Christian Seberino via Postfix-users wrote:
> postscreen_dnsbl_threshold = 2
> postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1
> b.barracudacentral.org*1
>
> Is there a "minimal" setting for these two variables that will
> give *some* protection without blocking friendly sites by a
Michael Grimm via Postfix-users wrote:
> Tomasz Pala via Postfix-users wrote:
>
> [Spamhaus DQS]
>
>> Did you switch? How long is "mykey"?
>
> Mine has 27 characters.
Me bad, make that 26 chars.
Regards,
Michael
Tomasz Pala via Postfix-users wrote:
[Spamhaus DQS]
> Did you switch? How long is "mykey"?
Mine has 27 characters.
Don't know if they all have the same size, though.
Regards,
Michael
___
Postfix-users mailing list -- postfix-users@postfix.org
To uns
Michael Grimm wrote:
> [see Viktor's link: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html]
> <http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html%5D>
correction: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Rega
Gerd Hoerst via Postfix-users wrote:
> I checked my cert and it related to R10, but I will also publish the rest
> regarding your advice
I do recommend investigating '3 1 1' records, instead.
"Hence, my best advice is to not play Let's Encrypt whack-a-mole, and use "3 1
1" records with st
Viktor Dukhovni via Postfix-users wrote:
> On Thu, Jun 20, 2024 at 02:33:08PM +0200, Michael Grimm via Postfix-users
> wrote:
>>> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
>>
>> Please correct me if I am mistaken, but that won't catch sc
Wietse Venema via Postfix-users wrote:
> Paul Schmehl via Postfix-users:
>> This is what I could match on: X-Spam-Status: Yes, score=2.1
>>
>> If the score was higher than some number (e.g. >4) then reject the mail.
>
> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
Please cor
Wietse Venema via Postfix-users wrote
> Michael Grimm via Postfix-users:
>> Very recently I re-enabled IPv6 on my servers, and removed my
>> 'inet_protocols=ipv4' from main.cf and did *not* add 'inet_protocols=all'
>> because I checked for the defa
Hi,
I am running postfix 3.8.4 on FreeBSD 14.0-STABLE and recompile postfix (and
all my other ports) on a regular basis (by poudriere).
Very recently I re-enabled IPv6 on my servers, and removed my
'inet_protocols=ipv4' from main.cf and did *not* add 'inet_protocols=all'
because I checked for
Viktor Dukhovni via Postfix-users wrote:
>
> On Mon, Jan 08, 2024 at 07:36:37PM +0100, Michael Grimm via Postfix-users
> wrote:
>> But will that work, once a mail has been deferred and is sitting in the
>> queue already?
>> Meaning, if a 'postqueue -f
Viktor Dukhovni via Postfix-users wrote:
> On Mon, Jan 08, 2024 at 04:02:48PM +0100, Michael Grimm via Postfix-users
> wrote:
>> Sometimes outgoing mail is deferred due to "reputational issues" at
>> the receiving side. These "reputational issues" mostly
Wietse Venema via Postfix-users wrote:
> Michael Grimm via Postfix-users:
>>> Postfix has a "rule based language" for receiving mail, but there
>>> is no such thing for outbound deliveries.
>>
>> I am only curious of how much functionality would be
Wietse Venema via Postfix-users wrote:
> Michael Grimm via Postfix-users:
>> Sometimes outgoing mail is deferred due to "reputational issues"
>> at the receiving side. These "reputational issues" mostly concerned
>> my IP6 addresses, thus I removed IP6
[FreeBSD 14-STABLE, postfix 3.8.4, dovecot 2.3.21, rspamd 3.7.5]
Hi
Sometimes outgoing mail is deferred due to "reputational issues" at the
receiving side. These "reputational issues" mostly concerned my IP6 addresses,
thus I removed IP6 mailing completely. But now, I do want to give it a try,
Wietse Venema via Postfix-users wrote:
> As a few on this list may recall, it is 25 years ago today that the
> "IBM secure mailer" had its public beta release.
