[pfx] Re: Contradicting Postfix documentation

2023-05-02 Thread Antonio Leding via Postfix-users
STFU before telling me to crawl before run and RTFM. Also, stop thinking Postfix is flawless. You are living in a fantasy land. Lots of pilots thought their autopilot software was flawless, too, only to end up being killed by it. K Sent: Wednesday, May 03, 2023 at 5:51 am From: "An

[pfx] Re: Contradicting Postfix documentation

2023-05-02 Thread Antonio Leding via Postfix-users
This looks like a network and config issue rather than any defect in PF be that with the code or the docs... I would highly recommend you crawl before you try running so with that in mind, scale back your config to just use v4 and get that working. Also, if you really want help on this mailer,

[pfx] Re: Postfix refuses to accept email from video camera

2023-04-15 Thread Antonio Leding via Postfix-users
“…maybe you can change the Postfix settings so that he makes friends with this camera and successfully receives mail from it…” PF already does this - in plain-text. PF handles TLS\SSL properly so asking to have PF modified to accommodate a client’s old & outdated firmware seems a bit like

[pfx] Re: Test Post - Please Ignore

2023-03-23 Thread Antonio Leding via Postfix-users
Got it… Also, just an FYI - But I’ve always been able to confirm my posts are working properly by reviewing the list archive. Posts seem to appear almost as fast as received by the list members so typically a good way to verify everything is working ok… Just my .02…

Re: password security

2022-04-27 Thread Antonio Leding
“Well, if you believe that it's ok for you to use it.” Not sure if you mean I’m being presumptuous (not intended) or actually that I would see value in using it - I think you meant the latter but again, not sure…(lol) Anyway, I would see value in at least checking it out - seems

Re: password security

2022-04-27 Thread Antonio Leding
“On my personal to-do list is to implement a simple X.509-CA for issuing short-term client certs, with a CLI tool to directly manipulate Thunderbird and Firefox key/cert DB.” As in you are planning to build such a suite and put up on GH for all of us to use as well??? If so, would love to

Re: password security

2022-04-26 Thread Antonio Leding
, Antonio Leding wrote: “…I'm just saying it's [F2B] not a solution to modern brute-force attack on passwords/accounts….” It’s actually staggering that you say this because of how incredibly inaccurate this statement is… Presume someone goes brute-force against a PostFix server via v6 only

Re: password security

2022-04-26 Thread Antonio Leding
“…I'm just saying it's [F2B] not a solution to modern brute-force attack on passwords/accounts….” It’s actually staggering that you say this because of how incredibly inaccurate this statement is… Presume someone goes brute-force against a PostFix server via v6 only - so tons of addresses

Re: password security

2022-04-26 Thread Antonio Leding
I’m not really sure if you understand that F2B is just a set of scripts wrapped around iptables (a firewall) - but that’s all it is - the real-work is being done by iptables which can be very effective against DDoS. Plenty of articles, papers, etc. on this very topic so your assertion that F2B

Re: password security

2022-04-25 Thread Antonio Leding
Anyone who thinks that F2B merely “quiets logs” unfortunately has no idea what F2B actually does… - - - On 25 Apr 2022, at 1:00, Laura Smith wrote: Sent with ProtonMail secure email. --- Original Message --- On Monday, April 25th, 2022 at 08:50, Dan Mahoney wrote: Even if

Re: password security

2022-04-25 Thread Antonio Leding
I’ve been using F2B for over 4-5 years and it’s fantastic. F2B is just one of many very useful tools in the belt of any knowledgable infosec practitioner. To consider F2B as “only for the lazy” speaks more to a lack of truly understanding infosec than it does of the tool itself… - - - On

Re: Why the name Postfix?

2022-03-27 Thread Antonio Leding
This lore is BEYOND cool and Wietse is legend… - - - On 27 Mar 2022, at 15:00, Wietse Venema wrote: Viktor Dukhovni: On Sun, Mar 27, 2022 at 09:08:53AM +0530, Amarjeet Anand wrote: What’s the story behind choosing the name as “Postfix”? One of the stories can be found here:

Re: DANE but DNS Provider dont support this

2022-01-25 Thread Antonio Leding
Great info - thanks Viktor… - - - On 25 Jan 2022, at 9:43, Viktor Dukhovni wrote: > On Tue, Jan 25, 2022 at 04:58:49PM +0000, Antonio Leding wrote: > >> When you say “operate my own DNS”, do you mean your own DNS servers >> at your location or maybe you manage your own zones

