dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Matt Kinni
I have opendkim configured via 'smtpd_milters' to sign all outbound 
mail, and my domain publishes a "quarantine" dmarc record to enforce the 
consequences of this.


I recently discovered that MAILER-DAEMON messages generated by postfix 
itself bypass this setup and do /not/ get signed, which unfortunately 
results in legitimate DSNs being filtered into the sender's spam/junk 
mail folder due to the dmarc policy (I confirmed this with gmail).


After doing some research, I learned that dkim signing can be forced for 
postfix's internally generated mails by setting 'non_smtpd_milters' in 
conjunction with 'internal_mail_filter_classes=bounce'; however, the 
manpage for the latter parameter has this cautionary message:

> NOTE: It's generally not safe to enable content inspection of 
> Postfix-generated email messages. The user is warned.

So I'm not sure what the best practice is here; postfix tries hard to 
prevent being a source of backscatter and thus outbound DSN messages 
should be rare, but in the event a legitimate bounce does need to be 
sent out, I'd like it to not end up in the sender's spam folder.  On the 
other hand, miltering mailer-daemon messages adds a point of failure to 
a privileged message class that should always be expected to succeed, 
which I imagine is why the manpage discourages it.


Thoughts?


Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Byung-Hee HWANG
Hello Matt,

Matt Kinni  writes:

> I have opendkim configured via 'smtpd_milters' to sign all outbound
> mail, and my domain publishes a "quarantine" dmarc record to enforce
> the consequences of this.
>
> I recently discovered that MAILER-DAEMON messages generated by postfix
> itself bypass this setup and do /not/ get signed, which unfortunately 
> results in legitimate DSNs being filtered into the sender's spam/junk
> mail folder due to the dmarc policy (I confirmed this with gmail).
>
> After doing some research, I learned that dkim signing can be forced
> for postfix's internally generated mails by setting
> 'non_smtpd_milters' in conjunction with
> 'internal_mail_filter_classes=bounce', however the manpage for the
> latter parameter has this cautionary message:
>>
>> NOTE: It's generally not safe to enable content inspection of
>> Postfix-generated email messages. The user is warned.
>>
>
> So I'm not sure what the best practice is here; postfix tries hard to
> prevent being a source of backscatter and thus outbound DSN messages 
> should be rare, but in the event a legitimate bounce does need to be
> sent out, I'd like it to not end up in the sender's spam folder.  On
> the other hand, miltering mailer-daemon messages adds a point of
> failure to a privileged message class that should always be expected
> to succeed, which I imagine is why the manpage discourages it.
>
> Thoughts?

Well, I think this is a useful thought:


Sincerely, Linux fan Byung-Hee

-- 
^Thank you _白衣從軍 (serving in the ranks as a commoner)_ Thank you_^))//


"Alternating" IPv4 / IPv6 connections

2022-05-09 Thread Nikolaos Milas

Hello,

In our setup we have two mail gateway servers accepting incoming mail 
(mailgw1.noa.gr [primary] and mailgw3.noa.gr), filtering mail (using 
postscreen, amavis, spamassassin, clamav) and forwarding to the internal 
mail server (vmail2.noa.gr) where user mailboxes lie.


All servers are running postfix 3.7.0.

I am trying to investigate why our mail gateway servers (mailgw1 and 
mailgw3) sometimes connect over IPv6 and some other times connect over 
IPv4 to deliver mail to vmail2.


As an example I am listing below some successive log entries (collated, 
usernames modified).


Why does this happen? I would expect all connections to be made using 
IPv6, since it is preferred over IPv4. Why don't all connections use IPv6?


Can you please help me to understand and correct any settings if/where 
needed?


At the bottom I list the output of postconf -n for mailgw1 and vmail2.

Log entries follow:

May 03 07:23:54 vmail2 postfix/smtpd[24699]: connect from 
mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:23:54 vmail2 postfix/smtpd[24699]: Anonymous TLS connection 
established from mailgw1.noa.gr[2001:648:2ffc:1115::27]: TLSv1.3 with 
cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:23:54 vmail2 postfix/smtpd[24699]: 3EA3681E8C1DE: 
client=mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:23:54 vmail2 postfix/cleanup[22675]: 3EA3681E8C1DE: 
message-id=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@email.amazonses.com>
May 03 07:23:54 vmail2 postfix/qmgr[27646]: 3EA3681E8C1DE: 
from=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@bounce.academia-mail.com>, 
size=63158, nrcpt=1 (queue active)
May 03 07:23:54 vmail2 postfix/smtpd[24699]: disconnect from 
mailgw1.noa.gr[2001:648:2ffc:1115::27] ehlo=2 starttls=1 mail=1 rcpt=1 
data=1 quit=1 commands=7
May 03 07:23:54 vmail2 postfix/lmtp[22677]: 3EA3681E8C1DE: 
to=, relay=vmail2.noa.gr[private/dovecot-lmtp], 
delay=0.35, delays=0.31/0.002/0.001/0.034, dsn=2.0.0, status=sent (250 
2.0.0  YC2SIVqucGJvYgAAcV+qjQ Saved)

May 03 07:23:54 vmail2 postfix/qmgr[27646]: 3EA3681E8C1DE: removed

May 03 07:24:17 vmail2 postfix/smtpd[24699]: connect from 
mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:24:17 vmail2 postfix/smtpd[24699]: Anonymous TLS connection 
established from mailgw1.noa.gr[2001:648:2ffc:1115::27]: TLSv1.3 with 
cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:17 vmail2 postfix/smtpd[24699]: 5415981E8C1DE: 
client=mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:24:17 vmail2 postfix/cleanup[22675]: 5415981E8C1DE: 
message-id=
May 03 07:24:17 vmail2 postfix/qmgr[27646]: 5415981E8C1DE: 
from=, size=25840, nrcpt=1 (queue active)
May 03 07:24:17 vmail2 postfix/smtpd[24699]: disconnect from 
mailgw1.noa.gr[2001:648:2ffc:1115::27] ehlo=2 starttls=1 mail=1 rcpt=1 
data=1 quit=1 commands=7
May 03 07:24:17 vmail2 postfix/lmtp[22677]: 5415981E8C1DE: 
to=, relay=vmail2.noa.gr[private/dovecot-lmtp], 
delay=0.1, delays=0.093/0.001/0.001/0.008, dsn=2.0.0, status=sent (250 
2.0.0  aEf1GXGucGJvYgAAcV+qjQ Saved)

May 03 07:24:17 vmail2 postfix/qmgr[27646]: 5415981E8C1DE: removed

May 03 07:24:26 vmail2 postfix/smtpd[24699]: connect from 
mailgw1.noa.gr[83.212.5.27]
May 03 07:24:26 vmail2 postfix/smtpd[24699]: Anonymous TLS connection 
established from mailgw1.noa.gr[83.212.5.27]: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:26 vmail2 postfix/smtpd[24699]: 0FE2A81E8C1DE: 
client=mailgw1.noa.gr[83.212.5.27]
May 03 07:24:26 vmail2 postfix/cleanup[22675]: 0FE2A81E8C1DE: 
message-id=<20220503042418.138f63f...@cl2n038.stanford.edu>
May 03 07:24:26 vmail2 postfix/qmgr[27646]: 0FE2A81E8C1DE: 
from=, size=4807, nrcpt=3 (queue active)
May 03 07:24:26 vmail2 postfix/smtpd[24699]: disconnect from 
mailgw1.noa.gr[83.212.5.27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 
quit=1 commands=7
May 03 07:24:26 vmail2 postfix/lmtp[22677]: 0FE2A81E8C1DE: 
to=, orig_to=, 
relay=vmail2.noa.gr[private/dovecot-lmtp], delay=0.18, 
delays=0.056/0.003/0.001/0.12, dsn=2.0.0, status=sent (250 2.0.0 
 uABAB3qucGJvYgAAcV+qjQ Saved)

May 03 07:24:26 vmail2 postfix/qmgr[27646]: 0FE2A81E8C1DE: removed

May 03 07:24:40 vmail2 postfix/smtpd[24699]: connect from 
mailgw1.noa.gr[83.212.5.27]
May 03 07:24:40 vmail2 postfix/smtpd[24699]: Anonymous TLS connection 
established from mailgw1.noa.gr[83.212.5.27]: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:40 vmail2 postfix/smtpd[24699]: DC30681E8C1DE: 
client=mailgw1.noa.gr[83.212.5.27]
May 03 07:24:40 vmail2 postfix/cleanup[22675]: DC30681E8C1DE: 
message-id=
May 03 07:24:41 vmail2 postfix/qmgr[27646]: DC30681E8C1DE: 
from=, size=4638210, nrcpt=1 (queue active)
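To quantify the pattern Nikolaos describes rather than eyeballing it, here is an added log-analysis example (not part of the original post and not Nikolaos's own tooling). It parses the two line shapes that matter, the receiving side's "connect from host[addr]" and the sending side's "relay=host[addr]:port", classifies each peer address by IP family with the standard library, and reports which peers were reached over both families. The sample log is constructed from the lines quoted in this thread, with the mailbox addresses replaced by a placeholder; non-IP relays such as the dovecot LMTP socket are skipped, and "disconnect from" lines are deliberately not counted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the vmail2 and mailgw1 lines quoted in this
# thread (only the fields the parser needs are kept; user@noa.gr is a placeholder).
SAMPLE_LOG = """\
May 03 07:23:54 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:23:54 vmail2 postfix/smtpd[24699]: disconnect from mailgw1.noa.gr[2001:648:2ffc:1115::27] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 03 07:23:54 vmail2 postfix/lmtp[22677]: 3EA3681E8C1DE: to=<user@noa.gr>, relay=vmail2.noa.gr[private/dovecot-lmtp], delay=0.35, dsn=2.0.0, status=sent (250 2.0.0 Saved)
May 03 07:24:17 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[2001:648:2ffc:1115::27]
May 03 07:24:26 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[83.212.5.27]
May 03 07:24:40 vmail2 postfix/smtpd[24699]: connect from mailgw1.noa.gr[83.212.5.27]
May 03 07:23:54 mailgw1 postfix/smtp[196405]: 4Ksn0B16bmzM016: to=<user@noa.gr>, relay=vmail2.noa.gr[2001:648:2011:15::166]:25, delay=0.41, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3EA3681E8C1DE)
May 03 07:23:54 mailgw1 postfix/lmtp[196406]: 4Ksn0768SXzLyyK: to=<user@noa.gr>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.8, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4Ksn0B16bmzM016)
"""

# "\bconnect from" cannot match inside "disconnect from" (there is no word
# boundary between the "s" and the "c"), so disconnects are not double-counted.
CONNECT_RE = re.compile(r"\bconnect from (?P<host>\S+?)\[(?P<addr>[^\]]+)\]")
RELAY_RE = re.compile(r"relay=(?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]")


def address_family(addr):
    """'IPv4', 'IPv6', or None for non-IP peers such as private/dovecot-lmtp."""
    try:
        return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"
    except ValueError:
        return None


def tally_protocols(log_text):
    """Count IPv4/IPv6 sessions per (direction, peer host) over a Postfix log."""
    tally = {}
    for line in log_text.splitlines():
        for direction, rx in (("inbound", CONNECT_RE), ("outbound", RELAY_RE)):
            m = rx.search(line)
            if m is None:
                continue
            family = address_family(m.group("addr"))
            if family is None:
                continue  # unix socket or other non-IP relay
            tally.setdefault((direction, m.group("host")), Counter())[family] += 1
    return tally


def alternating_peers(tally):
    """Peers seen over both families, i.e. the pattern asked about in the thread."""
    return sorted({host for (_, host), c in tally.items() if c["IPv4"] and c["IPv6"]})


def protocol_share(tally, direction, host):
    """Fraction of a peer's sessions that used IPv6 (0.0..1.0), or None if unseen."""
    c = tally.get((direction, host))
    if not c:
        return None
    return c["IPv6"] / (c["IPv4"] + c["IPv6"])


if __name__ == "__main__":
    t = tally_protocols(SAMPLE_LOG)
    for key, c in sorted(t.items()):
        print(key, dict(c))
    print("alternating:", alternating_peers(t))
```

Run it over a real `/var/log/mail.log` by replacing `SAMPLE_LOG` with the file contents; with `smtp_balance_inet_protocols` at its default, a share near 0.5 for a dual-stack peer is expected behaviour, not a fault.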

Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Wietse Venema
Matt Kinni:
> I have opendkim configured via 'smtpd_milters' to sign all outbound 
> mail, and my domain publishes a "quarantine" dmarc record to enforce the 
> consequences of this.
> 
> I recently discovered that MAILER-DAEMON messages generated by postfix 
> itself bypass this setup and do /not/ get signed, which unfortunately 
> results in legitimate DSNs being filtered into the sender's spam/junk 
> mail folder due to the dmarc policy (I confirmed this with gmail).
> 
> After doing some research, I learned that dkim signing can be forced for 
> postfix's internally generated mails by setting 'non_smtpd_milters' in 
> conjunction with 'internal_mail_filter_classes=bounce', however the 
> manpage for the latter parameter has this cautionary message:
>  >
>  > NOTE: It's generally not safe to enable content inspection of 
>  > Postfix-generated email messages. The user is warned.
>  >
> 
> So I'm not sure what the best practice is here; postfix tries hard to 
> prevent being a source of backscatter and thus outbound DSN messages 
> should be rare, but in the event a legitimate bounce does need to be 
> sent out, I'd like it to not end up in the sender's spam folder.  On the 
> other hand, miltering mailer-daemon messages adds a point of failure to 
> a privileged message class that should always be expected to succeed, 
> which I imagine is why the manpage discourages it.

It's generally not safe, because Postfix cannot prevent loops when,
for example,

- header_body_checks issues a FILTER action. Mail would loop between
Postfix and the content filter until the number of Received: headers
exceeds the hopcount_limit setting (default: 50).

- I don't quickly have an example of bad things that can happen
with Milter inspection of Postfix-generated mail. That doesn't mean
that such bad things don't exist.

Wietse


Re: "Alternating" IPv4 / IPv6 connections

2022-05-09 Thread Nikolaos Milas

On 9/5/2022 3:39 p.m., Nikolaos Milas wrote:
In our setup we have two mail gateway servers accepting incoming mail 
(mailgw1.noa.gr [primary] and mailgw3.noa.gr), filtering mail (using 
postscreen, amavis, spamassassin, clamav) and forwarding to the 
internal mail server (vmail2.noa.gr) where user mailboxes lie.

...


Transport is configured as follows (on mailgw1 and mailgw3 servers):

/etc/postfix/transportmap:

noa.gr  relay:[vmail2.noa.gr]
admin.noa.gr    relay:[vmail2.noa.gr]
nestor.noa.gr   relay:[vmail2.noa.gr]
space.noa.gr    relay:[vmail2.noa.gr]
meteo.noa.gr    relay:[vmail2.noa.gr]
gein.noa.gr relay:[vmail2.noa.gr]
technet.noa.gr  relay:[vmail2.noa.gr]
astro.noa.gr    relay:[vmail2.noa.gr]
hesperia-space.eu   relay:[vmail2.noa.gr]

If any additional information is required, I will be happy to share it 
with you.


Thanks,
Nick



Re: dnswl.org lookup error

2022-05-09 Thread Steffen Nurpmeso
Byung-Hee HWANG wrote in
 <87ee13qxa1.fsf@penguin>:
 ...
 |> First install a true local resolver such as bind9 or unbound and then
 |> switch your system to use it instead of systemd-resolved. To switch to 
 |> bind9 you could try my
 |> https://www.timedicer.co.uk/programs/help/bind9-resolved-switch.sh.php.
 |>
 |> [ If you want, bind9 can be set so that 'normal' lookups still go via
 |> external (public) resolvers (as you specify in 
 |> /etc/bind/named.conf.options), but lookups for RBLs are routed
 |> directly. Perhaps unbound can do the same (I haven't tried it). ]
 |
 |Wow it seems so difficult work! I need time to think! Thanks for your
 |kind advice!! Thanks again... Dominic ^^^

I have used dnsmasq for almost twenty years.  On the laptop it listens
on all ip netns namespaces etc. and /etc/resolv.conf is "nameserver
127.0.0.1".  It caches locally but otherwise only contacts the dnsmasq
on my vserv VM (via VPN address "server=192.0.2.1") where dnsmasq
sits for real.  dnsmasq.conf is

  #log-queries=extra
  #conf-dir=/etc/dnsmasq.d/,*.conf
  no-poll
  bogus-priv
  selfmx
  addn-hosts=/etc/hosts.local
  dnssec
  conf-file=/usr/share/dnsmasq/trust-anchors.conf
  # no-resolv,server= <- this is cool and can kind of split-DNS
  no-resolv
  server=ADDR1
  server=ADDR2
  server=8.8.8.8

^ I have only needed multiple selections since I enabled dnssec.
Before that, ADDR1 was enough.

  cache-size=1
  neg-ttl=30
  min-cache-ttl=30
  stop-dns-rebind

And i start dnsmasq via

  DNSMASQ_ARGS='--pid-file=${pid} '\
  '--conf-file=/root/hosts/${HOSTNAME}/dnsmasq.conf'

On the server resolv.conf is "nameserver 127.0.0.1" also.

I only use non-systemd systems and have no idea of that one.
('Can understand why you would want to put everything in one, but
do not like it.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: dnswl.org lookup error

2022-05-09 Thread Matus UHLAR - fantomas

Byung-Hee HWANG wrote in
<87ee13qxa1.fsf@penguin>:
...
|> First install a true local resolver such as bind9 or unbound and then
|> switch your system to use it instead of systemd-resolved. To switch to
|> bind9 you could try my
|> https://www.timedicer.co.uk/programs/help/bind9-resolved-switch.sh.php.
|>
|> [ If you want, bind9 can be set so that 'normal' lookups still go via
|> external (public) resolvers (as you specify in
|> /etc/bind/named.conf.options), but lookups for RBLs are routed
|> directly. Perhaps unbound can do the same (I haven't tried it). ]
|
|Wow it seems so difficult work! I need time to think! Thanks for your
|kind advice!! Thanks again... Dominic ^^^


On 09.05.22 16:21, Steffen Nurpmeso wrote:

I have used dnsmasq for almost twenty years.  On the laptop it listens
on all ip netns namespaces etc. and /etc/resolv.conf is "nameserver
127.0.0.1".  It caches locally but otherwise only contacts the dnsmasq
on my vserv VM (via VPN address "server=192.0.2.1") where dnsmasq
sits for real.  dnsmasq.conf is


dnsmasq is not a true resolver. It does DNS forwarding, which is unwanted in 
the case of mail servers because of DNS-based blocklists etc.



I only use non-systemd systems and have no idea of that one.
('Can understand why you would want to put everything in one, but
do not like it.)


I guess systemd-resolved does the same, just in a different way.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !


Re: "Alternating" IPv4 / IPv6 connections

2022-05-09 Thread Nikolaos Milas

On 9/5/2022 3:39 p.m., Nikolaos Milas wrote:

As an example I am listing below some successive log entries 
(collated, usernames modified). 


For your reference, I am posting below the log entries (usernames 
modified consistently) of the same sessions (which I listed in my 
original message), as logged at mailgw1.noa.gr


(You will notice that each session includes local delivery to amavis and 
return back for final deliver to vmail2.noa.gr):


May 03 07:23:50 mailgw1 postfix/smtpd[195932]: connect from 
a10-227.smtp-out.amazonses.com[54.240.10.227]
May 03 07:23:51 mailgw1 postfix/smtpd[195932]: Anonymous  connection 
established from a10-227.smtp-out.amazonses.com[54.240.10.227]: TLSv1.2 
with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
May 03 07:23:51 mailgw1 postfix/smtpd[195932]: 4Ksn0768SXzLyyK: 
client=a10-227.smtp-out.amazonses.com[54.240.10.227]
May 03 07:23:52 mailgw1 postfix/cleanup[196401]: 4Ksn0768SXzLyyK: 
message-id=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@email.amazonses.com>
May 03 07:23:52 mailgw1 postfix/qmgr[193390]: 4Ksn0768SXzLyyK: 
from=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@bounce.academia-mail.com>, 
size=61693, nrcpt=1 (queue active)
May 03 07:23:54 mailgw1 postfix/smtpd[196404]: connect from 
localhost[127.0.0.1]
May 03 07:23:54 mailgw1 postfix/smtpd[196404]: 4Ksn0B16bmzM016: 
client=localhost[127.0.0.1]
May 03 07:23:54 mailgw1 postfix/cleanup[196401]: 4Ksn0B16bmzM016: 
message-id=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@email.amazonses.com>
May 03 07:23:54 mailgw1 postfix/qmgr[193390]: 4Ksn0B16bmzM016: 
from=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@bounce.academia-mail.com>, 
size=62726, nrcpt=1 (queue active)
May 03 07:23:54 mailgw1 postfix/lmtp[196406]: 4Ksn0768SXzLyyK: 
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=2.8, 
delays=0.95/0/0.01/1.8, dsn=2.0.0, status=sent (250 2.0.0 from 
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Ksn0B16bmzM016)

May 03 07:23:54 mailgw1 postfix/qmgr[193390]: 4Ksn0768SXzLyyK: removed
May 03 07:23:54 mailgw1 postfix/smtpd[196404]: connect from 
localhost[127.0.0.1]
May 03 07:23:54 mailgw1 postfix/smtpd[196404]: 4Ksn0B16bmzM016: 
client=localhost[127.0.0.1]
May 03 07:23:54 mailgw1 postfix/cleanup[196401]: 4Ksn0B16bmzM016: 
message-id=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@email.amazonses.com>
May 03 07:23:54 mailgw1 postfix/qmgr[193390]: 4Ksn0B16bmzM016: 
from=<010001808828f889-bcb7b94b-b241-41c4-879f-353d04ea2966-000...@bounce.academia-mail.com>, 
size=62726, nrcpt=1 (queue active)
May 03 07:23:54 mailgw1 postfix/smtp[196405]: 4Ksn0B16bmzM016: 
to=, relay=vmail2.noa.gr[2001:648:2011:15::166]:25, 
delay=0.41, delays=0.05/0/0.04/0.32, dsn=2.0.0, status=sent (250 2.0.0 
Ok: queued as 3EA3681E8C1DE)

May 03 07:23:54 mailgw1 postfix/qmgr[193390]: 4Ksn0B16bmzM016: removed

May 03 07:24:15 mailgw1 postfix/smtpd[195934]: connect from 
66-220-155-141.mail-mail.facebook.com[66.220.155.141]
May 03 07:24:15 mailgw1 postfix/smtpd[195934]: Anonymous TLS connection 
established from 66-220-155-141.mail-mail.facebook.com[66.220.155.141]: 
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange 
X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
May 03 07:24:15 mailgw1 postfix/smtpd[195934]: 4Ksn0b6C9dzLyyK: 
client=66-220-155-141.mail-mail.facebook.com[66.220.155.141]
May 03 07:24:16 mailgw1 postfix/cleanup[196401]: 4Ksn0b6C9dzLyyK: 
message-id=
May 03 07:24:16 mailgw1 postfix/qmgr[193390]: 4Ksn0b6C9dzLyyK: 
from=, size=24266, nrcpt=1 (queue active)
May 03 07:24:17 mailgw1 postfix/smtpd[195932]: disconnect from 
a10-227.smtp-out.amazonses.com[54.240.10.227] ehlo=2 starttls=1 mail=1 
rcpt=1 data=1 quit=1 commands=7
May 03 07:24:17 mailgw1 postfix/smtpd[196411]: connect from 
localhost[127.0.0.1]
May 03 07:24:17 mailgw1 postfix/smtpd[196411]: 4Ksn0d20kHzM019: 
client=localhost[127.0.0.1]
May 03 07:24:17 mailgw1 postfix/cleanup[196401]: 4Ksn0d20kHzM019: 
message-id=
May 03 07:24:17 mailgw1 postfix/qmgr[193390]: 4Ksn0d20kHzM019: 
from=, size=25399, nrcpt=1 (queue active)
May 03 07:24:17 mailgw1 postfix/lmtp[196402]: 4Ksn0b6C9dzLyyK: 
to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.7, 
delays=0.5/0/0.01/1.2, dsn=2.0.0, status=sent (250 2.0.0 from 
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4Ksn0d20kHzM019)

May 03 07:24:17 mailgw1 postfix/qmgr[193390]: 4Ksn0b6C9dzLyyK: removed
May 03 07:24:17 mailgw1 postfix/smtp[196405]: 4Ksn0d20kHzM019: 
to=, relay=vmail2.noa.gr[2001:648:2011:15::166]:25, 
delay=0.16, delays=0.01/0/0.04/0.1, dsn=2.0.0, status=sent (250 2.0.0 
Ok: queued as 5415981E8C1DE)

May 03 07:24:17 mailgw1 postfix/qmgr[193390]: 4Ksn0d20kHzM019: removed


May 03 07:24:22 mailgw1 postfix/smtpd[195934]: connect from 
mx0a-0d04.pphosted.com[148.163.149.245]
May 03 07:24:23 mailgw1 postfix/smtpd[195934]: Anonymous TLS connection 
established from mx0a-0d04.pphosted.com[148.163.149.245]: TLSv1.2 
with

Re: "Alternating" IPv4 / IPv6 connections

2022-05-09 Thread Wietse Venema
Nikolaos Milas:
> Hello,
> 
> In our setup we have two mail gateway servers accepting incoming mail 
> (mailgw1.noa.gr [primary] and mailgw3.noa.gr), filtering mail (using 
> postscreen, amavis, spamassassin, clamav) and forwarding to the internal 
> mail server (vmail2.noa.gr) where user mailboxes lie.
> 
> All servers are running postfix 3.7.0.
> 
> I am trying to investigate why our mail gateway servers (mailgw1 and 
> mailgw3) sometimes connect over IPv6 and some other times connect over 
> IPv4 to deliver mail to vmail2.

I received complaints when some Linux distro shipped Postfix with
IPv4 and IPv6 support turned on. Under specific conditions, sites
could no longer send mail to destinations with IPv6+IPv4 primary
MX addresses even if those destinations were perfectly reachable
over IPv4.

- Postfix would never try IPv4, because it was configured to prefer
  IPv6, and the number of a destination's IPv6 primary MX addresses
  was >= $smtp_mx_address_limit.

- Postfix IPv6 support was on, but the host had no IPv6 connectivity.

- Not reported, but plausible: IPv6 was tunneled over IPv4, and
  IPv6 came from a different provider. Thus, IPv6 could go down
  while IPv4 still worked.

You get a similar result, failure to connect over IPv6, when Postfix
is configured to prefer IPv4, and IPv4 is down while IPv6 is up.

When Postfix IPv4 and IPv6 support are turned on, these Postfix
default settings will keep mail flowing as long as at least one of
the two protocols works:

smtp_address_preference = any

smtp_balance_inet_protocols = yes

If you must force IPv6 delivery, then I would recommend using a
dedicated SMTP client in transport_maps that overrides the above
settings (with "-o inet_protocols=ipv6").

I would STRONGLY advise not to override these defaults for email
deliveries across the internet, or else Postfix will fail to try to
deliver over IPv6 (or IPv4) when the other protocol is down.

Wietse
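Wietse's two recommendations written out as configuration, as an added example that is not from the thread: the dual-stack defaults left in place for general delivery, plus a dedicated SMTP client for the one internal hop where IPv6 is to be forced. The service name "relay-ipv6" is assumed; the transport map path and the domains are the ones Nikolaos posted, and "-o inet_protocols=ipv6" is the override Wietse names.

```conf
# main.cf on mailgw1 / mailgw3: the defaults Wietse names, made explicit.
# With both of these in place, mail keeps flowing as long as one protocol works.
inet_protocols = all
smtp_address_preference = any
smtp_balance_inet_protocols = yes
transport_maps = hash:/etc/postfix/transportmap

# master.cf: a second SMTP client (assumed name "relay-ipv6") restricted to
# IPv6. Destinations not routed to it keep the balanced default behaviour.
relay-ipv6 unix  -       -       n       -       -       smtp
  -o syslog_name=postfix/$service_name
  -o inet_protocols=ipv6

# /etc/postfix/transportmap: only the internal hop goes through the IPv6-only
# client; run "postmap /etc/postfix/transportmap" after editing.
noa.gr            relay-ipv6:[vmail2.noa.gr]
admin.noa.gr      relay-ipv6:[vmail2.noa.gr]
```

The trade-off is the one Wietse spells out: with this routing, mail to vmail2 stays queued while the IPv6 path is down even if IPv4 still works, so it only makes sense for a destination whose IPv6 reachability you control.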


Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Bernardo Reino

On 09/05/2022 12:48, Matt Kinni wrote:
I have opendkim configured via 'smtpd_milters' to sign all outbound 
mail, and my domain publishes a "quarantine" dmarc record to enforce the 
consequences of this.


I recently discovered that MAILER-DAEMON messages generated by postfix 
itself bypass this setup and do /not/ get signed, which unfortunately 
results in legitimate DSNs being filtered into the sender's spam/junk 
mail folder due to the dmarc policy (I confirmed this with gmail).


If you are using DMARC I assume you have also setup SPF correctly, so 
that DMARC should pass even if your messages are not DKIM signed.


Maybe you can explain what you mean with "I confirmed this with gmail", 
as it's generally very hard to confirm *anything* with gmail, i.e. the 
reason why a certain mail will be rejected or land in junk.


Cheers,
Bernardo


Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Wietse Venema
Wietse Venema:
> Matt Kinni:
> > I have opendkim configured via 'smtpd_milters' to sign all outbound 
> > mail, and my domain publishes a "quarantine" dmarc record to enforce the 
> > consequences of this.
> > 
> > I recently discovered that MAILER-DAEMON messages generated by postfix 
> > itself bypass this setup and do /not/ get signed, which unfortunately 
> > results in legitimate DSNs being filtered into the sender's spam/junk 
> > mail folder due to the dmarc policy (I confirmed this with gmail).
> > 
> > After doing some research, I learned that dkim signing can be forced for 
> > postfix's internally generated mails by setting 'non_smtpd_milters' in 
> > conjunction with 'internal_mail_filter_classes=bounce', however the 
> > manpage for the latter parameter has this cautionary message:
> >  >
> >  > NOTE: It's generally not safe to enable content inspection of 
> >  > Postfix-generated email messages. The user is warned.
> >  >
> > 
> > So I'm not sure what the best practice is here; postfix tries hard to 
> > prevent being a source of backscatter and thus outbound DSN messages 
> > should be rare, but in the event a legitimate bounce does need to be 
> > sent out, I'd like it to not end up in the sender's spam folder.  On the 
> > other hand, miltering mailer-daemon messages adds a point of failure to 
> > a privileged message class that should always be expected to succeed, 
> > which I imagine is why the manpage discourages it.
> 
> It's generally not safe, because Postfix cannot prevent loops when,
> for example,
> 
> - header_body_checks issues a FILTER action. Mail would loop between
> Postfix and the content filter until the number of Received: headers
> exceeds the hopcount_limit setting (default: 50).
> 
> - I don't quickly have an example of bad things that can happen
> with Milter inspection of Postfix-generated mail. That doesn't mean
> that such bad things don't exist.

So, with that caveat you can turn on DKIM signing of bounce messages.

Wietse


Re: dnswl.org lookup error

2022-05-09 Thread Steffen Nurpmeso
Matus UHLAR - fantomas wrote in
 :
 |>Byung-Hee HWANG wrote in
 |> <87ee13qxa1.fsf@penguin>:
 |> ...
 |>|> First install a true local resolver such as bind9 or unbound and then
 |>|> switch your system to use it instead of systemd-resolved. To switch to
 |>|> bind9 you could try my
 |>|> https://www.timedicer.co.uk/programs/help/bind9-resolved-switch.sh.php.
 ...
 |On 09.05.22 16:21, Steffen Nurpmeso wrote:
 |>I use dnsmasq for almost twenty years.  On the laptop it listens
 |>on all ip netns namespaces etc and /etc/resolv.conf is "nameserver
 |>127.0.0.1".  It locally caches but otherwise only contacts dnsmasq
 |>on my vserv VM (via VPN address "server=192.0.2.1") where dnsmasq
 |>sits for real.  dnsmasq.conf is
 |
 |dnsmasq is not a true resolver. It does DNS forwarding, which is unwanted
 |in case of mailservers because of DNS-based blocklists etc.

Well, it can do a lot and even act authoritatively for some stuff;
it calls itself a caching DNS server.  Note I use it, but it can do
much more than I ever asked of it.  Which is true for all my
program use cases btw, even including vim(1), which I have used for so long.
(In the meantime I even use it to deliver DHCP in some network
namespaces, namely vm, and there I have the problem that it does
not act authoritatively for IPv6 even though it did assign an IPv4
address, which is a problem since by default many
things-to-be-resolved send out A and AAAA and only one is
answered, the other is forwarded, which is a nuisance .. but I got
no answer a couple of months back .. IPv6 is disabled here, I had
to reread the RFCs and learn it anew.)

I do use _rbl_ stuff with zen.spamhaus.org and dnsbl.sorbs.net and
sometimes it even hits?  But I am not a postfix configuration
expert and may well be misunderstanding what you mean.

 |>I only use non-systemd systems and have no idea of that one.
 |>('Can understand why you would want to put everything in one, but
 |>do not like it.)
 |
 |I guess systemd-resolved does the same, just different way.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
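What Matus means by a forwarder being "unwanted" for DNSBL use is visible in the answers the lists return: when queries arrive from a shared or public resolver, Spamhaus and dnswl.org stop answering "listed/not listed" and instead return a special code that a naive check mistakes for a listing, or for a clean result. The following added example (not from either poster, and not Postfix's own DNSBL logic) builds the reversed-octet query name, decodes an answer set into listed / not-listed / refused / unexpected, and wraps a live lookup that distinguishes NXDOMAIN from a resolver failure. The refusal codes are the ones published by Spamhaus (127.255.255.252/254/255) and dnswl.org (127.0.0.255); treat that table as an assumption to re-check against each operator's documentation, and the offline test uses constructed answer sets only.

```python
import ipaddress
import socket

# Answers that mean "the list refused your query", not "the address is listed".
# Spamhaus and dnswl.org return-code documentation is the source; assumption to
# verify against each zone's own docs before relying on it.
REFUSAL_CODES = {
    "zen.spamhaus.org": {
        "127.255.255.252": "typing error in the DNSBL name",
        "127.255.255.254": "query sent via a public/open resolver",
        "127.255.255.255": "excessive number of queries",
    },
    "list.dnswl.org": {
        "127.0.0.255": "blocked for excessive queries (shared resolver)",
    },
}

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def query_name(client_ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this helper only builds IPv4 DNSBL names")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def classify(zone, answers):
    """answers: list of A-record strings, empty for NXDOMAIN. Returns (verdict, detail)."""
    if not answers:
        return ("not-listed", None)
    refusals = REFUSAL_CODES.get(zone, {})
    for a in answers:
        if a in refusals:
            # The list is telling us about *our* resolver, not about the client.
            return ("lookup-refused", refusals[a])
    for a in answers:
        try:
            inside = ipaddress.ip_address(a) in LOOPBACK_NET
        except ValueError:
            inside = False
        if not inside:
            # Real listings live in 127/8; anything else is a wildcard or hijack.
            return ("unexpected-answer", a)
    return ("listed", sorted(answers))


def lookup(client_ip, zone):
    """Live lookup through the system resolver (not exercised by the offline test)."""
    name = query_name(client_ip, zone)
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror as e:
        if e.errno == socket.EAI_NONAME:
            return classify(zone, [])          # NXDOMAIN: not listed
        return ("lookup-failed", str(e))       # timeout, SERVFAIL, etc.
    return classify(zone, addrs)


if __name__ == "__main__":
    # 127.0.0.2 is the conventional "always listed" test address.
    print(lookup("127.0.0.2", "zen.spamhaus.org"))
```

If the live call reports "lookup-refused" for the test address, the mail server's queries are reaching the list through a forwarder or public resolver, which is the situation a local recursive resolver on the mail host avoids.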


Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Viktor Dukhovni
On Mon, May 09, 2022 at 03:03:42PM -0400, Wietse Venema wrote:

> > - I don't quickly have an example of bad things that can happen
> > with Milter inspection of Postfix-generated mail. That doesn't mean
> > that such bad things don't exist.
> 
> So, with that caveat you can turn on DKIM signing of bounce messages.

Bounces to external domains are "backscatter", and should ideally be
rather rare, in so far as recipient validation should reject most if not
all inbound mail that is undeliverable *before* it is accepted into the
Postfix queue.

That said, if quotas are in place, or some other issue prevents delivery
for a valid recipient, the occasional bounce may take place.

There is a modest risk that the bounced content may contain spam or
malware, and so it is not ideal to impute your site's reputation to
such content by adding a DKIM signature.

A reasonable work-around on an inbound MTA is to configure Postfix
to bounce only the headers, dropping all other message content:

bounce_size_limit = 1

With that, the returned message carries at most a spammy subject...

-- 
Viktor.


Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Matus UHLAR - fantomas

On 09/05/2022 12:48, Matt Kinni wrote:
I have opendkim configured via 'smtpd_milters' to sign all outbound 
mail, and my domain publishes a "quarantine" dmarc record to enforce 
the consequences of this.


I recently discovered that MAILER-DAEMON messages generated by 
postfix itself bypass this setup and do /not/ get signed, which 
unfortunately results in legitimate DSNs being filtered into the 
sender's spam/junk mail folder due to the dmarc policy (I confirmed 
this with gmail).


On 09.05.22 20:59, Bernardo Reino wrote:
If you are using DMARC I assume you have also setup SPF correctly, so 
that DMARC should pass even if your messages are not DKIM signed.


You'll get errors from people who forward their mail (especially to gmail), 
setting the envelope from to MAILER-DAEMON@(your domain).


I got some of those.

Maybe you can explain what you mean with "I confirmed this with 
gmail", as it's generally very hard to confirm *anything* with gmail, 
i.e. the reason why a certain mail will be rejected or land in junk.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Eagles may soar, but weasels don't get sucked into jet engines.
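The thread's conclusions combined into one main.cf fragment, as an added example that is not from any of the posters: the non_smtpd_milters route Matt found, Viktor's bounce_size_limit so that a signed bounce carries headers only, and milter_default_action, a real Postfix parameter whose default is tempfail, set so that an unreachable OpenDKIM makes the bounce go out unsigned rather than stalling the privileged class Matt was worried about. The OpenDKIM socket path is assumed. Signing the bounce also covers Matus's forwarding case, since DKIM, unlike SPF, does not depend on the IP of the last hop.

```conf
# main.cf (added example; the OpenDKIM socket path is an assumption)
smtpd_milters = unix:/run/opendkim/opendkim.sock

# Also pass mail that Postfix generates itself through the same milters ...
non_smtpd_milters = $smtpd_milters

# ... but only the bounce/DSN class, not the other internal classes.
internal_mail_filter_classes = bounce

# Milter unreachable: deliver unsigned instead of deferring (default: tempfail).
milter_default_action = accept

# Viktor's point: return only the headers, so bounced spam or malware is never
# re-sent under your signature.
bounce_size_limit = 1

# Wietse's loop warning applies to content filters, not to the milter above:
# keep header_checks / body_checks free of FILTER actions for this class.
```

Check the result with `postconf -n | grep -E 'milter|bounce_size'` and by examining a test bounce's headers for a DKIM-Signature: line before trusting the DMARC outcome.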