[…]
> That was a long time ago. Postfix has evolved as the Internet has
> changed. I am continuing the overhaul of this software, motiv
Sebastian Wiesinger via Postfix-users wrote
> Thanks Peter but I will never ever, as long as I live, use anything
> connected to UCEProtect.
+1
Regards,
Michael
Kolusion K via Postfix-users wrote:
> So I have a bizarre problem. I can't send e-mail to some servers but I can to
> others. The e-mail that doesn't get sent is due to the connection timing out
> to the remote server.
>
> Another strange problem is that some people can e-mail me while others
Kolusion K via Postfix-users wrote:
> When I open a raw socket to the remote server on port 25 using telnet, I am
> able to connect and see the server announce itself […]
Then, do continue to provide all essential *FURTHER* commands via telnet and
see and report what happens.
Michael
Patrick Ben Koetter via Postfix-users wrote:
> * Michael Grimm via Postfix-users :
>> toganm--- via Postfix-users wrote:
>>
>>> Maybe it would have been a better idea to check if the mail server is listed
>>> in any rbl sites.
>>
>> If you real
toganm--- via Postfix-users wrote:
> Maybe it would have been a better idea to check if the mail server is listed
> in any rbl sites.
If you really were in mailing business for some time you would know how RBLs
work: They react, they do not read crystal balls!
Regards,
Michael
Wietse Venema wrote
>> | lmtp_line_length_limit (default: 990)
>>
>> Is this a typo?
>
> No. With Postfix 2.9 the 990 was replaced with 998, but the text for
> lmtp_line_length_limit documentation wasn't updated.
Thanks for clarification,
Michael
Hi,
I recently found some of the following messages in my logfiles, all triggered
by the very same sender:
| Dec 16 22:05:13 mmw.lan postfix/lmtp[46725]: 4MdkqX6PKszHgv:
breaking line > 998 bytes with SPACE
Ok, after some evaluations, I understood why. From my side, nothing to concern.
Thes
Wietse Venema wrote:
> Wietse Venema:
>> This is a site-specific problem. I ran "openssl s_client" and
>> "posttls-finger -w" against one of the affected servers, and reliably
>> crashed their postscreen daemon. I've been doing similar tests
>> against my own servers without any problems.
>
> Th
John Fawcett wrote:
> On 20/04/2022 22:20, Michael Grimm wrote:
>> this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD
>> 13.1-STABLE.
>
> is this problem happening on one of the RC versions of FreeBSD 13.1?
>
> On the FreeBSD site at the moment,
Wietse Venema wrote:
> Michael Grimm:
>> FTR: I am using poudriere for the compilation of every FreeBSD
>> port, and I do upgrade 13.1-STABLE on a (bi)weekly basis. So, all
>> postfix binaries considered in this thread have been recompiled
>> numerous times
>
Matus UHLAR - fantomas wrote:
>
> On 24.04.22 14:35, Wietse Venema wrote:
>> Looks good, I see nothing concerning here or in the FreeBSD patches
>> for the postfix ports.
>
> while talking about FreeBSD, I'd consider recompiling required software
> you never know when binary compatibility it br
Michael Grimm wrote:
> Wietse Venema wrote:
>> I can use some additional information, off-list email preferred.
Well I screwed it ;-)
Regards,
Michael
Wietse Venema wrote:
> I can use some additional information, off-list email preferred.
Ok the following configuration is identical at both servers (besides hostname).
> Complete output from:
>
>postconf -n
autoresponder_destination_recipient_limit = 1
command_directory = /usr/local/sbin
Wietse Venema wrote:
> Michael Grimm:
>> I do have to admit that I haven't been using tcpdump a lot. I found 35
>> distinct IP addresses that do trigger 'signal 11'. I am currently running
>> tcpdump on both servers with those addresses. AND: I did remove
Michael Grimm wrote
> [had to remove one of two attachments due to 'Message too long' issue]
And here is the previously omitted attachment.
