Non-ASCII bytes in email header and similar

2019-11-18 Thread David Bürgin
Looking for protocol expertise that some here might have … I understand that email header content should contain 7-bit ASCII-only. However, as an implementor of email software such as a milter, how do I best deal with non-conforming input? Say I receive a header line in my milter that isn’t

First cut of Rust bindings to libmilter available

2019-12-10 Thread David Bürgin
Hello, I’ve published a first cut of Rust bindings to libmilter: https://crates.io/crates/milter You might find this interesting if the thought of writing milters in the Rust language appeals to you. This library doesn’t provide anything new, it just makes libmilter usable from Rust. I have

Re: Cannot sign with DKIM on same-server web and mail

2019-12-01 Thread David Bürgin
On 01/12/2019 12:01, Linkcheck wrote: > I applied the recommendations from this thread (for which, many thanks!) with > some help from the spamassassin forum. Almost all of it works now with the > following exception. On postfix restart the following message is logged. > > "Could not retrieve

Re: Cannot sign with DKIM on same-server web and mail

2019-12-01 Thread David Bürgin
On 01/12/2019 15:18, Linkcheck wrote: > But what about UNPARSEABLE_RELAY? How can I properly fix that? Do I really > have to nullify the rule or is there something in postfix that I've got wrong? Try appending _ to the default connect macros. That does it for me. milter_connect_macros = j

Re: Cannot sign with DKIM on same-server web and mail

2019-12-02 Thread David Bürgin
On 02/12/2019 12:12, Linkcheck wrote: > Thanks, but I already had that. Although I had the "v" before the daemon_addr > when I first tried it... >   milter_connect_macros="i j {daemon_name} v {daemon_addr} _" > > I have now tried it with the v where you suggest it but still gives >

Re: Is the milter API function smfi_setsymlist supported?

2020-01-15 Thread David Bürgin
If someone wants to try … Make sure you have libmilter installed. Compile and run: c99 -Wall nosetsymlist.c -lmilter -o nosetsymlist ./nosetsymlist Enable in /etc/postfix/main.cf with: smtpd_milters = inet:localhost:3000 Then both requested macros, _ and {client_port}, are *not* available

Re: Is the milter API function smfi_setsymlist supported?

2020-01-15 Thread David Bürgin
On 15/01/2020 13:32, Wietse Venema wrote: > Please try any OTHER stage than connect. It might be a bug > that exists only in the connect handler. You would help > narrow down the search for me. You’re right, I just tried requesting _ for the data stage and that does work! I have to take a break

Re: PATCH: milter API function smfi_setsymlist

2020-01-15 Thread David Bürgin
On 15/01/2020 16:37, Wietse Venema wrote: > As implemented in this patch: move the on-the-fly connect before > the macro evaluation. Should work for Postfix 2.5 and later. Thank you very much. I would try it out, unfortunately I have never set up Postfix from the raw materials myself (I’m using

Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
In section ‘What macros will Postfix send to Milters?’, MILTER_README says: > As of Sendmail 8.14.0, Milter applications can specify what macros > they want to receive at different Milter protocol stages. An > application-specified list takes precedence over a Postfix-specified > list. This

Re: Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
On 14/01/2020 19:39, Wietse Venema wrote: >>>unsigned long *pf3) >>> { >>> if (set_macro_list) { >>> if (verbose) >>> printf("set symbol list %s to \"%s\"\n", >>>macro_states[set_macro_state], set_macro_list); >>>

Re: Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
On 14/01/2020 18:22, Wietse Venema wrote: >> In section ‘What macros will Postfix send to Milters?’, MILTER_README >> says: >> >>> As of Sendmail 8.14.0, Milter applications can specify what macros >>> they want to receive at different Milter protocol stages. An >>> application-specified list

Re: Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
Wietse, On 14/01/2020 18:58, Wietse Venema wrote: > smfi_setsymlist() is called by test_negotiate(): > > static sfsistat test_negotiate(SMFICTX *ctx, >unsigned long f0, >unsigned long f1, >

