Hello Wietse Venema,
This will print recipient addresses that were sent over TLS.
Based on your suggestion I improved it a bit. In case someone else has
the same problem, here is the full script. It prints outgoing non-TLS
connections and, at the end, a summary.
I'm sending mainly TLS except many DMARC repo
Hello,
Postfix logs TLS status details before it logs delivery status details.
...
With plaintext delivery, that first line will not be logged.
I know.
In both cases the logging shows the SMTP client process name and
process ID, and the remote SMTP server name, IP address, and port.
With
Hello,
for outgoing TLS connections with smtp_tls_loglevel=1 I can see the
Trusted, Untrusted or Verified lines easily by a grep with " connection
established to " in the log.
Now I tried to find all remaining unencrypted connections and failed. I
neither found any specific log line for the
Hello,
On my machine, the authoritative server (BIND) only listens on the
ethernet IP interface, while the recursive server (unbound)
listens only on 127.0.0.1. It validates queries for my own domain,
just like for any other.
I wanted to prevent installing and caring for two software ins
Hello,
DANE TLSA records are strictly enforced when "well-formed", where
well-formed also requires a plausible TLSA "associated data" field
(expected length for SHA2-256 and SHA2-512 digests and valid DER
encoding of certs or keys for matching type Full(0)).
That's what I did expect. Starting
Hello,
I recently did a misconfiguration of an internal mail server for a test
system and as a result broke the TLSA record. Postfix still delivered
mail to the system now with Trusted instead of Verified (BTW I find
these two output texts misleading, each time I check the logs I look
for a
On Wed, 24 Feb 2021, Wietse Venema wrote:
Postfix version 3.6 deprecates terminology that implies white is
better than black. Instead, Postfix prefers 'allowlist', 'denylist',
and variations on those words.
We had a late start, but it seems Newspeak will be established until 2050
as originall
On Wed, 10 Feb 2021, Bob Proulx wrote:
Eugene Podshivalov wrote:
I've just received a spam email from a client who presented itself as
emx.mail.ru but its ip 117.30.137.22 resolves to
22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
Are reverse client hostname and the ehlo one not supposed to
Hello,
I don't think you're in the right forum for these questions, as they
aren't really related to postfix.
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
Is this normal or a point for worry? It did say "not spam".
I'd assume you did not add a milter which
Hello,
openSUSE is switching from hash: to lmdb: in recent postfix version 3.5.8
(I assume to get rid of old legacy libraries).
Now postmap and postalias will by default use lmdb:, but the man pages for
these two tools don't even contain lmdb:
Can lmdb: please be added to the man pages so the
Hello,
openSUSE is switching from hash: to lmdb: in recent postfix version 3.5.8
(I assume to get rid of old legacy libraries).
Now postmap and postalias will by default use lmdb:, but the man pages for
these two tools don't even contain lmdb:
Can lmdb: please be added to the man pages so
On Tue, 13 Oct 2020, Fred Morris wrote:
Perfect, thanks! billmail.scconsult.com is not delegated from scconsult.com
(has no SOA or NS), and sccconsult.com is delegated from .com (of course),
with SOA and NS.
Bonus points: billmail has SPF.
Same concept, but a bit different (also has SPF, DA
On Tue, 29 May 2018, Wietse Venema wrote:
This is a task which I need something to change a vendor supplied main.cf
into the better understandable minimum configuration which does not
contain legacy settings.
Could "postconf" get a new "-N" parameter for that maybe ;-)
My Postfix cycles are c
On Mon, 28 May 2018, Viktor Dukhovni wrote:
It might be useful, but probably not, to have a version of postconf -n that
showed the default value alongside the changed value:
join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')
Do you maybe also have a command to show only cha
On Wed, 24 Jan 2018, Harald Koch wrote:
It's not sooo complicated:
The length of your message contradicts that statement.
Well, I assumed that for people who operate a proper postfix instance 3
different command sets and creating two files isn't complicated. If that
assumption is untrue an
On Wed, 24 Jan 2018, Viktor Dukhovni wrote:
One would want to start with "umask 077", to avoid creating
world-readable private key files. This should not be
necessary with OpenSSL 1.1.0 and later, but older versions
(e.g. OpenSSL 1.0.2) create all output files with default
permissions, constraine
On Wed, 24 Jan 2018, Danny Horne wrote:
On 22/01/2018 3:52 pm, Viktor Dukhovni wrote:
On Jan 22, 2018, at 10:06 AM, Danny Horne wrote:
Private CA sounds interesting, will have to read up about it
You can get away with a lot less complexity than the usual OpenSSL CA.
