valid names for postfix services

2014-06-25 Thread A. Schulze
Hello, I have to set up a special transport to send messages to a broken system. If I name the transport "foo", I could add transport-specific settings in main.cf such as foo_destination_rate_delay, for example. Does that work too if I name the service "foo_smtp", so the setting must be named foo_s

Re: valid names for postfix services

2014-06-25 Thread A. Schulze
lists _at_ rhsoft dot net: use foo_outgoing that's the point: the underscore in the service name. It may be worth thinking about not naming it _smtp, but I just do that and have no problems. I'm only unsure whether setting parameters ${transportname}_mumble in main.cf works if ${transportname} conta

CCERT authorization

2014-07-07 Thread A. Schulze
Hello, Abstract problem: allow an external third party to relay messages with one fixed envelope sender. Certificates must be used to grant relay permissions. Do I really need additional UserID+Passwords to limit it to a specific envelope sender, or could information from the ccert be used?

Re: Milter problem

2014-07-07 Thread A. Schulze
Christian Rößner: Unfortunately I found out that always the very first header of an earlier milter is not visible in my milter. Christian, the milter API knows two ways to add a header: 1) https://www.milter.org/developers/api/smfi_addheader 2) https://www.milter.org/developers/api/smfi_inshe

is 7bit conversion logged?

2014-07-12 Thread A. Schulze
Hello, it may happen that postfix announces the 8BITMIME SMTP extension and clients use it when submitting messages; it may then happen that postfix has to relay such messages to a legacy server not supporting that extension. In this case postfix will recode the message. Is that situation visible in the l

Re: Individual smtpd_tls_ask_ccert?

2014-07-29 Thread A. Schulze
Patrick Ben Koetter: IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs ... If that is true ... Hello, I ask for client certs on every one of my public MX servers without any compatibility issues for more than two years. Andreas

suggestion / log improvement

2014-08-06 Thread A. Schulze
Hello, the last day I had to search messages in our "poor man's second chance" storage (an always_bcc solution). *Finding* messages was painful. Using my logging I could follow any message by its queue ID. But finally messages are delivered by a local transport telling 10 times: yes, I

smtp_fallback_relay

2014-08-15 Thread A. Schulze
Hello, I'm looking for an alternative solution to smtp_fallback_relay, which I'm currently forced to use. Mostly I hit servers also running postscreen or postgrey. postfix could deliver directly if it got a second chance. But smtp_fallback_relay=... catches all deliveries after the first failure. Y

logging from scripts executed by pipe

2021-08-10 Thread A. Schulze
Hello, I have to rebuild a service: messages to an address are delivered via postfix pipe to a script. This script uses syslog to write its messages. That worked well for years. Now postfix runs in a different way, supervised via "postfix start-fg" (docker). Essentially there is no syslogd. My idea

Re: logging from scripts executed by pipe

2021-08-10 Thread A. Schulze
Wietse Venema: A. Schulze: Is there a recommended/any way to log messages from a script via postfix? Not at this time. Making the postlog command setgid requires a security analysis and that may require some code restructuring before this can be done without opening up a security hole

strict_7bit_headers, strict_8bitmime and strict_8bitmime_body

2021-12-13 Thread A. Schulze
Hello, the documentation says for these settings: > This feature should not be enabled on a general purpose mail server, because > it is likely to reject legitimate email Is it possible to activate a kind of log-only mode similar to "warn_if_reject"? That would allow administrators to know whic

Re: DMARC in postfix ?

2022-04-14 Thread A. Schulze
On 13.04.22 at 05:31 John Levine wrote: > For doing DMARC validation, I know about the opendmarc milter. Is that what > everyone uses? Is there anything else used in practice? Hello John, rspamd handles DMARC as well. But it's also a milter. This is intentional: Wietse / http://www.postfi

Re: dig reports NXDOMAIN but Postfix thinks otherwise

2022-12-06 Thread A. Schulze
On 06.12.22 at 19:06 Fred Morris wrote: This is a good use for DNS Response Policy Zones (RPZ) to prevent leakage, as well as an illustration of why doing some broad brush statistical monitoring of DNS traffic is a useful practice. it's easier to consistently avoid 'search' in /etc/resol

Re: may we suggest ICANN not run that many new tlds?

