[pfx] Re: inet_interfaces unable to deal with IPv6 link-local addresses

2025-05-28 Thread Allen Coates via Postfix-users
On 28/05/2025 02:14, Daniel Roesen via Postfix-users wrote: > Hi, > > Postfix fails to start up due to inability to deal with inet_interface = > $myhostname resolving to (also) IPv6 link-local address(es): > > postfix/postfix-script[1200]: starting the Postfix mail system > postfix/master[1202]: f

[pfx] Re: quieting postscreen logging of dnsbl-rejected connections?

2025-05-17 Thread Allen Coates via Postfix-users
On 17/05/2025 16:23, pgnd via Postfix-users wrote: > logs (/var/log/postfix/postfix.log) routinely report postscreen doing its job > well at fending off 'pulses' of spammy > connection attempts. e.g., > the number of attempts varies from any one IP -- from just one to hundreds. > > atm, ALL logg

[pfx] Re: Sanity check for check_sasl_access

2025-02-05 Thread Allen Coates via Postfix-users
On 05/02/2025 10:50, Gilgongo via Postfix-users wrote: > > And have the following in my access file: > > user1 192.x.x.x     PERMIT > user1 2001:x:x:x::x PERMIT > user1 REJECT > > In my access lists I have found that  0.0.0.0/0 matches every IPv4 address, and ::/0 matches every

[pfx] Re: Backup MX config

2024-12-17 Thread Allen Coates via Postfix-users
On 17/12/2024 06:06, Simon Wilson via Postfix-users wrote: > > Hi Postfix list, > > I have a stable low-volume Postfix setup on a 10-year-history IP address. In > mid-2025 we need to relocate interstate. > The mail MX is going to be offline for a few days for the relocation and have > possible

[pfx] Re: milter_header_checks seems not to get all spam

2024-11-10 Thread Allen Coates via Postfix-users
On 08/11/2024 16:44, Randy Bush via Postfix-users wrote: > fairly new at trying a scaled postfix install, so i assume it is my lack > of clue. trying to use milter_header_checks to reject all marked spam > on debian 12 running `mail_version = 3.7.11` > > milter_header_checks = regexp:/etc/po

[pfx] Re: RFC logs_check

2024-07-24 Thread Allen Coates via Postfix-users
On 24/07/2024 13:11, Jaroslaw Rafa via Postfix-users wrote: >> I want "Kill on Sight".  >> >> Fastest way to me would be Postfix says it logged a connection from >> fluffy.cuddly.port.raping.internet-measurement.com calls my script with >> the IP address and they get stuffed up IPTables. These pa

[pfx] Re: Documentation Prefix

2024-07-07 Thread Allen Coates via Postfix-users
On 07/07/2024 16:13, Ralph Seichter via Postfix-users wrote: > * Allen Coates via Postfix-users: > >> I have just been perusing my firewall logs, and notice I have had >> several "hits" using the documentation prefix (2001:db8::/32) as the >> source address. [..

[pfx] Documentation Prefix

2024-07-07 Thread Allen Coates via Postfix-users
I have just been perusing my firewall logs, and notice I have had several "hits" using the documentation prefix (2001:db8::/32) as the source address.   Eleven in a fortnight or so. I have also had some hits (on my website) from  Teredo addresses.  I am allowing these, because (arguably) we are

[pfx] Re: dnsbl submissions

2024-07-07 Thread Allen Coates via Postfix-users
On 07/07/2024 05:18, Nick Edwards via Postfix-users wrote: > > Main: > submission_recipient_restrictions = >         reject_rbl_client cbl.abuseat.org > =127.0.0.[2..255] >         reject_unknown_sender_domain >         reject_unknown_recipient_domain >         permit_myn

[pfx] Re: disable authentication on port 25

2024-05-24 Thread Allen Coates via Postfix-users
On 24/05/2024 03:15, Peter via Postfix-users wrote: No you definitely should disable auth on port 25 regardless.  It is possible for postscreen to pass a connection to smtpd and smtpd can *then* offer auth. To answer your original question, you can just set   -o smtpd_sasl_auth_enable=no in m

[pfx] Re: Strengthen email system security

2024-05-24 Thread Allen Coates via Postfix-users
On 23/05/2024 14:45, Bill Cole via Postfix-users wrote: is rumored to have said: Don't accept mail from home networks. For example, use "reject_dbl_client zen.spamhaus.org".  For this you must use your own DNS resolver, not the DNS resolver from your ISP. On 23.05.24 07:00, Northwind via Pos