Re: DANE but DNS Provider dont support this

2022-01-25 Thread Antonio Leding
Hi Viktor - just curious… When you say “operate my own DNS”, do you mean your own DNS servers at your location or maybe you manage your own zones via a DNS provider, ISP, etc.? Or perhaps some other model of which I am not aware? - - - On 24 Jan 2022, at 23:19, Viktor Dukhovni wrote: On

Re: https://www.postfix.org/ in trouble

2022-01-06 Thread Antonio Leding
Not sure if this is a question for the community or just the devs but one of the credos this user swears by is “If it isn’t broken, then don’t go fixin’ it…” There’s this FUD out there that all sites MUST be https. Of course I disagree with this sentiment but perhaps there is something I’m

Re: SMTP Relay

2021-08-02 Thread Antonio Leding
To assist with this further, either here or on another list (preferable), I would need to understand what is meant by “endpoint” as well as a little more detail re: the packet paths… - - - On 2 Aug 2021, at 7:29, Eric Shields | Mass Transit Honchkrow wrote: Hi again. I finally figured out

Re: Manual Clarification

2021-07-15 Thread Antonio Leding
I have to admit that when I first saw this, it was also a bit confusing as I was equating this with typical packet and session timeouts at the network level. What helped me better understand this was the phrase “one byte at a time” and then reading up on things like Slow Loris that Viktor

Re: Briteverify

2021-05-22 Thread Antonio Leding
"...complained to Amazon AWS about them to no avail...” I’m not privy to your specific scenario but if you are using AWS to provide unmanaged cloud VM services, such as EC2, then why would you complain to AWS re: any EM issue such as spam, verification, etc.? That’s not their job - that’s

Re: Speaking of Firefox and HTTP^H^H^H^HFTP...

2021-04-23 Thread Antonio Leding
file in a browser? Granted, a lot of that has been replaced by SFTP/SCP, but ftp is still useful. RobertC From: owner-postfix-us...@postfix.org on behalf of Antonio Leding Sent: Friday, April 23, 2021 15:45 To: Wietse Venema Cc: postfix-users@postfix.org

Re: Speaking of Firefox and HTTP^H^H^H^HFTP...

2021-04-23 Thread Antonio Leding
Exactly - I’ve always wondered why the fascination + hangup with FTP when one can just dump the exact same files into a directory (or even the same one) and serve it as http or https - a file is a file is a file - the protocol doesn’t care… - - - On 23 Apr 2021, at 7:58, Wietse Venema wrote:

Re: Certificate Postfix.org missing?

2021-04-22 Thread Antonio Leding
Another +1 that with vanilla FF v87 + macOS HS, the power is in the hands of the user (where it truly belongs) via a user-knob controlling whether or not FF complains about non-https… - - - On 22 Apr 2021, at 10:51, Richard wrote: Date: Thursday, April 22, 2021 19:26:57 +0200 From: Claus

Re: Certificate Postfix.org missing?

2021-04-21 Thread Antonio Leding
Perhaps I’m wrong here but I think Wietse meant www.postfix.org vs. just postfix.org — as in only the former exists… - - - On 21 Apr 2021, at 13:08, Jos Chrispijn wrote: Wietse Venema: There is neither a service at port 443, nor a postfix.org website. You mean you don't authorize this

Re: What am I missing here?

2021-03-18 Thread Antonio Leding
FWIW, I had very similar issues and implemented fail2ban with very tight parameters to essentially block offensive probing hosts. I went from something around 75k probes per month down to less than 50. Also, out of respect for our counterparts on this PF dedicated mailer, feel free to ping

Couple of questions re: IPBLs & DNSBLs

2021-03-18 Thread Antonio Leding
Hello all, 1. Where to place IPBL\DNSBL rules * Because the result of a hit against an IPBL\DNSBL is to REJECT, does it make sense to place these kind of rules earlier in the SMTPD_RESTRICTIONS eval chain (i.e. CLIENT) rather than later (i.e. RECIPIENT) as shown in the _Getting

Re: Getting my head around restriction lists

2021-03-10 Thread Antonio Leding
“Does this mean that a condition in smtpd_helo_restrcitiosn which triggers a "REJECT" will, upon entering RCPTO TO mode, result in the rejection with nothing else evaluated?” Yes but it doesn’t matter in which of the 5 lists it is encountered. Once REJECT is encountered, all evaluation ends…

Recipient & relay restriction evaluation order; log nomenclature

2021-03-10 Thread Antonio Leding
Hello all - couple of questions… Q1: Recipient & relay restriction evaluation order Regarding the evaluation order of the SMTPD_RECIPIENT & SMTPD_RELAY restriction lists, there have been a few message threads that discuss the disparity between the Postfix documentation and the actual

Getting my head around restriction lists

2021-03-10 Thread Antonio Leding
Hello all, I’ve been digging into restriction lists a bit more and grinding away on the rationale between separating restrictions across each of the first four lists (CLIENT, HELO, SENDER, & RECIPIENT) vs. just placing them all in RECIPIENT. Let me also state that yes, I have read the

Re: Deprecated: white is better than black

2021-02-24 Thread Antonio Leding
Agreed — While my initial gut reaction is jump in and express myself directly about this change, my better angel (yes, I think I have only one) compels me to understand (a) this forum is not the right place to air any perspective for or against this change; (b) it’s done so get on with it.

