It appears that Steffen Nurpmeso via Postfix-users said:
W> |I did not want to insult you!
> |In mind i had these canon..py snippets
> |
> | def strip_trailing_whitespace(content):
> |     return re.sub(b"[\t ]+\r\n", b"\r\n", content)
> |
> |
> | def compress_whitespace(content):
> |     return
It appears that Viktor Dukhovni via Postfix-users said:
>On Wed, Apr 24, 2024 at 01:01:46AM -0000, John Levine via Postfix-users wrote:
>
>> >I must be interpreting this wrong because it appears postfix is not
>> >accepting that. Here is the complete process. A messa
work. BTDT.
This has nothing to do with MIME or wrapping, by the way. The SMTP
spec says that the *only* line ending is \r\n and bare \r or \n is
undefined. Postfix strips the \r on the way in and will add the \r on
the way out if you let it handle the SMTP sessions.
R's,
John
--
Regards,
John Le
Here's another question that might be answered in the documentation
but I can't find it. If I have a file delivery like this in
the /etc/aliases file
foo: /a/b/somefile
what userid writes to the file? postfix? nobody?
I realize that for user mailboxes it's the user, but
in this case, there's
I am trying to tidy up a complicated and messy postfix config that has
all the issues you'd expect in one that has been twiddled by many
people over a decade to handle multiple sort of related mail streams.
Today's issue is ensuring that we only do submission rewrites on
outgoing mail, not
It appears that Joachim Lindenberg via Postfix-users said:
>Hello John,
>are you willing to share what direction you/IETF are working towards?
It's the EMAILCORE working group. You can see the documents here:
https://datatracker.ietf.org/wg/emailcore/documents/
>What I am really missing is
It appears that Phil Biggs via Postfix-users said:
>Where do see the "mandatory" requirement?
>
>Section 4.1.1.8 says:
>
> SMTP servers SHOULD support HELP without arguments and MAY support it
> with arguments.
SHOULD is IETF-ese for you have to, except that there might be reasons
not to
Over in the IETF we're slowly working on updating RFC 5321.
Today's topic is the HELP command. The current spec says that it is
mandatory to implement it. Most MTAs implement it by returning a fixed
string, or something close to fixed, e.g., gmail's answer appears to
include a code that tells you
This paper describes a clever hack that uses defective line endings to embed
a second SMTP session inside a first one, which has the practical effect
of letting you send fake authenticated mail from anyone else who uses the
same mail system you do. If that system is MS Outlook, that's a lot of
If a malformed mail message shows up by SMTP (not local sendmail or
submission), will postfix generally try to clean it up or just
pass it along?
I see the cleanup program and all the options about when to run it and
what to tell it to do, but in practice, will a typical system clean
everything
It appears that Viktor Dukhovni via Postfix-users said:
>Postfix supports DANE, but there's no MTA-STS support. And I've not
>seen much by way of receiving MTAs advertising REQUIRETLS as a
>capability
I did a proof of concept implementation that advertises REQUIRETLS and then
ignores it.
As
It appears that Tom Reed via Postfix-users said:
>Since the message was sent to mailing list which rewrites envelope address
>and adds list signature, so:
>
>1) SPF for header From: address won't get pass due to SRS.
>2) DKIM won't get pass due to list signature.
>
>So the DMARC failed totally
It appears that Jaroslaw Rafa via Postfix-users said:
>Dnia 16.04.2023 o godz. 16:32:41 Gerald Galster via Postfix-users pisze:
>>
>> Mails classified as spam or external forwards seemingly take another route
>> via mout-xforward.web.de. These servers are SBL-listed by intention, most
>> likely
It appears that tom--- via Postfix-users said:
>$ dig -x 82.165.159.35 +short
>mout-xforward.web.de.
>
>Can anyone from web.de help with this?
The only people who should be able to send mail through that server are web.de
customers.
If you are a customer, what happened when you contacted them
It appears that Benny Pedersen said:
gmail.dk. 300 IN MX 0 .
>>>
>>> if nullMX is added then spf and dmarc can be removed
>>
>> You need both the null MX and the SPF. Null MX says you
>> don't receive mail, SPF -all says you don't send mail.
>
>why is spf
It appears that Benny Pedersen said:
>On 2022-04-13 19:27, Matus UHLAR - fantomas wrote:
>
>> however, they miss the nullmx record:
>>
>> gmail.dk. 300 IN MX 0 .
