[pfx] Re: texthash aliases

2025-08-02 Thread Viktor Dukhovni via Postfix-users
On Sat, Aug 02, 2025 at 01:27:53PM +0200, Matteo Bini via Postfix-users wrote: > Hello Postfix users, > I have a very quick and easy question for you. > > Is it possible to use a texthash database for both alias_database and > alias_maps parameters? The correct setting would be: # EMPTY! S

[pfx] Re: tlsproxy service role client is not available

2025-07-31 Thread Viktor Dukhovni via Postfix-users
On Thu, Jul 31, 2025 at 02:33:53PM +0200, John Doe via Postfix-users wrote: > Any clue what is happening here ? > > postfix/tlsproxy[2399702]: CONNECT to [10.10.10.20]:25 > postfix/smtp[2399701]: warning: private/tlsproxy service role "client" is not > available > postfix/smtp[2399701]: 4bt4ws1G

[pfx] Re: Check Client Access

2025-07-30 Thread Viktor Dukhovni via Postfix-users
On Wed, Jul 30, 2025 at 11:01:53AM +0200, Jaroslaw Rafa via Postfix-users wrote: > regex: type table supports only basic regular expressions, does not Actually the table type supports POSIX EREs (extended regular expressions), as in "egrep" (now "grep -E"), not BREs (basic regular expressions), a

[pfx] Re: Keep ESN requests through content_filter

2025-07-27 Thread Viktor Dukhovni via Postfix-users
On Sun, Jul 27, 2025 at 07:28:41PM +0200, Sven Scholle via Postfix-users wrote: > unfortunately, I have a legacy system that uses content_filter for outgoing > mail. It is a script called by pipe. > > Because of a current lack of time: Is there a quick way to keep the request > for ESNs (required

[pfx] Re: Routing based on number of recipients

2025-07-21 Thread Viktor Dukhovni via Postfix-users
On Mon, Jul 21, 2025 at 02:59:40PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > > Otherwise, use check_policy_service with custom policy server > > that returns FILTER commands to route the message. > > postfwd works as policy filter, so it can do that. > > Note that in order to k

[pfx] Re: sending emails times out

2025-07-15 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 15, 2025 at 09:02:33AM -0700, Curtis Vaughan via Postfix-users wrote: > Yeah, I heard about that as well, but I thought I'm not Cloudflare so surely > that's not the issue. Hm The simplest, and ethically correct, solution is not to conduct any business dealings with Russia, or deal

[pfx] Re: Make postfix additionally relay?

2025-07-15 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 15, 2025 at 10:49:56AM -0400, Wietse Venema via Postfix-users wrote: > > Perhaps an example, like the above, that puts multiple pieces of the > > puzzle together could make a useful addition to ADDRESS_REWRITING_README? > > I've been collecting 'advanced' examples. They could be locat

[pfx] Re: Make postfix additionally relay?

2025-07-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Jul 14, 2025 at 01:36:00PM -0400, Wietse Venema via Postfix-users wrote: > > Looks very interesting. But unfortunately there's no regexp support > > available. > > And the installations of postfix and OS are quite old. Old enough, so that i > > seriously do not want to touch it as long as

[pfx] Re: include dir for config snippets?

2025-07-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Jul 14, 2025 at 09:31:46AM -0500, Matt Zagrabelny via Postfix-users wrote: > I've grepped the man page (man 5 postconf) and performed some searching on > the internet regarding the idea of an include directory for config snippets. An operator can always choose to use a Makefile or simila

[pfx] Re: no reverse dns

2025-07-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Jul 14, 2025 at 12:31:27PM +0200, Benny Pedersen via Postfix-users wrote: > > Maybe your resolver is broken? > > no my bind respect too little time to live > > ;; ANSWER SECTION: > postfix.charite.de. 300 IN A 141.42.206.35 A 5 minute TTL is not excessively low. It am

[pfx] Re: Patch: postfix-3.11-20250713 build failure

2025-07-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Jul 14, 2025 at 10:28:17AM +0200, Eray Aslan via Postfix-users wrote: > postfix-3.11-20250713 build fails with > [...] > multi_server.c: In function ‘multi_server_drain’: > event_server.c: In function ‘event_server_drain’: > multi_server.c:300:9: error: ‘return’ with no value, in function

[pfx] Re: Make postfix additionally relay?

