[pfx] LMTP delivery failing for all backend during single backend failure

2023-11-14 Thread seena--- via Postfix-users
Hi,

we have a single lmtp end point which is pointing to a load balancer.

Lmtp endpoint ---> Load balance --> Dovecot director --> Dovecot backend

If any one of the backends fails we are seeing a delay in lmtp delivery even to the other backends which are healthy. How to solve this issue, is this due to lmtp_connection_reuse_time_limit? We need to make sure that only the delivery to the failed backend should fail and the rest should work as expected.

Pasting the lmtp settings here:

lmtp_connect_timeout = 0s
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 50s
lmtp_data_xfer_timeout = 60s
lmtp_lhlo_timeout = 40s
lmtp_mail_timeout = 40s
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_threshold_time = 500s
lmtp_quit_timeout = 300s
lmtp_rcpt_timeout = 300s
lmtp_rset_timeout = 20s
lmtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
lmtp_destination_concurrency_limit = 9
lmtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
lmtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
lmtp_initial_destination_concurrency = $initial_destination_concurrency
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Dino Edwards via Postfix-users
Hello,

I have been using OpenDKIM and OpenDMARC as smtpd_milters in Postfix and
Amavis as a content filter. I'm trying to replace OpenDKIM with Amavis for
DKIM verify and signing. The problem is that since Amavis is set up as an
after-queue content_filter and OpenDMARC is a pre-queue smtpd_milter in
postfix OpenDMARC never sees the authentication headers and it's always
failing DKIM checks. So I need to set up Amavis as a pre-queue milter before
OpenDMARC in order to get this to work. I tried this config but sadly it
doesn't work, OpenDMARC (127.0.0.1:54321) gets skipped completely:

milter_amavis = unix:/var/spool/postfix/amavis/amavis.sock

milter_connect_macros = "j {client_name} {daemon_name} v _"

smtpd_milters =
unix:/var/spool/postfix/amavis/amavis.sock,inet:127.0.0.1:54321

non_smtpd_milters = $smtpd_milters

I posted in the Amavis mailing list but it wasn't helpful and they suggested
I post in the Postfix mailing list since the original author of amavisd
seems to lurk in here.

I would appreciate some assistance.

Thanks



[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Matus UHLAR - fantomas via Postfix-users

On 14.11.23 07:43, Dino Edwards via Postfix-users wrote:
> I have been using OpenDKIM and OpenDMARC as smtpd_milters in Postfix and
> Amavis as a content filter. I'm trying to replace OpenDKIM with Amavis for
> DKIM verify and signing. The problem is that since Amavis is set up as an
> after-queue content_filter and OpenDMARC is a pre-queue smtpd_milter in
> postfix OpenDMARC never sees the authentication headers and it's always
> failing DKIM checks. So I need to set up Amavis as a pre-queue milter before
> OpenDMARC in order to get this to work. I tried this config but sadly it
> doesn't work, OpenDMARC (127.0.0.1:54321) gets skipped completely:
>
> milter_amavis = unix:/var/spool/postfix/amavis/amavis.sock

this does not make sense unless you use it somewhere.

> milter_connect_macros = "j {client_name} {daemon_name} v _"
>
> smtpd_milters =
> unix:/var/spool/postfix/amavis/amavis.sock,inet:127.0.0.1:54321
>
> non_smtpd_milters = $smtpd_milters

what do logs say?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


[pfx] Re: [Thunderbird email client] Composing email: Clicking Options > Delivery Status Notification Does Not Work At All!!!

2023-11-14 Thread Yassine Chaouche via Postfix-users

On 11/13/23 at 14:45, Stephen Satchell via Postfix-users wrote:

> [...]
> 3.  Thunderbird sends out the delivery status return receipt request.  I must
> emphasize, REQUEST.  Mail recipients are free to ignore such requests.  For
> example, I have all my instances of Thunderbird set to ignore such requests
> as a rule.

I think you're mixing this up with Return Receipts. Mail recipients do not
play a role in DSN delivery, MTAs do, and in fact it's not even on the
recipient side, but on the sender side, in which case you receive something
like this:

"This is the mail system at host [...]

Your message was successfully delivered to the destination(s)
listed below. If the message was delivered to mailbox you will
receive no further notifications. Otherwise you may still receive
notifications of mail delivery errors from other systems.

   The mail system

: delivery via
mta7.am0.yahoodns.net[67.195.228.109]:25: 250 ok dirdel"


Best,

--
yassine -- sysadm
+213-779 06 06 23
http://about.me/ychaouche
Looking for side gigs.


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Damian via Postfix-users
> I tried this config but sadly it doesn’t work, OpenDMARC
> (127.0.0.1:54321) gets skipped completely


If "getting skipped" means that you don't see Authentication-Results for 
DMARC, I have a feeling that you didn't disable DKIM verification on 
your content_filter Interface Policy. Amavis will remove all such 
headers that match your AuthservID.


[pfx] FOLLOW-UP Re: Re: [ext] list.sys4.de fails with starttls

2023-11-14 Thread Patrick Ben Koetter via Postfix-users
* Viktor Dukhovni via Postfix-users :
> On Mon, Sep 25, 2023 at 04:24:55PM +0200, Patrick Ben Koetter via 
> Postfix-users wrote:
> 
> > > Do you have SMTP client TLS connection reuse enabled?  If so, TLS
> > > connections are made via tlsproxy(8), with the smtp(8) client
> > > unaware of any initialisation issues until STARTTLS.
> > 
> > Well spotted and that was the reason Postfix failed. We've added a SELinux
> > policy to let tlsproxy do what it wants and things went back to normal.
> 
> Thanks for the confirmation.  I feel some pride in intuiting the cause
> in this case, the link with the reported symptoms was fairly subtle.

After some more investigation and testing…

It turned out that RedHat's SELinux policy does not cover Postfix' tlsproxy
and whenever tlsproxy sets out to do what Postfix wants it to do SELinux will
interfere and prohibit it from doing that. That in consequence made the SMTP
service throttle and so it came to a standstill.

For the moment we decided to do without TLS session caching in Postfix
smtp-client *and* sending client side x509 certificates on demand in favor of
running a more secure platform.

Our long-term goal is to re-enable the Postfix features *and* use SELinux.
(RedHat if you're on this list and following this thread ping me offlist and
I'll be happy to share all information we can provide.)

Regards

p@rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein



[pfx] Re: LMTP delivery failing for all backend during single backend failure

2023-11-14 Thread Wietse Venema via Postfix-users
seena--- via Postfix-users:
> we have a single lmtp end point which is pointing load balancer .
> 
> Lmtp endpoint  ---> Load balance --> Dovecot director --> Dovecot
> backend

What is an endpoint: TCP socket, UNIX-domain socket, avian carriers,
and how is Postfix configured to CONNECT TO that endpoint? Your
posting has no information about that.

- What is the output from:

postconf -n | grep "lmtp:"    (note the trailing ":")

postconf -M | grep lmtp       (note no trailing ":")

> If any one of the backend failed we are seeing the delay in lmtp
> delivery to even the other backend which are healthy. How to solve this

What does "failed" mean? In other words, what is the error message?

> We need to make sure that only the delivery to the failed backend
> should fail and rest all should work as expected

If a backend becomes unhealthy, then the next connection from Postfix
should immediately be routed to a healthy backend, without any delay.

Without further information I cannot distinguish between:

- Postfix is reusing a failed connection. If that is the case,
disabling connection reuse should make a difference.

- The load balancer is not working properly.

Wietse



[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Dino Edwards via Postfix-users
By “getting skipped” I mean I have no logs of opendmarc doing anything. I don’t
understand how I would disable dkim in my content_filter policy. Dkim
verification is either enabled or disabled in Amavis unless I’m not
understanding what you mean.

From: Damian via Postfix-users
Sent: Tuesday, November 14, 2023 9:13 AM
To: postfix-users@postfix.org
Subject: [pfx] Re: Postfix, Amavis DKIM and DMARC

>> I tried this config but sadly it doesn’t work, OpenDMARC (127.0.0.1:54321) gets
>> skipped completely
>
> If "getting skipped" means that you don't see Authentication-Results for DMARC,
> I have a feeling that you didn't disable DKIM verification on your
> content_filter Interface Policy. Amavis will remove all such headers that match
> your AuthservID.



[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Dino Edwards via Postfix-users



-----Original Message-----
From: Matus UHLAR - fantomas via Postfix-users
Sent: Tuesday, November 14, 2023 8:04 AM
To: postfix-users@postfix.org
Subject: [pfx] Re: Postfix, Amavis DKIM and DMARC

> this does not make sense unless you use it somewhere.

Can you elaborate?

> what do logs say?

Logs don't say anything. There are simply no entries for opendmarc doing
anything, i.e. opendmarc does not get called thus no logs.






[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Damian via Postfix-users

> By “getting skipped” I mean I have no logs of opendmarc doing anything.

Do you have logs of opendmarc doing anything if you remove Amavis from
smtpd_milters?

> I don’t understand how I would disable dkim in my content_filter
> policy. Dkim verification is either enabled or disabled in Amavis
> unless I’m not understanding what you mean.

`enable_dkim_verification` is a dynamic confvar, meaning that it is a
per-policybank setting. Depending on how you set up your system, it
might be easier to selectively disable or enable it. If you don't know
what an interface_policy is, you might not have one for your
content_filter. But you should at least have an interface_policy for the
amavisd-milter socket. It is the construct that defines `AM.PDP` as its
`protocol`. In there you can define `enable_dkim_verification => 1`, and
disable it globally.

You also need to make sure that OpenDMARC and Amavis use the same
authserv-id (`AuthservID` and `$myauthservid`).


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread mailmary--- via Postfix-users


it happens to me sometimes, I make changes to the postfix configuration and I 
forget to restart postfix for it to take effect (systemctl restart postfix 
opendkim opendmarc etc). 

Could it be that simple?



On Tue, 14 Nov 2023 11:16:18 -0500 Dino Edwards via Postfix-users 
 wrote:

> Logs don't say anything. There are simply no entries for opendmarc going
> anything, i.e. opendmarc does not get called thus no logs.
> 


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Matus UHLAR - fantomas via Postfix-users

>> this does not make sense unless you use it somewhere.
>
> Can you elaborate?

yes, the configuration variable you showed is not used by anything, unless
you refer to it elsewhere in postfix configuration.

>> what do logs say?

On 14.11.23 11:16, Dino Edwards via Postfix-users wrote:
> Logs don't say anything. There are simply no entries for opendmarc doing
> anything, i.e. opendmarc does not get called thus no logs.

I run opendmarc and it shows report after each e-mail. I just had to set
"syslog true" in opendmarc.conf. Try that.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Atheism is a non-prophet organization.


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Benny Pedersen via Postfix-users

Dino Edwards via Postfix-users wrote on 2023-11-14 13:43:
> I would appreciate some assistance.

https://amavisd-milter.sourceforge.net/

just use that, it replaces all milters you have


[pfx] LDAP - how to design a virtual domain alias table?

2023-11-14 Thread Francis Augusto Medeiros-Logeay via Postfix-users
Hi,

I have been using Postfix with MySQL for a few years now, but I want to move to 
LDAP (FreeIPA) to store my user’s data.

I figured out all the queries I need, except one. You see, right now, I use 
Postfixadmin and my query for virtual_mailbox_domains is like this:

query = SELECT goto
    FROM alias, alias_domain
    WHERE alias_domain.alias_domain = '%d'
      AND alias.address = CONCAT('%u', '@', alias_domain.target_domain)
      AND alias.active = 1
      AND alias_domain.active = '1'

So it basically checks a list of all valid addresses, and try to match with the 
target domain.

I am struggling with LDAP to do this, mostly because LDAP doesn’t do nested 
searches, at least not in the way MySQL does.

My directory is structured like this:

cn=postfix - root for my configuration
  cn=mydomain.com,cn=postfix - container for mailboxes and aliases
    uid=myuser,cn=mydomain.com,cn=postfix - my mailbox or my alias
    uid=myaliasdomain.com,cn=mydomain.com,cn=postfix - my alias domain
    (different objectClass)

My main problem is how to get the «target» domain from a query to check if 
there’s a valid mailbox/alias configured for the target domain.

I created an attribute on my alias domain called «targetDomain», but I don’t 
think it is possible with LDAP to read its value, concatenate with the %s and 
query again.

Is there a way to accomplish something like this?

Best,
Francis



[pfx] Re: LDAP - how to design a virtual domain alias table?

2023-11-14 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 14, 2023 at 06:32:55PM +0100, Francis Augusto Medeiros-Logeay via 
Postfix-users wrote:

> I figured out all the queries I need, except one. You see, right now,
> I use Postfixadmin and my query for virtual_mailbox_domains is like
> this:
> 
> query = SELECT goto
> FROM alias, alias_domain
>WHERE alias_domain.alias_domain = '%d'
>  AND alias.address = CONCAT('%u', '@', alias_domain.target_domain)
>  AND alias.active = 1
>  AND alias_domain.active=‘1’

Your relational data model is normalised to store each user alias just
once, under the primary domain of each alternate domain.  You get to
attach secondary domains to a primary domain without losing recipient
validation by doing wildcard rewrites.

You reduced the amount of data to manage, at the cost of being unable to
assign valid addresses on a per-user basis, with some users having a
different subset of associated secondary domains than others.

This type of normalisation is idiomatic for SQL, but is not idiomatic
(or necessarily possible) with LDAP.

LDAP schemas are not normalised, they are "star-like".  Typical LDAP
objects have multi-valued attributes representing 1-to-many
relationships, such as the set of all the valid addresses of a user
object.

The LDAP representation of a mail user would typically have (attribute
name choices vary, though "cn" for the 'display name', and "mail" for
the single-valued primary address are essentially standard):

  user.ldif:
cn: Joe User
uid: joeuser
mail: joe.user@someorg.example
maildrop: joeuser@imap1.someorg.example
mailacceptinggeneralid: joe.user@someorg.example
mailacceptinggeneralid: joe.user@aliasorg1.example
mailacceptinggeneralid: joe.user@aliasorg2.example
mailacceptinggeneralid: joeuser@someorg.example
mailacceptinggeneralid: userjoe@someorg.example
...

  virtual.cf:
query = mailacceptinggeneralid=%s
result_attribute = maildrop

  canonical.cf:
query = mailacceptinggeneralid=%s
result_attribute = mail

Mail can be sent to the user under each of the *explicitly* listed
addresses, but is typically canonicalised to "mail" in outbound email
(all headers and envelope sender).  Inbound mail is rewritten to
"maildrop" (just the envelope recipient) for storage.

Other designs are possible, see LDAP_README for variations.

But you're unlikely to find (or ultimately want) data model parity.
LDAP directories just aren't SQL databases.  If you want to assign
every user in some collection the same set of domains, that would
be done as of provisioning and maintaining the user "entries",
rather than computed via relational query logic.

-- 
Viktor.
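An added illustration of the point in Viktor's reply (example code, not from the post or from Postfix): the alias-domain relation that the SQL query joins at lookup time is instead expanded once, when the user entry is provisioned, into multi-valued `mailacceptinggeneralid` values, and the two `ldap:` tables then reduce to an equality match on that attribute. The alias domains, user and hostnames are constructed sample data; the `%s`/`%u`/`%d` expansion mimics Postfix's table templates without the RFC 4515 filter escaping Postfix applies.

```python
"""Star-like LDAP user entries and the Postfix ldap: lookups they serve."""

ALIAS_DOMAINS = ["aliasorg1.example", "aliasorg2.example"]   # constructed sample


def provision_user(uid, display_name, primary_domain, local_parts, maildrop_host,
                   alias_domains=ALIAS_DOMAINS):
    """Build one user entry as a dict of multi-valued attributes.
    The SQL model derives 'joe.user@aliasorg1.example' at lookup time by joining
    alias_domain; here the relation is materialised once, at provisioning time,
    so every accepted address is listed explicitly on the entry."""
    primary = f"{local_parts[0]}@{primary_domain}"
    accepted = [f"{lp}@{primary_domain}" for lp in local_parts]
    accepted += [f"{local_parts[0]}@{dom}" for dom in alias_domains]
    return {
        "cn": [display_name],
        "uid": [uid],
        "mail": [primary],                              # canonical outbound address
        "maildrop": [f"{uid}@{maildrop_host}"],          # envelope recipient for storage
        "mailacceptinggeneralid": accepted,              # all addresses we accept for
    }


def to_ldif(entry, base_dn="cn=postfix"):
    """Render the entry in the LDIF layout shown in the post (hypothetical base DN)."""
    lines = [f"dn: uid={entry['uid'][0]},{base_dn}"]
    for attr in ("cn", "uid", "mail", "maildrop", "mailacceptinggeneralid"):
        lines += [f"{attr}: {value}" for value in entry[attr]]
    return "\n".join(lines)


def expand_query(template, address):
    """Expand %s (whole address), %u (local part) and %d (domain) as a Postfix
    table query template does.  Real Postfix also escapes LDAP filter
    metacharacters in the expanded values; this simulation does not."""
    local, _, domain = address.partition("@")
    return template.replace("%s", address).replace("%u", local).replace("%d", domain)


def ldap_lookup(entries, query_template, result_attribute, address):
    """Simulate a Postfix ldap: table with a single 'attr=value' equality filter
    evaluated against multi-valued attributes.  Returns every matching entry's
    result_attribute values, i.e. what Postfix would see as the lookup result."""
    attr, _, wanted = expand_query(query_template, address).partition("=")
    results = []
    for entry in entries:
        if wanted in entry.get(attr, []):
            results += entry.get(result_attribute, [])
    return results


if __name__ == "__main__":
    joe = provision_user("joeuser", "Joe User", "someorg.example",
                         ["joe.user", "joeuser", "userjoe"], "imap1.someorg.example")
    print(to_ldif(joe))
    # virtual.cf: query = mailacceptinggeneralid=%s, result_attribute = maildrop
    print(ldap_lookup([joe], "mailacceptinggeneralid=%s", "maildrop", "joe.user@aliasorg2.example"))
    # canonical.cf: same query, result_attribute = mail
    print(ldap_lookup([joe], "mailacceptinggeneralid=%s", "mail", "userjoe@someorg.example"))
    # Not listed explicitly, so not accepted: the SQL wildcard rewrite would have
    # resolved this, the star-like entry does not.
    print(ldap_lookup([joe], "mailacceptinggeneralid=%s", "maildrop", "userjoe@aliasorg1.example"))
```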


[pfx] Re: FOLLOW-UP Re: Re: [ext] list.sys4.de fails with starttls

2023-11-14 Thread Viktor Dukhovni via Postfix-users
On Tue, Nov 14, 2023 at 03:56:25PM +0100, Patrick Ben Koetter via Postfix-users 
wrote:

> It turned out that RedHat's SELinux policy does not cover Postfix' tlsproxy
> and whenever tlsproxy takes out to do what Postfix wants it to do SELinux will
> interfere and prohibit it from doing that. That in consequence made the SMTP
> service throttle and so it came to a stillstand.

In particular, presumably read access to the client cert .pem files was
blocked, though perhaps access to other essential resources was also
denied.

> For the moment we decided to do without TLS session caching in Postfix
> smtp-client *and* sending client side x509 certificates on demand in
> favor of running a more secure platform.

I am having some trouble parsing the above.  I think you're saying
you're keeping SELinux enabled ("more secure platform"), and going
without client certs *and* without TLS connection reuse.

My vague impression from upthread was that disabling client certs was
sufficient, and connection reuse would then work?  Was that not the
case?

> Our long-term goal is to re-enable the Postfix features *and* use
> SELinux.  (RedHat if you're on this list and following this thread
> ping me offlist and I'll be happy to share all information we can
> provide.)

My recommendation of not gratuitously enabling client certs stands, they
add no value when (almost always) the server can't use them in any
meaningful way.

Client certificates are for prior bilateral security arrangements
with *specific* servers that know what to do with specific client
certificates.

-- 
Viktor.


[pfx] Re: LDAP - how to design a virtual domain alias table?

2023-11-14 Thread Francis Augusto Medeiros-Logeay via Postfix-users


> On Nov 14, 2023, at 19:09, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
> On Tue, Nov 14, 2023 at 06:32:55PM +0100, Francis Augusto Medeiros-Logeay via 
> Postfix-users wrote:
> 
>> I figured out all the queries I need, except one. You see, right now,
>> I use Postfixadmin and my query for virtual_mailbox_domains is like
>> this:
>> 
>> query = SELECT goto
>>FROM alias, alias_domain
>>   WHERE alias_domain.alias_domain = '%d'
>> AND alias.address = CONCAT('%u', '@', alias_domain.target_domain)
>> AND alias.active = 1
>> AND alias_domain.active=‘1’
> 
> Your relational data model is normalised to store each user alias just
> once, under the primary domain of each alternate domain.  You get to
> attach secondary domains to a primary domain without losing recipient
> validation by doing wildcard rewrites.
> 
> You reduced the amount of data to manage, at the cost of being unable to
> assign valid addresses on a per-user basis, with some users having a
> different subset of associated secondary domains than others.
> 

> This type of normalisation is idiomatic for SQL, but is not idiomatic
> (or necessarily possible) with LDAP.
> 

Thank you for the thorough explanation, Viktor. 


> LDAP schemas are not normalised, they are "star-like".  Typical LDAP
> objects Objects have multi-valued attributes representing 1-to-many
> relationships, such as the set of all the valid addresses of a user
> object.
> 
> 
>  virtual.cf:
>query = mailacceptinggeneralid=%s
>result_attribute = maildrop
> 
>  canonical.cf:
>query = mailacceptinggeneralid=%s
>result_attribute = mail
> 
> Mail can be sent to the user under each of the *explicitly* listed
> addresses, but is typically canonicalised to "mail" in outbound email
> (all headers and envelope sender).  Inbound mail is rewritten to
> "maildrop" (just the envelope recipient) for storage.
> 
> Other designs are possible, see LDAP_README for variations.
> 
> But you're unlikely to find (or ultimately want) data model parity.
> LDAP directories just aren't SQL databases.  If you want to assign
> every user in some collection the same set of domains, that would
> be done as of provisioning and maintaining the user "entries",
> rather than computed via relational query logic.
> 

My case is that I wanted to mimic Postfixadmin in FreeIPA. I even created a
plugin for it, and the data model works nicely, for the most part, except for the
virtual domains part. My design is simplified since I only use virtual
mailboxes.

But I hear what you are saying, it does seem to be complicated to accomplish the
same with LDAP when it comes to that on-the-fly checking if b@domainb exists
when b should receive a mail from domainc. I might drop this feature.

Best,
Francis 



[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Damian via Postfix-users

> https://amavisd-milter.sourceforge.net/
>
> just use that, it replaces all milters you have

This is a confusing statement.


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Matus UHLAR - fantomas via Postfix-users

> Dino Edwards via Postfix-users wrote on 2023-11-14 13:43:
>> I would appreciate some assistance.

On 14.11.23 18:13, Benny Pedersen via Postfix-users wrote:
> https://amavisd-milter.sourceforge.net/
>
> just use that, it replaces all milters you have

it's the same as https://github.com/prehor/amavisd-milter just an older
version.

but it does not support dmarc.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Benny Pedersen via Postfix-users

Damian via Postfix-users wrote on 2023-11-14 19:28:
>> https://amavisd-milter.sourceforge.net/
>>
>> just use that, it replaces all milters you have
>
> This is a confusing statement.

in what way? if you can configure opendmarc with postfix why is
amavisd-milter a problem?

amavisd only misses OpenARC and OpenDMARC to have it all in one basket; if
this is confusing there is only rspamd left to use for all in one

i just prefer simple things, not complicated setups



[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Benny Pedersen via Postfix-users

Matus UHLAR - fantomas via Postfix-users wrote on 2023-11-14 19:44:
>> Dino Edwards via Postfix-users wrote on 2023-11-14 13:43:
>>> I would appreciate some assistance.
>
> On 14.11.23 18:13, Benny Pedersen via Postfix-users wrote:
>> https://amavisd-milter.sourceforge.net/
>>
>> just use that, it replaces all milters you have
>
> it's the same as https://github.com/prehor/amavisd-milter just an older
> version.
>
> but it does not support dmarc.

correct, but amavisd supports rspamd which has dmarc

and spamassassin 4 has dmarc, but this needs stable 4.x releases :/

i have only amavisd-milter in postfix, nothing more




[pfx] Re: FOLLOW-UP Re: Re: [ext] list.sys4.de fails with starttls

2023-11-14 Thread raf via Postfix-users
On Tue, Nov 14, 2023 at 03:56:25PM +0100, Patrick Ben Koetter via Postfix-users 
 wrote:

> * Viktor Dukhovni via Postfix-users :
> > On Mon, Sep 25, 2023 at 04:24:55PM +0200, Patrick Ben Koetter via 
> > Postfix-users wrote:
> > 
> > > > Do you have SMTP client TLS connection reuse enabled?  If so, TLS
> > > > connections are made via tlsproxy(8), with the smtp(8) client
> > > > unaware of any initialisation issues until STARTTLS.
> > > 
> > > Well spotted and that was the reason Postfix failed. We've added a SELinux
> > > policy to let tlsproxy do what it wants and things went back to normal.
> > 
> > Thanks for the confirmation.  I feel some pride in intuiting the cause
> > in this case, the link with the reported symptoms was fairly subtle.
> 
> After some more investigation and testing…
> 
> It turned out that RedHat's SELinux policy does not cover Postfix' tlsproxy
> and whenever tlsproxy takes out to do what Postfix wants it to do SELinux will
> interfere and prohibit it from doing that. That in consequence made the SMTP
> service throttle and so it came to a stillstand.
> 
> For the moment we decided to do without TLS session caching in Postfix
> smtp-client *and* sending client side x509 certificates on demand in favor of
> running a more secure platform.
> 
> Our long-term goal is to re-enable the Postfix features *and* use SELinux.
> (RedHat if you're on this list and following this thread ping me offlist and
> I'll be happy to share all information we can provide.)
> 
> Regards
> 
> p@rick

This might be because tlsproxy is not active by default. Perhaps the default
selinux policy for postfix is based only on the default configuration of
postfix, when really, the default selinux policy for postfix should probably
be based on all possible postfix behaviour. Talk to redhat about that.

It must be possible to adapt the selinux policy to allow tlsproxy (but I can't
help you with that).

cheers,
raf


[pfx] TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-14 Thread Viktor Dukhovni via Postfix-users
The DANE/DNSSEC survey () has seen a
recent spike in the number of MX hosts whose "2 1 1" TLSA records no
longer match their certificate chain.  The records in question all
share the same digest value, for various TLSA base domains:

_25._tcp.mx1.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

I was initially puzzled as to why this might be happening, but then
it occurred to me that the reason why is clear.

The above hash is the hash of the ISRG X1 root CA key, but it is also of
course the key hash of its outdated **cross-certificate** issued by DST.
That DST cross cert was needed for compatibility with some old Android
systems that did not get root CA updates (or updates of any kind).

It must be that Let's Encrypt finally stopped by default including that
cross certificate in their chains.  So instead of a chain that looks
like:

- depth 0: EE (server) certificate
- depth 1: Let's Encrypt R3/E1 issuer CA
- depth 2: ISRG X1 cross cert issued by DST

with the certificate at depth 2 matching the TLSA record, they now
generate just:

- depth 0: EE (server) certificate
- depth 1: Let's Encrypt R3/E1 issuer CA

with the ISRG (now standalone) root CA not included in the chain!

Leaving out the root CA works fine for WebPKI, where clients need to
have a locally trusted copy of the root, but not for certificate usage
DANE-TA(2), which does not rely on any local CA store:

https://dane.sys4.de/common_mistakes#4
https://datatracker.ietf.org/doc/html/rfc7672#section-3.1.2

Bottom line, if you're relying on that "2 1 1" record matching the ISRG
root to match your Let's Encrypt chain, you're about to be disappointed,
if you aren't already.  See:

http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

for better alternatives, or switch to "3 1 1", perhaps with the aid of
"danebot" (still hoping some early adopters will pitch in to further
improve it, to support some additional workflows):

   

-- 
Viktor.
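As an added illustration of the failure described above (example code, not from the post, danebot or Postfix), the check below computes TLSA matching-type-1 association data for selector 1 (SHA-256 of the SubjectPublicKeyInfo) and selector 0 (whole certificate) and looks for a match only at depths the server actually sent, so a "2 1 1" record for a root that has been dropped from the chain stops matching while a "3 1 1" record for the server key keeps working. The certificates are constructed DER skeletons with empty names and dummy signatures, not the real ISRG or Let's Encrypt ones, and the digests are computed from them rather than being the value quoted in the post; the same-key check shows why a root and its cross-certificate share one "2 1 1" digest.

```python
import hashlib


# --- minimal DER helpers (enough for the X.509 certificate skeleton) ----------

def der_read(buf, off=0):
    """Read one DER TLV at buf[off:]; return (tag, value, offset after it).
    Single-byte tags only, which covers every element X.509 uses."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Split the body of a constructed element into its raw child TLVs."""
    children, off = [], 0
    while off < len(value):
        _, _, nxt = der_read(value, off)
        children.append(value[off:nxt])
        off = nxt
    return children


def der_tlv(tag, body):
    """Encode one TLV (used only to build the constructed sample certs)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# --- TLSA association data and matching ---------------------------------------

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of a certificate (TLSA selector 1)."""
    _, cert_body, _ = der_read(cert_der)                     # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(der_children(cert_body)[0])    # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5]


def tlsa_data(selector, cert_der):
    """Association data for matching type 1 (SHA-256), hex encoded.
    Selector 0 hashes the whole certificate, selector 1 only its SPKI."""
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    return hashlib.sha256(blob).hexdigest()


def match_depth(chain, usage, selector, digest_hex):
    """Depth in the presented chain (0 = server cert) at which the TLSA record
    matches, or None.  DANE-EE(3) may only match depth 0.  DANE-TA(2) may match
    any certificate the server actually sent, so a trust anchor that is absent
    from the chain can never match, whatever the local CA store contains."""
    depths = [0] if usage == 3 else range(len(chain))
    for depth in depths:
        if depth < len(chain) and tlsa_data(selector, chain[depth]) == digest_hex.lower():
            return depth
    return None


# --- constructed sample chain (not real ISRG / Let's Encrypt certificates) ----

def fake_cert(serial, key_bytes):
    """Structurally valid certificate skeleton: v3, given serial, empty names,
    rsaEncryption SPKI carrying key_bytes, and an all-zero dummy signature."""
    rsa_alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + key_bytes))
    sig_alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))        # version v3
                  + der_tlv(0x02, bytes([serial]))                   # serialNumber
                  + sig_alg + der_tlv(0x30, b"") + der_tlv(0x30, b"") + der_tlv(0x30, b"")
                  + spki)
    return der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" * 33))


def demo():
    """Old chain with the root/cross cert at depth 2 versus new chain without it."""
    ee, r3, root = fake_cert(1, b"server-key"), fake_cert(2, b"R3-key"), fake_cert(3, b"root-key")
    cross = fake_cert(4, b"root-key")        # same key as root, different issuer/serial
    ta_record = tlsa_data(1, root)           # "2 1 1" published against the root's key
    ee_record = tlsa_data(1, ee)             # "3 1 1" published against the server's key
    old_chain, new_chain = [ee, r3, cross], [ee, r3]
    return {
        "2 1 1 old chain": match_depth(old_chain, 2, 1, ta_record),   # 2
        "2 1 1 new chain": match_depth(new_chain, 2, 1, ta_record),   # None
        "3 1 1 old chain": match_depth(old_chain, 3, 1, ee_record),   # 0
        "3 1 1 new chain": match_depth(new_chain, 3, 1, ee_record),   # 0
        "root and cross cert share 2 1 1 data": tlsa_data(1, cross) == ta_record,  # True
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```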


[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Damian via Postfix-users

>>> https://amavisd-milter.sourceforge.net/
>>>
>>> just use that, it replaces all milters you have
>>
>> This is a confusing statement.
>
> in what way?

amavisd-milter was already part of Dino's smtpd_milters. It is like you would
have said:

> http://www.postfix.org/. Just use that, it replaces the /etc you have.

> if you can configure opendmarc with postfix why is amavisd milter a problem?

That's what Dino is trying to do. Make amavis-over-milter add a DKIM AR-header,
then make OpenDMARC evaluate DMARC using that header. It may be true that
SpamAssassin 4 has a DMARC test, but Amavis does not use such a test hit for
policy enforcement.



[pfx] Re: Postfix, Amavis DKIM and DMARC

2023-11-14 Thread Matus UHLAR - fantomas via Postfix-users

>>> Dino Edwards via Postfix-users wrote on 2023-11-14 13:43:
>>>> I would appreciate some assistance.

>> On 14.11.23 18:13, Benny Pedersen via Postfix-users wrote:
>>> https://amavisd-milter.sourceforge.net/
>>>
>>> just use that, it replaces all milters you have

> Matus UHLAR - fantomas via Postfix-users wrote on 2023-11-14 19:44:
>> it's the same as https://github.com/prehor/amavisd-milter just an
>> older version.
>>
>> but it does not support dmarc.

On 14.11.23 21:55, Benny Pedersen via Postfix-users wrote:
> correct, but amavisd supports rspamd which has dmarc

what?

> and spamassassin 4 has dmarc, but this needs stable 4.x releases :/

Luckily I do have that one with Debian 12.  However, it does not support
dmarc rejection OOTB nor reports like opendmarc does

> i have only amavisd-milter in postfix, nothing more

Perhaps you should've explained that immediately with steps how to implement
DMARC rejections at smtp time.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors