[pfx] Re: sending emails times out

Hello, I picked something up in the news lately, google said with "ip data packet size russian capped": In Russia, Internet access for users connecting to websites protected by Cloudflare is currently being throttled by local ISPs, limiting users to the first 16 KB of web assets, effectively

[pfx] Re: Make postfix additionally relay?

Hallo, did you check if the always_bcc directive meets that need? Put in a dedicated recipient on the other postfix, it'll get a bcc of each message inbound/outbound of the first postfix server. Am 13.07.2025 um 21:12 schrieb oftl--- via Postfix-users: Hi! This is what i'd like to do: Have

[pfx] DANE verification question

domain. Can you verify/help? Thanks for reading & helping. Florian -- Florian Piekert, PMP flo...@floppy.org Velberstraße 6 Telephone+Fax: +49-179- 3928582 30451 Hannover / Germany No

[pfx] Re: smtp_tls_security_level = may vs. encrypt with "enabling PIX workarounds" on destination MX server

Hello, ofc NOT. But that then works. Danke Ömer! Am 19.04.2025 um 17:18 schrieb Ömer Güven: mx2.neumuenster.demay Have you tried: neumuenster.demay Best, Ömer Am 19.04.2025 um 17:15 schrieb Florian Piekert via Postfix-users : Dear Postfixians, I have noticed

[pfx] smtp_tls_security_level = may vs. encrypt with "enabling PIX workarounds" on destination MX server

Dear Postfixians, I have noticed the following. In main.cf I had #smtp_tls_security_level = may smtp_tls_security_level = encrypt for a while, until just now. When I noticed that some target mx destination had delivery issues with this, I put the exception in my smtp_tls_policy_maps file, pr

[pfx] Re: list.sys4.de

Hello, I only see IPv4. Maybe DNS issue on your end? root@sonne:~# host list.sys4.de list.sys4.de has address 45.90.5.195 list.sys4.de mail is handled by 10 list.sys4.de. root@sonne:~# dig list.sys4.de MX ; <<>> DiG 9.20.7-1+ubuntu24.04.1+deb.sury.org+1-Ubuntu <<>> list.sys4.de MX ;; global opt

[pfx] Re: lockfile problem postfix/dovecot

Hello Paul, is there the chance of storage hardware failures? Or VPS I/O issues in case it is on a VPS? Am 28.03.2025 um 07:50 schrieb Paul Neuwirth via Postfix-users: Hello group, Since a few days I have massive problems with lockfiles blocking the mailboxes (type storage, /var/mail/user).

[pfx] Re: I have found out the reason why Postfix keeps getting killed by OOM Killer

ormance of your VPS or LESS signatures for clamd. As written, only guesses based on assumptions. Florian Sent with Proton Mail secure email. On Monday, March 3rd, 2025 at 10:17 PM, Florian Piekert via Postfix-users wrote: Hello all, Am 03.03.2025 um 15:09 schrieb Varadi Gabor via Pos

[pfx] Re: I have found out the reason why Postfix keeps getting killed by OOM Killer

Hello all, Am 03.03.2025 um 15:09 schrieb Varadi Gabor via Postfix-users: 2025. 03. 02. 14:50 keltezéssel, Turritopsis Dohrnii Teo En Ming via Postfix-users írta: But until now I still have no idea why 115 messages stuck in the mail queue will cause postfix to consume ENORMOUS amounts of RAM

[pfx] Re: postfix / (NOT MTA-STS question)

Hello all, $ posttls-finger -F/etc/pki/tls/cert.pem -c -lsecure "[theater.piekert.de]" ... posttls-finger: Verified TLS connection established to theater.piekert.de[81.169.233.252]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature R

[pfx] postfix / MTA-STS question

Good morning gentlefolks, I am trying to figure out where my error is, using MTA-STS for virtually hosted domains on my postfix server. Environment: ubuntu 24, pf3.11snap (or pf3.10snap same), apache2, letsencrypt certs, bind9 on same machine The main server is sonne.floppy.org, all other dom

