[pfx] Re: 25 years today

2023-12-19 Thread Jan P. Kessler via Postfix-users
Sorry for replying to an old thread. As a few on this list may recall, it is 25 years ago today that the "IBM secure mailer" had its public beta release. This was accompanied by a nice article in the New York Times business section. I just wanted to say THANK YOU to you and any other contribut

Re: Click tracker removal ideas?

2019-02-14 Thread Jan P. Kessler
>> Does anyone have any suggestions for a tool for filtering out click >> trackers from links in email bodies and rewriting the links without >> the click tracking? > Anything that does this will also break DKIM, if the email has it > (which many do). But perhaps you are confident that your users

Re: unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

2019-01-20 Thread Jan P. Kessler
> No idea. If it works, great. Otherwise, try compiling with this > workaround: It works! Thanks to postfix and easy "make upgrade" the migration took only seconds. I didn't even have to clear caches (tls, recipient_verification) or such. Cool! Case closed. Btw - nice for me to see, that postfw

Re: unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

2019-01-20 Thread Jan P. Kessler
> That is a compiler bug. 620 static ATTR_OVER_TIME time_table[] = { 621 > 7 + VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, 0, 1, 0, > VAR_MILT_CONN_TIME is a constant ("milter_connect_timeout") therefore > 7 + VAR_MILT_CONN_TIME ("connect_timeout") is a constant. Good hint, thank you. I was able to

Re: unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

2019-01-19 Thread Jan P. Kessler
> Try: make makefiles ...optional arguments... make WARN= Sorry, I > haven't built with /opt/SUNWspro/bin/cc for ~10 years. Wietse No problem. Seems like it's time for a change. After emptying WARN it looked promising, but then the build broke here: "milter.c", line 621: non-constant initi

Re: unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

2019-01-19 Thread Jan P. Kessler
Hello, I'm sorry for line breaks and showing the wrong output. It's not easy to get that information here. Hope this will be readable. ### make makefiles finished; performing make ###   rm -f meta/main.cf.proto && ln -f conf/main.cf meta/main.cf.proto rm -f meta/master.cf.proto &

unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

2019-01-19 Thread Jan P. Kessler
Hi postfix-users, today I have the pleasure to update some sparc machines, that haven't been touched for more than 2.5 years :/ The systems use sunstudio compiler. Openssl, bind, ... went fine but now, as it comes to postfix, I'm failing. The build scripts are in use since long time, and worked f

Re: How to configure an infinite-retry for relay

2019-01-05 Thread Jan P. Kessler
Hi, > I have a situation where my primary/final MX server will be down for > an indefinite period of time, possibly up to a week.  During that time > I would like to have the secondary MX server to keep every message > queued, and keep on retrying, without ever "timing out" and without > sending a

Re: Monitoring amount of smtpd processes

2018-10-21 Thread Jan P. Kessler
we're monitoring the amount of active smtpd processes to make sure, that we do not reach the max-proc limit from master.cf. The number I found most useful to indicate something was going wrong is the number of messages in the queue.  For the servers I manage, normally that number would be

Re: A problem I'm not sure how best to solve

2018-10-09 Thread Jan P. Kessler
I want to TEMPORARILY (I hope) whitelist redac...@mg.pluspora.com as a sender address as long as the mail is being sent by mailgun.us. How would you do it? You could add a check_sender_access which returns OK for mg.pluspora.com before the reject_unknown_sender_domain in smtpd_recipient_re

Re: Network difficulties with some senders

2018-07-19 Thread Jan P. Kessler
Jul 19 13:40:39 mx31 postfix-p25/smtpd[96635]: NOQUEUE: client=mail.rosedale.ca[66.135.118.147] Jul 19 13:40:39 mx31 postfix-p25/smtpd[96635]: lost connection after DATA (0 bytes) from mail.rosedale.ca[66.135.118.147] Jul 19 13:40:39 mx31 postfix-p25/smtpd[96635]: disconnect from mail.

Re: Making relay_access_denied permanent?

2018-07-08 Thread Jan P. Kessler
Confirmed by my own test - sorry for noise on this list: Jul  8 10:23:14 mx3 postfix-cluster/smtpd[3564]: NOQUEUE: reject: RCPT from ipservice-047-071-140-188.pools.arcor-ip.net[47.71.140.188]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo= I have to admit that it's an old conf

Re: Making relay_access_denied permanent?

