[pfx] Re: transport_maps question
If I don’t set the recipient table, what’s the trouble?

Thanks

On 2024-10-30 21:05, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Oct 30, 2024 at 08:57:32PM +0800, Adriel via Postfix-users wrote:
>
>> I have another question. Suppose I have two domains: foo.com and bar.com.
>> Both point to an MX server: mx1.sample.com. However, on mx1.sample.com, I
>> want to route bar.com's emails to mx2.sample.com, because mx2.sample.com has
>> the complete user database for bar.com, and mx2.sample.com is only
>> accessible from restricted IP addresses. In mx1.sample.com's postfix
>> configuration, I'm using the following settings:
>>
>>     relay_domains = bar.com
>>     transport_maps = inline:{
>>         { bar.com = relay:[mx2.sample.com] }}
>>
>> Is this configuration correct? Thank you.
>
> Correct, but not complete, it is missing a recipient table for the relay
> domain, you need:
>
>     # Real table if more than a handful of users.
>     relay_recipient_maps = inline:{
>         { la...@bar.com = exists },
>         { moe@bar.com = exists },
>         { cu...@bar.com = exists },
>         }

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Options to deal with aliases to external domains in DANE setup?
Dear Postfix folks,

We use an external company for managing job applications. We set up the
domain jobs.molgen.mpg.de as an alias, and the domain is used in email
addresses for sending and receiving emails.

    $ host jobs.molgen.mpg.de
    jobs.molgen.mpg.de is an alias for cs-balancers-1.b-ite.com.
    cs-balancers-1.b-ite.com has address 62.204.161.138
    cs-balancers-1.b-ite.com has address 62.204.161.137
    cs-balancers-1.b-ite.com has IPv6 address 2a02:f90:0:195::105a
    cs-balancers-1.b-ite.com has IPv6 address 2a02:f90:0:195::105b
    cs-balancers-1.b-ite.com mail is handled by 1 mail.b-ite.com.

We are using DANE, but of course the external service provider does not.
Internally I configured the tls_policy *dane-only* for
molgen.mpg.de/.molgen.mpg.de which of course leads to trouble in this
situation. To work around it, I now have:

    molgen.mpg.de       dane-only
    .molgen.mpg.de      dane-only
    jobs.molgen.mpg.de  encrypt

Should I just switch to *dane* and be done with it, leave the special case
entry above and harden it to *secure*, or somehow configure our server as
MX, and then let it deliver the message to the external service provider
SMTP server?

Kind regards,

Paul

PS: The external service provider of course does not have the best security
configuration [1].

> Servers that don't enforce cipher suite preferences select the first
> cipher suite they support from the list provided by clients. This approach
> doesn't guarantee that best-possible cipher suite is negotiated.
>
> Even though this server supports TLS 1.2, the cipher suite configuration
> is suboptimal. We recommend that you reconfigure the server so that the
> cipher suites providing forward secrecy (ECDHE or DHE in the name, in this
> order of preference) and authenticated encryption (GCM or CHACHA20 in the
> name) are at the top. The server must also be configured to select the
> best-available suite.

[1]: https://www.hardenize.com/report/jobs.molgen.mpg.de/1730279877#email_tls
[pfx] transport_maps question
Dear list,

I have another question. Suppose I have two domains: foo.com and bar.com.
Both point to an MX server: mx1.sample.com. However, on mx1.sample.com, I
want to route bar.com's emails to mx2.sample.com, because mx2.sample.com has
the complete user database for bar.com, and mx2.sample.com is only
accessible from restricted IP addresses. In mx1.sample.com's postfix
configuration, I'm using the following settings:

    relay_domains = bar.com
    transport_maps = inline:{
        { bar.com = relay:[mx2.sample.com] }}

Is this configuration correct? Thank you.
[pfx] Re: transport_maps question
On Wed, Oct 30, 2024 at 08:57:32PM +0800, Adriel via Postfix-users wrote:

> I have another question. Suppose I have two domains: foo.com and bar.com.
> Both point to an MX server: mx1.sample.com. However, on mx1.sample.com, I
> want to route bar.com's emails to mx2.sample.com, because mx2.sample.com has
> the complete user database for bar.com, and mx2.sample.com is only
> accessible from restricted IP addresses. In mx1.sample.com's postfix
> configuration, I'm using the following settings:
>
>     relay_domains = bar.com
>     transport_maps = inline:{
>         { bar.com = relay:[mx2.sample.com] }}
>
> Is this configuration correct? Thank you.

Correct, but not complete, it is missing a recipient table for the relay
domain, you need:

    # Real table if more than a handful of users.
    relay_recipient_maps = inline:{
        { la...@bar.com = exists },
        { moe@bar.com = exists },
        { cu...@bar.com = exists },
        }

-- 
    Viktor.
[pfx] Re: Cloudmark CSI
Dear.

Here is link.
https://csi.cloudmark.com/en/reset/

___
Best Regards
Andriy Pachkovskyy
Mob. tel. +48504122924
Mob. tel. +380679421834
Sip tel. 220...@lviv-ua.com
Email: ap...@lviv-ua.com
Jabber: ap...@lviv-ua.com

On Wed, 30 Oct 2024 16:48:04 +0800 Adriel via Postfix-users wrote:
> Some of my messages were rejected by cloudmark CSI though the message
> content was totally valid. Do you know this BL provider? Is it a
> reliable one? Thank you.
[pfx] Re: Cloudmark CSI
Adriel via Postfix-users wrote on 2024-10-30 09:48:
> Some of my messages were rejected by cloudmark CSI though the message
> content was totally valid. Do you know this BL provider? Is it a
> reliable one? Thank you.

logs ?

CSI gives a reject message to follow sorting out, but end users can't, so
ask your mailhoster, give them the reject message
[pfx] Re: Cloudmark CSI
If you have Cloudmark in your system you will see...

    11:30:51.091 5 EXTFILTER inp(105): 2757 ADDHEADER "X-Junk-Score: 69 [XX]\eX-SpamCatcher-Score: 69 [XX]\e (100%)\tBODY: likely offers spam"
    11:30:51.091 4 EXTFILTER [5414373] ADDHEADER(X-Junk-Score: 69 [XX]\nX-SpamCatcher-Score: 69 [XX]\n (100%)\tBODY: likely offers) completed

But other end just see reject and nothing more.
To unblock just fill up form and wait +/- hours.

___
Best Regards
Andriy Pachkovskyy
Mob. tel. +48504122924
Mob. tel. +380679421834
Sip tel. 220...@lviv-ua.com
Email: ap...@lviv-ua.com
Jabber: ap...@lviv-ua.com

On Wed, 30 Oct 2024 18:20:27 +0100 Benny Pedersen via Postfix-users wrote:
> APach via Postfix-users wrote on 2024-10-30 17:35:
>
>> https://csi.cloudmark.com/en/reset/
>
> the reject messages is more correct, your help is here bogus, sorry
[pfx] Re: Cloudmark CSI
APach via Postfix-users wrote on 2024-10-30 17:35:
> https://csi.cloudmark.com/en/reset/

the reject messages is more correct, your help is here bogus, sorry
[pfx] Re: two MX servers question
Adriel via Postfix-users:
> If users are added in main MX, how can they be synchronized to backup MX
> for relay access?

Use Postfix recipient address verification.
https://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

This populates a valid recipient address cache on the remote MX.
Doing this makes sense if your list of valid addresses changes often.
Otherwise just use a static list.

For this to work, both local and remote MX should have the same MX
preference, with the remote MX having a transport_maps setting that
routes your domain to the local MX. Both MXes should have the same
anti-spam policy.

On the remote MX:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        # reject_unauth_destination is not needed here if the mail
        # relay policy is specified under smtpd_relay_restrictions
        # (available with Postfix 2.10 and later).
        reject_unauth_destination
        ...
        reject_unverified_recipient
        ...
    # Privacy feature.
    # unverified_recipient_reject_reason = Address lookup failed

    # Forward this domain to the local MX. The [] are required.
    relay_domains = example.com
    transport_maps = inline:{
        { example.com = relay:[local-mx.example.com] }}

The tricky part is the "same anti-spam policy" part.

        Wietse
[pfx] Re: Cloudmark CSI
Adriel via Postfix-users:
> Some of my messages were rejected by cloudmark CSI though the message
> content was totally valid. Do you know this BL provider? Is it a
> reliable one? Thank you.

Isn't that an **IP based** reputation service?

        Wietse
[pfx] Re: Options to deal with aliases to external domains in DANE setup?
On Wed, Oct 30, 2024 at 02:14:26PM +0100, Paul Menzel via Postfix-users wrote:

> We are using DANE, but of course the external service provider does not.
> Internally I configured the tls_policy *dane-only* for
> molgen.mpg.de/.molgen.mpg.de which of course leads to trouble in this
> situation. To work around it, I now have:
>
>     molgen.mpg.de       dane-only
>     .molgen.mpg.de      dane-only
>     jobs.molgen.mpg.de  encrypt
>
> Should I just switch to *dane* and be done with it, leave the special case
> entry above and harden it to *secure*, or somehow configure our server as
> MX, and then let it deliver the message to the external service provider
> SMTP server.

Both the current setup and the alternative are valid choices. All
depends on how concerned you are that some parts of your domain might by
accident end up with non-DANE MX hosts, and you'd possibly be vulnerable
to MiTM attacks when sending mail to various "molgen" domains.

While there's only one exception, managing the exception doesn't look
onerous. You could also select specific ".molgen.mpg.de" subdomains for
"dane-only" and use opportunistic DANE TLS for the rest. Your call.

-- 
    Viktor.
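The lookup order behind the three-line policy table discussed above, as an added Python model (not Postfix code and not from the thread): the exact next-hop domain is tried first, then each parent domain with a leading dot. The default level `may` and the subdomain `lists.molgen.mpg.de` are assumptions made for illustration.

```python
"""Model of Postfix SMTP-client TLS policy table lookup (added example)."""

DEFAULT_LEVEL = "may"  # assumed smtp_tls_security_level; the thread does not state it

# Policy table as posted in the thread.
CURRENT = {
    "molgen.mpg.de": "dane-only",
    ".molgen.mpg.de": "dane-only",
    "jobs.molgen.mpg.de": "encrypt",
}

# Suggested alternative: dane-only for selected names, opportunistic DANE for the rest.
# "lists.molgen.mpg.de" is a hypothetical subdomain used only for illustration.
ALTERNATIVE = {
    "molgen.mpg.de": "dane-only",
    "lists.molgen.mpg.de": "dane-only",
    ".molgen.mpg.de": "dane",
}


def lookup_keys(nexthop):
    """Return the table keys tried for a next-hop, in order."""
    nexthop = nexthop.lower()
    if nexthop.startswith("[") or ":" in nexthop:
        return [nexthop]  # [host] or host:port forms are matched exactly only
    keys, rest = [nexthop], nexthop
    while "." in rest[1:]:
        rest = rest[rest.index(".", 1):]  # strip one label, keep the leading dot
        keys.append(rest)
    return keys


def policy_for(table, nexthop):
    """Return (matching key, level); key is None when the default applies."""
    for key in lookup_keys(nexthop):
        if key in table:
            return key, table[key]
    return None, DEFAULT_LEVEL


def not_dane_only(table, nexthops):
    """Next-hops that can be delivered without mandatory DANE, with their level."""
    levels = {d: policy_for(table, d)[1] for d in nexthops}
    return {d: lvl for d, lvl in levels.items() if lvl != "dane-only"}


if __name__ == "__main__":
    for name in ("molgen.mpg.de", "jobs.molgen.mpg.de", "a.b.molgen.mpg.de"):
        print(name, lookup_keys(name), policy_for(CURRENT, name))
```

The `.molgen.mpg.de` key is never tried for the apex `molgen.mpg.de` itself, which is why the posted table carries both entries. Running `not_dane_only` over the list of domains you actually send to shows which ones fall outside mandatory DANE under either table.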
[pfx] Re: transport_maps question
On Wed, Oct 30, 2024 at 09:11:13PM +0800, Adriel wrote:

> If I don’t set the recipient table, what’s the trouble?

You'll accept mail to non-existent recipients, which will later bounce,
and if spam and perhaps a joe-job, will annoy the forged senders and
damage the reputation of your system.

Also helps to avoid congestion in your queue trying to deliver all those
bounces to non-responsive MX hosts of forged sender addresses.

-- 
    Viktor.
[pfx] Re: Cloudmark CSI
On 2024-10-31 01:44, APach via Postfix-users wrote:
> If you have Cloudmark in your system you will see...
>
>     11:30:51.091 5 EXTFILTER inp(105): 2757 ADDHEADER "X-Junk-Score: 69 [XX]\eX-SpamCatcher-Score: 69 [XX]\e (100%)\tBODY: likely offers spam"
>     11:30:51.091 4 EXTFILTER [5414373] ADDHEADER(X-Junk-Score: 69 [XX]\nX-SpamCatcher-Score: 69 [XX]\n (100%)\tBODY: likely offers) completed
>
> But other end just see reject and nothing more.
> To unblock just fill up form and wait +/- hours.

update: I have filled up the form in their web and few hours later they
unblocked my IP.

Thanks.
[pfx] Cloudmark CSI
Some of my messages were rejected by cloudmark CSI though the message content was totally valid. Do you know this BL provider? Is it a reliable one? Thank you.