On Thu, Aug 19, 2021 at 02:44:44PM +1000, raf wrote:
> > Is google / gmail using it yet?
> > Last I knew they weren't using DNSSEC or DANE.
>
> Nope.
Actually, yes to some extent. See my more detailed response.
> But it's still a very small percentage overall.
I'm tracking ~15.8 million DNSSE
On Wed, Aug 18, 2021 at 10:03:06PM -0400, post...@ptld.com wrote:
> > The adoption of DNSSEC seems to have increased a lot in
> > the past 12 months (~30% increase).
>
> Is google / gmail using it yet?
> Last I knew they weren't using DNSSEC or DANE.
Nope.
> host -t ds google.com
google.com
On Wed, Aug 18, 2021 at 10:03:06PM -0400, post...@ptld.com wrote:
> > The adoption of DNSSEC seems to have increased a lot in
> > the past 12 months (~30% increase).
>
> Is google / gmail using it yet?
There are 4 GMail MX hosts that are not publicised by Google,
but are DNSSEC signed:
mx[1
On Wed, Aug 18, 2021 at 11:04:10AM +0200, Marcel de Riedmatten
wrote:
> On Wednesday, 18 August 2021 at 17:45 +1000, raf wrote:
> >
> > I'll need to find out how to replace one certificate
> > with the other as well.
>
> Keep in mind that both certificates will have a different path. It goes
> s
The adoption of DNSSEC seems to have increased a lot in
the past 12 months (~30% increase).
Is google / gmail using it yet?
Last I knew they weren't using DNSSEC or DANE.
On Wed, Aug 18, 2021 at 09:52:38PM +0200, Ralph Seichter
wrote:
> * raf:
>
> > If you don't mind having a key that lasts "forever", you only
> > need one(!) extra line in Bind's zone config, and one(!) manual
> > interaction with your domain registrar.
>
> Well, sort of. As per default setting
> On 18 Aug 2021, at 4:35 pm, Ralph Seichter wrote:
>
> I still use RSA keys (algorithm 8). My main point is that I find it more
> convenient to only roll ZSK, and to only place KSK data into the parent
> zone. The latter requires me to ask my hosting provider to manually
> update key material in
* Viktor Dukhovni:
> With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive
> to rotate keys frequently (~90 days) is substantially lower [...]
I still use RSA keys (algorithm 8). My main point is that I find it more
convenient to only roll ZSK, and to only place KSK data into the
> On 18 Aug 2021, at 3:52 pm, Ralph Seichter wrote:
>
> Well, sort of. As per default settings, BIND does not appear to create a
> key signing key (KSK) / zone signing key (ZSK) pair, but instead one
> single key to sign each zone. That's sufficient from a technical
> perspective, but whenever th
* raf:
> If you don't mind having a key that lasts "forever", you only need
> one(!) extra line in Bind's zone config, and one(!) manual interaction
> with your domain registrar.
Well, sort of. As per default settings, BIND does not appear to create a
key signing key (KSK) / zone signing key (ZSK
* Ken N.:
> does ubuntu linux have the keystone chain management? thanks.
"Keychain" is Apple's name for an application that deals with
system-wide and user-specific passwords, certificates, and other
sensitive information. Ubuntu uses a different mechanism, as do the
other Linux distributions. S
On Wed, Aug 18, 2021 at 12:27:36PM -0700, Ron Garret wrote:
> > Milters are primarily for content filtering,
>
> Sure, but...
>
> > they don't or shouldn’t affect address rewriting and message routing.
>
> That doesn’t make sense to me. One of the main uses of a milter is to
> sequester mail w
On Aug 18, 2021, at 12:13 PM, Viktor Dukhovni
wrote:
>> On 18 Aug 2021, at 3:07 pm, Ron Garret wrote:
>>
>>> If you want different processing for inbound and outbound mail,
>>> use separate Postfix instances configured appropriately to the
>>> task at hand.
>>
>> There is a useful distincti
> On 18 Aug 2021, at 3:07 pm, Ron Garret wrote:
>
>> If you want different processing for inbound and outbound mail,
>> use separate Postfix instances configured appropriately to the
>> task at hand.
>
> There is a useful distinction to be made between mail that is injected into
> the system by
> On 18 Aug 2021, at 3:01 pm, post...@ptld.com wrote:
>
>> A useful rubric to keep in mind is:
>> * There's no such thing as outbound mail,
>>   all mail comes in, and then it goes out...
>> Any notion of incoming or outgoing is a mental model you overlay on
>> your use of the Postfix MTA, the a
On Aug 18, 2021, at 11:55 AM, Viktor Dukhovni
wrote:
> If you want different processing for inbound and outbound mail,
> use separate Postfix instances configured appropriately to the
> task at hand.
There is a useful distinction to be made between mail that is injected into the
system by an
A useful rubric to keep in mind is:
* There's no such thing as outbound mail,
all mail comes in, and then it goes out...
Any notion of incoming or outgoing is a mental model you overlay on
your use of the Postfix MTA, the actual MTA is just a message switch.