>
>if nullMX is added then spf and dmarc can be removed
You need both the null MX and the SPF. Null MX
For doing DMARC validation, I know about the opendmarc milter. Is that what
everyone uses? Is there anything else used in practice?
I know about perl and python libraries but they don't seem to have
milters or other ready to use integrations into MTAs.
TIA,
John
It appears that Byung-Hee HWANG said:
>Hello,
>
>My final Inbox Provider is Gmail(soyeo...@gmail.com) for 13 years. Also
>i added paid plan of Google Workspace for
>
>Someday far later i have to plan. That is to forward into
>soyeo...@gmail.com all emails (on soyeo...@doraji.xyz). (If True)
It appears that @lbutlr said:
>On 2022 Feb 25, at 08:55, Viktor Dukhovni =
>wrote:
>> The moment TLS enters into the picture, you start to need much more
>> complicated certificate management to get MUAs to see an acceptable
>> certificate for its expected name on ports 587 and 465,
Also for
>what this might break upon replying with this doctored header.
>That is, will it cause "breakage" of certain SPAM/Malware checks, or email
>tamper detectors.
List software does that all the time. It won't cause any problems that you
don't already have from the routine changes that
It appears that Benny Pedersen said:
>On 2022-01-15 20:01, Robert Siemer wrote:
>
>> I need to DKIM sign possibly huge emails (up to 150MB).
>
>insane
agreed
>> A DKIM signer can do this by either keeping the message in memory (a
>> no-go for me) or write it to a file.
>
>will a mount point on
It appears that Viktor Dukhovni said:
>I'd use CDB for this. I think the inputs will not change frequently
>enough or be anywhere near sufficiently many to make the CDB map
>creation time to be something to worry about.
>
>CDB has a very stable disk format and API, I trust it more than
>either
It appears that Viktor Dukhovni said:
>> For an application I'm working on, we need to set up about 50,000 forwarding
>> addresses.
>You should be able to use an LMDB, Berkeley DB or CDB database with
>millions of entries.
>
>Though I don't think you're asking about 1-to-very-many forwarding,
For an application I'm working on, we need to set up about 50,000 forwarding
addresses.
If we just put them into a hash or btree lookup table, would that be a problem?
It doesn't seem like a very big database.
R's,
John
It appears that Wietse Venema said:
>Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
>
>https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
Just wondering, did you add the anti-http stuff because of ALPACA or was it
People in the web world are in a kerfuffle about an attack called ALPACA which
(leaving out a lot of details) gets a web browser to send requests to a non-web
server and then get the browser to interpret the responses in unfortunate ways.
Most of the unfortunateness comes from the server
time.
It is a fairly recent change, perhaps a year ago, that they return the .254 and
.255 codes rather than just ignoring the request, as a hint that you need to fix
your configuration.
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please
It appears that Benny Pedersen said:
>On 2021-04-30 18:34, John Levine wrote:
>
>>> We've just released OpenDMARC 1.4.1 over at
>>> https://github.com/trusteddomainproject/OpenDMARC
>>
>> Thanks. Is there a downloadable tarball available? Sourceforg
It appears that Dan Mahoney (Gushi) said:
>Hey there,
>
>A cross post because there's enough dmarc discussion to be relevant.
>
>We've just released OpenDMARC 1.4.1 over at
>https://github.com/trusteddomainproject/OpenDMARC
Thanks. Is there a downloadable tarball available? Sourceforge only
It appears that Viktor Dukhovni said:
>[ Wietse's upstream FTP site for Postfix source tarballs will soon no
> longer be browser-accessible. :-( ]
If you use a Mac, FTP is built into the Finder. Who needs a browser?
It appears that Jaroslaw Rafa said:
>Dnia 22.04.2021 o godz. 12:04:23 John Levine pisze:
>>
>> Safari and Brave also show a Not Secure warning. Firefox won't connect
>> at all unless you manually edit the https to http in the address box.
>> Pick your poison.
>
It appears that Nick Tait said:
>>> Chrome shows it as "Not secure" followed by postfix.com by gracefully
>>> hiding the implied www.
>> I think you meant to write "by disgracefully hiding...".
