It appears that Viktor Dukhovni via Postfix-users
said:
>Only for DNS lookups. Otherwise, IIRC U-label domain names are left
>as-is, something else in your processing pipeline (a milter or
>content_filter) might replace U-labels with A-labels, but I believe
>Postfix does not.
Indeed it does not.
It appears that Scott Techlist via Postfix-users said:
>Apologies in advance for the slightly OT question. I've used Postfix since
>the beginning on a relatively small server. I was thankful when Let's Encrypt
>made it possible for me to automate and have "real" certs vs the pain of
>having to
It appears that Bill Cole via Postfix-users
said:
>You could easily turn on SMB file sharing on that OS X machine. iOS has
>builtin SMB support via the Files app and while I don't really track
>Android capabilities, I am sure that if there isn't a builtin SMB
>client, there has to be an app.
It appears that Bill Cole via Postfix-users
said:
>What sort of "support" would you expect to see in a MTA?
When that RFC was published a lot of us were sceptical that anyone would use
the Author header
since there had been no interest whatsoever from any MTA or MUA developers or
operators.
A
It appears that Wietse Venema via Postfix-users said:
>3 - Wait until IETF issues guidelines for converting messages (and
>envelopes) from SMTPUTF8 to legacy format.
We did, it didn't work, it's mostly deprecated, and nobody does it.
See RFCs 5335 and 5336 for the failed experiment to put ba
It appears that A. Schulze via Postfix-users said:
>
>
>Am 01.12.24 um 17:07 schrieb Wietse Venema via Postfix-users:
>> The remote server announces SMTPUTF8, but Postfix does not request
>> SMTPUTF8. It is as if the SMTP client has "smtputf8_enable = no".
>
>Hello Wietse,
>
>I don't think it's an
It appears that Florian Piekert via Postfix-users said:
>AFAIK you can't use the "doma.in" DKIM Key for signing "sub.doma.in" eMails.
>You need to add a separate key in the DNS file
>- which in this case you can't.
Sorry, that's just wrong. You can put a DKIM signature with any d= domain on any
We have a bunch of role addresses that we forward to the people in the role.
If the messages have DKIM signatures, it works reasonably well since the
signatures
stay valid. But if they don't, mail systems like Gmail reject them because
there
is no DKIM and SPF fails. So I would like to change
It appears that Wesley via Postfix-users said:
>i know there is a kind of wild certificate for *.example.com.
>besides that, is it possible to setup multiple separated hosts/certs in
>postfix?
Somebody else suggested getting a cert with multiple names, which is a reasonable
approach if the num
It appears that Laura Smith via Postfix-users
said:
>
>
>
>> My doubt is that since the outgoing email server identifies itself as
>> host1.example.com in the EHLO, is there a requirement or even an
>> expectation that postmas...@example.com will be able to receive email.
>
>
>I think the reality
It appears that John Fawcett via Postfix-users said:
>I didn't see anywhere what your value of smtpd_sasl_type is (as
>applicable to the sasl type used by the smtp server.
Bingo. Thanks.
In my defence, if you look at https://www.postfix.org/postconf.5.html
which purports to list all of the mai
ur "sasldb".
This is a test setup in a virtual machine on my laptop. The names of the
users don't really matter.
R's,
John
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading thi
I think these are the main things I learned:
* Debian moved the sasl configuration file to a nonstandard place
/etc/postfix/sasl/smtpd.conf
Dunno how I would have figured that out if someone here hadn't told me.
* The socket that the sasl daemon uses has to be inside the postfix
chroot, by defaul
It appears that Patrick Ben Koetter via Postfix-users said:
>IIRC Debian patches Postfix and expects smtpd.conf to be located in
>/etc/postfix/sasl/smtpd.conf. Have you tried this?
I just did and it worked.
Thanks, everyone. Now I have to back out my hacks one by one and make sure
I understand
It appears that Viktor Dukhovni via Postfix-users
said:
>Have you posted "postconf -nf" and "postconf -Mf" output (with as-is
>whitespace, including line-breaks)?
