[pfx] Re: Sanity check for check_sasl_access

2025-02-05 Thread Gilgongo via Postfix-users
On Wed, 5 Feb 2025 at 11:06, Allen Coates via Postfix-users < postfix-users@postfix.org> wrote: > > In my access lists I have found that 0.0.0.0/0 matches every IPv4 > address, and ::/0 matches every IPv6 address. > > (Unless, of course you are expressly testing for a specific IP address) > I se

[pfx] Re: Sanity check for check_sasl_access

2025-02-05 Thread Gilgongo via Postfix-users
On Wed, 5 Feb 2025 at 09:32, Gilgongo wrote: > I just wanted to make sure I've read the docs > correctly. > I'd like to restrict a couple of sasl users by IP4/6 (I can't test this on > my sandbox setup), so if I have this in my master.cf

[pfx] Sanity check for check_sasl_access

2025-02-05 Thread Gilgongo via Postfix-users
I just wanted to make sure I've read the docs correctly. I'd like to restrict a couple of sasl users by IP4/6 (I can't test this on my sandbox setup), so if I have this in my master.cf: submission inetn - n-

[pfx] Re: alternative to one.com ?

2024-10-27 Thread Gilgongo via Postfix-users
On Sun, 27 Oct 2024 at 04:37, Wesley via Postfix-users < postfix-users@postfix.org> wrote: > On 2024-10-27 02:31, Benny Pedersen via Postfix-users wrote: > > i like to stop using one.com for several reasons, first that do not > > support rfc 7505, why ? > > > > I recently migrated some domains to

[pfx] Re: General feedback on my postfix setup?

2024-10-25 Thread Gilgongo via Postfix-users
> > Hi Jonathan, thank you. > It helped me to eliminate some fake senders and spams, but I see your > point. > Yes, I'm not using postscreen as I have rspamd. > Is there any further suggestion you might have? > I had a look at https://ssl-config.mozilla.org when setting up TLS things, but I think

[pfx] Re: General feedback on my postfix setup?

2024-10-24 Thread Gilgongo via Postfix-users
On Thu, 24 Oct 2024 at 13:02, Mark via Postfix-users < postfix-users@postfix.org> wrote: > Hello Postfix fellows, > > Could you please give me your feedback on my postfix (with dovecot > LMTP and virtual users in MySQL db) setup? > > Here's my main.cf and master.cf contents; > > https://www.pasteb

[pfx] Re: RBLs at smtp level

2024-09-07 Thread Gilgongo via Postfix-users
On Sat, 7 Sept 2024 at 10:55, Peter via Postfix-users < postfix-users@postfix.org> wrote: > Postscreen has several advantages here in that it allows you to block > based on a weighted score, so that you can give each individual RBL a > score based on how reliable you believe it to be and then requ

[pfx] RBLs at smtp level

2024-09-07 Thread Gilgongo via Postfix-users
I notice Spamhaus say that for smaller hosts, RBL blocking at smtp level is not recommended, and instead it’s better to use a milter for RBL checking. https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/030-Sendmail.html I can see the logic in that, since a milte

[pfx] Re: dnsblog question

2024-08-11 Thread Gilgongo via Postfix-users
On Sun, 11 Aug 2024 at 16:16, Viktor Dukhovni via Postfix-users < postfix-users@postfix.org> wrote: > > The dnsblog(8) service is NOT postscreen(8) and does not know which > values postscreen(8) might, or might not, take into account. It just > logs what it finds. It is up to postscreen(8) to ma

[pfx] dnsblog question

2024-08-11 Thread Gilgongo via Postfix-users
I have the following in my postscreen_dnsbl_sites: wl.mailspike.net=127.0.0.[19;20]*-2 Yet my logs show entries for .17 and .18 as well, eg: Aug 11 14:14:10 alice postfix/dnsblog[3952116]: addr 211.151.30.122 listed by domain wl.mailspike.net as 127.0.0.17 Aug 11 14:14:59 alice postfix/dnsb

[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Gilgongo via Postfix-users
Thanks for all the replies on this - food for thought! Seems the general consensus is that while in theory I should reject for p=reject (since that's what the sender wants me to do), in practice things like mailing lists and other forwarding conditions make that unsafe (and to a lesser extent the s

[pfx] Do you reject DMARC failures?

2024-07-30 Thread Gilgongo via Postfix-users
I've recently installed and configured openDMARC. I see it marks perhaps 20-30% of domains as "fail" but I've not set it to reject those yet. I also see Spamassassin doesn't give particularly high scores for SPF/DKIM failures, and Mail::SpamAssassin::Plugin::DMARC (not that it comes as standard) s

[pfx] Re: RFC logs_check

2024-07-23 Thread Gilgongo via Postfix-users
On Tue, 23 Jul 2024 at 23:06, r.barclay--- via Postfix-users < postfix-users@postfix.org> wrote: > Hi, > > You could use a custom Fail2Ban regular expression to ban IP addresses > that cause Postfix log entries containing certain domain names. > > See > https://en.wikipedia.org/wiki/Fail2ban > htt

[pfx] Re: Preventing unauthorised senders

2024-07-10 Thread Gilgongo via Postfix-users
On Wed, 10 Jul 2024 at 18:56, Serhii via Postfix-users < postfix-users@postfix.org> wrote: > On 7/10/24 08:40, Gilgongo via Postfix-users wrote: > > As you can see, it goes straight to the MX of the domain of the > recipient. The same is true if I use mail.mailutils or other c