2018-07-08 Thread Jan P. Kessler
= permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination Am I right? Thank you in advance   Jan On 08.07.2018 at 10:04, Jan P. Kessler wrote: Hi, I was wondering why the following error is returned as tempfail: Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from hwsrv-20

Making relay_access_denied permanent?

2018-07-08 Thread Jan P. Kessler
Hi, I was wondering why the following error is returned as tempfail: Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from hwsrv-20.hostwindsdns.com[108.174.196.241] Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT from hwsrv-20.hostwindsdns.com[108.174.19

Re: check rcpt to, from and destination in one session - nested smtpd_restriction_classes?

2018-05-15 Thread Jan P. Kessler
postfix is configured as relay server. Other systems relay with postfix. Here i want to allow for a specific group of hosts, when they use a specific mail from address only a few specific destination domains. Other hosts should not be bothered. This is only a need to limit a group of hosts to

Re: Postfix [Postfwd2 error]

2018-04-15 Thread Jan P. Kessler
So the thing to check with the author of postfwd2 is what's going on with the regular expression on line 1168. That is a scary one. It seems like an attempt to express all of the leniencies in a config format in a single regex, where a preliminary canonicalization (reducing all runs of white

Re: I need sample configuration files for rate-limiting with HOLD verdict

2015-10-09 Thread Jan P. Kessler
On 21.09.2015 at 08:25, Kianoosh Kashefi wrote: I use Postfix with Postfwd as policy service. and I want to limit all outgoing messages with exceptions for several SASL users with HOLD verdict. I'm new to postfwd so I need configuration example for rate-limiting with HOLD verdict (for instanc

Re: Policy attributes to PERL script

2015-02-27 Thread Jan P. Kessler
This issue I have is knowing how to read any of the attributes listed here www.postfix.org/SMTPD_POLICY_README.html#protocol I have tried using $attr = @_; and local(*attr) =@ _; to retrieve the variables but $attr always remains empty. I have also set up the script to write the contents and e

Re: Add header based on number of recipients

2015-02-04 Thread Jan P. Kessler
With postfwd you could use the following rule: id=RCPTCNT action=PREPEND X-RCPT-COUNT: $$recipient_count or something like that id=RCPTCNT01 recipient_count>=200 action=PREPEND X-RCPT-COUNT: RED id=RCPTCNT02 recipient_count>=100 action=PREPEND X-RCPT-COUNT: YELLOW Please

Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

2014-10-24 Thread Jan P. Kessler
Viktor: TOO MUCH MANUAL QUEUE MANAGEMENT. Wietse: So I speculate that what you see was the result of a "postsuper -r" race condition. Thanks! That was it. A colleague told me, that the queue on that system and a subsequent content filter had been congested and users were waiting impatient

Re: What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

2014-10-24 Thread Jan P. Kessler
Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified The Postfix sendmail command was invoked with no recipients on the command line, and (with -t) with no recipients in the message header.

What exactly does that mean: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified

2014-10-24 Thread Jan P. Kessler
Dear postfix users, today we discovered a problem with one of our mailrelays. Maillog contains lines like the following: Oct 23 10:53:00 rv-smtpext-201 postfix/pickup[11413]: [ID 947731 mail.warning] warning: maildrop/6B8F696F6: error writing 2737698C0: no recipients specified Looking deep

Re: recipients attribute, policy daemon.

2014-10-10 Thread Jan P. Kessler
Or what the limitations are. Note that you can not return different results for different recipients at data or end_of_data stage. You can only pass or reject the whole mail at all. p.s. the policy server example included in the postfix docs would break. substr(0,512) is too small for a

Re: recipients attribute, policy daemon.

2014-10-10 Thread Jan P. Kessler
"The "recipient" attribute is available in the "RCPT TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE" stages if Postfix accepted only one recipient for the current message." You can use the instance attribute to collect the list of recipients at RCPT TO stage. That informati

Re: Another policy server question...