I will, see below.
>> But when I try to get postfix to authenticate, I cannot get it even to talk
>> to
>> the daemon.
>
>What's th
I'm trying to set up a little POP toaster on debian that has a few addresses all
in virtual domains.
I'm using Cyrus SASL (no Dovecot allowed for reasons) and to keep it
simple, I'm using sasldb authentication. I can set up the sasldb with
saslpasswd2 but I am stuck getting the Cyrus sasl daemon t
It appears that Emmanuel Fusté via Postfix-users said:
>In the general case (not null sender), HELO SPF validation does not
>interfere with DMARC as DMARC only use the MAIL FROM identity.
>There was historically a bug in some DMARC implementation which evaluate
>whatever SPF identity check that
It appears that Peter via Postfix-users said:
>On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>> Hi
>>
>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>
>There is no such thing as a no-reply email, there is no part of the
>email specification that allows a
It appears that Matus UHLAR - fantomas via Postfix-users
said:
>If one of recipients wants to accept mail from a sender while another
>recipient doesn't, theoretically you can reject that sender at recipient
>level, but that complicates configuration (but it's possible).
>This would mean that fo
People I'm working with have a short list of addresses from which they
don't want to accept mail at all, and they'd like to reject as early
as possible without running it through anti-spam milters, ideally by
rejecting the SMTP MAIL FROM command. What's the best way to do this?
The list is short so
It appears that Steffen Nurpmeso via Postfix-users said:
> |I did not want to insult you!
> |In mind i had these canon..py snippets
> |
> | def strip_trailing_whitespace(content):
> |     return re.sub(b"[\t ]+\r\n", b"\r\n", content)
> |
> |
> | def compress_whitespace(content):
> |     return r
It appears that Viktor Dukhovni via Postfix-users
said:
>On Wed, Apr 24, 2024 at 01:01:46AM -0000, John Levine via Postfix-users wrote:
>
>> >I must be interpreting this wrong because it appears postfix is not
>> >accepting that. Here is the complete process. A messa
and it should work. BTDT.
This has nothing to do with MIME or wrapping, by the way. The SMTP
spec says that the *only* line ending is \r\n and bare \r or \n is
undefined. Postfix strips the \r on the way in and will add the \r on
the way out if you let it handle the SMTP sessions.
R's,
John
Here's another question that might be answered in the documentation
but I can't find it. If I have a file delivery like this in
the /etc/aliases file
foo: /a/b/somefile
what userid writes to the file? postfix? nobody?
I realize that for user mailboxes it's the user, but
in this case, there's n
I am trying to tidy up a complicated and messy postfix config that has
all the issues you'd expect in one that has been twiddled by many
people over a decade to handle multiple sort of related mail streams.
Today's issue is ensuring that we only do submission rewrites on
outgoing mail, not incomin
It appears that Joachim Lindenberg via Postfix-users
said:
>Hello John,
>are you willing to share what direction you/IETF are working towards?
It's the EMAILCORE working group. You can see the documents here:
https://datatracker.ietf.org/wg/emailcore/documents/
>What I am really missing is cl
It appears that Phil Biggs via Postfix-users said:
>Where do see the "mandatory" requirement?
>
>Section 4.1.1.8 says:
>
> SMTP servers SHOULD support HELP without arguments and MAY support it
> with arguments.
SHOULD is IETF-ese for you have to, except that there might be reasons
not to d
Over in the IETF we're slowly working on updating RFC 5321.
Today's topic is the HELP command. The current spec says that it is
mandatory to implement it. Most MTAs implement it by returning a fixed
string, or something close to fixed, e.g., gmail's answer appears to
include a code that tells you w
This paper describes a clever hack that uses defective line endings to embed
a second SMTP session inside a first one, which has the practical effect
of letting you send fake authenticated mail from anyone else who uses the
same mail system you do. If that system is MS Outlook, that's a lot of peo
If a malformed mail message shows up by SMTP (not local sendmail or
submission), will postfix generally try to clean it up or just
pass it along?
