Re: match empty sender in hash: sender access map?

2022-04-14 Thread Matus UHLAR - fantomas

On 12.04.22 23:06, Greg Klanderman wrote:

Thank you Bill!  Knowing that now, I see where postmap(1) states:

| The postmap(1) command can query any supported file type, but it can
| create only the following file types:
| ... [types not including 'regexp' or 'pcre']



Also, the error if you 'postmap regexp:filename' is not useful:

postmap: fatal: unsupported dictionary type: regexp. Is the postfix-regexp package installed?

given I know I have regexp installed.



On April 13, 2022 Matus UHLAR - fantomas wrote:

regexp and postfix-regexp are two different things.
some SW distributions separate some map types to extra packages.
you also may not have postfix compiled with regexp map type, try running:
postconf -m


On 14.04.22 00:21, Greg Klanderman wrote:

Yes, 'postconf -m' includes regexp.  As Bill wrote, you can't postmap a
regexp: map type, as postfix reads the text format directly.  I
maintain that it would be a lot more useful if the error message
stated something to that effect when you mistakenly try to do that.


I guess it's a generic message for when "postmap" can't be done (postmap -q can).

It's understandable; perhaps the code for regexp (pcre, texthash) could instead 
produce this message:



    if ((dp = (DYMAP_INFO *) htable_find(dymap_info, dict_type)) == 0)
        msg_fatal("unsupported dictionary type: %s. "
                  "Is the postfix-%s package installed?",
                  dict_type, dict_type);
    if (!dp->mkmap_name)
        msg_fatal("unsupported dictionary type: %s does not support "
                  "bulk-mode creation.", dict_type);



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: DMARC in postfix ?

2022-04-14 Thread Demi Marie Obenour
On 4/12/22 23:31, John Levine wrote:
> For doing DMARC validation, I know about the opendmarc milter.  Is that what
> everyone uses?  Is there anything else used in practice?
> 
> I know about perl and python libraries but they don't seem to have
> milters or other ready to use integrations into MTAs.
> 
> TIA,
> John

I’m curious if DMARC, ARC, and other features should be supported in
Postfix natively.  I believe pretty much any Internet-facing MTA that
isn’t a null client needs them, and Exim has native support for at
least some of them.  I also trust that if it is in Postfix, it will be
implemented properly.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)



Re: DMARC in postfix ?

2022-04-14 Thread Wietse Venema
There is no need to build it in. There are
excellent implementations available.

But "exim does X" does not convince me.

Wietse


DKIM signature duplicated in headers

2022-04-14 Thread DL Neil
Have a multi-domain Postfix+Dovecot+MySQL+SpamAssassin working nicely.
Added OpenDKIM and it works, passing some 'tests', but not others. I
notice that outgoing mail appears to be signed twice. Is this correct?

The two signatures are otherwise identical but with marginally different
timestamps (and thus different hashes). I notice (of the few people who
appear to be using DKIM) Wietse's emails are signed only once - which
I'd imagine is correct (for at least two reasons...)

In case it is helpful, herewith Postfix definitions and a Validator
report (to save you looking at the (original) headers of this message):


main.cf
#DKIM
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
#smtpd_milters = local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

[should the non_smtpd_milters be (what appears to me, to be) a repetition?]

[Different tutorials use the socket approach, and others the one
implemented here. I'm curious about any pros-and-cons]



DKIMValidator.com
[first it reproduces the headers]

Original Message (includes)

DKIM-Filter: OpenDKIM Filter v2.11.0 vps.rangi.cloud 0AB68561C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=danceswithmice.info;
s=staff; t=1649930978;
bh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
h=Date:From:Subject:To:From;
b=aJM9/Vj+2t6x8sGjYbLXhcPCUc9W2dYJ6N4RrlFkbVNmnNbThZoC4UWsxY7hS610U
 l4+gOQ4N9Ya0+s3YWbMSdEykuzOA5Q+STyS3ljND5XRhV7QnHtK5vmXcGHxwL5ui6m
 0P1QOj2xjbK+i5toNKz9uOZcSHW+dRu8XWk6wyjSKl7afKCqtx6QgxptJRrOhiuU4M
 OoQw/jD5krI3SxHAaN/FcdoKoWIfGUdiYpLhXx/9YSkp3zFjQLVMAx0d6hzwWK7tbY
 4VooYnP1tTFSiG6u+DfBomD3Daw9YQ0MktkYHYpxkj/6AIRQDod7JkDOrbCqjDx4cK
 zPDnWfP7+E5pA==
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vps517507.ovh.net
X-Spam-Level:
X-Spam-Status: No, score=-3.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,T_SCC_BODY_TEXT_LINE autolearn=ham
autolearn_force=no version=3.4.0
Received: from [192.168.7.57] (118-92-199-252.dsl.dyn.ihug.co.nz
[118.92.199.252])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
(Authenticated sender: domainadmin@rangi.cloud)
by vps.rangi.cloud (Postfix) with ESMTPSA id 9AC0E5614
for ; Thu, 14 Apr 2022 10:09:36 +
(UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 vps.rangi.cloud 9AC0E5614
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=danceswithmice.info;
s=staff; t=1649930977;
bh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
h=Date:From:Subject:To:From;
b=S6fq1BJnSLkzf9o2ty+CQz1yx7OSbY7NVH33a1PeKGmDlLh3VS/O1gk1EMsgMAKr9 
qwMCjGJy0mZQ1ZMRDqh78HFDvgxLhCvcR6bM8WmvZmnr4EFYbUl0z4Hfne2gwxtRl+
 k+XCfk6iZt3eoNfQdbyqIcOAZRFL0u4jIgmSLh6FifPLF1koMoVQ7fWgEXgJ1CxC8g
 8CPu6tf/VUvzKTmBFbqVOGOEN9j2Hu39AYovLpl+huL7p2NHpoTut4py6+alp4gaXR 
yJq4N9WuGXJEqc4QP/Mz8CNWrdD0lHTZfHRafTf1XLz3sHd7ysfmeA0MktfgDtVnSi
 +V2ChfMaMQEEQ==
Message-ID: <3d3a6f7b-25ac-eeb3-06bd-7f4096b8c...@danceswithmice.info>


[Now it starts its analysis and reporting. Note how it picks-up both
signatures, but only one appears in the report below]

DKIM Signature
[snipped repetition of (both) above]

Signature Information:
v= Version: 1
a= Algorithm:   rsa-sha256
c= Method:  relaxed/simple
d= Domain:  danceswithmice.info
s= Selector:staff
q= Protocol:
bh= zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=
h= Signed Headers:  Date:From:Subject:To:From
b= Data:
aJM9/Vj+2t6x8sGjYbLXhcPCUc9W2dYJ6N4RrlFkbVNmnNbThZoC4UWsxY7hS610U
 l4+gOQ4N9Ya0+s3YWbMSdEykuzOA5Q+STyS3ljND5XRhV7QnHtK5vmXcGHxwL5ui6m
 0P1QOj2xjbK+i5toNKz9uOZcSHW+dRu8XWk6wyjSKl7afKCqtx6QgxptJRrOhiuU4M
 OoQw/jD5krI3SxHAaN/FcdoKoWIfGUdiYpLhXx/9YSkp3zFjQLVMAx0d6hzwWK7tbY
 4VooYnP1tTFSiG6u+DfBomD3Daw9YQ0MktkYHYpxkj/6AIRQDod7JkDOrbCqjDx4cK
 zPDnWfP7+E5pA==


[the next stage of the analysis shows where/how it picked-up the DKIM
settings]

Public Key DNS Lookup

Building DNS Query for staff._domainkey.danceswithmice.info
Retrieved this publickey from DNS:
v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqr7MeOrYgSUc17kYIR65gFTUX6/UjJvFySRw3kzG/Jp+G8bjLv6ssMaziw0EZBtFsI0moywuXq+n74xUWX/a2vOnmOnG/IAmtw5hg7eiUQFGgUx/MOeXIS1nU3ziekrAwWSEWEuF9/IaSPEhZZDBOGS2anBij/itTLo1tn32cA6I8dQ/4Gg58SVfBQw/KPupgn5URVtQAeGKDW3GInyAet7di2XHncEztCMYIlmAFWkfDS5dFd182pbusmBE+X86tKYjdVp7tf0Cim7zNUSf41IZgCG/fhM+d/d7MpX4Pe7iEsXnNRPDz/dKhHUv23ExvymVb/IL6QGcuMEm0Y3mLwIDAQAB

Validating Signature
result = pass
Details:

[I'm curious that there are no details - something I said - something
else that I should have done?]


Will welcome any and all advice, and/or pointers to further reading!
-- 
Regards,
=dn


Re: Best way forwarding to Gmail

2022-04-14 Thread Byung-Hee HWANG
(sorry i forgot one file)

> After all, i did make decision. See here:
> 

This is the full headers: (the above thing)


DKIM signature is an outbound's passport, at least, to me.

> To me, forwarding to Gmail is good, i keep moving on...
>
> Thanks to Ludi, Dominic, John, Benny, Rob and Venema ^^^

Thanks again here all professional of Postfix ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//


10s of REJECT messages multiple times a day

2022-04-14 Thread Dino Edwards
Hello,

We have various IPs that throughout the day hammer our server attempting to 
deliver messages to non-existent recipients. The messages get rejected because 
the recipients do not exist. This results in having 30 to 100 rejected emails 
at a time. What is the recommended way to combat this behavior?

Thanks




Re: 10s of REJECT messages multiple times a day

2022-04-14 Thread Sven Schwedas



What is the recommended way to combat this behavior?


I'd personally lean towards fail2ban or comparable solutions to 
aggregate Rejects with other suspicious behaviour on other ports and 
react with system-wide IP bans.


Fail2ban e.g. has examples for catching REJECTs in its wiki: 
http://www.fail2ban.org/wiki/index.php/Postfix
Plus built-in modules to handle Postfix SASL login failures and others. 
I expect the competition is doing the same.




Re: DKIM signature duplicated in headers

2022-04-14 Thread Wietse Venema
Mail is signed twice because Postfix receives it twice. I suggest
that you correlate the Received: headers with the DKIM signatures,
and decide where to enable DKIM signing. It may be easier to configure
this per-service in master.cf than globally in main.cf.

Wietse
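
One way to do the correlation suggested above, as an added example that is not part of the thread: it unfolds the headers, ties each DKIM-Signature to the queue ID OpenDKIM records in the DKIM-Filter header above it, looks up the Received: header with that queue ID, and reports when the same body hash was signed twice. The header block is constructed (placeholder hosts and queue IDs; only the bh= value is taken from the post), and treating a "from userid" Received: line as a local re-injection is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample, not the poster's real message: two OpenDKIM passes over
# one message, modelled on the thread. Top pair: a locally re-injected copy
# going through cleanup again; lower pair: the client's original submission.
SAMPLE_HEADERS = """\
DKIM-Filter: OpenDKIM Filter v2.11.0 mx.example.test 0AB68561C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.test;
\ts=staff; t=1649930978;
\tbh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
\th=Date:From:Subject:To:From;
\tb=SIGNATURE-ONE-PLACEHOLDER==
Received: by mx.example.test (Postfix, from userid 1001)
\tid 0AB68561C; Thu, 14 Apr 2022 10:09:38 +0000 (UTC)
Received: from [192.168.7.57] (client.example.test [192.0.2.10])
\t(Authenticated sender: user@example.test)
\tby mx.example.test (Postfix) with ESMTPSA id 9AC0E5614
\tfor <rcpt@example.test>; Thu, 14 Apr 2022 10:09:36 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx.example.test 9AC0E5614
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.test;
\ts=staff; t=1649930977;
\tbh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
\th=Date:From:Subject:To:From;
\tb=SIGNATURE-TWO-PLACEHOLDER==
Message-ID: <constructed@example.test>
"""

QUEUE_ID_RE = re.compile(r"\bid ([0-9A-Za-z]+)\b")


def unfold_headers(raw):
    """(name, value) pairs in message order, with folded lines joined."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_tags(value):
    """DKIM-Signature tag=value pairs, whitespace stripped from values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def hop_kind(received_value):
    """Heuristic: pickup(8) re-injections write 'from userid' into Received:."""
    if received_value is None:
        return "no matching Received: header"
    if "from userid" in received_value:
        return "local re-injection"
    return "inbound SMTP hop"


def signing_passes(raw):
    """One dict per DKIM-Signature, tied to the queue ID in the DKIM-Filter
    header above it and to the Received: header carrying the same ID."""
    headers = unfold_headers(raw)
    received = {}
    for name, value in headers:
        if name.lower() == "received":
            m = QUEUE_ID_RE.search(value)
            if m:
                received[m.group(1)] = value
    passes, filter_id = [], None
    for name, value in headers:
        if name.lower() == "dkim-filter":
            filter_id = value.split()[-1]  # last token is the queue ID
        elif name.lower() == "dkim-signature":
            tags = parse_tags(value)
            passes.append({
                "queue_id": filter_id,
                "domain": tags.get("d"),
                "selector": tags.get("s"),
                "timestamp": int(tags.get("t", "0")),
                "body_hash": tags.get("bh"),
                "hop": hop_kind(received.get(filter_id)),
            })
            filter_id = None
    return passes


def duplicate_signatures(passes):
    """Group by (d, s, bh); more than one entry is the same body signed twice."""
    groups = defaultdict(list)
    for p in passes:
        groups[(p["domain"], p["selector"], p["body_hash"])].append(p)
    return {key: group for key, group in groups.items() if len(group) > 1}
```

Running signing_passes() over the sample shows the first signature belongs to a local re-injection and the second to the authenticated SMTP submission, which is where to choose one path and turn signing off on the other.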


Re: DMARC in postfix ?

2022-04-14 Thread A. Schulze



Am 13.04.22 um 05:31 schrieb John Levine:
> For doing DMARC validation, I know about the opendmarc milter.  Is that what
> everyone uses?  Is there anything else used in practice?

Hello John,

rspamd handles DMARC as well.


But it's also a milter. This is intentional: Wietse / 
http://www.postfix.org/MILTER_README.html say
"Having yet another Postfix-specific version of all that software is a poor use 
of human and system resources."

Andreas


Re: 10s of REJECT messages multiple times a day

2022-04-14 Thread Steffen Nurpmeso
Sven Schwedas wrote in
 <1d9d281d-de64-8299-2bed-35fc9889f...@tao.at>:
 |
 |> What is the recommended way to combat this behavior?
 |
 |I'd personally lean towards fail2ban or comparable solutions to 
 |aggregate Rejects with other suspicious behaviour on other ports and 
 |react with system-wide IP bans.
 |
 |Fail2ban e.g. has examples for catching REJECTs in its wiki: 
 |http://www.fail2ban.org/wiki/index.php/Postfix
 |Plus built-in modules to handle Postfix SASL login failures and others. 
 |I expect the competition is doing the same.

I use firewall rules to assign traffic control dependent on the
hit count

    if fwcore_has_i smtp || fwcore_has_i smtps || fwcore_has_i submission; then
        change_chain i__smtp

        if [ -n "${FWCORE_SMTPX_NOLIMIT_PEERS}" ]; then
            for i in ${FWCORE_SMTPX_NOLIMIT_PEERS}; do

Whitelisting some which contribute most to my traffic.
Whitelisted also in graylist.  (I hate that I need two different
lists.)

                if ipaddr_split a "${i}"; then
                    if fwcore_has_i smtp; then
                        [ -z "${port}" -o "${port}" = smtp ] &&
                            add_rule -p tcp --src ${addr}${mask} \
                                --dport ${p_smtp} -m limit --limit 60/m -j f_m0_2
                    fi
                    if fwcore_has_i smtps; then
                        [ -z "${port}" -o "${port}" = smtps ] &&
                            add_rule -p tcp --src ${addr}${mask} \
                                --dport ${p_smtps} -m limit --limit 60/m -j f_m0_2
                    fi
                    #if fwcore_has_i submission; then
                    #    [ -z "${port}" -o "${port}" = submission ] &&
                    #        add_rule -p tcp --src ${addr}${mask} \
                    #            --dport ${p_smtps} -m limit --limit 60/m -j f_m0_2
                    #fi
                fi
            done
        fi

        #-m recent --name alien --set
        # Alienization now handled by cron-parse-mail.awk
        #   -m recent --name alien --set
        add_rule -m recent --name smtp --set \
            -m recent --name smtp ! --rcheck --seconds 600 --reap --hitcount 20 \
            -j f_m2
        add_rule -m recent --name smtp --rcheck --seconds 120 --hitcount 16 \
            -j f_m5
        add_rule -m recent --name smtp ! --rcheck --hitcount 32 -j f_m3
        add_rule -j f_m5
    fi

f_m2 is second best (VPN and ssh are best), f_m5 is the slowest
that is possible (1 percent of "max").  I.e. conn/marks are set,
traffic control is applied.
(This is a private server with only a high 3-digit number of
messages a day, the rest is noise.)

There are "alien"s which seem strange, and after appearing like
this multiple times they become "super_alien"s which are blocked
for quite some hours.  I found it impossible, really, to do this
automatically from within the firewall for SMTP (and HTTP),
because the firewall just does not know enough to make a decision.
Therefore I had to bite the bullet and finally write a primitive
log parser:

#!/usr/bin/awk -f
#@ Parse postfix log output, as via
#@   exec /root/bin/cron-parse-mail.awk < /var/log/mail

# DEBUG: 1=logger(1), >1=SANDBOX
BEGIN{ DEBUG = 0; sl = ""; xl = "" }

function doit(line){
    if((i = match(line, "\\[[^]]+\\]$")) != 0){
        j = substr(line, i + 1)
        j = substr(j, 1, length(j) - 1)

        if(!drops[j]){
            i = maydrops[j]
            if(!i)
                i = 0
            else if(i >= 2){
                drops[j] = 1
                if((i = match(line, " [^ ]+$")) != 0)
                    j = substr(line, i + 1)
                if(sl)
                    sl = sl " "
                sl = sl j
                return
            }
            maydrops[j] = ++i
        }
    }
}

# To avoid that "unknown" that tries evil is not blocked because we think
# it is only a local DNS error, treat logins special
/too many errors after AUTH from.+\[/ {doit($0); next;} # ]
/SSL_accept error from.+\[/ { # ]
    line = $0
    if((i = match(line, ": -?[[:alnum:]]+$")) != 0)
        line = substr(line, 1, i - 1)
    doit(line)
    next
}

/too many errors.+from unknown\[/{
    if((i = match($0, "\\[[^]]+\\]$")) != 0){
        j = substr($0, i + 1)
        j = substr(j, 1, length(j) - 1)

        if(unign[j])
            next

        if(!drops[j]){
            i = maydrops[j]
            if(!i)
                i = 0
            else if(i >= 2){
                # Could be local resolver error, try this first

This is only because my ISP gives me bind and powerdns via two
different IPs, after bind alone started producing errors once
I had finally turned on dnssec in my dnsmasq cache.
I.e. bind failed a lot for FreeBSD (maybe truncation, I have no
idea), and the other fails for other things (I am no longer
looking); anyhow, if all else fails we check Google DNS.

                if(DEBUG > 1)
                    es = 1
                else
                    es = system("{ command -v host && \
                        host " j " 8.8.8.8 || \
                        nslookup " j " 8.8.8.8; } >/dev/null 2>&1")

Re: 10s of REJECT messages multiple times a day

2022-04-14 Thread Togan Muftuoglu
> "DE" == Dino Edwards  writes:

DE> Hello, We have various IPs that throughout the day hammer our server
DE> attempting to deliver messages to non-existent recipients. The messages
DE> get rejected because the recipients do not exist. This results with having
DE> 30 to 100 rejected emails at a time. What is the recommended way to combat
DE> this behavior?

After having implemented postscreen with abusix and spamhaus, in my case such
emails have been dramatically reduced.

If you are not using postscreen you may want to give it a try.

Togan

-- 

Life is endless possibilities,
and there is choice!


Re: milter_header_checks, pcre, chroot

2022-04-14 Thread Matus UHLAR - fantomas

On 2022-03-19 17:49, Matus UHLAR - fantomas wrote:

this should be fixable by using proxymap, better than disabling chroot
http://www.postfix.org/proxymap.8.html


On 20.03.22 17:29, Jesper Dybdal wrote:

Thanks.  As far as I can see, I need to add
   proxy:regexp:/etc/postfix/regexp_milter_header_checks
to proxy_read_maps.  But proxy_read_maps has a long default value - is 
there a not-too-ugly way to add my  milter header checks to the value 
without losing the default value contents?


the funny part is that I have just encountered this problem, completely 
forgetting I solved it for you a month ago ;-)


Wietse already answered; so far I only added a comment to main.cf:

milter_header_checks = proxy:regexp:/etc/postfix/milter_header_checks.regexp
# defaults + $milter_header_checks
proxy_read_maps=$local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps 
$smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions 
$smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions 
$smtpd_recipient_restrictions 
$address_verify_sender_dependent_default_transport_maps 
$address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps 
$fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps 
$lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps 
$mailbox_command_maps $mailbox_transport_maps 
$postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps 
$sender_dependent_default_transport_maps $sender_dependent_relayhost_maps 
$smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps 
$smtp_sasl_password_maps $smtp_tls_policy_maps 
$smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps 
$virtual_uid_maps $milter_header_checks

(OT: Having looked at log files while implementing DMARC check, I am 
surprised to see that it seems to be not very unusual for companies to 
have p=reject in their DMARC policy but still send mail that does not 
pass DMARC - in some cases even with neither SPF nor DKIM.  I'm 
beginning to fear that it will be a while before DMARC can be really 
useful...)


since I did some statistic for our customer curious about this problem, 
there is one huge problem with this, and that is (of course) Microsoft.


It looks like neither Exchange servers nor their 365 services sign 
(non-)delivery messages, even when they contain their domains in From:, so 
if you use either of those, you can't afford any other policy than none.


OTOH, rejecting DMARC failures with policy reject should not be a problem, 
since there are just a few of them.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Virtual domains

2022-04-14 Thread Emmett Culley

I run a couple of mail servers using postfix, currently at version 2.10.1.

They are set up to send and receive email for multiple virtual domains and have 
been doing that beautifully for years.

I recently changed the host name of one of the servers from one domain I am 
hosting to another of the domains the server is serving.

Upon verifying the server I noticed that the Received: headers on email sent 
via that server now have the new host name, and so cause Thunderbird to show 
the from address in red for emails from domains that are different from the 
server's hostname.  To be honest, I have been seeing this for a long while and 
just ignored it until now.

Is there anything I can do to specify that the Received: headers have the 
"correct" domain name depending on what domain is sending an email (From:)?

I have DKIM working in such a manner.  When an email is sent for domain.one 
(From: domain.one) the DKIM signature contains the signature for domain.one, and 
if sent for domain.two (From: domain.two) it contains the DKIM signature for 
domain.two, no matter what the server's hostname is set to.

I guess I am asking if there is any way to map the sending domain written to 
the header (From: domain.tld) to the domain the email was sent as?  Similar to 
how opendkim does when choosing the DKIM signature to add to the outgoing 
email's header.

I would include the output of postconf, but it is very large and I don't know 
how to narrow it down to what is needed to help resolve this issue.

Emmett


Re: Virtual domains

2022-04-14 Thread Shawn Heisey

On 4/14/22 09:26, Emmett Culley wrote:
I would include the output of postconf, but it is very large and I 
don't know how to narrow it down to what is needed to help resolve 
this issue. 



Try "postconf -n".  This should only show settings that are different 
from default.


elyograg@bilbo:~$ postconf -n | wc -l
94
elyograg@bilbo:~$ postconf | wc -l
1059

Thanks,
Shawn



Re: Virtual domains

2022-04-14 Thread Emmett Culley

On 4/14/22 8:38 AM, Shawn Heisey wrote:

On 4/14/22 09:26, Emmett Culley wrote:
I would include the output of postconf, but it is very large and I don't know how to narrow it down to what is needed to help resolve this issue. 



Try "postconf -n".  This should only show settings that are different from 
default.

elyograg@bilbo:~$ postconf -n | wc -l
94
elyograg@bilbo:~$ postconf | wc -l
1059

Thanks,
Shawn



Thanks for that:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
bounce_queue_lifetime = 0
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
cyrus_destination_recipient_limit = 1
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
default_privs = mail
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
lmtp_sasl_type = cyrus
local_recipient_maps =
mail_owner = postfix
mailbox_command = /usr/bin/procmail -f- -a "$USER"
mailbox_size_limit = 128000
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 9
milter_default_action = accept
milter_protocol = 6
mydestination = localhost, 23.xxx.1.40, 23.xxx.1.38
mydomain = hostname.com
myhostname = hostname.com
mynetworks = 127.0.0.0/8, 23.249.1.67
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
owner_request_special = no
polite_destination_concurrency_failed_cohort_limit = 0
polite_destination_concurrency_limit = 2
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_destination_concurrency_limit = 2
smtp_extra_recipient_limit = 10
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_type = cyrus
smtp_tls_loglevel = 4
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_client_connection_count_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_unauth_pipelining, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_pipelining, reject_unauth_destination, reject_unlisted_recipient, 
reject_unverified_recipient, reject_rbl_client zen.spamhaus.org, 
reject_rbl_client bl.spamcop.net, permit
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_non_fqdn_sender, reject_unlisted_sender, reject_rhsbl_sender 
dsn.rfc-ignorant.org, permit
smtpd_timeout = 45s
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.something.else/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.something.else/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
turtle_destination_concurrency_failed_cohort_limit = 0
turtle_destination_concurrency_limit = 5
turtle_destination_rate_delay = 3s
turtle_destination_recipient_limit = 10
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-mydestination.cf
virtual_transport = cyrus
yahoo_destination_concurrency_limit = 10
yahoo_destination_rate_delay = 5s
yahoo_destination_recipient_limit = 2
yahoo_initial_destination_concurrency = 5


Re: Strange To: of e-mail on postfix-users

2022-04-14 Thread Daniel Azuelos
[ Rédigé dans le sens de lecture normal.
  Written in the usual reading direction. ]

Le (on) 09/04/2022, Bob Proulx  a écrit (wrote):

[...]
| For mailing lists using List-Id is the recommended method.
| 
| :0
| * ^List-Id: .*
| * ^list-Id: .*

Re: Virtual domains

2022-04-14 Thread Wietse Venema
Emmett Culley:
> Is there anything I can do to specify that the Received: headers
> have the "correct" domain name depending on what domain is sending
> an email (From:)?

The Received: headers contain the value of the "myhostname" parameter,
i.e.  the identity of this Postfix MTA instance. This name should
match the IP address where the MTA sends and receives mail.

Postfix can send and receive email on behalf of many domains. Email
is not like HTTP, and there is no requirement that the Postfix MTA
identity matches the name of every domain that it handles mail for.
But it is supported ever since Postfix got SNI support a few years
ago.

Wietse


Re: Virtual domains

2022-04-14 Thread Emmett Culley

On 4/14/22 9:58 AM, Wietse Venema wrote:

Emmett Culley:

Is there anything I can do to specify that the Received: headers
have the "correct" domain name depending on what domain is sending
an email (From:)?


The Received: headers contain the value of the "myhostname" parameter,
i.e.  the identity of this Postfix MTA instance. This name should
match the IP address where the MTA sends and receives mail.

Postfix can send and receive email on behalf of many domains. Email
is not like HTTP, and there is no requirement that the Postfix MTA
identity matches the name of every domain that it handles mail for.
But it is supported ever since Postfix got SNI support a few years
ago.

Wietse


Thanks Wietse.  I will study up on SNI.  I am working on new servers with 
RockyLinux 8 and so will also be using a newer version of postfix.

Emmett


Re: DKIM signature duplicated in headers

2022-04-14 Thread Jaroslaw Rafa
Dnia 14.04.2022 o godz. 23:21:18 DL Neil pisze:
> Have a multi-domain Postfix+Dovecot+MySQL+SpamAssassin working nicely.
> Added OpenDKIM and it works, passing some 'tests', but not others. I
> notice that outgoing mail appears to be signed twice. Is this correct?

How do you run SpamAssassin? As a milter or as a post-queue content filter,
that reinjects the mail back to Postfix?

Double signing is a known issue in the latter case (i.e. if you run SA as a
content filter). Switch to running SA as a milter and the issue will be
solved.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


always_bcc for selected recipients? map support?

2022-04-14 Thread PGNet Dev

I'd like to have my Postfix receiving instance always bcc mail for a specific 
set of recipients to another, off-site server.
And to do so regardless of whether the intended 'main' recipient address is 'up' for 
receiving @ subsequent Postfix transport delivery targets, or not.

Reading,

https://www.postfix.org/postconf.5.html#always_bcc

straightforward for bcc'ing all.

But I don't immediately see that it supports maps.

(1) does always_bcc support maps? (doc or example?)

(2) is there a better alternative than always_bcc for this use?


Re: DMARC in postfix ?

2022-04-14 Thread Benny Pedersen

On 2022-04-14 15:41, A. Schulze wrote:


But it's also a milter. This is intentional: Wietse /
http://www.postfix.org/MILTER_README.html say
"Having yet another Postfix-specific version of all that software is a
poor use of human and system resources."


so why have rspamd ucl, and lua ? :=)

if anything changes in postfix i would see forward to a lua implementation, 
so all sid-milter, opendkim, openarc, opendmarc can be scripted in 
postfix lua; having all that in core postfix is the incorrect way to go


but adding lua is the best compromise with the needs

but seen from the trustedproject standpoint, i think it would be to 
stabilize the rfc into something that can be used in postfix lua, so not 
5000 milters are then needed; also many fails would imho be avoided if all is 
known to work seamlessly together


all the above have low priority, waiting for spamassassin 4.x.x


Re: always_bcc for selected recipients? map support?

2022-04-14 Thread Benny Pedersen

On 2022-04-14 19:19, PGNet Dev wrote:


https://www.postfix.org/postconf.5.html#always_bcc

straightforward for bcc'ing all.

But I don't immediately see that it supports maps.


maps what ?


(1) does always_bcc support maps? (doc or example?)

(2) is there a better alternative that always_bcc for this use?


maybe use recipient_bcc ?

or sender_bcc ?

or combination of all

messy :)


Re: always_bcc for selected recipients? map support?

2022-04-14 Thread Wietse Venema
PGNet Dev:
> I'd like to have my Postfix receiving instance always bcc mail for a specific 
> set of recipients to another , off-site server.
> And to do so regardless of the intended 'main' recipient address being 'up' 
> for receiving @ subsequent Postfix transport delivery targets, or not.
> 
> Reading,
> 
>   https://www.postfix.org/postconf.5.html#always_bcc
> 
> straightforward for bcc'ing all.
> 
> But I don't immediately see that it supports maps.

Try sender_bcc_maps or recipient_bcc_maps.

Wietse


Re: always_bcc for selected recipients? map support?

2022-04-14 Thread PGNet Dev

Try sender_bcc_maps or recipient_bcc_maps.


once again, looking in the wrong place!

perfect, thx.


Re: milter_header_checks, pcre, chroot

2022-04-14 Thread Benny Pedersen

On 2022-04-14 16:58, Matus UHLAR - fantomas wrote:


OTOH, rejecting DMARC failures with policy reject should be not a
problem, since there's just a few of them.


since many mailing lists take ownership, it's not a problem at all :)

but it's more of a fail if opendkim rejects; i will leave it up to the readers' 
understanding why


Re: Strange To: of e-mail on postfix-users

2022-04-14 Thread Bob Proulx
Daniel Azuelos wrote:
> Are you still using procmail?

Yes.  I am still using procmail.  It is powerful, mature, and stable.

But more importantly you said YOU were using procmail.

>   I just found an email incorrectly filtered by my .procmailrc,
> because the To: wasn't postfix-users@postfix.org:

And therefore I answered with a procmail specific hint. :-)

Bob


spam emails with "to:" line missing

2022-04-14 Thread Fourhundred Thecat

Hello,

I am receiving spam emails, where the "to:" line is entirely missing in
the email header.

The header has "X-Original-To:" and "Delivered-To:", but no "to:" line.

I have pasted the header here: https://ctxt.io/2/AABg30FRFQ

How could I block such emails? Can I use header-check for this?

Are there any legitimate cases where "to:" might be missing?