[pfx] Re: Feature request

2024-03-20 Thread Allen Coates via Postfix-users
On 20/03/2024 13:17, Viktor Dukhovni via Postfix-users wrote: > On Wed, Mar 20, 2024 at 01:42:16PM +0100, Ralf Hildebrandt via Postfix-users > wrote: >> Hi! >> >> I wonder if this is possible: >> >> If a PCRE/regexp style map is triggering, it can be quite hard to >> find out WHICH pattern actua

[pfx] Re: SMTP Smuggling, workarounds and fix

2023-12-28 Thread Allen Coates via Postfix-users
In the past, I have had messages coming in (via port 25) claiming to be Helpdesk, Personnel, etc So I had incorporated into my sender_access file the line:- cidercounty.org.uk   permit_sasl_authenticated, reject Do you think something like this would be beneficial WRT the smuggling probl

[pfx] Re: IPv6 and Cloud server CPU

2023-11-26 Thread Allen Coates via Postfix-users
On 22/11/2023 22:16, DL Neil via Postfix-users wrote: > Have been offered choice of more-modern Cloud-VPS systems, and two addressing > options: > > Q1: > can an email server be run off IPv6 (exclusively) these days, or are IPv4 + > v6 alternatives necessary? Realistically, you still need to pr

[pfx] Re: Filterring out invalidu...@mydomain.com

2023-10-05 Thread Allen Coates via Postfix-users
On 05/10/2023 04:44, Olivier via Postfix-users wrote: Hi, How is it possible to configure Postfix to filter messages of the form: from invalidu...@mydomain.com to validu...@mydomain.com I have been receiving quite a lot recently and they are trash. Best regards, Olivier From the top of my

[pfx] Re: Postfix: running a script on authentication failure

2023-06-22 Thread Allen Coates via Postfix-users
On 22/06/2023 16:09, Viktor Dukhovni via Postfix-users wrote: > So, at least in my case, geofencing is not an option. Of course not - there is never a universal solution. In the matter of multi-factor authentication, discussions are increasingly quoting a fourth factor:  "WHERE you are".  (Does

[pfx] Re: Postfix: running a script on authentication failure

2023-06-22 Thread Allen Coates via Postfix-users
On 22/06/2023 12:58, André Rodier via Postfix-users wrote: > > What are you using on your side ? > > - Do you know any service, that I could use, to get the network to ban from > an IP address reputation, something like > crowdsec, for instance ? > - Anyone has success with Suricata, Snort, or a

[pfx] Re: postfix ports questions

2023-05-14 Thread Allen Coates via Postfix-users
On 14/05/2023 01:09, Tom Reed via Postfix-users wrote: >> On Sat, May 13, 2023 at 06:51:30PM +0800, Tom Reed via Postfix-users >> wrote: >> >>> Can I setup only port 25 open to the world? If port 465/587 are filtered >>> by iptables which only permit internal users to connect, does this make >>>

[pfx] Re: Deny any sender address with subdomain

2023-04-29 Thread Allen Coates via Postfix-users
On 28/04/2023 14:59, Gerd Hoerst via Postfix-users wrote: > Hi ! > > question 1st : is it a good idea to reject any email which is not sent from a > domain  (means sen...@domain.tld) any > other like sen...@sub.domain.tld or sub.sub.domain.tld is rejected ? Any ideas on the opposite - i.e. WITH

[pfx] Re: postscreen question

2023-04-29 Thread Allen Coates via Postfix-users
The code 450 is the "deep tests"  doing their stuff. When a remote host calls for the first time, it sees a temp-fail (code 450). When the host  calls back, *USING THE SAME IP ADDRESS*,  it will be passed through to the mail server.   The host has to call twice to get through. With  gmail and

Re: [SOLVED] Re: Submission runs very slowly

2023-02-13 Thread Allen Coates
On 13/02/2023 22:43, raf wrote: > And for diceware style passphrases to be meaningful, > it's important that none of the words are "picked" by a > human. They must be random. Then, it doesn't matter if > they are common words or not. A human can throw in a misspelt or foreign-language word.  Pro

Re: Replacing initial "Received:" line on submission?

2023-01-11 Thread Allen Coates
On 11/01/2023 00:04, Benny Pedersen wrote: > Charles Sprickman skrev den 2023-01-11 00:43: > >> Any pointers on what direction to go with this? > > start postconf -e "smtpd_sasl_authenticated_header = no" or remove it in > main.cf or master.cf overrides, its not > needed to add your sasl auth u

Re: run script on new connection?

2022-12-27 Thread Allen Coates
On 27/12/2022 00:15, mats wrote: > Using DNS is not a way forward for us. > Maintaining cidr lists a number of times a minute with 10:s of thousands of > ip's instead of a simple query for the ip I'm interested in, well not > interested in that either > Invert the problem:- Test ONLY for the ip(s

Re: Protect access to submission services

2022-08-14 Thread Allen Coates
On 14/08/2022 19:51, Matus UHLAR - fantomas wrote: but which lists?  using spamhaus PBL is not viable because it lists dynamic IP address which can be commonly used by clients. Could you try "permit_dnswl_client dnswl_domain=d.d.d.d", with the Spamhaus PBL and a selective return code?