See, for example:
h
On Thu, 23 Nov 2017, Jonathan Sélea wrote:
I did struggle a lot to understand and deploy a secure cipher list that
https://hardenize.com and https://ssl-tool.net would not complain on, so I
came up with this:
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smt
On Mon, 6 Nov 2017, Viktor Dukhovni wrote:
/.*infusionmail.com$/ 550 Infusionmail is not wanted or welcome
/.*\yahoo\.com/ 550 Yahoo.com is not allowed here, use gmail or someone who
hasn't leaked 3 billion passwords
/\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|j
Hello,
IF SMTP error code = 5.7.1
AND remote server = GMail
DON’T generate a bounce message (my server)
ELSE
Generate bounce messages (my server)
I use following approach for this problem, which not only affects GMail,
but also T-Online and any other service rej
On Tue, 29 Aug 2017, Tom Browder wrote:
Gmail has a list of steps recommended to minimize spam identification,
particularly mail sent as bulk mail (as from mailing lists).
One of the recommendations is to use DKIM and that is clearly explained on the
postfix website.
The other steps are fair
On Sat, 25 Mar 2017, Paul C wrote:
I wish the world would use ipv6 enough for this to be worth doing, but
it's not going to have much benefit to you as there's almost no one
using it for smtp, from the last time I checked which was a few months
ago, google uses it perfectly, verizon too (maybe a
On Tue, 21 Mar 2017, Mike Guelfi wrote:
If people want to use a non RFC compliant verification system, then they're
going to have problems with false positives on their spam filter.
The operative word being: they.
Your customer needs to get their email vendor to whitelist your trac
instance.
On Sun, 19 Mar 2017, Peter wrote:
I would move your check_recipient_access to smtpd_data_restrictions,
then it should work that it will not reject until the DATA command, but
servers performing address verification will have bailed by that point.
So you end up rejecting actual messages but not v
On Sat, 18 Mar 2017, Richard Damon wrote:
- On your side, don't reject RCPT TO for the no-reply address.
- On your side, add a telepathic policy service that can distinguish
between RCPT TO to verify an address, and RCPT to deliver mail.
smtpd_recipient_restrictions =
reje
On Sat, 18 Mar 2017, Wietse Venema wrote:
I'm operating a bug tracker which sends out emails to participants
notifying of ticket changes. For new submitters it often happened that
they simply replied by mail, which won't work with this instance.
Now I changed our setup a bit
In postfix main.c
Hello,
I'm operating a bug tracker which sends out emails to participants
notifying of ticket changes. For new submitters it often happened that
they simply replied by mail, which won't work with this instance.
Now I changed our setup a bit
In postfix main.cf:
smtpd_recipient_restrictions =
On Sat, 4 Mar 2017, Viktor Dukhovni wrote:
This is much too complex. To attach email message to another message,
just pipe it through the shell script below my signature. This can
be used as part of a pipe(8) transport with the output submitted via
sendmail(1) for delivery.
Thanks a lot. Tha
On Tue, 28 Feb 2017, Noel Jones wrote:
in one project I'm sending a bunch of status mails to a number of
different recipients. From time to time some of them cannot be delivered
(address changes, server misconfigurations, employment changes, ...).
The bounces from the mail come back to my mail server a
Hello,
in one project I'm sending a bunch of status mails to a number of
different recipients. From time to time some of them cannot be delivered
(address changes, server misconfigurations, employment changes, ...).
The bounces from the mail come back to my mail server and should go to a
contractor
On Wed, 22 Feb 2017, Peter wrote:
On 22/02/17 09:18, Dirk Stöcker wrote:
main.cf:
inet_interfaces = localhost, mail.stoecker.eu
Just remove the above, so it defaults to, "all".
That assumes that mail.stoecker.eu is the only external IPv6 address.
The advantage of IPv6 is that ea
On Wed, 22 Feb 2017, Peter wrote:
Yes, at least for a linux box and possibly other unix hosts. You will
want to make sure that /etc/host.conf has the setting, "multi on", then
you can list multiple IPv4 and IPv6 addresses for the same name in
/etc/hosts and use those names in your master.cf fil
Hello,
I did clean up my mail server a bit to finally get rid of my known issues
(i.e. filtering outgoing mails with SpamAssassin).
