[pfx] Re: DANE and STS

2024-07-03 Thread Matt Kinni via Postfix-users
On 2024-07-03 17:25, raf via Postfix-users wrote: > So it's not really easier to just use self-signed > certificates since you'll want a CA-signed certificate > for submission anyway, and you can have the same key > for both. Well I control what devices use the submission port, so I can also just

[pfx] Re: DANE and STS

2024-07-03 Thread Matt Kinni via Postfix-users
On 2024-06-27 05:24, Viktor Dukhovni via Postfix-users wrote: > Publishing just "R10" will soon fail, when you get a cert from "R11" or > one of the backup issuers R12, R13 or R14. You MUST publish them all to > avoid sudden breakage surprises. Isn't it easier to just use self-signed certificat

[pfx] Re: Best practices?

2024-06-19 Thread Matt Kinni via Postfix-users
On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote: > On 2024-06-16 15:21, Cody Millard via Postfix-users wrote: >> smtpd_helo_restrictions = >> ... >> reject_non_fqdn_helo_hostname, >> ... > I've found this to block some legitimat

[pfx] Re: Best practices?

2024-06-19 Thread Matt Kinni via Postfix-users
On 2024-06-16 15:21, Cody Millard via Postfix-users wrote: > smtpd_helo_restrictions = > ... > reject_non_fqdn_helo_hostname, > ... I've found this to block some legitimate mails in the past from Bank of America, so you may want to grep your logs for "Helo command rejected: Host not fo

[pfx] Re: What is best way for backup solution?

2023-03-29 Thread Matt Kinni via Postfix-users
Are you just talking about backing up the config files in /etc/postfix? I would recommend using git for version control; there is nothing special about backing up the postfix configs vis a vis any other service on your machine. It also wouldn’t hurt to take periodic snapshots of your VMs Sent f

dkim signing outbound MAILER-DAEMON messages - is it worth it?

2022-05-09 Thread Matt Kinni
I have opendkim configured via 'smtpd_milters' to sign all outbound mail, and my domain publishes a "quarantine" dmarc record to enforce the consequences of this. I recently discovered that MAILER-DAEMON messages generated by postfix itself bypass this setup and do /not/ get signed, which unfo

Re: Securing a local mail app that is unable to smtp auth

2022-03-15 Thread Matt Kinni
On 2022-03-14 03:42, Jaroslaw Rafa wrote: Looks like a job for identd. You have to set up identd on your server and make the Postfix service on port 2525 to ask identd about the userid of connecting process. If it's not setroubleshoot, you should reject the connection. That's an interesting ide

Re: Securing a local mail app that is unable to smtp auth

2022-03-15 Thread Matt Kinni
On 2022-03-14 07:34, Wietse Venema wrote: I see that the sender runs on the same machine as Postfix. Can the sender be configured to use /bin/mail, mailx, or /usr/sbin/sendmail instead of using SMTP? Submission through /usr/sbin/sendmail (and therefore /bin/mail and mailx) can be restricted with