Please keep replies on-list only. Duplicates of anything sent to the
list are just a nuisance.
On 2021-07-14 at 20:51:03 UTC-0400 (Thu, 15 Jul 2021 10:51:03 +1000)
raf
is rumored to have said:
On Wed, Jul 14, 2021 at 09:07:54AM -0400, Bill Cole
wrote:
On 2021-07-14 at 03:43:57 UTC-0400
You can certainly take a pedantic view, that's contrary to the DKIM
RFCs and common sense, there's no Internet police to stop you. Just
keep in mind that rejecting failed DKIM signatures has no security
benefit.
Hm, there is always the possibility that I misunderstood the
specifications.
It is a really bad idea to reject messages whose DKIM signature is invalid.
DO NOT DO THIS.
Why exactly is it a really bad idea :) ?
Could you give us some more practical details/examples?
The point is that absent DMARC policy that promises DKIM signatures
aligned with the RFC2822.From
The DKIM standards are quite emphatically clear that bad signature == no
signature,
and that receiving systems MUST NOT reject a message just because a signature is
missing or fails to match. The treatment of messages that lack a signature is
covered by DMARC (and ARC).
It is a really bad idea
For example the following transaction will not show any errors in SYSLOG:
In: AUTH LOGIN
Out: 503 5.5.1 Error: authentication not enabled
In: QUIT
Out: 221 2.0.0 Bye
You can use the existing notify_classes based mechamism and pipe
that into syslog.
notify_classes = protocol, ...
For example the following transaction will not show any errors in
SYSLOG:
In: AUTH LOGIN
Out: 503 5.5.1 Error: authentication not enabled
In: QUIT
Out: 221 2.0.0 Bye
You can use the existing notify_classes based mechamism and pipe
that into syslog.
notify_classes = protocol, ...
Kevin N.:
For example the following transaction will not show any errors in SYSLOG:
In: AUTH LOGIN
Out: 503 5.5.1 Error: authentication not enabled
In: QUIT
Out: 221 2.0.0 Bye
You can use the existing notify_classes based mechamism and pipe
that into syslog.
notify_classes = protocol
It would be nice to have an option to enable logging to SYSLOG the SMTP
protocol errors that occur during a SMTP session, along with the SMTP
commands that caused them.
As far as I know, currently these errors can be logged to SYSLOG only by
one of the following methods:
1. By making the
This might help: http://www.postfix.org/BACKSCATTER_README.html
Cheers,
K.
On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
Ron Garret:
I have recently come under a backscatter spam attack from one
specific domain. This domain has blacklisted my server?s IP
address, and so bounce
Is there a way to reuse the same instance of the script, not spawn two
instances, and some how have the script know which restriction it was
called from?
Not sure if this helps, but maybe you could try to implement your policy
server as a standalone network server instead of calling it
I was curious so I did a quick test :) . As suspected, it does work.
Having a setup like:
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
...
check_policy_service { unix:private/policy-service,
policy_context=helo_restrictions_value }
...
Haven't tried it, but this might be what you are looking for.
http://www.postfix.org/SMTPD_POLICY_README.html#advanced
check_policy_service { inet:host:port,
timeout=10s, default_action=DUNNO
policy_context=submission }
...
From the SMTPD_POLICY_README:
Also, the "Delayed evaluation of SMTP access restriction lists" section
from the SMTPD_ACCESS_README page, might give you some answers.
http://www.postfix.org/SMTPD_ACCESS_README.html#timing
Cheers,
K
My educated guess would be it is checked at the end of the supplied
options for
My educated guess would be it is checked at the end of the supplied
options for smtpd_recipient_restrictions, is that correct?
On a very short glance at the source code, your guess does seem to be
correct.
src/smtpd/smtpd_check.c:
/*
* If the "reject_unlisted_recipient" restriction
reject_invalid_helo_hostname
Would reject an invalid host name such as "ho+st", but a valid hostname
such as "host" would pass
(https://datatracker.ietf.org/doc/html/rfc2821#section-2.3.5):
501 5.5.2 : Helo command rejected: Invalid name
reject_non_fqdn_helo_hostname
Would reject a
On 2021-07-07 09:59, Kevin N. wrote:
When using IP addresses in the email address, shouldn't the IP be
enclosed between []?
For example: noreply@[100.67.10.122] instead of noreply@100.67.10.122
Cheers,
K.
On 07/07/2021 17:49, j...@wrightthisway.com wrote:
Hello folks. I have set up a fresh insta
When using IP addresses in the email address, shouldn't the IP be
enclosed between []?
For example: noreply@[100.67.10.122] instead of noreply@100.67.10.122
Cheers,
K.
On 07/07/2021 17:49, j...@wrightthisway.com wrote:
Hello folks. I have set up a fresh instance of Postfix at my office to
Hi Keith,
You should really *not* post sensitive information on a public mailing
list especially since your server is accessible from the internet.
From what I can see, your posted auth logs contain the Base64 encoded
password which can be very easily decoded.
Cheers,
Kevin
On 05/07/2021
% postconf -A (SASL support in the SMTP+LMTP client)
I might be wrong, but I think that part of the document is actually
referring to the LMTP protocol in general and not necesarily to
Dovecot's LMTPD server.
https://en.wikipedia.org/wiki/Local_Mail_Transfer_Protocol
Cheers,
K.
Matus UHLAR - fantomas:
I was curious if I could do a script that would do the same, with the same
possible issues.
I can do perl, but it looks neither python nor perl have interface to postfix
what could e.g. expand maps without calling external commands.
Among other things, it mainly acted
Hi Viktor,
Thank you for the suggestion.
Are there any other general areas that I should be looking out for in
this kind of situations?
Cheers,
K.
It appears that some care has been taken to do it right. In principle
something like this should be sufficient. You'll need to review the
Hi Wietse,
Thank you for the detailed explanation.
This will limit scalability, but can work with low request rates.
However, there is an inherent danger to using arbitrary email
addresses from the internet in a shell command line.
Depending on how the commands are run, there may be shell
Hello everybody,
On one of our internal Postfix system I noticed that one of the
check_policy_service script is using postconf and postmap to perform
some alias lookups. It uses postconf to get the virtual_alias_maps
parameter, which is then used by postmap to perform the lookups.
Now, the
Super. Thank you for all the info :)
Cheers,
Kevin
On 28/06/2021 00:04, David Bürgin wrote:
Kevin N.:
Milters decide themselves where they want to insert headers, by index.
Depending on the order in which milters run, insertion done by one
milter can shift the insertion point of the next
Hi David,
Thank you for the detailed explanation.
Milters decide themselves where they want to insert headers, by index.
Depending on the order in which milters run, insertion done by one
milter can shift the insertion point of the next milter.
The sendmail milter API that milters use to
Thank you for the clarification,
Cheers,
Kevin
On 27/06/2021 02:36, Wietse Venema wrote:
Kevin N.:
3. From what I've read, the milters are called in the order they are
specified.
But does that mean that for each SMTP event Postfix will call the
milters in the specified order?
Yes. Each
Hello everybody,
I am using two milters to check incoming mail for DKIM signatures and
SPF records. They are specified in main.cf using the "smtpd_milters"
parameter.
Now,
when I place the DKIM milter before the SPF milter, like so:
smtpd_milters = inet:dkim-milter-host:port,
27 matches
Mail list logo