Re: IPv6 DNSRBLs

2022-06-02 Thread Allen Coates
On 30/05/2022 06:44, Peter wrote: We're now starting to see some IPv6 DNSRBLs (eg: bl.ipv6.spameatingmonkey.net). It occurs to me that postscreen and postfix should only be sending IPv4 requests to IPv4-specific DNSRBLs and IPv6 requests to IPv6-specific lists. I brooded about this some ye

Re: password security

2022-04-25 Thread Allen Coates
On 25/04/2022 05:26, ミユナ (alice) wrote: do you know how to stop passwords from being brute-forced for a mailserver? do you have any practical guide? thank you. You could use an Access Control List to include all your "customers", and banning everybody else. In my case, any submission or

Re: About smtp_fallback_relay parameter

2022-04-07 Thread Allen Coates
On 07/04/2022 17:55, Pedro David Marco wrote: Probably i am misunderstanding Postfix documentation but... What is exactly the Postfix criteria about using smtp_fallback_relay I also had an issue with this some time ago, which I didn't understand. At the time I had set the fallback r

Re: How can I build a reliable distribution list?

2022-01-29 Thread Allen Coates
Given that you also have distribution-ow...@myhost.com as an alias, is there an easy way of making it a "closed" list, such that only the list-members can write to it? I am thinking of the committee of a small club (ten addresses at most). Allen C On 29/01/2022 14:43, Wietse Venema wrote:

Re: Bypass postscreen

2021-07-15 Thread Allen Coates
On 14/07/2021 23:56, Doug Hardie wrote: I have both of those set to enforce. Here is the complete postscreen section of main.cf: # postscreen spam filtering postscreen_greet_action = enforce postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = bl.spamcop.net zen.spamhaus.org b.ba

Re: Certificate Postfix.org missing?

2021-04-26 Thread Allen Coates
On 23/04/2021 07:36, Nicky Thomassen wrote: > With the risk of going off-topic, I do not see the reason for encrypting > everything on the internet from a more practical point of view, as it just > gives > overhead: It takes time to set up and maintain, takes processing power on both > ends, and

Re: Couple of questions re: IPBLs & DNSBLs

2021-03-19 Thread Allen Coates
On 18/03/2021 22:34, Antonio Leding wrote: > Hello all, > > > 1. Where to place IPBL\DNSBL rules > > * Because the result of a hit against an IPBL\DNSBL is to REJECT, does it > make > sense to place these kind of rules earlier in the SMTPD_RESTRICTIONS eval > chain (i.e. CLI

Re: Rootless postfix

2021-02-26 Thread Allen Coates
On 26/02/2021 02:55, Viktor Dukhovni wrote: > On Thu, Feb 25, 2021 at 11:39:19PM +0000, Allen Coates wrote: > >> It is an *ANCIENT* reference, but the O'Reilly book "Building >> Internet >> Firewalls" describes a simple program called smap.

Re: Rootless postfix

2021-02-25 Thread Allen Coates
On 25/02/2021 09:43, Emond Papegaaij wrote: > Hi all, > > We are hardening our services and would like to run postfix as a > non-root user. All our primary services, including postfix run as > docker containers. We use postfix as a forwarding agent only: mail is > delivered from the other servi

Re: Fwd: Verify Proper method for sender restrictions

2020-10-28 Thread Allen Coates
On 28/10/2020 15:24, Viktor Dukhovni wrote: > On Wed, Oct 28, 2020 at 09:05:40AM +0000, Allen Coates wrote: > >> Some time ago (5 years maybe) I discovered that "OK" was not being >> universally >> recognised in every access list; I cultivated the habit

Re: Fwd: Verify Proper method for sender restrictions

2020-10-28 Thread Allen Coates
On 26/10/2020 20:44, Joey J wrote: > And within that file have both white & blacklist like so: > youareok.com    OK > youarebad.com   REJCT > 1.2.3.4  550 Block-I dont like you > 1.5.6.0/24 550 Block I dont like any of you. > Some

Re: Rejecting messages based on recipient MTA's IP address

2020-10-01 Thread Allen Coates
On 01/10/2020 08:01, Ansgar Wiechers wrote: > On 2020-09-30 Allen Coates wrote: >> >> Does the SMTP daemon resolve a destination if there is no MX record? > > Normally Postfix will check for an MX first, and if that is absent check > for an A record for the doma

