date:20150726

User Nexus:
> My question now, is it correct to use 'check_sender_access' in
> 'smtpd_client_restrictions'
> section?

smtpd_client_restrictions (default: empty)
...
   Other restrictions that are valid in this context:

   o  SMTP  command specific restrictions that are described under the
  smtpd_helo_restrictions,  smtpd_sender_restrictions   or
  smtpd_recipient_restrictions  parameters.  When  helo, sender or
  recipient restrictions are  listed  under  smtpd_client_restric-
  tions, they have effect only with "smtpd_delay_reject = yes", so
  that $smtpd_client_restrictions is evaluated at the time of  the
  RCPT TO command.

Why read documentation when you can just ask someone?

Why write documentation when people don't read it?

Wietse

Re: max connection for inbound/outbound smtp

2015-07-26 Thread Michael Peter

Thank you very much for your reply, please find my comments below.

> Michael Peter:
> [ Charset ISO-8859-1 converted... ]
>> Hi,
>>
>> master.cf
>> smtp  inet  n   -   -   -   100  smtpd
>>
>> I understand that the default concurrent simultaneous incoming smtp
>> connections is 100?
>
> There is one connection per "smtpd" process.
>
>> but what about outgoing smtp connections to remote smtpd servers? how
>> many
>> connections postfix can establish for outgoing emails to different mail
>> servers simultaneously ?

Sorry, it is my mistake since i didn't ask my question correctly.

What i meant to ask, is how many outbound processes to remote email
servers can postfix handle simultaneously (in case sending emails to many
different remove hosts and not 1 specific host)

I understand that in case send to 1 host , then
transport_destination_concurrency_limit will apply. But my question is
that incase postfix is to send to 200 different remote smtpd hosts
simultaneously , then how many outbound process postfix can handle
simultaneously  as default ? and how to increase its value ?

Many thanks again.

Peter Michael

Re: check_client_access before reject_unknown_client_hostname in smtpd_client_restrictions block

User Nexus:
> I've found the answer on my questions in the official Postfix
> documentation. Feel free to skip answering on this email.
> Thanks again.

There still is hope for humanity.

Wietse

Re: max connection for inbound/outbound smtp

Wietse:
> There is one connection per "smtpd" process.

Michael Peter:
> >> but what about outgoing smtp connections to remote smtpd servers? how
> >> many
> >> connections postfix can establish for outgoing emails to different mail
> >> servers simultaneously ?
> 
> Sorry, it is my mistake since i didn't ask my question correctly.
> 
> What i meant to ask, is how many outbound processes to remote email
> servers can postfix handle simultaneously (in case sending emails to many
> different remove hosts and not 1 specific host)

There is one connection per "smtp" process. You configure the process
limit (and therefore the maximum number of connections) in master.cf. 

See also:
http://www.postfox.org/TUNING_README.html
http://www.postfox.org/QSHAPE_README.html

Wietse

Re: max connection for inbound/outbound smtp

2015-07-26 Thread Benny Pedersen


wie...@porcupine.org skrev den 2015-07-26 15:38:


See also:
http://www.postfox.org/TUNING_README.html
http://www.postfox.org/QSHAPE_README.html


incorrect domain

Re: Problems with incoming mails from outlook.com

On Sun, Jul 26, 2015 at 08:58:52AM +0200, Moritz Schmitt wrote:

> Thanks a lot for your very helpful reply!
> 
> I implemented all the changes you suggested and now it works. My late
> reply is due to the fact that I needed to wait for another mail from
> outlook.com to see if everything works.
> 
> What I find a little odd about outlook.com's behavior is that if it
> isn't able to establish a TLS connection to my server, that it doesn't
> retry an unencrypted connection. So in a sense they are treating my
> 'opportunistic TLS' as 'mandatory TLS'.

I am glad to hear that the recommended configuration tweaks worked.
This suggests that the problem analysis was very likely correct.

According to my outlook.com/microsoft contacts [Bcc'd], the expected
behaviour is cleartext retries.  I don't know why that did not
happen for your domain.

In any case, I am still optimistic that it will be possible to
improve the opportunistic TLS support on the outlook.com side.  I
don't think it makes sense to switch from TLS to cleartext just
becase the TLS crypto parameters were not "secure enough".  Surely
cleartext is not more secure than somewhat dated crypto algorithms!

That said, dated algorithms need not be supported in perpetuity,
rather with opportunistic TLS we support them while they are still
required for interoperability with a sufficient number of peers.

Once better options are nearly universally available, and disabling
the deprecated algorithms causes no significant uptick in cleartext
use, then the deprecated algorithms can be disabled.

In the case of "export" ciphersuites, as a result of "logjam" it
is possible to downgrade security even for clients that don't
support "export" ciphers.  Thus, just recently, Postfix 3.0.2 and
the other supported stable releases were all updated to by default
no longer use "export" ciphers, SSLv2, SSLv3, or single-DES.  None
of these are believed to be needed to interoperate with a non-negligible
number of mail servers on the public Internet.  Sites that still
need (say SSLv3) can reenable that as needed.

