DNS servers are returning DNSKEYs. Even if they
returned RRSIGs with their responses (which they don't), nobody could
validate them.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
~all" = at least two lookups
Multiple SPF records ?
Even with a crazy number of senders, you should be able to figure out a
way to limit yourself to only a couple of levels of indirection.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
On 2021-04-09 21:08:08 (+0800), Wietse Venema wrote:
Philip Paeps:
On mx1.freebsd.org, we have a configuration that (vastly simplified)
looks something like this:
virtual_maps = hash:/usr/local/etc/postfix/virtual
transport_maps = hash:/usr/local/etc/postfix/transport
We have freebsd.org
chieve the same with a check_recipient_access and
REJECT but I wonder why the transport option isn't working. (In the
specific example above, simply not including [elided] in virtual would
also work but the way our virtual is generated is ... intricate).
Thanks for any insights.
Philip
o the list, in any case, if you were wondering.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
iscussions.
Trying to force people to limit themselves to plain text is not a
productive use of anyone's time.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
On 2019-10-13 15:56:23 (-0700), Viktor Dukhovni wrote:
On Oct 13, 2019, at 6:48 PM, Philip Paeps wrote:
I'll see if I can find an appropriate Exim mailing list to post this
on.
That'd be exim-us...@exim.org it is a GNU Mailman list, so sign up on
the web if you like.
Or is the
On 2019-10-13 16:05:07 (-0700), Wietse Venema wrote:
Philip Paeps:
On 2019-10-13 13:29:27 (-0700), Wietse Venema wrote:
Philip Paeps:
I've started noticing messages like these in my logs and the logs
on mx1.FreeBSD.org in recent months:
Oct 13 00:58:21 rincewind postfix/postscreen[
On 2019-10-13 13:29:27 (-0700), Wietse Venema wrote:
Philip Paeps:
I've started noticing messages like these in my logs and the logs on
mx1.FreeBSD.org in recent months:
Oct 13 00:58:21 rincewind postfix/postscreen[76460]: COMMAND
PIPELINING from [46.101.147.153]:59818 after BDAT:
egitimate email deferred
(and timed out).
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
e to
measure except under extreme load.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
usion.
Yes ... it would be a lot easier if you simply subscribed to the mailing
list instead of using a web frontend.
After all, email is what you're trying to configure so a mailing list
seems like an appropriate interface?
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
lter and I've not had any difficulties with
it.
I used to run OpenDKIM but when I switched from SpamAssassin to rspamd,
I configured it to do DKIM signing too.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
clude your configuration.)
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
ibxo: http://juniper.github.io/libxo/libxo-manual.html
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
connections; just with some email servers, especially outlook.com, but
Microsoft answered us that they don't have problems related to our IP.
Whoever is running the middlebox may only be selectively interfering
with connections.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
STARTTLS be for unauthenticated mail and smtps or submission + STARTTLS
for authenticated mail.
Maybe the protocol just needs a fourth port. I'm sure the IETF
discussions would be entertaining.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2018-05-02 20:52:46 (+0200), @lbutlr wrote:
On 2018-05-01 (04:02 MDT), Philip Paeps wrote:
I wonder if it wouldn't be easier to add a configuration option to
smtpd to suitably expurgate Received: headers of sensitive
information.
What information in the Received header do you con
onfigure Mutt to use Maildir rather than mbox:
set mbox_type=Maildir
See the muttrc(5) manual for how to configure where sent mail is stored.
You'll probably also want to set the `folder` and `record` options in
addition to `mbox_type`.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
t seems to work for all
my users and the exotic devices they use.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
when you're simply reissuing
your certificates.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
ders in the hash (which you should not do according to the RFC), your
DKIM signatures will continue to be correct if you anonymise the first
trace header like I do.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
.
It doesn't interfere with debugging much because the logs will mention
the replacement and it's easy to grep for.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
so. I am running postfix on
RHEL 7. Any help is greatly appreciated!
I'm surprised Google couldn't find
http://www.postfix.org/TLS_README.html
DuckDuckGo returns it as the first hit for "Postfix TLS".
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
t up in a jail. It stores its data in a PostgreSQL database (or
possibly other kinds of databases -- I haven't looked).
If you're on FreeBSD, you can install it in a fresh jail with `pkg
install nextcloud`. The documentation is fairly comprehensive.
Philip
--
Philip Paeps
Seni
ice unavailable}
That will stop Postfix from accepting mail from the network.
Oh wow. Thanks for that tip!
I really need to get used to start using more of these static: maps. I
have a couple single-entry /^.*$/ pcre: tables which should probably all
be static:.
Philip
--
Philip Paeps
Senior R
one you find most
comfortable.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
ich I apparently upgraded to "19991231-pl13" in early 2001.
Version numbers didn't come along until a year or so after that :)
Happy days!)
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-10-20 21:28:29 (+0200), Rick van Rein wrote:
On 2017-10-20 21:17:26 (+0200), Philip Paeps wrote:
On 2017-10-20 19:51:07 (+0200), Rick van Rein wrote:
Wouldn't it be a lot easier simply to reject those with SPF? If
you're seeing mail from one of your domains coming in from
's not even simple in
a policy due to the cyclic risk. What are others doing in this
respect?
I use SPF.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
temporary whitelist between machines.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
Sorry for continuing to drift. I'll shut up again. :)
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
x should be able to "just do".
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
logs and time stamp on pickup line.
Check for other processes running as the apache user. Check the crontab
of that user too.
