[pfx] Re: TLSRPT missing negative feedback

2025-03-25 Thread Damian via Postfix-users

> > A tcpdump between smtp and smtpd shows a TCP handshake but no payload at
> > all.
>
> That looks like the remote SMTP server wants to use TLS wrappermode,
> but your Postfix SMTP client wants to use STARTTLS.


Ok, that was really dumb. Not seeing a banner should have given me a 
clue that I broke the remote smtpd. Indeed now I see a message on the 
tlsrpt socket indicating "starttls-not-supported".


I also just noticed the limitations described in the TLSRPT_README, 
which "non DNSSEC destination" seems to be one of.


> It does not report failure to connect, or connections that break
> before or after a TLS handshake
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
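The silent session described above (TCP handshake, then nothing) is what a STARTTLS client and a wrapper-mode server produce together: the client waits for the 220 banner, the server waits for a TLS ClientHello, and TLSRPT never sees a failure it could report. The following is an added example, not code from Postfix or from anyone in this thread, that makes the distinction visible from the outside: parse_ehlo() and classify() are pure functions that decide between "starttls", "plaintext-only" and "wrappermode" from what a server sent first, and probe_mx() drives them over a real socket. The host name "probe.invalid" used in EHLO and all sample replies in the tests are constructed.

```python
"""Tell a STARTTLS server from a wrapper-mode (implicit TLS) server.

Added illustration, not Postfix code. A STARTTLS client waits for the
server's 220 banner; a wrapper-mode server waits for the client's TLS
ClientHello. Neither side speaks first, so the session hangs after the
TCP handshake, which is what the tcpdump in the thread shows.
"""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass


@dataclass
class Verdict:
    mode: str    # "starttls", "plaintext-only", "wrappermode" or "unknown"
    detail: str


def parse_ehlo(reply: str) -> tuple[int, list[str]]:
    """Parse a multi-line SMTP reply such as "250-host\\r\\n250 STARTTLS\\r\\n".

    Returns (code, EHLO keywords upper-cased); the first line is the
    server's greeting, not a keyword. Raises ValueError on a malformed or
    truncated reply, so a half-read reply is never mistaken for
    "STARTTLS not advertised".
    """
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    codes: set[int] = set()
    keywords: list[str] = []
    for i, ln in enumerate(lines):
        if len(ln) < 4 or not ln[:3].isdigit() or ln[3] not in "- ":
            raise ValueError(f"malformed reply line: {ln!r}")
        codes.add(int(ln[:3]))
        is_last = ln[3] == " "
        if is_last != (i == len(lines) - 1):
            raise ValueError("reply truncated or text after final line")
        keywords.append(ln[4:].split(" ", 1)[0].upper())
    if len(codes) != 1:
        raise ValueError(f"inconsistent reply codes: {sorted(codes)}")
    return codes.pop(), keywords[1:]


def classify(initial: bytes | None, ehlo_reply: str | None) -> Verdict:
    """Decide what the server is doing from its first bytes and EHLO reply.

    initial is what arrived before the client sent anything (None or b""
    on timeout); ehlo_reply is the raw EHLO reply if a banner was seen.
    """
    if not initial:
        # Silence: the server is waiting for the client, most likely for a
        # TLS ClientHello (wrapper mode). A STARTTLS client waits for a 220
        # banner instead, so both sides sit idle after the TCP handshake.
        return Verdict("wrappermode", "no 220 banner before timeout")
    if not initial.startswith(b"220"):
        return Verdict("unknown", f"unexpected first bytes {initial[:16]!r}")
    if ehlo_reply is None:
        return Verdict("unknown", "banner seen but no EHLO reply")
    code, keywords = parse_ehlo(ehlo_reply)
    if code != 250:
        return Verdict("unknown", f"EHLO rejected with {code}")
    if "STARTTLS" in keywords:
        return Verdict("starttls", "STARTTLS advertised")
    return Verdict("plaintext-only", "no STARTTLS keyword in EHLO reply")


def _read_reply(sock: socket.socket) -> str:
    """Read until the final "NNN " line of a multi-line reply."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    return buf.decode("ascii", "replace")


def probe_mx(host: str, port: int = 25, timeout: float = 5.0,
             helo: str = "probe.invalid") -> Verdict:
    """Run the classifier against a live server (network I/O, not in tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            initial = s.recv(512)
        except socket.timeout:
            initial = None
        if initial:
            s.sendall(f"EHLO {helo}\r\n".encode())
            verdict = classify(initial, _read_reply(s))
            s.sendall(b"QUIT\r\n")
            return verdict
        # Confirm the wrapper-mode guess: a TLS handshake should succeed
        # where no banner came. Certificate checks are off because only the
        # protocol mode is under test here, not the server's identity.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                banner = tls.recv(512)
                return Verdict("wrappermode", f"TLS first, banner {banner[:40]!r}")
        except (ssl.SSLError, OSError) as exc:
            return Verdict("unknown", f"silent and TLS handshake failed: {exc}")
```

Run probe_mx("mx.example.com") against a host you control to see the three verdicts; a "wrappermode" verdict on port 25 is the configuration this thread hit, and TLSRPT will at most log "starttls-not-supported" for it, never the hang itself.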


[pfx] Re: TLSRPT missing negative feedback

2025-03-25 Thread Wietse Venema via Postfix-users
Damian via Postfix-users:
> I am currently doing some tests with Postfix 3.10 and postfix-tlspol 
> (using QUERYwithTLSRPT).
> 
> I see positive feedback for DANE as well as MTA-STS on the tlsrpt 
> socket. However, I was not able to produce negative feedback yet. In 
> case of "non DNSSEC destination", nothing is written to the tlsrpt 
> socket, and if I set smtpd_tls_security_level=no on an MX that handles a 
> DANE-enabled domain, the Postfix 3.10 smtp hangs after establishing the 

smtpd_tls_security_level is a SERVER feature that has zero effect
on outbound SMTP deliveries. When you report a problem you need to
be more accurate in how you describe your Postfix configuration.

https://www.postfix.org/DEBUG_README.html#mail

> TCP connection. The last log line is of the form
> 
> > smtp[1234567]: DNSSEC-signed TLSA record: _25._tcp.example.com: 3 1 1 
> > DEADBEEF...
> A tcpdump between smtp and smtpd shows a TCP handshake but no payload at 
> all.

That looks like the remote SMTP server wants to use TLS wrappermode,
but your Postfix SMTP client wants to use STARTTLS.

Wietse


[pfx] Re: Documentation: please update spamhaus / lists of access restrictions usage

2025-03-25 Thread Peter via Postfix-users

On 26/03/25 05:02, Wietse Venema via Postfix-users wrote:
> > "Reputation lists may have additional policies and restrictions that you
> > need to follow when using them, you should not configure a list in
> > Postfix until you are fully aware of its requirements."
> >
> > ...or something like that.
>
> Yeah. And as Spamhaus says, it is OK to use a public/open resolver
> as long as your queries use your unique API key.


Right, at the end of the day this is a due diligence thing where we're 
simply saying to follow the policies of the services that you use.  The 
fact that the vast majority of lists will not, by policy, work with a 
public resolver is simply the low hanging fruit here, but there are 
other policies that can cause issues as well (e.g. query limits or 
registration requirements).



> There are multiple issues that have to be compressed into a short text.
>
> "Respect the usage policies of reputation services. Avoid public
> or ISP resolvers, unless reputation queries use your unique API
> key."


This certainly covers all the issues, but I fear that it doesn't
emphasize the need to check usage policies before implementing a list.
It is acceptable, imo, but I would prefer to see more emphasis on this point.



Peter



[pfx] Re: Documentation: please update spamhaus / lists of access restrictions usage

2025-03-25 Thread Wietse Venema via Postfix-users
Peter via Postfix-users:
> On 25/03/25 07:43, Wietse Venema via Postfix-users wrote:
> 
> > Too late! I have already updated the documentation (on www.porcupine.org;
> > mirrors will pick it up in the next hour or so).
> 
> I'm guessing that you added this to postscreen_dnsbl_sites and 
> reject_rbl_client rbl_domain:
> 
> "NOTE: Always use a local non-forwarding resolver for DNS reputation 
> lookups. Avoid public resolvers or ISP resolvers."
> 
> I would suggest this as well:
> 
> "Reputation lists may have additional policies and restrictions that you 
> need to follow when using them, you should not configure a list in 
> Postfix until you are fully aware of its requirements."
> 
> ...or something like that.

Yeah. And as Spamhaus says, it is OK to use a public/open resolver
as long as your queries use your unique API key.

There are multiple issues that have to be compressed into a short text.

"Respect the usage policies of reputation services. Avoid public
or ISP resolvers, unless reputation queries use your unique API
key."

Wietse
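The resolver and usage-policy point made in the two messages above has a concrete failure mode: a reputation service that refuses a query (because it came from a public resolver, or the quota is exhausted) can answer with a code outside its documented listing range, and an MTA that treats any A record as "listed" will then reject all mail. Postfix guards against this with a reply filter on the site spec, for example zen.spamhaus.org=127.0.0.[2..11]*3, so that only the documented listing codes score. The block below is an added example, not Postfix's code or Spamhaus's: it parses that site and filter syntax, scores a client the way a filtered and an unfiltered configuration would, and reports records that matched no filter, which is the signal to go and check the resolver and the list's policy. The second list name, dnsbl.example.net, is hypothetical; the sample answers in the tests are constructed, and 127.255.255.254 is the value Spamhaus documents for queries from public resolvers (confirm against the list's own return-code documentation before relying on it).

```python
"""Interpret DNSBL answers through a postscreen-style reply filter.

Added illustration, not Postfix code. The filter syntax (four octets,
each a number or an inclusive [lo..hi] range) follows the documented
postscreen_dnsbl_sites / reject_rbl_client form 'domain[=filter][*weight]'.
"""
from __future__ import annotations

import ipaddress
import re

_TOKEN = re.compile(r"\[(\d{1,3})\.\.(\d{1,3})\]|(\d{1,3})")
_SITE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")


def parse_filter(pattern: str) -> list[tuple[int, int]]:
    """Parse a reply filter like '127.0.0.[2..11]' into four (lo, hi) ranges."""
    ranges: list[tuple[int, int]] = []
    pos = 0
    for i in range(4):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"bad filter {pattern!r} at offset {pos}")
        if m.group(3) is not None:
            lo = hi = int(m.group(3))
        else:
            lo, hi = int(m.group(1)), int(m.group(2))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or bounds: {m.group(0)}")
        ranges.append((lo, hi))
        pos = m.end()
        if i < 3:
            if pattern[pos:pos + 1] != ".":
                raise ValueError(f"expected '.' at offset {pos} in {pattern!r}")
            pos += 1
    if pos != len(pattern):
        raise ValueError(f"trailing text in filter {pattern!r}")
    return ranges


def matches(ranges: list[tuple[int, int]], addr: str) -> bool:
    """True if every octet of addr falls inside the filter's ranges."""
    octets = ipaddress.IPv4Address(addr).packed
    return all(lo <= o <= hi for (lo, hi), o in zip(ranges, octets))


def parse_site(spec: str) -> tuple[str, str | None, int]:
    """Split 'domain[=filter][*weight]' into its parts (weight defaults to 1)."""
    m = _SITE.match(spec)
    if not m:
        raise ValueError(f"bad site spec {spec!r}")
    domain, flt, weight = m.groups()
    return domain, flt, int(weight) if weight is not None else 1


def score(site_specs: list[str], answers: dict[str, list[str]]):
    """Score one client against the configured sites.

    answers maps a list domain to the A records it returned for the
    client (empty list for NXDOMAIN, i.e. not listed). Assumption of this
    example: a site counts at most once, however many records match.
    Returns (total, ignored); ignored holds records that arrived but
    matched no filter. A non-empty ignored list for a host you expect to
    be clean means "check your resolver and the list's usage policy",
    not "block the client".
    """
    total = 0
    ignored: list[tuple[str, str]] = []
    for spec in site_specs:
        domain, flt, weight = parse_site(spec)
        records = answers.get(domain, [])
        if flt is None:
            if records:          # unfiltered: any answer at all is a hit
                total += weight
            continue
        ranges = parse_filter(flt)
        hits = [r for r in records if matches(ranges, r)]
        if hits:
            total += weight
        ignored.extend((domain, r) for r in records if r not in hits)
    return total, ignored


if __name__ == "__main__":
    # Constructed answers: a genuine listing versus a policy reply.
    policy_reply = {"zen.spamhaus.org": ["127.255.255.254"]}
    print("filtered  :", score(["zen.spamhaus.org=127.0.0.[2..11]*3"], policy_reply))
    print("unfiltered:", score(["zen.spamhaus.org*3"], policy_reply))
```

With the filtered spec the policy reply scores 0 and shows up in the ignored list; with the unfiltered spec the same reply scores a full 3 and, at a typical postscreen threshold, every connecting client would be rejected. That is the difference between a misconfigured resolver being a logged anomaly and being a mail outage.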


[pfx] Re: TLSRPT missing negative feedback

2025-03-25 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 25, 2025 at 11:46:33AM +0100, Damian via Postfix-users wrote:

> ... if I set smtpd_tls_security_level=no ...

That is not a valid value of that parameter, so smtpd will bail out with
a fatal error.  If you use "none", you might have better luck.

-- 
Viktor.


[pfx] Re: spamhaus/abusix in rspamd or postfix

2025-03-25 Thread Michael Grimm via Postfix-users
lutz.niederer--- via Postfix-users wrote:

> spamhaus and abusix have a query limit for free accounts. spamhaus does not 
> seem to be a problem but abusix is 5000 queries/day. postfix as well as 
> rspamd can query them.
> 
> postfix or rspamd: which one should be used to query them and why?

I am using both RBLs with postscreen, but I do not use Abusix with Rspamd,
because I observed many more DNS calls out of Rspamd, at least at my site.
Even my caching resolver didn't help. I was closing in on the 5000
queries/day limit. Thus I removed Abusix from Rspamd.

FTR: If one is running FreeBSD then one may activate the blocklistd provided by 
the OS. I recently patched postscreen to communicate with the blacklistd; this 
patch is part of the postfix port, now. This will allow one to block all 
annoying bots that will try numerous times a day ...

Regards,
Michael


[pfx] TLSRPT missing negative feedback

2025-03-25 Thread Damian via Postfix-users
I am currently doing some tests with Postfix 3.10 and postfix-tlspol 
(using QUERYwithTLSRPT).


I see positive feedback for DANE as well as MTA-STS on the tlsrpt 
socket. However, I was not able to produce negative feedback yet. In 
case of "non DNSSEC destination", nothing is written to the tlsrpt 
socket, and if I set smtpd_tls_security_level=no on an MX that handles a 
DANE-enabled domain, the Postfix 3.10 smtp hangs after establishing the 
TCP connection. The last log line is of the form


smtp[1234567]: DNSSEC-signed TLSA record: _25._tcp.example.com: 3 1 1 
DEADBEEF...
A tcpdump between smtp and smtpd shows a TCP handshake but no payload at 
all.


On the tlsrpt socket, I would expect negative feedback signaling
"starttls-not-supported" and "dnssec-invalid" or "dane-required".