ipv6 address syntax in master.cf

2009-01-24 Thread Byung-Hee HWANG

hello, simple question.

Is it possible to write an IPv6 address in master.cf?
If it is possible, which syntax is correct?

[::1]:10028 inet  (...) smtpd

or

::1:10028 inet (...) smtpd

byunghee


Re: ipv6 address syntax in master.cf

2009-01-24 Thread Byung-Hee HWANG

Olivier MJ Crepin-Leblond wrote:

Use the notation with the square brackets:

[::1]:10028

They are used to differentiate the colon used for separating the port
from a colon which is part of the IPv6 address.


Olivier



Thanks!

byunghee
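The bracket rule Olivier gives above is easy to get wrong when endpoints are generated by scripts, so here is an added example (not code from the thread or from Postfix itself) that parses master.cf-style "host:port" listen specs: it accepts a bracketed IPv6 literal, an IPv4 literal, a hostname or a bare port, and rejects an unbracketed IPv6 literal because the port colon cannot be told apart from the address colons. The sample endpoints are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed master.cf-style listen specs (sample input, not from the thread).
SAMPLE_ENDPOINTS = [
    "[::1]:10028",       # bracketed IPv6 literal plus port: the correct form
    "127.0.0.1:10028",   # IPv4 literal plus port
    "localhost:smtp",    # hostname plus service name
    "10028",             # port only: listen on all interfaces
    "::1:10028",         # unbracketed IPv6 literal: ambiguous, rejected
]


def parse_listen_endpoint(spec: str):
    """Split a "host:port" listen spec into (host, port).

    An IPv6 literal must be written in square brackets so that the colon
    that separates the port can be told apart from the colons inside the
    address. The host may be an IP literal, a hostname, or absent; the port
    may be a number or a service name.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("empty endpoint")
    if spec.startswith("["):
        end = spec.find("]")
        if end < 0:
            raise ValueError(f"unterminated '[' in {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {spec!r}")
        port = rest[1:]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is None or addr.version != 6:
            raise ValueError(f"brackets may only enclose an IPv6 literal: {host!r}")
    else:
        if spec.count(":") > 1:
            raise ValueError(f"unbracketed IPv6 literal is ambiguous: {spec!r}")
        host, sep, port = spec.rpartition(":")
        if not sep:                   # no colon at all: port only
            host, port = "", spec
    if not port:
        raise ValueError(f"missing port in {spec!r}")
    if port.isdigit():
        number = int(port)
        if not 0 < number < 65536:
            raise ValueError(f"port out of range: {number}")
        return host, number
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", port):
        raise ValueError(f"invalid service name: {port!r}")
    return host, port


def audit_endpoints(specs):
    """Map each spec to its parsed (host, port) or to an error message."""
    result = {}
    for spec in specs:
        try:
            result[spec] = parse_listen_endpoint(spec)
        except ValueError as exc:
            result[spec] = f"error: {exc}"
    return result


if __name__ == "__main__":
    for spec, outcome in audit_endpoints(SAMPLE_ENDPOINTS).items():
        print(f"{spec:18} -> {outcome}")
```

Running the block prints one line per sample spec; the unbracketed `::1:10028` is the only one reported as an error, which is exactly the case the thread asks about.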


sending email with Gnus

2009-03-01 Thread Byung-Hee HWANG

Hello,

As far as i know, Postfix does not support GNU TLS.
Nevertheless! Is it possible to send email with Gnus (MUA) via Postfix
(MTA)? In the future, i'll move to Gnus from Thunderbird. For now, the only
problem is the association between Postfix and GNU TLS.


byunghee


Re: matching IP ranges in headers

2009-06-27 Thread Byung-Hee HWANG
Louis-David Mitterrand  writes:

> Hi,
>
> A lot of spam comes from certain ip ranges (e.g. west africa) through
> relays (large ISPs) that would be too onerous to block. To filter these
> I am presently matching: 
>
>   /^((Received|X-Originating-IP):.+\b(124\.120\.1\.( REGEX>)\b/
>
> in pcre:/etc/postfix/header_access. But converting IP ranges to regex'es
> is time consuming and error prone.
>
> Is there a way to use a cidr table for header matching while retaining
> control of the prefix ^(Received|X-Originating-IP) ?
>
> Or another better way?

Use Google Apps: http://www.google.com/a ;;
Unfortunately, Google Apps is the best solution for spam filtering, as
far as i know.

Sincerely,

-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: dk dkim with dkimproxy

2009-06-28 Thread Byung-Hee HWANG
"fake...@fakessh.eu"  writes:

> I have a strange error that I do not understand
> I have the impression of having set dkimproxy well
> my config 
[...]
> fakessh.eu
> dkim(c=simple,s=fakessh.eu,a=rsa-sha1,key=/usr/local/dkimproxy/keys/fakessh.eu.key)
> domainkeys(c=nofws,s=fakessh.eu,key=/usr/local/dkimproxy/keys/fakessh.eu.key)
[...]
Well, i think that you have the wrong position in the DNS record. Please check
your DNS carefully, as follows:

$ nslookup -type=TXT fakessh.eu._domainkey.fakessh.eu.

or

$ dig +short fakessh.eu._domainkey.fakessh.eu. TXT

Sincerely,
        
-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: dk dkim with dkimproxy

2009-06-28 Thread Byung-Hee HWANG
"fake...@fakessh.eu"  writes:

> that right now
> [swilt...@your-ab6cd29f8e ~]$  host -t txt fakessh.eu._domainkey.fakessh.eu.
> fakessh.eu._domainkey.fakessh.eu descriptive text "v=DKIM1\; 
> t=s\;k=rsa\;p=MIG[...]

OK, your check seems good. Then try again with an external public
DNS (e.g., bitsy.mit.edu) ;;

$ host -t txt fakessh.eu._domainkey.fakessh.eu. bitsy.mit.edu.

Sincerely,

-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/
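The two replies above check the selector record by hand with nslookup, dig and host. As an added example (not code from the thread or from dkimproxy), the block below builds the query name from the selector and domain, reassembles a TXT record that DNS served as several strings, and parses the tag=value list the way a verifier would, including the `\;` escaping that `host -t txt` prints. The key material is a constructed placeholder, not a real RSA key; the record syntax follows RFC 6376 section 3.6.1.

```python
import base64
import re

# Constructed sample: a placeholder public key, not a real RSA key.
FAKE_KEY_B64 = base64.b64encode(b"constructed placeholder, not a real key").decode()
# The record as `host -t txt` prints it, with semicolons escaped as "\;".
SAMPLE_HOST_OUTPUT = f'"v=DKIM1\\; t=s\\;k=rsa\\;p={FAKE_KEY_B64}"'


def dkim_record_name(selector: str, domain: str) -> str:
    """Name a verifier queries for a signature carrying s=selector and d=domain."""
    return f"{selector}._domainkey.{domain.rstrip('.')}."


def join_txt_strings(strings) -> str:
    """A TXT record longer than 255 bytes is served as several strings; the
    verifier concatenates them without separators before parsing."""
    return "".join(strings)


def parse_dkim_txt(txt: str) -> dict:
    """Parse a DKIM key record into a tag dict.

    Raises ValueError for a record no verifier would accept: a wrong or
    misplaced v=, an unknown key type, a missing, revoked (empty) or
    undecodable p=.
    """
    txt = txt.strip().strip('"').replace("\\;", ";")   # undo host-style quoting
    tags = {}
    order = []
    for part in txt.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        key, value = part.split("=", 1)
        key = key.strip()
        if key in tags:
            raise ValueError(f"duplicate tag: {key}")
        tags[key] = re.sub(r"\s+", "", value)   # whitespace inside values is ignored
        order.append(key)
    if "v" in tags and (order[0] != "v" or tags["v"] != "DKIM1"):
        raise ValueError("v=, if present, must be the first tag and equal DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError(f"unsupported key type {tags.get('k')!r}")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    if tags["p"] == "":
        raise ValueError("empty p=: this key has been revoked")
    try:
        key_bytes = base64.b64decode(tags["p"], validate=True)
    except ValueError as exc:            # binascii.Error is a ValueError
        raise ValueError(f"p= is not valid base64: {exc}")
    tags["_key_bytes"] = len(key_bytes)
    # t=s means the signing domain (i=) must equal d= exactly, no subdomains.
    tags["_strict_domain"] = "s" in tags.get("t", "").split(":")
    return tags


if __name__ == "__main__":
    print(dkim_record_name("fakessh.eu", "fakessh.eu"))
    print(parse_dkim_txt(SAMPLE_HOST_OUTPUT))
```

Feeding the output of `dig +short <name> TXT` through `join_txt_strings` before `parse_dkim_txt` is the step people most often skip: a 2048-bit key is longer than 255 bytes, so the resolver returns it in two quoted strings and a parser that only reads the first one sees a truncated p= and reports a broken key.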


Re: help with dkimproxy

2009-07-03 Thread Byung-Hee HWANG
"fake...@fakessh.eu"  writes:

> I have two domain names sign with dkimproxy
> fakessh.eu and renelacroute.fr
> this is not a problem of software 
[...]

You are signing [fakessh.eu]'s signature with
[renelacroute.fr]'s private key, i guess.
That's why verifier.port25.com's reflector is
always complaining about your signatures.

Please, double check your conf files (e.g.,
dkimproxy_out.conf, sender_map.conf, ...).

Meanwhile, Google also can be your good friend
as a signature verifier. See Gmail's headers in
detail. There is a line on the DKIM-Signature state.

Sincerely,

-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: sasl2auth how to

2009-07-05 Thread Byung-Hee HWANG
"fake...@fakessh.eu"  writes:

> hi all
> hi list
>
>
> m you can specify how to configure sasl2auth
> for anything other than authentication PLAIN
> updated my postfix to  postfix-2.5.1-1.mysql.sasl2.vda.rhel5.i386.rpm 
>
> thanks for all your feedbacks
>
> nb : "Buddha" peace themselve

If i understood your words correctly, you need this paper:
http://www.postfix.org/SASL_README.html

Google also can be a good friend for SASL Auth over TLS. Please have a look
at this paper: http://souptonuts.sourceforge.net/postfix_tutorial.html

Sincerely,

-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: Warning: SASL authentication failure: no user in db

2009-07-05 Thread Byung-Hee HWANG
Gerard  writes:

> When sending from my network, I was receiving a warning message:
>
> Jul  5 15:57:06 scorpio postfix/smtpd[22724]: connect from 
> localhost[127.0.0.1]
> Jul  5 15:57:07 scorpio postfix/smtpd[22724]: warning: SASL authentication 
> failure: no user in db
>
> I was advised to put the following in the main.cf file:
>
> smtpd_sasl_exceptions_networks = $mynetworks
>
> That works fine if I send from the same PC that is hosting Postfix.
> However, if I send from another PC on the network, I receive a similar
> warning message:
>
> Jul  5 15:57:06 scorpio postfix/smtpd[22724]: connect from 
> boss.seibercom.net[192.168.1.104]
> Jul  5 15:57:07 scorpio postfix/smtpd[22724]: warning: SASL authentication 
> failure: no user in db
>
> So, I added this to the main.cf file:
>
> smtpd_sasl_exceptions_networks = $mynetworks, 192.168.1.0/24
>
> Unfortunately, it does not stop the warning message from appearing. I
> know it is only a harmless warning message; however, I would like to
> know what I am doing wrong.
>
> This is the output of postconf -n
>
> alias_database = hash:/usr/local/etc/postfix/aliases
> alias_maps = hash:/usr/local/etc/postfix/aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> html_directory = no
> inet_interfaces = all
> mail_owner = postfix
> mail_spool_directory = /var/mail
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> milter_default_action = accept
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = seibercom.net
> mynetworks_style = subnet
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = no
> sample_directory = /usr/local/etc/postfix
> sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_type = cyrus
> smtp_sender_dependent_authentication = yes
> smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
> smtp_tls_CApath = /usr/local/etc/postfix/certs
> smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
> smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
> smtp_tls_loglevel = 0
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
> smtpd_milters = unix:/var/run/clamav/clmilter.sock
> smtpd_recipient_restrictions = permit_sasl_authenticated  
> permit_mynetworks   reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_exceptions_networks = $mynetworks, 192.168.1.0/24
> smtpd_sasl_local_domain = 
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
> smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
> smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
> smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = 
> btree:/var/db/postfix/smtpd_tls_session_cache
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/usr/local/etc/postfix/transport
> unknown_local_recipient_reject_code = 550

It's not your fault. See
http://lists.freebsd.org/pipermail/freebsd-ports/2005-June/023801.html
;;

If you do not want to see the error line in your Postfix logs, just
switch saslauthd's authentication mechanism from "sasldb" to another one
(e.g., "pam", "getpwent") by modifying /usr/local/lib/sasl2/smtpd.conf ;;

FYI, currently the default authentication mechanism on FreeBSD systems
is "pam" [1]. For more information, have a look at saslauthd(8) with care ;;

Sincerely,

[1]
http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/cyrus-sasl2-saslauthd/files/saslauthd.sh.in?rev=1.2;content-type=text%2Fplain

-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: Restricted Outbound Email

2009-07-16 Thread Byung-Hee HWANG
Noel Jones  writes:

> Dylan Martin wrote:
>> [...] I want to set up a gateway to limit email outbound.
>> I've found lots of documents about limiting inbound, but not much on
>> limiting outbound.. [...]
> [...]
> It might be useful to limit seattlecentral.edu mail to valid
> recipients, by replacing the OK above with
> "reject_unverified_recipient, OK"
> See: http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

That is good for me, too. Thanks, Noel!

-- 
Byung-Hee HWANG, KNU 
∑ WWW: http://izb.knu.ac.kr/~bh/


Postfix and IDENT (RFC1413)

2009-07-19 Thread Byung-Hee HWANG
Still not support?

-- 
Byung-Hee HWANG, KNU
∑ WWW: http://izb.knu.ac.kr/~bh/

"Never mind being a dance judge, do your job. Take a walk around the
neighborhood and see everything is OK."
-- Peter Clemenza, "Chapter 1", page 20


Re: Postfix and IDENT (RFC1413)

2009-08-09 Thread Byung-Hee HWANG
"Terry Carmen"  writes:

>> Still not support?
>>
>>
> Postfix implements the SMTP protocol. Why would you expect it to implement 
> Ident?
>

Sorry for the noise. So i resend with some comments. One day i saw an email
including an unusual Received header on the FreeBSD Project mailing
lists. Here is the example:

http://izb.knu.ac.kr/~bh/stuff/sendmail20090809001.txt

Can you please explain about the example?

Sincerely,

-- 
"You have to eat something first."
-- Frederico Corleone, "Chapter 27", page 380


Re: Postfix and IDENT (RFC1413)

2009-08-09 Thread Byung-Hee HWANG
Ralf Hildebrandt  writes:

> * Byung-Hee HWANG :
>
>> http://izb.knu.ac.kr/~bh/stuff/sendmail20090809001.txt
>> 
>> Can you please explain about the example?
>
> Received: from ameno.mahoroba.org
> (IDENT:MAcVWWSsCq+jNgyMzEhX/rHMZDkharVcRZn2EgHiFH+a/spblmoixdzpksery...@ameno.mahoroba.org
> ...
> by asuka.mahoroba.org (8.14.3/8.14.3) with ESMTP/inet6 id
> ...
>
> Sendmail 8.14.3 with IDENT support, I guess.

Thanks for the good point, Ralf. Then i would like to ask the question
again. How can i enable the above IDENT feature with Postfix?

Sincerely,

-- 
"Godfather, the man who runs it is a real .90 caliber PEZZONOVANTE. You can't
budge him, not even with money. He has big connections. And he hates me. I
just don't know how you can swing it."
"I say to you: you shall have it."
-- Johnny Fontane and Vito Corleone, "Chapter 1", page 44


Re: Postfix and IDENT (RFC1413)

2009-08-11 Thread Byung-Hee HWANG
At Mon, 10 Aug 2009 09:30:10 +0200,
Ralf Hildebrandt wrote:
> 
> * Byung-Hee HWANG :
> 
> > Thanks for good point, Ralf. Then i would like to give you the question
> > again. How can i make to enable the above IDENT feature with Postfix?
> 
> There is no such thing. And nobody ever needed that. In 10 years.

Great! That is the real answer i wanted. Thanks!

Sincerely,

-- 
Byung-Hee HWANG, DJ
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: IPv6 and smarter relaying

2009-08-14 Thread Byung-Hee HWANG
At Thu, 13 Aug 2009 00:16:27 -0600,
Dave Täht wrote:
> 
> d...@teklibre.org (Dave Täht) writes:
> 
> Half solved!
> 
> > I have setup my laptop (as a test) to send out and respond to ipv6 mail,
> > and not listen on the ipv4 ports at all. I tunnel my laptop out to
> > have a static ipv6 address, and have mx records (for the teklibre.org
> > domain) that have a priority 10 for the ipv6 "direct" connection, and a 
> > priority
> > 20 mx record for a dual ipv4, ipv6 machine acting as a smart relay. This
> > seems to be working with all the mail exchangers I've tried thus far.
> >
> > I'd like to (assuming I get reverse dns straightened out) convince postfix 
> > to:
> >
> > If possible, send out the email from my static ipv6 address to any ipv6
> > capable mail exchanger (for example, I correspond with someone at
> > isc.org, and their mail exchanger, mx.isc.org sits on both ipv4 and
> > ipv6), and if that is not possible, fall back to my better connected
> > relay host. 
> >
> > Right now, everything not in mynetworks gets forwarded to my ipv6
> > relay host which has both ipv4 and ipv6 addresses because I have
> > relayhost set
> 
> With postfix bound to localhost for IPv4, and bound to a real ipv6
> address (via the smtp_bind_address, and smtp_bind_address6 options set)
> 
> with relayhost disabled and smtp_fallback_relay set to my more smartly 
> connected dual ipv6, ipv4 box, laptop attempts an ipv6 connection
> against mx records that have ipv6 (isc.org), which worked (very
> rapidly!)
> 
> For an ipv4 only mx exchanger (gmail.com), postfix tried, very rapidly,
> to connect to multiple ipv4 addresses, failed, and ended up forwarding
> to my smarter host, which did the rest of the work.
> 
> Half the problem solved. On to getting mail via ipv6 on the laptop...

Nice testing! FYI, if you are searching for another IPv6 SMTP server (for
testing the IPv6 feature), try mx1.freebsd.org. Especially, send mail
to "t...@freebsd.org", which allows anybody, free of charge.

Sincerely,

-- 
Byung-Hee HWANG
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: domainkey

2009-08-19 Thread Byung-Hee HWANG
At Wed, 19 Aug 2009 10:31:45 -0500,
AMP Admin wrote:
> 
> We have the following setup for dkimproxy but it's only signing with dkim
> and not domainkey.  We would like to do both.  Any ideas?

Use sender_map.conf ;;

-- 
Byung-Hee HWANG
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: Country IP block list

2009-08-23 Thread Byung-Hee HWANG
At Sat, 22 Aug 2009 08:56:28 -0700,
Security Admin (NetSec) wrote:
> 
> Could someone provide links to sites where IP addresses are grouped by 
> country?  ASNs would work too but would prefer IP lists that I could put in a 
> file that my postfix mail gateway could read.  Obvious countries like China 
> and Brazil I would like to block wholesale.  Thanks in advance!

Please don't do that. There are many open source committers in Asia
and Brazil. You need time to think about that seriously.

Sincerely,

-- 
Byung-Hee HWANG
∑ WWW: http://izb.knu.ac.kr/~bh/


Re: moveing to postfix from qmail setup

2008-09-21 Thread Byung-Hee HWANG
On Sun, 2008-09-21 at 10:08 -0700, Wayne Catterton wrote:
> Hi,
>  
> I currently have an old qmail toaster (customized some) setup.  I have
> been wanting to build a new mail server for a while, and just finally
> got around to doing it.  My old system is setup with qmail, vpopmail,
> squirrelmail, spam assassin, smtpauth, autorespond, qmailadmin,
> vqadmin, clamav, courier-imap, daemontools, ezmlm, qmail mrtg,
> ucspi-tcp, qmail-scanner, and tmda.  At any rate, I'm getting quite a
> bit of spam coming through, and it seems that people sending mail to
> my servers ignore the TMDA, so the user ends up having to look in the
> pending queue and release messages and such, so I've decided that TMDA
> has to go.
>  
> Upon looking for what I wanted in a new mail system, I started with
> the qmail route again (but I wanted to make the install easier), so I
> looked at qmailrocks, started getting it setup, then ran into
> problems, and not much help, so I junked it, and installed
> qmailtoaster (I have to say it was an easy install, and I got
> everything working and up quickly), however I find myself dizzy and
> confused when figuring out how everything is working, and configs are
> scattered throughout the system.
>  
> One of the things I really want to implement is Dspam, I've been
> reading a lot about it, and decided that I really want to have it on my
> mail system, and I was unable to really implement it the way I wanted
> on the qmailtoaster and documentation is slim.
>  
> So I looked at alternative MTA's and found postfix.  It looks like
> it's exactly what I'm looking for, however I am not sure on what all I
> need to install to keep the mail system fairly secure and protected.
> So I started looking through installation documentation for various
> setup's, and so far, I've decided I wanted:  postfix, dovecot (imap
> and pop3), dspam (of course), virtual users/domains (mysql setup),
> clamav, sasl (smtpauth), mysql, Mailman, squirrelmail, and some kinda
> of GUI frontend (I saw postfix admin and I think that will do it).
>  
> What I'm wondering is if I missed something, is there something vital
> I missed as far as security/mail processing?  
>  
> Also as far as dspam, do you have any recommendations, I've looked
> through documentation on it, however it can be fairly complex.  I know
> I want to have a spam and nospam address for users to forward email
> to.  maybe setup some spam/nospam IMAP folders as well (to be used
> from squirrelmail as another mechanism).
>  
> Thanks,
>  
> Wayne Catterton CCNA
> Network Engineer
> Scappoose, OR

i think you had better use "google apps" instead of postfix ;;

-- 
"Here, I'll pay you. I threw the gun away after the truck job."
"I don't want the money."
-- Vito Corleone and Peter Clemenza, "Chapter 14", page 206



envelope_sender VS header_sender

2008-10-12 Thread Byung-Hee HWANG
i saw the terms "envelope_sender" and "header_sender" in the postfix docs
on the public postfix website. It is so confusing to me. What is the difference
between "envelope_sender" and "header_sender"? According to RFC 2822,
"Sender" and "From" are described. Are the terms
(envelope_sender, header_sender) related to "Sender" and "From"? Can you
please give me your cool explanation?

byunghee

-- 
"Do you have my goods still? Did you look inside?"
"I'm not interested in things that don't concern me."
-- Peter Clemenza and Vito Corleone, "Chapter 14",
   page 194-195



Re: envelope_sender VS header_sender

2008-10-12 Thread Byung-Hee HWANG
(first, i want to send "big thank you!" for Vitor, mouss, Wietse ;;)

On Sun, 2008-10-12 at 12:28 -0400, Wietse Venema wrote:
> Byung-Hee HWANG:
> > i saw the terms "envelope_sender" and "header_sender" in the postfix docs
> > on the public postfix website. It is so confusing to me. What is the difference
> > between "envelope_sender" and "header_sender"? According to RFC 2822,
> > "Sender" and "From" are described. Are the terms
> > (envelope_sender, header_sender) related to "Sender" and "From"? Can you
> > please give me your cool explanation?
> > 
> > byunghee
> 
> 220 example.com ready to talk ESMTP
> ehlo russian-caravan.cloud9.net
> 250 example.com greets you
> MAIL FROM:<[EMAIL PROTECTED]>
> 250 ok
> RCPT TO:<[EMAIL PROTECTED]>
> DATA
> 354 Go ahead
> From: [EMAIL PROTECTED]
> To: postfix-users@postfix.org
> Subject: Re: header versus envelope addresses
> ...more text...
> .
> 250 queued as ABCDEFGHIJK
> QUIT
> 221 Bye

your example is good and cool to me ;; and more, here this message's
envelope_sender (RFC2822's Sender) was changed by postfix's
sender_canonical_map. For that, i experimented with Postfix and Google
Apps's outgoing gateway feature for a couple of hours ;; i'm feeling
strongly that Postfix is a good product! thanks again Wietse!

byunghee

-- 
"Then maybe I can give you and the kids more dough."
"We have more than enough."
-- Johnny Fontane and Virginia, "Chapter 12", page 161
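Wietse's transcript above makes the distinction by example: the addresses in MAIL FROM and RCPT TO are the envelope, the From:/To:/Sender: lines sent after DATA are headers. As an added example (not from the thread), the block below parses a constructed session of the same shape and pulls the two address sets apart; the addresses and the "C:"/"S:" line prefixes are invented for the demonstration. It deliberately uses a mailing-list case, where the envelope sender (a bounce address) and the header From: (the human author) are legitimately different, which is the situation in which sender rewriting such as sender_canonical_maps acts on one and not the other.

```python
import re
from email.utils import parseaddr

# Constructed session transcript (sample input, not Wietse's). Client lines are
# prefixed "C:", server replies "S:". The envelope sender is a list bounce
# address while the header From: names the human author, as on a mailing list.
SAMPLE_SESSION = """\
S: 220 example.com ready to talk ESMTP
C: ehlo russian-caravan.cloud9.net
S: 250 example.com greets you
C: MAIL FROM:<bounces@lists.example.org>
S: 250 ok
C: RCPT TO:<alice@example.com>
S: 250 ok
C: DATA
S: 354 Go ahead
C: From: Bob <bob@example.net>
C: Sender: list-owner@lists.example.org
C: To: alice@example.com
C: Subject: Re: header versus envelope addresses
C:
C: ...more text...
C: .
S: 250 queued as ABCDEFGHIJK
C: QUIT
S: 221 Bye
"""

MAIL_FROM = re.compile(r"(?i)^MAIL FROM:\s*<([^>]*)>")
RCPT_TO = re.compile(r"(?i)^RCPT TO:\s*<([^>]*)>")
HEADER = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_session(transcript: str) -> dict:
    """Pull envelope addresses (SMTP commands, RFC 5321) and header addresses
    (message content sent after DATA, RFC 5322) out of a transcript.
    Folded (multi-line) headers are not handled; enough for a transcript."""
    envelope_sender = None
    envelope_recipients = []
    headers = {}
    in_data = in_headers = False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue                         # server replies carry no addresses
        line = raw[2:]
        if line.startswith(" "):
            line = line[1:]
        if in_data:
            if line == ".":                  # lone dot ends the message content
                in_data = False
            elif in_headers:
                if line == "":               # blank line ends the header block
                    in_headers = False
                else:
                    m = HEADER.match(line)
                    if m:
                        headers.setdefault(m.group(1).lower(), m.group(2))
            continue
        m = MAIL_FROM.match(line)
        if m:
            envelope_sender = m.group(1)
            continue
        m = RCPT_TO.match(line)
        if m:
            envelope_recipients.append(m.group(1))
            continue
        if line.upper() == "DATA":
            in_data = in_headers = True
    return {
        "envelope_sender": envelope_sender,
        "envelope_recipients": envelope_recipients,
        "header_from": headers.get("from"),
        "header_sender": headers.get("sender"),
        "header_to": headers.get("to"),
    }


def header_address(value):
    """Bare address from a header value such as 'Bob <bob@example.net>'."""
    return parseaddr(value)[1] if value else None


def sender_mismatch(parsed: dict) -> bool:
    """True when the bounce address (envelope) differs from the visible From:."""
    return parsed["envelope_sender"] != header_address(parsed["header_from"])


if __name__ == "__main__":
    result = parse_session(SAMPLE_SESSION)
    for key, value in result.items():
        print(f"{key:20} {value}")
    print("envelope/header sender differ:", sender_mismatch(result))
```

The envelope is what bounces go back to and what Postfix's sender restrictions and canonical maps see; the header From: is what the recipient's client displays. A mismatch between them is normal for lists and forwarders, which is why a filter keyed on the header alone sees a different world than one keyed on the envelope.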



Re: envelope_sender VS header_sender

2008-10-12 Thread Byung-Hee HWANG
On Sun, 2008-10-12 at 20:39 +0200, mouss wrote:
> Byung-Hee HWANG wrote:
> > [snip]
> > your example is good and cool to me ;; and more, here this message's
> > envelope_sender(RFC2822's Sender)
> 
> envelope sender is governed by RFC[2]821 (smtp), not RFC[2]822 (format
> of messages, including the headers).
> 
> These RFCs have been obsoleted by the new versions: 5321 and 5322.

oh, i need to do homework about that, thanks for the good information ;;

> >  changed by postfix's
> > sender_canonical_map. for that, i examined with Postfix and Google
> > Apps's outgoing gateway feature for a couple hours ;; i'm feeling
> > strongly Postfix is good product! thanks again Wietse!
> >   
> 
-- 
"Mr. Corleone promises only to speak in your favor on this labor trouble as a 
matter of friendship in return for your speaking in behalf of his client."
-- Tom Hagen, "Chapter 1", page 61



Re: Finally blocking some spam

2008-10-19 Thread Byung-Hee HWANG

Joey wrote:
[...]
> I made a list from the web of IPs in the following countries:
> asian.list
> czech.list
> internal-h.list
> internal-m.list
> india.list
> poland.list
> turkey.list
[...]

Instead, use the RelayCountry plugin of SpamAssassin. Using the RelayCountry
plugin is smoother than your way.


And more, i think your way to prevent spam is somewhat dangerous.
There are several open source developers, businessmen, college
students and professors all over the world. Those guys do not send spam on the
Internet as far as i know. So personally i'm using Google Apps as a
receiving SMTP. Google's policy is fair and exact at handling spam ;;


byunghee


[OT] What is a condition for ideal mail server?

2008-10-19 Thread Byung-Hee HWANG
Hi, i'm not a serious hacker nor a power user of Postfix. I'm just
using Postfix. Recently, i'm interested in setting up an ideal mail server for
outgoing. Already i moved my mailbox to Google Apps because i could not
handle so much spam. So now making a receiving SMTP is not my concern.
My only concern is to make the outgoing SMTP perfect.


As far as i know, there are many Postfix gurus here. So i just wish to hear
various opinions about making an outgoing SMTP perfect. Whenever i have
some time, i search about DKIM and RFCs for the SMTP standard. What is the
real point for an ideal outgoing mail server? I investigated some mail
servers on the Internet: postfix.org's MX, isc.org's MX,
freebsd.org's MX, gnu.org's MX, ietf.org's MX, mipassoc.org's MX,
gmail.com's MX, some universities' MXs, etc.


After all, i thought that the conditions for a perfect outgoing mail
server are providing a correct rDNS, a correct signature like DKIM
and a correct certificate-based authentication like TLS. Besides
that, are there any other conditions? Well, i'm just curious about that..


Sincerely,

byunghee


Re: [OT] What is a condition for ideal mail server?

2008-10-23 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

mouss wrote:
> Byung-Hee HWANG wrote:
[...]
> - Use the submission port (587) with TLS+SASL.

What is the difference between using 25 and using 587?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkBQ0sACgkQB00DNxnlnTayJQCdG7s8H783PyWSOhuz84Oz4Z+x
m0IAn1CCxjqKX+J8sIYIgv/WW9hSDq/n
=W+z2
-END PGP SIGNATURE-


free certificate over TLS

2008-10-26 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Recently, actually i'm interested in a certificate over TLS on SMTP,
like ISC's MX. However, i don't know how to use that. Is there anyone
using a certificate over TLS? Can you please give me some hints? Or
information? Thanks in advance ;;

byunghee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkFW3AACgkQsCouaZaxlv4WzwCeKp2Kv3jM5j2p1OUTegSbyPG5
hbAAoK5/RCBs9LlWh4w3mvWWYdFOS63F
=/Mmu
-END PGP SIGNATURE-


Re: free certificate over TLS

2008-10-27 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Noel Jones wrote:
> This should have all the information you need:
> http://www.postfix.org/TLS_README.html
> 
> If you have specific questions after reading the above, please see:
> http://www.postfix.org/DEBUG_README.html#mail
> 
Ah Noel, thank you for the quick reply. After Googling, a few hours ago i found
out what i really need:
<http://koti.kapsi.fi/ptk/postfix/postfix-tls-cacert.shtml>. Oh..
the author also recommended reading the TLS README you told me. Now
i go to study Postfix ;;

byunghee


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkGXgMACgkQsCouaZaxlv5r3wCgsP6sRAfezECH204ymsvqDjbk
bXIAn2X7Fvu5ezzTndBzIKfDK6mOgpNV
=WMpA
-END PGP SIGNATURE-


Re: free certificate over TLS

2008-10-28 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Victor Duchovni wrote:
> On Tue, Oct 28, 2008 at 09:34:11AM +0900, Byung-Hee HWANG wrote:
> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Noel Jones wrote:
>>> This should have all the information you need:
>>> http://www.postfix.org/TLS_README.html
>>>
>>> If you have specific questions after reading the above, please see:
>>> http://www.postfix.org/DEBUG_README.html#mail
>>>
>> Ah Noel, thank you for the quick reply. After Googling, a few hours ago i found
>> out what i really need:
>> <http://koti.kapsi.fi/ptk/postfix/postfix-tls-cacert.shtml>.
> 
> This recommends making your private key group readable by the "postfix"
> group. This advice is neither necessary, nor a good idea. Private keys
> should belong to "root" and be readable (mode 0600) only by root. Postfix
> loads private keys before dropping privs.
> 
I read Victor's advice very seriously. I'll stop doing that. Instead, i'll
spend my spare time studying DKIM with dkimproxy and dkim-milter.
That's my best passion in email study. Thanks, Victor and Noel ;;

byunghee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkHmsEACgkQsCouaZaxlv757QCgtYfH6iZVxPspbpi4gEUhFP9R
y2cAnA11oYvEimLlinMzbuolkI3Rv35i
=rq9/
-END PGP SIGNATURE-


[OT] with ezmlm

2008-11-02 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

(first of all, sorry if it is already discussed and a known issue)

Is it possible to set up Postfix with ezmlm? I'm considering making a
private mailing list with ezmlm. Yep, i think ezmlm is faster than
mailman. Can you please help me with that? Or some hint is also good..;;

byunghee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkNs28ACgkQsCouaZaxlv7bQQCgsEYzc+WRgUX8HdK3GQmdKBz1
YesAninvzfC2IFKVdDPUZw93Ri04v7qX
=Gw/V
-END PGP SIGNATURE-


Re: OT: Sender Header

2008-11-06 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Brian Evans - Postfix List wrote:
[...]
> It is added by the mail client, not the server.

Can you please show me some example?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkTe7QACgkQsCouaZaxlv41EgCfZRSYzbsvJbY3aTmrEv9KgFv1
qz0AnRhuCPxqw4XfmaO32sxowubQ256y
=6I1x
-END PGP SIGNATURE-


Re: [OT] with ezmlm

2008-11-09 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Wietse Venema wrote:
> Byung-Hee HWANG:
>> (first of all, sorry if it is already discussed and a known issue)
>>
>> Is it possible to set up Postfix with ezmlm? I'm considering making a
>> private mailing list with ezmlm. Yep, i think ezmlm is faster than
>> mailman. Can you please help me with that? Or some hint is also good..;;
> 
> Here is some hint:
> 
> postfix local -> qmail-local -> ezmlm -> postfix qmqpd
> 
> However I think it would be a mistake to consider the speed of
> ezmlm alone. Most time will be spent outside ezmlm.

Thanks Wietse for the hint, now i can figure out the specific map ;;

byunghee

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkXJP8ACgkQsCouaZaxlv7lRgCfXODpPrscoSZX/vZ14WjLa15p
hsUAnjO5eyUUKWr4+aHoOImLAL/OU0Hm
=aGLW
-END PGP SIGNATURE-


Re: Installing DKIM

2008-12-07 Thread Byung-Hee HWANG

LuKreme wrote:
[...]
> The other question is what do most people do with the check on the DKIM
> if a message fails, reject outright?  Won't this mess up any forwarded
> mail?


Because DKIM and related specifications are in a transition
stage, it is not good to reject directly if a message fails.


Instead, most people recommend using with SpamAssassin.

pass: +some
fail: -some

Or it is also good to use amavisd-new. See
 ;;


byunghee



relay with permit_tls_clientcerts

2022-04-04 Thread Byung-Hee HWANG
Hello,

I'm using Google Workspace and Postfix (Only Outbound).

I am very interested in permit_tls_clientcerts.

In particular, i would like to relay by permit_tls_clientcerts,
because it seems very reliable and trustworthy!

Are there how-to and example docs related to permit_tls_clientcerts?
(before, i did try googling but failed)

My Postfix version is 3.5.6 under Debian 11 Bullseye.

Any comments welcome!

Sincerely, Byung-Hee


-- 
^고맙습니다 _救濟蒼生_ 감사합니다_^))//


Solved (Was: Re: relay with permit_tls_clientcerts)

2022-04-04 Thread Byung-Hee HWANG
Byung-Hee HWANG  writes:

> (...)
> Are there how-to and example docs related to permit_tls_clientcerts?
> (before, i did try googling but failed)

Oh, now i have resolved it!

#+BEGIN_SRC text
soyeomul@yw-1204:~$ cat /etc/postfix/relay_clientcerts
D7:5B:D1:A0:EA:A1:8D:9F:7A:4D:77:47:AD:DE:2D:07 yw-0919.doraji.xyz
01:7A:51:89:E5:C0:07:17:51:66:0D:C5:77:F8:77:38 smtp.gmail.com
soyeomul@yw-1204:~$
#+END_SRC

Thanks!!!

REFERENCE: (by googling again...)
<https://opensource.apple.com/source/postfix/postfix-265/postfix/html/TLS_README.html#server_access>

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _救濟蒼生_ 감사합니다_^))//


Re: Solved

2022-04-05 Thread Byung-Hee HWANG
Viktor Dukhovni  writes:

> On Tue, Apr 05, 2022 at 12:54:55PM +0900, Byung-Hee HWANG wrote:
>
>> soyeomul@yw-1204:~$ cat /etc/postfix/relay_clientcerts
>> D7:5B:D1:A0:EA:A1:8D:9F:7A:4D:77:47:AD:DE:2D:07 yw-0919.doraji.xyz
>> 01:7A:51:89:E5:C0:07:17:51:66:0D:C5:77:F8:77:38 smtp.gmail.com
>
> These are "md5" hashes, which are deprecated.  Set:
>
> smtpd_tls_fingerprint_digest = sha256
>
> and populate the table with corresponding "sha256" digests instead.

Oh i did update related stuff, thanks again ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _救濟蒼生_ 감사합니다_^))//
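Viktor's point above is that the two entries in the posted relay_clientcerts table are 16-byte MD5 digests, which will never match once smtpd_tls_fingerprint_digest is sha256. As an added example (not code from the thread or from Postfix), the block below computes a certificate fingerprint in Postfix's colon-separated uppercase hex form from DER bytes, infers from an existing entry's length which digest produced it, and audits a table against the configured digest. The DER bytes are a constructed placeholder, not a real certificate; the sample table is the one posted in the thread. The fingerprint is the digest of the DER encoding, the same value `openssl x509 -noout -fingerprint -sha256` prints.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-in for a client certificate's DER bytes (not a real cert).
SAMPLE_DER = b"constructed DER placeholder, not a real certificate"

# The table as posted in the thread: 16-byte (md5) fingerprints.
SAMPLE_TABLE = """\
D7:5B:D1:A0:EA:A1:8D:9F:7A:4D:77:47:AD:DE:2D:07 yw-0919.doraji.xyz
01:7A:51:89:E5:C0:07:17:51:66:0D:C5:77:F8:77:38 smtp.gmail.com
"""

DIGEST_BYTES = {"md5": 16, "sha1": 20, "sha256": 32}
HEX = set("0123456789ABCDEFabcdef")


def cert_fingerprint(der: bytes, digest: str = "sha256") -> str:
    """Digest of the DER encoding in Postfix's colon-separated uppercase hex form."""
    if digest not in DIGEST_BYTES:
        raise ValueError(f"unsupported digest {digest!r}")
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def guess_digest(fingerprint: str) -> Optional[str]:
    """Infer which digest produced a fingerprint from its number of hex bytes."""
    parts = fingerprint.split(":")
    if not all(len(p) == 2 and set(p) <= HEX for p in parts):
        return None
    for name, size in DIGEST_BYTES.items():
        if len(parts) == size:
            return name
    return None


def audit_relay_clientcerts(table_text: str, configured_digest: str) -> List[Tuple[str, str, str]]:
    """Flag table entries that can never match because they were computed with
    a digest other than smtpd_tls_fingerprint_digest.
    Returns one (fingerprint, label, problem) tuple per offending line."""
    problems = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        fingerprint = fields[0]
        label = fields[1] if len(fields) > 1 else ""
        found = guess_digest(fingerprint)
        if found is None:
            problems.append((fingerprint, label, "not a colon-separated hex fingerprint"))
        elif found != configured_digest:
            problems.append((fingerprint, label,
                             f"{found} fingerprint, but smtpd_tls_fingerprint_digest = {configured_digest}"))
    return problems


def table_line(der: bytes, label: str, digest: str = "sha256") -> str:
    """One relay_clientcerts line: fingerprint followed by a free-form label."""
    return f"{cert_fingerprint(der, digest)} {label}"


if __name__ == "__main__":
    for fp, label, problem in audit_relay_clientcerts(SAMPLE_TABLE, "sha256"):
        print(f"{label}: {problem}")
    print(table_line(SAMPLE_DER, "yw-0919.doraji.xyz"))
```

Run the audit after every change to smtpd_tls_fingerprint_digest: a stale MD5 entry does not produce an error, the client simply stops being permitted, which in a relay setup looks like a sudden "Relay access denied".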


Best way forwarding to Gmail

2022-04-06 Thread Byung-Hee HWANG
Hello,

My final Inbox Provider has been Gmail (soyeo...@gmail.com) for 13 years. Also
i added a paid plan of Google Workspace for

Someday far later i have a plan. That is to forward all emails (on
soyeo...@doraji.xyz) into soyeo...@gmail.com. (If True) then,
i will cancel the paid plan of Google Workspace. So now i'm studying
forwarding technology.

I heard that forwarding to Gmail is very strict, as follows:
https://support.google.com/mail/answer/175365?hl=en

Is there good guidance for forwarding? If it is on Gmail, that is the best option.

Really i would like to succeed with Postfix. Currently i'm running SMTP
servers with two Postfix instances. [yw-0919.doraji.xyz, yw-1204.doraji.xyz] ;;;

Thanks in advance!

Sincerely, Byung-Hee

-- 
^고맙습니다 _和合團結_ 감사합니다_^))//


Re: AW: Best way forwarding to Gmail

2022-04-06 Thread Byung-Hee HWANG
"Ludi Cree"  writes:

> (...thanks...)
> My advice is not to forward to GMail if you can not exclude spam.
  ^ 
This is a worthwhile answer for me, thanks!

> Greets,
> Ludi

Sincerely, Byung-Hee

-- 
^고맙습니다 _和合團結_ 감사합니다_^))//


Re: AW: Best way forwarding to Gmail

2022-04-06 Thread Byung-Hee HWANG
Dominic Raferd  writes:

> On 06/04/2022 13:26, Byung-Hee HWANG wrote:
>> "Ludi Cree"  writes:
>>
>>> (...thanks...)
>>> My advice is not to forward to GMail if you can not exclude spam.
>>^
>> This is a worthwhile answer for me, thanks!
>
> Agreed that first you must be rigorous in excluding spam (and worse);
> then see my script:
> https://www.timedicer.co.uk/programs/help/relay-enforcer.sh.php

Wow, it is a good lecture! Day by day i have to study your lecture!

Thank you very much ^^^

Sincerely, Byung-Hee

-- 
^고맙습니다 _和合團結_ 감사합니다_^))//


Re: Best way forwarding to Gmail

2022-04-12 Thread Byung-Hee HWANG
(... sorry for late ...)

Byung-Hee HWANG  writes:

> Hello,
>
> My final Inbox Provider has been Gmail (soyeo...@gmail.com) for 13 years. Also
> i added a paid plan of Google Workspace for
>
> Someday far later i have a plan. That is to forward all emails (on
> soyeo...@doraji.xyz) into soyeo...@gmail.com. (If True) then,
> i will cancel the paid plan of Google Workspace. So now i'm studying
> forwarding technology.
>
> I heard that forwarding to Gmail is very strict, as follows:
> https://support.google.com/mail/answer/175365?hl=en
>
> Is there good guidance for forwarding? If it is on Gmail, that is the best option.
>
> Really i would like to succeed with Postfix. Currently i'm running SMTP
> servers with two Postfix instances. [yw-0919.doraji.xyz, yw-1204.doraji.xyz] ;;;

After all, I did make a decision. See here:
<https://gitlab.com/soyeomul/Gnus/-/commit/235b9b5afc4db38ddf6e8bf2859f4edc953bef63>

To me, forwarding to Gmail is good; I keep moving on...

Thanks to Ludi, Dominic, John, Benny, Rob and Venema ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


Re: setup postfix to send email

2022-04-12 Thread Byung-Hee HWANG
Dear roberts,

r r  writes:

> Hello,
>
> My domain registrar has email forwarding for free. I plan to setup a
> authorized SMTP in my ubuntu VPS for sending email from this domain.
> I am newbie to email server and postfix.
> Do you have any suggestion on doing this?

Did you read RFC 8461? That is good guidance, I think...

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Best way forwarding to Gmail

2022-04-14 Thread Byung-Hee HWANG
(sorry, I forgot one file)

> After all, i did make decision. See here:
> 

This is the full headers: (the above thing)


A DKIM signature is an outbound mail's passport, at least to me.

> To me, forwarding to Gmail is good, i keep moving on...
>
> Thanks to Ludi, Dominic, John, Benny, Rob and Venema ^^^

Thanks again to all the Postfix professionals here ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//


Re: question about certificates usage

2022-04-23 Thread Byung-Hee HWANG
"ミユナ (alice)"  writes:

> Olivier wrote:
>> You definitely need the certificate for box.coakmail.com because that's
>> the actual server that receives all the traffic.
>
> does plain traffic on port 25 require a certificate?

Maybe RFC 8461 is our friend. In my case, I did set up all MXs with
certificates (Let's Encrypt) [^^^].

Sincerely, Linux fan Byung-Hee

[^^^] 

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: how other MTA talks to me

2022-04-24 Thread Byung-Hee HWANG
"ミユナ (alice)"  writes:

> (... thanks ...)
> but for smtp service on port 25, how other MTA talks to me? they are
> using plain, startTLS or SSL?

This is a useful testing site:


Thanks ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: how other MTA talks to me

2022-04-24 Thread Byung-Hee HWANG
>> This is useful testing site:
>> 

Also the smtp*_tls_loglevel parameters are useful for debugging.

Thanks ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: password security

2022-04-26 Thread Byung-Hee HWANG
> There is obviously a point where the server won't be capable of
> handling the load, always. But what are the odds with "just" a
> brute-force on passwords/accounts?
> Our outbound/internal mail gateway handles the traffic for +2K
> every-day users +28K occasional users. Millions emails per month. It
> handles also emails sent by applications. One of these app had a
> problem last October and tried to send +2M emails per day, for many
> days: the app authenticated on the mail server (sasl/dovecot) tried to
> send the mail, got bounced because recipient was non-valid, got
> disconnected, re-connected and tried again with next recipient, etc.
> Nobody noticed, no user complained, no performance impact at all. We
> only find out because of the postfix log volume increase.
> It's a virtual machine with 4 vcpu and 10GB RAM (most ram is used by
> antispam), it can handle way more: it runs postfix multi, does
> antispam/av filtering and dkim signing for outbound, handles mailing
> lists peaks of +60K messages, etc.

Dear patpro,

Wow, amazing story! Your email volume/traffic is a thousand times bigger than
mine!

Thanks ^^^ 

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: password security

2022-04-26 Thread Byung-Hee HWANG
Dear Viktor,

Viktor Dukhovni  writes:

> On Tue, Apr 26, 2022 at 11:54:21PM +0900, Byung-Hee HWANG wrote:
>
>> > There is obviously a point where the server won't be capable of
>> > handling the load, always. But what are the odds with "just" a
>> > brute-force on passwords/accounts?
>> > Our outbound/internal mail gateway handles the traffic for +2K
>> > every-day users +28K occasional users. Millions emails per month. It
>> > handles also emails sent by applications. One of these app had a
>> > problem last October and tried to send +2M emails per day, for many
>> > days: the app authenticated on the mail server (sasl/dovecot) tried to
>> > send the mail, got bounced because recipient was non-valid, got
>> > disconnected, re-connected and tried again with next recipient, etc.
>> > Nobody noticed, no user complained, no performance impact at all. We
>> > only find out because of the postfix log volume increase.
>> > It's a virtual machine with 4 vcpu and 10GB RAM (most ram is used by
>> > antispam), it can handle way more: it runs postfix multi, does
>> > antispam/av filtering and dkim signing for outbound, handles mailing
>> > lists peaks of +60K messages, etc.
>> 
>> Wow amazing story! Your email volume/traffic is a thousand times bigger than
>> mine!
>
> Not surprising, when over a decade ago I set the Postfix servers for the
> Google IPO, each individual server (spinning rust not SSD) was capable
> of sustaining ~200 msgs/sec, which would be ~17M msgs/day if there were
> enough messages.
>
> In the meantime the corporate mail servers were handling 2M messages/day
> for ~80k users, for redundancy 4 nodes 2 each at 2 sites, any one would
> have handled all the load.  The main limiting factor was the CPU cost
> of content inspection, "normal" mail processing easily scaled to
> ~300/sec, but dropped to ~30/sec with content inspection.
>
> With SSD storage and modern CPUs, the peak performance of a Postfix
> server would be a few times higher.

Huwa... for a while I watched a movie like <>!

Thank you for sharing good story INDEED...

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: Postfix stable release 3.7.1 and legacy releases 3.6.6, 3.5.16, 3.4.26

2022-04-26 Thread Byung-Hee HWANG
Greg Klanderman  writes:

>> On April 18, 2022 Wietse Venema  wrote:
>
>>   * (problem introduced: Postfix 3.0) With dynamic map loading
>> enabled, an attempt to create a map with "postmap regexp:path"
>> would result in a bogus error message "Is the postfix-regexp
>> package installed?" instead of "unsupported map type for this
>> operation". This happened with all non-dynamic map types (static,
>> cidr, etc.) that have no 'bulk create' support. Problem reported
>> by Greg Klanderman.
>
> Thank you Wietse!
>
> Greg
>

+1; Thank you Dr. Venema ^^^ 

(Currently I am running two Postfix servers as a real service.)

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: what's a encrypted email?

2022-04-27 Thread Byung-Hee HWANG
wilson  writes:

> today everyone claims they are an encrypted email provider.
> what's the definition of an encrypted email? messages and headers and
> logs were encrypted at rest?

I think RFC 8461 is worth considering, thanks!

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


dnswl.org lookup error

2022-05-08 Thread Byung-Hee HWANG
Hellow!

I am running a Postfix server under Ubuntu 18.04 LTS at Google Compute
Engine. The hostname is <>; the only open port is 25.

The server confs are below:


So now the question. After I added 'permit_dnswl_client list.dnswl.org',
very often I see logs of this pattern:

#+begin_src text (postfix log)
May  8 10:24:14 bionic190316003 postfix/smtpd[10918]: connect from lists.gnu.org[209.51.188.17]
May  8 10:24:15 bionic190316003 postfix/smtpd[10918]: Anonymous TLS connection established from lists.gnu.org[209.51.188.17]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  8 10:24:25 bionic190316003 postfix/smtpd[10918]: warning: 17.188.51.209.list.dnswl.org: RBL lookup error: Host or domain name not found. Name service error for name=17.188.51.209.list.dnswl.org type=A: Host not found, try again
May  8 10:24:25 bionic190316003 postfix/smtpd[10918]: 810D83F064: client=lists.gnu.org[209.51.188.17]
May  8 10:24:25 bionic190316003 postfix/cleanup[10965]: 810D83F064: message-id=<87y1zcqq5e.fsf@localhost>
May  8 10:24:25 bionic190316003 postfix/qmgr[32274]: 810D83F064: from=, size=7315, nrcpt=1 (queue active)
May  8 10:24:25 bionic190316003 postfix/cleanup[10965]: 93B323F06A: message-id=<87y1zcqq5e.fsf@localhost>
May  8 10:24:25 bionic190316003 postfix/qmgr[32274]: 93B323F06A: from=, size=7448, nrcpt=1 (queue active)
May  8 10:24:25 bionic190316003 postfix/local[10966]: 810D83F064: to=, relay=local, delay=10, delays=10/0/0/0, dsn=2.0.0, status=sent (forwarded as 93B323F06A)
May  8 10:24:25 bionic190316003 postfix/qmgr[32274]: 810D83F064: removed
#+end_src

As shown in the above log, is the line 'RBL lookup error' normal? Can I ignore that?

And the others are OK.

Any comments welcome!

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
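Added example, not part of this thread and not Postfix code: a small Python parser over log lines of the kind shown in the post above. It picks out the smtpd "RBL lookup error" warnings, recovers the client address from the reversed-octet query name (17.188.51.209.list.dnswl.org is 209.51.188.17 looked up in list.dnswl.org) and tallies failures per DNSBL zone. The text "Host not found, try again" is how Postfix reports a resolver TRY_AGAIN status, so the list gave no answer at all; that is not the same as "not listed", and a permit_dnswl_client entry cannot fire on it. The sample below is constructed from the warning in this post plus two invented lines (the address 192.0.4.5 and the zone dnsbl.example.net are placeholders) so that the per-zone tally has something to separate.

```python
import re
from collections import Counter

# Constructed sample input: the warning quoted in this post plus two invented
# lines (192.0.4.5 and dnsbl.example.net are placeholders, not real data).
SAMPLE_LOG = """\
May  8 10:24:14 bionic190316003 postfix/smtpd[10918]: connect from lists.gnu.org[209.51.188.17]
May  8 10:24:25 bionic190316003 postfix/smtpd[10918]: warning: 17.188.51.209.list.dnswl.org: RBL lookup error: Host or domain name not found. Name service error for name=17.188.51.209.list.dnswl.org type=A: Host not found, try again
May  8 10:24:25 bionic190316003 postfix/smtpd[10918]: 810D83F064: client=lists.gnu.org[209.51.188.17]
May  8 10:31:02 bionic190316003 postfix/smtpd[10931]: warning: 5.4.0.192.list.dnswl.org: RBL lookup error: Host or domain name not found. Name service error for name=5.4.0.192.list.dnswl.org type=A: Host not found, try again
May  8 10:40:15 bionic190316003 postfix/smtpd[10940]: warning: 5.4.0.192.dnsbl.example.net: RBL lookup error: Host or domain name not found. Name service error for name=5.4.0.192.dnsbl.example.net type=A: Host not found, try again
"""

# syslog timestamp, host, smtpd process, then the query name and the reason text
RBL_WARNING = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: warning: "
    r"(?P<query>\S+): RBL lookup error: (?P<reason>.*)$"
)


def parse_rbl_query(query):
    """Split a reversed-octet DNSBL query name into (client_ip, zone).

    '17.188.51.209.list.dnswl.org' -> ('209.51.188.17', 'list.dnswl.org').
    Names that do not start with four numeric labels (domain-based lists)
    are returned unchanged with no client address.
    """
    labels = query.rstrip(".").split(".")
    if len(labels) < 5 or not all(lab.isdigit() for lab in labels[:4]):
        return None, query
    return ".".join(reversed(labels[:4])), ".".join(labels[4:])


def summarize_rbl_errors(log_text):
    """Collect RBL lookup failures from Postfix log text and tally them per zone."""
    errors = []
    per_zone = Counter()
    for line in log_text.splitlines():
        m = RBL_WARNING.match(line)
        if not m:
            continue
        client_ip, zone = parse_rbl_query(m.group("query"))
        # "Host not found, try again" is Postfix's wording for a TRY_AGAIN
        # resolver status: the resolver failed, the list did not say "unlisted".
        transient = "try again" in m.group("reason")
        errors.append({"ts": m.group("ts"), "zone": zone,
                       "client_ip": client_ip, "transient": transient})
        per_zone[zone] += 1
    return {"errors": errors, "per_zone": per_zone}


if __name__ == "__main__":
    import sys
    # Pipe real log text in (e.g. grep 'RBL lookup error' /var/log/mail.log | python3 rbl_errors.py);
    # with no piped input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    report = summarize_rbl_errors(text)
    for zone, n in report["per_zone"].most_common():
        print(f"{zone}: {n} lookup failure(s)")
    for e in report["errors"]:
        print(f"  {e['ts']} client={e['client_ip']} zone={e['zone']} transient={e['transient']}")
```

A steadily rising count for every zone at once points at the resolver rather than at any one list, which is what the replies in this thread go on to diagnose.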


Re: dnswl.org lookup error

2022-05-08 Thread Byung-Hee HWANG
Dear Bastian,

Bastian Blank  writes:

> Hi
>
> On Sun, May 08, 2022 at 07:42:00PM +0900, Byung-Hee HWANG wrote:
>> May 8 10:24:25 bionic190316003 postfix/smtpd[10918]: warning:
>> 17.188.51.209.list.dnswl.org: RBL lookup error: Host or domain name
>> not found. Name service error for name=17.188.51.209.list.dnswl.org
>> type=A: Host not found, try again
>> As shown above log, the line 'RBL lookup error' is normal? Can i ignore that?
>
> No, this line is not normal.  It means you have an error in the DNS
> resolution.  Maybe you are using a public resolver.

Thanks for the quick reply, Bastian!

Below is my /etc/resolv.conf:

#+begin_src text (/etc/resolv.conf in Google Compute Engine)
soyeomul@bionic190316003:~$ sudo cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0
search us-west1-b.c.elite-flow-234711.internal c.elite-flow-234711.internal 
google.internal
soyeomul@bionic190316003:~$ 
#+end_src

If possible, I would like to solve this problem.

Thanks!

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: dnswl.org lookup error

2022-05-08 Thread Byung-Hee HWANG
Dear Bjoern,

Bjoern Franke  writes:

> Hi,
>
>> I think your system is using systemd-resolved for DNS lookups; this
>> hands off the real work of resolving to public resolvers, so RBLs will
>> block your lookups. This is a normal setup for a systemd-based distro
>> but is not appropriate for a mail server.
>> 
>
> We don't know if systemd-resolved uses public resolvers until he shows
> us the output of resolvectl.

Thanks for comments!

#+begin_src text (shell command output)
soyeomul@bionic190316003:~$ sudo systemd-resolve --status
Global
  DNSSEC NTA: 10.in-addr.arpa
  16.172.in-addr.arpa
  168.192.in-addr.arpa
  17.172.in-addr.arpa
  18.172.in-addr.arpa
  19.172.in-addr.arpa
  20.172.in-addr.arpa
  21.172.in-addr.arpa
  22.172.in-addr.arpa
  23.172.in-addr.arpa
  24.172.in-addr.arpa
  25.172.in-addr.arpa
  26.172.in-addr.arpa
  27.172.in-addr.arpa
  28.172.in-addr.arpa
  29.172.in-addr.arpa
  30.172.in-addr.arpa
  31.172.in-addr.arpa
  corp
  d.f.ip6.arpa
  home
  internal
  intranet
  lan
  local
  private
  test

Link 2 (ens4)
  Current Scopes: DNS
   LLMNR setting: yes
MulticastDNS setting: no
  DNSSEC setting: no
DNSSEC supported: no
 DNS Servers: 169.254.169.254
  DNS Domain: us-west1-b.c.elite-flow-234711.internal
  c.elite-flow-234711.internal
  google.internal
soyeomul@bionic190316003:~$ date
Mon May  9 01:52:31 UTC 2022
soyeomul@bionic190316003:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:Ubuntu 18.04.6 LTS
Release:18.04
Codename:   bionic
soyeomul@bionic190316003:~$ 
#+end_src

Any comments and advice welcome!

> Regards
> Bjoern
>

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//


Re: dnswl.org lookup error

2022-05-08 Thread Byung-Hee HWANG
Dear Dominic,

Dominic Raferd  writes:

> On 08/05/2022 11:59, Byung-Hee HWANG wrote:
>> Dear Bastian,
>>
>> Bastian Blank  writes:
>>
>>> Hi
>>>
>>> On Sun, May 08, 2022 at 07:42:00PM +0900, Byung-Hee HWANG wrote:
>>>> May 8 10:24:25 bionic190316003 postfix/smtpd[10918]: warning:
>>>> 17.188.51.209.list.dnswl.org: RBL lookup error: Host or domain name
>>>> not found. Name service error for name=17.188.51.209.list.dnswl.org
>>>> type=A: Host not found, try again
>>>> As shown above log, the line 'RBL lookup error' is normal? Can i
>>>> ignore that?
>>> No, this line is not normal.  It means you have an error in the DNS
>>> resolution.  Maybe you are using a public resolver.
>> Thanks for quick reply Bastian!
>>
>> Below is my /etc/resolv.conf:
>>
>> #+begin_src text (/etc/resolv.conf in Google Compute Engine)
>> soyeomul@bionic190316003:~$ sudo cat /etc/resolv.conf
>> # This file is managed by man:systemd-resolved(8). Do not edit.
>> #
>> # This is a dynamic resolv.conf file for connecting local clients to the
>> # internal DNS stub resolver of systemd-resolved. This file lists all
>> # configured search domains.
>> #
>> # Run "systemd-resolve --status" to see details about the uplink DNS servers
>> # currently in use.
>> #
>> # Third party programs must not access this file directly, but only
>> through the
>> # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
>> different way,
>> # replace this symlink by a static file or a different symlink.
>> #
>> # See man:systemd-resolved.service(8) for details about the supported modes 
>> of
>> # operation for /etc/resolv.conf.
>>
>> nameserver 127.0.0.53
>> options edns0
>> search us-west1-b.c.elite-flow-234711.internal
>> c.elite-flow-234711.internal google.internal
>> soyeomul@bionic190316003:~$
>> #+end_src
>>
>> Possibly i would like to solve this problem.
>>
>> Thanks!
>>
>> Sincerely, Linux fan Byung-Hee
>>
> I think your system is using systemd-resolved for DNS lookups; this
> hands off the real work of resolving to public resolvers, so RBLs will 
> block your lookups. This is a normal setup for a systemd-based distro
> but is not appropriate for a mail server.
>
> First install a true local resolver such as bind9 or unbound and then
> switch your system to use it instead of systemd-resolved. To switch to 
> bind9 you could try my
> https://www.timedicer.co.uk/programs/help/bind9-resolved-switch.sh.php.
>
> [ If you want, bind9 can be set so that 'normal' lookups still go via
> external (public) resolvers (as you specify in 
> /etc/bind/named.conf.options), but lookups for RBLs are routed
> directly. Perhaps unbound can do the same (I haven't tried it). ]

Wow, it seems such difficult work! I need time to think! Thanks for your
kind advice!! Thanks again... Dominic ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//


Solved (Was: Re: dnswl.org lookup error)

2022-05-08 Thread Byung-Hee HWANG
Byung-Hee HWANG  writes:

> Hellow!
>
> I am running postfix server under Ubuntu 18.04 LTS at Google Compute
> Engine. The hostname is <>, open port is 25 only.
>
> The server conf are bellow:
> <https://gitlab.com/soyeomul/Gnus/-/raw/karma/DKIM/smtp-conf.yw-0919>
>
> So now question. After i added 'permit_dnswl_client list.dnswl.org',
> very often i see these pattern's logs:
>
> #+begin_src text (postfix log)
> May  8 10:24:14 bionic190316003 postfix/smtpd[10918]: connect from 
> lists.gnu.org[209.51.188.17]
> May  8 10:24:15 bionic190316003 postfix/smtpd[10918]: Anonymous TLS 
> connection established from lists.gnu.org[209.51.188.17]: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> May  8 10:24:25 bionic190316003 postfix/smtpd[10918]: warning: 
> 17.188.51.209.list.dnswl.org: RBL lookup error: Host or domain name not 
> found. Name service error for name=17.188.51.209.list.dnswl.org type=A: Host 
> not found, try again
> May  8 10:24:25 bionic190316003 postfix/smtpd[10918]: 810D83F064: 
> client=lists.gnu.org[209.51.188.17]
> May  8 10:24:25 bionic190316003 postfix/cleanup[10965]: 810D83F064: 
> message-id=<87y1zcqq5e.fsf@localhost>
> May  8 10:24:25 bionic190316003 postfix/qmgr[32274]: 810D83F064: 
> from=, size=7315, nrcpt=1 
> (queue active)
> May  8 10:24:25 bionic190316003 postfix/cleanup[10965]: 93B323F06A: 
> message-id=<87y1zcqq5e.fsf@localhost>
> May  8 10:24:25 bionic190316003 postfix/qmgr[32274]: 93B323F06A: 
> from=, size=7448, nrcpt=1 
> (queue active)
> May  8 10:24:25 bionic190316003 postfix/local[10966]: 810D83F064: 
> to=, relay=local, delay=10, delays=10/0/0/0, dsn=2.0.0, 
> status=sent (forwarded as 93B323F06A)
> May  8 10:24:25 bionic190316003 postfix/qmgr[32274]: 810D83F064: removed
> #+end_src
>
> As shown above log, the line 'RBL lookup error' is normal? Can i ignore that?
>
> And the others are OK.

Hello all again!

I just updated the /etc/resolv.conf stuff.
Exactly why it works, I don't know.

Anyway, it works.

The edited stuff:
#+begin_src text (shell command output)
soyeomul@bionic190316003:~$ sudo ls -ld /etc/resolv.*
lrwxrwxrwx 1 root root 15 May  9 03:24 /etc/resolv.conf -> resolv.conf.one
-rw-r--r-- 1 root root 24 May  9 04:42 /etc/resolv.conf.one
soyeomul@bionic190316003:~$ sudo cat /etc/resolv.conf.one
nameserver 168.126.63.1
soyeomul@bionic190316003:~$ sudo cat /etc/resolv.conf
nameserver 168.126.63.1
soyeomul@bionic190316003:~$ 
soyeomul@bionic190316003:~$ sudo systemd-resolve --status
Global
 DNS Servers: 168.126.63.1
  DNSSEC NTA: 10.in-addr.arpa
  16.172.in-addr.arpa
  168.192.in-addr.arpa
  17.172.in-addr.arpa
  18.172.in-addr.arpa
  19.172.in-addr.arpa
  20.172.in-addr.arpa
  21.172.in-addr.arpa
  22.172.in-addr.arpa
  23.172.in-addr.arpa
  24.172.in-addr.arpa
  25.172.in-addr.arpa
  26.172.in-addr.arpa
  27.172.in-addr.arpa
  28.172.in-addr.arpa
  29.172.in-addr.arpa
  30.172.in-addr.arpa
  31.172.in-addr.arpa
  corp
  d.f.ip6.arpa
  home
  internal
  intranet
  lan
  local
  private
  test

Link 2 (ens4)
  Current Scopes: DNS
   LLMNR setting: yes
MulticastDNS setting: no
  DNSSEC setting: no
DNSSEC supported: no
 DNS Servers: 169.254.169.254
  DNS Domain: us-west1-b.c.elite-flow-234711.internal
  c.elite-flow-234711.internal
  google.internal
soyeomul@bionic190316003:~$
soyeomul@bionic190316003:/etc$ sudo diff -uNr hosts.orig hosts
--- hosts.orig  2022-02-14 13:15:31.262460939 +
+++ hosts   2022-05-09 03:08:44.797121524 +
@@ -1,5 +1,7 @@
 ::1localhost
 127.0.0.1  localhost
+127.0.0.1  bionic190316003
+127.0.0.1  bionic190316003.us-west1-b.c.elite-flow-234711.internal
 
 # The following lines are desirable for IPv6 capable hosts
 ::1 ip6-localhost ip6-loopback
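Review bot: the two added 127.0.0.1 lines are what keep bionic190316003 and its .internal FQDN resolvable now that resolv.conf points only at 168.126.63.1, an external resolver that knows nothing of the GCE-internal zone and no longer has the search list; put that reason in a comment right next to them, otherwise a later cleanup may drop them and anything that resolves the local hostname (the familiar sudo "unable to resolve host" warning is the usual first symptom) starts failing or waiting on the external resolver.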
@@ -9,3 +11,5 @@
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts
 169.254.169.254 metadata.google.internal metadata
+
+# 2022-05-09
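Review bot: the trailing "# 2022-05-09" comment records a date but not what changed, and it sits at the end of the file, far from the entries it refers to in the first hunk; move the comment next to the two 127.0.0.1 lines and state what they are for (local hostname entries added when resolv.conf was switched away from systemd-resolved), which is what the next reader of /etc/hosts needs.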
soyeomul@bionic190316003:/etc$ 
#+end_src

"168.126.63.1" is located in South Korea. Maybe Korea Telecom?

Thanks again all ^^^
(Bastian, Dominic, Bjoern, ...)

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//
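Added example (mine, not the author's and not part of systemd or Postfix): a Python checker over resolv.conf text for the situation in this thread. It classifies each nameserver line as the systemd-resolved stub 127.0.0.53, the 169.254.169.254 metadata resolver that resolvectl showed as the stub's upstream, a loopback recursive resolver such as the bind9 or unbound that Dominic recommends, a private-network address, or an external shared resolver like the 168.126.63.1 used in this post, and reports dnsbl_ready only when every nameserver is a loopback resolver. The two sample files are constructed from the resolv.conf contents quoted in this thread; the class names and advice strings are my own.

```python
import ipaddress

SYSTEMD_STUB = ipaddress.ip_address("127.0.0.53")       # systemd-resolved's stub listener
GCE_METADATA = ipaddress.ip_address("169.254.169.254")  # metadata resolver seen in this thread

# Constructed samples: the stub resolv.conf quoted earlier in this thread and the
# one-line replacement from this post.
STUB_RESOLV_CONF = """\
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0
search us-west1-b.c.elite-flow-234711.internal c.elite-flow-234711.internal google.internal
"""
REPLACED_RESOLV_CONF = "nameserver 168.126.63.1\n"


def parse_nameservers(resolv_conf):
    """Return the nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_nameserver(addr_text):
    """Name the kind of resolver an address points at (my own labels)."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "unparseable"
    if addr == SYSTEMD_STUB:
        return "systemd-resolved stub"   # forwards to whatever 'resolvectl status' lists
    if addr == GCE_METADATA:
        return "cloud metadata resolver"
    if addr.is_loopback:
        return "local recursive resolver"
    if addr.is_private or addr.is_link_local:
        return "private-network resolver"
    return "external shared resolver"


ADVICE = {
    "systemd-resolved stub": "the real queries go to the stub's upstream; classify the address shown by 'resolvectl status' instead",
    "cloud metadata resolver": "provider-operated and shared by many instances; DNSBL operators may limit or refuse such sources",
    "external shared resolver": "ISP/public resolver shared with many clients; its DNSBL query budget is consumed by strangers",
    "private-network resolver": "fine if it is your own recursive resolver and not a forwarder to a public one",
    "local recursive resolver": "queries leave from this host's own address, which is what DNSBL operators expect",
    "unparseable": "not an IP address; fix resolv.conf",
}


def assess_resolv_conf(resolv_conf):
    """Classify every nameserver and decide whether DNSBL lookups will come from a local resolver."""
    servers = parse_nameservers(resolv_conf)
    classes = {s: classify_nameserver(s) for s in servers}
    dnsbl_ready = bool(servers) and all(c == "local recursive resolver" for c in classes.values())
    return {"nameservers": servers, "classes": classes, "dnsbl_ready": dnsbl_ready,
            "advice": [f"{s}: {ADVICE[c]}" for s, c in classes.items()]}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        report = assess_resolv_conf(fh.read())
    print("dnsbl_ready:", report["dnsbl_ready"])
    for line in report["advice"]:
        print(" ", line)
```

On the stub configuration the useful next step is `resolvectl status` (or `systemd-resolve --status` on Ubuntu 18.04, as in this thread), because the stub itself says nothing about where queries leave the machine.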


Re: dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Byung-Hee HWANG
Hellow Matt,

Matt Kinni  writes:

> I have opendkim configured via 'smtpd_milters' to sign all outbound
> mail, and my domain publishes a "quarantine" dmarc record to enforce
> the consequences of this.
>
> I recently discovered that MAILER-DAEMON messages generated by postfix
> itself bypass this setup and do /not/ get signed, which unfortunately 
> results in legitimate DSNs being filtered into the sender's spam/junk
> mail folder due to the dmarc policy (I confirmed this with gmail).
>
> After doing some research, I learned that dkim signing can be forced
> for postfix's internally generated mails by setting
> 'non_smtpd_milters' in conjunction with
> 'internal_mail_filter_classes=bounce', however the manpage for the
> latter parameter has this cautionary message:
>>
>> NOTE: It's generally not safe to enable content inspection of
>   Postfix-generated email messages. The user is warned.
>>
>
> So I'm not sure what the best practice is here; postfix tries hard to
> prevent being a source of backscatter and thus outbound DSN messages 
> should be rare, but in the event a legitimate bounce does need to be
> sent out, I'd like it to not end up in the sender's spam folder.  On
> the other hand, miltering mailer-deamon messages adds a point of
> failure to a privileged message class that should always be expected
> to succeed, which I imagine is why the manpage discourages it.
>
> Thoughts?

Well, I think this is a useful thought:


Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _白衣從軍_ 감사합니다_^))//


Re: transport map with TLS policies?

2022-05-27 Thread Byung-Hee HWANG
Hellow Joachim,

"Joachim Lindenberg"  writes:

> I wanted to send a mail to a domain yesterday, that was using dead MX records 
> and one
> the one MX that was alive, was presenting an untrusted certificate (my server 
> uses verify
> by default). I added a transport map (or “route” as mailcow-dockerized calls 
> it) that points
> to the alive MX plus a TLS policies for the domain and MX that asks for 
> “may”, but flushing
> the queue I still got “untrusted certificate”. I temporarily changed my 
> default to may and
> the mail was delivered.
>
> Are TLS policies applied at all after setting a domain specific transport?

This is my example:
gmail.com  verify
[yw-1204.doraji.xyz]:2525   encrypt

yw-1204 is an SMTP server, written as [FQDN], which is just a relay server.
gmail.com is a domain, which has MX(s).

> I cannot rule out that the problem is mailcow specific of course.
>
> Thanks, 
>
> Joachim
>

Thanks,

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


Re: AW: transport map with TLS policies?

2022-05-27 Thread Byung-Hee HWANG
Hellow Joachim,

"Joachim Lindenberg"  writes:

> Hello Byung-Hee,
> I do have all of the following in my TLS policy: 
> domainmay
> mx.domain may
> [mx.domain]:25may
> and it doesn´t work for me.

Well, you could check whether your server is 'good' or 'not good' with this:


The above code requires only an FQDN, not a domain. The default port is '25'.
Example result:

#+BEGIN_SRC text (shell command output)
soyeomul@penguin:~$ ./ct.py yw-1204.doraji.xyz
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = yw-1204.doraji.xyz
verify return:1
250 CHUNKING
DONE
notBefore=May 24 02:00:00 2022 GMT
notAfter=Aug 22 01:59:59 2022 GMT
^^^
posttls-finger: yw-1204.doraji.xyz[185.17.255.72]:25: Matched subjectAltName: yw-1204.doraji.xyz
posttls-finger: yw-1204.doraji.xyz[185.17.255.72]:25 CommonName yw-1204.doraji.xyz
posttls-finger: yw-1204.doraji.xyz[185.17.255.72]:25: subject_CN=yw-1204.doraji.xyz, issuer_CN=R3, fingerprint=9E:48:5B:F2:D9:70:40:C3:52:7A:C6:8B:1E:79:8D:9B:4A:E1:1A:0B:8D:0D:67:DF:A3:55:58:20:DE:76:6D:24, pkey_fingerprint=98:02:56:7B:09:51:9A:EB:A7:94:B1:B9:A0:52:FC:64:33:CD:EE:39:C4:03:4D:4C:B3:74:5B:FB:87:6D:77:93
posttls-finger: Verified TLS connection established to yw-1204.doraji.xyz[185.17.255.72]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
soyeomul@penguin:~$ 
#+END_SRC


Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//
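The ct.py script referred to in the post above is not on the page. As an added example of my own (not the author's script and not Postfix code), here is a Python check that does what posttls-finger does at the `verify` level: open a port-25 session, upgrade with STARTTLS against the system CA store, and report the subjectAltName, expiry and TLS version, or the reason verification failed. The helpers are testable offline on the notAfter line quoted above; the host name yw-1204.doraji.xyz in the usage comes from that output, and the result field names are my own.

```python
import smtplib
import ssl
import sys
import time


def san_dns_names(cert):
    """DNS entries from the subjectAltName of a cert dict as returned by getpeercert()."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, names):
    """Exact match, or a single-label wildcard in the leftmost label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def days_until_expiry(not_after, now=None):
    """Whole days left; not_after is the getpeercert()/OpenSSL text form, e.g. 'Aug 22 01:59:59 2022 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def check_starttls(host, port=25, timeout=20):
    """Report what a certificate-verifying client sees when it talks STARTTLS to host:port."""
    result = {"host": host, "port": port, "verified": False, "error": None}
    ctx = ssl.create_default_context()   # system CA store, hostname check enabled
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS"
                return result
            smtp.starttls(context=ctx)   # chain and hostname are verified during the handshake
            smtp.ehlo()
            cert = smtp.sock.getpeercert()
            names = san_dns_names(cert)
            result.update({
                "san": names,
                "name_match": hostname_matches(host, names),
                "not_after": cert.get("notAfter"),
                "days_left": days_until_expiry(cert["notAfter"]),
                "tls_version": smtp.sock.version(),
                "verified": True,
            })
    except ssl.SSLCertVerificationError as exc:
        # this is the condition under which a Postfix 'verify' policy refuses to deliver
        result["error"] = "certificate not trusted: %s" % exc.verify_message
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # usage: python3 starttls_check.py yw-1204.doraji.xyz 25
    target = sys.argv[1] if len(sys.argv) > 1 else "yw-1204.doraji.xyz"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in check_starttls(target, target_port).items():
        print(f"{key}: {value}")
```

Run it only against servers you operate or are about to deliver to. A "certificate not trusted" result is exactly what makes a `verify` policy in Postfix refuse the destination, which is the situation Joachim describes; the remote chain is theirs to fix, and a relaxed per-destination policy is the local accommodation.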


Re: tricky dual delivery challenge

2022-05-27 Thread Byung-Hee HWANG
Hellow charlie,

charlie derr  writes:

> Greetings fine postfix wizards,
>
> We are in the process of transitioning from a local postfix and dovecot
> infrastructure to using gmail. While we're in the process of copying
> over all of our users' archived email to the new gmail environment, we'd
> like to have all email delivered both to gmail and to our local dovecot
> mailboxes.
>
> simons-rock.edu MX records currently point to Gmail servers. With Gmail
> "dual delivery" routing, all email received by Gmail for simons-rock.edu
> is delivered to a Gmail mailbox and additionally routed to our internal
> email spam filters (hormel.simons-rock.edu) and then on to our internal
> Postfix + Dovecot system (hedwig.simons-rock.edu).
>
> However, email that is generated by our users or systems directly via
> SMTP to hedwig.simons-rock.edu currently has no way to reach Gmail
> mailboxes.
>
> Are there any suggestions on how we can make sure that both internally
> generated and external email reach both Gmail and Dovecot mailboxes
> without creating a routing loop?
>
> Our current idea is to rely on the existing Gmail dual delivery setup.
> We'd like to know if it's possible to configure Postfix on
> hedwig.simons-rock.edu so that:
>  1) Any email that originates on this system (or our roundcube webmail
> instance on warlock.simons-rock.edu) is first routed out to Gmail
> servers, even if the domain is simons-rock.edu and the user has a
> Dovecot mailbox.
>  2) Any email that is routed to (or back to) our internal servers via
> Gmail dual delivery (arriving via hormel.simons-rock.edu) is just
> delivered to a Dovecot mailbox.
>
> Thanks so much for any direction you can provide us. Should there be
> more information you would like us to provide, we'll be happy to do so.
>
> gratefully,
> ~c

A simple configuration is best for maintenance. Another thought.


Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


Re: transport map with TLS policies?

2022-05-27 Thread Byung-Hee HWANG
Viktor Dukhovni  writes:

> (... thanks ...)
> Yes.  But in your case (with an overly strict default policy, requiring
> may exceptions) it would be more appropriate to define a dedicated
> transport for opportunistic unauthenticated TLS:
>
> # Or "dane" instead of "may" if you have a working DNSSEC resolver
> # on 127.0.0.1
> #
> maytls unix  -   -   n   -   -   smtp
> -o smtp_tls_security_level=may
>
> and then just set the transport to "maytls" instead of "smtp" for the
> multitude of domains for which you need to make exceptions.
>

Hellow Viktor, I learned something new from you, thanks!

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: AW: AW: transport map with TLS policies?

2022-05-27 Thread Byung-Hee HWANG
Dear Joachim,

"Joachim Lindenberg"  writes:

> Couldn´t run the python script due to postfix in docker, but can run
> postfix-finger domain - but this tells me what I already knew and
> wrote in my first mail. The certificate is not trusted and thus verify
> as default does not work, and it doesn´t look like postfix-finger
> evaluates tls policies at all. Does it?

Well, I read your first message wrongly. So please ignore my earlier mails.

Viktor gave us a good answer, I think.

Thanks!


Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: Test Post - Please Ignore

2023-03-24 Thread Byung-Hee HWANG via Postfix-users
duluxoz via Postfix-users  writes:

> Sorry Everyone, but I need to test if my posts are going through
>
> Please ignore (or feel free to send me a confirmation)
>
> Cheers
>
> Dulux-Oz

Looks good.

But the Subject prefix [pfx] or [P-U] is too rich.
It is just minority feedback...

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Configuration of postfix on Ubuntu 22

2023-03-26 Thread Byung-Hee HWANG via Postfix-users
Aosars Repository via Postfix-users  writes:

> Hi all,
> I have installed postfix on Ubuntu server 22 and configured to use gmail 
> smtp. But it fails to send mails.
> Can some share with me a step by step guide on installation and 
> configuration. 

First, as Ralf already mentioned, make sure you have Gmail's app password
(16-digit). And a simple setting is best.

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] What is best way for backup solution?

2023-03-28 Thread Byung-Hee HWANG via Postfix-users
Hellow,

I am running two Postfix servers. Both are in the cloud: Google GCP and a
Rimuhosting-EU VM. Recently I thought that I have to back up the servers'
setting values, because sometimes I meet minor accidents.

Somebody says Docker is good for backup. Though I would like to hear more
opinions. Any comments welcome!

My domain is this [DORAJI.XYZ].

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: What is best way for backup solution?

2023-03-30 Thread Byung-Hee HWANG via Postfix-users
Dear Matt,

Matt Kinni via Postfix-users  writes:

> Are you just talking about backing up the config files in /etc/postfix?
> I would recommend using git for version control; there is nothing
> special about backing up the postfix configs vis a vis any other
> service on your machine.  It also wouldn’t hurt to take periodic
> snapshots of your VMs

I also like git! Wonderful advice, thanks!

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: secondary MX server

2023-03-31 Thread Byung-Hee HWANG via Postfix-users
Corey Hickman via Postfix-users  writes:

> Hello,
>
> Since almost every sending MTA has the queues, do I need a secondary
> MX for my domain email?
>
> I am afraid the secondary MX was abused by spammers.
>
> Thanks.

I am now running a secondary MX. It is valuable for me.

Use MTA-STS (testing is proper) if you want to mitigate spam things.

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: invalid and non-fqdn hostname

2023-04-05 Thread Byung-Hee HWANG via Postfix-users
Ken Peng via Postfix-users  writes:

> (...)
> for instance, 腾讯.公司 is an invalid hostname, but it is an FQDN
> hostname which will pass the check by the second clause.

Good example, thanks!

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: forwarding setup for mailbox user

2023-04-08 Thread Byung-Hee HWANG via Postfix-users
tom--- via Postfix-users  writes:

> Hello,
>
> for a mailbox user, such as my one t...@myposts.ovh, where to define
> the forwarding? for example, I want messages sent to this mailbox to
> be copied to gmail.

Hellow tom,

DKIM is good for you if you are the domain's owner.

This is general guideline:
https://support.google.com/mail/answer/175365?hl=en&ref_topic=7280290#admins

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: SPF: HELO does not publish an SPF Record

2023-04-12 Thread Byung-Hee HWANG via Postfix-users
>   2) change smtp_helo_name to
>
> smtp_helo_name = $mydomain

It is very strange, I think.

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: Regarding transport maps (sender_dependent_relayhost_maps not working)

2023-04-22 Thread Byung-Hee HWANG via Postfix-users
Andrew Athan via Postfix-users  writes:

> (...)
> My goal is to silently discard all inbound mail from a certain
> domain. Or actually, I may wish to redirect all of that mail either to
> a flat file (similar to the proposed blackhole transport) or (...)

Go with the easy way. See header_checks. `man 5 header_checks` ;;;

These [1] are the real server conf files from my mail server.

[1] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-0919

Sincerely,

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: Regarding transport maps (sender_dependent_relayhost_maps not working)

2023-04-23 Thread Byung-Hee HWANG via Postfix-users
Matus UHLAR - fantomas via Postfix-users 
writes:

> (...)
> for envelope from, simple access map should be enough:
> http://www.postfix.org/access.5.html
>
> and use DISCARD

Ok. Thanks for the heads-up, Matus!

Sincerely, Byung-Hee

-- 
^고맙습니다 _地平天成_ 감사합니다_^))//


[pfx] Re: forwarding questions

2023-04-27 Thread Byung-Hee HWANG via Postfix-users
Tom Reed via Postfix-users  writes:

> (...)
> How can I setup it to both reach local mailbox and forwarding?
>

You first have to read this 3 times very carefully:
https://support.google.com/mail/answer/175365?sjid=13805511033984428370-AP

I read all emails at Gmail. Yes, I'm a forwarding user like you.

Sincerely,

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: Domain scoring

2023-04-28 Thread Byung-Hee HWANG via Postfix-users
Ken Peng via Postfix-users  writes:

> Do you know any plugins for scoring a domain?
> For example, new registered domain, free domain get the low scores.

How about dnswl.org?

Sincerely,

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: stop bulk messages

2023-05-02 Thread Byung-Hee HWANG via Postfix-users
Corey Hickman via Postfix-users  writes:

> Hello list,
>
> Some clients abuse the outgoing smtp server for sending bulk messages.
> The messages have the same content of business promotion letter.
> Do you know how to stop this behavior?
>

You cannot stop it if he/she is a paid user.

Instead, you can redirect him/her to another relay server.
Use <<>>.

There are so many examples on Internet blogs/forums.

Also, Amazon SES is a proper relay service for bulk messages.

Sincerely,

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-05 Thread Byung-Hee HWANG via Postfix-users
On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote:
> I have setup Postfix so that internally I offer TLS to systems but do not
> require it since I have no control over their configuration.  I did
> extensive testing to ensure that the mail gateway supports TLS and accepts
> email from another Postfix system where TLS is disabled.  But today I found
> a system failing to route email through the Postfix gateway today that has
> me baffled.
> 
> My best guess based on searching the archives is that there may be a defect
> in the remote system that is causing the issue.  I looked at the
> documentation and I think the next step would be to configure the
> smtpd_discard_ehlo_keyword_address_maps option and use a CIDR file for the
> mapping.  (i.e. smtpd_discard_ehlo_keyword_address_maps =
> cidr:/etc/postfix/smtpd_discard_ehlo_keyword_address_maps).  The contents
> of the file would be the IP address of the system and the STARTTLS keyword
> if I want to disable TLS for this IP (i.e. 123.456.789.123 STARTTLS).  I
> tested this on my test system with good ole telnet and it seems to have the
> effect I desired.
> 
> Am I missing anything?
> 
> [snippet from main.cf]
> smtpd_tls_security_level = may
> 
> [snippet from log]
> May 05 16:27:59 zzz postfix/smtpd[1234567]: connect from
> xxx.xxx.xxx[yyy.yyy.yyy.yyy]
> May 05 16:27:59 zzz postfix/smtpd[1234567]: SSL_accept error from
> xxx.xxx.xxx[yyy.yyy.yyy.yyy]: -1
> May 05 16:27:59 zzz postfix/smtpd[1234567]: warning: TLS library problem:
> error:0398:digital envelope routines::invalid
> digest:crypto/evp/m_sigver.c:343:
> May 05 16:27:59 zzz postfix/smtpd[1234567]: warning: TLS library problem:
> error:0A0C0103:SSL routines::internal error:ssl/statem/statem_srvr.c:2684:
> May 05 16:27:59 zzz postfix/smtpd[1234567]: lost connection after STARTTLS
> from xxx.xxx.xxx[yyy.yyy.yyy.yyy]

Because TLS/SSL things are very complex, you have to show us all your real
settings. Like mine: (yw-0919: inbound, yw-1204: outbound)
[1] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-0919
[2] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-1204

Then we can go check things, IMHO.

Sincerely,


[pfx] Re: Postfix documentation pitfalls. virtual_alias_maps and main.cf macros

2023-05-07 Thread Byung-Hee HWANG via Postfix-users
Viktor Dukhovni via Postfix-users  writes:

> (...)
> [ Yes, one could also craft "classless" access(5) tables, ... and rely
>   only on explicit transport(5) table entries, opting out of all the
>   taxonomy that makes it easier to reason about Postfix mail routing,
>   but this is not a good idea, and users advanced enough to do that
>   aren't the audience for the README tutorials. ]

Hello Viktor,

I strongly agree with you, thanks!


Sincerely, Byung-Hee from South Korea

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] DANE and DNSSEC

2023-05-10 Thread Byung-Hee HWANG via Postfix-users
Hello Postfix hackers,

I have a question while reading the DANE docs. Is DNSSEC mandatory for
making a DANE mail server?

For now I'm running two Postfix servers in public. Actually I'm a beginner
in both DANE and DNSSEC.

Any comments welcome!

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: DANE and DNSSEC

2023-05-10 Thread Byung-Hee HWANG via Postfix-users
Joachim Lindenberg via Postfix-users  writes:

> DNSSEC is mandatory for DANE.

Hello Joachim!

Thanks for the kind reply ^^^


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: DANE and DNSSEC

2023-05-11 Thread Byung-Hee HWANG via Postfix-users
Dear Patrick,

Patrick Ben Koetter via Postfix-users 
writes:

> (...)
> You don't need DNSSEC for your DNS zone *if* your server should DANE-verify
> other DANE enabled receiver platforms. In this case all you need to do is run
> a DNSSEC-verifying DNS resolver on your server (not systemd-resolved) and
> configure Postfix to use DANE when it sends messages:

Wow! Good news ^^^ 

> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane
> smtp_tls_loglevel = 1

Thanks for the kind example!

> I do recommend to enable at least DANE on the outbound side to let your users
> participate from the higher level of security.

Thank you!

>
> P.S.
> See also: https://blog.sys4.de/blog/outbound-dane/, which I've written in 
> German.

Don't worry, I can read those docs. Google Translate is so good.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: DANE and DNSSEC

2023-05-11 Thread Byung-Hee HWANG via Postfix-users
raf via Postfix-users  writes:

> On Thu, May 11, 2023 at 03:17:21PM +0900, Byung-Hee HWANG via Postfix-users
>  wrote:
>
>> Hello Postfix hackers,
>> 
>> I have a questions while reading DANE docs. Is DNSSEC mandatory? For
>> making DANE mail server.
>> 
>> For now i'm running two postfix servers in public. Actually i'm beginner
>> in both DANE and DNSSEC.
>> 
>> Any comments welcome!
>> 
>> Sincerely, Byung-Hee
>
> Hi Byung-Hee,
>
> As others have said, if you want incoming DANE, you need DNSSEC.
> Bind9 makes it incredibly easy to enable DNSSEC. It's literally
> two extra lines in your configuration (unless you get fancy with
> automatic expiry and rollover - and that's easy too), plus you
> need to supply some information to your domain registrar for them
> to put into their servers. If your domain registrar doesn't support
> DNSSEC, or doesn't make it easy, find one that does. You'll need
> to interact with them every time you rollover your DNSSEC keys
> (e.g., maybe annually).

Thank you! I'll regard it, step by step.

> As for the TLSA records you need to create for your mail servers,
> I recommend my "danectl" program which can generate TLSA records
> for you to publish in the DNS, and you can use it to monitor that
> they have been published. Recent versions include a couple of adapters
> to help publish the TLSA records in the DNS, but only if you edit your
> own bind9 zone files or use nsupdate for a dynamic zone. A big
> prerequisite of danectl is certbot to handle the actual key/certificate
> generation. danectl doesn't work with any other ACME client.

Yes, I did check danectl by Googling, thanks!

> There are technically many ways to do TLSA DANE but only one great
> way (TLSA 3 1 1 current + next) which is what danectl supports.
> The idea is to always have two keys/certificates and their corresponding
> TLSA records available for use all the time: the current one, and the
> next one. Whenever you want to rollover your key, you can immediately
> switch to the next one which is already published in the DNS and
> ready to go while you prepare the new next key/certificate and its
> corresponding TLSA record (for the next rollover). This ensures that
> every rollover works seamlessly because you never have the situation
> where things aren't working while your TLSA records are propagating
> around the DNS because they were published well before they were
> required.
>
> Here are some wikis that might help:
>
>   https://github.com/baknu/DANE-for-SMTP/wiki
>   https://github.com/internetstandards/toolbox-wiki
>
> cheers,

Thanks raf!

At the above wiki, I found the EMSP guideline in Germany, because my mail
server (yw-1204.doraji.xyz) is located in Frankfurt, Germany.


All docs and comments are useful for me. Thanks again raf!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: question: "said: 550 Mail was identified as spam"

2023-05-12 Thread Byung-Hee HWANG via Postfix-users
Hi lty,
On Fri, May 12, 2023 at 03:32:45PM +0800, lty--- via Postfix-users wrote:
> (...) 
> We are using postfix 2.11 version. 

Really? My Postfix versions are:
yw-0919: Postfix 3.3.0 / Ubuntu 18.04 LTS
yw-1204: Postfix 3.5.18 / Debian 11 Bullseye

And yw-1204 has OpenDKIM 2.11 as the *outbound* SMTP server.

Again, your Postfix version is 2.11?


Sincerely, Byung-Hee


[pfx] Re: DKIM and DMARC

2023-05-16 Thread Byung-Hee HWANG via Postfix-users
Tom Reed via Postfix-users  writes:

> Hello list,
>
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?

I even DKIM-sign the mail one more time, for forwarding to Gmail.
See https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/setup-policy.lua


Sincerely, Byung-Hee 

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: DANE and DNSSEC

2023-05-17 Thread Byung-Hee HWANG via Postfix-users
Now I added DNSSEC. Currently it is the registrar's job. 10 minutes ago,
I made some DS records at Cloudflare.

Thanks to Joachim, Patrick and raf ^^^


Sincerely, Byung-Hee


[pfx] Re: DANE and DNSSEC

2023-05-18 Thread Byung-Hee HWANG via Postfix-users
Byung-Hee HWANG via Postfix-users  writes:

> Now i added DNSSEC. Currently it is being registra job. 10 minutes ago,
> i did make some DS record at Cloudfalre.
>
> Thanks to Joachim, Patrick and raf ^^^

And now I added a TLSA record for only the *outbound* SMTP server,
<>. I read Patrick's blog[1]. Still I'm not sure my
setting is OK.

And I did update (add) tls_policy:

debian.org      dane
.debian.org     dane
postfix.org     dane-only
sys4.de         dane-only
dukhovni.org    dane-only



[1] https://blog.sys4.de/blog/outbound-dane/


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: DANE and DNSSEC

2023-05-18 Thread Byung-Hee HWANG via Postfix-users
On Thu, May 18, 2023 at 09:22:34PM +0900, Byung-Hee HWANG via Postfix-users 
wrote:
> Byung-Hee HWANG via Postfix-users  writes:
> 
> > Now i added DNSSEC. Currently it is being registra job. 10 minutes ago,
> > i did make some DS record at Cloudfalre.
> >
> > Thanks to Joachim, Patrick and raf ^^^
> 
> And now i added TLSA record for only *outbond* smtp server,
> <>. I read Patrick's blog[1]. Still i'm not sure my
> setting is OK.
> 
> And i did update(add) tls_policy:
> 
> debian.org      dane
> .debian.org     dane
> postfix.org     dane-only
> sys4.de         dane-only
> dukhovni.org    dane-only
> 
> 
> 
> [1] https://blog.sys4.de/blog/outbound-dane/
> 

Ah, now I see the log as an *OK* signal:

yw-1204 postfix/smtp[27985]: Verified TLS connection established to 
list.sys4.de[188.68.34.52]:25: TLSv1.3 with ...

Wow! Now I'm a DANE user!!

And I added <> at tls_policy as dane-only.


Thanks, Byung-Hee from South Korea


[pfx] Re: DANE and DNSSEC

2023-05-18 Thread Byung-Hee HWANG via Postfix-users
Viktor Dukhovni via Postfix-users  writes:

> On Thu, May 18, 2023 at 09:22:34PM +0900, Byung-Hee HWANG via Postfix-users
> wrote:
>
>> And now i added TLSA record for only *outbond* smtp server,
>> .
>
> It is also your secondary MX host:
>
> https://stats.dnssec-tools.org/explore/?doraji.xyz
>
> the primary MX host does not yet have TLSA records.  The detailed
> status is:
>
> doraji.xyz. IN MX 1871 yw-0919.doraji.xyz.
> doraji.xyz. IN MX 1895 yw-1204.doraji.xyz.
> _25._tcp.yw-0919.doraji.xyz. IN TLSA ? ; NXDOMAIN
> _25._tcp.yw-1204.doraji.xyz. IN TLSA 3 1 1 
> b4b06c36727808cb3e272f438cc6f1a77ee370c50dfb24eb5774a6113e4c6c0f
>   yw-1204.doraji.xyz[185.17.255.72]: pass: TLSA match: depth = 0, name = 
> yw-1204.doraji.xyz
> TLS = TLS13 with AES256GCM-SHA384,X25519,PubKeyALG_RSA
> name = yw-1204.doraji.xyz
> depth = 0
>   Issuer CommonName = R3
>   Issuer Organization = Let's Encrypt
>   notBefore = 2023-03-20T06:03:54Z
>   notAfter = 2023-06-18T06:03:53Z
>   Subject CommonName = yw-1204.doraji.xyz
>   pkey sha256 [matched] <- 3 1 1 
> b4b06c36727808cb3e272f438cc6f1a77ee370c50dfb24eb5774a6113e4c6c0f
> depth = 1
>   Issuer CommonName = ISRG Root X1
>   Issuer Organization = Internet Security Research Group
>   notBefore = 2020-09-04T00:00:00Z
>   notAfter = 2025-09-15T16:00:00Z
>   Subject CommonName = R3
>   Subject Organization = Let's Encrypt
>   pkey sha256 [nomatch] <- 2 1 1 
> 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> depth = 2
>   Issuer CommonName = DST Root CA X3
>   Issuer Organization = Digital Signature Trust Co.
>   notBefore = 2021-01-20T19:14:03Z
>   notAfter = 2024-09-30T18:14:03Z
>   Subject CommonName = ISRG Root X1
>   Subject Organization = Internet Security Research Group
>   pkey sha256 [nomatch] <- 2 1 1 
> 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
>   yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]: pass: TLSA match: depth = 0, 
> name = yw-1204.doraji.xyz
> TLS = TLS13 with AES256GCM-SHA384,X25519,PubKeyALG_RSA
> name = yw-1204.doraji.xyz
> depth = 0
>   Issuer CommonName = R3
>   Issuer Organization = Let's Encrypt
>   notBefore = 2023-03-20T06:03:54Z
>   notAfter = 2023-06-18T06:03:53Z
>   Subject CommonName = yw-1204.doraji.xyz
>   pkey sha256 [matched] <- 3 1 1 
> b4b06c36727808cb3e272f438cc6f1a77ee370c50dfb24eb5774a6113e4c6c0f
> depth = 1
>   Issuer CommonName = ISRG Root X1
>   Issuer Organization = Internet Security Research Group
>   notBefore = 2020-09-04T00:00:00Z
>   notAfter = 2025-09-15T16:00:00Z
>   Subject CommonName = R3
>   Subject Organization = Let's Encrypt
>   pkey sha256 [nomatch] <- 2 1 1 
> 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> depth = 2
>   Issuer CommonName = DST Root CA X3
>   Issuer Organization = Digital Signature Trust Co.
>   notBefore = 2021-01-20T19:14:03Z
>   notAfter = 2024-09-30T18:14:03Z
>   Subject CommonName = ISRG Root X1
>   Subject Organization = Internet Security Research Group
>   pkey sha256 [nomatch] <- 2 1 1 
> 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
> 
> Since your certificate is from Let's Encrypt, you've probably configured
> automatic renewal.  If you haven't also implemented *monitoring* of your
> DANE TLSA configuration that checks whether the TLSA records match the
> certificate chain, you should do that immediately, and ideally before
> publishing TLSA records for any servers carrying "non-test" traffic.
>
> You can publish TLSA records for some test host with a self-signed
> cert, and check monitoring detects incorrect TLSA records when
> mismatched TLSA records are configured (and is not complaining
> when the TLSA records are correct).
>
> You then also need to make sure that your certificate rollover process
> is robust, and either keeps the public key unchanged, or you pre-publish
> matching TLSA records for future keys alongside current keys.
>
> Setting up inbound DANE requires operational diligence.  Do consider
> implementing DANE, but not as a fashion statement, rather only because
> you understand how to coordinate certificate management with DANE
> TLSA record upkeep.

Thanks for advice!

>[renewalp

[pfx] Re: DANE and DNSSEC

2023-05-19 Thread Byung-Hee HWANG via Postfix-users
Benny Pedersen via Postfix-users  writes:

> Byung-Hee HWANG via Postfix-users skrev den 2023-05-19 04:26:
>
>> Thanks for advice!
>> 
>>>[renewalparams]
>>>reuse_key = True
>>>preferred_chain = ISRG Root X1
>
>> And
>> I can't say anything yet. I need some test for long time. If i am sure
>> what DANE is,
>
> posttls-finger example.org, basic test to test outbound


soyeomul@yw-1130:~/git/karma/Gnus/DKIM$ ./ct.py yw-1204.doraji.xyz
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = yw-1204.doraji.xyz
verify return:1
250 CHUNKING
DONE
notBefore=May 19 06:01:23 2023 GMT
notAfter=Aug 17 06:01:22 2023 GMT
^^^
posttls-finger: using DANE RR: _25._tcp.yw-1204.doraji.xyz -> _dane.doraji.xyz 
IN TLSA 2 1 1 
8D:02:53:6C:88:74:82:BC:34:FF:54:E4:1D:2B:A6:59:BF:85:B3:41:A0:A2:0A:FA:DB:58:13:DC:FB:CF:28:6D
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: depth=1 matched 
trust anchor public-key sha256 
digest=8D:02:53:6C:88:74:82:BC:34:FF:54:E4:1D:2B:A6:59:BF:85:B3:41:A0:A2:0A:FA:DB:58:13:DC:FB:CF:28:6D
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: depth=0 chain is 
trust-anchor signed
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: Matched 
subjectAltName: yw-1204.doraji.xyz
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25 CommonName 
yw-1204.doraji.xyz
posttls-finger: yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: 
subject_CN=yw-1204.doraji.xyz, issuer_CN=R3, 
fingerprint=A7:84:A8:5B:69:A4:A2:2A:00:AC:CC:17:AA:EF:C0:D8:C3:BC:B4:CF:FC:D4:F3:19:5D:96:AA:45:19:44:94:BE,
 
pkey_fingerprint=B4:B0:6C:36:72:78:08:CB:3E:27:2F:43:8C:C6:F1:A7:7E:E3:70:C5:0D:FB:24:EB:57:74:A6:11:3E:4C:6C:0F
posttls-finger: Verified TLS connection established to 
yw-1204.doraji.xyz[2a03:ebc0:5000:12::10]:25: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (2048 bits) server-digest SHA256
soyeomul@yw-1130:~/git/karma/Gnus/DKIM$ 


After reading the mails of Viktor+Joachim, I moved to "2 1 1" from "3 1
1". Still I am testing... So I can't say anything for a while.

>> i will setup inbound server (yw-0919.doraji.xyz) with DANE.
>
> inbound is STARTTLS only

Thank you!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: DANE and DNSSEC

2023-05-22 Thread Byung-Hee HWANG via Postfix-users
Joachim Lindenberg via Postfix-users  writes:

> (...) just mark your calendar to update in September 2025 ...

Hello Joachim! Thanks for the remarkable tip ^^^


Sincerely, Byung-Hee



[pfx] Re: "danebot" beta release

2023-05-24 Thread Byung-Hee HWANG via Postfix-users
Viktor Dukhovni via Postfix-users  writes:

> On Mon, May 22, 2023 at 09:53:36PM -0400, Viktor Dukhovni via Postfix-users 
> wrote:
>
>> Key reuse as a *default* rollover approach is robust.  When it is time
>> to change keys, one can do so deliberately, and with due care to
>> prepublish TLSA records matching the *next* key, then after a few TTLs
>> deploy the next certificate, and at that point drop the outdated TLSA RR
>> matching the old keys.  Meanwhile, root CAs reuse the same RSA 2048-bit
>> key for decades.
>
> To that end, though it is not yet feature-complete, I am announcing
> a "beta" release of "danebot", which is a wrapper around "certbot"
> that supports safe key rollover (with by default stable reused keys)
> in combination with "3 1 1" TLSA records.
>
> At this point, I am particularly looking for adoption from experienced
> shell script developers, who might add missing features or having
> examined the code might help to improve the documentation.
>
> That said, "danebot" can be used as-is (I've been using it for over a
> year) by anyone who is not a novice with "certbot".
>
> https://github.com/tlsaware/danebot
>
> The same design principles can surely (and perhaps even more easily)
> be adapted to other ACME clients.  Contributions along those lines
> also welcome (likely as variants of the "certbot" script).

Thanks for the good tool, because I still find it very hard to make the
"3 1 1" TLSA things. Someday far later, I'll try these "3 1 1" things.

Actually I cannot say anything about DANE. Still work in progress ...


Sincerely, Byung-Hee


[pfx] Re: "danebot" beta release

2023-05-25 Thread Byung-Hee HWANG via Postfix-users
Benny Pedersen via Postfix-users  writes:

> Byung-Hee HWANG via Postfix-users skrev den 2023-05-25 05:42:
>
>> Thanks for good tool, because still i feel very hard to make "3 1 1"
>> tlsa things. Someday far later, i'll try this "3 1 1" things.
>> Actually i cannot say anything about DANE. Still work in progress ...
>
> postfix tls output-server-tlsa -h example.org
>
> add output to dns, done

Oh good! You gave me the starting point of DANE "3 1 1" things.

Thanks, Benny!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: Problem setting up postfix on arch linux to forward mail to my gmail account

2023-10-09 Thread Byung-Hee HWANG via Postfix-users
> Next question is where can I find accurate instructions on setting up the
> configuration for arch linux to forward mail to my gmail account?

As people said, forwarding is not easy. Though if you wish to try it,
use DKIM.

Sincerely,

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: GMail is rejecting mail I forward

2023-11-03 Thread Byung-Hee HWANG via Postfix-users
> I have set up SPF for my domain, but I don't think that is relevant to 
> FORWARDING mail (is it?).

I use Gmail forwarding like you. DKIM is my friend.
This is my configuration [1].

Sincerely, Byung-Hee

[1]
https://gitlab.com/soyeomul/Gnus/-/raw/karma/DKIM/setup-policy.lua?ref_type=heads

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: GMail is rejecting mail I forward

2023-11-06 Thread Byung-Hee HWANG via Postfix-users
> https://gitlab.com/soyeomul/Gnus/-/raw/karma/DKIM/setup-policy.lua?ref_type=heads

And because I have to prove myself, see:
https://gitlab.com/soyeomul/Gnus/-/commit/59122d99bd6a0b01d293c0a2f46d5343e54bbc4e

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: GMail is rejecting mail I forward

2023-11-07 Thread Byung-Hee HWANG via Postfix-users
Byung-Hee HWANG via Postfix-users  writes:

>> https://gitlab.com/soyeomul/Gnus/-/raw/karma/DKIM/setup-policy.lua?ref_type=heads
>
> And because i have to prove myself, See:
> https://gitlab.com/soyeomul/Gnus/-/commit/59122d99bd6a0b01d293c0a2f46d5343e54bbc4e

These are more powerful screenshots, with DMARC p=reject. And forwarding
is surprisingly successful: (3 items attached)

https://gitlab.com/soyeomul/Gnus/-/commit/9e77df267523c3a9bd0232a3f30a08bd1d3f0579

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-15 Thread Byung-Hee HWANG via Postfix-users
Hello Viktor,

Viktor Dukhovni via Postfix-users  writes:

> The DANE/DNSSEC survey () has seen a
> recent spike in the number of MX hosts whose "2 1 1" TLSA records no
> longer match their certificate chain.  The records in question all
> share the same digest value, for various TLSA base domains:
>
> _25._tcp.mx1.example. IN TLSA 2 1 1 
> 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
>
> I was initially puzzled as to why this might be happening, but then
> it occurred to me that the reason why is clear.
>
> The above hash is the hash of the ISRG X1 root CA key, but it is also of
> course the key hash of its outdated **cross-certificate** issued by DST.
> That DST cross cert was needed for compatibility with some old Android
> systems that did not get root CA updates (or updates of any kind).
>
> It must be that Let's Encrypt finally stopped by default including that
> cross certificate in their chains.  So instead of a chain that looks
> like:
>
> - depth 0: EE (server) certificate
> - depth 1: Let's Encrypt R3/E1 issuer CA
> - depth 2: ISRG X1 cross cert issued by DT
>
> with the certificate at depth 2 matching the TLSA record, they now
> generate just:
>
> - depth 0: EE (server) certificate
> - depth 1: Let's Encrypt R3/E1 issuer CA
>
> with the ISRG (now standalone) root CA not included in the chain!
>
> Leaving out the root CA works fine for WebPKI, where clients need to
> have a locally trusted copy of the root, but not for certificate usage
> DANE-TA(2), which does not rely on any local CA store:
>
> https://dane.sys4.de/common_mistakes#4
> https://datatracker.ietf.org/doc/html/rfc7672#section-3.1.2
>
> Bottom line, if you're relying on that "2 1 1" record matching the ISRG
> root to match your Let's Encrypt chain, you're about to be disappointed,
> if you aren't already.  See:
>
> http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
>
> for better alternatives, or switch to "3 1 1", perhaps with the aid of
> "danebot" (still hoping some early adopters will pitch in to further
> improve it, to support some additional workflows):
>
>

Thank you for notifying us. I'm also using a 211 TLSA record.

Honestly, 311 was not easy for me to set up.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-17 Thread Byung-Hee HWANG via Postfix-users
Hello raf,

> As Viktor pointed out, you're not affected,

Welcome! And thanks a lot for confirmation.

> but if you want to use "3 1 1",
> and you use certbot for your LetsEncrypt certificates, as well as Viktor's
> danebot program (https://github.com/tlsaware/danebot), my danectl program
> makes it easy (https://github.com/raforg/danectl).
>
> With danectl, you still have to publish/remove the DNS records it tells you 
> to,
> but it comes with a couple of DNS output adapters to help (for Bind9 zonefiles
> and for nsupdate). I'm happy to add more DNS output adapters if anyone needs
> them (and can supply it or help me write and test it).
>
> It seems there's another danebot program (https://github.com/stuvusIT/danebot)
> that (only) works with nsupdate. I don't know enough about it to recommend it
> or not.

If I have some problem with 211, then I will try 311 again.

Many many thanks!

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-17 Thread Byung-Hee HWANG via Postfix-users
Hello Viktor,

Viktor Dukhovni via Postfix-users  writes:

> On Wed, Nov 15, 2023 at 04:53:17PM +0100, Geert Hendrickx via Postfix-users 
> wrote:
>
>> On Wed, Nov 15, 2023 at 10:29:41 -0500, James Cloos via Postfix-users wrote:
>> > LE announced a while back that they would not renew the cross cert.
>> 
>> Yes, but dropping the cross-signed X1 root cert from the default chain
>> last week was an accident:
>> https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580/2
>> 
>> They plan to stop providing the cross-signed "long chain" by default
>> in February 2024, and completely in June, as the cross-sign expires
>> in September.  Dropping it last week was unintended.
>
> Many thanks for that reference.  The ensuing conversation on the LE
> forum uncovered a second potential future incompatibility to plan for:
>
> 
> https://community.letsencrypt.org/t/short-chain-and-dane/208422/8?u=ietf-dane
>
> Let's Encrypt are apparently also planning to *randomise* the choice of
> intermediate issuer CA used with each renewal.  Instead of consistently
> using say "R3", they'll randomly choose one of R3/R4/E1/E2.
>
> Therefore, anyone who publishes TLSA records for just one of the 4
> issuers, will eventually also be "disappointed".
>
> If you're using Let's Encrypt as your CA and prefer to publish
> DANE-TA(2), rather than DANE-EE(3) TLSA records, please look over:
>
> 
>
> carefully, and publish all four of the **required** TLSA records, for
> each MX host:
>
> _25._tcp.mx1.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
> _25._tcp.mx1.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
> _25._tcp.mx1.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
> _25._tcp.mx1.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2
> ...
>
> or if you prefer:
>
> _25._tcp.mx1.org.example. IN CNAME _25._tlsa.org.example.
> _25._tcp.mx2.org.example. IN CNAME _25._tlsa.org.example.
> ...
> _25._tcp.mxN.org.example. IN CNAME _25._tlsa.org.example.
> ;
> _25._tlsa.org.example. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d ; R3
> _25._tlsa.org.example. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 ; R4
> _25._tlsa.org.example. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 ; E1
> _25._tlsa.org.example. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 ; E2

Thank you for the clear summary. I updated them all again.

Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: TAKE NOTE 2: Future Let's Encrypt CA choice randomisation.

2023-11-19 Thread Byung-Hee HWANG via Postfix-users
Viktor Dukhovni via Postfix-users  writes:

> (...)
> Good job, you're set until some future change a few years down the line.
>
> _25._tcp.yw-0919.doraji.xyz. IN CNAME rfc7671.doraji.xyz.
> _25._tcp.yw-1204.doraji.xyz. IN CNAME rfc7671.doraji.xyz.
> rfc7671.doraji.xyz. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
> rfc7671.doraji.xyz. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
> rfc7671.doraji.xyz. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
> rfc7671.doraji.xyz. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
>
> It may be prudent to mark your calendar to check the Let's Encrypt
> certificate page once or twice a year, and make appropriate changes if
> new intermediate issuer CAs are introduced, or extant ones retired.
>
> https://letsencrypt.org/certificates/

Viktor! Thank you for your kind guidance. And finally I feel proud to be
one of the DANE users.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//
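What the "2 1 1" records in Viktor's two messages above actually contain is a SHA-256 digest of the issuer certificate's DER SubjectPublicKeyInfo (usage 2 = DANE-TA, selector 1 = SPKI, matching type 1 = SHA-256). The following is an added example, not code from this thread and not Postfix, Let's Encrypt or LetsDNS tooling: it extracts that SPKI from a certificate with a small standard-library DER walker, emits the CNAME-indirection zone layout shown above for a list of MX hosts, and checks whether a given issuer certificate is covered by the published digests. The four R3/R4/E1/E2 digests are copied from the thread; the certificate it runs on is a hand-built sample with a placeholder key and an empty signature, constructed only so the code runs offline.

```python
"""DANE-TA '2 1 1' TLSA helpers (added example; standard library only)."""
import base64
import hashlib
import re

# Digests quoted in the thread for the four current Let's Encrypt issuers.
LE_ISSUER_DIGESTS = {
    "R3": "8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d",
    "R4": "e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03",
    "E1": "276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10",
    "E2": "bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270",
}


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, element_start, content_start, content_end) inside a SEQUENCE."""
    pos = start
    while pos < end:
        tag, cstart, cend = _read_tlv(buf, pos)
        yield tag, pos, cstart, cend
        pos = cend


def spki_der(cert_der):
    """DER SubjectPublicKeyInfo (header included) of a DER-encoded certificate."""
    _, cert_content, _ = _read_tlv(cert_der, 0)                    # Certificate
    tag, tbs_content, tbs_end = _read_tlv(cert_der, cert_content)  # tbsCertificate
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = list(_children(cert_der, tbs_content, tbs_end))
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, start, _, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return cert_der[start:end]


def tlsa_211_digest(cert_der):
    """Hex digest for a '2 1 1' TLSA record naming this certificate's key."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest()


def pem_certs(pem):
    """DER bytes of every certificate in a PEM file (e.g. a chain of intermediates)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def tlsa_zone(mx_hosts, issuer_digests, shared="_25._tlsa.org.example."):
    """Zone lines for the CNAME indirection in the thread: every MX host's
    _25._tcp name aliases one shared RRset with one record per issuer."""
    lines = [f"_25._tcp.{host} IN CNAME {shared}" for host in mx_hosts]
    lines += [f"{shared} IN TLSA 2 1 1 {digest} ; {label}"
              for label, digest in issuer_digests.items()]
    return lines


def issuer_covered(published_digests, issuer_cert_der):
    """True if the issuer of a fresh renewal is among the published records."""
    return tlsa_211_digest(issuer_cert_der) in set(published_digests)


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert():
    """(cert_der, spki_der) of a constructed certificate: dummy RSA key, zero signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Sample Issuer CA"))))
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    rsa_key = _der(0x30, _der(0x02, b"\x00" + b"\xc3" * 64) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                + _der(0x03, b"\x00" + rsa_key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(64))), spki


def to_pem(der):
    """PEM-armour a DER certificate (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    cert, _ = sample_cert()
    print("2 1 1 digest of sample issuer:", tlsa_211_digest(cert))
    print("\n".join(tlsa_zone(["mx1.org.example.", "mx2.org.example."], LE_ISSUER_DIGESTS)))
    print("covered by the LE records:", issuer_covered(LE_ISSUER_DIGESTS.values(), cert))
```

To use it against a real deployment, read the PEM chain file that accompanies a renewed certificate (for certbot that is the `chain.pem` beside `cert.pem`, an assumption about the ACME client, not something from the thread), pass its contents through `pem_certs`, and compare `tlsa_211_digest` of the intermediate with the digests in your published RRset; a `False` from `issuer_covered` is exactly the "disappointed" case Viktor describes, caught before a peer's verifier sees it. The code only parses; it performs no DNS queries.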


[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain

2023-11-20 Thread Byung-Hee HWANG via Postfix-users
Ralph Seichter via Postfix-users  writes:

> * Byung-Hee HWANG via Postfix-users:
>
>> Honestly, 311 it was not easy to set up to me.
>
> These days, one is a bit spoiled for choice when it comes to software
> which handles this automatically. LetsDNS (https://letsdns.org) is what
> I use and recommend, unsurprisingly, because it is robust and easy to use.

If I have some trouble with 211 someday, far later, I will check it.
Thanks Ralph ^^^


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: configuration to send to recipients in a spread out manner to avoid being considered spam

2023-11-20 Thread Byung-Hee HWANG via Postfix-users
Wietse Venema via Postfix-users  writes:

> testeur via Postfix-users:
>> Hi,
>> 
>> I did a request to mailman3 ML about this question, but it seems that 
>> postfix can respond to my request.
>> I use mailman3. But AOL, YAHOO seems to consider emails sent to 
>> recipients as spam or an "Excessively high volume of emails". There's 
>> just 40 (aol, yahoo) emails subscribed to the list. I tested the list on 
>> www.mail-tester.com, but 10/10.
>> 
>> Is there a means to configure postfix for that emails be sent to 
>> recipients in a spread out manner to avoid being considered spam ? Maybe 
>> taking 10 emails from the same domain, to send it all 3 minutes until 
>> that all email from the same domain be passed.
>
> See https://www.postfix.org/QSHAPE_README.html
>
> When a destination is unable to handle the load even after the Postfix process
> limit is reduced to 1, a desperate measure is to insert brief delays between
> delivery attempts.
>
>   * Postfix version 2.5 and later:
>
>   o In master.cf set up a dedicated clone of the "smtp" transport for the
> problem destination. In the example below we call it "slow".
>
>   o In main.cf configure a short delay between deliveries to the same
> destination.
>
> /etc/postfix/main.cf:
> transport_maps = hash:/etc/postfix/transport
> slow_destination_rate_delay = 1
> slow_destination_concurrency_failed_cohort_limit = 100
>
> /etc/postfix/transport:
> example.com  slow:
>
> /etc/postfix/master.cf:
> # service type  private unpriv  chroot  wakeup  maxproc command
> slow      unix  -       -       n       -       -       smtp
>
> Here, the delay is 1 second between deliveries. Use "postfix
> reload" command sparingly, as it resets the rate delay timer. 
> Use the command only when you change master.cf, or the rate delay.
>

Oh, exciting! I also need this policy. Thanks!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: configuration to send to recipients in a spread out manner to avoid being considered spam

2023-11-21 Thread Byung-Hee HWANG via Postfix-users
Byung-Hee HWANG via Postfix-users  writes:

> Wietse Venema via Postfix-users  writes:
>
>> testeur via Postfix-users:
>>> Hi,
>>> 
>>> I did a request to mailman3 ML about this question, but it seems that 
>>> postfix can respond to my request.
>>> I use mailman3. But AOL, YAHOO seems to consider emails sent to 
>>> recipients as spam or an "Excessively high volume of emails". There's 
>>> just 40 (aol, yahoo) emails subscribed to the list. I tested the list on 
>>> www.mail-tester.com, but 10/10.
>>> 
>>> Is there a means to configure postfix for that emails be sent to 
>>> recipients in a spread out manner to avoid being considered spam ? Maybe 
>>> taking 10 emails from the same domain, to send it all 3 minutes until 
>>> that all email from the same domain be passed.
>>
>> See https://www.postfix.org/QSHAPE_README.html
>>
>> When a destination is unable to handle the load even after the Postfix process
>> limit is reduced to 1, a desperate measure is to insert brief delays between
>> delivery attempts.
>>
>>   * Postfix version 2.5 and later:
>>
>>   o In master.cf set up a dedicated clone of the "smtp" transport for the
>> problem destination. In the example below we call it "slow".
>>
>>   o In main.cf configure a short delay between deliveries to the same
>> destination.
>>
>> /etc/postfix/main.cf:
>> transport_maps = hash:/etc/postfix/transport
>> slow_destination_rate_delay = 1
>> slow_destination_concurrency_failed_cohort_limit = 100
>>
>> /etc/postfix/transport:
>> example.com  slow:
>>
>> /etc/postfix/master.cf:
>> # service type  private unpriv  chroot  wakeup  maxproc command
>> slow      unix  -       -       n       -       -       smtp
>>
>> Here, the delay is 1 second between deliveries. Use "postfix
>> reload" command sparingly, as it resets the rate delay timer. 
>> Use the command only when you change master.cf, or the rate delay.
>>
>
> Oh, exciting! I also need this policy. Thanks!

Here is a "Big Thanks" log. For now, actually, I have no trouble with
Gmail. Again, thanks to Wietse.

https://gitlab.com/soyeomul/Gnus/-/raw/2eac4535840d8eae26bdca16014f8eacd20252eb/DKIM/thanks.log


Sincerely, Byung-Hee


[pfx] Re: gmail failing SPF/DKIM

2023-11-28 Thread Byung-Hee HWANG via Postfix-users
Wietse Venema via Postfix-users  writes:

> (...)
> gmail rejects all messsages with that sender domain name? Some
> messages? I have found that Gmail may treat some 'soft' errors (DNS
> timeout) as 'hard' errors. My workaround is to retry deliveries.
>
> /etc/postfix/main.cf:
> transport_maps = hash:/etc/postfix/transport
>
> /etc/postfix/transport:
> gmail.com   google:
> gmail.com   google:
> # List other domains hosted at google...
> # Postfix needs the ability to group mail by recipient's MX servers.
> # It is becoming urgent.
>
> /etc/postfix/master.cf:
> google unix  -   -   -   -   -   smtp
> -o soft_bounce=yes
>
> You'd need to monitor your mail queue for messages that are really
> undeliverable.
>

Hello Wietse,

Again, I learned another new thing from you, thanks!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: Some TLS connections untrusted in postfix but trusted with posttls-finger

2023-12-01 Thread Byung-Hee HWANG via Postfix-users
> ...
> Nov 30 11:31:48 mailgate postfix/tlsproxy[175]: server certificate verification failed for in-8.smtp.github.com[140.82.114.32]:25: num=62:hostname mismatch
> ...

Maybe check this?


root@yw-1204:/etc/postfix# postconf -n | grep CAfile
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt



Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//

