Re: smtp disobeying smtp_bind_address

2021-10-26 Thread Viktor Dukhovni
On Tue, Oct 26, 2021 at 08:41:20PM -0400, Viktor Dukhovni wrote: > With `bash` inline /dev/fd/ files: > > $ diff -U0 <(postconf -x -o compatibility_level=2) <(postconf -x -o > compatibility_level=3.6) A handy abstraction to a couple function definitions would b

Re: smtp disobeying smtp_bind_address

2021-10-26 Thread Viktor Dukhovni
On Wed, Oct 27, 2021 at 11:34:57AM +1100, raf wrote: > > Is there a way, given a new warning about compatibility_level (say > > you've been running with 3_5, and you're now running 3_6), to see > > what changes to your config are effectively made by enabling that > > level? (effectively, to show

Re: Mail bypassing relayhost configuration

2021-10-26 Thread Viktor Dukhovni
On Tue, Oct 26, 2021 at 09:05:46PM +, Cooper, Robert A wrote: > Posftinger output: > https://gist.github.com/racooper/a560c84080e2ee6c336d508918344f5a Please avoid paste bins in the future. Also where are the (couple of) requested log entries that show the problem behaviour?

Re: Mail bypassing relayhost configuration

2021-10-26 Thread Viktor Dukhovni
On Tue, Oct 26, 2021 at 04:22:53PM +, Cooper, Robert A wrote: > Howdy! We have noticed that certain email going through our outbound > relay are ignoring the "relayhost = [smtp-relay.site.com]:25". Sorry, that's not possible. The delivery of messages for *all* recipients uses the same

Re: smtp disobeying smtp_bind_address

2021-10-26 Thread Viktor Dukhovni
On Tue, Oct 26, 2021 at 09:42:33AM -0400, Wietse Venema wrote: > It does not complicate the code. I am more concerned about > discoverability (how would a user even find out that the behavior > has become configurable). The best we can do is cross-reference the new parameter under

Re: smtp disobeying smtp_bind_address

2021-10-25 Thread Viktor Dukhovni
On Mon, Oct 25, 2021 at 09:35:35AM +, Vincent Pelletier wrote: > I would rather postfix just stop sending emails altogether in such > case, than send them from an unexpected ip: a delay is preferable to > me to uncertainty as to how the emails were processed by recipient > SMTPs. > > Is

Re: Using a different DNS to ask zen.spamhaus.org for DNSBL info?

2021-10-21 Thread Viktor Dukhovni
On Fri, Oct 22, 2021 at 08:38:40AM +1000, Simon Wilson wrote: > I have now setup Unbound as a caching name server on the Postfix > server so it can resolve *anything*, but with Unbound configured to > fwd to my local network BIND server for local domain addresses > (private-address,

Re: Windows Powershell and Postfix TLS authentication

2021-10-21 Thread Viktor Dukhovni
On Thu, Oct 21, 2021 at 04:34:23PM -0400, Craig Huckabee wrote: > We’ve had requests for help making it work with Windows, specifically > from Powershell. We tried connecting using the Powershell methods > described by Microsoft for SMTP TLS auth, but while debugging from the > Postfix side the

Re: ETRN recorded in log but no mail moves

2021-10-21 Thread Viktor Dukhovni
On Thu, Oct 21, 2021 at 07:15:19PM +0100, K.J. Petrie wrote: > I have a server which is on 24 hours/day and a desktop which is on when > I'm using it. Both have postfix used for delivering mail. For ETRN to be useful, the frequently unreachable domain has to be listed in $fast_flush_domains.

Re: Different vpn postfix problem

2021-10-20 Thread Viktor Dukhovni
On Wed, Oct 20, 2021 at 10:03:10PM +0200, Damian wrote: > > Oct 20 20:09:37 libertyfp postfix/smtpd[174449]: warning: > > unknown[87.246.7.245]: SASL LOGIN authentication failed: UGFzc3dvcmQ6 > > Oct 20 20:09:37 libertyfp postfix/smtpd[174449]: disconnect from > > unknown[87.246.7.245] ehlo=1

Re: Different vpn postfix problem

2021-10-20 Thread Viktor Dukhovni
On Wed, Oct 20, 2021 at 03:24:12PM -0400, fp145 wrote: > I use evolution as my mail client on the laptop. Are you using TLS? Either port 587 with STARTTLS, or port 465 with "implicit TLS" (some MUAs confuse things by calling this "SSL", and reserve "TLS" for "STARTTLS"). > Oct 20 21:16:57

Re: postfix vpn problem

2021-10-20 Thread Viktor Dukhovni
On Wed, Oct 20, 2021 at 02:57:27PM -0400, Dan Ziolkowski wrote: > Oct 20 14:28:17 -OptiPlex-990 postfix/smtp[2522]: 2DA852E306A: > to=, relay=none, delay=20, delays=0.13/0.02/20/0, > dsn=4.4.3, status=deferred (Host or domain name not found. > Name service error for name=smtp.gmail.com