On the other hand, systems that only support RC4 are still somewhat
common.  Though RC4 is deprecated, it is (for now) premature to
refuse TLS with such systems.

Not that when using unauthenticated opportunistic TLS, SMTP clients
ignore inability to authenticate server certificates (untrusted
chains and "wrong" subject names are tolerated).  It then makes
little sense to insist that no deprecated algorithms are used in
the ignored certificates.

Therefore, in unauthenticated opportunistic TLS, *all* certificate
"problems" should be ignored.  The threat model is passive-monitoring
not active attack.  Encrypt if at all possible, regardless of any
certificate chain defects.

https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-19#section-1.3

If for a particular destination, authentication is employed, *then*
make sure the certificate can be adequately trusted (but signature
algorithms in self-signed "root" certificates should still be
ignored).

Thanks for the follow-up message, good luck.

-- 
Viktor.

Going through Google spam filters

Hello,

I apologize in advance because my problem is not strictly related to
postfix, but I don't know another mailing list with helpful people with
enough knowledge of the of the subject.

I have my personal emails handled by my own setup hosted on a virtual
private server.  Since a while (I believe it is now a year or so) Gmail
classifies all my emails as spam. I believe I correctly setup SPF and
DKIM, and the headers in the messages as received on the Gmail side seem
to suggest that Gmail correctly validates both of those checks. However,
this does not not seem to help in making them going through.

The volume of email I send through this server is extremely low (it
handles only my personal email and I'm the only active user).

Currently I'm able to send emails to my address @gmail.com from the
email address I'm currently using without having them classified as
spam, but not from any email address having a different local part. I
believe this is because my @grinta.net email address is white listed for
my @gmail.com email address.

Of course, Google does not care about the issue.

There is something I can do to have my emails accepted by Google?

Thank you very much.

Cheers,
Daniele

Re: Going through Google spam filters

I have a similar setup and don't (as far as I know) have any issues.
Two things that will likely help you a lot:

1) Setup DMARC (SPF+DKIM) for your domain:
https://support.google.com/a/answer/2466580?hl=en.

2) Register/verify your domain(s) at https://postmaster.google.com/u/0/

HTH!
Regards,
Raman

On 07/26/2015 12:16 PM, Daniele Nicolodi wrote:
> Hello,
> 
> I apologize in advance because my problem is not strictly related to
> postfix, but I don't know another mailing list with helpful people with
> enough knowledge of the of the subject.
> 
> I have my personal emails handled by my own setup hosted on a virtual
> private server.  Since a while (I believe it is now a year or so) Gmail
> classifies all my emails as spam. I believe I correctly setup SPF and
> DKIM, and the headers in the messages as received on the Gmail side seem
> to suggest that Gmail correctly validates both of those checks. However,
> this does not not seem to help in making them going through.
> 
> The volume of email I send through this server is extremely low (it
> handles only my personal email and I'm the only active user).
> 
> Currently I'm able to send emails to my address @gmail.com from the
> email address I'm currently using without having them classified as
> spam, but not from any email address having a different local part. I
> believe this is because my @grinta.net email address is white listed for
> my @gmail.com email address.
> 
> Of course, Google does not care about the issue.
> 
> There is something I can do to have my emails accepted by Google?
> 
> Thank you very much.
> 
> Cheers,
> Daniele
>

Re: Going through Google spam filters

And:

3) Make sure the reverse DNS for the IP you use to send mail is
configured to point to your own domain and not your VPS provider's domain:

dig -x 

Regards,
Raman

On 07/26/2015 12:40 PM, Raman Gupta wrote:
> I have a similar setup and don't (as far as I know) have any issues.
> Two things that will likely help you a lot:
> 
> 1) Setup DMARC (SPF+DKIM) for your domain:
> https://support.google.com/a/answer/2466580?hl=en.
> 
> 2) Register/verify your domain(s) at https://postmaster.google.com/u/0/
> 
> HTH!
> Regards,
> Raman
> 
> On 07/26/2015 12:16 PM, Daniele Nicolodi wrote:
>> Hello,
>>
>> I apologize in advance because my problem is not strictly related to
>> postfix, but I don't know another mailing list with helpful people with
>> enough knowledge of the of the subject.
>>
>> I have my personal emails handled by my own setup hosted on a virtual
>> private server.  Since a while (I believe it is now a year or so) Gmail
>> classifies all my emails as spam. I believe I correctly setup SPF and
>> DKIM, and the headers in the messages as received on the Gmail side seem
>> to suggest that Gmail correctly validates both of those checks. However,
>> this does not not seem to help in making them going through.
>>
>> The volume of email I send through this server is extremely low (it
>> handles only my personal email and I'm the only active user).
>>
>> Currently I'm able to send emails to my address @gmail.com from the
>> email address I'm currently using without having them classified as
>> spam, but not from any email address having a different local part. I
>> believe this is because my @grinta.net email address is white listed for
>> my @gmail.com email address.
>>
>> Of course, Google does not care about the issue.
>>
>> There is something I can do to have my emails accepted by Google?
>>
>> Thank you very much.
>>
>> Cheers,
>> Daniele
>>

Re: Going through Google spam filters

Daniele Nicolodi:
> Currently I'm able to send emails to my address @gmail.com from the
> email address I'm currently using without having them classified as
> spam, but not from any email address having a different local part. I
> believe this is because my @grinta.net email address is white listed for
> my @gmail.com email address.
> 
> Of course, Google does not care about the issue.

