On 9/5/2024 12:45 PM, Noel Jones via Postfix-users wrote:
On 9/5/2024 9:05 AM, Thomas Cameron via Postfix-users wrote:
smtpd_recipient_restrictions =
check_sender_access regexp:/etc/postfix/sender_access
permit_mynetworks
permit_auth_destination
Note permit_auth_destination
file looks like this:
It's totally reasonable to reject whole TLDs that you don't expect
to get legit mail from. Same with check_client_access and whole
network blocks. Especially if you're prepared to make exceptions.
-- Noel Jones
. You can mark the mail and deliver it, or send it to
a quarantine.
I know it can seem very satisfying to discard mail, but DISCARD
should be reserved for very narrow use cases, such as a former lover
or a very persistent spammer.
-- Noel Jones
;
> $config['smtp_user'] = '%u';
> $config['smtp_pass'] = '%p';
>
When sending to port 465 with wrapper mode, you need to use
ssl://mail.stovebolt.com:465
ie. ssl: instead of tls:
— Noel Jones
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
a non-fatal
error and keep retrying until their queue expires, possibly hundreds
of times over several days. In that case a regular old access table,
maybe with smtpd_delay_reject=no, would be a better choice.
-- Noel Jones
On 6/11/2024 4:05 AM, Gilgongo via Postfix-users wrote:
On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users
<postfix-users@postfix.org> wrote:
You should remove permit_mx_backup.
This feature is intended for ISP-scale users that may not have a
complete l
_backup.
This feature is intended for ISP-scale users that may not have a
complete list of domains that use their server as a backup MX. In
this case, permit_mx_backup_networks would define the ISP's customer
network space.
-- Noel Jones
're trying to use.
But really we're still just guessing because you have still not
adequately described what you're doing, what you've changed, what
the error is, and where the error occurs.
If you're tired of guesses from random list members who are trying
to help, please
On 3/27/2024 11:51 AM, Noel Jones via Postfix-users wrote:
On 3/27/2024 11:25 AM, Samuel Goodies via Postfix-users wrote:
Hi guys. I'm inheriting a job that has an email server hosting
several domains, and I'm wanting to move them behind our firewall
and route mail from the main mail
use everyone else was even
worse equipped to handle it than me. A step by step would surely be
appreciated.
Start with
http://www.postfix.org/documentation.html
Many of the how-to sites you find on the internet are wrong in small
or large ways.
-- Noel Jones
IPv4 addresses
{!10.0.0.0/8 silent-discard,dsn}
Seems to me 172. and 192. would match the above line.
Does cidr support DUNNO?
-- Noel Jones
{!172.16.0.0/12 silent-discard,dsn}
{!192.168.0.0/16 silent-discard,dsn}
{endif
unauthorized mail, before it gets to postfix.
The usual cause is a compromised web server or abused web forms.
Fix the right problem.
-- Noel Jones
eject wanted mail.
Of course, YMMV...
-- Noel Jones
nd.protection.outlook.com'
hash:/etc/postfix/sender_checks
(does not match)
postmap -q 'outbound.protection.outlook.com'
hash:/etc/postfix/sender_checks
OK #(matches)
As documented, postmap is a simple test tool and does not do any
automatic parent or
; and "postconf -Mf", and samples
of what postfix logs when mail is received.
-- Noel Jones
oblem.
Alternately, you can control it all yourself -- use canonical_maps
to map users to the correct outgoing domain, then use
virtual_alias_maps to map incoming mail back to the original user.
-- Noel Jones
On 12/19/2023 12:34 PM, Richard Raether via Postfix-users wrote:
In addition, the boss
sible for postfix to do the mapping using canonical_maps,
but the first choice should be configuring the user's mail client.
If this isn't working as expected, please send logging demonstrating
the problem, and your "postconf -Mf".
-- Noel Jones
milestone!
Your kind and respectful attitude towards all the list members sets
the tone for this list, making it a great resource for both newbies
and experts. I think this list is one of the best features of postfix.
Looking forward to many more years! Thanks!
--
ke:
127.0.0.1:10025 inet n - n - - smtpd
-o smtpd_milters=
-o syslog_name=postfix/10025
add other parameters, such as overrides for the various
smtpd_*_restrictions, as necessary for your situation.
-- Noel Jones
override any existing
content_filter setting.
http://www.postfix.org/access.5.html
Also some content filters, such as amavisd-new, can alter their
behavior based on the sender domain or other criteria. This might be
easier to maintain than multiple filters.
-- Noel Jones
these limits are intended to limit attacks and not to regulate
legit traffic, as any host slowed by these limits will likely see
significant delays. But maybe that's what you need.
-- Noel Jones
#soft_bounce
-- Noel Jones
gs overrides in master.cf and must have the
check_sender_access somewhere in that path.
-- Noel Jones
p://www.postfix.org/SASL_README.html
http://www.postfix.org/TLS_README.html
-- Noel Jones
ghost connections won't stress
postfix or interfere with other mail. The biggest annoyance is
junking up the logs.
-- Noel Jones
l controls ...
-- Noel Jones
'll need a milter for that. Maybe look at milter-regex.
-- Noel Jones
ou can still see where it came from.
chris@localhost user@somewhere
-- Noel Jones
get around this;
body_checks are evaluated one line at a time, not on the whole message.
You could probably use a milter, or a policy_service that rejects
based on size. Set the main.cf size value to something big, and
reject after the client sends all the data. This is inefficient, but
wou
is is the wrong solution. With this setting, postfix will accept mail to any
user address, and you will eventually have a queue full of undeliverable
bounces, plus get listed as a backscatter source.
The correct solution is to give postfix a list of all valid users. The easiest
way to do that is have all users be system users.
— Noel Jones
), not Postfix. You need to run whatever
system utility FreeBSD uses to switch the default mailer. Note the
mail already is addressed to @mail.citytel.net, so that's happening
before postfix ever sees the mail.
-- Noel Jones
rule
rejecting all mail containing "2024", is just a land mine waiting to
disrupt mail in the future.
Leave date checking to mail parsers that are made for that job, or
find some other feature of the message to block on.
-- Noel Jones
dn’t. A tcp
capture will show what’s actually being sent.
— Noel Jones
subdomain is a reliable
spam indicator. Zero false positives is a much better goal than zero
spam.
-- Noel Jones
h a check_helo_access map.
-- Noel Jones
same spam
controls and valid recipient lists, and an excuse to get rid of
largely unnecessary secondary MX servers.
Note that reject_unknown_client_hostname is a very strict test that
is likely to reject legit mail. Consider using
reject_unknown_reverse_client_hostname instead.
--
hy rely entirely
on your spam filter (or unknown mitigations) when a common feature
such as authentication will do the job? Why the risk?
This is a local spam problem.
Report abuse to your provider. If the provider is unwilling or
unable to fix the abuse, find another provider
still don't see a problem. If someone has found a way to abuse
this, then the abuse should be reported to the provider.
-- Noel Jones
st providers require authentication to send any mail, but I
don't see where this is a problem.
-- Noel Jones
sender
just above the final reject to minimally check for an existing
sender address.
http://www.postfix.org/postconf.5.html#reject_unlisted_sender
http://www.postfix.org/postconf.5.html#reject_unverified_sender
-- Noel Jones
t; message.
One common error is hidden non-text characters in the config file, I
don't know if that's what you're seeing or not.
-- Noel Jones
terminated with signal 11,
restarting
The problem is your opendmarc is crashing. I'm afraid I don't have
any insight into why.
-- Noel Jones
post to see who replied.
Any workarounds in Thunderbird to override this behavior?
In thunderbird, I'm using the "Correspondents" column instead of
"From" and it works for me.
-- Noel Jones
ol
panel by setting google to not handle your mail.
Anyway, this isn't a postfix problem. Rather, a google apps config
problem.
-- Noel Jones
e for more details and other examples.
http://www.postfix.org/postsuper.1.html
-- Noel Jones
try regex: instead of pcre:
postconf -m will show supported map types.
-- Noel Jones
that.
The postfix queue file format is (intentionally) not documented, and
dropping files directly into a queue directory is not supported.
-- Noel Jones
?
>
> Would you please advise?
>
> --
> Janos Dohanics
The goal is to have a matching PTR and A record. If you are able to have an A
record of customer.com pointing to only that IP address, then you can use it as
is.
If the customer has multiple IPs, particularly if they have a web server on a
different IP, then you’ll need to get this corrected.
— Noel Jones
SCARD will still log the action. There is no option to REJECT
or DISCARD without logging.
Some log systems have the ability to ignore certain entries, or you
can use grep etc. to preprocess a log file before analysis. That's
outside the scope of postfix.
-- Noel Jones
sage to be rejected, it can be rejected once
anywhere in the chain.
So even if a client is allowed in postscreen, it can still be
rejected by a later test.
You'll need to list the IP in postscreen, then also list the IP in a
check_client_access map before your policy services.
