Or
https://jyotishp.ml/tutorials/postfix/dual-delivery-for-postfix
http://pjrlost.blogspot.com/2012/11/smtp-delivery-to-two-mail-servers-via.html
This one, it's a bit of a search, but the files are still available on the internet.
Greetz,
Louis
> -Original message-
> From: sel...
The link of linode, but transformed into a script for Debian 9.
https://github.com/thctlo/debian-scripts/blob/master/setup-opendkim-postfix.sh
Read it or use it. ( make backups first ).
It's tested on a clean setup, but if you read through the script you see
everything that's needed to fix this.
Did someone look at an "old" howto here?
Postfix manual shows clearly.
/etc/postfix/main.cf:
# Postfix ≥ 2.6
milter_protocol = 6
# 2.3 ≤ Postfix ≤ 2.5
milter_protocol = 2
This works fine on Debian Stretch, if you set milter_protocol = 6
dpkg -l | egrep "postfix|opend[m,k]"
All I can think of is.
Setup 3 postfix dual smtp.
Server 1, incoming relay.
Which delivers on server 2 and 3 with dual smtp.
Server 2 to
Vessel A = *@vessel_A.domain.com
Has smtp relay 1 = an ip address:25
Server 3 to
Vessel A = *@vessel_A.domain.com
Has Smtp 2 relay as backup with ip address
Hai,
recent.spam.dnsbl.sorbs.net = 127.0.0.6
and you gave it 1 point.
What's the postscreen_dnsbl_threshold set at?
I'll bet that's set higher than 1.
Greetz,
Louis
From: cubew...@googlemail.com [mailto:owner-postfix-us...@postfix.org]
On behalf of Ste
In order of messages. ( I got 11 messages for 1 postfix list mail ).
I only see these when:
1) someone tries to mail out of my domainname.
2) when I mail the postfix list.
I never figured this out, why this happens at the postfix list.
This is an authentication failure report for an
I had similar things.
.. Waiting for the bounce...
Greetz,
Louis
> -Original message-
> From: rei...@bbmk.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of B. Reino
> Sent: Friday 14 September 2018 10:52
> To: postfix-users@postfix.org
> Subject: Re: Double-Bounc
Yes.
I did like this setup.
https://wiki.deimos.fr/Postfix:_limit_outgoing_mail_throttling
And now you have also options per domain.
Greetz,
Louis
From: paul.martin.b...@gmail.com [mailto:owner-postfix-us...@postfix.org] On behalf of
Paul Martin
Sent: Wednesday 20 June 2018 16:44
To: postf
Have a look.
https://toolbox.googleapps.com/apps/checkmx/check?domain=schweb.com.ar&dkim_selector=
schweb.com.ar
There were some critical problems detected with this domain. Mail-flow is
probably affected. Please refer to the corresponding help articles to fix
these.
Your base setup is ok,
You did not get the hint.. The "wrong" thing here is mail.*
Because you're now rotating everything behind the mail.*
so also .1 .1.1 .1.1.1 etc etc, until your server explodes ;-)
You should have this in your postfix logrotate..
Try this.
/var/log/mail.info /var/log/mail.warn /var/log/mail
Hai,
Did you remove the mail rotate also from /etc/logrotate.d/rsyslog ?
You have these lines in the rsyslog file also.
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
You're now "double" rotating your logs. ;-)
Greetz,
louis
> -Original message---
Or why not use an SPF like this in the dns.
your.domain.tld TXT "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp=explain.your.domain.tld"
explain.your.domain.tld TXT "SPF error %{i} is not one of %{d}'s designated mail servers."
Now these never reach your server, saving cpu cy
Hello Victor,
> -Original message-
> From: postfix-us...@dukhovni.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Viktor Dukhovni
> Sent: Tuesday 13 March 2018 15:27
> To: Postfix users
> Subject: Re: question about envelop from.
>
>
>
> > On Mar 13, 2018, at 8:54
Hai Matus,
Thank you for the reply, most appreciated.
No, but it's a "government" server, so I need to be very sure.. ;-)
Thanks, I was looking in the wrong rfc.
Best regards,
Louis
> -Original message-
> From: uh...@fantomas.sk
> [mailto:owner-postfix-us...@postfix.org] N
Hai,
I'm reading through RFCs but the following is still not clear to me.