2025-07-14 Thread Viktor Dukhovni via Postfix-users
On Sun, Jul 13, 2025 at 09:12:28PM +0200, oftl--- via Postfix-users wrote: > Have an already up and running postfix *also* relay everything to another > postfix. Yes, via an envelope-recipient preserving PCRE recipient Bcc table, and helper machinery to route and unmunge the addresses. main

[pfx] Re: A couple questions

2025-07-13 Thread Viktor Dukhovni via Postfix-users
On Sun, Jul 13, 2025 at 07:32:46AM -0600, James Lay via Postfix-users wrote: > My other question:  I run split dns here, so what I would LOVE to do is > have an in house certificate used for smtps and submission which are > used internally only on the inside interface, and a world valid ( if > tha

[pfx] Re: postfix3.9.1 restrictions

2025-07-08 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 08, 2025 at 02:02:20PM +0200, natan via Postfix-users wrote: > I have postfix 3.9.1 and the configuration file is 1:1 with postfix 3.8.5 > It seems to me that postfix 3.9.x is more restrictive because when I try to > send using a perl script, I can't send the message via postfix3.9 but

[pfx] Re: Hardcoded "451 4.6.0" error code for Alias expansion error

2025-07-05 Thread Viktor Dukhovni via Postfix-users
On Sat, Jul 05, 2025 at 10:08:12AM -0400, Wietse Venema via Postfix-users wrote: > > I don't think this is a sound feature to add, it would be misunderstood > > by naive users. > > This reminds me of a similar concern that we had in mail delivering > contexts. In the mail receiving context, the s

[pfx] Re: Hardcoded "451 4.6.0" error code for Alias expansion error

2025-07-04 Thread Viktor Dukhovni via Postfix-users
On Fri, Jul 04, 2025 at 10:26:09PM +0200, Dmytro Alieksieiev via Postfix-users wrote: > > Only if you (choose to?) ignore problems. Others have an opportunity to > > fix them and not lose mail. > > But on system where you far ago from user and have 0 contact with him > getting such information

[pfx] Re: Hardcoded "451 4.6.0" error code for Alias expansion error

2025-07-04 Thread Viktor Dukhovni via Postfix-users
On Fri, Jul 04, 2025 at 07:39:45PM +0200, Dmytro Alieksieiev via Postfix-users wrote: > Does anybody know the original reason of why there is no way to adjust > response code for Alias expansion error (internal loop detected) in Postfix > settings? Configuration errors detected by Postfix result

[pfx] Re: Postfix authentication with LDAP

2025-07-02 Thread Viktor Dukhovni via Postfix-users
On Wed, Jul 02, 2025 at 02:22:37PM +0530, Burn Zero wrote: > > If you really mean authentication, a key question is whether this is an > > ActiveDirectory environment, or just some standalone (though networked) > > Windows servers? > > It is an active directory environment. But the problem is ema

[pfx] Re: Postfix authentication with LDAP

2025-07-01 Thread Viktor Dukhovni via Postfix-users
On Wed, Jul 02, 2025 at 11:59:09AM +0530, Burn Zero wrote: > > Typically, neither is a good choice for *authentication* (logins via a > > password of some sort). Are you sure you're looking for > > *authentication* rather than email address validation? > > Yes, I am looking for authentication. Fo

[pfx] Re: Postfix authentication with LDAP

2025-07-01 Thread Viktor Dukhovni via Postfix-users
On Wed, Jul 02, 2025 at 12:02:44PM +0530, Burn Zero via Postfix-users wrote: > > With 400k/day, you can expect loads up to 100 requests/second. > > > > If this uses the Postfix ldap: or mysql: clients, then maybe using > > memcache: with backup=ldap:/foo or backup=mysql:/bar can help. > > > > Than

[pfx] Re: Postfix authentication with LDAP

2025-07-01 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 01, 2025 at 04:32:18PM +0530, Burn Zero via Postfix-users wrote: > I am trying to implement postfix authentication with LDAP (Active > Directory) where the postfix server will act as relay. The expected traffic > is huge (around 400K / day), so is it better to use LDAP as authenticatio

