[pfx] SPF: HELO does not publish an SPF Record
Hello,

I have domain mydomain.com, with mx record:

  $ host -t mx mydomain.com
  mail.mydomain.com

and I have SPF record on my domain:

  host -t txt mydomain.com

which is the ip address of mail.mydomain.com

I have no SPF record on mail.mydomain.com itself.

Now, when I check my email score on mail-tester.com, it says:

  SPF_HELO_NONE SPF: HELO does not publish an SPF Record

and lastly, I have

  smtp_helo_name = mail.mydomain.com

Does it mean that I should either:

  1) create SPF record for mail.mydomain.com

or

  2) change smtp_helo_name to

     smtp_helo_name = $mydomain

?

thanks,

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: SPF: HELO does not publish an SPF Record
On 12.04.23 12:41, Fourhundred Thecat via Postfix-users wrote:
> I have domain mydomain.com, with mx record:

Use example.com unless you are real owner of mydomain.com

> I have no SPF record on mail.mydomain.com itself.
>
> Now, when I check my email score on mail-tester.com, it says:
>
>   SPF_HELO_NONE SPF: HELO does not publish an SPF Record

this is just informative message, it does not cause any problem.

> and lastly, I have
>
>   smtp_helo_name = mail.mydomain.com
>
> Does it mean that I should either:
>
>   1) create SPF record for mail.mydomain.com
>
> or
>
>   2) change smtp_helo_name to
>
>      smtp_helo_name = $mydomain

I would do the first:

fantomas.fantomas.sk descriptive text "v=spf1 a -all"

but the latter is viable option too.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The only substitute for good manners is fast reflexes.
[pfx] Re: SPF: HELO does not publish an SPF Record
> 2) change smtp_helo_name to
>
>    smtp_helo_name = $mydomain

It is very strange, i think.

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//
[pfx] Re: SPF: HELO does not publish an SPF Record
> On 2023-04-12 14:48, Byung-Hee HWANG via Postfix-users wrote:
>> 2) change smtp_helo_name to
>>
>>    smtp_helo_name = $mydomain
>
> It is very strange, i think.

what do you mean?
is it strange to use example.com, instead of mail.example.com as
smtp_helo_name, when the smtp client is actually mail.example.com ?
[pfx] Re: SPF: HELO does not publish an SPF Record
Fourhundred Thecat via Postfix-users:
> > On 2023-04-12 14:48, Byung-Hee HWANG via Postfix-users wrote:
> >>2) change smtp_helo_name to
> >>
> >>   smtp_helo_name = $mydomain
> >
> > It is very strange, i think.
>
> what do you mean?
> is it strange to use example.com, instead of mail.example.com as
> smtp_helo_name, when the smtp client is actually mail.example.com ?

The smtp_helo_name used in the Postfix SMTP client should resolve to the
client IP address that is seen by a remote SMTP server.

Thus, setting smtp_helo_name=$mydomain may appear to work when your
domain has only one machine that sends email, but it does not work
well when there are multiple machines.

	Wietse
[pfx] Re: SPF: HELO does not publish an SPF Record
> On 2023-04-12 15:30, Wietse Venema via Postfix-users wrote:
> Fourhundred Thecat via Postfix-users:
>> > On 2023-04-12 14:48, Byung-Hee HWANG via Postfix-users wrote:
>
> The smtp_helo_name used in the Postfix SMTP client should resolve to the
> client IP address that is seen by a remote SMTP server.
>
> Thus, setting smtp_helo_name=$mydomain may appear to work when your
> domain has only one machine that sends email, but it does not work
> well when there are multiple machines.

OK, I see.
So should the client (mail.example.com) then have its own SPF record,
in addition to the domain itself (example.com) ?
[pfx] Re: SPF: HELO does not publish an SPF Record
Fourhundred Thecat via Postfix-users:
> > On 2023-04-12 15:30, Wietse Venema via Postfix-users wrote:
> > Fourhundred Thecat via Postfix-users:
> >> > On 2023-04-12 14:48, Byung-Hee HWANG via Postfix-users wrote:
> >
> > The smtp_helo_name used in the Postfix SMTP client should resolve to the
> > client IP address that is seen by a remote SMTP server.
> >
> > Thus, setting smtp_helo_name=$mydomain may appear to work when your
> > domain has only one machine that sends email, but it does not work
> > well when there are multiple machines.
>
> OK, I see.
> So should the client (mail.example.com) then have its own SPF record,
> in addition to the domain itself (example.com) ?

Yes, if you must use SPF.

In that case you may also want to "close a loophole", by configuring
one SPF record for every name in the domain that does NOT send
email. Otherwise those names would not be "protected" with SPF
(would evaluate to "neutral").

	Wietse
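Added example, not part of any list message and not Postfix or SpamAssassin code: a small Python sketch of the HELO-identity SPF check discussed in this thread, run against a constructed in-memory zone. The example.com names, the documentation addresses and the "v=spf1 -all" record for the non-sending name are assumptions; only the a, ip4 and all mechanisms are handled, and result names follow RFC 7208.

```python
import ipaddress

# Constructed zone data: example.com names and RFC 5737 documentation
# addresses are assumptions, not values from the thread.
ZONE = {
    "example.com":      {"A": ["192.0.2.10"], "TXT": ["v=spf1 ip4:192.0.2.25 -all"]},
    "mail.example.com": {"A": ["192.0.2.25"]},   # HELO name, no SPF record yet
    "www.example.com":  {"A": ["192.0.2.10"]},   # name that never sends mail
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_helo(zone, helo_name, client_ip):
    """Evaluate SPF for a HELO identity; only a, ip4 and all are handled."""
    name = helo_name.lower().rstrip(".")
    records = [t for t in zone.get(name, {}).get("TXT", [])
               if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"       # reported by SpamAssassin as SPF_HELO_NONE
    if len(records) > 1:
        return "permerror"  # RFC 7208: more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        kind, _, arg = mech.partition(":")
        kind = kind.lower()
        if kind == "all":
            matched = True
        elif kind == "a":   # client IP must be an A record of the target name
            matched = str(ip) in zone.get((arg or name).lower(), {}).get("A", [])
        elif kind == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # nothing matched and the record has no "all"

def with_helo_records(zone):
    """Copy the zone, adding the HELO record and a deny-all for the idle name."""
    fixed = {n: dict(rr) for n, rr in zone.items()}
    fixed["mail.example.com"]["TXT"] = ["v=spf1 a -all"]  # record form quoted in the thread
    fixed["www.example.com"]["TXT"] = ["v=spf1 -all"]     # assumed form for a non-sending name
    return fixed

if __name__ == "__main__":
    for label, zone in (("before", ZONE), ("after", with_helo_records(ZONE))):
        for name, ip in (("mail.example.com", "192.0.2.25"),
                         ("mail.example.com", "198.51.100.7"),
                         ("www.example.com", "198.51.100.7")):
            print(label, name, ip, check_helo(zone, name, ip))
```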
[pfx] Re: SPF: HELO does not publish an SPF Record
Matus UHLAR - fantomas wrote in
 :
 |On 12.04.23 12:41, Fourhundred Thecat via Postfix-users wrote:
 ...
 |>Does it mean that I should either:
 |>
 |> 1) create SPF record for mail.mydomain.com
 ...
 |I would do the first:
 |
 |fantomas.fantomas.sk descriptive text "v=spf1 a -all"

Interesting this still works for you.  I had to change to ~all
because some behind-alias-expansion-and-forward collocutor
de-facto uses a GMail address.  Just three weeks ago on the LUGA
ML that also came up

  | host gmail-smtp-in.l.google.com said: 550-5.7.26 The MAIL FROM
  | domain [] has an SPF record with a hard fail 550-5.7.26 policy
  | (-all) but it fails to pass SPF checks with the ip:

My (earlier own) communication then ended with

  |> 2015. Changing to ~all could be done, i do not know if Google
  |> gets that.
  |
  |Google may have been ignoring your -all until recently.

  Google seems to have been lax regarding FreeBSD forwarding.
  I have cloned https://github.com/roehling/postsrsd.git to have
  a look at it.

...

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
[pfx] Re: SPF: HELO does not publish an SPF Record
On April 12, 2023 2:00:01 PM UTC, Steffen Nurpmeso via Postfix-users wrote:
>Matus UHLAR - fantomas wrote in
> :
> |On 12.04.23 12:41, Fourhundred Thecat via Postfix-users wrote:
> ...
> |>Does it mean that I should either:
> |>
> |> 1) create SPF record for mail.mydomain.com
> ...
> |I would do the first:
> |
> |fantomas.fantomas.sk descriptive text "v=spf1 a -all"
>
>Interesting this still works for you.  I had to change to ~all
>because some behind-alias-expansion-and-forward collocutor
>de-facto uses a GMail address.  Just three weeks ago on the LUGA
>ML that also came up
>
>  | host gmail-smtp-in.l.google.com said: 550-5.7.26 The MAIL FROM
>  | domain [] has an SPF record with a hard fail 550-5.7.26 policy
>  | (-all) but it fails to pass SPF checks with the ip:
>
>My (earlier own) communication then ended with
>
>  |> 2015. Changing to ~all could be done, i do not know if Google
>  |> gets that.
>  |
>  |Google may have been ignoring your -all until recently.
>
>  Google seems to have been lax regarding FreeBSD forwarding.
>  I have cloned https://github.com/roehling/postsrsd.git to have
>  a look at it.

Generally the interoperability issues that can arise with SPF for Mail From
don't come up with HELO. I don't think I've ever heard of a problem with
-all for HELO. For Mail From, some people have issues, as you describe.

Scott K
[pfx] Re: SPF: HELO does not publish an SPF Record
>> Matus UHLAR - fantomas wrote in
>> |fantomas.fantomas.sk descriptive text "v=spf1 a -all"

> On April 12, 2023 2:00:01 PM UTC, Steffen Nurpmeso via Postfix-users wrote:
>> Interesting this still works for you. I had to change to ~all
>> because some behind-alias-expansion-and-forward collocutor
>> de-facto uses a GMail address. Just three weeks ago on the LUGA
>> ML that also came up

On 12.04.23 14:08, Scott Kitterman via Postfix-users wrote:
> Generally the interoperability issues that can arise with SPF for Mail From
> don't come up with HELO. I don't think I've ever heard of a problem with
> -all for HELO. For Mail From, some people have issues, as you describe.

correct, I don't use the hostname for mail, it's there only for HELO/EHLO.

I was also thinking about using nullmx record.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Microsoft dick is soft to do no harm
[pfx] Re: SPF: HELO does not publish an SPF Record
On 2023-04-12 at 06:41:02 UTC-0400 (Wed, 12 Apr 2023 12:41:02 +0200)
Fourhundred Thecat via Postfix-users <400the...@gmx.ch>
is rumored to have said:

> Hello,
>
> I have domain mydomain.com, with mx record:
>
>   $ host -t mx mydomain.com
>   mail.mydomain.com
>
> and I have SPF record on my domain:
>
>   host -t txt mydomain.com
>
> which is the ip address of mail.mydomain.com
>
> I have no SPF record on mail.mydomain.com itself.
>
> Now, when I check my email score on mail-tester.com,

A site that no one should trust, as they actively misrepresent
SpamAssassin's usage and scores.

> it says:
>
>   SPF_HELO_NONE SPF: HELO does not publish an SPF Record

A fact that in fact carries no value judgment. SpamAssassin currently
hard-scores that rule at +0.001, meaning that while *in theory* it adds
to the "spamminess" metric, it is effectively meaningless in the overall
score of almost any particular message.

A non-zero score (or usage in a non-zero-score meta-rule) is required
for SA to check any rule, so we score some things that users have asked
for as possibly informative at -0.001 or +0.001 to assure that they are
always checked, even when our QA shows no indication of the rule being
in any way useful for determining whether a message is spam or not. One
reason for that is the recognition that every site sees a different mail
stream. There may be sites where SPF_HELO_NONE could be a helpful
discriminant between spam and ham. If we don't peg the score, that
possibility is invisible.

> and lastly, I have
>
>   smtp_helo_name = mail.mydomain.com
>
> Does it mean that I should either:
>
>   1) create SPF record for mail.mydomain.com
>
> or
>
>   2) change smtp_helo_name to
>
>      smtp_helo_name = $mydomain

Neither.

You do not have any problem that is worth solving. Believing that every
SpamAssassin hit is a "problem" that can or should be "solved" is simply
not true.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Postfix 3.8 release candidate 1
I'm wrapping up the Postfix 3.8 stable release, and have rolled out
a release candidate postfix-3.8.0-RC1. This is mainly so that people
can find out if Postfix 3.8 will build and run as expected.

The changes involve code and documentation improvements, SRV record
lookup, configuration for a feature new in OpenSSL 3.0, and removal
of TLS features that are no longer available in OpenSSL 1.1.1 (the
minimum version required in Postfix 3.6 and later).

Separately, I'll do a bug-fix release for Postfix stable releases
3.4 - 3.7. After this, Postfix 3.4 will no longer receive updates.

	Wietse
[pfx] Re: SPF: HELO does not publish an SPF Record
On 12.04.2023 at 15:43:07, Fourhundred Thecat via Postfix-users wrote:
> OK, I see.
> So should the client (mail.example.com) then have its own SPF record,
> in addition to the domain itself (example.com) ?

If you plan to send mail with senders addresses as
someth...@mail.example.com, then yes.

If you don't, and you will be only sending mail as someth...@example.com,
you don't need to bother with SPF record for mail.example.com at all.

-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
[pfx] Re: Debugging SSL_accept error Connection reset by peer
On 2023-04-11 15:49:30, Matus UHLAR - fantomas via Postfix-users wrote:
>>> On Fri, Apr 07, 2023 at 11:25:33AM -0400, micah via Postfix-users wrote:
>>> 2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
>>> 2023-04-06T07:34:42.300347+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
>>> 2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
>>> 2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
>>> 2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
>>> 2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
>>> 2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
>>> 2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
>>> 2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
>
>>On 2023-04-07 13:25:42, Viktor Dukhovni via Postfix-users wrote:
>>> The SMTP client closed the TCP connection at some point while receiving
>>> the server TLS Hello, Certificate and Key Exchange messages. Likely
>>> it took some issue with the certificate. You need to ask the client
>>> MTA administrator why they hang up.
>>
>>Unfortunately, I do not have any way to communicate with the client MTA
>>admins, so I'm shooting in the dark here.
>
>>Restarted postfix after these changes and triggered the remote client to
>>try again, but unfortunately, the same error happens. Same thing in the
>>pcap: I say Server Hello Done, and then the client sends a RST, ACK.
>
> On 11.04.23 08:32, micah anderson via Postfix-users wrote:
>>Any other ideas of things I could try?
>
> It's very hard to find out a problem when client is dropping connection.
> That may be even SSL scanner or similar.

Indeed.

> Perhaps you could disable STARTTLS extension for this particular address by
> using smtpd_discard_ehlo_keyword_address_maps:
>
> smtpd_discard_ehlo_keyword_address_maps=hash:/etc/postfix/smtpd_keywords
>
> /etc/postfix/smtpd_keywords:
>
> 65.125.209.36 STARTTLS
>
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

This does allow them to connect and send, unfortunately it results in that
connection to not be encrypted (and they are a bank!) :(

I can tell, based on their certificate CN, that this is an outlook server, but
I wasn't able to obtain more information than that.

-- 
        micah