>
>I'm not hearing many reasons to use HTTPS... Just lots of reasons not to
>use Chrome? ;-)
Safari
It appears that IL Ka said:
>-=-=-=-=-=-
>
>>
>>
>> There is neither a service at port 443, nor a postfix.org website.
>>
>>
>I believe this is about http://www.postfix.org/
>There is no https there.
>
>It should be easy to install Letsencrypt certificate there, but I am not
>sure if it's worth
It appears that Wietse Venema said:
>According to Exim documentation (link below) the '!' and '%' are
>not special in email addresses, so we know that at least it does
>not appear to break legitimate usage.
Technically, that is correct. According to the local-part syntax in RFCs 5321
and 5322,
It appears that Wietse Venema said:
>With uniform or compressed payloads, 256 bytes become 261 on average,
>thus it takes 978.9 bytes on average to expand into 998. Add CR
>and LF to the 998, and we have an expansion of 1000/978.9=1.022 or
>just a little over 2%.
That was my estimate too. I
It appears that Wietse Venema said:
>> BINARYMIME avoids the 33% size increase of base64. If people cared
>> about that, since every MTA now supports 8BITMIME it would be easy
>> to invent a quoted-unprintable content-transfer-encoding which
>> escaped only the few characters that are special in
It appears that Wietse Venema said:
>Demi Marie Obenour:
>> How useful would BINARYMIME support be? It does mean that DKIM signing
>> would need to be done in the sending path, but I cannot think of any
>> reasons that would be a blocker. Having DKIM and DMARC built-in to
>> Postfix would be a
It appears that LoneStarKen said:
>Possibly. Since I am unsure why the package maintainer disabled
>CHUNKING I am concerned enabling it, we might have a broken
>implementation of BDAT or even worse something else breaks.
>Since this is a production server, I'm going to err on the
>side of
In article <20210214181714.ga238...@wzv.porcupine.org> you write:
>On Sun, Feb 14, 2021 at 10:49:52AM -0500, John Levine wrote:
>> I'm using postfix 3.5.8 on FreeBSD 12.2, the packaged version
>>
>> I have set up a Chinese EAI domain with some Chinese a
<0969fd79d37ce0b524e84319a8f21...@junc.eu> you write:
>On 2021-02-14 16:49, John Levine wrote:
>> I'm using postfix 3.5.8 on FreeBSD 12.2, the packaged version
>>
>> I have set up a Chinese EAI domain with some Chinese addresses.
>>
>> The domain is in virtual_alias_domains, and
P�M-^B�件�M-^K�M-^U.中�M-^[�> proto=ESMTP
helo=
Feb 14 10:31:52 eaicheck postfix/smtpd[48813]: disconnect from
gal.iecc.com[64.57.183.53] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies
Content inspection is evil by-design and doomed to fail. This is just
another example.
Unfortunately, there's no alternative unless your users don't care
about getting mail from large providers with the occasional spam
infestation.
I suspect either it's just a mistake, or stuff that actually
submission 587/udp
I've been doing this for a long time, and I've never seen anyone try
to do SMTP over anything other than TCP.
Regards,
John Levine, postmas...@cauce.org, CAUCE postmaster
http://www.cauce.org
In article cahb6j2njd-vzhw_rejndnmnwyv5yv2gvypw3ucpti7yod3f...@mail.gmail.com
you write:
It's possible to modify the Date field on MUA side, if one were so
inclined, right?
If so, how would that be accomplished?
The easiest way is to change the clock in your computer, then send the
There is a somewhat popular convention that if a domain publishes an
MX like this:
whatever.example MX 0 .
it means the domain does not receive mail. There was a draft about it
in 2005 but it's never been formally standardized and the question has
arisen how widely implemented it is.
I
This is inaccurate. Postfix will not perform A/ lookups for ..
True. But postfix is not the only MTA, even if it is the one that gets
discussed on this list. :-)
I would say that if there are A or records for . we have worse
problems than whether some poorly addressed mail bounces.
If someone doesn't want a domain name to get email, the solution is simple.
Don't start an SMTP listener. For bonus points, don't publish MX records for
the domain either. Avoid having A or records too, or at least make sure they go
somewhere that doesn't listen for SMTP.
That works, but
Does any MTA other than Postfix implement nullmx?
I did some experiments. My qmail system rejects on nullmx immediately
for roughly the same reason postfix does, a general rejection on bad
MX records.