Re: Rejecting messages based on recipient MTA's IP address

2020-09-30 Thread Allen Coates
On 30/09/2020 15:58, @lbutlr wrote: > On 29 Sep 2020, at 11:46, J David wrote: >> domains that have no email service, i.e., those domains >> have A records in that range but no MX records at all. Question at a tangent:- Does the SMTP daemon resolve a destination if there is no MX record? All

Re: spam uses my email address as sender in "header from"

2020-09-14 Thread Allen Coates
It has been suggested in the past that if the "From" header does not contain both the email address AND the name of its owner (see my address above) then it may be rejected - or at least flagged as suspect. Allen C On 14/09/2020 11:35, Fourhundred Thecat wrote: > Hello, > > I am receiving spam,

Re: Postfix restrictions

2020-06-07 Thread Allen Coates
On 07/06/2020 10:51, Nicolas Kovacs wrote: > Before committing this configuration to my main server, I thought I'd share > this configuration on the list. Maybe the Postfix gurus among you have the odd > comment to make. > > My aim is simply to eliminate as much spam as possible (that is, before

Re: Dropping email purporting to be from my domain received from the Internet

2020-05-30 Thread Allen Coates
On 30/05/2020 00:58, Scott A. Wozny wrote: > In my hypothetical environment, I have an external and an internal relay on > either sides of a firewall. I want to configure the external system to relay > both 1) email received from the internal relay to the Internet and 2) email > received from th

Re: Preferred/maintained greylisting options?

2020-05-25 Thread Allen Coates
On 24/05/2020 23:22, micah anderson wrote: > We paid for access to spamhaus for a while, but they jacked up the > prices and now its far too expensive even for their non-profit rate. > > What RBLs do people find to be effective now days? I was looking at > SpamRats, which I did not know about b

Re: Postfix "IPv6-only" - experience/recommendation question

2020-05-08 Thread Allen Coates
On 08/05/2020 21:58, Wietse Venema wrote: > Bob Proulx: >> How are working and available IPv6 DNSBLs progressing? That's a >> critical component which I would love to hear is no longer a missing >> component. > > zen.spamhaus.org blocks some 15% of IPv6 spam for me. The other 85% > comes from

Re: Postfix "IPv6-only" - experience/recommendation question

2020-05-08 Thread Allen Coates
On 08/05/2020 17:38, michae...@rocketmail.com wrote: > Hi all, > > > I've a generic question to all more experienced than me postfix users here: > Is it nowadays (reasonable) possible to run postfix with IPv6 only? E.g > "mail.example.com" and "smtp.example.com" with only ipv6 records i

Re: Possible header_check solution?

2020-04-15 Thread Allen Coates
On 14/04/2020 18:42, Rick King wrote: > Hello List! > > We have a customer that occasionally receives messages like this... > > Return-Path: > From: "Free iPad " > To: > Subject:Free iPad > Any suggestions welcome! Thank you! > > I am no expert on pattern matching, but could you pick

Re: Rejecting emails based on address extension?

2020-04-08 Thread Allen Coates
On 09/04/2020 00:29, @lbutlr wrote: > On 08 Apr 2020, at 17:16, Allen Coates wrote: >> On 09/04/2020 00:01, @lbutlr wrote: >>> Given an email address of user+ama...@example.com how can I reject all >>> emails to that address that do not come from amazon.com? >

Re: Rejecting emails based on address extension?

2020-04-08 Thread Allen Coates
On 09/04/2020 00:01, @lbutlr wrote: > Given an email address of user+ama...@example.com how can I reject all emails > to that address that do not come from amazon.com? > > I think I did something like this once but if I did, I didn’t keep notes. :/ > > Funny you should mention that - within

Re: Disabling TLSv1

2020-03-05 Thread Allen Coates
Virtually all my TLSv1 connections come from this mailing list... Would there be any mileage in disabling OUTBOUND TLSv1 connections while accepting inbound for a little while longer? Allen C On 05/03/2020 20:08, ratatouille wrote: > Hello! > > Don't know why TLSv1 is still offered on our serve

Re: How to restrict imposters

2020-02-20 Thread Allen Coates
On 20/02/2020 03:39, Bob Proulx wrote: > I do a slight variation on this that I think is slightly better. > Instead of pcre tables I use hash tables. Which should be slightly more > efficient. And won't suffer from common substring matches such as > hitting by accident on goodkreme.com or othe

Re: postfix for IoT

2020-01-20 Thread Allen Coates
On 20/01/2020 02:31, Viktor Dukhovni wrote: > On Mon, Jan 20, 2020 at 08:38:46AM +0800, Wesley Peng wrote: > >> How to compile postfix into the Embedded operating system (such as the >> home router) and make it as a mail gateway for Smart home appliances? > > Most embedded systems are not su

Re: What are these types trying to do?