[pfx] Re: Preventing unauthorised senders

2024-07-10 Thread Gilgongo via Postfix-users
On Wed, 10 Jul 2024 at 09:06, Viktor Dukhovni via Postfix-users < postfix-users@postfix.org> wrote: > > When you say "the client", what do you mean? Do applications do "direct > to MX" mail transmission? That seems odd, because they generally lack > the capability to queue and retry messages if

[pfx] Re: Preventing unauthorised senders

2024-07-09 Thread Gilgongo via Postfix-users
On Tue, 9 Jul 2024 at 15:39, Viktor Dukhovni via Postfix-users < postfix-users@postfix.org> wrote: > On Tue, Jul 09, 2024 at 12:54:38PM +0100, Gilgongo via Postfix-users wrote: > > Just configure content inspection on all the submission pathways. > > > My first

[pfx] Preventing unauthorised senders

2024-07-09 Thread Gilgongo via Postfix-users
I've set up our mail server (with some help from this list, for which much thanks) to scan sasl-auth senders for spam and viruses with Amavis. I'd now like to make sure that rogue processes can't bypass those checks, particularly web servers (I already have PHP using msmtp to enforce well-behaved

[pfx] Re: Question on DKIM process ordering

2024-07-05 Thread Gilgongo via Postfix-users
On Fri, 5 Jul 2024 at 09:10, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > I think in case of amavis it's just the order of logs being written. > IIUC amavis does not confirm receiving message from postfix until after > it's > scanned and passed further, which is w

[pfx] Question on DKIM process ordering

2024-07-05 Thread Gilgongo via Postfix-users
I'm setting up a server to handle outbound mail for sasl auth accounts and would like to scan that mail for spam and malware before DKIM signing because I assume scanning might potentially add headers that could break the sig. Right now I have the following (extract) in my Amavis conf: $interface

[pfx] Using postfwd for sasl auth clients only?

2024-06-27 Thread Gilgongo via Postfix-users
I have some simple postfwd rules that count the number of emails being sent per hour/day per sasl account (and reject once a limit is reached). I'm not sure how best to implement that though. Should I just have the following in master.cf? So if an account sent a CC to [n] addresses, the rules wou

[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Gilgongo via Postfix-users
On Thu, 20 Jun 2024, 2:01 pm Emmanuel Seyman via Postfix-users, < postfix-users@postfix.org> wrote: > > So there's a confusion between the hostname of the mailer and the > domain to be used for the SPF check. Is anybody else seeing this ? > Yes, I had to recently add an "a:" record to an SPF (for

[pfx] Re: Best practices?

2024-06-18 Thread Gilgongo via Postfix-users
On Wed, 19 Jun 2024 at 03:57, Viktor Dukhovni via Postfix-users < postfix-users@postfix.org> wrote: > On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users > wrote: > > > The defaults for those settings, as far as postfix is concerned, are as > > follows: > > > > smtpd_tls_auth_

[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Gilgongo via Postfix-users
On Tue, 18 Jun 2024 at 08:55, Jeff Peng wrote: > I did have tried this line (with just one value > reject_sender_login_mismatch). > But then I even can't send mail from the valid user (the user who login > into RC). > Oh, sorry I didn't see you weren't using smtpd_sender_login_maps. I'm pretty s

[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Gilgongo via Postfix-users
On Tue, 18 Jun 2024 at 08:31, Jeff Peng via Postfix-users < postfix-users@postfix.org> wrote: > Hello, > > I have this section in master.cf: > > smtps inet n - y - - smtpd >-o syslog_name=postfix/smtps >-o smtpd_tls_wrappermode=yes >-o smtpd_sasl_auth

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 16:14, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: > If you need permit_mx_backup, that means postfix doesn't have a > clear idea of domains it is responsible for. > > Please read and study: > http://www.postfix.org/BASIC_CONFIGURATION_README.html > > my

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 11:52, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > On 11.06.24 11:02, Gilgongo via Postfix-users wrote: > >OK so I assume I can use the IP address of the primary and secondary MX > >servers, since all our domains ar

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > > >BTW in the meantime, if I add this (where mx2.mydomain.com is our > secondary > >MX hostname), I take it that would be a good idea: > > > >permit_mx_backup_networks = $mynetworks mx2. my

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: > You should remove permit_mx_backup. > > This feature is intended for ISP-scale users that may not have a > complete list of domains that use their server as a backup MX. In > this case, permit_mx_backu

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > > 3. > smtpd_recipient_restrictions = permit_mx_backup > > avoid this whenever possible. Or at least define permit_mx_backup_networks > > Thanks - I forgot to ask about this. Am I right in

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: > why not postscreen for this purpose? > Thanks - I thought about postscreen, but wasn't sure if it would be overkill for such a small server? Could look again though.

[pfx] Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4) config is pretty old and confusing, and may not be doing things we want. So I'd like to re-jig it. Here's how I think I'd like to have it: 1. Incoming mail (not from $mynetworks or sasl auth): RBL, SPF/DKIM verification and SA (

[pfx] Re: FYI: SORBS Closing announcement from the mailop list.

2024-06-05 Thread Gilgongo via Postfix-users
Hi Viktor, I'm not questioning the veracity of this, but equally I'm not sure I can justify turning off one of our more important RBLs just on the strength of an email on this list. It would be good to have something from Proofpoint about the closure to refer to if possible. Google isn't coming u