2014-10-09 Thread Jan P. Kessler
How exactly does one "disconnect" from stdin? I mean other than by calling exit() ? Exiting is sufficient. The SMTPD_POLICY_README file should be edited in a way so as to make that clear. The current wording is quite entirely perplexing. "Disconnect" is quite obviously the wrong word to us

Re: Using check_policy_service for greylisting with sqlgrey

2014-05-13 Thread Jan P. Kessler
> I'm using postfix-2.10.3 on fedora20 with sqlgrey, distributed across > three separate servers through mysql. I've configured it using: > > check_policy_service inet:127.0.0.1:2501 > > in main.cf . However, this doesn't provide fault > protection in the sa

Re: Setting the domain name of outgoing e-mail

2014-05-08 Thread Jan P. Kessler
May 8 15:50:28 s8 postfix/smtpd[5603]: NOQUEUE: reject: RCPT from localhost[::1]: 454 4.7.1 : Relay access denied; from= to= proto=ESMTP helo= Seems like the ipv6 loopback address is not part of mynetworks.

Re: New Greylisting daemon

2014-04-18 Thread Jan P. Kessler
> Yes. I'm working on preforking (in fact, I've started to analyze > prefork.c from Apache web server some days ago...). Threads are an > option, but we choose forking for better isolation. Some people say > forking and threading is basically the same in term of perfs, that's > even written in som

Re: New Greylisting daemon

2014-04-18 Thread Jan P. Kessler
Hi, maybe you should set up an own mailing list for GreyLSE. There are a lot of coders at this list. If any of them would use this list to discuss their own topics it might become somewhat confusing here. > - should be able to handle a lot of Postfix policy delegation requests > per second, due to

Re: need help with regexp in header_checks

2013-11-13 Thread Jan P. Kessler
Also, note that the caret (^) anchor isn't necessary. The header fields you're testing for are in the left most position. Thus no reason to left anchor your expression. Of course there is. - Anchored expressions are executed faster (the parser has to check the pattern only against the begi

Re: postfix access map for sasl authenticated users

2013-11-06 Thread Jan P. Kessler
Otherwise, postfwd and the like could be configured for a rate limit of zero (can't send mail). Sorry, for the late answer, but no zero rate limits are required here. With postfwd simply use: id=SASLDROP sasl_username==barrak sasl_username==vladimir sasl_username==mao action

Re: secure email server

2013-10-25 Thread Jan P. Kessler
> - encrypted filesystem > - SSL or TLS only for SMTP and IMAPS > - Talking only to some known other same-secured servers > *Thank you for any infos* If you really need security, do not forget to use a safe source for your mailrouting information (e.g. ipaddresses or *really* secured dns - do not

Re: postfwd2 expericiencies

2013-10-08 Thread Jan P. Kessler
>I've started to running postfwd2 on my server, with approximately > up to 500 mails daily (and 80% spams :) ). I plan to use it to a > domain with 30 000 daily emails. Does anybody have postfwd2 applied > for similar domain ? What about huge dns count for RBL ? I use it since years wit

Re: Do not forward spam

2013-09-21 Thread Jan P. Kessler
> As I read it, 'smtp_header_checks' provides a way to do header checks only on > messages that are leaving the system, leaving local delivery unaffected? You are right. It should achieve the same.

Re: Do not forward spam

2013-09-21 Thread Jan P. Kessler
On 21.09.2013 15:17, Jan P. Kessler wrote: > > Would the single, existing instance with 'smtp_header_checks' not > > achieve the same thing? > > > > http://www.postfix.org/postconf.5.html#smtp_header_checks > > Not, if the required headers are added l

Re: Do not forward spam

2013-09-21 Thread Jan P. Kessler
> Would the single, existing instance with 'smtp_header_checks' not > achieve the same thing? > > http://www.postfix.org/postconf.5.html#smtp_header_checks Not, if the required headers are added later on by a content_filter.

Re: Do not forward spam

2013-09-21 Thread Jan P. Kessler
> The way I read his request is that he wants to forward non-spam > only, and is looking for a Postfix solution that supports this. > > The best proposal I can come up with is a Milter that triggers on > headers added by has spam filter, and that adds a second > recipient only if the mail does not

Re: disturbing TLS error

2013-09-14 Thread Jan P. Kessler
> So, there is nothing i can do ? If you don't need TLS for yahoo you can disable it for that server. Take a look at http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

Re: Can't send mails but I can receive

2013-09-12 Thread Jan P. Kessler
> > Sep 12 04:57:06 nudin1 postfix/smtp[29110]: connect to > > freenet.de[62.104.23.42]:25: Connection refused > > connection refused is a network problem, probably a firewall block. > Perhaps your ISP doesn't allow you to run a mail server? Something is wrong with your DNS resolution. freenet.de