Using the approach like in
http://www.postfix.org/FILTER_README.html#remote_only
I set up separate entries for localhost and external IP. Now with IPv4
and I
On Thu, 8 Sep 2016, /dev/rob0 wrote:
I am not in any hurry to move my email into IPv6 land. For now I am
satisfied to have IPv4-only MX records for my domains. My server is
IPv4-only, for that matter.
I'm operating dual-stacked servers for years now and don't see negative
impact. Majority o
On Tue, 19 Apr 2016, Viktor Dukhovni wrote:
On Tue, Apr 19, 2016 at 02:51:58PM +0100, Danny Horne wrote:
Can anyone follow up on this? In other words, are any of you using
Let's Encrypt certificates with any of the TLSA options written about?
In my survey of 12000 DANE TLSA-enabled domains
On Fri, 15 Apr 2016, David Mehler wrote:
I'm looking for an autoresponder, free, and one that does not rely on
postfixadmin.
I saw one featured in a howtoforge article called Autoresponse 1.6.3
but that has been taken down, which is unfortunate, because how it
worked, sending an email to an add
On Fri, 15 Apr 2016, Christian Kivalo wrote:
One would think so, but: I asked my main domain provider
domaindiscount24
which introduced DNSSEC last year when they will offer TLSA, DS and
SSHFP
records also. Their answer: Currently the requested features aren't
available and we can make no statem
On Thu, 14 Apr 2016, Viktor Dukhovni wrote:
The web.de domain has just published DANE TLSA records for its MX
hosts. This follows earlier "pilot" deployments with the smaller
mail.com and mail.de domains.
Fine!
I already thought they wouldn't do it. The announcement was in August last
year
On Thu, 31 Mar 2016, A. Schulze wrote:
As mentioned we see numerous domains with the same broken MX.
I have to list them one by one in the transport table
or did I forgot a cool configuration to catch any destination domain with
this specific MX?
Did you try to contact them to fix their serve
On Sat, 13 Feb 2016, Viktor Dukhovni wrote:
Now I checked the postfix virtual domain documentation and parameter
descriptions and I don't understand it much better. Is that intended
behaviour, that mydestination includes subdomains and
virtual_alias_domains not?
Neither includes sub-domains,
Hello,
with a recent update I got confused about virtual domains and
mydestination, as they seem to do different things with subdomains
I had following setup:
mydomain = stoecker.eu
myhostname = mail.stoecker.eu
mydestination = $myhostname, localhost.$mydomain, $mydomain
virtual_alias_domains
On Mon, 4 Jan 2016, Bill Cole wrote:
The certificate I got is for "mail..com" which should be correct.
My MX record redirects to "mail..com" while I also have an A
record with a prefix "mail" which redirects to the correct IP. But
Thunderbird sees the Location as "imap..com" opposed to the
Hello,
yesterday updating the tlsa tool I thought about making a set of domains
which contain different errors or non-errors for DANE-TLSA records, like
DANE-TA with incomplete TLS chain, but the missing part in full cert TLSA
record and similar examples.
Before doing so I want to ask if may
On Sun, 13 Dec 2015, Alice Wonder wrote:
A big negative to Thunderbird autoconfig - it looks for http before https
resulting in MITM vulnerability.
They say it is because hosting companies like godaddy don't want to have a
TLS cert for every e-mail domain.
I agree with both :-)
They should
On Sat, 12 Dec 2015, Viktor Dukhovni wrote:
And SMTP has the big advantage, that you can define the name of the host in
MX, so the name of the mail server can be independent from the domain of the
email address.
Simply wait a bit longer and maybe that issue solves itself :-)
Thanks for the mo
On Fri, 11 Dec 2015, Viktor Dukhovni wrote:
Over the years there have from time to time been requests for
server-side SNI support in Postfix, but most users have found
workable alternatives, such as above.
A key reason that SNI support is not there yet, is that we like to
do things right(TM) in
On Thu, 10 Dec 2015, Viktor Dukhovni wrote:
There are just ~30 domains with TLSA records that are large enough for you
to have heard of them. Here's a sample:
...
bund.de
Sadly that's only the main domain. Each subsection has its own servers, so
bkg.bund.de does not support DANE ATM and that'
Hello,
does anyone here have statistics about DANE enabled mail servers? And
maybe also a timeline showing an increase (hopefully)? I'm running DANE
for some time now and I don't ever get a Verified connection (except to my
second server). That's a bit discouraging. I'd like to have at least o
On Thu, 8 Oct 2015, Wietse Venema wrote:
I searched the net but didn't find a description so I ask here. I'm
operating two mail servers with postfix and I see that the servers always
switch between IPv4 and IPv6 when sending mails from one to the other.