HTH and regards,
Michael
zMX1.txt.bz2
Description: BZip2 compressed data
Viktor Dukhovni wrote:
> On Sat, Apr 23, 2022 at 10:28:37PM -0400, Wietse Venema wrote:
>> It would be invaluable to have a recording of a complete session
>> with that system. Something like:
>>
>>tcpdump -i name-of-interface is 2000 -w /file/name host 1.2.3.4
>
> I think Wietse meant "-s
Viktor Dukhovni wrote:
> On Sun, Apr 24, 2022 at 01:19:49PM +0200, Michael Grimm wrote:
>> Mar 25 03:43:17 mx2.lan postfix/postscreen[5463]: CONNECT from
>> [89.248.165.24]:61384 to [10.1.1.1]:25
>> Mar 25 03:43:17 mx2.lan postfix/postscreen[5463]: PREGREET 47
>>
[had to remove one of two attachments due to 'Message too long' issue]
Wietse Venema wrote:
> Michael Grimm:
>> Wietse Venema wrote
>>> What is the output from:
>>> postconf smtputf8_enable
>> Today it is: smtputf8_enable = no
> This is in main.cf. When was this changed? The c
Wietse Venema wrote:
> Michael Grimm:
>> Apr 23 12:07:45 mail.lan postfix/postscreen[61983]: PREGREET 159
>> after 0.03 from [1.2.3.4]:58878:
>> \026\003\001\000\232\001\000\000\226\003\0030An';\265\235\335\250\344N,%\233Y\305\226\030tMb\024\b\3
>> Apr 23 12:09
Wietse Venema wrote
> Did you have NON-SMTP command events for the cases that had signal 11
> errors? If so, can we have more complete logs for ONE such case?
No, I haven't. I can find those entries a lot, but not in conjunction with
signal 11.
Sorry for the noise.
> What is the output from:
>
Wietse Venema wrote:
> Michael Grimm:
>> Wietse Venema wrote:
>>> Would these commands make a difference (for Postfix 3.7 or 3.8):
>>>
>>> postconf -P smtp/inet/smtputf8_enable=no
>>> postfix reload
>>
>> Done. Please give me 24/48 hou
Wietse Venema wrote
> Would these commands make a difference (for Postfix 3.7 or 3.8):
>
> postconf -P smtp/inet/smtputf8_enable=no
> postfix reload
Done. Please give me 24/48 hours to respond, because these events are not that
often ...
Thanks and with kind regards,
Michael
Wietse Venema wrote:
> Michael Grimm:
>> Wietse Venema wrote:
>>> Viktor Dukhovni:
>>>> That looks like a TLS client HELLO. Perhaps the client is misconfigured
>>>> and using
>>>> wrapper mode on port 25 instead of 465...
>>>
Viktor Dukhovni wrote:
> On Wed, Apr 20, 2022 at 08:26:16PM -0400, Viktor Dukhovni wrote:
>>> this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD
>>> 13.1-STABLE.
>>
>> You could install the "postfix" rather than "postfix-current" port.
>> I have:
>>
>>-rw-r--r-- 1 root
Wietse Venema wrote:
> Viktor Dukhovni:
>> That looks like a TLS client HELLO. Perhaps the client is misconfigured and
>> using
>> wrapper mode on port 25 instead of 465...
>
> It should not matter. postscreen is designed to handle random garbage.
>
> If you could test with Postfix 3.6 then
Wietse Venema wrote:
> Michael Grimm:
>> this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD
>> 13.1-STABLE.
>>
>> I do find comparable entries in my logfiles that I do not understand,
>> honestly, like:
>
> The text from the remote c
Hi,
this is postfix 3.8-20220325 (FreeBSD port postfix-current) on FreeBSD
13.1-STABLE.
I do find comparable entries in my logfiles that I do not understand, honestly,
like:
Apr 20 06:36:23 mail.lan postfix/postscreen[74803]: CONNECT from
[1.2.3.4]:45534 to [10.1.1.1]:25
Apr 20 06:36:23 mai
Dan Mahoney wrote
>> Here's an SMTP DANE validator that I use when I make changes to my server.
>> https://dane.sys4.de/
>>
>> I'm not sure if it is just what you're looking for, though.
