Re: Can i run postfix on my home IP
On Thu, 13 Jan 2022, Yamadaえりな wrote:
> I have got a DSL from the ISP, having a static IP.
> Can I run postfix with this IP for accepting email for my own domain?

On 2022-01-12 21:45, Fred Morris wrote:
> If you've got a static IP and there's no games being played, it should
> work as long as the connection is "always on" and accepts connections
> (SYN) on port 25 from the outside world. -- FWM

On 13.01.22 00:29, Rob McGee wrote:
> Fred and Richard are of course correct, but you are very likely to
> have problems sending mail from a residential IP netblock. See if
> you're on PBL:
> https://www.spamhaus.org/pbl/
>
> If your ISP will set a custom PTR record for your IP address, you
> can remove yourself from PBL. If not, you can possibly receive at
> your home IP address, but you would have to relay outbound through
> a VPS. Or, upgrade to business-class service from your ISP. Most
> often a VPS is cheaper.

if an ISP is willing to set reverse DNS of statically assigned IP to something customer wants, it should not be required.

so, look at your reverse DNS (generic names are often blocked at many isps) and optionally ask your ISP to change it to something that points to your IP.

you'll want non-generic name like mail.example.com.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux IS user friendly, it's just selective who its friends are...
Re: Can i run postfix on my home IP
Hello,

i would say for *accepting* mail you 'just' have to get the following working:

- ability to accept tcp connections on port 25 (some public reachable ip, no port 25 filtering by ISP)
- have some dns A/ record(s) pointing to your public reachable ipv4/ipv6
- have the MX record of your domain point to the a/ record.

that is the list for *accepting* mail.

For sending mail, it gets more involved (check not on PBL list, have correct PTR record), but if taken literally that would be outside of what you described your goal is.

cheers!
Max

On 1/13/22 3:00 AM, Yamadaえりな wrote:
> Hello list,
>
> I have got a DSL from the ISP, having a static IP.
> Can I run postfix with this IP for accepting email for my own domain?
>
> Thank you
> えりな
Re: Can i run postfix on my home IP
On Thu, Jan 13, 2022 at 12:29:43AM -0600, Rob McGee wrote:
> On 2022-01-12 21:45, Fred Morris wrote:
> > If you've got a static IP and there's no games being played, it should
> > work as long as the connection is "always on" and accepts connections
> > (SYN) on port 25 from the outside world. -- FWM
> >
> > On Thu, 13 Jan 2022, Yamadaえりな wrote:
> > >
> > > I have got a DSL from the ISP, having a static IP.
> > > Can I run postfix with this IP for accepting email for my own domain?
>
> Fred and Richard are of course correct, but you are very likely to
> have problems sending mail from a residential IP netblock. See if
> you're on PBL:
> https://www.spamhaus.org/pbl/
>
> If your ISP will set a custom PTR record for your IP address, you
> can remove yourself from PBL. If not, you can possibly receive at
> your home IP address, but you would have to relay outbound through
> a VPS. Or, upgrade to business-class service from your ISP. Most
> often a VPS is cheaper.

I run Postfix on my home Desktop machine (always on), it basically only manages E-Mail to and from my hosting service which is where most of the domains that I actually use for my 'public' E-Mails reside.

For outgoing E-Mail my postfix server just sends everything out to my ISP's 'smarthost'.

--
Chris Green
Re: Can i run postfix on my home IP
Thanks for all your answers.

My ISP has the free outgoing relay. So I can send email with my domain from their relay. All I need is to accept mails from my domain. So I was thinking about running postfix on my desk server.

Thank you
えりな
Re: Can i run postfix on my home IP
> Hello list,
>
> I have got a DSL from the ISP, having a static IP.
> Can I run postfix with this IP for accepting email for my own domain?
>
> Thank you
> えりな

Late to the party, but, certainly. Many here do.

However, exposing your mail port "to the world" might entice much more "unfriendly traffic" than you might imagine.

joe a
Re: Can i run postfix on my home IP
On 2022-01-13 04:00, Yamadaえりな wrote:
> Hello list,
>
> I have got a DSL from the ISP, having a static IP.
> Can I run postfix with this IP for accepting email for my own domain?

for sending no, for receiving yes

for the sending part you will need to ask for matching PTR at your isp
Re: Can i run postfix on my home IP
On 2022-01-13 04:18, Richard wrote:
> The quick answer is that it depends on whether your ISP has port 25
> open (both in and outbound). With consumer-grade connectivity it's
> generally not, so the type of connectivity that you have will impact
> this. Your terms of service may also legally preclude this, but
> that's an issue to be considered elsewhere.

yes, but there is no sense to block incoming port 25 with static ip, it can be blocked on dynamic ip, but are seldom on static, hope it makes sense, if port 25 is blocked on static ip for the outgoing connection most isp will open it on request, but would at same time ask for the ptr reverse dns to add, do not just use default ptr if sending mail direct to mx recipients
How can I build a reliable distribution list?
Hello!

I have a postfix server with one local and two virtual domains. For one of the virtual domains, I need a mail distribution list. I used the virtual alias list for a long time, but meanwhile I have many recipients that block mail from that list. An analysis from mx toolbox reports SPF trouble ("original" sender is some...@business.de, people get mail from distribut...@myserver.de).

I tried to set up a mailing list, but ended up having the same problems.

I tried to exchange the virtual domain with the local domain, but that didn't work and caused other problems.

I'm a bit at the end of my wits. All I want is that people can send a mail to distribut...@myserver.de and some 20 other people with various addresses will get that mail reliably. Being able to respond is a bonus, but not really necessary.

Could you please help me with that endeavour?

--
Markus Grunwald
https://www.the-grue.de/~markus/markus_grunwald.gpg
Re: Can i run postfix on my home IP
I have a postfix server both inbound and outbound in my own home, that is, my isp does not block traffic on port 25, it blocks it on 53

On 13/1/2022 at 15:24, Benny Pedersen wrote:
> On 2022-01-13 04:00, Yamadaえりな wrote:
> > Hello list,
> >
> > I have got a DSL from the ISP, having a static IP.
> > Can I run postfix with this IP for accepting email for my own domain?
>
> for sending no, for receiving yes
>
> for the sending part you will need to ask for matching PTR at your isp
Re: Can i run postfix on my home IP
On 2022-01-13 15:37, Francesc Peñalvez wrote:
> I have a postfix server both inbound and outbound in my own home, that
> is, my isp does not block traffic on port 25, it blocks it on 53

perfect, so basically your isp is stopping spam via no dns ?

reminds me of tele-danmark and piratebay dns blocked, while it was working with no problems if one just has own dns servers, now they have paid for the content sharing, but court in lyngby still ask isp to block piratebay, hellios :=)

lesson learned is courts should block domains with the registrars, not on dns
Re: Can i run postfix on my home IP
My isp does not provide email service, only internet and filters all DNS traffic, to block websites that it considers illegal, but it does not filter port 25, for example I cannot have my own DNS service since it blocks all inputs to port 53, my bind service only covers the lan, for the wan I use external service

On 13/1/2022 at 15:44, Benny Pedersen wrote:
> On 2022-01-13 15:37, Francesc Peñalvez wrote:
> > I have a postfix server both inbound and outbound in my own home, that
> > is, my isp does not block traffic on port 25, it blocks it on 53
>
> perfect, so basically your isp is stopping spam via no dns ?
>
> reminds me of tele-danmark and piratebay dns blocked, while it was
> working with no problems if one just has own dns servers, now they
> have paid for the content sharing, but court in lyngby still ask isp to
> block piratebay, hellios :=)
>
> lesson learned is courts should block domains with the registrars, not
> on dns
Re: How can I build a reliable distribution list?
On Thu, 2022-01-13 at 15:20 +0100, Markus Grunwald wrote:
>
> I'm a bit at the end of my wits. All I want is that people can
> send a mail to distribut...@myserver.de and some 20 other people
> with various addresses will get that mail reliably. Being able to
> respond is a bonus, but not really necessary.
>

The hardest problems often have the simplest statements.

An alias will never work due to SPF. A mailing list can, but you have to be careful with DKIM/DMARC. Those signatures protect the "From" address and the body of the message, so when the sender has a policy that insists the signature be valid, you either (a) can't touch them, or (b) can't retain the original sender/signature.

In short, you have to choose a mailing list package that is aware of the issues and can work around them, like the 3.x series of GNU Mailman. And then you have to configure it very carefully.
Re: How can I build a reliable distribution list?
On 2022-01-13 15:20, Markus Grunwald wrote:
> Could you please help me with that endeavour?

setup mailman, and set all recipients to only send, now you have a nice web archive all can read on, that will stop spamming, and it's not needed to be monitored much for this, and lastly not so fun for rbl list to help blocking
Re: How can I build a reliable distribution list?
Markus Grunwald:
> Hello!
>
> I have a postfix server with one local and two virtual
> domains. For one of the virtual domains, I need a mail
> distribution list. I used the virtual alias list for a long time,
> but meanwhile I have many recipients that block mail from that
> list. An analysis from mx toolbox reports SPF trouble ("original"
> sender is some...@business.de, people get mail from
> distribut...@myserver.de).
>
> I tried to set up a mailing list, but ended up having the same
> problems.

You need a list manager (such as gnu mailman) that replaces the From: header AND the envelope sender address (SMTP MAIL FROM) with the name of your list's domain.

Wietse
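What the rewrite described in the replies above changes for a receiving server, as an added example that is not part of any post in this thread: a simplified SPF/DKIM/DMARC model applied to alias forwarding, a list that keeps From:, and a list that rewrites From: and MAIL FROM. The example domains, host names, list addresses and the `X-Toy-DKIM` header are constructed; alignment is exact-domain only and a hash stands in for a real DKIM signature.

```python
import copy
import hashlib
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed stand-in for SPF DNS records: hosts allowed to send per domain.
SPF_HOSTS = {
    "business.example": {"mx.business.example"},
    "myserver.example": {"mail.myserver.example"},
}
LIST_ADDR = "distribution@myserver.example"            # hypothetical list address
LIST_BOUNCE = "distribution-bounces@myserver.example"  # hypothetical MAIL FROM
LIST_HOST = "mail.myserver.example"                    # hypothetical list server


def domain_of(address):
    return parseaddr(str(address))[1].rpartition("@")[2].lower()


def digest(msg):
    # Toy signature input: From: header plus body, the parts the thread says
    # the signatures protect. Real DKIM signs more headers with a private key.
    data = f"{msg['From']}\n{msg.get_content()}".encode()
    return hashlib.sha256(data).hexdigest()[:16]


def toy_sign(msg, signing_domain):
    del msg["X-Toy-DKIM"]  # no error if absent; avoids duplicate headers
    msg["X-Toy-DKIM"] = f"d={signing_domain}; h={digest(msg)}"


def toy_dkim_domain(msg):
    """Return the signing domain if the toy signature still verifies, else None."""
    sig = msg["X-Toy-DKIM"]
    if sig is None:
        return None
    d, _, h = str(sig).partition("; h=")
    return d[2:] if h == digest(msg) else None


def dmarc_pass(msg, envelope_from, sending_host):
    """Pass if SPF or DKIM succeeds for the From: domain (exact match only;
    real DMARC also accepts organizational-domain alignment)."""
    from_dom, env_dom = domain_of(msg["From"]), domain_of(envelope_from)
    spf_ok = sending_host in SPF_HOSTS.get(env_dom, set()) and env_dom == from_dom
    return spf_ok or toy_dkim_domain(msg) == from_dom


def list_resend(msg, rewrite_from):
    """Re-send through the list: add a footer, optionally take over From:."""
    out = copy.deepcopy(msg)
    out.set_content(msg.get_content() + "\n[sent via the list]\n")
    if rewrite_from:
        name, addr = parseaddr(str(msg["From"]))
        del out["From"]
        out["From"] = formataddr((f"{name or addr} via list", LIST_ADDR))
        out["Reply-To"] = addr               # replies still reach the author
        toy_sign(out, domain_of(LIST_ADDR))  # the list signs for its own domain
    return out, LIST_BOUNCE                  # envelope sender is the list's


def scenarios():
    msg = EmailMessage()
    msg["From"] = "Alice <alice@business.example>"
    msg["To"] = LIST_ADDR
    msg["Subject"] = "hello"
    msg.set_content("Meeting at ten.\n")
    unsigned = copy.deepcopy(msg)
    toy_sign(msg, "business.example")
    kept, kept_env = list_resend(msg, rewrite_from=False)
    rewritten, rewritten_env = list_resend(msg, rewrite_from=True)
    return {
        "direct": dmarc_pass(msg, "alice@business.example", "mx.business.example"),
        # virtual alias: message and envelope sender pass through unchanged
        "alias_forward": dmarc_pass(unsigned, "alice@business.example", LIST_HOST),
        "list_keeps_from": dmarc_pass(kept, kept_env, LIST_HOST),
        "list_rewrites_from": dmarc_pass(rewritten, rewritten_env, LIST_HOST),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20} DMARC {'pass' if ok else 'fail'}")
```
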
Re: How can I build a reliable distribution list?
you can either

* use mailman, of course, but it may be overkill
* use your *client* (thunderbird, windows live... ) to build a recipient list
* if there are few people in the list you can use the /etc/alias file, it works...

jdd

--
http://dodin.org
http://valeriedodin.com
Re: How can I build a reliable distribution list?
On 2022-01-13 15:54, Michael Orlitzky wrote:
> In short, you have to choose a mailing list package that is aware of
> the issues and can work around them, like the 3.x series of GNU
> Mailman. And then you have to configure it very carefully.

what if mailman did not accept subscribers with dmarc policy reject ?

what is left to fix then ?

oh dkim can reject on its own too :(

spf will change on next hop, so it's safe
Re: How can I build a reliable distribution list?
On 2022-01-13 16:06, Wietse Venema wrote:
> You need a list manager (such as gnu mailman) that replaces the
> From: header AND the envelope sender address (SMTP MAIL FROM) with
> the name of your list's domain.

if mailman can stop breaking dkim all problems are gone

postfix maillist does not use mailman as a proof of concept ? :=)
Re: How can I build a reliable distribution list?
Benny Pedersen:
> On 2022-01-13 16:06, Wietse Venema wrote:
>
> > You need a list manager (such as gnu mailman) that replaces the
> > From: header AND the envelope sender address (SMTP MAIL FROM) with
> > the name of your list's domain.
>
> if mailman can stop breaking dkim all problems are gone
>
> postfix maillist does not use mailman as a proof of concept ? :=)

I would not consider this mailing list as an example that everyone should follow.

Wietse
Re: How can I build a reliable distribution list?
On 1/13/22 10:36, Benny Pedersen wrote:
> On 2022-01-13 15:54, Michael Orlitzky wrote:
>
>> In short, you have to choose a mailing list package that is aware of
>> the issues and can work around them, like the 3.x series of GNU
>> Mailman. And then you have to configure it very carefully.
>
> what if mailman did not accept subscribers with dmarc policy reject ?

That is not a good idea. You may lose legitimate subscribers this way. Use a mailing list package that can handle header-from rewriting.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
SASL questions
While reading the Postfix SASL doc, (http://www.postfix.org/SASL_README.html#client_sasl), I puzzled over a few things.

- "The smtp_tls_security_level setting ensures that the connection to the remote smtp server will be encrypted, and smtp_sasl_tls_security_options removes the prohibition on plaintext passwords."

Is that incorrect? Surely one would not want to send passwords in plaintext as this seems to state?

- "With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP client to send username and password information to the mail gateway server. As discussed in the next section, the Postfix SMTP client supports multiple ISP accounts. For this reason the username and password are stored in a table that contains one username/password combination for each mail gateway server."

Figured I would ask before reading further. Is it not possible to authenticate to the same remote (receiver) with multiple sets of credentials?

I ask as preliminary discussion with a potential provider seemed to indicate a "per user" authentication is required. Still waiting for clarification on that point.

Thanks.
Re: SASL questions
On 2022-01-13 at 13:09:45 UTC-0500 (Thu, 13 Jan 2022 13:09:45 -0500)
Joe Acquisto-j4
is rumored to have said:

> While reading the Postfix SASL doc,
> (http://www.postfix.org/SASL_README.html#client_sasl),
> I puzzled over a few things.
>
> - "The smtp_tls_security_level setting ensures that the connection to the
> remote smtp server will be encrypted, and smtp_sasl_tls_security_options
> removes the prohibition on plaintext passwords."
>
> Is that incorrect? Surely one would not want to send passwords in plaintext
> as this seems to state?

But only sending plaintext passwords *over an encrypted channel.*

SASL has a bunch of mechanisms that provide safe authentication over a non-secure channel. It also has a few which are essentially plaintext, only armoring auth credentials with Base64 encoding. Mechanisms that never send the password unencrypted/unhashed over an unencrypted channel have the weakness that they require both sides to store the password in a recoverable form, whereas plaintext mechanisms allow the server to only store a 1-way hash of the password. Having the whole channel protected from sniffing and not having the password in a recoverable form on the server is a better choice than allowing in-the-clear transport and using a complex mechanism to just protect credential in transit while storing leakable passwords on the server.

> - "With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP
> client to send username and password information to the mail gateway server.
> As discussed in the next section, the Postfix SMTP client supports multiple
> ISP accounts. For this reason the username and password are stored in a table
> that contains one username/password combination for each mail gateway server."
>
> Figured I would ask before reading further. Is it not possible to
> authenticate to the same remote (receiver) with multiple sets of credentials?

Yes. The smtp_sasl_password_maps table can have full sender addresses, target MX hostnames, and next-hop domains as keys. For per-sender auth to work, you must also enable sender-dependent authentication. See the section on "Configuring Sender-Dependent SASL authentication" in the SOHO readme (http://www.postfix.org/SOHO_README.html#client_sasl_sender)

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: How can I build a reliable distribution list?
On Thu, Jan 13, 2022 at 03:20:57PM +0100, Markus Grunwald wrote:
> Hello!
>
> I have a postfix server with one local and two virtual domains. For one of
> the virtual domains, I need a mail distribution list. I used the virtual
> alias list for a long time, but meanwhile I have many recipients that block
> mail from that list. An analysis from mx toolbox reports SPF trouble
> ("original" sender is some...@business.de, people get mail from
> distribut...@myserver.de).
>
> I tried to set up a mailing list, but ended up having the same problems.
>
> I tried to exchange the virtual domain with the local domain, but that
> didn't work and caused other problems.
>
> I'm a bit at the end of my wits. All I want is that people can send a mail
> to distribut...@myserver.de and some 20 other people with various addresses
> will get that mail reliably. Being able to respond is a bonus, but not
> really necessary.
>
> Could you please help me with that endeavour?
>
> --
> Markus Grunwald
> https://www.the-grue.de/~markus/markus_grunwald.gpg

If the distribution itself is working, and the list of members doesn't change often, and it's only SPF that's getting in the way, perhaps the least disruptive solution is to add SRS to Postfix. The problem being that someone who sends to the list has SPF on their domain and a server who receives from the list bounces it because your server isn't allowed by the original sender's SPF.

Postsrsd can add SRS support to Postfix:

    https://github.com/roehling/postsrsd

But by itself, it's a bit of overkill. It applies SRS to all outgoing mail, not just the mail that is being forwarded to the distribution list. To limit SRS to only those messages that require it, you also need Postforward:

    https://github.com/zoni/postforward

If you have Debian, there is a postsrsd package, but no postforward package.

If this approach seems appropriate, after installing postsrsd and postforward, you need something like this:

/etc/postfix/main.cf:

    recipient_canonical_maps = tcp:localhost:10002
    recipient_canonical_classes = envelope_recipient,header_recipient

/etc/postfix/virtual:

    listmemb...@example.com listmember1
    listmemb...@something.org listmember2
    listmemb...@elsewhere.org listmember3

/etc/aliases:

    listmember1: "|/usr/local/bin/postforward listmemb...@example.com"
    listmember2: "|/usr/local/bin/postforward listmemb...@something.org"
    listmember3: "|/usr/local/bin/postforward listmemb...@elsewhere.org"

But this is probably only good if the recipient list doesn't change much, and you want to be in control of it when it does. Otherwise, it's too much bother managing the local aliases (unless you script it). Using mailing list software is a better option in general.

Using postsrsd without postforward would also be easier, as it would rewrite envelope addresses in all outgoing mail, so you don't need to fiddle with individual aliases.

cheers,
raf
Re: SASL questions
> On 2022-01-13 at 13:09:45 UTC-0500 (Thu, 13 Jan 2022 13:09:45 -0500)
> Joe Acquisto-j4
> is rumored to have said:
>
>> While reading the Postfix SASL doc,
>> (http://www.postfix.org/SASL_README.html#client_sasl),
>> I puzzled over a few things.
>>
>> - "The smtp_tls_security_level setting ensures that the connection to the
>> remote smtp server will be encrypted, and smtp_sasl_tls_security_options
>> removes the prohibition on plaintext passwords."
>>
>> Is that incorrect? Surely one would not want to send passwords in plaintext
>> as this seems to state?
>
> But only sending plaintext passwords *over an encrypted channel.*
>
> SASL has a bunch of mechanisms that provide safe authentication over a
> non-secure channel. It also has a few which are essentially plaintext, only
> armoring auth credentials with Base64 encoding. Mechanisms that never send
> the password unencrypted/unhashed over an unencrypted channel have the
> weakness that they require both sides to store the password in a recoverable
> form, whereas plaintext mechanisms allow the server to only store a 1-way hash
> of the password. Having the whole channel protected from sniffing and not
> having the password in a recoverable form on the server is a better choice
> than allowing in-the-clear transport and using a complex mechanism to just
> protect credential in transit while storing leakable passwords on the server.
>
>> - "With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP
>> client to send username and password information to the mail gateway server.
>> As discussed in the next section, the Postfix SMTP client supports multiple
>> ISP accounts. For this reason the username and password are stored in a table
>> that contains one username/password combination for each mail gateway
>> server."
>>
>> Figured I would ask before reading further. Is it not possible to
>> authenticate to the same remote (receiver) with multiple sets of credentials?
>
> Yes. The smtp_sasl_password_maps table can have full sender addresses,
> target MX hostnames, and next-hop domains as keys. For per-sender auth to work,
> you must also enable sender-dependent authentication. See the section on
> "Configuring Sender-Dependent SASL authentication" in the SOHO readme
> (http://www.postfix.org/SOHO_README.html#client_sasl_sender)
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

Thanks. I am having some problems getting the SASL thing working. Not looking for any "fix" advice, but would like to establish something in my mind.

Would it be valid to presume that an SMTP server that can be connected to, securely, via Outlook, Thunderbird and the other common clients, can be connected to via the postfix SASL stuff?

Or is SASL/Cyrus an equine of a different hue?

joe a.
Re: Virtual users with postfix and dovecot
Just a follow-up to correct a couple of things in case anyone is reading this in future:

main.cf includes:

    # Route inbound for valid recipients to dovecot
    virtual_transport = lmtp:unix:/var/spool/postfix/private/dovecot-lmtp
    lmtp_use_tls = no
    virtual_mailbox_domains = pjb.cc
    virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmailbox
    virtual_alias_maps = hash:/usr/local/etc/postfix/virtual

vmailbox:

    ml-postfix-us...@pjb.cc off-to-lmtp

virtual contains:

    mb170...@pjb.cc ml-postfix-us...@pjb.cc
    # +LOTS of others

The Dovecot users file includes:

    ml-postfix-us...@pjb.cc:,:10043:1::/var/vhome/%n
    # +LOTS of others

All working as expected.

--
Cheers,
Phil
Re: SASL questions
On 2022-01-13 at 20:26:53 UTC-0500 (Thu, 13 Jan 2022 20:26:53 -0500)
Joe Acquisto-j4
is rumored to have said:

[...]

> Would it be valid to presume that an SMTP server that can be connected to,
> securely, via Outlook, Thunderbird and the other common clients, can be
> connected to via the postfix SASL stuff?

No.

There are authentication mechanisms supported by interactive clients that are not supported by Cyrus. The most important ones are OAUTHBEARER and XOAUTH2, which require an out-of-band (web) interaction following the OAuth2 protocol, typically to support 2FA methods that require a live human interaction.

> Or is SASL/Cyrus an equine of a different hue?

SASL is a broad framework used by many application protocols (SMTP, IMAP, etc.) for authentication and each implementation is unique, but hopefully they are interoperable when needed. As long as the relay isn't requiring an authentication mechanism that is designed to exclude bots (such as those mentioned above) it should be possible to get Postfix (using Cyrus) to authenticate to it.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Blacklisted - SASL Login Attempt
Hello,

I see he tried to log in "authentication failed" and failed, but the IP is blacklisted, please why? should it not be blocked before.

-- OS
Debian 10.11 - Postfix - mail_version = 3.4.14

-- Main.cf
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/whitelistCIDR+IP, cidr:/etc/postfix/blacklistIP

-- BlacklistIP
root@mail:/etc/postfix# cat blacklistIP | grep 5.188.206.199
5.188.206.199 REJECT

-- Mail.log
Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after AUTH from unknown[5.188.206.199]
Re: Blacklisted - SASL Login Attempt
On 2022-01-14 07:33, Maurizio Caloro wrote:
> Hello,
>
> I see he tried to log in "authentication failed" and failed, but the IP is
> blacklisted, please why? should it not be blocked before.
>
> -- OS
> Debian 10.11 - Postfix - mail_version = 3.4.14
>
> -- Main.cf
> postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/whitelistCIDR+IP, cidr:/etc/postfix/blacklistIP
>
> -- BlacklistIP
> root@mail:/etc/postfix# cat blacklistIP | grep 5.188.206.199
> 5.188.206.199 REJECT
>
> -- Mail.log
> Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after AUTH from unknown[5.188.206.199]

This is smtps (port 465). Your config and blocklist is for postscreen which should only be enabled for port 25.

--
Christian Kivalo
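A way to see the gap described in the answer above across a whole log, as an added example that is not part of any post in this thread: it groups failed SASL logins by the listener that logged them and reports clients on the postscreen deny list that still reached AUTH. The first two log lines and the 5.188.206.199 entry are quoted from the thread; the other log lines and the 192.0.2.0/24 entry are constructed, and the regex assumes the `postfix/<service>/smtpd` syslog names seen in the quoted log.

```python
import base64
import ipaddress
import re
from collections import defaultdict

# cidr: table in the "pattern action" form quoted in the thread
# (second entry is constructed, using a documentation range).
SAMPLE_DENYLIST = """\
5.188.206.199   REJECT
192.0.2.0/24    REJECT
"""

# Lines 1-2 are quoted in the thread; lines 3-4 are constructed samples.
SAMPLE_LOG = """\
Jan 14 07:17:56 nmail postfix/smtps/smtpd[7809]: warning: unknown[5.188.206.199]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 14 07:17:57 nmail postfix/smtps/smtpd[7809]: lost connection after AUTH from unknown[5.188.206.199]
Jan 14 07:20:11 nmail postfix/submission/smtpd[7840]: warning: unknown[192.0.2.44]: SASL PLAIN authentication failed:
Jan 14 07:21:30 nmail postfix/smtpd[7850]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# Assumption: smtps/submission log as postfix/<service>/smtpd (as in the
# quoted log) and the port-25 smtpd behind postscreen logs as postfix/smtpd.
FAIL_RE = re.compile(
    r"postfix/(?:(?P<service>[\w-]+)/)?smtpd\[\d+\]: warning: "
    r"\S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed:\s*(?P<detail>.*)$"
)


def decode_challenge(detail):
    """The trailing token is the server's last base64 SASL prompt, not a
    credential; decode it when it is valid base64, else return it as-is."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return detail


def load_rejects(cidr_text):
    """Parse REJECT entries of a cidr: table into ip_network objects."""
    nets = []
    for line in cidr_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, action = line.split(None, 1)
        if action.upper().startswith("REJECT"):
            nets.append(ipaddress.ip_network(pattern, strict=False))
    return nets


def sasl_failures(log_text):
    """Yield (ip, service, mechanism, decoded detail) per failed SASL login."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield (m["ip"], m["service"] or "smtp", m["mech"],
                   decode_challenge(m["detail"].strip()))


def reached_sasl_despite_denylist(log_text, cidr_text):
    """Map each deny-listed client that still got to AUTH to its listeners."""
    nets = load_rejects(cidr_text)
    hits = defaultdict(set)
    for ip, service, _mech, _detail in sasl_failures(log_text):
        if any(ipaddress.ip_address(ip) in net for net in nets):
            hits[ip].add(service)
    return {ip: sorted(services) for ip, services in hits.items()}


if __name__ == "__main__":
    found = reached_sasl_despite_denylist(SAMPLE_LOG, SAMPLE_DENYLIST)
    for ip, services in found.items():
        print(f"{ip}: on the postscreen deny list, attempted AUTH via {services}")
```

Clients reported here were never checked against postscreen_access_list, because only the port 25 listener runs postscreen; refusing them on the other listeners needs a separate control there, such as a firewall rule.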