[pfx] Re: Problems with mail from fortimailcloud servers

Hello, could reject_unknown_reverse_client_hostname in the smtpd_recipient_restrictions be responsible, since there are dns resolution issues for the hostname. Florian Am 14.02.2025 um 10:30 schrieb Nikolaos Milas via Postfix-users: Hello, The two mail gateway servers (MX 10 mailgw1.noa.gr

[pfx] Re: Baffling outgoing mail rejection of PDF attachment

Amazon.com in the filename. .com extension. /name=[^>]*\.(bat|com|exe|dll|vbs|xls|zip)/ REJECT Am 11.02.2025 um 20:33 schrieb Phil Stracchino via Postfix-users: Hey folks, I have a puzzle that has me scratching my head.  A few minutes ago I tried to send a mail message with a PDF attachm

[pfx] Re: Can't connect to www.postfix.org

Hello, that doesn't seem to be a general non-accessibility of the server: root@sonne:~# host www.postfix.org www.postfix.org is an alias for postfix-mirror.horus-it.com. postfix-mirror.horus-it.com has address 65.108.3.114 postfix-mirror.horus-it.com has IPv6 address 2a01:4f9:6a:528d::a root@son

[pfx] Re: IP discard for authenticated e-mails

Good morning, out of curiosity, does it possibly -if implemented- break ARC signature creation of e.g. rspamd, which seems to use auth-info? ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=u...@doma.in smtp.mailfrom=u...@doma.in Or is this transferred via MILT

[pfx] Re: TLSRPT issue

Hello all, I can confirm it works again for me now. Thank you Wietse! ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] TLSRPT broken confirmed, starting with 3.10-snapshot 20250105

Hello, sorry to have a similar, but different thread subject. I already deleted the others, so couldn't backup on those mails and just thought, hey, I have a look at my system. But I can confirm the non-working condition of the TLSRPT part of postfix, starting with snapshot 3.10-20250105, for

[pfx] Re: sender_bcc_maps & recipient_bcc_maps question (resolved)

Hello Wietse and all others, Jan 15 21:38:10 butterfly postfix/local[3652656]: 475F8F8AC4C: to=, relay=local, delay=2.9, delays=2.9/0.01/0/0, dsn=2.0.0, status=sent (delivered to file: /dev/null) You want to ADD a recipient with xxx_rcipient_bcc_maps. Done. Sometimes that added recipient is

[pfx] Re: sender_bcc_maps & recipient_bcc_maps question

Hello (again), Jan 15 12:40:48 butterfly postfix/local[3017382]: 225A9F8B1D1: to=, relay=local, delay=1.7, delays=1.7/0/0/0, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/devnull) The BCC is delivered to /dev/null in some way or another. Replace: ignorethis: "|/dev/nu

[pfx] Re: sender_bcc_maps & recipient_bcc_maps question

Hello Wietse, Jan 15 12:40:48 butterfly postfix/local[3017382]: 225A9F8B1D1: to=, relay=local, delay=1.7, delays=1.7/0/0/0, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/devnull) The BCC is delivered to /dev/null in some way or another. Replace: ignorethis: "|/dev/null

[pfx] Re: sender_bcc_maps & recipient_bcc_maps question

Am 15.01.2025 um 17:22 schrieb Wietse Venema via Postfix-users: Florian Piekert via Postfix-users: Hello postfix-users, I run pf 3.10-20250107 on ubuntu 24.04. I use sender_bcc_maps and recipient_bcc_maps with pcre: mapping. The files are simple. However, I am puzzled by some behaviour

[pfx] sender_bcc_maps & recipient_bcc_maps question

Hello postfix-users, I run pf 3.10-20250107 on ubuntu 24.04. I use sender_bcc_maps and recipient_bcc_maps with pcre: mapping. The files are simple. However, I am puzzled by some behaviour of postfix that doesn't fit my expectation somehow. In my main.cf the corresponding directives are ---8<

