Re: ADVICE: Best Practice - Usernames with Domain components

2020-05-27 Thread Nick Piggott
Hi,

I'm not able to suppress the DOMAIN element of the username part on *this*
machine.

All the machines in the AD have a directive in their /etc/samba/smb.conf
file
winbind use default domain = yes
however this doesn't work on this machine acting as the AD-DC, and looking
at the Samba mailing lists, this is by design, and unlikely to change. It
does work on the workstations (where users are just shown as their
username).

So one "workaround" would be to work out how to suppress the DOMAIN through
Samba / Winbind on this machine. But I have not been able to achieve that
at all, so that's why I'm looking to fix it around postfix.

Nick


On Tue, 26 May 2020 at 13:49, mj  wrote:

> Hi,
>
> I have read your mail, and we're using a setup similar to yours (samba,
> postfix, debian) and we're using 'regular' usernames, without the domain
> prefix.
>
> Sometimes, but only in windows, we specify a domain name to make clear
> to windows that we mean the DOMAIN account username, and not a local
> account, or DOMAINB\username.
>
> But in common practise, we never login anywhere with DOMAIN\username
>
> And we also never have the issues you are describing, and no need for
> mappings of any kind.
>
> Are you *sure* you need your usernames in that format?
>
> MJ
>
>
> On 26/05/2020 13:50, Nick Piggott wrote:
> > Hello,
> >
> > Here's my setup:
> > * Ubuntu 18.04 LTS
> > * Postfix 3.3.0
> > * Mailutils 3.4
> > * Samba 4.7.6
> > * Active Directory (provided by Samba)
> >
> > My usernames are of the format:
> > * DOMAIN\username
> >
> > I can separately maintain a list of mappings between DOMAIN\username
> > and username.
> >
> > Here are the problems I'm looking to solve appropriately:
> > * mail - sends the origination user as "DOMAIN\username", which
> > postfix provides onto the destination mail exchanger, which rejects it
> > as being an incorrect format
> > * postfix - is configured with:
> > local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> > which flattens the return address to "domain\username", and creates a
> > mailbox in /var/mail as "domain\username". When the user types "mail"
> > to read their email, it opens "DOMAIN\username", so they never see
> > their newly received messages.
> >
> > Things I have tried:
> > * Using
> > sender_canonical_maps = hash:\etc\postfix\sender_canonical
> > to change a specific DOMAIN\username to username. It didn't work,
> > although I could see it parsing sender_canonical.db when sending. The
> > exact line was
> > DOMAIN\\username : username
> > Postfix still provided "DOMAIN\username" as the originator to the
> > destination mail exchanger.
> > * Using
> > recipient_canonical_maps = hash:\etc\postfix\recipient_canonical
> > to convert a specific username back to DOMAIN\username. That failed
> > because the output is still casefolded to domain\username before
> > writing to the mailbox file.
> >
> > Questions:
> > * Am I trying the right approach to rewriting the originating email
> > address from DOMAIN\username to username? What am I potentially
> > missing to get it working?
> > * As postfix will always fold the return address to lowercase (because
> > of the local_recipient_maps filter), should I just softlink together
> > the mailbox files DOMAIN\username and domain\username in /var/mail, or
> > is there a solution I can put into postfix to revert back to
> > DOMAIN\username before outputting to the mail file?
> >
> > Thanks in advance,
> >
>


-- 
Nick


Re: milter after queue

2020-05-27 Thread Matus UHLAR - fantomas

On 08.05.20 05:11, NBNabble wrote:
> Hi Wietse,

I am not Wietse but I hope it won't distract you.

> I have a question to your hint using a null SMTP based listener.
>
> I am Using Ciphermail as an encryption gateway.
> Pre-Queue mails are sent to an external milter for Spam/Virus Checks.
> After that, post-queue, the encryption gateway is a content_filter.
>
> I am looking for a solution to resend the mails to the milter again, after
> the first content filter.
> So in case there is malware in a decrypted mail, I also get that.
>
> Do you have any idea, how I could recheck the mails again with the milter?
> Post queue?

Milter is an SMTP-level option.
However, if you need to check something again, your decryption gateway can
return mail on an IP:port where milter will run too.

Note that you must take care of what happens if the second milter
rejects the mail - what will the decryption gateway do.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
I intend to live forever - so far so good.


Re: ADVICE: Best Practice - Usernames with Domain components

2020-05-27 Thread mj

Hi,

So, do I understand correctly that you are running postfix/mailutils etc 
directly on your ADDC, and you are using 'local' (=winbind) users?


Then probably I would change that: not use local users, but make 
everything mail-related talk to ldap only, and don't use local users.


Also...perhaps consider running it on a separate machine. (perhaps even 
a VM on your samba ADDC)


MJ

On 5/27/20 12:40 PM, Nick Piggott wrote:
> Hi,
>
> I'm not able to suppress the DOMAIN element of the username part on
> *this* machine.
>
> All the machines in the AD have a directive in their /etc/samba/smb.conf
> file
> winbind use default domain = yes
> however this doesn't work on this machine acting as the AD-DC, and
> looking at the Samba mailing lists, this is by design, and unlikely to
> change. It does work on the workstations (where users are just shown as
> their username).
>
> So one "workaround" would be to work out how to suppress the DOMAIN
> through Samba / Winbind on this machine. But I have not been able to
> achieve that at all, so that's why I'm looking to fix it around postfix.
>
> Nick
>
> On Tue, 26 May 2020 at 13:49, mj wrote:
>
> > Hi,
> >
> > I have read your mail, and we're using a setup similar to yours (samba,
> > postfix, debian) and we're using 'regular' usernames, without the
> > domain prefix.
> >
> > Sometimes, but only in windows, we specify a domain name to make clear
> > to windows that we mean the DOMAIN account username, and not a local
> > account, or DOMAINB\username.
> >
> > But in common practise, we never login anywhere with DOMAIN\username
> >
> > And we also never have the issues you are describing, and no need for
> > mappings of any kind.
> >
> > Are you *sure* you need your usernames in that format?
> >
> > MJ
> >
> > On 26/05/2020 13:50, Nick Piggott wrote:
> > > Hello,
> > >
> > > Here's my setup:
> > > * Ubuntu 18.04 LTS
> > > * Postfix 3.3.0
> > > * Mailutils 3.4
> > > * Samba 4.7.6
> > > * Active Directory (provided by Samba)
> > >
> > > My usernames are of the format:
> > > * DOMAIN\username
> > >
> > > I can separately maintain a list of mappings between DOMAIN\username
> > > and username.
> > >
> > > Here are the problems I'm looking to solve appropriately:
> > > * mail - sends the origination user as "DOMAIN\username", which
> > > postfix provides onto the destination mail exchanger, which rejects it
> > > as being an incorrect format
> > > * postfix - is configured with:
> > > local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> > > which flattens the return address to "domain\username", and creates a
> > > mailbox in /var/mail as "domain\username". When the user types "mail"
> > > to read their email, it opens "DOMAIN\username", so they never see
> > > their newly received messages.
> > >
> > > Things I have tried:
> > > * Using
> > > sender_canonical_maps = hash:\etc\postfix\sender_canonical
> > > to change a specific DOMAIN\username to username. It didn't work,
> > > although I could see it parsing sender_canonical.db when sending. The
> > > exact line was
> > > DOMAIN\\username : username
> > > Postfix still provided "DOMAIN\username" as the originator to the
> > > destination mail exchanger.
> > > * Using
> > > recipient_canonical_maps = hash:\etc\postfix\recipient_canonical
> > > to convert a specific username back to DOMAIN\username. That failed
> > > because the output is still casefolded to domain\username before
> > > writing to the mailbox file.
> > >
> > > Questions:
> > > * Am I trying the right approach to rewriting the originating email
> > > address from DOMAIN\username to username? What am I potentially
> > > missing to get it working?
> > > * As postfix will always fold the return address to lowercase (because
> > > of the local_recipient_maps filter), should I just softlink together
> > > the mailbox files DOMAIN\username and domain\username in /var/mail, or
> > > is there a solution I can put into postfix to revert back to
> > > DOMAIN\username before outputting to the mail file?
> > >
> > > Thanks in advance,
> > >
>
> --
> Nick


discard(8) in a virtual mailbox environment

2020-05-27 Thread Laura Smith
Hi,

Is it somehow possible to make use of discard(8) to /dev/null certain 
addresses in a virtual mailbox setup (e.g. virtual_alias_maps etc.)?  Or can 
discard(8) only be applied to "real" recipients?

Thanks


Re: Expressing noreply email technically and to recipients

2020-05-27 Thread @lbutlr
On 25 May 2020, at 11:47, Thomas  wrote:
> OK, I use now unknown user NOREPLY
> NOREPLY 

As I said, use a valid domain THAT YOU CONTROL.

Do not create a fake address with someone else's domain. Do not use 
mydomain.com because you neither own nor control mydomain.com and do not use 
mydomain.com as a substitute for example.com because, again, you neither own 
nor control mydomain.com. Do not think that "mydomain.com is obviously fake" 
because it is not, it is a valid domain and has been for 25 years.




-- 
"Are you pondering what I'm pondering?"
"Uh, I think so, Brain, but we'll never get a monkey to use dental
floss."




Re: Uninstalling postgrey

2020-05-27 Thread @lbutlr
On 24 May 2020, at 19:04, Ian Evans  wrote:
> Based on another thread here, I want to move to using postscreen/postwhite 
> and ditch postgrey.
> 
> Just want to make sure I don't bungle stopping postgrey. 
> 
> So...
> 
> - edit main.cf and remove "check_policy_service inet:127.0.0.1:10023" from 
> smtpd_recipient_restrictions.

Comment it out.

And don't forget to comment out the corresponding section in master.cf

> - restart Postfix 

That will do it.

> - purge the postgrey package. 

Eventually. Don't need to rush.

> Then go about getting postscreen working. 

As others have said, I'd do that first. But it's really just a few lines.

These are my settings, -ish.

postscreen_access_list = cidr:$config_directory/postscreen_access.cidr

# Maybe start with warn if you're worried
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = 
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 1d
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = mail.covisp.net ESTMP -- Please wait
postscreen_greet_wait = 11s

I've settled on 11s, but you should probably not set postscreen_greet_wait 
unless you need to as the default is there for a reason. I found for my server 
11s cut off a lot more mail, and I haven’t noticed missing anything I want.

Default:
postscreen_greet_wait = ${stress?{2}:{6}}s

The most complicated part is setting up and scoring the rbls, though searching 
the list archives for 'postscreen_dnsbl_sites' will find you some settings 
other people use and you can start from there. Be sure and check the specific 
RBLS to be sure that they allow open access and that they still exist. Zen is 
very popular and in my opinion the best one out there, but you need to pay for 
commercial access.



-- 
You'd be a very high-level X-Men like Emma Frost's Diamond Form.




Re: Postfix -> Whatapp

2020-05-27 Thread @lbutlr
On 26 May 2020, at 13:24, J Doe  wrote:
> You may want to investigate doing this at the MDA.  If you run Dovecot in 
> conjunction with Postfix, you could write a Sieve script that calls a shell 
> script that then sends the notification to whatever third-party service you 
> would like.

I used to do this with procmail to send notifications on important mails via an 
SMS gateway. For a time I was also able to post alerts to a private twitter 
account. That no longer seems to work (but I also haven’t investigated why or 
if I can fix it as the need passed).

But it *is* outside the scope of postfix-users.



-- 
The hippo of recollection stirred in the muddy waters of the mind.




Different smtp gateway for domain

2020-05-27 Thread Matteo Cazzador
Hi everybody, I need to set up a different SMTP gateway for each virtual 
domain on the same server.


I have 3 virtual domains hosted on the server: example1.com, example2.com, 
example3.com.


I need to set up a different SMTP gateway for every domain.

I use a transport file like:

example1.com     smtp:gw1.gateway.com

example2.com     smtp:gw2.gateway.com

example3.com     smtp:gw3.gateway.com

then I use "postmap transport".

But when I send an email from any hosted domain (example1.com, 
example2.com, example3.com), Postfix does not seem to use the transport 
condition.


It always sends mail with the local SMTP Postfix server.

Can someone help me, please?

Thanks

--

Respect the environment: if you don't need to, don't print this email.


The information contained in this e-mail and in any attached files
is intended solely for its recipients
and is to be considered strictly confidential.
It is forbidden to copy, save, use, forward to third parties or disseminate
the content of this message without prior consent, pursuant to
Article 616 of the Criminal Code and Law no. 196/2003.
If you have received this message in error, please notify
the sender address immediately and delete its content
without any further or different processing.


**
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: mat...@netlite.it
Web: http://www.netlite.it
**



Re: Preferred/maintained greylisting options?

2020-05-27 Thread @lbutlr
On 26 May 2020, at 15:11, Marvin Renich  wrote:
> However, when I first set up greylisting on my family email server (it
> was exim way back then, but has long been postfix), I set it up so that
> all incoming mail was sent through spamassassin _during_ SMTP, prior to
> accept or reject.  Mail with a high enough spam score was rejected
> outright.  I then used greylisting _only_ for email whose spamassassin
> score was considered spam, but not high enough to reject outright.

This method can work, but for me anymore the zone between accept mail that 
might be spam and reject during SMTP has narrowed considerably over the years 
(anything over 5.0 in SA gets tagged as spam and anything over 7.0 gets 
rejected outright), so this is not that useful anymore.

And, somehow banks seemed to frequently send messages that appeared spammy 
(much less of a problem now), so it was not rare to see a bank mail hitting a 
score that was high enough to kick in the greylist and then the banks would 
never retry.


-- 
Can I tell you the truth? I mean this isn't like TV news, is it?




Re: Different smtp gateway for domain

2020-05-27 Thread @lbutlr
On 27 May 2020, at 09:53, Matteo Cazzador  wrote:
> 
> example1.com smtp:gw1.gateway.com
> example2.com smtp:gw2.gateway.com
> example3.com smtp:gw3.gateway.com
> 
> then I use "postmap transport".

And then you reload postfix?



-- 
"The sad thing about true stupidity is that you can do absolutely
nothing about it." -- Mr Bartlett




Re: Different smtp gateway for domain

2020-05-27 Thread Matteo Cazzador

Hi, yes, I restart it after executing postmap.


On 27/05/2020 18:10, @lbutlr wrote:
> On 27 May 2020, at 09:53, Matteo Cazzador wrote:
> >
> > example1.com smtp:gw1.gateway.com
> > example2.com smtp:gw2.gateway.com
> > example3.com smtp:gw3.gateway.com
> >
> > then I use "postmap transport".
>
> And then you reload postfix?







Re: Different smtp gateway for domain

2020-05-27 Thread Dima Veselov

Hi,

There is some misunderstanding in your setup. If you host 3 domains
then you will rather want to send mails FROM these domains into the outer
world through different gateways. But your transport maps work when
Postfix works with mail TO these domains.

If I am right you should remove transport map and add 
sender_dependent_relayhost_maps = hash:/usr/pkg/etc/postfix/bysender

to main.cf, create bysender like:
@example1.com smtp:gw1.gateway.com
@example2.com smtp:gw2.gateway.com
@example3.com smtp:gw3.gateway.com

run postmap /usr/pkg/etc/postfix/bysender
and reload postfix

On Wed, May 27, 2020 at 06:13:46PM +0200, Matteo Cazzador wrote:

> example1.com smtp:gw1.gateway.com
> example2.com smtp:gw2.gateway.com
> example3.com smtp:gw3.gateway.com
>
> then I use "postmap transport".


--
Sincerely yours,
Dima Veselov
Physics R&D Establishment of Saint-Petersburg University


Re: ADVICE: Best Practice - Usernames with Domain components

2020-05-27 Thread Matteo Cazzador

Thanks Dima, I made some changes to your suggestion:

I use

"sender_dependent_default_transport_maps"

and not

"sender_dependent_relayhost_maps"


#Main.cf part

sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay

#sender_relay content

@example1.com smtp:[gw1.gateway.com]


Thanks a lot.


On 26/05/2020 14:49, mj wrote:
> Hi,
>
> There is some misunderstanding in your setup. If you host 3 domains
> then you will rather want to send mails FROM these domains into the outer
> world through different gateways. But your transport maps work when
> Postfix works with mail TO these domains.
>
> If I am right you should remove transport map and add
> sender_dependent_relayhost_maps = hash:/usr/pkg/etc/postfix/bysender
>
> to main.cf, create bysender like:
> @example1.com smtp:gw1.gateway.com
> @example2.com smtp:gw2.gateway.com
> @example3.com smtp:gw3.gateway.com
>
> run postmap /usr/pkg/etc/postfix/bysender
> and reload postfix
>
> On Wed, May 27, 2020 at 06:13:46PM +0200, Matteo Cazzador wrote:
>
> > example1.com smtp:gw1.gateway.com
> > example2.com smtp:gw2.gateway.com
> > example3.com smtp:gw3.gateway.com
> >
> > then I use "postmap transport".



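
The three lookup tables discussed in this thread, side by side, as an added example that is not part of the original posts. The gateway names and map paths are the ones used in the thread; the comments describe standard Postfix behaviour, and options A and B are alternatives, not meant to be combined.

```conf
# transport_maps is searched by RECIPIENT address or domain.
# An entry like this routes mail addressed TO example1.com; it has no
# effect on mail sent FROM example1.com to the outside world.
#   example1.com     smtp:[gw1.gateway.com]

# --- Option A: per-sender relayhost --------------------------------------
# /etc/postfix/main.cf
sender_dependent_relayhost_maps = hash:/usr/pkg/etc/postfix/bysender

# /usr/pkg/etc/postfix/bysender
# Searched by envelope SENDER address, then @domain.
# The value uses relayhost syntax: a bare next hop, no "transport:" prefix.
# Square brackets suppress the MX lookup on the gateway name.
@example1.com    [gw1.gateway.com]
@example2.com    [gw2.gateway.com]
@example3.com    [gw3.gateway.com]

# --- Option B: per-sender default transport -------------------------------
# /etc/postfix/main.cf
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay

# /etc/postfix/sender_relay
# Also searched by envelope SENDER, but the value is transport:nexthop.
@example1.com    smtp:[gw1.gateway.com]
@example2.com    smtp:[gw2.gateway.com]
@example3.com    smtp:[gw3.gateway.com]

# Rebuild the table and check that a key resolves before reloading:
#   postmap /etc/postfix/sender_relay
#   postmap -q "@example1.com" hash:/etc/postfix/sender_relay
#   postfix reload
```

Both sender-dependent tables only override the route for mail that would otherwise follow relayhost or default_transport, so mail for domains the server itself hosts is still delivered locally.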



Multiple ssl certs for virtual domain server

2020-05-27 Thread Matteo Cazzador
Hi everybody, I have another question about Postfix virtual domain server 
and multiple SSL certs.


My virtual Postfix server has one public IP.

My Postfix version is 3.4.10 (on virtualmin setup)

Is it possible to configure Postfix to manage multiple SSL certs for 
SSL/TLS with only one public IP address?


Something like

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem

but every virtual domain with its own SSL certs?

Thanks a lot.




Re: Multiple ssl certs for virtual domain server

2020-05-27 Thread Viktor Dukhovni
On Wed, May 27, 2020 at 09:20:10PM +0200, Matteo Cazzador wrote:

> Hi everybody, I have another question about Postfix virtual domain server 
> and multiple SSL certs.
> 
> My virtual postfix server has one public ip.
> 
> My postfix version is  3.4.10 (on virtualmin setup)
> 
> Is it possible to configure postfix to manage multiple ssl certs for 
> ssl/tls with only one public ip address?

Yes, as of Postfix 3.4, however, just because it is possible, does not
make it a good idea.  If *at all* possible, at least for port 25, use a
MX indirection rather than virtual hosting:

example.org. IN MX 0 smtp.example.org.
example.net. IN MX 0 smtp.example.org.
example.edu. IN MX 0 smtp.example.org.
smtp.example.org. IN A 192.0.2.1

rather than:

example.org. IN MX 0 smtp.example.org.
example.net. IN MX 0 smtp.example.net.
example.edu. IN MX 0 smtp.example.edu.
smtp.example.org. IN A 192.0.2.1
smtp.example.net. IN A 192.0.2.1
smtp.example.edu. IN A 192.0.2.1

> Something like
> 
> smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
> smtpd_tls_key_file = /etc/postfix/postfix.key.pem
> 
> but every virtual domain with its own SSL certs?

http://www.postfix.org/postconf.5.html#tls_server_sni_maps

So, yes possible, but avoid at all costs.  Only necessary on port 587 for
submission if you must support mail clients that have per-domain SMTP
server settings and the hosting of the submission service moves around
from time to time.

-- 
Viktor.
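
The two layouts Viktor contrasts, written out as configuration. This is an added example, not part of the original message: the host names come from the DNS records above, while the map file name and the per-domain key and chain paths are assumptions.

```conf
# --- Preferred for port 25: MX indirection --------------------------------
# Every hosted domain's MX points at smtp.example.org, so clients only ever
# verify that one name. A single certificate is enough, no SNI involved.
# /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file  = /etc/postfix/postfix.key.pem

# --- Per-domain certificates via SNI (Postfix 3.4 and later) --------------
# /etc/postfix/main.cf
# The default certificate above is still served when the client sends no
# SNI name or the name has no entry in the table.
tls_server_sni_maps = hash:/etc/postfix/sni_maps

# /etc/postfix/sni_maps        (file name and paths are assumptions)
# Key:   the SNI name sent by the client, or a parent domain written
#        with a leading dot.
# Value: PEM files, private key first, followed by its certificate chain.
smtp.example.org  /etc/postfix/tls/example.org.key.pem  /etc/postfix/tls/example.org.chain.pem
smtp.example.net  /etc/postfix/tls/example.net.key.pem  /etc/postfix/tls/example.net.chain.pem
smtp.example.edu  /etc/postfix/tls/example.edu.key.pem  /etc/postfix/tls/example.edu.chain.pem

# Build the table with -F so that the *contents* of the PEM files are
# stored in the map rather than their names:
#   postmap -F hash:/etc/postfix/sni_maps
#
# The resulting sni_maps.db therefore contains the private keys: keep it
# readable by root only, and re-run postmap -F after every certificate
# renewal, because the table holds a copy and not a reference.
```

The renewal step is the operational cost behind the advice to avoid this setup: each hosted name adds a key that has to be rotated and a table that has to be rebuilt in step with it.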


Re: Multiple ssl certs for virtual domain server

2020-05-27 Thread Matteo Cazzador

Thanks a lot.

On 27/05/2020 21:45, Viktor Dukhovni wrote:

> On Wed, May 27, 2020 at 09:20:10PM +0200, Matteo Cazzador wrote:
>
> > Hi everybody, I have another question about Postfix virtual domain server
> > and multiple SSL certs.
> >
> > My virtual Postfix server has one public IP.
> >
> > My Postfix version is 3.4.10 (on virtualmin setup)
> >
> > Is it possible to configure Postfix to manage multiple SSL certs for
> > SSL/TLS with only one public IP address?
>
> Yes, as of Postfix 3.4, however, just because it is possible, does not
> make it a good idea.  If *at all* possible, at least for port 25, use a
> MX indirection rather than virtual hosting:
>
>  example.org. IN MX 0 smtp.example.org.
>  example.net. IN MX 0 smtp.example.org.
>  example.edu. IN MX 0 smtp.example.org.
>  smtp.example.org. IN A 192.0.2.1
>
> rather than:
>
>  example.org. IN MX 0 smtp.example.org.
>  example.net. IN MX 0 smtp.example.net.
>  example.edu. IN MX 0 smtp.example.edu.
>  smtp.example.org. IN A 192.0.2.1
>  smtp.example.net. IN A 192.0.2.1
>  smtp.example.edu. IN A 192.0.2.1
>
> > Something like
> >
> > smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
> > smtpd_tls_key_file = /etc/postfix/postfix.key.pem
> >
> > but every virtual domain with its own SSL certs?
>
> https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.postfix.org%2Fpostconf.5.html%23tls_server_sni_maps&e=9aacaa7d&h=6f763e90&f=y&p=y
>
> So, yes possible, but avoid at all costs.  Only necessary on port 587 for
> submission if you must support mail clients that have per-domain SMTP
> server settings and the hosting of the submission service moves around
> from time to time.





Relationship between relay and transport

2020-05-27 Thread Scott A. Wozny
I’m trying to get a better understanding of the relationship between relay and 
transport.


In the standard config on an email gateway in 
(http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall) the 
proposed config has relay_domains set for example.com and transport_maps set to 
a hash with example.com using smtp:[inside-gateway.example.com]. My question 
is, how is this functionally different from setting relayhost to 
[inside-gateway.example.com]? Are transport maps used to replace relayhost when 
more granularity is needed? And how does this configuration indicate that 
outbound email should be delivered directly? Just that it’s not in the 
relay_domains list? If I wanted email to my domain to go to an internal 
gateway and email to the outside world to be delivered directly, is it the lack 
of a * entry in the transport_maps hash file that tells the server to look up 
the MX record and start attempting deliveries to those servers?


I’m sorry for such n00b questions. I thought I knew a fair bit about SMTP but 
with SO many parameters I feel like I’m suffering an information overload 
nervous breakdown trying to figure out how to set up my environment.


Thanks,


Scott



Re: Uninstalling postgrey

2020-05-27 Thread Ian Evans
On Wed, May 27, 2020, 11:44 AM @lbutlr,  wrote:

> On 24 May 2020, at 19:04, Ian Evans  wrote:
> > Based on another thread here, I want to move to using
> > postscreen/postwhite and ditch postgrey.
> >
> > Just want to make sure I don't bungle stopping postgrey.
> >
> > So...
> >
> > - edit main.cf and remove "check_policy_service inet:127.0.0.1:10023"
> > from smtpd_recipient_restrictions.
>
> Comment it out.
>
> And don't forget to comment out the corresponding section in master.cf
>
> > - restart Postfix
>
> That will do it.
>
> > - purge the postgrey package.
>
> Eventually. Don't need to rush.
>
> > Then go about getting postscreen working.
>
> As others have said, I'd do that first. But it's really just a few lines.
>
> These are my settings, -ish.
>
> postscreen_access_list = cidr:$config_directory/postscreen_access.cidr
>
> # Maybe start with warn if you're worried
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = 
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_ttl = 1d
> postscreen_dnsbl_whitelist_threshold = -1
> postscreen_greet_action = enforce
> postscreen_greet_banner = mail.covisp.net ESTMP -- Please wait
> postscreen_greet_wait = 11s
>
> I've settled on 11s, but you should probably not set postscreen_greet_wait
> unless you need to as the default is there for a reason. I found for my
> server 11s cut off a lot more mail, and I haven’t noticed missing anything
> I want.
>
> Default:
> postscreen_greet_wait = ${stress?{2}:{6}}s
>
> The most complicated part is setting up and scoring the rbls, though
> searching the list archives for 'postscreen_dnsbl_sites' will find you some
> settings other people use and you can start from there. Be sure and check
> the specific RBLS to be sure that they allow open access and that they
> still exist. Zen is very popular and in my opinion the best one out there,
> but you need to pay for commercial access.
>

Thanks for the further suggestions.