I see the cleanup program and all the options about when to run it and
what to tell it to do, but in practice, will a typical system clean
everything up
It appears that Viktor Dukhovni via Postfix-users
said:
>Postfix supports DANE, but there's no MTA-STS support. And I've not
>seen much by way of receiving MTAs advertising REQUIRETLS as a
>capability
I did a proof of concept implementation that advertises REQUIRETLS and then
ignores it.
As I
It appears that Tom Reed via Postfix-users said:
>Since the message was sent to mailing list which rewrites envelope address
>and adds list signature, so:
>
>1) SPF for header From: address won't get pass due to SRS.
>2) DKIM won't get pass due to list signature.
>
>So the DMARC failed totally and
It appears that Jaroslaw Rafa via Postfix-users said:
>Dnia 16.04.2023 o godz. 16:32:41 Gerald Galster via Postfix-users pisze:
>>
>> Mails classified as spam or external forwards seemingly take another route
>> via mout-xforward.web.de. These servers are SBL-listed by intention, most
>> likely b
It appears that tom--- via Postfix-users said:
>$ dig -x 82.165.159.35 +short
>mout-xforward.web.de.
>
>Can anyone from web.de help with this?
The only people who should be able to send mail through that server are web.de
customers.
If you are a customer, what happened when you contacted them t
It appears that Benny Pedersen said:
gmail.dk. 300 IN MX 0 .
>>>
>>> if nullMX is added then spf and dmarc can be removed
>>
>> You need both the null MX and the SPF. Null MX says you
>> don't receive mail, SPF -all says you don't send mail.
>
>why is spf needed
It appears that Benny Pedersen said:
>On 2022-04-13 19:27, Matus UHLAR - fantomas wrote:
>
>> however, they miss the nullmx record:
>>
>> gmail.dk. 300 IN MX 0 .
>
>if nullMX is added then spf and dmarc can be removed
You need both the null MX and the SPF. Null MX sa
For doing DMARC validation, I know about the opendmarc milter. Is that what
everyone uses? Is there anything else used in practice?
I know about perl and python libraries but they don't seem to have
milters or other ready to use integrations into MTAs.
TIA,
John
It appears that Byung-Hee HWANG said:
>Hello,
>
>My final Inbox Provider is Gmail(soyeo...@gmail.com) for 13 years. Also
>i added paid plan of Google Workspace for
>
>Someday far later i have to plan. That is to forward into
>soyeo...@gmail.com all emails (on soyeo...@doraji.xyz). (If True) then
It appears that @lbutlr said:
>On 2022 Feb 25, at 08:55, Viktor Dukhovni =
>wrote:
>> The moment TLS enters into the picture, you start to need much more
>> complicated certificate management to get MUAs to see an acceptable
>> certificate for its expected name on ports 587 and 465,
Also for STA
t this might break upon replying with this doctored header.
>That is, will it cause "breakage" of certain SPAM/Malware checks, or email
>tamper detectors.
List software does that all the time. It won't cause any problems that you
don't already have from
the routine ch
It appears that Benny Pedersen said:
>On 2022-01-15 20:01, Robert Siemer wrote:
>
>> I need to DKIM sign possibly huge emails (up to 150MB).
>
>insane
agreed
>> A DKIM signer can do this by either keeping the message in memory (a
>> no-go for me) or write it to a file.
>
>will a mount point on t
It appears that Viktor Dukhovni said:
>I'd use CDB for this. I think the inputs will not change frequently
>enough or be anywhere near sufficiently many to make the CDB map
>creation time to be something to worry about.
>
>CDB has a very stable disk format and API, I trust it more than
>either Be
It appears that Viktor Dukhovni said:
>> For an application I'm working on, we need to set up about 50,000 forwarding
>> addresses.
>You should be able to use an LMDB, Berkeley DB or CDB database with
>millions of entries.
>
>Though I don't think you're asking about 1-to-very-many forwarding,
>i
For an application I'm working on, we need to set up about 50,000 forwarding
addresses.
