[pfx] Re: sender_login_maps and dovecot and roundcube
Hi,

> > I've set up a domain with a catch-all to deliver emails to any address to a
> > single recipient address by specifying it in my virtual_alias_maps.
> > However, the user wants to be able to send mail as any user in that domain.
> > The problem is that it's rejected with "sender address rejected" because
> > the user isn't defined in the smtpd_sender_login_maps.
>
> That last sentence provides such a specific and clear problem
> description that it virtually provides the solution: Add a suitable
> entry to the sender_login_maps file. Run postmap on the file.
>
> That entry probably should look like:
>
> @example.com    alex

Thank you - I initially didn't think the format supported that, but also just realized it.

Thanks,
Alex

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] sender_login_maps and dovecot and roundcube
Hi,

I've set up a domain with a catch-all to deliver emails to any address to a single recipient address by specifying it in my virtual_alias_maps. However, the user wants to be able to send mail as any user in that domain. The problem is that it's rejected with "sender address rejected" because the user isn't defined in the smtpd_sender_login_maps.

Mar 28 15:55:01 cipher roundcube: SMTP Error: Failed to add recipient 're...@gmail.com': 5.7.1 : Sender address rejected: not owned by user alex (Code: 553) in /usr/share/roundcubemail/program/lib/Roundcube/rcube.php on line 1794 (POST /webmail/?_task=mail&_unlock=loading1711655700954&_framed=1&_action=send)

# postconf smtpd_sasl_security_options smtpd_sender_login_maps smtpd_sender_restrictions
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sender_login_maps = ${indexed}sender_login_maps
smtpd_sender_restrictions = check_sasl_access ${indexed}sasl-access

sasl-access is just:

alex    enforce_login

I know this is something I've done with different identities in Thunderbird before, just by changing the From address, but dovecot apparently requests auth from submission?

I also thought of using the recipient_delimiter, so sending something like user1+a...@mydomain.com might work, but it's not what was asked for.

Maybe this is a dovecot config option I'm missing?

Thanks for any ideas on what I'm missing here.
[pfx] pushing changes to remote system
Hi,

I have a few postfix systems on fedora38 with nearly identical configurations. I'd like to be able to push changes to them from a third system without having to login to them directly to do so. What's the best/most secure way to do this?

For example, I'd like to push the recipient access file to both systems since they both relay mail for the same domains. Currently I'm doing this with rsync/ssh as root but would like to use a regular user. Postfix complains when changing ownership of these files to a regular user, so I thought of using setfacl on the individual files I need. Will that cause a problem?

# setfacl -m g:appuser:rwx /etc/postfix
# setfacl -m g:appuser:wx /etc/postfix/client_checks.cidr
# setfacl -m g:appuser:wx /etc/postfix/recipient_checks

$ postmap recipient_checks
$ ls -l recipient_checks*
-rw-rwxr--+ 1 root    root    1065 Nov 15  2020 recipient_checks
-rw-r--r--  1 appuser appuser 2305 Mar  6 18:37 recipient_checks.cdb
[pfx] Re: ARC or DKIM or SRS?
Hi,

On Mon, Feb 12, 2024 at 5:39 AM Jaroslaw Rafa via Postfix-users <postfix-users@postfix.org> wrote:

> On 11.02.2024 at 17:47:05 Alex via Postfix-users wrote:
> > My concern would be with multiple MX records for the same domain - is it
> > possible it would come back to try again with another MX and be delayed yet
> > again?
>
> MX are the addresses that *receive* mail for a given domain, not the
> addresses from which mail is sent. These would be specified in SPF record
> (if present).

Yes, of course. I'm sorry I gave you another impression of what I was asking.

I'll check out postscreen_cache_map in case it can do most of what I need, but my interest is from the server side, which is where postscreen is also run, of course.

Thanks,
Alex
[pfx] Re: ARC or DKIM or SRS?
Hi,

> > It has multiple benefits against bots, like:
> > - few seconds delay for refusing clients that send helo/ehlo before
> >   esmtp greeting (I have used this for years with sendmail)
> > - dnswl/dnsbl scoring system.
> >
> > These are pretty safe to use.
>
> These are the tests that are enabled by default. If you also enable the
> other after-220 tests then postscreen will, after whitelisting the
> connecting IP, give a 450 response which tells the sending server to
> defer (disconnect and try again later). This is very similar to how
> greylisting works.

My concern would be with multiple MX records for the same domain - is it possible it would come back to try again with another MX and be delayed yet again?

The sqlgrey perl script has the ability to consult a database to see if enough time has elapsed as well as cluster servers to see if the client has attempted a connection to one of the other MX servers. I'm not sure I ever managed to set it up successfully, however.
[pfx] ARC or DKIM or SRS?
Hi,

I'm hoping I could ask for some advice. We have a pretty large percentage of users who forward mail through our systems to personal Gmail accounts. Sometimes it is mail from bulk senders like mailgun and lanyon/cvent. Would ARC help here, or is DKIM enough for DMARC alignment with forwarded messages? Perhaps ARC will help in those cases where DKIM fails with forwarded messages? Is it used on the sending server or on the relay? Is it installed using a milter alongside openSPF/DKIM using openarc?

https://github.com/trusteddomainproject/OpenARC/issues/139

I've also thought about implementing SRS over the years, but it has its own problems, so I wondered if people were still implementing that? This has become particularly important with the recent news about Google requiring senders (or forwarders, in my case) to do more to ensure delivery.

https://support.google.com/a/answer/81126?visit_id=638429520681370280-1110640002=1#zippy=%2Crequirements-for-all-senders
[pfx] client checks with suspect IPs
Hi,

I need help with making a decision involved in determining whether to add an IP to my client_checks to bypass a blocklist entry on the Barracuda blocklist that is impacting one of our users. The problem is that this would also bypass the checks for other Zix hosted customers.

Jan 16 12:04:30 xavier postfix-118/postscreen[1006916]: NOQUEUE: reject: RCPT from 74.203.184.40]:3602: 550 5.7.1 Service unavailable; client [74.203.184.40] blocked using DNS Blocklist (barracuda); from=<jbraz...@myclient.com>, to=, proto=ESMTP, helo=<zh-gw.zixsmbhosted.com>

I was also thinking I could add a sender_check for users at myclient.com domain only, but that didn't work. The above entry relates to a client reject, but shouldn't a sender_check involving myclient.com work as well?

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access ${indexed}client_checks,
    check_client_access pcre:$config_directory/client_checks.pcre,
    check_reverse_client_hostname_access pcre:$config_directory/reverse_client_hostname_access.pcre,
    check_client_access cidr:$config_directory/client_access_blocklist

/etc/postfix-118/client_checks.pcre:
/74\.203\.184\.40/    OK

smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access ${indexed}sender_checks,
    check_sender_access pcre:$config_directory/sender_checks.pcre,
    reject_unknown_sender_domain

/etc/postfix-118/sender_checks.pcre:
/myclient\.com/    permit

Any ideas greatly appreciated.
[pfx] python-policyd-spf and whitelisting
Hi,

I'm using python-policyd-spf with postfix as a check_policy_service and having some trouble with domains very broadly being whitelisted. My policy is to reject on mailfrom fail. However, we have a few domains that need to be whitelisted, like mycuservices.com, because they are sending from an IP not in their SPF record.

Oct 10 07:55:17 mail01 policyd-spf[590801]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=depositretu...@mycuservices.com;ip=74.203.184.40;r=

However, whitelisting it also brings in all of the servers listed in their SPF record, including microsoft/outlook. I realize it's probably okay to whitelist microsoft/outlook anyway, but I'm unsure of the impact this has on spamassassin and its ability to use the SPF rules.

Here are the postfix logs for outlook.com, despite only mycuservices.com being in the whitelist.

Oct 13 09:05:40 mail01 policyd-spf[2127431]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=12.20.249.10; helo=zixgateway01.midatlanticcorporate.org; envelope-from=payme...@mycuservices.com; receiver=

Header data from an email:

>From depositretu...@mycuservices.com Tue Oct 10 07:55:25 2023
Return-Path:
X-Comment: SPF skipped for whitelisted relay domain - client-ip=12.20.249.10; helo=zixgateway01.midatlanticcorporate.org; envelope-from=payme...@mycuservices.com; receiver=

This is a header from a completely unrelated email, showing outlook.com and consequently this other random domain being whitelisted:

X-Comment: SPF skipped for whitelisted relay domain - client-ip=40.107.237.65; helo=nam12-bn8-obe.outbound.protection.outlook.com; envelope-from=carl_willi...@nzinganet.net; receiver=

Any ideas on how to handle this would be greatly appreciated.
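An added audit script, not from the post or from python-policyd-spf, that reads the "SPF skipped for whitelisted relay domain" lines the post quotes and reports which envelope-from domains actually bypassed SPF compared with the single domain that was meant to be whitelisted. The log lines, local-parts and receiver value are constructed placeholders.

```python
import re
from collections import defaultdict

# The one domain the post intended to whitelist.
INTENDED = {"mycuservices.com"}

# Constructed log lines modelled on the X-Comment lines quoted in the post
# (local-parts and the receiver value are placeholders, not the real ones).
LOG = """\
Oct 13 09:05:40 mail01 policyd-spf[2127431]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=12.20.249.10; helo=zixgateway01.midatlanticcorporate.org; envelope-from=alice@mycuservices.com; receiver=mail01.example
Oct 13 09:07:02 mail01 policyd-spf[2127431]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=40.107.237.65; helo=nam12-bn8-obe.outbound.protection.outlook.com; envelope-from=bob@nzinganet.net; receiver=mail01.example
Oct 13 09:08:15 mail01 policyd-spf[2127431]: 550 5.7.23 Message rejected due to: SPF fail - not authorized.
"""

SKIP_RE = re.compile(r"SPF skipped for whitelisted relay domain - (.+)$")


def parse_skips(log):
    """Yield one dict of key=value fields per 'SPF skipped' line; other lines are ignored."""
    for line in log.splitlines():
        m = SKIP_RE.search(line)
        if not m:
            continue
        fields = {}
        for item in m.group(1).split(";"):
            key, _, val = item.strip().partition("=")
            fields[key] = val
        yield fields


def skips_by_domain(log):
    """Map envelope-from domain -> sorted (client-ip, helo) pairs that skipped SPF."""
    out = defaultdict(set)
    for f in parse_skips(log):
        domain = f["envelope-from"].rsplit("@", 1)[-1].lower()
        out[domain].add((f["client-ip"], f["helo"]))
    return {d: sorted(v) for d, v in out.items()}


def unintended_skips(log, intended):
    """Domains that bypassed SPF although they are not on the intended list."""
    return sorted(d for d in skips_by_domain(log) if d not in intended)


if __name__ == "__main__":
    for domain, sources in skips_by_domain(LOG).items():
        print(domain, sources)
    print("unintended:", unintended_skips(LOG, INTENDED))
```

Run against a real mail log, the unintended list shows every domain riding on a whitelisted domain's SPF-listed relays, which is the side effect the post describes.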
[pfx] Re: tls and cert problem for submission
Hi,

> > I think I'm having a problem with my certificate for submission not
> > being configured properly. I'm trying to install roundcube but having
> > a problem with properly configuring the cert for submission, but when
> > using openssl to check, it reports a cert problem. This is a cert from
> > Digicert.
>
> Which, you've decided to obfuscate, for little gain. :-( Certificates
> are *public* data, anyone connecting to your server gets a copy as part
> of the TLS handshake...

It's more a matter of being a little embarrassed that I couldn't figure it out on my own. Especially when, after putting this all together, I realized my mistake shortly thereafter.

> > I'm also using tls_server_sni_maps to support multiple domains.
>
> That's perhaps more advanced than you need. Do you really need multiple
> MX hostnames for your various domains. A common MX hostname is MUCH
> easier to manage, and does not then require SNI.

The problem is that I'm forced to use the mail.example.com cert and some users would be confused seeing Example, Inc. in the cert when it is not that company providing those services.

Thank you so much for your help.
Alex
[pfx] tls and cert problem for submission
Hi,

I think I'm having a problem with my certificate for submission not being configured properly. I'm trying to install roundcube but having a problem with properly configuring the cert for submission, but when using openssl to check, it reports a cert problem. This is a cert from Digicert.

openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(0003)
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
verify return:1
Certificate chain
 0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

Regular email client users have no problem, but it still looks like something is missing. When going through the roundcube config process, it fails to connect for what also looks like a cert problem.

This is from "smtpd -v" output:

Oct 5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI cipher.example.com from cipher.example.com[209.216.111.60] not matched, using default chain
Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error from cipher.example.com[209.216.111.60]: -1
Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning: TLS library problem: error:0A000418:SSL routines::tlsv1 alert unknown ca:ssl/record/rec_layer_s3.c:1586:SSL alert number 48:

I'm also using tls_server_sni_maps to support multiple domains. I've also tried concatenating the digicert crt file and the DigiCertCA.crt to create the mail.example.com-2023.crt chain file below.

$ postconf -n |grep tls
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /var/www/mail.example.com-443/ssl/mail.example.com-2023.key, /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

/etc/postfix/vmail_ssl.map:
clients.example1.com    /etc/letsencrypt/privkey.pem /etc/letsencrypt/fullchain.cer
mail.example.com        /var/www/mail.example.com-443/ssl/mail.example.com-2023.key /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

$ ls -l *vmail*
-rw-r--r-- 1 root root   468 May 14 10:53 vmail_ssl.map
-rw-r--r-- 1 root root 36864 Aug  7 06:18 vmail_ssl.map.db

$ postconf -fM
...
submission inet  n       -       n       -       -       smtpd -v
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
    -o receive_override_options=$submission_overrides
    -o smtp_tls_mandatory_protocols=TLSv1
    -o syslog_name=postfix/submission

I've also tried using "localhost" and "mail.example.com" and the actual hostname in the roundcube config:

$config['smtp_host'] = 'tls://cipher.example.com:587';

Thank you so much for any ideas.
[pfx] error:0A0000C1:SSL routines::no shared cipher:ssl/st atem/statem_srvr.c:2220:
Hi,

I have a postfix-3.7.4 server with openssl-3.0.9 on fedora38 and am receiving the following errors in my logs:

Sep 11 14:19:51 cipher postfix/smtps/smtpd[3992923]: warning: TLS library problem: error:0AC1:SSL routines::no shared cipher:ssl/statem/statem_srvr.c:2220:

What kind of clients is this impacting? I found this post that says I can add ECDHE-RSA-AES256-SHA384 to the cipher list to fix this.

https://encryp.ch/blog/amazon-ses-encryption-misconfiguration/

# postconf -n|grep -E 'cipher|protocol'
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
tls_preempt_cipherlist = yes
[pfx] Rate limiting gmail
Hi,

I'm hoping I could ask what is probably an FAQ but I haven't seen anything on it recently. I've already implemented some type of rate limiting for delivering to gmail, but it's apparently not working satisfactorily for them. Notice it's already going through my throttled transport. This mail server unfortunately has quite a few users who use ~/.forward to forward mail through to their personal gmail account from their corporate account.

Aug 22 15:33:08 cipher postfix-gmail/smtp[2551987]: 5EF9820E0E1E8: host gmail-smtp-in.l.google.com[64.233.176.27] said: 421-4.7.28 [209.216.111.60 15] Our system has detected an unusual rate of 421-4.7.28 unsolicited mail originating from your IP address. To protect our 421-4.7.28 users from spam, mail sent from your IP address has been temporarily 421-4.7.28 rate limited. Please visit 421-4.7.28 https://support.google.com/mail/?p=UnsolicitedRateLimitError to 421 4.7.28 review our Bulk Email Senders Guidelines.

transport_maps = regexp:/etc/postfix/transport_limit, regexp:/etc/postfix/transport_gmail, regexp:/etc/postfix/transport_yahoo, regexp:/etc/postfix/transport_microsoft, regexp:/etc/postfix/transport_fast
gmail_initial_destination_concurrency = 1
gmail_destination_concurrency_limit = 4
gmail_destination_recipient_limit = 15
gmail_connect_timeout=3s
gmail_connection_cache_on_demand=no

/etc/postfix/transport_gmail:
/googlemail.com$/    gmail:
/gmail.com$/         gmail:
/google.com$/        gmail:

/etc/postfix/master.cf:
gmail     unix  -       -       n       -       -       smtp
    -o syslog_name=postfix-gmail
    -o smtp_connect_timeout=$gmail_connect_timeout
    -o smtp_connection_cache_on_demand=$gmail_connection_cache_on_demand

Any ideas for further tweaking? I'd imagine this is primarily for bulk email (as the message says), so perhaps I need a separate transport specifically for bulk email?
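As an added illustration (not code from the post or from Postfix), the Python below emulates a first-match regexp: table lookup over the three transport_gmail patterns quoted above and over a tightened rewrite of them, and reports which constructed recipients the posted patterns would route to the throttled transport although they are not Google domains. It assumes the lookup key is the full recipient address and the regexp_table(5) semantics: case-insensitive, matched anywhere in the key unless anchored, first match wins.

```python
import re

# The three patterns as written in the post's /etc/postfix/transport_gmail.
# Unescaped '.' matches any character and there is no anchor on the left, so
# anything whose domain merely ends in "gmail.com" also matches.
POSTED_TABLE = [
    (r"googlemail.com$", "gmail:"),
    (r"gmail.com$", "gmail:"),
    (r"google.com$", "gmail:"),
]

# Tightened rewrite (my suggestion, not from the post), written with POSIX ERE
# groups so it would also be valid in a Postfix regexp: table: the domain must
# be exactly one of the three, or a subdomain of one of them.
TIGHTENED_TABLE = [
    (r"@([^@]*\.)?(googlemail|gmail|google)\.com$", "gmail:"),
]

# Constructed recipients (not from the post) that exercise the edge cases.
SAMPLES = [
    "alice@gmail.com",
    "bob@googlemail.com",
    "carol@mail.google.com",
    "dave@notgmail.com",    # unrelated domain that merely ends in "gmail.com"
    "erin@example.com",
]

GOOGLE_DOMAINS = {"gmail.com", "googlemail.com", "google.com"}


def lookup(table, recipient):
    """First-match lookup over (pattern, result) pairs, like a regexp: table."""
    for pattern, result in table:
        if re.search(pattern, recipient, re.IGNORECASE):
            return result
    return None  # no match: Postfix would consult the next transport_maps table


def route_all(table):
    """Map every sample recipient to the transport the table selects."""
    return {rcpt: lookup(table, rcpt) for rcpt in SAMPLES}


def misrouted(table, expected_domains):
    """Recipients sent to gmail: whose domain is not (under) an expected domain."""
    bad = []
    for rcpt, transport in route_all(table).items():
        domain = rcpt.rsplit("@", 1)[1].lower()
        ok = any(domain == d or domain.endswith("." + d) for d in expected_domains)
        if transport == "gmail:" and not ok:
            bad.append(rcpt)
    return bad


if __name__ == "__main__":
    for name, table in (("posted", POSTED_TABLE), ("tightened", TIGHTENED_TABLE)):
        print(name, route_all(table), "misrouted:", misrouted(table, GOOGLE_DOMAINS))
```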
[pfx] Re: Troubleshooting mail loop issue
Hi,

On Tue, Aug 15, 2023 at 8:49 AM Bill Cole via Postfix-users <postfix-users@postfix.org> wrote:

> On 2023-08-14 at 17:23:34 UTC-0400 (Mon, 14 Aug 2023 17:23:34 -0400)
> Alex via Postfix-users is rumored to have said:
>
> > Hi,
> > I have what appears to be a complicated mail loop problem that I can't
> > figure out. I suspect that their receiving system (M365) is somehow
> > reinjecting the message back to our mail server after it's been
> > successfully delivered to them.
>
> For loose values of "success"...
>
> > We are acting as MX for two small companies, and occasionally, when
> > companyA emails companyB, it is first received by raven.example.com,
> > 209.216.111.115, which is the MX we have created for them, processed by
> > amavisd, then routed to the destination through our postfix-out instance
> > xavier.example.com, 209.216.111.114. The companyB server accepts the
> > message, but then somehow companyA appears to connect to our server again
> > and send the same message again.
>
> Yes, it is a loop. The loop occurs inside MS365. Apparently Microsoft
> does not understand how to get mail from CompanyA to CompanyB
> internally, so they follow the DNS.

But it should then send it to another tenant, correct?

The sending M365 server ultimately gets a "too many hops" error, reportedly by our xavier server, but we don't always have a record of that.

Diagnostic information for administrators:
Generating server: PH0PR02MB7736.namprd02.prod.outlook.com
r...@companyb.com
xavier.example.com
Remote server returned '554 5.4.0 Error: too many hops'

Here's one reported today:

Aug 15 12:32:15 xavier postfix-out/smtp[223443]: 549A0305F4A07: to=, relay=companyB-com.mail.protection.outlook.com[52.101.40.2]:25, delay=2.1, delays=0.01/0/0.45/1.7, dsn=2.6.0, status=sent (250 2.6.0 <mw4pr02mb74739e55fd642380cc07b22ec2...@mw4pr02mb7473.namprd02.prod.outlook.com> [InternalId=154820686141293, Hostname=CH2PR02MB6806.namprd02.prod.outlook.com] 189859 bytes in 0.317, 583.850 KB/sec Queued mail for delivery)

I can trace the queue ID here back to find the other four successful deliveries of this same message, as well as find it in my always_bcc user mbox.

Thanks,
Alex
[pfx] Re: Troubleshooting mail loop issue
Hi,

On Tue, Aug 15, 2023 at 11:53 AM Paul Enlund via Postfix-users <postfix-users@postfix.org> wrote:

> Hi
>
> One thing to check is that your MX server allowed recipients is in sync
> with M365 allowed recipients.

Can you explain more of what you mean here? In this case, the recipient does exist. I don't believe it's ever happened with a non-existent recipient. We aren't pulling the list of valid recipients, but instead just letting their system send us the reject for non-existent recipients.

Thanks,
Alex

> Regards Paul
>
> On 14/08/2023 22:23, Alex via Postfix-users wrote:
>
> Hi,
> I have what appears to be a complicated mail loop problem that I can't
> figure out. I suspect that their receiving system (M365) is somehow
> reinjecting the message back to our mail server after it's been
> successfully delivered to them.
>
> We are acting as MX for two small companies, and occasionally, when
> companyA emails companyB, it is first received by raven.example.com,
> 209.216.111.115, which is the MX we have created for them, processed by
> amavisd, then routed to the destination through our postfix-out instance
> xavier.example.com, 209.216.111.114. The companyB server accepts the
> message, but then somehow companyA appears to connect to our server again
> and send the same message again.
>
> It's very difficult to trace what's happening, so I hoped someone could
> help. I think the sending server is somehow reconnecting to our server and
> resending the same message, but it eventually dies with the sending server
> saying "Error: too many hops". Our server never sees that message. They
> have forwarded the bounce to me and I've pasted it here:
> https://pastebin.com/ChcnDwjK
>
> It appears like it delivers five different copies, but each version has
> all the received headers of the previous version.
>
> I'm sorry if this is confusing. I've spent probably six hours or more
> reading through this one email trying to trace the problem and correlate it
> with the postfix/amavis logs. I believe it's only happened a few times - I
> don't quite understand all the circumstances under which it happens. We
> also don't always see the reject/too many hops message. Here is a recent
> one:
>
> Aug 4 09:01:13 xavier postfix-115/smtp[125455]: 88D5F246: to=,
> relay=127.0.0.1[127.0.0.1]:11024, delay=0.67, delays=0.21/0/0/0.45,
> dsn=5.4.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.4.0
> id=136757-17 - Rejected by next-hop MTA on relaying, from
> MTA(smtp:[127.0.0.1]:11025): 554 5.4.0 Error: too many hops (in reply to
> end of DATA command))
>
> Any ideas for either what's going on with this email or what I can do to
> troubleshoot this further would really be appreciated.
>
> Thanks,
> Alex
[pfx] Re: Troubleshooting mail loop issue
Hi,

On Tue, Aug 15, 2023 at 11:02 AM Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Your loop, based on Received: headers, newer at the top, older at
> the bottom:
>
> Received: from xavier.example.com (209.216.111.114) by
>     CO1PEPF44F7.mail.protection.outlook.com (10.167.241.197) with
>     Microsoft S
> Received: from localhost by xavier.example.com (Postfix) with ESMTP id
>     30B17305F4A07; Fri, 11 Aug 2023 11:57:49 -0400 (EDT)
> Received: from xavier.example.com ([209.216.111.115]) by localhost
>     (amavis, port 11024) with ESMTP id HL0GE5Q4v_xp; Fri, 11 Aug 2023
> Received: from NAM11-BN8-obe.outbound.protection.outlook.com (using
>     TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Received: from CY5PR04CA0018.namprd04.prod.outlook.com by
>     SA1PR02MB9916.namprd02.prod.outlook.com (2603:10b6:
> Received: from CY4PEPFEE3E.namprd03.prod.outlook.com by
>     CY5PR04CA0018.outlook.office365.com (2603:10
> Received: from xavier.example.com (209.216.111.114) by
>     CY4PEPFEE3E.mail.protection.outlook.com (10.167.242.18) with
>     Microsoft SM
>
> In summary:
>
> 1 xavier.example.com ([209.216.111.114]) sends a message to Microsoft
>
> 2 After some internal hops, Microsoft sends the message to the
>   inbound MX xavier.example.com (209.216.111.115) for company A, B,
>   which filters it with amavis.
>
> 3 GOTO 1.
>
> Which step is in error?

We are relay for both companyA and companyB. Both are also on M365, so mail originates from M365 at companyA, goes through our xavier, then out to M365 at companyB.

I also see five relay=companyB entries in the logs, but companyB doesn't report ever receiving five copies.

Thanks so much,
Alex
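The Received: walk Wietse does by hand above, as an added Python example that is not part of the thread: it parses a constructed message modelled on the quoted chain, collapses hostnames to their site so the two Microsoft edge hosts count as the same destination, flags the first repeated from-site/by-site pair (the "GOTO 1"), and checks the hop count against Postfix's hopcount_limit. Hostnames, IDs and dates in the sample are placeholders, and the site() heuristic is mine.

```python
import email
import re
from email import policy

# Constructed message modelled on the Received: chain quoted in the thread
# (newest header first). Hosts, IDs and dates are illustrative placeholders.
SAMPLE = """\
Received: from xavier.example.com (209.216.111.114) by CO1PEPF44F7.mail.protection.outlook.com (10.167.241.197) with Microsoft SMTP Server; Fri, 11 Aug 2023 11:57:50 -0400
Received: from localhost by xavier.example.com (Postfix) with ESMTP id 30B17305F4A07; Fri, 11 Aug 2023 11:57:49 -0400 (EDT)
Received: from xavier.example.com ([209.216.111.115]) by localhost (amavis, port 11024) with ESMTP id HL0GE5Q4v_xp; Fri, 11 Aug 2023 11:57:48 -0400
Received: from NAM11-BN8-obe.outbound.protection.outlook.com by xavier.example.com (Postfix) with ESMTPS; Fri, 11 Aug 2023 11:57:47 -0400
Received: from CY5PR04CA0018.namprd04.prod.outlook.com by SA1PR02MB9916.namprd02.prod.outlook.com; Fri, 11 Aug 2023 11:57:46 -0400
Received: from CY4PEPFEE3E.namprd03.prod.outlook.com by CY5PR04CA0018.outlook.office365.com; Fri, 11 Aug 2023 11:57:45 -0400
Received: from xavier.example.com (209.216.111.114) by CY4PEPFEE3E.mail.protection.outlook.com (10.167.242.18) with Microsoft SMTP Server; Fri, 11 Aug 2023 11:57:44 -0400
From: sender@companya.example
To: recipient@companyb.example
Subject: loop sample

body
"""

# "from <host> ... by <host>"; the lazy .*? skips the (addr) / ([ip]) comments.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def parse_hops(raw):
    """Return [(from_host, by_host), ...] newest hop first, as the headers are ordered."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1).strip("[]();").lower(),
                         m.group(2).strip("[]();").lower()))
    return hops


def site(host):
    """Heuristic: drop the leftmost label when a host has three or more, so
    CO1PEPF44F7.mail.protection.outlook.com and CY4PEPFEE3E.mail.protection.outlook.com
    both become mail.protection.outlook.com."""
    labels = host.split(".")
    return ".".join(labels[1:]) if len(labels) >= 3 else host


def find_loop(hops):
    """First site-level (from, by) pair that occurs twice, or None.

    A repeat means the same site handed the message to the same destination
    site a second time, which is step 3 ("GOTO 1") in Wietse's summary.
    """
    seen = set()
    for from_host, by_host in hops:
        pair = (site(from_host), site(by_host))
        if pair in seen:
            return pair
        seen.add(pair)
    return None


def exceeds_hopcount(hops, limit=50):
    """Postfix's cleanup(8) bounces a message with '554 5.4.0 Error: too many hops'
    once its Received: count exceeds hopcount_limit (default 50)."""
    return len(hops) > limit


if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    for h in hops:
        print("%-50s -> %s" % h)
    print("loop:", find_loop(hops), "too many hops:", exceeds_hopcount(hops))
```

Each re-injection adds the full previous chain, so a looping message grows by about seven headers per cycle here and reaches the limit after a handful of round trips, which matches the five copies the thread counts before the 554.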
[pfx] Troubleshooting mail loop issue
Hi,

I have what appears to be a complicated mail loop problem that I can't figure out. I suspect that their receiving system (M365) is somehow reinjecting the message back to our mail server after it's been successfully delivered to them.

We are acting as MX for two small companies, and occasionally, when companyA emails companyB, it is first received by raven.example.com, 209.216.111.115, which is the MX we have created for them, processed by amavisd, then routed to the destination through our postfix-out instance xavier.example.com, 209.216.111.114. The companyB server accepts the message, but then somehow companyA appears to connect to our server again and send the same message again.

It's very difficult to trace what's happening, so I hoped someone could help. I think the sending server is somehow reconnecting to our server and resending the same message, but it eventually dies with the sending server saying "Error: too many hops". Our server never sees that message. They have forwarded the bounce to me and I've pasted it here:

https://pastebin.com/ChcnDwjK

It appears like it delivers five different copies, but each version has all the received headers of the previous version.

I'm sorry if this is confusing. I've spent probably six hours or more reading through this one email trying to trace the problem and correlate it with the postfix/amavis logs. I believe it's only happened a few times - I don't quite understand all the circumstances under which it happens. We also don't always see the reject/too many hops message. Here is a recent one:

Aug 4 09:01:13 xavier postfix-115/smtp[125455]: 88D5F246: to=, relay=127.0.0.1[127.0.0.1]:11024, delay=0.67, delays=0.21/0/0/0.45, dsn=5.4.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.4.0 id=136757-17 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:11025): 554 5.4.0 Error: too many hops (in reply to end of DATA command))

Any ideas for either what's going on with this email or what I can do to troubleshoot this further would really be appreciated.

Thanks,
Alex
[pfx] Re: bounce management
Hi,

> > We're only doing basic spam protection for them,
>
> What is the nature of the "basic spam protection"? Can it be done
> pre-queue?

Yes, most likely, I would think. It's a basic spamassassin setup with a few rules looking for specific patterns, as well as some RBL network checks.

> The only plausible solution on your end is to not queue mail for this
> domain, but rather proxy it through to the destination, with the
> response to "." coming from the final downstream systems. This may be
> possible with:
>
> http://www.postfix.org/postconf.5.html#smtpd_proxy_filter
>
> provided you can dedicate an IP address (port 25 smtpd(8) instance) for
> this destination.

So I would do this in place of the transport filter I currently have in place?

example.com    smtp:mx1.hc4719.iphmx.com

Thanks,
Alex
[pfx] bounce management
Hi,

I have a postfix-3.7.3 system on fedora37 and we're routing mail for a business using an Ironport device at their border. Instead of accepting all messages from us as their MX, there are some messages that it has determined are spam or otherwise undeliverable, which are resulting in them bouncing them back to us, where our system is then queuing them. These messages are undeliverable (this one was from mail.sqribblepro.shop), so it just sits in our queue, continually trying to be delivered unsuccessfully until we either remove it or it expires.

Aug 5 11:03:14 xavier postfix-out/smtp[224468]: 59291305F59C3: to=<nca...@example1.com>, relay=mx1.hc4719.iphmx.com[207.54.11.59]:25, delay=0.98, delays=0/0/0.8/0.18, dsn=5.0.0, status=bounced (host mx1.hc4719.iphmx.com[207.54.11.59] said: 550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. (in reply to DATA command))
Aug 5 11:03:14 xavier postfix-out/cleanup[225801]: 55453305F59C9: message-id=<20230804150314.55453305f5...@xavier.example.com>
Aug 5 11:03:14 xavier postfix-out/bounce[224445]: 59291305F59C3: sender non-delivery notification: 55453305F59C9
Aug 5 11:03:14 xavier postfix-out/qmgr[193207]: 55453305F59C9: from=<>, size=12276, nrcpt=1 (queue active)
Aug 5 11:03:14 xavier postfix-out/qmgr[193207]: 59291305F59C3: removed

We're only doing basic spam protection for them, and while this mail server may be on a blocklist now, it wasn't then. It's also not always spam that they reject, but otherwise legitimate messages that are blocked by policy. I also realize having them adjust their policy is probably the best solution, but that's not possible right now.

How can I either immediately drop these messages or simply not allow them to refuse these messages?

Thanks,
Alex
[pfx] Re: content filter sends mail twice
Hi,

On Mon, May 22, 2023 at 9:47 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Mon, May 22, 2023 at 06:06:00PM -0400, Alex wrote:
>
> > Yes, I wasn't aware that's how it worked. I've now explicitly defined the
> > bcc-user to use the same transport, but the problem is that there is one
> > bcc-user but multiple transports, each with their own policy.
>
> This is where recipient_bcc_maps comes into play, you can have a bcc
> recipient per domain or per-user (the latter preserves the message
> envelope as part of the BCC side-channel).
>
> Or (in a multi-instance configuration), you can add Bcc recipients
> in a per-domain output (back-end) instance.

recipient_bcc_maps worked beautifully, thanks.

Thanks so much for so selflessly helping the community.
[pfx] Re: content filter sends mail twice
Hi,

> The BCC recipient is processed in much the same way as any other message
> recipient. The only special handling that comes to mind is DSN, where
> this recipient is treated as if NOTIFY=NEVER were specified.
>
> > local_transport = error:5.1.1 Mailbox unavailable
> > default_transport = smtp:[127.0.0.1]:10024
> > relay_transport = $default_transport
> > virtual_transport = $default_transport
> > transport_maps = ${indexed}transport
>
> Perhaps the BCC recipient (domain) did not match any transport
> table keys, but the real recipient did?

Yes, I wasn't aware that's how it worked. I've now explicitly defined the bcc-user to use the same transport, but the problem is that there is one bcc-user but multiple transports, each with their own policy.

> > /etc/postfix-120/transport
> > domain1.com    alex:[127.0.0.1]:10029
>
> What is the domain part of the always BCC address.

It's the same as the hostname, while domain1.com (and domain2, domain3, etc) each use their own transport. Associating bcc-user with the policy that corresponds with domain would help me to better understand how the policy is being applied to users and be able to view header details as if they were to the actual user. Hopefully that makes sense. Email to one domain may be blocked with a given policy, while email to another domain may not, so it would be good to have the same policy applied to the always BCC user as every other user using that transport.

Thanks,
Alex
[pfx] Re: per-domain header/body checks?
Hi,

> According to the subject, you appear to be looking for per-domain
> header/body check. That is not the right tool, and I would not
> spend my cycles on a design for that.
>
> Instead I recommend filters between a front and back-end instance,
> using transport_maps to select a filter depending on the domain.
> I recall that you are familiar with Amavis as a content filter.
> That would be a better tool for the job. Each domain can then have
> its own Amavis config that receives mail on its own port.

I am coming to the same realization. Thank you so much.
[pfx] Re: per-domain header/body checks?
Hi,

> > > > > internet -> front-end Postfix instance -> filter -> back-end Postfix
> > > > > instance
> > > > >
> > > > > The front-end Postfix instance uses transport_maps to select a suitable
> > > > > filter.
> > > > >
> > > > > example.com: smtp:
> > > > > example.org: smtp:
> > > > >
> > > > > Each filter then delivers to the back-end Postfix.
> > > >
> > > > This implies one IP per domain as well, correct?
> > >
> > > No. One front-end instance can receive mail for N domains, and they
> > > can share (MX) IP addresses.
> > >
> > > You can have multiple front ends, again that is not required for
> > > per-domain filters to work.
> >
> > I'm starting to understand and really appreciate your help. Can I ask you
> > to provide me with an example of what you mean? Are you referring to what's
>
> That is shown above, expressed in terms of transport maps and
> customized content filters in-between general-purpose Postfix
> instances.
>
> header/body checks don't generalize beyond narrow use cases.

I'm trying really hard, but I just don't understand what you mean. I set up multi-instance with Viktor's help some time ago, where each instance essentially processes mail for a somewhat related group of domains. Adding transport maps to the front-end instance would be different than what I remember doing with Viktor. I don't have any content filters set up in the front-end postfix. How do I connect the front-end postfix with the filters?

I think this is something I can implement, but I need more of a description of how it should work, please.
[pfx] Re: per-domain header/body checks?
Hi,

On Sun, May 21, 2023 at 4:41 PM Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Alex via Postfix-users:
> > > > I'd say, start with one instance per domain. The 'cost' of doing so
> > > > is really small.
> > >
> > > Once you run out of IP addresses, you will need policy selection
> > > based on the recipient domain. For example:
> > >
> > > internet -> front-end Postfix instance -> filter -> back-end Postfix
> > > instance
> > >
> > > The front-end Postfix instance uses transport_maps to select a suitable
> > > filter.
> > >
> > > example.com: smtp:
> > > example.org: smtp:
> > >
> > > Each filter then delivers to the back-end Postfix.
> >
> > This implies one IP per domain as well, correct?
>
> No. One front-end instance can receive mail for N domains, and they
> can share (MX) IP addresses.
>
> You can have multiple front ends, again that is not required for
> per-domain filters to work.

I'm starting to understand and really appreciate your help. Can I ask you to provide me with an example of what you mean? Are you referring to what's outlined in FILTER_README as an after-queue filter? How would I reference my header_checks.pcre from within the shell script filter?

example.com: smtp:/usr/bin/filter-example.com.sh

I would then need to send the email to the port where amavisd is listening to process mail for that specific domain, correct? amavisd would then send the email to the back-end postfix to be delivered.
[pfx] Re: per-domain header/body checks?
Hi,

On Sun, May 21, 2023 at 12:39 PM Wietse Venema via Postfix-users <postfix-users@postfix.org> wrote:

> Wietse Venema via Postfix-users:
> > Alex via Postfix-users:
> > > Hi,
> > > I'm using multi-instance postfix-3.7.2 on fedora37 and would like to be
> > > able to control which header and body checks apply to which domain in a
> > > specific instance. I'm looking for advice on the best way to do this.
> > >
> > > I have about ten domains right now, and would probably need a number of
> > > policies that control filtering for these domains. I was thinking I could
> > > create a new instance for each domain, but I only have a limited number of
> > > IP addresses. Is it possible to do this using content filters with a
> > > multi-instance postfix configuration? Do you have any examples of how this
> > > might work?
> > >
> > > I also recall reading about using a milter for this, but would that require
> > > me to develop my own application for this? Or is there one already created
> > > and supported that might help here?
> > >
> > > I've used if/endif conditionals in check_recipient_access in the past, but
> > > this doesn't work for header/body checks?
> > >
> > > I'm not sure where to start, so I'm also not sure what other config details
> > > I should provide to help make this determination.
> >
> > I'd say, start with one instance per domain. The 'cost' of doing so
> > is really small.
>
> Once you run out of IP addresses, you will need policy selection
> based on the recipient domain. For example:
>
> internet -> front-end Postfix instance -> filter -> back-end Postfix
> instance
>
> The front-end Postfix instance uses transport_maps to select a suitable
> filter.
>
> example.com: smtp:
> example.org: smtp:
>
> Each filter then delivers to the back-end Postfix.

This implies one IP per domain as well, correct? Which then also means one MX for each domain, plus a backup.

This is my current postmulti setup for this server:

$ postmulti -l
-               -       y       /etc/postfix
postfix-out     mta     y       /etc/postfix-out
postfix-120     mta     y       /etc/postfix-120

In your above scenario, the filter instance is my postfix-120, correct? This is where I would add the header and body checks?
[pfx] Re: content filter sends mail twice
Hi,

Can I follow up on this? I can't figure out why always_bcc mail is being sent through the default content filter while mail designated for my domain-specific transport is sent through another in my multi-instance postfix config. I'd like the always_bcc user mail to still benefit from being filtered through amavis, but through the transport designed for the domain for which it was intended.

local_transport = error:5.1.1 Mailbox unavailable
default_transport = smtp:[127.0.0.1]:10024
relay_transport = $default_transport
virtual_transport = $default_transport
transport_maps = ${indexed}transport

/etc/postfix-120/transport
domain1.com    alex:[127.0.0.1]:10029

I've tried adding "receive_override_options = no_address_mappings" in main.cf but it seems to be ignored.

I thought it might be helpful to show the log entries (except for the more involved amavisd entries). cable.example.com is my mail router. domain1.com is the recipient domain. I believe this shows how the mail goes from gmail.com to the domain1.com transport on port 10029 (amavisd). Both emails were then sent back to postfix-out on 10025 to be relayed on (or the always_bcc user to be delivered locally). Maybe this is even the preferred approach? I'm not used to seeing it this way, but I would think the transport corresponding with the recipient would be the one that should be used for the always_bcc user.

May 21 13:40:12 cable postfix-120/qmgr[3714211]: 494948B53: from=<mysqlstud...@gmail.com>, size=3214, nrcpt=2 (queue active)
May 21 13:40:12 cable amavis[3558243]: (3558243-06) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20230521T020900-3558243-jefENl_V: <mysqlstud...@gmail.com> -> SIZE=3214 Received: from cable.example.com ([145.239.111.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port 10024) with ESMTP for ; Sun, 21 May 2023 13:40:12 -0400 (EDT)
May 21 13:40:12 cable amavis[3558246]: (3558246-06) ESMTP [127.0.0.1]:10029 /var/spool/amavisd/tmp/amavis-20230521T032452-3558246-T4MBowCR: <mysqlstud...@gmail.com> -> Received: from cable.example.com ([145.239.111.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port 10029) with ESMTP for ; Sun, 21 May 2023 13:40:12 -0400 (EDT)
May 21 13:40:18 cable amavis[3558246]: (3558246-06) yz4rjN5FRAbF FWD from <mysqlstud...@gmail.com> -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0671630014B43
May 21 13:40:18 cable amavis[3558243]: (3558243-06) 1GoUW-HU8Lsg FWD from <mysqlstud...@gmail.com> -> , BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 070A730014B58
May 21 13:40:18 cable postfix/alex/smtp[3719703]: 494948B53: to=<jre...@domain1.com>, relay=127.0.0.1[127.0.0.1]:10029, delay=6.9, delays=1.2/0.02/0.01/5.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 0671630014B43)
May 21 13:40:19 cable postfix-out/smtp[3719782]: 0671630014B43: to=<jre...@domain1.com>, relay=68.195.111.42[68.195.111.42]:25, delay=1.2, delays=0.01/0.02/0.82/0.33, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as E293A8078BEB)

Thanks,
Alex

> > > Maybe my issue is that the always_bcc user is going through a transport at
> > > all, and instead should just be delivered locally, or perhaps processed
> > > only by the local_transport? How can I do that?
> > >
> > > I recall many years ago doing that, before I set up multi-instance postfix.
> >
> > A not uncommon issue is that virtual alias expansion or other address
> > rewriting actions are performed twice, once on each side of a
> > content_filter. This is covered in the "Advanced content filter:
> > requesting that all mail is filtered" section of:
> >
> > http://www.postfix.org/FILTER_README.html#advanced_filter
> >
> > (receive_override_options).
> >
> > And of course you can always go multi-instance, and configure suitable
> > rewriting for the pre and post filter instances.
>
> Yes, that's exactly what I'd like to do. I have multi-instance already
> configured, but adding always_bcc to postfix-out doesn't seem to work.
>
> I've also just experimented with "receive_override_options =
> no_address_mappings" (I also remember doing that many years ago, but would
> have never been able to figure that out on my own this time), and it now
> just doesn't actually create a copy of the email for the always_bcc user.
>
> Ideas on how to do it in my postfix-out instance? Ideally, I'd like it to
> have been processed by amavis so I can benefit from the additional header
> info.
[pfx] per-domain header/body checks?
Hi,

I'm using multi-instance postfix-3.7.2 on fedora37 and would like to be able to control which header and body checks apply to which domain in a specific instance. I'm looking for advice on the best way to do this.

I have about ten domains right now, and would probably need a number of policies that control filtering for these domains. I was thinking I could create a new instance for each domain, but I only have a limited number of IP addresses. Is it possible to do this using content filters with a multi-instance postfix configuration? Do you have any examples of how this might work?

I also recall reading about using a milter for this, but would that require me to develop my own application for this? Or is there one already created and supported that might help here?

I've used if/endif conditionals in check_recipient_access in the past, but this doesn't work for header/body checks?

I'm not sure where to start, so I'm also not sure what other config details I should provide to help make this determination.
[pfx] Re: content filter sends mail twice
Viktor,

On Thu, May 18, 2023 at 7:16 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Thu, May 18, 2023 at 09:20:38AM -0400, Alex via Postfix-users wrote:
>
> > Maybe my issue is that the always_bcc user is going through a transport at
> > all, and instead should just be delivered locally, or perhaps processed
> > only by the local_transport? How can I do that?
> >
> > I recall many years ago doing that, before I set up multi-instance postfix.
>
> A not uncommon issue is that virtual alias expansion or other address
> rewriting actions are performed twice, once on each side of a
> content_filter. This is covered in the "Advanced content filter:
> requesting that all mail is filtered" section of:
>
> http://www.postfix.org/FILTER_README.html#advanced_filter
>
> (receive_override_options).
>
> And of course you can always go multi-instance, and configure suitable
> rewriting for the pre and post filter instances.

Yes, that's exactly what I'd like to do. I have multi-instance already configured, but adding always_bcc to postfix-out doesn't seem to work.

I've also just experimented with "receive_override_options = no_address_mappings" (I also remember doing that many years ago, but would have never been able to figure that out on my own this time), and it now just doesn't actually create a copy of the email for the always_bcc user.

Ideas on how to do it in my postfix-out instance? Ideally, I'd like it to have been processed by amavis so I can benefit from the additional header info.
[pfx] Re: per-domain sender_checks?
Hi,

> > Is there a way to control smtpd_recipient_restrictions on a per-domain
> > basis so I can relax some of these restrictions for cases like this,
> > instead of a more reactive approach where I'm always adding
> > sender_checks.pcre entries?
>
> Instead of
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         ... reject_unknown_sender_domain ...
>
> Use
>
> /etc/postfix/main.cf:
>     smtpd_recipient_restrictions =
>         ... check_sender_access pcre:/etc/postfix/sender_access.pcre ...
>
> /etc/postfix/sender_access.pcre:
>     /\.example\.com$/   DUNNO
>     /./                 reject_unknown_sender_domain
>
> Though I wonder how one would ever be able to reply to the sender.

There are a ton of entries like this, where it appears DNS for the sending domain is horribly broken, my name server isn't forgiving enough to allow for those misconfigurations, or both.

May 18 18:24:00 cable postfix-120/smtpd[2919509]: NOQUEUE: reject: RCPT from send106.emailfilter.io[185.54.163.144]: 450 4.1.8 : Sender address rejected: Domain not found; from= to=<vojisla...@example.com> proto=ESMTP helo=

If I interpret your instructions properly, this is kind of an as-needed fqdn bypass, when what I'm trying to do is allow non-fqdn senders just for certain recipient domains. The users apparently don't mind receiving the additional spam this may create, but I also realize if their DNS isn't working, then they likely have no SPF record either.

Given my circumstance, perhaps there's another way to resolve this? I'm doing sender checks in smtpd_sender_restrictions, but you've also recommended adding the sender_access to recipient checks.

smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access ${indexed}sender_checks,
    check_sender_access pcre:$config_directory/sender_checks.pcre,
    check_sender_access ${default_database_type}:${meta_directory}/spamsources,
    check_sender_ns_access ${indexed}/blacklist_ns.cf,
    reject_unknown_sender_domain
[pfx] Re: content filter sends mail twice
Hi,

Maybe my issue is that the always_bcc user is going through a transport at all, and instead should just be delivered locally, or perhaps processed only by the local_transport? How can I do that?

I recall many years ago doing that, before I set up multi-instance postfix.

Thanks,
Alex

On Thu, May 18, 2023 at 8:00 AM Alex wrote:

> On Thu, May 18, 2023 at 4:39 AM Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote:
>
> > On 17.05.23 22:11, Alex via Postfix-users wrote:
> > > I'm using postfix (postmulti) with amavisd and trying to have separate
> > > content filters based on the domain so I can make decisions on the destiny
> > > of the email from within amavisd. Currently all mail is processed by the
> > > same amavisd policy_bank.
> >
> > so, amavis returns mail to postfix always the same way?
> >
> > > The problem now is that mail is being sent
> > > through the content filter designated in my transport map as well as the
> > > default transport filter.
> >
> > So, when amavis sends mail back to postfix, it gets filtered again.
>
> No, looking at this again, I think what's happening is the always_bcc user
> is being sent through 10024, while the actual recipient is being sent
> through 10029:
>
> May 18 06:57:43 cable amavis[2800375]: (2800375-01) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20230518T065743-2800375-wHC33xAt: <mysqlstud...@gmail.com> -> SIZE=3161 Received: from cable.example.com ([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port 10024) with ESMTP for <bcc-u...@cable.example.com>; Thu, 18 May 2023 06:57:43 -0400 (EDT)
>
> May 18 06:57:43 cable amavis[2800376]: (2800376-01) ESMTP [127.0.0.1]:10029 /var/spool/amavisd/tmp/amavis-20230518T065743-2800376-nYSpx4LR: <mysqlstud...@gmail.com> -> Received: from cable.example.com ([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port 10029) with ESMTP for ; Thu, 18 May 2023 06:57:43 -0400 (EDT)
>
> Before I started experimenting with multiple ports, the always_bcc user
> and the actual user(s) would be part of the same transport message.
>
> Thanks,
> Alex
[pfx] Re: content filter sends mail twice
On Thu, May 18, 2023 at 4:39 AM Matus UHLAR - fantomas via Postfix-users <postfix-users@postfix.org> wrote:

> On 17.05.23 22:11, Alex via Postfix-users wrote:
> > I'm using postfix (postmulti) with amavisd and trying to have separate
> > content filters based on the domain so I can make decisions on the destiny
> > of the email from within amavisd. Currently all mail is processed by the
> > same amavisd policy_bank.
>
> so, amavis returns mail to postfix always the same way?
>
> > The problem now is that mail is being sent
> > through the content filter designated in my transport map as well as the
> > default transport filter.
>
> So, when amavis sends mail back to postfix, it gets filtered again.

No, looking at this again, I think what's happening is the always_bcc user is being sent through 10024, while the actual recipient is being sent through 10029:

May 18 06:57:43 cable amavis[2800375]: (2800375-01) ESMTP [127.0.0.1]:10024 /var/spool/amavisd/tmp/amavis-20230518T065743-2800375-wHC33xAt: <mysqlstud...@gmail.com> -> SIZE=3161 Received: from cable.example.com ([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port 10024) with ESMTP for ; Thu, 18 May 2023 06:57:43 -0400 (EDT)

May 18 06:57:43 cable amavis[2800376]: (2800376-01) ESMTP [127.0.0.1]:10029 /var/spool/amavisd/tmp/amavis-20230518T065743-2800376-nYSpx4LR: <mysqlstud...@gmail.com> -> Received: from cable.example.com ([145.239.XXX.120]) by localhost (cable.example.com [127.0.0.1]) (amavis, port 10029) with ESMTP for ; Thu, 18 May 2023 06:57:43 -0400 (EDT)

Before I started experimenting with multiple ports, the always_bcc user and the actual user(s) would be part of the same transport message.

Thanks,
Alex
[pfx] content filter sends mail twice
Hi,

I'm using postfix (postmulti) with amavisd and trying to have separate content filters based on the domain so I can make decisions on the destiny of the email from within amavisd. Currently all mail is processed by the same amavisd policy_bank. The problem now is that mail is being sent through the content filter designated in my transport map as well as the default transport filter.

default_transport = smtp:[127.0.0.1]:10024
local_transport = error:5.1.1 Mailbox unavailable
relay_transport = $default_transport
transport_maps = ${indexed}transport
virtual_transport = $default_transport

/etc/postfix-120/transport:
example.com    relay:[127.0.0.1]:10029

How do I exclude example.com from also being sent through 10024? Is it necessary to then disable the default transport altogether and explicitly list all relay_domains?

I recall having some difficulty with transport maps when I first set up this multi-instance postfix, and Viktor helped me. I had content_filter defined as:

content_filter = smtp-amavis[127.0.0.1]:10024

and the following service defined in master.cf:

smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

but that was disabled when I moved to a multi-instance postfix in favor of transport maps, but I think I'm still confused.

Thanks for any ideas you might have.
[pfx] Re: per-domain sender_checks?
Hi,

On Tue, May 16, 2023 at 4:16 PM Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Tue, May 16, 2023 at 11:27:52AM -0400, Alex via Postfix-users wrote:
>
> > > > $ host info.apr.gov.rs
> > > > Host info.apr.gov.rs not found: 2(SERVFAIL)
> >
> > There's definitely a problem with their name servers, but it also seems my
> > version of bind is not permissive enough for such failures, although my
> > bind-9.16.38 system is, using the same configuration.
>
> The problems with their DNS are:
>
> - ns1.apr.gov.rs: EDNS(0) option intolerance, but returns
>   FORMERR, so fallback to non-EDNS queries should (and does) work.
>
>   $ dig -t a +nocomment +nocookie +nostats +nocmd +norecur +nocl +nottl @ns1.apr.gov.rs info.apr.gov.rs.
>   ;info.apr.gov.rs.       IN A
>   info.apr.gov.rs.        A 195.178.56.17
>
>   Disabling use of cookies in your BIND configuration would suffice.
>
> - ns2.apr.gov.rs: Supports EDNS(0), but returns SERVFAIL to all
>   queries.
>
>   $ dig -t a +noall +comment +norecur +noedns +nocl +nottl @ns2.apr.gov.rs info.apr.gov.rs.
>   ;; Got answer:
>   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42971
>   ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> > Public name servers also appear to have no issues. I'm currently
> > researching these FORMERR messages.
>
> Turn off cookies for queries to this domain, or generally.

Turning off cookies for this server solved the problem, but it's not a very scalable method. I realize this isn't bind-users, but can I ask if there is a way to fallback to not using cookies, instead of having to create a server {} section for each broken server? I have a bind-9.16.38 system and it's apparently able to query these broken servers without issue.

> --
> Viktor.
[pfx] Re: per-domain sender_checks?
Hi,

> > I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> > disable reject_non_fqdn_sender because it seems many of their users have
> > DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> > resolve with:
> >
> > $ host info.apr.gov.rs
> > Host info.apr.gov.rs not found: 2(SERVFAIL)
>
> $ host info.apr.gov.rs
> info.apr.gov.rs has address 195.178.56.17
>
> Looks like you have a *local* DNS problem. Check your routing,
> including netmasks.

There's definitely a problem with their name servers, but it also seems my version of bind is not permissive enough for such failures, although my bind-9.16.38 system is, using the same configuration. Public name servers also appear to have no issues. I'm currently researching these FORMERR messages.

Is there a way to control smtpd_recipient_restrictions on a per-domain basis so I can relax some of these restrictions for cases like this, instead of a more reactive approach where I'm always adding sender_checks.pcre entries?

Thanks,
Alex
[pfx] per-domain sender_checks?
Hi,

I have a postfix-3.7.3 fedora37 system and have a few users who want me to disable reject_non_fqdn_sender because it seems many of their users have DNS problems. For example, email from nore...@info.apr.gov.rs fails to resolve with:

$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERVFAIL)

and the following in my bind logs:

16-May-2023 09:01:37.082 resolver: DNS format error from 195.178.56.17#53 resolving ns2.apr.gov.rs/ for : server sent FORMERR
16-May-2023 09:01:37.082 lame-servers: received FORMERR resolving 'ns2.apr.gov.rs//IN': 195.178.56.17#53
16-May-2023 09:01:41.088 lame-servers: timed out resolving 'ns2.apr.gov.rs//IN': 212.62.49.194#53
16-May-2023 09:01:41.095 lame-servers: timed out resolving 'ns1.apr.gov.rs//IN': 212.62.49.194#53

Their name servers appear to be broken.

and in the (multi-instance) postfix logs I have the following:

May 16 07:23:53 iceman postfix-199/smtpd[2634611]: NOQUEUE: reject: RCPT from unknown[195.178.56.17]: 450 4.1.8 : Sender address rejected: Domain not found; from= to=<sovljansk...@example.co.rs> proto=ESMTP helo=

Without a FQDN, I'm of course concerned about disabling any form of spoofing protection, particularly for what appears to be mail from a government agency domain, but we also can't just block mail because of that. The return path is also the same domain, which means we also have no ability to verify the email origin using SPF.

I've since added an entry to my sender_checks.pcre that appears to be working:

/info\.apr\.gov\.rs/    permit

So my questions are related to this specific instance where email was being rejected from this domain, and the way I handled it, but also the more broader question about how to relax some of the DNS checks that we use to prevent sender fraud. How can I find a "happy medium" to limit fraud as much as possible, yet not reject all mail because they're having temporary DNS issues?

$ postconf -fn -c /etc/postfix-120
...
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_sender [reject_rbls ...]
    ${indexed}check_backscatterer,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/recipient_checks,
    check_recipient_access pcre:$config_directory/relay_recips_access,
    check_recipient_access,
    permit

Thanks so much for any ideas.
[pfx] postscreen and checking proper operation
Hi,

I have postscreen implemented on postfix-3.7.3 on fedora37, and not sure I understand if it's working properly. Sometimes I see the postscreen/dnsblog combination ending with a simple DISCONNECT. In this case, it met the 8-point threshold to be rejected, but appears to have only received a DISCONNECT:

May 1 20:57:53 petra postfix-226/postscreen[1104961]: CONNECT from [95.214.27.139]:50021 to [5.196.7.226]:25
May 1 20:57:53 petra postfix-226/postscreen[1104961]: PREGREET 11 after 0.01 from [95.214.27.139]:50021: EHLO User\r\n
May 1 20:57:53 petra postfix-226/dnsblog[1105023]: addr 95.214.27.139 listed by domain bl.mailspike.net as 127.0.0.2
May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4
May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.2
May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.9
May 1 20:57:53 petra postfix-226/dnsblog[1105024]: addr 95.214.27.139 listed by domain score.senderscore.com as 127.0.4.6
May 1 20:57:53 petra postfix-226/dnsblog[1105025]: addr 95.214.27.139 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
May 1 20:57:53 petra postfix-226/postscreen[1104961]: DNSBL rank 23 for [95.214.27.139]:50021
May 1 20:57:54 petra postfix-226/postscreen[1104961]: DISCONNECT [95.214.27.139]:50021

while other times I do see there is a NOQUEUE/reject involved:

May 1 20:13:15 petra postfix-226/postscreen[1095132]: CONNECT from [185.146.23.43]:46126 to [5.196.7.226]:25
May 1 20:13:15 petra postfix-226/dnsblog[1095229]: addr 185.146.23.43 listed by domain score.senderscore.com as 127.0.4.89
May 1 20:13:15 petra postfix-226/dnsblog[1095233]: addr 185.146.23.43 listed by domain bb.barracudacentral.org as 127.0.0.2
May 1 20:13:15 petra postfix-226/dnsblog[1095232]: addr 185.146.23.43 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
May 1 20:13:21 petra postfix-226/postscreen[1095132]: DNSBL rank 13 for [185.146.23.43]:46124
May 1 20:13:21 petra postfix-226/postscreen[1095132]: NOQUEUE: reject: RCPT from [185.146.23.43]:46124: 550 5.7.1 Service unavailable; client [185.146.23.43] blocked using DNS Blocklist (invaluement); from=<simon...@server.sito-wp.com>, to=, proto=ESMTP, helo=

What am I misunderstanding? Here is my postscreen config:

postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites =
    mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
    score.senderscore.com=127.0.4.[0..19]*5
    score.senderscore.com=127.0.4.[20..29]*4
    score.senderscore.com=127.0.4.[30..49]*3
    score.senderscore.com=127.0.4.[50..59]*2
    score.senderscore.com=127.0.4.[60..69]*1
    score.senderscore.com=127.0.4.[70..79]*-1
    score.senderscore.com=127.0.4.[80..89]*-2
    score.senderscore.com=127.0.4.[90..100]*-3
    bb.barracudacentral.org*7
    mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
    bl.mailspike.net*4
    bl.spamcop.net*4
    bl.spameatingmonkey.net*4
    mykey.zen.dq.spamhaus.net=127.0.0.3*4
    sip-sip24.mykey.invaluement.com=127.0.0.2*8
    ubl.unsubscore.com=127.0.0.2*1
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 8
postscreen_greet_action = enforce
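The rank arithmetic behind the two sessions in the post above, as an added example (my code, not Postfix's and not the poster's). It parses the postscreen_dnsbl_sites value and the dnsblog lines from the post and sums weights the way postscreen documents it: each domain[=filter]*weight entry adds its weight once when any A record returned for that domain matches the filter, negative weights included. It reproduces "DNSBL rank 23" and "DNSBL rank 13", and it shows why rank 23 did not yield a NOQUEUE line: with postscreen_dnsbl_action = enforce, postscreen only sends the 550 (and logs NOQUEUE: reject) when the client reaches RCPT TO, so a client that is scored and then hangs up leaves only a DISCONNECT; in the second session the reject belongs to the connection from port 46124, not the CONNECT from 46126 shown first.

```python
"""Recompute postscreen's DNSBL rank from a postscreen_dnsbl_sites setting and
dnsblog log lines. Added example: not Postfix code and not the poster's.
Modelled rule (as documented for postscreen_dnsbl_sites): each domain[=filter]*weight
entry adds its weight once when any A record returned for that domain matches the
filter; weights may be negative; the client is rejected at RCPT TO once the sum
reaches postscreen_dnsbl_threshold."""
import re

# Copied from the post above ("mykey" is the poster's placeholder for a DQS key).
POSTSCREEN_DNSBL_SITES = """
mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
score.senderscore.com=127.0.4.[0..19]*5
score.senderscore.com=127.0.4.[20..29]*4
score.senderscore.com=127.0.4.[30..49]*3
score.senderscore.com=127.0.4.[50..59]*2
score.senderscore.com=127.0.4.[60..69]*1
score.senderscore.com=127.0.4.[70..79]*-1
score.senderscore.com=127.0.4.[80..89]*-2
score.senderscore.com=127.0.4.[90..100]*-3
bb.barracudacentral.org*7
mykey.zen.dq.spamhaus.net=127.0.0.[4..7]*6
bl.mailspike.net*4
bl.spamcop.net*4
bl.spameatingmonkey.net*4
mykey.zen.dq.spamhaus.net=127.0.0.3*4
sip-sip24.mykey.invaluement.com=127.0.0.2*8
ubl.unsubscore.com=127.0.0.2*1
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
"""
POSTSCREEN_DNSBL_THRESHOLD = 8

# Constructed from the dnsblog lines quoted in the post above (both sessions).
DNSBLOG_LINES = """
May 1 20:57:53 petra postfix-226/dnsblog[1105023]: addr 95.214.27.139 listed by domain bl.mailspike.net as 127.0.0.2
May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4
May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.2
May 1 20:57:53 petra postfix-226/dnsblog[1105041]: addr 95.214.27.139 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.9
May 1 20:57:53 petra postfix-226/dnsblog[1105024]: addr 95.214.27.139 listed by domain score.senderscore.com as 127.0.4.6
May 1 20:57:53 petra postfix-226/dnsblog[1105025]: addr 95.214.27.139 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
May 1 20:13:15 petra postfix-226/dnsblog[1095229]: addr 185.146.23.43 listed by domain score.senderscore.com as 127.0.4.89
May 1 20:13:15 petra postfix-226/dnsblog[1095233]: addr 185.146.23.43 listed by domain bb.barracudacentral.org as 127.0.0.2
May 1 20:13:15 petra postfix-226/dnsblog[1095232]: addr 185.146.23.43 listed by domain sip-sip24.mykey.invaluement.com as 127.0.0.2
"""

SITE_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")
DNSBLOG_RE = re.compile(r"dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")

def parse_sites(text):
    """(domain, filter-or-None, weight) per entry; an omitted *weight counts as 1."""
    sites = []
    for entry in text.split():
        m = SITE_RE.match(entry)
        if not m:
            raise ValueError(f"cannot parse postscreen_dnsbl_sites entry {entry!r}")
        domain, filt, weight = m.groups()
        sites.append((domain, filt, int(weight) if weight else 1))
    return sites

def _octet_matches(pattern, value):
    """One filter octet: a plain number, or [..] holding ;-separated numbers and a..b ranges."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def address_matches(filt, addr):
    """True when A record `addr` satisfies the d.d.d.d filter (no filter: any listing counts)."""
    if filt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)   # split on dots outside [...]
    octets = [int(o) for o in addr.split(".")]
    return len(patterns) == 4 and all(_octet_matches(p, o) for p, o in zip(patterns, octets))

def parse_dnsblog(lines):
    """{client_ip: {dnsbl_domain: {returned A records}}} from dnsblog log lines."""
    hits = {}
    for line in lines:
        m = DNSBLOG_RE.search(line)
        if m:
            ip, domain, addr = m.groups()
            hits.setdefault(ip, {}).setdefault(domain, set()).add(addr)
    return hits

def contributions(sites, client_hits):
    """The site entries that matched for one client, each counted once."""
    return [(d, f, w) for d, f, w in sites if any(address_matches(f, a) for a in client_hits.get(d, ()))]

def dnsbl_rank(sites, client_hits):
    return sum(w for _, _, w in contributions(sites, client_hits))

if __name__ == "__main__":
    sites = parse_sites(POSTSCREEN_DNSBL_SITES)
    for ip, client_hits in parse_dnsblog(DNSBLOG_LINES.splitlines()).items():
        rank = dnsbl_rank(sites, client_hits)
        print(f"{ip}: DNSBL rank {rank} -> {'reject at RCPT TO' if rank >= POSTSCREEN_DNSBL_THRESHOLD else 'pass'}")
        for domain, filt, weight in contributions(sites, client_hits):
            print(f"   {weight:+d}  {domain}" + (f"={filt}" if filt else ""))
```

Running it prints the per-entry breakdown: for 95.214.27.139 the senderscore band (+5), the spamhaus 127.0.0.[4..7] band (+6), mailspike (+4) and invaluement (+8) sum to 23, and the spamhaus 127.0.0.2 and 127.0.0.9 records add nothing because no entry in the setting has a filter for them; for 185.146.23.43 the senderscore 127.0.4.89 listing subtracts 2, leaving 13.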
[pfx] Re: Sender address rejected, but domain is found?
Hi,

On Tue, Apr 25, 2023 at 1:03 PM Gerald Galster via Postfix-users <postfix-users@postfix.org> wrote:
> > Hi, I realize this is probably one of the most frequently asked questions, but I really can't figure out why this was rejected.
> >
> > Apr 25 12:06:01 petra postfix-226/smtpd[592344]: NOQUEUE: reject: RCPT from mail.email.eurobank.rs[195.242.76.237]: 450 4.1.8 <u...@eurobank-direktna.rs>: Sender address rejected: Domain not found; from= to= proto=ESMTP helo=
> >
> > What am I missing? eurobank-direktna.rs and mail.email.eurobank-direktna.rs both have forward and reverse DNS entries.
> >
> > I thought maybe it just didn't resolve properly at the time the email was received, but it's been happening for hours.
>
> Negative dns answers may be cached but usually not for hours. Verify that the resolver running on the postfix server can resolve that domain because this sounds like a dns problem.
>
> https://www.postfix.org/postconf.5.html#reject_unknown_sender_domain
>
> Query the resolvers listed in /etc/resolv.conf directly, e.g.
>
> dig @127.0.0.1 eurobank-direktna.rs a
> dig @127.0.0.1 eurobank-direktna.rs mx

That was the problem, thanks. I think it may be due to a low memory issue on the mail server. Simply restarting bind fixed it, but it is definitely curious to me that it was responding properly for so long. Thanks for taking the time to help.
letsencrypt and SSL alert number 80
Hi,

I'm seeing periodic entries like this in my maillog:

Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

I've searched quite a bit for more info on this error, including in the letsencrypt and openssl blogs, and haven't been able to find much. I previously was requiring TLS >= TLSv1.0, but have now relaxed that restriction and am still seeing these messages.

Here are my tls config options. Does anything else stand out as a possible cause that I could troubleshoot further?

# grep -E 'tls|ssl' main.cf|grep -v '\#'
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache

Thanks so much for any ideas.
Alex
Re: postscreen_dnsbl_reply_map and dnsblog
Hi,

I'm still struggling with this, and now wondering if it's even a problem. Are dnsblog entries like this supposed to be mapped, or just the rejection that the client sees?

Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4

Thanks,
Alex

On Sat, Dec 10, 2022 at 8:24 PM Alex wrote:
> Hi, I hoped someone could help me clear up some confusion. I understand postscreen_dnsbl_reply_map is for postscreen_dnsbl_sites, but I have dnsblog entries revealing my spamhaus key from entries in the postscreen_dnsbl_sites section, not smtp_recipient_restrictions.
>
> postscreen_dnsbl_sites =
>     mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
>     ...
>
> postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> rbl_reply_maps = hash:/etc/postfix/dnsbl_reply_map
>
> /etc/postfix/postscreen_dnsbl_reply_map:
> mykey.zen.dq.spamhaus.net DNS Blocklist (spamhaus)
>
> I've also tried including variations, including these:
> mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8 DNS Blocklist (spamhaus8)
> mykey.zen.dq.spamhaus.net=127.0.0.[10;11] DNS Blocklist (spamhaus8)
>
> Entries in my logs appear like:
> Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11
> Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3
> Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4
>
> I've even commented out all the spamhaus entries in smtpd_recipient_restrictions to be sure it wasn't coming from there. There are also postscreen entries which appear to be mapping the key properly:
>
> Dec 10 20:12:42 mail03 postfix/postscreen[52702]: NOQUEUE: reject: RCPT from [89.155.61.127]:40377: 550 5.7.1 Service unavailable; client [89.155.61.127] blocked using DNS Blocklist (spamhaus); from=, to=<hina.s...@example.com>, proto=ESMTP, helo=
>
> It seems like for every postscreen entry that is mapped, there is also at least one dnsblog entry that is not properly mapped.
>
> I'm assuming it's okay to use DNSBLs in both postscreen and recipient restrictions because recipient restrictions is able to check other things not available to postscreen at that time, correct?
postscreen_dnsbl_reply_map and dnsblog
Hi,

I hoped someone could help me clear up some confusion. I understand postscreen_dnsbl_reply_map is for postscreen_dnsbl_sites, but I have dnsblog entries revealing my spamhaus key from entries in the postscreen_dnsbl_sites section, not smtp_recipient_restrictions.

postscreen_dnsbl_sites =
    mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8
    ...

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
rbl_reply_maps = hash:/etc/postfix/dnsbl_reply_map

/etc/postfix/postscreen_dnsbl_reply_map:
mykey.zen.dq.spamhaus.net DNS Blocklist (spamhaus)

I've also tried including variations, including these:
mykey.zen.dq.spamhaus.net=127.0.0.[10;11]*8 DNS Blocklist (spamhaus8)
mykey.zen.dq.spamhaus.net=127.0.0.[10;11] DNS Blocklist (spamhaus8)

Entries in my logs appear like:
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3
Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4

I've even commented out all the spamhaus entries in smtpd_recipient_restrictions to be sure it wasn't coming from there. There are also postscreen entries which appear to be mapping the key properly:

Dec 10 20:12:42 mail03 postfix/postscreen[52702]: NOQUEUE: reject: RCPT from [89.155.61.127]:40377: 550 5.7.1 Service unavailable; client [89.155.61.127] blocked using DNS Blocklist (spamhaus); from=, to=<hina.s...@example.com>, proto=ESMTP, helo=

It seems like for every postscreen entry that is mapped, there is also at least one dnsblog entry that is not properly mapped.

I'm assuming it's okay to use DNSBLs in both postscreen and recipient restrictions because recipient restrictions is able to check other things not available to postscreen at that time, correct?
Re: TLS config confirmation
Hi,

On Thu, Dec 8, 2022 at 2:17 AM Matus UHLAR - fantomas wrote:
> On 07.12.22 12:28, Alex wrote:
> >smtp_tls_security_level = may
> >smtpd_tls_security_level = may
> >smtp_tls_mandatory_protocols= !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> >smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
>
> so, you don't enforce TLS on a server-server communication (correct), but you disable tlsv1 and tlsv1.1 protocols.
>
> This means, if you communicate with older server supporting up to TLS 1.1 or 1.0, communication will be unencrypted.
>
> This does not make much sense - tls1.0 is better than plaintext.

I think I assumed there was a vulnerability, like there is with SSLv3, that led me to disable it. I've now changed it to just:

smtpd_tls_mandatory_protocols = >=TLSv1.0

Can I also ask if it's a security risk from an information disclosure perspective to have multiple domains on the same letsencrypt cert? Each postfix instance I have configured processes mail for a number of different domains, so it's possible a user could ascertain info about those other clients by querying the cert directly. It certainly makes it easier for me to maintain the certs, but I wanted to consider at what cost to privacy or the disclosure of that info.
TLS config confirmation
Hi,

I have a few mail relays using Let's Encrypt certs to provide TLS. I'm pretty sure I've configured them properly, but hope someone would confirm. I've seen a few errors that I believe are a result of a poorly configured client, but I wanted to be sure.

Dec 7 10:27:32 armor postfix-110/smtpd[5701]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
Dec 7 06:00:58 armor postfix-110/smtpd[4066575]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

Here is the config I'm using for all hosts. All hosts are listed in the same cert.

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols= !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
#smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
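To make the point raised in the reply to this post checkable (opportunistic TLS plus a protocol list that refuses TLSv1/TLSv1.1 means plaintext, not a failure, with a peer that has nothing newer), here is a small linter written for this page; it is not Postfix code. It reads postconf-style "name = value" lines, works out which protocol versions each of smtp_tls_protocols and smtpd_tls_protocols leaves enabled, and reports the security_level = may combination. It assumes one form per parameter (either !-exclusions or a >=/<= bound) and, for an absent parameter, the Postfix 3.6+ default of >=TLSv1. The two sample configurations are constructed: the first is the protocol part of the settings posted above, the second the same settings with the opportunistic lists relaxed.

```python
"""Lint Postfix TLS protocol settings for the plaintext-fallback trap.

Added example, not Postfix code. ASSUMPTIONS: one form per *_tls_protocols
value (either '!' exclusions or a '>='/'<=' bound), and the Postfix 3.6+
default of '>=TLSv1' when a parameter is not set.
"""

PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEFAULT_PROTOCOLS = ">=TLSv1"          # ASSUMPTION: Postfix 3.6+ default

# Constructed: the protocol settings from the post above.
POSTED = """
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols= !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
"""

# Constructed: the same, with the opportunistic lists relaxed to >=TLSv1
# while mandatory (encrypt or stronger) sessions still require TLSv1.2+.
RELAXED = """
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1
smtp_tls_protocols = >=TLSv1
"""


def parse_postconf(text):
    """'name = value' lines -> dict; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        conf[name.strip()] = value.strip()
    return conf


def enabled_protocols(value):
    """Set of protocol versions a *_tls_protocols value leaves enabled."""
    lo, hi, bounded = 0, len(PROTOCOLS) - 1, False
    excluded, listed = set(), set()
    for tok in value.replace(",", " ").split():
        if tok.startswith(">="):
            lo, bounded = max(lo, PROTOCOLS.index(tok[2:])), True
        elif tok.startswith("<="):
            hi, bounded = min(hi, PROTOCOLS.index(tok[2:])), True
        elif tok.startswith("!"):
            excluded.add(tok[1:])
        else:
            listed.add(tok)                 # bare names: an explicit allow-list
    if bounded:
        enabled = set(PROTOCOLS[lo:hi + 1])
    elif listed:
        enabled = listed
    else:
        enabled = set(PROTOCOLS)
    return enabled - excluded


def lint_tls(conf):
    """Return one finding string per problem, for the smtp and smtpd sides."""
    findings = []
    for side in ("smtp", "smtpd"):
        level = conf.get(f"{side}_tls_security_level", "none")
        enabled = enabled_protocols(conf.get(f"{side}_tls_protocols", DEFAULT_PROTOCOLS))
        if enabled & {"SSLv2", "SSLv3"}:
            findings.append(f"{side}: SSLv2/SSLv3 still enabled")
        # With security_level=may a peer that cannot agree on a protocol does
        # not fail: the session proceeds in plaintext, which is what the
        # reply in this thread warns about.
        if level == "may" and not {"TLSv1", "TLSv1.1"} <= enabled:
            findings.append(f"{side}: security_level=may but TLSv1/TLSv1.1 refused "
                            f"by {side}_tls_protocols; such peers get plaintext, not an error")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("relaxed", RELAXED)):
        print(label, lint_tls(parse_postconf(text)) or ["no findings"])
```

The mandatory_protocols parameters are deliberately left alone: they only apply at security level encrypt or stronger, so tightening them does not change what an opportunistic session will accept.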
postscreen_dnsbl_reply_map ignored
Hi,

I have a fedora36 system with postfix-3.6.4 and am trying to get postscreen_dnsbl_reply_map to work properly. I have it working with the same configuration on a fedora37 system and postfix-3.7.3, although I can't imagine postfix versions would be the problem here.

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map

mykey.zen.dq.spamhaus.net DNS blocklist (spamhaus)

Nov 17 22:55:50 xavier postfix-117/smtpd[467504]: NOQUEUE: reject: RCPT from unknown[124.225.146.6]: 554 5.7.1 Service unavailable; Client host [124.225.146.6] blocked using mykey.zen.dq.spamhaus.net; https://www.spamhaus.org/sbl/query/SBLCSS / https://www.spamhaus.org/query/ip/124.111.146.6; from= to= proto=SMTP helo=<209.111.90.117>

What could I possibly be doing wrong? texthash doesn't require it to be mapped, but I've also tried specifying cdb and mapping it.

$ postmap -c /etc/postfix-117 -q mykey.zen.dq.spamhaus.net texthash:/etc/postfix/postscreen_dnsbl_reply_map
DNS blocklist (spamhaus)

Ideas greatly appreciated.
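The three postscreen_dnsbl_reply_map threads above all turn on which daemon wrote a given log line. As an added example for this page (not Postfix code), the script below loads the texthash reply map, reports every log line that still carries a keyed DNSBL hostname together with the parameter that governs that daemon's wording, and applies the same map to log text before it is shipped anywhere. The facts it relies on: postscreen's own rejects are rewritten by postscreen_dnsbl_reply_map, smtpd's reject_rbl_client rejects by rbl_reply_maps, and dnsblog lines record the name that was actually looked up and are not rewritten by either map. The sample log lines are constructed from lines quoted in these threads.

```python
"""Audit Postfix logs for a DNSBL hostname that embeds an account key.

Added example for the postscreen_dnsbl_reply_map threads; not Postfix
code. audit() says which parameter governs each leaking line; scrub()
applies the reply map to log text before export.
"""
import re

# Constructed copy of the texthash reply map from the thread.
REPLY_MAP_TEXT = "mykey.zen.dq.spamhaus.net DNS blocklist (spamhaus)\n"

# Constructed from lines quoted in the threads: one smtpd reject, three
# dnsblog lookups, and one postscreen reject that is already rewritten.
SAMPLE_LOG = [
    "Nov 17 22:55:50 xavier postfix-117/smtpd[467504]: NOQUEUE: reject: RCPT from unknown[124.225.146.6]: 554 5.7.1 Service unavailable; Client host [124.225.146.6] blocked using mykey.zen.dq.spamhaus.net; https://www.spamhaus.org/sbl/query/SBLCSS / https://www.spamhaus.org/query/ip/124.111.146.6; from= to= proto=SMTP helo=<209.111.90.117>",
    "Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.11",
    "Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.3",
    "Dec 10 20:09:39 mail03 postfix/dnsblog[54775]: addr 5.170.224.57 listed by domain mykey.zen.dq.spamhaus.net as 127.0.0.4",
    "Dec 10 20:12:42 mail03 postfix/postscreen[52702]: NOQUEUE: reject: RCPT from [89.155.61.127]:40377: 550 5.7.1 Service unavailable; client [89.155.61.127] blocked using DNS Blocklist (spamhaus); from=, to=<hina.s...@example.com>, proto=ESMTP, helo=",
]

# 'postfix/smtpd[123]:' or a multi-instance 'postfix-117/smtpd[123]:'
_DAEMON_RE = re.compile(r"postfix(?:-\d+)?/([a-z]+)\[\d+\]:")

# Which parameter controls the wording each daemon emits.
GOVERNING = {
    "postscreen": "postscreen_dnsbl_reply_map (rewrites postscreen's SMTP reply only)",
    "smtpd": "rbl_reply_maps (reject_rbl_client replies come from smtpd, not postscreen)",
    "dnsblog": "no reply map applies; dnsblog logs the name it looked up, so scrub before shipping logs",
}


def parse_texthash(text):
    """texthash format: key, whitespace, value; '#' lines and blanks are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key] = value.strip()
    return table


def audit(lines, reply_map):
    """Return (daemon, keyed_hostname, governing_parameter) per leaking line."""
    findings = []
    for line in lines:
        m = _DAEMON_RE.search(line)
        daemon = m.group(1) if m else "unknown"
        for keyed in reply_map:
            if keyed in line:
                findings.append((daemon, keyed, GOVERNING.get(daemon, "unrecognised daemon")))
    return findings


def scrub(line, reply_map):
    """Replace every keyed hostname with its public wording from the map."""
    for keyed, public in reply_map.items():
        line = line.replace(keyed, public)
    return line


if __name__ == "__main__":
    table = parse_texthash(REPLY_MAP_TEXT)
    for daemon, keyed, advice in audit(SAMPLE_LOG, table):
        print(f"{daemon:<11} leaks {keyed}: {advice}")
    for line in SAMPLE_LOG:
        print(scrub(line, table))
```

Run against the constructed sample, the smtpd reject is attributed to rbl_reply_maps, the three dnsblog lines are flagged as log-only, and the postscreen reject produces no finding because its wording has already been mapped.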
PBL and rejects
Hi,

I'm hoping I can ask this question here. Somehow the PBL considered the IP addresses given to us by our ISP (I can share this if needed) as ineligible to send email, resulting in any recipient domain that checks the PBL rejecting our email, including every email sent to a Microsoft 365 domain. This is also despite having a rule to bypass spam filtering on the M365 side with our own M365 domain - apparently that is not bypassed?

Does anyone know how this might happen? I've now delisted all of our IPs successfully, and mail is again flowing, but it obviously resulted in a pretty significant impact on our delivery.

I'm also trying to confirm I've configured my system properly to best utilize RBLs.

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rbl_client b.barracudacentral.org=127.0.0.2
    ...

Any suggestions greatly appreciated.

Thanks,
Alex
Re: policy-spf and whitelisting
> > This appears to indicate that generalatlantic.com is using the workday service to send email, but the generalatlantic.com SPF record does not include myworkday.com on the list of authorized senders.
> >
> > I've added the following to my sqlgrey FQDN whitelisting entries, but somehow it's still being rejected:
> > *.myworkday.com
> > generalatlantic.com
> >
> > And the IP range to the IP whitelist:
> > 209.177.165.0/24
> >
> > Here is my smtpd_recipient_restrictions:
> >
> > smtpd_recipient_restrictions =
> >     reject_non_fqdn_recipient,
> >     reject_non_fqdn_sender,
> >     reject_unlisted_recipient,
> >     reject_unknown_recipient_domain,
> >     permit_mynetworks,
> >     reject_unauth_destination,
>
> With Postfix, between reject_unauth_destination and policy-spf, insert:
>
>     check_sender_access inline:{{workday_supp...@generalatlantic.com = permit}}
>
> or
>
>     check_client_access inline:{{myworkday.com = permit}}
>
> to exclude such email from further restrictions.

Thank you so much for your help. In my rush between projects, I not only confused sqlgrey with postscreen, but I also forgot that I already have a postscreen section as well:

postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr,
    cidr:/etc/postfix/gmail_whitelist.cidr,
    cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
    cidr:/etc/postfix/bec-ranges.cidr,
    cidr:/etc/postfix/serverion-bec.cidr

I've added it there as well, but I'm not sure I understand the priorities. Would the check_client_access or check_sender_access entry be consulted before postscreen? Is the postscreen_access_list just another way of segmenting the checks?

Thanks again.
policy-spf and whitelisting
Hi,

I'm using sqlgrey for my greylisting service and having trouble with a particular entry. I need to make sure email from this sender doesn't get blocked, so I would like to confirm that I can add something to my recipient restrictions to bypass the SPF check for this domain.

Nov 2 18:02:30 armor policyd-spf[3053263]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=
Nov 2 18:02:30 armor postfix-113/smtpd[3053261]: NOQUEUE: reject: RCPT from wd1-az-mail-nat.myworkday.com[209.177.165.161]: 550 5.7.23 <repo...@example.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=workday_supp...@generalatlantic.com;ip=209.177.165.161;r=; from= to= proto=ESMTP helo=

This appears to indicate that generalatlantic.com is using the workday service to send email, but the generalatlantic.com SPF record does not include myworkday.com on the list of authorized senders.

I've added the following to my sqlgrey FQDN whitelisting entries, but somehow it's still being rejected:
*.myworkday.com
generalatlantic.com

And the IP range to the IP whitelist:
209.177.165.0/24

Here is my smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    check_sender_access ${indexed}check_backscatterer,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    check_helo_access ${pcre}non-fqdn-helo.pcre
    #reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/recipient_checks,
    reject

If I add a check_sender_access entry above the policy-spf policy service check, and add generalatlantic.com to it, will it bypass that SPF check altogether so it doesn't continue to reject this mail? How can I otherwise permit the 209.177.165.0/24 network?

Thanks,
Alex
Re: Unexpected record type 'X'
In my case, a single alias was used that expands to 5000 or more addresses in a virtual_alias_maps table (after increasing virtual_alias_expansion_limit). The error is reproduced both when sending an email to this alias address and when just checking with 'sendmail -bv'.

John

On 10/6/22 16:37, Wietse Venema wrote:
> How was your Postfix queue file with 5000 recipients created?
> - with Postfix virtual_alias_maps expansion,
> - with Postfix alias_maps expansion (/etc/aliases),
> - by submitting a message with 5000 recipients over SMTP?
> - ??
Re: Unexpected record type 'X'
Hi,

I encountered the same issue on two FreeBSD 13.1 + Postfix 3.7.2 installations. It only occurs when trying to send an email with >4999 recipients (the mail queue is otherwise empty). This issue does not happen on another machine with FreeBSD 13.0 + Postfix 3.6.3.

After some search I found that it is caused by the following addition in qmgr_message.c in 3.7 (line 441):

    if (strchr(expected_rec_types, rec_type) == 0) {
        msg_warn("Unexpected record type '%c' at offset %ld",
                 rec_type, (long) curr_offset);
        rec_type = REC_TYPE_ERROR;
        break;
    }

in combination with the pre-existing (line 385):

    /* Keep interrupt latency in check. */
    if (recipient_limit > 5000)
        recipient_limit = 5000;

If I remove the code that was introduced in 3.7, the mail is delivered without issue. I also tried changing 5000 to 10001 and the email was again successfully delivered to up to 1 recipients. So it seems this issue occurs whenever the mail queue total recipient count reaches 5000 addresses.

John

On 8/30/22 10:20, Frank Brendel wrote:
> Hi,
>
> sporadically I get the error Unexpected record type 'X' at offset ... and the message is moved to the corrupt queue.
>
> E.g.
> postfix/smtpd[19574] 010EDD6443: client=unknown[1.2.3.4]
> postfix/cleanup[98995] 010EDD6443: message-id=<>
> postfix/qmgr[63719] 010EDD6443: from=, size=14197, nrcpt=24 (queue active)
> postfix/qmgr[63719] warning: Unexpected record type 'X' at offset 17542
> postfix/qmgr[63719] warning: saving corrupt file "010EDD6443" from queue "active" to queue "corrupt"
>
> The message looks OK to me. It is multipart/mixed with multiple recipients. The offset is always at the end of the message.
>
> postcat -do 010EDD6443
> ...
> 17481 78 boundary_641_fc5671dc-1c1d-438e-a827-019b96ffe19b--
> 17538 78
> 17540 78
> 17542 88 *** HEADER EXTRACTED 010EDD6443 ***
> 17544 69 *** MESSAGE FILE END 010EDD6443 ***
>
> Postfix version is 3.7.0 and runs on FreeBSD 12.3. I have no idea what HEADER EXTRACTED means and why it appears or why it shouldn't. Messages were sent with different email clients.
>
> So what could be wrong with the message?
>
> Thanks
> Frank
>
> Frank Brendel
> Administrator Rechenzentrum
> EURO-LOG AG
Rejecting mail from localhost.localdomain
Hi,

I was surprised to see I received an email with localhost.localdomain as the envelope sender. It was a legitimate email, but not from my mail host.

Jun 16 16:15:29 armor policyd-spf[55040]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=50.210.225.242; helo=vw-00301802261d.localdomain; envelope-from=asterisk@localhost.localdomain; receiver=
Jun 16 16:15:30 armor postfix-110/qmgr[54319]: 6A2E22000341F: from=, size=1340777, nrcpt=2 (queue active)

Is it safe to add something like this to my helo_checks.pcre:

smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access ${indexed}helo_checks
    check_helo_access pcre:$config_directory/helo_checks.pcre
    permit

/\.localdomain$/ REJECT

and my sender_checks.pcre:

smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access ${indexed}sender_checks,
    check_sender_access pcre:$config_directory/sender_checks.pcre,
    check_sender_access ${indexed}spamsources,
    check_sender_ns_access ${indexed}blacklist_ns.cf,
    reject_unknown_sender_domain

/\.localdomain$/ REJECT

Thanks,
Alex
Re: postfix-policyd-spf-python
Hi,

> >I also posted a question about pypolicyd-spf, so I posted it here, not at the above link. Is this related?
> >
> >My question involves understanding how the whitelist works - hosts seem to be whitelisted even though they're not in my Domain_Whitelist or skip_addresses list in my policyd-spf.conf file. How does it determine when to skip SPF?
> >
> >May 13 08:11:11 xavier policyd-spf[2230289]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=54.240.14.218; helo=a14-218.smtp-out.amazonses.com; envelope-from=01000180bd5476c0-5cfcde84-8ec2-4b76-a4bf-f0b4ce69ce04-000...@mail.connectedcommunity.org; receiver=
> >
> >https://answers.launchpad.net/pypolicyd-spf/+question/701685
> >
> >The problem I'm having is that it seems to affect how my welcomelist_auth entries work with spamassassin.
>
> I renamed pypolicyd-spf spf-engine when I added the option of using the milter interface. That's the right place to ask questions.

I posted a question on the spf-engine page some time ago, and hoped I could prompt you to review for me.

https://answers.launchpad.net/spf-engine/+question/701789

Thanks so much,
Alex

> Scott K
Re: postfix-policyd-spf-python
> >> Not sure if this is the right place to post the question concerning postfix-policyd-spf-python but I can't seem to find any working links for the openspf project.
> >>
> >
> >You should start here,
> >
> > https://launchpad.net/spf-engine
> >
> >but the author is also on this list (I believe) and may reply directly.
>
> Thanks. Yes. If you have additional questions, please ask questions/file bugs there.

I also posted a question about pypolicyd-spf, so I posted it here, not at the above link. Is this related?

My question involves understanding how the whitelist works - hosts seem to be whitelisted even though they're not in my Domain_Whitelist or skip_addresses list in my policyd-spf.conf file. How does it determine when to skip SPF?

May 13 08:11:11 xavier policyd-spf[2230289]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=54.240.14.218; helo=a14-218.smtp-out.amazonses.com; envelope-from=01000180bd5476c0-5cfcde84-8ec2-4b76-a4bf-f0b4ce69ce04-000...@mail.connectedcommunity.org; receiver=

https://answers.launchpad.net/pypolicyd-spf/+question/701685

The problem I'm having is that it seems to affect how my welcomelist_auth entries work with spamassassin.

Thanks,
Alex
Multiple relays in transport maps for same domain?
Hi,

Is it possible to specify multiple relay hosts in a transport map for load balancing/fault tolerance?

example.com smtp:server1.com
example.com smtp:server2.com

I have a relay server set up as an MX for example.com. After mail is processed, I'd like to forward it on to either of the two mail servers where users receive their mail. This is in my postfix-out instance. How can I do this?

I remember using something related to a fallback_transport or fallback_relay many years ago, but I'm not sure that's what I want here. Perhaps it should just be done with DNS round-robin?

Thanks,
Alex
postscreen_access_list and SPF bypass
Hi,

It appears that entries included in my postscreen_access_list are also being used to bypass SPF checks by policyd-spf. Is this intentional? Would someone explain to me how this works?

smtpd_recipient_restrictions =
    ...
    check_policy_service unix:private/policy-spf,

postscreen_access_list =
    permit_mynetworks,
    cidr:$config_directory/postscreen_access.cidr,
    cidr:$config_directory/gmail_whitelist.cidr,
    cidr:$config_directory/postscreen_spf_whitelist.cidr,
    cidr:$config_directory/bec-ranges.cidr

The gmail_whitelist and postscreen_spf_whitelist are auto-generated by the stevejenkins postwhite scripts. It is here where the IPs for domains like salesforce, gmail/google, microsoft and amazonaws are listed which are being whitelisted.

The problem I'm having is policyd-spf adds an X-Comment header in the email which I believe is related to how my welcomelist_auth entries work with spamassassin. Even though the email passes SPF and/or DKIM, it doesn't pass my welcomelist_auth entries initially.

X-Comment: SPF skipped for whitelisted relay domain - client-ip=13.110.6.221; helo=smtp14-ph2-sp4.mta.salesforce.com; envelope-from=re...@support.meridianlink.com; receiver=

Somehow policyd-spf is impacting my welcomelist_auth entries and I don't understand how.
Re: header_checks and regexes
Hi,

On Thu, Mar 10, 2022 at 5:23 PM Viktor Dukhovni wrote:
> > On 10 Mar 2022, at 3:48 pm, Alex wrote:
> >
> > Can I use sender_checks to bypass a host like mail.coupahost.com? The client IP will constantly change, but I can rely on the sending domain to remain the same.
>
> Conditional header checks require a milter or content filter that can make such fine distinctions. Postfix built-in header checks are global.

I need to find a way to have different policies for different domains on the same IP address, such as to be able to reject mail from one sender to one domain but accept that sender to another. Are there existing content filters that can do this, or is the process explained somewhere? I've looked at a few examples but these distinctions don't seem to be made.

Building a milter from scratch to do this sounds like a daunting process. The milter docs mention it's possible to analyze headers, but don't appear to provide any details on how this would even be done.
Re: access list ordering
Hi,

> > Following up with my other email, I think I can ask the question more directly.
>
> Off hand, I did not see any questions in your post.

Yes, I think I was just generally confused :-)

> > I found it was necessary to have an entry in a check_recipient_access map with the old address as well as in my virtual map that redefines the old address with the new one, and I don't understand why.
>
> The virtual(5) alias table is not access policy, in smtpd(8) it is used to determine only whether an address is *valid*, not whether it is permitted to receive email. Invalid addresses are rejected as non-existent, valid addresses are subject to access control.

That makes sense. I think I was just expecting the conversion to take place prior to the recipient access map check being performed.
access list ordering
Hi,

Following up with my other email, I think I can ask the question more directly.

I found it was necessary to have an entry in a check_recipient_access map with the old address as well as in my virtual map that redefines the old address with the new one, and I don't understand why.

It looks like it finds it in the virtual map first:

Apr 9 17:49:20 xavier postfix-116/smtpd[5101]: maps_find: virtual_alias_maps: cdb:/etc/postfix-116/virtual(0,lock|fold_fix|utf8_request): user...@example.com = u...@example.com

but then continues processing the recipient restrictions and rejects it because there's a REJECT at the bottom and no specific entry for user...@example.com:

Apr 9 17:49:20 xavier postfix-116/smtpd[5101]: maps_find: pcre:/etc/postfix-116/property_map: pcre:/etc/postfix-116/property_map(0,lock|fold_fix|utf8_request): user...@example.com = REJECT

I also realized the format I was using in my virtual_alias_maps was wrong. The example in the documentation just says "Wietse.Venema" maps to "wietse" without the FQDN, but that didn't work for me until I used the full address.
Re: Merging accounts/home directories
Hi,

> >> >How does using virtual_alias_maps affect my existing configuration if I'm not currently using virtual domains or virtual maps? Currently the server is processing mail for one domain listed in relay_domains.
> >>
> >> virtual_alias_maps is processed each time a mail is received, so you are able to alias any mail recipient, even those in remote domains:
> >>
> >> http://www.postfix.org/ADDRESS_REWRITING_README.html#virtual
> >
> >Okay, I'll experiment with that.
>
> later (e.g. in a year) you can convert those redirects in virtual_alias_maps to relocated.

I'm still having a problem. I didn't previously explain that there are mail relays in front of the server that's responsible for mail for this domain, and I can't figure out why virtual_alias_maps doesn't work there.

I'm currently using a check_recipient_access table to list all the existing users, then a transport to forward them from the mail relays to the server responsible for this domain. Do I also need the virtual_alias_maps entries on the relays, or should I just leave them in the check_recipient_access table and deal with it at the final destination mail server?

If I remove the entries from the check_recipient_access table on the mail relays and add them to the virtual_alias_maps table, mail is rejected.

On the mail relays:

smtpd_recipient_restrictions =
    ...
    check_recipient_access pcre:$config_directory/recipient_checks,

virtual_alias_maps = ${indexed}virtual

$config_directory/recipient_checks:
/^name@example\.com$/ DUNNO

${indexed}virtual:
name123 name

Apr 9 11:57:01 armor postfix-110/smtpd[769690]: maps_find: virtual_alias_maps: cdb:/etc/postfix-110/virtual(0,lock|fold_fix|utf8_request): name...@example.com = n...@example.com

That looks like a match, but then it continues through the rest of the checks until it's rejected.

Should the virtual_alias_maps entry be enough to match and then for it to use the transport to be sent to the final destination, or even to check the check_recipient_access table to find the new name after it's been converted/aliased in the virtual_alias_maps table?
mailer-daemon sent by invalid host
Hi,

I'm having trouble figuring out why this header check doesn't reject a mailer-daemon bounce email with ".lan" in the From address:

/^From:.*\.lan>$/ REJECT Invalid domain

It works if I use postmap directly, but not when the bounce message is received. Does it have something to do with it being a bounce message?

$ postmap -q 'From: Mail Delivery System ' pcre:/etc/postfix-110/header_checks.pcre
REJECT Invalid domain

/etc/postfix-110/main.cf:
header_checks = regexp:/etc/postfix-110/header_checks pcre:$config_directory/header_checks.pcre

Apr 5 03:33:44 armor postfix-110/smtpd[1323082]: connect from mail.nrtc.syn-alias.com[129.213.214.220]
Apr 5 03:33:45 armor policyd-spf[1323084]: prepend Received-SPF: None (no SPF record) identity=no SPF record; client-ip=129.213.214.220; helo=mail.nrtc.syn-alias.com; envelope-from=<>; receiver=
Apr 5 03:33:45 armor postfix-110/smtpd[1323082]: 3EA5320055E46: client=mail.nrtc.syn-alias.com[129.213.214.220]
Apr 5 03:33:45 armor postfix-110/cleanup[1323942]: 3EA5320055E46: message-id=<6e.b8.17947.1d0fb...@smtp03.nrtc.email-ash1.sync.lan>
Apr 5 03:33:45 armor postfix-110/qmgr[1314349]: 3EA5320055E46: from=<>, size=4906, nrcpt=2 (queue active)

The message is then quarantined by amavis because of the From address having ".lan".

Return-Path: <>
X-Envelope-From: <>
Received: from mail.nrtc.syn-alias.com (mail.nrtc.syn-alias.com [129.213.214.220])
Received: from [127.0.0.1] ([local]) by smtp03.nrtc.email-ash1.sync.lan (envelope-from <>) (ecelerity 4.3.1.69410 r(Core:4.3.1.0)) with INTERNAL id 6E/B8-17947-1D0FB426; Tue, 05 Apr 2022 03:33:37 -0400
From: Mail Delivery System
To: u...@example.com
Subject: Mail Delivery Failure
Message-ID: <6e.b8.17947.1d0fb...@smtp03.nrtc.email-ash1.sync.lan>

I've pasted the entire message here https://pastebin.com/zEkxMzuq

How should I handle this? Ideas greatly appreciated.

Thanks,
Alex
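For the pcre tables in the localhost.localdomain thread and the header check in this post, here is an offline checker written for this page; it is not Postfix's own postmap. It parses "/pattern/flags ACTION [text]" rules, compiles each one, reports rules that fail to compile instead of letting them silently never match, and returns the action of the first rule that matches a sample string, which is how access and header tables are consulted. It substitutes Python's re for PCRE (an assumption that holds for patterns this simple) and applies Postfix's pcre_table flag defaults, case-insensitive and dotall, with i, m, s and x toggling them. The sample table and inputs are constructed: the first rule has a leading quantifier, the kind of slip that makes a rule do nothing, and the From header is written out in full because the archive stripped the address from the one quoted above.

```python
"""Lint and exercise Postfix pcre: table rules offline.

Added example for the helo/sender and header_checks threads; not Postfix
code. ASSUMPTION: Python's re stands in for PCRE, which holds for simple
patterns. Flag defaults follow pcre_table(5): i and s on, m and x off,
and naming a flag toggles its default.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "lineno pattern regex action error")

# Constructed sample table (not a file from the threads).
SAMPLE_TABLE = r"""
# constructed: a leading quantifier, which PCRE rejects ("nothing to repeat")
/*.localdomain/ REJECT
# constructed: the intended check, anchored at the end of the name
/\.localdomain$/ REJECT
# the header check from the mailer-daemon thread
/^From:.*\.lan>$/ REJECT Invalid domain
"""

# Constructed inputs: the HELO name from the thread, a From header written
# out in full, the same header with a stray trailing space, and a clean name.
SAMPLE_INPUTS = [
    "vw-00301802261d.localdomain",
    "From: Mail Delivery System <MAILER-DAEMON@smtp03.nrtc.email-ash1.sync.lan>",
    "From: Mail Delivery System <MAILER-DAEMON@smtp03.nrtc.email-ash1.sync.lan> ",
    "mail.example.com",
]

# /pattern/flags ACTION [text]; an escaped "/" inside the pattern is allowed.
_RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(.+)$")
_TOGGLES = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
_DEFAULT_FLAGS = re.IGNORECASE | re.DOTALL


def load_rules(text):
    """Parse and compile every rule; a bad rule is kept with its error set."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            rules.append(Rule(lineno, line, None, None, "not a /pattern/flags ACTION line"))
            continue
        pattern, flags, action = m.groups()
        re_flags = _DEFAULT_FLAGS
        for flag in flags:
            if flag in _TOGGLES:
                re_flags ^= _TOGGLES[flag]      # each named flag toggles its default
        try:
            rules.append(Rule(lineno, pattern, re.compile(pattern, re_flags), action, None))
        except re.error as exc:
            rules.append(Rule(lineno, pattern, None, action, str(exc)))
    return rules


def lint(rules):
    """Return (lineno, pattern, error) for every rule that did not compile."""
    return [(r.lineno, r.pattern, r.error) for r in rules if r.error]


def first_match(rules, text):
    """Action of the first compiled rule whose pattern is found in text, else None."""
    for rule in rules:
        if rule.regex is not None and rule.regex.search(text):
            return rule.action
    return None


if __name__ == "__main__":
    rules = load_rules(SAMPLE_TABLE)
    for lineno, pattern, error in lint(rules):
        print(f"line {lineno}: /{pattern}/ skipped: {error}")
    for text in SAMPLE_INPUTS:
        print(f"{text!r} -> {first_match(rules, text)}")
```

The third input is the interesting one: a single trailing space defeats the "$" anchor, so a header that looks identical in a mail reader can still miss a rule that postmap -q confirmed against a hand-typed string.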
Re: Merging accounts/home directories
> >The best course of action is to bounce the messages with a
> >relocated_maps entry and force the sender to resend?
>
> "the best" is subjective. using relocated_maps
> http://www.postfix.org/relocated.5.html
> you make sure people will not receive mail to the old address, and any mail
> must be re-sent to new address to pass.

The plan was to migrate the existing username/passwords to the new n...@example.com format and have the users configure their mail client to login to receive their mail from the new address only.

The original recommendation involved setting the Reply-To address to be the new address, but I'm not sure of the point of that - is the expectation here that the user will login to both the new and old accounts? If the recommendation is also to reject/bounce mail to the old address, when is someone ever going to see an email from the old address that they would need the reply-to info?

> someone may take this for unnecessary work for senders, which aren't
> responsible for recipient who wished to change their address.

Perhaps "best practices" would have been better language, then.

> >How does using virtual_alias_maps affect my existing configuration if
> >I'm not currently using virtual domains or virtual maps? Currently the
> >server is processing mail for one domain listed in relay_domains.
>
> virtual_alias_maps is processed each time a mail is received, so you are
> able to alias any mail recipient, even those in remote domains:
>
> http://www.postfix.org/ADDRESS_REWRITING_README.html#virtual

Okay, I'll experiment with that.
Re: Merging accounts/home directories
[note: quoted content modified slightly; it was rejected for some reason previously]

> Not a lot. In as far as this pertains to postfix, just ch-ange the primary
> add-ress and add aliases for the old ones. The reply-to address should be set
> to the new address.
> See virtual_alias_maps and relocated_maps for details.

The best course of action is to bounce the messages with a relocated_maps entry and force the sender to resend?

How does using virtual_alias_maps affect my existing configuration if I'm not currently using virtual domains or virtual maps? Currently the server is processing mail for one domain listed in relay_domains.

Thanks,
Alex

> > On 6 Apr 2022 20:33, Alex wrote:
> >
> > Hi,
> >
> > We have a set of users who wish to change their account names from
> > name123@ to just name@ and I'm trying to determine the best way to
> > manage that. The accounts are set up using actual password/shadow
> > entries with check_client_access to recipient restrictions. Users
> > retrieve mail using dovecot.
> >
> > I've been thinking one approach would be to create password/shadow
> > entries for these new users and set their home directories to be the
> > same as their old ones, then also add new entries to the
> > check_client_access map. Does that make sense?
> >
> > Thanks,
> > Alex
Merging accounts/home directories
Hi,

We have a set of users who wish to change their account names from name123@ to just name@ and I'm trying to determine the best way to manage that. The accounts are set up using actual password/shadow entries with check_client_access to recipient restrictions. Users retrieve mail using dovecot.

I've been thinking one approach would be to create password/shadow entries for these new users and set their home directories to be the same as their old ones, then also add new entries to the check_client_access map. Does that make sense?

Thanks,
Alex
Re: header_checks and regexes
Hi,

I now have these mime_header_checks working properly, but it turns out there are companies sending legitimate invoices as HTML attachments, ugh.

Mar 8 07:49:05 xavier postfix-118/cleanup[2084042]: C01C310024593: reject: header Content-Disposition: attachment;? filename=purchase_order.html from a31-88.smtp-out.amazonses.com[54.240.31.88]; from=<0100017f6993716e-42efe44-02df-4144-a0cb-35f9b82890b7-000...@mail.coupahost.com> to= proto=ESMTP helo=: 5.7.1 ".html" file attachment types not allowed

Can I use sender_checks to bypass a host like mail.coupahost.com? The client IP will constantly change, but I can rely on the sending domain to remain the same. If so, how do I control the ordering to be sure the mime_header_checks are processed after the sender_checks?

On Fri, Mar 4, 2022 at 5:15 PM Alex wrote:
>
> Hi,
>
> > > I believe there's a dot missing in the first one, as in '.(386' but
> > > it's more than that, because I experimented with that too.
> >
> > No, it would have to be: \.(386|...)
> > otherwise '.' just matches any character. Your RE pattern is sloppy
> > in places, ... correct REs take some care.
>
> Yes, that is what I meant. I believe there were problems with the
> regex that I fixed, but I was also using header_checks instead of
> mime_header_checks.
>
> Just for completeness, here's what worked for me.
>
> Given the following attachment:
> --caef4405d964f4b8
> Content-Type: text/html; charset="US-ASCII"; name="download.html"
> Content-Disposition: attachment; filename="download.html"
> Content-Transfer-Encoding: base64
> Content-ID:
> X-Attachment-Id: f_l0chj96g0
>
> TWFpbGd1biBNYWduaWZpY2VudCBBUEk=
> --caef4405d964f4b8--
>
> $ postmap -c /etc/postfix -q 'Content-Disposition: attachment;
> filename="download.html"' pcre:/etc/postfix/mime_header_checks.pcre
> REJECT ".html" file attachment types not allowed
>
> mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
>
> /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
> REJECT ".$3" file attachment types not allowed
>
> Can I also ask a more general question? How are other people handling
> attachments such as those I've listed which really have no purpose
> these days but to spread malware?
>
> The vast majority of HTML attachments we receive are not malicious,
> but just silently quarantining them was leading to too many support
> requests.
>
> Thanks so much for your help.
Re: bypassing invalid helo
> > Mar 7 13:25:36 armor postfix-113/smtpd[4009829]: NOQUEUE: reject:
> > RCPT from unknown[173.213.231.144]: 504 5.5.2 : Helo command
> > rejected: need fully-qualified hostname; from=<>
> > to= proto=ESMTP helo=
> >
> > reject_non_fqdn_helo_hostname,
>
> > It also appears that smtpd_helo_required is still set to the default
> > 'no', but wouldn't it normally be advisable to enable that check?
>
> Replace "reject_non_fqdn_helo_hostname" with:
>
> main.cf:
> pcre = pcre:${config_directory}/
>
> # In the client, helo, sender or recipient restriction list
> smtpd_..._restrictions =
> ...
> check_helo_access ${pcre}non-fdqn-helo.pcre
> ...
>
> non-fdqn-helo.pcre:
> /^cp4435$/ DUNNO
> /^/ reject_non_fqdn_helo_hostname

Okay, very interesting. I hadn't realized I could add commands to files referenced in restrictions. But I still want to leave the reject_invalid_helo_hostname parameter?

I've now added the check_helo_access to smtpd_recipient_restrictions and smtpd_helo_restrictions, but do I really need smtpd_helo_restrictions if I'm also adding them to smtpd_recipient_restrictions?

Thanks so much for your help.
bypassing invalid helo
Hi,

I have what appears to be a machine-generated email that's sending with an invalid hostname and invalid helo hostname. In lieu of being able to have the sender fix their broken email, I'd like to add entries to bypass these checks for this specific host. I don't otherwise have a trust relationship with the sender.

Mar 7 13:25:36 armor postfix-113/smtpd[4009829]: NOQUEUE: reject: RCPT from unknown[173.213.231.144]: 504 5.5.2 : Helo command rejected: need fully-qualified hostname; from=<> to= proto=ESMTP helo=

smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access ${indexed}helo_checks
    check_helo_access pcre:$config_directory/helo_checks.pcre
    permit

I've already added an entry in helo_checks.pcre, but it still failed.

/etc/postfix-118/helo_checks.pcre
/cp4435/ OK

I've also tried adding helo_checks to my smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    #check_sender_access ${indexed}check_backscatterer,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/recipient_checks,
    permit

It also appears that smtpd_helo_required is still set to the default 'no', but wouldn't it normally be advisable to enable that check?

What am I missing?

Thanks,
Alex
Re: header_checks and regexes
Hi,

> > I believe there's a dot missing in the first one, as in '.(386' but
> > it's more than that, because I experimented with that too.
>
> No, it would have to be: \.(386|...)
> otherwise '.' just matches any character. Your RE pattern is sloppy
> in places, ... correct REs take some care.

Yes, that is what I meant. I believe there were problems with the regex that I fixed, but I was also using header_checks instead of mime_header_checks.

Just for completeness, here's what worked for me.

Given the following attachment:
--caef4405d964f4b8
Content-Type: text/html; charset="US-ASCII"; name="download.html"
Content-Disposition: attachment; filename="download.html"
Content-Transfer-Encoding: base64
Content-ID:
X-Attachment-Id: f_l0chj96g0

TWFpbGd1biBNYWduaWZpY2VudCBBUEk=
--caef4405d964f4b8--

$ postmap -c /etc/postfix -q 'Content-Disposition: attachment; filename="download.html"' pcre:/etc/postfix/mime_header_checks.pcre
REJECT ".html" file attachment types not allowed

mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
REJECT ".$3" file attachment types not allowed

Can I also ask a more general question? How are other people handling attachments such as those I've listed which really have no purpose these days but to spread malware?

The vast majority of HTML attachments we receive are not malicious, but just silently quarantining them was leading to too many support requests.

Thanks so much for your help.
Re: header_checks and regexes
Hi,

> > It's still not working, and I suspect the reason is that I somehow
> > screwed up when I pasted it. Can I ask you to take a look at the
> > attached?
>
> I don't see any rules below that would do that. There's a rule
> for "mhtml" files, and a rule for ".pdf.html" files, but I fail
> to see one for ".html".
>
> > /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
> > WARN ".$2" file attachment types not allowed
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?[^"]+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/
> > REJECT ".com" file attachment types not allowed
> > /^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/
> > REJECT jimsun1
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN jimsun1
> > /^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.pdf\.html\b/
> > REJECT pdf.html not allowed

Now I feel silly because I was experimenting with adding "html" to the first regex, but apparently left it out when I sent the email, but neither the .pdf.html nor the html in the first regex works and I just don't understand why.

I believe there's a dot missing in the first one, as in '.(386' but it's more than that, because I experimented with that too.

Thanks so much,
Alex
Re: header_checks and regexes
Hi Viktor,

> > Content-Type: text/html; charset="US-ASCII"; name="download.html"
> > Content-Disposition: attachment; filename="download.html"
> >
> > And this is the regex I currently have. Hopefully it wraps properly.
>
> > /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
> > REJECT ".$2" file attachment types not allowed
>
> The above regular expression is malformed, instead of:
>
> /...name="?.+?\(386|.../
>
> it should be:
>
> /...name="?.+?(386|.../
>
> It works as expected without the extraneous "\".

It's still not working, and I suspect the reason is that I somehow screwed up when I pasted it. Can I ask you to take a look at the attached?

> --
> Viktor.

/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ WARN ".$2" file attachment types not allowed
/^Content-(Disposition|Type):\s+.+?(file)?name="?[^"]+?\.com(\.\S{2,4})?(\?=)?"?(;|$)/ REJECT ".com" file attachment types not allowed
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/ REJECT jimsun1
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN jimsun1
/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.pdf\.html\b/ REJECT pdf.html not allowed
header_checks and regexes
Hi,

Many years ago I picked up a regex pattern that would reject different attachment types, but it no longer seems to match properly. Perhaps someone here can help me with the regex so I don't inadvertently start rejecting mail that I shouldn't?

This is what the string that I'd like to reject looks like now:

--17a7a105d9467429
Content-Type: text/html; charset="US-ASCII"; name="download.html"
Content-Disposition: attachment; filename="download.html"
Content-Transfer-Encoding: base64
Content-ID:
X-Attachment-Id: f_l0abi2410

TWFpbGd1biBNYWduaWZpY2VudCBBUEk=
--17a7a105d9467429--

And this is the regex I currently have. Hopefully it wraps properly.

/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/
REJECT ".$2" file attachment types not allowed

Thanks so much,
Alex
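The regexp-table questions in this archive (the malformed pattern in the post above, the working pattern in the "here's what worked for me" reply, the "/^From:.*\.lan>$/" header check in the mailer-daemon thread and the check_helo_access table suggested in the bypassing-invalid-helo thread) can all be exercised without a Postfix installation. What follows is an added example, not code from the thread or from Postfix: a Python stand-in for postmap -q that applies the same lookup rules Postfix uses for regexp:/pcre: tables. The From: header it tests is a constructed sample, since the real bounce's address is not in the post; the other inputs are the thread's own.

```python
"""Emulate 'postmap -q' lookups against Postfix regexp:/pcre: tables.

Added example, not code from the postfix-users thread or from Postfix.
It mimics how Postfix scans a regexp/pcre table: rules are tried in file
order, the first matching pattern wins, matching is unanchored and
case-insensitive unless the pattern says otherwise, and $N in the action
is replaced by the N-th capture group.  Python's re module accepts every
construct the thread's rules use, so the results mirror postmap's.
"""
import re

# The rule from the "here's what worked for me" post: a literal \. before
# the extension list, and the extension is capture group 3.
WORKING_RULE = (
    r'^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b',
    'REJECT ".$3" file attachment types not allowed',
)

# The rule from the original question: "\(386" escapes the opening
# parenthesis, so the ")" at the end of the extension list has no partner.
MALFORMED_RULE = (
    r'^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\(386|exe|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|html|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xlw|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b',
    'REJECT ".$2" file attachment types not allowed',
)

# The check_helo_access table from the bypassing-invalid-helo thread: one
# exact hostname is exempted, everything else falls through to the check.
HELO_RULES = [('^cp4435$', 'DUNNO'), ('^', 'reject_non_fqdn_helo_hostname')]

# The header_checks rule from the mailer-daemon thread.
FROM_RULES = [(r'^From:.*\.lan>$', 'REJECT Invalid domain')]


def compile_table(rules):
    """Compile (pattern, action) pairs; a bad pattern raises re.error."""
    return [(re.compile(pattern, re.IGNORECASE), action) for pattern, action in rules]


def table_compiles(rules):
    """True when every pattern in the table compiles."""
    try:
        compile_table(rules)
    except re.error:
        return False
    return True


def lookup(table, line):
    """Return the action of the first rule whose pattern matches `line`.

    Postfix feeds header_checks one logical header at a time (folded
    continuation lines are joined first), so `line` is a whole header.
    Unmatched optional groups substitute as the empty string.
    """
    for regex, action in table:
        match = regex.search(line)
        if match:
            return re.sub(r'\$(\d+)',
                          lambda ref: match.group(int(ref.group(1))) or '',
                          action)
    return None


def demo():
    """Run the thread's inputs through the tables (the From: line is constructed)."""
    mime = compile_table([WORKING_RULE])
    helo = compile_table(HELO_RULES)
    from_rule = compile_table(FROM_RULES)
    return {
        'malformed_compiles': table_compiles([MALFORMED_RULE]),
        'html_attachment': lookup(mime, 'Content-Disposition: attachment; filename="download.html"'),
        'html_content_type': lookup(mime, 'Content-Type: text/html; charset="US-ASCII"; name="download.html"'),
        'pdf_attachment': lookup(mime, 'Content-Disposition: attachment; filename="report.pdf"'),
        'helo_exempt': lookup(helo, 'cp4435'),
        'helo_other': lookup(helo, 'mail.example.com'),
        # constructed sample header; the real bounce's address is not on the page
        'bounce_from': lookup(from_rule, 'From: Mail Delivery System <postmaster@bounce.example.lan>'),
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

The malformed table fails to compile, which is what postmap reports for the original pattern; the working rule rejects "download.html" whether it arrives in Content-Disposition or Content-Type and leaves "report.pdf" alone; the HELO table returns DUNNO for the exempted name and the restriction name for any other.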
mailer-daemon/bounce messages tagged as spam
Hi,

I'm not sure if this is a postfix config problem or an amavis/SA problem. I have a multi-instance postfix config, and my mailer-daemon messages are being filtered by my amavisd/SA config, many of which are being quarantined as spam instead of being returned to the sender.

Of course it's possible a spammer could craft a message that appears to be a bounce/failure report, but isn't a characteristic that they have a null envelope sender? I don't think my postfix config would even allow this unless it was part of an actual bounce?

The messages are apparently being received on port 25 then being treated as regular messages instead of actual bounces. Shouldn't these undeliverable messages be determined before postfix finishes delivering the actual message?

Feb 24 09:45:07 xavier postfix-116/smtpd[842535]: connect from mail-qb1can01hn2020.outbound.protection.outlook.com[52.100.145.20]
Feb 24 09:45:08 xavier postfix-116/smtpd[842535]: 05D1E10002E4E: client=mail-qb1can01hn2020.outbound.protection.outlook.com[52.100.145.20]
Feb 24 09:45:08 xavier postfix-116/cleanup[839994]: 05D1E10002E4E: message-id=<71b19f68-beae-4f20-ba7d-6c8cd374...@yqbpr0101mb6167.canprd01.prod.outlook.com>
Feb 24 09:45:08 xavier postfix-116/qmgr[580062]: 05D1E10002E4E: from=<>, size=81447, nrcpt=2 (queue active)

I was going to include some of my config, but I really don't know what to include. I suspect it's related to my transport configs, but I think they are pretty much the defaults.

smtp_send_xforward_command = yes
relay_transport = $default_transport
local_transport = error:5.1.1 Mailbox unavailable
virtual_transport = $default_transport

Here's the master.cf config for amavisd:

127.0.0.1:10025 inet n - n - 16 smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8,209.216.00.0/24,209.216.99.153/29
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
    -o local_header_rewrite_clients=
SPF and policyd
Hi,

I'm using the SPF policyd service recommended here some time ago. I hoped I could ask some questions about how it works since it doesn't appear to have any other direct support avenues available.

I'm trying to understand the following log entry:

Feb 20 10:01:59 armor policyd-spf[2466782]: prepend X-Comment: SPF skipped for whitelisted relay domain - client-ip=168.245.99.219; helo=o25.sg.marketing.agoda.global; envelope-from=bounces+8548506-62a0-05448=hotel.example.com@marketing.agoda.global; receiver=

None of the IPs or domains listed above are in my local whitelist, but the IP is listed in the SPF record for marketing.agoda.global. Is that what it is referring to?

I tried tracing the code, but I'm not much of a python programmer. It appears to check the SPF record for the domain in the whitelist, not the sending domain. bypass_list_list is the whitelist entries in my config.

for domain in bypass_list_list:
    res = spf.check2(ip, domain, domain, querytime=configData.get('Whitelist_Lookup_Time'))
    if domain_res[0] == 'Pass':
        ...

and if it results in "Pass", then it returns True if the domain in the whitelist entry, not the sending domain?

Here's how I have it set up:

policy-spf unix - n n - - spawn user=nobody argv=/usr/libexec/postfix/policyd-spf

And the relevant info from my policyd-spf.conf:

skip_addresses = 139.138.56.0/24,127.0.0.0/8,209.216.90.0/24,:::127.0.0.0/104,::1,52.128.98.0/24,74.203.184.0/24,74.200.60.0/24,209.222.82.0/24
Domain_Whitelist = harrimanre.com,ventusnetworks.com,digi.com
Re: Multi-instance and outbound fails SPF
Hi,

> > This problem has apparently been all over the internet for years, so I
> > don't think it's an unintentional bug by Microsoft.
> > https://answers.microsoft.com/en-us/msoffice/forum/all/routing-to-exchange-online-results-in-spf-softfail/367e14ac-a3ce-46a2-8949-ffbc8f66edc7
>
> If you're the primary MX operator for your own domain, and forwarding to
> Microsoft for actual mailbox hosting, your forwarding arrangement to
> Microsoft should be via some dedicated authenticated (or at least IP-
> restricted) channel, where Microsoft does not apply any SPF or DKIM
> checks, they should trust your server as authorised to forward mail
> into your users' mailboxes.
>
> Just relaying externally originated content to their public port 25
> service is not a good idea.

Yes, I have set up a mail filter to bypass restrictions for my IPs, but after having read a bit more, I believe it's not possible to bypass SPF checks - it apparently is only a soft fail and not rejected. However, after reading your message, I disabled the mail filter, and it resulted in a soft fail anyway, effectively just accepting mail from my postfix server without any restrictions anyway. Obviously not best practice, so I'll continue to investigate.

> You're barking up the wrong tree... SPF is key of the envelope
> sender, which isn't your domain. The real problem is not failing
> SPF, it is sending to Microsoft in a manner that has them doing
> any SPF or DKIM checks at all.

Yes, makes sense. All indications are that a mail filter can be used to bypass the SPF checks, but I'm going to research further.

Would this be a use-case for SRS?

Thanks, as always.
Alex
Re: Multi-instance and outbound fails SPF
Hi,

> > I have a multi-instance postfix config and am trying to figure out why
> > Microsoft 365 is marking my email from the outbound instance as SPF
> > softfail.
>
> Because you're forwarding email received from an external domain,
> and it is *that* (envelope sender) domain's SPF records that count,
> not yours.

Oh yes, I also thought that may have been a possibility, thanks.

> > Authentication-Results: spf=softfail (sender IP is 209.222.90.109)
> > smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
> > header.d=gmail.com;dmarc=pass action=none
> > header.from=gmail.com;compauth=pass
> > reason=100
>
> Unless you're "google.com", or "google.com" lists your IPs in its SPF
> records, SPF is *supposed* to fail. This is why DKIM was invented, it
> survives simple verbatim forwarding.

So signing my message as it leaves my server is the right approach, or are you referring to Gmail signing the mail as it's sent from their server originally?

This problem has apparently been all over the internet for years, so I don't think it's an unintentional bug by Microsoft.

https://answers.microsoft.com/en-us/msoffice/forum/all/routing-to-exchange-online-results-in-spf-softfail/367e14ac-a3ce-46a2-8949-ffbc8f66edc7

It doesn't look like the EHLO from my server is recorded anywhere in the email headers, but it does hit on SPF_HELO_NONE from spamassassin, apparently from Gmail:

Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.208.49; helo=mail-ed1-f49.google.com; envelope-from=mysqlstud...@gmail.com; receiver=

Would $smtp_helo_name apply here? The postfix instance is processing mail for a number of domains, so if so, I'm unsure how I would set it other than the $myhostname default.

I've also added SPF records to each host to include itself ("v=spf1 a -all"). But is it even necessary, considering no mail actually originates on this server?
Multi-instance and outbound fails SPF
Hi,

I have a multi-instance postfix config and am trying to figure out why Microsoft 365 is marking my email from the outbound instance as SPF softfail.

I am trying to send mail from my gmail account to the multi-instance postfix system through to my Microsoft 365 account, where I've set up mail filters to accept mail from all postfix instances without blocking or filtering. All IPs involved are listed in the SPF record for the domain:

example.org.978 IN TXT "v=spf1 ip4:209.222.90.0/24 include:spf.protection.outlook.com -all"

There are two MX records set for this domain - relay1.example.com (209.222.90.118) and relay2.example.com (209.222.90.113). I believe the problem is that mail is leaving through the postfix-out instance (209.222.90.109), and although all IPs are listed in the SPF record, it appears Microsoft doesn't like that it's not being sent from the same IP as it was received?

I suppose my question is why is SPF failing when the sending IP is included in the SPF record? Should I be thinking about a postfix config change here, or is this inherent to SPF? I've also set up DKIM and it is correctly signing the outgoing message, it appears.

I believe this is the relevant info from the mail headers after it's received on my Microsoft 365 account:

Received: from MW2NAM12FT043.eop-nam12.prod.protection.outlook.com (2603:10b6:300:81:cafe::10) by MWHPR14CA0068.outlook.office365.com (2603:10b6:300:81::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4951.12 via Frontend Transport; Fri, 4 Feb 2022 18:18:44 +
Authentication-Results: spf=softfail (sender IP is 209.222.90.109) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning gmail.com discourages use of 209.222.90.109 as permitted sender)
Received: from armor.example.com (209.222.90.109) by MW2NAM12FT043.mail.protection.outlook.com (10.13.180.195) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4975.5 via Frontend Transport; Fri, 4 Feb 2022 18:18:43 +
Received: from localhost (localhost [127.0.0.1]) by armor.example.com (Postfix) with ESMTP id AAF593A448A; Fri, 4 Feb 2022 13:18:42 -0500 (EST)
Authentication-Results-Original: armor.example.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from iceman.example.com ([209.222.90.113]) by localhost (armor.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oQI7eXvdPtSt; Fri, 4 Feb 2022 13:18:39 -0500 (EST)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=209.85.218.50; helo=mail-ej1-f50.google.com; envelope-from=exam...@gmail.com; receiver=
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-ej1-f50.google.com (mail-ej1-f50.google.com [209.85.218.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by iceman.example.com (Postfix) with ESMTPS id D5356600025CF for ; Fri, 4 Feb 2022 13:18:39 -0500 (EST)
Received: by mail-ej1-f50.google.com with SMTP id j2so21487350ejk.6 for ; Fri, 04 Feb 2022 10:18:39 -0800 (PST)
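The replies in this thread make the point that the receiving side evaluates SPF against the envelope sender's domain, not the forwarder's. The following is an added example, not code from the thread or from any SPF library: a minimal evaluator for the ip4, ip6, include and all mechanisms that reads records from an in-memory table instead of DNS, and walks the hops visible in the headers above. The example.org record is the one quoted in the question; the spf.protection.outlook.com and gmail.com records are constructed stand-ins for this demonstration, not those domains' real published records.

```python
"""Why a forwarded message fails SPF at the next hop.

Added example, not code from the thread or from any SPF library.  It is a
minimal evaluator for the mechanisms the discussion needs (ip4, ip6,
include, all, with the +/-/~/? qualifiers) that reads SPF records from an
in-memory table instead of DNS.  The example.org record is the one quoted
in the question; the other two are constructed stand-ins.
"""
import ipaddress

RECORDS = {
    'example.org': 'v=spf1 ip4:209.222.90.0/24 include:spf.protection.outlook.com -all',
    'spf.protection.outlook.com': 'v=spf1 ip4:40.92.0.0/15 -all',  # constructed stand-in
    'gmail.com': 'v=spf1 ip4:209.85.128.0/17 ~all',               # constructed stand-in
}

QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate the SPF record of `domain` for connecting address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps the number of include hops
        return 'permerror'
    record = records.get(domain.lower())
    if record is None:
        return 'none'
    terms = record.split()
    if terms[0].lower() != 'v=spf1':
        return 'none'
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(':')
        name = name.lower()
        if name == 'all':
            return QUALIFIERS[qualifier]
        if name in ('ip4', 'ip6'):
            # A v6 address never falls inside a v4 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == 'include':
            # include matches only when the referenced domain's record passes;
            # any other result means "keep going" in this simplified model.
            if check_host(ip, arg, records, depth + 1) == 'pass':
                return QUALIFIERS[qualifier]
        else:
            return 'permerror'          # a, mx, exists, ... are not modelled here
    return 'neutral'                    # record exhausted without an "all"


def forwarding_scenario():
    """The hops seen in the question's headers.

    Gmail's outbound host delivers to iceman, where SPF is checked against
    gmail.com and passes.  armor (209.222.90.109) then forwards the same
    message to Microsoft 365, which checks the envelope sender's domain,
    still gmail.com, against armor's address.  The forwarder's own domain
    is never consulted, so listing 209.222.90.0/24 in example.org cannot
    change the outcome.
    """
    forwarder = '209.222.90.109'
    return {
        'gmail_hop_checked_by_iceman': check_host('209.85.218.50', 'gmail.com'),
        'forwarder_checked_against_gmail.com': check_host(forwarder, 'gmail.com'),
        'forwarder_checked_against_example.org': check_host(forwarder, 'example.org'),
    }


if __name__ == '__main__':
    for hop, result in forwarding_scenario().items():
        print(f'{hop}: {result}')
```

The last entry shows that the forwarder would pass if the envelope sender were in example.org, which is what rewriting the envelope sender (the SRS approach the thread asks about) achieves; without it, only a DKIM signature from the originating domain survives the forwarding hop.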
Transport based on domain?
Hi,

I have postfix-3.5.10 configured as a multi-instance along with amavisd for spam filtering. Amavis is limited in its ability to create different filtering policies for individual domains, so I wanted to be able to have amavisd run on one port for one domain and another port for another domain.

Is it possible to somehow use the default_transport on some type of per-domain basis? Currently I have it configured like:

default_transport = smtp:[127.0.0.1]:10024

The thinking would be to send mail for domain1 to 10024, mail for domain2 to 10025, etc.

Perhaps a better approach would be to use transport_maps? Maybe something like:

/etc/postfix-117/transport
domain1 relay:[127.0.0.1]:10024
domain2 relay:[127.0.0.1]:10025

Ideas/direction would be greatly appreciated.

btw, off-topic, but is anyone using fuglu in place of amavisd, which seems kind of dead now?

Thanks,
Alex
Relaying using certificate authentication?
Hi,

I have a postfix-3.5.10 server on fedora35 and would like to experiment with relaying outbound mail from my Microsoft 365 test server through my postfix server to the recipient's final destination using certificates as a way to authenticate the sending Microsoft 365 server. Is this possible?

My postfix server is configured to receive mail for my domain (example.com), then forward the mail after having processed it through amavis, through to Microsoft 365 using inbound Connector. I have also built an outbound Connector in Microsoft 365 that routes all outbound mail for my domain to my postfix server so it can be scanned there before being delivered.

Inbound mail works fine - my MX record is set to the postfix server, which accepts the mail and sends it through to my Microsoft 365 instance. I can also successfully send outbound mail through this Connector from my Microsoft 365 system to my postfix server, but mail not delivered to the local server is rejected because the Microsoft 365 server is not authorized to relay mail for my domain:

Jan 22 12:03:52 xavier postfix-117/smtpd[2918841]: NOQUEUE: reject: RCPT from mail-dm3nam07lp2040.outbound.protection.outlook.com[104.47.56.40]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

I would like to set up a digital certificate that's used as a way to authenticate the Microsoft 365 client server connecting to the postfix server in order for it to be able to relay mail to mail servers on the Internet. I recall reading about that many years ago, but I haven't been able to find anything that isn't related to using Microsoft 365 as the relay, or that is using SASL to relay mail TO Microsoft 365, not FROM it.

Thanks,
Alex
Re: Routing Gmail/Workspace mail through postfix first
Hi,

> > I'm using postfix-3.5.10 and would like to use it to front-end a
> > domain currently being managed by Google Workspace to be able to send
> > mail through our filters first.
>
> I take it this means *inbound* mail sent from outside users to your
> users, whose mailboxes are ultimately hosted by Gmail, but you want
> to process the mail on your MX hosts first.

Yes, that's it exactly, and I've also thought about the points you've raised about spam/SPF/DKIM/forwarding. I was hoping there was an interface for managing this within Google Workspace. I was envisioning some type of API being involved that provides that layer of authentication?
Routing Gmail/Workspace mail through postfix first
Hi,

I'm using postfix-3.5.10 and would like to use it to front-end a domain currently being managed by Google Workspace to be able to send mail through our filters first. I know I'll need to redirect the MX, but how do I obtain a user list so I'm not just forwarding all email received for the domain through as a relay, and instead only to those users with current accounts?

In the past, I believe it was using LDAP, but perhaps that's changed now? All references I currently see are using SASL and require the username/password combination of the user accounts.

Any guidance on how best to do this would be appreciated.

Thanks,
Alex
Re: TLS ciphers
Hi,

> > I have a postfix-3.5.10 system and am having a little trouble configuring
> > it to ensure I'm not including any vulnerable ciphers. I had
> > previously posted about this issue in September, and thought I
> > followed the instructions I was given, but a recent security scan
> > (onsecurity) shows port 25 is still vulnerable to the SWEET32 attack.
>
> But it actually isn't. Sweet32 can only be used against very long-lived
> TLS sessions using obsolete ciphers. You have to do some hacking on
> OpenSSL code to get it to support a vulnerable cipher in recent
> versions.
>
> Fire that vendor, they lie to you.

I later learned they basically just ran testssl.sh against port 25 and reported back. It's apparently a one-size-fits-all approach. It's either "secure" or it's not.

> > Here are my current settings:
> > # postconf -n -c /etc/postfix-117|grep -E 'tls|cipher'
> > smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> > smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> > smtp_tls_security_level = may
>
> This means that you will use plaintext for sending to many sites, rather
> than falling back to the almost universally supported TLSv1.0 on sites
> that can't do 1.2 or 1.3.
>
> The vulnerabilities I am aware of that justify sticking to v1.2/3 in
> web, IMAP, and database servers are not viable against SMTP because of
> the brief, non-repetitive, and largely unpredictable nature of the TLS
> sessions used by SMTP.

Would you explain what specifically about the above that's removed any ability for clients to build an encrypted connection and require cleartext? Is it the exclusion of the use of any TLS version above 1.2?

Maybe the part I'm not understanding is whether it's possible to somehow compromise the server if we offer older versions of TLS? What is my exposure for allowing older versions of TLS?

> Very few people have the cryptography chops to usefully evaluate an
> extensive list of specific ciphers for maximal safety. 99.9% of such
> lists that you will find published are cargo-cult artifacts at some
> point, if only when you read the list from RH and drop it in to Postfix
> without deep analysis. If you're going to be like almost everyone and
> trust a third party to do such deep analysis, you have to choose your
> trusted authorities carefully. Trusting the Postfix developers (and
> perhaps the official packagers for your platform) is at least as safe as
> pulling a list from a RH page, and you get the bonus of your cipherlists
> being maintained by SOMEONE ELSE as long as you keep updating
> diligently.

Yes, which is exactly why I'm coming here, asking questions, and trying to understand, instead of just blindly implementing something from the interwebs.

Just to be clear, here's my current config:

smtpd_tls_security_level = may
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION

Is excluding SSL and TLS for smtpd_tls_protocols above the same as stipulating >=TLSv1.2 with smtpd_tls_mandatory_protocols?

Thanks,
Alex
Re: TLS ciphers
Hi, here is some follow-up info I received that provides more details on what the vulnerability scan is reporting:

Testing cipher categories
NULL ciphers (no encryption)                      not offered (OK)
Anonymous NULL Ciphers (no authentication)        offered (NOT ok)
Export ciphers (w/o ADH+NULL)                     not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      not offered (OK)
Triple DES Ciphers / IDEA                         not offered
Obsoleted CBC ciphers (AES, ARIA etc.)            offered
Strong encryption (AEAD ciphers) with no FS       offered (OK)
Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

Example NMAP Output of Anonymous Cipher Suites

Nmap scan report for 209.XX.XX.117
25/tcp open smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     TLS_DH_anon_WITH_AES_256_GCM_SHA384 (dh 2048) - F
|     TLS_DH_anon_WITH_AES_256_CBC_SHA256 (dh 2048) - F
|     TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 (dh 2048) - F
|     TLS_ECDH_anon_WITH_AES_256_CBC_SHA (ecdh_x25519) - F
|     TLS_DH_anon_WITH_AES_256_CBC_SHA (dh 2048) - F
|     TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - F
|     TLS_DH_anon_WITH_AES_128_GCM_SHA256 (dh 2048) - F
|     TLS_DH_anon_WITH_AES_128_CBC_SHA256 (dh 2048) - F
|     TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 (dh 2048) - F
|     TLS_ECDH_anon_WITH_AES_128_CBC_SHA (ecdh_x25519) - F
|     TLS_DH_anon_WITH_AES_128_CBC_SHA (dh 2048) - F
|     TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - F

This is a LetsEncrypt cert - do I need to make changes there, or is this all done with postfix configs? And what nmap command can be run to probe port 25 for its cipher suite?

Thanks,
Alex

On Mon, Jan 10, 2022 at 11:08 AM Alex wrote:
>
> Hi,
>
> I have a postfix-3.5.10 system and am having a little trouble configuring
> it to ensure I'm not including any vulnerable ciphers. I had
> previously posted about this issue in September, and thought I
> followed the instructions I was given, but a recent security scan
> (onsecurity) shows port 25 is still vulnerable to the SWEET32 attack.
>
> For reference to the previous discussion:
> https://www.mail-archive.com/postfix-users@postfix.org/msg92857.html
>
> This system is just a general smtp/submission/pop/imap box with no
> mandatory crypto/certificate requirements. We also don't need to
> maintain compatibility with legacy systems.
>
> Here are my current settings:
> # postconf -n -c /etc/postfix-117|grep -E 'tls|cipher'
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_security_level = may
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
> smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED
> smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> btree:${data_directory}/smtpd_tls_session_cache
> tls_preempt_cipherlist = yes
> tls_random_source = dev:/dev/urandom
> tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
>
> What am I missing? Is this redhat.com article accurate?
> https://access.redhat.com/articles/1468593
>
> I believe I was told that trying to explicitly define the cipher list
> was a bad idea.
>
> Thanks,
> Alex
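The scanner finding above and the later config in this thread differ in exactly one exclusion keyword. The following is an added example, not code from the list or from Postfix, that parses an nmap `ssl-enum-ciphers` report of the shape quoted above and a `postconf -n` excerpt, and reports which `smtpd_tls_exclude_ciphers` keywords would be needed to remove the suite families the scan reported. The scan text, the address and the non-anonymous suites in it are constructed; the two exclusion lists are the ones quoted in the thread (the second one adds `aNULL`).

```python
import re

# Constructed sample in the shape of the nmap ssl-enum-ciphers output quoted
# in the thread (an excerpt; address and non-anonymous suites are made up).
SAMPLE_NMAP = """\
Nmap scan report for 203.0.113.117
25/tcp open smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     TLS_DH_anon_WITH_AES_256_GCM_SHA384 (dh 2048) - F
|     TLS_ECDH_anon_WITH_AES_128_CBC_SHA (ecdh_x25519) - F
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
"""

# Constructed "postconf -n" excerpts: the exclusion list from the first post,
# and the one from the later reply that adds aNULL.
POSTCONF_BEFORE = "smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED\n"
POSTCONF_AFTER = "smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL\n"

# One nmap suite line: "|     TLS_... (kex) - GRADE"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Za-z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Substring of the IANA suite name -> OpenSSL cipherlist keyword that
# smtpd_tls_exclude_ciphers accepts to remove that whole family.
SUITE_TOKEN_TO_KEYWORD = [
    ("_anon_", "aNULL"),
    ("_WITH_NULL_", "eNULL"),
    ("_3DES_", "3DES"),
    ("_RC4_", "RC4"),
    ("_IDEA_", "IDEA"),
    ("_SEED_", "SEED"),
    ("_MD5", "MD5"),
]


def parse_nmap_suites(text):
    """Return [(suite, key_exchange, grade)] for every suite line nmap printed."""
    return [m.groups() for m in (SUITE_RE.match(l) for l in text.splitlines()) if m]


def keywords_needed(suites):
    """Exclusion keywords that would remove the weak families nmap reported."""
    needed = set()
    for suite, _kex, _grade in suites:
        for token, keyword in SUITE_TOKEN_TO_KEYWORD:
            if token in suite:
                needed.add(keyword)
    return needed


def parse_postconf(text):
    """Turn 'name = value' lines into a dict (single-line values only)."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def configured_exclusions(conf):
    """smtpd_tls_exclude_ciphers tokens as a set (comma and/or space separated)."""
    raw = conf.get("smtpd_tls_exclude_ciphers", "")
    return {tok for tok in re.split(r"[,\s]+", raw) if tok}


def missing_exclusions(nmap_text, postconf_text):
    """Sorted keywords the scan says are offered but the config does not exclude."""
    needed = keywords_needed(parse_nmap_suites(nmap_text))
    have = configured_exclusions(parse_postconf(postconf_text))
    return sorted(needed - have)


if __name__ == "__main__":
    print("missing before:", missing_exclusions(SAMPLE_NMAP, POSTCONF_BEFORE))
    print("missing after: ", missing_exclusions(SAMPLE_NMAP, POSTCONF_AFTER))
```

Run against your own server, the report comes from `nmap --script ssl-enum-ciphers -p 25 <your-mx>`, which is the script whose output is quoted above. Two caveats worth keeping in mind: the mapping only covers families that have a single OpenSSL keyword (there is no keyword for "CBC", so the scanner's "obsoleted CBC ciphers" line cannot be cleared this way), and Postfix's TLS_README treats anonymous (`aNULL`) suites as acceptable for opportunistic TLS on port 25, since neither side authenticates the other in that mode. Adding `aNULL` to `smtpd_tls_exclude_ciphers`, as the later config in this thread does, satisfies the scanner at essentially no cost, but it is a compliance change rather than a fix for a weakness.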
TLS ciphers
Hi, I have a postfix-3.5.10 system and am having a little trouble configuring it to ensure I'm not including any vulnerable ciphers. I had previously posted about this issue in September, and thought I followed the instructions I was given, but a recent security scan (onsecurity) shows port 25 is still vulnerable to the SWEET32 attack.

For reference to the previous discussion:
https://www.mail-archive.com/postfix-users@postfix.org/msg92857.html

This system is just a general smtp/submission/pop/imap box with no mandatory crypto/certificate requirements. We also don't need to maintain compatibility with legacy systems.

Here are my current settings:

# postconf -n -c /etc/postfix-117|grep -E 'tls|cipher'
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION

What am I missing? Is this redhat.com article accurate?
https://access.redhat.com/articles/1468593

I believe I was told that trying to explicitly define the cipher list was a bad idea.

Thanks,
Alex
Re: Mail system is down
On 04.01.2022 at 16:25, Wietse Venema wrote:
> Alex JOST:
>> On 04.01.2022 at 02:02, Ken Wright wrote:
>>> $ sudo chmod g+s /usr/sbin/postdrop
>>> $ ls -la /usr/sbin/postdrop
>>> -r-xr-sr-x 1 postfix postdrop 22808 Sep 7 02:58 /usr/sbin/postdrop
>>>
>>> Wietse, is this what's expected?
>>
>> AFAICT you are lacking write permission for the user.
>
> This program must NOT be writable by users.

On my Fedora system the file is owned by root.

grep postdrop /etc/postfix/postfix-files
$command_directory/postdrop:f:root:$setgid_group:2755:u

I just downloaded the postfix package for Ubuntu 20.04 and it's the same.

--
Alex JOST
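The postfix-files line quoted above is a machine-readable statement of what the installed binary should look like (path, type, owner, group, octal mode, flags), and the `ls` listing earlier in the thread deviates from it in its owner. The following is an added example, not code from the list or from Postfix, that parses such an entry and compares it with observed ownership and mode, reporting every deviation; the variable values for `$command_directory` and `$setgid_group` are assumed here and would come from `postconf` on a real host.

```python
import grp
import os
import pwd
import stat

# Constructed values for the two template variables the quoted postfix-files
# entry uses; on a real host take them from "postconf command_directory setgid_group".
TEMPLATE_VARS = {"$command_directory": "/usr/sbin", "$setgid_group": "postdrop"}

# The postfix-files entry quoted in the thread: path:type:owner:group:mode:flags
POSTDROP_SPEC = "$command_directory/postdrop:f:root:$setgid_group:2755:u"


def parse_spec(line, variables=TEMPLATE_VARS):
    """Split a postfix-files line into (path, type, owner, group, mode, flags)."""
    path, ftype, owner, group, mode, flags = line.split(":")
    for var, value in variables.items():
        path = path.replace(var, value)
        owner = owner.replace(var, value)
        group = group.replace(var, value)
    return path, ftype, owner, group, int(mode, 8), flags


def mode_from_ls(perm):
    """'-r-xr-sr-x' -> 0o2555: decode an ls -l permission string, including the
    setuid/setgid/sticky letters (s/S/t/T) in the execute positions."""
    special = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
    mode = 0
    for i, triplet in enumerate((perm[1:4], perm[4:7], perm[7:10])):
        bits = (4 if triplet[0] == "r" else 0) | (2 if triplet[1] == "w" else 0)
        if triplet[2] in "xst":
            bits |= 1
        if triplet[2] in "sStT":
            mode |= special[i]
        mode |= bits << (3 * (2 - i))
    return mode


def audit(spec_line, actual_owner, actual_group, actual_mode):
    """Compare observed owner/group/mode with the spec; return a list of findings
    (empty when the file is as the package intends)."""
    path, _ftype, owner, group, mode, _flags = parse_spec(spec_line)
    findings = []
    if actual_owner != owner:
        findings.append(f"{path}: owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        findings.append(f"{path}: group is {actual_group}, expected {group}")
    perm = stat.S_IMODE(actual_mode)
    if perm != mode:
        findings.append(f"{path}: mode is {perm:04o}, expected {mode:04o}")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: set-gid program is group- or world-writable")
    return findings


def audit_installed(spec_line):
    """Audit the file actually installed on this host (needs the file to exist)."""
    path = parse_spec(spec_line)[0]
    st = os.stat(path)
    return audit(spec_line, pwd.getpwuid(st.st_uid).pw_name,
                 grp.getgrgid(st.st_gid).gr_name, st.st_mode)


if __name__ == "__main__":
    # The listing from the thread: owner "postfix", mode -r-xr-sr-x
    for finding in audit(POSTDROP_SPEC, "postfix", "postdrop", mode_from_ls("-r-xr-sr-x")):
        print(finding)
```

The owner finding is the one that matters for the point Wietse makes: a set-gid program owned by the unprivileged `postfix` account can be replaced or re-permissioned by that account, so the spec demands root ownership, and `postfix set-permissions` (which reads the same postfix-files data) restores it.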
Re: Mail system is down
On 04.01.2022 at 02:02, Ken Wright wrote:
> $ sudo chmod g+s /usr/sbin/postdrop
> $ ls -la /usr/sbin/postdrop
> -r-xr-sr-x 1 postfix postdrop 22808 Sep 7 02:58 /usr/sbin/postdrop
>
> Wietse, is this what's expected?

AFAICT you are lacking write permission for the user.

--
Alex JOST
Re: virtual mailbox domains??
On 07.12.2021 at 16:25, post...@aecperformance.com wrote:
> Sorry I sent this from the wrong email address.
>
> VPS Ubuntu 20.04 postfix 3.4.13 and dovecot 2.3.7.2
>
> I'm making progress but still not there. Any help would be greatly appreciated.
>
> I'm getting the errors:
>
> warning: SASL: Connect to private/auth failed: Connection refused
> fatal: no SASL authentication mechanisms
>
> I have a param in main.cf:
> smtpd_sasl_path = private/auth
>
> I do not have a folder /etc/postfix/private/auth
> I do have a folder /etc/postfix/auth but nothing is in it.
>
> How can I fix this error?

Did you install the 'libsasl2-modules' package?
What's the output of 'postconf -A'?

--
Alex JOST
Re: tlsmgr timeout
Hi,

> >> smtpd_tls_session_cache_database
> >
> > This is defined to the default for all instances:
> > smtpd_tls_session_cache_database =
> > btree:/var/lib/postfix/smtpd_tls_session_cache
>
> That's wrong. The session cache needs to be:
>
>     smtpd_tls_session_cache_database =
>         ${data_directory}/smtpd_tls_session_cache
>
> with (enforced by postmulti) distinct values of `data_directory`
> for each instance. Only the default instance gets to scribble
> in "/var/lib/postfix".

Ah yes, of course. Thank you.
best TLS crypto settings?
Hi, I recently ran testssl.sh (https://github.com/drwetter/testssl.sh) on my mail server, and it's still showing TLS 1 and 1.1 being offered, as well as DES:

Testing protocols via sockets
SSLv2      not offered (OK)
SSLv3      not offered (OK)
TLS 1      offered (deprecated)
TLS 1.1    offered (deprecated)
TLS 1.2    offered (OK)
TLS 1.3    offered (OK): final

Testing cipher categories
NULL ciphers (no encryption)                      not offered (OK)
Anonymous NULL Ciphers (no authentication)        not offered (OK)
Export ciphers (w/o ADH+NULL)                     not offered (OK)
LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      offered (NOT ok)
Triple DES Ciphers / IDEA                         offered
Obsoleted CBC ciphers (AES, ARIA etc.)            offered
Strong encryption (AEAD ciphers) with no FS       offered (OK)
Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

Testing server's cipher preferences
Has server cipher order?   no (NOT ok)
Negotiated protocol        TLSv1.3
Negotiated cipher          TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) (limited sense as client will pick)

What are the proper crypto settings for the safest configuration? Here's what I currently have:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_loglevel = 1
smtp_tls_exclude_ciphers = 3DES
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
Re: tlsmgr timeout
Hi,

> > Can someone help me troubleshoot why I'm periodically receiving these
> > messages? It results in postfix no longer responding to connections
> > altogether.
> >
> > Sep 21 19:18:41 xavier postfix-116/smtpd[2485484]: warning: problem
> > talking to server private/tlsmgr: Connection timed out
> > Sep 21 19:25:38 xavier postfix-117/smtpd[2491054]: warning: problem
> > talking to server private/tlsmgr: Connection timed out
>
> What databases if any are you using for TLS session caches? Are any
> of the instances inadvertently sharing their TLS session cache
> databases?

Yes, that's probably what's happening.

> smtp_tls_session_cache_database

This is undefined for all instances.

> smtpd_tls_session_cache_database

This is defined to the default for all instances:
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache

> Also, what is the configured random source, and what OS?
>
> tls_random_source

This is fedora34:
tls_random_source = dev:/dev/urandom

Thanks,
Alex
Re: logging directly to database?
Hi,

> Why you shouldn't log into db
>
> https://medium.com/@marton.waszlavik/why-you-shouldnt-log-into-db-e700c2cb0c8c
>
> I'm not suggesting that this person is correct, just
> mentioning it. After all, there are many successful
> companies with products that put staggering quantities
> of log data into some kind of database for operational
> analysis. They can't all be wrong, but they won't be
> using SQL databases.

Yes, great point. Is something like mongodb better suited for doing these things?

> Rsyslog is probably fine. I'm not aware of any web
> front-end, but I doubt that one is really needed.
> If your database is ready, it's probably just a
> matter of adding a few lines to its configuration file.
>
> If you are referring to a web front-end for examining
> the logs in the SQL database, you might want to rethink
> that and investigate the ELK Stack instead
> (Elasticsearch, Logstash, Kibana). It'll be overkill,
> but well worth learning, as it will be useful for all
> manner of log analysis needs.

I meant a web front-end for querying historical data based on subject or sender or "all emails sent between these dates" or "today's rejected email to Joe" to see if an email he was expecting was instead rejected.

Thanks,
Alex
Re: logging directly to database?
Hi,

> > I'm interested in having postfix log directly to a mariadb or mongodb
> > database so I can then query it for different info like sender,
> > recipient and subject, etc. Does anyone know the best way to go about
> > doing this?
>
> I don't know if this is the best way, but one option is to send all mail
> logs from rsyslog to a custom script, have that script parse the log
> line and save it to your database.
>
> postfix -> rsyslog -> script -> sql
>
> For Redhat flavor OS:
> /etc/rsyslog.d/custom.conf:
> mail.* ^/etc/rsyslog.d/your_script_that_saves_to_sql

Yes, thanks. I realize I can do that - it's the "your_script_that_saves_to_sql" part that would be very helpful :-)

There's also great difficulty with correlating log lines from postscreen, smtpd, local, etc, and tracing all of the processes from the initial CONNECT through to the eventual delivery.

Thanks,
Alex
logging directly to database?
Hi, I'm interested in having postfix log directly to a mariadb or mongodb database so I can then query it for different info like sender, recipient and subject, etc. Does anyone know the best way to go about doing this? Any particular reason output to sql hasn't been implemented in postfix already? I see there are several github projects available, but many haven't been updated in many years. Any guidance on the best implementation, pros/cons, and perhaps even an existing web front-end to do this would be greatly appreciated. Thanks, Alex
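The "script" stage of the postfix -> rsyslog -> script -> sql pipeline suggested in this thread, and the correlation problem raised in the reply (tracing one message across postscreen, smtpd, cleanup, qmgr and smtp lines), both come down to keying on the queue ID and on the "queued as" hand-off. The following is an added example, not code from the list or from Postfix, that parses syslog-format Postfix lines into an SQLite database (chosen so it runs offline; the mariadb or mongodb variant differs only in the insert statements) and answers the "today's rejected email to Joe" query from the thread. All log lines, hosts, addresses and queue IDs are constructed.

```python
import re
import sqlite3

# Constructed Postfix log lines in syslog format: one message accepted on the
# input instance and handed to the content filter, then one recipient rejected.
# Hostnames, addresses, IPs and queue IDs are made up.
SAMPLE_LOG = """\
Sep 21 19:18:40 xavier postfix-117/postscreen[2485001]: CONNECT from [203.0.113.5]:41302 to [198.51.100.117]:25
Sep 21 19:18:40 xavier postfix-117/postscreen[2485001]: PASS OLD [203.0.113.5]:41302
Sep 21 19:18:41 xavier postfix-117/smtpd[2485484]: connect from mail.example.net[203.0.113.5]
Sep 21 19:18:41 xavier postfix-117/smtpd[2485484]: 4B3C2D1E0F: client=mail.example.net[203.0.113.5]
Sep 21 19:18:41 xavier postfix-117/cleanup[2485490]: 4B3C2D1E0F: message-id=<abc123@example.net>
Sep 21 19:18:41 xavier postfix-117/qmgr[2485100]: 4B3C2D1E0F: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Sep 21 19:18:42 xavier postfix-117/smtp[2485495]: 4B3C2D1E0F: to=<joe@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.7, delays=0.3/0.01/0.02/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C4D5E)
Sep 21 19:18:42 xavier postfix-117/qmgr[2485100]: 4B3C2D1E0F: removed
Sep 21 19:18:42 xavier postfix-117/smtpd[2485484]: disconnect from mail.example.net[203.0.113.5]
Sep 21 19:20:03 xavier postfix-117/smtpd[2485484]: NOQUEUE: reject: RCPT from bad.example.org[203.0.113.9]: 554 5.7.1 <joe@example.com>: Relay access denied; from=<x@evil.example> to=<joe@example.com> proto=ESMTP helo=<bad.example.org>
"""

# "Mon DD HH:MM:SS host instance/program[pid]: [QUEUEID: ]message"
# (short-format queue IDs; long-format IDs would need a mixed-case pattern)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<instance>postfix(?:-\w+)?)/(?P<program>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<qid>[0-9A-F]{8,12}|NOQUEUE): )?(?P<msg>.*)$"
)
# key=<value> or key=value pairs as Postfix logs them
KV_RE = re.compile(r"([\w-]+)=<([^>]*)>|([\w-]+)=([^,\s]+)")

SCHEMA = """
CREATE TABLE events (ts TEXT, host TEXT, instance TEXT, program TEXT,
                     pid INTEGER, queue_id TEXT, msg TEXT);
CREATE TABLE messages (queue_id TEXT PRIMARY KEY, client TEXT,
                       message_id TEXT, sender TEXT);
CREATE TABLE deliveries (queue_id TEXT, recipient TEXT, relay TEXT,
                         status TEXT, next_queue_id TEXT);
CREATE TABLE rejects (ts TEXT, client TEXT, sender TEXT, recipient TEXT, reason TEXT);
"""
# log key -> messages column; only these fixed names are ever interpolated into SQL
MESSAGE_COLUMNS = {"client": "client", "message-id": "message_id", "from": "sender"}


def parse_kv(msg):
    return {m.group(1) or m.group(3): m.group(2) if m.group(1) else m.group(4)
            for m in KV_RE.finditer(msg)}


def load(conn, lines):
    """Record every line in events and fold per-queue-ID facts into messages and
    deliveries; rejects never get a queue ID, so they are stored by time."""
    cur = conn.cursor()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        cur.execute("INSERT INTO events VALUES (?,?,?,?,?,?,?)",
                    (d["ts"], d["host"], d["instance"], d["program"],
                     int(d["pid"]), d["qid"], d["msg"]))
        qid, msg, kv = d["qid"], d["msg"], parse_kv(d["msg"])
        if qid == "NOQUEUE" and msg.startswith("reject:"):
            client = re.search(r"from (\S+?): ", msg)
            reason = msg.split(": ", 2)[2].split(";")[0]
            cur.execute("INSERT INTO rejects VALUES (?,?,?,?,?)",
                        (d["ts"], client.group(1) if client else None,
                         kv.get("from"), kv.get("to"), reason))
        elif qid:
            for key, column in MESSAGE_COLUMNS.items():
                if key in kv:
                    cur.execute("INSERT OR IGNORE INTO messages(queue_id) VALUES (?)", (qid,))
                    cur.execute(f"UPDATE messages SET {column}=? WHERE queue_id=?", (kv[key], qid))
            if "to" in kv and "status" in kv:
                # "queued as X" is the queue ID on the next hop (content filter or
                # downstream instance); it is the link for cross-instance tracing
                nxt = re.search(r"queued as (\w+)", msg)
                cur.execute("INSERT INTO deliveries VALUES (?,?,?,?,?)",
                            (qid, kv["to"], kv.get("relay"), kv["status"],
                             nxt.group(1) if nxt else None))
    conn.commit()


def build(log_text):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load(conn, log_text.splitlines())
    return conn


def trace(conn, queue_id):
    """All events for one queue ID in log order."""
    return conn.execute("SELECT program, msg FROM events WHERE queue_id=? ORDER BY rowid",
                        (queue_id,)).fetchall()


def rejects_to(conn, recipient):
    """The 'today's rejected email to Joe' query from the thread."""
    return conn.execute("SELECT ts, client, sender, reason FROM rejects WHERE recipient=?",
                        (recipient,)).fetchall()
```

Two things a production version has to add: queue IDs are reused over time, so the key must be (instance, queue ID, first-seen time) rather than the queue ID alone, and Subject is not in the log at all unless a `header_checks` rule with a WARN action writes it there, so "search by subject" needs either that rule or a separate source (the content filter's log, for instance).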
tlsmgr timeout
Hi,

Can someone help me troubleshoot why I'm periodically receiving these messages? It results in postfix no longer responding to connections altogether.

Sep 21 19:18:41 xavier postfix-116/smtpd[2485484]: warning: problem talking to server private/tlsmgr: Connection timed out
Sep 21 19:25:38 xavier postfix-117/smtpd[2491054]: warning: problem talking to server private/tlsmgr: Connection timed out

This is from a multi-instance postfix implementation. It does appear to occur on multiple instances. This is also a very infrequent occurrence, but I have no idea what happens leading up to it or what causes it.

I have the following in master.cf for both instances:

tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Ideas greatly appreciated.

Thanks,
Alex
SPF guidance
Hi,

I've set up postfix to use policyd-spf using python-policyd-spf and have some questions. Hopefully this isn't off-topic, as my search returns results from only many years ago. Is this still the best SPF policy service for postfix integration on Linux?

smtpd_recipient_restrictions =
    ...
    check_sender_access pcre:$config_directory/sender_checks.pcre,
    check_policy_service unix:private/policy-spf,

My problem is with allowing mail from domains using servers not listed in the domain's SPF record. I would like to allow mail from domain1 being processed by secureserver.net to bypass SPF restrictions for mydomain.com.

Jun 21 15:14:52 xavier postfix-117/smtpd[1636578]: NOQUEUE: reject: RCPT from p3plsmtpa06-06.prod.phx3.secureserver.net[173.201.192.107]: 550 5.7.23 : Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=pharri...@domain1.com;ip=173.201.192.107;r=; from= to= proto=ESMTP helo=

Perhaps I add a check_sender_access check above the policy check, and bypass the policyd altogether? The problem I have is how to allow domain1.com, and obviously not secureserver.net.

Also, any idea on a replacement for the incredibly helpful openspf.net/Why service from some years ago?

I've tried the following, but I believe it is operating on the connecting server level, not the client domain level.

# grep -Ev '^$|^#' policyd-spf.conf
debugLevel = 1
TestOnly = 1
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,209.216.99.0/24,:::127.0.0.0/104,::1
Domain_Whitelist = domain1.com
Reject_Not_Pass_Domains = domain1.com
body checks per domain?
Hi,

Is it possible to implement body checks and header checks on a per-domain basis? I'd like to reject mail from domain1.com for one domain while allowing it to another. Currently I have the following:

header_checks = regexp:$config_directory/header_checks pcre:$config_directory/header_checks.pcre
body_checks = regexp:$config_directory/body_checks regexp:$config_directory/body_checks.pcre
relay_domains = $mydestination, example1.com, example2.com

Perhaps it's something that can be done with the regexp itself?
Re: zendesk and relay denied
Hi,

> > > This was rejected by "reject_unauth_destination".
> >
> > Thank you so much. I had included my smtpd_recipient_restrictions
> > earlier in this thread, but should have been more complete. This is
> > the multi-instance postfix you helped me configure some time ago. Mail
> > is first processed by this postfix-117 instance, sent to amavisd, then
> > forwarded to postfix-out where it's sent to the recipient.
>
> One would expect to find anti-relay policies only at the input stage,
> with the downstream output instance(s) accepting all mail sent by the
> upstream instance(s).
>
> Is the below the configuration of the input or output instance?

This is from the input instance.

> > mydestination =
> > relay_domains = $mydestination, example.com, nnnhelp.zendesk.com
>
> Addresses in "relay_domains" would typically be accepted. Is
> "nnnhelp.zendesk.com" verbatim the domain that's getting refused?

I'm sorry for all the obfuscation. Here is the real info:

May 12 23:01:18 xavier postfix-117/smtpd[3481869]: NOQUEUE: reject: RCPT from mail-mw2nam10lp2104.outbound.protection.outlook.com[104.47.55.104]: 554 5.7.1 : Relay access denied; from=<> to= proto=ESMTP helo=

I believe I solved this part by adding smartmlshelp.zendesk.com to relay_domains.

We've created an outbound O365 connector to route outbound mail through our servers before being delivered to their final destination - I believe this is effectively relaying mail from outbound.protection.outlook.com:

May 12 23:04:00 xavier postfix-117/smtpd[3482092]: NOQUEUE: reject: RCPT from mail-mw2nam12lp2048.outbound.protection.outlook.com[104.47.66.48]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

This outbound connector process is described here (option 3):
https://docs.microsoft.com/en-us/Exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365

> > smtpd_recipient_restrictions =
> > reject_non_fqdn_recipient,
> > reject_non_fqdn_sender,
> > reject_unlisted_recipient,
> > reject_unknown_recipient_domain,
> > permit_mynetworks,
> > reject_unauth_destination,
>
> This should not reject domains listed in $relay_domains. Any
> relevant overrides in master.cf? (See "postconf -Mf" output).

# postconf -c /etc/postfix-117 -Mf
policy-spf unix  -       n       n       -       -       spawn
    user=nobody argv=/usr/libexec/postfix/policyd-spf
smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd

> > /etc/postfix-117/nnnhelp-zendesk:
> > /example\.com$/    permit
>
> Use of a PCRE table for relay control is a bad idea. The above matches
> more domains than you actually intended. The "relay_domains" setting
> should be enough. [ I assume it is not actually "example.com"... ]

I've tried with cdb (my default db) but unsure how to do wildcards.

/etc/postfix-117/smartmls-com
# cat smartmls
/smartmls.com/      permit
j...@smartmls.com   permit
# postmap smartmls
# postmap -c /etc/postfix-117 -q j...@smartmls.com cdb:/etc/postfix-117/smartmls
permit

> What is your (built-in default?) setting of "smtpd_relay_restrictions"?

# postconf -c /etc/postfix-117 smtpd_relay_restrictions
smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} : {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
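Two lookup behaviours explain both the cdb "wildcard" puzzle and Viktor's warning about the PCRE table: an indexed access(5) map is consulted with a fixed sequence of partial keys (the full address, the domain and its parent domains, then the localpart), so a bare `smartmls.com` key already covers the whole domain and, with the default `parent_domain_matches_subdomains`, its subdomains; a regexp/pcre table, by contrast, is matched against the whole address only, which is why `/example\.com$/` also permits `anyone@notexample.com`. The following is an added example, not code from the list or from Postfix, that reproduces those two lookup orders over constructed tables (it models the key order documented in access(5); it is not Postfix's own lookup code).

```python
import re

# Constructed access(5) tables. INDEXED_TABLE stands in for a cdb:/hash: map
# after postmap; PCRE_TABLE stands in for the pcre: table quoted in the thread.
INDEXED_TABLE = {
    "/smartmls.com/": "permit",      # slashes are just characters in an indexed map
    "joe@smartmls.com": "permit",    # full-address key
    "smartmls.com": "permit",        # bare domain key, the form access(5) expects
}
PCRE_TABLE = [(re.compile(r"example\.com$"), "permit")]


def address_keys(address, parent_matches_subdomains=True):
    """The keys Postfix tries, in order, for an email address in an indexed
    access table: user+ext@domain, user@domain, the domain and its parents,
    then user+ext@ and user@. With smtpd_access_maps listed in
    parent_domain_matches_subdomains (the default) a bare parent-domain key
    matches its subdomains; otherwise only the ".parent" form does."""
    local, _, domain = address.rpartition("@")
    base = local.split("+", 1)[0]
    keys = [address]
    if base != local:
        keys.append(f"{base}@{domain}")
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if i == 0 or parent_matches_subdomains:
            keys.append(parent)
        else:
            keys.append("." + parent)
    keys.append(f"{local}@")
    if base != local:
        keys.append(f"{base}@")
    return keys


def indexed_lookup(table, address, parent_matches_subdomains=True):
    """First matching key and its action, or (None, None) when nothing matches."""
    for key in address_keys(address, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


def pcre_lookup(table, address):
    """Regexp/pcre tables are applied to the whole address only: no domain,
    parent-domain or localpart sub-lookups (access(5), 'REGULAR EXPRESSION
    TABLES'). First pattern in table order wins."""
    for pattern, action in table:
        if pattern.search(address):
            return action
    return None


if __name__ == "__main__":
    for addr in ("joe@smartmls.com", "anyone@smartmls.com", "anyone@sub.smartmls.com"):
        print(addr, "->", indexed_lookup(INDEXED_TABLE, addr))
    print("only the slashed key:", indexed_lookup({"/smartmls.com/": "permit"}, "joe@smartmls.com"))
    print("pcre over-match:", pcre_lookup(PCRE_TABLE, "someone@notexample.com"))
```

The `postmap -q` in the thread returned `permit` because of the `j...@smartmls.com` line, not the slashed one, which no address will ever hit. For relay control, `relay_domains` is the right place anyway; it is matched with the same parent-domain rule (`relay_domains` is also in the default `parent_domain_matches_subdomains`), so listing `smartmls.com` there covers its subdomains too.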
Re: zendesk and relay denied
Hi,

> > > That is not valid relay_domains syntax. For more help, see:
> > >
> > > http://www.postfix.org/DEBUG_README.html#mail
> >
> > Just to be clear, I forgot to note that the check_recipient_access was
> > part of my smtpd_recipient_restrictions, not relay_domains:
>
> Posting tiny fragments of your configuration wastes everyone's time. :-(
>
> If you want help post the complete output of "postconf -nf" preserving
> all whitespace, ... (not folding or unfolding of lines).
>
> > May 12 23:02:35 xavier postfix-117/smtpd[3481802]: NOQUEUE: reject:
> > RCPT from
> > mail-dm6nam10lp2107.outbound.protection.outlook.com[104.47.58.107]:
> > 554 5.7.1 : Relay access denied;
> > from= to= proto=ESMTP
> > helo=
>
> This was rejected by "reject_unauth_destination".

Thank you so much. I had included my smtpd_recipient_restrictions earlier in this thread, but should have been more complete. This is the multi-instance postfix you helped me configure some time ago. Mail is first processed by this postfix-117 instance, sent to amavisd, then forwarded to postfix-out where it's sent to the recipient.

always_bcc = bcc-user
authorized_submit_users = root
body_checks = regexp:$config_directory/body_checks regexp:$config_directory/body_checks.pcre
bounce_queue_lifetime = 2d
command_directory = /usr/sbin
compatibility_level = 2
config_directory = /etc/postfix-117
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-117
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_database_type = cdb
default_process_limit = 500
default_transport = smtp:[127.0.0.1]:10024
header_checks = regexp:$config_directory/header_checks pcre:$config_directory/header_checks.pcre pcre:$config_directory/header_checks-jimsun.pcre
html_directory = no
indexed = ${default_database_type}:${config_directory}/
inet_interfaces = 209.216.111.117
inet_protocols = ipv4
initial_destination_concurrency = 20
local_header_rewrite_clients =
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
master_service_disable =
maximal_queue_lifetime = 100d
meta_directory = /etc/postfix
mime_header_checks = pcre:$config_directory/mime_header_checks
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-117
mydestination =
mynetworks = 127.0.0.0/8, 209.216.111.0/24
newaliases_path = /usr/bin/newaliases.postfix
policy-spf_time_limit = 3600s
postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = score.senderscore.com=127.0.4.[0..19]*5 score.senderscore.com=127.0.4.[20..29]*4 score.senderscore.com=127.0.4.[30..49]*3 score.senderscore.com=127.0.4.[50..59]*2 score.senderscore.com=127.0.4.[60..69]*1 score.senderscore.com=127.0.4.[70..79]*-1 score.senderscore.com=127.0.4.[80..89]*-2 score.senderscore.com=127.0.4.[90..100]*-3 bb.barracudacentral.org*7 bl.mailspike.net*4 bl.spamcop.net*4 bl.spameatingmonkey.net*4 sip-sip24.mykey.invaluement.com=127.0.0.2*8 ubl.unsubscore.com=127.0.0.2*1 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 dnsbl.sorbs.net=127.0.0.[10;14]*8 dnsbl.sorbs.net=127.0.0.5*7 dnsbl.sorbs.net=127.0.0.7*4 dnsbl.sorbs.net=127.0.0.6*3 dnsbl.sorbs.net=127.0.0.[8;9]*2 dnsbl.sorbs.net=127.0.0.4*1
postscreen_dnsbl_threshold = 8
postscreen_greet_action = enforce
postscreen_whitelist_interfaces = static:all 68.195.111.40/29 107.155.111.2 209.216.111.0/24 209.216.112.0/24
queue_directory = /var/spool/postfix-117
readme_directory = /usr/share/doc/postfix/README_FILES
recipient_delimiter = +
relay_domains = $mydestination, example.com, nnnhelp.zendesk.com
relay_transport = $default_transport
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_data_done_timeout = 1200s
smtp_destination_recipient_limit = 1000
smtp_send_xforward_command = yes
smtp_tls_CAfile = /etc/letsencrypt/chain.pem
smtp_tls_security_level = may
smtpd_client_port_logging = no
smtpd_client_restrictions = permit_mynetworks, check_client_access ${indexed}client_checks, check_reverse_client_hostname_access pcre:$config_directory/fqrdns-042715a.pcre, check_reverse_client_hostname_access pcre:$config_directory/reverse_client_hostname_access.pcre, check_client_access cidr:$config_directory/client_access_blocklist
smtpd_helo_restrictions = permit_mynetworks check_helo_access ${indexed}helo_checks check_helo_access
Re: zendesk and relay denied
Hi,

> > relay_domains = $mydestination, example.com
> > check_recipient_access pcre:$config_directory/nnnhelp-zendesk,
>
> That is not valid relay_domains syntax. For more help, see:
>
> http://www.postfix.org/DEBUG_README.html#mail

Just to be clear, I forgot to note that the check_recipient_access was part of my smtpd_recipient_restrictions, not relay_domains:

smtpd_recipient_restrictions =
    ...
    check_recipient_access pcre:$config_directory/nnnhelp-zendesk,

/etc/postfix-117/nnnhelp-zendesk:
/example\.com$/    permit

My problem now, I think, is in allowing the O365 servers responsible for this domain to communicate with my postfix instance to relay mail for our domain.

May 12 23:02:35 xavier postfix-117/smtpd[3481802]: NOQUEUE: reject: RCPT from mail-dm6nam10lp2107.outbound.protection.outlook.com[104.47.58.107]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

Their server is not dedicated to us, so I can't add it to relay_domains, but maybe there's a way to allow *.outbound.protection.outlook.com to relay just for our example.com domain?
Re: zendesk and relay denied
Hi,

>> I've set up postfix to be the mail relay for a domain so we can
>> process it through amavis/spamassassin prior to it being forwarded on
>> to our O365 domain.
>
> You need to add this domain to the "relay_domains"

Ah yes, of course.

>> I've set up a recipient check to allow relaying for our zendesk
>> support domain, but for some reason it's still being rejected. Is it
>> due to the empty envelope sender?
>
> SMTPD checks "smtpd_relay_restrictions" also.
> By default it accepts email from unauthenticated users/networks to
> mydestination and relay_domains only.

I realized I'm also having difficulty with outbound mail being routed from O365 to our mail server:

May 12 23:04:54 xavier postfix-118/smtpd[3482092]: NOQUEUE: reject: RCPT from mail-mw2nam12lp2043.outbound.protection.outlook.com[104.47.66.43]:554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

So I'm unable to send mail as a...@mydomain.com to any domain other than the ones managed by our mail server. How do I convince postfix that it should route mail for mydomain.com from outbound.protection.outlook.com? I've added spf.protection.outlook.com to our SPF record - what am I missing?

>> main.cf:
>> relay_domains = $mydestination, example.com
>
> Add "nnnhelp.zendesk.com" here.
> Be sure Postfix knows how to deliver email there (there must be an MX record or
> a record in the "transport(5)" table)

This is working now, thanks.

>> check_recipient_access pcre:$config_directory/nnnhelp-zendesk,
>
> Did you add it to the "smtpd_recipient_restrictions" ?

Oops, yes, that's where I added it.

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    reject_unlisted_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rhsbl_reverse_client dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_helo dbl.spamhaus.org,
    check_helo_access pcre:$config_directory/helo_checks.pcre,
    check_helo_access ${indexed}helo_checks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_policy_service unix:private/policy-spf,
    check_policy_service inet:127.0.0.1:2501,
    check_recipient_access pcre:$config_directory/nnnhelp-zendesk,
    permit

> Check this doc carefully: http://www.postfix.org/SMTPD_ACCESS_README.html
> It has examples and a very useful table

Thank you.
zendesk and relay denied
Hi,

I've set up postfix to be the mail relay for a domain so we can process it through amavis/spamassassin prior to it being forwarded on to our O365 domain. I've set up a recipient check to allow relaying for our zendesk support domain, but for some reason it's still being rejected. Is it due to the empty envelope sender?

May 12 18:49:41 xavier postfix-117/smtpd[3341387]: NOQUEUE: reject: RCPT from mail-dm6nam.outbound.protection.outlook.com[104.47.59.171]: 554 5.7.1 : Relay access denied; from=<> to= proto=ESMTP helo=

Our domain is example.com below, and our zendesk support domain is nnnhelp.zendesk.com.

nnnhelp-zendesk:
/nnnhelp.zendesk.com$/    permit

main.cf:
relay_domains = $mydestination, example.com
check_recipient_access pcre:$config_directory/nnnhelp-zendesk,
fallback_relay and transports
Hi,

I have a postfix-3.5.10 system and am trying to process mail prior to it being forwarded to another domain that has multiple MX records. Many years ago I used fallback_relay in master.cf but now it appears to be referenced as smtp_fallback_relay? I don't understand the syntax for adding multiple relays and whether I'm even doing it the right way.

master.cf:
orion     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=192.168.10.10,192.168.11.11

relay_domains = $mydestination, example.com, example1.com

transport:
example.com    orion:192.168.9.9

Also, on a somewhat related note, is it possible to configure a transport for relay_domains and a separate transport for virtual_alias_domains?
Re: Configuring always_bcc
Hi,

> > > I thought I said transport...
> > >
> > > Postfix instance 1
> > >
> > > main.cf
> > > always_bcc = f...@example.com
> > >
> > > transport_maps
> > > f...@example.com -> Postfix instance 2
> > > all other mail -> content filter -> Postfix instance 2
> > >
> > > Perhaps a picture is worth 1e3 words.
> >
> > Does this mean modifying my existing default_transport to send mail to
> > be filtered through a transport instead?
>
> No, it means a transport(5) table entry for special-casing
> the BCC recipients.

Somehow I was confusing transports with transport maps.

> You leave your default transport alone, it is used for normal
> recipients. You route the BCC recipients via the transport
> table.

Now I understand. I've used transport maps a dozen times before but never thought about it this way.

> Some explanation would help to understand which instance receives new mail,
> which instances send into and receive from filter, and why you need three
> instances.

I created multiple instances to assign each one to a different IP for different domains to be able to associate their domain with separate MX records and separate body/header checks, etc.

Thanks so much,
Alex
Re: Configuring always_bcc
Hi,

> Wietse:
> > Postfix instance 1
> >
> > main.cf
> > always_bcc = f...@example.com
> >
> > transport_maps
> > f...@example.com -> Postfix instance 2
> > all other mail -> content filter -> Postfix instance 2
> >
> > Perhaps a picture is worth 1e3 words.
>
> Alex:
> > Does this mean modifying my existing default_transport to send mail to
> > be filtered through a transport instead?
> >
> > # postconf -c /etc/postfix-117 default_transport
> > default_transport = smtp:[127.0.0.1]:10024
>
> That will work, assuming that Postfix instance 1 does not try to
> make its own final deliveries (i.e. mydestination is empty, ditto
> for virtual_mailbox_domains).
>
> > And this is a separate solution from Victor's, correct?
>
> It is more or less Viktor's suggestion.
>
> Some details will be missing: relay_domains needs to be set up so
> that Postfix instance 1 won't reject mail with "relay access denied".

Thanks for sticking with me here. That's a pretty big change for me. Victor helped me create the multi-instance setup initially, but I don't understand enough to set up the transports in this way.

mydestination and virtual_mailbox_domains are empty.

# postmulti -l
-               -               y         /etc/postfix
postfix-out     mta             y         /etc/postfix-out
postfix-109     mta             y         /etc/postfix-109
postfix-110     mta             y         /etc/postfix-110

# postconf -nc /etc/postfix-109 |grep transport
default_transport = smtp:[127.0.0.1]:10024
local_transport = error:5.1.1 Mailbox unavailable
relay_transport = $default_transport
transport_maps =
virtual_transport = $default_transport
Re: Configuring always_bcc
> > > I'm currently using the default_transport to route mail to 10025 for
> > > amavisd. Would I then just use the local transport for local mail then
> > > define it in the transport file?
> >
> > No, because presumably the Bcc mail is supposed to be delivered
> > somewhere else via SMTP. Instead, you would use a separate logical
> > domain for Bcc recipients, and route that domain (via a suitable
> > transport table entry) to a separate transport (perhaps bypass amavis
> > entirely, unless you need amavis to do something special with Bcc mail).
> >
> > > Or perhaps local_recipient_maps? mydestination is not currently
> > > defined for this instance.
> >
> > I thought I said transport...
>
> Postfix instance 1
>
> main.cf
> always_bcc = f...@example.com
>
> transport_maps
> f...@example.com -> Postfix instance 2
> all other mail -> content filter -> Postfix instance 2
>
> Perhaps a picture is worth 1e3 words.

Does this mean modifying my existing default_transport to send mail to be filtered through a transport instead?

# postconf -c /etc/postfix-117 default_transport
default_transport = smtp:[127.0.0.1]:10024

And this is a separate solution from Victor's, correct?
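An added example, not from the thread, of the transport(5) table search order behind Wietse's advice in the always_bcc messages above: one table entry special-cases the always_bcc recipient (or a separate logical BCC domain) while every other recipient still falls through to default_transport, the content filter on port 10024 from the thread. The recipient addresses and the instance 2 port (10026) are constructed placeholders.

```shell
#!/bin/sh
# Added example: a shell model of how Postfix resolves a recipient through
# transport_maps, applied to the always_bcc recipient and to normal mail.
# Real Postfix does the same lookups; on a server compare with
#   postmap -q 'user@domain' hash:/etc/postfix/transport

TRANSPORT=$(mktemp)
trap 'rm -f "$TRANSPORT"' EXIT
DEFAULT_TRANSPORT='smtp:[127.0.0.1]:10024'   # content filter, from the thread

# Constructed transport table: a full-address entry for the always_bcc
# recipient and a domain entry for a separate logical BCC domain.
# Port 10026 for "Postfix instance 2" is an assumed placeholder.
cat >"$TRANSPORT" <<'EOF'
# key                   transport:nexthop
bcc-copy@example.com    smtp:[127.0.0.1]:10026
bcc.example.com         smtp:[127.0.0.1]:10026
EOF

# lookup KEY: print the transport for an exact key, exit status 1 if absent
lookup() {
    awk -v k="$1" '$1 !~ /^#/ && $1 == k { print $2; found = 1 }
                   END { exit !found }' "$TRANSPORT"
}

# route ADDRESS: transport(5) order is user@domain, domain, parent domains
# written as .domain, then "*", then default_transport.  The
# user+extension@domain step is omitted (no recipient_delimiter here).
route() {
    addr=$1
    domain=${addr#*@}
    lookup "$addr" && return
    lookup "$domain" && return
    parent=$domain
    while [ "${parent#*.}" != "$parent" ]; do
        parent=${parent#*.}
        lookup ".$parent" && return
    done
    lookup '*' && return
    echo "$DEFAULT_TRANSPORT"
}

for a in bcc-copy@example.com archive@bcc.example.com \
         alice@example.com bob@mail.example.com; do
    printf '%-26s -> %s\n' "$a" "$(route "$a")"
done
```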