2019-12-30 Thread Allen Coates
On 30/12/2019 22:32, Gerben Wierda wrote: > Now that Finally have a postfix back with actual logging, I noticed this in > my log: > > Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from > [182.99.42.88]:49546 to [192.168.2.66]:25 > Dec 30 23:26:10 mail postfix/postscreen[16020]: PREG

Re: lots of connections that make no sense

2019-11-15 Thread Allen Coates
On 15/11/2019 16:15, @lbutlr wrote: > On 15 Nov 2019, at 03:21, Allen Coates wrote: >> Disabling auth does not stop them from trying; I scan my logs for the string >> "auth=0/1", and add the offending IP address to a blacklist - a >> do-it-yourself >>

Re: lots of connections that make no sense

2019-11-15 Thread Allen Coates
On 15/11/2019 12:33, Wietse Venema wrote: > Jeffrey 'jf' Lim: >>> Disabling auth does not stop them from trying; I scan my logs for the >>> string >>> "auth=0/1", and add the offending IP address to a blacklist - a >>> do-it-yourself >>> fail2ban. >>> >> >> It should. Unless they're the dumbe

Re: lots of connections that make no sense

2019-11-15 Thread Allen Coates
On 15/11/2019 05:10, Fourhundred Thecat wrote: > On 15/11/2019 06.06, Jeffrey 'jf' Lim wrote: >> >> ok then this makes sense. I've seen bots retry multiple passwords at >> one go in the past; Fourhundred are all of these "auth=0/1"? > > yes, all are "auth=0/1". > > I have disabled auth on port

Re: Dictionary attacks

2019-11-03 Thread Allen Coates
On 03/11/2019 02:42, Wietse Venema wrote: > John Schmerold: >> What is the best way to protect against dictionary attacks in Postfix? > > Reportedly, fail2ban (no first-hand experience, because I have no > SASL clients). > > Wietse > I run a home-brewed fail2ban look-alike; I find it

Re: Postfix is not open relay but send spam

2019-10-15 Thread Allen Coates
On 15/10/2019 08:27, Julien Michaux wrote: > Time to time, my server is attack and he sends spam. All spam are from a > specific address "cy...@mydomain.com" I tried many things but nothing works> > I have to stop postfix for some hours and attack ends until next time. > Have you tried puttin

Re: How to avoid being classified as spam by Google?

2019-10-07 Thread Allen Coates
On 07/10/2019 06:11, martin f krafft wrote: > Quoting "Wietse Venema", who wrote on 2019-10-06 at 19:13 Uhr -0400: >> Perhaps the SMTP client IP address 2001:db8:bad::cafe:: has no PTR record (or >> the name does not resolve to 2001:db8:bad::cafe::). > > Good point, but the address has a PTR re

Re: Suggestions for less spam

2019-09-24 Thread Allen Coates
On 24/09/2019 12:08, Wietse Venema wrote: > Dominic Raferd: >> On Tue, 24 Sep 2019 at 11:31, Matus UHLAR - fantomas >> wrote: >> >>> On 24.09.19 12:11, Paul van der Vlis wrote: I am using now much of your setting and it seems to help. Thanks a lot! >>> >>> I would just like to note that al

Re: OT: Postscreen and scoring/blocking by ISP

2019-05-30 Thread Allen Coates
On 30/05/2019 22:21, Allen Coates wrote: > Currently, I am using a CIDR access-control-list to block (in PostScreen) > hosts > from certain "nuisance" countries. A weekly script derives the netblocks from > the zone lists published by http://www.ipdeny.com A similar scr

Re: OT: Postscreen and scoring/blocking by ISP

2019-05-30 Thread Allen Coates
There is an RBL, zz.countries.nerd.dk, which will return a code based on country of origin - or if you substitute a country code (eg uk.countries.nerd.dk) it will return 127.0.0.1 if the host "belongs" to that country; it can be used to load the final RBL score for an individual country. I don't

Re: GEO IP based restrictions?

2019-05-14 Thread Allen Coates
http://www.ipdeny.com publish IP address-lists sorted by country zones; a script can quite easily derive a .cidr access-list (or perhaps a DNS zone file). Alternatively, there is an RBL, zz.countries.nerd.dk, which will return a code based on country of origin - or if you substitute a country co

Re: How "safe" is reject_unknown_helo_hostname?

2019-04-28 Thread Allen Coates
I usually put my access-control lists EARLY, so I have yes / no / "further-processing" options Allen C On 27/04/2019 23:21, @lbutlr wrote: > > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, > reject_non_fqdn_helo_hostname, check_helo_access > pcre:/etc/postf

Re: How "safe" is reject_unknown_helo_hostname?