Re: Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
On 14/01/2020 20:48, Wietse Venema wrote: >> test-milter confirms that smfi_setsymlist does not work: >> >> $ test-milter -v -p inet:3000@localhost -m connect -M >> '{client_connections}' >> set symbol list connect to "{client_connections}" >> negotiate f0=1ff *pf0 = 1ff f1=1f

Re: Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
On 14/01/2020 20:31, Bill Cole wrote: > I can confirm that a milter absolutely can request and receive macros from > postfix, PROVIDED those macros are available. I use the MIMEDefang milter, > which optionally uses smfi_setsymlist() to request macros and includes > options to ask for specific

Re: Is the milter API function smfi_setsymlist supported?

2020-01-14 Thread David Bürgin
On 14/01/2020 21:59, Bill Cole wrote: >> Beginning to get a little confused ... > > I can understand why. > > Is it certain that the macro you want is non-null when you're asking for it? I will post a minimal C reproducer some time later hopefully. As a summary, another quick illustration of

Best practice for milter sockets in postfix chroot

2020-01-02 Thread David Bürgin
I’m revisiting an opendkim milter setup I have running locally. Is there some kind of ‘best practice’ regarding where milter sockets are placed inside a Postfix chroot in /var/spool/postfix, and with what permissions? I see no /run directory being created by default in the chroot, but I see two

Re: Being blocked with error 554 5.7.1

2020-09-12 Thread David Bürgin
Dominic Raferd: > Are you able to fix the DMARC entry in your DNS? It has spurious escaped > quotes. The SPF record is invalid, too, ‘a:81.145.130.2’ is not valid syntax. Perhaps these add to some negative score for your messages.

Re: lightweight/milter Spamassassin-integration options for Postfix -- current experience / faves?

2020-06-10 Thread David Bürgin
I’ve been using my own spamassassin-milter (your third option) with Postfix 3.3.0 for a few months and am happy with it. This project is ‘done’, the initial development phase is through, but it is active. (I wrote about the why in these places:)

New SPF milter in development

2020-10-29 Thread David Bürgin
Hello! I am developing a new SPF milter from scratch at https://gitlab.com/glts/spf-milter. It’s written in Rust. This project is not yet released, a work in progress. I’m announcing it now so that hopefully, if you’re interested, you can try it out and perhaps even help shape what the final

Re: Block spam messages to Unknown receiver

2020-11-06 Thread David Bürgin
Eugene Podshivalov: > Is there a way to block spam messages like this? > Probably "receiver=" spf param might be the clue. From RFC 7208, 9.1: > receiver the host name of the SPF verifier So not what you think it is. Ciao

How do you manage the ‘hold’ queue?

2021-01-25 Thread David Bürgin
I’ve recently begun using the ‘hold’ queue, because of a milter that I use. A milter may ‘quarantine’ a message, which causes the message to be placed in the ‘hold’ queue (eg OpenDMARC does this when the DMARC policy requests quarantine). But how does one manage that queue? I know that

Milter rejection logged twice by Postfix

2021-01-04 Thread David Bürgin
I’m running a milter that may perform rejection (SMFIS_REJECT) at the milter HELO stage. This condition appears in the system log as follows: Jan 04 13:50:07 mail postfix/smtpd[149922]: connect from unknown[156.0.64.217] Jan 04 13:50:07 mail spf-milter[147333]: mail.mydomain.org (helo): fail Jan

Re: Milter rejection logged twice by Postfix

2021-01-04 Thread David Bürgin
Wietse Venema: > David Bürgin: >> I’m running a milter that may perform rejection (SMFIS_REJECT) at the >> milter HELO stage. This condition appears in the system log as follows: >> >> Jan 04 13:50:07 mail postfix/smtpd[149922]: connect from >> unknown[156.0.64.217] >> Jan 04 13:50:07 mail

Re: Milter rejection logged twice by Postfix

2021-01-04 Thread David Bürgin
Me: > I’m running a milter that may perform rejection (SMFIS_REJECT) at the > milter HELO stage. This condition appears in the system log as follows: > > Jan 04 13:50:07 mail postfix/smtpd[149922]: connect from unknown[156.0.64.217] > Jan 04 13:50:07 mail spf-milter[147333]: mail.mydomain.org

Re: How do you manage the ‘hold’ queue?

