Wietse Venema via Postfix-users:
> Mihaly Zachar via Postfix-users:
> > Hi All,
> >
> > Here is my postscreen section of my config:
> >
> > # POSTSCREEN
> > postscreen_access_list = permit_mynetworks,
> > cidr:/etc/postfix/postscreen_access.
Mihaly Zachar via Postfix-users:
> On Sun, 7 May 2023 at 03:12, Mihaly Zachar wrote:
>
> > On Sun, 7 May 2023 at 03:05, Wietse Venema via Postfix-users <
> > postfix-users@postfix.org> wrote:
> >
> >>
> >> Look at output from:
> >
Mihaly Zachar:
> On Sun, 7 May 2023 at 03:05, Wietse Venema via Postfix-users <
> postfix-users@postfix.org> wrote:
>
> >
> > Look at output from:
> >
> > (postconf -n; postconf -P) | grep soft_bounce
> >
>
> this gives an empty set...
Mihaly Zachar via Postfix-users:
> On Sun, 7 May 2023 at 13:59, Wietse Venema via Postfix-users <
> postfix-users@postfix.org> wrote:
>
> > > > Look at output from:
> > > >
> > > > (postconf -n; postconf -P) | grep soft_bounce
> > > >
Matus UHLAR - fantomas via Postfix-users:
> I looked at docs (*README) and haven't found any.
>
> I'd still prefer to explicitly note that virtual_alias_maps are applied
> even for non-local e-mail
> ...you use "all email deliveries", I wonder if something like
> "all emails processed (even
Sean Gallagher via Postfix-users:
> ADDRESS_CLASS_README:
>
> The most misleading place for me was the ADDRESS_CLASS_README
>
> For "The virtual alias domain class" it says:
> "Valid recipient addresses are listed with the virtual_alias_maps
> parameter"
> which is of course true, but there is
I updated the inet_interfaces documentation and clarified its
relationship with smtp_bind*_address and system-chosen source IP
addresses.
Wietse
When smtp_bind_address and/or smtp_bind_address6 are not specified, the
inet_interfaces setting may constrain the source IP address
Patrice Go via Postfix-users:
> hi,
>
> I've a problem somewhere in my configuration, cause with the actual
> configuration I've to configure the imap/smtp identification with just the
> "user" and not with "user@domain". I think it is on "mysql-virtual*" files
> that something is wrong, but i
Ken Peng via Postfix-users:
> Hello
>
> iCloud mail has two MX RR:
>
> icloud.com. 3600IN MX 10 mx01.mail.icloud.com.
> icloud.com. 3600IN MX 10 mx02.mail.icloud.com.
>
> But these two MX have the same IPs included.
>
> mx01:
>
SATOH Fumiyasu (TSUCHIDA Fumiyasu) via Postfix-users:
> I see the following problems.
>
> 1. `postconf -M bar/unix='foo unix ...'` will duplicate entries in master.cf.
> 2. `postconf -M foo/unix='foo unix ...'` gets a segfault if multiple entries
> exist in master.cf.
Both problems with master.cf
Sean Gallagher via Postfix-users:
> It was more a rhetorical question in the context of documentation
> improvement. Specifically, the documentation doesn't actually say what
> [blank] means. I think something like the following would be an
> improvement..
>
> Specify "all" to receive mail on
Andrew Athan via Postfix-users:
> Thanks Viktor:
>
> > welcome to the internet
>
> Yeah :) I've been here for 30 years.
>
> > unlikely to be productive
>
> I simply want to help others avoid my points of confusion, in the belief I
> am not a uniquely incapable or unintelligent reader.
>
> I
Paul Menzel via Postfix-users:
> Dear Postfix users,
>
>
> Some of our users, that relocate, ask for a custom message over the
> current one:
>
> user has moved to new_location
>
> For example:
>
> This address is out of service. For business please contact
>
We're thinking of adding a few new settings to the stable Postfix
releases that allow Postfix to regain some control over crypto
policies that do not necessarily improve matters for SMTP where
the main result would be more plaintext communication.
With stable releases, it would not be
You are ignoring my response. That is rude. Stop spamming
the postfix-users list with your repeated information.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
Tom Reed via Postfix-users:
>
> Hello,
>
> multiple items for a given directive, "," or space or "," + space all are
> valid delimiters. Am I right? Such as the following.
No, it is different for some.
> smtpd_relay_restrictions =
>
Matus UHLAR - fantomas via Postfix-users:
> >On 2023-05-16 at 12:19:03 UTC-0400 (Tue, 16 May 2023 18:19:03 +0200)
> >Víctor Rubiella Monfort via Postfix-users
> >is rumored to have said:
> >>For example for imap/pop login failures dovecot log email account
>
Viktor Dukhovni via Postfix-users:
> On Sat, Aug 12, 2023 at 08:05:52PM -0400, Wietse Venema via Postfix-users
> wrote:
>
> > My preference would be:
> >
> > smtp_sasl_password_map_result_delimiter
> > printable character or C escape (like \t for TAB)
>
DL Neil via Postfix-users:
> The "Postfix Howtos and FAQs" is out-dated and requires
> correction/editing. To assist the web-master:-
Checking links takes time, so thanks for doing that. I think it is
best to drop the page with 'howto' links. The page was created
almost a decade before sites
Viktor Dukhovni via Postfix-users:
> On Sun, Aug 13, 2023 at 01:47:05PM -0400, Wietse Venema via Postfix-users
> wrote:
>
> > > Any votes for JSON? :-)
> > >
> > > { "account": "user:foo", "base64password": "
zonie via Postfix-users:
>
>
> > Wietse Venema via Postfix-users :
> >
> > zonie via Postfix-users:
> >> Hello,
> >>
> >> currently it's not possible to specify a username containing a colon ":"
> >> inside a "smt
Barbara M.:
> On Tue, 23 Jan 2024, Wietse Venema via Postfix-users wrote:
>
> > Barbara M. via Postfix-users:
> >> Jan 23 00:11:34 auth postfix/smtpd[188544]: NOQUEUE: reject: RCPT from
> >> wp-host1.xyz.com[4.3.2.1]: 554 5.7.1 : Relay
> >> access
1) You can log full headers with a Milter. You will run into the
length limit of the syslog() client (historically, 2 kBytes) before
the Milter protocol limit (64 kBytes) which is less than the Postfix
header_size_limit (default: 102400).
2) You can uniquely identify all Postfix transactions with
Claus Assmann via Postfix-users:
> On Wed, Jan 24, 2024, Wietse Venema via Postfix-users wrote:
> > 1) You can log full headers with a Milter. You will run into the
> > length limit of the syslog() client (historically, 2 kBytes) before
> > the Milter protocol limit (64 kByte
Christophe Kalt via Postfix-users:
> Hi,
>
> I'm seeing regular postscreen segfaults on a test server with minimal
> traffic. The patterns I noticed from the logs is that it seems to happen
> when the server gets 2 ~simultaneous connections from the same host:
>
> 2024-02-04T14:33:31.876390 info
Doug Hardie via Postfix-users:
> > On Feb 8, 2024, at 01:56, Matus UHLAR - fantomas via Postfix-users
> > wrote:
> >
> > On 07.02.24 21:51, Christophe Kalt via Postfix-users wrote:
> >> +1 on setting up SRS, it helps with Gmail and I believe ARC does too
> >> (although I don't have hard data on
Jakob Cornell via Postfix-users:
> Hi Wietse,
>
> > I can add a debug log that a specific table is skipped for a specific name.
>
> Ah yes, that's a better fix. That would take care of my confusion with the
> logging.
>
> Do you have any thoughts on postconf(5) describing partial key
> lookups
Michael W. Lucas via Postfix-users:
> Hi,
>
> Running 3.8 on FreeBSD 14, with postfixadmin 3.4.
>
> I'm trying to send a message and got this bounce message.
>
> : host mx.nixnet.email[5.161.67.119] said: 530 5.7.0
> Must issue a STARTTLS command first (in reply to MAIL FROM command)
>
>
>
Wietse Venema via Postfix-users:
> Doug Hardie via Postfix-users:
> > I used Viktor's collate to trace a specific email handling. There were a
> > number of these entries. However, I am only showing 2 of them:
> >
>
> This is host mx01.t-online.de[194.25.134.72]:
Doug Hardie via Postfix-users:
> I used Viktor's collate to trace a specific email handling. There were a
> number of these entries. However, I am only showing 2 of them:
>
This is host mx01.t-online.de[194.25.134.72]:
> Feb 10 03:15:40 mail postfix/smtp[60428]: 4TWjVT5qz7z2gF8w:
> to=,
>
Over 25 years, Postfix has accumulated some features that
are essentially obsolete.
- permit_mx_backup is fundamentally incompatible with recipient
address validation. There is no way to work around that with
reject_unverified_recipient, because that requires that a domain
is reachable, and in
Akshay Pushparaj via Postfix-users:
>
>
> >> I would like to know if i can configure postfix to forward mails if user
> >> not found in local recipient table.
> >
> > That is possible (with static: mapping) but not a good idea.
> May i know why it's not a good idea?
Forwarding ALL recipients
Geert Hendrickx via Postfix-users:
> On Tue, Feb 13, 2024 at 12:23:32 -0500, Wietse Venema via Postfix-users wrote:
> > - masquerade_domains complicates table-driven address validation.
> > Log a deprecation warning with compatibility_levels>=3.9.
>
>
Viktor Dukhovni via Postfix-users:
> On Tue, Feb 13, 2024 at 12:23:32PM -0500, Wietse Venema via Postfix-users
> wrote:
>
> > Over 25 years, Postfix has accumulated some features that
> > are essentially obsolete.
> >
> > - permit_mx_backup is fundamen
Jakob Cornell via Postfix-users:
> If I understand right the non-indexed skip is implemented by the
> 'continue' at global/maps.c:199, so a flag could be added to track
> whether execution has passed line 199 and if not, the log statement
> at 221 could be skipped.
I can add a debug log that a
Small edit for clarity.
Wietse
Doug Hardie via Postfix-users:
> Is there a way to configure postfix to drop the email if all the
> providers MTAs return a 5xx response?
We had a problem like that when some people wanted to make TLS
mandatory. The solution was not to bounce mail when a
Peter via Postfix-users:
> > A quick status update.
> >
> > First, several features have been logging warnings that they would
> > be removed for 10 years or more, so we could delete them in good
> > conscience (perhaps keeping the warning with the suggested alternative).
> > This change has not
Peter via Postfix-users:
> On 21/02/24 12:40, Wietse Venema via Postfix-users wrote:
> > Peter via Postfix-users:
> >>> A quick status update.
> >>>
> >>> First, several features have been logging warnings that they would
> >>> be remo
Matus UHLAR - fantomas via Postfix-users:
> I guess the inline code available since 3.7 supports this:
>
> header_checks = regexp:{ {/^Authentication-Results: $myhostname/ IGNORE} }
>
> This would only remove problem headers and exempt MX backups.
>
> >If it helps, header_checks happen before
Viktor Dukhovni via Postfix-users:
> On Wed, Feb 21, 2024 at 08:32:49AM +, Rune Philosof via Postfix-users
> wrote:
> > It seems a bit unclearly phrased
> > > 2 Also log levels during TLS negotiation.
>
> Indeed this is not very helpful. See the description of the "-L" option
> in
The Postfix Milter implementation is sometimes inconsistent about
the "first" header so that it can sometimes not be updated.
The fix below was in the queue for Postfix 3.5 - 3.8 a few days
before the SMTP smuggling shitshow happened. The last SMTP smuggling
patch was released on January 21. For
Taco de Wolff via Postfix-users:
> Thanks Wietse and Steffen, I forgot to mention that I'm using Postfix
> 3.5.8, but it appears the bug is thus still present in the latest version.
> Looking forward to the fix :-)
Another solution is to adopt Postfix 3.9 (the development release)
where this was
dimi--- via Postfix-users:
> Dear fellow users,
>
> Unless my configuration isn't safe (not yet included), i may have found an
> unwanted behavior in Postfix.
>
> When i set the -v flag in master.cf for smtpd, my logs mail.log contains
> cleartext passwords for my SQL user database. This happens
Viktor Dukhovni via Postfix-users:
> On Tue, Feb 13, 2024 at 12:23:32PM -0500, Wietse Venema via Postfix-users
> wrote:
>
> > Over 25 years, Postfix has accumulated some features that
> > are essentially obsolete.
A quick status update.
First, several features have
Andre Rodier via Postfix-users:
> Hello, Postfix users.
>
> I am looking for a dynamic user mapping, if possible.
> For instance, something like lua, python or perl, to return a user lookup.
> What I need is something very simple and the language doesn't need to be
> advanced.
>
> I'd like to
Rune Philosof via Postfix-users:
> Mismatching between compatibility_level in overview and explanations for
> http://www.postfix.org/COMPATIBILITY_README.html#relay_restrictions
> and
> http://www.postfix.org/COMPATIBILITY_README.html#smtputf8_enable
>
> The overview lists them as
Akshay Pushparaj via Postfix-users:
> Hi,
> I would like to know if i can configure postfix to forward mails if user
> not found in local recipient table.
That is possible (with static: mapping) but not a good idea.
> Usecase:
>
> Users are split between LDAP in my server and a remote server
Maurizio Caloro via Postfix-users:
> Please, i see often on log file
See text after
> Feb6 time P postfix/tlsproxy[300980]: warning: TLS library problem:
> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
> cipher:../ssl/statem/statem_srvr.c:2283:
Doug Hardie via Postfix-users:
> Is there a way to configure postfix to drop the email if all the
> providers MTAs return a 5xx response?
We had a problem like that when some people wanted to make TLS
mandatory. The solution was not to bounce mail when a server did
not offer working TLS, but
Matthias Nagel via Postfix-users:
> > > How do I forward submitted mails under the identity of an email alias
> > > to all other members of that alias? Is that even possible with Postfix
> > > only?
> >
> > Yes, with sender_bcc_maps, and with the proviso that the BCC will be to
> > all the
Aleksandar Ivanisevic via Postfix-users:
>
> Is it true that masquerade_domains does not work for header From: in relayed
> emails? I have a fairly generic setup:
>
> masquerade_classes = envelope_sender, header_sender, header_recipient
> masquerade_domains = mydomain.com
>
> that does indeed
hawky--- via Postfix-users:
> Is there a way to stop resolving a second time the alias table with the
> after-queue approach?
With "pickup -o receive_override_options=no_address_mappings...",
but that disables virtual_alias_maps lookup for all submissions
through the Postfix sendmail command.
Postfix does not use the sender email address for relay permission
checks, unless *you* configured Postfix to do so.
For further support we need output from:
postconf -n
postconf -P
and logging NON-DEBUG from postfix smtpd (the server).
Wietse
Currently, Postfix does not send the Postfix-generated Received:
header to Milters, because that is how Sendmail works, that is what
Milters expect, and changing the behavior unilaterally would break
compatibility with a large installed base.
This information would improve the Milter's analysis.
Jiri Bourek via Postfix-users:
> My response was quoting the message that mentions the patch changing
> behaviour of PREPEND - message from 10 Dec 2023 19:04:55 -0500 (EST). I
> now spotted the "With this, no change is needed to the Postfix SMTP
> daemon" sentence in message from 12 Dec 2023
Steffen Nurpmeso via Postfix-users:
> Wietse Venema via Postfix-users wrote in
> <4sr8hc44p7zj...@spike.porcupine.org>:
> |Currently, Postfix does not send the Postfix-generated Received:
> |header to Milters, because that is how Sendmail works, that is what
> ...
>
Did you mean instead of
inside Postfix -> outside Postfix -> remote MTAs in the Internet
Use
inside Postfix -reverse haproxy-> remote MTAs in the Internet
That is currently not implemented, and no design exists.
Wietse
Viktor Dukhovni via Postfix-users:
> - Postfix 3.9 (pending official release soon), rejects unauthorised
> pipelining by default: "smtpd_forbid_unauth_pipelining = yes".
>
> - Postfix 3.8.1, 3.7.6, 3.6.10 and 3.5.20 include the same supporting
> code as 3.9 snapshots, but the
Wietse:
> - Don't accept mail with a broken end-of-data sequence (Postfix
> currently allows zero or more followed by ). Or more
> generally, don't accept or that aren't part of a
> sequence. Postfix does not support BDAT with BINARYMIME, so there
> is no valid use of stray or bytes.
Vijay
Bill Cole via Postfix-users:
> On 2023-12-18 at 11:31:47 UTC-0500 (Mon, 18 Dec 2023 16:31:47 +)
> Vijay S Sarvepalli via Postfix-users
> is rumored to have said:
>
> > Hello Viktor, Wietse,
> > (I am copying the Postfix community as the report is out in the public
> > now)
> >
> > First of
Wietse;
> inside Postfix -reverse haproxy-> remote MTAs in the Internet
> That is currently not implemented, and no design exists.
Joachim Lindenberg via Postfix-users:
> Hello Wietse,
> Yes, exactly, no second instance. Ok, implies I haven't overlooked
> something. Is this an option you are
Kristoff via Postfix-users:
> Dec 17 04:32:05 smtp postfix/smtp[725772]: 4F58E6A10A0:
> to=u...@example.com,
> orig_to=SRS0=zxmM=H4=example.com=u...@ourhobbyclubdomain.com,
> relay=mail.example.com[A.B.C.D]:25, delay=0.16, delays=0.05/0/0.08/0.02,
> dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
The www.postfix.org home page links to my personal home page.
My personal home page contains my email address and PGP key.
There are no process requirements, just talk to me.
Wietse
[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.8.4.html]
Fixed with Postfix 3.8.4:
* Security: this release adds support to defend
against an email spoofing attack (SMTP smuggling) on
recipients at a Postfix server. For
Tim Weber via Postfix-users:
> Hi Wietse,
>
> thanks for getting back to me so quickly. Please rest assured that
> I'm not looking for someone to blame. My motivation is to try to
> find out whether SEC's release process really has been as responsible
> as they claim:
Sorry, you are talking to
[Reposted, as I didn't see the response show up]
CERT/CC reached out to Postfix developers. At no point were we made
aware that there was a successful SPF spoofing attack that required
the combination of TWO email services with SPECIFIC DIFFERENCES in
the way they handle line endings other than .
We had no indication that there was a successful spoofing attack
that required the composition of TWO servers with specific differences
in their handling of non-standard line endings in SMTP.
Otherwise, we would certainly have convinced SEC Consult to change
their time schedule until after people
[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.7.9.html]
Fixed with Postfix 3.7.9:
* Security: this release adds support to defend
against an email spoofing attack (SMTP smuggling) on
recipients at a Postfix server. For
Wietse Venema via Postfix-users:
> Viktor Dukhovni via Postfix-users:
> [. in BDAT payload]
> > > If my suspicion is correct, a downstream server may receive the
> > > normal and smuggled content as two separate messages.
> >
> > I don't see why. It shouldn'
Wietse Venema via Postfix-users:
> Wietse Venema via Postfix-users:
> > Tim Weber via Postfix-users:
> > > Hi Wietse,
> > >
> > > thanks for getting back to me so quickly. Please rest assured that
> > > I'm not looking for someone to blame. My motivat
[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.6.13.html]
Fixed with Postfix 3.6.13:
* Security: this release adds support to defend
against an email spoofing attack (SMTP smuggling) on
recipients at a Postfix server. For
Wietse Venema via Postfix-users:
> Tim Weber via Postfix-users:
> > Hi Wietse,
> >
> > thanks for getting back to me so quickly. Please rest assured that
> > I'm not looking for someone to blame. My motivation is to try to
> > find out whether SEC's release proce
[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.5.23.html]
Fixed with Postfix 3.5.23:
* Security: this release adds support to defend
against an email spoofing attack (SMTP smuggling) on
recipients at a Postfix server. For
Peter Uetrecht via Postfix-users:
> Hello everyone,
>
> I need an easy way to add a custom header that depends on the domain part
> of the envelope rcpt to. If the receiving domain matches the custom header
> should be added. I know about header_checks, but that can't be used because
> the
John D'Orazio via Postfix-users:
> I believe some users are in fact confusing DMARC and DKIM. DMARC is a
> policy that lets receiving servers know how to deal with mail that seems to
> be coming from your server but has *not* passed SPF and DKIM checks. From
> the Google support forum:
>
> DMARC
Tim Weber via Postfix-users:
> I think this is a very good way to look at it, and a helpful lesson
> from this situation. Especially since, reading the article as it
> was published, it is obvious that SEC must have known the impact
> to Postfix and Sendmail. I understand their urge to notify
Bill Sommerfeld via Postfix-users:
> On 12/22/23 17:30, Vijay S Sarvepalli via Postfix-users wrote:
> > Arguably the second server is at fault
> > here for "SPF" signing two emails, nevertheless the vulnerability is due
> > to the combinatorial or Composition Attack as Wietse has identified.
>
Geert Hendrickx via Postfix-users:
> On Sat, Dec 23, 2023 at 18:09:10 -0500, Wietse Venema via Postfix-users wrote:
> > Note that only the encapsulating message can contain a DKIM signature
> > by the authenticated sender's domain. The smuggled message cannot
> > con
Peter Wienemann via Postfix-users:
> On 2023-12-12 15:51:58 +0100, Wietse Venema via Postfix-users wrote:
> > Peter Wienemann via Postfix-users:
> >> Dear Postfix experts,
> >>
> >> checking the documentation for the relayhost parameter [0] I find no
> >
saunders.nicholas--- via Postfix-users:
> /etc/postfix/sasl/sasl_passwd is where I have it. The example is:
That file is maintained by Cyrus SASL. Questions about implementation
details are better asked there.
Wietse
Wietse Venema via Postfix-users:
> Wietse:
> > I asked for a copy of the (headers of the) resulting message that
> > Postfix delivers.
> > - Does it have a Received-SPF header?
> > - Does it have two?
>
> Carlos Velasco:
> > 1. Deleting the header in th
Carlos Velasco via Postfix-users:
> *** And there is the milter, is custom made ***
You need to reduce complexity.
- If you remove the Milter, is the header still duplicated?
- If you keep the milter and remove the policy lookup, is some other
header duplicated?
Wietse
Carlos Velasco via Postfix-users:
> Wietse Venema via Postfix-users wrote on 10/12/2023 at 19:44:
> > Carlos Velasco via Postfix-users:
> >> *** And there is the milter, is custom made ***
> > You need to reduce complexity.
> >
> > - If you remove the Mi
Carlos Velasco via Postfix-users:
>
> Wietse Venema via Postfix-users wrote on 10/12/2023 at 21:53:
> > Carlos Velasco via Postfix-users:
> >> Wietse Venema via Postfix-users wrote on 10/12/2023 at 19:44:
> >>> Carlos Velasco via Postfix-users:
>
Wietse:
> I asked for a copy of the (headers of the) resulting message that
> Postfix delivers.
> - Does it have a Received-SPF header?
> - Does it have two?
Carlos Velasco:
> 1. Deleting the header in the milter or doing nothing in the milter
> has the same result: final email has only 1
Patch below.
Wietse
--- /var/tmp/postfix-3.9-20231210/src/smtpd/smtpd.c 2023-10-12
11:34:40.0 -0400
+++ src/smtpd/smtpd.c 2023-12-10 18:52:56.0 -0500
@@ -3404,13 +3404,6 @@
}
/*
- * PREPEND message headers above our own Received: header.
- */
-
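Review bot: the removal that starts at the PREPEND comment in src/smtpd/smtpd.c comes with no explanation of where those headers are written afterwards. The hunk header (13 lines down to 6) shows seven lines deleted and none added at this location, and the accompanying message says only "Patch below." Please state in the change description where PREPEND headers now land relative to Postfix's own Received: header, and carry an equivalent comment to the new location so the header ordering stays documented.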
Peter Wienemann via Postfix-users:
> Dear Postfix experts,
>
> checking the documentation for the relayhost parameter [0] I find no
> indication how Postfix behaves in case of multiple relay hosts with
> multiple DNS entries. Let us assume the following setting:
for each destination d in
Carlos Velasco via Postfix-users:
>
> Wietse Venema via Postfix-users wrote on 11/12/2023 at 22:30:
> > Wietse Venema:
> >> Patch below.
> > Carlos Velasco:
> >> Tested patch against 3.8.3, now it works as expected. Thank you.
> >> No dupl
Carlos Velasco via Postfix-users:
> > Thus, the Postfix code that handles header update/delete requests
> > was still naively skipping the first header, making calls to delete
> > the prepended Received-SPF: header ineffective, and mis-directing
> > calls to delete the first Milter-visible
Pedro David Marco via Postfix-users:
> To my understanding, the Smuggled email contains SMTP data plus
> headers, plus body... , so what is the problem if filters check
> them as well?
The problem is that Postfix receives TWO messages.
https://www.postfix.org/smtp-smuggling.html#impact
Pedro David Marco:
> To my understanding, the Smuggled email contains SMTP data plus
> headers, plus body... , so what is the problem if filters check
> them as well?
Wietse:
> The problem is that Postfix receives TWO messages.
> https://www.postfix.org/smtp-smuggling.html#impact
Pedro David
John Levine via Postfix-users:
> Over in the IETF we're slowly working on updating RFC 5321.
>
> Today's topic is the HELP command. The current spec says that it is
> mandatory to implement it. Most MTAs implement it by returning a fixed
> string, or something close to fixed, e.g., gmail's answer
Damian via Postfix-users:
> > It really does not matter much, but leaving BDAT enabled can help in
> > some cases. It is not necessary to go this deep down the rabbit hole.
>
> So what could be smuggled into a Postfix that defines
> "reject_unauth_pipelining" but does not define
>
Dmitry Katsubo via Postfix-users:
> Dear Postfix team,
>
> In some rare cases when OS is CPU-loaded, the log is overflowed with the
> following messages from Postfix, which fills up log space very quickly:
>
> 2023-12-24 18:04:41.016972 postfix/tlsmgr[105819]: warning: end-of-input
> while
Wietse
> This means that nginx ignores the source port in the proxy protocol.
> Is that documented somewhere?
Joachim Lindenberg:
> It does not ignore it, the variable exists. My configuration doesn't
> use it for outbound, as plenty of ports are in use, and dynamic
> is ok for the use case.
Viktor Dukhovni via Postfix-users:
[. in BDAT payload]
> > If my suspicion is correct, a downstream server may receive the
> > normal and smuggled content as two separate messages.
>
> I don't see why. It shouldn't matter how Microsoft's MTA ends up
> with a message containing "." or (.), so long
Joachim Lindenberg via Postfix-users:
> >Is there a technical spec of that protocol? Does it look in any
> way like HaProxy protocol version 1 or 2? What are the source IP
> address and port?
> https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#:~:text=Enables%20the%20PROXY%20protocol
>
As part of a non-responsible disclosure process, SEC Consult has
published an email spoofing attack that involves a composition of
different mail service behaviors with respect to broken line endings.
A short-term fix may be deployed now, before the upcoming long holiday:
- Postfix 3.9 (stable
Linkcheck via Postfix-users:
> On 20/12/2023 3:51 pm, Wietse Venema via Postfix-users wrote:
> > "smtpd_forbid_unauth_pipelining = yes
>
> I tried that (3.7.6) and got...
> warning: unknown smtpd restriction: "smtpd_forbid_unauth_pipelining"
>
> Where sh