[pfx] Re: SASL authentication with colon „:“ in username not possible

2023-08-14 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> There is a tool that given a JSONschema will generate a parser in
> C that populates a C structure, at github.com/badicsalex/json_schema_to_c
> (~300 LOC). This depends on github.com/zserge/jsmn (~500 LOC). The
> generated parser is much bigger, over 35 kLOC for the example.  This
> would be better than hand-written parsers (I'd never trust those),
> or generic parsers that produce a generic parse tree and increase
> application code complexity.

Oops, "over 35 kLOC" should be "~1000 LOC". I took the number from
the wrong column.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Disappointments at https://www.postfix.org/docs.html

2023-08-14 Thread Wietse Venema via Postfix-users
DL Neil via Postfix-users:
> The "Postfix Howtos and FAQs" is out-dated and requires 
> correction/editing. To assist the web-master:-

Checking links takes time, so thanks for doing that. I think it is
best to drop the page with 'howto' links. The page was created
almost a decade before sites like StackOverflow were created.

Wietse


[pfx] Block based on subject and rcpt to

2023-08-14 Thread SysAdmin EM via Postfix-users
Hi, Is it possible to discard an email based on the Subject and the
destination email address?

I tried this and it does not work:

/^Subject:.*Test email subject .*To:.*m...@me.com/ DISCARD

Any help?


[pfx] Re: Block based on subject and rcpt to

2023-08-14 Thread Noel Jones via Postfix-users

On 8/14/2023 2:13 PM, SysAdmin EM via Postfix-users wrote:
> Hi, Is it possible to discard an email based on the Subject and the
> destination email address?
>
> I tried this and it does not work:
>
> /^Subject:.*Test email subject .*To:.*m...@me.com/ DISCARD
>
> Any help?

You'll need a milter for that. Maybe look at milter-regex.


  -- Noel Jones



[pfx] Re: Block based on subject and rcpt to

2023-08-14 Thread postfix--- via Postfix-users

> Hi, Is it possible to discard an email based on the Subject and the destination
> email address?
>
> /^Subject:.*Test email subject .*To:.*m...@me.com/ DISCARD

The postfix filters only work on one header at a time. You can not put 
conditions for multiple headers.
As already suggested, a milter would be able to do this.


[pfx] Re: Block based on subject and rcpt to

2023-08-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Aug 14, 2023 at 04:13:54PM -0300, SysAdmin EM via Postfix-users wrote:

> Hi, Is it possible to discard an email based on the Subject and the
> destination email address?

> I tried this and it does not work:
> 
> /^Subject:.*Test email subject .*To:.*m...@me.com/ DISCARD

Note that "the destination email address" is NOT what you see in the
"To:" or "Cc:" headers, for example, you're reading this list without
the message headers mentioning your address.  The recipient information
is in the message "envelope", so not available to header checks as a
matter of principle.

In a milter you can squirrel away the envelope address(es), and then
take it(them) into consideration while examining the message headers.

-- 
Viktor.
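
A model of the bookkeeping described above, added here as an example and not part of the original message: it replays milter-style events in Python without using a real milter library. The class and method names, the subject pattern and the address user@example.com are constructed placeholders.

```python
import re

SUBJECT_RE = re.compile(r"Test email subject ")  # taken from the question's pattern
BLOCKED_RCPT = "user@example.com"                # constructed placeholder address


class MessageState:
    """State kept for one message, filled in the order the MTA reports events."""

    def __init__(self):
        self.rcpts = []            # envelope recipients (RCPT TO), not To:/Cc:
        self.subject_hit = False

    def envrcpt(self, address):
        self.rcpts.append(address.strip("<>").lower())

    def header(self, name, value):
        if name.lower() == "subject" and SUBJECT_RE.search(value):
            self.subject_hit = True

    def end_of_message(self):
        """Return (verdict, recipients_to_drop) once envelope and headers are known."""
        if not (self.subject_hit and BLOCKED_RCPT in self.rcpts):
            return ("accept", [])
        if set(self.rcpts) == {BLOCKED_RCPT}:
            return ("discard", [])          # nobody else would lose the message
        return ("accept", [BLOCKED_RCPT])   # keep it for the other recipients


def replay(events):
    """Feed (kind, args...) tuples to a fresh MessageState and return its verdict."""
    state = MessageState()
    handlers = {"envrcpt": state.envrcpt, "header": state.header}
    for kind, *args in events:
        handlers[kind](*args)
    return state.end_of_message()


# Constructed events: list mail whose To: header never names the recipient.
LIST_MAIL = [
    ("envrcpt", "<user@example.com>"),
    ("header", "To", "announce@lists.example.org"),
    ("header", "Subject", "Test email subject 42"),
]
# Constructed events: To: names the address, but the envelope does not.
HEADER_ONLY = [
    ("envrcpt", "<other@example.com>"),
    ("header", "To", "user@example.com"),
    ("header", "Subject", "Test email subject 42"),
]
```

A milter discard verdict applies to the whole message, which is why the model drops only the one recipient when other recipients are present.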


[pfx] Re: identifying sender failing ssl/tls cipher (ECDSA server certificate???)

2023-08-14 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 12, 2023 at 12:53:35PM -0400, Viktor Dukhovni wrote:

> > Length: 00 00 9c (156)
> > ...
> >  0x01,0x88 7 ???
> > ...
> >  0xC0,0x12 14 ECDHE-RSA-DES-CBC3-SHA Au=RSA
> > ...
> >  0x00,0x40 22 DHE-DSS-AES128-SHA256 Au=DSS
> > ...
> 
> All the ciphersuites offered except one (DSS) are RSA.

It turned out that there were multiple "bit errors" in the hex dump,
perhaps as a result of a "noisy" console connection, or auto-correct of
cut/paste, or similar.  None of the above were in fact what the client
sent.

- The length was 154 as expected.
- The 0188 was: 0x00,0x88   TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- The c012 was: 0xC0,0x13   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- The 0040 was: 0x00,0x41   TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

So, no oddball hello fragmentation, no unregistered ciphers, no 3DES and
no DSS.  Sometimes it's the evidence that's wrong, not the underlying
behaviour.

-- 
Viktor.


[pfx] How to block subaddressing from extern with a table

2023-08-14 Thread lutz.niederer--- via Postfix-users
Hi,

we need to block subaddressing from extern, and only from extern.  Internally 
we use it really often.

We thought about a table that denies recipient addresses that got a "+".  But 
how do we filter only if they do not come from mynetwork and not the 
authenticated users, but only from users outside?

Such a table would be a great idea, because when thinking about how to disable 
it for external users only, some nice guys came up with the idea to use it from 
extern, too.  But only for very specific addresses.
So, a table that operates in the class of not mynetwork and not authenticated 
and that gives us the freedom to filter what we want, that would be great.  But 
have not found it.  What does not work for us is a separate smtpd in master.cf 
listening on a different port.

Is there a (simple) way to do that?

Thanks a lot!
-lutzn




[pfx] Re: How to block subaddressing from extern with a table

2023-08-14 Thread Noel Jones via Postfix-users

On 8/14/2023 4:04 PM, lutz.niederer--- via Postfix-users wrote:

> Hi,
>
> we need to block subaddressing from extern, and only from extern.  Internally
> we use it really often.
>
> We thought about a table that denies recipient addresses that got a "+".  But
> how do we filter only if they do not come from mynetwork and not the
> authenticated users, but only from users outside?
>
> Such a table would be a great idea, because when thinking about how to disable
> it for external users only, some nice guys came up with the idea to use it from
> extern, too.  But only for very specific addresses.
> So, a table that operates in the class of not mynetwork and not authenticated
> and that gives us the freedom to filter what we want, that would be great.  But
> have not found it.  What does not work for us is a separate smtpd in master.cf
> listening on a different port.
>
> Is there a (simple) way to do that?

Sure, just put your map after permit_mynetworks, 
permit_sasl_authenticated.  Something like:


smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
  check_recipient_access regexp:/etc/postfix/no-subaddress
  ... other local controls ...



  -- Noel Jones


[pfx] Troubleshooting mail loop issue

2023-08-14 Thread Alex via Postfix-users
Hi,
I have what appears to be a complicated mail loop problem that I can't
figure out. I suspect that their receiving system (M365) is somehow
reinjecting the message back to our mail server after it's been
successfully delivered to them.

We are acting as MX for two small companies, and occasionally, when
companyA emails companyB, it is first received by raven.example.com,
209.216.111.115,
which is the MX we have created for them, processed by amavisd, then routed
to the destination through our postfix-out instance xavier.example.com,
209.216.111.114. The companyB server accepts the message, but then somehow
companyA appears to connect to our server again and send the same message
again.

It's very difficult to trace what's happening, so I hoped someone could
help. I think the sending server is somehow reconnecting to our server and
resending the same message, but it eventually dies with the sending server
saying "Error: too many hops". Our server never sees that message. They
have forwarded the bounce to me and I've pasted it here:
https://pastebin.com/ChcnDwjK

It appears like it delivers five different copies, but each version has all
the received headers of the previous version.

I'm sorry if this is confusing. I've spent probably six hours or more
reading through this one email trying to trace the problem and correlate it
with the postfix/amavis logs. I believe it's only happened a few times - I
don't quite understand all the circumstances under which it happens. We
also don't always see the reject/too many hops message. Here is a recent
one:

Aug  4 09:01:13 xavier postfix-115/smtp[125455]: 88D5F246:
to=, relay=127.0.0.1[127.0.0.1]:11024, delay=0.67,
delays=0.21/0/0/0.45, dsn=5.4.0, status=bounced (host 127.0.0.1[127.0.0.1]
said: 554 5.4.0 id=136757-17 - Rejected by next-hop MTA on relaying, from
MTA(smtp:[127.0.0.1]:11025): 554 5.4.0 Error: too many hops (in reply to
end of DATA command))

Any ideas for either what's going on with this email or what I can do to
troubleshoot this further would really be appreciated.

Thanks,
Alex


[pfx] Re: How to block subaddressing from extern with a table

2023-08-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Aug 14, 2023 at 11:04:56PM +0200, lutz.niederer--- via Postfix-users 
wrote:

> we need to block subaddressing from extern, and only from extern.
> Internally we use it really often.

A sensible initial simplification is to not mix inbound and outbound
mail on the same Postfix instance.  Then, once the only traffic coming
into the inbound server is from "external" users:

> We thought about a table that denies recipient addresses that got a
> "+".  But how do we filter only if they do not come from mynetwork and
> not the authenticated users, but only from users outside?

main.cf:
    pcre = pcre:${config_directory}/
    smtpd_recipient_restrictions =
        ...
        check_recipient_access ${pcre}extension-access.pcre

extension-access.pcre:
    # Either +ext@domain (or address literal) or just bare +ext
    if /[+](?:.*?@[^@]+|[^@]*)$/
    # [+] matches a literal plus sign; a bare + would be a quantifier
    /^first-exception[+]/   DUNNO
    /^another-exception[+]/ DUNNO
    # ...
    # Disallowed by default
    /^/ REJECT 554 5.1.1 restricted address extension
    endif

> What does not work for us is a separate smtpd in master.cf listening
> on a different port.

You really should separate inbound and outbound mail, this makes many
aspects of the configuration much simpler.

That said, you could replace the "REJECT ..." with:

    /^/ permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

at the cost of a much less clear error response to the hapless sender.
That too can be worked-around, but why jump through all the hoops, you
could simply (but I repeat myself) ...

-- 
Viktor.
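
How the table above behaves when it is placed after permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination, as Noel Jones suggested earlier in the thread. This is an added Python model, not part of the original message and not Postfix code; the domain example.com and the function names are assumptions.

```python
import re

# Model of extension-access.pcre: the if/endif guard plus its rules, first
# match wins. Postfix pcre tables match case-insensitively by default.
GUARD = re.compile(r"[+](?:.*?@[^@]+|[^@]*)$", re.I)
RULES = [
    # [+] is a literal plus; an unescaped + would be a quantifier on the "n".
    (re.compile(r"^first-exception[+]", re.I), "DUNNO"),
    (re.compile(r"^another-exception[+]", re.I), "DUNNO"),
    (re.compile(r"^", re.I), "REJECT 554 5.1.1 restricted address extension"),
]
LOCAL_DOMAINS = {"example.com"}  # assumption: stands in for the hosted domains


def table_lookup(rcpt):
    """Result of check_recipient_access for rcpt, or None if nothing matches."""
    if not GUARD.search(rcpt):
        return None  # no address extension: the whole if-block is skipped
    for pattern, action in RULES:
        if pattern.search(rcpt):
            return action
    return None


def recipient_decision(rcpt, in_mynetworks=False, sasl_authenticated=False):
    """Walk the restriction list in order; the first definite answer wins."""
    if in_mynetworks:
        return "permit_mynetworks: OK"
    if sasl_authenticated:
        return "permit_sasl_authenticated: OK"
    if rcpt.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
        return "reject_unauth_destination: REJECT"
    action = table_lookup(rcpt)
    if action is None or action == "DUNNO":
        return "continue"  # fall through to the remaining restrictions
    return "check_recipient_access: " + action


if __name__ == "__main__":
    # Constructed sample recipients and client classes.
    samples = [
        ("user+tag@example.com", {"in_mynetworks": True}),
        ("user+tag@example.com", {"sasl_authenticated": True}),
        ("user+tag@example.com", {}),
        ("first-exception+lists@example.com", {}),
        ("first-exceptionn+x@example.com", {}),
        ("user@example.com", {}),
    ]
    for rcpt, client in samples:
        print(f"{rcpt:36} {client} -> {recipient_decision(rcpt, **client)}")
```

With an unescaped `+` the exception rule would also match `first-exceptionn+x@example.com`, so the model keeps the plus inside a character class.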


[pfx] Re: How to block subaddressing from extern with a table

2023-08-14 Thread lutz.niederer--- via Postfix-users
Thank you very much.

And "yes!!!", I understand you very well.

But, we want to make things simple.




[pfx] Re: How to block subaddressing from extern with a table

2023-08-14 Thread lutz.niederer--- via Postfix-users
Ah, still one question.  I don't remember exactly where, but I believe that you 
said it would be better to split into separate instances.  Sorry, can't find it 
anymore.  Both instances would work in parallel on the domain socket (unix:...) 
to dovecot (lmtp authentication & delivery).  Do we have to expect any problems 
with that or is it safe?




[pfx] Re: How to block subaddressing from extern with a table

2023-08-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Aug 14, 2023 at 11:54:16PM +0200, lutz.niede...@gmx.net wrote:

> Ah, still one question.  I don't remember exactly where, but I believe
> that you said it would be better to split into separate instances.
> Sorry, can't find it anymore.

https://www.postfix.org/MULTI_INSTANCE_README.html

> Both instances would work in parallel on the domain socket (unix:...)
> to dovecot (lmtp authentication & delivery).  Do we have to expect any
> problems with that or is it safe?

Multi-instance Postfix configurations (and even multiple SMTP services
within a single master.cf(5) file) require separate TCP listener
endpoints, so generally a separate IP address or separate ports.  The
outbound service could perhaps be a submission service on port 587.

Noel's advice makes it possible to preserve the error message quality
while using the suggested table within a single instance.  But, as
always, I recommend split configurations once you start adding
non-trivial direction-dependent policy.

-- 
Viktor.


[pfx] smtp auth on port 25

2023-08-14 Thread Jon Smart via Postfix-users
Hello,

I have disabled port 587/465 to be accessed publicly.

but port 25 must be open to internet for MTA communications.

My question is, can external users access port 25 for smtp auth and send
mail then?

Thanks.



[pfx] Postfix Help with a rejection message

2023-08-14 Thread Chad Lundquist via Postfix-users
I am getting legitimate emails REJECTED by postfix and I need to figure out a 
way to forward them or whitelist them from getting blocked.

I am using PFLogsumm and see this:

message reject detail
-
  RCPT
    450 4.7.1 : Helo command rejected: Host not found; from=<03349...@alight.com> to= proto=ESMTP helo= (total: 21)
      21   amazonaws.com  (03349...@alight.com)

What file do I edit in postfix to allow this message to flow and get delivered 
or whitelisted?

Please!

This is my employee benefit information.

Thank you