Is there a mechanism in postfix to sw
Hello,
I searched the net but didn't find a description so I ask here. I'm
operating two mail servers with postfix and I see that the servers always
switch between IPv4 and IPv6 when sending mails from one to the other.
Is there a mechanism in postfix to switch randomly between the IP
ad
On Thu, 27 Nov 2014, Viktor Dukhovni wrote:
which shows a non-broken DoE response, so it looks like your domain is
all set. Though sometimes the issue is triggered by a wildcard at
the zone apex ("*.example.com") that is incorrectly applied to
I stopped using wildcards for my actively used domains. T
Hello,
after nearly a year I was now able to set up a testing domain which
supports DANE with a German domain provider. Now I'm in the testing stage
to see if I did everything right.
DNSSEC-validation is fine:
http://dnssec-debugger.verisignlabs.com/cryptedmail.eu
DANE/TLSA existence is fine:
On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
smtp_dns_support_level = dnssec
was enough to fix this. I'll see how many servers will have a
"Verified" connection in the future.
I hope you read the note about the importance of having 127.0.0.1
and/or ::1 as the only nameservers listed in /etc/re
On Tue, 25 Feb 2014, Dirk Stöcker wrote:
Hmpf. It says "dane configured with dnssec lookups disabled". Seems I need to
fix the RPM first.
No, a
smtp_dns_support_level = dnssec
was enough to fix this. I'll see how many servers will have a "Verified"
connection in t
Hello,
But I have no idea how to use the postfix tools to start a TLS
connection to such an server without sending an email. This requires
too much internal knowledge I fear. Last time I tried to call smtp
tool by hand it told me not to do so and I took that advice.
/usr/sbin/sendmail -f $(
On Mon, 24 Feb 2014, /dev/rob0 wrote:
Oh yes - DNSSEC. When will it come? In a hundred years?
Dirk, do you mind explaining this? Are you having trouble finding
DNSSEC-enabled DNS hosting?
Reading about it for years - always with "Delayed" as main information
(same as for IPv6). But OTOH dur
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
With a bit of luck roughly 5 years. Exim has not implemented DANE
yet, and the RFC for DANE TLS for SMTP has not yet been ratified
by the IETF. The first Postfix release with DANE just came out
last month, and is not in most O/S distributions.
You'
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
I don't want to have a perfection box which can't communicate with
the rest of the world, but something which helps with today's
internet.
Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
mailserver has TLSA records. Enabling DNSSEC doe
On Mon, 24 Feb 2014, Wietse Venema wrote:
The absence of observed variation does not mean nothing of relevance
has changed, and the presence of benign observed changes drowns out
the malicious ones, assuming that the malicious party is stupid
enough to reveal itself.
Well, if the only output o
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
I know that there are many side-effects and things which don't work,
but that does not mean that one can at least try?
Sorry, no half-assed solutions that work only sometimes and break
unpredictably.
Yes, the same story again. When it does not work
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
I hope there aren't any TLS capable mailservers, which fallback to
unencrypted transmission, when I use this.
Fallback is up to the client. I am not aware of any Internet facing
MX hosts that offer STARTTLS without any server certificate. Lots
of SMTP
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
smtp_tls_verify_certs=whenpossible
SMTP is not HTTP. Due to MX indirection, peer authentication is
not possible without explicit per-destination configuration. Once
you've gone to all that trouble, you may as well configure a "secure"
channel.
I
On Sun, 23 Feb 2014, Dirk Stöcker wrote:
If this is important to you, set:
smtp_tls_exclude_ciphers=aNULL
for the transport that delivers mail between your internal systems.
Does not sound like what I want. I don't want to hardcode a specific handling
for some servers, I want tha
On Mon, 24 Feb 2014, li...@rhsoft.net wrote:
Seems Postfix still needs to learn a lot about secure connections
seems you need to do so
in case of opportunistic there is no real trust
trusted in case of a secure connection means both sides know each
other - opportunistic means the other side
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
On Sun, Feb 23, 2014 at 02:28:07PM +0100, Dirk Stöcker wrote:
And whatever I do I'm unable to get any of these three to show a
trusted connection to any of the others. It trusts Google and GMX
and whatever, but not my own servers. That's disturbing.
Hello,
I'm lost and don't find any solution anymore, so I now need to ask.
I'm running three mail-servers with Postfix 2.9.6 (valid TLS cert), 2.7.2
(self-signed), 2.11.0 (self-signed).
And whatever I do I'm unable to get any of these three to show a trusted
connection to any of the others.