-- Noel Jones
that SPF check
altogether so it doesn't continue to reject this mail? How can I
otherwise permit the 209.177.165.0/24 network?
Yes, using either a postfix check_sender_access table with
generalatlantic.com or a check_client_access cidr: table with that
IP address range would bypass both policy services completely.
-- Noel Jones
will be included in the scheduled November update.
-- Noel Jones
the
queue run parameters.
-- Noel Jones
ng is altered/sanitized for safety.
I can tell that I'm beating a dead horse now and will just let this
issue go. Bug or not, it is clear that it is not going to change.
Thank you everyone for the replies.
There is nothing to change, except possibly documenting this
behavior better.
-- Noel Jones
' at the line break.
Unprintable characters are replaced with "?"
-- Noel Jones
need to be adjusted.
-- Noel Jones
On 8/24/2022 11:03 AM, Ivars Strazdiņš wrote:
Hi Julio,
I tested and it did not work for local users, access is denied
(sending not possible) only for external ones.
Mail is sent to l...@domain.com regardless if local sender address
is in the insiders
STARTTLS and send mail encrypted.
If you need further help, share your "postconf -nf" and "postconf
-Mf" and the actual log lines of both successful delivery and what
happens after you add the -o smtp_tls_wrappermode=yes
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
add something like
check_client_access inline:{192.0.2.1=permit_auth_destination}
using the IP of the offending client
For more complete examples and how to integrate this in your setup,
share your "postconf -nf" and the actual log entry.
-- Noel Jones
is there a better way of doing this check and
reject those mails with the certain +whatever part
Thanks
To reject the recipient, use a check_recipient_access table.
-- Noel Jones
I think you configure unbound with another forward-zone: name:
“zen.spamhaus.org” and then don’t list any forwarding addresses. That should
turn off forwarding for that zone.
A forum for your OS or for unbound will probably give an authoritative answer
— Noel Jones
> On Mar 4, 2022, a
possible some of their
back-end servers are blocked and some aren't, which will give you
unpredictable results.
To fix, ensure you either use a local DNS nameserver installed on
your computer, such as unbound, or sign up for the free (for low
volume) Spamhaus Data Query Service
-- Noel Jones
> On Feb 18, 2022, at 7:02 AM, P.V.Anthony wrote:
> I am reporting back to say it works well.
>
> One more question. In the maps file is it possible to use a hostname instead
> of an ip address?
>
> P.V.Anthony
>
>
No. The docs say the table is not searched by hostname
— Noel Jones
answer, but should be close enough. This
subject has been discussed in the archives several times, but might
be hard to track down.
-- Noel Jones
216.109.104.12 starttls
-- Noel Jones
he queue, right. I
still need to modify main.cf to redirect the messages to get deferred.
To put everything on hold, insert check_client_access static:hold in
one of your restrictions. Something like:
smtpd_client_restrictions =
check_client_access static:hold
... stuff you have already ...
-- Noel Jones
1944 i1si9676536ybt.537 - gsmtp)
Feb 10 19:39:04 postfix postfix/qmgr[13849]: 7D1D0E0E6F: removed
What am I missing?
To test your existing filter, submit mail via SMTP on port 25. If
you intend to filter mail submitted via the command line sendmail,
you will need an Advanced Content Filter or milter.
-- Noel Jones
l need to use a milter or content_filter for complex actions
based on multiple headers, such as milter_regex
-- Noel Jones
will cause postfix to trust all hosts in the
88.103.239.0-255 subnet, which may not be appropriate.
For more info on CIDR or "slash notation" you can start here:
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
-- Noel Jones
5.6.7.8,
work?
Yes, you can add a comment by itself and continue the line by
starting real data with a space.
mynetworks =
# local host
192.168.2.12
# accounting
10.10.1.0/24
# production
10.1.0.0/16
-- Noel Jones
arco
You can do that with milter-regex or some other milter.
-- Noel Jones
attempts.
-- Noel Jones
y the
notes under the "backup" and "ttl" options.
-- Noel Jones
On 8/5/2021 12:56 PM, Gomes, Rich wrote:
Anywhere else to look?
The logs.
-- Noel Jones
ADME.html
If you need more help, please see:
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
d the anti-http stuff because of ALPACA or was it
already there?
R's,
John
I think 2004, so it's been there a while. Back then sometimes open
web proxies were used to send spam knowing the MTA would ignore the
invalid commands.
-- Noel Jones
starting from scratch.
