[pfx] Re: postfix reload writing to stderr
On 2025-02-03 at 13:07:38 UTC-0500 (Mon, 3 Feb 2025 13:07:38 -0500)
Dan Mahoney via Postfix-users is rumored to have said:

> When calling “postfix reload”, should "postfix/postfix-script: refreshing the
> Postfix mail system” be written to stderr?

Yes.

> It’s not an error, and it feels like this message should go to stdout, or
> that there should be a command-line option to suppress non-error messages.

It is really more useful to think of stderr as diagnostic output or meta-output rather than strictly errors.

--
Bill Cole
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] smtpd_end_of_data_restrictions and check_policy_service
Hello,

I have a question about smtpd_end_of_data_restrictions. In the documentation under the following link https://www.postfix.org/SMTPD_ACCESS_README.html#lists there is an example which looks like this:

    # Enforce mail volume quota via policy service callouts.
    smtpd_end_of_data_restrictions = check_policy_service unix:private/policy

If I configure this as follows:

    smtpd_end_of_data_restrictions = check_policy_service inet:imap.server.tld:12340

I get the following WARNING message in the Dovecot log:

    quota-status(5043): Warning: Received policy query from MTA in unexpected state END-OF-MESSAGE (service can only be used for recipient restrictions)

However, if I use smtpd_recipient_restrictions = check_policy_service inet:imap.server.tld:12340, I get NO WARNING.

Is the example here correct, or should the WARNING in Dovecot be taken into account?

Thanks in advance!

Greetings
Klaus.

Versions:
postfix = 3.9.1-2
dovecot = 2.3.21.1-1

--
---
e-Mail : kl...@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---
[pfx] Re: IP discard for authenticated e-mails
On Mon, Feb 03, 2025 at 05:56:45PM -0500, Wietse Venema via Postfix-users wrote:

> There is no built-in feature to delete IP addresses from headers.

But, given the expected header form, it is not difficult to craft a PCRE table that does the job well.

> If this is for messages submitted on port 587 (submission) or 465
> (smtps or submissions), then you can simply delete all Received:
> message headers, because there should be only one.
>
> master.cf:
>
>     submission .. .. .. .. .. .. .. smtpd
>         -o { header_checks = pcre:{{/^Received:/ IGNORE}} }
>         ...other -o options...
>
>     submissions .. .. .. .. .. .. .. smtpd
>         -o { header_checks = pcre:{{/^Received:/ IGNORE}} }
>         ...other -o options...
>
> This is much simpler than some of the on-line discussions.

Though one might want to be prepared to encounter more friction for outbound mail lacking all upstream Received headers. These tend to be classed more "spammy".

--
Viktor.
[pfx] Re: IP discard for authenticated e-mails
Ellie via Postfix-users:
> On 2/3/25 11:56 PM, Wietse Venema via Postfix-users wrote:
> > If this is for messages submitted on port 587 (submission) or 465
> > (smtps or submissions), then you can simply delete all Received:
> > message headers, because there should be only one.
>
> Thanks so much for your helpful response! I wonder, does postfix reject
> unauthenticated mail from port 587 and 465, in the common config where
> open relay access is disabled? From reading my own master.cf I feel like
> it doesn't. Wouldn't it then strip from some external incoming mail as
> well? That would seem a little strange.

The submission configurations as distributed have smtpd_recipient_restrictions=permit_sasl_authenticated,reject which will reject mail without SASL login.

Wietse
[pfx] IP discard for authenticated e-mails
Dear postfix users group,

Sorry if this is the wrong place to ask, or if this is a nonsensical question.

But it seems to me that discarding the exact end-user device IP from e-mails sent via any authenticated path is going to be a common scenario in today's more privacy aware age.

Yet, it seems to be somewhat convoluted to do: https://askubuntu.com/a/78168 (My apologies if this is easy to all you experts, but I feel like to most postfix newcomers this is going to look somewhat difficult.)

Is there any easier approach for doing this? Or was there ever a consideration for doing a simple yes/no option as a new feature for postfix, which omits the sender IP address from authenticated(!) incoming mail? I feel like there might be a wider demand for that.

Regards,
ell1e
[pfx] Re: IP discard for authenticated e-mails
On 2/4/25 4:15 AM, Wietse Venema via Postfix-users wrote:
> Ellie via Postfix-users:
>
> The submission configurations as distributed have
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject which will
> reject mail without SASL login.
>
> Wietse

Thank you so much for the clarifying response! Sorry for the confused questions, I hope this is helpful for somebody in the future finding it via search engines.

Regards,
ell1e
[pfx] Re: IP discard for authenticated e-mails
On 2/3/25 11:56 PM, Wietse Venema via Postfix-users wrote:
> master.cf:
>
>     submission .. .. .. .. .. .. .. smtpd
>         -o { header_checks = pcre:{{/^Received:/ IGNORE}} }
>         ...other -o options...
>
>     submissions .. .. .. .. .. .. .. smtpd
>         -o { header_checks = pcre:{{/^Received:/ IGNORE}} }
>         ...other -o options...
>
> This is much simpler than some of the on-line discussions.

I tested this out now, interestingly I get this issue:

    mail-1 | /usr/sbin/postconf: fatal: file /etc/postfix/master.cf: line 16: bad field count

(Sorry if I did something super obvious wrong!) Is my postfix version perhaps too old? I seem to be running 3.9.1 at the moment, as packaged by Alpine Linux.

Regards,
ell1e
[pfx] Re: postfix reload writing to stderr
Bill Cole via Postfix-users:
> On 2025-02-03 at 13:07:38 UTC-0500 (Mon, 3 Feb 2025 13:07:38 -0500)
> Dan Mahoney via Postfix-users
> is rumored to have said:
>
> > When calling “postfix reload”, should "postfix/postfix-script: refreshing
> > the Postfix mail system” be written to stderr?
>
> Yes.
>
> > It’s not an error, and it feels like this message should go to stdout, or
> > that there should be a command-line option to suppress non-error messages.
>
> It is really more useful to think of stderr as diagnostic output or
> meta-output rather than strictly errors.

For practical reasons, all info (debug), warning, etc., messages are sent to stderr, so that they won't mess up the 'data' output from programs such as postcat, postmap, postqueue, and so on.

As Bill observes, some of these are non-error outputs.

Wietse
[pfx] Re: IP discard for authenticated e-mails
Ellie via Postfix-users:
> Dear postfix users group,
>
> Sorry if this is the wrong place to ask, or if this is a nonsensical
> question.
>
> But it seems to me that discarding the exact end-user device IP from
> e-mails sent via any authenticated path is going to be a common scenario
> in today's more privacy aware age.
>
> Yet, it seems to be somewhat convoluted to do:
> https://askubuntu.com/a/78168 (My apologies if this is easy to all you
> experts, but I feel like to most postfix newcomers this is going to look
> somewhat difficult.)
>
> Is there any easier approach for doing this? Or was there ever a
> consideration for doing a simple yes/no option as a new feature for
> postfix, which omits the sender IP address from authenticated(!)
> incoming mail? I feel like there might be a wider demand for that.

There is no built-in feature to delete IP addresses from headers.

If this is for messages submitted on port 587 (submission) or 465 (smtps or submissions), then you can simply delete all Received: message headers, because there should be only one.

master.cf:

    submission .. .. .. .. .. .. .. smtpd
        -o { header_checks = pcre:{{/^Received:/ IGNORE}} }
        ...other -o options...

    submissions .. .. .. .. .. .. .. smtpd
        -o { header_checks = pcre:{{/^Received:/ IGNORE}} }
        ...other -o options...

This is much simpler than some of the on-line discussions.

Wietse
[pfx] Re: Searching for old Postfix 2.0.6 RPM-packaged for Red Hat 6.2 (classic)
On 4/02/25 09:53, Emmanuel Seyman via Postfix-users wrote:
> * Josh Good via Postfix-users [31/01/2025 00:37] :
> > There were community-provided RPM packages of Postfix for Red Hat 6.2
> > (Classic), as noted in the original post for this thread, but none of
> > them seems to have survived on any publicly accessible repository today.
>
> I had the pleasure of meeting Simon Mudd this weekend at FOSDEM and
> thanked him for making these rpms (and the corresponding .src.rpm).
> They made my life considerably easier 25 years ago.
> He was somewhat surprised to see someone remember that project...
>
> > But I'm sure it is archived privately in many places. If just this was
> > read by any such archivists...
>
> Simon told me that the tools that he used to build his rpms are still on
> github: https://github.com/sjmudd/postfix-rpm
>
> You should be able to build your own rpm pretty easily.

And that site has a link to his old (now defunct) site where the rpms themselves are hosted:

http://postfix.wl0.org/

This site no longer exists, but there's a copy on the wayback machine, which leads to this page for Red Hat Linux 6.2 Postfix 2.0 RPMs:

https://web.archive.org/web/20160426072839/http://ftp.wl0.org/official/2.0/RPMS-rh6x-i386/

...and checking the latest of these, it's still archived and can be downloaded:

https://web.archive.org/web/20160426072839/http://ftp.wl0.org/official/2.0/RPMS-rh6x-i386/postfix-2.0.20-1.rh6x.i386.rpm

...which appears to be the exact rpm you're after!

Peter
[pfx] Re: Searching for old Postfix 2.0.6 RPM-packaged for Red Hat 6.2 (classic)
* Josh Good via Postfix-users [31/01/2025 00:37] :
>
> There were community-provided RPM packages of Postfix for Red Hat 6.2
> (Classic), as noted in the original post for this thread, but none of
> them seems to have survived on any publicly accessible repository today.

I had the pleasure of meeting Simon Mudd this weekend at FOSDEM and thanked him for making these rpms (and the corresponding .src.rpm). They made my life considerably easier 25 years ago. He was somewhat surprised to see someone remember that project...

> But I'm sure it is archived privately in many places. If just this was
> read by any such archivists...

Simon told me that the tools that he used to build his rpms are still on github: https://github.com/sjmudd/postfix-rpm

You should be able to build your own rpm pretty easily.

Emmanuel
[pfx] Re: IP discard for authenticated e-mails
On 2/3/25 11:56 PM, Wietse Venema via Postfix-users wrote:
> If this is for messages submitted on port 587 (submission) or 465
> (smtps or submissions), then you can simply delete all Received:
> message headers, because there should be only one.

Thanks so much for your helpful response! I wonder, does postfix reject unauthenticated mail from port 587 and 465, in the common config where open relay access is disabled? From reading my own master.cf I feel like it doesn't. Wouldn't it then strip from some external incoming mail as well? That would seem a little strange.

Regards,
ell1e
[pfx] Re: IP discard for authenticated e-mails
On 2/4/25 2:25 AM, Viktor Dukhovni via Postfix-users wrote:
> Though one might want to be prepared to encounter more friction for
> outbound mail lacking all upstream Received headers. These tend to be
> classed more "spammy".

This made me curious, and I've checked a bunch of incoming mail. Many mails seem to replace the Received: headers that I assume previously listed individual clients, by listing some internal submission proxy instead. (Whether that proxy even exists, or is made up, or who knows.) That seems like a workaround for that issue.

I'm still wondering if a postfix config option for this use case would help a lot of people.

Regards,
ell1e
[pfx] Re: postfix reload writing to stderr
Dan Mahoney via Postfix-users:
> All,
>
> This is the most minor problem, but I'll bring it up.
>
> We use Lets Encrypt for our certs (using the Dehydrated client),
> and call a 'postfix reload' as part of the hook script if a cert
> has been renewed.
>
> We also wrapper this with 'cronic' which works not under the old
> cron principle that 'all cron jobs should be silent and output
> only in an error' (which means by the time you've got an error,
> you've lost context), but instead, that you'll get all a script's
> output if it either exits with a bad error code, *or* writes to
> stderr.
>
> So the issue:
>
> When calling 'postfix reload', should "postfix/postfix-script:
> refreshing the Postfix mail system" be written to stderr? It's
> not an error, and it feels like this message should go to stdout,
> or that there should be a command-line option to suppress non-error
> messages.
>
> Obviously, in my hook script, I can redirect stderr to /dev/null,
> but this means I might miss 'real' errors.

If the output bothers you, use grep.

    postfix reload 2>&1 | grep -v "refreshing the Postfix mail system"

In the past people have complained that Postfix programs produced NO OUTPUT when not run from a terminal. So now we have a luxury problem of output where it is not desired.

Wietse
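A variant for the hook-script case discussed in this thread, as an added example that is not part of any poster's message: it drops only the known informational line from stderr, leaves every other stderr line on stderr (so a wrapper such as cronic still sees it), and returns the command's own exit status rather than grep's. The function name `quiet_notice`, the `fake_reload_*` stand-ins and their warning/failure texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: filter one known informational line out of stderr without
# hiding real diagnostics or the command's exit status.

NOTICE='refreshing the Postfix mail system'   # message text quoted in the thread

# quiet_notice CMD [ARGS...]
#   stdout : passed through untouched
#   stderr : captured, lines containing $NOTICE dropped, the rest re-emitted
#            on stderr once CMD has finished
#   status : CMD's own exit status (in plain sh, "CMD 2>&1 | grep -v ..."
#            reports grep's status instead)
quiet_notice() {
    qn_err=$(mktemp) || return 1
    qn_status=0
    "$@" 2>"$qn_err" || qn_status=$?
    # grep -v exits 1 when every line was filtered out; that is the quiet case.
    grep -v -F -- "$NOTICE" "$qn_err" >&2 || true
    rm -f "$qn_err"
    return "$qn_status"
}

# Constructed stand-ins for "postfix reload", so this runs without Postfix.
fake_reload_ok() {
    echo "postfix/postfix-script: $NOTICE" >&2
}
fake_reload_warn() {      # succeeds, but emits a (constructed) warning too
    echo "postfix/postfix-script: warning: constructed sample warning" >&2
    echo "postfix/postfix-script: $NOTICE" >&2
}
fake_reload_broken() {    # fails with a (constructed) fatal message
    echo "postfix/postfix-script: fatal: constructed sample failure" >&2
    return 1
}

# "sh thisfile demo" shows all three cases. In a real hook script the call
# would be:  quiet_notice postfix reload
if [ "${1:-}" = demo ]; then
    for f in fake_reload_ok fake_reload_warn fake_reload_broken; do
        s=0
        quiet_notice "$f" || s=$?
        echo "$f -> exit $s"
    done
fi
```

Because stderr is buffered in a temporary file, the surviving lines appear after the command finishes, which is fine for a cron job but loses interleaving with stdout.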
[pfx] postfix reload writing to stderr
All,

This is the most minor problem, but I’ll bring it up.

We use Lets Encrypt for our certs (using the Dehydrated client), and call a “postfix reload” as part of the hook script if a cert has been renewed.

We also wrapper this with ‘cronic’ which works not under the old cron principle that “all cron jobs should be silent and output only in an error” (which means by the time you’ve got an error, you’ve lost context), but instead, that you’ll get all a script’s output if it either exits with a bad error code, *or* writes to stderr.

So the issue:

When calling “postfix reload”, should "postfix/postfix-script: refreshing the Postfix mail system” be written to stderr? It’s not an error, and it feels like this message should go to stdout, or that there should be a command-line option to suppress non-error messages.

Obviously, in my hook script, I can redirect stderr to /dev/null, but this means I might miss “real” errors.

-Dan
[pfx] Re: smtpd_end_of_data_restrictions and check_policy_service
Hello,

just so I understand correctly, the recommendation would be to use smtpd_end_of_data_restrictions, despite the warning in the Dovecot log?

Thank you
Klaus.

On 2/3/25 17:39, Wietse Venema via Postfix-users wrote:
> Klaus Tachtler via Postfix-users:
> > Hello,
> >
> > I have a question about smtpd_end_of_data_restrictions. In the
> > documentation under the following link
> > https://www.postfix.org/SMTPD_ACCESS_README.html#lists there is an
> > example which looks like this:
> >
> > # Enforce mail volume quota via policy service callouts.
> > smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
> >
> > If I configure this as follows:
> >
> > smtpd_end_of_data_restrictions = check_policy_service
> > inet:imap.server.tld:12340
> >
> > I get the following WARNING message in the Dovecot log:
> >
> > quota-status(5043): Warning: Received policy query from MTA in
> > unexpected state END-OF-MESSAGE (service can only be used for recipient
> > restrictions)
>
> quota-status complains that it must not be called after end-of-data.
> So, don't do that.
>
> One message can have multiple recipients, and if one recipient is
> over quota, only that recipient must be rejected.
>
> > However, if I use smtpd_recipient_restrictions = check_policy_service
> > inet:imap.server.tld:12340, I get NO WARNING.
>
> Are you surprised that quota-status is not logging the above warning?
> If not that warning, what other warning?
>
> > Is the example here correct, or should the WARNING in Dovecot be taken
> > into account?
>
> Postfix receives a non-error response from quota-status, so it will
> not complain.
>
> Wietse

--
---
e-Mail : kl...@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---
[pfx] Re: smtpd_end_of_data_restrictions and check_policy_service
Klaus Tachtler via Postfix-users:
> Hello,
>
> just so I understand correctly, the recommendation would be to use
> smtpd_end_of_data_restrictions, despite the warning in the Dovecot log?

No. The recommendation is to use the software as intended by its author, not at end-of-data.

Wietse
[pfx] Re: smtpd_end_of_data_restrictions and check_policy_service
Hello,

thanks for the clarification.

Regards
Klaus.

- Message from Wietse Venema via Postfix-users -
    Date: Mon, 3 Feb 2025 12:02:59 -0500 (EST)
    From: Wietse Venema via Postfix-users
    Reply-To: Wietse Venema
    Subject: [pfx] Re: smtpd_end_of_data_restrictions and check_policy_service
    To: Postfix users

Klaus Tachtler via Postfix-users:
> Hello,
>
> just so I understand correctly, the recommendation would be to use
> smtpd_end_of_data_restrictions, despite the warning in the Dovecot log?

No. The recommendation is to use the software as intended by its author, not at end-of-data.

Wietse

- End of message from Wietse Venema via Postfix-users -

--
---
e-Mail : kl...@tachtler.net
Homepage: https://www.tachtler.net
DokuWiki: https://dokuwiki.tachtler.net
---
[pfx] Re: smtpd_end_of_data_restrictions and check_policy_service
Klaus Tachtler via Postfix-users:
> Hello,
>
> I have a question about smtpd_end_of_data_restrictions. In the
> documentation under the following link
> https://www.postfix.org/SMTPD_ACCESS_README.html#lists there is an
> example which looks like this:
>
> # Enforce mail volume quota via policy service callouts.
> smtpd_end_of_data_restrictions = check_policy_service unix:private/policy
>
> If I configure this as follows:
>
> smtpd_end_of_data_restrictions = check_policy_service
> inet:imap.server.tld:12340
>
> I get the following WARNING message in the Dovecot log:
>
> quota-status(5043): Warning: Received policy query from MTA in
> unexpected state END-OF-MESSAGE (service can only be used for recipient
> restrictions)

quota-status complains that it must not be called after end-of-data. So, don't do that.

One message can have multiple recipients, and if one recipient is over quota, only that recipient must be rejected.

> However, if I use smtpd_recipient_restrictions = check_policy_service
> inet:imap.server.tld:12340, I get NO WARNING.

Are you surprised that quota-status is not logging the above warning? If not that warning, what other warning?

> Is the example here correct, or should the WARNING in Dovecot be taken
> into account?

Postfix receives a non-error response from quota-status, so it will not complain.

Wietse
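The stage dependence discussed in this thread, shown with a toy policy-delegation responder; this is an added example, not part of any message above and not Dovecot's quota-status code. The quota table, addresses, reply text and function names are constructed; the request attributes are a subset of those Postfix sends, and the example relies on Postfix leaving `recipient` empty at END-OF-MESSAGE when more than one recipient was accepted.

```shell
#!/bin/sh
# Added example: a toy policy responder showing why a per-recipient quota
# check belongs in the RCPT stage and not at end-of-data.

# Constructed quota table: only this mailbox is "full".
over_quota() {
    case $1 in
        full@example.org) return 0 ;;
        *)                return 1 ;;
    esac
}

# policy_decide: read one request (name=value lines ended by an empty line)
# on stdin and print one reply ("action=..." followed by an empty line).
policy_decide() {
    pd_state='' pd_rcpt='' pd_count=0
    while IFS= read -r pd_line; do
        if [ -z "$pd_line" ]; then break; fi
        case $pd_line in
            protocol_state=*)  pd_state=${pd_line#*=} ;;
            recipient=*)       pd_rcpt=${pd_line#*=} ;;
            recipient_count=*) pd_count=${pd_line#*=} ;;
        esac
    done
    if [ "$pd_state" != RCPT ]; then
        # After end-of-data a reject would hit the whole message, and with
        # several recipients there is no single address left to look up.
        echo "policy: state $pd_state, recipient='$pd_rcpt'," \
             "recipient_count=$pd_count: no per-recipient decision possible" >&2
        printf 'action=DUNNO\n\n'
    elif over_quota "$pd_rcpt"; then
        printf 'action=552 5.2.2 Mailbox is full\n\n'   # constructed reply text
    else
        printf 'action=DUNNO\n\n'
    fi
}

# Constructed requests.
sample_rcpt_request() {   # $1 = recipient of the current RCPT TO
    printf '%s\n' 'request=smtpd_access_policy' 'protocol_state=RCPT' \
        'sender=alice@example.com' "recipient=$1" 'recipient_count=0' ''
}
sample_eod_request() {    # two accepted recipients, so recipient is empty
    printf '%s\n' 'request=smtpd_access_policy' \
        'protocol_state=END-OF-MESSAGE' 'sender=alice@example.com' \
        'recipient=' 'recipient_count=2' ''
}

# "sh thisfile demo" prints the three replies (and the stage warning).
if [ "${1:-}" = demo ]; then
    sample_rcpt_request full@example.org | policy_decide
    sample_rcpt_request ok@example.org   | policy_decide
    sample_eod_request                   | policy_decide
fi
```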