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Jan P. Kessler
As attachments get larger, and end users use email rather than ftp for file transfer for convenience sake, a UDP implementation, perhaps using UDP as a data streaming channel could become a very useful configuration, and the transfer speed over high latency links (think satellite etc) could i

Re: Backup mx on cable

2013-07-09 Thread Jan P. Kessler
On 09.07.2013 23:56, Jan P. Kessler wrote: > > How can I configure my primary server to accept connections/mail from the > > secondary server but still refuse connections/mail from all other cable > > connections. > > I use TLS client certificates for these purposes*

Re: Backup mx on cable

2013-07-09 Thread Jan P. Kessler
> How can I configure my primary server to accept connections/mail from the > secondary server but still refuse connections/mail from all other cable > connections. I use TLS client certificates for these purposes* http://www.postfix.org/TLS_README.html * Not for backup to primary mx, but whene

Re: Blacklist IP with a reject message

2013-06-26 Thread Jan P. Kessler
3. I could also write a policy server. Is there already a policy server that's as simple as blocking IPs based on a ACL. But then, I'll have to run a local mysql server also. postfwd has an option to use a table, which will be re-read on every request. Look for "lfile" or "ltable" at http:/

Re: Problem using TLS: lost connection after STARTTLS

2013-06-16 Thread Jan P. Kessler
On 16.06.2013 05:00, Viktor Dukhovni wrote: > On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote: > > > The openssl update from 0.9.8k to 1.0.1e solved the client certificate > > issue. Unfortunately now we see another problem with the outgoing > > instance, t

Re: Problem using TLS: lost connection after STARTTLS

2013-06-15 Thread Jan P. Kessler
you MAIL FROM:j...@example.com 250 2.1.0 j...@example.com... Sender ok RCPT TO:xxx@example.com RENEGOTIATING [CTRL+C] On 16.06.2013 01:58, Jan P. Kessler wrote: > >> # openssl > >> ./Configure \ > >> --prefix=${BASE}/openssl \ > >> --openssldir

Re: Problem using TLS: lost connection after STARTTLS

2013-06-15 Thread Jan P. Kessler
>> # openssl >> ./Configure \ >> --prefix=${BASE}/openssl \ >> --openssldir=${BASE}/openssl \ >> solaris-sparcv9-cc >> make; make install >> >> # postfix >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4

Re: Problem using TLS: lost connection after STARTTLS

2013-06-15 Thread Jan P. Kessler
> The sender should replace their certificate, it is not compliant with > TLSv1. This too may take time. > > I never enabled ask_ccert on port 25, I had used 587 for that (on a > machine that nevertheless was not an MSA), and clients with special > access configured via ccerts had to use a transpo

Re: Problem using TLS: lost connection after STARTTLS

2013-06-14 Thread Jan P. Kessler
Signature Algorithm: sha256WithRSAEncryption It looks your OpenSSL library does not enable this via OpenSSL_add_ssl_algorithms(). The use of certificates with signature algorithms other than MD5 and SHA-1 is supposed to be negotiated via TLSv1.2, plain SSLv3/TLSv1 do not have a way to neg

Re: Problem using TLS: lost connection after STARTTLS

2013-06-14 Thread Jan P. Kessler
>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 >> mail.info] certificate verification failed for >> mail.dgverlag.de[145.253.80.6]: untrusted issuer >> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root > Why do you check client certificates? Because we authenticate/w

Problem using TLS: lost connection after STARTTLS

2013-06-14 Thread Jan P. Kessler
Hi, currently we are experiencing problems with an incoming SMTP/TLS connection. Remote side is an Ironport device, we are using postfix 2.8.13 on solaris 10. The problem exists only for incoming mails (ironport to postfix), the other direction works fine. It happens for both opportunistic (which

Re: how to tell postfix not to bounce when A: host not found?

2013-05-23 Thread Jan P. Kessler
On 23.05.2013 18:24, Joe Wong wrote: > Is there a config to tell postfix , to retry a email under A: host not > found condition? > > May 23 15:59:22 mysmtp postfix/smtp[7507]: 92B8BCC3DE: > to=mailto:t...@nosuchdomain.com>>, > relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.4.4, status=bounce

Re: reject_unknown_reverse_client_hostname safe?

2013-05-08 Thread Jan P. Kessler
On 08.05.2013 01:58, Vincent Lefevre wrote: > On 2013-05-07 23:00:01 +0200, Jan P. Kessler wrote: >> Yes this is possible with postfwd. The policy delegation protocol >> contains reverse_client_name and client_name, which can be used within >> postfwd rulesets. >>

Re: reject_unknown_reverse_client_hostname safe?

2013-05-07 Thread Jan P. Kessler
> Is it possible to use reject_unknown_reverse_client_hostname-like > feature as part of scoring with blacklist checking? I think > policyd-weight supported that. I consider using postfwd. Yes this is possible with postfwd. The policy delegation protocol contains reverse_client_name and client_na

Re: postscreen_dnsbl_sites

2013-05-06 Thread Jan P. Kessler
> Is it possible that the key is being exposed not from the > postscreen_dnsbl_sites line but from a line also in main.cf which says > the following? > smtpd_client_restrictions = reject_rbl_client .zen.dq.spamhaus.net Use rbl_reply_maps and a text without $rbl_domain: http://www.postfix.org/post

Re: Secure relay from specific internet host to internet

2013-04-22 Thread Jan P. Kessler
> Very well. If adding the IP address to mynetworks provides sufficient > security against abuse of my server, I will leave it to that. TCP and therefore SMTP is a bidirectional protocol (SYN-ACK and such). If you really estimate an attacker between you and the remote end, you will need *verified

Re: Case sensivity: Strict rfc5321 or reality compliance

2013-04-15 Thread Jan P. Kessler
Thanks to anybody for sharing your opinions and thoughts. I decided that the default rate limit functions will operate completely case-insensitive, because this seems to be what people (including me) expect. As most people also seem to have expected that behaviour in the past, I think this is one o

Re: Case sensivity: Strict rfc5321 or reality compliance

2013-04-15 Thread Jan P. Kessler
>> localpart case sensivity according to rfc5321: >> >> "The local-part of a mailbox MUST BE treated as case sensitive." > You are misunderstanding. Relaying MTAs MUST treat the local-part as > case sensitive. IOW, until the message is received at the destination, > case must be preserved. However

Case sensivity: Strict rfc5321 or reality compliance

2013-04-15 Thread Jan P. Kessler
Hi, sorry, I know this is not directly related to postfix but I know that there are several very experienced people reading this list. My question is how you (the people that use and administer mailservers) handle the localpart case sensivity according to rfc5321: "The local-part of a mailbox

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Jan P. Kessler
>> Is postscreen able to identify email as spam to prevent bouncing it? >> Is there a way to alter my postfix configuration to prevent bouncing it? > This is not a matter of 'spam detection'. You have to verify for valid > (means existing) recipients *before* you accept mail. > > Look for reject_u

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Jan P. Kessler
> Is postscreen able to identify email as spam to prevent bouncing it? > Is there a way to alter my postfix configuration to prevent bouncing it? This is not a matter of 'spam detection'. You have to verify for valid (means existing) recipients *before* you accept mail. Look for reject_unlisted_

Re: Is postfix misconfiguration to send to wrong domain?

2013-04-11 Thread Jan P. Kessler
Hi, > And these are the logfile lines for our sending of the non-delivery > notice we sent. One item in these log lines I do not understand at all > is "relay=server50.appriver.com > [204.232.236.138]:25". I do not > understand where were that information is sourced.

Re: Enforced TLS per MX

2013-02-27 Thread Jan P. Kessler
On 22.02.2013 17:06, Viktor Dukhovni wrote: > On Fri, Feb 22, 2013 at 08:48:31AM -0500, Wietse Venema wrote: > >>> We are trying to establish enforced TLS with a partner that hosts about >>> 2000 recipient domains. All of these point to the same four MX records: >>> >>> host[1-4].example.com

Enforced TLS per MX

2013-02-22 Thread Jan P. Kessler
Dear list, we are trying to establish enforced TLS with a partner that hosts about 2000 recipient domains. All of these point to the same four MX records: host[1-4].example.com As I did not want to specify all of these domains in our tls_policy file, I wanted to ask if there is any option to