[pfx] Re: SMTPUTF8 best practices

2025-06-30 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 01, 2025 at 12:17:13AM +0200, Steffen Nurpmeso via Postfix-users wrote: > |Postfix would forward SMTPUTF8 mail to an LMTP server only if the > |server announces SMTPUTF8 (in LHLO). > > Only to make this clear: postfix simply does not deal with any message > nor header reencoding at

[pfx] Re: TLSA record hygiene for Let's Encrypt issuer CAs

2025-06-30 Thread Viktor Dukhovni via Postfix-users
On Mon, Jun 30, 2025 at 08:43:17AM +0200, Danjel Jungersen via Postfix-users wrote: > > Do I get this right, if I say that it only applies to me, if I'm using the > "advised against" method 2 x x? > Or rather planning to use, I'm not up and running with inbound dane yet That specific post i

[pfx] Re: smtpd_sasl_auth_enable=no and smtpd_sender_restrictions=reject_sender_login_mismatch

2025-06-22 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 22, 2025 at 09:40:41AM -0400, Wietse Venema via Postfix-users wrote: > Matthew via Postfix-users: > > Hi Viktor, > > > > I think it is more: > > > > 1. "reject_unauthenticated_sender_login_mismatch" implies to a > > reasonable person that "unauthenticated senders" for our trusted do

[pfx] Pruning outdated TLSA DANE-EE(3) records

2025-06-22 Thread Viktor Dukhovni via Postfix-users
[ Also posted to dane-us...@list.sys4.de ] Some MTA operators neglect to prune outdated TLSA records with "usage" DANE-EE(3). As keys or certificates are replaced, they add new matching TLSA records, never dropping the records matching the outdated keys. This largely defeats the purpose of key o

[pfx] Re: smtpd_sasl_auth_enable=no and smtpd_sender_restrictions=reject_sender_login_mismatch

2025-06-22 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 22, 2025 at 01:02:44PM -0400, Wietse Venema via Postfix-users wrote: > > What I am talking about is the comment about the meaning "when SASL is > > enabled", as possibly applying to SASL being enabled somewhere else > > in Postfix, rather than the smtpd(8) service that is processing th

[pfx] Re: smtpd_sasl_auth_enable=no and smtpd_sender_restrictions=reject_sender_login_mismatch

2025-06-22 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 22, 2025 at 01:39:09PM +0100, Matthew via Postfix-users wrote: > Thank you for your e-mail. I thought I had searched for similar discussions > beforehand but obviously I had not done a very thorough job. Yes, exactly > the same observations. It is rather odd to apply a login-mismatch

[pfx] Re: No DNS found

2025-06-21 Thread Viktor Dukhovni via Postfix-users
On Sat, Jun 21, 2025 at 01:31:01PM +0200, Christian H. Kuhn via Postfix-users wrote: > > Assign both instances explicit distinct $myhostname values. > > But i started rethinking the whole setup. And it does not end with removing > localhost ip from the public instance. What is the idea behind th

[pfx] Re: No DNS found

2025-06-20 Thread Viktor Dukhovni via Postfix-users
On Fri, Jun 20, 2025 at 10:37:53PM +0200, Christian H. Kuhn via Postfix-users wrote: > Dear Wietse, > > On 20.06.2025 at 22:26, Wietse Venema via Postfix-users wrote: > > Christian H. Kuhn via Postfix-users: > > I see only one inet_interfaces setting, and two different myhostname > > settings.

[pfx] Re: Postfix TLS Library Problem No such file

2025-06-19 Thread Viktor Dukhovni via Postfix-users
On Tue, May 06, 2025 at 11:50:55AM -0400, Jason Hirsh via Postfix-users wrote: [ Just noticed this post from May 06... ] > # TLS CONFIG > smtp_tls_note_starttls_offer = yes > smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/kasdivi.com/privkey.key > smtpd_tls_cert_file = > /usr/local/etc/let

[pfx] Re: TLSRPT: master.cf overrides are being ignored and warning logs when relaying TLS report emails generated by sys4 tlsrpt-reporter

2025-06-19 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 19, 2025 at 09:53:38PM +1000, Viktor Dukhovni via Postfix-users wrote: > However, there's a problematic interaction with DANE TLSA records. > Patch below. I should not have trimmed the patch context so radically, better patch below, in case your sources are slightly old

[pfx] Re: TLSRPT: master.cf overrides are being ignored and warning logs when relaying TLS report emails generated by sys4 tlsrpt-reporter

2025-06-19 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 19, 2025 at 09:24:27AM +, Michael Webb via Postfix-users wrote: > When relaying TLS report emails generated by sys4 tlsrpt-reporter, > Postfix built with TLSRPT library seems to ignore master.cf overrides > and generates warning logs. The master.cf overrides you've specified are n

[pfx] Re: Postscreen STARTTLS bug?