2021-01-27 Thread David Bürgin
Thanks everybody – I’ve decided that for me personally handling this is too much work, and I’ve disabled this particular milter. (There is an open issue in the OpenDMARC project that I have upvoted: https://github.com/trusteddomainproject/OpenDMARC/issues/77)

Re: SPF guidance

2021-06-23 Thread David Bürgin
Alex: I've set up postfix to use policyd-spf using python-policyd-spf and have some questions. Hopefully this isn't off-topic, as my search returns results from only many years ago. Is this still the best SPF policy service for postfix integration on Linux? You can verify SPF using a policy

Re: "Authentication-Results" header order

2021-06-27 Thread David Bürgin
Hi Kevin, > I am using two milters to check incoming mail for DKIM signatures and SPF > records. They are specified in main.cf using the "smtpd_milters" parameter. > > Now, > when I place the DKIM milter before the SPF milter, like so: > > > smtpd_milters = inet:dkim-milter-host:port,

Re: "Authentication-Results" header order

2021-06-27 Thread David Bürgin
Kevin N.: > > Milters decide themselves where they want to insert headers, by index. > > Depending on the order in which milters run, insertion done by one > > milter can shift the insertion point of the next milter. > > > > The sendmail milter API that milters use to insert headers has a bit of

Re: Allowing Special Characters in Email addresses

2021-03-24 Thread David Bürgin
Paul Fowler: Is it possible to allow the use of special characters safely in the local part of an email address. We have a need to be able to accept emails that include special characters like ! e.g. joe!b...@example.com Have you tried what happens when you quote the

Re: opendmarc and opendkim

2021-03-31 Thread David Bürgin
Dominic Raferd: On 31/03/2021 17:29, Benny Pedersen wrote: On 2021-03-31 18:21, Dan Mahoney wrote: problem is your setup used Sender-ID with is long time deprecated Why would you advise not using libspf2? at least not in opendmarc, sid-milter is imho fine but it builds in both cases of

Re: Untrusted TLS connection when sending emails to Google

2021-09-17 Thread David Bürgin
‘What do "Anonymous", "Untrusted", etc. in Postfix logging mean?’ http://www.postfix.org/FORWARD_SECRECY_README.html#status

Re: Conditional milter_header_checks?

2021-07-15 Thread David Bürgin
post...@ptld.com: After hearing all sides, i decided to try using policy settings recommended by Viktor. Since then I've had two emails from this list rejected by DMARC which now confuses me. The email didn't fail SPF or DKIM. postfix/smtpd[226953]: connect from

Re: How do I prevent bogus HELO ?

2021-12-21 Thread David Bürgin
White, Daniel E. (GSFC-770.0)[NICS]: > How do I stop junk like… > > HELO example.com > > … without having to create a huge "check_helo_access" table ? (This is not a general answer but perhaps interesting still.) SPF validation (RFC 7208) can also be applied to a HELO name, which is useful

Re: are my helo restrictions too strict ?

2021-12-03 Thread David Bürgin
Fourhundred Thecat: > Hello, > > I have strict helo checks: > >   smtpd_helo_required = yes >   smtpd_helo_restrictions = reject_non_fqdn_helo_hostname, >     reject_invalid_helo_hostname, >     reject_unknown_helo_hostname Anecdotal: I used to have these exact

Re: what's best guess record for SPF

2021-12-07 Thread David Bürgin
Piper H wrote: > I sent an email from my t-online.de account to gmail. > Gmail shows SPF pass by best guessing: > > Received-SPF: pass (google.com : best guess record for > domain of x...@t-online.de designates 194.25.134.18 > as

Re: TLS ciphers

2022-01-10 Thread David Bürgin
This question is answered regularly on this list. http://www.postfix.org/TLS_README.html#server_cipher > By default anonymous ciphers are enabled. … One can't force a remote > SMTP client to check the server certificate, so excluding anonymous > ciphers is generally unnecessary.