Maybe this helps:

Go to your Mail settings and Accounts tab and add the address
you are forwarding from to 'Send mail as'. This is a new feature
from user requests, where Gmail will detect that you forwarded
from that account and help prevent displaying a phishing warning.

https://support.google.com/a/answer/175365?hl=en

Wietse

Re: Going through Google spam filters

On 26/07/15 18:47, Wietse Venema wrote:
> Daniele Nicolodi:
>> Currently I'm able to send emails to my address @gmail.com from the
>> email address I'm currently using without having them classified as
>> spam, but not from any email address having a different local part. I
>> believe this is because my @grinta.net email address is white listed for
>> my @gmail.com email address.
>>
>> Of course, Google does not care about the issue.
> 
> Maybe this helps:
> 
> Go to your Mail settings and Accounts tab and add the address
> you are forwarding from to 'Send mail as'. This is a new feature
> from user requests, where Gmail will detect that you forwarded
> from that account and help prevent displaying a phishing warning.
> 
> https://support.google.com/a/answer/175365?hl=en

Hello Wietse,

thanks for your reply. However, this is not the problem.

Maybe I was not clear in my explanation: I'm nor trying to forward
emails to Gmail accounts, I'm simply trying to deliver mail to Gmail
accounts. Sending emails with different source addresses to a Gmail
address I control is only a test I'm doing to check how Gmail handles my
emails.

Cheers,
Daniele

Re: Going through Google spam filters

On 26/07/15 18:46, Raman Gupta wrote:
> And:
> 
> 3) Make sure the reverse DNS for the IP you use to send mail is
> configured to point to your own domain and not your VPS provider's domain:
> 
> dig -x 
> 
> Regards,
> Raman
> 
> On 07/26/2015 12:40 PM, Raman Gupta wrote:
>> I have a similar setup and don't (as far as I know) have any issues.
>> Two things that will likely help you a lot:
>>
>> 1) Setup DMARC (SPF+DKIM) for your domain:
>> https://support.google.com/a/answer/2466580?hl=en.
>>
>> 2) Register/verify your domain(s) at https://postmaster.google.com/u/0/

Hello Raman,

thank for your reply.

I didn't know about the possibility of registering domains with google.
Even if I think this is a violation of the principle of a federated
service like email is supposed to be, and it is usggested only for bulk
email senders and I'm definitely not in the category, I registered my
domain now, let's see if this helps.

Reverse dns resolution, SPF, and DKIM are all set correctly. I don't
want to implement DMARC because it seem to play badly with most mailing
list managers.

Cheers,
Daniele

Exploring DANE and Postfix

2015-07-26 Thread Mike

Postfix 2.11.5 on FreeBSD 10.1 AMD64

I'm starting to look at implementing DANE on Postfix, and I have a
question or two...

Reading the info here:
http://www.postfix.org/TLS_README.html#client_tls_dane

I see the following prerequisite:
"A compile-time DNS resolver library that supports DNSSEC. Postfix
binaries built on an older system will not support DNSSEC even if
deployed on a system with an updated resolver library."


I'm running unbound as my local resolver, but I don't know what Postfix
was compiled with, as I installed it from a FreeBSD package.  Is there a
way to see if this prerequisite has been satisfied by the version of
Postfix I am running on my system.



Another question - let's suppose I have succeeded in implementing DANE.
 Will I see any evidence of that success in the Postfix logs or message
headers (such as I see for TLS)?

thx.

Re: Going through Google spam filters

Daniele Nicolodi:
> On 26/07/15 18:47, Wietse Venema wrote:
> > Daniele Nicolodi:
> >> Currently I'm able to send emails to my address @gmail.com from the
> >> email address I'm currently using without having them classified as
> >> spam, but not from any email address having a different local part. I
> >> believe this is because my @grinta.net email address is white listed for
> >> my @gmail.com email address.
> >>
> >> Of course, Google does not care about the issue.
> > 
> > Maybe this helps:
> > 
> > Go to your Mail settings and Accounts tab and add the address
> > you are forwarding from to 'Send mail as'. This is a new feature
> > from user requests, where Gmail will detect that you forwarded
> > from that account and help prevent displaying a phishing warning.
> > 
> > https://support.google.com/a/answer/175365?hl=en
> 
> Hello Wietse,
> 
> thanks for your reply. However, this is not the problem.
> 
> Maybe I was not clear in my explanation: I'm nor trying to forward

You did not try it. Good for you.