2019-11-19 Thread A. Schulze
On 19.11.19 at 10:58 Merrick wrote: > may we suggest ICANN not open a new TLD anymore? yes, you can: https://www.icann.org/public-comments

different message_size_limit per smtpd

2019-11-20 Thread A. Schulze
Hello, My goal is to allow different message sizes on MX and submission. As message_size_limit is a cleanup option, this is my (non-working) setup based on http://www.postfix.org/BUILTIN_FILTER_README.html#mx_submission main.cf message_size_limit = 512 master.cf # define a sepa

Re: different message_size_limit per smtpd (solved)

2019-11-20 Thread A. Schulze
On 20.11.19 at 17:57 @lbutlr wrote: >> The SMTP daemon also enforces the message size limit independently. >> You can therefore specify different limits on the submission and >> port25 services. >> >> However, those limits cannot be larger than the limit that is >> enforced by the cleanup daem

MDB_MAP_FULL: Environment mapsize limit reached

2020-01-09 Thread A. Schulze
Hello, running postfix-3.4.7 on Debian 10 I found the following warning in my logs: postfix/tlsmgr[705]: warning: lmdb:/var/lib/postfix/smtp_tls_session_cache is unavailable. open database /var/lib/postfix/smtp_tls_session_cache.lmdb: MDB_MAP_FULL: Environment mapsize limit reached on

Re: Are there plans for a built-in support of REDIS-tables?

2020-01-09 Thread A. Schulze
On 09.01.20 at 17:12 kris_h wrote: > We distribute the more dynamic tables - e.g. cidr-tables with self-harvested > current spammers' IPs - actually by simply distributing those files with > rsync. we use rbldnsd to build and serve an internal zone with similar data. Usual DNS lookups are

Re: Postfix restrictions

2020-06-07 Thread A. Schulze
On 07.06.20 at 11:51 Nicolas Kovacs wrote: using "reject_unknown_helo_hostname" may trigger some false positives. Not every sender has such a perfect setup. You may use "warn_if_reject reject_unknown_helo_hostname" for some time and check if losing such traffic is acceptable for you. Andr

Re: Postfix restrictions

2020-06-07 Thread A. Schulze
On 07.06.20 at 14:38 yuv wrote: > Is there a valid reason for a sender not to fix something so essential > as DNS configuration? no valid reason but reality. There are so many sending hosts named "foobar.local". Via NAT they are visible with a public IP and a perfect DNS. But these hosts st

Re: Cannot assign requested address -- with "inet_protocol = ipv4" in main.cf

2020-06-28 Thread A. Schulze
On 25.06.20 at 20:58 Greg Sims wrote: > I set "inet_protocol = ipv4" in main.cf . postconf inet_protocol postconf: warning: inet_protocol: unknown parameter postconf inet_protocols ? Andreas

debugging strategy

2020-07-10 Thread A. Schulze
Hello, I operate a postfix server + some milters. Some messages running over this MTA generate some trouble on the receiver side. I nailed the problem down to the content I receive from the client. It's an application I personally don't control. To debug the problem, I must ask another pers

Re: Mail server without MX record.

2020-10-13 Thread A. Schulze
On 13.10.20 at 14:09 Jason Long wrote: > I want to know can I use it without MX record? A records are used by default if no MX is available. That's nothing postfix specific - it's an RFC requirement for any MTA. Andreas

Re: Forward rejected by yahoo

2015-09-18 Thread A. Schulze
On 18.09.2015 Sebastian Nielsen wrote: If the domain has strict identity alignment set up, then From: body must match MAIL FROM, which must match the SPF record. sorry, this is simply not correct. No widespread "strict identity alignment" binds RFC5322.From (From: body) to RFC5321.MailFro

Re: Forward rejected by yahoo

2015-09-19 Thread A. Schulze
On 18.09.2015 at 16:23 Sebastian Nielsen wrote: That's exactly what I'm talking about, this DMARC Strict Identity Alignment. If a host only publishes a SPF record (no DKIM record), and sets up DMARC with Strict Identity Alignment, it's most probably not a very good DMARC setup then you will