>
> No, I am looking for a server to which I can send mail to make sure DANE is
> being looked up and used
On 21. Aug 2021, at 01:57, Viktor Dukhovni wrote:
>> On 20 Aug 2021, at 4:59 pm, Michael Grimm wrote:
>> All of my domains are signed by KSK(13) and ZSK(13) and I do still rotate my
>> ZSK's every 90 days after my migration from DSA keys. If I do understand you
>>
Viktor Dukhovni wrote:
> With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive
> to rotate keys frequently (~90 days) is substantially lower, as the keys
> are strong enough to resist cryptographic attacks for years. The only
> practical risk is key disclosure.
Thanks for that
Wietse Venema wrote:
> Michael Grimm:
>> On 1. Apr 2021, at 14:45, Viktor Dukhovni wrote:
>>>> On Apr 1, 2021, at 8:40 AM, Michael Grimm wrote:
>>>> Is inet_protocols 'order sensitive'?
>>>
>>> No.
> You can specit
On 1. Apr 2021, at 14:45, Viktor Dukhovni wrote:
>> On Apr 1, 2021, at 8:40 AM, Michael Grimm wrote:
>> Is inet_protocols 'order sensitive'?
>
> No.
[..]
> No. See: http://www.postfix.org/postconf.5.html#smtp_balance_inet_protocols
Thanks for your clarification and regards,
Michael
Hi,
is inet_protocols 'order sensitive'?
What I mean is, does postfix follow the order of the following settings:
inet_protocols = ipv4, ipv6
inet_protocols = ipv6, ipv4
Would the latter definition tell postfix to try ipv6 first and ipv4 second?
Thanks and regards,
Michael
Wietse Venema wrote:
> Michael Grimm:
>> /usr/local/sbin/postconf: warning: /usr/local/etc/postfix/main.cf:
>> unused parameter: respectful_logging=no
>
> I tested the code with the name cut-and-pasted and did not notice
> that the name had a typo.
>
> postf
[Sorry Wietse, this mail should have gone to the ML instead to your personal
mail address]
Wietse Venema wrote:
> The following is from the postfix-3.6-20210221 release notes.
I did upgrade to this version today.
> To keep logging the old form, make the setting "respectful_logging =
> no" per
A. Schulze wrote
> Am 30.12.2017 um 22:55 schrieb Michael Grimm:
>> After reading http://www.postfix.org/MILTER_README.html there are some
>> questions unanswered to me.
> also read the milter documentation part of the opensource sendmail for
> example at
> https:/
Hi
After reading http://www.postfix.org/MILTER_README.html there are some
questions unanswered to me.
Let's assume one does define:
smtpd_milters = milter1, milter2, …, milterX
README:
"Milter applications are applied in the order as specified, and the
first Milter application
Jesper Dybdal wrote:
> every Postfix upgrade I've done has been a trouble-free success.
ACK.
I started to use postfix 10 years ago without having troubles during an
update/upgrade to a newer version, ever.
Congratulations and thanks for that wonderful piece of software!
With kind regards,
M
Noel Jones wrote:
> On 11/28/2015 3:16 PM, Michael Grimm wrote:
>> Viktor Dukhovni wrote:
>>> On Fri, Nov 27, 2015 at 09:26:20PM -0500, David Mehler wrote:
>>>> In particular can I eliminate the rbl checks in
>>>> smtpd_recipient_restrictions since
Viktor Dukhovni wrote:
> On Fri, Nov 27, 2015 at 09:26:20PM -0500, David Mehler wrote:
>
>> In particular can I eliminate the rbl checks in
>> smtpd_recipient_restrictions since they're going in the postscreen
>> setup?
>
> Keep both.
Please ignore my ignorance, but: why would one keep both?
On 19.08.2015, at 21:40, Viktor Dukhovni wrote:
> I've figured out what's going on. LibreSSL 2.2.2 appears to have
> disabled support for the SSLv2-compatible client HELLO. Servers
> that have not disabled SSLv2 are unable to complete an SSLv2-compatible
> TLS handshake with LibreSSL 2.2.2. Co
On 19.08.2015, at 20:21, Michael Grimm wrote:
> I will revert to OpenSSL my primary mx, first.