Re: Delaying mail delivery

2012-11-12 Thread Jan P. Kessler
> - To inspect mail for badness (there is a better solution in Postfix > than hold+cron) Would it be possible to explain, what you mean by "a better solution"? My problem is, that since a while we receive mails containing 0-day malware which is not recognised by any of our AV scanners (Trendmi

Re: Postfix Move Emails to TMP Queue Directory if recipent limit is more than 5

2012-11-02 Thread Jan P. Kessler
> Using third party tool/script is strictly prohibited ..That is the > reason i don't use postfwd . So, what about postfix itself? Did you really analyze every line of the source code? > It would be great if you could help me to customize > "smtpd-policy-template" for me The policy delegation

Re: Alert of unusually large queue

2012-10-22 Thread Jan P. Kessler
>> I'm not sure, if sending an e-mail about a "full mailqueue"-condition is >> the best way to go ;-) > depends > > if you have no bulk-mail on your server it will take not too long > to find a good value to adjust the "50" and as example if i have > 500 queued messages i like to look if there is

Re: Alert of unusually large queue

2012-10-20 Thread Jan P. Kessler
Hey guys, > if [ `$mailq_count` -gt 50 ]; then echo "Mail count on Server is" > `$mailq_count`|/usr/sbin/sendmail -f r...@example.com repo...@example.com ; fi I'm not sure, if sending an e-mail about a "full mailqueue"-condition is the best way to go ;-) cheers, Jan

Re: Postfwd vs Policyd

2011-12-17 Thread Jan P. Kessler
are further interested you are welcome to ask questions on postfwd's mailing list. Regards Jan P. Kessler

Re: postfwd - limit outgoing mail

2011-12-17 Thread Jan P. Kessler
open relay to anyone. Consider using "permit_auth_destination" instead. For rate limit examples see postfwd's documentation at http://postfwd.org. If you have any ruleset related questions you are welcome to ask them on postfwd's mailing list. Best regards Jan P. Kessler

Re: Per IP per domain restriction

2011-08-29 Thread Jan P. Kessler
> In an attempt to work around existing infrastructure, I am trying to > restrict, by sender domain, what mail is accepted from certain IPs. > My thought at the moment is the lookup would look something like: > > ip.add.re.ssdomain1.com , domain2.com > > >

Re: RBL whitelist?

2010-03-18 Thread Jan P. Kessler
This whitelist is 1409 records long, so indeed as you say very small. I suppose I could download it and host it locally. Apparently AXFR is not allowed, but plain text HTTP download is, so that's good enough. Then I would only need an efficient and robust way for postfix to use it. If they le

Re: smtp restriction class

2009-09-04 Thread Jan P. Kessler
Ralf Hildebrandt wrote: > * Muhammed Sameer : > >> Hello, >> >> In my postfix configuration I want to apply an smtp restriction class if the >> domainname of the sender and the recipient is different >> for example in my main.cf i am using >> >> > > You need a policy server for that >

Re: OT: ethics

2009-07-01 Thread Jan P. Kessler
ghe wrote: > Wietse says something like "Spam is war -- RFCs don't apply." OK, but > how about nmap ethics? > > I've started hitting spam IPs and their nets with nmap to find out who > they are and maybe a little of what they're up to (and using the info > to decide if the net belongs in my packe

Re: header checks not working

2009-07-01 Thread Jan P. Kessler
> Bingo: > > -o > receive_override_options=no_header_body_checks,no_unknown_recipient_checks > > > Any negative consequences for eliminating this line, or changing it to: > > -o receive_override_options=no_unknown_recipient_checks header_checks will be executed twice

Re: Resolver issue in postfix ?

2009-06-30 Thread Jan P. Kessler
> He knows! But he argues that the hostname COULD be found and the > WORDING of the message is (supposedly) incorrect. > Ok, got that. Although I think it's kind of nitpicking, a more precise answer would be "Client host rejected: cannot verify your hostname, [87.53.72.254]"

Re: Resolver issue in postfix ?

