Re: Outlook.com Max Connections

2020-10-13 Thread Tom Sommer



On 2020-09-01 00:28, @lbutlr wrote:

On 31 Aug 2020, at 10:08, Greg Sims  wrote:

  (1) continue to ignore the MaxConnection Messages/Deferrals
  (2) reduce the number of processes per transport to 1
  (3) reduce the number of outlook transports to 2


4) add a footer to mails going to outlook along the lines of
:"messages to outlook users may be delayed because outlook.com is a
garbage service."

I kid.

Sort of.


Truth


Re: Outlook.com Max Connections

2020-10-13 Thread Tom Sommer




On 2020-08-22 22:35, Wietse Venema wrote:

Wietse Venema:

Greg Sims:
> sender_dependent_default_transport_maps = randmap:{r235,r236,r237,r238}
>
> selects transports at random for delivering email.  Is it possible to
> schedule a set of transports using a round-robin discipline? This

man 5 tcp_table
man 5 socketmap_table

and implement a server that responds in round-robin order.


However, if you want to limit the number of connections for each
Postfix SMTP client IP address, set the right process limit
in master.cf for those SMTP clients, and do "postfix reload".


The process limit would be an overall limit on the transport?

Is there a way to limit the number of concurrent connections for each 
destination IP?


---
Tom


Mail server without MX record.

2020-10-13 Thread Jason Long
Hello,
Can I use Postfix without MX record? I installed Postfix and Dovecot via 
"https://wiki.centos.org/HowTos/postfix" tutorial and I want to know can I use 
it without MX record?

Thank you.


Re: PostFix not working after update

2020-10-13 Thread Paul Lauzon
Thanks for the help.

I have kept Postfix and many other services disabled at power-up since last
year and it works well for me that way.  I did that last year after I got
DDOS and spammed tons of mail with virus attachments and my server was so
overwhelmed that I could not use it for days and even login with putty took
several hours trying.  By starting my server with only the basic services,
when the DDOS/spam happens, I can just request a server reboot and I can
login easily and start the services after I am done.

I did not do these yet:
> postconf compatibility_level=2
> postfix reload

This is what I have in my master.cf file:
# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes

So that '-' would be what created the issue perhaps?   If so, is it better
to run postfix using chroot = yes since this is the new default?  I would
have to find a tutorial on how to reinstall it properly that way I guess.
Or I could just put a 'no' there but it would make it less secure?  I
prefer the most secure option.

For systemd (funny: abandon all hope, ye who enter), I would hope that a
'disabled' service is not considered 'uninstalled' so that when I updated
my certificates using "Let's Encrypt" it did not update the Postfix
certificates.  But any automation is a very good way to screw-up...  Just
like my update did.

On Mon, Oct 12, 2020 at 7:09 PM Bob Proulx  wrote:

> Paul Lauzon wrote:
> > PostFix does not seem to work anymore.
>
> There are an infinite number of ways for something to fail but only
> exactly one correct way for it to work.
>
> In addition to the other comments I see this:
>
> > # service postfix status
> > ● postfix.service - Postfix Mail Transport Agent
> >   Loaded: loaded (/lib/systemd/system/postfix.service; disabled;
> vendor preset: enabled)
>
> Why is it disabled?  Is that the problem?  That it is not running?  Try
> enabling it.
> Since you are running systemd the systemd way to enable it is:
>
> systemctl enable postfix.service
>
> >Oct  9 05:35:00 ...: Postfix is running with backwards-compatible
> default settings
> >Oct  9 05:35:00 ...: See
> http://www.postfix.org/COMPATIBILITY_README.html for details
> >Oct  9 05:35:00 ...: To disable backwards compatibility use "postconf
> compatibility_level=2" and "postfix reload"
>
> The above might be a notification of a change but it is not going to
> be "the problem" you are chasing down.  I see you updated it with the
> following but I would have recommended to ignore it for the moment.
>
> > Do I really need to do these?
> >postconf compatibility_level=2
> >postfix reload
>
> Before doing this I would have asked what was the state of field 5 in
> the master.cf file.  If it is 'y' or 'n' then the above will not
> change anything.  But if it is '-' then note that the default changed
> from "no" previously to "yes" now in the newer version.  Running the
> above switches to using the new "yes" default instead of the previous
> "no" default.
>
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #   (yes)   (yes)   (yes)   (never) (100)
> #
> ==
> smtp   inet  n   -   y   -   -   smtpd
>
> >Oct  9 05:35:04 ...: warning: symlink leaves directory:
> /etc/postfix/./makedefs.out
> >Oct  9 05:35:04 ...: warning:
> /var/spool/postfix/etc/ssl/certs/ca-certificates.crt and
> /etc/ssl/certs/ca-certificates.crt differ
> >Oct  9 05:35:05 ...: warning:
> /var/spool/postfix/lib/i386-linux-gnu/libnss_systemd.so.2 and
> /lib/i386-linux-gnu/libnss_systemd.so.2 differ
> >Oct  9 05:35:05 ...: postfix/postqueue[...]: warning: Mail system is
> down -- accessing queue directly
>
> The theory goes that in Debian when the init script starts it runs a
> helper script /usr/lib/postfix/configure-instance.sh which will update
> all files that are needed for running inside the chroot.  If those
> files are out of sync then that is an indication that the init did not
> run that script and therefore did not run correctly.  Since you are
> running systemd (Lasciate ogne speranza, voi ch'intrate.) then the
> start process would be something like this.
>
> systemctl is-enabled postfix.service
> systemctl enable postfix.service
> systemctl start postfix.service
> systemctl status postfix.service
>
> Note that in the systemd architecture systemctl isn't the process that
> does the starting.  It simply sends a message to the running systemd.
> Therefore it never reports on the status of any action.  One must
> always remember to follow any action with a status request in order to
> know the success

Re: Mail server without MX record.

2020-10-13 Thread A. Schulze



Am 13.10.20 um 14:09 schrieb Jason Long:
> I want to know can I use it without MX record?
A records are used by default if no MX is available
That's nothing postfix specific - it's an RFC requirement for any MTA

Andreas


Re: Mail server without MX record.

2020-10-13 Thread Richard



> Date: Tuesday, October 13, 2020 12:09:28 +
> From: Jason Long 
>
> Hello,
> Can I use Postfix without MX record? I installed Postfix
> and Dovecot via "https://wiki.centos.org/HowTos/postfix" tutorial
> and I want to know can I use it without MX record?

Yes. Some mail sites, incorrectly, think that one has to have an
MX-record for a site to be legit, but major ones know better. An
MX-record is related to inbound routing/deliverability, and not
specific to the MTA one is using.

You do need an A-, and for successful outbound deliverability, a
matching Rdns record. As noted in an earlier message chain, there is
a list of other things, e.g., SPF, DKIM, DMARC records, etc., that
will help in deliverability.

By the way, the documentation that you pointed to specifies that it
is written for Centos-5. As Centos-6 is EOL next month, C5 and
earlier are already EOL. So you should be using at least Centos-7,
and relevant documentation. Something in one of your messages
yesterday indicated that you were likely using Centos-6 or earlier.




Re: Mail server without MX record.

2020-10-13 Thread Wietse Venema
Jason Long:
> Hello,
> Can I use Postfix without MX record? I installed Postfix and Dovecot
> via "https://wiki.centos.org/HowTos/postfix" tutorial and I want
> to know can I use it without MX record?

The SMTP standard (RFC 2821) does not *require* MX records. Some
uninformed mail operators may require one, but those are rare.

Wietse


Re: Mail server without MX record.

2020-10-13 Thread Bill Cole

On 13 Oct 2020, at 8:09, Jason Long wrote:


Hello,
Can I use Postfix without MX record? I installed Postfix and Dovecot 
via "https://wiki.centos.org/HowTos/postfix" tutorial and I want to 
know can I use it without MX record?


That is entirely dependent on what you intend to use Postfix for.

If you have a domain name for which you want to receive mail directly 
from the world at large, it must have either an A record that resolves 
to the address of your Postfix server or a MX record that points to a 
name that has an A record that resolves to the address of your Postfix 
server.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Mail server without MX record.

2020-10-13 Thread Jason Long
Thank you for all of your messages.
With that tutorial, which record or port is needed? 






On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema 
 wrote: 





Jason Long:

> Hello,
> Can I use Postfix without MX record? I installed Postfix and Dovecot
> via "https://wiki.centos.org/HowTos/postfix" tutorial and I want
> to know can I use it without MX record?


The SMTP standard (RFC 2821) does not *require* MX records. Some
uninformed mail operators may require one, but those are rare.

    Wietse



Re: Mail server without MX record.

2020-10-13 Thread IL Ka
What are you trying to achieve?

There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website ability
to send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via
smart host (SMTP server of your provider). Some people run it on their
laptops.
* Email hosting: users send and receive emails with your Postfix (as they
do with Gmail, for example)
etc

It is important to choose a scenario, because if you only need to send
emails from your website, then you do not need dovecot nor MX record and
you even do not need to listen for incoming connections to the public port,
but you may need DKIM and SPF.

In the "forward only via smart host" scenario you need almost nothing: no
MX, no SPF/DKIM, no public port.
If you want to receive emails, then having an MX record is a good idea.
You would also need to listen public port for incoming connections, and may
be one more port for clients (465 or 587)






On Tue, Oct 13, 2020 at 5:19 PM Jason Long  wrote:

> Thank you for all of your messages.
> With that tutorial, which record or port is needed?
>
>
>
>
>
>
> On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema <
> wie...@porcupine.org> wrote:
>
>
>
>
>
> Jason Long:
>
> > Hello,
> > Can I use Postfix without MX record? I installed Postfix and Dovecot
> > via "https://wiki.centos.org/HowTos/postfix" tutorial and I want
> > to know can I use it without MX record?
>
>
> The SMTP standard (RFC 2821) does not *require* MX records. Some
> uninformed mail operators may require one, but those are rare.
>
> Wietse
>
>


Re: Mail server without MX record.

2020-10-13 Thread Jason Long
I have an Internet domain name and a Linux server and I want to have an email 
server for send and receive emails. For example, if my domain is "example.net" 
then I want to have a "i...@example.net" address for send and receive emails 
from the Internet.








On Tuesday, October 13, 2020, 06:09:06 PM GMT+3:30, IL Ka 
 wrote: 





What are you trying to achieve?

There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website ability to 
send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via smart 
host (SMTP server of your provider). Some people run it on their laptops.
* Email hosting: users send and receive emails with your Postfix (as they do 
with Gmail, for example)
etc

It is important to choose a scenario, because if you only need to send emails 
from your website, then you do not need dovecot nor MX record and you even do 
not need to listen for incoming connections to the public port, but you may 
need DKIM and SPF.

In the "forward only via smart host" scenario you need almost nothing: no MX, 
no SPF/DKIM, no public port.
If you want to receive emails, then having an MX record is a good idea. 
You would also need to listen public port for incoming connections, and may be 
one more port for clients (465 or 587)






On Tue, Oct 13, 2020 at 5:19 PM Jason Long  wrote:
> Thank you for all of your messages.
> With that tutorial, which record or port is needed? 
> 
> 
> 
> 
> 
> 
> On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema 
>  wrote: 
> 
> 
> 
> 
> 
> Jason Long:
> 
>> Hello,
>> Can I use Postfix without MX record? I installed Postfix and Dovecot
>> via "https://wiki.centos.org/HowTos/postfix" tutorial and I want
>> to know can I use it without MX record?
> 
> 
> The SMTP standard (RFC 2821) does not *require* MX records. Some
> uninformed mail operators may require one, but those are rare.
> 
>     Wietse
> 
> 


Re: Mail server without MX record.

2020-10-13 Thread Bernardo Reino

On Tue, 13 Oct 2020, Jason Long wrote:

I have an Internet domain name and a Linux server and I want to have an 
email server for send and receive emails. For example, if my domain is 
"example.net" then I want to have a "i...@example.net" address for send 
and receive emails from the Internet.


But then why no MX record?

It's absolutely common, normal and expected to have an MX record so that 
other MTAs know where you actually want to have your mail delivered.


I'd advise you to first read about postfix (i.e. the manual), rather than 
some random outdated tutorials (do you use the same nickname at the Debian 
forum? :)


Cheers.


On Tuesday, October 13, 2020, 06:09:06 PM GMT+3:30, IL Ka 
 wrote:





What are you trying to achieve?

There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website ability to 
send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via smart 
host (SMTP server of your provider). Some people run it on their laptops.
* Email hosting: users send and receive emails with your Postfix (as they do 
with Gmail, for example)
etc

It is important to choose a scenario, because if you only need to send emails 
from your website, then you do not need dovecot nor MX record and you even do 
not need to listen for incoming connections to the public port, but you may 
need DKIM and SPF.

In the "forward only via smart host" scenario you need almost nothing: no MX, 
no SPF/DKIM, no public port.
If you want to receive emails, then having an MX record is a good idea. 
You would also need to listen public port for incoming connections, and may be 
one more port for clients (465 or 587)






On Tue, Oct 13, 2020 at 5:19 PM Jason Long  wrote:

Thank you for all of your messages.
With that tutorial, which record or port is needed? 






On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema 
 wrote:





Jason Long:


Hello,
Can I use Postfix without MX record? I installed Postfix and Dovecot
via "https://wiki.centos.org/HowTos/postfix" tutorial and I want
to know can I use it without MX record?



The SMTP standard (RFC 2821) does not *require* MX records. Some
uninformed mail operators may require one, but those are rare.

    Wietse




Re: Mail server without MX record.

2020-10-13 Thread @lbutlr
On 13 Oct 2020, at 09:45, Bernardo Reino  wrote:
> On Tue, 13 Oct 2020, Jason Long wrote:
> 
>> I have an Internet domain name and a Linux server and I want to have an 
>> email server for send and receive emails. For example, if my domain is 
>> "example.net" then I want to have a "i...@example.net" address for send and 
>> receive emails from the Internet.
> 
> But then why no MX record?
> 
> It's absolutely common, normal and expected to have an MX record so that 
> other MTAs know where you actually want to have your mail delivered.

It is also somewhat suspicious to have a mail server without an MX record. 
Sure, it’s ALLOWED, but it’s still weird.

-- 
99 percent of police give the rest a bad name.

Re: Mail server without MX record.

2020-10-13 Thread Jason Long
I can't have MX record because the DNS server have another MX record for other 
mail server.
I'm thankful if anyone tell me how can I solve my problem without MX record. Is 
it possible with A record?






On Tuesday, October 13, 2020, 07:19:56 PM GMT+3:30, @lbutlr  
wrote: 





On 13 Oct 2020, at 09:45, Bernardo Reino  wrote:

> On Tue, 13 Oct 2020, Jason Long wrote:
> 
>> I have an Internet domain name and a Linux server and I want to have an 
>> email server for send and receive emails. For example, if my domain is 
>> "example.net" then I want to have a "i...@example.net" address for send and 
>> receive emails from the Internet.
> 
> But then why no MX record?
> 
> It's absolutely common, normal and expected to have an MX record so that 
> other MTAs know where you actually want to have your mail delivered.


It is also somewhat suspicious to have a mail server without an MX record. 
Sure, it’s ALLOWED, but it’s still weird.

-- 
99 percent of police give the rest a bad name.


Re: Mail server without MX record.

2020-10-13 Thread IL Ka
> DNS server have another MX record for other mail server.
Then all mail to your domain will go to that mail server. No way to change
it. This is how SMTP works:


If one or more MX RRs are found for a given name, SMTP systems MUST
NOT utilize any A RRs


https://tools.ietf.org/html/rfc2821#section-5



You need to contact the DNS administrator. You would need DNS anyway,
because serious MTAs need SPF and DKIM: both are DNS records.


On Tue, Oct 13, 2020 at 6:53 PM Jason Long  wrote:

> I can't have MX record because the DNS server have another MX record for
> other mail server.
> I'm thankful if anyone tell me how can I solve my problem without MX
> record. Is it possible with A record?
>
>
>
>
>
>
> On Tuesday, October 13, 2020, 07:19:56 PM GMT+3:30, @lbutlr <
> krem...@kreme.com> wrote:
>
>
>
>
>
> On 13 Oct 2020, at 09:45, Bernardo Reino  wrote:
>
> > On Tue, 13 Oct 2020, Jason Long wrote:
> >
> >> I have an Internet domain name and a Linux server and I want to have an
> email server for send and receive emails. For example, if my domain is "
> example.net" then I want to have a "i...@example.net" address for send
> and receive emails from the Internet.
> >
> > But then why no MX record?
> >
> > It's absolutely common, normal and expected to have an MX record so that
> other MTAs know where you actually want to have your mail delivered.
>
>
> It is also somewhat suspicious to have a mail server without an MX record.
> Sure, it’s ALLOWED, but it’s still weird.
>
> --
> 99 percent of police give the rest a bad name.
>
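
The RFC 2821 section 5 rule quoted in this message, worked through as an added example (not code from the thread or from Postfix): it shows which hosts a sending MTA will try for a name, and why a server that only has the A record never sees mail once any MX exists. The `ZONE` data, host names and addresses are constructed, and `delivery_targets` and `receives_mail` are hypothetical helper names.

```python
# Added example: target selection per RFC 2821 section 5 over a constructed zone.
# ZONE is made-up sample data, not real DNS. Keys are (owner name, record type).
ZONE = {
    # Domain whose MX points at a hosting company's mail servers.
    ("example.net.", "MX"): [(20, "backup.hoster.example."),
                             (10, "mail.hoster.example.")],
    ("example.net.", "A"): ["192.0.2.10"],          # the operator's own server
    ("mail.hoster.example.", "A"): ["198.51.100.25"],
    ("backup.hoster.example.", "A"): ["198.51.100.26"],
    # Host name with an address record but no MX at all.
    ("joe.example.net.", "A"): ["192.0.2.44"],
    # MX whose target does not resolve, next to an A record on the same name.
    ("dangling.example.net.", "MX"): [(10, "gone.example.net.")],
    ("dangling.example.net.", "A"): ["192.0.2.77"],
}


def _fqdn(name):
    """Normalise to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _addresses(host, zone):
    """Address records for a host (AAAA is treated like A, as in RFC 5321)."""
    return list(zone.get((host, "A"), [])) + list(zone.get((host, "AAAA"), []))


def delivery_targets(domain, zone=ZONE):
    """Return [(preference, host, [addresses])] in the order a sender tries them."""
    name = _fqdn(domain)
    mx = zone.get((name, "MX"), [])
    if mx:
        # One or more MX RRs found: the name's own A RRs MUST NOT be used,
        # even when an MX target fails to resolve.
        # Equal preferences keep zone order here; real senders randomise them.
        ordered = sorted(mx, key=lambda rr: rr[0])
        return [(pref, _fqdn(host), _addresses(_fqdn(host), zone))
                for pref, host in ordered]
    own = _addresses(name, zone)
    if own:
        # No MX: the address record acts as an implicit MX with preference 0.
        return [(0, name, own)]
    return []  # nothing to deliver to


def receives_mail(domain, server_ip, zone=ZONE):
    """True if server_ip is among the addresses a sender would connect to."""
    return any(server_ip in addrs
               for _, _, addrs in delivery_targets(domain, zone))


if __name__ == "__main__":
    for d in ("example.net", "joe.example.net", "dangling.example.net"):
        print(d, delivery_targets(d))
    print("own server gets example.net mail:",
          receives_mail("example.net", "192.0.2.10"))
```
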


Re: Mail server without MX record.

2020-10-13 Thread Richard



> Date: Tuesday, October 13, 2020 15:52:41 +
> From: Jason Long 
>
> I can't have MX record because the DNS server have another MX
> record for other mail server. I'm thankful if anyone tell me how
> can I solve my problem without MX record. Is it possible with A
> record?

Either you misstated the issue or someone has a poor understanding of
DNS.

You might want to step back and get a more complete understanding of
the workings of mail and DNS. Without that, simply following
"cookbooks" will likely not get you where you want to be.

[by the way, while I don't think that this list is hardcore on
posting order, most technical lists frown on top posting.]



OpenDMARC milter domain based

2020-10-13 Thread Egoitz Aurrekoetxea
Good afternoon,

Can a Postfix instance have a destination based milter (for being able to
bypass DMARC check for some customers that ask for it) and finally for
everybody a filter action calling Amavis?.

I mean can a content filter be called from a restriction class (with filter
for instance)?. But, later the mandatory filter action for Amavis, should
happen for everybody. I say this, because I know that only one FILTER
action can exist...

How do you usually do this?. Or you just pass DMARC for every users?.

Regards,

-- 
Egoitz Aurrekoetxea


Re: Mail server without MX record.

2020-10-13 Thread Chris Green
On Tue, Oct 13, 2020 at 04:42:31PM +, Richard wrote:
> 
> 
> > Date: Tuesday, October 13, 2020 15:52:41 +
> > From: Jason Long 
> >
> > I can't have MX record because the DNS server have another MX
> > record for other mail server. I'm thankful if anyone tell me how
> > can I solve my problem without MX record. Is it possible with A
> > record?
> 
> Either you misstated the issue or someone has a poor understanding of
> DNS.
> 
> You might want to step back and get a more complete understanding of
> the workings of mail and DNS. Without that, simply following
> "cookbooks" will likely not get you where you want to be.
> 
I think it *may* be that the OP doesn't realise he can/should change
the MX record.  If you have a domain hosted at your average hosting
service the A record gets to point at whatever you need (home system,
virtual host, whatever) but the MX record is left pointing at the
hosting company's mail servers.  It's quite a rarity in the general
run of things that the MX record gets changed.


-- 
Chris Green


Re: Mail server without MX record.

2020-10-13 Thread Fred Morris
Notwithstanding, any "fully qualified domain name" (FQDN) can have email 
sent to it; typically only the FQDN immediately below the zone cut, and 
also the subject of SOA and NS records, has MX records.


But any other FQDN in the zone which has an A record should be 
deliverable, if it's routable and accepting traffic from the source. If 
you have joe.example.com (undelegated) and it has an A or  record and 
traffic from the sender can be routed to it nothing in mail or DNS 
prevents delivery to it, although senders may choose not to send to it 
based on local policy considerations.


On Tue, 13 Oct 2020, IL Ka wrote:


Date: Tue, 13 Oct 2020 19:06:05 +0300
From: IL Ka 
To: Jason Long 
Cc: Postfix users , "@lbutlr" 
Subject: Re: Mail server without MX record.


DNS server have another MX record for other mail server.

Then all mail to your domain will go to that mail server. No way to change
it. This is how SMTP works:

If one or more MX RRs are found for a given name, SMTP systems MUST
NOT utilize any A RRs

https://tools.ietf.org/html/rfc2821#section-5

You need to contact the DNS administrator. You would need DNS anyway,
because serious MTAs need SPF and DKIM: both are DNS records.

On Tue, Oct 13, 2020 at 6:53 PM Jason Long  wrote:


I can't have MX record because the DNS server have another MX record for
other mail server.
I'm thankful if anyone tell me how can I solve my problem without MX
record. Is it possible with A record?


See top post.


[...]
On 13 Oct 2020, at 09:45, Bernardo Reino  wrote:


On Tue, 13 Oct 2020, Jason Long wrote:

I have an Internet domain name and a Linux server and I want to have 
an email server for send and receive emails. For example, if my 
domain is "example.net" then I want to have a "i...@example.net"

address for send and receive emails from the Internet.


If you have MX for example.net then it overrides A record for example.net 
domain name. But please remember that "domain name" in DNS is a 
mathematical concept, it does not mean "a domain name having an SOA or 
equivalently immediately below a zone cut".


--

Fred Morris


Re: OpenDMARC milter domain based

2020-10-13 Thread Wietse Venema
Egoitz Aurrekoetxea:
> Good afternoon,
> 
> Can a Postfix instance have a destination based milter (for being able to
> bypass DMARC check for some customers that ask for it) and finally for
> everybody a filter action calling Amavis?.

SMTP does not receive any destination until after the fourth step:

1 - receive connection
2 - receive ehlo
3 - receive mail from
4 - receive rcpt to (there may be more than one!)
5 - receive data
6 - receive headers
7 - receive body
8 - receive end of message

Engaging a Milter in the middle of an SMTP conversation is problematic,
especially because Milters cannot skip SMTP protocol stages, and
because Milters can reply with 'reject' at many SMTP protocol stages.

Wietse


Re: Mail server without MX record.

2020-10-13 Thread @lbutlr
On 13 Oct 2020, at 12:03, Fred Morris  wrote:
> Notwithstanding, any "fully qualified domain name" (FQDN) can have email sent 
> to it; typically only the FQDN immediately below the zone cut, and also the 
> subject of SOA and NS records, has MX records.

Pretty sure it is perfectly fine to have different MX records for subdomains.

example.com MX  10  mail.example.com.
foo MX  10  mail.sub1.example.com.
Bar MX  10  mail.sub2.example.com.

Universities used to often have different MX servers for different 
departments/machines, though now it seems they are using external services for 
MX (maybe lucky, I checked five and all were using google or outlook for MX).

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but Tuesday Weld isn't a complete sentence."



Re: Mail server without MX record.

2020-10-13 Thread Fred Morris
Hello. Real example of someone with this setup, and all records for the 
FQDNs in question, or it didn't happen.


On Tue, 13 Oct 2020, @lbutlr wrote:

On 13 Oct 2020, at 12:03, Fred Morris  wrote:
Notwithstanding, any "fully qualified domain name" (FQDN) can have 
email sent to it; typically only the FQDN immediately below the zone 
cut, and also the subject of SOA and NS records, has MX records.


Pretty sure it is perfectly fine to have different MX records for subdomains.

example.com MX  10  mail.example.com.
foo MX  10  mail.sub1.example.com.
Bar MX  10  mail.sub2.example.com.

Universities used to often have different MX servers for different 
departments/machines, though now it seems they are using external 
services for MX (maybe lucky, I checked five and all were using google 
or outlook for MX).


Nothing here says that they haven't delegated e.g. foo.example.com.

Here, like this:

MariaDB [DNS]> SELECT name, type FROM Resource WHERE name IN (select name 
from Resource where name like '%.washington.edu.' and type = 'MX') GROUP 
BY name, type ORDER BY name, type;

+---------------------------+------+
| name                      | type |
+---------------------------+------+
| marge.cac.washington.edu. | A    |
| marge.cac.washington.edu. | MX   |
| marge.cac.washington.edu. | NS   |
| math.washington.edu.      | MX   |
| math.washington.edu.      | NS   |
| staff.washington.edu.     | MX   |
| staff.washington.edu.     | NS   |
| u.washington.edu.         | MX   |
| u.washington.edu.         | NS   |
| www.atmos.washington.edu. | A    |
| www.atmos.washington.edu. | MX   |
| www.atmos.washington.edu. | NS   |
+---------------------------+------+

--

Fred Morris



Re: Mail server without MX record.

2020-10-13 Thread Jason Long
I'm really thankful for all information and help.
Excuse me, I have some questions and I'm thankful if anyone answer to them by number:
1- Each domain can have a MX record?
2- If a company need multi MX record then it must have multi DNS server too?
3- Other methods like forwarding need MX record too?
Thank you.

Sent from Yahoo Mail on Android 
 
On Tue, Oct 13, 2020 at 10:12 PM, @lbutlr wrote:

On 13 Oct 2020, at 12:03, Fred Morris  wrote:
> Notwithstanding, any "fully qualified domain name" (FQDN) can have email sent 
> to it; typically only the FQDN immediately below the zone cut, and also the 
> subject of SOA and NS records, has MX records.

Pretty sure it is perfectly fine to have different MX records for subdomains.

example.com    MX    10    mail.example.com.
foo        MX    10    mail.sub1.example.com.
Bar        MX    10    mail.sub2.example.com.

Universities used to often have different MX servers for different 
departments/machines, though now it seems they are using external services for 
MX (maybe lucky, I checked five and all were using google or outlook for MX).

-- 
"Are you pondering what I'm pondering?"
"I think so, Brain, but Tuesday Weld isn't a complete sentence."
  


Re: Mail server without MX record.

2020-10-13 Thread IL Ka
>1- Each domain can have a MX record?
If you want to receive email for this domain then yes, you should have an
MX record for it. Without it  "A" record will be used, but it is better to
have MX.


>2- If a company need multi MX record then it must have multi DNS server
too?
You can have multiple MX records with different priorities. Sender's MTA
will try first one first.
Number of DNS servers doesn't affect the number of MX records: in most
cases all public servers must have the same records.

>3- Other methods like forwarding need MX record too?
No, if you only want to send email, you are not required to have an MX
record. Some MTAs may decline messages from domains without of MX, but most
of them accept such mails.
But if you have no MX, then you can't get replies and non delivery reports.

There are some books about Postfix: "The book of Postfix", "Postfix: The
Definitive Guide". It may be a good idea to read some of them: they cover
how postfix works with DNS and MX.



On Tue, Oct 13, 2020 at 10:15 PM Jason Long  wrote:

> I'm really thankful for all information and help.
> Excuse me, I have some questions and I'm thankful if anyone answer to them
> by number:
> 1- Each domain can have a MX record?
> 2- If a company need multi MX record then it must have multi DNS server
> too?
> 3- Other methods like forwarding need MX record too?
>
> Thank you.
>
>
> Sent from Yahoo Mail on Android
> 
>
> On Tue, Oct 13, 2020 at 10:12 PM, @lbutlr
>  wrote:
> On 13 Oct 2020, at 12:03, Fred Morris  wrote:
>
> > Notwithstanding, any "fully qualified domain name" (FQDN) can have email
> sent to it; typically only the FQDN immediately below the zone cut, and
> also the subject of SOA and NS records, has MX records.
>
>
> Pretty sure it is perfectly fine to have different MX records for subdomains.
>
> example.com    MX    10    mail.example.com.
> foo        MX    10    mail.sub1.example.com.
> Bar        MX    10    mail.sub2.example.com.
>
> Universities used to often have different MX servers for different
> departments/machines, though now it seems they are using external services
> for MX (maybe lucky, I checked five and all were using google or outlook
> for MX).
>
> --
> "Are you pondering what I'm pondering?"
> "I think so, Brain, but Tuesday Weld isn't a complete sentence."
>
>


Re: Mail server without MX record.

2020-10-13 Thread Ron Wheeler

You want an MX record.
Why would you not want an MX record? What is the downside?

Where is your dns?



On 2020-10-13 11:04 a.m., Jason Long wrote:

I have an Internet domain name and a Linux server and I want to have an email server for send and 
receive emails. For example, if my domain is "example.net" then I want to have a 
"i...@example.net" address for send and receive emails from the Internet.








On Tuesday, October 13, 2020, 06:09:06 PM GMT+3:30, IL Ka 
 wrote:





What are you trying to achieve?

There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website ability to 
send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via smart 
host (SMTP server of your provider). Some people run it on their laptops.
* Email hosting: users send and receive emails with your Postfix (as they do 
with Gmail, for example)
etc

It is important to choose a scenario, because if you only need to send emails 
from your website, then you do not need dovecot nor MX record and you even do 
not need to listen for incoming connections to the public port, but you may 
need DKIM and SPF.

In the "forward only via smart host" scenario you need almost nothing: no MX, 
no SPF/DKIM, no public port.
If you want to receive emails, then having an MX record is a good idea.
You would also need to listen on a public port for incoming connections, and maybe
one more port for clients (465 or 587).






On Tue, Oct 13, 2020 at 5:19 PM Jason Long  wrote:

Thank you for all of your messages.
With that tutorial, which record or port is needed?






On Tuesday, October 13, 2020, 04:31:34 PM GMT+3:30, Wietse Venema wrote:





Jason Long:


Hello,
Can I use Postfix without MX record? I installed Postfix and Dovecot
via "https://wiki.centos.org/HowTos/postfix" tutorial and I want
to know can I use it without MX record?


The SMTP standard (RFC 2821) does not *require* MX records. Some
uninformed mail operators may require one, but those are rare.

     Wietse




--
Ron Wheeler
Artifact Software
438-345-3369
rwhee...@artifact-software.com



Re: PostFix not working after update

2020-10-13 Thread Bob Proulx
Paul Lauzon wrote:
> I have kept Postfix and many other services disabled at power-up since last
> year and it works well for me that way.  I did that last year after I got
> DDOS and spammed tons of mail with virus attachments and my server was so
> overwhelmed that I could not use it for days and even login with putty took
> several hours trying.  By starting my server with only the basic services,
> when the DDOS/spam happens, I can just request a server reboot and I can
> login easily and start the services after I am done.

Gotcha.  It's unusual.  But shouldn't be "the problem".

> I did not do these yet:
> > postconf compatibility_level=2
> > postfix reload
> 
> This is what I have in my master.cf file:
> # ==
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #   (yes)   (yes)   (yes)   (never) (100)
> # ==
> smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes

Since the chroot field is a "-" that means it will use the default
value.  Postfix documents this here.

http://www.postfix.org/COMPATIBILITY_README.html#chroot

Summary: If it is 0 then it assumes that default is 'y' and if it is
set to 2 then it assumes it is 'n'.  But in case I made a typo there
ignore me and read the authoritative documentation which I am sure has
been proofread carefully!

Which means that changing compatibility_level from 0 to 2 will change
the chroot configuration to stop using it in your case now when you
were using the chroot by default before.

If you simply want to silence the warning message "using
backwards-compatible default setting chroot=y" then setting that field
explicitly to 'y' before doing so should keep the exact same
configuration that you had before making that change but the warning
would be silenced.

smtp inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes

> So that '-' would be what created the issue perhaps?

It is what created the warning message "using backwards-compatible
default setting chroot=y".  But let me assure you that there are
zillions of Debian systems out there emitting that warning because no
one changed anything and things are working okay regardless.  It seems
very unlikely to be related to whatever is "the problem" that you are
currently experiencing.

> If so, is it better to run postfix using chroot = yes since this is
> the new default?  I would have to find a tutorial on how to
> reinstall it properly that way I guess.  Or I could just put a 'no'
> there but it would make it less secure?  I prefer the most secure
> option.

I prefer keeping in the middle of the wildebeest herd as it crosses
the river.  The crocodile predators most often take the weak ones from
the edge first.  Debian has for many years been defaulting to the
chroot configuration.  You have apparently been using the chroot
configuration.  Therefore I would continue.  I am myself using the
chroot configuration.  I would investigate why the init start of
postfix did not update the chroot properly.  But again I don't think
that is "the problem" you are currently experiencing.

> For systemd (funny: abandon all hope, ye who enter), I would hope that a
> 'disabled' service is not considered 'uninstalled' so that when I updated
> my certificates using "Let's Encrypt" it did not update the Postfix
> certificates.  But any automation is a very good way to screw-up...  Just
> like my update did.

By this I assume you are setting the postfix ssl configuration
variables smtpd_tls_key_file and smtpd_tls_cert_file to use your Let's
Encrypt obtained Domain Validation certificates?  That's fine.  I do
that too.  But note that SMTP STARTTLS as far as I know does not and
cannot require certificate validation.  It's opportunistic only.

http://www.postfix.org/TLS_README.html

By default Debian configures a self-signed certificate.  That's okay
too.  Likely not "the problem" you are currently experiencing.  For
debugging things the best reference is all of the good information here.

http://www.postfix.org/DEBUG_README.html

However let me point you specifically to what I would do.  I see by
what you have shown so far this:

Oct  9 05:35:05 ...: postfix/postqueue[...]: warning: Mail system is down -- accessing queue directly

So postfix is not running for some reason.  In that case start it.
Then look in the /var/log/syslog and /var/log/mail.log files for any
messages logged there.  Here is an example of what might be seen there
from a systemd system here, which should match your systemd machine there.

rwp@madness:~$ sudo systemctl start postfix.service

rwp@madness:~$ sudo tail /var/log/syslog
Oct 13 14:26:30 madness systemd[1]: Starting Postfix Mail Transport Agent (instance -)...
Oct 13 14:26:30 madness postfix/postfix-script[17085]: warning: symlink leaves directory: /etc/postfix/./makedefs.out
Oct 1
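
Added example (not part of Bob Proulx's message, and not Postfix code): a Python check that lists the master.cf entries whose chroot column is "-", and which therefore change from 'y' to 'n' when compatibility_level goes from 0 to 2 as described above. The sample file is constructed apart from the smtp entry quoted in the thread, and the "below level 1" threshold is this example's assumption; the message only contrasts levels 0 and 2.

```python
COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")

# Constructed sample; only the smtp entry comes from the thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
local     unix  -       n       n       -       -       local
rewrite   unix  -       -       -       -       -       trivial-rewrite
"""

def parse_master_cf(text):
    """Return one dict per service entry, folding continuation lines."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continues the previous entry
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        fields = line.split(None, len(COLUMNS))
        if len(fields) <= len(COLUMNS):
            raise ValueError("malformed master.cf entry: %r" % line)
        entry = dict(zip(COLUMNS, fields))
        entry["command"] = fields[len(COLUMNS)]
        entries.append(entry)
    return entries

def effective_chroot(field, compat_level):
    """Resolve the chroot column; '-' means 'use the default'."""
    if field in ("y", "n"):
        return field
    if field != "-":
        raise ValueError("unexpected chroot value: %r" % field)
    # Assumption of this example: the legacy default 'y' applies below level 1.
    return "y" if compat_level < 1 else "n"

def chroot_changes(text, old_level=0, new_level=2):
    """List (service, type, old, new) for entries that flip on the level change."""
    changes = []
    for e in parse_master_cf(text):
        old = effective_chroot(e["chroot"], old_level)
        new = effective_chroot(e["chroot"], new_level)
        if old != new:
            changes.append((e["service"], e["type"], old, new))
    return changes
```

Every entry it reports is one where the field should be set explicitly to 'y' or 'n' before the compatibility level is raised, so the running configuration does not change silently.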

Re: Mail server without MX record.

2020-10-13 Thread Bill Cole

On 13 Oct 2020, at 15:02, Fred Morris wrote:

Hello. Real example of someone with this setup, and all records for 
the FQDNs in question, or it didn't happen.


Waving at Fred...

billmail.scconsult.com. 10800   IN  MX  0 clues.scconsult.com.
billmail.scconsult.com. 10800   IN  MX  10 grumpy.scconsult.com.
scconsult.com.  86400   IN  MX  10 sc1.scconsult.com.
scconsult.com.  86400   IN  MX  1 toaster.scconsult.com.



On Tue, 13 Oct 2020, @lbutlr wrote:

On 13 Oct 2020, at 12:03, Fred Morris  wrote:
Notwithstanding, any "fully qualified domain name" (FQDN) can have 
email sent to it; typically only the FQDN immediately below the zone 
cut, and also the subject of SOA and NS records, has MX records.


Pretty sure it is perfectly fine to have different MX records for 
subdomains.


example.com MX  10  mail.example.com.
foo MX  10  mail.sub1.example.com.
Bar MX  10  mail.sub2.example.com.

Universities used to often have different MX servers for different 
departments/machines, though now it seems they are using external 
services for MX (maybe lucky, I checked five and all were using 
google or outlook for MX).


Nothing here says that they haven't delegated e.g. foo.example.com.

Here, like this:

MariaDB [DNS]> SELECT name, type FROM Resource WHERE name IN (select 
name from Resource where name like '%.washington.edu.' and type = 
'MX') GROUP BY name, type ORDER BY name, type;

+---------------------------+------+
| name                      | type |
+---------------------------+------+
| marge.cac.washington.edu. | A    |
| marge.cac.washington.edu. | MX   |
| marge.cac.washington.edu. | NS   |
| math.washington.edu.      | MX   |
| math.washington.edu.      | NS   |
| staff.washington.edu.     | MX   |
| staff.washington.edu.     | NS   |
| u.washington.edu.         | MX   |
| u.washington.edu.         | NS   |
| www.atmos.washington.edu. | A    |
| www.atmos.washington.edu. | MX   |
| www.atmos.washington.edu. | NS   |
+---------------------------+------+

--

Fred Morris



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Mail server without MX record.

2020-10-13 Thread Fred Morris

On Tue, 13 Oct 2020, Bill Cole wrote:

On 13 Oct 2020, at 15:02, Fred Morris wrote:


 Hello. Real example of someone with this setup, and all records for the
 FQDNs in question, or it didn't happen.


Waving at Fred...

billmail.scconsult.com. 10800   IN  MX  0 clues.scconsult.com.
billmail.scconsult.com. 10800   IN  MX  10 grumpy.scconsult.com.
scconsult.com.  86400   IN  MX  10 sc1.scconsult.com.
scconsult.com.  86400   IN  MX  1 toaster.scconsult.com.


Perfect, thanks! billmail.scconsult.com is not delegated from 
scconsult.com (has no SOA or NS), and scconsult.com is delegated from 
.com (of course), with SOA and NS.


Bonus points: billmail has SPF.

(I'll assume that it works, since you're subscribed from 
@billmail.scconsult.com. I probably wouldn't set it up that way.)


--

Fred



possible bottlenecks

2020-10-13 Thread Zsombor B

Hi,


I know this is a complicated question but what/where do you see  
possible bottlenecks in postfix?

Is it CPU? RAM? Disk IO?

I'm building an infra to send out ~3-5 million emails a day.
There are no known peak periods of the day but that's also sure that  
the load will be uneven (no emails for a while then suddenly 10-100K  
mails in a very short period of time).


The plan is to start with 4 VMs and about ~10% of the planned daily  
mail amount but it will reach the planned maximum very soon.


Do you have any experience based recommendations on CPU, RAM or other  
tuning parameters?


Thanks,
Zsombor



Re: Outlook.com Max Connections

2020-10-13 Thread Viktor Dukhovni
> On Oct 13, 2020, at 7:33 AM, Tom Sommer  wrote:
> 
> The process limit would be an overall limit on the transport?
> 
> Is there a way to limit the number of concurrent connections for each 
> destination IP?

No.  Postfix has no mechanism for that.  The only entity with a
global view of the queue is the queue manager, and the queue
manager has no knowledge of which IP addresses a particular
nexthop will resolve to once smtp(8) tries to do a delivery.

Postfix schedules delivery of a message to a nexthop destination
(domain in most cases), there is no explicit scheduling of
connections, the smtp(8) delivery agent just tries one or more
MX host IPs in turn, shuffling equal-priority IPs at random,
but also trying to make sure that when both IPv4 and IPv6
addresses are available, some connections of each type
will be made before giving up on the destination as unreachable.

A substantial redesign (unlikely to happen) of the queue manager
and/or smtp(8) delivery agent would be needed in order to schedule
connections, which means helper processes (and queues) for mapping
a nexthop to a set of IP addresses


One might therefore split the smtp(8) delivery agent into two
parts, with MX resolution and TLS policy lookup happening
separately from delivery, and the pending list of IP addresses
and recipients given to a connection manager process that would
orchestrate actual SMTP transactions against particular IP
addresses, with appropriate per-IP concurrency limits.

But this has implications for the queue manager, because now
a delivery attempt may be sitting for a while in a downstream
queue, waiting for a connection slot.  The resolution half of
the delivery agent can't report completion of the job, but
having it blocked waiting for a connection introduces potential
bottlenecks.  This design space has not been explored.

-- 
Viktor.
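
Added example (not part of Viktor Dukhovni's message, and not Postfix code): a simplified Python model of the point above, in which concurrency is limited per nexthop but the IP addresses are only known at delivery time, so two nexthops that share an MX host can together exceed any per-IP figure. It also covers the case from the MX thread of a domain with no MX record, which falls back to the domain's own address record. All domains, hosts and addresses are constructed, and every first-choice IP is assumed to accept the connection.

```python
import random
from collections import Counter

# Constructed records using reserved example names and addresses.
MX = {
    "a.example": [(10, "mx1.host.example")],
    "b.example": [(5, "mx1.host.example"), (20, "mx3.host.example")],
    "d.example": [(10, "mx2.host.example"), (10, "mx3.host.example")],
}
ADDR = {
    "mx1.host.example": ["192.0.2.1"],
    "mx2.host.example": ["192.0.2.2"],
    "mx3.host.example": ["192.0.2.3"],
    "c.example": ["192.0.2.9"],          # domain with no MX record at all
}

def candidate_ips(nexthop, rng):
    """Ordered IP list for a nexthop, as known only at delivery time."""
    # No MX: the domain's own address record acts as an implicit MX.
    records = MX.get(nexthop) or [(0, nexthop)]
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).extend(ADDR.get(host, []))
    ordered = []
    for pref in sorted(by_pref):         # lowest preference value first
        group = list(by_pref[pref])
        rng.shuffle(group)               # equal preference: random order
        ordered.extend(group)
    return ordered

def connections_per_ip(nexthops, per_nexthop_limit, rng):
    """Fill every nexthop's concurrency slots and count connections per IP.

    The scheduler in this model sees only nexthop names, never the IPs.
    """
    per_ip = Counter()
    for nexthop in nexthops:
        for _ in range(per_nexthop_limit):
            per_ip[candidate_ips(nexthop, rng)[0]] += 1
    return per_ip

if __name__ == "__main__":
    load = connections_per_ip(["a.example", "b.example", "c.example", "d.example"],
                              per_nexthop_limit=5, rng=random.Random(1))
    for ip, count in sorted(load.items()):
        print(ip, count)
```

With a limit of 5 per nexthop, 192.0.2.1 still receives 10 connections because a.example and b.example both resolve to it first.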



Re: Mail server without MX record.

2020-10-13 Thread Dirk Stöcker

On Tue, 13 Oct 2020, Fred Morris wrote:

Perfect, thanks! billmail.scconsult.com is not delegated from scconsult.com 
(has no SOA or NS), and scconsult.com is delegated from .com (of course), 
with SOA and NS.


Bonus points: billmail has SPF.


Same concept, but a bit different (also has SPF, DANE, ...):

d.stoecker.eu -> 10 mail.stoecker.eu.

Subdomains for members of the family :-) Using only one MX for these
and the main domains.

Usually works fine except:
* Some clever web-interfaces assume that e-mail addresses can only have one dot
* Some more clever web-interfaces assume that a single letter before the dot 
isn't ok.

So it's not always possible to use the addresses.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)