2025-06-18 Thread Viktor Dukhovni via Postfix-users
On Wed, Jun 18, 2025 at 10:13:21AM -0400, Wietse Venema via Postfix-users wrote: > > After setting "postscreen_tls_security_level = none", when I now send a > > STARTTLS, I get a "502 5.5.1 Error: command not implemented", and then > > /the SMTP session/ stops responding to any subsequent comman

[pfx] Re: Postscreen STARTTLS bug?

2025-06-18 Thread Viktor Dukhovni via Postfix-users
On Wed, Jun 18, 2025 at 10:59:37PM +1200, Nick Tait via Postfix-users wrote: > On 18/06/2025 22:33, Nick Tait via Postfix-users wrote: > > Prior to making the configuration change, the response to the STARTTLS > > was "454 4.7.0 TLS not available due to local problem", and the SMTP > > session rem

[pfx] Re: more SELinux denials - fifo_file

2025-06-18 Thread Viktor Dukhovni via Postfix-users
On Wed, Jun 18, 2025 at 09:13:25AM +0200, lejeczek via Postfix-users wrote: > All these SELinux denials were caused by an external tool (part of the HA > management actually & running on the same box as postfix), a script which > part is: > >     sendmail) >     sendmail -t -r "${emai

[pfx] Re: more SELinux denials - fifo_file

2025-06-17 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 17, 2025 at 07:54:41PM +0200, lejeczek via Postfix-users wrote: > -> $ postconf -Mf | egrep -i '(pickup|qmgr)' > pickup unix  n   -   n   60  1   pickup > qmgr   unix  n   -   n   300 1   qmgr Reasonable so far, can you also post a listi

[pfx] Re: more SELinux denials - fifo_file

2025-06-17 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 17, 2025 at 07:13:49PM +0200, lejeczek via Postfix-users wrote: > Could it be something that postfix uses, something calls out, a third-party? > There is nothing 'explicit' in my master.cf nor in main.cf which mentions > 'fifo/file'. Can you post your master.cf file, or more precisely

[pfx] Re: header_checks question

2025-06-16 Thread Viktor Dukhovni via Postfix-users
On Mon, Jun 16, 2025 at 01:59:05PM +0200, Florian Piekert via Postfix-users wrote: > I am seeking guidance on the following header_checks.pcre directives, > which do not seem to work. Especially the > /by .*\.t-com\.hr...$/ > lines apparently. You should have read the pcre_table(5) manpage. >

[pfx] TLSA record hygiene for Let's Encrypt issuer CAs

2025-06-15 Thread Viktor Dukhovni via Postfix-users
Please see: https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/thread/FUUH4KTUI5PMDD44X6JV5KLIPVRCH27P/ TL;DR: - DO publish ALL applicable intermediate CAs when any are published - DON'T publish TLSA records matching long-retired LE CAs. -- Viktor.

[pfx] Re: Closing smtpd idle connections

2025-06-11 Thread Viktor Dukhovni via Postfix-users
On Wed, Jun 11, 2025 at 03:35:07PM +, Pedro David Marco via Postfix-users wrote: > I have tried setting  smtpd_timeout = 60s  but this only controls > per-command timeouts, and it doesn't ensure disconnection after some > idle time. That's not true. I configured a loopback SMTP listener on

[pfx] Re: blacklistd issues

2025-06-08 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 08, 2025 at 05:13:07PM -0700, Doug Hardie via Postfix-users wrote: > I believe that pf is not properly blocking IPs that are supposedly > blocked by blacklistd. In trying to test this, I am using postfix. > However, I don't seem to be able to get postfix to call blacklistd. > The appr

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 08, 2025 at 07:29:22PM +0200, Geert Hendrickx via Postfix-users wrote: > On Mon, Jun 09, 2025 at 00:42:20 +1000, Viktor Dukhovni via Postfix-users > wrote: > > On Sun, Jun 08, 2025 at 09:29:17AM -0400, Wietse Venema via Postfix-users > > wrote: > > >