Re: Multiple lookup entries in an SQL table

2021-02-19 Thread Antonio Leding
ngle result, then your query would need a LIMIT statement in it. On Feb 19, 2021, at 5:19 PM, Wietse Venema wrote: Antonio Leding: Ok? So if I have the following: example.com OK example.com REJECT Then the correct Postfix lookup behavior is to return OK,REJECT That is what the database cl

Re: Multiple lookup entries in an SQL table

2021-02-19 Thread Antonio Leding
more negative testing… - - - On 19 Feb 2021, at 15:33, Viktor Dukhovni wrote: On Fri, Feb 19, 2021 at 11:13:57PM +, Antonio Leding wrote: I wanted to ask about the expected behavior if there are multiple entries in an SQL table for the same lookup (IP address, network, domain, etc.) which

Multiple lookup entries in an SQL table

2021-02-19 Thread Antonio Leding
Hello Postfix Community, I wanted to ask about the expected behavior if there are multiple entries in an SQL table for the same lookup (IP address, network, domain, etc.) which specify either the same or different actions (REJECT, OK, etc.). - - - example #1 1.2.3.4 OK 1.2.3.4 REJECT

Re: Corner cases in SSL_shutdown.

2021-02-02 Thread Antonio Leding
You’re not doin’ well son…quit diggin’ and go back to rethink your approach. I dare say at least a majority on this list, including myself, will trust Viktor et al a far bit more than someone coming in from the cold who freely admits they are not “well versed” in the app, nor a key protocol

Re: bl.spamcop.net false positives

2021-02-01 Thread Antonio Leding
Great points - my view from earlier was that it really isn’t the registrar’s job to make sure someone’s doing is cfg’d properly. I would much rather have the registrar take a more hand-off approach to configuring domains rather than the alternative. Just imagine registrars who try and poke

Re: bl.spamcop.net false positives

2021-02-01 Thread Antonio Leding
of mistakes by SC… - - - On 1 Feb 2021, at 13:38, Jaroslaw Rafa wrote: Dnia 1.02.2021 o godz. 20:31:51 Antonio Leding pisze: That aside, IMHO, this is a huge screw-up for SC - not even in the realm of acceptable… On the other hand, why did the domain registrar put a blanket entry

Re: CentOS Linux 8 is being practically abolished

2020-12-10 Thread Antonio Leding
100% agree that PF mailer is not the best place to discuss this so absent any other suggestion, does Reddit make sense? Please let me know if anyone has picked up this discussion somewhere else… Thanks… - - - On 9 Dec 2020, at 9:35, Viktor Dukhovni wrote: I don't think this is the right

Fwd: Redirection using a 1:1 & domain wildcard alias

2020-10-05 Thread Antonio Leding
I found my answer - RFC-2821 - - - Forwarded message: From: Antonio Leding To: Jaroslaw Rafa Cc: postfix-users@postfix.org Subject: Re: Redirection using a 1:1 & domain wildcard alias Date: Mon, 5 Oct 2020 20:38:00 + Thanks Jaroslaw, Is any of this documented anywhere? I’ve

Re: Redirection using a 1:1 & domain wildcard alias

2020-10-05 Thread Antonio Leding
would like to know where… - - - On 5 Oct 2020, at 12:34, Jaroslaw Rafa wrote: Dnia 5.10.2020 o godz. 17:28:04 Antonio Leding pisze: * When both a 1:1 alias & a user are configured for a given email address, why are emails sent to the alias\user only delivered to the alias target? Bec

Fwd: Redirection using a 1:1 & domain wildcard alias

2020-10-05 Thread Antonio Leding
!!!). :=) - - - Forwarded message: From: Antonio Leding To: Postfix users Subject: Redirection using a 1:1 & domain wildcard alias Date: Mon, 5 Oct 2020 17:28:04 + Hello Postfix Community, First off, I apologize if answers to my questions are well-known but before posting, I did spend a