Re: postfix vpn problem

2021-10-20 Thread Viktor Dukhovni
On Wed, Oct 20, 2021 at 02:29:26PM -0400, fp145 wrote: > > > In summary, postfix mail works fine if VPN if off, does not work if > > > VPN is on, any advice would be appreciated, thanks DAN > > Hey! I have exactly the same problem. [...] Actually, nothing like the OP's problem... > Oct 20

Re: postfix vpn problem

2021-10-20 Thread Viktor Dukhovni
On Wed, Oct 20, 2021 at 01:46:57PM -0400, Dan Ziolkowski wrote: > understood, i will gather them.. DAN Just one or two log entries showing a delivery failure logged by postfix/smtp (not smtpd), is sufficient. No need for bulk log data. You can obfuscate the recipient address localparts,

Re: postfix vpn problem

2021-10-20 Thread Viktor Dukhovni
On Wed, Oct 20, 2021 at 01:16:45PM -0400, Dan Ziolkowski wrote: > I have postfix working fine sending mails through gmail while VPN not > connected. When connected, sending mail fails. http://www.postfix.org/DEBUG_README.html#mail http://www.postfix.org/DEBUG_README.html#logging > In

Re: Delivery Status Notification

2021-10-19 Thread Viktor Dukhovni
On Tue, Oct 19, 2021 at 10:35:41PM -0400, post...@ptld.com wrote: > >> $ postconf smtpd_discard_ehlo_keywords > >> smtpd_discard_ehlo_keywords = pipelining, chunking, > >> silent-discard, DSN, ETRN > > > > Why did you decide to turn off PIPELINING and CHUNKING? > > Based on the last

Re: Delivery Status Notification

2021-10-19 Thread Viktor Dukhovni
On Tue, Oct 19, 2021 at 08:53:27PM -0400, post...@ptld.com wrote: > $ postconf smtpd_discard_ehlo_keywords > smtpd_discard_ehlo_keywords = pipelining, chunking, silent-discard, DSN, > ETRN Why did you decide to turn off PIPELINING and CHUNKING? -- Viktor.

Re: Delivery Status Notification

2021-10-19 Thread Viktor Dukhovni
On Tue, Oct 19, 2021 at 06:55:15PM -0400, post...@ptld.com wrote: > Is there a setting for disabling delivery status notification reports > being emailed back to the sender address by MAILER-DAEMON? I could not > find one searching in postconf.5.html I generally disable the 'DSN' EHLO keyword

Re: Debugging Relay Access Denied

2021-10-18 Thread Viktor Dukhovni
On Mon, Oct 18, 2021 at 09:50:33PM -0600, Bob Proulx wrote: > I am helping a friend with his system. As such things are not as I > would set them up. But just the same I can't figure out this > problem. So I come here seeking a second set of eyes on it. What is > the problem that I am not

Re: forwarding behavior questions

2021-10-18 Thread Viktor Dukhovni
On Mon, Oct 18, 2021 at 09:45:49PM +0800, Henrik Peng wrote: > I have a domain in registrar saying it’s foo.com. > Registrar has the email forwarding feature, so u...@foo.com will be > forwarded to my gmail. > > I am not sure that, the registrar will forward email based on message > header

Re: Bug: Postfix errors at startup for service listed in known_tcp_ports but not listed in /etc/services

2021-10-17 Thread Viktor Dukhovni
On Sun, Oct 17, 2021 at 06:40:47PM +1300, Peter wrote: > Just had someone come into the IRC chat with this issue and I was able > to reproduce it quite easily, this is with Postfix 3.6.2. If your > /etc/services has smtps listed but not submissions (or vice-versa) and > you uncomment or add

Re: Various questions about Postfix

2021-10-15 Thread Viktor Dukhovni
On Fri, Oct 15, 2021 at 12:53:03AM -0500, Tyler Montney wrote: > Perfect, all of that makes sense. Here's 3 more: You might try the book by Patrick and Ralf, the basics haven't changed. >- The way I understand master.cf is that it spins up services. On demand, unless some idle instances of

Re: Various questions about Postfix

2021-10-14 Thread Viktor Dukhovni
On Fri, Oct 15, 2021 at 12:15:23AM -0500, Tyler Montney wrote: > So by private, you mean services that end users shouldn't be able to > interact with? Public services have CLI tools (as an interface) whereas > private ones do not. Yes. > For wakeup, why would a service need wake up timer? It

Re: Various questions about Postfix

2021-10-14 Thread Viktor Dukhovni
On Thu, Oct 14, 2021 at 09:12:40PM -0500, Tyler Montney wrote: > I am doing a deep dive on mail hosting and this includes Postfix. I have > quite a number of questions about Postfix. Is this the best place to get > those answered? > > To give a sample: > >- What does 'private' mean for

Re: UTF-8 Encoding for MySQL

2021-10-13 Thread Viktor Dukhovni
On Wed, Oct 13, 2021 at 03:38:47PM -0400, post...@ptld.com wrote: > > You might want to use a UTF-8 encoding when creating the database and > > choose the same on the client end. > > Between character sets utf8mb3 and utf8mb4 does postfix work better with > one over the other or are they same

Re: Table Lookup - Database Injections?

