Re: Bug: Postfix errors at startup for service listed in known_tcp_ports but not listed in /etc/services

2021-10-17 Thread Viktor Dukhovni
On Sun, Oct 17, 2021 at 06:40:47PM +1300, Peter wrote:

> Just had someone come into the IRC chat with this issue and I was able 
> to reproduce it quite easily, this is with Postfix 3.6.2.  If your 
> /etc/services has smtps listed but not submissions (or vice-versa) and 
> you uncomment or add the relevant section to master.cf then postfix 
> gives an error like the following at startup:
> 
> Oct 17 18:28:59 CentOS8 postfix/master[79810]: fatal: 127.0.0.1:submissions: Servname not supported for ai_socktype
> Oct 17 18:29:00 CentOS8 postfix/master[79809]: fatal: daemon initialization failure
> Oct 17 18:29:01 CentOS8 postfix/postfix-script[79811]: fatal: mail system startup failed

The feature appears to have been released in an incomplete form.
I don't see any code in Postfix to actually use "known_tcp_ports"
to load the underlying hash table.

Also, while numeric service names work with getaddrinfo(3), I
don't believe they work with getservbyname(3):

--- a/src/posttls-finger/posttls-finger.c
+++ b/src/posttls-finger/posttls-finger.c
@@ -1495 +1496 @@ static char *parse_destination(char *destination, char 
*def_service,
-   if ((sp = getservbyname(service, protocol)) != 0)
+   if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) 
!= 0)
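Review bot: In parse_destination the result of filter_known_tcp_port(service) is handed straight to getservbyname(), which looks names up in the services database; if the filter maps a name to a numeric string, this lookup can still return 0. Test the filtered value for an all-digit string and convert it directly, and call getservbyname() only for non-numeric names.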
--- a/src/smtp/smtp_connect.c
+++ b/src/smtp/smtp_connect.c
@@ -363 +364 @@ static char *smtp_parse_destination(char *destination, char 
*def_service,
-   if ((sp = getservbyname(service, protocol)) == 0)
+   if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) 
== 0)
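Review bot: The getservbyname(filter_known_tcp_port(service), protocol) expression in smtp_parse_destination is the same one patched into posttls-finger.c and find_inet.c, so any fix for numeric results has to be repeated at each site. A single helper that takes the service string and returns the port would keep these call sites consistent.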
--- a/src/util/find_inet.c
+++ b/src/util/find_inet.c
@@ -92 +93 @@ int find_inet_port(const char *service, const char 
*protocol)
-   if ((sp = getservbyname(service, protocol)) == 0)
+   if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) 
== 0)
--- a/src/util/myaddrinfo.c
+++ b/src/util/myaddrinfo.c
@@ -284 +285 @@ static int find_service(const char *service, int socktype)
-if ((sp = getservbyname(service, proto)) != 0) {
+if ((sp = getservbyname(filter_known_tcp_port(service), proto)) != 0) {
@@ -447 +448 @@ int hostname_to_sockaddr_pf(const char *hostname, int 
pf,
-err = getaddrinfo(hostname, service, &hints, res);
+err = getaddrinfo(hostname, filter_known_tcp_port(service), &hints, 
res);
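Review bot: getaddrinfo() accepts a null service argument, so in hostname_to_sockaddr_pf the new filter_known_tcp_port(service) call must tolerate service == 0 and return it unchanged. Either guard the call here or state that guarantee in the filter's documentation.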
@@ -563 +564 @@ int hostaddr_to_sockaddr(const char *hostaddr, const 
char *service,
-err = getaddrinfo(hostaddr, service, &hints, res);
+err = getaddrinfo(hostaddr, filter_known_tcp_port(service), &hints, 
res);

So even when the parameter is properly loaded, only the last two changes
would work as expected.

-- 
Viktor.


Re: Bug: Postfix errors at startup for service listed in known_tcp_ports but not listed in /etc/services

2021-10-17 Thread Peter

On 17/10/21 8:00 pm, Viktor Dukhovni wrote:

> The feature appears to have been released in an incomplete form.
> I don't see any code in Postfix to actually use "known_tcp_ports"
> to load the underlying hash table.


Hr, okay.


> Also, while numeric service names work with getaddrinfo(3), I
> don't believe they work with getservbyname(3):

 +   if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) 
!= 0)
 +   if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) 
== 0)
 +   if ((sp = getservbyname(filter_known_tcp_port(service), protocol)) 
== 0)
 +if ((sp = getservbyname(filter_known_tcp_port(service), proto)) != 0) 
{

> So even when the parameter is properly loaded, only the last two changes
> would work as expected.


That makes sense.  It seems like we need a wrapper function for 
getservbyname() that first checks htable_locate() and if the port exists 
there simply creates the servent structure itself with the proper 
service data, and if not passes the call onto getservbyname().



Peter
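
The wrapper idea discussed in this thread, as an added example that is not part of the original posts and is not Postfix code: it parses all-digit service strings itself, consults a small name-to-port table next, and only then falls back to getservbyname(3), returning the port directly rather than building a struct servent. The table contents and the name lookup_tcp_port are hypothetical.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a known_tcp_ports table (constructed values). */
static const struct { const char *name; int port; } known_ports[] = {
    { "smtps", 465 }, { "submissions", 465 }, { "submission", 587 },
};

/* Resolve a service name or number to a host-order port, or -1 on failure. */
int lookup_tcp_port(const char *service)
{
    struct servent *sp;
    size_t i;
    long port;

    if (service == 0)
        return -1;
    /* 1. All-digit strings are parsed here and never reach getservbyname(). */
    if (*service && service[strspn(service, "0123456789")] == 0) {
        port = strtol(service, (char **) 0, 10);
        return (port > 0 && port < 65536) ? (int) port : -1;
    }
    /* 2. The local table wins, so a missing /etc/services entry is harmless. */
    for (i = 0; i < sizeof(known_ports) / sizeof(known_ports[0]); i++)
        if (strcmp(service, known_ports[i].name) == 0)
            return known_ports[i].port;
    /* 3. Anything else goes to the system services database. */
    sp = getservbyname(service, "tcp");
    return sp ? ntohs(sp->s_port) : -1;
}

int main(void)
{
    /* Contrast: the raw libc call given a numeric string, then the wrapper. */
    printf("raw getservbyname(\"465\") -> %s\n",
           getservbyname("465", "tcp") ? "found" : "NULL");
    printf("submissions -> %d\n", lookup_tcp_port("submissions"));
    printf("465 -> %d\n", lookup_tcp_port("465"));
    return 0;
}
```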


DKIM signed by other domains breaks DMARC?

2021-10-17 Thread Wes Peng
I am a little confused about this scene, the email sent from my domain is
signed by Yahoo,  thus it has a valid DKIM. But my domain itself has no
DKIM setup, the message was signed by Yahoo not by my domain. Will this
DKIM setting make DMARC broken?

I saw the headers from gmail as below. I am just not sure about this.
Please advise, thanks.

SPF: PASS with IP 106.10.242.xx Learn more

DKIM: 'PASS' with domain yahoo.com Learn more

DMARC: 'PASS'


Re: DKIM signed by other domains breaks DMARC?

2021-10-17 Thread Matus UHLAR - fantomas

On 17.10.21 18:48, Wes Peng wrote:

> I am a little confused about this scene, the email sent from my domain is
> signed by Yahoo, thus it has a valid DKIM. But my domain itself has no
> DKIM setup, the message was signed by Yahoo not by my domain. Will this
> DKIM setting make DMARC broken?


if you set up DMARC for your domain, DMARC won't pass, but Yahoo DKIM should
not break anything.

DMARC and DKIM apply for your sending domain (the one in From:).

signing by other domains usually makes no sense.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: DKIM signed by other domains breaks DMARC?

2021-10-17 Thread Peter

On 17/10/21 11:48 pm, Wes Peng wrote:
> I am a little confused about this scene, the email sent from my domain
> is signed by Yahoo, thus it has a valid DKIM. But my domain itself has
> no DKIM setup, the message was signed by Yahoo not by my domain. Will
> this DKIM setting make DMARC broken?
>
> I saw the headers from gmail as below. I am just not sure about this.
> Please advise, thanks.
>
> SPF: PASS with IP 106.10.242.xx Learn more
>
> DKIM: 'PASS' with domain yahoo.com Learn more



DMARC simply ignores any DKIM sigs that are not signed by the domain in 
the From: header, so having the yahoo DKIM signature won't break DMARC, 
but it won't help either.



> DMARC: 'PASS'


DMARC requires either DKIM or SPF to pass on the domain in the From: 
header, so in this case it likely passed based on SPF.


Do note that when a message is sent through an email list such as this 
there will be no passing SPF signature on the From: domain because of 
the forwarding aspect of the mailing list, so if you don't have a valid 
DKIM signature on that domain then the message will (and in this case 
does) fail DMARC.



Peter
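
The DMARC decision described in this reply, as an added example that is not part of the original post: a message passes when SPF or a DKIM signature passes for a domain aligned with the From: domain, and unaligned signatures are ignored. The type and function names are hypothetical, alignment is simplified to the strict (exact match) mode, and the domains are constructed.

```c
#include <stdio.h>
#include <strings.h>

/* One authentication result as a receiver would record it (hypothetical type). */
struct auth_result {
    int pass;               /* 1 if the SPF or DKIM check itself passed */
    const char *domain;     /* SPF: envelope sender domain; DKIM: d= domain */
};

/* Strict alignment: the authenticated domain must equal the From: domain. */
static int aligned(const struct auth_result *r, const char *from_domain)
{
    return r->pass && strcasecmp(r->domain, from_domain) == 0;
}

/* DMARC passes if SPF or any DKIM signature passes AND is aligned. */
int dmarc_pass(const char *from_domain, const struct auth_result *spf,
               const struct auth_result *dkim, int ndkim)
{
    int i;
    if (aligned(spf, from_domain))
        return 1;
    for (i = 0; i < ndkim; i++)
        if (aligned(&dkim[i], from_domain))
            return 1;                   /* unaligned signatures are skipped */
    return 0;
}

/* Constructed case 1: direct delivery, SPF aligned, DKIM signed by yahoo.com. */
int direct_case(void)
{
    struct auth_result spf = { 1, "example.org" };
    struct auth_result dkim[] = { { 1, "yahoo.com" } };
    return dmarc_pass("example.org", &spf, dkim, 1);
}

/* Constructed case 2: same message via a list; SPF passes for the list only. */
int list_case(void)
{
    struct auth_result spf = { 1, "lists.example.net" };
    struct auth_result dkim[] = { { 1, "yahoo.com" } };
    return dmarc_pass("example.org", &spf, dkim, 1);
}

int main(void)
{
    printf("direct: %d, via list: %d\n", direct_case(), list_case());
    return 0;
}
```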


Re: Various questions about Postfix

2021-10-17 Thread raf
On Fri, Oct 15, 2021 at 12:20:55PM -0500, Tyler Montney wrote:

> One other thing while I wait...
> 
> Once I'm done researching (in a week or two), I'd like someone to provide a
> sanity check on my Postfix config by posting it here. Is that allowed?

Sure. When you're ready, post the output of "postconf -nf" and "postconf -Mf".

cheers,
raf



Way to apply a postfix rule to both FROM and TO?

2021-10-17 Thread Dan Mahoney (Gushi)

Hey there all,

I've wondered this a while.  It seems the old Sendmail access maps, and 
following that postfix have managed to allow you to apply a rule on things 
like:


CONNECTED VIA specific IP.
FROM a specific mailbox
TO a specific mailbox

But never more than one of these.

Is there any easy way in postfix to say things like "Block all gmail.com 
addresses for stuff sent to i...@dayjob.com"?


-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---