05, 2024 at 06:46:01PM +0100, Peter Wienemann via Postfix-users wrote: > > Unfortunately this says that RFC 5321 applies to LMTP deliveries, > > RFC 2033 says: "The LMTP protocol is identical to the SMTP protocol [SMTP] > [HOST-REQ] with its service extensions [ESMTP], except as

[pfx] Re: Postfix stopped logging lines with sender IP addresses after upgrade

2024-01-02 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 02, 2024 at 02:44:06PM -0500, Vince Heuser via Postfix-users wrote: > Jan 02 14:26:56 islou postfix/qmgr[2]: 4T4NC41vLCzQ1P: > from=, size=1258, nrcpt=1 (queue active) > Jan 02 14:26:56 islou postfix/smtp[22517]: 4T4N9z4tYzzQ1b: to=, > relay=127.0.0.1[127.0.0.1]:10024, delay=57,

[pfx] Re: Behaviour in case of multiple relay hosts with multiple DNS records

2024-01-02 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 02, 2024 at 11:12:28AM +0100, Peter Wienemann via Postfix-users wrote: > To avoid a potential misunderstanding: I do not see any reason to cast doubt > on the RFC compliance of Postfix. I think the issue discussed in this thread > rather goes beyond what is specified in RFCs. It

[pfx] Re: How to configure lmtp delivery

2023-12-31 Thread Viktor Dukhovni via Postfix-users
On Sun, Dec 31, 2023 at 08:25:42PM +0100, toganm--- via Postfix-users wrote: > >>>>> "VDvP" == Viktor Dukhovni via Postfix-users > >>>>> writes: > > VDvP> So the "hostname" form does not use "[]", which are only

[pfx] Re: How to configure lmtp delivery

2023-12-31 Thread Viktor Dukhovni via Postfix-users
On Sun, Dec 31, 2023 at 07:52:39PM +0100, Togan Muftuoglu via Postfix-users wrote: > so the following is all I need which I wrote in the first mail > (without the inet part) I don't need to set anything in master.cf > > mailbox_transport = lmtp:inet:[172.16.0.216]:24 > virtual_transport =

[pfx] Re: How to configure lmtp delivery

2023-12-31 Thread Viktor Dukhovni via Postfix-users
On Sun, Dec 31, 2023 at 06:47:25PM +0100, toganm--- via Postfix-users wrote: > When the documentation lacks what I am looking for then is there another way? > > WVvP> To integrate Dovecot, see Dovecot documentation for examples. > > That does not help because dovecot is not running on the

[pfx] Re: postfix 'non-interactive-package' build/install to non-default target location requires existence of /etc/postfix/{main,master}.cf ?

2023-12-30 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 30, 2023 at 07:54:56PM -0500, pgnd via Postfix-users wrote: > BUT, just-built 'postconf' FAILs, > > /usr/local/TMP/postfix-package/sbin/postconf mail_version > /usr/local/TMP/postfix-package/sbin/postconf: fatal: open > /etc/postfix/main.cf: No such file or

[pfx] Re: Behaviour in case of multiple relay hosts with multiple DNS records

2023-12-29 Thread Viktor Dukhovni via Postfix-users
On Fri, Dec 29, 2023 at 07:45:45PM +0100, Peter Wienemann via Postfix-users wrote: > > And then shows some examples that demonstrate that using > > MX records is mutually exclusive with using address (A or ) records. > > I think what bears the potential for confusion is what you mean by

[pfx] Re: SMTP Smuggling, workarounds and fix // Clarification on BDAT

2023-12-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 27, 2023 at 11:40:56PM +0100, Damian via Postfix-users wrote: > > The attack can be mitigated by using BDAT. > > Can someone clarify? It really does not matter much, but leaving BDAT enabled can help in some cases. It is not necessary to go this deep down the rabbit hole. If both

[pfx] Re: WTF X-ANONYMOUSTLS ???

2023-12-26 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 27, 2023 at 06:45:27AM +0100, Ralph Seichter via Postfix-users wrote: > * Viktor Dukhovni via Postfix-users: > > > Microsoft ESMTP MAIL Service [...] > > Gee, who woulda thunk? ;-) That being said, perhaps somebody on the > "mailop" mailing list woul

[pfx] WTF X-ANONYMOUSTLS ???

2023-12-26 Thread Viktor Dukhovni via Postfix-users
I can't imagine what went on in the minds of the developers who thought it necessary to implement an "X-ANONYMOUSTLS" ESMTP extension. What's wrong with STARTTLS, that this was felt to be needed? Does anyone know where this might be, at least in part, documented? I've just run into a domain

[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 21, 2023 at 04:29:20PM -0500, Wietse Venema via Postfix-users wrote: > > > https://gitlab.com/ohisee/block-shodan-stretchoid-census > > > > I feel no particular urge to block them. > > They apparently flag a lot more Postfix MTAs than Exim ones. By "flag" you mean count instances

[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 21, 2023 at 03:08:57PM -0500, pgnd via Postfix-users wrote: > > This even includes "shodan" looking > > ugh. shodan. > > this can help a bit > > https://gitlab.com/ohisee/block-shodan-stretchoid-census I feel no particular urge to block them. -- Viktor.

[pfx] Re: [pfx-ann] SMTP Smuggling, workarounds and fix

2023-12-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 21, 2023 at 02:17:34PM -0500, Wietse Venema via Postfix-users wrote: > Kim Sindalsen via Postfix-users: > > I'm reading that either " smtpd_data_restrictions = > > reject_unauth_pipelining" or "smtpd_forbid_unauth_pipelining = yes" should > > *work* for short-term workaround, right? >

[pfx] Re: SMTP Smuggling short & long term fixes

2023-12-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 20, 2023 at 05:48:43PM -0500, Wietse Venema via Postfix-users wrote: > Wietse Venema via Postfix-users: > > As part of a non-responsible disclosure process, SEC Consult has > > published an email spoofing attack that involves a composition of > > different mail service behaviors with

[pfx] Re: SMTP smuggling

2023-12-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 20, 2023 at 09:12:47PM +0100, John D'Orazio via Postfix-devel wrote: > I recently encountered on a server of my own a case of SMTP smuggling. I am very sceptical that this is in fact the case. Which is to say, very confident it is not. > I was befuddled by the fact that I received

[pfx] Re: Not all errors are postfix's fault

2023-12-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Dec 20, 2023 at 03:21:03PM +, Linkcheck via Postfix-users wrote: > > > How does your milter decide which messages to sign? Does it perhaps > > look for: > > > > milter_macro_daemon_name=ORIGINATING > > I originally had this in place but could find no reason for it online nor >

[pfx] Re: Not all errors are postfix's fault

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 04:07:11PM +, Linkcheck via Postfix-users wrote: > Sort of. I now have a problem where (it seems) ALL authenticated mail is not > being dkim signed How does your milter decide which messages to sign? Does it perhaps look for:

[pfx] Re: Using a second domain for outgoing mail

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 12:34:55PM -0600, Richard Raether via Postfix-users wrote: > In addition, the boss just asked is there a way to restrict the group of > users that can send from that second domain? We are using ldap for > authentication. Please forgive any ignorance on my part. How does

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 10:42:14AM -0500, Wietse Venema via Postfix-users wrote: > First, there is one mistake in my last quoted paragraph above. In > the smuggled commands, an attacker can avoid an SMTP command > pipelining violation, by using BDAT instead of DATA. > Below I'm indenting the

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 19, 2023 at 12:20:57AM +0100, r.barclay--- via Postfix-users wrote: > > For now, enforcement of pipelining is actually available, while > > enforcement of vs. is still only a hypothetical. > > As an average user without any special or legacy systems, I'd > appreciate if one could

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 18, 2023 at 05:40:49PM -0500, Wietse Venema wrote: > > - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting > > code as 3.9 snapshots, but the "smtpd_forbid_unauth_pipelining" > > parameter defaults to "no". > > Indeed, setting "smtpd_forbid_unauth_pipelining =

[pfx] Re: Postfix authenticated sender and From: header verification

2023-12-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 18, 2023 at 02:48:43PM -0500, Bill Cole via Postfix-users wrote: > > This research work has now been published by Sec Consult company, see > > link below . > > It is interesting that they seem to be unaware of some SMTP basics, such as > the fact that message bodies, message headers,
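
The SMTP smuggling posts above (the "workarounds and fix" threads and the "authenticated sender" replies that mention smtpd_forbid_unauth_pipelining, reject_unauth_pipelining and BDAT) all turn on one mechanism: a sending relay and a receiving server disagreeing about where DATA ends. The following is an added example, not code from the Postfix list or from Postfix itself, and the SMTP payload in it is constructed. It places a strict RFC 5321 end-of-data scanner (only <CRLF>.<CRLF> terminates) next to a lenient one that also accepts a bare-LF variant, so the difference in where each receiver thinks the message ends, and what a lenient one then parses as fresh commands, can be seen on real bytes.

```python
# Added example, not from the Postfix list or from Postfix itself.
# The sample SMTP payload below is constructed for illustration.
import re

# RFC 5321 section 4.1.1.4: DATA content ends with <CRLF>.<CRLF>, nothing else.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# A lenient receiver that also treats bare LF as a line break will end the
# message at <LF>.<LF> (or mixes such as <LF>.<CRLF>) as well.
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")


def split_data(buf, strict=True):
    """Split what arrived after the DATA command into (message, remainder).

    Returns (None, buf) while no terminator has been seen.  The remainder is
    whatever follows the terminator, which the server will parse as its next
    SMTP commands."""
    pat = STRICT_EOD if strict else LENIENT_EOD
    # The DATA command line itself ended in CRLF, so the content starts at a
    # line boundary; prepend CRLF so an immediately empty body (".\r\n") is
    # recognised too, and subtract those two bytes from the match offsets.
    m = pat.search(b"\r\n" + buf)
    if m is None:
        return None, buf
    return buf[:max(m.start() - 2, 0)], buf[m.end() - 2:]


def commands_after_data(remainder):
    """Command lines a server would execute once it believes DATA has ended."""
    return [line for line in re.split(rb"\r?\n", remainder) if line]


# Constructed payload: one message as a strict sender/relay sees it.  A relay
# that only ends DATA on <CRLF>.<CRLF> forwards the whole thing as one body;
# a lenient next hop stops at the embedded "\n.\n" and runs what follows.
SAMPLE = (
    b"From: someone@example.net\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"a harmless-looking body line\r\n"
    b"\n.\n"                                  # bare-LF "terminator"
    b"MAIL FROM:<ceo@example.org>\r\n"        # commands to a lenient server
    b"RCPT TO:<cfo@example.org>\r\n"
    b"DATA\r\n"
    b"From: ceo@example.org\r\nSubject: urgent\r\n\r\nPlease pay the invoice.\r\n"
    b".\r\n"                                  # the only real <CRLF>.<CRLF>
)


def smuggled_commands(buf):
    """Commands a lenient receiver would run that a strict one never sees."""
    _, strict_rest = split_data(buf, strict=True)
    _, lenient_rest = split_data(buf, strict=False)
    seen_by_strict = set(commands_after_data(strict_rest))
    return [c for c in commands_after_data(lenient_rest) if c not in seen_by_strict]


if __name__ == "__main__":
    for strict in (True, False):
        msg, rest = split_data(SAMPLE, strict)
        print(f"strict={strict}: message is {len(msg)} bytes, "
              f"{len(commands_after_data(rest))} trailing command line(s)")
    for cmd in smuggled_commands(SAMPLE)[:3]:
        print("  parsed as a command by the lenient receiver:", cmd.decode())
```

The Postfix knobs named in the thread act on the server side of this picture: once a server ends DATA at a non-standard terminator, the commands that follow arrive before it has sent its DATA response, which is exactly the unauthorized pipelining that reject_unauth_pipelining and smtpd_forbid_unauth_pipelining refuse; BDAT is the case Wietse corrects himself on, since a BDAT chunk carries an explicit byte count and needs no terminator scan at all.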

[pfx] Re: queue_lifetime clarification

2023-12-14 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 14, 2023 at 12:41:17PM +0100, Marek Podmaka via Postfix-users wrote: > > and used header_checks to hold the mails in queue. > > > > Now, as no decision is made, I want to continue to hold for another 13 > > days more. > > > > Will this change, hold the queue for another 13 days more?

[pfx] Re: 25 years today

2023-12-14 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 14, 2023 at 08:20:26AM -0500, Wietse Venema via Postfix-users wrote: > As a few on this list may recall, it is 25 years ago today that the > "IBM secure mailer" had its public beta release. This was accompanied > by a nice article in the New York Times business section. Many thanks.

[pfx] Re: TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.

2023-12-14 Thread Viktor Dukhovni via Postfix-users
On Thu, Dec 14, 2023 at 11:04:32AM +0100, Joachim Lindenberg via Postfix-users wrote: > I´d say Viktor is biased towards 3 1 1. It isn't a bias, it is a rational recommendation. There are multiple issues with "2 1 1": - With a public issuer CA, you're adding a redundant trusted party,

[pfx] TAKE NOTE 3: Upcoming new Let's Encrypt intermediate issuer CAs.

2023-12-08 Thread Viktor Dukhovni via Postfix-users
My previous post on this topic noted that Let's Encrypt are planning to *randomise* the choice of intermediate issuer CA used with each renewal. It now turns out that they will also be switching to new underlying intermediate CAs. So you'll get a random choice of *new* issuers.

[pfx] Re: [ext] Why can't I get /etc/aliases to do anything?

2023-12-05 Thread Viktor Dukhovni via Postfix-users
On Tue, Dec 05, 2023 at 04:45:49PM +, Chris Green via Postfix-users wrote: > On Tue, Dec 05, 2023 at 05:41:11PM +0100, Ralf Hildebrandt via Postfix-users > wrote: > > * Chris Green via Postfix-users : > > > > > mydestination = > > > > no mail is delivered locally. Thus "/etc/aliases"

[pfx] Re: SELinux/SMTP Relay Handshake Failure

2023-12-04 Thread Viktor Dukhovni via Postfix-users
On Mon, Dec 04, 2023 at 07:20:08PM +1100, duluxoz via Postfix-users wrote: > This issue is definitely SELinux related, because it only crops up when > SELinux is enabled. > > I'm getting a `TLS handshake failed for service=smtp > peer=[104.199.96.85]:587` error when attempting to relay via

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 02, 2023 at 11:37:55AM -0500, pgnd wrote: > > - dane:Same as "may" in the absence of DNSSEC MX and TLSA > > iiuc, this functions as > > dane, with DNSSEC MX and TLSA > may, without DNSSEC MX and TLSA > > is there an equivalent single form that functions as > >

[pfx] Re: Patch: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 02, 2023 at 12:44:27PM +0100, Alexander Leidinger wrote: > > Actually "secure", which means that the match strategy is > > "nexthop:dot-nexthop" unless you specify additional command-line > > arguments to override the match list. > > > > switch (state->level) { > > case

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 02, 2023 at 09:55:44PM +0900, Byung-Hee HWANG via Postfix-users wrote: > > No, it's a pure security policy thing and an overlooked line in the mysql > > tls > > policy table. > > > > The policy "secure" (and I assume "dane-only") doesn't work, as github is > > not > > using DNSSEC.

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-01 Thread Viktor Dukhovni via Postfix-users
On Fri, Dec 01, 2023 at 01:52:19PM +0100, Alexander Leidinger wrote: > > No. The problem you're reporting is with name matching. If the > > certificate chain failed to be constructed, that'd be reported instead. > > You'll only see name match errors if the chain construction succeeds, > > but

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-01 Thread Viktor Dukhovni via Postfix-users
On Fri, Dec 01, 2023 at 09:53:25AM +0100, Alexander Leidinger via Postfix-users wrote: > > > Why should it expect reply.github.com? > > > > Because that name is securely known from the recipient address. Because, whether you're willing to understand the point or prefer to "dig in", verifying a

[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-11-30 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via Postfix-users wrote: > > > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate > > > verification failed for in-9.smtp.github.com[140.82.112.31]:25: > > > num=62:hostname mismatch > > > > That is the error.

[pfx] Re: What does postfix do with malformed messages?

2023-11-29 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 29, 2023 at 10:17:01AM -0500, Wietse Venema via Postfix-users wrote: > > I see the cleanup program and all the options about when to run it and > > what to tell it to do, but in practice, will a typical system clean > > everything up, just locally submitted stuff, or something else?

[pfx] Re: Turn Off Verify Service?

2023-11-28 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 29, 2023 at 03:00:24PM +1100, duluxoz via Postfix-users wrote: > I was reading an on-line guide about hardening Postfix and came across > a line that said that the Verify service could/should be turned off in > the master.cf file. > > Is this actually good advice, or is there some

[pfx] Re: What does postfix do with malformed messages?

2023-11-28 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 28, 2023 at 10:04:53PM -0500, John Levine via Postfix-users wrote: > If a malformed mail message shows up by SMTP (not local sendmail or > submission), will postfix generally try to clean it up or just > pass it along? You have to be a bit more specific. What does "malformed" mean?

[pfx] Re: [ext] gmail failing SPF/DKIM

2023-11-27 Thread Viktor Dukhovni via Postfix-users
On Mon, Nov 27, 2023 at 04:50:55PM +, Linkcheck via Postfix-users wrote: > Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linkcheck.co.uk; > s=mail; > t=1701091213; bh=...; > h=Date:To:From:Reply-To:Subject:From; > b=... Have you tried leaving out the largely redundant "s=" from

[pfx] Re: [ext] gmail failing SPF/DKIM

2023-11-27 Thread Viktor Dukhovni via Postfix-users
On Mon, Nov 27, 2023 at 04:04:12PM +0100, Ralf Hildebrandt via Postfix-users wrote: > * Linkcheck via Postfix-users : > > > If someone wishes to check this, a typical form (which is sent to me with > > copy to "you") is at > > https://www.linkcheck.co.uk/ > > under menu option Contact &

[pfx] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-23 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 23, 2023 at 07:48:33PM +1100, duluxoz via Postfix-users wrote: > Hi All, > > This may be a stupid Q, but we're getting a `postfix/tlsproxy[89206]: TLS > handshake failed for service=smtp peer=[104.199.96.85]:25` error in our logs > when trying to relay via an SMTP Relay Service (both

[pfx] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-23 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 23, 2023 at 12:25:19PM +, Alan Munday via Postfix-users wrote: > > > It may be prudent to mark your calendar to check the Let's Encrypt > > > certificate page once or twice a year, and make appropriate changes if > > > new intermediate issuer CAs are introduced, or extant ones

[pfx] Re: No messages from freebsd.org

2023-11-22 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 23, 2023 at 05:44:47AM +0100, Jack Raats wrote: > You're absolutely right. I am ashamed that I didn't think that DANE was > perhaps the problem > Short term solution was to delete the TLSA record from the DNS. > After deleting the TLSA record the mails are getting in. So, you'll

[pfx] Re: No messages from freebsd.org

2023-11-22 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 23, 2023 at 04:32:02AM +0100, Jack Raats via Postfix-users wrote: > Can anyone help me to address the following problem. > > I'm receiving messages from the dovecot and postfix mailinglist. I can get > mail from gmail etc. but not from the freebsd mailing lists. > > I get the

[pfx] Re: How to temporarily pause virtual mail delivery?

2023-11-22 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 22, 2023 at 09:36:31PM +0100, Ralph Seichter via Postfix-users wrote: > * Viktor Dukhovni via Postfix-users: > > > https://www.postfix.org/postconf.5.html#defer_transports > > Indeed. In my backup scripts, I like to use something like the following > (fro

[pfx] Re: How to temporarily pause virtual mail delivery?

2023-11-22 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 22, 2023 at 07:32:06PM +, Matthias Nagel via Postfix-users wrote: > Am Mittwoch, 22. November 2023, 19:01:23 CET schrieb postfix--- via > Postfix-users: > > > I am looking for an option to temporarily pause delivery via LMTP and > > > defer mail while the Dovecot mailboxes are

[pfx] Re: Postfix + mysql connection lost after RCPT

2023-11-22 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 22, 2023 at 02:59:06PM -0300, Rafael Azevedo via Postfix-users wrote: > We're using Postfix + Mysql and we're getting this mysql connection > lost issue very often. > > Nov 22 14:38:28 smtp2 smtp2/smtpd[15858]: warning: > mysql:/etc/postfix/mysql_virtual_alias_maps.cf: query failed:

[pfx] Re: postfix does not use the MX of the parent domain

2023-11-21 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 21, 2023 at 04:24:35PM +0100, Vincent Lefevre via Postfix-users wrote: > When sending a mail to some @helpdesk.inria.fr address, postfix tries > to connect to helpdesk.inria.fr (which does not have a MX): > > Nov 21 15:43:26 joooj postfix/smtp[748304]: D1A104A9: >

[pfx] Re: Mail not for my domain

2023-11-20 Thread Viktor Dukhovni via Postfix-users
On Mon, Nov 20, 2023 at 10:00:01PM +0100, Joseph Castry via Postfix-users wrote: > On my postfix server I receive some mails who are not for my domain > (jcingenierie.fr) How do you determine whether the message is "for your domain"? Are you looking in the mail logs, the "Received" headers or

[pfx] Re: Amazon SES rejects text/rfc822-headers when header includes multipart content type - Workaround?

2023-11-20 Thread Viktor Dukhovni via Postfix-users
On Mon, Nov 20, 2023 at 11:02:15AM -0500, postfix--- via Postfix-users wrote: > > You'd need to apply "body checks" to internally generated mail, which is > > generally not recommended, and would apply regardless of context, not > > just to bounced header-only content. > > > > main.cf: > >

[pfx] Re: TLS server certificate verification fails

2023-11-20 Thread Viktor Dukhovni via Postfix-users
On Mon, Nov 20, 2023 at 04:01:05PM +0100, Marc Dierksen via Postfix-users wrote: > For the domain 'shieldersme.com' outbound TLS is configured via this entry > in the TLS policy map: > > shieldersme.com verify match=hostname:nexthop:dot-nexthop ciphers=high > protocols=>=TLSv1.2 > > When trying

[pfx] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-18 Thread Viktor Dukhovni via Postfix-users
On Sat, Nov 18, 2023 at 04:33:46PM +0900, Byung-Hee HWANG via Postfix-users wrote: > > or if you prefer: > > > > _25._tcp.mx1.org.example. IN CNAME _25._tlsa.org.example. > > _25._tcp.mx2.org.example. IN CNAME _25._tlsa.org.example. > > ... > > _25._tcp.mxN.org.example. IN CNAME

[pfx] Re: Return-path: == From:

2023-11-17 Thread Viktor Dukhovni via Postfix-users
On Fri, Nov 17, 2023 at 07:19:31PM +0100, Steffen Nurpmeso via Postfix-users wrote: >Remarks: many MTA installations and sites disallow setting an >explicit reverse-path, but for members of dedicated user >groups, or after MTA reconfiguration. > > I have no idea of how

[pfx] Re: Amazon SES rejects text/rfc822-headers when header includes multipart content type - Workaround?

2023-11-16 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 16, 2023 at 03:18:13PM -0500, postfix--- via Postfix-users wrote: > I'm thinking someone has probably already seen this and wondering if anyone > has a work around (other than send the bounce somewhere else which may or > may not be possible in my current situation, still

[pfx] TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-15 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 15, 2023 at 04:53:17PM +0100, Geert Hendrickx via Postfix-users wrote: > On Wed, Nov 15, 2023 at 10:29:41 -0500, James Cloos via Postfix-users wrote: > > LE announced a while back that they would not renew the cross cert. > > Yes, but dropping the cross-signed X1 root cert from the

[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 15, 2023 at 09:44:18PM +0900, Byung-Hee HWANG via Postfix-users wrote: > > Bottom line, if you're relying on that "2 1 1" record matching the ISRG > > root to match your Let's Encrypt chain, you're about to be disappointed, > > if you aren't already. See: > > > >

[pfx] TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-14 Thread Viktor Dukhovni via Postfix-users
The DANE/DNSSEC survey () has seen a recent spike in the number of MX hosts whose "2 1 1" TLSA records no longer match their certificate chain. The records in question all share the same digest value, for various TLSA base domains: _25._tcp.mx1.example. IN TLSA
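
The TAKE NOTE posts above, and the later reply explaining why "3 1 1" is the rational recommendation over "2 1 1", come down to which part of the chain the TLSA digest is bound to. The following is an added example, not code from the Postfix list or from Postfix itself. It uses the openssl command line (assumed to be on PATH) to mint a throwaway CA and an MX certificate, computes the SHA-256 digests that "usage selector 1" records carry (RFC 6698), then renews the MX certificate under a second, different CA, so that a "3 1 1" digest over the MX host's own public key can be seen to survive while a "2 1 1" digest over the issuer does not. All names, keys and CAs are constructed.

```python
# Added example, not from the Postfix list or from Postfix itself.
# Assumes the "openssl" CLI is on PATH; all keys, names and CAs are throwaway.
import hashlib
import os
import subprocess
import tempfile


def _openssl(*args, stdin=None):
    """Run one openssl sub-command and return its stdout bytes."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=True).stdout


def gen_key(path):
    """P-256 private key; used both for the CAs and for the MX host."""
    _openssl("ecparam", "-genkey", "-name", "prime256v1", "-noout", "-out", path)


def self_signed_ca(key, path, cn):
    """Self-signed issuer certificate standing in for an intermediate CA."""
    _openssl("req", "-x509", "-new", "-key", key, "-subj", f"/CN={cn}",
             "-days", "1", "-out", path)


def issue_leaf(leaf_key, ca_cert, ca_key, path, cn, serial):
    """Issue an MX certificate for leaf_key, signed by the given CA."""
    csr = _openssl("req", "-new", "-key", leaf_key, "-subj", f"/CN={cn}")
    _openssl("x509", "-req", "-CA", ca_cert, "-CAkey", ca_key,
             "-set_serial", str(serial), "-days", "1", "-out", path, stdin=csr)


def tlsa_digest(cert_path, selector):
    """Matching type 1 (SHA-256) over selector 0 (the whole DER certificate)
    or selector 1 (the DER SubjectPublicKeyInfo only), as in RFC 6698."""
    if selector == 0:
        der = _openssl("x509", "-in", cert_path, "-outform", "DER")
    else:
        pem = _openssl("x509", "-in", cert_path, "-noout", "-pubkey")
        der = _openssl("pkey", "-pubin", "-outform", "DER", stdin=pem)
    return hashlib.sha256(der).hexdigest()


def tlsa_rr(owner, usage, selector, cert_path):
    """Presentation form of the record, e.g. for _25._tcp.mx1.example."""
    return f"{owner} IN TLSA {usage} {selector} 1 {tlsa_digest(cert_path, selector)}"


def renewal_demo():
    """Keep the MX key, get the certificate issued once by CA "A" and once by
    CA "B" (a renewal that landed on a different intermediate), and return the
    digests that 3 1 1, 3 0 1 and 2 1 1 records would carry in each case."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        def p(name):
            return os.path.join(d, name)
        gen_key(p("mx.key"))
        for ca in ("A", "B"):
            gen_key(p(f"ca{ca}.key"))
            self_signed_ca(p(f"ca{ca}.key"), p(f"ca{ca}.pem"), f"Issuer {ca}")
            issue_leaf(p("mx.key"), p(f"ca{ca}.pem"), p(f"ca{ca}.key"),
                       p(f"mx{ca}.pem"), "mx1.example", 1000 + ord(ca))
            out[ca] = {
                "3 1 1": tlsa_digest(p(f"mx{ca}.pem"), 1),  # MX public key
                "3 0 1": tlsa_digest(p(f"mx{ca}.pem"), 0),  # whole MX cert
                "2 1 1": tlsa_digest(p(f"ca{ca}.pem"), 1),  # issuer public key
            }
    return out


if __name__ == "__main__":
    res = renewal_demo()
    for rec in ("3 1 1", "3 0 1", "2 1 1"):
        same = res["A"][rec] == res["B"][rec]
        print(f"{rec}: {'unchanged' if same else 'CHANGED'} after renewal under a new CA")
```

The "3 1 1" digest only stays stable because the MX key is reused across renewals; an ACME client that generates a fresh key on every renewal breaks "3 1 1" just as surely as a new intermediate breaks "2 1 1", which is why the safe pattern is to pre-publish the record for the next key before switching to it.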

[pfx] Re: FOLLOW-UP Re: Re: [ext] list.sys4.de fails with starttls

2023-11-14 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 14, 2023 at 03:56:25PM +0100, Patrick Ben Koetter via Postfix-users wrote: > It turned out that RedHat's SELinux policy does not cover Postfix' tlsproxy > and whenever tlsproxy takes out to do what Postfix wants it to do SELinux will > interfere and prohibit it from doing that. That

[pfx] Re: LDAP - how to design a virtual domain alias table?

2023-11-14 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 14, 2023 at 06:32:55PM +0100, Francis Augusto Medeiros-Logeay via Postfix-users wrote: > I figured out all the queries I need, except one. You see, right now, > I use Postfixadmin and my query for virtual_mailbox_domains is like > this: > > query = SELECT goto > FROM alias,

[pfx] Re: content filters

2023-11-09 Thread Viktor Dukhovni via Postfix-users
On Fri, Nov 10, 2023 at 12:58:38AM +0100, Ralph Seichter via Postfix-users wrote: > * Viktor Dukhovni via Postfix-users: > > > The requested filter is much too crude. How would the OP, for example, > > have participated in this thread with that filter in place! > >

[pfx] Re: Virtual mailbox config

2023-11-09 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 09, 2023 at 05:50:20PM -0500, Phil Stracchino via Postfix-users wrote: > virtual_mailbox_domains = seanfenian.com fenianhouse.com > virtual_mailbox_maps= lmdb:/etc/postfix/vmailbox > > virtual: > seanfen...@fenianhouse.com sean.fen...@fenianhouse.com >

[pfx] Re: Replacing ancient Qmail with Postfix.

2023-11-09 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 09, 2023 at 03:27:22PM -0500, Shaun Erickson via Postfix-users wrote: > mailserver.fd.com: > Accepts all mail from our servers (including itself). If the mail is > destined for fd.com, it is – with the exception of ab...@fd.com, > postmas...@fd.com, and r...@fd.com – sent straight

[pfx] Re: content filters

2023-11-09 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 09, 2023 at 07:29:07PM +0100, Ralph Seichter via Postfix-users wrote: > * true kernel via Postfix-users: > > > What are the plugins or filters for postfix to stop sending a special > > message body? > > You could try milter-regex (https://www.benzedrine.ch/milter-regex.html). A

[pfx] Re: Redirecting mail with an mx record containing *.protection.outlook.com or *.prod.outlook.com to a different transport

2023-11-08 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 08, 2023 at 12:41:55PM +0100, Norbert Schmidt via Postfix-users wrote: > Am I right, at the current moment this cannot be done within Postfix but > would have to be done in the DNS system, right? Your local resolver (e.g. unbound) could "assume ownership" of

[pfx] Re: Redirecting mail with an mx record containing *.protection.outlook.com or *.prod.outlook.com to a different transport

2023-11-07 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 07, 2023 at 08:14:04AM -0500, Wietse Venema via Postfix-users wrote: > Another option would be to use the DNS resolver (Bind, unbound, etc) > support to manipulate zone lookups. But the OP wants a dedicated transport (for concurrency control and scheduling), not a change of

[pfx] Re: local domain email collection

2023-11-06 Thread Viktor Dukhovni via Postfix-users
On Mon, Nov 06, 2023 at 11:55:44AM +0100, lejeczek via Postfix-users wrote: > I'm thinking having each box's root I'd forward to _allmail@my.private_ - > probably it's how many, if not everybody, do it. > Here, my 'allmail' is a user which exists, via Dovecot auth, on all boxes. > What I

[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)

2023-11-05 Thread Viktor Dukhovni via Postfix-users
On Sun, Nov 05, 2023 at 12:13:17PM +, Matthias Nagel via Postfix-users wrote: > Viktor, you recommend to use proxymap in combination with LDAP, Yes. > especially if all LDAP lookups use the same connection. Regardless of whether the connection settings are the same across all tables. But

[pfx] Re: When using LDAP over socket, „smtpd_sender_login_maps“ requires an LDAP socket relative to chroot in contrast to other map configurations (potential bug?)

2023-11-04 Thread Viktor Dukhovni via Postfix-users
On Sat, Nov 04, 2023 at 09:48:32AM -0400, Wietse Venema via Postfix-users wrote: > To be precise: Postfix opens your LDAP configuration file and asks > the LDAP library to create an LDAP client instance, before entering > the chroot jail and before accepting any SMTP client commands. > >

[pfx] Re: Postfix Options Override Or Add When In Both mater.cfg & main.cfg

2023-11-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Nov 03, 2023 at 02:29:55PM +1100, duluxoz via Postfix-users wrote: > Quick Q: Do the individual `-o` options in the `master.cfg` file *add to* or > *override* the equivalent option in the `main.cfg` file? https://www.postfix.org/master.5.html -- Viktor.

[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 02, 2023 at 09:35:47AM +0200, Jaco Lesch via Postfix-users wrote: > > I would have tried instead: > > > > PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig \ > > make makefiles dynamicmaps=yes shared=yes \ > > openssl_path="/usr/openssl/3/bin/openssl" \ > >   

[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-01 Thread Viktor Dukhovni via Postfix-users
On Wed, Nov 01, 2023 at 12:07:31PM +0200, Jaco Lesch via Postfix-users wrote: >    Building an OpenSSL Application >    The development files are available in the /usr/openssl/3/sub-directo- >    ries.  To  build  an  OpenSSL application, use the following cc command >    line

[pfx] Re: read postscreen database?

2023-10-31 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 31, 2023 at 01:38:13PM -0400, Michael W. Lucas via Postfix-users wrote: > That's what I would have thought. I can run postmap -s and postmap -q > on the usual db files in /etc/postfix just fine, but when I try it on > /var/db/postfix/postscreen_cache.db it just hangs: That's

[pfx] Re: submission behind haproxy, need to use a specific principal in keytab

2023-10-31 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 31, 2023 at 08:22:50AM -0400, Brendan Kearney via Postfix-users wrote: > > But since you mentioned haproxy and multiple nodes, you're still only > > working your way up to base-camp... > > > so, yes, full blown GSSAPI with all the fixin's. > The syncing of the keytab across the

[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-10-31 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 31, 2023 at 09:39:36AM -0400, Wietse Venema via Postfix-users wrote: > > make makefiles \ > > CC="/usr/bin/gcc" \ > > CCARGS="-m64 -DHAS_DB -DNO_NIS -DUSE_TLS -I/usr/openssl/3/include" > > \ > > AUXLIBS="-R/usr/openssl/3/lib -L/usr/openssl/3/lib -ldb -lssl

[pfx] Re: submission behind haproxy, need to use a specific principal in keytab

2023-10-30 Thread Viktor Dukhovni via Postfix-users
On Mon, Oct 30, 2023 at 08:19:16PM -0400, Brendan Kearney via Postfix-users wrote: > I am setting up submission behind haproxy and want to use kerberos > authentication via SASL. Do you mean *actual* Kerberos authentication (as in the SASL GSSAPI mechanism) with Kerberos tickets provided by the

[pfx] Re: Recommendation for dkim signing

2023-10-30 Thread Viktor Dukhovni via Postfix-users
On Mon, Oct 30, 2023 at 03:54:10PM -0400, Scott Kitterman via Postfix-users wrote: > > Scott Kitterman, when he gets around to reading this thread will I hope > > have more to say on the subject. > > I've implemented the options from OpenDKIM that I thought made sense. If > it's > in the

[pfx] Re: Recommendation for dkim signing

2023-10-30 Thread Viktor Dukhovni via Postfix-users
On Mon, Oct 30, 2023 at 10:06:46AM +0100, Jens Hoffrichter via Postfix-users wrote: > We are looking into implementing DKIM signing for one of our services, > and there are multiple ways to implement that. > > So far I have found that you can do it with opendkim and amavis - any >

[pfx] Re: Recommended APP to build approved transport recipients from Exchange / AD / LDAP

2023-10-26 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 26, 2023 at 07:46:40PM -0400, Joey J via Postfix-users wrote: > My only concern is if there is as an example a recipient that has literally > 2K email addresses with LDAP/AD, which associates with how much inbound > mail wont that slow down delivery a good amount, and potentially

[pfx] Re: Recommended APP to build approved transport recipients from Exchange / AD / LDAP

2023-10-26 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 26, 2023 at 07:11:23PM -0400, Joey J via Postfix-users wrote: > To confirm, I'm creating the list of valid emails to accept and then > forward and if not in that list reject. No, my advice is to replace the "list" with live LDAP queries to AD, on demand during each SMTP transaction.

[pfx] Re: Recommended APP to build approved transport recipients from Exchange / AD / LDAP

2023-10-26 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 26, 2023 at 06:32:53PM -0400, Wietse Venema via Postfix-users wrote: > > I'm trying to see if someone has a good app to connect to an exchange or > > O365 server either via LDAP or AD to grab all of the legitimate email > > accounts, forwarding accounts and Groups in order to build a

[pfx] Re: forward_path setting not being processed correctly after upgrade

2023-10-26 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 26, 2023 at 01:56:40PM -0500, sandm...@rice.edu wrote: > > So the cases that use ${recipient_delimiter} will only match addresses that > > actually have an extension. If you want to use it unconditionally, you'll > > need to use a literal "+", instead. > > Wow! There is no need

[pfx] Re: forward_path setting not being processed correctly after upgrade

2023-10-26 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 26, 2023 at 12:38:22PM -0500, sandmant--- via Postfix-users wrote: > I am updating a system from postfix-2.10.1 to postfix-3.5.9 (and > RHEL7->RHEL9), and it seems my forward_path is no longer getting > processed correctly. The Postfix local delivery agent is extremely stable

[pfx] Re: logging username in a failed smtp attemps

2023-10-24 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 24, 2023 at 07:05:13PM +0200, Eric Doutreleau wrote: > then I have to check in the cyrus-sasl side Cyrus SASL is just a library. It isn't its job to make independent decisions about what to log. It may have a "debug level" knob that Postfix could tweak, but running in "debug mode"

[pfx] Re: logging username in a failed smtp attemps

2023-10-24 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 24, 2023 at 12:52:37PM +0200, Paul Menzel via Postfix-users wrote: > Jozsef Kadlecsik submitted a patch, and it was accepted and is going to be > available in the 3.9 release [1]. > > > 20231006 > > > > Cleanup: attempt to log the SASL username after authentication > >

[pfx] Re: new waves of connect/disconnect from *.outlook.com; any add'l pfx configs useful for further remediation?

2023-10-18 Thread Viktor Dukhovni via Postfix-users
On Wed, Oct 18, 2023 at 10:17:52PM +0200, Markus Ueberall wrote: > On 18.10.23, 22:11 Markus Ueberall wrote via Postfix-users: > > I just tried an explicit "_25._tcp" CNAME as suggested above (using the > > shared RRset) /alongside/ the existing "*._tcp" CNAME which I did not > > want to

[pfx] Re: new waves of connect/disconnect from *.outlook.com; any add'l pfx configs useful for further remediation?

2023-10-17 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 17, 2023 at 12:42:39PM -0400, Viktor Dukhovni via Postfix-users wrote: > > [...] it took a while to realize that the above "STARTTLS,QUIT" > > behaviour is due to the fact that said outbound systems do not like to come > > across non-matching TLSA entries

[pfx] Re: new waves of connect/disconnect from *.outlook.com; any add'l pfx configs useful for further remediation?

2023-10-17 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 17, 2023 at 05:47:11PM +0200, Markus Ueberall via Postfix-users wrote: > On 17.08.23, 01:48 Viktor Dukhovni wrote via Postfix-users: > > So far, the pattern of Microsoft's outbound systems disconnecting > > immediately after a completed TLS handshake strongly correlates with a > >

[pfx] Re: Domain-Specific inbound relay host rules

2023-10-16 Thread Viktor Dukhovni via Postfix-users
On Mon, Oct 16, 2023 at 10:08:37AM -0500, B Williams wrote: > Huge thank you to Viktor and Tom for their ideas. I ended up using > this route (without the hash maps as the config doesn’t change much). Note that Tom's suggestion doesn't quite work as advertised. The configuration parameters:

[pfx] Re: Postscreen dnsbl logs

2023-10-16 Thread Viktor Dukhovni via Postfix-users
On Mon, Oct 16, 2023 at 10:33:34AM +0300, Ivan Ionut via Postfix-users wrote: > Hi, I'm using postscreen dnsbl configuration to block some spam: > > postscreen_blacklist_action = drop > postscreen_dnsbl_threshold = 4 > postscreen_dnsbl_action = enforce > postscreen_dnsbl_sites = >

[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 15, 2023 at 11:40:57AM -0400, Viktor Dukhovni via Postfix-users wrote: > > This is rather straightforward with access(5) rules: > > > > smtpd_restriction_classes = reject_unfiltered > > > > # Allow the filtering service IPv4/IPv6 CIDR blocks a

[pfx] Re: Domain-Specific inbound relay host rules

2023-10-15 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 15, 2023 at 08:52:18AM -0500, B Williams via Postfix-users wrote: > So what I’m trying to devise is a strategy that would allow me to > reject email for some domains if it didn’t come through the spam > filtering service, but allow messages for other domains to be > delivered that I

[pfx] Re: SMTP Require TLS Option?

2023-10-13 Thread Viktor Dukhovni via Postfix-users
On Fri, Oct 13, 2023 at 11:53:06AM +0200, Joachim Lindenberg via Postfix-users wrote: > Are there any ideas or plans to implement SMTP Require TLS Option (RFC > 8689) in postfix? No current plans. The most viable and useful part of the RFC is the part that allows a message to *opt out* of

[pfx] Re: Transport according to MX record

2023-10-11 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 12, 2023 at 02:02:55AM +0200, Daniel Ryšlink via Postfix-users wrote: > It's generally very useful to set up a specific transport for "sensitive" > domains like gmail.com with specific policy (throttling outgoing message > rate, etc). > > However, since more and more hosted domains

[pfx] Re: SASL username logging for failed authentications

2023-10-06 Thread Viktor Dukhovni via Postfix-users
On Fri, Oct 06, 2023 at 06:50:38PM -0400, Wietse Venema via Postfix-users wrote: > +} else { > + server->username = mystrdup(serverout); > + printable(server->username, '?'); I might note that when UTF8 is enabled, this does correctly leave valid UTF8 characters undisturbed.

[pfx] Re: tls and cert problem for submission

2023-10-05 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 05, 2023 at 04:18:35PM -0400, Alex via Postfix-users wrote: > I think I'm having a problem with my certificate for submission not > being configured properly. I'm trying to install roundcube but having > a problem with properly configuring the cert for submission, but when > using

[pfx] Re: Filterring out invalidu...@mydomain.com

2023-10-04 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 05, 2023 at 10:44:43AM +0700, Olivier via Postfix-users wrote: > How is it possible to configure Postfix to filter messages of the > form: from invalidu...@mydomain.com to validu...@mydomain.com > > I have been receiving quite a lot recently and they are trash.

[pfx] Re: smtpd rate limiting

2023-10-04 Thread Viktor Dukhovni via Postfix-users
On Wed, Oct 04, 2023 at 04:18:43PM +0200, Kevin Cousin via Postfix-users wrote: > > We have a solution for that, and that is not slowing down message > > arrivals or speeding up deliveries. > > Mails are arriving fast, they arrive quickly enough to fill the active > queue. SHOULD all these

[pfx] Re: smtpd rate limiting

2023-10-03 Thread Viktor Dukhovni via Postfix-users
On Tue, Oct 03, 2023 at 06:29:08PM -0400, Wietse Venema via Postfix-users wrote: > > My first wild guess is setting in_flow_delay to a higher value might > > help. Note this may be completely inappropriate for your specific > > application. > >

[pfx] Re: How to hide Exim behind Postfix (Configuring Postfix as a proxy in front of Exim MTAs) (was: Possible (indirect) libspf2 security issues)

2023-09-30 Thread Viktor Dukhovni via Postfix-users
On Sun, Oct 01, 2023 at 05:41:22AM +0200, Paul Menzel wrote: > Am 30.09.23 um 22:47 schrieb Viktor Dukhovni via Postfix-users: > > Recent news of security issues in Exim appear to in part implicate > > libspf2. > > Off-topic for Postfix users, but Tobias Fiebig

[pfx] Re: Possible (indirect) libspf2 security issues

2023-09-30 Thread Viktor Dukhovni via Postfix-users
On Sat, Sep 30, 2023 at 01:58:17PM -0800, Mike via Postfix-users wrote: > This is probably obvious to most, but not being a current user of > DKIM/DMARC, why don't you verify DKIM, or enforce DMARC for inbound > mail? The "problems" that DMARC attempts to solve aren't an issue on my end. I don't