Among web mail, Yahoo rejects immediately, Gmail and AOL don't reject
immediately and I don't
As I think I said, the person who asked
has a domain a typo away from a very popular one, and would like to
get rid of the unwanted traffic efficiently while still having his
web server or whatever on the A record.
Tough. Whoever is in that position is presumably making enough money from the
Qmail ( which i know very few ) seem a bit autistic when talking
to non FQDN distants servers or with MX misconfigured.
I'm not surprised, it's pretty picky about non-standard behavior.
my idea is to add a postfix instance on this machine which will
send emails to the Internet.
In my plan Qmail
RFC 5321 says that if a mail server gives an initial banner with a 554
status code, that means no mail server here, so the client should do
whatever it normally does on a connection failure, looking for another
MX at equal or lower priority.
This is different from 554 later in the SMTP session,
The jungle drums have been rumbling about SPF2, as a result I started to
do some reading up on the new standard.
Not to cast aspersions, but the Sender-ID spec was published in 2006.
Must be a big jungle.
But the answer is simple: Sender-ID is dead, even Microsoft doesn't
use it any more. You
Don't use spamcop, or use it only with small weight in a scoring system.
I agree that Spamcop used to be awful, with vast numbers of false
alarms. But since Ironport bought them several years ago, there's
been a nearly complete turnover of staff and it's much better run.
Take another look. I
You want to share one dedicated external source IP address among
multiple Postfix SMTP clients. If there were only one dedicated
external source IP address, then a NAT router would suffice.
That would be my first suggestion. For a cheap experiment, get
something like a Cisco E2500, configure it
I would like to configure Postfix to send a mail after
e.g. 4 hours that the delivery has failed and that the system will try
to send the message for another 5 days. Is this possible?
Considering how incredibly annoying those messages were when sendmail
used to send them, I hope not.
R's,
My current config is as follows:
This one:
reject_rbl_client zen.spamhaus.org,
Includes these three, so there's no point in using them.
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
This one:
reject_rbl_client t1.dnsbl.net.au,
that.
Outsource your list to a competent ESP who already knows how to do it
correctly. The modest cost is well worth it. For a list of that size,
I'd look at Mailchimp and Constant Contact.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
Please consider the environment
Sadly, the opendkim library does not support applying two signatures in
parallel (set up two signing contexts, pass the message content through
once, get two signatures). So I have to pass the message through the
library twice, to apply two signatures. Not a show-stopper, but annoying.
If we ask
Here's some recipes for Postfix SUBMIT
---BeginMessage---
On 11/8/2010 9:28 PM, John Levine wrote:
A friend is trying to set up a Postfix submit server on port 587, so
it requires SMTP AUTH but doesn't use the DNSBLs that his regular port
25 server uses.
This is surely a FAQ, but we must both
Sorry about that. Stupid helpful mail program.
R's,
John
PS: What's worse is that I programmed the helpful bits myself.
Should we mention that these should only be used to reduce FPs from
blacklists that follow, and that are expected to not list legitimate
clients. ...
Depends on the whitelist.
I'm working on Spamhaus' new whitelist where our goal is to list only
mail sources clean enough that you can skip the
My apologies for shouting, but this wrong idea just won't go away:
If Postfix can't determine the client's reverse domain
(tempfail) and therefore cannot even ask SpamHaus whether the
(verified) client (PTR) domain is on the whitelist,
NO! NO, NO, NO!
Do NOT look up rDNS in the DWL. If
Anyone opposed to the postfix.org domain publishing an SPF record?
Yes. Now, can you go away, please?
R's,
John, MAAWG senior technical advisor, among other things
dkim can help as one component of a content filtering solution.
Current versions of Spamassassin can do DKIM checking. Don't turn on
ADSP reject because I say so checks (I say this as one of the
authors of the ADSP RFC), but you can adjust your config to list a few
heavily phished DKIM signers
Should I disable SAV for some domains to prevent blacklisting? Which domains?
Yes. All of them.
SAV is widely considered to be abusive, since it is technically
indistinguishable from spammer address verification. It's also rather
ineffective since great amounts of spam now uses random sender
Last time I used majordomo was in the 90's, I don't know if there is a
web interface. Can you tell me if there is a official one? Or can you
recommend another software to ease the management?
Majordomo2 is a complete rewrite from scratch. All it shares with mj1
is the basic commands used in