-- Noel Jones
logs
http://www.postfix.org/DEBUG_README.html#mail
-- Noel Jones
On 7/20/2021 3:31 PM, post...@ptld.com wrote:
Also meaning if a client passed reject_unknown_client_hostname then
it would be procedurally pointless to check both reject_rhsbl_client
and reject_rhsbl_reverse_client, right?
It's ALWAYS pointless to check both.
-- Noel Jones
the PTR hostname lookup result, but it
considers it "unknown" until it's been verified with FCrDNS.
Or am i misunderstanding what "unverified reverse client hostname"
means?
Apparently yes.
Unverified PTR hostnames are easily forged, so postfix tries to warn
you (by the feature name) when you're using a potentially forged
hostname.
-- Noel Jones
ost.domain part - of an
email address. Since HELO is already a hostname and not an email
address, rhs of helo is nonsense.
-
-- Noel Jones
's supposed to go to gmail, either remove
mydomain from main.cf:mydestination, or add a transport_maps entry
as a hint.
-- Noel Jones
ement in-memory cache" is
a deal-breaker for me.
If most of the mail handled by postfix-A goes to postfix-B, updating
the transport table map might be a better solution.
-- Noel Jones
y local mail
to the remote B instance periodically.
Actually, my first thought is if the vpn is frequently down, then
*that's* the problem to fix. Or just keep all the mail on the
cloud-A and access IMAP over the internet.
-- Noel Jones
the valid recipients should be listed in
relay_recipient_maps, and the routing to the final destination is
defined in transport_maps.
-- Noel Jones
nal policy service could also do this.
http://www.postfix.org/SMTPD_POLICY_README.html
Usually postfwd is recommended as a good general-purpose policy
service, maybe there's another that would suit your needs better.
http://www.postfix.org/addon.html#policy
-- Noel Jones
rsion 3.5.6.
Thank you.
As the docs say, the brackets disable MX lookups, not DNS lookups.
Sounds like you should read
http://www.postfix.org/postconf.5.html#smtp_host_lookup
and probably use "dns, native"
-- Noel Jones
On 5/17/2021 6:27 PM, Benny Pedersen wrote:
On 2021-05-18 00:29, Noel Jones wrote:
127.0.0.1:submission inet n - n - - smtpd
[::1]:submission inet n - n - - smtpd
localhost:submission inet n - n - - smtpd
imho postfix will accept this as well, not tested
Yes, postfix will attempt to
n - n - - smtpd
[::1]:submission inet n - n - - smtpd
-- Noel Jones
On 5/12/2021 2:21 PM, Noel Jones wrote:
On 5/12/2021 2:11 PM, David Mehler wrote:
Hello,
Thanks. Here's my master.cf submission entry:
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
cated internet connections have to pass.
add something like
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-- Noel Jones
that
won't break your SPF check, it does make the error response
confusing. Maybe time to update your SPF service too.
-- Noel Jones
$smtpd_policy_maps
For reference, all postfix parameters, including deprecated ones,
are listed here:
http://www.postfix.org/postconf.5.html
-- Noel Jones
There is no such thing.
>
> When a Milter asks Postfix to add a header to the message, then
> Postfix runs that header through milter_header_checks before updating
> the queue file (or taking some other action as specified in the
> milter_header_checks result).
>
> Wietse
You could probably log added headers with a WARN action if that would be useful
to you.
/./ WARN
— Noel Jones
/^(.+)@backup\.example\.com$/ $1...@example.com
#transport
backup.example.com relay:mx.backup.example.com
-- Noel Jones
xymap.8.html
A step further would be to periodically dump your SQL data to a cdb
database. These scale to millions of records with very low latency
and low resource usage.
http://www.postfix.org/CDB_README.html
Or switch to LMDB.
http://www.postfix.org/LMDB_README.html
-- Noel Jones
subdomains on all levels.
Best
Marc
To control how many levels are matched you'll need a regex or pcre
table.
for matching one level, maybe:
/^[a-z0-9]+\.example\.com$/ transport:nexthop
-- Noel Jones
such as katie@localhost.local
-- Noel Jones
x.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/VIRTUAL_README.html
and several others.
-- Noel Jones
ns).
# virtual_alias
dom@business-domain dom.w@business-domain
-- Noel Jones
ith no/bad PTR hostname. This is mostly
safe since many major mail providers will either mark such mail as
spam or outright reject it.
If these aren't causing you any trouble, feel free to keep using them.
-- Noel Jones
1 - 100 of 4093 matches