[pfx] Re: Backup MX config

Good morning, Questions: How does the secondary MX know to transport to the primary when it is back online? (some online “guides” talk about editing transports, but the postfix documentation does not) The emails remain in the queue on the backup mx and postfix (in)frequently tries to delive

[pfx] Re: Backup MX config

Good morning, I have a stable low-volume Postfix setup on a 10-year-history IP address. In mid-2025 we need to relocate interstate. The mail MX is going to be offline for a few days for the relocation and have possible further outage time through new location setup. The new location will als

[pfx] Re: a small experiment: restricting capabilities for postfix

Good morning, Am 17.12.2024 um 06:41 schrieb Michael Tokarev via Postfix-users: ... capabilities of the service which aren't needed.  Obviously, postfix does not need an ability to reboot a system (does it not? How about sending a special email which will trigger a reboot?) or to do many My s

[pfx] Re: dkim for domain

Hello, AFAIK you can't use the "doma.in" DKIM Key for signing "sub.doma.in" eMails. You need to add a separate key in the DNS file - which in this case you can't. my current domain (bitfox.ddns.net) can set neither txt records nor cname records. So I can't setup dkim/spf for this domain. So,

[pfx] Re: tlsproxy process failures (was Re: Re: TLSRPT issue)

Hello Viktor, all, OK, so the "normal exit" isn't a problem then at all? That is indeed good news, as I thought it was pointing to an issue I have on these machines. Core dump might have been wrong terminology, process logging then as you explained. ... -all three have in master.cf for tlsp

[pfx] tlsproxy process failures (was Re: Re: TLSRPT issue)

Hello again on this topic, the problem surely is on my end. But where and why. Maybe someone has an idea. Situation: -3 cloud machines with ubuntu 24.04.1 LTS (2 dist upgraded from 22.04.1 LTS, 1 plain 24.04.1 LTS out of the box) -all three have postfix 3.10-20241113 snapshot -2 out of 3 use tl

[pfx] Re: TLSRPT issue

Good morning, That was not very useful. Next experiment: - Build Postfix like you built it before we started messing with debuggers. - But this time don't add -DUSE_TLSRPT in the CFLAGS. - As usual: make upgrade, postfix reload. If this build also crashes, then the problem is at your end.

[pfx] Re: TLSRPT issue

Hello, Further, and I guess it is all linked together (not linked in the ldd sense), I get cores. ==> mail/mail.warn <== Nov 12 11:29:09 sonne postfix/tlsproxy[3242552]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:../ssl/statem/statem_srvr.c:1657: Nov 12 1

[pfx] Re: TLSRPT issue

80 00 00 00 48 85 ff 74 0b f6 03 01 74 06 83 7b 08 00 74 ANY ideas about any of my questions? Am 11.11.2024 um 22:22 schrieb Florian Piekert via Postfix-users: Hello, Then probably this is my problemwhich TLSRPT receiver daemon can i use/configure? The one from https://github

[pfx] Re: TLSRPT issue

Hello, Then probably this is my problemwhich TLSRPT receiver daemon can i use/configure? The one from https://github.com/sys4/tlsrpt/ I suppose this is covered under https://github.com/sys4/tlsrpt/?tab=readme-ov-file#how-to-setup-the-virtual-environment-for-python Like Postfix, this imnp

[pfx] Re: Opening up port 465

Hello, Nope. smtps (port 465) and submissions (port 587) are two separated services defined in master.cf. Their use will not affect each other. "smtps" is the old name for "submissions" and both refer to 465. "submission" (without the "s" on the end) is port 587. Find the "smtps" or "submis

