Re: Taking over for another admin

On 04.02.2009 18:14, David Bishop wrote: [...] > So, the group-mind consensus is to use the following for a (relatively) > small virtual-hosting mail environment: > > postfix (obviously) + dovecot's SASL for smtp-auth and maildir > dovecot for imap/pop > maia for spam/virus filtering (with clamav)

Re: dkim-filter problem

On 04.06.2009 12:44, Murat Ugur Eminoglu wrote: > Dear All, i 'm using postfix 2.5.5 with Amavis-new. I 've installed > dkim-filter v2.6.0. i 've sent mail but dkim-filter says, "no signature > data" > > How i can solve this problem ? * make sure dkim-filter is operating in verify *and* sign mode.

Re: Auto-whitelist policy

On 12.01.2010 13:21, Stan Hoeppner wrote: > Daniel L. Miller put forth on 1/11/2010 5:03 PM: >> Does anyone have an auto-whitelisting policy daemon? I want to have a >> test early in sender checks that would bypass most of my other spam >> prevention if a sender is in the whitelist - and have that

Re: Linux users with mixed case names

On 31.01.2010 17:33, Miles Fidelman wrote: > It's not so much a bug as a direct violation of the SMTP spec. RFC2821, > par. 2.4, states: > > The local-part of a mailbox MUST BE treated as case sensitive. > Therefore, SMTP implementations > MUST take care to preserve the case of mailbox local-par

Re: Race condition in postmap?

On 12.02.2010 13:25, Richard Cooper wrote: > Feb 12 00:41:24 mail1 postfix/smtpd[24782]: NOQUEUE: reject: RCPT from > unknown[111.111.111.111]: 550 5.1.1 : Recipient > address rejected: User unknown in virtual alias table; > from= to=< recipi...@example.com > proto=SMTP > helo= > > This is a v

Re: Race condition in postmap?

On 12.02.2010 14:47, Richard Cooper wrote: > On 12 Feb 2010, at 12:12, Eray Aslan wrote: >> On 12.02.2010 13:25, Richard Cooper wrote: >>> Feb 12 00:41:24 mail1 postfix/smtpd[24782]: NOQUEUE: reject: RCPT from >>> unknown[111.111.111.111]: 550 5.1.1 : Recipient >>

Re: Postfix TLS requirements

On 02.03.2010 06:09, Alex wrote: > What encryption/cipher/key length, session key options, etc, choices > should I be making if I were to do this today? That is dificult to say without knowing what you are trying to protect, your threat model etc. If in doubt, go with the defaults. > Under what

Re: OpenSSL 0.9.8 <-> 1.0.0 CApath (in)compatibility

On 17.05.2010 03:02, Victor Duchovni wrote: > If you want to be really clever, you may be able to hash two copies > of the root CA directories with the same set of certificates each with > a different version of c_rehash (and corresponding utilities from the > appropriate OpenSSL version) and then

[patch] build failure against db-5.0

Berkeley DB 5.0 is out and provides an SQlite-compatible interface. Having an alternative to SQLite is considered a good thing and there is some interest in bringing db-5.0 into mainstream use. Postfix fails to build against Berkeley-DB-5.0.21: [...] gcc -Wmissing-prototypes -Wformat -DHAS_PCRE -D

Re: [patch] build failure against db-5.0

On 05/21/2010 01:33 AM, Victor Duchovni wrote: > On Thu, May 20, 2010 at 01:29:49PM +0300, Eray Aslan wrote: > Is this the default Berkeley-DB version for your system platform? No > If > not, you should generally avoid the temptation to use a non-default > Berkeley-DB. I maintai

Re: postfix as forwarder and backscatterer problem

On Thu, Jul 22, 2010 at 06:52:22PM +0400, Vasya Pupkin wrote: > You of course understand that this is not possible, right? Yes, I am sure he does. That was sarcasm. Anyway, If the amount of backscatter is small, do not change behaviour. But accept the fact that (prepare for) you might get blac

Re: TLS for dummies

On 26.08.2010 02:47, Security Admin (NetSec) wrote: > Is there an existing file or a weblink that would list the current accepted > global root CAs? Since the only one in the "exchange.pem" file is from my > Exchange Server, I could append to this file all the necessary trusted root > CAs. Don

Re: server configuration error

On 19.11.2009 06:02, K bharathan wrote: > now i understand ; > in my check_client_access cidr:/etc/postfix/spam_cidr there was a block > of IPs: > > 90.150.32.0/19 REJECT > 90.150.64.0/18 REJECT > 90.150.128.0/17

Re: Forwarding mail to other email addresses

On 17.12.2009 11:51, T D wrote: > My basic problem is that I can't work out how to forward email to more > than one recipient. For example, let's say I want o...@example.com to > 1) be delivered to its Cyrus mailbox as normal and 2) to be forwarded > to b...@blackberry.net and j...@vodafone.net.