Re: multiple IPs and postscreen

2015-10-19 Thread A. Schulze
Eric Abrahamsen: It works fine, until I try to add postscreen into the mix. you did not post a complete config. but you may check your master.cf: master.cf without postscreen: smtp inet n - n - - smtpd master.cf with postscreen: smtp inet n - n - 1 postscreen smtpd pass - -

documentation error

2016-02-02 Thread A. Schulze
Hello, the descriptive text for lmtp_address_verify_target (http://www.postfix.org/postconf.5.html#lmtp_address_verify_target) looks simply wrong... Andreas

Re: SV: Blocking TLDs

2016-02-19 Thread A. Schulze
Sebastian Nielsen: Then paste all the DISCARD lines into a new file called /etc/postfix/banned_tlds (and also add some own TLDs there, it's just to copy-paste one line and then change the TLD), and also remove lines for TLDs you don't want to block. Chmod the banned_tlds file to 666 to ensure t

send to ESP with broken STARTTLS

2016-03-31 Thread A. Schulze
Hello, I hit an MX-Server with weak DH: # SLES-Host # posttls-finger iutax.de posttls-finger: Connected to iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25 posttls-finger: < 220 gmy2-mh901.smtproutes.com kath-5.0.3 ESMTP Ready posttls-finger: > EHLO idvmailout03.datev.de posttls-fing

Re: send to ESP with broken STARTTLS

2016-03-31 Thread A. Schulze
Viktor Dukhovni: iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25 Yes, this server has a 768-bit DH key. a larger email service provider :-/ see https://www.robtex.com/en/advisory/ip/94/186/192/102/ The 1024-bit lower limit is enforced internally by the OpenSSL library and cannot b

Howto avoid 8BITMIME

2016-05-12 Thread A. Schulze
Hello, again I struggled with the 8BITMIME SMTP extension. The RFC - initial version published in 1993 - is not as widely adopted as one may expect. In fact even the largest mail providers do not announce 8BITMIME. That forces any RFC-conforming MTA to reject or convert the message into valid 7-

Re: Ordering the preque filtering?

2016-05-22 Thread A. Schulze
On 22.05.2016 at 02:07 Phil Stracchino wrote: My point stands: Making DMARC failure an automatic reject is a sound policy only if you're OK with losing legitimate mail because it passed through a forwarder who hasn't implemented DMARC yet. I disagree. DMARC in its current definition describ

Re: Mails rejected due to SPF?

2016-05-31 Thread A. Schulze
On 31.05.2016 at 19:09 Johannes Bauer wrote: Hello list, I know this is a bit off-topic, but I'm not sure if I misconfigured Postfix to result in this: Just today, an email of mine was rejected due to SPF reasons: host mx-ha03.web.de[212.227.15.17] said: 550-Requested action not taken: mai

Re: master.cf, arguments line, short form: newlines possible ?

2016-07-15 Thread A. Schulze
Вадим Бажов: Hi people! Is it possible to multi-line short-form command arguments in the master.cf file? For example, write this string: -o smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_sender_login_mismatch,reject_unlisted_sender,permit_sasl_authenti

Re: Feature-request: rfc5322_from_login_maps

2016-07-21 Thread A. Schulze
On 20.07.2016 at 18:03 Wietse Venema wrote: In Postfix: require that MAIL FROM matches SASL login In Milter: require that MAIL FROM matches From: header. I took that suggestion and had a deeper look at OpenDKIM today. Parsing RFC5322.From /is/ complicated. But for my feeling OpenDKIM does

cosmetics: authentication success not logged

2016-09-18 Thread A. Schulze
Hello, we implemented a submission server with SASL authentication. Nothing special... also we usually grep for "sasl_username=$customer_with_trouble". Today I noticed the successful authentication was not logged because a sender address was rejected. Looks like sasl_username logging happens on

Re: cosmetics: authentication success not logged

2016-09-18 Thread A. Schulze
On 18.09.2016 at 14:31 Wietse Venema wrote: No, that would log it too often in normal sessions. Instead it can be logged for rejected commands. reject: from host[addr] ...; from=, to=, proto=SMTP, helo=, sasl_username= Hello Wietse, that would be OK, too. It requires a code change