E-mail is rejected based on the envelope-from address from a mail-daemon with
postfix + postfix-policyd-spf
I saw the following in the postfix logs.
Feb 7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connect
I use this list for postscreen, big list.
Use with care, this one is customized for my needs.
The why of two cidr's in the access list. The first is manually maintained.
The second cidr and spamhaus drop are auto updated by script.
Greetz,
Louis
postscreen_greet_banner =$myhostname, checking
Hai,
Kopano with nextcloud, z-push and webapp with files plugin rules here.
Very good combo, bit harder to setup, but very compatible with lots of
different devices.
Greetz,
Louis
> -Original message-
> From: li...@merit.unu.edu
> [mailto:owner-postfix-us...@postfix.org] Nam
No, I know it runs fine, after about 2-3 million emails processed, I know ..
Really..
And no I did not ignore him, but I want mailscanner and I want postfix and not
exim.
Did you even try it and test it? And if so, what did you encounter??
I only found 1 thing and that's fixed.
something with
Hai,
mailscanner runs fine here for about 5-6 years now, with postfix.
Mailscanner + postfix (postscreen) rules here :-)
But if you want a quicky to test.
https://efa-project.org/ = Mailscanner + mailwatch +... Lots of extra's.
Greetz,
Louis
> -Original message-
> From:
 https://tools.ietf.org/html/rfc5321.html#section-2.3.5
Local aliases MUST NOT appear in any SMTP transaction.
So correctly rejected, imo.
Just tell the other site the mail manager forgot to set the outgoing smtp
connector in exchange.
Happens so often..
Greetz,
Louis
From:
For me it was a good and easy upgrade from jessie to stretch.
Things I needed to change/run were these:
# for postfix
postconf compatibility_level=2 && postfix reload
# for ntp
sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery/restrict -4
default kod notrap nomodify nope
Maybe it's handy to tell us the real domain name and IP involved in this problem?
As far as I can see, your web site is the target, not your mail server.
I personally use : http://multirbl.valli.org/lookup/netlite.it.html
About the same as mx toolbox, but I did notice that the list of multirbl is
much shorter when the domain name is used.
If I check with this hostname: mail.netlite
And if you're running debian you can set the min-cache-ttl..
That bind is patched with :
https://anonscm.debian.org/cgit/users/lamont/bind9.git/commit/?h=patches&id=84fa402750fab5cd887d357501e2896494ac551f
So you can set these if needed.
min-cache-ttl 90;
min-ncache-ttl 90;
Greetz,
Louis
Sorry about that, I was thinking you're talking about the remote connecting to
you. So, it's you to remote ( so the smtp_tls settings )
I did setup also for client myself, but that more how official you need to have
some things.
It's about the same, for the client setup I'm using :
# TLS Client (
Yes, it is advisable to enable TLS.
What is your OS and Postfix version?
For example, I use Debian.
And when you want to use : ca-certificates.crt
You need to setup as debian expects and it includes your cert in the
ca-certificates.crt, so that's why I want to know the os and version of postfix.
(
He is multiple times listed.
See :
http://multirbl.valli.org/lookup/46.22.210.2.html
Spamhaus ( listed in DBL Advisory. ) ( aerial.astogle.us.dbl.spamhaus.org )
The remote server probably sends "listed at zen.spamhaus.org" but is using DBL
also.
https://www.spamhaus.org/dbl/
Greetz,
Lo
Hai,
It all depends on what you need and want.
After monitoring for about a year on with or without encryption.
I have 0 unencrypted mail servers found and a handful of SSLv2 or V3.
Which I simply don't allow anymore. ( The sslv2/v3 )
Due to the Dutch "Privacy laws" users are obligated to
No mx lookup in the SPF?
Why not :
mail.example.org. TXT "v=spf1 mx ip4:1.2.3.4 ip6:: -all"
And why no A record
Every host in your dns with A can send, which is not (always) what you want.
For example: www.example.org and now your server gets compromised and is
spamming.
Hello Noel,
Would you please stop saying that I'm labeling.. I'm not.
Sorry I'm so bad at explaining things in English.
I'm just trying to explain something based on what I did read here:
http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname
reject_unknown_helo_hostname (with Postfix < 2.
