Re: master.cf - multi IPv6 bindings but single IPv4 fallback in mixedmode possible??
On 08/27/2015 05:01 AM, dravion.sm...@gmx.net wrote:
> Hi John
>
> I just moved the topic off the devel list
>
> > from the postfix side you can do it without multiple instances. You'd
> > need an additional lmtp transport in master.cf with customized settings
> > for lmtp_bind_address/lmtp_bind_address6 and myhostname (using the -o to
> > set options), to which you would specifically direct email for that
> > domain by setting up a transport table entry.
>
> Yeah, I was able to figure that thing out. Dovecot now runs in
> multi-instance mode and is connected to postfix, with different -o smtp
> entries in master.cf for each MTA per domain: smtp.mydomain01.com,
> smtp.mydomain02.com, etc. But unfortunately the Received from: header in
> Thunderbird and other mail clients is still pointing to smtp.mydomain01.com
> even if it was sent to smtp.mydomain02.com.

You are using lmtp not smtp to connect to dovecot. If you've set up new smtp entries in master.cf that will affect only email you're sending out to other mail servers, not the email you're delivering to dovecot. Also you would need per domain transport table entries.

> Maybe it's an IPv6 to IPv4 translation problem and the MTA falling back
> to my secondary IPv4 MX entry, because a lot of mail companies seem
> to support IPv4 only and not accept IPv6.

Although with enough time and effort you could get it to work between postfix and dovecot to have the domain dependent host name in the dovecot received header, you'll never get a complete implementation. The email you hand off to other mail servers via your single ipv4 address will always come from the hostname you've set up for it. At this point you might consider if it is really worth it.
postfix setup best practice question
Dear All,

I would like to realize a postfix setup where:

- I have 1 public IP address
- at least 2 domains
- one postfix instance

After setting up (one) domain alias for the IP I experienced a problem when sending mail. Since I have one IP I could set up only one PTR record, which causes problems when the recipient receives mail from the domain which has no PTR (reverse IP lookup results in the domain name which has PTR).

My question: could you recommend postfix and environment setup best practice for this situation?

Any help appreciated.

Regards,
Zoli
Re: postfix setup best practice question
On Thu, 27 Aug 2015 09:53:19 +0200 z...@oper.hu wrote:
> Dear All,
>
> I would like to realize a postfix setup where:
>
> - I have 1 public IP address
> - at least 2 domains
> - one postfix instance
>
> After setting up (one) domain alias for the IP I experienced a problem
> when sending mail. Since I have one IP I could set up only one PTR
> record, which causes problems when the recipient receives mail from the domain
> which has no PTR (reverse IP lookup results in the domain name which has
> PTR).
>
> My question: could you recommend postfix and environment setup best
> practice for this situation?
>
> Any help appreciated.
>
> Regards,
> Zoli

PTR can only map to 1 IP, one PTR for one IP is enough even using multiple domain with postfix.
Re: postfix setup best practice question
On 2015-08-27 10:04, Koko Wijatmoko wrote:
> On Thu, 27 Aug 2015 09:53:19 +0200
> z...@oper.hu wrote:
>
> > Dear All, I would like to realize a postfix setup where: - I have 1 public
> > IP address - at least 2 domains - one postfix instance After setting up (one)
> > domain alias for the IP I experienced a problem when sending mail. Since I
> > have one IP I could set up only one PTR record, which causes problems when
> > the recipient receives mail from the domain which has no PTR (reverse IP lookup
> > results in the domain name which has PTR). My question: could you recommend
> > postfix and environment setup best practice for this situation? Any help
> > appreciated. Regards, Zoli
>
> PTR can only map to 1 IP, one PTR for one IP is enough
> even using multiple domain with postfix.

Sure. I suppose so too, however I got this from a recipient's response:

    : host mail..de[aaa.bbb.ccc.ddd] said: 511-Verification failed for
    511-It appears that the DNS operator for .eu
    511-has installed an invalid MX record with an IP address
    511-instead of a domain name on the right hand side.
    511-ICIR11 - sender's domain not valid
    511 (http://domain.tld/eee.fff.ggg.hhh) (in reply to RCPT TO command)
Re: postfix setup best practice question
On 2015-08-27 Koko Wijatmoko wrote:
> PTR can only map to 1 IP, one PTR for one IP is enough even using
> multiple domain with postfix.

Technically you can have PTR records resolve to multiple names, just like you can have A records resolving to multiple IP Addresses. It's just best practice to restrict PTR records to a single name.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Re: "stopped working"
On Thu, 27 Aug 2015 07:39:48 +0200, Martin Skjöldebrand stated:
> After a lot of head scratching and despair, I *think* I got the
> problem down to sasl authentication didn't authenticate. I can now
> send from one account (this) but not my main address with the same
> settings (w/ change of user/pw naturally). Looking further into this.
>
> /Martin S

I assume you have read: http://www.postfix.org/DEBUG_README.html#mail

Specifically, if the problem is SASL related, consider including the output from the saslfinger tool. This can be found at http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

--
Jerry
Re: postfix setup best practice question
Hi,

On 2015-08-27 10:27, z...@oper.hu wrote:
> On 2015-08-27 10:04, Koko Wijatmoko wrote:
> > On Thu, 27 Aug 2015 09:53:19 +0200 z...@oper.hu wrote:
> > > Dear All, I would like to realize a postfix setup where: - I have 1 public
> > > IP address - at least 2 domains - one postfix instance After setting up (one)
> > > domain alias for the IP I experienced a problem when sending mail. Since I
> > > have one IP I could set up only one PTR record, which causes problems when
> > > the recipient receives mail from the domain which has no PTR (reverse IP lookup
> > > results in the domain name which has PTR). My question: could you recommend
> > > postfix and environment setup best practice for this situation? Any help
> > > appreciated. Regards, Zoli
> >
> > PTR can only map to 1 IP, one PTR for one IP is enough even using
> > multiple domain with postfix.
>
> Sure. I suppose so too, however I got this from a recipient's response:
>
>     : host mail..de[aaa.bbb.ccc.ddd] said: 511-Verification failed for
>     511-It appears that the DNS operator for .eu
>     511-has installed an invalid MX record with an IP address
>     511-instead of a domain name on the right hand side.
>     511-ICIR11 - sender's domain not valid
>     511 (http://domain.tld/eee.fff.ggg.hhh) (in reply to RCPT TO command)

The error is clear from the response: your MX record points to an IP instead of an A record as it should. Fix your DNS.

It would be very helpful not to obfuscate the domain in question so people can check themselves.

- c
Re: "stopped working"
Quoting Postfix User :
> I assume you have read: http://www.postfix.org/DEBUG_README.html#mail
>
> Specifically, if the problem is SASL related, consider including the
> output from the saslfinger tool. This can be found at
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.

Yup, and now it's been fixed and is working again.

/Martin S
Forwarding mail - SPF SRS
Hi,

I have mail forwarders used for SPAM mitigation where the addresses appear on a public web page. With many ISPs using SPF, I'm concerned that it won't be too long before these forwarded messages start to be discarded.

I have read that implementing a Sender Rewriting Scheme may solve this problem, and viewed a couple of tutorials showing 'pfixtools' and 'postsrsd'. At least one of those schemes re-writes the envelope for every received message, which seems overkill to me. Does anyone know if there's a table based way to get cleanup(8) to rewrite on matching the local alias? canonical(5)??

I will be pleased to read of any alternatives, if there are any.

Best regards,
Mick.
Re: Forwarding mail - SPF SRS
On Thu, Aug 27, 2015 at 02:02:36PM +0100, Mick wrote:
> I have
> read that implementing a Sender Rewriting Scheme may solve this problem,
> and viewed a couple of tutorials showing 'pfixtools' and 'postsrsd'. At least
> one of those schemes re-writes the envelope for every received message, which
> seems overkill to me.

That's what needs to be done.

> Does anyone know if there's a table based way to get
> cleanup(8) to rewrite on matching the local alias? canonical(5)??

No. Secure SRS rewriting that does not turn your machine into an open relay is too complex for lookup tables.

--
Viktor.
Re: Forwarding mail - SPF SRS
Viktor Dukhovni:
> On Thu, Aug 27, 2015 at 02:02:36PM +0100, Mick wrote:
>
> > I have
> > read that implementing a Sender Rewriting Scheme may solve this problem,
> > and viewed a couple of tutorials showing 'pfixtools' and 'postsrsd'. At least
> > one of those schemes re-writes the envelope for every received message, which
> > seems overkill to me.
>
> That's what needs to be done.
>
> > Does anyone know if there's a table based way to get
> > cleanup(8) to rewrite on matching the local alias? canonical(5)??
>
> No. Secure SRS rewriting that does not turn your machine into an
> open relay is too complex for lookup tables.

And that is not all. Depending on the original From: domain, receivers that enforce DMARC policy may also require that the original From: header address is replaced with one in the forwarder's domain.

Wietse
Re: Forwarding mail - SPF SRS
On 27/08/2015 14:07, Viktor Dukhovni wrote:
> On Thu, Aug 27, 2015 at 02:02:36PM +0100, Mick wrote:
> > At least one of those schemes re-writes the envelope for every received
> > message, which seems overkill to me.
>
> That's what needs to be done.

Okay. I'm surprised though.

> > Does anyone know if there's a table based way to get cleanup(8) to
> > rewrite on matching the local alias? canonical(5)??
>
> No. Secure SRS rewriting that does not turn your machine into an open
> relay is too complex for lookup tables.

I don't understand how, but I don't doubt your words. Thank you for pointing this fact out.

When choosing, is there anything between the 'pfixtools' and 'postsrsd' methods that you know of that makes one better than the other? If not, I will try 'postsrsd'.

Best regards,
Mick.
Re: Forwarding mail - SPF SRS
On 27/08/2015 14:26, Wietse Venema wrote:
> Viktor Dukhovni:
> > On Thu, Aug 27, 2015 at 02:02:36PM +0100, Mick wrote:
> > > Does anyone know if there's a table based way to get cleanup(8) to
> > > rewrite on matching the local alias? canonical(5)??
> >
> > No. Secure SRS rewriting that does not turn your machine into an open
> > relay is too complex for lookup tables.
>
> And that is not all. Depending on the original From: domain, receivers
> that enforce DMARC policy may also require that the original From: header
> address is replaced with one in the forwarder's domain.

Thanks Wietse.

Mick.

> Wietse
Re: Forwarding mail - SPF SRS
Mick wrote on 2015-08-27 15:02:
> I will be pleased to read of any alternatives, if there are any.

drop sender-id, drop srs

use spf, sign with dkim

monitor dmarc

https://dmarcian.com/

i can only say good things about this domain, it has helped me on track with it all, even for domains that have their own server problems with spf, or servers where i just managed the dns for example.net

if all the above is not possible stop forwarding
Re: Confusion about DANE
On 08/26/2015 09:52 PM, Viktor Dukhovni wrote:
> On Wed, Aug 26, 2015 at 09:43:39PM -0700, Alice Wonder wrote:
>
> > > Furthermore, support for 1->3 mappings might lead users to erroneously
> > > expect 0->2 mappings, but the latter are in fact problematic. So
> > > supporting neither of the potential mappings is simpler and cleaner.
> >
> > Okay, thank you.
> >
> > so 1 [0|1] 1 hash is not incorrect, just useless for opportunistic.
>
> Yes, liable to be treated as "unusable", and thus lead to mere
> unauthenticated TLS (analogous to Postfix "encrypt" security level).
>
> > Is it safe to assume there are not any (current) downsides to using
> > 1 [0|1] 1 hash w/ submission port 587?
>
> Given that there are no MUAs that support DANE, there's no upside either.
>
> As I said before, there is no security advantage to publishing "1 1 1"
> over "3 1 1", unless the latter is prohibited by the application
> protocol. When you think you want to publish "1 1 1", you're likely
> misled by bad advice, and should use "3 1 1" instead.
>
> Note that just because your certificate might be issued by some public
> CA is not reason to use a "1 1 1" TLSA record; certificates issued by
> public CAs (often via "intermediate issuers") are just as compatible
> with "3 1 1" as any other end-entity (leaf) certificate.

Thank you.

I think the root of my confusion may have been that TLSA as written gives the impression (at least to me) that there is value to specifying in the TLSA record that a signed cert is signed, but it seems that nothing implementing DANE actually benefits from that.

Maybe 0 and 1 for the Certificate Usage field should be deprecated in DANE altogether, especially if there ever are plans to move away from Certificate Authorities in the future.
Re: Confusion about DANE
On Thu, Aug 27, 2015 at 12:46:29PM -0700, Alice Wonder wrote:
> Maybe 0 and 1 for the Certificate Usage field should be deprecated in DANE
> altogether, especially if there ever are plans to move away from Certificate
> Authorities in the future.

First win the user base, then win the standards war. It is unwise to invest upfront the enormous political cost of trying to preemptively change the standard before substantial deployment of DANE of whatever variety.

The time to invest precious energy into making such changes would be once DANE-TA(2)/DANE-EE(3) are widely deployed with no discernible or likely deployment of PKIX-TA(0)/PKIX-EE(1).

By all means avoid deploying TLSA records with usages 0/1. You don't need them.

--
Viktor.
Re: Forwarding mail - SPF SRS
Thanks for your reply Benny.

On 27/08/2015 20:19, Benny Pedersen wrote:
> Mick wrote on 2015-08-27 15:02:
> > I will be pleased to read of any alternatives, if there are any.
>
> drop sender-id, drop srs

Dropping sender-id? Do you mean leave MAIL FROM: <> blank, or have I got the wrong end of the stick and you mean modify the message headers? I'm not sure I could, or even if I'd want to do either, but thanks for the suggestion.

I've now installed 'PostSRSd'. Should I be nervous of reverse SRS abuse, or are the cryptographic signature and a time stamp enough to prevent this?

> use spf, sign with dkim

Yes, I use both.

> monitor dmarc
>
> https://dmarcian.com/
>
> i can only say good things about this domain, it has helped me on track
> with it all, even for domains that have their own server problems with
> spf, or servers where i just managed the dns for example.net

Fair that dmarcian.com only charges by the SPF passes and not the failures. They have a free service too, which is definitely good. I've only touched on DMARC and wonder (at the moment) why you would need a service like that? My limited understanding is: you publish a DMARC DNS text record with an email address, then service providers email that address in the event of a rejection? I've probably got that all wrong. Something else to read up on as it's my next project.

> if all the above is not possible stop forwarding

Yes, that is an option that I have considered.

Best Regards,
Mick.
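To illustrate Viktor's point that secure SRS is more than a lookup table, and Mick's question about reverse-SRS abuse, here is an added example (not code from the thread, nor from PostSRSd or pfixtools) of a simplified SRS0 forward/reverse rewrite: a truncated HMAC binds the original address to a day-granularity timestamp, so a bounce to a forged, tampered or stale SRS address is refused instead of being relayed. The secret key, the 21-day window and the addresses are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed: real sites use a long random key
MAX_AGE_DAYS = 21                     # reverse addresses expire after this window
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _today():
    return int(time.time() // 86400)


def _stamp(day):
    # Two base32 characters encoding (days since epoch mod 1024).
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def _sig(secret, ts, domain, local):
    # Truncated HMAC over the timestamp and the original address (case-insensitive).
    msg = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender, forwarder, secret=SECRET, day=None):
    """Rewrite the envelope sender into the forwarder's domain, SRS0 style."""
    local, _, domain = sender.partition("@")
    ts = _stamp(_today() if day is None else day)
    return f"SRS0={_sig(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder}"


def srs_reverse(address, secret=SECRET, day=None):
    """Undo the rewrite for a bounce; None means 'do not relay this'."""
    parts = address.partition("@")[0].split("=", 4)
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None                  # not an SRS0 address at all
    _, sig, ts, domain, orig_local = parts
    if not hmac.compare_digest(sig, _sig(secret, ts, domain, orig_local)):
        return None                  # signature mismatch: forged or tampered
    try:
        stamp = (BASE32.index(ts[0].upper()) << 5) | BASE32.index(ts[1].upper())
    except (ValueError, IndexError):
        return None                  # malformed timestamp
    today = _today() if day is None else day
    if (today - stamp) % 1024 > MAX_AGE_DAYS:
        return None                  # stale address replayed after the window
    return f"{orig_local}@{domain}"
```

Because the signature covers the timestamp and the original address, neither can be altered without the key, which is exactly what a static canonical(5) table cannot enforce.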