If we just put them into a hash or btree lookup table, would that be a problem?
It doesn't
seem like a very big database.
R's,
John
It appears that Wietse Venema said:
>Here's a nice writeup that illustrates why Postfix blocks ALPACA attacks.
>
>https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
Just wondering, did you add the anti-http stuff because of ALPACA or was it
People in the web world are in a kerfuffle about an attack called ALPACA which
(leaving out
a lot of details) gets a web browser to send requests to a non-web server and
then get the
browser to interpret the responses in unfortunate ways. Most of the
unfortunateness comes
from the server replyi
long time.
It is a fairly recent change, perhaps a year ago, that they return the .254 and
.255
codes rather than just ignoring the request, as a hint that you need to fix your
configuration.
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Pl
It appears that Benny Pedersen said:
>On 2021-04-30 18:34, John Levine wrote:
>
>>> We've just released OpenDMARC 1.4.1 over at
>>> https://github.com/trusteddomainproject/OpenDMARC
>>
>> Thanks. Is there a downloadable tarball available? Sourceforge
It appears that Dan Mahoney (Gushi) said:
>Hey there,
>
>A cross post because there's enough dmarc discussion to be relevant.
>
>We've just released OpenDMARC 1.4.1 over at
>https://github.com/trusteddomainproject/OpenDMARC
Thanks. Is there a downloadable tarball available? Sourceforge only has
It appears that Viktor Dukhovni said:
>[ Wietse's upstream FTP site for Postfix source tarballs will soon no
> longer be browser-accessible. :-( ]
If you use a Mac, FTP is built into the Finder. Who needs a browser?
It appears that Jaroslaw Rafa said:
>Dnia 22.04.2021 o godz. 12:04:23 John Levine pisze:
>>
>> Safari and Brave also show a Not Secure warning. Firefox won't connect
>> at all unless you manually edit the https to http in the address box.
>> Pick your poison.
>
It appears that Nick Tait said:
>>> Chrome shows it as "Not secure" followed by postfix.com by gracefully
>>> hiding the implied www.
>> I think you meant to write "by disgracefully hiding...".
>
>I'm not hearing many reasons to use HTTPS... Just lots of reasons not to
>use Chrome? ;-)
Safari a
It appears that IL Ka said:
>-=-=-=-=-=-
>
>>
>>
>> There is neither a service at port 443, nor a postfix.org website.
>>
>>
>I believe this is about http://www.postfix.org/
>There is no https there.
>
>It should be easy to install Letsencrypt certificate there, but I am not
>sure if it's worth th
It appears that Wietse Venema said:
>According to Exim documentation (link below) the '!' and '%' are
>not special in email addresses, so we know that at least it does
>not appear to break legitimate usage.
Technically, that is correct. According to the local-part syntax in RFCs 5321
and 5322,
It appears that Wietse Venema said:
>With uniform or compressed payloads, 256 bytes become 261 on average,
>thus it takes 978.9 bytes on average to expand into 998. Add CR
>and LF to the 998, and we have an expansion of 1000/978.9=1.022 or
>just a little over 2%.
That was my estimate too. I was
It appears that Wietse Venema said:
>> BINARYMIME avoids the 33% size increase of base64. If people cared
>> about that, since every MTA now supports 8BITMIME it would be easy
>> to invent a quoted-unprintable content-transfer-encoding which
>> escaped only the few characters that are special in
It appears that Wietse Venema said:
>Demi Marie Obenour:
>> How useful would BINARYMIME support be? It does mean that DKIM signing
>> would need to be done in the sending path, but I cannot think of any
>> reasons that would be a blocker. Having DKIM and DMARC built-in to
>> Postfix would be a n
It appears that LoneStarKen said:
>Possibly. Since I am unsure why the package maintainer disabled
>CHUNKING I am concerned enabling it, we might have a broken
>implementation of BDAT or even worse something else breaks.
