[pfx] said: 550 Mail was identified as spam

2023-05-16 Thread lty--- via Postfix-users
 

https://www.mail-archive.com/postfix-users@postfix.org/msg99219.html


https://www.mail-archive.com/postfix-users@postfix.org/msg99175.html 

provide more information: 

SMTP server log: 

May 16 08:41:14 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F: from=, size=56791841, nrcpt=1 (queue active)
May 16 08:41:31 smtp3 postfix-sen/smtp[10076]: 3420CA2062F: to=, relay=x.x.x.x[x.x.x.x]:25, delay=18, delays=0.52/0/0.1/17, dsn=5.0.0, status=bounced (host x.x.x.x[x.x.x.x] said: 550 Mail was identified as spam. (in reply to end of DATA command))
May 16 08:41:31 smtp3 postfix-sen/bounce[13268]: 3420CA2062F: sender non-delivery notification: B222BA204F5
May 16 08:41:31 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F: removed

Relay server log: 

May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: connect from unknown[x.x.x.x]
May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: D2E6DFFFD7: client=unknown[x.x.x.x]
May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: lost connection after DATA (48169779 bytes) from unknown[x.x.x.x]
May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: disconnect from unknown[x.x.x.x]

SMTP server config: 

POSTCONF -N:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
authorized_submit_users = root
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix-sen/
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-sen
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
header_checks = regexp:/etc/postfix-sen/header_checks
html_directory = no
inet_interfaces = x.x.x.x
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 73400321
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
master_service_disable =
maximal_backoff_time = 3600s
maximal_queue_lifetime = 1d
message_size_limit = 73400320
minimal_backoff_time = 60s
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-sen
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = xxx
myhostname =
mynetworks = x.x.x.x, 127.0.0.1
myorigin = xx
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix-sen
queue_run_delay = 60s
readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES
sample_directory = /usr/share/doc/postfix-2.11.0/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_bind_address = x.x.x.x
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_recipient_limit = 210
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:
smtpd_reject_unlisted_sender = yes
transport_maps =
unknown_local_recipient_reject_code = 550
virtual_alias_domains =

cat /etc/postfix-sen/header_checks

/^X-CHENGMAILHOST: (.*)$/ FILTER smtp:$1

POSTCONF -MF:

smtp inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

RELAY CONFIG:
POSTCONF -N:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
authorized_submit_users = root
bounce_queue_lifetime = 1d
bounce_size_limit = 73400320
command_directory = /usr/sbin
config_directory = /etc/postfix-sen16/
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-sen16
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = x.x.x.x
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 73400321
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
master_service_disable =
maximal_backoff_time = 3600s
maximal_queue_lifetime = 1d
message_size_limit = 73400320
minimal_backoff_time = 1000s
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-sen16
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = hostname
mynetworks = /etc/postfix/network_table
newaliases_path = 
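The two logs above describe one message from two sides: the sending instance records the queue ID, size, DSN and the remote "550 ... said:" reply, while the relaying instance's smtpd records a new queue ID, a byte count and a lost connection. The Python below is an added example (not from this thread or from Postfix) that parses such lines, groups them by queue ID and places the sender's outcome next to the relay's session so the numbers can be compared. The sample lines are constructed to mirror the posted ones, keeping the x.x.x.x placeholders and filling the stripped addresses with example.org/example.net placeholders; the function names are this example's own.

```python
"""
Correlate one message's Postfix log trail across the sending instance and the
relaying instance by queue ID. Added example; sample log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed lines modelled on the thread's "SMTP server log".
SENDER_LOG = """\
May 16 08:41:14 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F: from=<user@example.org>, size=56791841, nrcpt=1 (queue active)
May 16 08:41:31 smtp3 postfix-sen/smtp[10076]: 3420CA2062F: to=<rcpt@example.net>, relay=x.x.x.x[x.x.x.x]:25, delay=18, delays=0.52/0/0.1/17, dsn=5.0.0, status=bounced (host x.x.x.x[x.x.x.x] said: 550 Mail was identified as spam. (in reply to end of DATA command))
May 16 08:41:31 smtp3 postfix-sen/bounce[13268]: 3420CA2062F: sender non-delivery notification: B222BA204F5
May 16 08:41:31 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F: removed
"""

# Constructed lines modelled on the thread's "Relay server log".
RELAY_LOG = """\
May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: connect from unknown[x.x.x.x]
May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: D2E6DFFFD7: client=unknown[x.x.x.x]
May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: lost connection after DATA (48169779 bytes) from unknown[x.x.x.x]
May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: disconnect from unknown[x.x.x.x]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[\w.-]+)/(?P<daemon>\w+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<qid>[0-9A-F]{10,12}): )?(?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
SAID_RE = re.compile(r"said: (\d{3})[ -](.*?)(?: \(in reply to (.*?)\))?$")
LOST_RE = re.compile(r"lost connection after (\w+) \((\d+) bytes\)")


def parse_line(line):
    """Syslog prefix, daemon, optional queue ID and key=value fields of one Postfix line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg, fields = rec["msg"], {}
    # status= carries the remote reply with nested parentheses and commas,
    # so take it whole before the simple key=value scan runs on the rest.
    head, sep, tail = msg.partition("status=")
    if sep:
        fields["status"] = tail.strip()
        msg = head
    for key, value in KV_RE.findall(msg):
        fields[key] = value.strip("<>")
    rec["fields"] = fields
    return rec


def queue_timeline(log_text):
    """All records per queue ID, in log order."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qid"]:
            by_qid[rec["qid"]].append(rec)
    return dict(by_qid)


def delivery_outcome(records):
    """(status word, dsn, remote-reply detail) from the delivery agent's status= record, else None."""
    for rec in records:
        status = rec["fields"].get("status")
        if status:
            word, _, detail = status.partition(" ")
            if detail.startswith("(") and detail.endswith(")"):
                detail = detail[1:-1]
            return word, rec["fields"].get("dsn"), detail
    return None


def split_remote_reply(detail):
    """SMTP code, reply text and the command it answered, out of 'host ... said: 550 ... (in reply to ...)'."""
    m = SAID_RE.search(detail)
    return {"code": m.group(1), "text": m.group(2), "in_reply_to": m.group(3)} if m else None


def relay_session(log_text, client):
    """What the receiving smtpd logged for one client: queue IDs, bytes read after DATA, any logged reject."""
    seen = {"queue_ids": [], "bytes_after_data": None, "reject_logged": False}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["daemon"] != "smtpd" or client not in rec["msg"]:
            continue
        if rec["qid"]:
            seen["queue_ids"].append(rec["qid"])
        seen["reject_logged"] |= "reject:" in rec["msg"]
        m = LOST_RE.search(rec["msg"])
        if m:
            seen["bytes_after_data"] = int(m.group(2))
    return seen


def correlate(sender_log, relay_log, qid, client):
    """The sender's view of one queue ID next to the relay's view of the session that carried it."""
    records = queue_timeline(sender_log)[qid]
    status, dsn, detail = delivery_outcome(records) or (None, None, "")
    reply = split_remote_reply(detail) or {}
    size = next((int(r["fields"]["size"]) for r in records if "size" in r["fields"]), None)
    relay = relay_session(relay_log, client)
    got = relay["bytes_after_data"]
    return {
        "queue_id": qid, "size": size, "status": status, "dsn": dsn,
        "smtp_code": reply.get("code"), "smtp_text": reply.get("text"), "in_reply_to": reply.get("in_reply_to"),
        "relay_queue_ids": relay["queue_ids"], "relay_bytes_after_data": got,
        "relay_reject_logged": relay["reject_logged"],
        # rough indicator only: bytes the relay counted before losing the connection vs the sender's queue-file size
        "relay_read_whole_message": got is not None and size is not None and got >= size,
    }


if __name__ == "__main__":
    for key, value in correlate(SENDER_LOG, RELAY_LOG, "3420CA2062F", "unknown[x.x.x.x]").items():
        print(f"{key:26} {value}")
```

Run as-is it prints the sender's 550/5.0.0 outcome beside the relay's byte count and the fact that this smtpd logged no reject of its own; point `SENDER_LOG`/`RELAY_LOG` at real files and adjust the queue ID and client string to reuse it.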

[pfx] Re: A strange DMARC failure

2023-05-16 Thread Tom Reed via Postfix-users



> On Tue, May 16, 2023 at 10:15:35PM -0400, Bill Cole via Postfix-users
>  wrote:
>
>> On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800)
>> Tom Reed via Postfix-users 
>> is rumored to have said:
>> [...]
>> > Since the message was sent to a mailing list which rewrites the
>> > envelope address and adds a list signature:
>> >
>> > 1) SPF for the header From: address won't pass due to SRS.
>> > 2) DKIM won't pass due to the list signature.
>> >
>> > So the DMARC failed totally and the message was rejected.
>> >
>> > How to improve this?
>>
>> Do not reject mail solely based on DMARC failure.
>>
>> DMARC is fragile and unreliable. It has WELL-KNOWN incompatibilities
>> with
>> traditional mailing list practices. The fact that DMARC exists does not
>> imply that it is entirely usable as deployed.
>>
>> --
>> Bill Cole
>> b...@scconsult.com or billc...@apache.org
>> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
>> Not Currently Available For Hire
>
> Yes, it's best to let receiving MUAs deal with DMARC
> failures, rather than mail servers (which should just
> add Authentication headers). Then individual mail users
> can decide how they personally want to deal with it.
>

Got it. Thanks for the suggestions.


-- 
sent from https://dkinbox.com/

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: A strange DMARC failure

2023-05-16 Thread raf via Postfix-users
On Tue, May 16, 2023 at 10:15:35PM -0400, Bill Cole via Postfix-users 
 wrote:

> On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800)
> Tom Reed via Postfix-users 
> is rumored to have said:
> [...]
> > Since the message was sent to a mailing list which rewrites the
> > envelope address and adds a list signature:
> > 
> > 1) SPF for the header From: address won't pass due to SRS.
> > 2) DKIM won't pass due to the list signature.
> > 
> > So the DMARC failed totally and the message was rejected.
> > 
> > How to improve this?
> 
> Do not reject mail solely based on DMARC failure.
> 
> DMARC is fragile and unreliable. It has WELL-KNOWN incompatibilities with
> traditional mailing list practices. The fact that DMARC exists does not
> imply that it is entirely usable as deployed.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

Yes, it's best to let receiving MUAs deal with DMARC
failures, rather than mail servers (which should just
add Authentication headers). Then individual mail users
can decide how they personally want to deal with it.

cheers,
raf



[pfx] Re: A strange DMARC failure

2023-05-16 Thread Bill Cole via Postfix-users

On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800)
Tom Reed via Postfix-users 
is rumored to have said:
> [...]
> Since the message was sent to a mailing list which rewrites the envelope
> address and adds a list signature:
>
> 1) SPF for the header From: address won't pass due to SRS.
> 2) DKIM won't pass due to the list signature.
>
> So the DMARC failed totally and the message was rejected.
>
> How to improve this?


Do not reject mail solely based on DMARC failure.

DMARC is fragile and unreliable. It has WELL-KNOWN incompatibilities 
with traditional mailing list practices. The fact that DMARC exists does 
not imply that it is entirely usable as deployed.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Postsrsd question

2023-05-16 Thread raf via Postfix-users
On Mon, May 15, 2023 at 08:40:50PM +0800, Tom Reed via Postfix-users 
 wrote:

> Hello list,
> 
> for Postsrsd, it rewrites all the sender addresses even if messages should
> be delivered locally.
> 
> how to set it up to not rewrite the sender for local addresses?
> 
> Thanks

If you only forward emails for a small, fixed number of addresses,
you can use github.com/zoni/postforward in combination with postsrsd,
but it requires an entry for each affected address in /etc/aliases.
It's not appropriate for more complex needs.

cheers,
raf



[pfx] Re: A strange DMARC failure

2023-05-16 Thread John Levine via Postfix-users
It appears that Tom Reed via Postfix-users  said:
>Since the message was sent to a mailing list which rewrites the envelope address
>and adds a list signature:
>
>1) SPF for the header From: address won't pass due to SRS.
>2) DKIM won't pass due to the list signature.
>
>So the DMARC failed totally and the message was rejected.

Right.  Approximately every mailing list in the world has this problem.

>How to improve this?

There is no good answer. If your system is fairly small, make a
whitelist of mailing lists (probably by IP) and skip the DMARC checks.

Some lists apply ARC headers which let you look back and see what the
DMARC result was before the list changed it, but most lists don't, and
at this point there is no ARC milter I would want to use.

R's,
John


[pfx] A strange DMARC failure

2023-05-16 Thread Tom Reed via Postfix-users


Greeting members,

I found that, after I enable opendmarc to reject messages, there are some
issues for list addresses. for example, this rejected message shows:

: host mx1.dkinbox.com[193.106.250.86] said: 550 5.7.1
rejected by DMARC policy for radlogic.com.au (in reply to end of DATA
command)


And I checked that, radlogic.com.au does have a p=reject policy:

_dmarc.radlogic.com.au. 3600 IN TXT "v=DMARC1; p=reject; fo=1; rua=mailto:ad...@radlogic.com.au;

Following their policy, I have the permission to reject it.


Since the message was sent to a mailing list which rewrites the envelope address
and adds a list signature:

1) SPF for the header From: address won't pass due to SRS.
2) DKIM won't pass due to the list signature.

So the DMARC failed totally and the message was rejected.

How to improve this?

Thank you.
Tom

-- 
sent from https://dkinbox.com/



[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Viktor Dukhovni via Postfix-users
On Tue, May 16, 2023 at 06:54:47PM -0400, Alex wrote:

> > The problems with their DNS are:
> >
> > - ns1.apr.gov.rs: EDNS(0) option intolerance, but returns
> >   FORMERR, so fallback to non-EDNS queries should (and does) work.
> >   [...]
> >   Disabling use of cookies in your BIND configuration would suffice.
> > [...]
> > Turn off cookies for queries to this domain, or generally.
> >
> 
> Turning off cookies for this server solved the problem, but it's not a very
> scalable method. I realize this isn't bind-users, but can I ask if there is
> a way to fallback to not using cookies, instead of having to create a
> server {} section for each broken server?
> 
> I have a bind-9.16.38 system and it's apparently able to query these broken
> servers without issue.

Perhaps BIND 9.18 does not fall back to non-EDNS queries as willingly,
and when using EDNS(0), assumes that cookies will be tolerated
(typically simply ignored, per RFC requirement for unknown/unsupported
options).  Your question does indeed belong on bind-users.

If you do find out something actionable, you can post the solution here.

-- 
Viktor.


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Alex via Postfix-users
Hi,

On Tue, May 16, 2023 at 4:16 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Tue, May 16, 2023 at 11:27:52AM -0400, Alex via Postfix-users wrote:
>
> > > > $ host info.apr.gov.rs
> > > > Host info.apr.gov.rs not found: 2(SERVFAIL)
> >
> > There's definitely a problem with their name servers, but it also seems my
> > version of bind is not permissive enough for such failures, although my
> > bind-9.16.38 system is, using the same configuration.
>
> The problems with their DNS are:
>
> - ns1.apr.gov.rs: EDNS(0) option intolerance, but returns
>   FORMERR, so fallback to non-EDNS queries should (and does) work.
>
> $ dig -t a +nocomment +nocookie +nostats +nocmd +norecur +nocl +nottl @ns1.apr.gov.rs info.apr.gov.rs.
> ;info.apr.gov.rs.   IN A
> info.apr.gov.rs.A   195.178.56.17
>
>   Disabling use of cookies in your BIND configuration would suffice.
>
> - ns2.apr.gov.rs: Supports EDNS(0), but returns SERVFAIL to all
>   queries.
>
> $ dig -t a +noall +comment +norecur +noedns +nocl +nottl @ns2.apr.gov.rs info.apr.gov.rs.
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42971
> ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> > Public name servers also appear to have no issues. I'm currently
> > researching these FORMERR messages.
>
> Turn off cookies for queries to this domain, or generally.
>

Turning off cookies for this server solved the problem, but it's not a very
scalable method. I realize this isn't bind-users, but can I ask if there is
a way to fallback to not using cookies, instead of having to create a
server {} section for each broken server?

I have a bind-9.16.38 system and it's apparently able to query these broken
servers without issue.

>
> --
> Viktor.


[pfx] Re: logging strangeness

2023-05-16 Thread Peter via Postfix-users

On 17/05/23 00:14, mailmary--- via Postfix-users wrote:

> I am talking about the authentication email, not MAIL FROM or RCPT TO.

There is no "authentication email".  There is a login username which can 
be just about anything and in your case likely just happens to match the 
user's email address.

> hmm, when using the -v parameter, just above the "SASL LOGIN authentication failed: 
> UGFzc3dvcmQ6" log entry, I can clearly see the email/password

What you are seeing is the direct SASL data being passed between the MUA 
and Dovecot server via Postfix.  Postfix is not actually aware of what 
this content is, it just blindly passes it back and forth.

> thus postfix knows the email address being authenticated BEFORE the error 
> message

No it does not (see above).

> so why not report the email, instead of a base64 string?

Postfix doesn't actually know what the login username is until after the 
login completes and is reported back to Postfix by the Dovecot server.



Peter


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Viktor Dukhovni via Postfix-users
On Tue, May 16, 2023 at 11:27:52AM -0400, Alex via Postfix-users wrote:

> > > $ host info.apr.gov.rs
> > > Host info.apr.gov.rs not found: 2(SERVFAIL)
>
> There's definitely a problem with their name servers, but it also seems my
> version of bind is not permissive enough for such failures, although my
> bind-9.16.38 system is, using the same configuration.

The problems with their DNS are:

- ns1.apr.gov.rs: EDNS(0) option intolerance, but returns
  FORMERR, so fallback to non-EDNS queries should (and does) work.

$ dig -t a +nocomment +nocookie +nostats +nocmd +norecur +nocl +nottl 
@ns1.apr.gov.rs info.apr.gov.rs.
;info.apr.gov.rs.   IN A
info.apr.gov.rs.A   195.178.56.17

  Disabling use of cookies in your BIND configuration would suffice.

- ns2.apr.gov.rs: Supports EDNS(0), but returns SERVFAIL to all
  queries.

$ dig -t a +noall +comment +norecur +noedns +nocl +nottl 
@ns2.apr.gov.rs info.apr.gov.rs.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42971
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

> Public name servers also appear to have no issues. I'm currently
> researching these FORMERR messages.

Turn off cookies for queries to this domain, or generally.

-- 
Viktor.


[pfx] Re: DKIM and DMARC

2023-05-16 Thread postfix--- via Postfix-users

K.I.S.S.

Because of forwarding, both SPF and DKIM signatures *could* be broken. This is 
what DMARC was introduced for.
DMARC checks the results of both SPF and DKIM, and as long as one of those two 
passes then the mail is good so DMARC passes.
If both SPF and DKIM fail, then DMARC fails, and *THEN* you reject the mail 
(policy permitting).

So no, imo, you should not blindly reject based on the outcome of DKIM.

Now, because not everyone understands or knows how all three of SPF, DKIM and DMARC 
play together and doesn't set all three up on their mail server...
If you have the ability to fine tune your policy, one step further would be to 
reject on a DKIM fail *ONLY* if there is no DMARC and no SPF set up.
And vice versa for SPF: if they are only using SPF and have no DKIM or DMARC, 
then reject on a failed SPF.


[pfx] Re: logging strangeness

2023-05-16 Thread Bill Cole via Postfix-users

On 2023-05-16 at 12:19:03 UTC-0400 (Tue, 16 May 2023 18:19:03 +0200)
Víctor Rubiella Monfort via Postfix-users 
is rumored to have said:

> For example, for imap/pop login failures Dovecot logs the email account that 
> produces the failure.


If you are using Dovecot for SASL and have auth_verbose enabled in 
Dovecot, it will log failures. For failed Postfix authentications, you 
will see lines logged by auth-worker in the info log with the username, 
remote IP, and failure type.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Benny Pedersen via Postfix-users

Bill Cole via Postfix-users wrote on 2023-05-16 17:34:

> I have no idea what the answer to that is, as I don't use OpenDMARC.
> You may want to figure out where, if anywhere, OpenDMARC support is
> available.


http://www.trusteddomain.org/opendmarc/


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Bastian Blank via Postfix-users
On Tue, May 16, 2023 at 09:44:41AM -0400, Wietse Venema via Postfix-users wrote:
> Looks like you have a *local* DNS problem. Check your routing,
> including netmasks.

The domain is broken. See
https://dnsviz.net/d/info.apr.gov.rs/dnssec/

One of the listed name servers is unresponsive and also differs between the
glue record and the in-zone record.

Also the remaining server is broken:

| The response had an invalid RCODE (FORMERR) until the NSID EDNS option
| was removed.

Bastian

-- 
Where there's no emotion, there's no motive for violence.
-- Spock, "Dagger of the Mind", stardate 2715.1


[pfx] Re: logging strangeness

2023-05-16 Thread Bastian Blank via Postfix-users
On Tue, May 16, 2023 at 07:32:55PM +0300, Eugene R via Postfix-users wrote:
> Am I correct that the string in question should normally contain the SASL
> response? While the "Password:" is apparently some interactive prompt,
> indicating that something might be wrong with the connection or
> configuration?

No, this is part of the (broken?) LOGIN type.  Use PLAIN and you don't
have that problem.

Bastian

-- 
War isn't a good life, but it's life.
-- Kirk, "A Private Little War", stardate 4211.8


[pfx] Re: logging strangeness

2023-05-16 Thread Eugene R via Postfix-users

Hello,

Am I correct that the string in question should normally contain the 
SASL response? While the "Password:" is apparently some interactive 
prompt, indicating that something might be wrong with the connection or 
configuration?


Eugene

On 16.05.2023 17:06, Wietse Venema via Postfix-users wrote:

> mailmary--- via Postfix-users:
>> In all honesty, the current situation of logging the base64 string 
>> "UGFzc3dvcmQ6" does not help us.
>>
>> Maybe we could reconsider, and actually log the data (raw or base64-decoded)?
>
> Absolutely not. As a matter of security principle, one does not
> log the content of login failures unless absolutely necessary.
>
> Wietse


[pfx] Re: logging strangeness

2023-05-16 Thread Víctor Rubiella Monfort via Postfix-users

Hi,

But what about showing the user login? Currently we have issues when fail2ban 
blocks IPs for a high number of failed logins, but it is a customer with 
several mail accounts and he doesn't know which badly configured account is 
causing the ban.


It would be so helpful to show the sasl_username that produces the failure.

For example, for imap/pop login failures Dovecot logs the email account that 
produces the failure.



On 16/5/23 at 16:06, Wietse Venema via Postfix-users wrote:

> mailmary--- via Postfix-users:
>> In all honesty, the current situation of logging the base64 string 
>> "UGFzc3dvcmQ6" does not help us.
>>
>> Maybe we could reconsider, and actually log the data (raw or base64-decoded)?
>
> Absolutely not. As a matter of security principle, one does not
> log the content of login failures unless absolutely necessary.
>
> Wietse


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Bill Cole via Postfix-users
On 2023-05-16 at 11:27:52 UTC-0400 (Tue, 16 May 2023 11:27:52 -0400)
Alex via Postfix-users 
is rumored to have said:

> Is there a way to control smtpd_recipient_restrictions on a per-domain
> basis so I can relax some of these restrictions for cases like this,
> instead of a more reactive approach where I'm always adding
> sender_checks.pcre entries?


Have you looked into using restriction classes?


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Wietse Venema via Postfix-users
Alex:
> Hi,
> 
> > > I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> > > disable reject_non_fqdn_sender because it seems many of their users have
> > > DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> > > resolve with:
> > >
> > > $ host info.apr.gov.rs
> > > Host info.apr.gov.rs not found: 2(SERVFAIL)
> >
> > $ host info.apr.gov.rs
> > info.apr.gov.rs has address 195.178.56.17
> >
> > Looks like you have a *local* DNS problem. Check your routing,
> > including netmasks.
> >
> 
> There's definitely a problem with their name servers, but it also seems my
> version of bind is not permissive enough for such failures, although my
> bind-9.16.38 system is, using the same configuration. Public name servers
> also appear to have no issues. I'm currently researching these FORMERR
> messages.
> 
> Is there a way to control smtpd_recipient_restrictions on a per-domain
> basis so I can relax some of these restrictions for cases like this,
> instead of a more reactive approach where I'm always adding
> sender_checks.pcre entries?

Instead of 

/etc/postfix/main.cf:
smtpd_recipient_restrictions = 
... reject_unknown_sender_domain ...

Use

/etc/postfix/main.cf:
smtpd_recipient_restrictions = 
... check_sender_access pcre:/etc/postfix/sender_access.pcre ...

/etc/postfix/sender_access.pcre:
/\.example\.com$/ DUNNO
/./ reject_unknown_sender_domain

Though I wonder how one would ever be able to reply to the sender.

Wietse


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Bill Cole via Postfix-users

On 2023-05-16 at 10:11:39 UTC-0400 (Tue, 16 May 2023 22:11:39 +0800)
Tom Reed via Postfix-users 
is rumored to have said:


> For OpenDMARC this setting:
>
> SPFSelfValidate true
>
> Can it handle the case when incoming message has rewritten
> envelope address by SRS then no SPF found for header From address?

I have no idea what the answer to that is, as I don't use OpenDMARC. You 
may want to figure out where, if anywhere, OpenDMARC support is 
available.

> If opendmarc can implement SPF checks for header From address,
> that would be much better.
>
> Thanks
>
>> On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800)
>> Tom Reed via Postfix-users 
>> is rumored to have said:
>>
>>> Hello list,
>>>
>>> Should we reject failed message on DKIM validation stage, or DMARC
>>> validation stage, or both?
>>
>> Generally, neither.
>>
>> IF (and ONLY IF) the "From: " header address domain aligns with the
>> DKIM-signing domain AND that domain also has a DMARC record in DNS which
>> specifies "p=reject" you may choose to reject a failed message. So,
>> obviously, you cannot know whether rejection is reasonable before doing
>> the full DKIM/DMARC analysis.
>>
>> NOTE WELL: DKIM signatures are notoriously fragile, and are broken by
>> MTA behaviors which have been commonplace for the lifetime of the
>> Internet. If you reject messages based on an existing DKIM signature not
>> verifying, you will reject some entirely legitimate mail for no good
>> reason.
>>
>> --
>> Bill Cole
>> b...@scconsult.com or billc...@apache.org
>> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
>> Not Currently Available For Hire
>
> --
> sent from https://dkinbox.com/

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Alex via Postfix-users
Hi,

> > I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> > disable reject_non_fqdn_sender because it seems many of their users have
> > DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> > resolve with:
> >
> > $ host info.apr.gov.rs
> > Host info.apr.gov.rs not found: 2(SERVFAIL)
>
> $ host info.apr.gov.rs
> info.apr.gov.rs has address 195.178.56.17
>
> Looks like you have a *local* DNS problem. Check your routing,
> including netmasks.
>

There's definitely a problem with their name servers, but it also seems my
version of bind is not permissive enough for such failures, although my
bind-9.16.38 system is, using the same configuration. Public name servers
also appear to have no issues. I'm currently researching these FORMERR
messages.

Is there a way to control smtpd_recipient_restrictions on a per-domain
basis so I can relax some of these restrictions for cases like this,
instead of a more reactive approach where I'm always adding
sender_checks.pcre entries?

Thanks,
Alex


[pfx] Re: logging strangeness

2023-05-16 Thread Benny Pedersen via Postfix-users

mailmary--- via Postfix-users wrote on 2023-05-16 14:14:

> so why not report the email, instead of a base64 string?

how useful is decoding the base64 here?

it's what happens next that is more useful to log

https://github.com/PowerDNS/weakforced


[pfx] Re: logging strangeness

2023-05-16 Thread Benny Pedersen via Postfix-users

Wietse Venema via Postfix-users wrote on 2023-05-16 13:52:

> That is not the case.

I know my weakforced is not perfect but I see all details before the reject, 
even if postfix doesn't log it


https://github.com/PowerDNS/weakforced


[pfx] Re: logging strangeness

2023-05-16 Thread Benny Pedersen via Postfix-users

mailmary--- via Postfix-users wrote on 2023-05-16 11:50:

> Isn't the above useless? Should it say something like:
> SASL LOGIN authentication failed: failed@email.address
>
> PS:
> I know that I can add -v to the smtpd submission process to get
> thousands of debug lines and among them is the user/email address that
> failed, but that seems like a horrible hack to get around the silly
> base64 encoded string.

want more control or detail, use weakforced

https://github.com/PowerDNS/weakforced




[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-16 Thread Benny Pedersen via Postfix-users

Ralf Hildebrandt via Postfix-users wrote on 2023-05-16 15:20:

> * Scott Kitterman via Postfix-users :
>> DKIM has no policy mechanism associated with it, so there's no basis 
>> in any standardized mechanism to determine if a DKIM failure should be 
>> cause for rejection.  I don't think it makes logical sense to treat a 
>> message with a DKIM signature that failed to verify any more harshly 
>> than you would unsigned mail.
>>
>> DMARC does have such a policy component.  Rejecting mail which fails 
>> DMARC for domains that have a policy of p=reject is common.  DMARC 
>> does have a high error rate for some types of email, so I would 
>> recommend a careful evaluation of what you would be rejecting before 
>> you do so.
>
> I always thought DMARC was the policy component for DKIM.

dmarc does not imho use ARC results yet :/

we are all using unstable unfinished software; take it over to rspamd, 
make sure rspamd ARC-seals/ARC-signs before mailman sees maillist postings. 
then it works as designed. last thing: don't DKIM-sign if not originating 
mails. how many rejects are there on the digest maillist? :=)




[pfx] Re: DKIM and DMARC

2023-05-16 Thread Benny Pedersen via Postfix-users

Scott Kitterman via Postfix-users wrote on 2023-05-16 15:04:

> DMARC does have such a policy component.  Rejecting mail which fails
> DMARC for domains that have a policy of p=reject is common.  DMARC
> does have a high error rate for some types of email, so I would
> recommend a careful evaluation of what you would be rejecting before
> you do so.

On cloud9 it was okay to reject based on DMARC policy, but here in sys4
it's now stupid, since DMARC is broken on purpose :(

Why does the mailing list accept posts from DMARC-reject members,
and at the same time break DKIM? Or why not even preserve SPF, DKIM and
DMARC in ARC sealing (ARC-Sign/ARC-Seal) first, before mailman breaks it
all?

I blame rspamd here.

Coders can confirm or deny it; we live in a free world, hopefully.


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Benny Pedersen via Postfix-users

João Silva via Postfix-users wrote on 2023-05-16 14:49:

> Yes, straight to a Spam folder.

A bit silly if it's a mailing list; if it's spam, why not unsubscribe?

I lose, maybe :/


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Benny Pedersen via Postfix-users

Tom Reed via Postfix-users wrote on 2023-05-16 14:41:

> so for both DKIM and DMARC failure you send them to spam folder?

What DMARC policy? none, quarantine, reject?

Forget DKIM here; it's not designed to be a spam scanner.


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Benny Pedersen via Postfix-users

Tom Reed via Postfix-users wrote on 2023-05-16 14:16:

> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?

If DKIM is based on reject, you will ignore DMARC policy; just don't
reject, that is safe :)

Tip: add an IP whitelist in both so you never ever reject mailing lists.
This will allow direct mails to be rejected by DMARC policy. Hopefully
DKIM will in coming updates have the reject code removed; it does not
belong there.

In Postfix, do smtpd_milter_maps with CIDR listings of mail servers that
run mailing lists, with value DISABLE; then Postfix will not do any milter
tests for IPs listed as mailing lists.

My point: save resources.


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Tom Reed via Postfix-users
For OpenDMARC this setting:

SPFSelfValidate true

Can it handle the case where an incoming message has its envelope address
rewritten by SRS, so that no SPF is found for the header From address?

If OpenDMARC could implement SPF checks for the header From address,
that would be much better.


 Thanks

> On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800)
> Tom Reed via Postfix-users 
> is rumored to have said:
>
>> Hello list,
>>
>> Should we reject failed message on DKIM validation stage, or DMARC
>> validation stage, or both?
>
> Generally, neither.
>
> IF (and ONLY IF) the "From: " header address domain aligns with the
> DKIM-signing domain AND that domain also has a DMARC record in DNS which
> specifies "p=reject"  you may choose to reject a failed message. So,
> obviously, you cannot know whether rejection is reasonable before doing
> the full DKIM/DMARC analysis.
>
> NOTE WELL: DKIM signatures are notoriously fragile, and are broken by
> MTA behaviors which have been commonplace for the lifetime of the
> Internet. If you reject messages based on an existing DKIM signature not
> verifying, you will reject some entirely legitimate mail for no good
> reason.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire


-- 
sent from https://dkinbox.com/



[pfx] Re: [pfx]: DKIM and DMARC

2023-05-16 Thread Scott Kitterman via Postfix-users



On May 16, 2023 1:20:53 PM UTC, Ralf Hildebrandt via Postfix-users 
 wrote:
>* Scott Kitterman via Postfix-users :
>
>> DKIM has no policy mechanism associated with it, so there's no basis in any 
>> standardized mechanism to determine if a DKIM failure should be cause for 
>> rejection.  I don't think it makes logical sense to treat a message with a 
>> DKIM signature that failed to verify any more harshly than you would 
>> unsigned mail.
>> 
>> DMARC does have such a policy component.  Rejecting mail which fails DMARC 
>> for domains that have a policy of p=reject is common.  DMARC does have a 
>> high error rate for some types of email, so I would recommend a careful 
>> evaluation of what you would be rejecting before you do so.
>
>I always thought DMARC was the policy component for DKIM.

Sort of.  DMARC is its own protocol that is built on top of the email 
authentication information provided by DKIM and SPF.  It uses both in ways that 
are somewhat different than what they were designed for, but more or less works 
(the less part leads to the failure cases).

To the extent there is a policy component for DKIM, DMARC is it, but they are 
each their own thing.  This is different than DomainKeys, which had policy 
built in.

Scott K


[pfx] Re: logging strangeness

2023-05-16 Thread Wietse Venema via Postfix-users
mailmary--- via Postfix-users:
> 
> In all honesty, the current situation of logging the base64 string 
> "UGFzc3dvcmQ6" does not help us.
> 
> Maybe we could reconsider, and actually log the data (raw or base64-decoded)?

Absolutely not. As a matter of security principle, one does not
log the content of login failures unless absolutely necessary.

Wietse


[pfx] Re: logging strangeness

2023-05-16 Thread mailmary--- via Postfix-users


In all honesty, the current situation of logging the base64 string 
"UGFzc3dvcmQ6" does not help us.

Maybe we could reconsider, and actually log the data (raw or base64-decoded)?




On Tue, 16 May 2023 09:30:44 -0400 (EDT) Wietse Venema via Postfix-users 
 wrote:

> mailmary--- via Postfix-users:
> > 
> > I am talking about the authentication email, not MAIL FROM or RCPT TO.
> > 
> > hmm, when using the -v parameter, just above the "SASL LOGIN
> > authentication failed: UGFzc3dvcmQ6" log entry, I can clearly see
> > the email/password
> >
> > thus postfix knows the email address being authenticated BEFORE
> > the error message  
> 
> Postfix does not implement the SASL protocol. Postfix passes the
> > data to the Dovecot authentication server or to the Cyrus SASL
> library without parsing it.
> 
> Also, logging the login details is not a good idea.
> 
>   Wietse


[pfx] Re: per-domain sender_checks?

2023-05-16 Thread Wietse Venema via Postfix-users
Alex via Postfix-users:
> Hi,
> I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> disable reject_non_fqdn_sender because it seems many of their users have
> DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> resolve with:
> 
> $ host info.apr.gov.rs
> Host info.apr.gov.rs not found: 2(SERVFAIL)

$ host info.apr.gov.rs
info.apr.gov.rs has address 195.178.56.17

Looks like you have a *local* DNS problem. Check your routing,
including netmasks.

Wietse


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Byung-Hee HWANG via Postfix-users
Tom Reed via Postfix-users  writes:

> Hello list,
>
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?

I even DKIM-sign the mail one more time. For forwarding to Gmail.
See https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/setup-policy.lua


Sincerely, Byung-Hee 

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: logging strangeness

2023-05-16 Thread Wietse Venema via Postfix-users
mailmary--- via Postfix-users:
> 
> I am talking about the authentication email, not MAIL FROM or RCPT TO.
> 
> hmm, when using the -v parameter, just above the "SASL LOGIN
> authentication failed: UGFzc3dvcmQ6" log entry, I can clearly see
> the email/password
>
> thus postfix knows the email address being authenticated BEFORE
> the error message

Postfix does not implement the SASL protocol. Postfix passes the
data to the Dovecot authentication server or to the Cyrus SASL
library without parsing it.

Also, logging the login details is not a good idea.

Wietse


[pfx] per-domain sender_checks?

2023-05-16 Thread Alex via Postfix-users
Hi,
I have a postfix-3.7.3 fedora37 system and have a few users who want me to
disable reject_non_fqdn_sender because it seems many of their users have
DNS problems. For example, email from nore...@info.apr.gov.rs fails to
resolve with:

$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERVFAIL)

and the following in my bind logs:
16-May-2023 09:01:37.082 resolver: DNS format error from 195.178.56.17#53
resolving ns2.apr.gov.rs/ for : server sent FORMERR
16-May-2023 09:01:37.082 lame-servers: received FORMERR resolving '
ns2.apr.gov.rs//IN': 195.178.56.17#53
16-May-2023 09:01:41.088 lame-servers: timed out resolving '
ns2.apr.gov.rs//IN': 212.62.49.194#53
16-May-2023 09:01:41.095 lame-servers: timed out resolving '
ns1.apr.gov.rs//IN': 212.62.49.194#53

Their name servers appear to be broken.

and in the (multi-instance) postfix logs I have the following:
May 16 07:23:53 iceman postfix-199/smtpd[2634611]: NOQUEUE: reject: RCPT
from unknown[195.178.56.17]: 450 4.1.8 : Sender
address rejected: Domain not found; from= to=<
sovljansk...@example.co.rs> proto=ESMTP helo=

Without a FQDN, I'm of course concerned about disabling any form of
spoofing protection, particularly for what appears to be mail from a
government agency domain, but we also can't just block mail because of
that. The return path is also the same domain, which means we also have no
ability to verify the email origin using SPF.

I've since added an entry to my sender_checks.pcre that appears to be
working:
/info\.apr\.gov\.rs/permit

So my questions are related to this specific instance where email was being
rejected from this domain, and the way I handled it, but also the broader
question about how to relax some of the DNS checks that we use to
prevent sender fraud. How can I find a "happy medium" to limit fraud as
much as possible, yet not reject all mail because they're having temporary
DNS issues?

$ postconf -fn -c /etc/postfix-120
...
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
reject_non_fqdn_sender, reject_unlisted_recipient,
reject_unknown_recipient_domain, permit_mynetworks,
reject_unauth_destination, reject_rhsbl_sender
[reject_rbls ...]
${indexed}check_backscatterer, check_helo_access
pcre:$config_directory/helo_checks.pcre, check_helo_access
${indexed}helo_checks, reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname, check_policy_service
unix:private/policy-spf,
check_policy_service inet:127.0.0.1:2501, check_recipient_access
pcre:$config_directory/recipient_checks, check_recipient_access
pcre:$config_directory/relay_recips_access, check_recipient_access,
permit

Thanks so much for any ideas.
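The `sender_checks.pcre` line in the post above is unanchored. As an added example (not code from the thread or from Postfix), the Python below simulates how a Postfix `pcre:` access table evaluates such an entry, following the semantics documented in access(5) and pcre_table(5): each pattern is applied to the entire lookup key, a regexp/pcre table does not split the address into localpart and domain, matching is case-insensitive by default, and the first matching pattern's action wins. It compares the posted pattern with an anchored variant over a set of constructed sender addresses (`example.net` is a placeholder domain).

```python
"""Simulate Postfix pcre: access-table matching for a sender_checks entry.

Added example; not code from the thread or from Postfix. The Postfix
behaviour modelled here (from access(5)/pcre_table(5)): for regexp/pcre
tables each pattern is applied to the entire lookup key, the address is not
broken into localpart/domain, patterns are case-insensitive by default, and
the first matching pattern's action wins.
"""
import re

# The entry as posted in the thread:  /info\.apr\.gov\.rs/permit
LOOSE_TABLE = [(re.compile(r"info\.apr\.gov\.rs", re.IGNORECASE), "permit")]

# Anchored variant: only senders whose domain is exactly info.apr.gov.rs.
STRICT_TABLE = [(re.compile(r"@info\.apr\.gov\.rs$", re.IGNORECASE), "permit")]

# Constructed lookup keys; example.net is a placeholder domain.
SAMPLE_SENDERS = [
    "noreply@info.apr.gov.rs",
    "NoReply@INFO.apr.gov.rs",
    "someone@info.apr.gov.rs.example.net",
    "info.apr.gov.rs@example.net",
    "noreply@example.net",
]


def lookup(table, sender):
    """Return the action of the first pattern that matches anywhere in the key, or None."""
    for pattern, action in table:
        if pattern.search(sender):
            return action
    return None


def over_matched(loose, strict, senders):
    """Senders the loose table permits but the strict table does not."""
    return [s for s in senders
            if lookup(loose, s) == "permit" and lookup(strict, s) is None]


if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{s:40} loose={lookup(LOOSE_TABLE, s)} strict={lookup(STRICT_TABLE, s)}")
    print("permitted only by the unanchored entry:", over_matched(LOOSE_TABLE, STRICT_TABLE, SAMPLE_SENDERS))
```

The unanchored entry permits any sender whose full address merely contains the string, so an exception meant for one domain becomes wider than intended; anchoring on `@domain$` keeps the exception to the sender domain actually being excused.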


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Jaroslaw Rafa via Postfix-users
On 16.05.2023 at 20:16:21 Tom Reed via Postfix-users writes:
> 
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?

There is no rule stating what you "should" do in these cases. It depends on
what you *want* to do, that is - what exact result you want to obtain.

Myself, I would recommend neither. But everyone has different needs and
goals. My goal is to lose as little legitimate mail as possible, so I
completely ignore SPF, DKIM and DMARC on incoming mail.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-16 Thread Ralf Hildebrandt via Postfix-users
* Scott Kitterman via Postfix-users :

> DKIM has no policy mechanism associated with it, so there's no basis in any 
> standardized mechanism to determine if a DKIM failure should be cause for 
> rejection.  I don't think it makes logical sense to treat a message with a 
> DKIM signature that failed to verify any more harshly than you would unsigned 
> mail.
> 
> DMARC does have such a policy component.  Rejecting mail which fails DMARC 
> for domains that have a policy of p=reject is common.  DMARC does have a high 
> error rate for some types of email, so I would recommend a careful evaluation 
> of what you would be rejecting before you do so.

I always thought DMARC was the policy component for DKIM.
-- 
Ralf Hildebrandt
  IT Division | Network Department
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | https://www.charite.de



[pfx] Re: DKIM and DMARC

2023-05-16 Thread Bill Cole via Postfix-users

On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800)
Tom Reed via Postfix-users 
is rumored to have said:


> Hello list,
>
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?


Generally, neither.

IF (and ONLY IF) the "From: " header address domain aligns with the 
DKIM-signing domain AND that domain also has a DMARC record in DNS which 
specifies "p=reject"  you may choose to reject a failed message. So, 
obviously, you cannot know whether rejection is reasonable before doing 
the full DKIM/DMARC analysis.


NOTE WELL: DKIM signatures are notoriously fragile, and are broken by 
MTA behaviors which have been commonplace for the lifetime of the 
Internet. If you reject messages based on an existing DKIM signature not 
verifying, you will reject some entirely legitimate mail for no good 
reason.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Scott Kitterman via Postfix-users



On May 16, 2023 12:16:21 PM UTC, Tom Reed via Postfix-users 
 wrote:
>Hello list,
>
>Should we reject failed message on DKIM validation stage, or DMARC
>validation stage, or both?

No and it depends.

DKIM has no policy mechanism associated with it, so there's no basis in any 
standardized mechanism to determine if a DKIM failure should be cause for 
rejection.  I don't think it makes logical sense to treat a message with a DKIM 
signature that failed to verify any more harshly than you would unsigned mail.

DMARC does have such a policy component.  Rejecting mail which fails DMARC for 
domains that have a policy of p=reject is common.  DMARC does have a high error 
rate for some types of email, so I would recommend a careful evaluation of what 
you would be rejecting before you do so.

Scott K


[pfx] Re: DKIM and DMARC

2023-05-16 Thread João Silva via Postfix-users

Yes, straight to a Spam folder.

On 16/05/2023 13:41, Tom Reed via Postfix-users wrote:

>> On 16/05/2023 13:16, Tom Reed via Postfix-users wrote:
>>
>>> Hello list,
>>>
>>> Should we reject failed message on DKIM validation stage, or DMARC
>>> validation stage, or both?
>>
>> Just my opinion...
>>
>> I see lots (and I mean lots) of DKIM failures due to mails sent to
>> mailing lists that have clueless administrators.
>>
>> I also see lots of DMARC failures arriving to mailboxes of people that
>> insist that forwards are a proper way to handle mail.
>>
>> (Please, if I am wrong or otherwise forgetting the proper way to handle
>> the above situations give suggestions, they will be welcomed)
>>
>> So, instead of a plain reject (that may have the side effect of
>> discarding legitimate email) I send those to a Spam folder.
>
> so for both DKIM and DMARC failure you send them to spam folder?
>
> Thanks





[pfx] Re: DKIM and DMARC

2023-05-16 Thread Tom Reed via Postfix-users



>
> On 16/05/2023 13:16, Tom Reed via Postfix-users wrote:
>> Hello list,
>>
>> Should we reject failed message on DKIM validation stage, or DMARC
>> validation stage, or both?
>
> Just my opinion...
>
> I see lots (and I mean lots) of DKIM failures due to mails sent to
> mailing lists that have clueless administrators.
>
> I also see lots of DMARC failures arriving to mailboxes of people that
> insist that forwards are a proper way to handle mail.
>
> (Please, if I am wrong or otherwise forgetting the proper way to handle
> the above situations give suggestions, they will be welcomed)
>
> So, instead of a plain reject (that may have the side effect of
> discarding legitimate email) I send those to a Spam folder.
>
>>

so for both DKIM and DMARC failure you send them to spam folder?

Thanks


-- 
sent from https://dkinbox.com/



[pfx] Re: DKIM and DMARC

2023-05-16 Thread João Silva via Postfix-users



On 16/05/2023 13:16, Tom Reed via Postfix-users wrote:

> Hello list,
>
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?


Just my opinion...

I see lots (and I mean lots) of DKIM failures due to mails sent to 
mailing lists that have clueless administrators.


I also see lots of DMARC failures arriving to mailboxes of people that 
insist that forwards are a proper way to handle mail.


(Please, if I am wrong or otherwise forgetting the proper way to handle 
the above situations give suggestions, they will be welcomed)


So, instead of a plain reject (that may have the side effect of 
discarding legitimate email) I send those to a Spam folder.




Thanks.






[pfx] DKIM and DMARC

2023-05-16 Thread Tom Reed via Postfix-users
Hello list,

Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?

Thanks.



-- 
sent from https://dkinbox.com/



[pfx] Re: logging strangeness

2023-05-16 Thread mailmary--- via Postfix-users


I am talking about the authentication email, not MAIL FROM or RCPT TO.

hmm, when using the -v parameter, just above the "SASL LOGIN authentication 
failed: UGFzc3dvcmQ6" log entry, I can clearly see the email/password

thus postfix knows the email address being authenticated BEFORE the error 
message

so why not report the email, instead of a base64 string?




On Tue, 16 May 2023 07:52:08 -0400 (EDT) Wietse Venema via Postfix-users 
 wrote:

> You appear to believe that
> 
> - The Postfix SMTP server already knows the MAIL FROM or RCPT TO
> address when the remote SMTP client sends the AUTH command,
> 
> or that
> 
> - The Postfix SMTP server can predict the future MAIL FROM or RCPT
> TO address when it receives the AUTH command.
> 
> That is not the case.
> 
>   Wietse


[pfx] Re: said: 550 Mail was identified as spam

2023-05-16 Thread Wietse Venema via Postfix-users
lty--- via Postfix-users:
> SMTP server log: 
> 
> May 16 08:41:14 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F:
> from=, size=56791841, nrcpt=1 (queue active) 
> May 16 08:41:31 smtp3 postfix-sen/smtp[10076]: 3420CA2062F:
> to=, relay=x.x.x.x[x.x.x.x]:25, delay=18,
> delays=0.52/0/0.1/17, dsn=5.0.0, status=bounced (host x.x.x.x[x.x.x.x]
> said: 550 Mail was identified as spam. (in reply to end of DATA
> command)) 
> 
> Relay server log: 
> 
> May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: connect from
> unknown[x.x.x.x] 
> May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: D2E6DFFFD7:
> client=unknown[x.x.x.x] 
> May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: lost connection
> after DATA (48169779 bytes) from unknown[x.x.x.x] 
> May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: disconnect from
> unknown[x.x.x.x] 

There is a spam filter between the sending and the receiving server.
The spam filter drops the connection to the relay server after
48169779 bytes, and replies "550 Mail was identified as spam".

If Postfix has blocked the message, it would have sent an RFC 3463
enhanced status code like

550 5.7.x Mail was identified as spam

Wietse
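The distinction Wietse draws above (a Postfix reject carries an RFC 3463 enhanced status code such as 5.7.x, a bare "550 ..." does not) can be checked mechanically from the sending server's own log. The Python below is an added example, not code from the thread or from Postfix: it parses a `status=bounced` line from the Postfix SMTP client log, extracts the remote server's reply, and reports whether that reply included an enhanced status code. The two log lines are constructed after the one quoted in the thread, with made-up queue ids and documentation-range addresses.

```python
"""Extract the remote reply from a Postfix 'status=bounced' log line and
report whether it carried an RFC 3463 enhanced status code.

Added example; not code from the thread or from Postfix. The sample lines
are constructed after the log quoted in the thread (queue ids made up,
192.0.2.0/24 is documentation address space).
"""
import re

# Shaped like the thread's line: a 550 with no enhanced status code.
SAMPLE_FILTER_REJECT = (
    "May 16 08:41:31 smtp3 postfix-sen/smtp[10076]: 1A2B3C4D5E6F: "
    "to=<user@example.org>, relay=192.0.2.25[192.0.2.25]:25, delay=18, "
    "delays=0.52/0/0.1/17, dsn=5.0.0, status=bounced (host 192.0.2.25[192.0.2.25] "
    "said: 550 Mail was identified as spam. (in reply to end of DATA command))"
)

# Constructed counterpart: the reply carries a 5.7.1 enhanced status code.
SAMPLE_ENHANCED_REJECT = (
    "May 16 09:00:00 smtp3 postfix-sen/smtp[10077]: 6F5E4D3C2B1A: "
    "to=<user@example.org>, relay=192.0.2.26[192.0.2.26]:25, delay=1.2, "
    "delays=0.1/0/0.1/1, dsn=5.7.1, status=bounced (host 192.0.2.26[192.0.2.26] "
    "said: 550 5.7.1 Mail was identified as spam (in reply to end of DATA command))"
)

# Postfix smtp(8) bounce record: dsn=..., status=bounced (host H said: REPLY (in reply to STAGE))
BOUNCED_RE = re.compile(
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=bounced \(host (?P<host>\S+) said: "
    r"(?P<reply>.*?) \(in reply to (?P<stage>[^)]*)\)\)\s*$"
)

# SMTP reply: 3-digit code, optional RFC 3463 class.subject.detail, free text.
REPLY_RE = re.compile(
    r"^(?P<code>[245]\d\d)[ -](?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$"
)


def parse_bounce(line):
    """Return the remote reply details from a status=bounced line, or None."""
    m = BOUNCED_RE.search(line)
    if not m:
        return None
    r = REPLY_RE.match(m.group("reply"))
    if not r:
        return None
    return {
        "host": m.group("host"),
        "dsn": m.group("dsn"),          # what Postfix recorded for the DSN
        "code": r.group("code"),        # the 3-digit SMTP reply code
        "enhanced": r.group("esc"),     # RFC 3463 code, None if the server sent none
        "text": r.group("text"),
        "stage": m.group("stage"),      # SMTP command the reply answered
    }


def has_enhanced_status(line):
    """True when the remote reply itself carried an enhanced status code."""
    info = parse_bounce(line)
    return bool(info and info["enhanced"])


if __name__ == "__main__":
    for sample in (SAMPLE_FILTER_REJECT, SAMPLE_ENHANCED_REJECT):
        info = parse_bounce(sample)
        print(info["host"], info["code"], info["enhanced"], "|", info["text"], "|", info["stage"])
```

On the first line, shaped like the thread's, `enhanced` is `None`: the 550 arrived without the 5.7.x code a Postfix reject would have attached, which is the evidence Wietse uses to place the rejecting component in front of the relay's Postfix rather than in it.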


[pfx] Re: logging strangeness

2023-05-16 Thread Wietse Venema via Postfix-users
mailmary--- via Postfix-users:
> 
> Out of curiosity, why does postfix display the base64 encoded "Password:" 
> string on failed authentication, instead of the user/email that actually 
> failed?
> 
> eg:
> warning: unknown[59.2.250.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
...
> 
> Isn't the above useless? Should it say something like:
> 
> SASL LOGIN authentication failed: failed@email.address

You appear to believe that

- The Postfix SMTP server already knows the MAIL FROM or RCPT TO
address when the remote SMTP client sends the AUTH command,

or that

- The Postfix SMTP server can predict the future MAIL FROM or RCPT
TO address when it receives the AUTH command.

That is not the case.

Wietse


[pfx] logging strangeness

2023-05-16 Thread mailmary--- via Postfix-users


Out of curiosity, why does postfix display the base64 encoded "Password:" 
string on failed authentication, instead of the user/email that actually failed?

eg:
warning: unknown[59.2.250.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[1.219.223.120]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[14.34.85.245]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[5.202.234.36]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[37.25.36.50]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[58.242.86.203]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[43.129.246.148]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[60.29.100.218]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[218.28.30.132]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[65.210.80.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6


Isn't the above useless? Should it say something like:


SASL LOGIN authentication failed: failed@email.address


PS:
I know that I can add -v to the smtpd submission process to get thousands of 
debug lines and among them is the user/email address that failed, but that 
seems like a horrible hack to get around the silly base64 encoded string.

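The warnings quoted above do carry something a defender can use, even though the trailing token is only the base64 encoding of "Password:" (the prompt, not the credential) and Postfix, as Wietse explains, does not parse the SASL exchange itself. The following Python is an added example, not code from the thread or from Postfix: it parses `SASL ... authentication failed` warnings, decodes the trailing token so it can be shown for what it is, and counts failures per client IP, which is the input a rate-limiting tool such as the weakforced mentioned in the thread would act on. The log lines are constructed to have the shape of the ones quoted, with documentation-range IPs.

```python
"""Summarize Postfix 'SASL <mech> authentication failed' warnings per client.

Added example; not code from the thread or from Postfix. SAMPLE_LOG is
constructed to match the shape of the lines quoted in the thread; the
IPs are from documentation address space.
"""
import base64
import re
from collections import Counter

SAMPLE_LOG = """\
May 16 10:01:02 mx postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:01:05 mx postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:01:09 mx postfix/smtpd[1235]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:01:12 mx postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 16 10:02:00 mx postfix/smtpd[1236]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed:
May 16 10:02:30 mx postfix/smtpd[1236]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 quit=1 commands=2/3
"""

# warning: <hostname>[<ip>]: SASL <mechanism> authentication failed: [<token>]
FAILED_RE = re.compile(
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:(?: (?P<token>\S+))?"
)


def decode_token(token):
    """Decode the trailing base64 token; '' when absent or not valid base64."""
    if not token:
        return ""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""


def parse_failures(log_text):
    """One record per authentication-failure warning, in log order."""
    records = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            records.append({
                "ip": m.group("ip"),
                "mech": m.group("mech"),
                "decoded": decode_token(m.group("token")),
            })
    return records


def noisy_clients(log_text, threshold):
    """Client IPs with at least `threshold` failures: candidates for rate limiting."""
    counts = Counter(r["ip"] for r in parse_failures(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for r in parse_failures(SAMPLE_LOG):
        print(f"{r['ip']:16} {r['mech']:6} token decodes to: {r['decoded']!r}")
    print("clients at or above 3 failures:", noisy_clients(SAMPLE_LOG, 3))
```

Every LOGIN line decodes to the same `Password:` string, which is why the token identifies nothing about the attempt; the per-IP count is the signal that survives without logging any submitted credential, in line with the principle Wietse states in the thread.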