[pfx] Re: implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

and rather implement the particular from/to access rules intended. On 06.11.24 11:44, Florian Piekert via Postfix-users wrote: Thanks for pointing out this security hole I set up!  I wasn't even aware yet of smtpd_sender_restrictions directive...  So I moved the access check there, as

[pfx] Re: implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

Hello, Following this idea, I would put mua_recipient_restrictions = permit_sasl_authenticated,     check_sender_access   btree:/etc/postfix/restricted_senders,     reject in main.cf and instead in master.cf submission inet  n   -   y   

[pfx] Re: implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

Hello Viktor, I found the solution by using in main.cf the smtpd_relay_restrictions = permit_mynetworks, check_sender_access btree:$meta_directory/restricted_senders, permit_sasl_authenticated, reject_unauth

[pfx] Re: implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

Hello, If I understood correctly, I need to have a "list" containing the "jailed" user1@domain_AB. Let's call it restricted_senders as in the pf docs. ---8<--- # user1@domain_AB    local_only ---8<--- I have added it in my main.cf (I add smtpd_client_restrictions for completeness, perhaps th

[pfx] Re: implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

y/recipient_checks.regexp, check_recipient_access btree:$meta_directory/recipient_checks, reject_non_fqdn_recipient # smtpd_restriction_classes = local_only local_only = check_recipient_access btree:/etc/postfix/local_domains, reject ... ---8<--- But testing it, it

[pfx] Re: implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

Maybe some kind of policy driven solution coming from postfix/amavis/dovecot in combination driven by pf is? I am not aware that dovecot does such checking - possibly with sieve. At least I didnt use the proper search keywords so far... -- Florian Piekert, PMP

[pfx] implementing some kind of dovecot/imap user@domain based sending restriction to @domain recipients only

no restriction at all userXY@domain_CD has no restriction at all Any ideas how to do something like that on pf? (ubuntu 24.04.1 btw). Thanks for suggestions/pointers/out of the box solutions ;-) Florian -- Florian Piekert, PMP flo

[pfx] pf snap 3.8-20230402 mem corruption issues

Hello all, I get dozens of Apr 6 10:34:22 blueberry postfix/smtp[2590]: panic: myfree: corrupt or unallocated memory block Apr 6 10:34:23 blueberry postfix/qmgr[4313]: warning: private/smtp socket: malformed response Apr 6 10:34:23 blueberry postfix/qmgr[4313]: warning: transport smtp failu

Re: DNSBLOG and whitelisted domains

Am 09.01.2017 um 13:14 schrieb @lbutlr: > Only hosts with scores that exceed the postscreen_dnsbl_threshold get logged > with their scores, and not IPs that reach the > postscreen_dnsbl_whitelist_threshold, is that correct? > > I certainly don’t see anything like a DNSBL rank for whitelisted dom

Postfix 3.2 snapshots 1227 & 1231

Dear List, happy new year to all of you! Hello Wietse and Viktor, I am receiving compile errors for the recent snapshots. The 1224 compiles and works nicely, 1227 and 1231 do not compile on my opensuse 42.2 (nothing changed from 1224). OMIC=1 -I/usr/include -DHAS_DEV_URANDOM -DSNAPSHOT -DUSE_

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

HOWTO docs for SMTP encryption is my next stop. I use the same certificate for postfix, apache, dovecot, proftpd, etc... (from cacert.org). -- Florian Piekert flo...@floppy.org Spargelweg 5Tel

Re: SMTP Error with Thunderbird with remote Ubuntu Server 16.04

com. >> >> >>> >>> I decided to perform the same test, but pull the www record and >> with that I actually got an IP address. >>> >>> nslookup -type=www example.com >>> unknown query type: www >>> Server: 8.8.8.8 >>

Re: regexp for allowing helo host

x = NOQUEUE: reject: RCPT from (.*)\[\]:([0-9]{4,5}:)? 550 > 5.7.1 Service unavailable; client \[(.*)\] blocked > > And this all helpt my traffic down about 5-10%. Not much but still. -- Florian Piekert flo...@floppy.org Spargelweg 5