Re: cosmetics: authentication success not logged

2016-09-18 Thread A. Schulze
On 18.09.2016 at 14:39 Wietse Venema wrote: As in the patch below. oops, you're so fast... thanks! I'll try and report. Andreas

Re: cosmetics: authentication success not logged

2016-09-21 Thread A. Schulze
A. Schulze: On 18.09.2016 at 14:39 Wietse Venema wrote: As in the patch below. Hello Wietse, there are multiple places where such log lines are written: $ find . -name '*.c' | xargs grep helo= ./src/cleanup/cleanup_message.c: vstring_sprintf_append(state->temp

Re: Is there a best-practices document available?

2016-09-28 Thread A. Schulze
On 28.09.2016 at 16:58 Stephen Satchell wrote: For mail servers in general? I suggest MAAWG documents: https://www.m3aawg.org/published-documents Andreas

Re: SV: Restriction question

2016-10-18 Thread A. Schulze
Hello, you may set "mynetworks_style = host" see http://www.postfix.org/postconf.5.html#mynetworks_style Andreas On 18.10.2016 at 21:51 Sebastian Nielsen wrote: > Set mynetworks to only contain the IPs or networks of the production server. > You can use /32 to list single IPs. > Like: > mynet

Re: Problem with ldap failover

2016-10-21 Thread A. Schulze
On 21.10.2016 at 13:49 MichalZ wrote: > server_host = ldaps://ldap3.img.local:636 > ldaps://ldap2.img.local:636 > ldaps://ldap.img.local:636 did you check that every single server works without the others? try1: server_host = ldaps://ldap3.img.local:636 try2:

Re: Positive DSN if delay_warning_time is reached?

2014-09-11 Thread A. Schulze
wietse: This turned out to be easier than expected. Manpage fragment for Postfix 2.12-20140907: confirm_delay_cleared (default: no) After sending a "your message is delayed" notification, inform the sender when the delay clears up. This can result in a sudden burst of notificatio

Re: Positive DSN if delay_warning_time is reached?

2014-09-11 Thread A. Schulze
wietse: First, I think this is somewhat academic because many users will be confused when they receive more than one notification for the same email message, regardless of the content of that notification. right. Users tend to not read such messages :-/ Presently, we have a new feature to se

Re: ECDSA ciphers & MTA's

2014-09-15 Thread A. Schulze
shmick: CONNECTED(0003) 139821090178704:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:762: medusa.blackops.org smtp *SERVER* just doesn't support the selected cipher. does that mean it cannot connect *to* me because it doesn't have any EC cip

Re: Address verification callable via sendmail?

2014-09-19 Thread A. Schulze
Benny Pedersen: Ralf Hildebrandt wrote on 2014-09-19 11:20: Is the Address verification functionality callable via an invocation of the sendmail compatibility binary? sendmail -bv root sure, simple :-) but it would be nice to simply get a return code 0/1 instead of a message. I assume that's wh

Re: Address verification callable via sendmail?

2014-09-19 Thread A. Schulze
wietse: sendmail -bt Whoops, -bt isn't documented :-) Andreas

Re: Input requested: append_dot_mydomain default change

2014-09-22 Thread A. Schulze
wietse: Dammit, I want to hear from people who expect to have problems or not. OK, I don't expect problems for /my/ systems because I already explicitly set 'append_dot_mydomain = no'. Andreas

Re: PATCH(2): Positive DSN if delay_warning_time is reached?