Re: Received-SPF: Temperror

2022-02-05 Thread David Bürgin
post...@ptld.com: > If you are going to use DMARC then you do not need to mess around with or > install policyd-spf. > OpenDMARC has built in SPF lookup, it adds a header with the SPF results, and > uses it in deciding if the email passes DMARC or not. OpenDMARC’s is a defective implementation

Re: smtpd_milter_maps and XFORWARD

2022-04-08 Thread David Bürgin
Jesper Dybdal: > Are smtpd_recipient_restrictions, particularly policy services, evaluated > before milters, so that I could use policyd_spf to check SPF, and have > amavis and opendmarc milters in that same smtpd instance - so the milters > could use the Authentication-Results header from

Re: Prevent local mail from going via spamassassin milter

2022-07-07 Thread David Bürgin
Linkcheck: > I have a relatively new installation of postfix with clamav and spamassassin > milters. In general it seems to work fine. > > The debian server sends a variety of notifications from localhost through > postfix to a domain mailbox ad...@example.co.uk. On the way it's filtered by >

Re: DMARC milter question

2022-07-04 Thread David Bürgin
Scappatura Rocco: > These are the top lines of my master.cf: > > # == > # service type private unpriv chroot wakeup maxproc command + args > # (yes) (yes) (yes) (never) (100) > #

Re: DMARC milter question

2022-07-04 Thread David Bürgin
Scappatura Rocco: > I have one postfix server (say, 'myserver.domain.tld') acting as MX for some > domains and as SMTP relay for the SASL authenticated user from the same > domains. > > On that server I have enabled DMARC milter (other than I have set up DKIM, > and it works fine): > >

Re: Milter_Readme - Documentation Edit Request - "order", "reject" and "override" - multiple message modifications?

2022-05-24 Thread David Bürgin
As was suggested upthread, do check the sendmail milter documentation for questions about the milter protocol. Technical design, API, interaction of multiple milters, succession of milter callback stages, it’s all there. On Ubuntu or Debian install package sendmail-doc and start at

Re: questions to postfix's behavior

2022-10-21 Thread David Bürgin
Henry R: > Hello list, > > As a receiver MTA (postfix), if DKIM, SPF or DMARC has got failed to the > sender domain, what action postfix will take for this incoming message? > reject or greylist it? > > I have setup the mail system (as this domain openmbox.net) but not sure about > it.

Find out whether a sender is authenticated in a milter?

2023-01-05 Thread David Bürgin
Previously in a milter I have used presence of sendmail macro ‘{auth_authen}’ to decide whether a sender is authenticated. Now, in another milter I am using presence of macro ‘{auth_type}’ to make that decision. What is the recommended way of telling whether a sender is authenticated using

Re: Replacing initial "Received:" line on submission?

2023-01-12 Thread David Bürgin
Charles Sprickman: > I'm thinking that for my personal mail server I would like to stop showing > the world the IP that I'm sending email from, for various reasons, but mostly > privacy. > > I see lots of sketchy options out there using header checks, but I'd ideally > like to not just strip

Re: Planning my migration: preventing open relay

2022-12-24 Thread David Bürgin
raf: > On Fri, Dec 23, 2022 at 06:20:08PM +0100, Gerben Wierda > wrote: > > What is the best way to do this? Or is it too troublesome and should > > I just use postfix outside of docker, installing it with apt? I would > > rather like to have a single (docker) deployment model which would > >

[pfx] Re: Recommendation for dkim signing

2023-10-30 Thread David Bürgin via Postfix-users
Viktor Dukhovni: > Though dkimpy-milter is likely the more future-proof choice, perhaps > OpenDKIM is slightly more polished at present, be it also dated ( > lacking some of the newer algorithms). > > For signing, lack of bleeding-edge algorithms is less important, so if > you're not also