Re: regexp for allowing helo host

Am 16.11.2016 um 15:00 schrieb L.P.H. van Belle: Hello, > No, Thats is due my setup with the mailscanner antispam behind it. What is so different in your pf configuration, that you do not encounter these warnings? Nov 16 17:08:31 blueberry postfix/postscreen[27495]: warning: psc_dnsbl_request: c

Re: regexp for allowing helo host

>> Van: flo...@floppy.org [mailto:owner-postfix-us...@postfix.org] Namens >> Florian Piekert >> Verzonden: woensdag 16 november 2016 14:27 >> Aan: L.P.H. van Belle; postfix-users@postfix.org >> Onderwerp: Re: regexp for allowing helo host >> >> Am 1

Re: regexp for allowing helo host

e repeated 7 times: [ warning: psc_dnsbl_request: connect to private/dnsblog service: Resource temporarily unavailable] Any idea?! I stopped pf, removed the postscreen_cache.db file just in case, restarted pf. Still getting those messages... -- Florian Piekert, PMP f

Re: ANN: vim syntax highlighting for Postfix

Am 15.11.2016 um 21:57 schrieb Patrick Ben Koetter: Good morning Patrick & List members, please find attached a modified version of the scripts that sets the CAT var to either gz (as on my opensuse 42.1) or bz2. Feel free to use it according to the GNU GENERAL PUBLIC LICENSE

Re: Blocking users sending spam

Am 15.11.2016 um 14:09 schrieb Volker Cordes: Good afternoon Volker, dear List. We had a similar incident last year. What I then did was to parse the logfiles on a daily basis to check where the logins occur from. We have a customer base from Germany mainly (except business travelling people), so

SSL_accept error from ...outbound.protection.outlook.com

Hello everybody, another issue around TLS/SSL from me. I see tons of ==> mail/mail.log <== Nov 7 15:03:29 blueberry postfix/postscreen[16163]: PASS NEW [2a01:111:f400:fe1f::32d]:56472 Nov 7 15:03:29 blueberry postfix/postscreen[16163]: CONNECT from [187.58.37.29]:62661 to [85.214.17.19]:25 Nov

Re: postfix as delivery agent to Maildir/ style mailboxes with dovecot

Am 06.11.2016 um 02:37 schrieb Viktor Dukhovni: Hello everybody, I got it working, finally. A bit different from my expectation, but working. I think Viktor's comment delivered the final click that was needed. Thanks again everybody! > >> On Nov 5, 2016, at 9:08 AM, Florian

Re: ubuntu / Snapshot 1105 compile errors

Am 05.11.2016 um 23:11 schrieb Wietse Venema: snapshot 1106 works fine on all machines again. Thanks! > Florian Piekert: >> According to apt-get the libicu-dev is installed on the 10.04., but the >> compile says >> >> gcc -I. -I../../include -DUSE_TLS -DUSE_SASL_A

Re: ubuntu / Snapshot 1105 compile errors

Am 05.11.2016 um 22:58 schrieb Viktor Dukhovni: > >> On Nov 5, 2016, at 5:51 PM, Florian Piekert wrote: >> >> Maybe these are simply too old for pf to use? Dating 25.01.2012... >> ... >> /usr/lib/libicui18n.so.42.1 >> /usr/lib/libicutu.so.42.1 >> /

Re: ubuntu / Snapshot 1105 compile errors

Am 05.11.2016 um 22:10 schrieb Wietse Venema: > Wietse: >> Workaround: try building with EAI support. > [install icu-devel, etc.] >> This is in order to ***ENABLE*** EAI. > > Florian Piekert: >> export CCARGS="-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL >>