Wietse

Re: Going through Google spam filters

2015-07-26 Thread DTNX Postmaster

On 26 Jul 2015, at 18:16, Daniele Nicolodi  wrote:

> Hello,
> 
> I apologize in advance because my problem is not strictly related to
> postfix, but I don't know another mailing list with helpful people with
> enough knowledge of the of the subject.
> 
> I have my personal emails handled by my own setup hosted on a virtual
> private server.  Since a while (I believe it is now a year or so) Gmail
> classifies all my emails as spam. I believe I correctly setup SPF and
> DKIM, and the headers in the messages as received on the Gmail side seem
> to suggest that Gmail correctly validates both of those checks. However,
> this does not not seem to help in making them going through.
> 
> The volume of email I send through this server is extremely low (it
> handles only my personal email and I'm the only active user).
> 
> Currently I'm able to send emails to my address @gmail.com from the
> email address I'm currently using without having them classified as
> spam, but not from any email address having a different local part. I
> believe this is because my @grinta.net email address is white listed for
> my @gmail.com email address.
> 
> Of course, Google does not care about the issue.
> 
> There is something I can do to have my emails accepted by Google?
> 
> Thank you very much.

I am beginning to suspect that, if you're doing everything right in 
terms of configuration and whatnot, your only remaining option is 
basically to ask everyone you send mail to to check their spam folder 
and explicitly mark you as wanted, solicited mail. Google's spam AI 
system just gets it wrong too often these days, and you're basically 
without recourse if you don't have any weight to throw around.

You're certainly not the only one;
http://jacquesmattheij.com/ham-or-spam-gmail-not-to-be-trusted-for-important-mail

And I've seen similar unreliability with the accounts we have for 
testing and the like. Gmail isn't the only one either, we're seeing 
mail disappear within Hotmail's infrastructure as well, and it's pretty 
much impossible to get them to acknowledge this as a problem.

I would however have another look at your DNS configuration. Here's the 
relevant header;

==
Received: from zed.grinta.net (grinta.net [109.74.203.128])
by english-breakfast.cloud9.net (Postfix) with ESMTP id ABBED330874
for ; Sun, 26 Jul 2015 12:16:38 -0400 (EDT)
==

That's already a mismatch that might be throwing them off, triggering 
some kind of classification error. Pick a hostname, not a domain name, 
and stick to that for everything. One (1) hostname that matches every 
which way you might slice it.

So instead of this;

==
$ host 109.74.203.128
128.203.74.109.in-addr.arpa domain name pointer grinta.net.
==
$ host grinta.net
grinta.net has address 109.74.203.128
grinta.net mail is handled by 10 smtp.grinta.net.
==
$ host smtp.grinta.net
smtp.grinta.net is an alias for grinta.net.
grinta.net has address 109.74.203.128
grinta.net mail is handled by 10 smtp.grinta.net.
==
$ host zed.grinta.net
zed.grinta.net is an alias for grinta.net.
grinta.net has address 109.74.203.128
grinta.net mail is handled by 10 smtp.grinta.net.
==

Make everything 'zed.grinta.net', forward and reverse, including your 
MX record, and create CNAME records for your convenience, such as mail 
client configuration. If you need an A apex record, just create that 
separately, don't use it for sending mail.

HTH,
Joni

Re: Exploring DANE and Postfix

On Sun, Jul 26, 2015 at 01:50:58PM -0400, Mike wrote:

> I'm starting to look at implementing DANE on Postfix, and I have a
> question or two...
> 
> Reading the info here:
> http://www.postfix.org/TLS_README.html#client_tls_dane
> 
> I see the following prerequisite:
>
> "A compile-time DNS resolver library that supports DNSSEC. Postfix
> binaries built on an older system will not support DNSSEC even if
> deployed on a system with an updated resolver library."

Basically, support for the resolver flags "RES_USE_DNSSEC" and
"RES_USE_EDNS0", that's been in BSD systems for quite some time.

> I'm running unbound as my local resolver, but I don't know what Postfix
> was compiled with, as I installed it from a FreeBSD package.

It is the C and/or libresolv libraries on the build system that
determine DNS features.  If the FreeBSD release was not ancient,
you're likely fine.

> Is there a way to see if this prerequisite has been satisfied by the
> version of Postfix I am running on my system.

Send mail to one of the known DANE TLSA domains (after enabling DANE
per the documentation):

sendmail -bv postmas...@ietf.org
sendmail -bv postmas...@freebsd.org
sendmail -bv postmas...@debian.org
sendmail -bv postmas...@openssl.org
sendmail -bv postmas...@samba.org
sendmail -bv postmas...@torproject.org

and check the logs to see whether the TLS authentication status was
"Verified".

> Another question - let's suppose I have succeeded in implementing DANE.
>  Will I see any evidence of that success in the Postfix logs or message
> headers (such as I see for TLS)?

Just the logs, when you send mail to a DANE-enabled domain.  There
are not very many of these yet, but the numbers are growing, ~1550
in my survey, but only 21 "large enough" to appear in Google's
email "transparency" dataset.

https://www.google.com/transparencyreport/saferemail/

A very large fraction of the domains are in Germany, where
prominent adopters include:

bayern.de
bund.de
jpberlin.de
lrz.de
posteo.de
tum.de
unitymedia.de
mailbox.org

-- 
Viktor.

