[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread Scott Techlist via Postfix-users
>> On Tue, 7 Mar 2023, John Stoffel via Postfix-users wrote:
>>
>>> So what's the option for a more up-to-date version of DKIM milter for debian?
>>
>> rspamd does DKIM, SPF, DMARC and ARC (and lots more), and doesn't segfault
>> (so far ;-)
>
>
>I'm STILL trying to figure out rspamd's documentation enough to
>understand how to enable and configure all of those, so that I can have
>one milter instead of four.


I too would be grateful for a pointer to a decent how-to/guide on setting it 
up.  I'm still using amavis and clamd.  Always apprehensive to change horses.



___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: A new Postfix book in the making - "Run Your Own Mail Server"

2023-03-17 Thread Scott Techlist via Postfix-users
>Michael W. Lucas is writing a book about "Run Your Own Mail Server"
>featuring the Postfix mail server. Michael has written and published a
>Chapter 0 that gives an impression of what the book will contain. Besides
>the technical aspects, the book will cover the email ecosystem and how
>to fit well into this ecosystem.
>
>The books Michael writes are little gems, nice to read, often funny,
>always "to-the-point" and not expensive. This might be his most
>important (technical) book.
>
>Michael is self-publishing his books, and he collects sponsorship
>money to be able to write this (and more) books. Please read Chapter 0
>and consider sponsoring this new book:
>
>Chapter 0: 
>
>Sponsorship page: 
>

Carsten, thanks for the pointer, I just ordered (sponsored) one.  My current, 
and long-time "bible" is Ralph and Patrick's "Book of Postfix" which is getting 
pretty dated.  Hoped they'd make another.  I could use some DKIM/DMARC 
education at the least.

Cheers, Scott





[pfx] Re: A new Postfix book in the making - "Run Your Own Mail Server"

2023-08-06 Thread Scott Techlist via Postfix-users
>>Michael W. Lucas is writing a book about "Run Your Own Mail Server"
>>featuring the Postfix mail server. Michael has written and published a
>>Chapter 0 that gives an impression of what the book will contain. Besides
>>the technical aspects, the book will cover the email ecosystem and how
>>to fit well into this ecosystem.
>>
>>The books Michael writes are little gems, nice to read, often funny,
>>always "to-the-point" and not expensive. This might be his most
>>important (technical) book.
>>
>>Michael is self-publishing his books, and he collects sponsorship
>>money to be able to write this (and more) books. Please read Chapter 0
>>and consider sponsoring this new book:
>>
>>Chapter 0: 
>>
>>Sponsorship page: 
>>
>

Anyone know of any progress on this book?




[pfx] debugging an appliance connection

2023-08-09 Thread Scott Techlist via Postfix-users
Client has an appliance (Axion RTAC) that sends email-based reports.  I don't 
have access to the appliance or its docs.  It used to send its emails to an 
Exchange server that has been decommissioned.  I'm trying to get it to send to 
my postfix server.  I have it whitelisted for postfix checks.

I'm getting this in my log:

Aug  9 00:00:00 tn3 postfix/postscreen[16413]: CONNECT from [152.86.61.4]:46016 to [serverip]:25
Aug  9 00:00:00 tn3 postfix/postscreen[16413]: WHITELISTED [152.86.61.4]:46016
Aug  9 00:00:00 tn3 postfix/smtpd[16414]: connect from oxyrtac.mlec.com[152.86.61.4]
Aug  9 00:00:01 tn3 postfix/smtpd[16414]: improper command pipelining after MAIL from oxyrtac.mlec.com[152.86.61.4]: RCPT TO: oxyme...@mlec.com\r\nDATA\r\nFrom: OXY Report RTAC\r\nTo: OxyMeter 
Aug  9 00:00:01 tn3 postfix/smtpd[16414]: disconnect from oxyrtac.mlec.com[152.86.61.4] mail=0/1 rcpt=0/1 data=0/1 unknown=0/1 commands=0/4

Not sure if it's the  it's sending that's hosing the pipelining or 
what.  How can I debug what happens with this connection?





[pfx] postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
I need to allow a domain to bypass my RBL checks.  I'm doing something wrong, 
or I'm misunderstanding what I'm checking from my logs.  I'd be grateful for an 
assist to remedy.

This box is an old postfix install, Postfix version 2.2.10. (I know, working on 
migrating)

main.cf: (full postconf -n output follows below)

parent_domain_matches_subdomains = smtpd_access_maps
check_sender_access hash:/etc/postfix/sender_checks,

I need to let mail from outbound.protection.outlook.com in, and bypass my RBL 
checks. My old understanding is that the first OK "wins" (maybe not?), and I 
have check sender before check RBL.  I don't seem to be getting a match/OK on 
it.

This is a sample log entry of what I'm trying to "OK" before it gets to my RBL 
checks and thus fails:

Feb 28 12:45:13 host1 postfix/smtpd[10600]: connect from mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]
Feb 28 12:45:14 host1 postfix/smtpd[10600]: NOQUEUE: reject: RCPT from mail-psaapc01on2101.outbound.protection.outlook.com[40.107.255.101]: 554 Service unavailable; Client host [40.107.255.101] blocked using bl.spamcop.net; Blocked - see https://www.spamcop.net/bl.shtml?40.107.255.101; from= to= proto=ESMTP helo=

Isn't the sender = connect from = mail-psaapc01on2101.outbound.protection.outlook.com ?

In my sender_checks file I've tried:

outbound.protection.outlook.com OK
.outbound.protection.outlook.com OK # to match subdomains as an attempt to get it to work.

Can I go that deep on subdomains (e.g. outbound.protection.outlook.com)? Or do 
I need to only have ".outlook.com OK"

I tried testing my sender_checks file using:

postmap -q 'mail-mw2nam10on2100.outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
(does not match)

postmap -q 'outbound.protection.outlook.com' hash:/etc/postfix/sender_checks
OK #(matches)

In any case, what I'm doing does not prevent the RBL test that's after the 
sender check from being passed.

-

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks.pcre
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $host1, localhost
local_recipient_maps = hash:/etc/postfix/local_recipient
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 483886080
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $host1, localhost.$mydomain, localhost, s-e-inc.com, $mydomain
mydomain = example.com
host1 = host1.example.com
mynetworks = localhost,$localdomain, [& other local IPs]
myorigin = $host1
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains = smtpd_access_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
relay_domains = mlec.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_recipient_limit = 3000
smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_mynetworks,
    reject_unauth_destination, check_recipient_mx_access hash:/etc/postfix/mx_access,
    check_sender_mx_access hash:/etc/postfix/mx_access, reject_unknown_sender_domain,
    check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
    check_helo_access hash:/etc/postfix/helo_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/client_checks,
    check_client_access pcre:/etc/postfix/client_checks.pcre,
    check_recipient_access hash:/etc/postfix/access,
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
    reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
    reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
    reject_rbl_client psbl.surriel.com, reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender fresh.spameatingmonkey.net, reject_rhsbl_client fresh.spameatingmonkey.net,
    reject_rhsbl_sender uribl.spameatingmonkey.net, reject_rhsbl_client uribl.spameatingmonkey.net,
    reject_rbl_client sip-sip24.metbpp3hnheh.invaluement.com,
    check_policy_service unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $host1
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs

[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>I can tell you there is significant spam from that Microsoft IP space. That 
>spamcop doesn't have false positives, but rather due to the sharing of IP 
>space, senders that aren't spammers get tarred with the same brush as the 
>spammers.  I did a grep on the maillog files and that is a firehose of spam. 
>
>Up to you of course. I have a few posts on the list trying to whitelist just 
>one sender. 

I agree. My problem is I have a business client that I process mail for, and 
they converted from in-house Exchange to O365.  I was rejecting their email to 
me LOL, not good for the relationship.  And they are losing a lot of their 
customers' mail, who are also using O365.  It's become too many to micromanage, 
and their perception is it's my fault, not M$.  I don’t see much of a way out 
of letting the blacklisted M$ servers "in"/around my RBLs.  FWIW, I've only 
bypassed my RBL checks, what comes in still goes through the rest of the checks 
(spamassassin etc.).






[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>Scott Techlist via Postfix-users:
>> I need to allow a domain to bypass my RBL checks.  I'm doing something 
>> wrong, or I'm
>misunderstanding what I'm checking from my logs.  I'd be grateful for an 
>assist to remedy.
>>
>
>Depending on whether domain is client or sender or ...
>
>...
>reject_unauth_destination
>...
>check_client_access hash:/pathname
>reject_rbl_client example.com
>...
>
>Or
>
>...
>reject_unauth_destination
>...
>check_sender_access hash:/pathname
>reject_rbl_client example.com
>...
>
>Or ???
>
>Where the table returns OK for the allowlisted domain.
>
>   Wietse


I'm always apprehensive when you answer.

I think I've misunderstood client and sender, I added the test to my 
check_sender_access hash file.  Will see how that does.  Thank you.






[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>> check_sender_access hash:/etc/postfix/sender_checks,
>
>That directive checks the email address which is used in the SMTP MAIL
>FROM command.
>
>I believe you need to use check_client_access to check the verified
>client hostname instead of check_sender_access.
>
>

Bill & Noel, thank you both for the assist.  

Moving my check from sender_checks to client_checks appears to have resolved my 
issue, I now see some RBL-listed M$ hosts' mail making it past my RBL checks.

Seems I always mix up client and sender, somewhere many years ago I got it 
stuck in my head postfix client checks was IP only.  Obviously incorrect.






[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
>>Depending on whether domain is client or sender or ...
>>
>>...
>>reject_unauth_destination
>>...
>>check_client_access hash:/pathname
>>reject_rbl_client example.com
>>...
>>
>>Or
>>
>>...
>>reject_unauth_destination
>>...
>>check_sender_access hash:/pathname
>>reject_rbl_client example.com
>>...
>>
>>Or ???
>>
>>Where the table returns OK for the allowlisted domain.
>>
>>  Wietse
>
>
>I'm always apprehensive when you answer.
>
>I think I've misunderstood client and sender, I added the test to my 
>check_sender_access hash file.
>Will see how that does.  Thank you.

Correction:
I added the test to my check_client_access hash file




[pfx] Re: postfix check_sender_access and subdomain test

2024-02-28 Thread Scott Techlist via Postfix-users
Noel:

As I understand from your explanation, if I keep my
parent_domain_matches_subdomains = smtpd_access_maps
then the preceding-dot format is moot/not needed.  Only
outbound.protection.outlook.com OK
Check.


>The reason it doesn't work is you're confusing sender and client.

Indeed I was.

I've updated my personal postfix manual, and added comments in my respective 
files as reminders, so as to not get them (client/sender) mixed up next time.  
The details you covered in-line were very helpful for me. Much appreciated.  

And now with client checks, it's working as desired.






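The client-versus-sender mix-up this thread turned on, modelled in Python as an added example (not Postfix code and not from the thread): the functions reproduce the key order access(5) documents for check_client_access and check_sender_access, so you can see which table entry a connection would hit. The client host and IP are taken from the rejected log line above; the sender address is a made-up value, since that log line has it elided.

```python
"""Model of Postfix access(5) lookup order for check_client_access vs check_sender_access."""
from __future__ import annotations


def domain_keys(domain: str, parent_matches: bool) -> list[str]:
    """Keys tried for a host/domain name, most specific first.  parent_matches=True
    models parent_domain_matches_subdomains containing smtpd_access_maps: parent
    domains are looked up without a leading dot; otherwise as ".domain.tld"."""
    labels = domain.lower().split(".")
    keys = [domain.lower()]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches else "." + parent)
    return keys


def client_keys(hostname: str, ip: str, parent_matches: bool) -> list[str]:
    """check_client_access: verified client hostname (skipped when 'unknown') and
    its parent domains, then the IP address and its shorter network prefixes."""
    keys = [] if hostname == "unknown" else domain_keys(hostname, parent_matches)
    octets = ip.split(".")
    return keys + [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def sender_keys(address: str, parent_matches: bool) -> list[str]:
    """check_sender_access: the MAIL FROM address, then its domain and parent
    domains, then the bare 'localpart@'."""
    local, _, domain = address.lower().partition("@")
    return [address.lower()] + domain_keys(domain, parent_matches) + [local + "@"]


def lookup(table: dict[str, str], keys: list[str]) -> tuple[str, str] | None:
    """First key present in the table wins, as with an indexed (hash:) map."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None


# The entry from the thread, first placed in sender_checks, later in client_checks.
ACCESS_TABLE = {"outbound.protection.outlook.com": "OK"}
# Constructed connection: client taken from the rejected log line; the sender
# address is made up because the page's log line has it elided.
CLIENT_HOST = "mail-psaapc01on2101.outbound.protection.outlook.com"
CLIENT_IP = "40.107.255.101"
SENDER = "someone@customer.example"


def demo(parent_matches: bool = True) -> dict[str, tuple[str, str] | None]:
    """The same entry looked up as a sender table and as a client table."""
    return {
        "check_sender_access": lookup(ACCESS_TABLE, sender_keys(SENDER, parent_matches)),
        "check_client_access": lookup(ACCESS_TABLE, client_keys(CLIENT_HOST, CLIENT_IP, parent_matches)),
    }
```

Note that postmap -q does a single exact-key lookup, which is why the full hostname did not match in the test earlier in the thread even though smtpd would also try its parent domains.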


[pfx] Re: Strengthen email system security

2024-05-22 Thread Scott Techlist via Postfix-users
>All of these entries are using the LOGIN mech.  Unless you have an
>extremely old outlook express MUA (or similar) you can and should be
>using the PLAIN mech.  You can eliminate all of the above attacks by
>removing LOGIN from the list of mechs you accept.

Peter:

I too see a lot of these so I went to try your solution.  I edited 
/etc/sasl2/smtpd.conf  
It now contains:

pwcheck_method: saslauthd
#mech_list: plain login
mech_list: plain

Restarted postfix and dovecot.

But now I notice I have both LOGIN and PLAIN failures, the change I made didn't 
have any effect that I can see.  
May 22 18:40:18 tn2 postfix-submission/smtpd[6125]: warning: 
unknown[218.67.123.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:40:31 tn2 postfix-submission/smtpd[6063]: warning: 
unknown[60.212.0.13]: SASL PLAIN authentication failed:
May 22 18:40:51 tn2 postfix-submission/smtpd[6126]: warning: 
unknown[41.207.248.204]: SASL PLAIN authentication failed:
May 22 18:41:25 tn2 postfix-submission/smtpd[6125]: warning: 
unknown[109.195.69.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:41:41 tn2 postfix-submission/smtpd[6063]: warning: 
unknown[175.196.165.155]: SASL LOGIN authentication failed: 

Is there some place else I need to adjust the mechs I accept?  Something else 
I need to restart?

Thanks, Scott



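An added example, not from the thread: a small Python tally of the quoted warning lines by SASL mechanism and by the decoded reason text, which is the check to repeat on a real mail log after changing the accepted mechanisms. It assumes the syslog line format quoted above; the sample lines are the five from the post.

```python
"""Tally Postfix smtpd SASL failure warnings by mechanism and by how far the
exchange got.  Added example; the log format assumed is the syslog format quoted."""
from __future__ import annotations
import base64
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the five warning lines quoted above.
SAMPLE_LOG = """\
May 22 18:40:18 tn2 postfix-submission/smtpd[6125]: warning: unknown[218.67.123.202]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:40:31 tn2 postfix-submission/smtpd[6063]: warning: unknown[60.212.0.13]: SASL PLAIN authentication failed:
May 22 18:40:51 tn2 postfix-submission/smtpd[6126]: warning: unknown[41.207.248.204]: SASL PLAIN authentication failed:
May 22 18:41:25 tn2 postfix-submission/smtpd[6125]: warning: unknown[109.195.69.156]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 22 18:41:41 tn2 postfix-submission/smtpd[6063]: warning: unknown[175.196.165.155]: SASL LOGIN authentication failed:
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<service>\S+)\[\d+\]: warning: "
    r"(?P<rdns>\S+)\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed:\s*(?P<detail>\S*)$"
)

@dataclass
class SaslFailure:
    service: str
    client_ip: str
    mech: str
    detail: str  # decoded reason text, "" when Postfix logged none

def decode_detail(detail: str) -> str:
    """The text after 'failed:' is the reason Postfix logged.  When it is base64
    it is SASL protocol data: UGFzc3dvcmQ6 decodes to 'Password:', the LOGIN
    mechanism's password prompt, so the server accepted LOGIN and got that far."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii") if detail else ""
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return detail

def parse_failures(log_text: str) -> list[SaslFailure]:
    """Parse every SASL failure warning; lines that do not match are skipped."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(SaslFailure(m["service"], m["ip"], m["mech"], decode_detail(m["detail"])))
    return found

def failure_profile(log_text: str) -> dict[tuple[str, str], int]:
    """(mechanism, decoded detail) -> count.  Re-run on a fresh log after removing
    LOGIN from the accepted mechanisms: 'Password:' entries for LOGIN mean the
    backend selected by smtpd_sasl_type is still offering LOGIN."""
    return dict(Counter((f.mech, f.detail) for f in parse_failures(log_text)))
```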


[pfx] Re: Comcast Throttle

2024-09-23 Thread Scott Techlist via Postfix-users
>The web form results in an automated email saying, "Your ip addresses are not 
>blocked." from Comcast.  This is a difficult group to interact with.


Last time I went through this I found they were using some 3rd party scoring 
company.  And for a small server like mine, I wasn’t even on that company's 
radar, much less at a volume that could get me delisted.  I throttled 
deliveries to them and that seems to have cured it.  I used to have a large 
opt-in mail-out list I managed for a motorsports org that had a lot of Comcast 
addresses.  I’ve since stopped providing that service.




[pfx] Let's Encrypt ending TLS Client Authentication

2025-05-14 Thread Scott Techlist via Postfix-users
Apologies in advance for the slightly OT question.  I've used Postfix since the 
beginning on a relatively small server.  I was thankful when Let's Encrypt made 
it possible for me to automate and have "real" certs vs the pain of having to 
deal with and renew self-signed certs (if that will even work anymore).  

With this latest letsencrypt announcement, is this going to hose my Postfix 
TLS?  I'm far from proficient at the cert business, grateful that it "just 
works" now.  Worried about how this will affect me.

Announcement email today from outre...@letsencrypt.org:

  "Ending TLS Client Authentication Certificate Support in 2026

  Let's Encrypt will no longer include the "TLS Client Authentication" Extended
  Key Usage (EKU) in our certificates beginning in 2026."

Most everything TLS related in my main.cf (let me know if you need to see the 
whole config):

broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_cert_file = /etc/letsencrypt/live/[myhostname]/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/[myhostname]/privkey.pem
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
tls_preempt_cipherlist = yes



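An added example (not from the announcement, Let's Encrypt or Postfix) for the one thing the worry above turns on: whether a given certificate carries the clientAuth EKU at all. It walks the DER with a stdlib-only ASN.1 reader; the sample bytes are a hand-encoded extensions block rather than a real certificate, and eku_from_pem is the function to point at a real fullchain.pem.

```python
"""Find the Extended Key Usage (EKU) values in a certificate with a small DER
walker (stdlib only).  Added example; not Let's Encrypt or Postfix code."""
from __future__ import annotations
import base64
OID_EKU = "2.5.29.37"
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes):
    pos = 0  # yield (tag, value) for the TLVs packed back to back in body
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _decode_oid(body: bytes) -> str:
    """Base-128 arcs; the first byte packs the first two arcs as 40*a + b."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def find_eku(der: bytes) -> list[str] | None:
    """Depth-first search for SEQ{OID 2.5.29.37, [BOOLEAN critical], OCTET STRING}.
    Returns the usages by name (raw OID when unknown) or None if there is no EKU."""
    stack = [der]
    while stack:
        for tag, value in _children(stack.pop()):
            if tag == 0x30:  # SEQUENCE: could be an Extension
                kids = list(_children(value))
                if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == OID_EKU:
                    octets = next(v for t, v in kids if t == 0x04)  # extnValue
                    oids = [_decode_oid(v) for _, v in _children(_read_tlv(octets, 0)[1])]
                    return [EKU_NAMES.get(o, o) for o in oids]
            if tag & 0x20:  # constructed type: descend into it
                stack.append(value)
    return None

def eku_from_pem(pem: str) -> list[str] | None:
    """Same check on the first certificate in a PEM file such as fullchain.pem."""
    b64 = pem.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END CERTIFICATE-----", 1)[0]
    return find_eku(base64.b64decode("".join(b64.split())))

# Constructed sample (hand-encoded DER, not a real certificate): an extensions block
# whose EKU extension lists both serverAuth and clientAuth.
SAMPLE_DER = bytes.fromhex("301f301d0603551d250416301406082b0601050507030106082b06010505070302")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```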