[pfx] dmarc domain question

2024-06-01 Thread Jeff P via Postfix-users

Hello

I am using a subdomain xxx.eu.org for sending email.
Though I have not set a DMARC for xxx.eu.org, Gmail says DMARC pass.
So I checked that eu.org does have a DMARC record:

_dmarc.eu.org.		7200	IN	TXT	"v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org";



My question is, for my sender email - u...@xxx.eu.org, which domain 
should be checked for DMARC? xxx.eu.org, or eu.org?


Thanks.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: dmarc domain question

2024-06-02 Thread Jeff P via Postfix-users



I would like to set a separate DMARC for xxx.eu.org.
But I have no control over the sender SMTP server, so DKIM is not 
possible to be added.

Do you think it's still right to add a DMARC?

Thanks.


Use DMARC for your own domain to clearly signal that your xxx.eu.org domain
and the parent eu.org domain are NOT the same entity.



[pfx] Re: dmarc domain question

2024-06-02 Thread Jeff P via Postfix-users






Because - as you have found - Google will anyway apply the DMARC record for
the parent domain eu.org, over which you have no control, I think it is
still better to have your own one.


I just enabled DMARC on Cloudflare, where I host the domain.

_dmarc.stackops.eu.org.	300	IN	TXT	"v=DMARC1;  p=none; rua=mailto:ff3847f20ff8426680ccac3f8443b...@dmarc-reports.cloudflare.net";



Thanks.


[pfx] Re: dmarc domain question

2024-06-02 Thread Jeff P via Postfix-users






Some receiving systems may use a different search algorithm.  See, for
example (expired draft):

 https://www.ietf.org/archive/id/draft-levine-dmarcwalk-00.html


Thanks Viktor. I will check the doc you mentioned.

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
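
Added example (not part of the thread and not any receiver's actual code): the two lookup orders discussed above, run offline against the two TXT records quoted in the posts. The suffix set passed to org_domain() is an assumption; a receiver whose suffix list contains eu.org would not fall back to the parent record. tree_walk() is a simplified version of the tree-walk idea, not an implementation of the linked draft.

```python
# Constructed zone data: the two TXT records quoted in the thread, with the
# rua/ruf report addresses left out.
TXT = {
    "_dmarc.eu.org": "v=DMARC1;p=none;sp=none;pct=10",
    "_dmarc.stackops.eu.org": "v=DMARC1;  p=none",
}

def lookup(domain, zone):
    """Return the DMARC tags published at _dmarc.<domain>, or None."""
    tags = {}
    for part in zone.get("_dmarc." + domain, "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain, suffixes):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def discover_rfc7489(from_domain, zone, suffixes):
    """RFC 7489 discovery: exact From domain first, then the organizational domain."""
    rec = lookup(from_domain, zone)
    if rec:
        return from_domain, rec.get("p")
    org = org_domain(from_domain, suffixes)
    rec = lookup(org, zone) if org != from_domain else None
    if rec:
        # A record inherited from the parent applies its sp= tag, else p=.
        return org, rec.get("sp", rec.get("p"))
    return None, None

def tree_walk(from_domain, zone):
    """Simplified tree walk: strip one label at a time until a record is found."""
    labels = from_domain.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rec = lookup(name, zone)
        if rec:
            return name, (rec.get("p") if i == 0 else rec.get("sp", rec.get("p")))
    return None, None

if __name__ == "__main__":
    print(discover_rfc7489("xxx.eu.org", TXT, {"org"}))       # parent record applies
    print(discover_rfc7489("stackops.eu.org", TXT, {"org"}))  # own record applies
    print(tree_walk("mail.xxx.eu.org", TXT))
```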


[pfx] force to use starttls on port 587

2024-06-03 Thread Jeff P via Postfix-users

Hello

I have closed SASL auth on port 25,
but users can still use port 587 to log in with plain text.
How can I force users to use submission via STARTTLS only?
I know I can open port 465 for SSL connections, but for historical reasons 
port 587 must be open.


Thanks.


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Jeff P via Postfix-users



That's great. Thanks all.


Belt and suspenders (the first setting implies the second, and the third
should then never be used), in master.cf for the submission entry set:

 -o { smtpd_tls_security_level = encrypt }
 -o { smtpd_tls_auth_only = yes }
 -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary }
 -o { smtpd_sasl_tls_security_options = noanonymous }

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
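
Added example (not part of the thread and not a Postfix tool): a small check that reads master.cf text and reports whether the submission service still permits AUTH before STARTTLS, based on the first two overrides listed above. It assumes the settings are given as -o overrides in master.cf and does not read main.cf; the sample entries are constructed from the submission line shown in this thread.

```python
import re

# Matches both "-o name=value" and the "-o { name = value }" form used above.
OPT = re.compile(r"-o\s+(?:\{\s*([^}]*?)\s*\}|(\S+))")

def services(text):
    """Yield (service, type, overrides) for each logical master.cf entry."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation of the previous entry
        else:
            logical.append(line.strip())
    for entry in logical:
        fields = entry.split(None, 7)           # 7 fixed columns, then command + args
        if len(fields) < 8:
            continue
        opts = {}
        for braced, plain in OPT.findall(fields[7]):
            name, _, value = (braced or plain).partition("=")
            opts[name.strip()] = value.strip()
        yield fields[0], fields[1], opts

def plaintext_auth_possible(text, service="submission"):
    """True if neither override that blocks AUTH before STARTTLS is set."""
    for name, kind, opts in services(text):
        if name == service and kind == "inet":
            return not (opts.get("smtpd_tls_security_level") == "encrypt"
                        or opts.get("smtpd_tls_auth_only") == "yes")
    raise KeyError(service)

# Constructed samples: the submission entry without and with the overrides.
BEFORE = "# master.cf\nsubmission inet n   -   y   -   -   smtpd\n"
AFTER = BEFORE + (
    " -o { smtpd_tls_security_level = encrypt }\n"
    " -o { smtpd_tls_auth_only = yes }\n"
)

if __name__ == "__main__":
    print("before:", plaintext_auth_possible(BEFORE))
    print("after: ", plaintext_auth_possible(AFTER))
```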


[pfx] Re: force to use starttls on port 587

2024-06-03 Thread Jeff P via Postfix-users

After Postfix and Dovecot were installed, there were 4 ports open by default.

port 587
port 25
port 993
port 143

So I have improved them by implementing:

1. close public port 143
2. disable SASL auth on port 25
3. force SMTP clients to log in using TLS only on port 587

Do you think there is anything I am missing?

Thanks.



I'm updating the Postfix documentation that "smtpd_tls_security_level
= encrypt" will reject all plaintext commands except HELO, EHLO,
XCLIENT, STARTTLS, NOOP, QUIT, and HELP.



[pfx] Re: force to use starttls on port 587

2024-06-04 Thread Jeff P via Postfix-users



I have already been using postscreen for port 25.

smtp  inet  n   -   y   -   1   postscreen
smtpd pass  -   -   y   -   -   smtpd
dnsblog   unix  -   -   y   -   0   dnsblog
tlsproxy  unix  -   -   y   -   0   tlsproxy
submission inet n   -   y   -   -   smtpd

Thank you anyway.




Use postscreen on port 25, it will drop many bots from trying to connect 
and send mail through your server.



[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Jeff P via Postfix-users

I do use Spamhaus, SpamCop, and SORBS as RBL lists.
So I have to update the postscreen policy.
Sorry to hear that, and thanks SORBS.

regards.




Naturally, if you're using SORBS as an RBL in postscreen, smtpd, or a content 
filter (amavis, rspamd, ...)
