Re: [exim] Differences exim 4.93 and 4.94

2021-08-25 Thread SysAdmin EM
Here log from 4.94: https://pastecode.io/s/e0zm9887

typing error sorry


cleanup services cpu overload

2021-10-01 Thread SysAdmin EM
Hello,

I have three servers with Postfix and all day they were with a lot of CPU
use and it is not normal for this to happen.

top - 11:56:16 up 199 days, 56 min,  6 users,  load average: 40,12, 31,17, 21,94
Tasks: 578 total,  46 running, 528 sleeping,   0 stopped,   4 zombie
%Cpu0  : 88,1 us,  5,9 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  5,9 si,  0,0 st
%Cpu1  : 99,0 us,  1,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
%Cpu2  : 95,0 us,  5,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
%Cpu3  : 99,0 us,  1,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
%Cpu4  : 99,0 us,  1,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
%Cpu5  : 99,0 us,  1,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
%Cpu6  : 97,0 us,  3,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
%Cpu7  :100,0 us,  0,0 sy,  0,0 ni,  0,0 id,  0,0 wa,  0,0 hi,  0,0 si,  0,0 st
KiB Mem : 32808916 total, 13956116 free,  8732080 used, 10120720 buff/cache
KiB Swap:  7812092 total,  7696636 free,   115456 used. 21859016 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
26482 postfix   20   0  242836 156608   3408 R  2,1  0,5   0:59.19 cleanup
24968 postfix   20   0  241688 155464   3408 R  2,5  0,5   1:14.43 cleanup
25337 postfix   20   0  241488 155048   3400 R  2,0  0,5   1:09.51 cleanup
32606 postfix   20   0  240892 154600   3408 S  0,0  0,5   0:19.89 cleanup
27027 postfix   20   0  240804 154576   3408 R  2,1  0,5   0:57.33 cleanup
24575 postfix   20   0  240948 154396   3400 S  0,5  0,5   1:22.03 cleanup
19231 postfix   20   0  240212 153976   3400 R  2,1  0,5   2:07.90 cleanup
10572 postfix   20   0  240128 153820   3400 R  2,4  0,5   3:30.41 cleanup
 1921 postfix   20   0  240004 153716   3408 R  2,0  0,5   0:11.37 cleanup
  607 postfix   20   0  239756 153200   3400 R  1,4  0,5   0:16.62 cleanup
32393 postfix   20   0  238692 152460   3400 R  2,2  0,5   0:29.58 cleanup
25986 postfix   20   0  238452 152156   3400 R  0,1  0,5   1:16.30 cleanup
18941 postfix   20   0  237952 151612   3400 R  2,1  0,5   2:14.73 cleanup
 3396 postfix   20   0  237764 151484   3408 S  1,7  0,5   0:05.36 cleanup
 1933 postfix   20   0  237768 151480   3408 S  1,6  0,5   0:11.48 cleanup
 3104 postfix   20   0  237520 151228   3400 S  1,5  0,5   0:07.83 cleanup
 3238 postfix   20   0  237516 151228   3408 S  1,7  0,5   0:07.14 cleanup
22020 postfix   20   0  237704 151208   3408 R  2,0  0,5   1:51.85 cleanup
 1883 postfix   20   0  237224 150940   3408 R  2,5  0,5   0:12.96 cleanup
25044 postfix   20   0  237112 150776   3408 R  2,6  0,5   1:28.17 cleanup
25319 postfix   20   0  236920 150696   3408 R  2,1  0,5   1:27.55 cleanup
30583 postfix   20   0  236772 150532   3400 R  2,0  0,5   0:44.22 cleanup
 3161 postfix   20   0  236956 150528   3400 S  0,0  0,5   0:06.26 cleanup
 3136 postfix   20   0  236864 150448   3408 R  2,0  0,5   0:05.43 cleanup
 3116 postfix   20   0  236868 150440   3408 R  2,1  0,5   0:07.13 cleanup
 1909 postfix   20   0  236652 150420   3400 R  2,4  0,5   0:17.12 cleanup
 1897 postfix   20   0  236836 150408   3400 R  1,1  0,5   0:11.67 cleanup
32002 postfix   20   0  236536 150308   3400 R  2,5  0,5   0:29.71 cleanup

### version

mail_version = 2.10.1


 main.cf
default_process_limit = 500

## Default 10 MB, raised to 70 MB (same as exim)
message_size_limit = 73400320

## To accept from the Linux backend
mynetworks = 127.0.0.1/32 [::1]/128 172.17.0.0/16 10.0.0.0/8

## Round-robin of transports
transport_maps = tcp:127.0.0.1:23000
127.0.0.1:23000_time_limit = 3600s

## Number of incoming connections (default 2000)
smtpd_client_connection_count_limit = 2500

## Enable TLS - Receiving
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_protocols = !SSLv2:!SSLv3
smtp_tls_mandatory_protocols = !SSLv2:!SSLv3
smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
## Defaults when smtpd_tls_security_level = may
###smtpd_tls_ciphers = medium
###smtpd_tls_protocols = !SSLv2, !SSLv3
## Still need to investigate whether weak ciphers must be excluded
###smtpd_tls_exclude_ciphers = MD5, DES

## Enable TLS - Sending
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache
## Defaults when smtp_tls_security_level = may
###smtp_tls_ciphers = medium
###smtp_tls_protocols = !SSLv2, !SSLv3
## Still need to investigate whether weak ciphers must be excluded
###smtp_tls_exclude_ciphers = MD5, DES

### Check to remove malformed accounts
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

## Reduci

Re: cleanup services cpu overload

2021-10-01 Thread SysAdmin EM
Hello Wietse. Thank you for your answer, you are always attentive to
everyone, you were very kind.

I'm going to start using pcre, in the header_checks file I have certain
locks to prevent sending spam or phishing.

/^Subject: Invest once and get passive income.*/   DISCARD SUBJECTSPAM2293
/^Subject: Earnings on a trading robot.*/   DISCARD SUBJECTSPAM2294
/^Subject: Working Online At Home.*/   DISCARD SUBJECTSPAM2295
/^Subject: Netflix Je account.*/   DISCARD SUBJECTSPAM2296
/^Subject: Mailbox Size Warning.*/   DISCARD SUBJECTSPAM2297
/^Subject:.*Sunrise ritual.*/   DISCARD SUBJECTSPAM2298
/^Subject:.*pending messages on hold.*/   DISCARD SUBJECTSPAM2299

I am going to ask an additional question, is the syntax of pcre similar to
regexp? because I will have to modify many rules.

Regards,

On Fri, Oct 1, 2021 at 1:52 PM Wietse Venema  wrote:

> SysAdmin EM:
> > ## Chequeo de header
> > header_checks = regexp:/etc/postfix/header_checks
> >
> > ## Chequeos de body
> > body_checks = regexp:/etc/postfix/body_checks
>
> These can use lots of CPU for example with patterns that require
> backtracking. (google for "regexp cpu").
>
> Note that regexp: is less efficient than pcre:. The reason
> for having regexp support in Postfix is that every system library
> must support that, while pcre support is an addon.
>
> Wietse
>


Re: cleanup services cpu overload

2021-10-01 Thread SysAdmin EM
Thanks Wietse and Matus.

I understand that I must work this way, examples:

if /^Subject:/
/^Subject: Invest once and get passive income(.*)/   DISCARD SUBJECTSPAM2293
/^Subject: Earnings on a trading robot(.*)/   DISCARD SUBJECTSPAM2294
/^Subject: Working Online At Home(.*)/   DISCARD SUBJECTSPAM2295
/^Subject: Netflix Je account(.*)/   DISCARD SUBJECTSPAM2296
/^Subject: Mailbox Size Warning(.*)/   DISCARD SUBJECTSPAM2297
/^Subject:(.*)Sunrise ritual(.*)/   DISCARD SUBJECTSPAM2298
/^Subject:(.*)pending messages on hold(.*)/   DISCARD SUBJECTSPAM2299
endif

/usr/sbin/postmap -v -h -q - pcre:/etc/postfix/header_checks < /etc/postfix/header_checks

In main.cf i add this:
header_checks = pcre:/etc/postfix/header_checks

This is my server hardware:

Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz
32 Gb RAM




On Fri, Oct 1, 2021 at 2:33 PM Wietse Venema  wrote:

> SysAdmin EM:
> > Hello Wietse. Thank you for your answer, you are always attentive to
> > everyone, you were very kind.
> >
> > I'm going to start using pcre, in the header_checks file I have certain
> > locks to prevent sending spam or phishing.
> >
> > /^Subject: Invest once and get passive income.*/   DISCARD SUBJECTSPAM2293
> > /^Subject: Earnings on a trading robot.*/   DISCARD SUBJECTSPAM2294
> > /^Subject: Working Online At Home.*/   DISCARD SUBJECTSPAM2295
> > /^Subject: Netflix Je account.*/   DISCARD SUBJECTSPAM2296
> > /^Subject: Mailbox Size Warning.*/   DISCARD SUBJECTSPAM2297
> > /^Subject:.*Sunrise ritual.*/   DISCARD SUBJECTSPAM2298
> > /^Subject:.*pending messages on hold.*/   DISCARD SUBJECTSPAM2299
>
> First, DISCARD is not a nice way to eliminate spam if you have many
> users.
>
> Second, the .* at the end is not needed, but I do not expect that
> is causing high CPU usage.
>
> You can save lots of CPU if you have many Subject: patterns, by
> using if-endif.
>
> if /^Subject:/
> # No whitespace before patterns between if-endif
> /^Subject: *this/
> /^Subject:.*that/
> ...
> endif
>
> With this, message headers that aren't a Subject will use very
> little CPU.
>
> Wietse
>
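
The if-endif advice above can be checked by counting pattern evaluations. This is an added example, not code from the thread or from Postfix: a small Python model of pcre_table(5) lookup that handles only `/` delimiters, the `i` flag and `if`/`endif`, run over constructed rules and headers. It counts regular expressions tried, not real PCRE CPU time.

```python
import re

# One table line: optional "!", /pattern/, optional flags, then the action.
RULE = re.compile(r"^(!?)/((?:\\.|[^/\\])*)/([A-Za-z]*)\s*(.*)$")

# Constructed rules modelled on the thread (trailing ".*" dropped, as advised).
FLAT = """\
/^Subject: Invest once and get passive income/ DISCARD SUBJECTSPAM2293
/^Subject: Earnings on a trading robot/ DISCARD SUBJECTSPAM2294
/^Subject:.*Sunrise ritual/ DISCARD SUBJECTSPAM2298
/^Subject:.*pending messages on hold/ DISCARD SUBJECTSPAM2299
"""
# Same rules behind a guard; patterns stay flush-left between if and endif.
GUARDED = "if /^Subject:/\n" + FLAT + "endif\n"

# Constructed headers of one ordinary message.
HEADERS = [
    "Received: from app01.example.org (app01.example.org [192.0.2.10])",
    "Message-ID: <20211001.1@example.org>",
    "Date: Fri, 1 Oct 2021 11:56:16 -0300",
    "From: Billing <billing@example.org>",
    "To: user@example.net",
    "MIME-Version: 1.0",
    "Content-Type: text/plain; charset=utf-8",
    "Subject: Your invoice for September",
]


def parse(text):
    """Parse table text into a nested list of ('rule'|'if', negate, regex, payload)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    root = []
    stack = [root]
    for line in logical:
        if line == "endif":
            if len(stack) == 1:
                raise ValueError("endif without if")
            stack.pop()
            continue
        is_if = line.startswith("if ")
        m = RULE.match(line[3:].lstrip() if is_if else line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        negate, pattern, flags, action = m.groups()
        # pcre tables are case-insensitive by default; the i flag toggles that.
        regex = re.compile(pattern, 0 if "i" in flags else re.IGNORECASE)
        if is_if:
            body = []
            stack[-1].append(("if", bool(negate), regex, body))
            stack.append(body)
        else:
            stack[-1].append(("rule", bool(negate), regex, action))
    if len(stack) != 1:
        raise ValueError("if without endif")
    return root


def lookup(rules, header):
    """Return (action or None, number of regex evaluations) for one header line."""
    evals = 0
    for kind, negate, regex, payload in rules:
        evals += 1
        if (regex.search(header) is not None) == negate:
            continue  # no hit: next rule; a failed guard skips its whole block
        if kind == "rule":
            return payload, evals
        action, inner = lookup(payload, header)
        evals += inner
        if action is not None:
            return action, evals
    return None, evals


def total_evaluations(table_text, headers):
    """Regex evaluations needed to run every header through the table."""
    rules = parse(table_text)
    return sum(lookup(rules, h)[1] for h in headers)


if __name__ == "__main__":
    print("flat   :", total_evaluations(FLAT, HEADERS))
    print("guarded:", total_evaluations(GUARDED, HEADERS))
```

With four rules the guard already cuts the work for this message from 32 evaluations to 12; the gap grows with every Subject rule added to the file.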


Postfix with Kibana, help with configuration?

2021-10-26 Thread SysAdmin EM
Hello everyone?
Has anyone correctly configured kibana to read postfix logs?

I read this documentation, but in kibana 7 not work for me.
https://github.com/whyscream/postfix-grok-patterns

postfix_queue_id postfix_from postfix_to postfix_date

The idea is to have a dashboard with the mails sent to prevent users from
entering the console to search for them.

Regards,


header_check PREPEND option different behavior in hotmail and gmail

2022-02-08 Thread SysAdmin EM
Hello everyone, I did not know what title to put the problem, but I happen
to detail what is the drawback.

I use the header_checks file to insert a data in the Reply-To header but
depending on the provider it is added incorrectly.

# /etc/postfix/header_checks

/^From: (.*@primarydomain.com)/ PREPEND Reply-to: $1

In Hotmail it is generated incorrectly:

Reply-To: "user@" , <
nore...@primarydomain.com>

In gmail is generated correctly:

Reply-to: "u...@secondomain.com" <

I really don’t know how to fix it

Any helps??

Regards,


Prepend add extra symbol in header

2022-04-19 Thread SysAdmin EM
Hi!!

I am using the prepend option as follows:

/ From: (.*@mydomain.com)/ PREPEND Reply to: $1

When the mail arrives I see that it does this way:

Reply-to: "nore...@equair.com.ec" <

Re: Prepend add extra symbol in header

2022-04-19 Thread SysAdmin EM
Thanks for the help.

should also be corrected in the file sender_canonical?

/@gmail.com/ nore...@kiusys.com

/@gmail.cl/ nore...@kiusys.com

/@hotmail.com/ nore...@kiusys.com

/@outlook.com/ nore...@kiusys.com

/@satena.com/ nore...@kiusys.com

/@mayair.com/ nore...@kiusys.com

/@gmail.co/ nore...@kiusys.com

/@octopus.com.co/ nore...@kiusys.com

/@taccolombia.com/ nore...@kiusys.com

/@turpialairlines.com/ nore...@kiusys.com

/@.*/ nore...@kiusys.com

Regards!!

On Tue, Apr 19, 2022 at 11:31 AM Wietse Venema  wrote:

> Wietse Venema:
> > SysAdmin EM:
> > > Hi!!
> > >
> > > I am using the prepend option as follows:
> > >
> > > / From: (.*@mydomain.com)/ PREPEND Reply to: $1
> > >
> > > When the mail arrives I see that it does this way:
> > >
> > > Reply-to: "nore...@equair.com.ec" <
> > >
> > > I see an additional symbol added (<)
> >
> > The '<' was already present in the From: header.
> >
> > > any help?
> >
> > If you must do this, why not copy the entire From: value?
> >
> > /^From:(.+@example\.com\b.+) Reply-To:$1
>
>
> Correction for missing '/' at the end of the pattern:
>
> /^From:(.+@example\.com\b.+)/ Reply-To:$1
>
> > Note: the \b matches a word boundary, and the \. matches . instead
> > of every character.
> >
> > Test your patterns against the following:
> >
> > postmap -q 'From: First Last ' pcre:/path/to/file
> > postmap -q 'From: u...@example.com (First Last)' pcre:/path/to/file
> >
> >   Wietse
> >
> >
>
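
The stray `<` in the two Reply-To threads above comes from what `$1` captures. This is an added example, not code from the thread: it runs the original-style pattern and the corrected pattern from the reply through Python's `re` (close enough to PCRE for these expressions) against constructed From: headers on the placeholder domain example.com.

```python
import re

# Original-style rule from the thread: unescaped dots, capture stops at the domain.
ORIGINAL = re.compile(r"^From: (.*@example.com)", re.IGNORECASE)
# Corrected rule from the reply: escaped dot, word boundary, rest of the header copied.
CORRECTED = re.compile(r"^From:(.+@example\.com\b.+)", re.IGNORECASE)

# Constructed From: headers covering the address forms discussed in the thread.
SAMPLES = [
    'From: "Reservations" <noreply@example.com>',   # display name + angle address
    "From: noreply@example.com (Reservations)",     # address + comment
    "From: noreply@example.com",                    # bare address, nothing after it
    'From: "Fake" <user@example.community>',        # different domain, same prefix
]


def prepend_value(pattern, header):
    """Text that $1 would expand to, or None if the rule does not fire."""
    m = pattern.search(header)
    return m.group(1) if m else None


def classify(pattern, header):
    """'no-match', 'unbalanced' (angle brackets do not pair up) or 'ok'."""
    value = prepend_value(pattern, header)
    if value is None:
        return "no-match"
    if value.count("<") != value.count(">"):
        return "unbalanced"
    return "ok"


def compare(headers):
    """One row per header: (header, result with ORIGINAL, result with CORRECTED)."""
    return [(h, classify(ORIGINAL, h), classify(CORRECTED, h)) for h in headers]


if __name__ == "__main__":
    for header, before, after in compare(SAMPLES):
        print(f"{before:11} {after:9} {header}")
```

The original pattern copies the opening `<` but not the closing `>`, and its unescaped dots let it fire on example.community as well. The corrected pattern needs at least one character after the domain, so a bare address with nothing following it does not match.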


Block MX from recipients

2022-05-31 Thread SysAdmin EM
I am checking the mail queue of my postfix server and I am seeing errors in
writing mail accounts, which refer to real domains of free mail providers
such as hotmail, gmail, yahoo.

BC2CC607AF   881286 Tue May 31 05:19:53  webchec...@kiusys.com
   (connect to hotmaul.com[54.159.98.68]:25: Connection timed out)
 tc_gus...@hotmaul.com

BAF5D60E06 3071 Fri May 27 03:32:45  r...@kiusys.com
 (connect to hormail.com[104.215.95.187]:25: Connection timed out)
 negritaa...@hormail.com

Any chance of blocking the MX of a recipient? Reading the documentation I
found the parameter "check_sender_mx_access" but I think it refers to a
sender and not a recipient.

Regards,


Re: Block MX from recipients

2022-05-31 Thread SysAdmin EM
We send confirmation of checking for flights, apparently users are
mistyping your email.

Is it possible to block IP addresses via Postfix?

On Tue, May 31, 2022 at 1:42 PM Wietse Venema  wrote:

> SysAdmin EM:
> > I am checking the mail queue of my postfix server and I am seeing errors
> in
> > writing mail accounts, which refer to real domains of free mail providers
> > such as hotmail, gmail, yahoo.
> >
> > BC2CC607AF   881286 Tue May 31 05:19:53  webchec...@kiusys.com
> >(connect to hotmaul.com[54.159.98.68]:25: Connection
> timed
> > out)
> >  tc_gus...@hotmaul.com
> >
> > BAF5D60E06 3071 Fri May 27 03:32:45  r...@kiusys.com
> >  (connect to hormail.com[104.215.95.187]:25: Connection
> timed
> > out)
> >  negritaa...@hormail.com
>
> Why is your mail server sending mail to those addresses?
>
> - If the sender is remote, make sure that you are not an open relay.
>
> - If the sender is MAILER-DAEMON, search the maillog file for
>   BC2CC607AF or BAF5D60E06 and see why those messages were created.
>
>
> Wietse
>


postfix3 with opendkim

2020-03-10 Thread SysAdmin EM
Hello, me again.

I update my Postfix 2 to Postfix 3. Postfix not communicating with opendkim.

Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter: mi_stop=1
Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter v2.11.0 terminating with status 0, errno = 0
Mar 10 10:14:34 server opendkim[18915]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)

Mar 10 10:15:44 server003 postfix/cleanup[19015]: 614D2C09B473: message-id=<20200310131544.614d2c09b...@mail03.server.com>
Mar 10 10:15:44 server003 postfix/qmgr[18994]: 614D2C09B473: from=<r...@mail03.server.com>, size=512, nrcpt=1 (queue active)
Mar 10 10:15:44 server003 postfix/smtp[19018]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
Mar 10 10:15:45 server003 postfix/smtp[19018]: 614D2C09B473: to=<emaw...@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.186.26]:25, delay=1, delays=0.07/0/0.43/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK  1583846145 z199si8204777qka.20 - gsmtp)
Mar 10 10:15:45 server003 postfix/qmgr[18994]: 614D2C09B473: removed

In the openDKIM config file i add this options:

 /etc/opendkim.conf

PidFile             /var/run/opendkim/opendkim.pid
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
Mode                v
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            default
MinimumKeyBits      1024
KeyFile             /etc/opendkim/keys/default.private
OversignHeaders     From

any ideas?

Regards,


Re: postfix3 with opendkim

2020-03-10 Thread SysAdmin EM
Hello.!

In the mail.cf i add this options:
# OpenDKIM
smtpd_milters   = inet:127.0.0.1:8891
non_smtpd_milters   = $smtpd_milters
milter_default_action   = accept
milter_protocol = 6

when i send and email from console, i not see communication with postfix
and opendkim

Mar 10 10:50:15 server003 postfix/pickup[19505]: BC053C09B473: uid=0 from=
Mar 10 10:50:15 server003 postfix/cleanup[19512]: BC053C09B473: message-id=<20200310135015.bc053c09b...@mail03.server003.com>
Mar 10 10:50:15 server003 postfix/qmgr[19506]: BC053C09B473: from=<r...@mail03.server003.com>, size=512, nrcpt=1 (queue active)
Mar 10 10:50:16 server003 postfix/smtp[19515]: BC053C09B473: to=<emaw...@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.186.26]:25, delay=1, delays=0.04/0/0.34/0.62, dsn=2.0.0, status=sent (250 2.0.0 OK  1583848216 f20si8353764qkm.11 - gsmtp)
Mar 10 10:50:16 server003 postfix/qmgr[19506]: BC053C09B473: removed

any ideas?

Thanks for the help.

Regards,


On Tue, Mar 10, 2020 at 10:47, Fazzina, Angelo (
angelo.fazz...@uconn.edu) wrote:

> Hi, may I ask what your Postfix config looks like for OpenDkim ?
>
>
>
> In Postfix 2.x it is close to this :
>
> smtpd_milters = inet:127.0.0.1:8891
> non_smtpd_milters = $smtpd_milters
> milter_default_action = accept
> milter_protocol = 6
>
>
>
>
>
>
>
> -ANGELO FAZZINA
>
>
>
> ang...@uconn.edu
>
> University of Connecticut,  ITS, SSG, Server Systems
>
> 860-486-9075
>
>
>
> *From:* owner-postfix-us...@postfix.org  *On
> Behalf Of *SysAdmin EM
> *Sent:* Tuesday, March 10, 2020 9:26 AM
> *To:* postfix-users@postfix.org
> *Subject:* postfix3 with opendkim
>
>
>
> *Message sent from a system outside of UConn.*
>
>
>
> Hello, my again.
>
>
>
> I update my Postfix 2 to Postfix 3. Postfix not communicating with
> opendkim.
>
>
>
> Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter: mi_stop=1
> Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter v2.11.0
> terminating with status 0, errno = 0
> Mar 10 10:14:34 server opendkim[18915]: OpenDKIM Filter v2.11.0 starting
> (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)
>
>
>
>
>
>
>
> Mar 10 10:15:44 server003 postfix/cleanup[19015]: 614D2C09B473:
> message-id=<20200310131544.614d2c09b...@mail03.server.com>
> Mar 10 10:15:44 server003 postfix/qmgr[18994]: 614D2C09B473: from=<
> r...@mail03.server.com>, size=512, nrcpt=1 (queue active)
> Mar 10 10:15:44 server003 postfix/smtp[19018]: connect to
> gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25:
> Network is unreachable
> Mar 10 10:15:45 server003 postfix/smtp[19018]: 614D2C09B473: to=<
> emaw...@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.186.26]:25,
> delay=1, delays=0.07/0/0.43/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK  1583846145
> z199si8204777qka.20 - gsmtp)
> Mar 10 10:15:45 server003 postfix/qmgr[18994]: 614D2C09B473: removed
>
> In the openDKIM config file i add this options:
>
>
>
>  /etc/opendkim.conf
>
>
>
> PidFile             /var/run/opendkim/opendkim.pid
> KeyTable            /etc/opendkim/KeyTable
> SigningTable        refile:/etc/opendkim/SigningTable
> ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
> InternalHosts       refile:/etc/opendkim/TrustedHosts
> Mode                v
> Syslog              yes
> SyslogSuccess       yes
> LogWhy              yes
> UserID              opendkim:opendkim
> Socket              inet:8891@localhost
> Umask               002
> SendReports         yes
> SoftwareHeader      yes
> Canonicalization    relaxed/relaxed
> Selector            default
> MinimumKeyBits      1024
> KeyFile             /etc/opendkim/keys/default.private
> OversignHeaders     From
>
>
>
> any ideas?
>
>
>
> Regards,
>
>
>


Re: postfix3 with opendkim

2020-03-10 Thread SysAdmin EM
grep milter /etc/postfix/master.cf
#  -o milter_macro_daemon_name=ORIGINATING
#  -o milter_macro_daemon_name=ORIGINATING

I can't find the problem flaw

Any ideas? postfix 3 is compatible?

On Tue, Mar 10, 2020 at 10:58, Dominic Raferd (
domi...@timedicer.co.uk) wrote:

> On Tue, 10 Mar 2020 at 13:52, SysAdmin EM  wrote:
> >
> > Hello.!
> >
> > In the mail.cf i add this options:
> > # OpenDKIM
> > smtpd_milters   = inet:127.0.0.1:8891
> > non_smtpd_milters   = $smtpd_milters
> > milter_default_action   = accept
> > milter_protocol = 6
> >
> > when i send and email from console, i not see communication with postfix
> and opendkim
> >
> > Mar 10 10:50:15 server003 postfix/pickup[19505]: BC053C09B473: uid=0
> from=
> > Mar 10 10:50:15 server003 postfix/cleanup[19512]: BC053C09B473:
> message-id=<20200310135015.bc053c09b...@mail03.server003.com>
> > Mar 10 10:50:15 server003 postfix/qmgr[19506]: BC053C09B473: from=<
> r...@mail03.server003.com>, size=512, nrcpt=1 (queue active)
> > Mar 10 10:50:16 server003 postfix/smtp[19515]: BC053C09B473: to=<
> emaw...@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.186.26]:25,
> delay=1, delays=0
> > .04/0/0.34/0.62, dsn=2.0.0, status=sent (250 2.0.0 OK  1583848216
> f20si8353764qkm.11 - gsmtp)
> > Mar 10 10:50:16 server003 postfix/qmgr[19506]: BC053C09B473: removed
> >
> >
> > On Tue, Mar 10, 2020 at 10:47, Fazzina, Angelo (
> angelo.fazz...@uconn.edu) wrote:
> >>
> >> Hi, may I ask what your Postfix config looks like for OpenDkim ?
> >> In Postfix 2.x it is close to this :
> >>
> >> smtpd_milters = inet:127.0.0.1:8891
> >> non_smtpd_milters = $smtpd_milters
> >> milter_default_action = accept
> >> milter_protocol = 6
> >> -ANGELO FAZZINA
> >>
> >>
> >> From: owner-postfix-us...@postfix.org 
> On Behalf Of SysAdmin EM
> >> Sent: Tuesday, March 10, 2020 9:26 AM
> >> To: postfix-users@postfix.org
> >> Subject: postfix3 with opendkim
> >>
> >> I update my Postfix 2 to Postfix 3. Postfix not communicating with
> opendkim.
> >>
> >>
> >>
> >> Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter: mi_stop=1
> >> Mar 10 10:14:31 server003 opendkim[18596]: OpenDKIM Filter v2.11.0
> terminating with status 0, errno = 0
> >> Mar 10 10:14:34 server opendkim[18915]: OpenDKIM Filter v2.11.0
> starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)
> >> Mar 10 10:15:44 server003 postfix/cleanup[19015]: 614D2C09B473:
> message-id=<20200310131544.614d2c09b...@mail03.server.com>
> >> Mar 10 10:15:44 server003 postfix/qmgr[18994]: 614D2C09B473: from=<
> r...@mail03.server.com>, size=512, nrcpt=1 (queue active)
> >> Mar 10 10:15:44 server003 postfix/smtp[19018]: connect to
> gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is
> unreachable
> >> Mar 10 10:15:45 server003 postfix/smtp[19018]: 614D2C09B473: to=<
> emaw...@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.186.26]:25,
> delay=1, delay
> >> s=0.07/0/0.43/0.54, dsn=2.0.0, status=sent (250 2.0.0 OK  1583846145
> z199si8204777qka.20 - gsmtp)
> >> Mar 10 10:15:45 server003 postfix/qmgr[18994]: 614D2C09B473: removed
> >>
> >> In the openDKIM config file i add this options:...
>
>
> Maybe you have something in your master.cf that overrides the milter
> settings in main.cf. Have a look for keyword 'milter' in master.cf.
>


Re: Postfix stable release 3.5.0

2020-03-17 Thread SysAdmin EM
Hello! excellent work, the option to bounce emails manually is very useful
for me.

Never perform the update through the source code. I would like to know if I
can get the src.rpm for Centos?



On Mon, Mar 16, 2020 at 11:18, Wietse Venema (
wie...@porcupine.org) wrote:

> [An on-line version of this announcement will be available at
> http://www.postfix.org/announcements/postfix-3.5.0.html]
>
> Postfix stable release 3.5.0 is available. Support has ended for
> legacy release Postfix 3.1.
>
> The main changes are below. See the RELEASE_NOTES file for further details.
>
>   * Support for the haproxy v2 protocol. The Postfix implementation
> supports TCP over IPv4 and IPv6, as well as non-proxied
> connections; the latter are typically used for heartbeat tests.
>
>   * Support to force-expire email messages. This introduces new
> postsuper(1) command-line options to request expiration, and
> additional information in mailq(1) or postqueue(1) output.
>
>   * The Postfix SMTP and LMTP client support a list of nexthop
> destinations separated by comma or whitespace. These destinations
> will be tried in the specified order. Examples:
>
> /etc/postfix/main.cf:
> relayhost = foo.example, bar.example
> default_transport = smtp:foo.example, bar.example
>
> Incompatible changes:
>
>   * Logging: Postfix daemon processes now log the from= and to=
> addresses in external (quoted) form in non-debug logging (info,
> warning, etc.). This means that when an address localpart
> contains spaces or other special characters, the localpart will
> be quoted, for example:
>
> from=<"name with spaces"@example.com>
>
> Specify "info_log_address_format = internal" for backwards
> compatibility.
>
>   * Postfix now normalizes IP addresses received with XCLIENT,
> XFORWARD, or with the HaProxy protocol, for consistency with
> direct connections to Postfix. This may change the appearance
> of logging, and the way that check_client_access will match
> subnets of an IPv6 address.
>
> You can find the updated Postfix source code at the mirrors listed
> at http://www.postfix.org/.
>
> Wietse
>


Postfix Sign smtp from with DKIM

2020-03-27 Thread SysAdmin EM
Is it possible to sign smtp from with DKIM? I clarify that I am not talking
about the header from.

I have installed opendkim and can only sign the header from.

What I am seeing is that some emails that I receive in the different Gmail
tabs, for example Promotions, have a double dkim key:

Authentication-Results: mx.google.com;
   dkim=pass header.i=@stackoverflow.email header.s=s1
header.b=S0yxBc6Y;
   dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=uYee9Qd0;

The from address is stackoverflow.email but there exists a second dkim from
sendgrid.info.

My idea is to sign the email twice, but I don't understand how to do it.
Does anyone use double signed?

Regards,


Postfix problem with Hotmail (501 5.5.4 Invalid domain name)

2020-04-03 Thread SysAdmin EM
Hello,

I am seeing the following error in some email directed to hotmail:

: host
hotmail-com.olc.protection.outlook.com[104.47.46.33] refused to talk to me:
501 5.5.4 Invalid domain name
[BN3NAM04FT008.eop-NAM04.prod.protection.outlook.com]Return-Path: <
facturac...@zonanet.com.ar>
Received: from smarthost04-ded.dattaweb.com (localhost [127.0.0.1])
by smarthost04-ded.dattaweb.com (Postfix) with ESMTPS id 2D3959201C6
for ; Fri, 3 Apr 2020 09:42:20 -0300 (-03)
Received: from vps-1683944-x.dattaweb.com (vps-1683944-x.dattaweb.com
[66.97.41.242])
by smarthost04-ded.dattaweb.com (Postfix) with ESMTPS id 06B8892021B
for ; Fri, 3 Apr 2020 09:42:20 -0300 (-03)
Received: from [190.225.223.13] (helo=ZNServer)
by vps-1683944-x.dattaweb.com with esmtpa (Exim 4.92.3)
(envelope-from )
id 1jKLeB-0001qo-HO
for lachec...@hotmail.com; Fri, 03 Apr 2020 09:42:07 -0300
MIME-Version: 1.0
From: "ZonaNet"

To: lachec...@hotmail.com
Date: 3 Apr 2020 09:42:05 -0300

Any ideas?

The configuration of the reverse of the sending IP and the server hostname
is correct.

[root@smarthost04-ded ~] # host vps-1683944-x.dattaweb.com
vps-1683944-x.dattaweb.com has address 66.97.41.242
vps-1683944-x.dattaweb.com has IPv6 address 2800:6c0:3::887


"Postfix Upgrade 3.4.7 to 3.5.x"

2020-04-21 Thread SysAdmin EM
Hello everyone.

I manage a server which works as a smarthost and I need to update my
version of Postfix since the new version incorporates a functionality to
manually expire messages and how I handle a large volume of shipments is
very useful for me.

System info:
CentOS Linux release 7.7.1908 (Core)
mail_version = 3.4.7
x86_64

Through the ghettoforce repo the rpm is not yet found and manually I have
many doubts about it. I need a tutorial to update my postfix without
damaging the current configuration?

Any recommendation on the matter to offer me?

Regards,


Postfix error "501 5.5.4 Invalid domain name"

2020-05-14 Thread SysAdmin EM
Hello,

I have two servers running on Postfix, one of which runs version 2.10.1 and
the other server runs version 3.4.7.

On the server where I am running version 3.4.7, I receive "501 5.5.4 Invalid
domain name" errors in emails sent to different servers. The mail is sent
to postfix through exim from a relay connection.

The reverse of the IP is configured correctly and the From domain is also
responding.

# Log example

postfix-out/smtp[12931]: E30639204ED: to=, relay=
hotmail-com.olc.protection.outlook.com[104.47.124.33]:25, delay=1.4,
delays=0.08/0/1.4/0, dsn=5.5.4, status=bounced (host
hotmail-com.olc.protection.outlook.com[104.47.124.33] refused to talk to
me: 501 5.5.4 Invalid domain name [
HK2APC01FT037.eop-APC01.prod.protection.outlook.com])

The only difference that I see in the logs of version 2 and version 3, is
the following

# Postfix 2

postfix/smtpd[2377]: 539628047FD1: client=servername[179.x.x.x]

# Postfix 3

postfix-out/smtpd[9433]: 7F6809204ED: client=localhost[127.0.0.1]

Any ideas?

Regards,


Discard message with blank subject

2020-06-19 Thread SysAdmin EM
Hello everyone, i try to discard message with empty subject, but not work.

I use this rule:

/^Subject: *$/   DISCARD "Empty Subject"

any ideas?

Regards,


Move queue to another Server, it's possible?

2020-07-01 Thread SysAdmin EM
Hello,
I am configuring a backup server, which works through round-robin, it is a
server that is only for Hosting, not commercial emails, the idea is to use
it as a backup, is it possible to move the queue between servers? does it
matter that there are different IP addresses?

Regards,


Re: Move queue to another Server, it's possible?

2020-07-01 Thread SysAdmin EM
I have another question, can I send the emails with another IP? tell
postfix to take it out through another interface? the mails I assign an
attribute "hold" can I tell postfix to come out from another interface?

Example on server number "1" I have 5 IPs, I create a new interface, can I
send the queued emails with a new IP?

I want to clarify that I am not sending email marketing in bulk, I only
send payment vouchers from schools, banks and other institutions. Also take
the opportunity to always thank you for the help you have given me, you are
always attentive to the needs of users.

Regards,

On Wed, Jul 1, 2020 at 12:13, Wietse Venema (
wie...@porcupine.org) wrote:

> SysAdmin EM:
> > Hello,
> > I am configuring a backup server, which works through round-robin, it is
> a
> > server that is only for Hosting, not commercial emails, the idea is to
> use
> > it as a backup, is it possible to move the queue between servers? does it
> > matter that there are different IP addresses?
>
> It is safe to specify a main.cf:relayhost on the 'old' server
> and to let the queue drain to the 'new' server.
>
> So don't do any of these:
>
> You may lose mail due to filename clashes as you copy over files
> between servers. Postfix queue files do not have a unique name.
>
> Additionally, you may lose, corrupt, or duplicate mail as you copy
> files between RUNNING Postfix instances.
>
> Wietse
>


Re: Move queue to another Server, it's possible?

2020-07-01 Thread SysAdmin EM
Thanks for the reply.

I think he explained me wrong. I already have this configuration, but I
have some mails in the "hold" state of Hotmail assigned to IP number 1 and
number 2, when configuring a new interface, let's call interface number 5,
it is possible to move the mails assigned to interface number 1 and number
2 to interface number 5?

On Wed, Jul 1, 2020 at 12:51, Wietse Venema (
wie...@porcupine.org) wrote:

> SysAdmin EM:
> > I have another question, can I send the emails with another IP? tell
> > postfix to take it out through another interface? the mails I assign an
> > attribute "hold" can I tell postfix to come out from another interface?
> >
> > Example on server number "1" I have 5 IPs, I create a new interface, can I
> > send the queued emails with a new IP?
> >
> > I want to clarify that I am not sending email marketing in bulk, I only
> > send payment vouchers from schools, banks and other institutions. Also take
> > the opportunity to always thank you for the help you have given me, you are
> > always attentive to the needs of users.
>
> On the new server:
>
> master.cf:
>     smtp5 .. .. .. .. .. .. smtp -o smtp_bind_address=5.4.3.2
>
> main.cf:
>     smtpd_client_restrictions = check_client_access inline:{
>         {1.2.3.4 = FILTER smtp5:}
>     }
>
> Manually send one test message from the old server using telnet,
> netcat, or equivalent, and verify that the new server sends the
> mail to a destination server that logs the right IP address in their
> Received: header.
>
> On the old server set main.cf:relayhost to the 'new' server, and
> let the queue drain.
>
> Wietse
>


Prevent from falsification

2020-07-01 Thread SysAdmin EM
Hello,

I am working to minimize malformed mail that can be sent from my servers.

Example:

postfix-out/cleanup[1191]: BE1DF49336: warning: header From: "Juan Bautista PITTIER"  from localhost[127.0.0.1]; from= to= proto=ESMTP helo=

The user is using as From Header "gmail.com" which is very wrong.

I am about to use the spf check for these cases, through the "policy-spf"
component.

Do they recommend another way to block forgery from?


Postfix MySql result in boolean

2020-07-13 Thread SysAdmin EM
Hello,

I am using a suppression list in MySql with Postfix.

smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual-recipient-access.cf

query = SELECT access FROM virtual_sender_access WHERE source='%s'

the question is, is it possible to use boolean data?

like this:

SELECT COUNT(1) FROM virtual_sender_access WHERE source = 'u...@gmail.com'?

Regards,


smtpd_recipient_restrictions in mongodb?

2020-07-13 Thread SysAdmin EM
Hello,
I use a suppression list where I block domains and email accounts that
don't exist to prevent the reputation of my IP addresses from going down.

smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual-recipient-access.cf

# connection to mysql

hosts = 172.x.x.x
user = myuser
password = mypass
dbname = blacklist
query = SELECT access FROM virtual_sender_access WHERE source='%s'

The table currently has 4 million rows, so I am looking for a faster
database engine than MySql.
I read these posts http://www.postfix.org/DATABASE_README.html and
http://www.postfix.org/access.5.html but I didn't find any information.

Does postfix have support for mongo database?

Or what method do you recommend to host a large number of unknown users and
invalid domains?

Regards,


Re: smtpd_recipient_restrictions in mongodb?

2020-07-13 Thread SysAdmin EM
The user database is set up because my clients, some bad users, send mass
mailings to non-existent accounts, such as hotmail, gmail, which usually
measure the number of IP bounces. Also sometimes there are cases where the
PC or mobile device is infected with a virus and they use the email account
to send spam, so I add those accounts that they sent to my list because
they can see spam trap. the database has maintenance, the accounts within
it are cleaned as I check them with another system, I only clean those that
exist.

here I add some info from the table

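mysql> desc virtual_sender_access;
+---------------+-------------+------+-----+-------------------+-----------------------------+
| Field         | Type        | Null | Key | Default           | Extra                       |
+---------------+-------------+------+-----+-------------------+-----------------------------+
| id            | int(11)     | NO   | PRI | NULL              | auto_increment              |
| source        | varchar(64) | NO   | MUL |                   |                             |
| access        | varchar(64) | NO   |     |                   |                             |
| created_on    | timestamp   | NO   |     | -00-00 00:00:00   |                             |
| check_bounce  | int(11)     | NO   |     | NULL              |                             |
| last_modified | timestamp   | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
+---------------+-------------+------+-----+-------------------+-----------------------------+
6 rows in set (0.00 sec)

mysql> show index from virtual_sender_access ;
+-----------------------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| Table                 | Non_unique | Key_name | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment | Index_comment |
+-----------------------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
| virtual_sender_access |          0 | PRIMARY  |            1 | id          | A         |     4225535 |     NULL | NULL   |      | BTREE      |         |               |
| virtual_sender_access |          1 | source   |            1 | source      | A         |     4225535 |     NULL | NULL   |      | BTREE      |         |               |
+-----------------------+------------+----------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+---------------+
2 rows in set (0.00 sec)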

I would like to know if I can use mongo in the smtpd_recipient_restrictions
parameter anyway. Thank you.

Regards,



On Mon, Jul 13, 2020 at 18:05, Ralph Seichter (ra...@ml.seichter.de) wrote:

> * SysAdmin EM:
>
> > I use a suppression list where I block domains and email accounts that
> > don't exist to prevent the reputation of my IP addresses from going
> > down. [...] The table currently has 4 million rows, so I am looking
> > for a faster database engine than MySql.
>
> Can you clarify for me: You try to maintain a database for domains that
> do not exist and email accounts that do not exist? How would that work?
> Both the number of nonexistent domains and accounts are, while not
> infinite, huge. Why not list the domains and accounts that do exist?
> These numbers are definitely finite.
>
> As for your choice of database: I am a fan of MongoDB because of its
> capability of storing unstructured data, but here your data does have a
> well-defined, uniform structure. If you use a proper index, MySQL or
> similar relational databases should be quick as blazes.
>
> -Ralph
>


Re: smtpd_recipient_restrictions in mongodb?

2020-07-14 Thread SysAdmin EM
Exactly.

Here a typical row

| 1382959 | nelly_cab...@gmail.com | REJECT Recipient address rejected for policy reasons | 2018-11-04 01:49:33

mysql> describe virtual_sender_access ;
+---------------+-------------+------+-----+-------------------+-----------------------------+
| Field         | Type        | Null | Key | Default           | Extra                       |
+---------------+-------------+------+-----+-------------------+-----------------------------+
| id            | int(11)     | NO   | PRI | NULL              | auto_increment              |
| source        | varchar(64) | NO   | MUL |                   |                             |
| access        | varchar(64) | NO   |     |                   |                             |
| created_on    | timestamp   | NO   |     | -00-00 00:00:00   |                             |
| check_bounce  | int(11)     | NO   |     | NULL              |                             |
| last_modified | timestamp   | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
+---------------+-------------+------+-----+-------------------+-----------------------------+

All rows use this bounce "REJECT Recipient address rejected for policy
reasons".

On Tue, Jul 14, 2020 at 10:01, Ralph Seichter (ra...@ml.seichter.de) wrote:

> * SysAdmin EM:
>
> > query = SELECT access FROM virtual_sender_access WHERE source='%s'
>
> You wrote that you only store nonexistent sources. In that case, the
> value of the "access" column should always be something that indicates
> "access denied", possibly a constant value across all entries? If so,
>
>   SELECT 'restricted' as access FROM ...
>
> should provide a way of reducing the DB load in a very small way, as
> only an index scan would be required. However, that only saves one read
> operation per lookup and therefore may not help you much.
>
> I am still unconvinced that the type of data you are storing provides a
> good way to achieve your goal.
>
> > Does postfix have support for mongo database?
>
> Following Wietse's rule of "if it is not documented it is not supported"
> and the content of http://www.postfix.org/DATABASE_README.html , the
> answer should be no.
>
> -Ralph
>


Greylisted for 300 seconds and queue_run_delay

2020-08-04 Thread SysAdmin EM
Hello,

I think I understand that the "queue_run_delay" parameter is used to retry
an email.

Aug  4 12:19:23 smarthost03-ded postfix/qmgr[11588]: 68E2A18001AF1: from=<ju...@jorgeloinaz.com>, size=131840, nrcpt=1 (queue active)
Aug  4 12:19:26 smarthost03-ded postfix/smtp[14720]: 68E2A18001AF1: host mx8.webfaction.com[185.20.49.163] said: 450 4.2.0 : Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command)
Aug  4 12:19:29 smarthost03-ded postfix/smtp[14720]: 68E2A18001AF1: to=<ism...@ilaviola.com.ar>, relay=mx7.webfaction.com[185.20.49.162]:25, delay=5.9, delays=0.5/0/4.2/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2B4C2209E59E8)
Aug  4 12:19:29 smarthost03-ded postfix/qmgr[11588]: 68E2A18001AF1: removed

The first attempt was at 12:19:23 and then retry 12:19:29, I just wait 3
seconds.

I set queue_run_delay in 300s:

# postconf | grep queue_run_delay
queue_run_delay = 300s

Could it be that the retry value is not correctly set?

Regards,


Re: Greylisted for 300 seconds and queue_run_delay

2020-08-04 Thread SysAdmin EM
On Tue, Aug 4, 2020 at 13:13, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:

> On Tue, Aug 04, 2020 at 12:26:03PM -0300, SysAdmin EM wrote:
>
> > I think I understand that the "queue_run_delay" parameter is used to retry
> > an email.
> >
> > Aug  4 12:19:26 smarthost03-ded postfix/smtp[14720]: 68E2A18001AF1:
> >   host mx8.webfaction.com[185.20.49.163] said:
> >   450 4.2.0 : Recipient address rejected:
> >   Greylisted for 300 seconds (in reply to RCPT TO command)
> > Aug  4 12:19:29 smarthost03-ded postfix/smtp[14720]: 68E2A18001AF1:
> >   to=<ism...@ilaviola.com.ar>, relay=mx7.webfaction.com[185.20.49.162]:25,
> >   delay=5.9, delays=0.5/0/4.2/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok:
> >   queued as 2B4C2209E59E8)
> > Aug  4 12:19:29 smarthost03-ded postfix/qmgr[11588]: 68E2A18001AF1: removed
> >
> > The first attempt was at 12:19:23 and then retry 12:19:29, I just wait 3
> > seconds.
>
> That was not a "retry" of a deferred message, rather it was the same
> delivery attempt via a second MX host after the primary temp-failed.
>
> ilaviola.com.ar. IN MX 10 mx7.webfaction.com.
> ilaviola.com.ar. IN MX 10 mx8.webfaction.com.
> ilaviola.com.ar. IN MX 10 mx9.webfaction.com.
>
> > Could it be that the retry value is not correctly set?
>
> No, the message never went back into the queue, since it was delivered
> on the first attempt.  The second MX host tried did not enforce
> greylisting.
>

Any recommendation  to avoid retrying the second mx? in some cases when
retrying the second mx we also represent the grey list error.


> --
> Viktor.
>
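The difference described in the quoted reply, a second MX tried inside the same delivery attempt versus a message that goes back to the deferred queue, can be read from the smtp(8) log lines alone. The following is an added example, not part of the original thread: the log lines are constructed, the function name is hypothetical, and it keys on the reply code and the final status rather than on the greylisting text.

```python
import re

# Constructed sample, modelled on the Postfix log format quoted in this thread.
# Host names, addresses and queue IDs are placeholders, not values from the thread.
SAMPLE_LOG = """\
Aug  4 12:19:23 mta1 postfix/qmgr[100]: AAAA1111: from=<sender@example.org>, size=1000, nrcpt=1 (queue active)
Aug  4 12:19:26 mta1 postfix/smtp[200]: AAAA1111: host mx2.example.net[192.0.2.2] said: 450 4.2.0 <rcpt@example.net>: Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command)
Aug  4 12:19:29 mta1 postfix/smtp[200]: AAAA1111: to=<rcpt@example.net>, relay=mx1.example.net[192.0.2.1]:25, delay=5.9, delays=0.5/0/4.2/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BBBB2222)
Aug  4 12:19:29 mta1 postfix/qmgr[100]: AAAA1111: removed
Aug  4 12:20:01 mta1 postfix/smtp[201]: CCCC3333: host mx1.example.net[192.0.2.1] said: 450 4.2.0 <other@example.net>: Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command)
Aug  4 12:20:04 mta1 postfix/smtp[201]: CCCC3333: to=<other@example.net>, relay=mx2.example.net[192.0.2.2]:25, delay=4.0, delays=0.1/0/3.5/0.4, dsn=4.2.0, status=deferred (host mx2.example.net[192.0.2.2] said: 450 4.2.0 <other@example.net>: Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command))
"""

# "<date> <host> postfix[-instance]/smtp[pid]: <queue id>: <rest>"
SMTP_LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\spostfix(?:-\w+)?/smtp\[\d+\]:\s"
    r"(?P<qid>[0-9A-Za-z]+):\s(?P<rest>.*)$"
)
# Logged when one MX answers with an error and further MX hosts remain to be tried.
HOST_SAID = re.compile(r"^host (?P<host>\S+?)\[[^\]]+\] said: (?P<code>\d{3})\b")
# Logged once per recipient when the delivery attempt ends.
FINAL = re.compile(
    r"^to=<(?P<rcpt>[^>]*)>,.*?\brelay=(?P<relay>[^,]+),.*?\bdsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+)"
)


def classify_attempts(log_text):
    """Return one record per finished delivery attempt, in log order.

    Limitation: per-host failures are attached to the next final line of the
    same queue ID, which is exact for single-recipient messages (nrcpt=1).
    """
    pending = {}   # queue id -> [(host, reply code)] seen since the last final line
    attempts = []
    for line in log_text.splitlines():
        m = SMTP_LINE.match(line)
        if not m:
            continue  # qmgr, cleanup, smtpd lines carry no per-host result
        qid, rest = m["qid"], m["rest"]
        said = HOST_SAID.match(rest)
        if said:
            pending.setdefault(qid, []).append((said["host"], said["code"]))
            continue
        final = FINAL.match(rest)
        if not final:
            continue
        failed = pending.pop(qid, [])
        soft = [host for host, code in failed if code.startswith("4")]
        if final["status"] == "sent":
            # Delivered in this attempt; nothing was retried from the queue.
            outcome = "sent-via-alternate-mx" if soft else "sent-first-host"
        elif final["status"] == "deferred":
            # Every host tried failed; qmgr(8) retries later from the deferred queue.
            outcome = "deferred-to-queue"
        else:
            outcome = final["status"]
        attempts.append({
            "qid": qid,
            "rcpt": final["rcpt"],
            "relay": final["relay"],
            "dsn": final["dsn"],
            "outcome": outcome,
            "soft_failed_hosts": soft,
        })
    return attempts


if __name__ == "__main__":
    for a in classify_attempts(SAMPLE_LOG):
        print(a["qid"], a["outcome"], "4xx from:", ", ".join(a["soft_failed_hosts"]) or "-")
```
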


Re: Greylisted for 300 seconds and queue_run_delay

2020-08-04 Thread SysAdmin EM
Thank you very much everyone for the responses.

So I think that for this case I have no solution, I will continue
investigating thanks

On Tue, Aug 4, 2020 at 15:03, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:

> On Tue, Aug 04, 2020 at 02:37:22PM -0300, SysAdmin EM wrote:
>
> > > No, the message never went back into the queue, since it was delivered
> > > on the first attempt.  The second MX host tried did not enforce
> > > greylisting.
> >
> > Any recommendation  to avoid retrying the second mx? in some cases when
> > retrying the second mx we also represent the grey list error.
>
> Trying a second MX is the right thing to do.
>
> - Pattern matching the greylisting response is too fragile.
>
> - The various MX hosts may not share their greylisting caches,
>   and you may encounter another greylisting delay if you defer
>   and retry.
>
> - Probably some other reasons, that I'm too lazy to recall on
>   the spur of the moment.
>
> Just let Postfix do its job.
>
> --
> Viktor.
>


Re: Greylisted for 300 seconds and queue_run_delay

2020-08-04 Thread SysAdmin EM
On Tue, Aug 4, 2020 at 15:25, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:

> On Tue, Aug 04, 2020 at 03:19:27PM -0300, SysAdmin EM wrote:
> > Thank you very much everyone for the responses.
> >
> > So I think that for this case I have no solution, I will continue
> > investigating thanks
>
> My take is that rather than "no solution", what you don't have is a
> "problem".  Please consider the strong possibility that everything is
> working exactly as it should, and it is simply best to not dwell on
> the logs in question.
>
> If you do believe there's actually a problem, i.e. something actually
> goes wrong as a result of trying to delivery 4XX failures on a second MX
> host, please explain what it is that does not work the way it should.
>
> --
> Viktor.
>

I think I understood what I need, is it possible to send an email defer
when I receive a greylist error? I thought that with the command
"queue_run_delay" I could solve this but not.

Regards,


Re: Greylisted for 300 seconds and queue_run_delay

2020-08-05 Thread SysAdmin EM
Viktor,

My problem is that I cannot deliver the mail because the greylist does not
allow it and in some cases I also receive the same error in the other MXs.

# Example

Jul 31 09:30:08 smarthost03-ded postfix/smtp[22475]: A88B418003D5B: to=, relay=mx7.webfaction.com[185.20.49.162]:25, delay=969, delays=962/0.01/6.8/0.34, dsn=4.2.0, status=deferred (host mx7.webfaction.com[185.20.49.162] said: 450 4.2.0 : Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command))
Jul 31 09:31:04 smarthost03-ded postfix/smtp[22767]: A88B418003D5B: host mx9.webfaction.com[185.20.49.164] said: 450 4.2.0 : Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command)

I am use PowerMTA and depending on the message I receive, I can perform an
action such as hold the queue waiting for a certain time and not in postfix.

I understand that postfix retries on all MXs in the domain, can I configure
the retry time towards the second MX? I did not find it in the
documentation http://www.postfix.org/qmgr.8.html

Can I automatically send the queue into hold when I get a greylist error?

Regards,



On Tue, Aug 4, 2020 at 19:51, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:

> On Tue, Aug 04, 2020 at 05:47:35PM -0300, SysAdmin EM wrote:
>
> > > If you do believe there's actually a problem, i.e. something actually
> > > goes wrong as a result of trying to delivery 4XX failures on a second MX
> > > host, please explain what it is that does not work the way it should.
> >
> > I think I understood what I need, is it possible to send an email defer
> > when I receive a greylist error? I thought that with the command
> > "queue_run_delay" I could solve this but not.
>
> No queue_run_delay has nothing to do with whether a second MX host is
> tried when the first responds with a 4XX error.  It just controls how
> often qmgr(8) scans the deferred queue.
>
> Since you've not (yet?) explained what problem you're trying to solve,
> I'm not (yet) prepared to offer a (half-baked) solution.
>
> --
> VIktor.
>


Re: Greylisted for 300 seconds and queue_run_delay

2020-08-05 Thread SysAdmin EM
Is it possible to change the retransmission time to the second MX?

On Wed, Aug 5, 2020 at 10:41, SysAdmin EM (emaw...@gmail.com) wrote:

> Viktor,
>
> My problem is that I cannot deliver the mail because the greylist does not
> allow it and in some cases I also receive the same error in the other MXs.
>
> # Example
>
> Jul 31 09:30:08 smarthost03-ded postfix/smtp[22475]: A88B418003D5B:
> to=, relay=mx7.webfaction.com[185.20.49.162]:25,
> delay=969, delays=962/0.01/6.8/0.34, dsn=4.2.0, status=deferred (host
> mx7.webfaction.com[185.20.49.162] said: 450 4.2.0
> : Recipient address rejected: Greylisted for 300
> seconds (in reply to RCPT TO command))
> Jul 31 09:31:04 smarthost03-ded postfix/smtp[22767]: A88B418003D5B: host
> mx9.webfaction.com[185.20.49.164] said: 450 4.2.0
> : Recipient address rejected: Greylisted for 300
> seconds (in reply to RCPT TO command)
>
> I am use PowerMTA and depending on the message I receive, I can perform an
> action such as hold the queue waiting for a certain time and not in postfix.
>
> I understand that postfix retries on all MXs in the domain, can I
> configure the retry time towards the second MX? I did not find it in the
> documentation http://www.postfix.org/qmgr.8.html
>
> Can i automatically send the queue into hold when i get a greylist error?
>
> Regards,
>
>
>
> On Tue, Aug 4, 2020 at 19:51, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:
>
>> On Tue, Aug 04, 2020 at 05:47:35PM -0300, SysAdmin EM wrote:
>>
>> > > If you do believe there's actually a problem, i.e. something actually
>> > > goes wrong as a result of trying to delivery 4XX failures on a second
>> MX
>> > > host, please explain what it is that does not work the way it should.
>> >
>> > I think I understood what I need, is it possible to send an email defer
>> > when I receive a greylist error? I thought that with the command
>> > "queue_run_delay" I could solve this but not.
>>
>> No queue_run_delay has nothing to do with whether a second MX host is
>> tried when the first responds with a 4XX error.  It just controls how
>> often qmgr(8) scans the deferred queue.
>>
>> Since you've not (yet?) explained what problem you're trying to solve,
>> I'm not (yet) prepared to offer a (half-baked) solution.
>>
>> --
>> VIktor.
>>
>


Re: Greylisted for 300 seconds and queue_run_delay

2020-08-05 Thread SysAdmin EM
I think I have found what I need, I must increase the value of the
parameter "transport_retry_time".

### transport_retry_time (default: 60s)
The time between attempts by the Postfix queue manager to contact a
malfunctioning message delivery transport.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The
default time unit is s (seconds).

I will increase the value and I will see how it behaves thanks to everyone
for helping me, take good care

Regards,

On Wed, Aug 5, 2020 at 10:57, SysAdmin EM (emaw...@gmail.com) wrote:

> Is it possible to change the retransmission time to the second max?
>
> On Wed, Aug 5, 2020 at 10:41, SysAdmin EM (emaw...@gmail.com) wrote:
>
>> Viktor,
>>
>> My problem is that I cannot deliver the mail because the greylist does
>> not allow it and in some cases I also receive the same error in the other
>> MXs.
>>
>> # Example
>>
>> Jul 31 09:30:08 smarthost03-ded postfix/smtp[22475]: A88B418003D5B:
>> to=, relay=mx7.webfaction.com[185.20.49.162]:25,
>> delay=969, delays=962/0.01/6.8/0.34, dsn=4.2.0, status=deferred (host
>> mx7.webfaction.com[185.20.49.162] said: 450 4.2.0
>> : Recipient address rejected: Greylisted for 300
>> seconds (in reply to RCPT TO command))
>> Jul 31 09:31:04 smarthost03-ded postfix/smtp[22767]: A88B418003D5B: host
>> mx9.webfaction.com[185.20.49.164] said: 450 4.2.0
>> : Recipient address rejected: Greylisted for 300
>> seconds (in reply to RCPT TO command)
>>
>> I am use PowerMTA and depending on the message I receive, I can perform
>> an action such as hold the queue waiting for a certain time and not in
>> postfix.
>>
>> I understand that postfix retries on all MXs in the domain, can I
>> configure the retry time towards the second MX? I did not find it in the
>> documentation http://www.postfix.org/qmgr.8.html
>>
>> Can i automatically send the queue into hold when i get a greylist
>> error?
>>
>> Regards,
>>
>>
>>
>> On Tue, Aug 4, 2020 at 19:51, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:
>>
>>> On Tue, Aug 04, 2020 at 05:47:35PM -0300, SysAdmin EM wrote:
>>>
>>> > > If you do believe there's actually a problem, i.e. something actually
>>> > > goes wrong as a result of trying to delivery 4XX failures on a
>>> second MX
>>> > > host, please explain what it is that does not work the way it should.
>>> >
>>> > I think I understood what I need, is it possible to send an email defer
>>> > when I receive a greylist error? I thought that with the command
>>> > "queue_run_delay" I could solve this but not.
>>>
>>> No queue_run_delay has nothing to do with whether a second MX host is
>>> tried when the first responds with a 4XX error.  It just controls how
>>> often qmgr(8) scans the deferred queue.
>>>
>>> Since you've not (yet?) explained what problem you're trying to solve,
>>> I'm not (yet) prepared to offer a (half-baked) solution.
>>>
>>> --
>>> VIktor.
>>>
>>


dummy question, discard rcpt-to with header_checks

2020-08-08 Thread SysAdmin EM
Hello,

I'm trying to block a recipient's address (To:) but it doesn't work.

# main.cf
header_checks = regexp:/etc/postfix/header_checks

/^To.*gus...@gmail.com/ DISCARD

warning: header Subject: test Sat, 08 Aug 2020 12:44:14 -0300 from vps-1107836-x.dattaweb.com[179.43.124.100]; from=<ggonza...@ambitecnica.com.ar> to= proto=SMTP

I've tried To: or to = but can't get it to work.

I know this is a dummy question but I would like some help on that, thanks.

Regards,


Re: dummy question, discard rcpt-to with header_checks

2020-08-10 Thread SysAdmin EM
Hello, I am trying to discard the message after the DISCARD I add a message
which I use for informational purposes in the system.

Example:

/^To.*gus...@gmail.com/ DISCARD BLABLA001

Aug 10 10:40:22 smarthost01-ded postfix/cleanup[9766]: 13F1D60065: warning: header From: Higiene Empresarial  from vps-1107836-x.dattaweb.com[179.43.124.100]; from= to= proto=SMTP helo=
Aug 10 10:40:22 smarthost01-ded postfix/cleanup[9766]: 13F1D60065: warning: header Subject: =?utf-8?Q?Protocolo_Covid-19_-_F=C3=B3rmulas_potenciadas_de_=C3=BAltima_generaci=C3=B3n?= from vps-1107836-x.dattaweb.com[179.43.124.100]; from= to= proto=SMTP helo=
Aug 10 10:40:22 smarthost01-ded postfix/cleanup[9766]: 13F1D60065: message-id=<kpgyiziuplesktdhfog0oglqz8pdo8e9mjc5mva...@fm01.beneficiosnuthost.com>
Aug 10 10:40:22 smarthost01-ded postfix/qmgr[16663]: 13F1D60065: from=<ggonza...@ambitecnica.com.ar>, size=6160, nrcpt=1 (queue active)
Aug 10 10:40:23 smarthost01-ded postfix/smtp[1438]: 13F1D60065: to=<gus...@gmail.com>, relay=gmail-smtp-in.l.google.com[172.217.192.27]:25, delay=1.7, delays=0.11/0/0.8/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK  1597066823 h71si11798516pgc.228 - gsmtp)
Aug 10 10:40:23 smarthost01-ded postfix/qmgr[16663]: 13F1D60065: removed

I think the syntax is fine since I use the same for other recipients.

Regards,

On Sat, Aug 8, 2020 at 13:52, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:

> On Sat, Aug 08, 2020 at 01:00:20PM -0300, SysAdmin EM wrote:
>
> > I'm trying to block a recipient's address (To:) but it doesn't work.
>
> Please be more precise about what you mean by "block".  Are you
> trying to:
>
>    1. REJECT the recipient in incoming SMTP deliveries
>
>    2. REJECT messages where that recipient is one of the possibly
>       many recipients of the message.
>
>    3. Silently discard messages where that recipient is one of the possibly
>       many recipients of the message.
>
> > # main.cf
> > header_checks = regexp:/etc/postfix/header_checks
>
> Why are you trying to use header_checks and NOT an access(5)
> table with "check_recipient_access"?
>
> > /^To.*gus...@gmail.com/ DISCARD
>
> Since you don't operate gmail.com, this is likely a remote recipient
> that you don't want your local users to send email to.  How do your
> local users submit outbound email, is it via SMTP, or are they logged
> into the Postfix server and sending email (indirectly) via the
> sendmail(1) command (invoked via mail(1), Pine, Mutt, ...).
>
> --
> Viktor.
>


Cannot start TLS: handshake failure

2020-11-30 Thread SysAdmin EM
Hello,

When trying to send an email to a server which works with Microsoft
Exchange I receive the following message: Cannot start TLS: handshake
failure

Nov 30 14:43:58 smarthost04-ded postfix-out/smtpd[31559]: 0F6EE920CBC: client=localhost[127.0.0.1]
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: from smarthost04-ded.dattaweb.com (localhost [127.0.0.1])??by smarthost04-ded.dattaweb.com (Postfix) with ESMTPS id 0F6EE920CBC??for ; Mon, 30 Nov 2020 14:4 from localhost[127.0.0.1]; from= to=<fvid...@exchange.infoauto.com.ar> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: from sd-1465396-l.dattaweb.com (sd-1465396-l.dattaweb.com [138.219.43.209])??by smarthost04-ded.dattaweb.com (Postfix) with ESMTPS id C30CB920E6B??for ; Mon from localhost[127.0.0.1]; from= to=<fvid...@exchange.infoauto.com.ar> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: from [209.85.221.41] (helo=mail-wr1-f41.google.com)??by sd-1465396-l.dattaweb.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)??(Exim 4.92.2)??(envelope-from  to= proto=ESMTP helo=
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: by mail-wr1-f41.google.com with SMTP id i2so17320655wrs.4?for ; Mon, 30 Nov 2020 09:43:53 -0800 (PST) from localhost[127.0.0.1]; from=<fvid...@infoauto.com.ar> to= proto=ESMTP helo=
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header From: Santiago Videla  from localhost[127.0.0.1]; from= to=<fvid...@exchange.infoauto.com.ar> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: message-id=<caba6nqkhpp89zigz5xj_oid9rv4abi--8dhz6bzg3y3tz9w...@mail.gmail.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Subject: Re: Consulta INFOAUTO from localhost[127.0.0.1]; from= to= proto=ESMTP helo=
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header X-Spam-Report: Spam detection software, running on the system "eternia14",? has NOT identified this incoming email as spam.  The original? message has been attached to this so you can view it or label from localhost[127.0.0.1]; from= to=<fvid...@exchange.infoauto.com.ar> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/qmgr[31287]: 0F6EE920CBC: from=<fvid...@infoauto.com.ar>, size=55840, nrcpt=1 (queue active)
Nov 30 14:43:58 smarthost04-ded postfix/smtp[31558]: C30CB920E6B: to=<fvid...@exchange.infoauto.com.ar>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.4, delays=0.22/0/0.04/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F6EE920CBC)
Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: Cannot start TLS: handshake failure
Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<fvid...@exchange.infoauto.com.ar>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

posttls-finger -c -Ldebug "exet02.hostmar.com"
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection

# Postfix config

mail_version = 3.5.2

smtpd_use_tls=yes
smtp_use_tls=yes

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5

smtp_tls_ciphers = high
smtpd_tls_ciphers = high

Any ideas?

Regards,


Postfix says "Cannot start TLS: handshake failure" when try to send to Exchange 2007 Server

2020-11-30 Thread SysAdmin EM
I use Postfix as an SMTP server, in the last few days I have started to see
an error delivering mail to some servers.

I am trying to deliver an email to a Server with Microsoft Exchange 2007
and I receive the following message.

> Nov 30 15:29:40 smarthost04-ded postfix-out/qmgr[9305]: 56253920A60: from=, size=7238, nrcpt=1 (queue active)
> Nov 30 15:29:40 smarthost04-ded postfix/smtp[9335]: 32FEC920C41: to=, relay=127.0.0.1[127.0.0.1]:10026, delay=0.24, delays=0.1/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 56253920A60)
> Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: Cannot start TLS: handshake failure
> Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: to=, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.12, delays=0.09/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I have read the documentation but I cannot understand why this error occurs.

This is my configuration

```
postconf mail_version
mail_version = 3.5.2

smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache

```

Here I make a connection to the destination server

```
posttls-finger -c -Ldebug "exet02.hostmar.com"
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
```
Any ideas??

Regards,


Re: Cannot start TLS: handshake failure

2020-11-30 Thread SysAdmin EM
Thanks for the reply.

The configuration I am currently using is the following:

smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache

Since I don't know how to solve the problem, I started to test
configurations and wrote so fast that it didn't explain everything
correctly.

It seems strange to me because the connection was working correctly and no
changes have been made to the settings.

Here the configuration of the Exchange Server:
https://freeimage.host/i/FNElne

Any ideas??

On Mon, Nov 30, 2020 at 16:20, Viktor Dukhovni (postfix-us...@dukhovni.org) wrote:

> On Mon, Nov 30, 2020 at 02:50:43PM -0300, SysAdmin EM wrote:
>
> > Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: Cannot start TLS: handshake failure
> > Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<fvid...@exchange.infoauto.com.ar>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
>
> With opportunistic TLS, after a TLS failure, Postfix will typically try
> a second connection immediately without TLS once the message is "old
> enough" (has been deferred and is being retried).  So this message
> is likely delivered by now.
>
> > posttls-finger -c -Ldebug "exet02.hostmar.com"
> > posttls-finger: initializing the client-side TLS engine
> > posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
> > posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
> > posttls-finger: SSL_connect:before/connect initialization
> > posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> > posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
>
> > # Postfix config
> >
> > mail_version = 3.5.2
> >
> > smtpd_use_tls=yes
> > smtp_use_tls=yes
> >
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> You'd generally have better luck by not disabling TLSv1 and TLSv1.1,
> these are the best available TLS versions for some email servers, and
> are not weaker than falling back to cleartext.
>
> > smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
> > smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
> >
> > tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5
>
> This looks unwise.  The default value is better.
>
> > smtp_tls_ciphers = high
> > smtpd_tls_ciphers = high
>
> This can be too restrictive for some peer systems that only do (medium)
> RC4.  But in this case the server drops the connection immediately after
> accepting the STARTTLS command, and before receiving the client TLS
> HELLO.  The outbound transmission of the client HELLO fails (presumably
> a TCP RST arrived right after the STARTTLS ok):
>
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: Connected to exet02.hostmar.com[200.58.120.69]:25
> posttls-finger: < 220 HMEXCAS01.host.hm.local Microsoft ESMTP MAIL Service ready at Mon, 30 Nov 2020 16:13:58 -0300
> posttls-finger: > EHLO [...]
> posttls-finger: < 250-HMEXCAS01.host.hm.local Hello [...]
> posttls-finger: < 250-SIZE
> posttls-finger: < 250-PIPELINING
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-X-ANONYMOUSTLS
> posttls-finger: < 250-AUTH NTLM LOGIN
> posttls-finger: < 250-X-EXPS GSSAPI NTLM
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-BINARYMIME
> posttls-finger: < 250-CHUNKING
> posttls-finger: < 250-XEXCH50
> posttls-finger: < 250 XRDST
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 SMTP server ready
> posttls-finger: setting up TLS

SASL authentication failure: Internal Error

2021-02-18 Thread SysAdmin EM
Hello everyone,

I run telnet from outside my network to a server and I receive the
following message

# telnet server7 25
Trying 200.x.x.x...
Connected to server07.
Escape character is '^]'.
Connection closed by foreign host.

In the Postfix logs I see this:

Feb 18 13:03:31 server07 postfix/smtpd[11585]: connect from mon.sever.com[200.x.x.x]
Feb 18 13:03:31 server07 postfix/smtpd[11585]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757
Feb 18 13:03:31 server07 postfix/smtpd[11585]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757
Feb 18 13:03:31 server07 postfix/smtpd[11585]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757

I have never seen this error message. I do not know how to solve it or where
to read about it.

Any ideas?

Regards,


Cache for smtpd_recipient_restrictions????

2021-03-30 Thread SysAdmin EM
Hello,

I would like to know if there is any way to implement cache for the
smtpd_recipient_restrictions parameter?

I use MySql to store a table full of non-existent users, which I was saving
from email accounts that have been compromised by viruses on the PC.

Any recommendation?

Regards,


[P-U] Correct way to disable sender_canonical

2023-03-08 Thread SysAdmin EM via Postfix-users
I am administering a Postfix that uses sender_canonicals to do a rewrite of
the header from but I need to disable that option.

I have commented the sender_canonical file but when reloading the
configuration I try to send an email and the service fails.

#sender_canonical_maps = regexp:/etc/postfix/sender_canonical
#local_header_rewrite_clients = static:all

I see this:


220 email.domaintest.com ESMTP Postfix
250- email.domaintest.com
250-PIPELINING
250-SIZE 15360
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
451 4.7.1 Service unavailable - try again later
221 2.0.0 Bye

this is my config:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 5h
config_directory = /etc/postfix
header_checks = regexp:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = ipv4
local_header_rewrite_clients = static:all
mailbox_size_limit = 0
maximal_backoff_time = 3h
maximal_queue_lifetime = 5h
message_size_limit = 15360
milter_default_action = accept
milter_protocol = 2
minimal_backoff_time = 15m
mydestination = mail.domaintest.com, localhost.olleros, , localhost
myhostname = email.domaintest.com
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 10.10.0.0/16 192.168.22.0/24 10.1.27.0/24 10.1.120.0/24 10.1.20.0/24 10.1.24.0/24 172.31.32.0/20 10.54.175.0/24 172.16.0.0/24 10.54.0.0/16 172.31.3.98/32
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12345,inet:localhost:54321
queue_run_delay = 300s
readme_directory = no
recipient_delimiter = +
relayhost =
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_milters = inet:localhost:12345,inet:localhost:54321
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_exclude_ciphers = "aNULL"
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_mandatory_ciphers = medium, high
smtpd_tls_mandatory_protocols = TLSv1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport

The idea is not to rewrite more headers, any help in disabling this?

Regards,
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Sender Canonical Condition

2023-03-10 Thread SysAdmin EM via Postfix-users
Good day, I request help: is it possible to use conditions in the
sender_canonical file? We are migrating an entire system and some customers
do not have our SPF added.

I would like to add a condition to rewrite the from when it does
not match a condition.

Example,

If the from is not domain1.com and domain2.com do a rewrite of the from by
no-re...@mydomain.com.

Any help?


[pfx] Re: Sender Canonical Condition

2023-03-10 Thread SysAdmin EM via Postfix-users
I’ve created the following rule but I don’t know if it works.

!if !/^(.*)@(domainclient1.com|domainclient2.com|domainclient3.com)$/
nore...@mydomain.com
endif

At the moment there are only domains that have our spf, as there are many
domains that do not have our spf, I want to create a rule to rewrite the
from of all emails but with some exclusions.

Any help?


On Fri, Mar 10, 2023 at 9:17 AM SysAdmin EM wrote:

> Good day, I request help: is it possible to use conditions in the
> sender_canonical file? We are migrating an entire system and some customers
> do not have our SPF added.
>
> I would like to add a condition to rewrite the from when it does
> not match a condition.
>
> Example,
>
> If the from is not domain1.com and domain2.com do a rewrite of the from
> by no-re...@mydomain.com.
>
> Any help?
>


[pfx] header_checks not work with regexp

2023-04-14 Thread SysAdmin EM via Postfix-users
Sorry for such a basic question but I couldn’t find a solution on my part.
I’m trying to block a Subject using header_checks but it’s not working.

This is my rule:

/^Subject:.*Invalid HTTP_HOST header.*/ DISCARD SUBJECTALERT

I used postmap to test the rule but it does not match.

postmap -q "[KIS] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '10.54.130.188:8020'. You may need to add u'10.54.130.188' to ALLOWED_HOSTS." regexp:/etc/postfix/header_checks

In the configuration I see support for regexp:

postconf -m
btree
cidr
environ
fail
hash
internal
memcache
nis
proxy
regexp
sdbm
static
tcp
texthash
unix

postconf mail_version
mail_version = 2.9.6

Is there something wrong with my rule?


[pfx] Re: header_checks not work with regexp

2023-04-14 Thread SysAdmin EM via Postfix-users
The rule does not work

postmap -q "Subject: [KIS] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '10.54.130.188:8020'. You may need to add u'10.54.130.188' to ALLOWED_HOSTS." regexp:/etc/postfix/header_checks
WARN

/^Subject:.*You may need to add.*/ DISCARD BLOCK_TEMPORAL

any ideas??


On Fri, Apr 14, 2023 at 3:50 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Fri, Apr 14, 2023 at 03:31:17PM -0300, SysAdmin EM via Postfix-users
> wrote:
>
> > Sorry for such a basic question but I couldn’t find a solution on my
> > part.  I’m trying to block a Subject using header_checks but it’s not
> > working.
> >
> > This is my rule:
> >
> > /^Subject:.*Invalid HTTP_HOST header.*/ DISCARD SUBJECTALERT
>
> This looks OK, and expects a "Subject:" header.
>
> > I used postmap to test the rule but not match.
> >
> > postmap -q "[KIS] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '10.54.130.188:8020'. You may need to add u'10.54.130.188' to ALLOWED_HOSTS." regexp:/etc/postfix/header_checks
>
> This is not a "Subject:" header.  Perhaps you meant to type:
>
> postmap -q "Subject: [KIS] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '10.54.130.188:8020'. You may need to add u'10.54.130.188' to ALLOWED_HOSTS." regexp:/etc/postfix/header_checks
>
> --
> Viktor.


[pfx] Re: header_checks not work with regexp

2023-04-17 Thread SysAdmin EM via Postfix-users
Hello everyone, the problem persists. Maybe I’m doing something wrong.

Step 1, I add the rule in the /etc/postfix/header_checks file

/^Subject:.*You may need to add/ DISCARD TMP_BLOCK

Step 2, postmap /etc/postfix/header_checks and postfix surcharge.

Are these steps correct?

Could the problem occur because the postfix-regexp library is not installed?


[pfx] Block based on subject and rcpt to

2023-08-14 Thread SysAdmin EM via Postfix-users
Hi, is it possible to discard an email based on the Subject and the
destination email address?

I tried this and it does not work:

/^Subject:.*Test email subject .*To:.*m...@me.com/ DISCARD

Any help?
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
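
An added sketch (not part of any post in these threads, and not Postfix code) of the two lookup behaviours the header_checks threads above turn on: a regexp: table returns the action of the first rule that matches the query string, and header_checks compares each logical header on its own, so one pattern never sees both Subject: and To:. Assumptions: Python's `re` stands in for POSIX regexp, the leading WARN rule and the sample message are constructed, and me@example.com is a placeholder address.

```python
import re

# Constructed table: an assumed earlier WARN rule, then two rules from the threads
# (the recipient address is a placeholder).
TABLE = r"""
/^Subject:.*ERROR \(EXTERNAL IP\)/ WARN
/^Subject:.*You may need to add/ DISCARD TMP_BLOCK
/^Subject:.*Test email subject .*To:.*me@example\.com/ DISCARD
"""
RULE = re.compile(r"^/((?:\\.|[^/\\])*)/([imx]*)\s+(.*)$")

def load_table(text):
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # blank line, comment, or syntax this sketch does not model
        pattern, flags, action = m.groups()
        # regexp: tables match case-insensitively unless the "i" flag turns that off
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules

def lookup(rules, key):
    """Like `postmap -q key regexp:file`: action of the first matching rule, else None."""
    for rx, action in rules:
        if rx.search(key):
            return action
    return None

def logical_headers(message):
    """Split the header block into logical headers (folded lines joined, simplified)."""
    headers = []
    for line in message.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += line
        else:
            headers.append(line)
    return headers

def check_message(rules, message):
    """Look up every logical header separately, the way header_checks is applied."""
    return [(h.split(":", 1)[0], lookup(rules, h)) for h in logical_headers(message)]

RULES = load_table(TABLE)
SUBJECT = ("[KIS] ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '10.54.130.188:8020'. "
           "You may need to add u'10.54.130.188' to ALLOWED_HOSTS.")
MESSAGE = "From: app@example.com\nTo: me@example.com\nSubject: Test email subject 42\n\nbody\n"  # constructed

if __name__ == "__main__":
    print(lookup(RULES, SUBJECT))                # key has no "Subject:" prefix
    print(lookup(RULES, "Subject: " + SUBJECT))  # first matching rule wins
    print(check_message(RULES, MESSAGE))         # each header is checked alone
```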