Redirection using a 1:1 & domain wildcard alias

2020-10-05 Thread Antonio Leding
Hello Postfix Community, First off, I apologize if answers to my questions are well-known but before posting, I did spend a fair amount of time researching all of the Postfix READMEs, HOWTOs, etc. to try and understand this but apparently I am not finding the right information. Thanks in

Re: Very selective relay

2020-09-22 Thread Antonio Leding
Hi Viktor, I never used this but am now curious — in reading the docs on this, it looks like the proper content in the “{ }” fields would be the IP or FQDN to\from one wishes to restrict traffic — do I have this correct? On 18 Sep 2020, at 9:09, Viktor Dukhovni wrote: On Fri, Sep 18,

Re: postfix and MX

2020-09-18 Thread Antonio Leding
It’s important to differentiate between personal and professional use. In the former, I agree email’s relevance & importance is diminishing largely due to social media and IM platforms. But in the latter case, email will be with us for quite a long while… - - - On 18 Sep 2020, at 10:04,

Re: postfix and MX

2020-09-17 Thread Antonio Leding
dates back to April 201. I would expect that 19 years is sufficient time for the news to have reached Redmond, WA. I think thats actually 1819 years so most definitely long enough to get the memo… I stopped believing long ago that Microsoft adhered to any standard in earnest. To me, they

Re: postfix and MX

2020-09-17 Thread Antonio Leding
Just in case someone gets the wrong impression about MX records being required... TILT: MX records are not required for email to work — WOOT… I’m sure most of this group already knew this but alas, I did not…One more gem of the many I have gathered from this mailer thus far… Thanks Viktor…

Re: Feature suggestion: hook support for specific events?

2020-08-26 Thread Antonio Leding
Hi Phil, I presume you mean fail2ban here…if so, I must respectfully dissent… :=) I agree that early on, the docs were horrible (to say the least) but more recently, I think the dev has done a fair job making f2b easier to implement and use. Now granted, I do only use it for checking SASL

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
t 09:48:29PM +0000, Antonio Leding wrote: > >> Again, great feedback…I am definitely diving into DANE now…may have >> more questions but I will try to keep those to a minimum. > > https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources > > -- >Viktor.

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Again, great feedback…I am definitely diving into DANE now…may have more questions but I will try to keep those to a minimum. Thanks again Victor - very much appreciated… > On Jul 27, 2020, at 2:44 PM, Viktor Dukhovni > wrote: > > On Mon, Jul 27, 2020 at 08:58:19PM +0000, An

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
of using DANE + self-signed likely (or actually) outweigh going with an LE cert sans DANE. > On Jul 27, 2020, at 1:52 PM, Viktor Dukhovni > wrote: > > On Mon, Jul 27, 2020 at 07:32:41PM +, Antonio Leding wrote: > >> I’ve always been dubious about the auth requirem

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
. In any event, people do what people do so I guess in order to ensure my server will employ the highest number of TLS sessions, I should use a CA-signed cert... Agreed? > On Jul 25, 2020, at 8:03 PM, Viktor Dukhovni > wrote: > > On Sun, Jul 26, 2020 at 02:45:38AM +0000, Antonio

What is lost by using self-signed certs for TLS?

2020-07-25 Thread Antonio Leding
Hello all, Please allow me to apologize in advance for any ignorance here…and also, I have researched and am just not seeing the entire picture here. My goal is to fully understand what is lost by using only self-signed certs on my PF server. Here’s what I think I know: — The fact that the

Re: Log entry timestamp

2020-07-01 Thread Antonio Leding
Thanks Wietse - rsyslog template it is then... > On Jun 30, 2020, at 3:43 PM, Wietse Venema wrote: > > Antonio Leding: >> Hello Postfix community, >> >> Does anyone know if it is possible to configure, within Postfix, >> the timestamp used for log messages? >

Log entry timestamp

2020-06-30 Thread Antonio Leding
Hello Postfix community, Does anyone know if it is possible to configure, within Postfix, the timestamp used for log messages? I know I can setup a template in rsyslog but would rather do this in Postfix if possible. Thanks in advance... — Tony —

Re: The historical roots of our computer terms

2020-06-06 Thread Antonio Leding
It goes without saying that this kind of a discussion\debate\etc. can easily turn into something wholly not intended…therefore, all I will offer is this… Someone said earlier that they refuse to use select words because "words matter"…I would agree. That said… I respectfully submit that

Re: may we suggest ICANN not run that many new tlds?

