[pfx] Email with FG Funnel / Mailgun and my own Postfix server
Hello,

a customer of mine has an e-mail address that she has had hosted with me for quite some time, and all her e-mails are stored in IMAP/Postfix on my server. Now she has created an account with FG Funnel and wants to send newsletters and CRM mail with that system. So in addition to the existing SPF, DKIM and DMARC records I also have to create the ones for FG Funnel (or rather, they use Mailgun). Can that work at all? We have now sent the first newsletters and some of them end up in the recipients' spam folder. Does any of you have experience with this?

Many thanks for any tips
Christian
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postfix problem with resources
natan via Postfix-users:
> Hi
> In old server i have:
> max_use=180
>
> in new server I have:
> max_use=150

This determines how many processes Postfix will run (150 in each category). If the number is too large for your system (hardware plus OS plus Postfix plus other programs) then some operations will fail due to a lack of resources.

> I don't know if it's that important

Very much. Try a smaller number until the problem does not come back.

Wietse
[pfx] Re: spamhaus/abusix in rspamd or postfix
On 23.03.25 15:16, lutz.niederer--- via Postfix-users wrote:
> spamhaus and abusix have a query limit for free accounts. spamhaus does not seem to be a problem but abusix is 5000 queries/day.
>
> postfix as well as rspamd can query them.
>
> postfix or rspamd: which one should be used to query them and why?

you can query them in both, but you should be using local caching non-forwarding DNS server so the same queries are not sent multiple times when receiving mail.

That way the same query from either won't be repeated.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Save the whales. Collect the whole set.
[pfx] Re: Duplicated emails due to split by rcpt and OOM
On Thu, Apr 03, 2025 at 10:17:22PM +0200, Dmytro Alieksieiev via Postfix-users wrote:

> I faced issue with splitting emails via local filter and
> destination_recipient_limit = 1 under low memory condition which
> result in duplicated emails in queue.

Not duplicated, simply retained, if/when information that a recipient is delivered did get recorded in the queue file. What sort of "local filter" are you talking about?

> 1. Postfix get email with multiple rcpts
>
> 2. taking couple of rcpts (depending on settings, 3 by default) and creates
> new email in queue per each recipient

Why? Postfix does not by default do that, unless you configure self-delivery. What is the purpose of the internal delivery?

> 3. reach OOM

That's your actual problem. Perhaps your filter uses unreasonable memory, tune the filter and its concurrency, if that's a factor in its memory requirements.

> 4. new emails stay in queue, but original email not get rcpt marked as
> "done", as result on next queue rerun they will be split again resulting
> in duplicated messages

What new emails? Your problem description is much too fuzzy.

> Can be reproduced in docker with mem limit f.e. 100mb by send one email with
> 50 rcpts with next configuration:

With server systems routinely shipping with 256GB of RAM or more these days, 100MB seems rather undersized. Don't do that.

> 1. Extra main.cf:
>
> smtpsplit_destination_recipient_limit = 1

What and why is "smtpsplit"?

> 2. Extra master.cf:
>
> smtpsplit unix - - n - - smtp
>     -o syslog_name=postfix-split
>     -o smtp_send_xforward_command=yes
>     -o disable_mime_output_conversion=yes
>     -o smtp_generic_maps=
>     -o smtp_header_checks=

What is the intent here? You should probably set a lower process limit on this service.

> 127.0.0.1:5025 inet n - n - - smtpd
>     -o syslog_name=postfix-after-split
>     -o content_filter=
>     -o cleanup_service_name=cleanupsplit
>     -o receive_override_options=no_unknown_recipient_checks
>     -o smtpd_helo_restrictions=
>     -o smtpd_client_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_relay_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o mynetworks=127.0.0.0/8
>     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>     -o smtpd_tls_security_level=none
>     -o smtpd_data_restrictions=

You may be processing each message through your milters twice.

--
Viktor.
[pfx] Re: Help with SASL Authentication Using /etc/sasldb2 in Postfix
wouldsmina via Postfix-users:
> Hello,
>
> I am facing an issue with configuring Postfix to use /etc/sasldb2. I have
> already set up SASL authentication, but authentication only works if
> /etc/sasldb2 is included in the $FILE variable into
> /usr/lib/postfix/configure-instance.sh file.

That looks like a Debian-specific script that populates /var/spool/postfix with copies of system files.

You can avoid that by using something like:

/etc/sasl2/smtpd.conf
    pwcheck_method: auxprop
    auxprop_plugin: sasldb

The actual pathname of the smtpd.conf file may differ.

Wietse
[pfx] Re: smtps starttls
On Thu, Apr 03, 2025 at 12:40:02PM +0200, Paul Neuwirth via Postfix-users wrote:

> that makes totally sense.
>
> I am struggling with that scanner:
> https://siwecos.de/en/app
>
> it says:
>
> for
>
> SMTPS Scanner [SMTPS_TLS]
> SMTP MSA(STARTTLS) Scanner [SMTP_MSA_TLS]
> SMTP(STARTTLS) Scanner [SMTP_TLS]
> "TLS not supported"

Congratulations, you've found another useless scanner on the Internet, why do you care???

> for mail.swabian.net

All you need to know is that your TLS support is just fine:

    $ posttls-finger -cF /etc/ssl/cert.pem -lsecure -Lsummary "[mail.swabian.net]:587"
    posttls-finger: Verified TLS connection established to mail.swabian.net[80.152.201.148]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

    $ posttls-finger -cwF /etc/ssl/cert.pem -lsecure -Lsummary "[mail.swabian.net]:465"
    posttls-finger: Verified TLS connection established to mail.swabian.net[80.152.201.148]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

> I have no idea, what version or cipher they test. that's why I tried
> with openssl s_client and I cannot find any issues. :-(
>
> contacted their support, but doubt I'll get a reply.

Just ignore them.

--
Viktor.
[pfx] Re: smtps starttls
On Thu, Apr 03, 2025 at 11:16:15AM +0200, Paul Neuwirth via Postfix-users wrote:
> after an upgrade of postfix I am checking my config.
>
> I am in the impression, this should work:
> # openssl s_client -connect mail.swabian.net:465 -starttls smtp -tls1_3
> CONNECTED(0003)
> Didn't find STARTTLS in server response, trying anyway...
> write:errno=32

On Thu, 3 Apr 2025 11:22:24 +0200 "Herbert J. Skuhra via Postfix-users" wrote:
> Either remove '-starttls smtp' or use port 587.

On 03.04.25 11:29, Paul Neuwirth via Postfix-users wrote:
> ok, that means I was wrong with the impression, that this should work on port 465.

"-starttls smtp" should work on ports 25/587 where plaintext is default. (587 should require starttls before it allows anything).

on port 465, TLS should be the default and starttls should not make sense.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest.
[pfx] spamhaus/abusix in rspamd or postfix
Hi!

spamhaus and abusix have a query limit for free accounts. spamhaus does not seem to be a problem but abusix is 5000 queries/day.

postfix as well as rspamd can query them.

postfix or rspamd: which one should be used to query them and why?

Thanks!
-lutzn
[pfx] Duplicated emails due to split by rcpt and OOM
Hi Postfix community,

I faced issue with splitting emails via local filter and destination_recipient_limit = 1 under low memory condition which result in duplicated emails in queue.

From what I can see in logs:
- warning: process /usr/libexec/postfix/smtp pid 1039 killed by signal 9
- warning: private/smtpsplit socket: malformed response
- warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

From what I observe it goes as:

1. Postfix get email with multiple rcpts
2. taking couple of rcpts (depending on settings, 3 by default) and creates new email in queue per each recipient
3. reach OOM
4. new emails stay in queue, but original email not get rcpt marked as "done", as result on next queue rerun they will be split again resulting in duplicated messages

I expect that when email get queued as new email original email receive 250 OK and mark email as "done", but looks like it not the case.

Maybe somebody know a secure way to avoid such situation? Or only possible way it to never face OOM, which honestly can be complicated at traffic spikes like email bombing, etc.

Can be reproduced in docker with mem limit f.e. 100mb by send one email with 50 rcpts with next configuration:

1. Extra main.cf:

    milter_default_action = tempfail
    smtpd_milters = inet:rspamd-proxy:11332
    header_checks = regexp:/etc/postfix/header_checks
    milter_header_checks = regexp:/etc/postfix/milter_header_checks
    smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
    smtpsplit_destination_recipient_limit = 1

2. Extra master.cf:

    smtpsplit unix - - n - - smtp
        -o syslog_name=postfix-split
        -o smtp_send_xforward_command=yes
        -o disable_mime_output_conversion=yes
        -o smtp_generic_maps=
        -o smtp_header_checks=
    127.0.0.1:5025 inet n - n - - smtpd
        -o syslog_name=postfix-after-split
        -o content_filter=
        -o cleanup_service_name=cleanupsplit
        -o receive_override_options=no_unknown_recipient_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_tls_security_level=none
        -o smtpd_data_restrictions=
    cleanupsplit unix n - n - 0 cleanup
        -o header_checks=

3. /etc/postfix/header_checks and /etc/postfix/smtp_header_checks content:

    /^x-postfix-split:.*/ STRIP

4. /etc/postfix/milter_header_checks content:

    /^x-postfix-split:\s+required/ FILTER smtpsplit:127.0.0.1:5025

5. Configure Rspamd or other milter to add "X-Postfix-Split: Required"

--
Thanks,
Dmytro Alieksieiev
[pfx] Re: postfix problem with resources
Hi

In old server i have:
max_use=180

in new server I have:
max_use=150

I don't know if it's that important

I have no idea what could be wrong. after restarting postfix everything seems to be back to normal so I don't know

On 3.04.2025 at 10:32, natan via Postfix-users wrote:

Hi
Today I have this same problem with resources... for 4 hours works fine and I get many

    Apr 3 10:07:07 node2 postfix/smtpd[426447]: warning: connect to private/policy-spf: Resource temporarily unavailable
    Apr 3 10:07:07 node2 postfix/smtpd[426447]: warning: problem talking to server private/policy-spf: Resource temporarily unavailable

This is debian11 (systemd)
Linux node2 5.10.0-34-amd64
This machine is bare metal (64 vcores + 128GB ram)
Load average: 0.20 1.36 3.10

    ii postfix 3.5.25-0+deb11u1 amd64

    nobody 4125051 0.0 0.0 23216 16628 ? Ss 09:48 0:00 /usr/bin/python3 /usr/bin/policyd-spf

    #cat /proc/4125051/limits
    Limit                     Soft Limit   Hard Limit   Units
    Max cpu time              unlimited    unlimited    seconds
    Max file size             unlimited    unlimited    bytes
    Max data size             unlimited    unlimited    bytes
    Max stack size            8388608      unlimited    bytes
    Max core file size        0            unlimited    bytes
    Max resident set          unlimited    unlimited    bytes
    Max processes             515047       515047       processes
    Max open files            524288       524288       files
    Max locked memory         65536        65536        bytes
    Max address space         unlimited    unlimited    bytes
    Max file locks            unlimited    unlimited    locks
    Max pending signals       515047       515047       signals
    Max msgqueue size         819200       819200       bytes
    Max nice priority         0            0
    Max realtime priority     0            0
    Max realtime timeout      unlimited    unlimited    us

The difference between the new and old server is:

New:
- debian11 (systemd)
- in main.cf I add dkim:

    smtpd_milters = inet:localhost:12301
    non_smtpd_milters = inet:localhost:12301
    milter_default_action = accept
    milter_protocol = 6

Old server:
- debian10 (init.d)

In old debian10 (sysinit) all works fine and never get "Resource temporarily unavailable"

Both servers do not have selinux
Both servers have apparmor (distribution)

    node2:~# journalctl | grep -i apparmor

Find nothing

    node2:~# aa-status
    apparmor module is loaded.
    11 profiles are loaded.
    10 profiles are in enforce mode.
       /usr/bin/freshclam
       /usr/bin/man
       /usr/sbin/clamd
       /usr/sbin/unbound
       lsb_release
       man_filter
       man_groff
       nvidia_modprobe
       nvidia_modprobe//kmod
       tcpdump
    1 profiles are in complain mode.
       /usr/sbin/chronyd
    4 processes have profiles defined.
    2 processes are in enforce mode.
       /usr/bin/freshclam (1345)
       /usr/sbin/clamd (1144)
    2 processes are in complain mode.
       /usr/sbin/chronyd (1374)
       /usr/sbin/chronyd (1389)
    0 processes are unconfined but have a profile defined.

And Really I don't have any problem what's going on

I must mention that my traffic is about 40 requests per second

On 27.03.2025 at 20:32, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

On 27.03.2025 at 14:44, Wietse Venema via Postfix-users wrote:

natan via Postfix-users:

Hi
I dont have selinux

Hi
I dot have and use apparmor to

Then perhaps your kernel does not have enough memory for file handles, network connections, etc. Is this some kind of a 'minimal' system like some people love to use for containers?

Wietse
[pfx] smtps starttls
Hello,

after an upgrade of postfix I am checking my config.

I am in the impression, this should work:

    # openssl s_client -connect mail.swabian.net:465 -starttls smtp -tls1_3
    CONNECTED(0003)
    Didn't find STARTTLS in server response, trying anyway...
    write:errno=32
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 33 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

but as you see, it doesn't - on port 25 it is working fine.

in master.cf:

    smtps inet n - n - 10 smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_security_level=encrypt

i think those are relevant from main.cf:

    smtpd_tls_security_level =
    smtpd_tls_wrappermode = no
    smtpd_use_tls = no

what did I miss?

thank you
[pfx] Re: A question about the configuration of postscreen
On Sun, Apr 06, 2025 at 01:18:14AM +0200, Andreas Kuhlen via Postfix-users wrote:

> For better readability once more. Sorry for the first post which was a
> bit confusing because of its format!

This variant is not much better, at least not its text/plain variant, only the HTML is correctly formatted. Please avoid HTML in posts to this list.

> I have a question regarding the configuration of postscreen. In my
> current master.cf file I have not allowed SASL authentication for SMTP:
> smtp inet n - y - - smtpd
>     -o smtpd_sasl_auth_enable=no

You should leave it essentially unchanged, just replacing "inet" with "pass". It is still smtpd(8) that might or might not do SASL, the postscreen(8) service never implements SASL.

> To activate postscreen in the master.cf file I added the following passage:
> smtp inet n - y - 1 postscreen
> smtpd pass - - y - - smtpd

Add

    -o smtpd_sasl_auth_enable=no

to the "smtpd pass" service.

> dnsblog unix - - y - 0 dnsblog
> tlsproxy unix - - y - 0 tlsproxy
> I commented out the upper part that prohibits SASL authentication for
> SMTP.

Changing the internal protocol from "inet" to "pass" does not substantially change the fact that this smtpd(8) instance handles incoming connections on port 25 after they're briefly inspected by postscreen(8).

> Postscreen also works so far, the question remains whether the
> option line that prohibits SMTP authentication can also be set for
> postscreen?

See above.

> Like this:
> smtp inet n - y - 1 postscreen
>     -o smtpd_sasl_auth_enable=no
> smtpd pass - - y - - smtpd
> dnsblog unix - - y - 0 dnsblog
> tlsproxy unix - - y - 0 tlsproxy

No, the option goes with "smtpd", just like its name implies.

--
Viktor.
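Added example, not part of any post on this page and not Postfix code: a small Python check for the two master.cf points made above, namely that SASL overrides belong on the smtpd service behind postscreen, and that a service with smtpd_tls_wrappermode=yes (the smtps thread earlier on this page) is probed without STARTTLS. The function names and the sample file are constructed for illustration; only plain "-o name=value" overrides in master.cf are read, main.cf is not consulted.

```python
import shlex

# Constructed sample, modelled on the master.cf fragments quoted on this page:
# the postscreen attempt with the misplaced -o, and the smtps service.
SAMPLE_MASTER_CF = """\
smtp      inet  n  -  y  -  1   postscreen
  -o smtpd_sasl_auth_enable=no
smtpd     pass  -  -  y  -  -   smtpd
dnsblog   unix  -  -  y  -  0   dnsblog
tlsproxy  unix  -  -  y  -  0   tlsproxy
smtps     inet  n  -  n  -  10  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=encrypt
"""

def parse_master_cf(text):
    """Return one dict per service entry, with its -o overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation line
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = shlex.split(line)
        if len(fields) < 8:
            continue                      # not a complete service entry
        args = fields[8:]
        # Only the plain "-o name=value" form is handled here.
        overrides = dict(v.split("=", 1) for f, v in zip(args, args[1:])
                         if f == "-o" and "=" in v)
        services.append({"name": fields[0], "type": fields[1],
                         "command": fields[7], "overrides": overrides})
    return services

def lint(services):
    """Flag SASL overrides on postscreen and report the pass-through smtpd."""
    findings = []
    for svc in services:
        ov = svc["overrides"]
        sasl = sorted(k for k in ov if k.startswith("smtpd_sasl_"))
        if svc["command"] == "postscreen" and sasl:
            findings.append(f"{svc['name']}/{svc['type']}: {', '.join(sasl)} is "
                            "set on postscreen; it belongs on the smtpd service")
        if (svc["command"] == "smtpd" and svc["type"] == "pass"
                and "smtpd_sasl_auth_enable" not in ov):
            findings.append(f"{svc['name']}/pass: no smtpd_sasl_auth_enable "
                            "override, so the main.cf value applies")
    return findings

def tls_probe_mode(svc):
    """'implicit' if every connection is wrapped in TLS (probe it without
    -starttls), otherwise 'starttls'."""
    wrapped = svc["overrides"].get("smtpd_tls_wrappermode") == "yes"
    return "implicit" if wrapped else "starttls"

if __name__ == "__main__":
    parsed = parse_master_cf(SAMPLE_MASTER_CF)
    print("\n".join(lint(parsed)))
    print({s["name"]: tls_probe_mode(s) for s in parsed
           if s["command"] == "smtpd"})
```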
[pfx] A question about the configuration of postscreen
Hello list,

I have a question regarding the configuration of postscreen. In my current master.cf file I have not allowed SASL authentication for SMTP:

    smtp inet n - y - - smtpd
        -o smtpd_sasl_auth_enable=no

To activate postscreen in the master.cf file I added the following passage:

    smtp inet n - y - 1 postscreen
    smtpd pass - - y - - smtpd
    dnsblog unix - - y - 0 dnsblog
    tlsproxy unix - - y - 0 tlsproxy

I commented out the upper part that prohibits SASL authentication for SMTP. Postscreen also works so far, the question remains whether the option line that prohibits SMTP authentication can also be set for postscreen? The configuration in main.cf does not need to be considered here, I think.

Like this:

    smtp inet n - y - 1 postscreen
        -o smtpd_sasl_auth_enable=no
    smtpd pass - - y - - smtpd
    dnsblog unix - - y - 0 dnsblog
    tlsproxy unix - - y - 0 tlsproxy
[pfx] A question about the configuration of postscreen
For better readability once more. Sorry for the first post which was a bit confusing because of its format!

Hello list,

I have a question regarding the configuration of postscreen. In my current master.cf file I have not allowed SASL authentication for SMTP:

    smtp inet n - y - - smtpd
        -o smtpd_sasl_auth_enable=no

To activate postscreen in the master.cf file I added the following passage:

    smtp inet n - y - 1 postscreen
    smtpd pass - - y - - smtpd
    dnsblog unix - - y - 0 dnsblog
    tlsproxy unix - - y - 0 tlsproxy

I commented out the upper part that prohibits SASL authentication for SMTP. Postscreen also works so far, the question remains whether the option line that prohibits SMTP authentication can also be set for postscreen? The configuration in main.cf does not need to be considered here, I think.

Like this:

    smtp inet n - y - 1 postscreen
        -o smtpd_sasl_auth_enable=no
    smtpd pass - - y - - smtpd
    dnsblog unix - - y - 0 dnsblog
    tlsproxy unix - - y - 0 tlsproxy
[pfx] Re: Bests Database
On 3/31/25 3:22 AM, Matus UHLAR - fantomas via Postfix-users wrote:
> On 29.03.25 17:41, John Hill via Postfix-users wrote:
>> In my last gig I ran Exchange, Oracle and various Debian servers. I retired and set up Postfix, bind9 etc to support my hobby domain. It keeps me involved.
>>
>> I use Fail2Ban, lousy docs, good product. I upgraded from iptables to nftables. I have written a few regex filters passing variables to actions for nftables and Postfix that work rather well. I like MariaDB, not Oracle but, as I said, it keeps me involved.
>>
>> I update nftables sets dynamically. I did not like fail2ban reloading Postfix to update the access files.
>
> Just FYI, this can be done with iptables as well, you just need to use ipsets which may need separate ipset command.

With the advice found here. I have changed access lists to lmdb. I had not used postmap on postscreen's cidr files previously. I read doing so would eliminate reloading on updates.

Used Ipsets a lot. Nftables will do the same thing, but not quite as well. It loads updates to memory. I follow it with a rule set dump and write to a set table file for reloads.

Thx
--john