Re: Monitor someone's mail?

On 21.12.2009 20:17, William Jordan wrote: > Is there a (easy and/or simple) way to get a copy of a person's inbound & > outbound mail sent to another mail user? We want to monitor a mail account. > I am pretty sure I can forward incoming mail but outbound mail I am not so > sure about. * Please

Re: Postfix & cyrus-sasl 2.1.25 issues

NETSCAPE LOGINDISABLED COMPRESS=DEFLATE IDLE] Success (no protection) Authenticated. Security strength factor: 0 a logout * BYE LOGOUT received a OK Completed Connection closed. There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl 2.1.25. But I can't reproduce it. -- Eray Aslan

Re: Postfix & cyrus-sasl 2.1.25 issues

On Fri, Jan 06, 2012 at 09:23:02AM -0800, Quanah Gibson-Mount wrote: > --On Friday, January 06, 2012 11:05 AM +0200 Eray Aslan > wrote: > > There are reports of broken PLAIN and LOGIN mechs with cyrus-sasl > > 2.1.25. But I can't reproduce it. > > That is what I

Re: Postfix 2.9 STABLE release candidate 1

On Wed, Jan 18, 2012 at 02:23:13PM -0500, Wietse Venema wrote: > Postfix 2.9.0-RC1 is ready for download. Please report any problems > that may remain after a few months of cleaning up. The last two entries in the HISTORY file seem to have the wrong date. FYI. -- Eray Aslan

Re: found a "bug" on postfix 2.9.1

init.d/postfix zap" to return postfix to stopped state, correct master.cf and start postfix again. This is arguably no different from any number of configuration errors resulting in a non working setup. In any case, bugs.gentoo.org or a gentoo mailing list is probably the correct place for this discussion. -- Eray Aslan

Re: found a "bug" on postfix 2.9.1

ble delay in startup for everyone but yes, it is better. Thanks. > I would also like to reiterate that the "postfix" command is the > sole supported interface for starting and stopping Postfix. Aye, noted. -- Eray Aslan

Re: found a "bug" on postfix 2.9.1

or the user. I am not sure if this is a recommended way to start a daemon. It surprises them - hence the original email. -- Eray Aslan

Re: [OT] Re: found a "bug" on postfix 2.9.1

tart up postfix *for everyone* - one has to wait a bit before running postfix status after postfix start. So, yes it is not a clear cut decision but for different reasons. This is getting really off topic. -- Eray Aslan

Re: [OT] Re: found a "bug" on postfix 2.9.1

t; reports an error, and returns a non-zero exit status. > > Will that work? Yes, that will work. Thank you. -- Eray Aslan

Re: PATCH: "postfix start" master initialization status

tart waits for master to initialize before returning with the correct return code. There is no noticeable delay during startup with a correct configuration. Differences are within margin of error. There is less incentive to start master directly. Thanks again. -- Eray Aslan --- src/master/Make

Re: How to set to use only trusted TLS connection to trusted networks?

nd no possibility to add own public TLS keys > somewhere? Check the fingerprints of the certificates: http://www.postfix.org/TLS_README.html#client_tls_fprint Read the whole document for your other options. -- Eray Aslan

Re: GSSAPI authentication

there any particular reason one would go the cron route? http://www.eyrie.org/~eagle/software/kstart/ -- Eray Aslan

non-root postfix status?

doers route? -- Eray Aslan

Re: non-root postfix status?

for postfix status output - it is not privileged info. But this is a moot point now after Wietse's answer. -- Eray Aslan

Re: Warning

Ralph Seichter seichter.de> writes: > I agree. Gentoo documentation states that "This is off by default, as > it may cause a substantial performance loss at sites with large hosts > files.", but large host files are no longer en vogue. > > Well, "multi on" did the trick, so thanks for your suppor