Done.
BTW: LibreSSL 2.2.2 broke unbound 1.5.4 as well.
> Then I will come back to this issue and provide you with tcpdump debugging
> info.
Now, my secondary is postfix/LibreSSL, only.
On 19.08.2015, at 20:02, Viktor Dukhovni wrote:
> On Wed, Aug 19, 2015 at 07:49:42PM +0200, Michael Grimm wrote:
>> One of the servers in question is one of the servers sending mail for this
>> ML:
>>
>> Aug 19 19:08:29 mail postfix/smtpd[94303]: connect from
On 19.08.2015, at 18:58, Viktor Dukhovni wrote:
>
> On Wed, Aug 19, 2015 at 06:30:43PM +0200, Michael Grimm wrote:
>> This is postfix 3.0.2 and FreeBSD-10.2/STABLE. I switched from OpenSSL to
>> LibreSSL some months ago.
>
> LibreSSL is not tested with Postfix, and so
Hi —
This is postfix 3.0.2 and FreeBSD-10.2/STABLE. I switched from OpenSSL to
LibreSSL some months ago.
My relevant SSL/TLS settings for receiving mail didn't change ever since that
time (postconf -n | grep tls | grep smtpd)
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
On 19.10.2014, at 22:09, Wietse Venema wrote:
> Michael Grimm:
>> Just out of curiosity: Do you have any particular reason for omitting
>> FREEBSD10 in makedefs and src/util/sys_defs.h?
>
> It will be included once it is fully supported: using the cc command,
> usi
On 14.10.2014, at 01:46, Wietse Venema wrote:
> You can find the Postfix source code at the mirrors listed at
> http://www.postfix.org/.
I can confirm that postfix 2.11.x runs perfectly well at FreeBSD10.
Just out of curiosity: Do you have any particular reason for omitting FREEBSD10
in makede
On 24.09.2014, at 15:06, Nikolaos Milas wrote:
> We already have two production mail servers, vmail1 and vmail2, running
> postfix/dovecot (with virtual users on LDAP), each running on a separate data
> center.
Same here, called mx1 and mx2.
> vmail1 is the main one (i.e. the one used to send
Hi --
FYI: postfix 2.10.2 runs perfectly well at FreeBSD 10.0-PRERELEASE
Sure, I needed to add "FREEBSD10" in makedefs and util/sys_defs.h to get
compilation going:
| make -f Makefile.init makefiles DEBUG= CC='clang -Wno-comment' OPT='-O2 -pipe
-fno-strict-aliasing' \
| CCARGS='-DDEF_CONFIG_DI
On 16.08.2013, at 08:50, Titanus Eramius wrote:
[DNS]
> I tend to simply use "v=spf1 mx -all" since my setup is simple, but you
> can see the entire syntax here http://www.openspf.org/SPF_Record_Syntax
Hmm, I used to have just that configuration in my DNS for more than a year,
but very recently
That's not what I meant. Perhaps the question was too basic even for low-tech ;-)
When a user uses his email client, what address does he need to enter
to send something to the list?
I thought that /etc/aliases is for local delivery only.
Michael
> To update the list from a mail client, use a m
I like that approach.
How do I then address the list from my email client? foo...@smtp.network.local?
Kind regards
Michael
2010/12/13 Wietse Venema :
> Michael Grimm:
>> Is there maybe an even more simple approach to this using standard
>> postfix functionality?
>> The d
Is there maybe an even more simple approach to this using standard
postfix functionality?
The distribution lists are very static and do not require adjustments
very often.
Kind regards
Michael
Thanks for the advice.
I have downloaded, compiled and installed wimp, but I don't understand
how to integrate it into my postfix installation.
I have found this in the documentation but feel a little bit left
alone after trying to understand it.
Postfix apparently supports a similar mechanism to
Dear all,
I want to do the following with postfix:
A user sends an email to an internal postfix server (smtp.network.local)
The E-Mail is addressed to lis...@externaldomain.org
Postfix now needs to forward the E-Mail to a predefined list of
external email accounts depending whether it is list01 or