[pfx] Re: Documentation update request

2024-03-27 Thread Wietse Venema via Postfix-users
Ricardo F via Postfix-users:
> 
> 
> Hello,
> 
> I would like to suggest an addition to the documentation under 
> default_destination_rate_delay and default_destination_concurrency_limit
> 
> As pointed in 
> https://mailing.postfix.users.narkive.com/yvG5ceqQ/balancing-destination-concurrency-rate-delay
> 
> "As documented, rate_delay enforces a delay BETWEEN deliveries to
> the same destination, and therefore, the concurrency to that
> destination is always 1"
> 
> So something like the following could be helpful and clear to 
> understand:
> 
> With default_destination_rate_delay > 0, 
> default_destination_concurrency_limit is always 1.

With one message per destination rate delay, why is that not obvious?

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Documentation update request

2024-03-27 Thread Ricardo F via Postfix-users



Hello,

I would like to suggest an addition to the documentation under
default_destination_rate_delay and default_destination_concurrency_limit

As pointed in
https://mailing.postfix.users.narkive.com/yvG5ceqQ/balancing-destination-concurrency-rate-delay

"As documented, rate_delay enforces a delay BETWEEN deliveries to
the same destination, and therefore, the concurrency to that
destination is always 1"

So something like the following could be helpful and clear to
understand:

With default_destination_rate_delay > 0,
default_destination_concurrency_limit is always 1.

Thanks,
Ricardo F.


[pfx] Re: Setting up another "smarthost" with Postfix

2024-03-27 Thread Jaroslaw Rafa via Postfix-users
On 27.03.2024 at 13:02:18, Wietse Venema via Postfix-users writes:
> > 1. From what I've read there's not a 'smarthost' option in the
> >   setup config. Would I just choose 'Internet Site'? Or does it
> >   matter at all if I'm just going to monkey with the conf anyway? 
> > 
> 
> You appear to be talking about some third-party configuration system
> (Zimbra? Mail-in-a-Box?) If so, then postfix-users may not be the
> right forum.

He may be also talking about the config options you are asked for by Debian
package installer when installing Postfix on a Debian machine. You get four
or five (AFAIR) choices of configuration presets to start with, and
"Internet Site" is one of them.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Setting up another "smarthost" with Postfix

2024-03-27 Thread Wietse Venema via Postfix-users
My reading is that this will be a sending only host:

   This postfix server will only take mail from the [main]
   server and send it out, and return bounce/errors to the main
   host. It won't accept any incoming mail.

We should probably ask how they expect to be receiving mail, then.

Wietse


[pfx] Re: Setting up another "smarthost" with Postfix

2024-03-27 Thread Noel Jones via Postfix-users

On 3/27/2024 11:51 AM, Noel Jones via Postfix-users wrote:
> On 3/27/2024 11:25 AM, Samuel Goodies via Postfix-users wrote:
> > Hi guys. I'm inheriting a job that has an email server hosting
> > several domains, and I'm wanting to move them behind our firewall
> > and route mail from the main mail server to an offsite postfix
> > server that will in turn send them out to wherever they need to
> > go, kind of like my own homemade smarthost. Because of security we
> > need to keep it all in house, so a paid smarthost isn't an option.
> > This postfix server will only take mail from the server and send
> > it out, and return bounce/errors to the main host. It won't accept
> > any incoming mail.
> >
> > Edit: I'll number these questions because wow they got out of hand
> > the more I stressed about completely breaking our email
> > servers... Here goes... Bear with me please...
> >
> > 1. From what I've read there's not a "smarthost" option in the
> > setup config. Would I just choose "Internet Site"? Or does it
> > matter at all if I'm just going to monkey with the conf anyway?
>
> Postfix doesn't need any special configuration to be a smarthost.
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html
>
> > 2. And regarding the conf, any tips to make this run smoothly with
> > minimal maintenance?
>
> Start with the minimal changes necessary, run it for a while and see
> if it does what you expect. If you make 20 changes at once it's hard
> to spot your error.
>
> Once you get postfix working like you want it, it should require
> little maintenance.
>
> > 3. And is there a way to keep logging to a minimum so it doesn't
> > fill up the server?
>
> Don't enable debug logging.
>
> Normal postfix logs contain what is necessary to see where mail came
> from and where it went without a bunch of unnecessary stuff.
>
> That said, logs can get pretty big on a busy server. Postfix uses
> your system supplied syslog facility, which has settings to rotate
> and compress the logs periodically to keep them from getting too
> big. This is not controlled by postfix, and is something you will
> need to set up separately using your system-provided tools.
>
> > 4. Can I force it to use a different outbound port than 25 so I
> > can host it on the same machine that hosts our proxy server that
> > sends traffic to our main server?
>
> Port 25 is on the receiving end. Your server will accept mail on
> port 25 (or 465, or 587), and send it to port 25 at the destination.

To clarify, if this smarthost is the MX for your domains and proxies
mail to your real mail server, you can configure postfix to accept
mail on whatever port you want. Typically port 587 "submission" and
port 465 "smtps" are used for this. This may depend on what settings
are available on your internal mail server for using postfix as the
smarthost.

> > 5. Our domains only send from 2 IPs, say 4.4.4.4 and 5.5.5.5, but
> > have 22 different domains they'll send from. Is there a way to
> > just filter relaying by IP address or would another form of
> > security be better?
>
> Restricting postfix to accepting mail from only those IPs is
> sufficient. If your server can do TLS, you can require it by setting:
>
> # main.cf
> smtp_tls_security_level = encrypt
>
> see http://www.postfix.org/TLS_README.html#client_tls

And of course I got that backwards... for receiving mail, use
smtpd_tls_security_level = encrypt and the docs are found at
http://www.postfix.org/TLS_README.html#server_tls

  -- Noel Jones

> > I apologize for all the questions. I'm not a real email guy. I'm
> > just a guy that fell into this job because everyone else was even
> > worse equipped to handle it than me. A step by step would surely
> > be appreciated.
>
> Start with
> http://www.postfix.org/documentation.html
> Many of the how-to sites you find on the internet are wrong in small
> or large ways.
>
>   -- Noel Jones


[pfx] Re: Setting up another "smarthost" with Postfix

2024-03-27 Thread Wietse Venema via Postfix-users
Samuel Goodies via Postfix-users:
[ text/html is unsupported, treating like TEXT/PLAIN ]

> Hi guys. I'm inheriting a job that has an email server hosting
>   several domains, and I'm wanting to move them behind our firewall
>   and route mail from the main mail server to an offsite postfix
>   server that will in turn send them out to wherever they need to
>   go, kind of like my own homemade smarthost. Because of security we
>   need to keep it all in house, so a paid smarthost isn't an option.
>   This postfix server will only take mail from the server and send
>   it out, and return bounce/errors to the main host. It won't accept
>   any incoming mail. 
> 
> Edit: I'll number these questions because wow they got out of
>   hand the more I stressed about completely breaking our email
>   servers... Here goes... Bear with me please...
> 
> 1. From what I've read there's not a 'smarthost' option in the
>   setup config. Would I just choose 'Internet Site'? Or does it
>   matter at all if I'm just going to monkey with the conf anyway? 
> 

You appear to be talking about some third-party configuration system
(Zimbra? Mail-in-a-Box?) If so, then postfix-users may not be the
right forum.

Anyway, the Postfix main.cf file has the "relayhost" parameter for
this purpose. Specify one of:

relayhost = [hostname]
relayhost = [hostname]:port

The [] are required to turn off DNS MX lookups. The port is needed
if you want to connect to a port other than the default (25, smtp).

You may also specify a list 

relayhost = [hostname1], [hostname2]

(ports are also allowed here).

> 2. And regarding the conf, any tips to make this run smoothly
>   with minimal maintenance?
> 3. And is there a way to keep logging to a minimum so it doesn't
>   fill up the server?

No. Just rotate logs daily and you should be fine.

> 4. Can I force it to use a different outbound port than 25 so I
>   can host it on the same machine that hosts our proxy server that
>   sends traffic to our main server? 

Covered under question 1.

> 5. Our domains only send from 2 IPs, say 4.4.4.4 and 5.5.5.5, but
>   have 22 different domains they'll send from. Is there a way to
>   just filter relaying by IP address or would another form of
>   security be better? 

Firewall rules could take care of this (allow connections to TCP port 25
only from specific network blocks).

> I apologize for all the questions. I'm not a real email guy. I'm
>   just a guy that fell into this job because everyone else was even
>   worse equipped to handle it than me. A step by step would surely
>   be appreciated. 

This may be more than you bargained for.

Wietse
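As an added example (not configuration posted in the thread), here is how Wietse's relayhost syntax and Noel's TLS settings fit together for the setup Samuel describes: an internal Postfix server that hands all mail to an offsite relay on a non-default port, and a relay that accepts mail only from the two internal addresses and delivers directly. Everything except 4.4.4.4 and 5.5.5.5 is an assumption: the relay name relay.example.net, port 587, the certificate paths, and example.com standing in for one of the 22 hosted domains.

```conf
# Added example, not configuration posted in the thread.  Two hosts are
# shown; only 4.4.4.4 and 5.5.5.5 come from the question, everything else
# (relay.example.net, port 587, file paths, example.com) is assumed.

# ===== main.cf on the internal mail server (if it runs Postfix) =====
# [] turns off MX lookups for the relay name, :587 overrides port 25
# (question 4).  "encrypt" refuses to hand mail over a cleartext link.
relayhost = [relay.example.net]:587
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# ===== main.cf on the offsite relay =====
myhostname = relay.example.net
inet_interfaces = all
# Only the two internal senders are trusted; everyone else is rejected
# before any relaying decision (question 5).
mynetworks = 127.0.0.0/8, [::1]/128, 4.4.4.4/32, 5.5.5.5/32
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
# The relay is the final destination for nothing and has no local mailboxes.
mydestination =
local_recipient_maps =
local_transport = error:local delivery is disabled on this relay
# Server-side TLS, the parameter Noel corrected to; the internal server
# must use STARTTLS or it is refused.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/relay.crt
smtpd_tls_key_file = /etc/postfix/relay.key
# Outbound to the Internet: direct MX delivery with opportunistic TLS.
smtp_tls_security_level = may
# Bounces the relay itself generates go to the envelope sender, i.e. to
# one of the hosted domains; send those back to the internal server
# instead of following the public MX.
transport_maps = hash:/etc/postfix/transport

# ===== /etc/postfix/transport on the relay (one line per hosted domain;
# rebuild with "postmap /etc/postfix/transport" after editing) =====
example.com     relay:[4.4.4.4]:25

# ===== master.cf on the relay: the port 587 listener the internal server uses =====
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_mynetworks,reject
```

Check the result with "postconf -n" and "postfix check" before reloading. Two caveats: main.cf does not allow a comment after a value on the same line (text after "#" would become part of the value), which is why every comment above sits on its own line; and Wietse's question about how mail is received still stands, since this relay accepts nothing from the Internet and the hosted domains' MX records must keep pointing at whatever does.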


[pfx] Re: Setting up another "smarthost" with Postfix

2024-03-27 Thread Noel Jones via Postfix-users

On 3/27/2024 11:25 AM, Samuel Goodies via Postfix-users wrote:
> Hi guys. I'm inheriting a job that has an email server hosting
> several domains, and I'm wanting to move them behind our firewall
> and route mail from the main mail server to an offsite postfix
> server that will in turn send them out to wherever they need to go,
> kind of like my own homemade smarthost. Because of security we need
> to keep it all in house, so a paid smarthost isn't an option. This
> postfix server will only take mail from the server and send it out,
> and return bounce/errors to the main host. It won't accept any
> incoming mail.
>
> Edit: I'll number these questions because wow they got out of hand
> the more I stressed about completely breaking our email
> servers... Here goes... Bear with me please...
>
> 1. From what I've read there's not a "smarthost" option in the setup
> config. Would I just choose "Internet Site"? Or does it matter at
> all if I'm just going to monkey with the conf anyway?

Postfix doesn't need any special configuration to be a smarthost.
http://www.postfix.org/STANDARD_CONFIGURATION_README.html

> 2. And regarding the conf, any tips to make this run smoothly with
> minimal maintenance?

Start with the minimal changes necessary, run it for a while and see
if it does what you expect. If you make 20 changes at once it's hard
to spot your error.

Once you get postfix working like you want it, it should require
little maintenance.

> 3. And is there a way to keep logging to a minimum so it doesn't
> fill up the server?

Don't enable debug logging.

Normal postfix logs contain what is necessary to see where mail came
from and where it went without a bunch of unnecessary stuff.

That said, logs can get pretty big on a busy server. Postfix uses
your system supplied syslog facility, which has settings to rotate
and compress the logs periodically to keep them from getting too
big. This is not controlled by postfix, and is something you will
need to set up separately using your system-provided tools.

> 4. Can I force it to use a different outbound port than 25 so I can
> host it on the same machine that hosts our proxy server that sends
> traffic to our main server?

Port 25 is on the receiving end. Your server will accept mail on
port 25 (or 465, or 587), and send it to port 25 at the destination.

> 5. Our domains only send from 2 IPs, say 4.4.4.4 and 5.5.5.5, but
> have 22 different domains they'll send from. Is there a way to just
> filter relaying by IP address or would another form of security be
> better?

Restricting postfix to accepting mail from only those IPs is
sufficient. If your server can do TLS, you can require it by setting:

# main.cf
smtp_tls_security_level = encrypt

see http://www.postfix.org/TLS_README.html#client_tls

> I apologize for all the questions. I'm not a real email guy. I'm
> just a guy that fell into this job because everyone else was even
> worse equipped to handle it than me. A step by step would surely be
> appreciated.

Start with
http://www.postfix.org/documentation.html
Many of the how-to sites you find on the internet are wrong in small
or large ways.

  -- Noel Jones


[pfx] Setting up another "smarthost" with Postfix

2024-03-27 Thread Samuel Goodies via Postfix-users

  
Hi guys. I'm inheriting a job that has an email server hosting
several domains, and I'm wanting to move them behind our firewall
and route mail from the main mail server to an offsite postfix
server that will in turn send them out to wherever they need to
go, kind of like my own homemade smarthost. Because of security we
need to keep it all in house, so a paid smarthost isn't an option.
This postfix server will only take mail from the server and send
it out, and return bounce/errors to the main host. It won't accept
any incoming mail.

Edit: I'll number these questions because wow they got out of
hand the more I stressed about completely breaking our email
servers... Here goes... Bear with me please...

1. From what I've read there's not a "smarthost" option in the
setup config. Would I just choose "Internet Site"? Or does it
matter at all if I'm just going to monkey with the conf anyway?

2. And regarding the conf, any tips to make this run smoothly
with minimal maintenance?

3. And is there a way to keep logging to a minimum so it doesn't
fill up the server?

4. Can I force it to use a different outbound port than 25 so I
can host it on the same machine that hosts our proxy server that
sends traffic to our main server?

5. Our domains only send from 2 IPs, say 4.4.4.4 and 5.5.5.5, but
have 22 different domains they'll send from. Is there a way to
just filter relaying by IP address or would another form of
security be better?

I apologize for all the questions. I'm not a real email guy. I'm
just a guy that fell into this job because everyone else was even
worse equipped to handle it than me. A step by step would surely
be appreciated.



  



[pfx] Re: check_policy_service for customizing routing & load balancing

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 10:41:08AM -0400, Wietse Venema via Postfix-users wrote:

> Viktor Dukhovni via Postfix-users:
> > On Tue, Mar 26, 2024 at 02:20:55PM -0400, Wietse Venema via Postfix-users 
> > wrote:
> > > Viktor Dukhovni via Postfix-users:
> > > > That's fine, the SRV records can be keyed by destination domain.
> > > 
> > > Locally-managed SRV records, keyed by the final destination domain
> > > name, to select a local relay host?
> > 
> > Yes.  The only tricky part is getting the queries to go to the right
> > zone, which requires appending a suffix to the nexthop domain.
> 
> This is a very clever approach based on configuration data in DNS
> and Postfix. Would a routing policy help here? I'm thinking of a
> declarative interface (like postfwd for access policies). 

Yes, that would be simpler, but the audience for this would likely be
narrow (the hopefully legitimate bulk mailers delivering mail for
hopefully legitimate customers), so if this is a lot of work, perhaps it
should be sponsored by a suitably motivated party.

> This may require a non-blocking client that supports multiple
> outstanding requests.

Yes.

-- 
Viktor.


[pfx] Re: old TLS client

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 03:28:38PM +0200, Levente Birta via Postfix-users wrote:

> Please help me out with the following error. It's a not very old DVR
> equipment sending notification emails on submission with TLS.
> 
> Before (with CentOS 7 and Postfix 3.6) it was working, but not now, with
> Rocky 8 and Postfix 3.10-20240310.

Please post a "tshark" decode of the SSL handshake, as explained in:

https://marc.info/?l=postfix-users&m=166005488423800&w=2

> postfix/submission/smtpd[1341984]: read from 55BE67365B00 [55BE67426AB3] (5 bytes => 5 (0x5))
> postfix/submission/smtpd[1341984]: 0000 16 03 01 00 96   .
> postfix/submission/smtpd[1341984]: read from 55BE67365B00 [55BE67426AB8] (150 bytes => 150 (0x96))
> postfix/submission/smtpd[1341984]: 0000 01 00 00 92 03 03 dc 27|9c 04 2a 57 91 c4 fd 9f  ...' ..*W
> [...]

Reading the hex dump is not fun, the tshark output is much easier to
work with.

> postfix/submission/smtpd[1341984]: warning: TLS library problem:
> error:14209175:SSL routines:tls_early_post_process_client_hello:
> inappropriate fallback:ssl/statem/statem_srvr.c:1767:

[ Seems you're using OpenSSL 1.1.1, which emits slightly more detailed
  error strings than OpenSSL 3.x, where the function name is not
  included. ]

It looks like the client's cipherlist indicated (SCSV codepoint) that it
performed a fallback (from TLS 1.3 to TLS 1.2 perhaps):

https://datatracker.ietf.org/doc/html/rfc7507#section-7

and since OpenSSL supports TLS 1.3, the fallback was rejected as a
downgrade attack:

ssl/statem/statem_srvr.c-        } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
ssl/statem/statem_srvr.c-                   !ssl_check_version_downgrade(s)) {
ssl/statem/statem_srvr.c-            /*
ssl/statem/statem_srvr.c-             * This SCSV indicates that the client previously tried
ssl/statem/statem_srvr.c-             * a higher version.  We should fail if the current version
ssl/statem/statem_srvr.c-             * is an unexpected downgrade, as that indicates that the first
ssl/statem/statem_srvr.c-             * connection may have been tampered with in order to trigger
ssl/statem/statem_srvr.c-             * an insecure downgrade.
ssl/statem/statem_srvr.c-             */
ssl/statem/statem_srvr.c-            SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
ssl/statem/statem_srvr.c:                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
ssl/statem/statem_srvr.c-                     SSL_R_INAPPROPRIATE_FALLBACK);
ssl/statem/statem_srvr.c-            goto err;
ssl/statem/statem_srvr.c-        }

Perhaps there was an earlier TLS handshake attempt that failed for a
different reason (untrusted certificate? Something else).

Try to capture a "fresh" (first attempt) TLS delivery, rather than a
fallback, if the client is indeed performing a fallback.

-- 
Viktor.
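The check Viktor describes, worked through on the actual bytes from the log, as an added example that is not code from the thread, from Postfix or from OpenSSL. It decodes the ClientHello and the server's alert record (the complete dump is in Levente's original message further down this page) and applies the rule from the quoted OpenSSL excerpt: a hello carrying TLS_FALLBACK_SCSV (0x5600, RFC 7507) whose highest offered version is below the server's highest is an inappropriate fallback. The server's maximum version is a parameter, so the same hello can be judged as a TLS 1.3 server and as a TLS 1.2 server would judge it; the two record byte strings are copied from the log, nothing else is assumed.

```python
"""
Added example; not code from the thread, from Postfix or from OpenSSL.
Decodes the ClientHello and alert records pasted in the thread and
applies the RFC 7507 section 3 rule that the quoted OpenSSL code enforces.
"""
from typing import Dict, Tuple

TLS_FALLBACK_SCSV = 0x5600
EXT_SUPPORTED_VERSIONS = 0x002B
VERSION_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1",
                 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}

# Both records copied byte for byte from the smtpd debug log in the thread.
CLIENT_HELLO_FROM_LOG = bytes.fromhex(
    "16 03 01 00 96 "
    "01 00 00 92 03 03 dc 27 9c 04 2a 57 91 c4 fd 9f "
    "e1 a0 af ef 17 62 d4 b3 10 0c c8 58 f3 3e 71 4b "
    "a1 40 a2 87 21 36 00 00 4a 00 a5 00 a3 00 a1 00 "
    "9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 "
    "36 00 9d 00 3d 00 35 00 a4 00 a2 00 a0 00 9e 00 "
    "67 00 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 "
    "9c 00 3c 00 2f 00 16 00 13 00 10 00 0d 00 0a 00 "
    "ff 56 00 01 00 00 1f 00 0d 00 16 00 14 06 01 06 "
    "02 05 01 05 02 04 01 04 02 03 01 03 02 02 01 02 "
    "02 00 0f 00 01 01"
)
SERVER_ALERT_FROM_LOG = bytes.fromhex("15 03 03 00 02 02 56")


def _u16(buf: bytes, pos: int) -> int:
    return int.from_bytes(buf[pos:pos + 2], "big")


def parse_client_hello(record: bytes) -> Dict:
    """Parse one TLS record carrying a ClientHello; ValueError if malformed.

    "max_version" is what the client really offers: the supported_versions
    extension when present (TLS 1.3 clients), else the legacy version field.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a handshake record")
        body = record[5:5 + _u16(record, 3)]
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 0
        legacy_version = _u16(hello, pos)
        pos += 2 + 32                            # version, client random
        pos += 1 + hello[pos]                    # legacy session id
        cs_len = _u16(hello, pos)
        pos += 2
        suites = [_u16(hello, i) for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]                    # compression methods
        extensions = {}
        if pos + 2 <= len(hello):                # extensions are optional
            end = pos + 2 + _u16(hello, pos)
            pos += 2
            while pos + 4 <= end:
                etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
                pos += 4
                extensions[etype] = hello[pos:pos + elen]
                pos += elen
    except IndexError as exc:
        raise ValueError("truncated ClientHello") from exc

    max_version = legacy_version
    if EXT_SUPPORTED_VERSIONS in extensions:
        sv = extensions[EXT_SUPPORTED_VERSIONS]
        offered = [_u16(sv, i) for i in range(1, 1 + sv[0], 2)]
        # GREASE values (0x0A0A, ...) are not versions; ignore them.
        max_version = max((v for v in offered if v >> 8 == 0x03),
                          default=legacy_version)
    return {
        "legacy_version": legacy_version,
        "max_version": max_version,
        "cipher_suites": suites,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
        "extensions": sorted(extensions),
    }


def parse_alert(record: bytes) -> Tuple[str, str]:
    """Decode a TLS alert record into (level, description)."""
    if len(record) < 7 or record[0] != 0x15 or _u16(record, 3) != 2:
        raise ValueError("not an alert record")
    level, desc = record[5], record[6]
    return ("fatal" if level == 2 else "warning",
            ALERT_NAMES.get(desc, f"alert_{desc}"))


def explain_fallback(record: bytes, server_max_version: int = 0x0304) -> str:
    """The RFC 7507 section 3 rule as the OpenSSL server applies it."""
    hello = parse_client_hello(record)
    client = VERSION_NAMES.get(hello["max_version"], hex(hello["max_version"]))
    server = VERSION_NAMES.get(server_max_version, hex(server_max_version))
    if not hello["fallback_scsv"]:
        return f"no TLS_FALLBACK_SCSV: first attempt, client max {client}"
    if hello["max_version"] < server_max_version:
        return f"inappropriate fallback: client max {client} below server max {server}"
    return f"fallback accepted: client max {client} not below server max {server}"


if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO_FROM_LOG))
    print(parse_alert(SERVER_ALERT_FROM_LOG))
    print(explain_fallback(CLIENT_HELLO_FROM_LOG, 0x0304))  # TLS 1.3 capable server
    print(explain_fallback(CLIENT_HELLO_FROM_LOG, 0x0303))  # server without TLS 1.3
```

Run against the log bytes, the hello offers TLS 1.2 with no supported_versions extension, lists 37 suites ending in the two SCSV values 0x00FF and 0x5600, and the server's 7-byte reply is a fatal alert 86, the inappropriate_fallback code that the log's OpenSSL callback printed as "fatal:unknown". With server_max_version set to TLS 1.2 the same hello passes, which is what a server built on an OpenSSL without TLS 1.3 would do. Capping the submission service's protocol version (smtpd_tls_mandatory_protocols) would therefore make the handshake succeed, but it disables TLS 1.3 for every other client of that service and hides exactly the downgrade this check exists to refuse; the fix belongs on the DVR, which should not send the SCSV on a first attempt.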


[pfx] Re: check_policy_service for customizing routing & load balancing

2024-03-27 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Tue, Mar 26, 2024 at 02:20:55PM -0400, Wietse Venema via Postfix-users 
> wrote:
> > Viktor Dukhovni via Postfix-users:
> > > That's fine, the SRV records can be keyed by destination domain.
> > 
> > Locally-managed SRV records, keyed by the final destination domain
> > name, to select a local relay host?
> 
> Yes.  The only tricky part is getting the queries to go to the right
> zone, which requires appending a suffix to the nexthop domain.

This is a very clever approach based on configuration data in DNS
and Postfix. Would a routing policy help here? I'm thinking of a
declarative interface (like postfwd for access policies). 

This may require a non-blocking client that supports multiple
outstanding requests.

Wietse

> So a socketmap transport lookup that maps:
> 
> foo.example -> dnslb:foo.example.dnslb.local:smtp
> 
> and a custom DNS authoritative server handling "dnslb.local" (or other
> suitable suffix).
> 
> To have separate load-balanced transport per-sender, one could have
> 
> sender_dependent_transport:
> example.com dnslb1
> example.net dnslb2
> ...
> 
> And the socketmap would then leave the transport unchanged, and tweak
> just the nexthop:
> 
> foo.example -> :foo.example.dnslb.local:smtp
> 
> Encoding both the sender domain and the recipient domain into a single
> lookup, as with the policy service, is otherwise difficult, so if
> all mail is single-recipient, one might use FILTER, and still SRV
> lookups on the backend:
> 
> sender domain:  belongs to client1
> recipient = ...@example.net
> 
> action = FILTER dnslb:example.net.client1.dnslb.local
> 
> Then the DNS server can parse out the destination and client id and do
> as it pleases.
> 
> -- 
> Viktor.


[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 27, 2024 at 11:57:22AM +0100, Daniel Marquez-Klaka via Postfix-users wrote:

> Why my setup looks like this? mail-server1 servs a couple of other mail
> domains, not only the one destined for the mailing lists. An access list
> here would affect all domains, right?

Only if the access rules in question apply to those domains.  You should
be able to use "smtpd_restriction_classes" to apply some rules to just
the domain in question.

smtpd_restriction_classes = list_server_access
smtpd_recipient_restrictions =
    check_recipient_access inline:{
        { list.example.org = list_server_access } }
    ...

list_server_access =
    check_sender_access inline:{
        { a.example = permit_auth_destination },
        { b.example = permit_auth_destination },
        { c.example = permit_auth_destination } }

-- 
Viktor.


[pfx] old TLS client

2024-03-27 Thread Levente Birta via Postfix-users

Hello

Please help me out with the following error. It's not very old DVR
equipment sending notification emails on submission with TLS.

Before (with CentOS 7 and Postfix 3.6) it was working, but not now, with
Rocky 8 and Postfix 3.10-20240310.



postfix/submission/smtpd[1341984]: initializing the server-side TLS engine
postfix/submission/smtpd[1341984]: connect from unknown[x.x.x.x]
postfix/submission/smtpd[1341984]: setting up TLS connection from unknown[x.x.x.x]
postfix/submission/smtpd[1341984]: unknown[x.x.x.x]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH"

postfix/submission/smtpd[1341984]: SSL_accept:before SSL initialization
postfix/submission/smtpd[1341984]: read from 55BE67365B00 [55BE67426AB3] (5 bytes => -1 (0x))
postfix/submission/smtpd[1341984]: read from 55BE67365B00 [55BE67426AB3] (5 bytes => 5 (0x5))
postfix/submission/smtpd[1341984]: 0000 16 03 01 00 96   .
postfix/submission/smtpd[1341984]: read from 55BE67365B00 [55BE67426AB8] (150 bytes => 150 (0x96))
postfix/submission/smtpd[1341984]: 0000 01 00 00 92 03 03 dc 27|9c 04 2a 57 91 c4 fd 9f  ...' ..*W
postfix/submission/smtpd[1341984]: 0010 e1 a0 af ef 17 62 d4 b3|10 0c c8 58 f3 3e 71 4b  .b.. ...X.>qK
postfix/submission/smtpd[1341984]: 0020 a1 40 a2 87 21 36 00 00|4a 00 a5 00 a3 00 a1 00  .@..!6.. J...
postfix/submission/smtpd[1341984]: 0030 9f 00 6b 00 6a 00 69 00|68 00 39 00 38 00 37 00  ..k.j.i. h.9.8.7.
postfix/submission/smtpd[1341984]: 0040 36 00 9d 00 3d 00 35 00|a4 00 a2 00 a0 00 9e 00  6...=.5.
postfix/submission/smtpd[1341984]: 0050 67 00 40 00 3f 00 3e 00|33 00 32 00 31 00 30 00  g.@.?.>. 3.2.1.0.
postfix/submission/smtpd[1341984]: 0060 9c 00 3c 00 2f 00 16 00|13 00 10 00 0d 00 0a 00  ..<./...
postfix/submission/smtpd[1341984]: 0070 ff 56 00 01 00 00 1f 00|0d 00 16 00 14 06 01 06  .V..
postfix/submission/smtpd[1341984]: 0080 02 05 01 05 02 04 01 04|02 03 01 03 02 02 01 02
postfix/submission/smtpd[1341984]: 0090 02 00 0f 00 01 01  ..

postfix/submission/smtpd[1341984]: SSL_accept:before SSL initialization
postfix/submission/smtpd[1341984]: write to 55BE67365B00 [55BE6742EC70] (7 bytes => 7 (0x7))
postfix/submission/smtpd[1341984]: 0000 15 03 03 00 02 02 56  ..V

postfix/submission/smtpd[1341984]: SSL3 alert write:fatal:unknown
postfix/submission/smtpd[1341984]: SSL_accept:error in error
postfix/submission/smtpd[1341984]: SSL_accept error from unknown[x.x.x.x]: -1
postfix/submission/smtpd[1341984]: warning: TLS library problem: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback:ssl/statem/statem_srvr.c:1767:
postfix/submission/smtpd[1341984]: lost connection after STARTTLS from unknown[x.x.x.x]
postfix/submission/smtpd[1341984]: disconnect from unknown[x.x.x.x] ehlo=1 starttls=0/1 commands=1/2



# postconf -n | grep smtpd_tls

smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_security_level = may

submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_peername_lookup=no
  -o milter_macro_daemon_name=ORIGINATING

Thank you

Levi






[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Jaroslaw Rafa via Postfix-users
Dnia 27.03.2024 o godz. 11:57:22 Daniel Marquez-Klaka via Postfix-users pisze:
> True as well that mailman can restrict senders to list members only
> but I have a couple of open lists that should be addressable by all
> participating domains/company’s, no one else.

If you have a list of domains from which mail should be accepted, you can
configure that in mailman too.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: strict access restrictions and bounces

2024-03-27 Thread Daniel Marquez-Klaka via Postfix-users

Hiya,

thanks for your replies. My solution was as easy as adding the line
"/^([<]+[>])$/ OK" to my access map.

Changing smtpd_null_access_lookup_key didn't seem to have any effect.

Why my setup looks like this? mail-server1 serves a couple of other mail
domains, not only the one destined for the mailing lists. An access list
here would affect all domains, right? Also, by moving the access part to
the satellite server, it keeps the config on mail-server1 straight.

True as well that mailman can restrict senders to list members only but
I have a couple of open lists that should be addressable by all
participating domains/companies, no one else.


Cheers,
Daniel


--
Anything that is unrelated to elephants is irrelephant.

On 25.3.2024 at 18:05, Jaroslaw Rafa via Postfix-users wrote:
> On 25.03.2024 at 16:11:47, Daniel Marquez-Klaka via Postfix-users writes:
> > 2 postfix mail servers, one, mail-server1, is connected to the
> > internet, the second, calling it list-server1, which serves a few
> > mailing lists, is only reachable thru mail-server1.
> >
> > On mail-server1 a transport map entry sends everything for
> > @list-dom.de to list-server1, list-server1 does his work and sends
> > all back to mail-server1 which then delivers to the final
> > destination.
> >
> > On list-server1, to prevent the whole world sending mails, I have
> > installed a check_sender_access map to accept a few allowed
> > domains, reject everything else.
>
> I don't understand what is actually your scenario and what exactly
> are you trying to prevent.
>
> From what you write, I assume that only mail-server1 is open to
> receive mail from the Internet, and it forwards only messages that
> should reach list-server1 to that server. I assume list-server1 does
> not accept mails directly from the Internet, so there is no
> possibility of "whole world sending mails" to it. (If it isn't the
> case, then just block list-server1 from receiving mails from anywhere
> except mail-server1 using check_client_access).
>
> Maybe you want the people who are not subscribed to the mailing lists
> on list-server1 to not be able to send mail to those lists? But you
> can do this directly on mailing list level, every mailing list
> software has controls that allow to specify who is able to send to
> the list (usually the choice is everyone/subscribers only/moderators
> only, sometimes additionally you can block or allow particular
> senders).
>
> So please describe more clearly, what do you actually want to do.