>Since this is a production server, I'm going to err on the
>side of caution
In article <20210214181714.ga238...@wzv.porcupine.org> you write:
>On Sun, Feb 14, 2021 at 10:49:52AM -0500, John Levine wrote:
>> I'm using postfix 3.5.8 on FreeBSD 12.2, the packaged version
>>
>> I have set up a Chinese EAI domain with some Chinese ad
In article <0969fd79d37ce0b524e84319a8f21...@junc.eu> you write:
>On 2021-02-14 16:49, John Levine wrote:
>> I'm using postfix 3.5.8 on FreeBSD 12.2, the packaged version
>>
>> I have set up a Chinese EAI domain with some Chinese addresses.
>>
>> The domain is in virtual_alia
�M-^T��M-^P�M-^B�件�M-^K�M-^U.中�M-^[�> proto=ESMTP
helo=
Feb 14 10:31:52 eaicheck postfix/smtpd[48813]: disconnect from
gal.iecc.com[64.57.183.53] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet f
>I suspect either it's just a mistake, or stuff that actually used that
>domain in a URL (as opposed to just a random string in a message) has
>been really spammy.
I asked. There really is a domain master.cf, and it really is used
in URLs in a lot of spam.
Solution: don't look up strings in the
>> Content inspection is evil by-design and doomed to fail. This is just
>> another example.
Unfortunately, there's no alternative unless your users don't care
about getting mail from large providers with the occasional spam
infestation.
I suspect either it's just a mistake, or stuff that actuall
>> submission 587/udp
I've been doing this for a long time, and I've never seen anyone try
to do SMTP over anything other than TCP.
Regards,
John Levine, postmas...@cauce.org, CAUCE postmaster
http://www.cauce.org
In article
you write:
>-=-=-=-=-=-
>
>It's possible to modify the Date field on MUA side, if one were so
>inclined, right?
>
>If so, how would that be accomplished?
The easiest way is to change the clock in your computer, then send the
message, then change it back.
>> As I think I said, the person who asked
>> has a domain a typo away from a very popular one, and would like to
>> get rid of the unwanted traffic efficiently while still having his
>> web server or whatever on the A record.
>
>Tough. Whoever is in that position is presumably making enough money
>Does any MTA other than Postfix implement nullmx?
I did some experiments. My qmail system rejects on nullmx immediately
for roughly the same reason postfix does, a general rejection on bad
MX records.
Among web mail, Yahoo rejects immediately, Gmail and AOL don't reject
immediately and I don't
>If someone doesn't want a domain name to get email, the solution is simple.
>Don't start an SMTP
>listener. For bonus points, don't publish MX records for the domain either.
>Avoid having A or
>AAAA records too, or at least make sure they go somewhere that doesn't listen for
>SMTP.
That "works
>> This is inaccurate. Postfix will not perform A/AAAA lookups for ".".
>
>True. But postfix is not the only MTA, even if it is the one that gets
>discussed on this list. :-)
I would say that if there are A or AAAA records for "." we have worse
problems than whether some poorly addressed mail bo
There is a somewhat popular convention that if a domain publishes an
MX like this:
whatever.example MX 0 .
it means the domain does not receive mail. There was a draft about it
in 2005 but it's never been formally standardized and the question has
arisen how widely implemented it is.
I don't
>Qmail ( which i know very few ) seem a bit autistic when talking
>to non FQDN distants servers or with MX misconfigured.
I'm not surprised, it's pretty picky about non-standard behavior.
>my idea is to add a postfix instance on this machine which will
>send emails to the Internet.
>
>In my plan
RFC 5321 says that if a mail server gives an initial banner with a 554
status code, that means "no mail server here", so the client should do
whatever it normally does on a connection failure, looking for another
MX at equal or lower priority.
This is different from 554 later in the SMTP session,
>The jungle drums has been rumbling about SPF2, as a result I started to
>do some reading up on the new "standard".
Not to cast aspersions, but the Sender-ID spec was published in 2006.
Must be a big jungle.
But the answer is simple: Sender-ID is dead, even Microsoft doesn't
use it any more. Yo
>Don't use spamcop, or use it only with small weight in a scoring system.