2019-04-26 Thread Allen Coates
out (at this server) whatever the RFCs might say. It is getting the balance right... Allen C On 26/04/2019 14:46, Phil Stracchino wrote: > On 4/25/19 7:56 PM, Allen Coates wrote: >> I have been looking at the configuration parameter >> "reject_unknown_helo_hostname", wi

How "safe" is reject_unknown_helo_hostname?

2019-04-25 Thread Allen Coates
I have been looking at the configuration parameter "reject_unknown_helo_hostname", with a view to using it to resist spam. I know it is reasonably safe to reject an incoming email on an invalid or non-fqdn HELO hostname, but *UNKNOWN?* I don't receive a sufficient corpus of email to make a reason

Re: Assistance to protect from spam flood

2019-01-12 Thread Allen Coates
On 12/01/2019 11:09, Nick Howitt wrote: > > Is there anything further I can do to cut down or stop this spam? Also are > there more effective blocks I can do to > lighten the load on the server and reduce traffic? > > Thanks, > > Nick If you are troubled by Chinese hosts, you might also lik

Re: Postscreen concurrency limits

2018-12-14 Thread Allen Coates
On 14/12/2018 06:13, Viktor Dukhovni wrote: > > >> On Dec 13, 2018, at 8:25 PM, Alex wrote: >> >> We had a Mimecast user report today that their mail was being rejected >> with a 4.7.0 "too many connections" error. This is a "soft" error, in >> that the mail client will later attempt to resen

Re: how set postfix server as non-functional

2018-10-25 Thread Allen Coates
On 25/10/18 11:12, Viktor Dukhovni wrote: >> On Oct 25, 2018, at 5:55 AM, Allen Coates wrote: >> >> There are some anti-spam projects which offer MXes for your use. >> You set one up with the LOWEST priority (your "MX of last resort"); If a >> messa

Re: how set postfix server as non-functional

2018-10-25 Thread Allen Coates
On 25/10/18 07:33, Viktor Dukhovni wrote: > On Thu, Oct 25, 2018 at 08:11:35AM +0200, Poliman - Serwis wrote: > >> Hi. I heard that having a non-functional server as the primary MX is a >> well-known trick to reduce the amount of incoming spam, as most software >> used by spammers will only eve

Re: Could you please explain a warning message

2018-10-08 Thread Allen Coates
Allen C On 08/10/18 12:03, Ralf Hildebrandt wrote: > * Allen Coates : >> Yesterday I saw the following warning message in my logs:- >> >> 2018-10-06T14:11:19+01:00 geronimo postfix/postscreen[8194]: warning: >> psc_cache_update: btree:/var/lib/postfix/postscreen_cac

Could you please explain a warning message

2018-10-08 Thread Allen Coates
Yesterday I saw the following warning message in my logs:- 2018-10-06T14:11:19+01:00 geronimo postfix/postscreen[8194]: warning: psc_cache_update: btree:/var/lib/postfix/postscreen_cache update average delay is 151 ms A tenth of a second is an ENORMOUS delay for an SSD, and my immediate thought

Re: What is postscreen_dnsbl_reply_map use for?

2018-09-23 Thread Allen Coates
On 23/09/18 15:46, Bill Cole wrote: > On 23 Sep 2018, at 10:13 (-0400), John anderson wrote: > >> What is the meaning of `postscreen_dnsbl_reply_map` in postscreen (postfix) ? >> I've read from documentation: >> >>> if your DNSBL queries have a "secret" in the domain name, you must censor >>> t

Re: How to white list

2018-07-23 Thread Allen Coates
On 23/07/18 21:17, dur...@mgtsciences.com wrote: > I have whitelisted the ip in postscreen_access.cidr. I can see the > 'whitelisted' for postscreen in log. > But it does not get past smtpd. > > I do not want to remove reject_invalid_helo_hostname as this really opens > up more spam. So how

Re: Greylisting?

2018-03-12 Thread Allen Coates
Late last year I tried the Postscreen "deep protocol tests" as a primitive form of greylisting; It was a high-maintenance exercise for minimal benefit and I have since stopped using it. Google and the like, use a different mail server for each connect attempt. You need an actively maintained whit

Re: Question regarding smtpd DNS resolution

2018-02-05 Thread Allen Coates
On 05/02/18 00:12, Viktor Dukhovni wrote: > > >> On Feb 4, 2018, at 5:46 PM, J Doe wrote: >> >> Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname >> 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not >> known >> >> Does this mean that: >> >> 1. smtpd recei

Re: Best practice when setting up a mail relay

2018-01-06 Thread Allen Coates
On 06/01/18 18:27, Jonathan Sélea wrote: > For example: > www.siteA.xyz on ServerY is hacked and someone is using mail() in order > to send hundreds of thousands email via localhost - that is relayed to > the smtp relay (that only accepts mail from internal servers). And > instead of relaying th

