https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/
"...
you can use DMARC with only SPF – and absolutely should, at least as far as
enabling reporting –
..."
On Mon, Apr 27, 2020, 3:55 PM Ralph Seichter wrote:
> * pe...@pajamian.dhs.org:
>
> > DKIM is not required for
Fwiw I keep a pre-queue instance of milter-regex
https://www.benzedrine.ch/milter-regex.html
in place, for just such 'emergencies', as well as longer-term header
match/action.
Although it's a bit long in the tooth, and not actively supported, it still
works well enough.
It's a clean, easy
I missed the "message id" ...
You should be able to match/block any valid header name.
Add it to, or replace, what's in the match -- up to you. Personally, I've
never received a valid email from 'anything' @qq.com. YMMV.
If you're shutting down a flood, more extreme, blunt instrument
It ain't pretty, or recommended for the long term, but something like this
should slow it down
/etc/postfix/main.cf
header_checks = pcre:/etc/postfix/header_checks.pcre
/etc/postfix/header_checks.pcre
IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
/@qq\.com/i
fyi, if you prefer a dedicated user approach, just need to make sure you're
consistent,
groupdel opendkim
groupadd opendkim
useradd opendkim -g opendkim -G "" -s /bin/false -d /var/run/opendkim -M
usermod -a -G opendkim postfix
id opendkim
uid=5117(opendkim) gid=5117(opendkim)
Already read, with an apparent bad assumption on my part.
In this case, since the check's against the ccert's fingerprint, I'd
assumed 'trusted' to mean trusted if the fprint matches. Having
added the ccert's fingerprint to a lookup table on the server seemed
appropriate, similar to trust in
Viktor
That's consistent with, and explains, what I've been seeing -- that,
with smtpd_tls_req_ccert = yes
, ccert restriction works with a commercial crt's fingerprint
specified, but not with my self-signed cert.
I was digging in the self-signed cert itself, and having trouble
figuring out what
Noel
Have you tried with the default setting of smtpd_tls_ccert_verifydepth?
No.
At
http://www.postfix.org/postconf.5.html#smtpd_tls_ccert_verifydepth
smtpd_tls_ccert_verifydepth (default: 9)
Changed
--o smtpd_tls_ccert_verifydepth=2
+-o smtpd_tls_ccert_verifydepth=9
I'm locking down a postfix smarthost.
Goal is to only accept submissions to the smarthost from clients that
match known TLS fingerprints.
smarthost' service config is
[172.30.6.19]:587 inet n - n - - smtpd
-o syslog_name=postfix/smarthost
-o