[pfx] Relaying Teams Invitations send by Microsoft365 via Postfix to the Internet

2024-05-03 Thread Norbert Schmidt via Postfix-users
Hello, 

We've got a single user needing Micro$oft Teams. This user's mail account
u...@contenso.com is configured on our server AND within Microsoft365 as
sending address for the invitations.
All other mail accounts are local and send via postfix. 
With blimmen Microsoft365 the invitation mails are directly sent out to the
internet with the u...@contenso.com sender address. These mails get bounced
quite often because neither are the Microsoft365 Servers configured within
SPF nor is Microsoft365 configured to DKIM sign these mails. 
I've configured a SMTP connector on the Microsoft side to route all mail
through our postfix system. The SMTP connector is unable to use
authentication or to be configured to use a different port. So, to make this
work I had to add the Microsoft365 sending IP CIDR Ranges to the
smtpd_recipient_restrictions by using "check_client_access
cidr:/etc/postfix/microsoft365_cidr"
The postfix server now is accepting the mail, but when relaying it to the
internet the receiving server says: " 550 5.7.26 Message rejected per DMARC
policy by contonso.com" 
I suppose this is either because the originating server was not listed
in the SPF entry or because the mail is not DKIM signed. 

My questions:
- Would postfix be an almost open relay using this configuration as all
users of Micro$oft365 would be able to send mail through my server to the
internet?
- Is there a safe way to configure the M365-SMTP-Connector to send mail
through my postfix mailserver (and only my mail, not the mail of any other
Microsoft 365 user)???
- How to DKIM sign these mails with "dkimproxy" as these mails are received
via port 25 smtpd they would be checked by dkimproxy if they are destined to
our users but not signed when relayed to the internet?

Any help appreciated

Regards
Norbert
 

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Relaying Teams Invitations send by Microsoft365 via Postfix to the Internet

2024-05-03 Thread Wietse Venema via Postfix-users
Norbert Schmidt via Postfix-users:
> Hello, 
> 
> We've got a single user needing Micro$oft Teams. This user's mail account
> u...@contenso.com is configured on our server AND within Microsoft365 as
> sending address for the invitations.
> All other mail accounts are local and send via postfix. 
> With blimmen Microsoft365 the invitation mails are directly sent out to the
> internet with the u...@contenso.com sender address. These mails get bounced
> quite often because neither are the Microsoft365 Servers configured within
> SPF nor is Microsoft365 configured to DKIM sign these mails. 
> I've configured a SMTP connector on the Microsoft side to route all mail
> through our postfix system. The SMTP connector is unable to use
> authentication or to be configured to use a different port. So, to make this
> work I had to add the Microsoft365 sending IP CIDR Ranges to the
> smtpd_recipient_restrictions by using "check_client_access
> cidr:/etc/postfix/microsoft365_cidr"
> The postfix server now is accepting the mail, but when relaying it to the
> internet the receiving server says: " 550 5.7.26 Message rejected per DMARC
> policy by contonso.com" 
> I suppose this is either because the originating server was not listed
> in the SPF entry or because the mail is not DKIM signed. 
> 
> My questions:
> - Would postfix be an almost open relay using this configuration as all
> users of Micro$oft365 would be able to send mail through my server to the
> internet?
> - Is there a safe way to configure the M365-SMTP-Connector to send mail
> through my postfix mailserver (and only my mail, not the mail of any other
> Microsoft 365 user)???
> - How to DKIM sign these mails with "dkimproxy" as these mails are received
> via port 25 smtpd they would be checked by dkimproxy if they are destined to
> our users but not signed when relayed to the internet?

You could configure a Postfix SMTP daemon with a dedicated IP address
or port to forward and sign email only from Microsoft, and only
from a specific sender address.

This daemon would have its own Postfix settings for access control
and DKIM signing.

The example assumes that you can configure an additional IP address
or port to receive mail with the existing Postfix host.

master.cf:
    a.b.c.d:25  inet  n   -   n   -   -   smtpd
        # Require an expected Microsoft client IP address
        -o { mynetworks = p.q.r.s/24 }
        -o { smtpd_client_restrictions = permit_mynetworks, reject }
        -o { smtpd_recipient_restrictions = permit_mynetworks, reject }

        # Require an expected sender address
        -o { smtpd_sender_restrictions =
            check_sender_access inline:{{ u...@contonso.com = permit }}, reject }

        # Override main.cf settings with empty value
        -o { smtpd_helo_restrictions = }
        -o { smtpd_relay_restrictions = }

        # Sign with dkimproxy
        -o content_filter=dksign:[127.0.0.1]:10027
        -o receive_override_options=no_address_mappings

Then, you would have to change nothing on the standard port 25
service (or port 587 or 465).

Wietse
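
The "550 5.7.26 Message rejected per DMARC policy" rejection discussed in this thread comes down to identifier alignment: DMARC passes only if SPF or DKIM passes for a domain aligned with the From: domain. The following is an added example, not part of either message; example.com and the scenarios are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: simplified DMARC identifier alignment (RFC 7489, section 3.1).

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' (relaxed) compares organizational domains, 's' (strict) exact."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc(from_domain, spf_result, mailfrom_domain, dkim, aspf="r", adkim="r"):
    """dkim is a list of (d= domain, result) pairs, one per signature."""
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim) for d, r in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


# Constructed scenarios; example.com stands in for the sender's domain.
# Tuple layout: (From: domain, SPF result, envelope sender domain, DKIM results)
SCENARIOS = {
    "sent directly, IP not in SPF, unsigned":
        ("example.com", "fail", "example.com", []),
    "relayed, SPF passes for an unaligned envelope domain, unsigned":
        ("example.com", "pass", "bounces.example.net", []),
    "relayed, signed by an unaligned domain only":
        ("example.com", "fail", "example.com", [("example.net", "pass")]),
    "relayed through the signing service, d=example.com":
        ("example.com", "fail", "example.com", [("example.com", "pass")]),
    "relayed, envelope sender aligned and relay IP in SPF":
        ("example.com", "pass", "example.com", []),
}


def evaluate_all():
    return {name: dmarc(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{result:4}  {name}")
```

A single aligned pass is sufficient, so signing on the dedicated service is enough even when SPF does not cover the relay path.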


[pfx] Implementing ARC with postfix to allow/assist with forwarding

2024-05-03 Thread Alex via Postfix-users
Hi,
I'm using postfix-3.7.9 on fedora38 and would like to implement ARC to
assist with authenticating emails being forwarded by users to Gmail and
others. The research I've done points to OpenARC as a dead project.

This looks like a great guide to get started, but I'm having trouble
identifying which milter(?) to use for this.
https://blog.mystrika.com/arc/


[pfx] Re: Implementing ARC with postfix to allow/assist with forwarding

2024-05-03 Thread patpro--- via Postfix-users
Hello,

I’m using openarc from https://github.com/trusteddomainproject/OpenARC
May be dead but does work.

You could try https://github.com/fastmail/authentication_milter but it’s way more complex.

cheers
patpro

May 3, 2024 4:17 PM, "Alex via Postfix-users"  wrote:
Hi,
I'm using postfix-3.7.9 on fedora38 and would like to implement ARC to assist 
with authenticating emails being forwarded by users to Gmail and others. The 
research I've done points to OpenARC as a dead project.

This looks like a great guide to get started, but I'm having trouble 
identifying which milter(?) to use for this.
https://blog.mystrika.com/arc/


[pfx] Re: long header folding and DKIM fails

2024-05-03 Thread Tim Coote via Postfix-users
Further investigation showed that the issue is in Python 2.7’s `email` module.  
Although this is out of support, I’d expect some to be lying around and thought 
it worth mentioning to this group. Specifically, `email.Message.__str__()`. It 
seems ok in python3



> On 2 May 2024, at 12:53, Tim Coote via Postfix-users 
>  wrote:
> 
> I think that I’ve now fixed this in my domain, so I thought I’d just note the 
> route to finding it, more as a comment on the complexity of working out 
> what’s going on.
> 
> After making a simple robot to send emails with long headers and 
> demonstrating how they broke in my production environment, I rebuilt that env 
> on a Vagrant box. It worked properly (ie it didn’t replace “,” with 
> “,”) until I’d added in the old spambayes filter that I’d been 
> ‘using’.
> 
> Removing Spambayes fixed the issue. Dunno whether this will have an effect on 
> the amount of spam, but I suspect that it hadn’t done anything useful for 
> some time.
> 
> What would have helped - and I’ve no idea how feasible this is - would be 
> some tooling to pull out different versions of the message as they flow 
> through the queues.
> 
> Interesting how long latent bugs can lie around, isn’t it?
> 
> Tim
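
On why a filter that rewrites long headers can invalidate a DKIM signature: the following added example (not from this thread) implements the two header canonicalizations of RFC 6376 section 3.4 and compares what each tolerates. The To: header and the three variants are constructed sample input, and the function names are this example's own.

```python
import re


def canon_simple(field):
    # RFC 6376 3.4.1: the header field is used exactly as received.
    return field


def canon_relaxed(field):
    # RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace runs,
    # drop whitespace around the colon and at the end of the value.
    name, value = field.split(":", 1)
    value = value.rstrip("\r\n")
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim WSP
    return name.rstrip(" \t").lower() + ":" + value + "\r\n"


CANON = {"simple": canon_simple, "relaxed": canon_relaxed}


def survives(signed, received, mode):
    """True if the header hashes identically before and after transit."""
    return CANON[mode](signed) == CANON[mode](received)


# Constructed sample: the header as it was signed ...
SIGNED = "To: alice@example.org,bob@example.org,\r\n carol@example.org\r\n"
# ... refolded only at whitespace that already existed ...
REFOLDED = "To: alice@example.org,bob@example.org, carol@example.org\r\n"
# ... and refolded after a comma that had no whitespace behind it.
INSERTED = "To: alice@example.org,\r\n bob@example.org,\r\n carol@example.org\r\n"

if __name__ == "__main__":
    for label, variant in (("refolded", REFOLDED), ("inserted", INSERTED)):
        for mode in CANON:
            ok = survives(SIGNED, variant, mode)
            print(f"{label:9} {mode:8} {'verifies' if ok else 'BROKEN'}")
```

Relaxed canonicalization absorbs a change in where existing whitespace is folded, but a fold placed where the signed header had no whitespace adds a space to the unfolded value and breaks both modes.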





[pfx] Fwd: [S-announce] s-dkim-sign: addendum: ed25519 keys not usable with v0.6.0

2024-05-03 Thread Steffen Nurpmeso via Postfix-users
Hello.

I am very sorry to disturb again, but please allow me that one in
addition.

(Btw i will not forward *that*, but by the next weekend i will
have released another version of s-postgray which fixes a bug and
gains a new "no-timeout" mode, ie, entries which are so old that
their last usage time cannot be represented are kept, and only (as
many as needed of) those will be garbage collected (unless that is
not enough).  I thought that is a good addition.)

Sorry for the inconvenience, shall you have downloaded and used
(an ed25519 key with) s-dkim-sign (already).

--- Forwarded from Steffen Nurpmeso  ---
Date: Sat, 04 May 2024 02:47:40 +0200
...
Thanks a lot to juef i have to give the advice that users of
s-dkim-sign cannot enable the ed25519-sha256 key type.

Shall the IETF publish an asn1-ed25519-sha256 key type then this
will do (i *think*; after doing the name adjustments etc), but
ed25519 as of RFC 8463 is not supported.

The rsa-sha256 that everybody uses should do fine, though, and
i have restricted my own key usage accordingly.

I will publish a v0.6.1 after some delay which does hard-disable
this key type.

Sorry for the inconvenience!

Ciao!
...
 -- End forward <20240504004740.Tx-M0L_r@steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)