2009-06-30 Thread Jan P. Kessler
Søren Schrøder wrote: > On Tue, Jun 30, 2009 at 12:05, Ralf > Hildebrandt wrote: > >> $ host 87.53.72.254 >> 254.72.53.87.in-addr.arpa domain name pointer mail.viauc.dk. >> $ host mail.viauc.dk >> mail.viauc.dk has address 87.53.72.234 >> >> 87.53.72.254 != >> 87.53.72.234 >> > > I got th

Re: Allowing OK instead of just DUNNO in check_recipient_mx_access

2009-06-29 Thread Jan P. Kessler
Noel Jones wrote: > postfix-l...@monmouth.com wrote: >> The postconf(5) manage says: 'a result of "OK" is not allowed for >> safety reasons.' >> Is there a way to bypass this? > > No. Is it possible to use permit_auth_destination here?

Re: smtpd_recipient_limit for one group of users

2009-06-29 Thread Jan P. Kessler
Please note: > # wants exclusive mails only ;-) > id=GROUP3; recipient==j...@doe.local; recipient_count>=1; \ > action=REJECT too many rcpts $$recipient_count >= 1 > The recipient attribute is only valid for single recipient mails at smtpd_data_restrictions. So this rule works, but other rec

Re: smtpd_recipient_limit for one group of users

2009-06-29 Thread Jan P. Kessler
;=200; \ action=REJECT too many rcpts $$recipient_count >= 200 Jan P. Kessler

Re: Whitelisting by recipient domain name

2009-06-29 Thread Jan P. Kessler
> The one observation I've made is there is no way of spotting in the logs > that the mail was subjected to a whitelist. For example; > > map: > example.com OK putting text here does not log it > > I'm guessing I can do this > example.com WARN whitelisted > example.com OK > > But is there a way to

Re: ISP being blocked by us

2009-06-26 Thread Jan P. Kessler
José Luis Tallón wrote: > > What we do (without policyd-weight, however): > > Redirect these "problematic domains" to a special restriction class (we > call it from_freemail) > Then, we match the sending server with *any* valid sending server for > that domain. > > Something along the lines: > AC

Re: ISP being blocked by us

2009-06-26 Thread Jan P. Kessler
Ignacio Garcia wrote: > FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 The helo_name (IMPaqm2.telefonica.net) did not match the sender_domain (terra.es) nor the mx (mx.terra.es). > CLIENT_NOT_MX/A_FROM_DOMAIN=9.1 The client_name (IMPaqm2.telefonica.net) did not match the sender_domain (terra.es) nor the

Re: rejecting client=unknown[ip.ad.dr.ess]

2009-06-23 Thread Jan P. Kessler
LuKreme wrote: > On 22-Jun-2009, at 18:29, mouss wrote: >>> Is there anyway to, if not outright reject anyone whose DNS shows up as >>> unknown to at least tempfail them with a "Ooops, your DNS is not >>> resolving, try back later" or something? > >> if you insist, you could use one of >> >> http

Re: Header Filter Time Range

2009-06-15 Thread Jan P. Kessler
Steve wrote: > I have to be honest, I looked at Postfwd a couple of weeks back and it > left me with a bad feeling. It was utter dependency hell to install - > It's your decision, but the only dependencies are Net::DNS and Net::Server perl modules and perl itself, of course. > like Russian D

Re: Header Filter Time Range

2009-06-15 Thread Jan P. Kessler
EASY steve.h...@digitalcertainty.co.uk wrote: > Probably a stupid question, but in practical terms is it possible to set > a header filter that will reject (or ideally defer) mail on time range? > For example during the hours of 00:00 -> 07:00. > postfwd a policy server would do this with the

Re: questions on check_sender_mx_access

2009-06-12 Thread Jan P. Kessler
Wietse Venema wrote: Jan P. Kessler: 1. Will check_sender_mx_access lookup an a record if there is no mx record for a given sender domain? It looks up MX records. As with many other Postfix features, there is no access control on information that does not exist. Noel Jones wrote

questions on check_sender_mx_access

2009-06-12 Thread Jan P. Kessler
1. Will check_sender_mx_access lookup an a record if there is no mx record for a given sender domain? I guess it won't as there's reject_unknown_sender but I'd prefer to be sure. 2. Is there a maximum number of mx records that will be checked by postfix? Are there any standards requiring or recom

Re: reject_sender_login_mismatch for client certificates

2009-06-08 Thread Jan P. Kessler
Florian Wagner wrote: > Hi, > > I'm currently playing around with client certificates in postfix. > > Is there any way do do something similar to reject_sender_login_mismatch > with certificate authentication? A table to map from certificate > fingerprints to allowed addresses? > postfwd (a p