Re: ubuntu / Snapshot 1105 compile errors

8_README.html and according to http://www.postfix.org/INSTALL.html -DNO_EAIDo not build with EAI (SMTPUTF8) support. By default, EAI support is compiled in when the "icuuc" library and header files are found. ? -- Florian Piekert fl

Re: ubuntu / Snapshot 1105 compile errors

Am 05.11.2016 um 21:09 schrieb Wietse Venema: > Florian Piekert: >> ../../lib/libpostfix-global.so: undefined reference to >> `midna_domain_transitional' > > Workaround: try building with EAI support. > > apt-mumble install libicu-dev > make makefiles > ma

ubuntu / Snapshot 1105 compile errors

27; failed make: *** [master] Error 1 Makefile:98: recipe for target 'update' failed make: *** [update] Error 1 1101 compiles without errors on either though. On my suse 42.1 no problems compiling 1105 at all. -- Florian Piekert flo...

Re: postfix as delivery agent to Maildir/ style mailboxes with dovecot

Am 05.11.2016 um 19:14 schrieb li...@lazygranch.com: Hello there, > Did you do the postmap? > > When I add a virtual user, I do postmap, ‎then reload and restart. Yes. Always... And for completeness, master.cf has dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/doveco

postfix as delivery agent to Maildir/ style mailboxes with dovecot

Hello everybody, as previously mentioned I have another issue I like to solve. I would like my users to use dovecot to retrieve their emails and postfix is my local hero. The users are "virtual" users, meaning they do not have a real account on the mail machine, they don't exist in /etc/passwd

Re: Ubuntu 16.04lts & ssl unknown states

Am 03.11.2016 um 20:57 schrieb Viktor Dukhovni: Good morning. > Perhaps "posttls-finger" is left over from an earlier install? Did > you build and install Postfix from source? I reinstalled the distro pf package and re-compiled pf snapshot 1101 again. Now posttls-finger works again. Whyever. >

Re: Ubuntu 16.04lts & ssl unknown states

closing connection g9sm9596385wjk.25 - gsmtp > read:errno=0 > SSL3 alert write:warning:close notify > >> postconf mail_version >> -> mail_version = 3.2-20161101 > > I very much doubt that Ubuntu shipped this Postfix version. Looks > like you

Re: Ubuntu 16.04lts & ssl unknown states

Am 03.11.2016 um 17:29 schrieb Viktor Dukhovni: Hello Viktor, Wietse and everybody, since there is no tlsproxy running at the moment (removed the modifications from Wietse and restarted pf, let's wait...?) I can't provide that output at the moment. Or do you have a suggestion how to get one up

Re: Ubuntu 16.04lts & ssl unknown states

ate Nov 3 16:03:51 blueberry postfix/smtp[12959]: message repeated 10 times: [ SSL_connect:unknown state] Negative. -- Florian Piekert, PMP flo...@floppy.org Spargelweg 5Telephone+Fax

Re: Ubuntu 16.04lts & ssl unknown states

Am 03.11.2016 um 14:26 schrieb Fazzina, Angelo: Hello Angelo, please find attached my output, looks pretty good to me, similar to yours. > Hi Florian, > I am curious if you ran a basic telnet test of your SSL config, trying to > connect over port 465 or 587 ? > Sorry for not reading your attach

Ubuntu 16.04lts & ssl unknown states

Good morning everybody, I was wondering for quite some weeks now how to fix this issue with my postfix. I had a brief discussion with Ralf Hildebrandt and he suggested asking via the users lists, that's what I am doing now. I have the situation that the PF currently doesn't seem to get proper inf

postfix 3.2 version 1031

Hello, the Halloween Edition 1031 of pf 3.2 seems to have some issues on my system, resulting in mail.log Nov 1 13:46:20 bhaal postfix/master[3558]: warning: process /usr/lib/postfix/smtpd pid 3612 killed by signal 11 Nov 1 13:46:20 bhaal postfix/master[3558]: warning: /usr/lib/postfix/smtpd: b