2014-09-23 Thread A. Schulze
wietse: This is a minimal patch relative to the confirm_delay_cleared patch. This suppresses the notification when the user requests NOTIFY=FAILURE, or any NOTIFY features that do not include DELAY. I checked the cases mentioned here: http://marc.info/?l=postfix-users&m=141044783906935 and

OT: invalid DKIM signatures

2014-10-05 Thread A. Schulze
wietse: Do you have a so-called security appliance in the path? Many have a history of tampering with email. Do you have other anti-spam software in the path that modifies mail headers such as X-Spam:? To be complete: there is an easy way to invalidate DKIM-Signatures: don't announce SMTP

Re: Discuss: safety net for other compatibility breaks

2014-10-07 Thread A. Schulze
Mark Martinec: Some more archaisms that can be changed to: biff = no swap_bangpath = no allow_percent_hack = no funny, all of the already mentioned settings I also explicitly set here ... other suggestions: - disable_vrfy_command = yes - enable_long_queue_ids = yes - smtpd_tls_p

Re: Compiling new postfix same as the old postfix

2014-10-10 Thread A. Schulze
LuKreme: What can I look at to figure out what the build options were for the currently installed version so I can try to match them as closely on the new compile? search the file makedefs.out for the current build options. Information about building: http://www.postfix.org/INSTALL.html for postf

postfix-2.12 BC-warnings: confusing line numbers

2014-10-12 Thread A. Schulze
Hello Wietse, I just installed 2.12-20140911 and got multiple BC warnings. The line numbers are confusing... $ head -n 3 /etc/postfix/master.cf relay unix - - - - - smtp -o smtp_fallback_relay= # line with comment flush unix

postconf question

2014-10-12 Thread A. Schulze
Hi all, while reading the COMPATIBILITY_README I asked myself: wasn't the command to edit main.cf 'postconf -e mumble=foo'? Is '-e' the default action to edit main.cf? Did I miss an update? "postconf mumble" displays the value, "postconf mumble=foo" sets the variable and is exactly the sam

Re: postfix-2.12 BC-warnings: confusing line numbers

2014-10-12 Thread A. Schulze
wietse: $ head -n 3 /etc/postfix/master.cf relay unix - - - - - smtp -o smtp_fallback_relay= # line with comment flush unix n - y 1000? 0 flush How would Postfix know that "relay" ends at line 2? Comments may appear I

Re: postfix-2.12 BC-warnings: confusing line numbers

2014-10-12 Thread A. Schulze
Viktor Dukhovni: Try the patch below: works with one exception. my master.cf start with comment lines 1: # 2: # documentation 3: relay unix - - - - - smtp 4: -o smtp_fallback_relay= 5: 6: flush unix n - - 1000? 0 flush 7

Re: postfix-2.12 BC-warnings: confusing line numbers

2014-10-12 Thread A. Schulze
wietse: That's why I am implementing line RANGES to shut up people like you. honestly, I only try to help ...

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread A. Schulze
Ralf Hildebrandt: When I have more time I can test other versions in between. you may force problematic destination to plaintext (smtp_tls_policy_maps) or ignore the STARTTLS announcement (smtp_discard_ehlo_keyword_address_maps) both not perfect but workarounds ... Andreas

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread A. Schulze
Viktor Dukhovni: POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll now use cleartext with SSLv3-only SMTP peers. to calculate the damage, count: < inbound > # grep 'TLS connection established from' /var/lo

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread A. Schulze
Harald Koch: (RC4 on the other hand - Google and Yahoo are both still using it by default... *sigh.) If *you* disable RC4, they *will* use other ciphers ...

Re: PATCH: Milter header position semantics

2014-10-17 Thread A. Schulze
wietse: I have patches for evaluation: Postfix 2.12 released 20140918 or later: just compiling ... Postfix 2.8, 2.9. 2.10, 2.11, and Postfix 2.12 released before 20140918: ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20141017-milter-auto-header-hide-2.12.11.pa

Re: Postfix/milter benchmarking

2014-10-23 Thread A. Schulze
Julian Mehnle: Are there any other tools people use to benchmark their Postfix setups or, more specifically, milters? Wietse said in a talk I listened to: "Optimize both the worst case and the common case. Worst cases become normal cases". When developing milter applications that means to me: -

Re: patch: smtpd insert DSN request (Update)

2014-11-12 Thread A. Schulze
wietse: /^(RCPT\s+TO:<.*>.*\s+NOTIFY=.*)/ $1 /^(RCPT\s+TO:<.*>.*)/ $1 NOTIFY=SUCCESS,DELAY,FAILURE the regex above doesn't match on 'RCPT TO: ' (SPACE after colon). I use now: /^(RCPT\s+TO:\s*<.*>.*\s+NOTIFY=.*)/ $1 /^(RCPT\s+TO:\s*<.*>.*)/ $1 NOTIFY=SUCCESS,DELAY,FAILURE Andreas