Re: Proxying a policy service

2009-05-18 Thread Jan P. Kessler
J Sloan wrote: > I'm going to try out hapolicy first, since it's quite a bit quicker and > cheaper to set up than full blown mysql replication. > hapolicy (http://postfwd.org/DEVEL/tools/hapolicy-0.99.1) was developed to be small (~200 lines perl), simple and reliable. therefore it uses only

Re: check_policy_service does not work as expected: protocol_state=RCPT, even under smtpd_client_restrictions

2009-04-02 Thread Jan P. Kessler
mig wrote: > I wrote a policy server (that does RBL checks and dynamically disables slow RBL > servers). I supposed the right place is the smtpd_client_restrictions: > postfwd does asynchronous dnsbl lookups and allows to disable non-responding lists automatically. it also has an integrated cac

Re: header check for '.com' blocks non-exec with url in file name

2009-02-25 Thread Jan P. Kessler
Voytek Eymont wrote: ahem, what else might be worthwhile to put into mime header check ? single rule mime header check seems lonely... http://en.wikipedia.org/wiki/KISS_principle

Re: Address verification question

2009-02-18 Thread Jan P. Kessler
Halassy Zoltán wrote: > When a server rejects an e-mail address with 5xx, mine rejects it only > with 4xx. But! I would like to reject them with 4xx if the foreign > server sends 4xx, or unreachable, DNS failures etc... Is this possible? Take a look at http://www.postfix.org/postconf.5.html#unve

Re: howto setup outgoing port to 587 ?

2008-12-26 Thread Jan P. Kessler
mouss wrote: it's not required. but if you don't verify the cert, then you trust DNS. so a DNS attack (poisoning, ...) would make him send passwords to the wrong server. If you use encryption you implicitly assume that there might be someone between you and the target system. Unfortunate

Re: fight spam problem: sender equal to receiver

2008-12-14 Thread Jan P. Kessler
Roland Plüss wrote: It's just that you said they monitor the number of "dns queries". Now by bypassing a query for the DNS I can put it locally on my machine so no queries for the DNS goes out to the net. Whatever I removed the line from /etc/hosts for testing but it still doesn't seem to work.

Re: fight spam problem: sender equal to receiver

2008-12-12 Thread Jan P. Kessler
Roland Plüss wrote: I'll try mapping zen.spamhaus.org to 127.0.0.2 in my /etc/hosts. This should not require a DNS lookup and hopefully it works then. Let's see You must not do this if you want to use zen.spamhaus.org. Please follow the given advice and read something about how dnsbls wo

Re: redirecting remote blacklisted (rbl) messages

2008-12-11 Thread Jan P. Kessler
Frederick Reeve wrote: > On Mon, 8 Dec 2008 06:49:46 +0100 > Magnus Bäck <[EMAIL PROTECTED]> wrote: > > >> On Monday, December 08, 2008 at 06:36 CET, >> Frederick Reeve <[EMAIL PROTECTED]> wrote: >> >> >>> I have a working Postfix 2.5.5 setup that uses several rbls. I would >>> like

Re: question on xforward

2008-11-27 Thread Jan P. Kessler
Victor Duchovni wrote: Is there any good reason why smtpd_tls_received_header does not include the ccert_fingerprint when available? Perhaps it is because software does not grow on trees and actually needs to be created first? Hey - no offense, we're in the same business! This wa

Re: question on xforward

2008-11-26 Thread Jan P. Kessler
Victor Duchovni wrote: The topmost header "by your-MTA" is trustworthy, as are any headers above it. That makes sense, of course. Is there any good reason why smtpd_tls_received_header does not include the ccert_fingerprint when available?

Re: question on xforward

2008-11-26 Thread Jan P. Kessler
Victor Duchovni wrote: On Wed, Nov 26, 2008 at 06:50:13PM +0100, Jan P. Kessler wrote: would it be possible/valuable to enhance xforward by additional attributes reflecting the tls parameters of the upstream smtp session? Background is the current development of a content/proxyfilter

question on xforward

2008-11-26 Thread Jan P. Kessler
Dear postfix developers, would it be possible/valuable to enhance xforward by additional attributes reflecting the tls parameters of the upstream smtp session? Background is the current development of a content/proxyfilter. Cheers, Jan