Thank you Noel, again :-)
Based on my loglines I found that;
postfix/ [smtp/smtpd/postscreen] show [client-hostname or unknown] IP
(*always unknown if A/PTR mismatches in client hostname OR helo hostname)
postfix/ cleanup (header Received) show from helo-hostname (client-hostname
Hai,
Well, Thank you Noel,
This makes much more sense now.
I was misled due to the log messages of postfix.
My own server has an A/PTR to the hostname and A/MX for helo name.
This is the confusing part, at least it was for me.
The logs showed me:
postfix/smtpd[29331]: connect fro
Hello,
After the message from yesterday, I'm asking if the postfix logging can be
changed.
To improve the loggings and a better more clear reject message.
A small change maybe, I don't know, I'll show what I mean below.
Maybe I'm totally incorrect here so correct me if needed.
Now,
Hai,
First sorry to have the ips and name anonymized, I had to do that.
I can't expose details until I first talked to the company in question.
That's a moral thing to do in my belief.
And I need to be sure that I tell the right info when I do that.
The "helo=" space was a copy paste error, sorry
Hello Noel/Jim,
Thank you for the replies.
Ok, that's clear, so multiple A are allowed but I think it's the way around here.
I'll explain bit more.
I did run also that way, one host multiple ip's but both ip's have a different
helo name to match a/ptr and mx records with it.
But this
Hello,
I couldn't find this on the internet and I was thinking, the postfix list will
know this.
Customer sends emails which are rejected by my server. I think that is
correctly rejected.
Now I dug into this and I found the following but I don't know if this is
allowed by RFC.
To
Hai Florian,
No, that is due to my setup with the mailscanner antispam behind it.
Just give those sites a good read, and then adjust the config to your needs.
Running a caching dns on that server helps dns queries.
Extra to that, install fail2ban and add postfix-dnsbl.conf
With filter :
failreg
Some good info to read into.
http://rob0.nodns4.us/postscreen.html
http://blog.schaal-24.de/mail/postscreen-im-kampf-gegen-spam/?lang=en
and of course a must read:
http://www.postfix.org/POSTSCREEN_README.html
Greetz,
Louis
> -Original message-
> From: flo...@floppy.org [mailt
Ah yes,
In master.cf adjust these.
smtp inet n - - - 1 postscreen
smtpd pass - - - - - smtpd
dnsblog unix - - - - 0 dnsblog
> -Original message-
> From: flo...@floppy.org [mai
I suggest you read :
http://faculty.cs.niu.edu/~rickert/cf/bad-ehlo.html
Personally I use the following.
smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access pcre:/etc/postfix/pcre/helo.pcre
check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
reject_inval
Hai Paul,
I saw you got it fixed, compromised pass as I suspected. ;-)
I saw also this in your log.
from [127.0.0.1] (87-92-55-206.bb.dnainternet.fi [87.92.55.206]
This should never be allowed. ( from 127.0.0.1 ) ( on the external ip )
That's impossible imo.
To fix that you can use something
Paul, check if there are messages still in queue.
I had a compromised account also and same as you it didn't stop. It did after
clearing up the queue list.
The user in question has used its email and pass on a website which was
compromised, at least that's what I think.
In my case I allow my
.. fail2ban
Sasl filter.
Or add xtable (geo ip) and then block countries.
I only allow sasl auth from my own country AND an A record must exist in the
dns for the host sending.
And Blacklisting the spamming domains is often useless.
You better check for the age of the domain or so.
http://sp
Here you have a bind log example, WITH lame server logging.
Adjust where needed.
Just enable only lameserver logging.
Set all to null and enable lameserver logging.
No performance drop.
logging {
channel bind_log {
file "/var/log/bind/bind.log" versions 3 size 1m;
Then stop using google dns or other dns servers
that block dns request to rbl servers.
Source : https://www.spamhaus.org/faq/section/DNSBL%20Usage
Check what DNS resolvers you are using: If you are using a free "open DNS
resolver" service such as the Google Public DNS or large cloud/outsourc
A good combination of rbl lists with postscreen im using.
postscreen_dnsbl_threshold=4
postscreen_dnsbl_sites =
b.barracudacentral.org*4
bad.psky.me*4
zen.spamhaus.org*4
dnsbl.cobion.com*2
bl.spameatingmonkey.net*2
fresh.spameatingmonkey.net*2
They are after username/passwords.
And when that happens they will use your server as relay.
