[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Matus UHLAR - fantomas via Postfix-users

> On Jul 31, 2024, at 1:19 AM, Matus UHLAR - fantomas via Postfix-users wrote:
>> FYI Mailman 2 claims to rewrite From: header to fulfill DMARC requirements only when DMARC policy
>> is "quarantine" or "reject"

On 01.08.24 12:12, Robert L Mathews via Postfix-users wrote:
> That's the "dmarc_moderation_action" option in the "Sender filters" section
> of the Mailman interface [1].
>
> But there's also another option in the General Options section called
> "from_is_list" [2] that does it for all messages.  If set to "Munge From",
> it "replaces the From: header address with the list's posting address to
> mitigate issues stemming from the original From: domain's DMARC or similar
> policies and puts the original From: address in a Reply-To: header".
>
> [1] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#Sender_filters
>
> [2] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#line-163

Yes, the latter applies generally for lists.  But I consider this difference irrelevant
because the topic is related to DMARC errors, and mailman 2's
dmarc_moderation_action applies when mail should be rejected because of
DMARC failure.


So, even setting DMARC policy to "quarantine" or "reject" would not cause 
problems. 


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
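
The "Munge From" behaviour quoted in the message above, as an added example that is not part of the original thread or of Mailman's code. It models relaxed DMARC alignment before and after the rewrite; the addresses, the list name, the "via" display name and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

LIST_ADDR = "users@lists.example.org"  # constructed list posting address
LIST_NAME = "Users"                    # constructed list name

RAW = """\
From: Alice <alice@example.com>
To: users@lists.example.org
Subject: hello

body text
"""  # constructed sample post

def org_domain(domain):
    # Simplification: last two labels; real DMARC consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_result(msg, passing_domains):
    """Relaxed alignment: pass if any SPF/DKIM-authenticated domain shares
    the organizational domain of the From: header address."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ok = any(org_domain(d) == org_domain(from_domain) for d in passing_domains)
    return "pass" if ok else "fail"

def munge_from(msg):
    """Model of "Munge From": list address in From:, original author in Reply-To:."""
    name, addr = parseaddr(msg["From"])
    del msg["Reply-To"]  # simplification: any existing Reply-To is replaced
    msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]
    # The "via" display name is an assumption modelled on this archive's headers.
    msg["From"] = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDR))
    return msg

def demo():
    # A footer added by the list breaks the author's DKIM signature, so the only
    # identifiers that still authenticate at the subscriber's MX are the list's.
    list_auth = ["lists.example.org"]
    unmunged = message_from_string(RAW)
    munged = munge_from(message_from_string(RAW))
    return (dmarc_result(unmunged, list_auth),
            dmarc_result(munged, list_auth),
            munged["Reply-To"])

if __name__ == "__main__":
    print(demo())  # DMARC before munging, after munging, and the new Reply-To
```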


[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Benny Pedersen via Postfix-users

Matus UHLAR - fantomas via Postfix-users skrev den 2024-08-05 11:57:

> So, even setting DMARC policy to "quarantine" or "reject" would not
> cause problems.


i want to believe when ... if all dmarc policy is allowed what should 
happen on the time when subscribers got this with a dmarc fail ?


mailman try imho to not make this happen, but imho all what mailman 
should have done is to tell subscriber not to post with a dmarc policy 
of quarantine or reject since mailman can break dkim and spf


wonderful world to live in

that's why smtpd_milter_maps exists in postfix to avoid reject maillist 
client ips


when postfix maillist ran on cloud9 it was well designed to not break 
dkim, and even if it sometimes happened it would not make majordomo 
unsubscribe users


we all lost now







[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Matus UHLAR - fantomas via Postfix-users

> Matus UHLAR - fantomas via Postfix-users skrev den 2024-08-05 11:57:
>> So, even setting DMARC policy to "quarantine" or "reject" would not
>> cause problems.


On 05.08.24 12:14, Benny Pedersen via Postfix-users wrote:
> i want to believe when ... if all dmarc policy is allowed what should
> happen on the time when subscribers got this with a dmarc fail ?
>
> mailman try imho to not make this happen, but imho all what mailman
> should have done is to tell subscriber not to post with a dmarc policy
> of quarantine or reject since mailman can break dkim and spf


mailman can as well avoid modification of e-mail and require correct DKIM.  
But that all means less mail delivered to lists like this one.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Steffen Nurpmeso via Postfix-users
Matus UHLAR - fantomas via Postfix-users wrote:
 |>Matus UHLAR - fantomas via Postfix-users skrev den 2024-08-05 11:57:
 |>>So, even setting DMARC policy to "quarantine" or "reject" would not 
 |>>cause problems.
 |
 |On 05.08.24 12:14, Benny Pedersen via Postfix-users wrote:
 |>i want to believe when ... if all dmarc policy is allowed what should 
 |>happen on the time when subscribers got this with a dmarc fail ?
 |>
 |>mailman try imho to not make this happen, but imho all what mailman 
 |>should have done is to tell subscriber not to post with a dmarc policy 
 |>of quarantine or reject since mailman can break dkim and spf
 |
 |mailman can as well avoid modification of e-mail and require correct \
 |DKIM.  
 |But that all means less mail delivered to lists like this one.

There are only two options: leave the message alone entirely, no
footer (never saw header), no Subject: etc, or "create a new
message", aka become the "author".  Or not, aka become the sender,
but leave the Author:, no one supports Author: but fewest,
unfortunately.  With SPF and thus one-hop-email, the latter may be
necessary even without any modification.

One can include the original, unchanged message as an RFC 822
attachment, mailman can do that.  But i was told that many MUAs
cannot properly deal with that, and one may hear complaints like
"clicking on that icon this and that [sic]", etc.
It is a pity there were no strong forces pushing applications
towards support of and for the century old envelope-in-envelope-
in-envelope way of layering, but this is where it is.
Btw the (brute simple, long way to go) MUA i maintain can regularly
"quote as attachment", i had seen this in the plan9 community, and
liked it over there, and so i did it .. used it for quite some
time, but then went away.  I mean, yes, it is better than the top
posting the giants were pushing through, practically, but what is
ok in that minimal-header-all-text-message world of Plan9 is
a terrible misfeature and nuisance with Gmail or Outlook header
convulsions.

--steffen


[pfx] reject_unknown_reverse_client_hostname issue

2024-08-05 Thread Joey J via Postfix-users
Hello All,

I'm getting rejections showing:
reject: RCPT from unknown[96.92.246.116]: 450 4.7.25 Client host rejected:
cannot find your hostname

But if I do an nslookup on the same box, it does resolve.
I thought this was purely if no reverse exists reject.

I have added this under:
smtpd_sender_restrictions

The goal, of course, is to reduce junk mail. Any suggestions?


-- 
Thanks!
Joey


[pfx] Re: reject_unknown_reverse_client_hostname issue

2024-08-05 Thread Viktor Dukhovni via Postfix-users
On Mon, Aug 05, 2024 at 09:00:48PM -0400, Joey J via Postfix-users wrote:

> I'm getting rejections showing:
> reject: RCPT from unknown[96.92.246.116]: 450 4.7.25 Client host rejected:
> cannot find your hostname

https://www.postfix.org/DEBUG_README.html#mail

- "postconf -nf" output (with verbatim whitespace/line breaks)
- "postconf -Mf" output (with verbatim whitespace/line breaks)

> But if I do an nslookup on the same box, it does resolve.
> I thought this was purely if no reverse exists reject.

Things could be different when DNS queries are issued from inside the
chroot jail (Debian/Ubuntu enable chroot for most Postfix services by
default) or when executed by the postfix user, rather than say root.

The lookup failure may also have been transient (as evidenced by the
"450" response code), though, after initial burn-in, you may not have
known to set:

plaintext_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550

The (initial safety net) defaults are:

plaintext_reject_code = 450
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450

These should be changed once you believe your configuration to be sound.

-- 
Viktor.
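
One way to check the chroot explanation given in the reply above, as an added example that is not part of the original thread or of Postfix. It lists which master.cf services run chrooted and compares the resolver files under the queue directory with the system copies; the file list and the `/var/spool/postfix` fallback path are assumptions.

```python
import filecmp
import os
import sys

# Files the libc resolver consults; a chrooted smtpd sees only the jail's copies.
RESOLVER_FILES = ("etc/resolv.conf", "etc/hosts", "etc/nsswitch.conf", "etc/services")

def chrooted_services(master_cf_text):
    """Return "name/type" for services whose chroot column (5th field) is "y"."""
    names = []
    for line in master_cf_text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue  # blank line, comment, or continuation of the previous entry
        fields = line.split()
        # "-" selects the built-in default, which is "n" since Postfix 3.0.
        if len(fields) >= 8 and fields[4] == "y":
            names.append(f"{fields[0]}/{fields[1]}")
    return names

def chroot_drift(jail, root="/"):
    """Map each resolver file to "missing" or "differs" when the jail copy
    is absent or not byte-identical to the system copy under root."""
    drift = {}
    for rel in RESOLVER_FILES:
        system_copy = os.path.join(root, rel)
        jail_copy = os.path.join(jail, rel)
        if not os.path.exists(system_copy):
            continue  # nothing to compare against
        if not os.path.exists(jail_copy):
            drift[rel] = "missing"
        elif not filecmp.cmp(system_copy, jail_copy, shallow=False):
            drift[rel] = "differs"
    return drift

if __name__ == "__main__":
    # Usage: postconf -Mf | python3 chroot_check.py "$(postconf -h queue_directory)"
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/postfix"
    print("chrooted services:", chrooted_services(sys.stdin.read()))
    print("resolver file drift:", chroot_drift(jail))
```

A stale `etc/resolv.conf` inside the jail would explain a lookup that works from a shell but fails in smtpd.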