[pfx] Re: Recommendation for dkim signing

2023-10-30 Thread David Bürgin via Postfix-users
https://crates.io/crates/dkim-milter is yet another option that I’m working on. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: Possible (indirect) libspf2 security issues

2023-10-01 Thread David Bürgin via Postfix-users
OpenDMARC only uses libspf2 if (a) it was compiled with SPF support and with libspf2 includes (configure options --with-spf --with-spf2-include --with-spf2-lib) and (b) configuration parameter SPFSelfValidate is enabled. Item (a) is the case for example in the Debian and Ubuntu package,

[pfx] Re: Integrating a new milter with Postfix

2023-03-12 Thread David Bürgin via Postfix-users
EML: > I can run the milter as a service, if necessary, instead of adding an entry > in master.cf, but this feels like the wrong way to do this. Thanks. But note that this is how milters are normally operated, eg milters installed from a distro package.

[pfx] Re: SPF: HELO does not publish an SPF Record

2023-04-13 Thread David Bürgin via Postfix-users
Jaroslaw Rafa: > On 12.04.2023 at 15:43:07, Fourhundred Thecat via Postfix-users wrote: >> OK, I see. >> So should the client (mail.example.com) then have its own SPF record, >> in addition to the domain itself (example.com) ? > > If you plan to send mail with senders addresses as >

[pfx] Re: Deny any sender address with subdomain

2023-04-28 Thread David Bürgin via Postfix-users
Gerd Hoerst: > question 1st : is it a good idea to reject any email which is not sent from a > domain  (means sen...@domain.tld) any other like sen...@sub.domain.tld or > sub.sub.domain.tld is rejected ? > > at least i tried with header checks in pcre > > /^From:\.*@.*\.*\.*/    DISCARD NO

[pfx] Re: Not all errors are postfix's fault

2023-12-20 Thread David Bürgin via Postfix-users
To find out why a milter signs or does not sign, it would be helpful to see the milter’s configuration. With OpenDKIM, the setting ‘LogWhy yes’ is useful for debugging such issues.

[pfx] removing Authentication-Results, how?

2024-01-16 Thread David Bürgin via Postfix-users
Matus UHLAR - fantomas: > Do you remove those headers on your servers? In my chain of milters, the very first one simply deletes incoming Authentication-Results whose authserv-id equals $myhostname … The rest of the milters can then assume that no such headers are present.

[pfx] Re: removing Authentication-Results, how?

2024-01-17 Thread David Bürgin via Postfix-users
Matus UHLAR - fantomas: > Which milter is that? > Does it support trusted hosts? Yes, I think so. It’s my https://crates.io/crates/spf-milter Ciao,

[pfx] Re: Are multiple white spaces allowed in a date in headers?

2024-01-31 Thread David Bürgin via Postfix-users
Michael Storz: > FWS =   ([*WSP CRLF] 1*WSP) /  obs-FWS > > A FWS can be a single WSP or a folded line. > > Therefore the date "Fri,  5 Jan 2024 16:48:37 -0500 (EST)" is syntactically > incorrect, because there can be only one blank between "," and "5", not two > by the syntax of

[pfx] Re: smtp_header_checks and opendkim

2023-11-20 Thread David Bürgin via Postfix-users
Note: OpenDKIM does not require the (ancient, obsolete) setting ‘milter_protocol = 2’. It’s a cargo cult setting. Just drop it and leave it at the default.

[pfx] Re: A functional lightweight reverse alias?

2024-03-03 Thread David Bürgin via Postfix-users
Gerben Wierda: > Aliases are nice, to receive mail. But when you reply, the address behind the > alias is exposed. I’m puzzling a bit over this statement … I also use aliases but was not aware that they would expose my real address? As a test I’m sending this message from a virtual alias

[pfx] Re: long header folding and DKIM fails

2024-04-29 Thread David Bürgin via Postfix-users
Remember that Postfix has supported DKIM via various milters for 15+ years without issues. So no, practically there is no problem with DKIM and header folding in Postfix.