Re: upgrade behavior when smtpd_relay_restrictions is explicitly empty in main.cf

is not a high priority issue. -- Eray Aslan

Re: TLS Library Problem? Postfix 2.9.6

On Tue, Feb 12, 2013 at 04:51:33PM +, Viktor Dukhovni wrote: > Do you know how you accidentally ended-up with a 512-bit RSA key? > [ Did you use the snake-oil key-pair included with the O/S? ] No. The snake-oil key-pair is 1024 bit rsa in gentoo. -- Eray Aslan

Re: quiet or broken

On 3/12/13 2:33 AM, Viktor Dukhovni wrote: > Nah, it's just that the 2.10.0 release is perfect and nobody has > any questions anymore. :-) Well, we are waiting for the DANE implementation. New shiny toy to play around with :) -- Eray Aslan

postfix-2.11-20131031 lmdb make failure

^ compilation terminated. make: *** [slmdb.o] Error 1 -- Eray Aslan

typo in script [was Re: OT - Dane, TLSA]

On Sat, Dec 14, 2013 at 06:30:15PM +, Viktor Dukhovni wrote: > Well, you're unlikely to have working TLSA RRs for your SMTP service > just by happenstance. If you want to create a TLSA RRset for your > SMTP server, run the attached "tlsagen" shell script as follows: > > $ tlsagen cert.pem

Re: Request for data points: DANE-enabled receiving domains

On Fri, Apr 25, 2014 at 03:00:42PM +, Viktor Dukhovni wrote: > Oh, and by the way, I see your domain has working TLSA RRs. [...] > If anyone else on this list has a DNSSEC signed domain and adds MX > host TLSA records, please feel free to drop me a note. I'll connect > to your domain from my h

underlinking? ld.gold

I am getting undefined_symbol errors when using gold for linking. 1/ With bfd: $ make tidy $ make -j7 makefiles shared=yes dynamicmaps=no shlib_directory=/usr/lib64/postfix/MAIL_VERSION DEBUG= CC=x86_64-pc-linux-gnu-gcc 'OPT=-march=native -O2 -pipe -Wno-comment' 'CCARGS=-DHAS_PCRE -DHAS_LDAP -DUS

Re: Proposed patch: (underlinking? ld.gold)

On Tue, Jul 15, 2014 at 02:31:59AM +, Viktor Dukhovni wrote: > Actually, AUXLIBS should come before SYSLIBS, so the correct patch is: > > diff --git a/makedefs b/makedefs Thanks. Works for me. Any chance of using ${CC} for the linking stage as well? Perhaps something along the lines of: -

Re: Experimental TLS auth fallback code

On Tue, Jul 15, 2014 at 04:42:32AM +, Viktor Dukhovni wrote: > smtp_tls_fallback_level (default: empty) > >Optional fallback levels for authenticated TLS levels. Nice. I am guessing the motivation is making dane easier to deploy, especially for early adaptors, by decreasing

Re: Proposed patch: (underlinking? ld.gold)

On Tue, Jul 15, 2014 at 07:15:38AM +, Viktor Dukhovni wrote: > We need a compiler that is known to support the requisite options, > so this is not clear. Since we're only using gcc for linking, if > it is present, it is a reasonable choice. The reason to use ${CC} > is if per-chance gss is no

cross compiling postfix (Re: Proposed patch)

On Tue, Jul 15, 2014 at 11:06:42AM +, Viktor Dukhovni wrote: > On Tue, Jul 15, 2014 at 10:07:30AM +0000, Eray Aslan wrote: > > I am trying to support those who cross compile postfix. They do have > > gcc installed but it is not the linker they want. > > Makes sense,

Re: PCRE2 Support

pport for > PCRE2 before 3.7. I don't know about anyone else. Agreed. We certainly can but there isnt really a need to backport this change. -- Eray Aslan

linux 6 release

Yet another linux major version about to be released (at rc4 currently) with "nothing fundamentally different". diff --git a/makedefs b/makedefs index 2839f3a..be60de4 100644 --- a/makedefs +++ b/makedefs @@ -627,7 +627,8 @@ EOF : ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}

build failure with gcc-10

gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in the following errors while building postfix-3.5-20200112. Simple reproducer on an older gcc is to add -fno-common to CFLAGS. /usr/x86_64-pc-linux-gnu/gcc-bin/10.0.0-pre/gcc -shared -Wl,-soname,libpostfix-global.so -Wl,--en