The expansion of virtual alias
> On 18 Aug 2021, at 2:50 pm, post...@ptld.com wrote:
>
> It is an all or nothing situation? To not "expand" that means not having
> alias lookup at all even for incoming messages? The fact I have virtual alias
> lookup for incoming that means postfix will by default use that for outgoing?
> No
Don't expand the alias.
I don't understand this. As far as I know, *I'M* not expanding the
alias.
Is this a setting in postfix? Is this a default behavior?
You are expanding the alias, by configuring a virtual(5) alias table
entry with an expansion for the alias. To not expand the alias, use
> On 18 Aug 2021, at 2:41 pm, post...@ptld.com wrote:
>
>> Don't expand the alias.
>
> I don't understand this. As far as I know, *I'M* not expanding the alias.
> Is this a setting in postfix? Is this a default behavior?
You are expanding the alias, by configuring a virtual(5) alias table
entry w
Is there any way to prevent this behavior? Have the third server just
send the email to who it was told to send it to, the alias address.
Don't expand the alias.
I don't understand this. As far as I know, *I'M* not expanding the alias.
Is this a setting in postfix? Is this a default behavior?
post...@ptld.com:
> > I'm confused by this situation. Two separate independent servers both
> > running same version of postfix and both setup the same way with
> > virtual users and alias address stored in SQL.
>
> Okay, I think I figured out what is going on. On the second server that
> I'm sendi
post...@ptld.com:
> I'm confused by this situation. Two separate independent servers both
> running same version of postfix and both setup the same way with virtual
> users and alias address stored in SQL.
>
> main.cf:
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> virtual_mai
I'm confused by this situation. Two separate independent servers both
running same version of postfix and both setup the same way with
virtual users and alias address stored in SQL.
Okay, I think I figured out what is going on. On the second server that
I'm sending email to, I'm sending from a thi
I'm confused by this situation. Two separate independent servers both
running same version of postfix and both setup the same way with virtual
users and alias address stored in SQL.
main.cf:
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_maps = proxy:mysql:/etc/postf
>
> Why not:
> # postconf -M 'policyd-spf/unix=policyd-spf unix - n n - 0 spawn
> argv=/usr/bin/policyd-spf ...'
>
> As documented "postconf -P" is for '-o parameter=value' not for
> other command-line arguments.
Thanks! Definitely a case of asking the question and discovering the right
answer a
Robert Pufky:
> Currently I can create the service:
> $ postconf -M 'policyd-spf/unix=policyd-spf unix - n n - 0 spawn'
>
> But attempting to add additional args not using "-o" fails:
> $ postconf -M 'policyd-spf/unix=policyd-spf unix - n n - 0 spawn'
> $ postconf -P 'policyd-spf/unix/user=policyd
Heya Folks,
When managing the master.cf file with postconf, specific services requiring
additional options not using "-o" fail.
I want to have an end state of:
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Currently I can create t
On Wed, 2021-08-18 at 15:59 +1000, raf wrote:
>
> Database files used with
> sender_dependent_relayhost_maps need either an email
> address or a @domain on the left hand side.
>
> You are trying to use shell glob-style patterns instead
> of email addresses or @domains. I don't think
> glob-style
On Wed, 2021-08-18 at 00:43 -0400, Viktor Dukhovni wrote:
> On Tue, Aug 17, 2021 at 09:18:08PM -0400, fp145 wrote:
>
> > Aug 18 02:58:09 libertyfp postfix/lmtp[11706]: D0C4941E97:
> > to=, orig_to=,
> > relay=mail.libertyfp.org[private/dovecot-lmtp], delay=0.96,
> > delays=0.91/0.02/0.02/
Wietse Venema:
> Ron Garret:
> > Is there an easy way to tell postfix to send a copy of every message
> > it receives to a "shadow server" in a way that preserves the SMTP
> > envelope? I'm trying to tune a spam filter on actual data, but I
> > don't want to do it on my production server because t
Ron Garret:
> Is there an easy way to tell postfix to send a copy of every message
> it receives to a "shadow server" in a way that preserves the SMTP
> envelope? I'm trying to tune a spam filter on actual data, but I
> don't want to do it on my production server because the tuning is
> likely to
On 17.08.2021 at 17:35:18, Viktor Dukhovni wrote:
>
> Unless you have friends in high places at Gmail, or manage to get law
> enforcement interested, you're unlikely to get much feedback.
I think it would be good to forward all this thread to mai...@mailop.org
mailing list (details at https
On Wednesday, 18 August 2021 at 17:45 +1000, raf wrote:
>
> I'll need to find out how to replace one certificate
> with the other as well.
Keep in mind that both certificates will have a different path. It goes
so:
1) create the new certificate
2) add a TLSA record to the zone for the new key and
On Wed, Aug 18, 2021 at 08:53:40AM +0200, Marcel de Riedmatten
wrote:
> On Wednesday, 18 August 2021 at 14:32 +1000, raf wrote:
> >
> > It would be great if certbot supported multiple simultaneous
> > certificates
> > for a domain, so that the next certificate could be ready in advance.
> > Then