2021-10-13 Thread Viktor Dukhovni
On Wed, Oct 13, 2021 at 12:27:30PM -0400, post...@ptld.com wrote: > I received the following logged errors > > query failed: Illegal mix of collations >(latin1_swedish_ci,IMPLICIT) and > (utf8mb4_general_ci,COERCIBLE) for operation '=' > > query = SELECT email FROM aliases WHERE

Re: STARTTLS Exchange Header and expected behaviour query

2021-10-07 Thread Viktor Dukhovni
On Thu, Oct 07, 2021 at 06:50:22PM +1300, AndrewHardy wrote: > Looks like as long as STARTTLS is present in the server response then > it doesn’t matter if it’s a hyphen or space and the s_client.c library > suggests it just looks for that keyword so that confirms it. Helps to > tell it to

Re: STARTTLS Exchange Header and expected behaviour query

2021-10-06 Thread Viktor Dukhovni
On Thu, Oct 07, 2021 at 06:01:45PM +1300, Andrew Hardy wrote: > The core of my issue is that the sending MTA receives the 250 STARTTLS > from the receiving MTA but never replies with STARTTLS. The sending > MTA has smtpd_tls_security_level = may defined. There's your problem

Re: dead link in online html doc

2021-10-06 Thread Viktor Dukhovni
On Wed, Oct 06, 2021 at 05:50:00PM -0400, Wietse Venema wrote: > > I therefore suggest replacing any and all occurrences of > > "http://tools.ietf.org" > > with > > "https://tools.ietf.org" > > in the html documentation. > > Updated the mantools/postlink script to do this: > >

Re: About "transport_maps" : when this paraméter is set smtp does not deliver mail localy

2021-10-06 Thread Viktor Dukhovni
> On 6 Oct 2021, at 1:07 pm, Bill Cole > wrote: > > That is surprising because the format is all wrong. Those freestanding ':' > should make everything there useless. See the man page for transport(5). A > hash map has exactly 2 tokens per line, whitespace delimited, with the second >

Re: Fwd: Issue with Postfix and GSSAPI Authentication

2021-10-04 Thread Viktor Dukhovni
On Mon, Oct 04, 2021 at 04:34:39PM +0200, Sam R wrote: > Now it's working fine! > > I finally succeeded. I worked around by increasing only the value of the > line_length_limit option to 12288 ( same value as the default for > smtpd_sasl_response_limit ) That's the right thing to do when the

Re: MFA with Postfix to relay to/via Office365

2021-10-04 Thread Viktor Dukhovni
On Mon, Oct 04, 2021 at 02:17:33PM +0100, lejeczek wrote: > Is relaying to an Exchange Online servers which - in my case is > imposed as I'm a member of an org - employ MFA, possible with Postfix? Unlikely. Postfix supports SASL, I don't know what would constitute "MFA" with SASL. > On

Re: Reject based on sender MX dns lookup?

2021-10-04 Thread Viktor Dukhovni
On Mon, Oct 04, 2021 at 09:25:51AM -0400, Wietse Venema wrote: > /etc/postfix/main.cf: > smtpd_dns_reply_filter = pcre:/etc/postfix/numeric-mx.pcre > > /etc/postfix/numeric-mx.pcre: > # /domain. ttl IN MX pref address/ action, all case-insensitive. >

Re: Reject based on sender MX dns lookup?

2021-10-04 Thread Viktor Dukhovni
On Mon, Oct 04, 2021 at 02:35:28PM +0200, Kristian wrote: >$ dig +short mx traffordplazauk.com >10 64.27.25.41. > > I guess my first question is, what is considered the proper behaviour > for mail from such domains? There is no specification that tells you what to do with mail from

Re: Fwd: Issue with Postfix and GSSAPI Authentication

2021-10-01 Thread Viktor Dukhovni
On Fri, Oct 01, 2021 at 12:47:29PM -0400, Viktor Dukhovni wrote: > > -- basics -- > > Postfix: 3.5.6 > > Since you're using Postfix 3.5, which by default supports long SASL > messages after the initial response, your client is in violation of the > SMTP SASL specific

Re: Fwd: Issue with Postfix and GSSAPI Authentication

2021-10-01 Thread Viktor Dukhovni
On Fri, Oct 01, 2021 at 04:17:03PM +0200, Sam R wrote: > I added two keytabs in /etc/krb5.keytab There's your problem, the /etc/krb5.keytab file, given services like SSH with GSSAPI authentication, contains secrets sufficient to login to the host as any user, possibly including root. It must

Please drop TLSA records matching retired Let's Encrypt CAs

2021-09-30 Thread Viktor Dukhovni
The DANE survey continues to observe a "long tail" of MX hosts with TLSA records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs. If you're publishing TLSA records with Let's Encrypt issuer CA hashes, the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also be

Re: Client certification verifications fails with not designated for use as a CA certificate

2021-09-30 Thread Viktor Dukhovni
On Thu, Sep 30, 2021 at 03:50:41PM +1000, raf wrote: > > No, because you don't get to choose which CA signed your certificates. I meant to say "your *peer's* certificates". > This is what I was expecting to be the case: > > That the following extensions are needed for certificates that >