Re: Exploring DANE and Postfix

Mike:
> Postfix 2.11.5 on FreeBSD 10.1 AMD64
> 
> I'm starting to look at implementing DANE on Postfix, and I have a
> question or two...
> 
> Reading the info here:
> http://www.postfix.org/TLS_README.html#client_tls_dane
> 
> I see the following prerequisite:
> "A compile-time DNS resolver library that supports DNSSEC. Postfix
> binaries built on an older system will not support DNSSEC even if
> deployed on a system with an updated resolver library."

Postfix needs to be build on a system where libresolv supports
DNSSEC.  This is already available in a FreeBSD 7.2 virtual machine
that I have lying around.

freebsd72% grep RES_USE_DNSSEC /usr/include/resolv.h
#define RES_USE_DNSSEC  0x0020  /*%< use DNSSEC using OK bit in OPT */

> I'm running unbound as my local resolver, but I don't know what Postfix
> was compiled with, as I installed it from a FreeBSD package.  Is there a
> way to see if this prerequisite has been satisfied by the version of
> Postfix I am running on my system.

% strings /usr/libexec/postfix/smtp | grep -i tlsa
lmtp_tls_force_insecure_host_tlsa_lookup
smtp_tls_force_insecure_host_tlsa_lookup
TLSA lookup error for %s:%u
no TLSA records found
TLSA records unusable
 
> Another question - let's suppose I have succeeded in implementing DANE.
>  Will I see any evidence of that success in the Postfix logs or message
> headers (such as I see for TLS)?

With opportunistic TLSA, I suppose it will say something.

Wietse

Re: Going through Google spam filters

On Sun, Jul 26, 2015 at 07:59:48PM +0200, DTNX Postmaster wrote:

> Make everything 'zed.grinta.net', forward and reverse, including your 
> MX record, and create CNAME records for your convenience, such as mail 
> client configuration. If you need an A apex record, just create that 
> separately, don't use it for sending mail.

Read that carefully, the hostname in the MX record SHOULD NOT be
a CNAME:

Good:

example.com IN MX foo.example.com.
foo.example.com. IN A 192.0.2.1

Not good:

example.com IN MX foo.example.com.
foo.example.com. IN CNAME bar.example.com.
bar.example.com. IN A 192.0.2.1

The second form is tolerated by most MTAs, but violates RFC
reqirements to avoid CNAMEs on the right hand side of MX records.

-- 
Viktor.

Re: Going through Google spam filters

2015-07-26 Thread DTNX Postmaster

On 26 Jul 2015, at 20:12, Viktor Dukhovni  wrote:

> On Sun, Jul 26, 2015 at 07:59:48PM +0200, DTNX Postmaster wrote:
> 
>> Make everything 'zed.grinta.net', forward and reverse, including your 
>> MX record, and create CNAME records for your convenience, such as mail 
>> client configuration. If you need an A apex record, just create that 
>> separately, don't use it for sending mail.
> 
> Read that carefully, the hostname in the MX record SHOULD NOT be
> a CNAME:
> 
>Good:
> 
>   example.com IN MX foo.example.com.
>   foo.example.com. IN A 192.0.2.1
> 
>Not good:
> 
>   example.com IN MX foo.example.com.
>   foo.example.com. IN CNAME bar.example.com.
>   bar.example.com. IN A 192.0.2.1
> 
> The second form is tolerated by most MTAs, but violates RFC
> reqirements to avoid CNAMEs on the right hand side of MX records.

Yes, that's why I am saying 'forward and reverse' before MX :-)

As in, specific to the original poster's configuration, the DNS lookup 
results should look like this;

==
$ host zed.grinta.net
zed.grinta.net has address 109.74.203.128
==
$ host 109.74.203.128
128.203.74.109.in-addr.arpa domain name pointer zed.grinta.net.
==
$ host grinta.net
grinta.net has address 109.74.203.128
grinta.net mail is handled by 10 zed.grinta.net.
==
$ host smtp.grinta.net
smtp.grinta.net is an alias for zed.grinta.net.
zed.grinta.net has address 109.74.203.128
==

Mvg,
Joni

Re: Exploring DANE and Postfix

2015-07-26 Thread Mike

On 7/26/2015 2:06 PM, Viktor Dukhovni wrote:
> On Sun, Jul 26, 2015 at 01:50:58PM -0400, Mike wrote:
[snip]
> 
>> Is there a way to see if this prerequisite has been satisfied by the
>> version of Postfix I am running on my system.
> 
> Send mail to one of the known DANE TLSA domains (after enabling DANE
> per the documentation):
> 
>   sendmail -bv postmas...@ietf.org
>   sendmail -bv postmas...@freebsd.org
>   sendmail -bv postmas...@debian.org
>   sendmail -bv postmas...@openssl.org
>   sendmail -bv postmas...@samba.org
>   sendmail -bv postmas...@torproject.org
> 
> and check the logs to see whether the TLS authentication status was
> "Verified".

I happened to subscribe to the dane-users mailing list a few minutes ago
and [surprise!] its server is DANE-enabled.

>> Another question - let's suppose I have succeeded in implementing DANE.
>>  Will I see any evidence of that success in the Postfix logs or message
>> headers (such as I see for TLS)?
> 
> Just the logs, when you send mail to a DANE-enabled domain. 

