Re: Block MX from recipients

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 12:55:42PM -0300, SysAdmin EM wrote: > I am checking the mail queue of my postfix server and I am seeing errors in > writing mail accounts, which refer to real domains of free mail providers > such as hotmail, gmail, yahoo. > > BC2CC607AF 881286 Tue May 31 05:19:53

Re: limit recipients

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 05:38:07PM +0200, natan wrote: > > Why do you have "lmtp_destination_recipient_limit = 1", that's a really > > bad idea. Set it to 100 or even 1000 (if Dovecot won't object), and all > > will be well. > > > I do not remember exactly but Some times ago I change from

Re: limit recipients

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 04:52:58PM +0200, natan wrote: > lmtp_destination_concurrency_limit = 100 > lmtp_destination_recipient_limit = 1 > virtual_transport = lmtp:inet:10.xxx.xxx.5:24 Why do you have "lmtp_destination_recipient_limit = 1", that's a really bad idea. Set it to 100 or even 1000

Re: AW: AW: RSA and ECDSA - warning: No certs for key at index 1

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 02:18:35PM +0200, Maurizio Caloro wrote: > ## RSA > /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem > /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem > > >These are the same as the below. > Corrected now to other folder(writing error) > ## ECDSA

Re: limit recipients

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 04:43:23PM +0200, natan wrote: > Increasing the process limits in the dovecot cluster is a workaround (temporary) > solution. I'm thinking about restrictions like: Much better to configure your MTA to do *efficient* delivery, unasking the question. -- Viktor.

Re: limit recipients

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 03:28:30PM +0200, natan wrote: > I have separate servers for outgoing and incomming e-mail like > > One user who have many alias group like: > > 1)alias...@domain1.ltd - 500 recipients > 2)alias...@domain1.ltd - 500 recipients > 3)alias...@domain1.ltd - 500 recipients >

Re: AW: RSA and ECDSA - warning: No certs for key at index 1

2022-05-31 Thread Viktor Dukhovni
On Tue, May 31, 2022 at 01:05:57PM +0200, Maurizio Caloro wrote: > Today create new my key file RSA, and ECDSA, and signed with certbot. > > ## TLS/SSL > /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem > /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem What does "TLS/SSL" mean?

Re: International Domain Characters and Header Checks

2022-05-30 Thread Viktor Dukhovni
On Thu, May 26, 2022 at 11:35:05PM +0200, Benny Pedersen wrote: > > SMTPUTF8 is enabled. > > so there is dns servers with domains in utf8 existing ? > > all my known dns servers uses idn, not eai, postfix imho need to convert > eai to idn dns to know if domain exists on dns > > to block

Re: International Domain Characters and Header Checks

2022-05-30 Thread Viktor Dukhovni
On Thu, May 26, 2022 at 03:39:08PM -0500, Bryan K. Walton wrote: > For example, one of our domain names is courseleaf.com. We want to > block any mail that has similar domain names in the From header. An > example might be: coǔrṣeleaf.com 1. Note that corresponding IDN name is:
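
An added example (not part of the thread, and not Postfix code) of the comparison Bryan is after: take the domain from a From: value, reduce it to a diacritic-free skeleton, and flag it when the skeleton equals a domain you own. The protected set, the `check_from_header` helper and the header values are assumptions for this example; only `courseleaf.com` and `coǔrṣeleaf.com` come from the thread. The A-label conversion uses Python's stdlib IDNA2003 codec, which is adequate for diacritic look-alikes; the skeleton is deliberately simpler than the full UTS #39 algorithm.

```python
import re
import unicodedata
from typing import Optional

# Domains to protect against look-alike From: domains. "courseleaf.com" is the
# domain named in the thread; the set itself is an assumption for this example.
PROTECTED = {"courseleaf.com"}


def to_a_label(domain: str) -> str:
    """Encode a Unicode (U-label) domain as the ASCII xn-- (A-label) form that
    appears in DNS. The stdlib codec implements IDNA2003, which is close enough
    for diacritic look-alikes like the one in the thread."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Crude confusable skeleton: decode xn-- labels back to Unicode, NFKD-decompose,
    drop combining marks (carons, dots below, ...) and case-fold. Not the full
    UTS #39 skeleton, but it catches diacritic-based look-alikes."""
    if domain.isascii():
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # not a valid A-label; compare it as-is
    decomposed = unicodedata.normalize("NFKD", domain)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this one impersonates, or None when it is
    unrelated or is exactly the protected domain itself."""
    sk = skeleton(domain)
    for protected in PROTECTED:
        if sk == skeleton(protected) and domain.casefold() != protected:
            return protected
    return None


def addr_spec(from_value: str) -> str:
    """Pull the addr-spec out of a From: value ("Name <addr>" or a bare addr)."""
    m = re.search(r"<([^<>]+)>", from_value)
    return (m.group(1) if m else from_value).strip()


def check_from_header(from_value: str):
    """Given the value of a From: header, return (domain, protected_domain) when
    the address domain is a look-alike of something we own, else None."""
    addr = addr_spec(from_value)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].rstrip(".")
    hit = lookalike_of(domain)
    return (domain, hit) if hit else None


if __name__ == "__main__":
    # Constructed header values: a raw-UTF-8 (SMTPUTF8) look-alike, an unrelated
    # domain, and the same look-alike in its xn-- form.
    for hdr in ('"Registrar" <noreply@coǔrṣeleaf.com>',
                "someone@example.org",
                "admin@" + to_a_label("coǔrṣeleaf.com")):
        print(repr(hdr), "->", check_from_header(hdr))
```

Both the raw UTF-8 form and the xn-- form of the look-alike resolve to the same skeleton, so a check built this way does not depend on whether the upstream MTA delivered the header as an SMTPUTF8 U-label or as an A-label.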

Re: RSA and ECDSA - warning: No certs for key at index 1

2022-05-30 Thread Viktor Dukhovni
On Mon, May 30, 2022 at 08:52:21AM +0200, Maurizio Caloro wrote: > Trying to install RSA and ECDSA, but it doesn't run like normal mode. Simplest in most cases (and quite sufficient) to stick to just one algorithm. Multiple algorithms require a deeper understanding of what you're doing. >

Re: devnull

2022-05-30 Thread Viktor Dukhovni
> On 30 May 2022, at 2:03 pm, Juerg Reimann wrote: > >> In virtual_alias_maps: >> >> donotreply@some.domain devnull@localhost >> >> Assuming that localhost is listed in $mydestination. >> >> Wietse > > Thanks a lot, the @localhost did the trick! Using local aliases(5) to /dev/null for

Re: devnull

2022-05-30 Thread Viktor Dukhovni
On Mon, May 30, 2022 at 11:38:19AM -0400, Bill Cole wrote: > Just use a check_sender_access map (in one of the smtpd_*_restrictions > lists) that maps the address to DISCARD. That discards the message for *all* recipients, which is not the stated goal. -- Viktor.

Re: devnull

2022-05-30 Thread Viktor Dukhovni
On Mon, May 30, 2022 at 05:15:56PM +0200, Juerg Reimann wrote: > I'm trying to setup a mail address that basically gets devnulled. I > have virtual domains, so I did the usual: > > Excerpt from my main.cf: > > 30 alias_database = hash:/opt/local/etc/postfix/aliases > 31 alias_maps =

Re: Postfix+SASL chrooted - out of ideas (SASL_README tweak)

2022-05-29 Thread Viktor Dukhovni
On Mon, May 30, 2022 at 12:48:46PM +1000, raf wrote: > I don't think that's entirely correct. On Debian, for > example, the default value of cyrus_sasl_config_path is > empty, and /etc/postfix/sasl is the directory that is > used. Well, how exactly does that happen? I don't see any patches to

Re: Postfix+SASL chrooted - out of ideas

2022-05-29 Thread Viktor Dukhovni
> On 29 May 2022, at 5:15 pm, Jim Garrison wrote: > > One possible suggestion for Postfix: Since it appears Postfix was > never able to even establish contact with Cyrus SASL, it might be nice > to detect that condition and provide a different error message than > just "authentication failed",

Re: Postfix+SASL chrooted - out of ideas (SASL_README tweak)

2022-05-29 Thread Viktor Dukhovni
On Sat, May 28, 2022 at 10:32:56PM -0400, Viktor Dukhovni wrote: > > This might be irrelevant, but the SASL readme mentions > > that on some systems Postfix is modified to look for > > the Cyrus SASL config in /etc/postfix/sasl or > > /var/lib/sasl2. On Debian, i

Re: Postfix+SASL chrooted - out of ideas

2022-05-28 Thread Viktor Dukhovni
On Sun, May 29, 2022 at 12:12:29PM +1000, raf wrote: > On Sat, May 28, 2022 at 05:11:22PM -0700, Jim Garrison wrote: > > > For completeness here's everything I can think of that could be > > related: > > > > $ ls -ld /etc/sasl2 > > drwxr-xr-x 2 root root 4096 May 19 00:58 /etc/sasl2 > > > > $

Re: Postfix+SASL chrooted - out of ideas

2022-05-28 Thread Viktor Dukhovni
On Sat, May 28, 2022 at 05:11:22PM -0700, Jim Garrison wrote: > Foreground saslauthd command, including debug output from > successful testsaslauthd but no log entries corresponding to the > immediately above extract from the Postfix log: > > $ sudo saslauthd -a pam -d -c -m

Re: Postfix+SASL chrooted - out of ideas

2022-05-28 Thread Viktor Dukhovni
[ Please respect the "Reply-To" header] On Sat, May 28, 2022 at 12:47:24PM -0700, Jim Garrison wrote: > On 5/27/2022 8:31 PM, Viktor Dukhovni wrote: > > Why not just read the SASL_README that comes with Postfix, e.g. at: > > > > https://www.postfix.org/SASL_

Re: AW: transport map with TLS policies?

2022-05-28 Thread Viktor Dukhovni
On Sat, May 28, 2022 at 03:09:40PM +0200, Joachim Lindenberg wrote: > I don´t get why defining a different transport per domain should be > easier than defining a tls policy per domain, and my configuration is > mostly automated anyway. Not *per-domain*, per TLS security level. All domains that

Re: Postfix+SASL chrooted - out of ideas

2022-05-27 Thread Viktor Dukhovni
On Fri, May 27, 2022 at 06:22:01PM -0700, Jim Garrison wrote: > I'm migrating from an ancient Postfix 2.6.6 with SASL 2.1.23 on Centos > 6 to 3.5.6 with SASL 2.1.27 on Debian 11. I've got everything working > EXCEPT SASL authentication, and the amount of conflicting information > on Postfix+SASL

Re: tricky dual delivery challenge

2022-05-27 Thread Viktor Dukhovni
On Fri, May 27, 2022 at 07:55:31AM -0400, charlie derr wrote: > Are there any suggestions on how we can make sure that both internally > generated and external email reach both Gmail and Dovecot mailboxes > without creating a routing loop? Yes, you should gateway the "Bcc" email traffic from

Re: transport map with TLS policies?

2022-05-27 Thread Viktor Dukhovni
On Fri, May 27, 2022 at 09:21:23AM +0200, Joachim Lindenberg wrote: > I added a transport map (or “route” as mailcow-dockerized calls it) > that points to the alive MX What was the exact form of the transport entry? Presumably, something like: example.com smtp:[mx1.example.com] > plus

Re: Spamtrap email — milter that can still receive, but reject?

2022-05-24 Thread Viktor Dukhovni
On Tue, May 24, 2022 at 04:14:33PM +0200, Dan Mahoney wrote: > Is there a milter of some sort that I can configure to reject (for > some to: addresses) at the end of DATA, but still forward the mail on? > I'm dealing with some deleted users who both got a lot of spam, but > also were in the

Re: limit rewriting headers in canonical_maps

2022-05-24 Thread Viktor Dukhovni
On Tue, May 24, 2022 at 08:02:15AM -0600, James Feeney wrote: > > I would like only to rewrite the original From: since that one is used for > > DKIM signatures. I haven't expected more headers to be rewritten. > > > > If there's no way to do this now, I'll have to search for one. > > Would

Re: Milter_Readme - Documentation Edit Request - "order", "reject" and "override" - multiple message modifications?

2022-05-24 Thread Viktor Dukhovni
On Tue, May 24, 2022 at 08:12:57AM -0600, James Feeney wrote: > >> What I'm wondering is, is it possible - or even reasonable - to > >> have OpenDKIM "sign" outgoing messages, and have Rspand "verify" > >> incoming messages?  Or, that's not going to work? > > > > since milters run when message

Re: limit rewriting headers in canonical_maps

2022-05-24 Thread Viktor Dukhovni
> On 24 May 2022, at 8:09 am, Matus UHLAR - fantomas wrote: > > I have customer where incoming messages have the > "message was received from external source" > banned added. > > The resulting messages don't have valid DKIM-signature: (or none at all), and > the only way to forward without

Re: limit rewriting headers in canonical_maps

2022-05-24 Thread Viktor Dukhovni
> On 24 May 2022, at 5:24 am, Matus UHLAR - fantomas wrote: > > for SRS testing I set up rewriting of e-mail headers in outgoing e-mail: > > sender_canonical_maps=tcp:localhost:10001 > sender_canonical_classes=envelope_sender,header_sender > remote_header_rewrite_domain=fantomas.sk > > hoping

Re: matching envelope sender and a certain header

2022-05-23 Thread Viktor Dukhovni
On Mon, May 23, 2022 at 09:41:39AM +0200, Ansgar Wiechers wrote: > > We got a request to match the envelope sender with a certain mail > > header (i.e. X-Something) on our relay servers for every outbound > > mails and reject the email if the sender and the value of this header > > don't match. >

Re: Change Recipient Case?

2022-05-22 Thread Viktor Dukhovni
> On 22 May 2022, at 11:59 am, post...@ptld.com wrote: > > I am confused on this. > I read the pipe(8) and lmtp(8) pages and it is unclear to me how i would use > pipe flags with lmtp. > Do i need to replace using lmtp with pipe? Or does pipe work in conjunction > with lmtp? > I assume for lmtp

Re: Change Recipient Case?

2022-05-21 Thread Viktor Dukhovni
> > On 21 May 2022, at 11:23 am, post...@ptld.com wrote: > > My goal is to have postfix deliver to LMTP lowercase recipient addresses to > overcome a dovecot shortcoming (delimited forwarding to special folders) that > dovecot doesn't appear interested in fixing. For each affected recipient

Re: Mail looping issue

2022-05-21 Thread Viktor Dukhovni
On Sat, May 21, 2022 at 12:09:37AM -0700, Jeremy Hansen wrote: > What I experience when the port forward is enabled is suddenly > “things” out there are attempting to just email random addresses at > the AWS instance hostname. You don't have to accept such mail, or if you do, you don't have to

Re: Change Recipient Case?

2022-05-21 Thread Viktor Dukhovni
On Sat, May 21, 2022 at 10:07:57AM -0400, post...@ptld.com wrote: > What is the best option for changing the recipient address case such > as forcing all to be lowercase? > > > All you need is a case folding regexp before your real virtual table. > > > > /etc/postfix/main.cf: > > virtual_maps =

Re: International Domain Characters and Header Checks

2022-05-21 Thread Viktor Dukhovni
On Fri, May 20, 2022 at 03:54:36PM -0500, Bryan K. Walton wrote: > We are trying to do some header checks that block on both the From and > Return Path header, but that also block some addresses with > international characters in them. Characters like: The "Return-Path" header is added during

Re: Migrate mbox from 2.6.6 to 3.5.6

2022-05-20 Thread Viktor Dukhovni
> On 20 May 2022, at 9:09 am, Rob McGee wrote: > > It's also perhaps worth mentioning that Postfix has nothing to to with > mail once it has been delivered. This question should have been sent > to a mailing list for the unstated IMAP server. This is almost true. The main caveat is that either

Re: transport_maps with address extension (user+ext@domain)

2022-05-19 Thread Viktor Dukhovni
On Thu, May 19, 2022 at 01:06:09PM +0200, Jan-Martin Raemer wrote: > /etc/postfix/transport: > user@domain smtp:[nondefault-relay.domain]:25 > user+ext@domain smtp:[nondefault-relay.domain]:25 Unsolicited advice, avoid per-user transport mappings, instead use virtual(5) rewriting to map special

Re: First world problem ...

2022-05-16 Thread Viktor Dukhovni
> On 16 May 2022, at 9:35 pm, Matus UHLAR - fantomas wrote: > >> Any idea to whitelist ? > > perhaps the null address at outgoing server, so you don't reject your own > bounces No. Better to apply the reject rule only on the inbound side, where it should only lead to bounces on remote

Re: add alias without reload

2022-05-14 Thread Viktor Dukhovni
> On 14 May 2022, at 8:20 pm, wilson wrote: > > postfix can know the alias was added even if there is no postfix reload. Unless the change is *urgent*, just make it, and it is noticed automatically, before too long. Changes in databases such as LDAP, Postgres and MySQL are noticed right away.

Re: Alias and user same name: What happens?

2022-05-10 Thread Viktor Dukhovni
On Tue, May 10, 2022 at 09:03:59AM +0200, lutz.niede...@gmx.net wrote: > userA and userB are real local users with a mailbox. What happens in > case of an aliases line like this: > > userA: userA, userB > > Does it deliver to local users userA and userB? I assume that it does not > loop.

Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-10 Thread Viktor Dukhovni
On Mon, May 09, 2022 at 03:03:42PM -0400, Wietse Venema wrote: > > - I don't quickly have an example of bad things that can happen > > with Milter inspection of Postfix-generated mail. That doesn't mean > > that such bad things don't exist. > > So, with that caveat you can turn on DKIM signing

Re: postscreen_access_list and SPF bypass

2022-05-07 Thread Viktor Dukhovni
On Sat, May 07, 2022 at 02:55:36PM -0400, Alex wrote: > It appears that entries included in my postscreen_access_list are > being used to also bypass SPF checks by policyd-spf. Is this > intentional? Would someone explain to me how this works? This is not possible. Postscreen(8) just rejects

Re: Pass the environment variable to the smtpd daemon

2022-05-06 Thread Viktor Dukhovni
> On 7 May 2022, at 12:57 pm, postfix-user wrote: > > Can you please tell me how to pass an environment variable (like > SSLKEYLOGFILE) to the smtpd daemon ? Maybe as an alternative, if the master > process can't allow this, there are examples of running smtpd directly from > systemd ?

Re: off-topic mta-sts/office.com question

2022-05-01 Thread Viktor Dukhovni
On Mon, May 02, 2022 at 12:04:13PM +1000, raf wrote: > The test email bounced with the following report: > > > Diagnostic information for administrators: > > > > Generating server: ME3PR01MB8390.ausprd01.prod.outlook.com > > Receiving server: ME3PR01MB8390.ausprd01.prod.outlook.com > > > >

Re: header_checks and regexes

2022-05-01 Thread Viktor Dukhovni
On Sun, May 01, 2022 at 03:54:16PM -0400, Alex wrote: > > Conditional header checks require a milter or content filter that > > can make such fine distinctions. Postfix built-in header checks > > are global. > > I need to find a way to have different policies for different domains > on the same

Re: check_client_access

2022-04-30 Thread Viktor Dukhovni
On Sat, Apr 30, 2022 at 08:55:54PM +1000, raf wrote: > Ah yes, and access(5) says .domain.tld only matches > subdomains when smtpd_access_maps is not in > parent_domain_matches_subdomains, but it is there by > default, so ".domain.tld" wouldn't work at all. It > needs to be "domain.tld". I

Re: check_client_access

2022-04-29 Thread Viktor Dukhovni
On Sat, Apr 30, 2022 at 10:28:06AM +1000, raf wrote: > > .domain.tld > > > > Matches subdomains of domain.tld, but only when the > > string smtpd_access_maps is not listed in the Postfix > > parent_domain_matches_subdomains configuration setting. > > The .domain.tld notation only covers a single

Re: Inconsistency between postconf(5) and IPV6_README

2022-04-29 Thread Viktor Dukhovni
On Sat, Apr 30, 2022 at 12:49:30AM +, Pau Amma wrote: > I finally got around to this, or rather to the half that didn't have a > mention of NO_IPV6. While there, I noticed a stray uppercase letter > elsewhere (2x) and fixed that as well. Patch (generated from > postfix-3.8-20220421)

Re: password security

2022-04-27 Thread Viktor Dukhovni
> On 27 Apr 2022, at 12:45 pm, Michael Ströder wrote: > > But my concern is rather that I would not connect my KDC to the Internet (for > now leaving aside approaches like proxy KCM). > > In general I'm leaning more towards using asymmetric keys for authc. On my > personal to-do list is to

Re: password security

2022-04-27 Thread Viktor Dukhovni
> On 27 Apr 2022, at 12:27 pm, Michael Ströder wrote: > >> one way to authenticate may be using Kerberos. > > Not recommended for roaming users accessing submission service via public > Internet. Suitability depends on the user base, ... my personal mail server indeed supports SASL GSSAPI

Re: Exclude non-existing subdomains from checking

2022-04-27 Thread Viktor Dukhovni
On Wed, Apr 27, 2022 at 08:42:25AM +0200, Varadi Gabor wrote: > > /\.that-domain\.com$/ OK > > /.*\.that-domain\.com$/ OK > > Tested in https://www.debuggex.com/?flavor=pcre No. The original form is better. The leading ".*" is unnecessary and may be less efficient. The OP

Re: for what file need to run postmap

2022-04-27 Thread Viktor Dukhovni
On Wed, Apr 27, 2022 at 06:12:53PM +0800, al...@coakmail.com wrote: > I guess this kind of file doesn't need to run postmap against it? > > virtual_mailbox_domains = /etc/postfix/virtual_mailbox_domains > virtual_alias_domains = /etc/postfix/virtual_alias_domains These are "match lists", the

Re: TLS reporting

2022-04-26 Thread Viktor Dukhovni
> On 26 Apr 2022, at 9:27 pm, Dan Mahoney wrote: > > So, alternate question then -- is there any level of debug logging that > postfix can emit that would let one construct these reports based a log trawl? I think the answer is still no. -- Viktor.

Re: password security

2022-04-26 Thread Viktor Dukhovni
On Tue, Apr 26, 2022 at 11:54:21PM +0900, Byung-Hee HWANG wrote: > > There is obviously a point where the server won't be capable of > > handling the load, always. But what are the odds with "just" a > > brute-force on passwords/accounts? > > Our outbound/internal mail gateway handles the traffic

Re: HELO regexp file not working to block unwanted sender

2022-04-26 Thread Viktor Dukhovni
On Mon, Apr 25, 2022 at 09:38:50PM -0700, Greg Earle wrote: > >> All of the sending hostnames are of the form > >> > >> www-data@vNNN-NNN-NNN-NNN.*.static.cnode.io > > > > That's not a hostname, it is an email address, and not clear whether > > the > > envelope sender or the "From:" message

Re: HELO regexp file not working to block unwanted sender

2022-04-25 Thread Viktor Dukhovni
On Mon, Apr 25, 2022 at 08:57:01PM -0700, Greg Earle wrote: > [root@isolar tmp]# postconf -Px |grep check_helo_access > submission/inet/mua_helo_restrictions = permit_mynetworks, > reject_non_fqdn_hostname, reject_non_fqdn_sender, > reject_non_fqdn_recipient, reject_invalid_hostname,

Re: HELO regexp file not working to block unwanted sender

2022-04-25 Thread Viktor Dukhovni
On Mon, Apr 25, 2022 at 03:26:52PM -0700, Greg Earle wrote: > All of the sending hostnames are of the form > > www-data@vNNN-NNN-NNN-NNN.*.static.cnode.io That's not a hostname, it is an email address, and not clear whether the envelope sender or the "From:" message header. > For example, here

Re: secondary MX question

2022-04-25 Thread Viktor Dukhovni
On Tue, Apr 26, 2022 at 08:47:22AM +0800, ミユナ (alice) wrote: > given the case my primary MX is in USA. if I deploy a secondary MX in > the EU, how can I setup EU MX to forward messages to the US one? > > using a internal MX record for destination? for instance, > internal.domain.com points to

Re: how other MTA talks to me

2022-04-24 Thread Viktor Dukhovni
On Sun, Apr 24, 2022 at 04:59:11PM +0200, Matus UHLAR - fantomas wrote: > >smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache > > keep this one, as you are the client supposed to have this data > > >smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > >

Re: how other MTA talks to me

2022-04-24 Thread Viktor Dukhovni
On Sun, Apr 24, 2022 at 05:42:39PM +0200, Benny Pedersen wrote: > On 2022-04-24 15:08, Byung-Hee HWANG wrote: > >>> This is useful testing site: > >>> > > > > Also smtp*_tls_loglevel are useful to debug. > > more trees in the wood hide the real tree The

Re: how other MTA talks to me

2022-04-24 Thread Viktor Dukhovni
On Sun, Apr 24, 2022 at 08:42:01PM +0800, ミユナ (alice) wrote: > Viktor Dukhovni wrote: > >> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > > You typically don't need this, session tickets make a server-side cache > > needless baggage. >

Re: how other MTA talks to me

2022-04-24 Thread Viktor Dukhovni
On Sun, Apr 24, 2022 at 06:34:17PM +0800, ミユナ (alice) wrote: > but for smtp service on port 25, how other MTA talks to me? they are > using plain, startTLS or SSL? STARTTLS: https://datatracker.ietf.org/doc/html/rfc3207 > My configuration on main.cf include: > > smtp_use_tls = yes >

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-24 Thread Viktor Dukhovni
On Sun, Apr 24, 2022 at 01:19:49PM +0200, Michael Grimm wrote: > This time the maillog files are unedited (besides my local hostnames), > thus showing the real IPs. Some do resolve, some not. > > I reported in my first post that all those 'signal 11' events were > headed by 'BARE NEWLINE'

Re: question about certificates usage

2022-04-23 Thread Viktor Dukhovni
On Sun, Apr 24, 2022 at 09:23:00AM +0800, ミユナ (alice) wrote: > since the MUA uses coakmail.com as smtp/imap servers, this has no problem. > > but my MX RR is: box.coakmail.com If you're using an https://mailinabox.email appliance, a suitable certificate will be obtained automatically. If not,

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-23 Thread Viktor Dukhovni
On Sat, Apr 23, 2022 at 10:28:37PM -0400, Wietse Venema wrote: > It would be invaluable to have a recording of a complete session > with that system. Something like: > > tcpdump -i name-of-interface is 2000 -w /file/name host 1.2.3.4 I think Wietse meant "-s 2000" rather than "is" 2000.

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-23 Thread Viktor Dukhovni
On Sat, Apr 23, 2022 at 09:02:09PM -0400, Wietse Venema wrote: > The PREGREET logging for those eight crashing sessions shows that > this client 1.2.3.4 was changing its TLS record version from 0x0303 > (\003\003) to 0x0302 (\003\002) to 0x0301 (\003\001). > > Mar 28 01:33:22 mail.lan

Re: Rewriting envelope-from of root mail (realname, not email address)

2022-04-23 Thread Viktor Dukhovni
On Sat, Apr 23, 2022 at 05:18:06PM -0700, Dan Mahoney wrote: > Does postfix have any support at all for rewriting the non-email-address > portion of the from line? (The “Real name” portion). Only by way of override in sendmail(1) IIRC. The MTA does not rewrite display names in any systematic

Re: auth between postfix and dovecot?

2022-04-23 Thread Viktor Dukhovni
On Sat, Apr 23, 2022 at 12:35:06PM +0800, ミユナ (alice) wrote: > service lmtp { > unix_listener /var/spool/postfix/private/dovecot-lmtp { > mode = 0600 > user = postfix > group = postfix > } This supports message delivery from Postfix to dovecot via LMTP. > unix_listener

Re: Rewriting envelope-from of root mail (realname, not email address)

2022-04-23 Thread Viktor Dukhovni
> > On 23 Apr 2022, at 10:15 am, Demi Marie Obenour wrote: > >>> >>> I have no advice re DMARC, never have or will use it. >> >> Which indeed IS a word of advice. :) It wasn't. I have no need for DMARC, others are welcome to use it or not as they see fit. Ideally after understanding the

Re: Rewriting envelope-from of root mail (realname, not email address)

2022-04-22 Thread Viktor Dukhovni
On Fri, Apr 22, 2022 at 06:54:56PM -0700, Dan Mahoney wrote: > masquerade_domains = !ops.foo.org, !support.foo.org, !gitlab.foo.org, > !lists.foo.org, isc.org > masquerade_exceptions = root Personally, I avoid masquerade_domains, because it does wildcard rewriting, and effectively breaks

Re: dkim setup with letsencrypt

2022-04-22 Thread Viktor Dukhovni
On Fri, Apr 22, 2022 at 06:33:42PM -0400, Wietse Venema wrote: > (alice): > > I have made ssl with letsencrypt done :) I found either startssl or TLS > > works. so may i ask is there a guide for adding DKIM to the outgoing > > messages with the same letsencrypt certs? > > TLS is not DKIM. TLS

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-20 Thread Viktor Dukhovni
On Wed, Apr 20, 2022 at 08:26:16PM -0400, Viktor Dukhovni wrote: > > this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD > > 13.1-STABLE. > > You could install the "postfix" rather than "postfix-current" port. > I have: > >

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-20 Thread Viktor Dukhovni
On Wed, Apr 20, 2022 at 10:20:56PM +0200, Michael Grimm wrote: > this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD > 13.1-STABLE. You could install the "postfix" rather than "postfix-current" port. I have: -rw-r--r-- 1 root wheel 13544 Mar 17 17:23

Re: warning: process /usr/local/libexec/postfix/postscreen pid xxxxx killed by signal 11

2022-04-20 Thread Viktor Dukhovni
> > On 20 Apr 2022, at 4:20 pm, Michael Grimm wrote: > > Apr 20 06:36:27 mail.lan postfix/postscreen[74803]: PREGREET 429 > after 0 from [1.2.3.4]:49074: > \026\003\003\001\250\001\000\001\244\003\003\327j\316\343\332\272\233\200\236\017\243`\342e\217\204\ That looks like a TLS client
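
An added example (not part of the thread, and not Postfix code) that does by hand what Viktor and Wietse did by eye in this thread and in the follow-up about the client cycling its record version through 0x0303, 0x0302 and 0x0301: it parses postscreen's PREGREET log line, turns the octal-escaped bytes back into the raw data, and reports whether the client sent a TLS record, whether that record is a ClientHello, and which record and ClientHello versions it carries. The log-line format is the one visible in the thread; the three sample lines, the client addresses and the byte strings are constructed for this example.

```python
import re

# postscreen(8) logs pre-greeting traffic as
#   "PREGREET <n> after <secs> from [ip]:port: <bytes>"
# with non-printable bytes as three-digit octal escapes (\026 = 0x16) and
# CR/LF as \r \n. Format taken from the thread; sample lines are constructed.
PREGREET_RE = re.compile(
    r"postscreen\[\d+\]: PREGREET (?P<len>\d+) after (?P<delay>[\d.]+) "
    r"from \[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<data>.*)$"
)
ESCAPE_RE = re.compile(r"\\([0-3][0-7]{2})|\\([rnt\\])")
NAMED_ESCAPES = {"r": 0x0D, "n": 0x0A, "t": 0x09, "\\": 0x5C}

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def unescape_postfix(logged: str) -> bytes:
    """Turn the escaped log representation back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(logged):
        out += logged[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))
        else:
            out.append(NAMED_ESCAPES[m.group(2)])
        pos = m.end()
    out += logged[pos:].encode("latin-1")
    return bytes(out)


def classify_pregreet(raw: bytes) -> dict:
    """Say what the client sent before the banner. A TLS record starts
    0x16 (handshake) 0x03 <minor> <len16>; a ClientHello body inside it
    starts 0x01 <len24> <client_version16>."""
    info = {"kind": "other", "length": len(raw)}
    if len(raw) >= 5 and raw[0] == 0x16 and raw[1] == 0x03 and raw[2] <= 0x04:
        info["kind"] = "tls-record"
        info["record_version"] = TLS_VERSIONS.get(int.from_bytes(raw[1:3], "big"), "unknown")
        info["record_length"] = int.from_bytes(raw[3:5], "big")
        if len(raw) >= 11 and raw[5] == 0x01:
            info["kind"] = "tls-client-hello"
            info["handshake_length"] = int.from_bytes(raw[6:9], "big")
            info["hello_version"] = TLS_VERSIONS.get(int.from_bytes(raw[9:11], "big"), "unknown")
    elif raw[:4].upper() in (b"EHLO", b"HELO"):
        info["kind"] = "smtp-command"
    return info


def analyze_log_line(line: str):
    """Return (client_ip, classification) for a PREGREET line, None for any other line."""
    m = PREGREET_RE.search(line)
    if m is None:
        return None
    return m.group("ip"), classify_pregreet(unescape_postfix(m.group("data")))


# Constructed sample lines (only a prefix of each client's data is shown,
# as in the real log excerpt). 192.0.2.10 talks TLS to the plaintext port,
# first with a TLS 1.2 record version, then retrying with TLS 1.0;
# 198.51.100.7 is an ordinary bot that sends EHLO before the banner.
SAMPLE_LINES = [
    r"Apr 20 06:36:27 mail.lan postfix/postscreen[74803]: PREGREET 50 after 0 from [192.0.2.10]:49074: "
    r"\026\003\003\000\055\001\000\000\051\003\003\327j\316\343\332\272\233\200\236\017\243`\342e\217\204",
    r"Apr 20 06:36:28 mail.lan postfix/postscreen[74803]: PREGREET 50 after 0 from [192.0.2.10]:49075: "
    r"\026\003\001\000\055\001\000\000\051\003\001\327j\316",
    r"Apr 20 06:40:01 mail.lan postfix/postscreen[74803]: PREGREET 14 after 0.1 from [198.51.100.7]:2551: "
    r"EHLO ylmf-pc\r\n",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyze_log_line(line))
```

Grouping the classifications by client IP over a day of logs separates "speaks TLS on port 25" probes from the usual early-talking spambots, which is the distinction the thread was making from the raw escapes.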

Re: spam emails with "to:" line missing

2022-04-19 Thread Viktor Dukhovni
On Tue, Apr 19, 2022 at 09:45:12PM -0600, @lbutlr wrote: > On 2022 Apr 15, at 16:53, Viktor Dukhovni wrote: > > On Fri, Apr 15, 2022 at 04:30:19PM -0600, @lbutlr wrote: > > > >> However, it is *very* common for a BBC email to have a To header with > >&

Re: Prepend add extra symbol in header

2022-04-19 Thread Viktor Dukhovni
On Tue, Apr 19, 2022 at 03:25:53PM -0300, SysAdmin EM wrote: > should also be corrected in the file sender_canonical? > > /@gmail.com/ nore...@kiusys.com > > /@gmail.cl/ nore...@kiusys.com > > /@hotmail.com/ nore...@kiusys.com > > /@outlook.com/ nore...@kiusys.com > > /@satena.com/

Re: TLS reporting

2022-04-19 Thread Viktor Dukhovni
On Tue, Apr 19, 2022 at 05:33:50PM -0700, Dan Mahoney wrote: > Does postfix have any support for TLS reporting (RFC8460)? > > Technically, one need not be using MTA-STS to benefit from this. We > get monitoring of this with our dmarc monitoring provider, and it > feels like it would be useful

Re: Prepend add extra symbol in header

2022-04-19 Thread Viktor Dukhovni
> On 19 Apr 2022, at 10:22 am, Wietse Venema wrote: > > If you must do this, why not copy the entire From: value? > >/^From:(.+@example\.com\b.+) Reply-To:$1 > > Note: the \b matches a word boundary, and the \. matches . instead > of every character. Since '\b' will also match before a
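
An added example (not from the thread, and not Postfix code) that runs the pattern quoted above against a handful of constructed From: values so the two points about it become visible: `\b` is a word boundary and so also matches before "." or "-", which means `example.com.attacker.test` and `example.com-billing.test` both fire the rule, and an unescaped "." matches any character. A tightened variant and the choice of delimiters it accepts are this example's, not the thread's; `example.com` stands in for the real domain.

```python
import re

# The pattern proposed in the thread, with \. escaped and \b as a word boundary.
# Python's re and Postfix pcre tables agree on the semantics of \b and \. used here.
THREAD_PATTERN = re.compile(r"^From:(.+@example\.com\b.+)", re.IGNORECASE)

# Same pattern without the backslash before the dot: "." now matches any character.
UNESCAPED_DOT = re.compile(r"^From:(.+@example.com\b.+)", re.IGNORECASE)

# Tightened version: the domain must be followed by the end of the addr-spec
# (closing ">", whitespace, "," or ";") or by the end of the header, and the
# trailing .* may be empty so a bare "From: user@example.com" still matches.
# The delimiter set is an assumption of this example.
TIGHT = re.compile(r"^From:(.+@example\.com(?=[>\s,;]|$).*)", re.IGNORECASE)

# Constructed From: header values as header_checks would see them.
CASES = {
    "angle_brackets": "From: Alice <alice@example.com>",
    "bare_address": "From: alice@example.com",
    "subdomain_of_attacker": 'From: "Alice" <alice@example.com.attacker.test>',
    "hyphen_lookalike": "From: Alice <alice@example.com-billing.test>",
    "dot_as_wildcard": "From: Alice <alice@examplexcom>",
}


def evaluate(pattern: re.Pattern) -> dict:
    """Apply one header_checks-style pattern to every case; True means the rule fires."""
    return {name: pattern.search(header) is not None for name, header in CASES.items()}


if __name__ == "__main__":
    for label, pattern in (("thread", THREAD_PATTERN),
                           ("unescaped-dot", UNESCAPED_DOT),
                           ("tight", TIGHT)):
        print(label, evaluate(pattern))
```

Two things the table of results makes plain: the thread's pattern fires on both look-alike domains but not on a bare address (the trailing `.+` demands at least one more character after the domain), while the tightened pattern inverts both outcomes.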

Re: spam emails with "to:" line missing

2022-04-15 Thread Viktor Dukhovni
On Fri, Apr 15, 2022 at 04:30:19PM -0600, @lbutlr wrote: > However, it is *very* common for a BBC email to have a To header with > no email address in it at all, This violates RFC5322 and earlier versions. The "To:" header must contain at least one address (or group).

Re: match empty sender in hash: sender access map?

2022-04-13 Thread Viktor Dukhovni
On Thu, Apr 14, 2022 at 12:25:11AM -0400, Greg Klanderman wrote: > > This is naturally documented in access(5), and also in postconf(5) > > under: > > > > smtpd_null_access_lookup_key (default: <>) > >The lookup key to be used in SMTP access(5) tables instead of the > >null

Re: connection timeout ?

2022-04-13 Thread Viktor Dukhovni
On Wed, Apr 13, 2022 at 10:04:59PM -0400, John Levine wrote: > >in other words if a domain is nullMx postfix still reject it, aswell for > >senders > > Not all MTAs work the same. Not even Postfix :-) By default mail is accepted from NullMX envelope sender domains, to reject it one must elect

Re: Announcement: LetsDNS release 1.0 is now available

2022-04-12 Thread Viktor Dukhovni
> On 12 Apr 2022, at 1:05 pm, Ralph Seichter wrote: > > I invite you and other interested parties to discuss this on GitHub [1] > rather than the Postfix mailing list. Release 1.0 is meant to provide > core functionality, and follows the "release early and often" approach. > There is of course

Re: Announcement: LetsDNS release 1.0 is now available

2022-04-12 Thread Viktor Dukhovni
> On 12 Apr 2022, at 12:36 pm, Erwan David wrote: > > Does it handle restarting/reloading a program when changing the certificate ? > Postfix does not need it, but dovecot does. My first impression reading the docs is that "LetsDNS" is not involved in certificate rollovers. Its job is solely

Re: setup postfix to send email

2022-04-12 Thread Viktor Dukhovni
> On 12 Apr 2022, at 10:30 am, Bill Cole wrote: > > Most people do not need to run their own full-function mail server from the > OS up. You can cause yourself major headaches by trying to do so, and as a > 'newbie' you are likely to do so. If your registrar supports bi-directional > relay

Re: Solving reverse DNS problem with Postfix configuration?

2022-04-11 Thread Viktor Dukhovni
On Mon, Apr 11, 2022 at 06:20:46PM +0200, Richard Rasker wrote: > That is a very friendly offer, but if I do, that would of course only be > temporary, so that I can send e-mail again, and I'd contact you in advance. > > Just to make sure: I guess I need to change my MX record for this to >

Re: Allow anonymous login

2022-04-10 Thread Viktor Dukhovni
On Sun, Apr 10, 2022 at 12:29:36PM -0700, Noah wrote: > I am working in a software test environment and need to allow anonymous > logins to postfix. What configuration knobs does postfix need? Use a test login. The "need" to allow anonymous logins seems unmotivated. What SASL mechanism are

Re: match empty sender in hash: sender access map?

2022-04-10 Thread Viktor Dukhovni
On Sun, Apr 10, 2022 at 02:27:33PM -0400, Greg Klanderman wrote: > Quick question, what is the correct syntax to match an empty sender in > a hash: sender access map (i.e. check_sender_access)? This is naturally documented in access(5), and also in postconf(5) under:

Re: Postfix 3.5.9 SSL accept error Microsoft Exchange

2022-04-10 Thread Viktor Dukhovni
On Sun, Apr 10, 2022 at 10:44:05AM +0200, Admin Beckspaced wrote: > Dehydrated has the option for different certificate types so I went with > ECDSA and RSA > > https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md > > Added the following to main.cf > > # RSA default >

Re: access list ordering

2022-04-09 Thread Viktor Dukhovni
On Sat, Apr 09, 2022 at 05:58:33PM -0400, Alex wrote: > Following up with my other email, I think I can ask the question more > directly. Off hand, I did not see any questions in your post. > I found it was necessary to have an entry in a check_recipient_access > map with the old address as

Re: Postfix 3.5.9 SSL accept error Microsoft Exchange

2022-04-09 Thread Viktor Dukhovni
On Sat, Apr 09, 2022 at 10:55:03AM +0200, Admin Beckspaced wrote: > > That host has an ECDSA P384 certificate. This is liable to not be > > supported by older systems. For maximum interoperability, RSA is safer, > > or with ECDSA perhaps P256, though likely that too is not supported by > > a

Re: Postfix 3.5.9 SSL accept error Microsoft Exchange

2022-04-09 Thread Viktor Dukhovni
On Sat, Apr 09, 2022 at 08:52:54AM +0200, Admin Beckspaced wrote: > Apr  8 09:53:07 cx20 postfix/smtpd[5402]: warning: TLS library problem: > error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared > cipher:ssl/statem/statem_srvr.c:2260: > smtpd_tls_cert_file = >

Re: rereading header_checks file after file modified

2022-04-07 Thread Viktor Dukhovni
On Fri, Apr 08, 2022 at 06:20:12AM +0200, Fourhundred Thecat wrote: > I have header_checks configured in master.cf: > > header-check unix n -n-0 >cleanup >-o header_checks=regexp:/var/local/postfix/maps/header_checks > > when I edit the

Re: About smtp_fallback_relay parameter

2022-04-07 Thread Viktor Dukhovni
On Thu, Apr 07, 2022 at 04:55:26PM +, Pedro David Marco wrote: > I have destinations not accepting email with a 451 return code. Some > of them are being sent by postfix to the smtp_fallback_relay and some  > of them are just sent to the deferred queue... Probably i am > misunderstanding

Re: Mail is being delivered to /var/mail/*user* instead of Maildir

2022-04-07 Thread Viktor Dukhovni
On Thu, Apr 07, 2022 at 08:20:54AM -0500, Rob McGee wrote: > > IIUC, you are telling me to change local to virtual, in order to use > > virtual_mailbox_maps, so vmailbox_result_format => Maildir. > > "vmailbox_result_format" is not a setting, where did you see this > documented? Actually, it is

Re: wildcards in smtp_connection_cache_destinations

2022-04-06 Thread Viktor Dukhovni
On Wed, Apr 06, 2022 at 07:33:41PM +0200, Matus UHLAR - fantomas wrote: > this is not an internal domain not out client, these are three subdomains of > remote domain/organization (different IPs from different IP range) I have no > relationship with. > > I have created special transport for

Re: wildcards in smtp_connection_cache_destinations

2022-04-06 Thread Viktor Dukhovni
On Wed, Apr 06, 2022 at 02:41:04PM +0200, Matus UHLAR - fantomas wrote: > >I think that you can stick with the default settings, which > >keep connections open only when they can be reused immediately. > > this unfortunately did not work without listing destinations explicitly in >

Re: Q: configuring Postfix as a front for Exchange 365

2022-04-05 Thread Viktor Dukhovni
On Tue, Apr 05, 2022 at 08:35:55PM +0200, Arrigo Triulzi wrote: > On 5 Apr 2022, at 18:38, Bastian Blank > wrote: > > Indeed, you did not but the virtual_alias_map is being ignored. Mmh, must > have done something stupid. The parameter name is "virtual_alias_maps". -- Viktor.

Re: Q: configuring Postfix as a front for Exchange 365

2022-04-05 Thread Viktor Dukhovni
On Tue, Mar 22, 2022 at 08:38:39AM +0100, Arrigo Triulzi wrote: > Unfortunately I have a slight complication: for a subset of valid > email addresses I need to “bleed them” out to a different domain (and > also archive all email but that is simply done with always_bcc). > > For example: > >

Re: wildcards in smtp_connection_cache_destinations

2022-04-05 Thread Viktor Dukhovni
On Tue, Apr 05, 2022 at 04:37:29PM +0200, Matus UHLAR - fantomas wrote: > >Why DISABLE on-demand connection caching? > > I was under the impression that disabling caching on demand turns it on by > default. That's not the case, it just disables demand caching. > and having it on by default

Re: Solved (Was: Re: relay with permit_tls_clientcerts)

2022-04-04 Thread Viktor Dukhovni
On Tue, Apr 05, 2022 at 12:54:55PM +0900, Byung-Hee HWANG wrote: > soyeomul@yw-1204:~$ cat /etc/postfix/relay_clientcerts > D7:5B:D1:A0:EA:A1:8D:9F:7A:4D:77:47:AD:DE:2D:07 yw-0919.doraji.xyz > 01:7A:51:89:E5:C0:07:17:51:66:0D:C5:77:F8:77:38 smtp.gmail.com These are "md5" hashes, which are

Re: unexpected: postfix tls deploy-server-cert + smtpd_tls_chain_files

2022-03-31 Thread Viktor Dukhovni
> On 31 Mar 2022, at 10:48 am, Nikolai Lusan wrote: > > The process I use to update my certificates uses rsync to overwrite the > old certs/keys with the new ones. My thought process initially was that > restarting postfix would have it pick up the new files - eventually by > inspecting the