Happened on one of my servers also.
One of my users used his email and pass in facebook and linkedin.
And the same as on the server.. :-/
About 60.000 mails were tried to send over my server.
Wha
Hai,
I'm testing out my servers and I noticed the following
telnet localhost 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.tld ESMTP Ready
ehlo localhost
250-mail.mydomain.tld
250-PIPELINING
250-SIZE 1536
250-VRFY
250-ETRN
250-STARTTLS
Did you reboot the server? If not, try it first.
Why.. find out with:
apt-get install debian-goodies
checkrestart
but, most of these can't restart, so rebooting the server is the only option.
When that's done, check again.
Greetz.
Louis
> -Original message-
> From: christ
Switch to the perl version of this and your problem is fixed.
Use postfix-policyd-spf-perl
Not postfix-policyd-spf-python
Both work the same, but the perl version works fine with ipv6 on my server.
Greetz,
Louis
> -Original message-
> From: t...@whyscream.net [mailto:owner-pos
First in reply to. .
... cannot find your hostname
Optional to add:
unknown_hostname_reject_code = 550
but if you have dns problems, everything gets rejected as Wiets already told
you.. .. but I think.. , so what, the sender does get the NDR, he can send
again but thats a choice. And think c
Ok, debian, my thing.. ;-)
Try :
Edit /etc/dovecot/dovecot.conf
To Change : protocols = imap lmtp
And add:
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
group = postfix
mode = 0600
user = postfix
}
}
protocol lmtp {
postmaster_address=postm
These are 2 different things.
Unknown hostname is a missing PTR record
For that you can use :
smtpd_client_restrictions = ...
"unknown" is also the name in the case of a temporary dns lookup failure. so
using 5xx for all "unknown" is not a good idea.
# reject_unknown_client_host
Never knew this, what is the SPN postfix/sasl needs?
And a simple way to make the client work, setup a samba client, if setup
correctly, samba will refresh the keytab file.
If someone wants info on this, I can answer Monday again.
greetz,
louis
> On 1 Jan. 2016 at 21:17, Viktor Dukhovni
>
Well, you're allowed to have your opinion .. no problems with that.
And good for you then there are other MTA's you can try to configure..
I'm using postfix for more than 10 years now, and I'm very happy with it.
I get about 0.05% spam of all mails, and that 0.05% is caught by spamassassin,
I do
This is how I run it. ( postfix 2.11.x on debian Jessie )
This stops a lot of "spamming" servers, and if anyone sees improvements,... I'm
all ears... ;-)
This was a drop of about 90% of all spam, remaining used "good" configured
servers.. :-/ but for that spamassassin..
unknown_hostname_r
Hai,
I run this on a debian Jessie, postfix 2.11 (all debian packages )
Route for me is like this.
-> postscreen -> policy-weight -> policy-spf -> clamsmtp (->
-> spamassassin) -> user
A1.
I have in main.cf
content_filter = clamsmtp:127.0.0.1:10025
A2. Yes, you
Try starting spamd with
--listen-ip 127.0.0.1 --listen-ip ::1
Greetz,
Louis
> -Original message-
> From: v...@cfcl.com [mailto:owner-postfix-us...@postfix.org] On behalf of Vicki
> Brown
> Sent: Wednesday 18 November 2015 9:13
> To: Postfix users
> Subject: Suggestions for more
> -Original message-
> From: pa...@matos-sorge.com [mailto:owner-postfix-us...@postfix.org] On behalf of
> Paulo Matos
> Sent: Monday 16 November 2015 21:14
> To: L.P.H. van Belle; postfix users
> Subject: Re: Disable spooling
>
>
>
> On 09/11/15 16:43, L.P.H. van Belle wrote:
Read : http://www.sorbs.net/faq/rfc_helo_enforcement.shtml
It also contains the links to the RFCs
Greetz,
Louis
From: zalezny.niezale...@gmail.com [mailto:owner-postfix-us...@postfix.org]
On behalf of Zalezny Niezalezny
Sent: Tuesday 10 November 2015 13:30
To: Postfix users
> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Monday 9 November 2015 16:05
> To: postfix-users@postfix.org
> Subject: Re: Disable spooling
>
> On 11/9/2015 3:46 AM, Paulo Matos wrote:
> > Hi,
> >
> >
> Hai Alex,
>
> I use the same as in the link you posted.