Re: PSA University of Michigan research IP space

2017-12-08 Thread Allen Coates
On 08/12/17 03:59, Viktor Dukhovni wrote: > > >> On Dec 7, 2017, at 9:14 PM, li...@lazygranch.com wrote: >> >> http://researchscan288.eecs.umich.edu/ >> I never could find the research IP space and my email went unanswered. >> I just blocked the whole university. Link has the IP space as listed

Message Rejection

2017-12-06 Thread Allen Coates
Is there any way of making a bad email address (eg a spam-trap) reject an entire multi-destination transaction? If one RCPT TO command is to a spamtrap address, then that message will be spam; you do not want it being delivered to any other (genuine) RCPT TO destinations. Allen C

Re: Regarding ciphers

2017-11-23 Thread Allen Coates
On 23/11/17 09:30, Jonathan Sélea wrote: > > My question is, can I improve  this further or do you guys/girls have any > opinion regarding this? > I am grateful for all comments, tips or other suggestions :) > > / Jonathan > Thinking at a tangent, if your messages are particularly sensitive, y

Re: Regarding ciphers

2017-11-23 Thread Allen Coates
On 23/11/17 09:30, Jonathan Sélea wrote: > My question is, can I improve  this further or do you guys/girls have any > opinion regarding this? > I am grateful for all comments, tips or other suggestions :) > > / Jonathan > If the remote host does not support the cyphers you deploy, then you ha

Re: Ban IP or Host

2017-10-16 Thread Allen Coates
To limit repeating offenders, you might like to try playing with smtpd_client_connection_count_limit, smtpd_client_connection_rate_limit, and anvil_rate_time_unit For my quiet (domestic) server, I have set limits of two simultaneous connections, and twelve connections per hour. If a remote host

Re: Postscreen exceptions and blacklisting

2017-09-08 Thread Allen Coates
In your exceptions list, use ACCEPT or REJECT; DUNNO means "let something else decide" ... Allen C On 08/09/17 09:36, Nikolaos Milas wrote: > Hello, > > I have tried to whitelist some servers for postscreen, but I notice that > they continue to get blocked if they are blacklisted. > > What I a

Re: Postscreen Feature Request

2017-09-02 Thread Allen Coates
On 03/09/17 00:43, Wietse Venema wrote: > On 02/09/17 22:03, Wietse Venema wrote: >> Surprise: I already solved that problem: postscreen would hand off >> the _decrypted_ session to the tarpitting daemon :-) > > Allen Coates: >> How would you optionally hand off to th

Re: Postscreen Feature Request

2017-09-02 Thread Allen Coates
On 02/09/17 22:03, Wietse Venema wrote: > > Surprise: I already solved that problem: postscreen would hand off > the _decrypted_ session to the tarpitting daemon :-) > How would you optionally hand off to the tarpit daemon, instead of to postfix? Allen C

Postscreen Feature Request

2017-09-02 Thread Allen Coates
GIVEN THAT, when the Postscreen internal SMTP engine is invoked, the decision to reject the message has already been made; It seems to me that this is an opportunity to tar-pit the (bad) remote host, diminishing spam throughput, and eroding the host's useful life-span. I SUGGEST, therefore, that a

Re: Postscreen temporary whitelist

2017-08-24 Thread Allen Coates
Wietse Venema wrote: > Allen Coates: >> Is there any way of reducing the TTL of the postscreen temporary whitelist? > > As of Postfix 3.1, these are the defaults: > > postscreen_bare_newline_ttl = 30d > postscreen_dnsbl_max_ttl = > ${postscreen_dnsbl_t

Postscreen temporary whitelist

2017-08-23 Thread Allen Coates
Is there any way of reducing the TTL of the postscreen temporary whitelist? I am having problems with spammers repeatedly getting through postscreen with a "PASS OLD" result. While I can't stop them trying, at least I can cost them time by making them run the full postscreen gauntlet more frequen

Re: Strategies for using backup MX records

2017-08-17 Thread Allen Coates
The thing I liked about my pop-3 solution was, if my server blew up and I had to rebuild from scratch with new hardware, I could still read my emails via my (almost redundant) ISP account Allen C On 17/08/17 16:10, Chris Green wrote: > On Thu, Aug 17, 2017 at 02:24:45PM +0100, Allen Coates wr

Re: Strategies for using backup MX records

2017-08-17 Thread Allen Coates
On 17/08/17 13:38, Chris Green wrote: > I run Postfix on a home server which is on all the time of course but, > as it's connected via a 'domestic' broadband service it's not a 100% > reliable connection. There are also times when I reconfigure things > (e.g. upgrade the server) that cause downti

Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Allen Coates
On 03/08/17 11:55, Matus UHLAR - fantomas wrote: > You apparently mean something like check_sender_mx_access (reject when MX > server of sending domain points to blacklisted IP) or maybe > check_sender_a_access (similar), but with dnsbl lookups. > > Doing it on MX would require dnsbl lookups for ea

Re: Why there is no `reject_rbl_sender` restriction?