This is what I see in the log with a TLS-enabled server:

 postfix/smtp: Trusted TLS connection established to ...

This is what I see for a DANE-enabled server:

 postfix/smtp: Verified TLS connection established to ...

Now I need to wait a few more days for my MTA's domain to transfer to a
DNSSEC-capable registrar and I'll set up it for DANE.

Many thanks for the comments.

Re: Exploring DANE and Postfix

2015-07-26 Thread Mike

On 7/26/2015 2:11 PM, Wietse Venema wrote:
[snip]
> 
> Postfix needs to be build on a system where libresolv supports
> DNSSEC.  This is already available in a FreeBSD 7.2 virtual machine
> that I have lying around.

I'm running on FreeBSD 10.1, and it looks fine.

Many thanks for the comments.

Re: Going through Google spam filters

On 26/07/15 19:59, DTNX Postmaster wrote:
> I would however have another look at your DNS configuration. Here's the 
> relevant header;
> 
> ==
> Received: from zed.grinta.net (grinta.net [109.74.203.128])
>   by english-breakfast.cloud9.net (Postfix) with ESMTP id ABBED330874
>   for ; Sun, 26 Jul 2015 12:16:38 -0400 (EDT)
> ==
> 
> That's already a mismatch that might be throwing them off, triggering 
> some kind of classification error. Pick a hostname, not a domain name, 
> and stick to that for everything. One (1) hostname that matches every 
> which way you might slice it.

[snip]

> Make everything 'zed.grinta.net', forward and reverse, including your 
> MX record, and create CNAME records for your convenience, such as mail 
> client configuration. If you need an A apex record, just create that 
> separately, don't use it for sending mail.

Hello Joni,

thanks for the hint.

Just to be sure, you are suggesting to make zed.grinta.net an A record,
instead of a CNAME, have the MX record point to zed.grinta.net, and
change smtp.grinta.net from being a CNAME of grinta.net to being a CNAME
of zed.grinta.net.

It definitely makes sense. Doing it now.

Thanks. Cheers,
Daniele

Re: Going through Google spam filters

On 26/07/15 19:51, Wietse Venema wrote:
> Daniele Nicolodi:
>> On 26/07/15 18:47, Wietse Venema wrote:
>>> Daniele Nicolodi:
 Currently I'm able to send emails to my address @gmail.com from the
 email address I'm currently using without having them classified as
 spam, but not from any email address having a different local part. I
 believe this is because my @grinta.net email address is white listed for
 my @gmail.com email address.

 Of course, Google does not care about the issue.
>>>
>>> Maybe this helps:
>>>
>>> Go to your Mail settings and Accounts tab and add the address
>>> you are forwarding from to 'Send mail as'. This is a new feature
>>> from user requests, where Gmail will detect that you forwarded
>>> from that account and help prevent displaying a phishing warning.
>>>
>>> https://support.google.com/a/answer/175365?hl=en
>>
>> Hello Wietse,
>>
>> thanks for your reply. However, this is not the problem.
>>
>> Maybe I was not clear in my explanation: I'm nor trying to forward
> 
> You did not try it. Good for you.

Hello Wietse,

I may have dismissed what you proposed a bit too quickly but I don't
really understand how setting this option for a test account will affect
my ability to send email to other Gmail accounts.

Do you have empirical evidence of this setting somehow influencing the
reputation of a domain as seen by the Google infrastructure?

Thank you. Cheers,
Daniele

Re: Going through Google spam filters

On 07/26/2015 01:04 PM, Daniele Nicolodi wrote:
> On 26/07/15 18:46, Raman Gupta wrote:
>> And:
>>
>> 3) Make sure the reverse DNS for the IP you use to send mail is
>> configured to point to your own domain and not your VPS provider's domain:
>>
>> dig -x 
>>
>> Regards,
>> Raman
>>
>> On 07/26/2015 12:40 PM, Raman Gupta wrote:
>>> I have a similar setup and don't (as far as I know) have any issues.
>>> Two things that will likely help you a lot:
>>>
>>> 1) Setup DMARC (SPF+DKIM) for your domain:
>>> https://support.google.com/a/answer/2466580?hl=en.
>>>
>>> 2) Register/verify your domain(s) at https://postmaster.google.com/u/0/
> 
> Hello Raman,
> 
> thank for your reply.
> 
> I didn't know about the possibility of registering domains with google.
> Even if I think this is a violation of the principle of a federated
> service like email is supposed to be, and it is usggested only for bulk
> email senders and I'm definitely not in the category, I registered my
> domain now, let's see if this helps.

Agreed, but given that Gmail has 900 million users [1], I can allow
Google some slack on this.

[1] https://plus.google.com/+Gmail/posts/AjktcDswdKh

> Reverse dns resolution, SPF, and DKIM are all set correctly. I don't
> want to implement DMARC because it seem to play badly with most mailing
> list managers.

It does, but you probably shouldn't be worried about that. According
to your initial description, you are likely not hosting any mailing
lists on your domain, so DMARC's problems in this area don't apply to you.