Re: Client certification verifications fails with not designated for use as a CA certificate

2021-09-29 Thread Viktor Dukhovni
On Thu, Sep 30, 2021 at 01:21:19PM +1000, raf wrote: > You said that the following extensions are needed: > > basicConstraints = CA:true > keyUsage = digitalSignature, keyCertSign, cRLSign > extendedKeyUsage = serverAuth, clientAuth > > Is it the case that serverAuth is only required for

Re: Client certification verifications fails with not designated for use as a CA certificate

2021-09-29 Thread Viktor Dukhovni
On Thu, Sep 30, 2021 at 12:45:31AM +1000, raf wrote: > > postconf: warning: /etc/postfix/master.cf: undefined parameter: > > submission_sender_restrictions > > smtp inet n - n - - smtpd > > submission inet n - n - - smtpd > >

Re: Client certification verifications fails with not designated for use as a CA certificate

2021-09-29 Thread Viktor Dukhovni
On Wed, Sep 29, 2021 at 02:33:05PM +0200, Bugz Bunny wrote: > > Sent: Wednesday, September 29, 2021 at 8:25 AM > > From: "Bugz Bunny" > > To: postfix-users@postfix.org > > Subject: Client certification verifications fails with not designated for > > use as a CA certificate > > Sorry, forgot to

Re: Strange error when having hold as symlink

2021-09-28 Thread Viktor Dukhovni
On Wed, Sep 29, 2021 at 02:19:53PM +1000, raf wrote: > If you really have a problem that you think would be > solved by relocating the hold queue, you could mount > another file system over the hold queue directory. > That might work. But it might be a bad idea. Not sure. Sorry, not possible.

Re: Strange error when having hold as symlink

2021-09-28 Thread Viktor Dukhovni
On Wed, Sep 29, 2021 at 01:49:39AM +0200, (lists) Denis BUCHER wrote: > When creating /var/spool/postfix/hold as symlink to another folder I get > the following error from Postfix : If any Postfix services are chrooted, the destination needs to be a subdirectory of the Postfix queue directory

Re: SpamC - connection refused

2021-09-28 Thread Viktor Dukhovni
On Tue, Sep 28, 2021 at 08:38:33PM +0200, Maurizio Caloro wrote: > Sep 28 15:11:22 nmail spamd[3826]: prefork: child states: II The "spamd" server appears to be running... > Sep 28 15:11:23 nmail spamc[4525]: connect to spamd on 127.0.0.1 failed, > retrying (#1 of 3): Connection refused > Sep

Re: Filtering MAIL FROM for autenticated users

2021-09-28 Thread Viktor Dukhovni
On Tue, Sep 28, 2021 at 03:50:06PM +0100, João Silva wrote: > It would be nice to have an option to specify a list of allowed domains. This is not meaningful, because the lookup result is a list of SASL identities, which are just opaque octet strings, there's no notion of "domain" there. In

Re: How to tell postfix to be more verbose on the smtp port?

2021-09-28 Thread Viktor Dukhovni
On Tue, Sep 28, 2021 at 09:50:11AM +0200, Christophe Lohr wrote: > Well.. so, my question is: how to configure postfix to be more verbose? > (not in the log files, but on the SMTP connections) This would be a programming exercise. The relevant source files are: src/smtpd/smtpd.c -

Re: best TLS crypto settings?

2021-09-24 Thread Viktor Dukhovni
On Fri, Sep 24, 2021 at 07:05:00PM -0400, Alex wrote: > I recently ran testssl.sh (https://github.com/drwetter/testssl.sh) on > my mail server, and it's still showing TLS 1 and 1.1 still being > offered, as well as DES: You should generally ignore most issues misreported by SSL/TLS testing sites

Re: Parameter name code/doc mismatch: tlsproxy_client_level != tlsproxy_client_security_level tlsproxy_client_level

2021-09-24 Thread Viktor Dukhovni
> On 24 Sep 2021, at 12:57 pm, Wietse Venema wrote: > >> It is perhaps time to drop support for some of the Postfix <= 2.2 >> TLS parameters. Which can simplify the pile of booleans to just >> a single security level and then perhaps simply: >> >>tlsproxy_client_enable = >>

Re: Parameter name code/doc mismatch: tlsproxy_client_level != tlsproxy_client_security_level tlsproxy_client_level

2021-09-24 Thread Viktor Dukhovni
On Sat, Sep 25, 2021 at 01:08:29AM +1000, raf wrote: > Also, the following look like they are defined in > mail_params.h but they aren't in postconf.proto > (20210815 snapshot). This might be wrong. It's just a > quick hacky audit. Some of them might not be real > parameters. There is no

Re: change postscreen error code from 4xx to 5xx

2021-09-23 Thread Viktor Dukhovni
On Fri, Sep 24, 2021 at 01:45:04AM +0200, Francesc Peñalvez wrote: > I re-ask again since my postscreen responds to connections with dnsbl > code 450 instead of a 5xx, with which those servers are trying to resend > the mail again and again > > postfix/submission/postscreen[1724625]: NOQUEUE:

Re: is it possible to change the openssl security level?