2017-08-03 Thread Allen Coates
For a while I tried a local black-list based on the senders of bounced emails. It was deployed using "check_sender_access ". Using the whole email address didn't work - I never saw the same sender twice; and using just the domain part gave me more false positives than true. A more targeted list, c

Re: postscreen fail2ban filter

2017-07-17 Thread Allen Coates
On 17/07/17 21:04, Scott Techlist wrote: >> Postscreen logs DISCONNECT for clients that PASS the "after 220 greeting" >> tests (bare newline, non-SMTP command, pipelining). > Exactly what I was afraid of, thanks for the confirmation. > >> I don't think there is much to gain from parsing postscreen

Re: postscreen fail2ban filter

2017-07-17 Thread Allen Coates
On 17/07/17 16:43, Scott Techlist wrote: > As I watch the bots and spammers hammer my server with connection attempts, > I figured I might as well stop them even closer to the front door when they > try repeatedly. > > I have fail2ban running already and once I enabled postscreen it didn't seem >

Re: Block forged addresses

2017-07-14 Thread Allen Coates
On 14/07/17 10:28, Abi Askushi wrote: > Hi all, > > I was wondering what choices are there to block forged sender email > addresses. > > I was thinking SPF could assist. > The other option I saw is reject_sender_login_mismatch in postfix. * > * > Do you have any other suggestion? > > Many thanx >

Re: Limit the damage of a hacked sender acount

2017-06-24 Thread Allen Coates
On 24/06/17 00:37, Daniel Miller wrote: > I had a couple of accounts with too simple passwords hacked. And > obviously my mail server is entirely too efficient - I think about 50k > spams got blasted out before I caught it (because we got in the DNSBL's). > > Separate from improving the password

Re: Forged FROM Adresses deny based on actual user?

2017-05-07 Thread Allen Coates
On 07/05/17 17:12, BlackIce_ wrote: > Lately I have been getting SPAM mails that mimic our typical address > (i.e. user@domain) Ideally, the postfix server should only accept mail > from ACTUAL users (or aliases to users) on the server. > > Is there a config change that can accomplish this easily? S

Re: Optimising new system and postscreen questions

2017-05-01 Thread Allen Coates
On 01/05/17 13:17, Simon Wilson wrote: > > 3. Any other ways to speed it up, or should I accept the trade-off > between speed and accuracy of result? > If you can create a postscreen white-list of your "regular" remote hosts, they will be almost instantly passed on to the mail server. Hope this

Re: Alert Trend Micro reputation LIST QIL

2017-04-28 Thread Allen Coates
If you check your IP address on THEIR look-up page - https://www.ers.trendmicro.com/reputations - it will tell you WHY you are black-listed. For example, my own IP4 address is in their "Dynamic User List" - not surprising, as I am a domestic user with a personal mail server. Hope this helps Al

Re: Recent upsurge of spam messages rate

2017-03-28 Thread Allen Coates
I have a script that does a simple "head-count" over the last 1500 maillog entries. Just now it showed the following results: Nuisance hosts blocked by firewall: 97 Connections handled by Postscreen: 134 Black-listed Locally: 10 Black-listed by DNSBL: 94 Pre

Re: Recent upsurge of spam messages rate

2017-03-28 Thread Allen Coates
I have also noticed an increase of "bad connections" to my server. Fortunately, very few get past postscreen - I heartily recommend its use. Allen C On 28/03/17 22:00, Daniele Nicolodi wrote: > Hello, > > this is not strictly Postfix related, but I don't know how to get in > contact with a simil

Re: Fallback to IPV4 in case of IPV6 is not available

2017-03-26 Thread Allen Coates
On 25/03/17 14:43, Wietse Venema wrote: > Postfix can be configured to try IPv6 before IPv4 (with > smtp_address_preference), but that feature is independent from > routing features such as transport_maps, smtp_fallback_relay, and > so on. That is, there are no ipv6_transport_maps or > ipv4_smtp_

Re: Autoresponder?

2017-01-17 Thread Allen Coates
> On 2017-01-16 13:49, @lbutlr wrote: >> I have an email account that belonged to someone who died recently. >> Rather than simply shutdown the account and bounce all future emails, >> the family would like some sort of automated messages for at least a >> few months saying something like “ died i