Re: patch: smtpd insert DSN request (Update)

2014-11-14 Thread A. Schulze
wietse: A. Schulze: wietse: /^(RCPT\s+TO:<.*>.*\s+NOTIFY=.*)/ $1 /^(RCPT\s+TO:<.*>.*)/ $1 NOTIFY=SUCCESS,DELAY,FAILURE the regex above doesn't match on 'RCPT TO: ' (SPACE after colon) That is invalid syntax. What software (other than home-grown script

warnings about symlinks in /etc/postfix/

2014-11-19 Thread A. Schulze
Hello, I have symlinks in /etc/postfix to include files from other sources while building the local configuration. For a long time I have noticed warnings from postfix-script every time I install a new postfix version. # postfix check postfix/postfix-script: warning: group or other writ

Re: TLS Encryption and Verification issue

2014-11-21 Thread A. Schulze
Viktor Dukhovni: # perl collate /var/log/mail.log | qid=9277043E30 perl -ne ' BEGIN{$/="\n\n";$re=$ENV{qid}} print if m{$re}oi ' Wow, what a magic script! Thanks for publishing! Andreas

nice reject

2014-11-21 Thread A. Schulze
Hi, smtpd_recipient_restrictions for a submission service usually ends with an explicit "reject". That results in an SMTP response string 554 5.7.1 : Recipient address rejected: Access denied Sometimes it's helpful to have a more detailed error, "please authenticate", "go away", "goto http://here.

Re: nice reject

2014-11-21 Thread A. Schulze
Noel Jones: We use the built-in feature for this: http://www.postfix.org/postconf.5.html#smtpd_reject_footer Aha, good point It's a really nice idea, but in practice few people ever use the contact or correction info provided in a reject message -- some end-user mail programs seem to go to

Re: nice reject

2014-11-21 Thread A. Schulze
wietse: An improved "static" table would do the job: check_recipient_access static:{reject you did this or that ...} I'll post a patch in a little while. This takes four lines of code. Don't hurry, the system I'm currently working on isn't up to date anyway. The perspective is enough fo

Re: google bouncing emails - ipv6 ptr problem?

2014-11-22 Thread A. Schulze
Peter: Unfortunately the above solution assumes that all recipients that use the google MX servers will have email addresses with google.com or gmail.com domains. (@Wietse: correct me, if I'm wrong) that's a general consequence of postfix design. postfix is destination domain centric. It does

Re: google bouncing emails - ipv6 ptr problem?

2014-11-22 Thread A. Schulze
wietse: A. Schulze: So instead implementing strange workarounds, one should search, find, understand and fix the real problem. Google bounced my mail because of a temp error. I changed nothing in my DNS or DKIM. It's their bug, not mine. I don't expect your setup is obviously

Re: Pick the transport based on the destination host, not domain?

2014-11-22 Thread A. Schulze
Darren Pilgrim: But now I have a second such domain, and I'd like to head off a maintenance problem. All such domains use the same set of MXes, so it's an obvious pattern to switch transports if the next hop is one of the offending MXes. if ipv4 is still working you could - modify your

Re: local delivery failing after years of working (OT)

2014-11-23 Thread A. Schulze
Steve Drach: 1. the logs, especially the local daemon, indicates the message is delivered that question reminds me about a patch I wrote some months ago. I had a host receiving tons of bcc and saving them to a maildir. The challenge was to combine queue id and message files in the maildir. I

Re: local delivery failing after years of working (OT)

2014-11-23 Thread A. Schulze
wietse: What is wrong with matching the time of delivery with "ls -t"? under pressure it's harder if you have 500 message files per minute. Remember that delivery status information can be sent to random people with NOTIFY=SUCCESS. Oh, you're right! I wasn't aware of that point. Thanks! An

Re: Transport based on next hop

2014-11-28 Thread A. Schulze
Christian Rößner: Unfortunately the form does set a From:-header to an AOL address. (ask the customer to) fix that MX host is foo bar, use transport SMTP:[some.mta]:12345 There was a similar discussion on this list some days ago: http://marc.info/?t=14166878141 configure domain based