That being said, you may have an objection to DMARC *in principle*
because of its known problems with mailing lists, and therefore refuse
to implement it on your own domains. That's your choice of course, but
the fact is that very large ESPs including Yahoo, Microsoft, and
Google [2] are all using it extensively, and your deliverability
percentages will almost certainly be better with it enabled. Plus you
can get great feedback on deliverability and your domain's mail
origination points. For example, I identified a few little
misconfigurations of various smartphones and such after implementation
on my domains.

Personally I think DMARC is pretty good because it enables feedback
loops for everyone, rather than just those players big enough to
arrange private back-channels with ESPs.

[2] https://dmarcian.com/dmarc-status/

Regards,
Raman

Re: Going through Google spam filters

Daniele Nicolodi:
> >>> Maybe this helps:
> >>>
> >>> Go to your Mail settings and Accounts tab and add the address
> >>> you are forwarding from to 'Send mail as'. This is a new feature
> >>> from user requests, where Gmail will detect that you forwarded
> >>> from that account and help prevent displaying a phishing warning.
> >>>
> >>> https://support.google.com/a/answer/175365?hl=en
> >>
> >> Hello Wietse,
> >>
> >> thanks for your reply. However, this is not the problem.
> >>
> >> Maybe I was not clear in my explanation: I'm nor trying to forward
> > 
> > You did not try it. Good for you.
> 
> Hello Wietse,
> 
> I may have dismissed what you proposed a bit too quickly but I don't
> really understand how setting this option for a test account will affect
> my ability to send email to other Gmail accounts.

Based on this:

"Currently I'm able to send emails to my address @gmail.com
from the email address I'm currently using without having them
classified as spam, but not from any email address having a
different local part."

The problem is that different accounts in your domain receive
different treatments, when they send mail to one Gmail account.

I didn't read that as a problem sending mail to different Gmail
accounts.

> Do you have empirical evidence of this setting somehow influencing the
> reputation of a domain as seen by the Google infrastructure?

No, but I have empirical evidence that Google documentation should
sometimes not be taken too literally (disclosure: I work there).

That said, perhaps I should not have taken your question too
literally, either. What started as a problem with different senders
in your domain sending mail to one Gmail recipient, has become a
problem with sending mail to different Gmail recipients.

With the Google pointer one can tell Gmail to treat some addresses
as "equivalent". I don't know if it works only when those different
addresses are used as a recipient (as when mail is forwarded), or
if it also applies when those different addresses are used as a
sender (as in your original question). That's the part about taking
documentation not too literally.

In any case, I agree that you need to clean up your DNS, so that
the Received: header shows zed.grinta.net as the sending host, not
grinta.net.

Definitely:
grinta.net. IN MX pref zed.grinta.net.
zed.grinta.net. IN A 109.74.203.128
128.203.74.109.in-addr.arpa. IN PTR zed.grinta.net.

Maybe:
grinta.net. IN A 109.74.203.128

Not:
128.203.74.109.in-addr.arpa. IN PTR grinta.net.

Wietse

Re: Going through Google spam filters

Oh one more thing that is a total guess on my part and I have no idea
whether it would help or not... but it couldn't hurt: implement IPv6
on your domain and publish a  record for your MX (with the
appropriate reverse DNS).

My wild-ass reasoning: a lot of spam-bots are home machines that still
do not have IPv6 addresses, whereas most serious non-spam servers
almost certainly would publish them. Perhaps Google's filtering
recognizes this and negatively scores a lack of IPv6 on the
originating server and/or domain. I do note that most of the
connections inbound to my systems from Google are IPv6 connections so
Google definitely looks for  addresses.

Regards,
Raman

On 07/26/2015 12:46 PM, Raman Gupta wrote:
> And:
> 
> 3) Make sure the reverse DNS for the IP you use to send mail is
> configured to point to your own domain and not your VPS provider's domain:
> 
> dig -x 
> 
> Regards,
> Raman
> 
> On 07/26/2015 12:40 PM, Raman Gupta wrote:
>> I have a similar setup and don't (as far as I know) have any issues.
>> Two things that will likely help you a lot:
>>
>> 1) Setup DMARC (SPF+DKIM) for your domain:
>> https://support.google.com/a/answer/2466580?hl=en.
>>
>> 2) Register/verify your domain(s) at https://postmaster.google.com/u/0/
>>
>> HTH!
>> Regards,
>> Raman
>>
>> On 07/26/2015 12:16 PM, Daniele Nicolodi wrote:
>>> Hello,
>>>
>>> I apologize in advance because my problem is not strictly related to
>>> postfix, but I don't know another mailing list with helpful people with
>>> enough knowledge of the of the subject.
>>>
>>> I have my personal emails handled by my own setup hosted on a virtual
>>> private server.  Since a while (I believe it is now a year or so) Gmail
>>> classifies all my emails as spam. I believe I correctly setup SPF and
>>> DKIM, and the headers in the messages as received on the Gmail side seem
>>> to suggest that Gmail correctly validates both of those checks. However,
>>> this does not not seem to help in making them going through.
>>>
>>> The volume of email I send through this server is extremely low (it
>>> handles only my personal email and I'm the only active user).
>>>
>>> Currently I'm able to send emails to my address @gmail.com from the
>>> email address I'm currently using without having them classified as
>>> spam, but not from any email address having a different local part. I
>>> believe this is because my @grinta.net email address is white listed for
>>> my @gmail.com email address.
>>>
>>> Of course, Google does not care about the issue.
>>>
>>> There is something I can do to have my emails accepted by Google?
>>>
>>> Thank you very much.
>>>
>>> Cheers,
>>> Daniele
>>>
>

Re: PATCH: Wildcard key and inline-maps

2015-07-26 Thread Dominik Chilla

Hello Wietse,

thank you for your extremly fast solution! Of course I´ll test your
patch ASAP.