> http://rob0.nodns4.us/postscreen.html
> This is used for my base setup also.
>
> Just put all your servers (rbls) in here and copy the response lines, Like
> :
> /^zen\.spamhaus\.org$/blocked by rbl, see
> http://multirb
I just point everything to http://multirbl.valli.org so they can see if they
are listed on multiple rbl servers.
And imo that's better than mailing, getting rejected, by for example spamhaus.
Going to that site, checking, removing.
Mailing again, and now again blocked, other rbl server etc.
This example should wil not relay over outlook.com without the correct
outlook.com settings in the dns.
Based on : from= to= proto=ESMTP
@mygnus.com is missing the ms= and spf settings in the dns
Greetz,
Louis
> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-
Hai,
I'm thinking, why not put them together
I run a setup like this
https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484
which uses postscreen spamassassin clamav and this works very well for me.
And the load is not too much, but depends on the amount of emails your
pro
> set postfix server to check for rfc compliance and you see a spam drop of
> at least 90% and
> setup postscreen with it.. 98% less spam
> and in above just check for the helo compliance and not hostname checks, that
> will drop too many ok servers..
>
> greetz
>
> Louis
>
sorry, a correction on the previous.
This is wrong :
>add in main.cf : in smtpd_client_restrictions, just after
>permit_mynetworks:
>
>smtpd_discard_ehlo_keyword_address_maps =
>cidr:/etc/postfix/smtpd_discard_ehlo_keywords_address.cidr
>
just add
smtpd_discard_ehlo_keyword_address_maps =
>-Original message-
>From: al...@domblogger.net
>[mailto:owner-postfix-us...@postfix.org] On behalf of Alice Wonder
>Sent: Wednesday 19 August 2015 12:42
>To: postfix-users@postfix.org
>Subject: Re: TLS cert - bug in documentation or bug in my
>understanding ??
>
>
>
>On 08/19/201
Hai,
Try it like this, there is no need for combining the certificates.
# TLS parameters
smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
smtp_tls_key_file = /etc/ssl/private/certificate.key
smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
smtpd_tls_key_file = /etc/ssl/private/certifica
>>> Okay, I assume then that this should be the only PTR record:
>>>
>>> 4.3.2.1.in-addr.arpa. IN PTR B.tld.
>>
>> Yes. Provided of course B.tld is The One True Hostname for
>your server.
>
>It is!
No, imo, it is not.. and this setup can be better I think.
read on..
A hostname is not a domain
Hai,
... it's all about correct DNS settings, so don't say that does not matter..
Best is you read :
rfc2821 section-3.6 and 4.1.1.1 ( and 10.3 thank you Michael good read, I
forgot that one.. )
rfc5321 section 2.3.5
in short..
make sure your hostname has an A or record and PTR record.
for the policy-spf, check this one.
https://bananasfk.wordpress.com/2015/06/05/policyd-spf-in-debian-8-fix/
Greetz,
Louis
>-Original message-
>From: robert.sen...@lists.microscopium.de
>[mailto:owner-postfix-us...@postfix.org] On behalf of Robert Senger
>Sent: Tuesday 18 august
I don't know if it's an option, but I suggest having a look here :
multiple packages for postfix on centos 6
http://pkgs.org/search/postfix?type=name
or
https://solusipse.net/blog/posts/compiling-postfix-with-postgresql-support-on-centos-7/
Not for the postgresql, but just for the upgrade of post
Hai,
As far as I know, no.
Unless you are forcing all clients to use SSLv2 only (since that doesn't
support renegotiation).
Are you sure you want to disable it and not just prevent old clients from
using the vulnerable renegotiation methods? If it's the last
you'll need to upgrade to 2.8+ to
Finally I did find the problem.
In the end I did add the ldap ldap://etc/postfix/zarafa-ads-*-aliases.cf in
the aliases_map
and all the redirects in the virtual_alias_maps
and now I did some testing with an e-mail address, .. which did not have any
typos in the email address in ldap.
that was
Hai,
I'm new to the list, so tell me if I'm doing something wrong..
in advance, .. sorry for my English, and sorry for the long explanation..
better too much than too little imo.
I'm having the following setup.
Debian Jessie 8.1 with packages, running a zarafa mail server samba 4 AD
domain,
76 matches