Re: Transport based on next hop

2014-11-28 Thread A. Schulze
Christian Rößner: This server already has two ip addresses and routing can not be done on answer decisions. That exactly is the problem here. And the main MTA on port 25 enforces a policy. As you told in a previous message you run multiple instances on one host. I assume you have a clean se

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

2014-12-04 Thread A. Schulze
s.small: It appears that a DNS lookup is first made with [ip].[rbl] and then with [ip].[rbl].[mydomain] if no entry has been found. general advice: check your /etc/resolv.conf. Usually there is no need for other lines than "nameserver $NAMESERVER_IP"; especially check if "searchdomain" is prese

Re: Problem with reject_rbl_client when a wildcard entry for mydomain exists

2014-12-04 Thread A. Schulze
Viktor Dukhovni: general advice: check your /etc/resolv.conf. Usually there is no need for other lines than "nameserver $NAMESERVER_IP"; especially check if "searchdomain" is present and needed and should be removed. This advice is not right, Postfix works ... Yes, BUT: I had not only postf

trusted vs. verified TLS connection

2014-12-10 Thread A. Schulze
Hello, while checking TLS to a destination domain I noticed a difference. posttls-finger says "Verified" but the log says (only) "Trusted". # posttls-finger -c -F /etc/ssl/mail/trusted_cas.pem avira.com posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net postt

Re: Why does SPF fail sometimes?

2014-12-15 Thread A. Schulze
wietse: DMARC "verifies" the From: header against SPF, DKIM or both, but only a poorly-informed person would require that the From: address *always* verifies with SPF. for that reason it's more important the existing DKIM signature is still valid when the mlm redistribute the message to all s

Re: problem with recipient address verification

2014-12-27 Thread A. Schulze
wietse: If it is DATA, then address verification is possible but it requires source code changes to Postfix: - After successful RCPT TO, do not assume that the recipient exists, but send DATA and disconnect after the DATA response is received. This will cause extra noise in the logfile, t

Re: hold trigger dmarc milter notify_classes

2015-01-13 Thread A. Schulze
wietse: Maybe you can ask the Milter's developers to make their unconditional "quarantine" action configurable. that would be a good solution, too. But this specific developer is _very_ busy. Andreas

Re: Signing-milter - are postfix tampering with messages?

2015-02-27 Thread A. Schulze
Sebastian Nielsen: I have a problem with signing-milter (http://www.signing-milter.org) I set up a separate ML some weeks ago. Visit the updated homepage (https://signing-milter.org) for more information. that seems to be that postfix "sabotages" the signed mail in its post-processing by doing

Re: DKIM smtpd_milter before SA content-filter: still valid signing

2015-03-02 Thread A. Schulze
André Peters: I run a smtpd_milter to sign mail via OpenDKIM. This happens before-queue, right? in your setup, right. Next this signed mail goes through a Spamassassin content-filter, which adds some X-Headers after-queue. How can this mail still have a valid DKIM signature? OpenDKIM don'

Re: Have tested lots of solutions now with signing-milter. What is the problem?

2015-03-04 Thread A. Schulze
Sebastian Nielsen: But how can I retain a copy of the message before the milter? Could then remove the hashcash milter and DKIM milter (since those do not change that -b does succeed validation and no -b does fail validation) and send a test mail. the milter implements a switch "-k ". there cop

Re: Have tested lots of solutions now with signing-milter. What is the problem?

2015-03-04 Thread A. Schulze
wietse: How many other milters are there after the signing milter? If there are none, then your signing milter is defective (produces an incorrect signature). that's a valid assumption. and to be honest: it's more likely than inside postfix but the source is available ¹). Anybody is invited

Re: always_bcc

2015-03-09 Thread A. Schulze
@lbutlr: I was hoping always_bcc would allow me to backup user’s incoming mail. have a look at recipient_bcc_maps ...