2021-09-23 Thread Viktor Dukhovni
On Thu, Sep 23, 2021 at 10:02:26PM -0400, David Mandelberg wrote: > With the settings below, postfix 3.5.6 and openssl 1.1.1k successfully > connected to a server with a 2048-bit RSA key, which should be > disallowed by openssl's security level 4. Postfix explicitly overrides the security

Re: [Patch] lmtp_tls_wrappermode documentation

2021-09-23 Thread Viktor Dukhovni
On Thu, Sep 23, 2021 at 01:19:57PM -0400, David Mandelberg wrote: > Is lmtp_tls_wrappermode safe to use even though it's not documented? Yes, it is safe to use. The SMTP and LMTP client code in Postfix is largely a single code base that implements both protocols, with only minor differences (no

Re: Patch: Wierd behaviour: postconf -xd proxy_read_maps

2021-09-23 Thread Viktor Dukhovni
> On 23 Sep 2021, at 6:46 am, Wietse Venema wrote: > > C and C++ are similar enough that C can easily be wrapped in C++. > I'd love to adopt Gtest which I have been using internally at Google > over the past 5+ years. Sure, but these days you can write C in any language. :-) By which I mean

Re: Patch: Wierd behaviour: postconf -xd proxy_read_maps

2021-09-22 Thread Viktor Dukhovni
On Thu, Sep 23, 2021 at 09:28:59AM +1000, raf wrote: > > Thanks. This is the result of lazy coding in a nasty language. > > I should stop hidden static buffers, or switch to a language that > > has automatic destructors like C++ or Go. > > > > Wietse > > or Rust! :-) We all have our favourite

Re: tlsmgr timeout

2021-09-22 Thread Viktor Dukhovni
> On 22 Sep 2021, at 1:11 pm, Alex wrote: > >>smtpd_tls_session_cache_database > > This is defined to the default for all instances: > smtpd_tls_session_cache_database = > btree:/var/lib/postfix/smtpd_tls_session_cache That's wrong. The session cache needs to be:

Re: Patch: Wierd behaviour: postconf -xd proxy_read_maps

2021-09-22 Thread Viktor Dukhovni
On Wed, Sep 22, 2021 at 10:35:45PM +1000, raf wrote: > I just encountered a weird thing (debian-11 stable, postfix-3.5.6-1+b1). Thanks for the bug report. > $ postconf -xdf proxy_read_maps > proxy_read_maps = all127.0.0.0/8 a.b.c.d/32 [::1]/128 >[a:b:c:d::e]/128 [fe80::]/64

Re: tlsmgr timeout

2021-09-21 Thread Viktor Dukhovni
On Tue, Sep 21, 2021 at 07:57:12PM -0400, Alex wrote: > Can someone help me troubleshoot why I'm periodically receiving these > messages? It results in postfix stop responding to connections > altogether. > > Sep 21 19:18:41 xavier postfix-116/smtpd[2485484]: warning: problem > talking to server

Re: Rewriting the MAILER-DAEMON address and header formats

2021-09-18 Thread Viktor Dukhovni
On Sat, Sep 18, 2021 at 08:46:15PM +0300, Vladimir Mishonov wrote: > I see. Would it be too much to ask to add a template for postmaster > notifications as well then (notify_classes = protocol etc.)? Like I said > before, it appears that MAILER-DAEMON is hardcoded in those, and it > looks like

Re: Rewriting the MAILER-DAEMON address and header formats

2021-09-18 Thread Viktor Dukhovni
On Sat, Sep 18, 2021 at 08:39:41AM +0300, Vladimir Mishonov wrote: > 1. You probably don't like when people shout at you, right? Well, > all-caps looks a lot like someone's shouting at you. It'd look better if > it were all-lowercase. The "MAILER-DAEMON" form is a long-standing heritage from

Re: Untrusted TLS connection when sending emails to Google

2021-09-17 Thread Viktor Dukhovni
On Sat, Sep 18, 2021 at 12:44:30AM +0200, Gerald Galster wrote: > The question is how likely it is such a server is dropping tls support > after that work. I'd guess it will be unlikely and errors mostly occur > due to expired certificates or other (temporary) configuration issues. As a matter

Re: Untrusted TLS connection when sending emails to Google

2021-09-17 Thread Viktor Dukhovni
On Sat, Sep 18, 2021 at 12:44:30AM +0200, Gerald Galster wrote: > > Sure, but the forensic value of the signal is rather weak, since you > > learn nothing about the names in the certificate, and anyone can get > > a certificate from Let's Encrypt. So your connection was to some > > server that

Re: Untrusted TLS connection when sending emails to Google

2021-09-17 Thread Viktor Dukhovni
On Fri, Sep 17, 2021 at 07:53:55PM +0200, Gerald Galster wrote: > > I am curious why with opportunistic TLS (security level may), you're > > bothering to take any action to tweak the entirely cosmetic certificate > > path validation status? > > What about parsing the maillog and adding those