Re: build failure with gcc-10

On Mon, Jan 20, 2020 at 10:38:09AM -0500, Wietse Venema wrote: > Eray Aslan: > > gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in > > the following errors while building postfix-3.5-20200112. Simple > > reproducer on an older gcc is to add -fno-common to

Re: build failure with gcc-10

On Mon, Jan 20, 2020 at 06:57:34PM +0300, Eray Aslan wrote: > On Mon, Jan 20, 2020 at 10:38:09AM -0500, Wietse Venema wrote: > > Eray Aslan: > > > gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in > > > the following errors while building po

Re: build failure with gcc-10

On Mon, Jan 20, 2020 at 06:57:34PM +0300, Eray Aslan wrote: > On Mon, Jan 20, 2020 at 10:38:09AM -0500, Wietse Venema wrote: > > Eray Aslan: > > > gcc-10 flipped a default from -fcommon to -fno-common[1] resulting in > > > the following errors while building po

postfix tls feature request

I am looking for a quick way to determine whether the client and server tls setting are at their default values. Something similar to the attached patch perhaps. Use case: If ssl support is requested by the user, I am hoping to issue postfix tls all-default-client && postfix tls enable-client

Re: postfix tls feature request

On Wed, Feb 10, 2016 at 06:04:59PM +, Viktor Dukhovni wrote: > Well "postfix tls enable-client|server" already checks whether the > key client or server TLS settings are at their defaults, and if > not only suggests recommended settings without making any changes. > > Are you looking to avoid

Re: Input requested: append_dot_mydomain default change

= yes is a bad idea. Partially qualified names should have never been made to work - not just in email but in the whole networking universe. In this case, it is still not too late to break the bad stuff. I vote for changing the default fwiw. -- Eray Aslan

Re: Add --version option to postfix

On Mon, Sep 29, 2014 at 08:13:38AM -0400, Charles Marcus wrote: > On 9/28/2014 3:01 PM, LuKreme wrote: > > Yes, it’s (postfinger) a separate package. > > Yeah, and unavailable in gentoo repo... :( It is a shell script. You can just download and run it on your system. -- Eray

Re: Please add support for Linux Kernel 4

On Fri, Mar 27, 2015 at 08:56:39AM +0100, hydra wrote: > With Linux Kernel 4.0 around the corner, it would be nice to have the > possibility to compile Postfix on it. Currently it fails: Linux-4.0 has been released on April 12th. No major changes: https://lkml.org/lkml/2015/4/12/178: Official su

missing COMPATIBILITY_README

COMPATIBILITY_README and its html version seems to be missing from the final installation. --- postfix-files 2014-06-25 20:06:00.0 + +++ postfix-files 2015-07-22 15:38:57.0 + @@ -274,6 +274,7 @@ $readme_directory/BASIC_CONFIGURATION_README:f:root:-:644 $readme

Re: Postfix 20 years ago

On Mon, Feb 13, 2017 at 09:57:56AM +0100, Patrick Ben Koetter wrote: > Postfix is Postfix because you made it that way. It breathes your spirit, > Wietse - your standards, your strictness and your mindset. I've learned a lot > from you over all the years. > > Postfix is my role model for good soft

Re: Outbound opportunistic TLS by default?

On Wed, Dec 06, 2017 at 05:22:19PM -0600, Noel Jones wrote: > I was thinking "make install" rather than "make upgrade" is a good > enough indicator of first time install. Deciding if TLS is available > might be trickier. Source based distros like Gentoo make install to a seperate destination dir a

Re: PATCH: Keep Postfix running in the foreground

On Tue, Dec 19, 2017 at 10:01:53AM -0500, Wietse Venema wrote: > I suppose one approach is to make a Postfix container disposable, > i.e. a container is never updated with a new Postfix version, but > it is replaced with a newer one That is the common Docker approach. Images are immutable. > and

Re: PATCH: Keep Postfix running in the foreground

On Tue, Dec 19, 2017 at 10:53:38AM -0500, Wietse Venema wrote: > Postfix will bail out if it knows that the queue or data directory > are shared, because that can result in data corruption. > > How do I enforce that constraint when directories are imported into > a container from the host? I don'

Re: Keep Postfix running in the foreground

On Mon, Apr 02, 2018 at 01:21:41PM -0400, Viktor Dukhovni wrote: > A simple minder process that propagates signal to its child process > would probably solve this issue. On a somewhat related note, dumb-init[1] and tini[2] are populer choices to run as pid 1 inside containers. Perhaps, they offer