Re: Add all BCC-recipients to a header for archiving

2015-03-30 Thread A. Schulze
Viktor Dukhovni: The alternative is to use recipient_bcc_maps instead of always_bcc, with a per-recipient archive address that encapsulates the original recipient address. perfect timing: I was just asked to improve an always_bcc setup :-) Thanks to André and Viktor! I now have the following se

wrong transport after error ?

2015-04-21 Thread A. Schulze
Hello, I have a setup where all messages for a domain are forwarded to a remote SMTP server, except one address which is delivered by lmtp. transport: domain smtp:remote user@domain lmtp:remote that worked until remote died yesterday. After remote came up again, message to user@domain

Re: wrong transport after error ?

2015-04-21 Thread A. Schulze
A. Schulze: Hello, I have a setup where all messages for a domain are forwarded to a remote SMTP server, except one address which is delivered by lmtp. transport: domain smtp:remote user@domain lmtp:remote that worked until remote died yesterday. After remote came up again, message to

logjam & SMTP

2015-05-28 Thread A. Schulze
Hello, the crypto weakness of the month is named "logjam". If you can connect to https://dhe512.zmap.io your SSL client / browser supports weak crypto. What does that mean for postfix? We set up a postfix smtp server with smtpd_tls_dh1024_param_file = /path/to/dh_512.pem smtpd_tls_e

Re: logjam & SMTP

2015-05-28 Thread A. Schulze
DTNX Postmaster: There are several problems with your configuration. Please refer to the mailinglist archive for how to configure Postfix to deal with Logjam. It has been discussed extensively in this thread; http://marc.info/?t=14323933481&r=1&w=2 I read this as "how do I provide strong

Re: logjam & SMTP

2015-05-28 Thread A. Schulze
Viktor Dukhovni: Indeed, because such a policy would properly be an OpenSSL feature, not a Postfix feature. However, the whole attack is largely irrelevant for SMTP. Unless you're authenticating the server (DANE or Web PKI) you're subject to MiTM attacks with or without logjam. correct. W

Re: smarthost forwarding, restricted by TLS-no-SASL, rejecting outbound recipient.

2015-06-10 Thread A. Schulze
PGNd: openssl x509 -pubkey -noout -in /etc/ssh/mail/commercial.crt | openssl pkey -pubin -outform DER | openssl dgst -sha1 -c take the output of "openssl x509 -sha1 -fingerprint -noout -in cert.pem" Andreas

Re: postfix 3.0.1 sasl connection

2015-06-14 Thread A. Schulze
basteon: HELO test 250 mail.domain.ru AUTH PLAIN 502 5.5.1 Error: command not implemented use "EHLO test" to let postfix know, you understand SMTP extensions Andreas

Re: SMFIC errors in logs

2015-06-16 Thread A. Schulze
Nick Winn: SELinux is disabled and I am still seeing these errors. Nick, such errors I saw years ago but not in current postfix releases. Could you please send - which milters do you use - postconf -n and postconf -M Andreas

Re: SMFIC errors in logs

2015-06-16 Thread A. Schulze
Nick Winn: please keep on list... opendkim-2.10.3-1.el6.i686 (inet port 8891) opendmarc-1.3.1-4.el6.i686 (inet port 8893) pyspf (2.0.11) (inet port 8892) and a home grown c binary that samples our mail stream (inet port 21718) I've tried running postfix with just one and two milters running a

OT: milter.org is down

2015-06-22 Thread A. Schulze
Hello, for whatever reasons Proofpoint (the current owner of sendmail) decided to shut down the milter.org website. Unfortunately the API documentation is unavailable now, too. A Proofpoint employee suggested downloading the publicly available source distribution. ( ftp://ftp.sendmail.org/

Re: added milter (opendmarc). not processing, postfix logs show "abort all milters"?

2015-06-27 Thread A. Schulze
PGNd: I've added an opendmarc milter to a service [127.0.0.1]:10031 inet n-n-- smtpd -o smtpd_milters=inet:localhost:8893 Why is the message not making it to that milter for processing? just answered on opendmarc-users but for reference

Re: Postfix + OpenDKIM - milter reject, come back later

2015-07-05 Thread A. Schulze
Istvan Prosinger: milter_protocol = 2 why do you enforce an old protocol version while MTA and OpenDKIM support the current one? Andreas
