Re: odd client restrictions behaviour

2008-12-24 Thread postfix-users

> The postfix log says:
> 
> "RCPT from unknown[202.70.195.135]"
> 
> Regardless of the results from dig, doesn't the above log entry mean 
> that postfix is unable to find an rdns entry for this IP and that 
> reject_unknown_reverse_client_hostname should be rejecting the
> connection?
> 
> Terry

No.  As explained previously.  It says unknown because the rDNS entry
(Which is present) doesn't have a forward.  e.g. the reverse is set to
x.y.z.host.com but there is no actual dns entry for x.y.z.host.com
resolving to that IP.  Hence this is a bad check to perform, since most
dialup providers create the rDNS but don't always put in the forward to
match...

Lee
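
The distinction described in this reply, as an added example that is not part of the original thread: a simplified model of how the logged client name relates to `reject_unknown_reverse_client_hostname` and `reject_unknown_client_hostname`. The DNS records are constructed, the function names are hypothetical, and temporary DNS failures are ignored.

```python
# Added example, not from the thread. Models the three lookups behind the
# client name Postfix logs: address -> name (PTR), name -> address (A), and
# the comparison of that address with the connecting client.
# All records below are constructed and use documentation address ranges.

PTR_RECORDS = {
    "192.0.2.10": "mail.example.net",    # PTR present, forward record matches
    "192.0.2.20": "dyn-20.isp.example",  # PTR present, name has no A record
    "192.0.2.30": "host.example.org",    # PTR present, A record points elsewhere
    # 192.0.2.40 has no PTR record at all
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "host.example.org": ["198.51.100.7"],
}


def classify_client(ip, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return the logged name and which restriction would reject this client."""
    reverse_name = ptr_records.get(ip)                      # address -> name
    forward_addrs = a_records.get(reverse_name, []) if reverse_name else []
    confirmed = ip in forward_addrs                         # name -> same address
    return {
        "reverse_name": reverse_name,
        # The log shows "unknown" unless the forward lookup confirms the PTR.
        "logged_as": f"{reverse_name if confirmed else 'unknown'}[{ip}]",
        # Rejects only when there is no address -> name mapping at all.
        "reject_unknown_reverse_client_hostname": reverse_name is None,
        # Rejects when any of the three steps fails.
        "reject_unknown_client_hostname": not confirmed,
    }


def report(ips):
    """Format one line per client for a quick side-by-side comparison."""
    rows = []
    for ip in ips:
        c = classify_client(ip)
        rows.append(
            f"{c['logged_as']:32} PTR={c['reverse_name'] or '-':20} "
            f"reverse_check={'REJECT' if c['reject_unknown_reverse_client_hostname'] else 'pass':6} "
            f"full_check={'REJECT' if c['reject_unknown_client_hostname'] else 'pass'}"
        )
    return rows


if __name__ == "__main__":
    for row in report(["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]):
        print(row)
```

The second and third clients are the case from the thread: both are logged as `unknown[...]`, yet only the stricter restriction rejects them.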


Spam to a "submail" via recipient_delimiter

2010-03-08 Thread postfix-users

Hello,
i used to create on-the-fly mail-addresses with "recipient_delimiter" 
set to "."


Now, one of those mail-addresses is heavily receiving spam.

As this mail-address is of the form "user@...", cannot just remove 
the user "user.sub" from my list of users.


I would like to reject any mail to "user@..." as early as possible 
while still allowing mail to any other "user.s...@..." or "u...@...".


So far, i could only find "check_recipient_access" that points to a file that 
contains addresses to be rejected.
But as far as i can tell, this is already quite late in processing the 
mails!


Is there any other way to reject/tarpit such "sub-mail-addresses" (from 
recipient_delimiter) very very early in processing the mail?


At best, directly after reading the first header-line ...

Thanks for any hint!


Re: Spam to a "submail" via recipient_delimiter

2010-03-08 Thread postfix-users

/dev/rob0 wrote:

>> But as far as i can tell, this is already quite late in
>> processing the mails!
>
> Why do you think so?


I seem to remember, that the recipient code technically is called later 
- after all headers and maybe even data has been read by the server.


I would like to reject those mails as soon as possible and thought, this 
requires a different place.


Thanx for your hint!



Re: Spam to a "submail" via recipient_delimiter

2010-03-08 Thread postfix-users

postfix-us...@tja-server.de wrote:

> /dev/rob0 wrote:
>
>>> But as far as i can tell, this is already quite late in
>>> processing the mails!
>>
>> Why do you think so?
>
> I seem to remember, that the recipient code technically is called later 
> - after all headers and maybe even data has been read by the server.



From your URLs, i found the text again, that made me think this way:

In 
http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient i 
found the following text:



Other restrictions that are valid in this context:
[...]
SMTP command specific restrictions described under 
smtpd_sender_restrictions  or smtpd_recipient_restrictions. When sender 
or recipient restrictions are listed under smtpd_helo_restrictions, they 
have effect only with "smtpd_delay_reject  = yes", so that 
$smtpd_helo_restrictions  is evaluated at the time of the RCPT TO command.



So, it seems that using "check_recipient_access" as argument to 
"smtpd_helo_restrictions" would reject mails more early than using the 
same for "smtpd_recipient_restrictions", or?


In summary:

smtpd_recipient_restrictions = check_recipient_access ...,
would reject later than
smtpd_helo_restrictions = check_recipient_access ...,

So, for getting rid of that spam as early as possible, 
"smtpd_helo_restrictions" would be better than 
"smtpd_recipient_restrictions".


Or not?



All email forward a copy to testing server

2010-03-19 Thread postfix users
Hi,

I am migrating Exchange 2000 to Exchange 2010, but before we switch over
to the new server, I want to make a copy of email to the new server for testing.


Existing Config:

Postfix -> Amavisd -> Exchange 2000

Here is what I want:

Postfix ---> Amavisd -> Exchange 2000
        ---> Exchange 2010

Is it possible?

Or is it better to forward all email before Postfix?

email -- some program? --> Postfix ---> Amavisd -> Exchange 2000
                                   --> Exchange 2010

Many thanks in advance.

Regards,
Paul Margaillan


Re: All email forward a copy to testing server

2010-03-22 Thread postfix users
Dear  Noel,

Thanks for your reply.

Does it mean on my new Exchange 2010 server, I need to add
"@new.example.com" email address for each recipient?

For example, if I send email to p...@example.com.

After postfix processes it, it rewrites the email address to
p...@new.example.com and delivers it to our new Exchange server.

Is it possible to do it by rewriting the recipient email address?


Regards,
Paul

On Sat, Mar 20, 2010 at 11:19 AM, Noel Jones  wrote:
>
> On 3/19/2010 8:34 PM, postfix users wrote:
>>
>> Hi,
>>
>> I am migrating the Exchange 2000 to Exchange 2010, but before we switch
>> over to new server, I want make a copy of email to new server for testing.
>>
>>
>> Existing Config:
>>
>> Postfix -> Amavisd -> Exchange 2000
>>
>> Here what I want :
>>
>> Postfix ---> Amavisd -> Exchange 2000
>>            ---> Exchange 2010
>>
>> Is it possible?
>>
>> Or it is better forward all email before Postfix?
>>
>> email -- some program? --> Postfix ---> Amavisd -> Exchange 2000
>>                                    --> Exchange 2010
>>
>> Many thanks in advance.
>>
>> Regards,
>> Paul Margaillan
>>
>>
>>
>>
>
> (copy of an answer from a few days ago)
>
> To deliver to two destinations, you need two recipients.
>
> You can use a regexp recipient_bcc_maps to add another
> recipient, then use smtp_generic_maps to rewrite it back to
> the original during delivery.  Use a transport_maps entry to
> direct the bcc'ed mail to the proper server.
>
> # main.cf
> recipient_bcc_maps = regexp:/etc/postfix/recipient_bcc
> smtp_generic_maps = hash:/etc/postfix/smtp_generic
> transport_maps = hash:/etc/postfix/transport
>
> # recipient_bcc
> if /@example\.com/
> /^...@example\.com$/  ...@new.example.com
> endif
>
> # smtp_generic
> @new.example.com  ...@example.com
>
> # transport
> new.example.com  smtp:new.server.example.com
>
> Be sure to postmap the hash: tables after making changes to them.
>
>   -- Noel Jones


Mailgateway

2010-04-07 Thread postfix-users

Hello,

i would like to create the following setup for two postfix servers.

The setup:

Server A is the smtp(s) server and the MX record for some domains.
It accepts mail from clients over sasl/tls for delivery to the internet 
or to the domains.

It does forward all external mail to Server B.
It works as a mail-gateway.

Server B has no MX record, but takes all mails from Server A, stores 
them locally (for access via IMAP) or delivers them to hosts from the 
domains.
All outbound mail will NOT be delivered directly, but transported to the 
mail-gateway Server A, which in turn delivers to the internet. This way, 
the MX server will be the source of such mail ...


So, all external input or output will be done by Server A.
Internal delivery will be done by Server B, while all other domains will 
be forwarded to Server A again ...


This sounds like a possible loop :-/


I have some ideas about mydestination, relay_domains, mynetworks and a 
transport map, but i feel that there may be an easy and RECOMMENDED way to 
create such a setup ...


Can anybody give me a hint about the best direction to go?

Thank you!


Re: Mailgateway

2010-04-08 Thread postfix-users

Thank you, Noel!

I got that running - mostly :)

Server A (MX, SMTP: smtp.example.com) has:

relay_domains = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains

relay_transport = smtp:[smtp.example.com]
mynetworks = [ip.ad.dr.es], ...

Where /etc/postfix/mydomains lists all domains to be relayed and the 
relay_transport is the IP of Server B:


Server B (IMAP, imap.example.com) has:

relayhost = [smtp.example.com]
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains

mynetworks = [ip.ad.dr.es], ...


This setup works for me - beside one problem:


The /etc/aliases of Server A will not be honored, which means that all 
mail to any of the domains will be transported to Server B, which in 
turn will bounce the mail.


I would like to let already Server A bounce those mails!


Using a relay_recipient_maps as you wrote, seems to be the right way, 
but i cannot get it running.


Like in a /etc/aliases file, i want to accept certain users for all domains.

I tried to create the file as follows:

awk -F: '{print $1}' /etc/aliases | egrep -v "^(#|$)" | awk '{print $1"@  OK"}' | sort -u > relay_recipient_map


So, for example, it contains lines like:

user1@  OK
user2@  OK

But this does not work :-(

I would not like to list all users for all domains, but just accept mail 
to the existing users for ALL domains (as shown in my example above).


Is there a way to reach that goal?
Or do i need to add one line for each user in every domain?

Thank you!
:)


Re: Mailgateway

2010-04-08 Thread postfix-users

I got caught by that already :-O

My server bounced two mails from the list (having relay_recipient_maps 
set up wrongly) - and i have no idea if that was already an answer ...


So, if somebody answered to my last mail, please send it again.
:)

Sorry for that!





Rejecting certain sub-names (from recipient_delimiter)

2010-04-08 Thread postfix-users

One more question, as i reconfigure my mail-servers :)

I have "recipient_delimiter" set to ".", so that 
user.@example.com will be delivered to u...@example.com


Now, i have a certain sub-name, that i want to REJECT.

For example:

user.s...@example.com

Is it possible to reject mail to user.s...@example.com while accepting 
all other use...@example.com addresses?



So far, i found "recipient_access" to allow this:

main.cf:
check_recipient_access pcre:/etc/postfix/recipient_access

/etc/postfix/recipient_access:
/^user\.s...@example\.com$/  REJECT


Is this the right way to handle this?

Or are there other, more recommended methods?


Re: Mailgateway

2010-04-08 Thread postfix-users

Noel Jones wrote:


Everything is running fine :)

Thank you!


Re: Rejecting certain sub-names (from recipient_delimiter)

2010-04-08 Thread postfix-users

Ralf Hildebrandt wrote:

check_recipient_access hash:/etc/postfix/recipient_access

user.s...@example.com REJECT


Thanx, that is more easy to use :)


Re: Mailgateway

2010-04-08 Thread postfix-users

Ansgar Wiechers wrote:

It should work if the FQDN is the FQDN of server B. It shouldn't work if
the FQDN is the FQDN of server A (which was the case in your config
snippet).


Ahh ...
Was too fast to format that stuff, sorry for that!



The default includes all local users of the machine, which probably is
not what you want, considering the machine's purpose.


That's a good argument - i changed the config!

Thanx again :)


Re: Mailgateway

2010-04-08 Thread postfix-users
And finally, to showcase my config, the "postconf -n" outputs, modified 
to remove real hostnames and IP-addresses.


A "client" server:

config_directory = /etc/postfix
mydomain = example.com
mynetworks = 127.0.0.1/8
myorigin = $mydomain
relayhost = smtp.example.com


The MX SMTP server (Server A):

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
local_recipient_maps = $alias_maps
mailbox_size_limit = 1073741824
message_size_limit = 2048
mydestination = localhost
mydomain = example.com
myhostname = smtp.example.com
mynetworks = 127.0.0.0/8, IP.AD.DR.ES/32, IP.AD.DR.ES/32,
    IP.AD.DR.ES/29, IP.AD.DR.ES/32, IP.AD.DR.ES/32, IP.AD.DR.ES/31,
    IP.AD.DR.ES/32
myorigin = $mydomain
recipient_delimiter = .
relay_domains = /etc/postfix/mydomains
relay_recipient_maps = hash:/etc/postfix/relay_recipient_map
relay_transport = smtp:[mail.example.com]
relocated_maps = hash:/etc/postfix/relocated
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
    check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no


And the IMAP server (Server B):

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
mailbox_size_limit = 1073741824
message_size_limit = 2048
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains
mydomain = example.com
mynetworks = 127.0.0.0/8, IP.AD.DR.ES/32, IP.AD.DR.ES/32,
    IP.AD.DR.ES/29, IP.AD.DR.ES/32, IP.AD.DR.ES/32, IP.AD.DR.ES/31,
    IP.AD.DR.ES/32
myorigin = $mydomain
recipient_delimiter = .
relayhost = [smtp.example.com]
relocated_maps = hash:/etc/postfix/relocated
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_unknown_reverse_client_hostname,
    check_client_access hash:/etc/postfix/client_access
smtpd_data_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_access
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no


Re: Mailgateway

2010-04-08 Thread postfix-users

Noel Jones wrote:

> This should use $data_directory rather than $queue_directory.
>
> $data_directory must be a directory owned by $mail_owner (default 
> "postfix") and not used by any other programs.  On most systems this 
> defaults to /var/lib/postfix.

On my systems (Debian 4 and 5), data_directory is not set!
And nothing points to /var/lib/postfix, which does not even exist :-O


postconf | grep directory | grep \/ | grep -v execution_directory_expansion_filter | grep -v '\$'

command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
mail_spool_directory = /var/mail
manpage_directory = /usr/share/man
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples

postconf mail_version
mail_version = 2.3.8


> All smtpd_*_restrictions should start with "permit_mynetworks, 
> permit_sasl_authenticated" to prevent rejecting authorized clients.

>> smtpd_helo_restrictions = reject_invalid_helo_hostname
>
> Same comment as above.

OK.
I added that!

Also to smtpd_sender_restrictions, as you mentioned above.

>> smtpd_use_tls = yes
>
> This parameter is obsolete.  Rather use
> smtpd_tls_security_level = may

OK.
I added that too and removed smtpd_tls_auth_only as this will be set anyway.

Thank you very much!
I begin to like my configurations now :)


New server, still older software, minimal configuration

2014-03-23 Thread postfix-users

Hello my dear Postfix users :)

I got a "new" server, that still runs older software: Debian 6.0.9 with 
Postfix 2.7.1


I tried to start anew and tried to get my configuration as small as 
possible, with only few changes to the default settings.

I am using "grossd" as greylisting server on port 5525

Esp. at the smtpd_*_restrictions i am unsure if i did too much ... or 
too few :)

Maybe someone could have a look at those things?
Did i do wrong?

Thank you very much!

I came out with the following:

alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
mailbox_command = /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/MyMail/ MAILDIR=$HOME/MyMail
mailbox_size_limit = 1073741824
message_size_limit = 41943040
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/mydomains
myhostname = MYFQHN
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128, MYOWNIP/32
mynetworks_style = host
recipient_delimiter = .
relocated_maps = hash:/etc/postfix/relocated
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access,
    permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated,
    reject_unknown_reverse_client_hostname, reject_unknown_client_hostname,
    permit
smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access,
    permit_mynetworks, permit_sasl_authenticated,
    reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access,
    permit_mynetworks, permit_sasl_authenticated, reject_unlisted_recipient,
    reject_non_fqdn_recipient, reject_unauth_destination,
    reject_unknown_recipient_domain, check_policy_service inet:localhost:5525,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_address, permit
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = yes

At client_access, i added some otherwise problematic clients.
At header_checks, i remove some header lines (User-Agent and initial 
Received "by" server).

At helo_access, i added some otherwise problematic servers.
At mydomains, i list all domains i am hosting.
At recipient_access, i redirect or reject some "sub-domains" (some 
spammed mail-addresses).
At relocated, i bounce (or send information about) some old and unused 
mail-addresses.

sender_access is currently empty.



Re: New server, still older software, minimal configuration (connect / disconnect from unknown)

2014-03-25 Thread postfix-users

I was suspecting this already:

Mar 25 12:16:56 HOSTNAME postfix/smtpd[6243]: connect from 
unknown[180.93.167.227]
Mar 25 12:16:58 HOSTNAME postfix/smtpd[6243]: disconnect from 
unknown[180.93.167.227]


Something seems to get through that possibly should not?
I have no idea, what i should fix :-(






Re: postfix delivers all mail to root's mailbox

2014-04-02 Thread postfix-users

Yes, this default value also bugged me several times :)
Strange to add a NIS map by default ...

BTW, i hate that the reply-to is not set to the list  :D


chrissko wrote:

The output is indeed a non-root user, but before I run the command you
mentioned, I modified the /etc/main.cf file, so now alias_maps =
hash:/etc/aliases (without nis:mail.aliases) and it started working, it
delivers the emails fine now. Thank you very much for your patience and
help!

This issue is sorted now. 
  




Re: Asking about heartbleed

2014-04-10 Thread postfix-users

Wietse Venema wrote:

OpenSSL versions prior to 1.0.1 don't
have the heartbeat feature and have never been affected by this bug.
  


ii  openssl   0.9.8o-4squeeze14   Secure Socket Layer (SSL) binary and related cryptographic tools


Never change a running system :D


header_checks - transport problem

2021-11-16 Thread postfix-users

Hi all,

I try to use header_checks to route mails with a specific header through 
a different SMTP with special TLS options.


Therefore I configured a new SMTP service in master.cf:
    smtp-sec  unix  -   -   y   -   -   smtp
  -o smtp_header_checks=
  -o syslog_name=postfix_smtp-sec
  -o smtp_tls_security_level=secure

and a test header check:
    /^Subject: test1test/   FILTER smtp-sec:

This is for testing only. Later I wanted to do this with special headers.

According to the documentation 
(http://www.postfix.org/header_checks.5.html) it should be possible 
since Postfix 2.7 with this entry to change the transport but not the 
nexthop:
  "... To override the recipient's transport but not the next-hop 
destination, specify an empty filter destination ..."

I use postfix 3.5.6-1+b1 (Debian 11).

My postfix has a transport table for sending mails for the internal 
domain to a mailbox server:

    testdomain.net    relay:[10.0.0.2]

But now when a mail for testdomain.net with the subject "test1test" 
arrives, postfix does a MX lookup and gives an error:

    end attr reason = mail for testdomain.net loops back to myself

The log shows that trivial-rewrite does a lookup on the transport map 
and sets the nexthop:
    Nov 16 13:38:19 mailtest1 postfix/trivial-rewrite[1143350]: 
`t...@example.org' -> `tes...@testdomain.net' -> (`relay' `[10.0.0.2]' 
`tes...@testdomain.net' `2048')
    Nov 16 13:38:19 mailtest1 postfix/trivial-rewrite[1143350]: send 
attr flags = 0
    Nov 16 13:38:19 mailtest1 postfix/trivial-rewrite[1143350]: send 
attr transport = relay
    Nov 16 13:38:19 mailtest1 postfix/trivial-rewrite[1143350]: send 
attr nexthop = [10.0.0.2]


Then cleanup sets the transport:
    Nov 16 13:38:19 mailtest1 postfix/cleanup[1147934]: 5C0D85B05: 
filter: header Subject: test1test from unknown[192.0.2.1]; 
from= to= proto=ESMTP 
helo=: smtp-safe:


But the smtp-sec service does a MX lookup and ends in an
    Nov 16 13:38:19 mailtest1 postfix_smtp-sec/smtp[1147935]: send attr 
action = failed
    Nov 16 13:38:19 mailtest1 postfix_smtp-sec/smtp[1147935]: send attr 
reason = mail for testdomain.net loops back to myself


Do I miss anything or is it an incorrect approach?

Regards
  Marcus


Re: header_checks - transport problem

2021-11-16 Thread postfix-users

Yes, smtp-sec and smtp-safe is the same (copy paste mistake...)

Thanks for the explanation.


postfix-us...@mattern.org:

and a test header check:
   /^Subject: test1test/   FILTER smtp-sec:

...

Nov 16 13:38:19 mailtest1 postfix/cleanup[1147934]: 5C0D85B05:
filter: header Subject: test1test from unknown[192.0.2.1];
from= to= proto=ESMTP
helo=: smtp-safe:

If smtp-sec (smtp-safe) is an SMTP client, it will try to connect
to port 25 using the recipient domain (testdomain.net) as the
destination, because by definition FILTER overrides transport maps.

If testdomain.net is a local destination, then you have a mail
delivery loop.

Wietse


Bounce spam configuration.

2019-11-27 Thread Postfix users

Hello,

Looks like I get listed (again) because my conf rejects spam messages 
with full body.


What to change in postfix configuration to get reject with my message 
only and SPAM message added as eml attachment ?


Sebastian



postfix tls deploy-server-cert fails with "can't shift that many"

2020-05-30 Thread postfix-users



I've run into a problem with one of the postfix tls scripts.

Attempting to deploy server certificates with
# postfix tls deploy-server-cert certificate.crt keyfile.key

Expected to deploy new certificates

What happened - command fails with
 /usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many




Reproducing this doesn't need a lot of pre-setup:
# apt install postfix ssl-cert
# postfix tls deploy-server-cert /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
/usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many



The issue appears to be that the function "deploy-server-cert" in 
/usr/lib/postfix/sbin/postfix-tls-script expects three arguments:


/usr/lib/postfix/sbin/postfix-tls-script line 777
 deploy_server_cert() {
 certfile=$1; shift
 keyfile=$1; shift
 deploy=$1; shift
...

This works when the function is called by new_server_cert() in line 830, 
which calls the function as follows:
 deploy_server_cert "${certfile}" "${keyfile}" "${deploy}" || return 1


But when this function is invoked directly in line 1042, it is called 
with only 2 arguments

 deploy_server_cert "${certfile}" "${keyfile}" || exit 1

My work-around was to comment out the final shift in line 780, which is 
probably NOT the best long-term solution.


Please let me know if I may provide additional information.

Thanks for your help!

=>Robert


$ lsb_release -rd
Description: Ubuntu 18.04.4 LTS
Release: 18.04

postfix:
  Installed: 3.3.0-1ubuntu0.2
  Candidate: 3.3.0-1ubuntu0.2
  Version table:
 *** 3.3.0-1ubuntu0.2 500
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.3.0-1 500
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic/main amd64 Packages


$ ubuntu@mail3:~$ postconf -d | egrep mail_version
mail_version = 3.3.0

Please let me know


Re: postfix tls deploy-server-cert fails with "can't shift that many"

2020-05-30 Thread postfix-users

On 2020-05-30 09:42, Wietse Venema wrote:

postfix-us...@vintagesfinewine.com:


I've run into a problem with one of the postfix tls scripts.

Attempting to deploy server certificates with
# postfix tls deploy-server-cert certificate.crt keyfile.key

Expected to deploy new certificates

What happened - command fails with
  /usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that many



Reproducing this doesn't need a lot of pre-setup:
# apt install postfix ssl-cert
# postfix tls deploy-server-cert /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key
/usr/lib/postfix/sbin/postfix-tls-script: 780: shift: can't shift that
many


Below is a patch. I find that the handling of this differ a lot
among shell implementations, from terminating to ignoring.

Wietse

diff -ur /var/tmp/postfix-3.6-20200523/conf/postfix-tls-script
conf/postfix-tls-script
--- /var/tmp/postfix-3.6-20200523/conf/postfix-tls-script   2017-02-18
20:58:20.0 -0500
+++ conf/postfix-tls-script 2020-05-30 10:37:04.0 -0400
@@ -777,7 +777,7 @@
 deploy_server_cert() {
 certfile=$1; shift
 keyfile=$1; shift
-deploy=$1; shift
+case $# in 0) deploy=;; *) deploy=$1; shift;; esac

 # Sets key_algo, key_param and cert_param
 check_key "$keyfile" || return 1
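
Review bot: The guard covers only the third argument; `certfile=$1; shift` and `keyfile=$1; shift` just above it still shift unconditionally, so a call with fewer than two arguments would hit the same shell-dependent failure. Consider checking `$#` once at the top of deploy_server_cert() and returning an error when it is below 2, and add a short comment that `deploy` is optional and defaults to empty, since the `case $# in 0) deploy=;;` branch is otherwise easy to misread.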


Works perfectly.  Thank you!

=>Robert


Re: HELO and nothing else

2021-02-11 Thread postfix-users




Hello (not helo :-)

I am working on a spam filter and so I find myself spending a lot more quality 
time with mail logs than I used to.  One of the things I have noticed is that I 
will get a lot of connections that send a HELO command and then disconnect.  
Sometimes I get this repeated several times a minute from the same IP for hours 
on end.  What is going on here?  Should I block these IPs?  Am I being scanned? 
 By what?  To what end?

Maybe this could be some Spam prevention systems. Some systems try to 
reach the MX of a domain (like 
https://www.rspamd.com/doc/modules/mx_check.html)

Thanks,
rg



relay_recipient_maps ./. smtp callout

2016-03-22 Thread Postfix Users
I have a Postfix relay with a bunch of domains.
Most of them are relayed to an MS Exchange server behind.
Therefore I make an LDAP query against the MS AD server (relay_recipient_maps = 
ldap:/etc/postfix/ldap_relay_recipient_map.cf) which works perfectly.

One domain is hosted on a Linux (Postfix too) mailbox server. The recipients 
of that server are not listed in the MS AD.
From the moment the LDAP query is in place, the "normal" recipient verification 
seems to be not working anymore.
Postfix assumes that all recipients are in the LDAP database.
Addressing a Linux user I get a "Recipient address rejected: User unknown in 
relay recipient table"

How can I activate the verification for these users without manually creating an 
additional recipient map?

Regards








Re: tcp_table: flag_pattern vs flag_fixed

2014-11-05 Thread postfix-users
Wietse Venema:
> Damian Lukowski:
>> Hi,
>>
>> is there a reason that tcp_table has the DICT_FLAG_PATTERN flag
>> instead of DICT_FLAG_FIXED?  One could create more flexible transport
>> map chains if tcp_table was also queried for pure domains.
> Like pcre, regexp, and socketmap, tcp_table is queried only with
> the full search string. Substring matches can be done with regexp/pcre
> patterns, or with socketmap/tcp_table server code.
>
>   Wietse
Hi,

I'm aware of this. However, consider a scenario we have today:

- an extensive hash table HT with pure domains and next hop information
- a tcp_table which:
-- may output varying next-hops for varying email addresses within the same 
domain.
-- has "authoritative" next-hop knowledge for a set S of domains.
-- has non-authoritative, fallback next-hop knowledge for a set T of domains, T 
disjoint S.
   Next-hop information can be wrong for some domains of T.
- Domains from T are easily describable.
- HT and T are not disjoint.
- HT has correct information where the tcp_table would be wrong.

The problem is to eliminate wrong answers for domains from T.
Since the tcp_table is consulted with a full address, it can produce wrong
answers even if it is placed at the last position of transport_maps.

The first idea was to return 500 when queried for addresses whose domain is in 
T.
In the next round, when Postfix queried for pure domains, it would find a hit
in HT and use this information. If there is no hit in HT, the tcp_table would
give fallback next-hop information for the domain. However, there is no next
round for the tcp_table as it is a PATTERN dictionary.

Possible solutions are:

1) transform HT into a regexp table which ignores the local part.
Performance would probably get much worse.
2) Parse HT within the tcp_table handler itself, in front of its current logic.
  Performance would probably degrade a little, but it would be okay.
  However, I would not like to duplicate program logic which is already in 
Postfix.
3) Make tcp_table a FIXED dictionary, place it on the last position within 
transport_maps,
  and let it work as described above.

However, I don't know if a fixed tcp dictionary can cause problems.

Regards
 Damian
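
The lookup order described in this message can be made concrete with a model. The Python below is an added example, not code from Postfix or from this thread: it is a simplified model of the transport_maps search (full address first, then the bare domain, every table tried for each key; parent-domain and address-extension keys are omitted), and all domains and next hops are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

FIXED, PATTERN = "fixed", "pattern"


@dataclass
class Table:
    name: str
    kind: str                                # FIXED or PATTERN
    lookup: Callable[[str], Optional[str]]   # None models "not found" (tcp_table reply 500)


def transport_lookup(tables, address):
    """Model of the search: for each key, try every table in list order.

    PATTERN tables (pcre, regexp, socketmap, tcp) only ever see the full
    address; FIXED tables (hash, ...) are also asked for the bare domain.
    """
    domain = address.rsplit("@", 1)[1]
    for key, is_full in ((address, True), (domain, False)):
        for table in tables:
            if table.kind == PATTERN and not is_full:
                continue
            result = table.lookup(key)
            if result is not None:
                return table.name, key, result
    return None


# Constructed data for the scenario in the message.
HT = {"known.t.example": "smtp:[correct.example]"}        # hash table, pure domains
S_ROUTES = {                                              # set S: authoritative, per address
    "alice@s.example": "smtp:[a.s-hop.example]",
    "bob@s.example": "smtp:[b.s-hop.example]",
}
FALLBACK = "smtp:[fallback.example]"                      # non-authoritative answer for T


def in_T(domain):
    """Set T is 'easily describable': here, everything under t.example."""
    return domain.endswith(".t.example")


def tcp_today(key):
    """Current handler: answers any full address in S or T."""
    if key in S_ROUTES:
        return S_ROUTES[key]
    if "@" in key and in_T(key.rsplit("@", 1)[1]):
        return FALLBACK
    return None


def tcp_defer_T(key):
    """Proposed handler: 'not found' for addresses in T, fallback for bare T domains."""
    if key in S_ROUTES:
        return S_ROUTES[key]
    if "@" not in key and in_T(key):
        return FALLBACK
    return None


HASH_TABLE = Table("hash:HT", FIXED, HT.get)


def scenario(tcp_kind, handler, address):
    """transport_maps = hash:HT, tcp:... with the tcp table modelled as tcp_kind."""
    return transport_lookup([HASH_TABLE, Table("tcp", tcp_kind, handler)], address)


if __name__ == "__main__":
    for kind, handler in ((PATTERN, tcp_today), (PATTERN, tcp_defer_T), (FIXED, tcp_defer_T)):
        for rcpt in ("user@known.t.example", "user@other.t.example", "alice@s.example"):
            print(kind, handler.__name__, rcpt, "->", scenario(kind, handler, rcpt))
```

With the PATTERN model and the proposed handler, a T domain that is missing from HT ends up with no transport at all, which is the "no next round" problem; only the FIXED model reaches the fallback.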


How to resend a message?

2009-05-24 Thread lists . postfix-users
Hello,

I typed the address in a message wrong. Pine copied it to the
sendmail folder anyway. But postfix saw the message that the
address was wrong and put it in the mailq. (Fair enough).
Question is: can I resend the message with the correct address
and if yes, how?

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl
--- GoldED+/LNX 1.1.5/090409
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: How to resend a message?

2009-05-24 Thread lists . postfix-users
*** Reply to a message from area LISTS.POSTFIX-USERS
(lists.postfix-users).

Hello Ralf,

On Sunday 24 May 2009, Ralf Hildebrandt wrote to postfix-users@postfix.org:

 >> Question is: can I resend the message with the correct address
 >> and if yes, how?
 RH> I fail to see how this is a postfix question!

Maybe it is not, but it seemed to me to be the easiest way,
as the message was in the postfix queue anyway. I could not
find a way in pine (which does not mean that it's impossible
of course).

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

--- GoldED+/LNX 1.1.5/090409
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: How to resend a message?

2009-05-24 Thread lists . postfix-users
*** Reply to a message from area LISTS.POSTFIX-USERS
(lists.postfix-users).

Hello Wietse,

On Sunday 24 May 2009, Wietse Venema wrote to Postfix users:

 >> Question is: can I resend the message with the correct address
 >> and if yes, how?
 WV> I assume that the message is still queued because DNS lookup
 WV> fails or because the (wrong) destination is not reachable.

Correct. The domain dhs.nl does not exist. But it's such a habit
to type that..

 WV> You can save a copy of the message with the postcat command
 WV> (postcat -q queueID) and use that to resend your message.

I did and hope to hear from the other side if it worked soon.

 WV> Postfix will return the mail as undeliverable in five days.

I know :)

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

--- GoldED+/LNX 1.1.5/090409
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


How to stop these fakes?

2008-07-31 Thread lists . postfix-users
Hello postfix-users,

Occasionally external systems are trying to send mail with a
faked sender address via my system. So far no harm is done,
as they have not been able to create a real user name. But
I would like to stop them before they use my mail system,
as soon as they make contact. How can I do this?
Example:
Jul 31 15:31:02 duinheks postfix/smtpd[29511]: NOQUEUE: reject: RCPT from
unknown[218.20.152.23]: 550 5.1.0 <[EMAIL PROTECTED]>: Sender address 
rejected:
User unknown in local recipient table; from=<[EMAIL PROTECTED]>
to=<[EMAIL PROTECTED]> proto=ESMTP helo=

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

Here's my current configuration:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases,
hash:/opt/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_transport = smtp
home_mailbox = Mailbox
html_directory = no
local_recipient_maps = $alias_maps unix:passwd.byname
mail_owner = postfix
mailbox_size_limit = 204800
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 1536
mydestination = duinheks.nl, $myhostname, localhost.$mydomain
mydomain = duinheks.nl
myhostname = duinheks.nl
mynetworks = 192.168.178.0/24, 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, f1018.n280.z2.fidonet.org
relayhost = smtp.xs4all.nl
sample_directory = /etc/postfix
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = reject_non_fqdn_sender
reject_non_fqdn_recipient reject_unlisted_recipient
reject_unlisted_sender permit_mynetworks reject_unauth_destination
permit
soft_bounce = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 550

--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: How to stop these fakes?

2008-08-04 Thread lists . postfix-users
Hello Robert,

On Friday 01 August 2008, Robert Schetterer wrote to ram:

 >>> Example:
 >>> Jul 31 15:31:02 duinheks postfix/smtpd[29511]: NOQUEUE:
 >>> reject: RCPT from unknown[218.20.152.23]: 550 5.1.0
 >>> <[EMAIL PROTECTED]>: Sender address rejected: User unknown in
 >>> local recipient table; from=<[EMAIL PROTECTED]>
 >>> to=<[EMAIL PROTECTED]> proto=ESMTP helo=

 RS> reject_unknown_reverse_client_hostname
 RS> helps a lot here

Thanks. I've put that in and will wait and see what happens.

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: How to stop these fakes?

2008-08-04 Thread lists . postfix-users
Hello ram,

On Friday 01 August 2008, ram wrote to [EMAIL PROTECTED]:

 >> Occasionally external systems are trying to send mail with a
 >> faked sender address via my system. So far no harm is done,
 >> as they have not been able to create a real user name. But
 >> I would like to stop them before they use my mail system,
 >> as soon as they make contact. How can I do this?
 ra> I don't see any reason for you to worry. You are doing a
 ra> reject_unauth_destination already

It's not the destination I'm worried about, it's the sender.
There is a [small] possibility that the culprit guesses a real
user name on my system and then sends spam or other unpleasant
things across the world. I would not like that...

 ra> There is no way to stop *all* unauthorized connections ( as soon
 ra> as they connect ? ).

That was not very well formulated, sorry. Obviously they have
to make contact before I can see who they are. But I would
like postfix to see as soon as possible that my host name is
used illegally and reject that message straight away.

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: How to stop these fakes?

2008-08-14 Thread lists . postfix-users
Hello Robert,

On Monday 04 August 2008, [EMAIL PROTECTED] wrote to
postfix-users:

 RS>> reject_unknown_reverse_client_hostname
 RS>> helps a lot here
 lpu> Thanks. I've put that in and will wait and see what happens.

It took a few days, because it doesn't happen every day. But this
solution doesn't seem to work:
Aug 11 05:12:09 duinheks postfix/smtpd[13102]: connect from
125-225-150-228.dynamic.hinet.net[125.225.150.228]
Aug 11 05:12:12 duinheks postfix/smtpd[13102]: lost connection after EHLO from
125-225-150-228.dynamic.hinet.net[125.225.150.228]
Aug 11 05:12:12 duinheks postfix/smtpd[13102]: disconnect from
125-225-150-228.dynamic.hinet.net[125.225.150.228]
Aug 11 05:12:26 duinheks postfix/smtpd[13102]: connect from
125-225-150-228.dynamic.hinet.net[125.225.150.228]
Aug 11 05:12:33 duinheks postfix/smtpd[13102]: NOQUEUE: reject: RCPT from
125-225-150-228.dynamic.hinet.net[125.225.150.228]: 550 5.1.0
<[EMAIL PROTECTED]>: Sender address rejected: User unknown in local recipient
table; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP
helo=
Aug 11 05:12:34 duinheks postfix/smtpd[13102]: lost connection after DATA (0
bytes) from 125-225-150-228.dynamic.hinet.net[125.225.150.228]
Aug 11 05:12:34 duinheks postfix/smtpd[13102]: disconnect from
125-225-150-228.dynamic.hinet.net[125.225.150.228]

Or maybe I put it into the wrong place...  I find it very
difficult to find all the possible configuration options
of Postfix and put them into the right place :(

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases,
hash:/opt/mailman/data/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_transport = smtp
home_mailbox = Mailbox
html_directory = no
local_recipient_maps = $alias_maps unix:passwd.byname
mail_owner = postfix
mailbox_size_limit = 204800
mailq_path = /usr/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 1536
mydestination = duinheks.nl, $myhostname, localhost.$mydomain
mydomain = duinheks.nl
myhostname = duinheks.nl
mynetworks = 192.168.178.0/24, 127.0.0.0/8
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, f1018.n280.z2.fidonet.org
relayhost = smtp.xs4all.nl
sample_directory = /etc/postfix
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtpd_recipient_restrictions = reject_non_fqdn_sender
reject_unknown_reverse_client_hostname reject_non_fqdn_recipient
reject_unlisted_recipient reject_unlisted_sender permit_mynetworks
reject_unauth_destination permit
soft_bounce = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_client_reject_code = 554
unknown_local_recipient_reject_code = 550

--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Why "may be forged"?

2008-09-20 Thread lists . postfix-users
Hello,

This morning I sent a message from my system at home to my
user account with my provider. When I looked at the headers
I noticed the following received header line:
from duinheks.nl (duinheks.nl [82.95.255.219] (may be forged))  by
smtp-vbr1.xs4all.nl (8.13.8/8.13.8) with ESMTP id m8K6up83086283 for
<[EMAIL PROTECTED]>; Sat, 20 Sep 2008 08:56:51 +0200 (CEST)
(envelope-from [EMAIL PROTECTED])
I am a little worried about the remark "may be forged". I'm
certain that the message was sent from duinheks.nl, as that
is my own system and I sent it myself.
Does it point to any problems and/or is there something I
can do to change it?

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl
--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: Why "may be forged"?

2008-09-20 Thread lists . postfix-users
Hello Ralf,

On Saturday 20 September 2008, Ralf Hildebrandt wrote to
postfix-users@postfix.org:

 RH> $ host -t A duinheks.nl
 RH> duinheks.nl has no A record

Ah, that was a very useful answer, and easily fixed. I really
should read up on all this DNS stuff.
Thank you very much!

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl

--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Re: Why "may be forged"?

2008-09-20 Thread lists . postfix-users
Hello Ralf,

On Saturday September 20 2008, Ralf Hildebrandt wrote to
postfix-users@postfix.org:

 RH> Ask on the sendmail list. smtp-vbr1.xs4all.nl is running
 RH> sendmail 8.13.8

I liked your other reply better :) I don't use sendmail and
the xs4all help desk is nowadays very unhelpful. The chance
that a phone call or e-mail is actually handled by someone
who has enough knowledge to *help* you I estimate as less
than 5% :(

Regards,

   Hans.

jdh dot beekhuizen at duinheks dot nl
--- GoldED+/LNX 1.1.5/080731
 * Origin: The Wizard is using MBSE/Linux (2:280/1018)


Invalid DKIM signature with `milter_protocol = 2` and folded header

2019-12-27 Thread msd+postfix-users
Hi all,

With `milter_protocol = 2`, the DKIM signature is invalid if a signed
header is like "Subject:" in this test.eml attached example.

```
From: 
To: 
Subject:
 
Folding_White_Space_and_too_long_subject_a

Test
```

It works fine with `milter_protocol = 6`.

I explained this problem here :
https://bugs.launchpad.net/ubuntu/+source/opendkim/+bug/1857618

Let me know if you need more information to reproduce or understand the
problem.

Do you know if it is normal, or a bug in postfix, or a bug in opendkim ?


Guillaume
--- Begin Message ---
Test
--- End Message ---


A Second Or Third Pair Of Eyes Are Always Best: Please Inspect My Config

2015-11-02 Thread jarrett+postfix-users
If I made any errors/mistakes or my configuration contains any
unnecessary settings/variables, can someone point them out?

Thanks!

==

postconf -n:

best_mx_transport = virtual
biff = no
bounce_queue_lifetime = 3d
compatibility_level = 2
default_process_limit = 150
delay_warning_time = 12h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = .maildir/
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_transport = $virtual_transport
manpage_directory = /usr/share/man
maximal_backoff_time = 2h
maximal_queue_lifetime = 3d
milter_default_action = quarantine
minimal_backoff_time = 15m
mydestination = localhost, mail.domain.com
myhostname = mail.domain.com
mynetworks_style = host
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
unix:/var/run/opendmarc/opendmarc.sock
postscreen_access_list = permit_mynetworks
postscreen_bare_newline_action = enforce
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3, b.barracudacentral.org*2,
bl.spameatingmonkey.net*2, dnsbl.ahbl.org*2, bl.spamcop.net,
dnsbl.sorbs.net, psbl.surriel.com, bl.mailspike.net,
swl.spamhaus.org*-4, list.dnswl.org=127.[0..255].[0..255].0*-2,
list.dnswl.org=127.[0..255].[0..255].1*-3,
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
queue_run_delay = 60m
recipient_delimiter = +-
smtp_aol_destination_concurrency_limit = 4
smtp_aol_destination_recipient_limit = 5
smtp_aol_initial_destination_concurrency = 1
smtp_att_destination_concurrency_limit = 4
smtp_att_destination_recipient_limit = 5
smtp_att_initial_destination_concurrency = 1
smtp_dns_support_level = dnssec
smtp_fastmail_destination_concurrency_limit = 4
smtp_fastmail_destination_recipient_limit = 5
smtp_fastmail_initial_destination_concurrency = 1
smtp_gmail_destination_concurrency_limit = 4
smtp_gmail_destination_recipient_limit = 5
smtp_gmail_initial_destination_concurrency = 1
smtp_hotmail_destination_concurrency_limit = 4
smtp_hotmail_destination_recipient_limit = 5
smtp_hotmail_initial_destination_concurrency = 1
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_use_tls = yes
smtp_yahoo_destination_concurrency_limit = 4
smtp_yahoo_destination_recipient_limit = 5
smtp_yahoo_initial_destination_concurrency = 1
smtpd_banner = $myhostname ESMTP NO UCE
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_dnswl_client
list.dnswl.org=127.0.[2..14].[2..3],
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
reject_unknown_reverse_client_hostname
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
unix:/var/run/opendmarc/opendmarc.sock
smtpd_recipient_limit = 128
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
regexp:/etc/postfix/recipient_access_list, reject_non_fqdn_recipient,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_helo
dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access
regexp:/etc/postfix/sender_access_list, reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /etc/ssl/postfix/domain.com.rsa.ca
smtpd_tls_cert_file = /etc/ssl/postfix/domain.com.rsa.crt
smtpd_tls_dh1024_param_file = /etc/ssl/postfix/dhparam_2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/postfix/dhparam_512.pem
smtpd_tls_key_file = /etc/ssl/postfix/domain.com.rsa.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
strict_rfc821_envelopes = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom
tls_ssl_options = no_compression, no_ticket
transport_maps = regexp:/etc/postfix/transport
unknown_local_recipient_reject_code = 450
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:207
virtual_mailbox_base = /var/spool/postfix/virtual
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:207

--
master.cf

anvil     unix  -       -       n       -       1       anvil
bounce    unix

Re: OpenDKIM

2015-11-07 Thread jarrett+postfix-users
Some of my favs:

https://en.internet.nl/ (if you're running Postscreen, it will fail the
TLS test as it doesn't wait for the STARTTLS offer)
http://www.mail-tester.com
https://ssl-tools.net
https://dane.sys4.de/ (thanks Victor!)
http://arp.simson.net/dev/dane_check.cgi/ (defunct :( )

On 11/07/2015 09:09 AM, Steve Jenkins wrote:
> On Saturday, November 7, 2015, John Allen wrote:
>
> Interesting!
> I tried a couple of DKIM test sites, one says I am signing my
> emails, the other says I am not!!
> Mailradar say I am not signing!
> DKIMValidator say I am!
>
>
> My favorite "test site" for SPF, DKIM, DMARC configuration
> and validation is sending to a Gmail account and then viewing the raw
> message headers.
>
>
> -- 
> *Steve Jenkins*
> /st...@stevejenkins.com /
>



How to change the sender of an e-mail ?

2016-10-06 Thread msd+postfix-users

Hello,

Is there a way, in the context of SMTP Access Policy Delegation 
(http://www.postfix.org/SMTPD_POLICY_README.html), to change the 
envelope sender (MAIL FROM: / Return-Path) of an e-mail ?


In fact, what I want is to call a script that will replace the envelope 
sender (in order to collect bounces), but having in this script an 
access to the "sasl_username" and the "recipient" to generate the new 
envelope sender.


Thank you in advance for your reply,


Msd


Re: How to change the sender of an e-mail ?

2016-10-07 Thread msd+postfix-users

r...@gmx.co.uk:
> It sounds like you might want VERP, did you review this one:
> http://www.postfix.org/VERP_README.html
> ?

Yes, I have already read this. But I really need the recipient address 
and the sasl_username (to identify my user when I get the bounce) and, 
except if I'm wrong, I can't do this with postfix VERP.


For now, I'm looking at "MILTER" (on the advice of Wietse) or 
"SMTPD_PROXY" (which seems easier to implement for me).


Thanks,


Msd


Override a transport configuration parameter with its own name

2017-06-07 Thread msd+postfix-users

Hi,

1. In master.cf, is it possible to override a transport configuration 
parameter with its own name ? Like this :


transportname   unix  -   -   n   -   1   smtp
  -o transportname_destination_rate_delay=1s

If I can't, why ?

2. Can I use 'default_xxx' or 'smtp_xxx' ? Like this :

transportname   unix  -   -   n   -   1   smtp
  -o default_destination_rate_delay=1s

Regards,


Msd


Re: Override a transport configuration parameter with its own name

2017-06-07 Thread msd+postfix-users

Hi Wietse,

Thank you for your reply,

That's why it wasn't working as expected !

So, just to be sure, is this syntax valid (destination_concurrency_limit 
is this time documented in the smtp manpage) ?


  transportname   unix  -   -   n   -   1   smtp
-o transportname_destination_concurrency_limit=3

Or do I have to use "-o smtp_destination_concurrency_limit=3" ?

Regards,


Msd


Postfix 2.6.6: unexpected behavior in face of nameserver misconfiguration

2018-12-10 Thread ben+postfix-users
Scenario: a nameserver is misconfigured such that it doesn't set the "recursion 
available" (ra) bit on its replies. Postfix's relayhost has an A record but no 
MX record, and is specified in main.cf without [] brackets around it.

What I see is that Postfix 2.6.6 looks up the MX record, receives a successful 
negative reply (but with the ra bit unset), and defers with "Host or domain 
name not found. Name service error for name=[REDACTED] type=MX: Host not found, 
try again".

RFC 5321 section 5.1:

The lookup first attempts to locate an MX record associated with the name.  If 
a CNAME record is found, the resulting name is processed as if it were the 
initial name.  If a non-existent domain error is returned, this situation MUST 
be reported as an error.  If a temporary error is returned, the message MUST be 
queued and retried later (see Section 4.5.4.1).

Is a response with 'ra' unset an error? If not, then I'd expect Postfix to 
continue to the "implicit MX" behavior and look up the A record. If so, then I 
guess the observed behavior is correct. What do you think?

Best regards,
-- 
Ben Rosengart
2.3.2 418 I'm a teapot
Any attempt to brew coffee with a teapot should result in the error code
"418 I'm a teapot".  The resulting entity body MAY be short and stout.



[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

What date does this take effect and we start receiving list mail from the new 
server host?
So we can keep an eye out to make sure no issues on our side, whitelisting if 
needed.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[P-U] sys4 is listed in Abusix

2023-03-07 Thread toganm--- via Postfix-users


Hi,

Maybe it would have been a better idea to check if the mail server is listed
in any rbl sites. For one it is listed in Abusix and my server rejected it 
as a result

Abusix Mail Intelligence; https://lookup.abusix.com/search?q=188.68.34.52


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

What date does this take effect and we start receiving list mail from the new 
server host?


7th March 2023 (today), 12:35 UTC (approx 5 hours ago).



Oh, silly me. I thought they said a footer would be added when it happened. 
Guess I read that wrong.
Looks like no issues and i didn't have to do anything, it just worked.

  Authentication-Results: dmarc=pass (p=quarantine dis=none) header.from=sys4.de
  Authentication-Results: spf=pass smtp.mailfrom=sys4.de
  Authentication-Results: dkim=pass (1024-bit key, secure) header.d=sys4.de 
header.i=@sys4.de header.a=rsa-sha256 header.s=20190903 header.b=mKunzef7



[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

Reviewing logs I notice many soft bounces from the new list. Some emails from 
the new list have been accepted and I don't understand what the differences 
are. I have not seen these types of errors before and don't understand what is 
causing them. Here are just two examples:


Mar  7 13:05:25 host postfix/smtpd[1152692]: connect from 
list.sys4.de[188.68.34.52]
Mar  7 13:05:25 host opendmarc[1152829]: /etc/opendmarc.conf:
Mar  7 13:05:26 host postfix/smtpd[1152692]: 4PWNdy5lkcz4l3gy: 
client=list.sys4.de[188.68.34.52]
Mar  7 13:05:26 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: 
message-id=
Mar  7 13:05:26 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: info: header Subject: [P-U] Re: 
Poster Name not visible in Thunderbird from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:05:26 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: info: header From: Noel Jones via 
Postfix-users  from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:05:26 host opendkim[1883]: 4PWNdy5lkcz4l3gy: list.sys4.de 
[188.68.34.52] not internal
Mar  7 13:05:26 host opendkim[1883]: 4PWNdy5lkcz4l3gy: not authenticated
Mar  7 13:05:27 host opendkim[1883]: 4PWNdy5lkcz4l3gy: message has signatures 
from postfix.org, megan.vbhcs.org
Mar  7 13:05:27 host opendkim[1883]: 4PWNdy5lkcz4l3gy: DKIM verification 
successful
Mar  7 13:05:27 host postfix/cleanup[1152719]: warning: milter 
unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet 
header: Success
Mar  7 13:05:27 host postfix/cleanup[1152719]: 4PWNdy5lkcz4l3gy: milter-reject: END-OF-MESSAGE 
from list.sys4.de[188.68.34.52]: 4.7.1 Service unavailable - try again later; 
from= to= proto=ESMTP 
helo=
Mar  7 13:05:27 host opendmarc[1877]: terminated with signal 11, restarting
Mar  7 13:05:27 host postfix/smtpd[1152692]: disconnect from 
list.sys4.de[188.68.34.52] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 
commands=6/7
Mar  7 13:05:27 host opendmarc[1152893]: OpenDMARC Filter v1.4.1 starting 
(args: -c /etc/opendmarc.conf -P /run/opendmarc/opendmarc.pid)
Mar  7 13:05:27 host opendmarc[1152893]: additional trusted authentication 
services: (none)


Mar  7 13:18:55 host postfix/smtpd[1153940]: connect from 
list.sys4.de[188.68.34.52]
Mar  7 13:18:55 host opendmarc[1153579]: /etc/opendmarc.conf:
Mar  7 13:18:57 host postfix/smtpd[1153940]: 4PWNxY2dFlz4l3gy: 
client=list.sys4.de[188.68.34.52]
Mar  7 13:18:57 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: 
message-id=<60a0790cfdbbe3f5c72786e4f6519...@ptld.com>
Mar  7 13:18:57 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: info: header Subject: [P-U] Re: 
Postfix lists are migrating to a new list server from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:18:57 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: info: header From: postfix--- via 
Postfix-users  from list.sys4.de[188.68.34.52]; 
from= to= proto=ESMTP 
helo=
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: list.sys4.de 
[188.68.34.52] not internal
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: not authenticated
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: message has signatures 
from postfix.org, ptld.com
Mar  7 13:18:57 host opendkim[1883]: 4PWNxY2dFlz4l3gy: DKIM verification 
successful
Mar  7 13:18:58 host postfix/cleanup[1153970]: warning: milter 
unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet 
header: Success
Mar  7 13:18:58 host postfix/cleanup[1153970]: 4PWNxY2dFlz4l3gy: milter-reject: END-OF-MESSAGE 
from list.sys4.de[188.68.34.52]: 4.7.1 Service unavailable - try again later; 
from= to= proto=ESMTP 
helo=
Mar  7 13:18:58 host opendmarc[1877]: terminated with signal 11, restarting
Mar  7 13:18:58 host opendmarc[1153979]: OpenDMARC Filter v1.4.1 starting 
(args: -c /etc/opendmarc.conf -P /run/opendmarc/opendmarc.pid)
Mar  7 13:18:58 host opendmarc[1153979]: additional trusted authentication 
services: (none)
Mar  7 13:18:58 host postfix/smtpd[1153940]: disconnect from 
list.sys4.de[188.68.34.52] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 
commands=6/7


What is broken on my end causing these DMARC SMFIC_BODYEOB errors?
Since most of the list mail is being bounced by my setup can someone email me 
directly and not through the list if they know the answer to fix this?



[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

OpenDMARC is segfaulting. That's what 'signal 11' means. Postfix fails to get 
an answer to its end-of-body milter call because of the segfault closing the 
other end of that socket. That failure results in Postfix sending a 4xx to the 
client.

First step is to verify your installation of OpenDMARC. Make sure you have a 
current version, that its dependencies are consistent with the build, etc.



Yes, I understood the problem to be something is "breaking" in opendmarc and 
postfix is soft bouncing based on service/milter not available. What I don't understand 
is why this is happening only with the new list host. This hasn't happened with any other 
server and while this is going on my server is still accepting and delivering mail from 
other mail servers without issue. Right now all list mail is bouncing so please CC: me 
directly so I may receive replies.

As far as I know everything is up to date.

[root]# opendmarc -V
opendmarc: OpenDMARC Filter v1.4.1
SMFI_VERSION 0x101
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2

I know this is going out of scope so I will reach out to the opendmarc list.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread mailmary--- via Postfix-users


Unfortunately I've seen this crash as well, it's actually quite frequent in my 
case and I'm using a newer version of OpenDMARC than you:

# opendmarc -V
opendmarc: OpenDMARC Filter v1.4.2
SMFI_VERSION 0x101
libmilter version 1.0.1
Active code options:
WITH_SPF
WITH_SPF2


No solution so far, I think there are 2-3 open bug reports on github, but since 
the project is very dead, nobody has bothered to fix the problem.



On Tue, 07 Mar 2023 14:37:41 -0500 postfix--- via Postfix-users wrote:

> Yes, I understood the problem to be something is "breaking" in opendmarc and 
> postfix is soft bouncing based on service/milter not available. What I don't 
> understand is why this is happening only with the new list host. This hasn't 
> happened with any other server and while this is going on my server is still 
> accepting and delivering mail from other mail servers without issue. Right 
> now all list mail is bouncing so please CC: me directly so I may receive 
> replies.
> 
> As far as I know everything is up to date.
> 
> [root]# opendmarc -V
> opendmarc: OpenDMARC Filter v1.4.1
>  SMFI_VERSION 0x101
>  libmilter version 1.0.1
>  Active code options:
>  WITH_SPF
>  WITH_SPF2
> 
> I know this is going out of scope so I will reach out to the opendmarc list.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

OpenDMARC is segfaulting. That's what 'signal 11' means. Postfix fails to get 
an answer to its end-of-body milter call because of the segfault closing the 
other end of that socket. That failure results in Postfix sending a 4xx to the 
client.
First step is to verify your installation of OpenDMARC. Make sure you have a 
current version, that its dependencies are consistent with the build, etc.



I ran into the same problem. I found that the opendmarc package in Debian 
bullseye is vulnerable to CVE-2021-34555, and I believe this is the source of 
the crash (in combination with the new email headers from the mailing list 
transition).

I solved the problem by upgrading to the version of opendmarc in Debian testing.



I am using RHEL8 and after checking for updates I was able to update opendmarc 
to 1.4.2 (from 1.4.1) however it still has the error, only with mail from this 
list.
In the meantime as suggested, I added "list.sys4.de" to the ignorelist to be 
able to accept list mail again. However I would like to solve the problem and not rest on 
a band-aid.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-07 Thread postfix--- via Postfix-users

No solution so far, I think there are 2-3 open bug reports on
github, but since the project is very dead, nobody has bothered to
fix the problem.



So what's the option for a more up-to-date version of DKIM milter for debian?


And what would be a dmarc replacement or solution for RHEL systems?


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread postfix--- via Postfix-users

We'll generate a new 2024 Bit key pair and place the new key in DNS. When we
do that we'll also see to fix the h=sha256 problem. This will take place
within the next 12 hours. Mailman will be restarted in the end and the service
will be unavailable for about 30 seconds. No list mail will be lost.

p@rick



Can you announce on the list when this is completed so we can test if it 
resolves the issue with opendmarc failing? Thank you.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread Peter via Postfix-users

On 8/03/23 10:54, postfix--- via Postfix-users wrote:

No solution so far, I think there are 2-3 open bug reports on
github, but since the project is very dead, nobody has bothered to
fix the problem.


So what's the option for a more up-to-date version of DKIM milter for 
debian?


And what would be a dmarc replacement or solution for RHEL systems?


Looks like there's a COPR available with the patch for this issue:

https://copr.fedorainfracloud.org/coprs/abo/opendmarc/

I can't vouch for how trustworthy it is.


Peter


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread Peter via Postfix-users

On 8/03/23 15:46, Scott Kitterman via Postfix-users wrote:

For Debian, if someone can find/test patches, I can get them into Debian's 
package.  I assume other distributors are similar.  Feel free to update the 
Debian bug with information.  It's unfortunate we don't have a better 
maintained solution.


The patch appears to be committed in github:

https://github.com/andreasschulze/OpenDMARC/commit/e8e7b41fef40032398d35650489a717108ac70de.patch


Peter


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-08 Thread Peter via Postfix-users

On 8/03/23 10:40, postfix--- via Postfix-users wrote:
I am using RHEL8 and after checking for updates I was able to update 
opendmarc to 1.4.2 (from 1.4.1) however it still has the error, only 
with mail from this list.
In the meantime as suggested, I added "list.sys4.de" to the ignorelist 
to be able to accept list mail again. However I would like to solve the 
problem and not rest on a band-aid.


Another workaround would be to set milter_default_action=accept so that 
when the milter crashes postfix will still accept the message.  I would 
also suggest this:


# systemctl edit opendmarc

[Service]
Restart=on-failure

...so that opendmarc will restart when it does crash for this or any 
other reason.



Peter


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread Michael via Postfix-users

wietse,

On Monday, 6 March 2023 17:08:49 CET, Wietse Venema wrote:

This week, the Postfix mailing lists will be migrated from Majordomo at
Cloud9.net to Mailman at Sys4.de.
[...]


what a coincidence!

since 'Monday, 6 March 2023 00:02:20 CET' i see multiple attempts to login 
to this email account!


every day i get at least 5 failed attempts. and before the migration: 0

zero!

so, how did you convince sys4.de to use my email address, dedicated to 
mailing lists only, to sell them to the bad guys?


i am not amused! (rip, queen elizabeth...)

greetings...


here is what postfix log says (this is the first of many):
Mar  6 00:02:01 mail postfix/submission/smtpd[129396]: connect from unknown[196.0.87.222]
Mar  6 00:02:11 mail postfix/submission/smtpd[129396]: Anonymous TLS connection established from unknown[196.0.87.222]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Mar  6 00:02:21 mail postfix/submission/smtpd[129396]: warning: unknown[196.0.87.222]: SASL PLAIN authentication failed: 


and here is dovecot's corresponding log entry:
Mar 06 00:02:20 auth: Info: passwd-file(m...@hemathor.de,196.0.87.222): Password mismatch



[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread Michael via Postfix-users

hey,

On Thursday, 9 March 2023 15:29:01 CET, Wietse Venema via Postfix-users 
wrote:

Let me help remind you that your email address has been out there
for a while. Here are some samples from the postfix-users list:


i am totally aware of that. and to be clear: my email address being public 
was not my point...


nevertheless, i apologize if i offended you. that was never my intention!

greetings...


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread postfix--- via Postfix-users

We'll generate a new 2024 Bit key pair and place the new key in DNS. When we
do that we'll also see to fix the h=sha256 problem. This will take place
within the next 12 hours. Mailman will be restarted in the end and the service
will be unavailable for about 30 seconds. No list mail will be lost.

p@rick



This is a test email to see if the changes above fixed the opendmarc issues.
Assuming the list is using the new key by now.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread postfix--- via Postfix-users

We'll generate a new 2024 Bit key pair and place the new key in DNS. When we
do that we'll also see to fix the h=sha256 problem. This will take place
within the next 12 hours. Mailman will be restarted in the end and the service
will be unavailable for about 30 seconds. No list mail will be lost.

p@rick



This is a test email to see if the changes above fixed the opendmarc issues.
Assuming the list is using the new key by now.



It worked. My setup no longer gets the "can't read SMFIC_BODYEOB" error,
and I don't need to include "list.sys4.de" in the opendmarc ignore list as a 
work around.


[P-U] Re: Postfix lists are migrating to a new list server

2023-03-09 Thread postfix--- via Postfix-users

I am still seeing DKIM fails and two DKIM-Signatures.
Is this correct? Haven't seen this with other mails but I cannot rule out a 
config issue on my side. Is someone else observing that?


Yes there will be two DKIM signatures due to the configuration of the mailing 
list.
The first DKIM signature is from the email author to the mailing list.
The second DKIM signature is added by the mailing list when it is resent to 
everyone on the list.

The SPF will pass, because the email is from the list and matches the SPF 
records.
The first DKIM signature created by the author will fail because the mailing 
list altered the email adding a footer and reply-to headers.
The second DKIM signature will pass because it was signed by the list before 
sending to you.

With the SPF pass, and one DKIM pass, DMARC should pass and the email should be 
accepted as legit.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
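
The scenario from the reply above, worked as an added example (not part of the original message and not code from any DMARC implementation): a DMARC verdict counts an SPF or DKIM pass only when its domain aligns with the From: header domain, so the same pair of signatures gives a different result depending on whether the list rewrites From:. The domains are constructed, and `org_domain` is a deliberately naive stand-in for a Public Suffix List lookup.

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Naive organizational domain: the last two labels.

    Assumption for this example only; a real verifier uses the Public
    Suffix List, which this shortcut gets wrong for names like example.co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or same org domain (relaxed)."""
    a = identifier.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


@dataclass
class DkimResult:
    domain: str   # d= tag of the signature
    result: str   # "pass" or "fail" as reported by the DKIM verifier


@dataclass
class Message:
    from_domain: str       # domain of the RFC 5322 From: header
    mailfrom_domain: str   # envelope sender domain that SPF checked
    spf_result: str
    dkim: list = field(default_factory=list)


def dmarc_evaluate(msg: Message, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one aligned mechanism (SPF or DKIM) passed."""
    spf_aligned = (msg.spf_result == "pass"
                   and aligned(msg.mailfrom_domain, msg.from_domain, aspf == "s"))
    dkim_aligned = [s.domain for s in msg.dkim
                    if s.result == "pass"
                    and aligned(s.domain, msg.from_domain, adkim == "s")]
    return {"result": "pass" if spf_aligned or dkim_aligned else "fail",
            "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned}


def list_signatures():
    # Author signature broken by the added footer, list signature intact.
    return [DkimResult("author.example", "fail"),
            DkimResult("lists.example.org", "pass")]


# Constructed case 1: the list puts its own address in From:.
REWRITTEN_FROM = Message("lists.example.org", "bounces.lists.example.org",
                         "pass", list_signatures())
# Constructed case 2: same mail, but From: still shows the author's domain.
ORIGINAL_FROM = Message("author.example", "bounces.lists.example.org",
                        "pass", list_signatures())

if __name__ == "__main__":
    for name, msg in (("rewritten From:", REWRITTEN_FROM),
                      ("original From:", ORIGINAL_FROM)):
        print(name, dmarc_evaluate(msg))
```

In the second case both SPF and the list's DKIM signature pass, yet neither is aligned with the author's domain, so the DMARC result is a fail.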


[P-U] New List Host and Reply-to Header

2023-03-09 Thread postfix--- via Postfix-users

Is it the best idea to add a reply-to header to the author on mailing list 
emails?
The problem I see is many people will hit reply in their email client which 
will create an email from them to the author, bypassing the mailing list.
Unless they remember to manually alter the To: field to keep the conversation 
on the list, it won't be.

Was that the intent?


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 07:34, postfix--- via Postfix-users wrote:
Is it the best idea to add a reply-to header to the author on mailing 
list emails?
The problem I see is many people will hit reply in their email client 
which will create an email from them to the author, bypassing the 
mailing list.
Unless they remember to manually alter the To: field to keep the 
conversation on the list, it won't be.


Many email clients have a "Reply List" option which goes to the address 
in the List-Post: header.  Thunderbird has a "Smart Reply" button that 
when displaying a message with List-Post: defaults to "Reply List". 
I've found that hiding the normal reply button in TB and enabling the 
smart reply button has made my world way easier when dealing with 
mailing lists.



Peter


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread postfix--- via Postfix-users

Is it the best idea to add a reply-to header to the author on mailing list 
emails?
The problem I see is many people will hit reply in their email client which 
will create an email from them to the author, bypassing the mailing list.
Unless they remember to manually alter the To: field to keep the conversation 
on the list, it won't be.

Was that the intent?



This (same-domain From: header and DKIM signature) is  DMARC damage control.

Wietse



I totally understand the benefit of putting the list address in the From: 
header.
But why does that mean something *HAS* to be put in the reply-to header?

It isn't important for me to know the author's address to answer the content of 
the list mail. If it's important for others to know who authored the email, the 
address can be included as tag line information in the footer that is already 
being appended by the list. Or make up an x-header for tracking/investigative 
purposes.

I just predict emails being replied to directly and not kept on list. I've said 
my 2 cents, I will let it go.


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread postfix--- via Postfix-users

The very much worth reading RFC 9057 of Dave Crocker defines an Author: field...


I like that idea better than my suggestion of footer or x-header.


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 08:50, Steffen Nurpmeso via Postfix-users wrote:

Wietse Venema via Postfix-users wrote in
  <4pxdmb1f8fzj...@spike.porcupine.org>:
  |postfix--- via Postfix-users:
  |> Is it the best idea to add a reply-to header to the author on mailing \
  |> list emails?
  |> The problem I see is many people will hit reply in their email client \
  |> which will create an email from them to the author, bypassing the \
  |> mailing list.
  |> Unless they remember to manually alter the To: field to keep the \
  |> conversation on the list, it wont be.
  |>
  |> Was that the intent?
  |
  |This (same-domain From: header and DKIM signature) is  DMARC damage \
  |control.

The very much worth reading RFC 9057 of Dave Crocker defines an
Author: field which can at least be used to fixate the original
From: (or Sender:).  It is (hmm,well) a shame that those who do
invent and push things that break things, at least, do not use it.


Maybe:

* Mung the From: as we do now (we can perhaps do this selectively based 
on the DMARC policy of the sender instead of doing it across the board?)


* Add an Author: header reflecting the original From: header (if one 
does not already exist).


* Add an Original-From: header reflecting the original From:.  This is 
also supported by some MUAs.


* Don't add a Reply-To:.  I actually question if this is really needed 
as we likely want replies to go to the list the vast majority of time 
anyways.  I have seen other lists explicitly exclude this step and it 
works well.



Peter


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 09:07, Matthew McGehrin via Postfix-users wrote:

Hi Peter.

The Reply-To has always been the original poster for 10+ years. No sense 
changing it now. :)


On the contrary, this is the perfect time to change it, if we're going 
to change it.  We've already made a number of changes to where the 
argument of "it's always been like that" is pretty well invalidated at 
this point, imo.



Peter


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 09:12, Gerald Galster via Postfix-users wrote:

Many email clients have a "Reply List" option which goes to the address in the List-Post: header.  
Thunderbird has a "Smart Reply" button that when displaying a message with List-Post: defaults to 
"Reply List". I've found that hiding the normal reply button in TB and enabling the smart reply 
button has made my world way easier when dealing with mailing lists.


Apple Mail doesn't seem to have that feature.
A standard reply goes to the original sender via reply-to, "reply all" goes to 
original sender and list.
This requires manually correcting email addresses, but I'm not complaining.


Indeed, it's a suggestion to help people who use an MUA that does have 
the feature.  I wouldn't consider it a proper fix for the issue from the 
perspective of the list itself.  I find the feature works well in 
Thunderbird and can't speak for other MUAs.



Regarding DKIM: I don't see any benefits with ARC-signing for this list, but 
I'll accept whatever the list admin decides.


I tend to agree, ARC is not well implemented (except for google) and it 
doesn't really say much of anything except that you should trust the 
middle man (whose trust is already in question).  That said, it doesn't 
really hurt to have it and can help for gmail recipients.



Peter


[P-U] Re: New List Host and Reply-to Header

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 09:22, Wietse Venema via Postfix-users wrote:

This list uses Mailman configuration settings, not handcrafted code.
If people believe that it is worthwhile to change the Mailman
implementation or the DMARC spec, then I suggest that they work
with the people responsible for that.


How about this setting?

reply_goes_to_list

If this is set to other than no-munging of Reply-To:, the original 
From: goes in Cc: rather than Reply-To:. This is intended to make MUA 
functions of reply and reply-all have the same effect with messages to 
which mitigations have been applied as they do with other messages.



Peter


[P-U] Re: The joke writes itself.

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 10:04, Dan Mahoney via Postfix-users wrote:

I know that P-U stands for postfix users.  I get it that a short subject tag 
was desired, but would [postfix] have been that much more distracting, without 
adding the obvious third-grader label that might better be held by qmail?


Indeed, please consider changing it.


Peter


[P-U] Re: The joke writes itself.

2023-03-09 Thread Peter via Postfix-users

On 10/03/23 11:09, Wietse Venema via Postfix-users wrote:

I am subscribed to several mailing lists that have [uppercase
abbreviation] as their tag, and that works well. None of those tags
are more than 5 characters long.


I have the opposite experience.  Most of the lists I'm subscribed to 
have relatively longer, more descriptive tags.  Some examples:


[CentOS]
[CentOS-devel]
[CentOS-announce]
[CIRCLE]
[Fail2ban-users]
[SDLU List]
[rocky]
[rocky-announce]
[rocky-devel]

I also have some examples of shorter tags.  At the end of the day the 
current [P-U] rubs me the wrong way because of the childish reference it 
invokes.  I don't want to see postfix associated with that reference in 
any way.


I think that [postfix] or [postfix-users] and [postfix-devel] 
[postfix-announce] are just fine, but if you want shortened versions, 
might I suggest:


[pf] [pf-dev] [pf-ann]


Peter



If I'd change anything I would
delete the '-' in the middle of the current tag.



[pfx] [P-U] Re: The joke writes itself.

2023-03-09 Thread postfix--- via Postfix-users

If I'd change anything I would delete the '-' in the middle of the
current tag.


I'm all in favour, though I'd also be happy with [U], [D], and [A]. :-)



Or we all could be adults and not giggle like little girls at seeing [P-U]


[pfx] Re: [P-U] Re: The joke writes itself.

2023-03-10 Thread Mal via Postfix-users



On 10/03/2023 5:24 pm, Viktor Dukhovni via Postfix-users wrote:
> I was also quite happy with
> no tags at all.

+1 no tags

Mal




[pfx] Re: Fwd: milter-reject: END-OF-MESSAGE

2023-03-10 Thread mailmary--- via Postfix-users

Hello,

Are you using OpenDMARC? If you do, then it's because OpenDMARC is broken and 
crashes on some types of emails.

Look above those log lines for the actual crash, it looks like:

"can't read SMFIC_BODYEOB reply packet header"

Unfortunately, OpenDMARC seems like a dead project so don't expect a fix, maybe 
you should prepare to move to another DMARC verification utility.


If you are not using OpenDMARC then look for the output of the milter that 
caused the 4.7.1 retry error.



On Fri, 10 Mar 2023 11:13:35 +0100 Adrian Huryn via Postfix-users wrote:

> Hello. I have had a problem for a couple of days.
> When DHL tries to send me an email, we get
> Mar 10 11:04:06 poczta postfix/cleanup[26141]: EB48B36AABA: 
> milter-reject: END-OF-MESSAGE from gateway11b.dhl.com[165.72.200.202]: 
> 4.7.1 Try again later; from= 
> to= proto=ESMTP helo=
> 
> And I see I have more of these milter-reject: END-OF-MESSAGE entries in the logs from 
> different domains (gmail etc.)
> 
> I try to add @dhl.com to rbl_override
> in main.cf
> smtpd_client_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    check_client_access hash:/usr/local/etc/postfix/rbl_override,
> 
> But this does not work. Can anyone help me? I don't know what more info I 
> need to send; when I get this info I will add it.
_______
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
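
The log check suggested in the reply above, as an added example (not part of the original message and not Postfix or OpenDMARC code): it pairs each `milter-reject` line with the milter I/O warning logged by the same cleanup process and with a nearby "terminated with signal" line, so tempfails caused by a crashed milter are separated from real milter verdicts and counted per sending host. The log lines are constructed in the layout quoted in this thread, and the 5-second correlation window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the syslog layout quoted in this thread; host names,
# queue IDs, PIDs and the 192.0.2.x / 198.51.100.x addresses are made up.
SAMPLE_LOG = """\
Mar  7 13:18:57 mx opendkim[1883]: 4PWNxA1aaaz1: DKIM verification successful
Mar  7 13:18:58 mx postfix/cleanup[4101]: warning: milter unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet header: Success
Mar  7 13:18:58 mx postfix/cleanup[4101]: 4PWNxA1aaaz1: milter-reject: END-OF-MESSAGE from lists.example.org[192.0.2.10]: 4.7.1 Service unavailable - try again later; proto=ESMTP
Mar  7 13:18:58 mx opendmarc[1877]: terminated with signal 11, restarting
Mar  7 13:25:10 mx postfix/cleanup[4188]: 4PWNxB2bbbz2: milter-reject: END-OF-MESSAGE from mail.example.net[198.51.100.7]: 5.7.1 rejected by DMARC policy for example.net; proto=ESMTP
Mar  7 13:40:02 mx postfix/cleanup[4230]: warning: milter unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet header: Success
Mar  7 13:40:02 mx postfix/cleanup[4230]: 4PWNxC3cccz3: milter-reject: END-OF-MESSAGE from lists.example.org[192.0.2.10]: 4.7.1 Service unavailable - try again later; proto=ESMTP
Mar  7 13:40:03 mx opendmarc[4150]: terminated with signal 11, restarting
Mar  7 14:02:44 mx postfix/cleanup[4302]: warning: milter unix:/var/run/opendmarc/opendmarc.sock: can't read SMFIC_BODYEOB reply packet header: Connection timed out
Mar  7 14:02:44 mx postfix/cleanup[4302]: 4PWNxD4dddz4: milter-reject: END-OF-MESSAGE from mail.example.com[198.51.100.9]: 4.7.1 Service unavailable - try again later; proto=ESMTP
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
WARN = re.compile(r"warning: milter (\S+): can't read (SMFIC_\w+) reply packet header")
REJECT = re.compile(r"(\w+): milter-reject: (\S+) from (\S+)\[([^\]]+)\]: (\d\.\d\.\d) ([^;]*)")
CRASH = re.compile(r"terminated with signal (\d+)")


def parse(log_text, year=2023):
    """Split syslog text into milter I/O warnings, milter rejects and daemon crashes."""
    warns, rejects, crashes = [], [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        prog, pid, msg = m.group(2), m.group(3), m.group(4)
        if w := WARN.search(msg):
            warns.append({"ts": ts, "pid": pid, "socket": w.group(1), "cmd": w.group(2)})
        elif r := REJECT.match(msg):
            rejects.append({"ts": ts, "pid": pid, "queue_id": r.group(1),
                            "stage": r.group(2), "client": r.group(3), "ip": r.group(4),
                            "code": r.group(5), "text": r.group(6).strip()})
        elif c := CRASH.search(msg):
            crashes.append({"ts": ts, "daemon": prog, "signal": int(c.group(1))})
    return warns, rejects, crashes


def classify(log_text, window=timedelta(seconds=5)):
    """Label every milter-reject as a crash, an I/O error, or a milter verdict."""
    warns, rejects, crashes = parse(log_text)
    findings = []
    for rej in rejects:
        # The cleanup process that logs the reject also logged the I/O warning.
        warn = next((w for w in warns if w["pid"] == rej["pid"]
                     and timedelta(0) <= rej["ts"] - w["ts"] <= window), None)
        crash = next((c for c in crashes if abs(c["ts"] - rej["ts"]) <= window), None)
        if warn and crash:
            cause = "milter-crash"       # the milter died while handling this mail
        elif warn:
            cause = "milter-io-error"    # no reply, but no crash logged nearby
        else:
            cause = "milter-verdict"     # the milter itself asked for the reject
        findings.append({**rej, "cause": cause,
                         "socket": warn["socket"] if warn else None,
                         "signal": crash["signal"] if warn and crash else None})
    return findings


def crash_sources(findings):
    """Count crash-induced rejects per sending host."""
    return Counter(f["client"] for f in findings if f["cause"] == "milter-crash")


if __name__ == "__main__":
    results = classify(SAMPLE_LOG)
    for f in results:
        print(f["queue_id"], f["client"], f["code"], f["cause"], f["signal"])
    print(crash_sources(results))
```

A sending host that dominates `crash_sources` while other mail is classified as verdicts points at something specific in that host's messages, which is the pattern reported in this thread.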


[pfx] about openSRS for forwarding

2023-03-10 Thread pyh--- via Postfix-users
Hello,




I am running a postfix server for email forwarding.

Should I enable openSRS for this forwarding service? What's the flaw in SRS?




Thanks.

Yong


[pfx] Re: [P-U] Re: Postfix lists are migrating to a new list server

2023-03-10 Thread mailmary--- via Postfix-users


The problem with dkimpy/dkimpy-milter, is that they don't exist in enterprise 
distros (Alma, Rocky, Oracle) via EPEL.


The popularity of opendkim/opendmarc is due to their packages being available 
via EPEL.


Looking at the opendkim/opendmarc right now, they appear dead over the past 2 
years or so, which is sad really. I hope the project owners decide to either 
close the projects or give them away to someone else. There is no reason to 
beat a dead horse.



On Fri, 10 Mar 2023 10:19:40 -0500 PGNet Dev via Postfix-users wrote:

> ime, dkimpy/dkimpy-milter are great alternatives to opendkim stagnation/bloat
> 
> here, in production on Fedora boxes,
> 
>   Name: dkimpy
>   Version: 1.1.0
> 
>   Name: dkimpy-milter
>   Version: 1.2.3
> 
> have been working with postfix with no issues at all, at least for my use 
> cases.
> 
> much appreciated!


[pfx] Re: [P-U] Re: Postfix lists are migrating to a new list server

2023-03-10 Thread mailmary--- via Postfix-users


Unfortunately, due to company policy, I can only work with RPM packages from 
either the default repo or EPEL and nothing else. I know several other 
companies that have the same rule. It's not something that I can change, so I 
work with what I have.



On Fri, 10 Mar 2023 11:14:14 -0500 PGNet Dev via Postfix-users wrote:

> > The problem with dkimpy/dkimpy-milter, is that they don't exist in 
> > enterprise distros (Alma, Rocky, Oracle) via EPEL.  
> FWIW, it's a trivial install with python/pip, and plays nicely in a venv.  
> works a charm here.
> 
> rpm spec's also straightforward.
> 
> here's one for Fedora,
> 
>   
> https://src.fedoraproject.org/rpms/python-dkimpy/blob/rawhide/f/python-dkimpy.spec
> 
> none's built for EPEL atm, but the infrastructure is there,
> 
>   https://src.fedoraproject.org/rpms/python-dkimpy
> 
> any interested party could certainly chime in there
> 
> should be similar for dkimpy-milter ...


[pfx] MySQL error from not all the receiver

2023-03-11 Thread antonino.dimauro--- via Postfix-users

Hi to all,

this is my first Postfix configuration.
I create virtual users in a mariadb database.
I implemented TLS security.
Until now, I used an external smarthost to send mail to external 
destinations.

It works fine!

Now I have implemented DKIM with OpenDKIM, added a DMARC record and improved the SPF 
record, but (and here I don't understand why) sometimes, not for all 
addresses, my mail remains in the queue.


In the log when it happens, I can see this:

- postfix/smtp[313760]: warning: connect to mysql server localhost: Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)

- postfix/smtp[313760]: warning: mysql:/etc/postfix/mysql_virtual_alias_maps.cf lookup error for "mail.any_external_domain.it"

- postfix/smtp[313760]: warning: 839744C0210: smtp_sasl_password_maps lookup error


smtp_sasl_password_maps is configured with connection parameters for the db 
connection and a simple select query.


I think that if I had made a configuration mistake, the mails would never be sent, so why 
does it work sometimes and sometimes not?



If I send an internal mail, it always works fine!
If I send a mail to my private gmail, it always works fine!
If I use the external smarthost, this mail is always sent regularly.

What can I check?
Is the problem the server configuration or the SPF record?


Many thanks to all...

Regards.

Antonio


[pfx] Re: MySQL error from not all the receiver

2023-03-11 Thread postfix--- via Postfix-users

some times, for not all of address, my mail remaining in queue



what can i check?
is the problem the server configuration or the SPF record?



Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock'



The problem isn't SPF. The problem is postfix can't open the database to 
continue processing, so it has to give up and put the mail in queue to try 
again later. You need to figure out why postfix can't connect to the database. 
Is the database stopped? Is it on the same server as postfix? Does the socket 
have the correct permissions? Is postfix running in chroot denying access? 
Selinux issue?



[pfx] Re: MySQL error from not all the receiver

2023-03-11 Thread antonino.dimauro--- via Postfix-users

On 2023-03-11 14:23 postfix--- via Postfix-users wrote:

some times, for not all of address, my mail remaining in queue



what can i check?
is the problem the server configuration or the SPF record?


Can't connect to local MySQL server through socket 
'/run/mysqld/mysqld.sock'



The problem isn't SPF. The problem is postfix can't open the database
to continue processing, so it has to give up and put the mail in queue
to try again later. You need to figure out why postfix can't connect
to the database. Is the database stopped? Is it on the same server as
postfix? Does the socket have the correct permissions? Is postfix
running in chroot denying access? Selinux issue?




Thanks for your reply.
I think the problem is the "sasl-password" authentication file.

Actually, I tried two ways to configure this file:

1.
user = myuser
password = xxx
hosts = localhost
dbname = maildb
table = mailbox
select_field = password
where_field = username

2.

user = myuser
password = xxx
hosts = localhost
dbname = maildb

query = SELECT password FROM mailbox WHERE username = '%s' AND active = '1'




and then the "postmap" command.

Is it correct?



The problem isn't SPF. The problem is postfix can't open the database

to continue processing, so it has to give up and put the mail in queue
to try again later. You need to figure out why postfix can't connect
to the database. Is the database stopped? Is it on the same server as
postfix? Does the socket have the correct permissions? Is postfix
running in chroot denying access? Selinux issue?


It's Debian 11, the db is active, and if I send a mail to my gmail, it works!
I do not understand: if it were a db connection problem, I would never manage to send 
mail to my gmail either. Do you agree?




[pfx] Fwd: Re: MySQL error from not all the receiver

2023-03-11 Thread antonino.dimauro--- via Postfix-users

OK, thanks.

But what is the correct syntax for the db connection to set in sasl_password?

How should I write it?

Now I will try to follow the suggestions in your first mail...


 Original message 
Subject: [pfx] Re: MySQL error from not all the receiver
Date: 2023-03-11 16:26
From: Gerald Galster via Postfix-users 
To: Postfix users 
Reply-To: Gerald Galster 


> i think the problem is "sasl-password" authentication file.


No, your problem is related to mysql which is a database (daemon),
that is accessed via sockets, not a file.


> [...]
> query = SELECT password FROM mailbox WHERE username = '%s' AND active = '1'
>
> and then "postmap" command.
>
> it's correct ?


No, "query = SELECT password ..." is a database / SQL query, that
has nothing to do with plain files.

Postfix talks to mysql directly, there is no postmap involved.
Postmap is used when converting plain files to e.g. indexed formats
like hash/btree/lmdb/cdb. Those can be seen as database files but
unlike mysql there is no server process running in the background.
Therefore they are accessed in a different way, not via sockets.

In my first mail I gave hints where to spot mysql problems.

Best regards,
Gerald
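
One way to check the chroot question raised earlier in this thread, as an added example that is not part of the original messages or of Postfix: it parses master.cf, lists the services that run a given daemon chrooted, and shows where such a daemon would look for the socket named in the logged warning. The master.cf excerpt is constructed, and `/var/spool/postfix` is assumed as the queue directory (the usual default).

```python
import posixpath

# Constructed master.cf excerpt for illustration; not taken from the thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o syslog_name=postfix/$service_name
local     unix  -       n       n       -       -       local
"""


def parse_master_cf(text):
    """Return one dict per service entry.

    A line that starts with whitespace continues the previous entry,
    which is how multi-line "-o" overrides are written.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = []
    for line in logical:
        fields = line.split(None, 7)
        if len(fields) < 8:
            continue  # not a complete service entry
        services.append({
            "name": fields[0],
            "type": fields[1],
            "chroot": fields[4],   # "y", "n", or "-" for the built-in default
            "command": fields[7],
        })
    return services


def chrooted_services(services, program):
    """Names of services that run `program` with the chroot column set to "y"."""
    return [
        "%s/%s" % (s["name"], s["type"])
        for s in services
        if s["command"].split()[0] == program and s["chroot"] == "y"
    ]


def path_inside_chroot(path, queue_directory="/var/spool/postfix"):
    """File a chrooted daemon actually opens when it is handed `path`."""
    return posixpath.join(queue_directory, path.lstrip("/"))


if __name__ == "__main__":
    hits = chrooted_services(parse_master_cf(SAMPLE_MASTER_CF), "smtp")
    print("chrooted smtp(8) services:", hits)
    # Socket path as logged in the thread's warning.
    print("socket must exist at:", path_inside_chroot("/run/mysqld/mysqld.sock"))
```

A "-" in the chroot column means the built-in default, which differs between Postfix versions, so those entries need a look at the installed version as well.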


[pfx] Fwd: Re: MySQL error from not all the receiver

2023-03-11 Thread antonino.dimauro--- via Postfix-users

OK, I will try to read up on it.
If you have any links, I would be grateful...

 Original message 
Subject: [pfx] Re: MySQL error from not all the receiver
Date: 2023-03-11 17:34
From: Gerald Galster via Postfix-users 
To: Postfix users 
Reply to: Gerald Galster 

> smtp_sasl_password_maps is configured with a connection parameter to db 
> connection and a simply select query.
>
> [...]
> if i use external smarthost, this mail is always sent regularly.


I am also not sure what you want to achieve:

https://www.postfix.org/postconf.5.html#smtp_sasl_password_maps

###
smtp_sasl_password_maps (default: empty)

Optional Postfix SMTP client lookup tables with one username:password 
entry per sender, remote hostname or next-hop domain. Per-sender lookup 
is done only when sender-dependent authentication is enabled. If no 
username:password entry is found, then the Postfix SMTP client will not 
attempt to authenticate to the remote host.

###

smtp_* keys are for outgoing connections, like with your external 
smarthost.

With smtp_sasl_password_maps you can configure credentials that are used 
when you are submitting emails via an external smarthost that requires smtp
authentication.

In case you want postfix to send mails directly you don't need 
smtp_sasl_password_maps.
In case you want to authenticate your own users submitting mails via 
submission (e.g. port 587) you need other means like saslauthd or dovecot.

Best regards,
Gerald


[pfx] use object storage as message store

2023-03-11 Thread pyh--- via Postfix-users

Hello list,

Is it possible to use an object storage system (like aws's S3) to store 
message files? if this can be implemented we may have a more persistent 
storage for email. AFAIK aws's S3 has three replicas for each file in 
their system by default.


Thanks
Yong


[pfx] Integrating a new milter with Postfix

2023-03-12 Thread EML via Postfix-users
I've written a before-queue milter that I'm trying to integrate with 
Postfix, but there doesn't seem to be any specific documentation on how 
to do this. During development, I ran the milter manually, listening on 
port 7950, with nothing in master.cf, and this in main.cf:


smtpd_milters = inet:localhost:7950
non_smtpd_milters = $smtpd_milters

This works. For production, I'd like to get Postfix to run the milter, 
so I've added this to master.cf:


7950  inet  n  y  n  0  - samilter { -p inet:7950@localhost }

In other words, I want Postfix to run program 'samilter', with arguments 
'-p inet:7950@localhost'. This doesn't work, because 'samilter' is 
actually run with lots of additional arguments that I don't recognise. 
When samilter fails it adds this to the system mail log:


usage error (samilter -n 7950 -t inet -u -o stress= -s 2 -p inet:7950@localhost)


So Postfix is running it with additional arguments '-n 7950 -t inet -u 
-o stress= -s 2'.


Is there a list of additional arguments that I can ignore? Or do I 
actually need any of these arguments? I can run the milter as a service, 
if necessary, instead of adding an entry in master.cf, but this feels 
like the wrong way to do this. Thanks.




[pfx] Re: Integrating a new milter with Postfix

2023-03-12 Thread EML via Postfix-users



On 12/03/2023 12:49, David Bürgin via Postfix-users wrote:

> EML:
>
> > I can run the milter as a service, if necessary, instead of adding an entry in 
> > master.cf, but this feels like the wrong way to do this. Thanks.
>
> But note that this is how milters are normally operated, eg milters
> installed from a distro package.


That's a surprise - thanks. I've just checked and seen that opendkim and 
opendmarc set up init-style services. I'll do a systemd service for this 
milter, but I'd be interested to hear if there's any policy or other 
advice about whether we should be using master.cf or a service.






[pfx] Re: MySQL error from not all the receiver

2023-03-13 Thread mailmary--- via Postfix-users


out of curiosity, why do you want to use an SQL database? Do you have more than 
1,000,000 email accounts?

I don't really see any benefit by using SQL for small to medium sized systems.



On Mon, 13 Mar 2023 13:26:47 +0100 Antonino Di Mauro via Postfix-users wrote:

> It seems I found the problem.
> 
> With a hash file it works fine!
> 
> With the MySQL DB, I found out Postfix does not read the encrypted password.
> 
> Effectively, in my db the password field is encrypted.
> 
> 
> although I don't understand why it sends it to Gmail...
> 
> 
> Any suggestions?
> 
> Thanks
> 
> 
> 
> On 11/03/23 13:46, antonino.dimauro--- via Postfix-users wrote:
> > Hi to all,
> >
> > this is my first Postfix configuration.
> > I created virtual users in a MariaDB database.
> > I implemented TLS security.
> > Until now, I used an external smarthost to send mail to external 
> > destinations.
> > It works fine!
> >
> > Now I have implemented DKIM with OpenDKIM, added a DMARC record and improved 
> > the SPF record, but (and here I don't understand why) sometimes, for not all 
> > addresses, my mail remains in the queue.
> >
> > In the log when it happens, i can see this:
> >
> > - postfix/smtp[313760]: warning: connect to mysql server localhost: 
> > Can't connect to local MySQL server through socket 
> > '/run/mysqld/mysqld.sock' (2)
> >
> > - postfix/smtp[313760]: warning: 
> > mysql:/etc/postfix/mysql_virtual_alias_maps.cf lookup error for 
> > "mail.any_external_domain.it"
> >
> > - postfix/smtp[313760]: warning: 839744C0210: smtp_sasl_password_maps 
> > lookup error
> >
> > smtp_sasl_password_maps is configured with connection parameters for the 
> > db connection and a simple select query.
> >
> > I think that if I had made a configuration mistake, the mails would never 
> > be sent; why sometimes yes and sometimes no?
> >
> >
> > If I send an internal mail, it always works fine!
> > If I send a mail to my private Gmail, it always works fine!
> > If I use the external smarthost, this mail is always sent regularly.
> >
> > What can I check?
> > Is the problem the server configuration or the SPF record?
> >
> >
> > Many thanks to all...
> >
> > Regards.
> >
> > Antonio


[pfx] Re: MySQL error from not all the receiver

2023-03-13 Thread mailmary--- via Postfix-users


for only 200 users, you are adding a lot of complexity with an SQL database and 
no real benefits.

my suggestion for small systems, is to use dovecot with the Maildir format, and 
to separate domains/virtual hosts as separate system users, thus email accounts 
are stored as (for example the email i...@domain.com) : 
/home/domain/mail/domain.com/mail/info

email accounts can be stored as simple passwd files under : 
/home/domain/etc/domain.com/passwd

a system like that can easily handle thousands of email accounts. An extra 
benefit, is that each domain is isolated and separated from other account 
domains, which is something supported by SELinux on enterprise linux distros 
(Alma, Rocky, Oracle, etc).

no need for an SQL database.



On Mon, 13 Mar 2023 13:42:42 +0100 Antonino Di Mauro via Postfix-users wrote:

> about 200 users...
> 
> 
> On 13/03/23 13:33, mailmary--- via Postfix-users wrote:
> > out of curiosity, why do you want to use an SQL database? Do you have more 
> > than 1,000,000 email accounts?
> >
> > I don't really see any benefit by using SQL for small to medium sized 
> > systems.
> >


[pfx] Simple send-only postfix config

2023-03-15 Thread Fongaboo via Postfix-users



/etc/postfix/main.cf:


# See /usr/share/postfix/main.cf.dist for a commented, more complete version


smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

#myhostname = al-rtmp01
myhostname = 
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, , localhost.localdomain, localhost

relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128

mailbox_size_limit = 0
recipient_delimiter = +
#inet_interfaces = all
#inet_interfaces = loopback-only
inet_interfaces = 127.0.0.1,
inet_protocols = all


[pfx] Simple Backup MX with relay recipient validation

2023-03-15 Thread Fongaboo via Postfix-users



/etc/postfix/main.cf:


compatibility_level=2

myhostname = 
smtpd_banner = $myhostname ESMTP
mynetworks =  127.0.0.0/24
maximal_queue_lifetime = 10d

relay_domains = hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/transport_maps

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/relay_recipients, reject



/etc/postfix/relay_domains:

firstdomain.tld OK
.
.
.
lastdomain.tld  OK



/etc/postfix/transport_maps:

firstdomain.tld ::
.
.
.
lastdomain.tld  ::



/etc/postfix/relay_recipients:

firstu...@domain.tld    OK
.
.
.
lastu...@domain.tld OK



run postmap  on relay_domains, relay_recipients, transport_maps

restart postfix.


[pfx] Re: A new Postfix book in the making - "Run Your Own Mail Server"

2023-03-17 Thread pyh--- via Postfix-users
Nice release. Does he need a Japanese translator?

regards
Yong



[pfx] Re: list.sys4.de fails with starttls

2023-03-17 Thread mailmary--- via Postfix-users


same here, it appears like someone is doing tests on their end, because these 
errors first appeared today and only for a few hours.



On Fri, 17 Mar 2023 14:17:19 +0100 Benny Pedersen via Postfix-users wrote:

> Mar 17 11:38:31 localhost postfix/smtpd[22150]: lost connection after 
> STARTTLS from list.sys4.de[2a03:4000:10:51d:b8ce:63ff:feca:a5a0]
> Mar 17 12:09:10 localhost postfix/smtpd[23415]: lost connection after 
> STARTTLS from list.sys4.de[2a03:4000:10:51d:b8ce:63ff:feca:a5a0]
> 
> maybe it works ?
> 
> can i make it not happen ?
> 
> this have never seen on cloud9
> 
> 
> 


[pfx] Re: list.sys4.de fails with starttls

2023-03-17 Thread postfix--- via Postfix-users

My server [204.10.37.139] also.

Mar 17 07:32:36 host postfix/smtpd[1474828]: connect from list.sys4.de[188.68.34.52]
Mar 17 07:32:36 host postfix/smtpd[1474828]: SSL_accept error from list.sys4.de[188.68.34.52]: lost connection
Mar 17 07:32:36 host postfix/smtpd[1474828]: lost connection after STARTTLS from list.sys4.de[188.68.34.52]
Mar 17 07:32:36 host postfix/smtpd[1474828]: disconnect from list.sys4.de[188.68.34.52] ehlo=1 starttls=0/1 commands=1/2

I have 12 of these attempts so far today.
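
Counting these failures per client from the smtpd disconnect summaries, as an added example that is not part of the original post: in a field such as `starttls=0/1` the first number is the count of successful commands and the second the count attempted. The log lines below are constructed in the same format, with documentation hosts and addresses.

```python
import re

# Constructed sample in the format quoted above; hosts and addresses are
# documentation values, not the ones from the thread.
SAMPLE_LOG = """\
Mar 17 07:32:36 host postfix/smtpd[1001]: connect from mx.example.net[192.0.2.10]
Mar 17 07:32:36 host postfix/smtpd[1001]: SSL_accept error from mx.example.net[192.0.2.10]: lost connection
Mar 17 07:32:36 host postfix/smtpd[1001]: lost connection after STARTTLS from mx.example.net[192.0.2.10]
Mar 17 07:32:36 host postfix/smtpd[1001]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Mar 17 07:40:02 host postfix/smtpd[1002]: disconnect from mail.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar 17 08:01:11 host postfix/smtpd[1003]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Mar 17 08:05:30 host postfix/smtpd[1004]: disconnect from unknown[203.0.113.5] ehlo=1 auth=0/1 commands=1/2
Mar 17 11:38:31 host postfix/smtpd[1005]: disconnect from list.example.com[2001:db8::a5a0] ehlo=1 starttls=0/1 commands=1/2
"""

# The bracketed address may be IPv4 or IPv6, so match up to the closing bracket.
DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\](?P<stats>.*)$")
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")


def starttls_stats(log_text):
    """Per client address: [successful, attempted] STARTTLS counts."""
    per_client = {}
    for line in log_text.splitlines():
        match = DISCONNECT.search(line)
        if not match:
            continue
        for name, ok, total in STAT.findall(match.group("stats")):
            if name != "starttls":
                continue
            ok = int(ok)
            total = int(total) if total else ok  # "starttls=1" means 1 of 1
            entry = per_client.setdefault(match.group("ip"), [0, 0])
            entry[0] += ok
            entry[1] += total
    return per_client


def failing_clients(log_text, min_failures=2):
    """Clients with at least `min_failures` STARTTLS attempts that did not complete."""
    return {
        ip: total - ok
        for ip, (ok, total) in starttls_stats(log_text).items()
        if total - ok >= min_failures
    }


if __name__ == "__main__":
    for ip, failures in sorted(failing_clients(SAMPLE_LOG).items()):
        print("%s: %d failed STARTTLS handshakes" % (ip, failures))
```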


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users

On 19/03/23 09:08, Steffen Nurpmeso via Postfix-users wrote:

> I still have no problems with
>
>    smtpd_tls_mandatory_protocols = >=TLSv1.2


This is fine, so long as you don't have a user that can't support at 
least TLSv1.2 that needs to use submission.



>    smtpd_tls_protocols = $smtpd_tls_mandatory_protocols


This will simply result in clients that can't support at least TLSv1.2 
connecting in plain text instead.  So rather than having (arguably not 
so) poor encryption for those clients you would rather have no encryption 
at all?  This does not make any sense.



>    # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection..
>    tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20


I would avoid messing with this setting unless you really understand 
what you are doing, and even then it's not a very good idea.  You could 
end up causing some clients to be unable to establish a connection or on 
the flip side you could inadvertently be enabling a cipher that ends up 
becoming vulnerable in the future unless you stay on top of this setting 
and remove it from the list.  Note that the default for this setting is 
taken from openssl so when a vulnerability does get found in a cipher 
you will get an update to openssl from your OS vendor which will remove 
that cipher from the list, unless you do something like override it like 
you are doing above.



>    smtpd_tls_mandatory_ciphers = high


This is fine.


Peter


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users

On 19/03/23 02:54, Gerd Hoerst via Postfix-users wrote:

> I setup my postfix for the clients to use only  protocols > TLSv1 with
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1


A better way to do this is:
smtpd_tls_protocols = >=TLSv1.1


> smtpd_tls_protocols   = !SSLv2,!SSLv3,!TLSv1


Don't do this!  All you will accomplish is to force clients that don't 
support at least TLSv1.1 to connect in plain text instead.  No 
encryption is never better than (arguably not very) weak encryption.



> in main.cf
>
> but unfortunately i have a sender (its a printer) which is not capable 
> for TLSv1.1 and up..


As others have pointed out, TLSv1.0 is not that bad for smtp.  Others 
have posted a solution for this, but honestly I would just allow >=TLSv1 
and not worry about it.



Peter


[pfx] Re: Allow TLSv1 only for internal senders

2023-03-18 Thread Peter via Postfix-users

On 19/03/23 07:44, Matus UHLAR - fantomas via Postfix-users wrote:

> I would generally allow the printer to use port 25.


Port 25 is not a submission port and should not be used as such.  Keep 
your submission separate from your MX traffic and you will avoid a whole 
heap of issues down the road.


If you want a separate port for the printer then just create one in 
master.cf:


10465 inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/10465
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions
  -o milter_macro_daemon_name=ORIGINATING

...or similar for a submission (non-wrappermode) port.


Peter


[pfx] Re: Fwd: Re: Re: Allow TLSv1 only for internal senders

2023-03-19 Thread Peter via Postfix-users

On 19/03/23 12:13, Steffen Nurpmeso via Postfix-users wrote:

>  |>smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
>  |
>  |This will simply result in clients that can't support at least TLSv1.2
>  |connecting in plain text instead.  So rather than having (arguably not
>  |so) poor encryption for those clients you would rather have no encryption
>  |at all?  This does not make any sense.
>
> There is none.  I have looked, there is only a single server of
> value, and it does not even try starttls.  (And he won the USENIX
> Flame award.)


Assuming you are correct then you still gain nothing with this setting, 
and if you are not correct then it will cause you to downgrade potential 
encrypted connections to plain text.  I know someone will likely argue 
with me, but I can really think of no valid reason to set this.



Peter
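
An added example (not code from the thread or from Postfix) for the point made in this reply and in the 2023-03-18 replies about smtpd_tls_protocols versus smtpd_tls_mandatory_protocols: it reads main.cf text, resolves `$name` references, and lists the legacy TLS versions that the opportunistic setting turns off. The protocol-list parser is a simplified model of the Postfix syntax, and the two main.cf fragments are constructed from settings quoted in the thread.

```python
import re

KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"TLSv1", "TLSv1.1"}

# Constructed main.cf fragments built from the settings quoted in the thread.
STRICT = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = $smtpd_tls_mandatory_protocols
"""
RELAXED = """\
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1
smtpd_tls_protocols = >=TLSv1
"""


def parse_main_cf(text):
    """name -> value; a line starting with whitespace continues the previous one."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
        elif "=" in raw:
            last, value = (part.strip() for part in raw.split("=", 1))
            params[last] = value
    return params


def expand(value, params, depth=0):
    """Resolve $name and ${name} references to parameters set in the same file."""
    if depth > 10:  # guard against self-referencing values
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1),
                  value)


def allowed_protocols(spec):
    """Protocols left enabled by a list such as '!SSLv2, !TLSv1' or '>=TLSv1.2'.

    Simplified model: raises ValueError for a protocol name it does not know.
    """
    allowed, listed = set(KNOWN), set()
    for token in filter(None, re.split(r"[,\s]+", spec.strip())):
        if token.startswith(">="):
            allowed &= set(KNOWN[KNOWN.index(token[2:]):])
        elif token.startswith("<="):
            allowed &= set(KNOWN[:KNOWN.index(token[2:]) + 1])
        elif token.startswith("!"):
            allowed.discard(token[1:])
        else:
            listed.add(token)  # explicit inclusion: only listed names stay on
    return allowed & listed if listed else allowed


def legacy_disabled_for_opportunistic(main_cf_text):
    """Legacy TLS versions that smtpd_tls_protocols switches off (empty if unset)."""
    params = parse_main_cf(main_cf_text)
    spec = params.get("smtpd_tls_protocols")
    if spec is None:
        return []
    return sorted(LEGACY - allowed_protocols(expand(spec, params)))
```

A non-empty result is the condition described in the replies: a client limited to those versions cannot negotiate opportunistic TLS with this server.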


[pfx] Re: difference between relay and smtp

2023-03-22 Thread fh--- via Postfix-users

Relay uses SMTP protocol, as well as submission.


On 2023-03-22 20:32, Gino Ferguson via Postfix-users wrote:

> Hi,
>
> Can you explain me the practical difference between relay and smtp 
> delivery on a relay server?
>
> Thanks!
> G.


[pfx] Test Post - Please Ignore

2023-03-22 Thread duluxoz via Postfix-users

Sorry Everyone, but I need to test if my posts are going through

Please ignore (or feel free to send me a confirmation)

Cheers

Dulux-Oz


[pfx] Test Post - Please Ignore

2023-03-22 Thread duluxoz via Postfix-users

Thanks Guys  :-)

