Re: DMARC report analyzer - Open Source solution

2019-12-26 Thread B. Reino
Hello,

On December 26, 2019 7:54:02 PM UTC, Roberto Carna wrote:
>Dear, I'm receiving DMARC reports in one mail account from my domain. All
>the reports, coming mainly from Google and Yahoo, are attached in ZIP
>format, and they are XML files.
>
>Is there any open source DMARC report analyzer for a Linux platform ??? I
>prefer Debian or Ubuntu.
>
>Thanks a lot !!!

I've used dmarc-cat for some time:

https://github.com/keltia/dmarc-cat

(nowadays I just ignore the reports..)

Cheers.

(I apologize if the formatting is off.. mobile phone..)
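For readers who want to see what such an analyzer does with the ZIP-attached XML the question describes, here is an added example (not dmarc-cat's code, and not part of the original thread): it unwraps a .zip or .gz attachment, parses the RFC 7489 aggregate-report XML with the standard library, and groups message counts by sending IP, flagging sources where neither aligned DKIM nor aligned SPF passed. The embedded report is constructed for the example; the organisation, domain, IPs and counts are invented.

```python
import gzip
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 Appendix C aggregate-report layout; the
# organisation, domain, IPs and counts are invented for this example.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>5</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <spf><domain>spoofer.example</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def read_report_bytes(path):
    """Return the XML payload of a report file, unwrapping .zip or .gz first."""
    with open(path, "rb") as fh:
        data = fh.read()
    if path.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            xml_names = [n for n in zf.namelist() if n.endswith(".xml")]
            return zf.read(xml_names[0])
    if path.endswith(".gz"):
        return gzip.decompress(data)
    return data


def summarize_report(xml_text):
    """Group one aggregate report's message counts by sending IP.

    Reports arrive from third parties, so treat the XML as untrusted: the
    stdlib ElementTree parser does not resolve external entities, and every
    field is read with findtext() so a missing element yields None, not a crash.
    """
    root = ET.fromstring(xml_text)
    summary = {
        "org": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        src = summary["sources"].setdefault(ip, {"count": 0, "dkim": "fail", "spf": "fail"})
        src["count"] += int(rec.findtext("row/count") or 0)
        # policy_evaluated holds the *aligned* DKIM/SPF verdicts that DMARC uses
        for mech in ("dkim", "spf"):
            if rec.findtext(f"row/policy_evaluated/{mech}") == "pass":
                src[mech] = "pass"
    # sources where no aligned identifier passed: forwarding, or spoofing
    summary["unauthenticated"] = sorted(
        ip for ip, s in summary["sources"].items()
        if s["dkim"] != "pass" and s["spf"] != "pass"
    )
    return summary


if __name__ == "__main__":
    payload = read_report_bytes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    report = summarize_report(payload)
    print(f"{report['org']} -> {report['domain']} (p={report['policy']})")
    for ip, s in report["sources"].items():
        print(f"  {ip:20} {s['count']:6d} dkim={s['dkim']} spf={s['spf']}")
    print("unauthenticated sources:", report["unauthenticated"])
```

Run it with a saved attachment as the first argument, or with no argument to process the embedded sample. A source that shows up as unauthenticated with a large count is worth a look: it is either a forwarder that breaks SPF (and should be covered by DKIM), or someone sending mail with your domain in the From header.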


Re: Postfix: Variable meanings table

2019-09-07 Thread B. Reino

On 06/09/2019 20.25, Phil Stracchino wrote:

On 9/6/19 2:03 PM, @lbutlr wrote:
> On 6 Sep 2019, at 09:30, Phil Stracchino  wrote:
>> Can anyone by chance point me to any documentation that explains how to do this?
> 
> Not off hand, but what you are looking for on google is:
> 
> fail2ban "action.d"
> 
> (the quotes will force google to return results with action.d)
> 
> In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I’d check, but I’m using sshguard now).



Yeah, I've already had a browse through that, but it appears to me that
all of the prewritten actions assume you're talking to a *local*
firewall, and I don't know enough about fail2ban yet to feel confident
modifying it without something to work from.

I was *about to say* that every single document I've so far found seems
to assume a local firewall, but I just now stumbled across one with a
remote-firewall example that I think I can work with.


I use a custom script (/usr/local/sbin/fail2ban_action.sh) to block a 
given IP, from which I call nft to add the IP to a set,
by calling "nft $1 element inet filter fail2ban { $2 }" (where $1 is add 
or delete and $2 is the IP).


If you want that action to happen on a remote system you could just 
prepend "ssh " to the command
(assuming that your local root can login as root to the firewall system 
without user interaction..)


For reference, here is my /etc/fail2ban/action.d/local_block.conf:
[Definition]
# <ip> is fail2ban's tag for the offending address; it becomes $2 in the script
actionban   = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =

[Init]

where in /etc/fail2ban/jail.local I have
..
banaction = local_block
..

Hope that helps!
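The script above takes whatever fail2ban extracted from a log line and hands it to nft (or, with "ssh " prepended, to a remote shell). As an added example, not the poster's script, here is a Python version of that action that validates both arguments before anything is executed: the action must be add or delete, the address must parse as a literal IPv4/IPv6 address, and the command is built as an argv list so no shell is involved locally. The set names are assumptions: the post uses one set called fail2ban; a second set with ipv6_addr elements (called fail2ban6 here) is assumed for IPv6 bans.

```python
import ipaddress
import shlex
import subprocess
import sys

# Assumed nft set names (the original post uses a single set "fail2ban"; a
# second set with ipv6_addr element type is assumed here for IPv6 bans).
SETS = {4: "fail2ban", 6: "fail2ban6"}
ACTIONS = ("add", "delete")


def build_nft_argv(action, ip, ssh_host=None):
    """Validate the two fail2ban arguments and return the nft command as argv.

    Anything that is not add/delete plus a literal IP address raises
    ValueError, so a malformed value from a log line can never reach nft (or a
    remote shell) unchecked. The command is returned as a list and executed
    without a shell, so no quoting of the address is needed locally.
    """
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    addr = ipaddress.ip_address(ip.strip())  # raises ValueError on garbage
    if getattr(addr, "scope_id", None):
        raise ValueError("scoped IPv6 addresses are not valid set elements")
    argv = ["nft", action, "element", "inet", "filter", SETS[addr.version],
            "{", str(addr), "}"]
    if ssh_host:
        # Remote firewall, as the post suggests: the remote side does go
        # through a shell, so quote the already-validated argv for it.
        argv = ["ssh", ssh_host, shlex.join(argv)]
    return argv


def main(argv):
    """Entry point for fail2ban: script add|delete <ip> [ssh-host]."""
    try:
        cmd = build_nft_argv(argv[1], argv[2], argv[3] if len(argv) > 3 else None)
    except (IndexError, ValueError) as exc:
        print(f"fail2ban_action: refusing request: {exc}", file=sys.stderr)
        return 2
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in exactly like the shell version (actionban = /path/to/script add <ip>), optionally with the firewall host as a third argument. The point of the validation is that fail2ban's <ip> comes from parsing attacker-influenced log lines; refusing anything that is not a bare address keeps that input from ever being interpreted as nft syntax or, over ssh, as shell syntax.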



Re: spam from own email address

2019-04-23 Thread B. Reino

On Tue, 23 Apr 2019, Ian Jones wrote:

I am getting emails like the one below, in which the header from is my own 
address. The emails contain text in a jpg image and claims my account has 
been hacked and demands $1000 paid to a bitcoin account. I would like to find 
a way to reject emails from my own addresses except from my own servers, but 
so far I have not succeeded. :-( The relevant parts of my configuration are 
below. I am probably duplicating some actions, since I have recently added 
restrictions in the hope of preventing these emails.


In case you find this interesting, I think most such e-mails always 
include a bogus List-Id header. Given that the number of mailing lists 
(and hence possible valid List-Id fields) is usually limited and rather 
static, one could use header checks to implement a kind of white list for 
this.


(I haven't tried this myself, since I rarely receive such e-mails, and 
can just delete them..)


Cheers.



Re: Big problem with this mailing list and Majordomo regarding DMARC

2019-04-19 Thread B. Reino

On Fri, 19 Apr 2019, TG Servers wrote:


according to RFC this would be the full list for rspamd

 sign_headers = 'from:reply-to:subject:date:\
 to:cc:resent-to:resent-cc:resent-from:resent-date\
 in-reply-to:references:';

although they leave it open as "subjective" regarding message-id,
in-reply-to and references


Thanks for the clarification!

Yet, "subjective" (or trade-off, etc.) does not mean "will be changed 
remotely", so I fail to see the issue here (and man 5 opendkim.conf does 
not mention it AFAICT..)


Cheers.

Re: Big problem with this mailing list and Majordomo regarding DMARC

2019-04-19 Thread B. Reino

On Fri, 19 Apr 2019, Benny Pedersen wrote:


B. Reino skrev den 2019-04-19 15:48:


sign_headers = 'from:to:subject:date:message-id:in-reply-to:references';


man 5 opendkim.conf

don't sign headers that are added or changed remotely


I'm not sure I follow here. AFAIK all of the headers I mentioned above are 
user/MUA generated (.. I know Message-ID can be generated by MTA if the 
MUA sucks and doesn't do it itself).


Care to clarify?



Re: Big problem with this mailing list and Majordomo regarding DMARC

2019-04-19 Thread B. Reino

On Fri, 19 Apr 2019, TG Servers wrote:


Yes thanks Nick I am signing with rspamd and will have to check the
signed headers there
as this seems not compliant, I already checked that from the other
mails, thanks for the hint to you, too


I also use rspamd, and had exactly the same problem you're facing now.
I now (for some time already) use a more relaxed sign_headers in my 
local.d/dkim_signing.conf


sign_headers = 'from:to:subject:date:message-id:in-reply-to:references';

i.e. no oversigning and no "sender" in there.

(I also have policy=none and send received reports to /dev/null but don't 
tell anyone! :)


Cheers,
Bernardo.



Re: Relay Access Denied

2019-03-25 Thread B. Reino

On Mon, 25 Mar 2019, VP Lists wrote:


On Mar 25, 2019, at 1:37 AM, Viktor Dukhovni  wrote:

This must be some Apple-specific Postfix setting, are you running Apple's
Postfix binaries?


mail_version = 2.9.2


smtpd_relay_restrictions appeared only with 2.10. That explains the 
"unused parameter" warning.


Your (old) version should IIRC use only smtpd_recipient_restrictions.

But given that you have some weird version on a weird OS with a weird 
configuration, I will have to pass.


Best is to reinstall, from a trusted (non-Apple?) source, and start with 
default configuration, which is very sane. Only touch what you actually 
need to touch, and leave the rest to Viktor and Wietse, who seem to know 
what they do :)


Cheers and good luck.


Re: Relay Access Denied

2019-03-24 Thread B. Reino
Sorry for top posting. Mobile client here..

Your mynetworks has 192.168.0.0/24 but you say you use 192.168.x.x, i.e. 
192.168.0.0/16.

In the headers of your mail I see 192.168.1.4, which would thus not be in 
mynetworks.

So you may want to check that..
Cheers.


On March 24, 2019 8:35:59 PM UTC, VP Lists wrote:
>Hi folks.
>
>I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s
>running Postfix as a mail server.  
>
>My LAN has a 192.168.x.x range.  I’m getting that error when an app I’m
>developing, is trying to send an email out through this email server to
>the internet.  A gmail address specifically. 
>
>
>
>My main.cf:
>
>biff = no
>command_directory = /usr/sbin
>config_directory = /Library/Server/Mail/Config/postfix
>daemon_directory = /usr/libexec/postfix
>data_directory = /Library/Server/Mail/Data/mta
>debug_peer_level = 2
>debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>xxgdb $daemon_directory/$process_name $process_id & sleep 5
>dovecot_destination_recipient_limit = 1
>html_directory = /usr/share/doc/postfix/html
>imap_submit_cred_file = /Library/Server/Mail/Config/postfix/submit.cred
>inet_interfaces = loopback-only
>inet_protocols = all
>mail_owner = _postfix
>mailbox_size_limit = 0
>mailq_path = /usr/bin/mailq
>manpage_directory = /usr/share/man
>message_size_limit = 10485760
>mydomain_fallback = localhost
>mynetworks = 192.168.0.0/24 127.0.0.0/8# RF
>newaliases_path = /usr/bin/newaliases
>queue_directory = /Library/Server/Mail/Data/spool
>readme_directory = /usr/share/doc/postfix
>recipient_delimiter = +
>sample_directory = /usr/share/doc/postfix/examples
>sendmail_path = /usr/sbin/sendmail
>setgid_group = _postdrop
>smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
>smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination permit
>smtpd_tls_ciphers = medium
>smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
>tls_random_source = dev:/dev/urandom
>unknown_local_recipient_reject_code = 550
>use_sacl_cache = yes
>postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated reject_unauth_destination
>
>I’m hosting a handful of local and FQDN on the LAN, and I develop using
>a machine.local naming scheme.  Just wondering how I can whitelist my
>internal domains to get outgoing emails past my mail server.  Not
>really sure what to post here as well.
>
>Any insight appreciated.
>
>Cheers
>
>
>_
>Rich in Toronto @ VP


Re: Postfix Active: active (exited) - (code=exited, status=0/SUCCESS)

2019-03-22 Thread B. Reino

On Fri, 22 Mar 2019, Davide Marchi wrote:


Hi Friends,
on a VPS Debian Stretch, Postfix 3.1.9-0, Dovecot 2.2.27-3, rspamd 1.8.3-1, 
Clamav 0.100.2, postfix-mysql 3.1.9-0, dovecot-mysql 2.2.27-3


running "systemctl -l status postfix" obtain:


● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2019-03-21 22:04:46 CET; 18h ago
  Process: 4453 ExecReload=/bin/true (code=exited, status=0/SUCCESS)
  Process: 4644 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 4644 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/postfix.service


I've tried to reload (Postfix+Dovecot), restart (Postfix+Dovecot), upgrade 
(Postfix), but the behavior stays the same.
The entire email server seems to be working fine, no errors in /var/log/mail.err and 
the various features seem to be operating.


Is this one referable to this bug: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877992 ?


Could you suggest how to debug this issue, if it is a problem?


It is not an issue.
Try systemctl status postfix@-

Postfix is configured as a multi-instance unit, or whatever systemd calls 
it.


Nothing to worry about.


Re: downgrading from postfix-3.4 fails - unix-dgram

2019-02-01 Thread B. Reino

On Fri, 1 Feb 2019, Eray Aslan wrote:


Downgrading from postfix-3.4 fails with:


[...]

bin/postconf: fatal: invalid type field "unix-dgram" in "postlog   unix-dgram n  -   n   -   1   postlogd"

Just letting you know.


If you downgrade, you also have to "downgrade" the config :)
AFAIK postlogd didn't exist until 3.4

Cheers.
Bernardo Reino.



Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-15 Thread B. Reino

On 2018-11-15 12:24, Poliman - Serwis wrote:

I have a few domains on the server. Some of them use my server to send 
emails, but a few have an external mail service like Google configured. 
I need to disable the use of my mail service by colonel.com.pl on my 
server. There needs to be only Google, nothing more, but the other 
domains need to use my mail service.


Well then just leave it as it is. Obviously the warning you got from 
Google does not apply, because that SMTP server is taking care of other, 
unrelated, domains. Therefore you can safely ignore the warning, as it 
is wrong.


Re: G Suite mx checker complains "do not configure the mail service on the only domain name."

2018-11-14 Thread B. Reino

On 2018-11-14 08:21, Poliman - Serwis wrote:


2018-11-13 19:58 GMT+01:00 Wietse Venema :


You may still want to turn off the SMTP listener on colonel.com.pl,
because it will never receive legitimate email.

Wietse


Thank you for the answer. I suppose I don't understand properly. How could 
I do this if this domain has its MX on Google?


If your e-mail is handled by Google, then you should not have an SMTP 
server running (listening) on colonel.com.pl.


So you should go (ssh) to colonel.com.pl and 
disable/deinstall/firewall/etc. postfix so that it does not accept 
incoming e-mails (e.g. ports 25, 465, 587).


If anyone wants to send you an e-mail, the MTA (sending server) will 
lookup colonel.com.pl and find the relevant MX record pointing to 
Google. The MTA will then send the e-mail to the Google server.


In severely broken situations an MTA might decide to try to send it 
directly to colonel.com.pl and -- surprise -- find a welcoming 
(listening) SMTP server. You don't want that, so, again, you should 
disable/remove/uninstall the SMTP server on colonel.com.pl


Hopefully this is clear now.


Re: what does these log lines mean?

2018-11-06 Thread B. Reino

On Tue, 6 Nov 2018, Poliman - Serwis wrote:


Thank you for answer. I attach .txt file with output of postconf -n.


Your original message showed amavis filtering on ports 10024 and 10026.
Your postfix configuration shows only amavis on port 10024.

I think your logs don't come from the postfix with the configuration you
posted.

In any case, what do you need to know?
Have YOU configured the postfix server, or are you trying to understand 
why something happens (your log lines) on a server which you DO NOT 
administer?


I don't think anybody here has time for puzzles.



Re: what does these log lines mean?

2018-11-05 Thread B. Reino

On Tue, 6 Nov 2018, Poliman - Serwis wrote:


Sorry for the HTML markup, I have learned for the future. Thank you for the brief
answer. Is each email filtered by amavisd, or only some kind of
suspicious ones?


You're the only one who can answer that question. Did you configure such 
filtering?


You could post your $(postconf -n)

Cheers.



Re: how set postfix server as non-functional

2018-10-26 Thread B. Reino

On 2018-10-26 14:36, Poliman - Serwis wrote:

Thank you for the answer. I have a static IP - I bought a VPS from OVH. I have 
configured a few domains with mailboxes there. On the server are services like 
www, ftp, mail. So, if I understood well, I should block port 25.


Maybe you can go back one step and explain why you think you need to 
block port 25?


I mean, if you want to be able to receive e-mails you need to allow 
incoming connections on port 25. If you want to send e-mails from your 
server then you need outgoing connections on port 25.


Or did I misunderstand you?


Re: TLSv1.2 only for auth connection

2018-10-25 Thread B. Reino

On Thu, 25 Oct 2018, Thomas Bourdon wrote:

Because mail providers send mail to my smtp server through this port, don't 
they ?


On 25.10.2018 15:00, B. Reino wrote:

On Thu, 25 Oct 2018, Thomas Bourdon wrote:

Is there a way to allow tlsv1.0 minimum for unauth connection and allow 
tlsv1.2 minimum for auth connection on port 465 ?


Why would you want unauthenticated connections on port 465? (smtps).
It's AFAIK a submission port.


SMTP<->SMTP is (should be) always on port 25, with or without STARTTLS.
Port 465 is submission with TLS wrapper-mode, and port 587 is submission 
(with or without STARTTLS).


I don't know if there are any smtp clients (in the sense of postfix smtp 
"client") using 465 for sending to a smtp server (in the sense of postfix 
smtpd..)




Re: TLSv1.2 only for auth connection

2018-10-25 Thread B. Reino

On Thu, 25 Oct 2018, Thomas Bourdon wrote:

Is there a way to allow tlsv1.0 minimum for unauth connection and allow 
tlsv1.2 minimum for auth connection on port 465 ?


Why would you want unauthenticated connections on port 465? (smtps).
It's AFAIK a submission port.



Re: postfix stops sending mail after sometime

2018-10-23 Thread B. Reino

On Tue, 23 Oct 2018, Dominic Raferd wrote:


On Tue, 23 Oct 2018 at 09:06, B. Reino  wrote:


On Sat, 20 Oct 2018, Wietse Venema wrote:


gaurav.parashar:

Hi,
I had installed postfix in Ubuntu 16.04 and it was working seamlessly. Some
time back I upgraded it to Ubuntu 18.04 and suddenly emails stopped coming to
my inbox. It gave me this error:
postfix/postdrop[27466]: warning: mail_queue_enter: create file
maildrop/675261.27466: Permission denied


Someone messed up file permissions, or someone decided
to break setgid programs.


It might be unrelated but in the dovecot debian package the
systemd service file includes (included?) the option
"NoNewPrivileges=false", which causes (caused..) many problems.

In my case, forwarding mails (via a sieve filter), didn't work because
dovecot/sieve could not use postdrop.

I don't know whether Ubuntu makes use of this option in either dovecot,
postfix, or both, but it may be worth checking..



I don't see this setting in Ubuntu 18.04's
/lib/systemd/system/dovecot.service. (It has ProtectSystem=full, which
doesn't cause me any problems.)


Good to know :)

BTW note that the "wrong" setting is NoNewPrivileges=true. I got it 
backwards in the previous e-mail (because I copied what I have...)


Re: postfix stops sending mail after sometime

2018-10-23 Thread B. Reino

On Sat, 20 Oct 2018, Wietse Venema wrote:


gaurav.parashar:

Hi,
I had installed postfix in Ubuntu 16.04 and it was working seamlessly. Some
time back I upgraded it to Ubuntu 18.04 and suddenly emails stopped coming to
my inbox. It gave me this error:
postfix/postdrop[27466]: warning: mail_queue_enter: create file
maildrop/675261.27466: Permission denied


Someone messed up file permissions, or someone decided
to break setgid programs.


It might be unrelated but in the dovecot debian package the 
systemd service file includes (included?) the option 
"NoNewPrivileges=false", which causes (caused..) many problems.


In my case, forwarding mails (via a sieve filter), didn't work because 
dovecot/sieve could not use postdrop.


I don't know whether Ubuntu makes use of this option in either dovecot, 
postfix, or both, but it may be worth checking..


Cheers,

--
Bernardo.


Re: Multiple sasl configuration

2018-10-22 Thread B. Reino

On Mon, 22 Oct 2018, Emmanuel Jaep wrote:

You are also right that openrelay.customer.com has a non-working 
STARTTLS. They actually have neither authentication nor encryption. This 
is actually my current 'challenge': how to set this relay up without 
encryption and authentication while keeping our current config for other 
relays (encryption + authentication).


If OK, you might also want to change:

smtp_tls_security_level = encrypt
to
smtp_tls_security_level = may

so that TLS is opportunistic rather than enforced.

Cheers,

--
Bernardo.


Re: Outbound DKIM signing milter options for Postfix?

2018-10-11 Thread B. Reino

On Thu, 11 Oct 2018, Benny Pedersen wrote:


B. Reino skrev den 2018-10-11 09:48:


I can recommend rspamd. The DKIM module is very flexible, supports
multiple domains, etc.


rspamd is a bit of overkill for dkim signing


If you only want DKIM signing, then yes.

In my case, rspamd does DKIM signing, DKIM/SPF/DMARC checking (+ DMARC 
Reporting), plus of course its core task of spam filtering.


One milter to rule them all, so to speak :)

Cheers.



Re: Outbound DKIM signing milter options for Postfix?

2018-10-11 Thread B. Reino

On 2018-10-11 04:08, pg...@dev-mail.net wrote:

I'm setting up outbound DKIM signing for a Postfix instance.

I'd prefer something other that OpenDKIM or Amavisd.

Other than DIY, is there a solid/stable milter for outbound signing
folks are successfully using with Postfix?

Appreciate any references!


I can recommend rspamd. The DKIM module is very flexible, supports 
multiple domains, etc.


Cheers.


Re: BCC to a local account

2018-09-24 Thread B. Reino

(Excuse the off-topic message but, see below, I cannot reach Mr. Carville)

Dear Mr. Carville,

I noticed that when you send an e-mail to the postfix mailing list, my 
mail server (mail.reinob.de, 5.189.132.144) tries to send a DMARC report 
to your mail server, i.e. to dmarc-...@lereta.com, as per your DMARC 
record (it is also sent to dmarc_...@emaildefense.proofpoint.com, which 
does not cause any problems).


However your server then rejects my DMARC report:

: host mx02.lereta.com[198.204.112.74] said:
554 5.7.1 : Client host rejected:
reject_by_client blacklist (in reply to RCPT TO command)

AFAIK mail.reinob.de is not in any blacklist and has never been used to 
send spam (it's my private e-mail server, used strictly by me and my 
family).


Could you let me know which blacklists you are using?
(and if you manage the list, could you please remove my server from it?)

Thank you in advance,

--
Bernardo Reino.


Re: spf dkim authentication-failure

2018-09-24 Thread B. Reino

On Mon, 24 Sep 2018, Maurizio Caloro wrote:


Since last week I get these messages every time I send any email; I can't
find my mistake.

Please can you give me the right way to search for what I need to look at, or
what my trouble is here.



opendkim[714]: 8D328402FC: DKIM-Signature field added (s=mail, d=caloro.ch)



This is a spf/dkim authentication-failure report for an email message

received from IP 149.20.1.60 on Mon, 24 Sep 2018 11:41:36 +0800.


Below is some detail information about this message:



1. SPF-authenticated Identifiers: none;
2. DKIM-authenticated Identifiers: none;
3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;


Hello,


From what I can see, at least in the message I'm responding to:


Authentication-Results: mail.reinob.de;
dkim=pass header.d=caloro.ch;
dmarc=pass (policy=none) header.from=caloro.ch

so at least my mail server didn't complain about your message.

The only thing that looks odd is that your message is DKIM-signed twice.

However you've only shown the received DMARC failure report, and not the 
original message, so it's hard to know what the problem was.


Cheers,

--
Bernardo Reino.


Re: Double-Bounce

2018-09-14 Thread B. Reino

On 2018-09-14 11:11, Benny Pedersen wrote:

B. Reino skrev den 2018-09-14 10:52:

So in a way this message is just a test, but hopefully also a 
clarification :)


Authentication-Results: linode.junc.eu;
dkim=fail reason="signature verification failed" (1024-bit key)
header.d=bbmk.org header.i=@bbmk.org header.b=I6ED3eZq;

do not sign all headers :)


I was just using the default in rspamd. After failing this time and 
removing the Sender header I think my messages to the list are now being 
validated OK.


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbmk.org; 
s=default;

t=1536915126; h=from:from:sender:subject:subject:date:date:to:to:cc:
 in-reply-to:in-reply-to:references:references;

2 header lines with from ?

2 header lines with subject ?

2 header lines with references ?


DKIM Oversigning (https://tools.ietf.org/html/rfc6376#section-5.4.2)
Should not hurt, but I might remove that as well..

Cheers and thanks a lot.
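The signature Benny quotes above is a compact illustration of what the earlier post (relaxing sign_headers to from:to:subject:date:message-id:in-reply-to:references, with no oversigning and no "sender") fixes. As an added example, not rspamd's or the poster's code, the script below splits a DKIM-Signature value into its tags, then classifies the names in h=: which are listed twice (oversigning, RFC 6376 section 5.4.2) and which are fields a mailing-list manager typically adds or rewrites and so will not survive list traffic. The bh= and b= values in the embedded sample are constructed placeholders; the quoted mail did not include them.

```python
from collections import Counter

# DKIM-Signature field as shown in the thread above (bh= and b= values are
# constructed placeholders; the real ones were not quoted in the mail).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbmk.org; s=default;\r\n"
    "\tt=1536915126; h=from:from:sender:subject:subject:date:date:to:to:cc:\r\n"
    "\t in-reply-to:in-reply-to:references:references;\r\n"
    "\tbh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE="
)

# Header fields a mailing-list manager typically adds or rewrites on the way
# through (Sender is the one that bit the poster; the List-* names are from
# RFC 2369). Signing them, or over-signing them, fails on list traffic.
LIST_FRAGILE = {"sender", "list-id", "list-post", "list-help",
                "list-unsubscribe", "list-subscribe", "list-archive"}


def parse_dkim_tags(signature):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).

    Folding whitespace is removed first, since tag values may be wrapped.
    """
    tags = {}
    for part in "".join(signature.split()).split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.lower()] = value
    return tags


def analyze_signed_headers(h_value):
    """Classify the header names in an h= tag.

    A name listed more often than it occurs in the message is "over-signed"
    (RFC 6376 5.4.2): the extra entry signs an empty field, so nobody can add
    another instance later without breaking the signature. That is deliberate
    hardening, but every extra entry is one more thing a relay can break.
    Here "listed more than once in h=" is used as the sign of over-signing.
    """
    names = [n.lower() for n in h_value.split(":") if n]
    counts = Counter(names)
    return {
        "signed": sorted(counts),
        "oversigned": sorted(n for n, c in counts.items() if c > 1),
        "list_fragile": sorted(n for n in counts if n in LIST_FRAGILE),
        "from_signed": "from" in counts,  # From must be signed (RFC 6376 5.4)
    }


if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_SIGNATURE)
    report = analyze_signed_headers(tags["h"])
    print(f"d={tags['d']} s={tags['s']}")
    for key, value in report.items():
        print(f"  {key}: {value}")
```

Pointing it at a message that came back from a list and failed verification shows at a glance whether the failure is explained by a rewritten Sender or a stripped List-* field rather than by a broken key; run it on the relaxed rspamd list from the earlier post and both the oversigned and the list_fragile results come back empty.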


Re: Double-Bounce

2018-09-14 Thread B. Reino



On 2018-09-14 10:52, B. Reino wrote:


I think the postfix ML is not so "DKIM safe". In my case, it causes my
DKIM signature to fail. I have now compared a message sent by me
against other messages sent e.g. by Benny Pedersen, and concluded that
my configuration (using rspamd) was signing way too many fields. I
have now reduced the number of fields and hopefully this message
should now come back from the postfix ML with a valid DKIM signature.

So in a way this message is just a test, but hopefully also a 
clarification :)


Cheers,
Bernardo Reino.


Well I guess the above test failed :(
I forgot to exclude the "Sender:" header as well.
This is however my last test. I don't want to spam the list.

Sorry and cheers,

--
Bernardo Reino.


Re: Double-Bounce

2018-09-14 Thread B. Reino

On 2018-09-14 10:36, Dominic Raferd wrote:


On Fri, 14 Sep 2018 at 07:14, Benny Pedersen  wrote:


Benny Pedersen skrev den 2018-09-14 08:08:

Dominic Raferd skrev den 2018-09-14 07:33:
On Fri, 14 Sep 2018 at 00:29, Julian Opificius wrote:


Why is it that my system marks everything from you as spam, Benny? Is it
your tld? I've added you to my address book, but my server keeps
spitting you out.


Because the domain that he uses to send emails through this mailing
list has DMARC p=quarantine setting:
# dig +short _dmarc.junc.eu TXT
"v=DMARC1; p=quarantine; rua=mailto:report_...@dmarc.junc.eu; fo=d;
adkim=r; aspf=r; sp=none"


postfix maillist is dkim safe, so if it breaks, show the link that
breaks it, whitelist postfix maillist so it does not go into
quarantine

can i help more ?

i get dmarc pass back on my post here


DMARC-Filter: OpenDMARC Filter v1.3.2 linode.junc.eu 2C5B31BE06F
Authentication-Results: linode.junc.eu; dmarc=pass (p=quarantine
dis=none) header.from=junc.eu
Authentication-Results: linode.junc.eu;
dkim=pass (1024-bit key) header.d=junc.eu header.i=@junc.eu
header.b=Aedk3uHj;
dkim-atps=neutral
Received-SPF: none (postfix.org: No applicable sender policy available)
receiver=localhost.junc.eu; identity=mailfrom;
envelope-from="owner-postfix-us...@postfix.org";
helo=russian-caravan.cloud9.net; client-ip="2604:8d00:0:1::4"


Sorry you are right: your emails pass DKIM and also, when going through 
postfix mailing list (but not all others), pass DKIM alignment, so they 
pass DMARC. However, when sent through mailing lists, they fail SPF, 
and (for DMARC) SPF alignment, so servers that make decisions based 
only on this (which is not the DMARC way) may choose to treat them as 
spam. Mine don't, but I have seen your emails quarantined (or, 
previously, blocked) on other mailing lists, hence my original comment.


I think the postfix ML is not so "DKIM safe". In my case, it causes my 
DKIM signature to fail. I have now compared a message sent by me against 
other messages sent e.g. by Benny Pedersen, and concluded that my 
configuration (using rspamd) was signing way too many fields. I have now 
reduced the number of fields and hopefully this message should now come 
back from the postfix ML with a valid DKIM signature.


So in a way this message is just a test, but hopefully also a 
clarification :)


Cheers,
Bernardo Reino.
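Dominic's explanation above (DKIM aligned and passing, SPF failing for the list's envelope sender, DMARC nevertheless passing because one aligned mechanism is enough) is the DMARC evaluation in miniature. As an added example, not part of the thread and not OpenDMARC's code, the following parses the _dmarc.junc.eu record quoted above and combines DKIM and SPF outcomes into a verdict, for both the "DKIM survived the list" case and the "list broke DKIM" case where p=quarantine applies. The organizational_domain helper is a two-label approximation labelled as such; a real verifier uses the Public Suffix List, and pct= is not modelled.

```python
# DMARC record quoted in the thread above (the rua address was already
# elided in the archive and is left as-is; it plays no part here).
SAMPLE_RECORD = ('"v=DMARC1; p=quarantine; rua=mailto:report_...@dmarc.junc.eu; fo=d; '
                 'adkim=r; aspf=r; sp=none"')


def parse_dmarc_record(txt):
    """Turn a _dmarc TXT record into a tag dict (RFC 7489 6.3)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def organizational_domain(domain):
    """Approximation using the last two labels.

    Assumption for this example: a real verifier consults the Public Suffix
    List so that e.g. example.co.uk is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def evaluate_dmarc(record_txt, header_from, dkim_pass_domains, spf_pass_domain):
    """Combine the DKIM and SPF outcomes into a DMARC verdict.

    dkim_pass_domains: d= of every signature that verified.
    spf_pass_domain:   MAIL FROM domain if SPF passed, else None.
    DMARC passes when at least one *aligned* mechanism passes; an SPF failure
    on its own (the mailing-list case) does not fail DMARC.
    """
    rec = parse_dmarc_record(record_txt)
    dkim_ok = any(aligned(header_from, d, rec.get("adkim", "r")) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(header_from, spf_pass_domain, rec.get("aspf", "r"))
    result = "pass" if (dkim_ok or spf_ok) else "fail"
    # the published policy is only applied to failing mail; pct= is ignored here
    disposition = "none" if result == "pass" else rec.get("p", "none")
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "result": result, "disposition": disposition}


if __name__ == "__main__":
    # Through the postfix list: DKIM survives, SPF is "none" for the list's
    # envelope sender, so DMARC still passes (the quoted Authentication-Results).
    print(evaluate_dmarc(SAMPLE_RECORD, "junc.eu", ["junc.eu"], None))
    # Through a list that rewrites signed headers: DKIM breaks, SPF cannot
    # align with the list's domain, so p=quarantine applies.
    print(evaluate_dmarc(SAMPLE_RECORD, "junc.eu", [], None))
```

The second call is exactly why receivers that quarantine on SPF alone, or lists that touch signed headers, get list mail flagged: once the DKIM signature no longer verifies there is nothing aligned left, and the published p= takes over.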


Re: multiple/simultaneous virtual_transports?

2018-09-04 Thread B. Reino

On Tue, 4 Sep 2018, Noel Jones wrote:


To override the transport for a single recipient, use a
transport_maps entry with the recipient address as the key. No
change needed for the existing virtual_transport.

something like:
# /path/to/transport_file
u...@example.com  lmtp:[someotherhost]:port

# main.cf
transport_maps = hash:/path/to/transport_file



OK! Thanks for the confirmation :)


===

Delivering one mail to multiple servers is more complicated.  Add a
virtual_alias_maps entry to add a second recipient for the message,
then deliver the second recipient to the alternate server.  If
necessary, you can use lmtp_generic_maps to rewrite the recipient
back to the original name during delivery.

# virtual_alias
u...@example.com   u...@example.com  u...@other.example.com

# transport
u...@other.example.com  lmtp:[other.example.com]:port

# lmtp_generic
other.example.com  example.com

# main.cf
virtual_alias_maps = hash:/path/to/virtual_alias
transport_maps = hash:/path/to/transport
lmtp_generic_maps = hash:/path/to/lmtp_generic


Double thanks for this!

I still need to clarify what to do with that domain (I host it for a 
friend, but I'd rather he keeps his own IMAP server/storage while I take 
care of incoming/outgoing e-mails (postfix)).


The multiple delivery would allow me to verify that his own IMAP server 
(which still needs to be prepared) receives and serves the e-mails 
correctly. Then I'd "pull the plug" and switch to the first option 
described above (delivering directly, and only, to his own IMAP server).


Thanks again! (to Viktor too for confirming!)


multiple/simultaneous virtual_transports?

2018-09-04 Thread B. Reino

Hello,

I currently host three virtual domains with a postfix instance. Delivery 
is, for all accounts, to a (local, using unix socket) dovecot server using 
LMTP.


For one of those virtual domains I'd like to have a separate (remote) 
dovecot server, while keeping the SMTP (postfix) at the current server.


Thus I'd need something like:
 virtual_transport = lmtp:[hostname]:port
  (if recipient is in the now-external domain)
  (using [] to deliver via lmtp to hostname directly)

 virtual_transport = lmtp:unix:private/dovecot-lmtp
  (otherwise)

I believe the correct way to do this is defining the default virtual 
transport with

 virtual_transport = lmtp:unix:private/dovecot-lmtp

and then:
 transport_maps = hash:/etc/postfix/virtual_transport

having in /etc/postfix/virtual_transport
 external.domain lmtp:[hostname]:port

Q1) does the above make sense?
i.e. will it work as intended (as explained above), so that e.g. if the 
(valid, as otherwise rejected) recipient domain is not found in the hash 
table then the (default) virtual_transport will be used?


(otherwise, and assuming the above would work, I could just define the 
remaining domains also in the table, but I'd prefer keeping it as generic 
as possible).


Q2) would it also be possible to -- during a testing period -- have TWO 
virtual_transports for a single virtual domain?


This way I could deliver via LMTP to the existing server (via unix socket) 
as well as to the new remote server (lmtp via inet).


Thanks a lot in advance for any replies or clarifications!