2019-11-19 Thread Antonio Leding
Demand is demand…it doesn’t matter from where it originates…. > On Nov 19, 2019, at 12:59 PM, Charles Sprickman wrote: > > >> On Nov 19, 2019, at 3:28 PM, Antonio Leding wrote: >> >> But I predict it will fall on deaf ears… >> >> Suggesting th

Re: may we suggest ICANN not run that many new tlds?

2019-11-19 Thread Antonio Leding
But I predict it will fall on deaf ears… Suggesting this is tantamount to suggesting the PSTN not increase the # of area codes or NXX numbers. Things like this are created as the demand grows…and due to the complete metamorphosis of the Internet over the last 20 years, demand has

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
Good luck…you’ll get it figured... :=) > On Jun 9, 2019, at 5:03 PM, Ronald F. Guilmette > wrote: > > > In message <14936220-5b2f-e44a-2f3a-5301e4153...@opendmz.com>, > cvandesa...@opendmz.com wrote: > >> $ cat /etc/postfix/transport_maps >> # Mail to anyone at opendmz.com is sent via

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
Chris is the one who mentioned it (haproxy) and FWIW, based on the requirements you’ve stated in this thread, Chris’s setup seems to be pretty almost exactly what you want to do. In case it got overlooked, I include the key EM here: ### BEGIN ### I have 3 instances of postfix running

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
I think you want this tool that Chris mentioned earlier… http://www.haproxy.org > On Jun 9, 2019, at 4:13 PM, Ronald F. Guilmette > wrote: > > > In message <45mw9x6zlnzj...@spike.porcupine.org>, > Wietse Venema wrote: > >>> and then use something like fetchmail

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
ort and thresholds… > On Jun 9, 2019, at 3:58 PM, Ronald F. Guilmette > wrote: > > > In message > <0100016b3e41b455-b95a3601-7822-4541-823a-6230f277bf1b-00@email. > amazonses.com>, Antonio Leding wrote: > >> Security: >> >> With some VMs, you wi

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
to one of the local sites (again, non-standard > ports and whitelisted IP) > > It's nowhere perfect but I don't know what is. > > > On 09/06/2019 23:38, Antonio Leding wrote: >> Just practicing the Au-rule…treat other as… :=) >> >> I would definitely agree

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
s haproxy which will loadbalance IMAPS connections > back to either of the 2 local Dovecot sites. So I always have access to > my email wherever I happen to find myself. > > Chris. > > > On 09/06/2019 23:19, Antonio Leding wrote: >> Hi Chris, >> >>

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
Just thinking out loud here but because you would want to harden the cloud server in any case, I’m not sure what having a VPN gets you if also using IMAPS and SMTP + SSL between the cloud and the client. I guess one could argue that if you forget to set the SSL on the client side, you’re still

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
server emails never leave the local LAN > (except to be replicated to the other local site). > > Hope that makes sense. > > Chris. > > > On 09/06/2019 23:00, Antonio Leding wrote: >> AHHH - yes, thank you Paul - I did mean “cloud” based Postfix… >>

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
AHHH - yes, thank you Paul - I did mean “cloud” based Postfix… > On Jun 9, 2019, at 2:53 PM, Pau Amma wrote: > > On Sun, June 9, 2019 9:29 pm, Ronald F. Guilmette wrote: >> >> In message >> <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-000000@email. >

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
s re: cloud-based mail security but those issues are manageable if proper infosec is implemented… > On Jun 9, 2019, at 2:29 PM, Ronald F. Guilmette > wrote: > > > In message > <0100016b3e069855-f95cf3e2-9649-4a55-8290-24a9d44f80cc-00@email. > amazonses.com>, Ant

Re: ODMR/ATRN ?

2019-06-09 Thread Antonio Leding
Hey rfg, Just curious…any reason to not use use the could-based Postfix server + something like Dovecot and then have your clients access that directly? I have this now for at least 20 domains and it works awesome. I’m not understanding why the need to relay the mail to your local Postifix

Re: Forwarding received mail through AWS SES

2019-01-19 Thread Antonio Leding
Clarifying - I have both SES and EC2. EC2 is my main postfix box but the SMTP side is a backup for SES which is my main outbound email… > On Jan 19, 2019, at 7:16 PM, Antonio Leding wrote: > > FWIW - I’ve been using AWS for outbound SMTP well over 5 years with no > issues…ma

Re: Forwarding received mail through AWS SES

2019-01-19 Thread Antonio Leding
FWIW - I’ve been using AWS for outbound SMTP well over 5 years with no issues…maybe one-time have I had an email rejected due to blacklisting…and this was resolved within 30 minutes… > On Jan 19, 2019, at 7:13 PM, Durga Prasad Malyala > wrote: > > > On Sat, Jan 19, 2019, 23:26 Yasuhiro