[pfx] local ROOT - forward + keep copy
Hi guys.

I'd hope some experts here have it figured out long time ago & would be happy to advise on:
How to keep root's mail locally, on each machine + at the same time have a copy forwarded to another address.

More specifics on what I'm thinking:
r...@box1.my.private
r...@box2.my.private
etc...
those root have mail delivered locally & a copy forwarded to allmail@my.private
and!... when forwarded to _allmail@my.private_ then there would be some evidence of that _r...@box1.my.private_

To highlight - currently my Postfix does some key bits via Dovecot and I'd love to keep it that way.
...
virtual_transport = lmtp:unix:private/dovecot-lmtp
smtpd_sasl_type = dovecot
mailbox_transport = lmtp:unix:private/dovecot-lmtp

many thanks for all the thoughts & suggestions.
L.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: local ROOT - forward + keep copy
On 06.11.23 09:31, lejeczek via Postfix-users wrote:
> I'd hope some experts here have it figured out long time ago & would be happy to advise on:
> How to keep root's mail locally, on each machine + at the same time have a copy forwarded to another address.

I personally redirect all root's mail to local user via aliases, where it's stored locally and forwarded to remote via .forward.

Another way is using recipient_bcc_maps to another account, but this might be a bit overkill.

> More specifics on what I'm thinking:
> r...@box1.my.private
> r...@box2.my.private
> etc...
> those root have mail delivered locally & a copy forwarded to allmail@my.private
> and!... when forwarded to _allmail@my.private_ then there would be some evidence of that _r...@box1.my.private_
>
> To highlight - currently my Postfix does some key bits via Dovecot and I'd love to keep it that way.
> ...
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> smtpd_sasl_type = dovecot
> mailbox_transport = lmtp:unix:private/dovecot-lmtp
>
> many thanks for all the thoughts & suggestions.
> L.

Perhaps you could configure local copy+forward via sieve scripts.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
My mind is like a steel trap - rusty and illegal in 37 states.

[pfx] Re: GMail is rejecting mail I forward
> https://gitlab.com/soyeomul/Gnus/-/raw/karma/DKIM/setup-policy.lua?ref_type=heads

And because I have to prove myself, See:
https://gitlab.com/soyeomul/Gnus/-/commit/59122d99bd6a0b01d293c0a2f46d5343e54bbc4e

Sincerely, Byung-Hee

-- 
^Thank you _Spread virtue throughout the world_ Thank you_^))//

[pfx] Re: Recommendation for dkim signing
* Jens Hoffrichter via Postfix-users :
> Hi!
>
> We are looking into implementing DKIM signing for one of our services,
> and there are multiple ways to implement that.
>
> So far I have found that you can do it with opendkim and amavis - any
> recommendation for one or the other, or maybe something completely
> different I haven't found yet?

amavis::
    amavis does not support ED25519 and very likely never will. There's a
    non-open DMARC / DKIM / SPF addon but I doubt the company who built that
    will ever open source it.

opendkim::
    opendkim supports RSA-SHA256 and a (few years old) BETA also supports
    ED25519-SHA256. Last time I had a look the BETA was still BETA though I
    can confirm it works very reliably even on larger platforms (ISP).

dkimpy-milter::
    dkimpy-milter supports RSA-SHA256 and ED25519-SHA256. If you have
    experience running opendkim you will feel at home using dkimpy-milter.
    dkimpy-milter used to have and I don't know if it still has problems
    handling email message headers containing UTF-8 chars when there shouldn't
    be any, like in a Subject that reads "Passwort zurücksetzen", which MUST
    be ISO encoded, but then there are developers who don't know that and …
    dkimpy-milter crashes because of the way Python 3.x handles UTF-8. I've
    no idea if Scott has found time to address and fix that.

rspamd::
    rspamd supports RSA-SHA256 and ED25519-SHA256 though the documentation
    hardly mentions this fact. If you want to add signatures to outbound
    messages only you might turn off all other scanning (spam, malware, …)
    rspamd provides to increase performance and avoid false positives or
    unwanted learning.

My recommendation: Use rspamd if you are using it anyway on your platform. It
handles email reliably and supports RSA-SHA256 and ED25519-SHA256. If you need
a DKIM signer on servers that relay outbound mail only use opendkim's BETA.

p@rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, Amtsgericht München (district court): HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

[pfx] local domain email collection
Hi guys.

How do you do your local domain local root mail collection?
Having a number of boxes, say:
r...@box1.my.private
r...@box2.my.private
etc..

I'm thinking having each box's root I'd forward to _allmail@my.private_ - probably it's how many, if not everybody, do it.
Here, my 'allmail' is a user which exists, via Dovecot auth, on all boxes.
What I struggle to wrap my head around, how, since I have:
...
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
...
is, how to have Postfix mail to that one MX for this local 'my.private' domain.
Right now, if I'm not mistaken, each box will be its own destination and will deliver on-the-box locally.
If I try
...
mydestination = $myhostname, localhost.$mydomain, localhost
...
the Postfix errors out with:
... loops back to myself

Is the only way to forward to an "external/virtual" domain?
Perhaps conceptually my approach is wrong - how do you collect same domain all boxes' local root mail?

ps. with Dovecot for transport & auth

many thanks, L.

[pfx] Re: Recommendation for dkim signing
Noel,

* Noel Butler via Postfix-users :
> > sys4.de are not removing original DKIM sigs just adding postfix.org's,
> > which also fails for some reason, but ohh looky that - SPF passes :D
>
> Decided to have a look after lunch, that looks like it would be because sys4
> adds footers, where previously Wietse did not, again if they configured
> mailman correctly it wouldn't care about that because it wouldn't see yours
> or my original sigs, using DKIM "relaxed" doesn't work that way either :)

We (sys4) don't add a footer. Determining a list's policy e.g. having the MLM add a footer or not is the owner's privilege. We (sys4) don't own postfix.org's lists – we host them (and are very proud to do so).

p@rick

[pfx] Re: Recommendation for dkim signing
On November 6, 2023 10:51:06 AM UTC, Patrick Ben Koetter via Postfix-users wrote:
>* Jens Hoffrichter via Postfix-users :
>> Hi!
>>
>> We are looking into implementing DKIM signing for one of our services,
>> and there are multiple ways to implement that.
>>
>> So far I have found that you can do it with opendkim and amavis - any
>> recommendation for one or the other, or maybe something completely
>> different I haven't found yet?
...
>dkimpy-milter::
>dkimpy-milter supports RSA-SHA256 and ED25519-SHA256. If you have
>experience running opendkim you will feel at home using dkimpy-milter.
>dkimpy-milter used to have and I don't know if it still has problems
>handling email message headers containing UTF-8 chars when there shouldn't
>be any, like in a Subject that reads "Passwort zurücksetzen", which MUST
>be ISO encoded, but then there are developers who don't know that and …
>dkimpy-milter crashes because of the way Python 3.x handles UTF-8. I've
>no idea if Scott has found time to address and fix that.
...

This is fixed. It still does properly implement support for non-ASCII headers, but the crashes should be a thing of the past.

Scott K

[pfx] Re: Recommendation for dkim signing
On November 6, 2023 12:39:35 PM UTC, Scott Kitterman via Postfix-users wrote:
>
>
>On November 6, 2023 10:51:06 AM UTC, Patrick Ben Koetter via Postfix-users wrote:
>>* Jens Hoffrichter via Postfix-users :
>>> Hi!
>>>
>>> We are looking into implementing DKIM signing for one of our services,
>>> and there are multiple ways to implement that.
>>>
>>> So far I have found that you can do it with opendkim and amavis - any
>>> recommendation for one or the other, or maybe something completely
>>> different I haven't found yet?
>...
>>dkimpy-milter::
>>dkimpy-milter supports RSA-SHA256 and ED25519-SHA256. If you have
>>experience running opendkim you will feel at home using dkimpy-milter.
>>dkimpy-milter used to have and I don't know if it still has problems
>>handling email message headers containing UTF-8 chars when there shouldn't
>>be any, like in a Subject that reads "Passwort zurücksetzen", which MUST
>>be ISO encoded, but then there are developers who don't know that and …
>>dkimpy-milter crashes because of the way Python 3.x handles UTF-8. I've
>>no idea if Scott has found time to address and fix that.
>...
>
>This is fixed. It still does properly implement support for non-ASCII
>headers, but the crashes should be a thing of the past.
>

Sigh. That should have been ... doesn't ...

Scott K

[pfx] Virtual Domains
Hi All, I'm sure I'm missing some subtle point in the documentation but could someone kindly clarify for me.

This is postfix 3.5.8 on a Rocky Linux system. Delivery is by lmtp to cyrus-imap on another machine.

My e-mail domain kensnet.org, among others, is set up as a virtual domain. There is an entry for that domain in the file local_host_names that is referenced by virtual_mailbox_domains in main.cf

I have also set up the parameter virtual_mailbox_maps = hash:/etc/postfix/virtusertable in main.cf. virtusertable contains the entry "k...@kensnet.org kens" which appears to be working. However, that file also contains the entry "k...@kensnet.org kens" to catch incoming e-mail with that version of my e-mail address. This address receives an address unknown NDA. Similarly there is another entry for j...@kensnet.org with a similar alias of accou...@kensnet.org. The accounts address gets an NDA. The relevant mailboxes in cyrus are kens and joy. It's almost as if postfix is not rewriting the name part before the @ and is simply handing them over to cyrus as received.

I tried switching virtual_mailbox_maps to virtual_alias_maps. On restarting postfix I received a bunch of

/etc/postfix/main.cf: unused parameter: vitrual_alias_maps=hash:/etc/postfix/virtusertable

messages. I didn't test further and switched the setting back.

I hope this is something postfix can do as it's a breeze to set up in sendmail. I'm sure I'm missing some subtle point here and would appreciate a steer.

Thanks

Ken

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

[pfx] Re: Virtual Domains
Scratch this: I've spotted my typo

Thanks

Ken

Ken Smith via Postfix-users wrote:
> Hi All, I'm sure I'm missing some subtle point in the documentation but could someone kindly clarify for me.
>
> This is postfix 3.5.8 on a Rocky Linux system. Delivery is by lmtp to cyrus-imap on another machine.
>
> My e-mail domain kensnet.org, among others, is set up as a virtual domain. There is an entry for that domain in the file local_host_names that is referenced by virtual_mailbox_domains in main.cf
>
> I have also set up the parameter virtual_mailbox_maps = hash:/etc/postfix/virtusertable in main.cf. virtusertable contains the entry "k...@kensnet.org kens" which appears to be working. However, that file also contains the entry "k...@kensnet.org kens" to catch incoming e-mail with that version of my e-mail address. This address receives an address unknown NDA. Similarly there is another entry for j...@kensnet.org with a similar alias of accou...@kensnet.org. The accounts address gets an NDA. The relevant mailboxes in cyrus are kens and joy. It's almost as if postfix is not rewriting the name part before the @ and is simply handing them over to cyrus as received.
>
> I tried switching virtual_mailbox_maps to virtual_alias_maps. On restarting postfix I received a bunch of
>
> /etc/postfix/main.cf: unused parameter: vitrual_alias_maps=hash:/etc/postfix/virtusertable
>
> messages. I didn't test further and switched the setting back.
>
> I hope this is something postfix can do as it's a breeze to set up in sendmail. I'm sure I'm missing some subtle point here and would appreciate a steer.
>
> Thanks
>
> Ken

[pfx] Re: Recommendation for dkim signing
Patrick Ben Koetter via Postfix-users:
> Noel,
>
> * Noel Butler via Postfix-users :
> > > sys4.de are not removing original DKIM sigs just adding postfix.org's,
> > > which also fails for some reason, but ohh looky that - SPF passes :D
> >
> > Decided to have a look after lunch, that looks like it would be because sys4
> > adds footers, where previously Wietse did not, again if they configured
> > mailman correctly it wouldn't care about that because it wouldn't see yours
> > or my original sigs, using DKIM "relaxed" doesn't work that way either :)
>
> we (sys4) don't add a footer. Determining a list's policy e.g. having the MLM
> add a footer or not is the owner's privilege. We (sys4) don't own
> postfix.org's lists – we host them (and are very proud to do so).

For completeness:

- From: header munging and footer lines are a "list" setting. I
  configured the Postfix lists to hide the original sender domain
  and keep SPF and DKIM aligned, to reduce bounce rates that would
  cause subscribers to be unsubscribed from the list.

- Stripping existing DKIM signatures is a "system" setting, not a
  mailing list setting.

I think that it would help if sys4 configures mailman to strip existing DKIM headers, because some receivers will reject mail with a valid DKIM signature, when there is also an invalid DKIM signature present.

Wietse

[pfx] Re: local domain email collection
lejeczek via Postfix-users:
> Hi guys.
>
> How do you do your local domain local root mail collection?
> Having a number of boxes, say:
> r...@box1.my.private
> r...@box2.my.private
> etc..

Have you considered using local aliases to forward mail for 'root' to a different address?

    $ man 5 aliases
    $ postconf alias_maps

Wietse

[pfx] Re: Recommendation for dkim signing
Hi Patrick,

Thank you very much for this list, this was very helpful and exactly what I was looking for.

Currently, we are only looking into signing mails, not validating signatures, as we are expanding a currently legacy system which is supposed to be superseded next year, and we hadn't planned on implementing DKIM anymore at all - but Google's announcement about the new specifications for bulk senders changed our trajectory there very quickly..

I'm currently leaning towards trying dkimpy-milter, as it seems to be something still in active development, and if things go wrong, it is always good that the maintainer of the software is still responding ;)

I'm just a bit worried about the size of the dependencies I need for that - I haven't looked into it yet, but from experience Python projects tend to pull a lot of dependencies. And as I need to build my own RPM packages for this, it might not be feasible to go with something very big.

But this is all pointing me in the right direction, thanks to everyone contributing to the discussion!

Jens

On Mon, Nov 6, 2023 at 11:51 AM Patrick Ben Koetter via Postfix-users wrote:
>
> * Jens Hoffrichter via Postfix-users :
> > Hi!
> >
> > We are looking into implementing DKIM signing for one of our services,
> > and there are multiple ways to implement that.
> >
> > So far I have found that you can do it with opendkim and amavis - any
> > recommendation for one or the other, or maybe something completely
> > different I haven't found yet?
>
> amavis::
> amavis does not support ED25519 and very likely never will. There's a
> non-open DMARC / DKIM / SPF addon but I doubt the company who built that
> will ever open source it.
> opendkim::
> opendkim supports RSA-SHA256 and a (few years old) BETA also supports
> ED25519-SHA256. Last time I had a look the BETA was still BETA though I
> can confirm it works very reliably even on larger platforms (ISP).
> dkimpy-milter::
> dkimpy-milter supports RSA-SHA256 and ED25519-SHA256. If you have
> experience running opendkim you will feel at home using dkimpy-milter.
> dkimpy-milter used to have and I don't know if it still has problems
> handling email message headers containing UTF-8 chars when there shouldn't
> be any, like in a Subject that reads "Passwort zurücksetzen", which MUST
> be ISO encoded, but then there are developers who don't know that and …
> dkimpy-milter crashes because of the way Python 3.x handles UTF-8. I've
> no idea if Scott has found time to address and fix that.
> rspamd::
> rspamd supports RSA-SHA256 and ED25519-SHA256 though the documentation
> hardly mentions this fact. If you want to add signatures to outbound
> messages only you might turn off all other scanning (spam, malware, …)
> rspamd provides to increase performance and avoid false positives or
> unwanted learning.
>
> My recommendation: Use rspamd if you are using it anyway on your platform. It
> handles email reliably and supports RSA-SHA256 and ED25519-SHA256. If you need
> a DKIM signer on servers that relay outbound mail only use opendkim's BETA.
>
> p@rick

[pfx] Re: Recommendation for dkim signing
On 06/11/2023 15:43, Jens Hoffrichter via Postfix-users wrote:
> I'm currently leaning towards trying dkimpy-milter, as it seems to be something still in active development, and if things go wrong, it is always good that the maintainer of the software is still responding 😉

That is probably the approach I would take in your situation. But just to give my 2 cents worth: I've been using opendkim for several years, signing millions of outbound emails, and I have not ever had any problems. Installation is very easy on Debian using system packages only (although I am not sure whether equivalent RPMs exist).

Andy

[pfx] Re: local domain email collection
On 06/11/2023 15:25, Wietse Venema via Postfix-users wrote:
> lejeczek via Postfix-users:
>> Hi guys.
>>
>> How do you do your local domain local root mail collection?
>> Having a number of boxes, say:
>> r...@box1.my.private
>> r...@box2.my.private
>> etc..
> Have you considered using local aliases to forward mail for 'root' to a different address?
>
> $ man 5 aliases
> $ postconf alias_maps
>
> Wietse

I now understand that such Postfixes must run with:
mydestination = $myhostname, localhost.$mydomain, localhost
if want to forward own local root to a one central allmail@my.private
and that one postfix/server (routed to via MX) must be with:
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

eg.
r...@box1.my.private to forward via/with MX to a "different-central" postfix to allmail@my.private

I have another question relating to this, but I'll put into a separate thread.

thanks, L.

[pfx] should a local relay be paranoid
Hi guys.

Even though it's only local network, a relay which is final destination only to:
mydestination = $myhostname, localhost.$mydomain, localhost
has to _relay_ to central, also local postfix which postfix takes "all" the required security precautions in.
Should such _relaying_ postfix be restrictive and relay only specific bits - I'm thinking it should.
What would be a good practice & basic config for relaying-postfix?
Will 'relay_domains' alone do?

many thanks, L.

[pfx] Re: local domain email collection
On Mon, Nov 06, 2023 at 11:55:44AM +0100, lejeczek via Postfix-users wrote:

> I'm thinking having each box's root I'd forward to _allmail@my.private_ -
> probably it's how many, if not everybody, do it.
> Here, my 'allmail' is a user which exists, via Dovecot auth, on all boxes.
> What I struggle to wrap my head around, how, since I have:
> ...
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> ...
> is, how to have Postfix mail to that one MX for this local 'my.private'
> domain.

The best-practice way to deliver mail addressed to one logical recipient to two (or more) separate mailboxes is to use virtual(5) aliases:

    virtual:
        root    root@local.invalid, someuser@foo.example

This assumes:

    - Only "local.invalid" is listed in $mydestination
    - $myorigin is the same on all hosts, and expands to a shared logical
      mail domain.
    - Neither $myorigin, nor its expanded value, is listed in $mydestination
    - A relayhost is defined to point at the internal mailhub ("smarthost")
      which knows how to deliver for all valid addresses in the shared domain.

    main.cf:
        indexed = ${default_database_type}:${config_directory}/
        mydomain = foo.example
        myorigin = foo.example
        mydestination = local.invalid
        relayhost = [mail.foo.example]
        virtual_alias_maps = ${indexed}virtual
        alias_database = ${indexed}aliases
        alias_maps = $alias_database
        # Maildir delivery, see local(8)
        mail_spool_directory = /var/spool/mail/
        # Or
        # mailbox_transport = lmtp:unix:...
        # Or skip local aliases(5) entirely:
        # local_transport = lmtp:unix:...
        # local_transport = virtual (with suitable virtual_mailbox_maps,
        #       virtual_uid_maps, ...)

    aliases:
        postmaster: root
        bin: root
        ...

Basically, use as little of the legacy Sendmail-compatible behaviour of local(8) as you can:

    - Avoid 1-to-many aliases(5) expansion
    - Avoid delivery to command pipes
    - Avoid .forward files
    - ...

Use at most:

    - One-to-one delivery to a mailbox, or preferably a maildir
    - Or better, just deliver directly to an LMTP server or via virtual(8).

The main useful feature of local(8) that is best exercised on the mailhub is support for mailing lists via ":include:", owner-alias mappings, ... But you should not need this on null client end hosts.

Speaking of "null clients", see also MULTI_INSTANCE_README.

-- 
    Viktor.

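The assumptions listed in the message above can be checked mechanically before a box is rolled out, so that root's mail neither loops nor loses one of its two copies. This is an added example, not code from the thread or from Postfix: `audit`, the finding codes and the sample host names are hypothetical, and only plain `$name`, `${name}` and `$(name)` expansion is handled.

```python
import re

# Typical Postfix defaults for parameters main.cf may leave unset.
# The host and domain names are constructed sample values.
DEFAULTS = {
    "default_database_type": "hash", "config_directory": "/etc/postfix",
    "myhostname": "box1.foo.example", "mydomain": "foo.example",
    "myorigin": "$myhostname",
    "mydestination": "$myhostname, localhost.$mydomain, localhost",
}

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):
    params = dict(DEFAULTS)
    for line in logical_lines(text):
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def expand(value, params, depth=0):
    """Recursively expand parameter references; ${name?x} forms are not handled."""
    if depth > 10:
        raise ValueError("parameter expansion loop")
    def repl(m):
        name = m.group(1) or m.group(2) or m.group(3)
        return expand(params.get(name, ""), params, depth + 1)
    return re.sub(r"\$(?:\{(\w+)\}|\((\w+)\)|(\w+))", repl, value)

def words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]

def audit(main_cf, virtual):
    """Return finding codes; an empty list means the listed assumptions hold."""
    p = parse_main_cf(main_cf)
    local = {d.lower() for d in words(expand(p["mydestination"], p))}
    origin = expand(p["myorigin"], p).lower()
    findings = []
    if origin in local:                       # shared domain treated as local
        findings.append("myorigin-in-mydestination")
    if not expand(p.get("relayhost", ""), p):  # no mailhub to hand mail to
        findings.append("no-relayhost")
    targets = []
    for line in logical_lines(virtual):
        key, *rhs = words(line)
        if key in ("root", "root@" + origin):
            targets = rhs
    # An address without a domain gets @$myorigin appended.
    domains = [(t.rsplit("@", 1)[1] if "@" in t else origin).lower() for t in targets]
    if not any(d in local for d in domains):
        findings.append("root-no-local-copy")
    if not any(d not in local for d in domains):
        findings.append("root-no-forwarded-copy")
    return findings

# Constructed inputs: the layout from the message above, and a variant that
# lists the shared domain as local and has no relayhost.
GOOD_MAIN_CF = """\
indexed = ${default_database_type}:${config_directory}/
mydomain = foo.example
myorigin = foo.example
mydestination = local.invalid
relayhost = [mail.foo.example]
virtual_alias_maps = ${indexed}virtual
"""
BAD_MAIN_CF = """\
mydomain = foo.example
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain,
    localhost, $mydomain
"""
VIRTUAL = "root    root@local.invalid, someuser@foo.example\n"
```

On a live host the same check can be fed from `postconf -n` output and the virtual map's source file.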