I agree that Spamcop used to be awful, with vast numbers of false
alarms. But since Ironport bought them several years ago, there's
been a nearly complete turnover of staff and it's much better run.
Take another look. I f
>You want to share one dedicated external source IP address among
>multiple Postfix SMTP clients. If there were only one dedicated
>external source IP address, then a NAT router would suffice.
That would be my first suggestion. For a cheap experiment, get
something like a Cisco E2500, configure i
> I would like to configure Postfix to send a mail after
>e.g. 4 hours that the delivery has failed and that the system will try
>to send the message for another 5 days. Is this possible?
Considering how incredibly annoying those messages were when sendmail
used to send them, I hope not.
R's,
J
>My current config is as follows:
This one:
>reject_rbl_client zen.spamhaus.org,
Includes these three, so there's no point in using them.
>reject_rbl_client dnsbl.njabl.org,
>reject_rbl_client sbl.spamhaus.org,
>reject_rbl_client cbl.abuseat.org,
This one:
>reject_rbl_client t1.dnsbl.net.au,
't do that.
Outsource your list to a competent ESP who already knows how to do it
correctly. The modest cost is well worth it. For a list of that size,
I'd look at Mailchimp and Constant Contact.
Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dumm
>Sadly, the opendkim library does not support applying two signatures in
>parallel (set up two signing contexts, pass the message content through
>once, get two signatures). So I have to pass the message through the
>library twice, to apply two signatures. Not a show-stopper, but annoying.
If we as
Sorry about that. Stupid helpful mail program.
R's,
John
PS: What's worse is that I programmed the helpful bits myself.
Here's some recipes for Postfix SUBMIT
--- Begin Message ---
On 11/8/2010 9:28 PM, John Levine wrote:
A friend is trying to set up a Postfix submit server on port 587, so
it requires SMTP AUTH but doesn't use the DNSBLs that his regular port
25 server uses.
This is surely a FAQ, b
>> Do NOT look up rDNS in the DWL. If you do, you will get random
>> results, since we have no idea what rDNS our clients use.
>
>Noted. The feature is not SpamHaus specific, and other WLs may support
>rDNS domains, but we should perhaps add a note in the docs about SpamHaus,
>since your list will
A friend is trying to set up a Postfix submit server on port 587, so
it requires SMTP AUTH but doesn't use the DNSBLs that his regular port
25 server uses.
This is surely a FAQ, but we must both be very nearsighted because we
can't find it. Can someone remind us where it explains how to set up
a
My apologies for shouting, but this wrong idea just won't go away:
> If Postfix can't determine the client's reverse domain
>(tempfail) and therefore cannot even ask SpamHaus whether the
>(verified) client (PTR) domain is on the whitelist,
NO! NO, NO, NO!
Do NOT look up rDNS in the DWL. If
>Should we mention that these should only be used to reduce FPs from
>blacklists that follow, and that are expected to not list legitimate
>clients. ...
Depends on the whitelist.
I'm working on Spamhaus' new whitelist where our goal is to list only
mail sources clean enough that you can skip the
>Anyone opposed to the postfix.org domain publishing an SPF record?
Yes. Now, can you go away, please?
R's,
John, MAAWG senior technical advisor, among other things
>dkim can help as one component of a content filtering solution.
Current versions of Spamassassin can do DKIM checking. Don't turn on
ADSP "reject because I say so" checks (I say this as one of the
authors of the ADSP RFC), but you can adjust your config to list a few
heavily phished DKIM signers
>Should I disable SAV for some domains to prevent blacklisting? Which domains?
Yes. All of them.
SAV is widely considered to be abusive, since it is technically
indistinguishable from spammer address verification. It's also rather
ineffective since great amounts of spam now uses random sender
a
>Last time I used majordomo was in the 90's, I don't know if there is a
>web interface. Can you tell me if there is a official one? Or can you
>recommend another software to ease the management?
Majordomo2 is a complete rewrite from scratch. All it shares with mj1
is the basic commands used in co