Re: Untrusted TLS connection when sending emails to Google

2021-09-17 Thread Viktor Dukhovni
On Fri, Sep 17, 2021 at 01:38:43PM -0300, Fabio S. Schmidt wrote: > Hello David and Gerald, > > Thank you for the answers. I'm reading the documentation and we need to > adjust the smtp_tls_CAfile indeed. I will adjust this as soon as > possible and I will report the result here. I am curious

Re: warning: unreasonable macro call nesting

2021-09-15 Thread Viktor Dukhovni
On Wed, Sep 15, 2021 at 04:17:40PM -0400, post...@ptld.com wrote: > Doing main.cf:milter_rcpt_macros = $milter_rcpt_macros {tls_version} That's a self-recursive definition that results in a variable expansion loop. > Are you supposed to be able to use $variables in milter_*_macros or is > it

Re: multiple ip addresses for submission -- My Google Fu is lacking

2021-09-13 Thread Viktor Dukhovni
On Mon, Sep 13, 2021 at 07:58:26AM -0400, Wietse Venema wrote: > > When a user clicks "send", the email client has to make some > > tcp-connection to some ip address. What if the hostname configured > > at the email client resolves to multiple ip addresses? > > It just seems unlikely that major

Re: How can I temporarily defer internal delivery of e-mails?

2021-09-11 Thread Viktor Dukhovni
On Sat, Sep 11, 2021 at 08:22:46PM +0100, Nick Howitt wrote: > I interpreted this, perhaps mistakenly, as if this were now the running > config of postfix. There is no such thing as "the running config of Postfix". There's just main.cf, master.cf and various processes that have at some point

Re: postfix default cache

2021-09-10 Thread Viktor Dukhovni
On Fri, Sep 10, 2021 at 11:22:30AM -0400, Viktor Dukhovni wrote: > Largely no. A new internal internal interfaces (mostly transport > lookup) have a 1-element LRU cache, but otherwise all queries are > "fresh". Distracted when typing, should have said: > Largely no. A f

Re: postfix default cache

2021-09-10 Thread Viktor Dukhovni
On Fri, Sep 10, 2021 at 01:40:29PM +0200, natan wrote: > I can not find in docu how postfix cached map (via default) > > example: > I have "smtpd_sender_login_maps" - query in ldap > > What I can: > - smtpd_sender_login_maps = > proxy:ldap:/etc/postfix/ldap_sender_login_maps.cf > -

Re: STARTTLS abuse

2021-09-09 Thread Viktor Dukhovni
On Thu, Sep 09, 2021 at 03:21:02PM -0400, J Doe wrote: > >> Sep  6 09:17:42 localhost postfix/smtpd[14622]: disconnect from > >> unknown[77.247.110.240] ehlo=2 starttls=1 auth=0/1 commands=3/4 > > > > That's AUTH probing. A bot on 77.247.110.240 has a big list of usernames > > and passwords and

Re: STARTTLS abuse

2021-09-07 Thread Viktor Dukhovni
On Tue, Sep 07, 2021 at 02:50:09PM -0400, Viktor Dukhovni wrote: > inetnum:77.247.110.0 - 77.247.110.255 > netname:PEENQ-NL-TLN-VPS-01 > country:NL > geoloc: 52.370216 4.895168 > admin-c:PA10298-RIPE > tech-c:

Re: STARTTLS abuse

2021-09-07 Thread Viktor Dukhovni
On Tue, Sep 07, 2021 at 07:42:33PM +0100, Adam Weremczuk wrote: > It's postfix 3.1.6-0+deb9u1 on Debian 9. > > Since enabling STARTTLS on port 25 I'm getting lots of traffic looking > like this (relay attempts?): > > Sep  6 09:17:42 localhost postfix/smtpd[14622]: connect from >

Re: posttls-finger: can't be able to find private/tlsmgr (disablling TLS) when building with -Bsymbolic-functions

2021-09-06 Thread Viktor Dukhovni
On Mon, Sep 06, 2021 at 06:39:32PM +0200, Miriam Espana Acebal wrote: > recently we were working on this bug: > https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1885403. > [...] > posttls-finger: warning: connect to private/tlsmgr: No such file or directory > posttls-finger: warning:

Re: Can't deliver forwarded email coming from amazonses.com

2021-09-01 Thread Viktor Dukhovni
On Wed, Sep 01, 2021 at 09:49:21PM -0400, Steve Dondley wrote: > > I would have opted for "client" rather than "sender" checks, provided a > > sufficiently stable/comprehensive range of source IP addresses for the > > forwarding host were available. > > OK, took a quick look at the documentation

Re: Can't deliver forwarded email coming from amazonses.com

2021-09-01 Thread Viktor Dukhovni
On Wed, Sep 01, 2021 at 04:05:55PM -0400, Steve Dondley wrote: > Thank you. Problem solved. For the benefit of others: > > 1) Add /etc/postfix/sender_checks file: > > amazonses.com OK > > 2) Add check to smtpd_recipient_restrictions config in main.cf: > > smtpd_recipient_restrictions =