I appreciate your work very much.

A lot of greetings from Germany,
Dominik

Am 26.07.2015 um 01:46 schrieb Wietse Venema:

Wietse Venema:

I'm thinking of adding multi-table lookup (similar to canonical_maps,
transport_maps, and other _maps features that can search more than
one table. Then one could say:

check_mumble_access maps:{inline:{key=value, ...}, static:{reject text...}}

Being able to search multiple maps can be useful as a general feature.

Based on the analysis in my previous response I have implemented

check_mumble_access {type1:name1, ..., typeN:nameN}

The difference with the syntax in my first reply is that there is
no "maps:" before the "{".

The queries are now implemented with the same code that is already
used for all Postfix features whose name ends in _maps. This
eliminates a problem in the earlier design involving queries for
substrings of a domain name, of an email address, or of a network
address.

If you feel adventurous you can try this patch for Postfix 3.0 and
later. It passes regression tests, but has not been used in real life.

ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20150725-multi-access-maps.gz
ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20150725-multi-access-maps.gz.asc
ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20150725-multi-access-maps.gz.sig

Wietse

Re: SPF and forwarding

2015-07-26 Thread Alex Regan


Hi,

On 07/26/2015 01:34 AM, Robert Schetterer wrote:

Am 26.07.2015 um 03:04 schrieb Alex:

Hi,

I have a postfix-2.10.5 server on fedora, and have several users that
forward their mail through to gmail. This is apparently enough to
break SPF and make gmail think I'm the originator of the email,
instead of the actual sender. Consequently, gmail considers it spam
and moves it to a spam folder.

Is there anything I can do, including somehow rewriting the email, to
get gmail (and others, for that matter) to accept these forwarded
emails without considering them spam?

Can they be rewritten using our SPF information, somehow?


...





https://de.wikipedia.org/wiki/Sender_Rewriting_Scheme

perhaps with fedora read

https://www.mind-it.info/forward-postfix-spf-srs/
https://github.com/roehling/postsrsd


That sounds like a great solution, but it appears to rewrite every 
address, not just those which are to be forwarded:


- Due to the way PostSRSd is integrated with Postfix, sender addresses
  will always be rewritten even if the mail is not forwarded at all.
  This is because the canonical maps are read by the cleanup daemon,
  which processes mails at the very beginning before any routing
  decision is made.

Have you used this? Is that the proper way to interpret what it does, 
that it affects every "From" address?


Thanks,
Alex

Re: PATCH: Wildcard key and inline-maps

2015-07-26 Thread Dominik Chilla

I applied your patch to version 3.1-20150721 successfully and specified 
the map like this:


smtpd_sender_restrictions =
[...]
  check_sender_access { inline:{ send...@example.org=OK }, static: { 
REJECT BAD SENDER } }


Unfortunately, while reloading/restarting postfix following 
warning/error appears:


/usr/sbin/postconf: warning: main.cf: syntax error after '}' in "{ 
send...@zwackl.de=OK }, static: { REJECT BAD SENDER } }"


What am I doing wrong?

Dominik


Am 26.07.2015 um 23:28 schrieb Dominik Chilla:

Hello Wietse,

thank you for your extremly fast solution! Of course I´ll test your 
patch ASAP.


I appreciate your work very much.

A lot of greetings from Germany,
Dominik

Am 26.07.2015 um 01:46 schrieb Wietse Venema:

Wietse Venema:

I'm thinking of adding multi-table lookup (similar to canonical_maps,
transport_maps, and other _maps features that can search more than
one table.  Then one could say:

  check_mumble_access maps:{inline:{key=value, ...}, static:{reject 
text...}}


Being able to search multiple maps can be useful as a general feature.

Based on the analysis in my previous response I have implemented

 check_mumble_access {type1:name1, ..., typeN:nameN}

The difference with the syntax in my first reply is that there is
no "maps:" before the "{".

The queries are now implemented with the same code that is already
used for all Postfix features whose name ends in _maps.  This
eliminates a problem in the earlier design involving queries for
substrings of a domain name, of an email address, or of a network
address.

If you feel adventurous you can try this patch for Postfix 3.0 and
later. It passes regression tests, but has not been used in real life.

ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20150725-multi-access-maps.gz 

ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20150725-multi-access-maps.gz.asc 

ftp://ftp.porcupine.org/mirrors/postfix-release/experimental/feature-patches/20150725-multi-access-maps.gz.sig 



Wietse

Re: TLS Quick start question