Also firewall off any ports.
I would definitely advise taking a disk image of the machine for
forensic analysis and then doing a clean reinstall.
Philip
--
Philip
= db->set_cachesize(db, 0, dict_db_cache_size, 0)) != 0)
- msg_fatal("set DB cache size %d: %m", dict_db_cache_size);
Is this change intentional, or did it sneak in? It seems unrelated to
the environment workaround.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
te-limiting may not be a big problem long-term but eventually all
email coming from you will be filed as spam. And then users will blame
you for that ...
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
But you really want users to pull mail from you. Unfortunately,
forwarding is no longer a viable option in the current world of email.
The spammers have broken that for everyone.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-05-20 20:33:01 (-0700), pbw wrote:
Has anyone tried to do this? Was it feasible?
As long as the encryption is transparent to Postfix, it shouldn't
matter. I run all my mail systems on encrypted volumes.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
There are other good reasons to disable SSLv3. But POODLE is a
distraction in the context of SMTP.
In general though, when it comes to SMTP, any encryption is better than
none. And opportunistic encryption is the way to go. Read RFC 7435:
https://tools.ietf.org/html/rfc7435
Philip
--
P
your various domains.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
going to convince me is legitimate.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-04-19 18:52:56 (+0300), Marat Khalili wrote:
On 19/04/17 18:39, Philip Paeps wrote:
Linux systems often only configure their shortname with
`sethostname()` (for reasons I've never understood). If you set a
FQDN though, it will be returned with `gethostname()`.
Try to figur
articular flavour of Linux sets its
hostname and teach it to set a FQDN instead of a shortname.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
than that.
In general, you should probably leave this setting alone unless you have
a very specific reason to change it. And even then, you will likely be
better served with an entry in `smtp_tls_policy_maps` overriding the
default for a specific destination.
Philip
--
Philip Paeps
Seni
On 2017-04-18 00:04:07 (+0200), Benny Pedersen wrote:
Philip Paeps wrote on 2017-04-17 19:49:
On 2017-04-17 19:33:36 (+0200), Geert Stappers
wrote:
teamfoo:
localcopy
j...@example.com
b...@domain.tld
john@some.where
Bob checks SPF on incoming messages.
Bob should not be checking SPF from
f whether the address was expanded.
https://github.com/roehling/postsrsd
Mailman and postsrsd are both trivial to set up. My preference would be
for mailman because postsrsd will but it will rewrite all envelopes,
something which I personally would find upsetting but your views may
differ.
ave to
ask more specific questions on this list if you run into difficulties.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-04-15 13:29:37 (+0100), lejeczek wrote:
I'm fiddling with settings but thought, someone already must know - how
to achieve above, if possible at all?
Simply add it to $mynetworks and add ``permit_mynetworks`` to the
relevant ``smtpd_{foo}_restrictions``?
Philip
--
Philip
On 2017-04-13 17:28:44 (+0200), Zbyszek Żółkiewski
wrote:
Message written by Philip Paeps on
13.04.2017, at 16:04:
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski
wrote:
Message written by Philip Paeps on
13.04.2017, at 15:50:
On 2017-04-13 14:53:50 (+0200
On 2017-04-13 08:16:29 (-0600), @lbutlr wrote:
On 2017-04-13 (07:50 MDT), Philip Paeps wrote:
egrep "TLS connection established from.*with cipher" \
/var/log/maillog* | awk \
'{printf("%s %s %s %s\n", $12, $13, $14, $15)}' | \
sort | uniq -c | sort -n
In
On 2017-04-13 15:55:12 (+0200), Zbyszek Żółkiewski wrote:
Message written by Philip Paeps on 13.04.2017, at
15:50:
On 2017-04-13 14:53:50 (+0200), Zbyszek Żółkiewski wrote:
Message written by Zbyszek Żółkiewski on
13.04.2017, at 13:33:
Question: postfix 2.11
ery specific need.
Note that many senders will fall back to plain SMTP if they can't
negotiate TLS with you. I feel a little security is better than no
security at all.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-04-13 04:27:09 (+0200), Benny Pedersen wrote:
body only contained € chars
only me that was made millionaire? :=)
I get surprisingly little spam from Postfix mailing lists.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-04-11 14:04:08 (-0400), Viktor Dukhovni
wrote:
On Apr 11, 2017, at 1:55 PM, Philip Paeps wrote:
It is worth repeating that the spinning rust actually matters in this
case: Postfix fsync()s when accepting a message into the queue. The
time it takes to enqueue a message is at
you like and you'll still be doing a lot of
waiting for DNS. (This can be mitigated with the cache-min-ttl setting
in Unbound).
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
On 2017-04-10 09:51:42 (-0400), Wietse Venema wrote:
> Philip Paeps:
> > My system is configured with default SMTPUTF8 settings [...]
> >
> > This works perfectly fine (probably because, sadly, SMTPUTF8 is still
> > quite rare in the wild) except occasionally I'
e documentation and the archives? Has this been discussed before?
Thanks.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
nd blocking new connections
with the firewall would do it. Postfix will queue messages for later
delivery when it can't connect to the LMTP server.
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information
>
> Yes.
>
> > If so, can i disable this somewhere?
>
> No.
If you own a domain that should not be receiving email, you can prevent
MTAs trying to send mail to it by explicitly specifying a null MX in the
DNS:
bikinibottom.com. IN MX 0 .
Philip
--
Philip Paeps
Senior Reality Engineer
Ministry of Information