Re: Can't deliver forwarded email coming from amazonses.com

2021-09-01 Thread Viktor Dukhovni
On Wed, Sep 01, 2021 at 06:37:59AM -0400, Steve Dondley wrote: > So I followed the instructions at > http://www.postfix.org/ADDRESS_REWRITING_README.html#generic for generic > mapping and set that up. I modified main.cf with: Which leads you to http://www.postfix.org/generic.5.html TABLE

Re: limit record in map

2021-08-31 Thread Viktor Dukhovni
> On 31 Aug 2021, at 4:06 pm, post...@ptld.com wrote: > >> The query should be returning any of the "aliases" (email addresses), > > I think our confusion lies in our understanding of the word alias. You just > said it should return the aliases. I believe this to be wrong. It should > return

Re: limit record in map

2021-08-31 Thread Viktor Dukhovni
On Tue, Aug 31, 2021 at 02:59:09PM -0400, post...@ptld.com wrote: > >> With login mismatch you shouldn't be returning all of the aliases a > >> user is allowed to use, > > > > See above. You have the wrong lookup key, and the wrong value syntax. > > I'm sorry, my usage of English is difficult

Re: limit record in map

2021-08-31 Thread Viktor Dukhovni
On Mon, Aug 30, 2021 at 09:09:26AM -0400, post...@ptld.com wrote: > > What is the character limit (if one exists) in this map for one query There is no explicit limit, large results are fine (thousands of entries might incur some performance cost). > > smtpd_sender_login_maps =

Re: reject_unverified_recipient applied to virtual alias destination

2021-08-27 Thread Viktor Dukhovni
On Fri, Aug 27, 2021 at 11:47:22AM -0600, Jesse Norell wrote: > I am trying to utilize 'reject_unverified_recipient' selectively, so > that only addresses for domains which I host are verified, ahead of > permitting sasl senders, in order to avoid bounces for unknown > recipients of local

Re: Send Delay Warning only to postmaster

2021-08-26 Thread Viktor Dukhovni
On Thu, Aug 26, 2021 at 04:29:27PM -0400, Viktor Dukhovni wrote: > You can start with something like: > > $ postqueue -j | > jq --argjson now "$(date +%s)" ' > ($now - .arrival_time) as $delay | > select (.queue_name ==

Re: Send Delay Warning only to postmaster

2021-08-26 Thread Viktor Dukhovni
On Thu, Aug 26, 2021 at 01:16:25PM -0700, Matt Corallo wrote: > I’m not particularly worried about congestion on this server, but maybe delay > is the wrong warning to focus on - I’d like postmaster notifications for some > temporary bounces, as they can indicate IP reputation rate-limits,

Re: Send Delay Warning only to postmaster

2021-08-26 Thread Viktor Dukhovni
> On 26 Aug 2021, at 4:02 pm, Matt Corallo wrote: > > I’d like to set an aggressive warning delay but only warn postmaster, not the > sender. It appears delay_warning_time is used for both sender-warnings and > notify_classes, so there doesn’t appear to be a way to do this. The delay_warning

Re: Validating FROM address against users

2021-08-26 Thread Viktor Dukhovni
On Thu, Aug 26, 2021 at 01:33:46PM -0400, post...@ptld.com wrote: > Something else strange, I have been trying to replicate this situation > using a dummy server to send my server a message with From: and To: > using the same invalid address. This time I got two reject messages in > the logs:

Re: Validating FROM address against users

2021-08-26 Thread Viktor Dukhovni
On Thu, Aug 26, 2021 at 12:57:14PM -0400, post...@ptld.com wrote: > NOQUEUE: reject: RCPT from unknown[196.188.245.169]: 550 5.1.0 > : Sender address rejected: User unknown in virtual > mailbox table; from= to= proto=ESMTP > helo=<[196.188.245.169]> The built-in defaults are:

Re: Error appended to bounce.cf

2021-08-26 Thread Viktor Dukhovni
On Thu, Aug 26, 2021 at 11:22:51AM -0400, post...@ptld.com wrote: > And only nerds program mail servers from scratch and only nerds run > mail servers. So here we are, and I care. I care because this is > something that NON-nerds interact with and I do like to consider user > friendliness.

Re: Mail spool issues with Postfix

2021-08-25 Thread Viktor Dukhovni
On Thu, Aug 26, 2021 at 06:28:04AM +0200, Benny Pedersen wrote: > > The mailbox_transport setting on main.cf is set to > > lmtp:unix:private/dovecot-lmtp. Dovecot is properly configured to use > > LMTP. Could that be why? The guide Benny referred me to suggested > > using virtual_transport for

Re: I have successfully configured SSL/TLS for Postfix SMTP outgoing mail server for a customer in Singapore on 25 Aug 2021 Wed

2021-08-25 Thread Viktor Dukhovni
On Wed, Aug 25, 2021 at 10:56:20PM +0800, Turritopsis Dohrnii Teo En Ming wrote: > smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache > smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache You might note that the directory needs to be writable by the "postfix"

Re: Today is a good day to DANE!