Re: Keep Postfix running in the foreground

On Tue, Apr 03, 2018 at 07:46:42PM -0400, Wietse Venema wrote: > I updated both the postfix-script file and the master daemon. > > I'd appreciate it if someone could verify that this will run the > master daemon with PID 1, and that 'postfix stop' in the container > will stop the master daemon. If

Re: Keep Postfix running in the foreground

On Wed, Apr 04, 2018 at 07:19:56PM -0400, Wietse Venema wrote: > I also need you guys to verify that with the Postfix master running > as PID=1, "docker stop" will no longer leave the master daemon > running until Docker times out and forcibly terminates everything. > > By default, "docker stop" s

Re: Outbound opportunistic TLS by default?

On Wed, Dec 19, 2018 at 02:36:50PM -0500, Viktor Dukhovni wrote: > If there are no objections, I can change the default to "may" when > TLS is compiled in. No objections for setting smtp_tls_security_level. Thanks for your effort. -- Eray

downgrading from postfix-3.4 fails - unix-dgram

Downgrading from postfix-3.4 fails with: [...] Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/smtp.8... Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/smtpd.8... Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/sp

Re: downgrading from postfix-3.4 fails - unix-dgram

On Fri, Feb 01, 2019 at 07:11:30AM -0500, Wietse Venema wrote: > Eray Aslan: > > Downgrading from postfix-3.4 fails with: > > As documented in RELEASE_NOTES. > > Incompatible changes with snapshot 20190126-nonprod > =

build failure with glibc-2.30

glibc-2.30 removed RES_INSECURE1, RES_INSECURE2 and RES_USE_INET6 symbols[1] resulting in: dns_str_resflags.c:55:13: warning: RES_AAONLY is deprecated 55 | "RES_AAONLY", RES_AAONLY, | ^ dns_str_resflags.c:57:13: warning: RES_PRIMARY is deprecated

Re: build failure with glibc-2.30

On Mon, Aug 19, 2019 at 08:51:47AM -0400, Wietse Venema wrote: > Eray Aslan: > > dns_str_resflags.c:63:22: error: ?RES_INSECURE1? undeclared here (not in a > > function); did you mean ?RES_RECURSE?? > >63 | "RES_INSECURE1", RES_INSECURE1, > > etc. Fi

Re: Segmentation fault in xsasl_dovecot_server.c

On Sun, Aug 25, 2019 at 01:23:09PM -0400, Wietse Venema wrote: > Updated patch follows. I would appreciate it if someone could verify > that this reports no errors with a real Dovecot server. PLAIN / LOGIN works as expected for me on a lightly loaded server. -- Eray

[pfx] broken links in postfix.org

Some links seem to be broken in postfix.org downloads page http://ftp.porcupine.org/mirrors/postfix-release/index.html. Example: http://ftp.porcupine.org/mirrors/postfix-release/experimental/postfix-3.9-20230419.tar.gz I also do not see a link to postfix-3.7.5, 3.6.9 etc -- Eray

[pfx] Re: Value of client certificates, was: Re: Re: [ext] list.sys4.de fails with starttls

On Mon, Sep 25, 2023 at 05:51:05PM -0400, Viktor Dukhovni via Postfix-users wrote: > Not, dangerous, just largely pointless, with *potential* complications, > unless there are servers that can actually make use of said > certificates. Can a case be made for promoting anonymous ciphers? I feel the

[pfx] DEF_DB_TYPE change?

About 10 years ago, Oracle switched the licencing for Berkeley DB to AGPL. As a result, most distributions decided to stick to the versions prior to the licence change and there were (and are) some initiatives throughout the years to stop shipping Berkeley DB at the distro level. I am also not sure

[pfx] Re: DEF_DB_TYPE change?

On Wed, Nov 01, 2023 at 09:41:07AM -0400, Wietse Venema via Postfix-users wrote: > Eray Aslan via Postfix-users: > > Having said that, Berkeley DB is mature software and it works and is > > widely available in various *nixes. Still, would it be prudent or worth > > the effort

[pfx] Re: 25 years today

On Thu, Dec 14, 2023 at 08:20:26AM -0500, Wietse Venema via Postfix-users wrote: > As a few on this list may recall, it is 25 years ago today that the > "IBM secure mailer" had its public beta release. This was accompanied > by a nice article in the New York Times business section. Thanks a lot. N