2021-08-24 Thread Viktor Dukhovni
> On 24 Aug 2021, at 7:58 pm, Matt Corallo wrote: > > May be worth mentioning here that, sadly, Postfix does not support MTA-STS > currently. > > The one implementation at > https://github.com/Snawoot/postfix-mta-sts-resolver/ will reduce security > rather than increase it as

Re: TLSA debugging

2021-08-24 Thread Viktor Dukhovni
On Tue, Aug 24, 2021 at 02:28:12PM -0400, Wietse Venema wrote: > > I'll start adding RES_TRUSTAD support to the 3.3-3.5 stable releases. > > It will combine nicely with the OpenSSL 3.x bitrot patch. > > RES_TRUSTAD support was already released last January with Postfix > 3.3.9, 3.4.11, and

Re: TLSA debugging

2021-08-24 Thread Viktor Dukhovni
On Tue, Aug 24, 2021 at 11:32:01AM -0400, Wietse Venema wrote: > > You probably need to set the "trust AD" option in /etc/resolv.conf > > Postfix 3.6 has this comment in dns_lookup.c: > > /* .IP RES_USE_DNSSEC > /* Request DNSSEC validation. This flag is silently ignored > /* when the

Re: TLSA debugging

2021-08-24 Thread Viktor Dukhovni
On Tue, Aug 24, 2021 at 04:24:30PM +0200, Bastien Durel wrote: > Hello, > > Since I upgraded to debian 11 (postfix 3.5.6, was 3.4.14), my cluster > fails inter-node deliveries. You probably need to set the "trust AD" option in /etc/resolv.conf

Re: Rewrite 'Message-Id' to "Message-ID"

2021-08-23 Thread Viktor Dukhovni
> On 23 Aug 2021, at 2:31 am, wrote: > > recently we have noticed, that our postfix add a lowercase ‚d‘ when he append > value missing Headers, concrete i mean to the mail by the Message-Id value. > Is there a simple and less error way to change this behavior? So that our > mails comply

Re: address_verify_*_*_time

2021-08-22 Thread Viktor Dukhovni
On Sun, Aug 22, 2021 at 02:51:02PM -0400, post...@ptld.com wrote: > So another way to look at it... > > address_verify_positive_refresh_time > Is when the cached data becomes stale and any mail event after > this time would cause another address query to refresh the cached >

Re: address_verify_*_*_time

2021-08-22 Thread Viktor Dukhovni
On Sun, Aug 22, 2021 at 12:42:26PM -0400, post...@ptld.com wrote: > With address_verify_*_*_time im not understanding the difference in > behavior between refresh and expire. The manual says: Cached data is used until it *expires*. When a cache hit is *found* it is immediately used to

Re: Today is a good day to DANE!

2021-08-20 Thread Viktor Dukhovni
> On 20 Aug 2021, at 4:59 pm, Michael Grimm wrote: > > Thanks for that information I didn't think about before. > > All of my domains are signed by KSK(13) and ZSK(13) and I do still rotate my > ZSK's every 90 days after my migration from DSA keys. If I do understand you > correctly, I could

Re: Today is a good day to DANE!

2021-08-18 Thread Viktor Dukhovni
On Thu, Aug 19, 2021 at 02:44:44PM +1000, raf wrote: > > Is google / gmail using it yet? > > Last i knew they weren't using DNSSEC or DANE. > > Nope. Actually, yes to some extent. See my more detailed response. > But it's still a very small percentage overall. I'm tracking ~15.8 million

Re: Today is a good day to DANE!

2021-08-18 Thread Viktor Dukhovni
On Wed, Aug 18, 2021 at 10:03:06PM -0400, post...@ptld.com wrote: > > The adoption of DNSSEC seems to have increased a lot in > > the past 12 months (~30% increase). > > Is google / gmail using it yet? There are 4 GMail MX hosts that are not publicised by Google, but are DNSSEC signed:

Re: Today is a good day to DANE!

2021-08-18 Thread Viktor Dukhovni
> On 18 Aug 2021, at 4:35 pm, Ralph Seichter wrote: > > I still use RSA keys (algorithm 8). My main point is that I find it more > convenient to only roll ZSK, and to only place KSK data into the parent > zone. The latter requires me to ask my hosting provider to manually > update key material

Re: Today is a good day to DANE!

2021-08-18 Thread Viktor Dukhovni
> On 18 Aug 2021, at 3:52 pm, Ralph Seichter wrote: > > Well, sort of. As per default settings, BIND does not appear to create a > key signing key (KSK) / zone signing key (ZSK) pair, but instead one > single key to sign each zone. That's sufficient from a technical > perspective, but whenever

Re: Logging - Handling of Aliases

2021-08-18 Thread Viktor Dukhovni
On Wed, Aug 18, 2021 at 12:27:36PM -0700, Ron Garret wrote: > > Milters are primarily for content filtering, > > Sure, but... > > > they don't or shouldn’t affect address rewriting and message routing. > > That doesn’t make sense to me. One of the main uses of a milter is to > sequester mail