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 08, 2025 at 09:29:17AM -0400, Wietse Venema via Postfix-users wrote: > > Can the default be decided at build-time (#ifdef), instead of with > > run-time conditional configuration? > > That would result in an incompatible change for systems that are > not explicitly configured to enabl

[pfx] Re: Postfix interaction between access map, .forward and aliases

2025-06-06 Thread Viktor Dukhovni via Postfix-users
On Fri, Jun 06, 2025 at 10:55:10AM -0400, Paul Raines via Postfix-users wrote: > I was thinking of a third way by removing proxy:unix:passwd.byname > from local_recipient_maps and adding in a hash map with just the > "enabled" user accounts. That would take more effort though (both > add user

[pfx] Re: DANE verification question

2025-06-06 Thread Viktor Dukhovni via Postfix-users
On Fri, Jun 06, 2025 at 09:40:31AM +0200, Florian Piekert via Postfix-users wrote: > I have (tried to) setup floppy.org with dnssec and TLSA records in the > zonefile. > > root@sonne:~# dig _25._tcp.floppy.org any > > _25._tcp.floppy.org.3600IN TLSA3 1 1 > 78D7BF87633081A2D1839

[pfx] Re: MTA-STS / DANE - postfix-tlspol

2025-06-05 Thread Viktor Dukhovni via Postfix-users
On Fri, Jun 06, 2025 at 12:15:53AM +0200, Luca vom Bruch wrote: > I think it may be some DNS related issue on my servers local bind9/named > install. It acts as its own nameserver with glue records. The sending domain > on It is DNSSEC signed. (the one I am sending mail from now). > > When I use

[pfx] Re: Postfix interaction between access map, .forward and aliases

2025-06-05 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 05, 2025 at 03:57:12PM -0400, Paul Raines via Postfix-users wrote: > As a quick fix for (1) I have changed the access map to use > olduser@primary.domain instead of just olduser@ but that only works for that > primary.domain. We have several secondary domains and I would have to list >

[pfx] Re: MTA-STS / DANE - postfix-tlspol

2025-06-05 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 05, 2025 at 09:11:01PM +0200, Luca vom Bruch via Postfix-users wrote: > to=, relay=none, delay=0.64, > delays=0.1/0.02/0.51/0, dsn=4.7.5, status=deferred (no TLSA records found) That's odd, when I query the DNS, I see DNSSEC-signed MX records for the domain with signed A, and TL

[pfx] Re: Pflogsumm: Postscreen Logging Questions And Request For Log Samples

2025-05-30 Thread Viktor Dukhovni via Postfix-users
On Fri, May 30, 2025 at 02:08:00PM -0400, Jim Seymour via Postfix-users wrote: > > First of all: Here's the list of postscreen status messages I have: > > BLACKLISTED > COMMAND COUNT LIMIT from > COMMAND LENGTH LIMIT from > COMMAND PIPELINING from > COMMAND TIME LIMIT from >

[pfx] Re: Postfix denies regular mail

2025-05-30 Thread Viktor Dukhovni via Postfix-users
On Fri, May 30, 2025 at 02:31:59PM +0200, Christian H. Kuhn via Postfix-users wrote: > reject: RCPT from list.sys4.de[45.90.5.195]: 450 4.1.1 : > Recipient address rejected: unverified address: User unknown in virtual > alias table; from= > to= proto=ESMTP helo= Address verification via "reject_

[pfx] Re: using fallback_transport for user migration

2025-05-29 Thread Viktor Dukhovni via Postfix-users
On Thu, May 29, 2025 at 07:46:20PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > Our customer reported that they started migrating users to 365 services > (yeah, after they started). > > Of course, this means that they are unable to send mail from local > system to addresses in local

[pfx] Re: Fwd: Killed postfix

2025-05-27 Thread Viktor Dukhovni via Postfix-users
On Tue, May 27, 2025 at 12:22:17PM -0400, Jason Hirsh wrote: > > From: Jason Hirsh > > Subject: Killed postfix > > Date: May 27, 2025 at 12:11:13 PM EDT > > To: postfix-u...@postfix.org [ Please format list posts as simple text, rather than HTML markup. ] > > Since changing my SSL certificates. I

[pfx] Re: inet_interfaces unable to deal with IPv6 link-local addresses

2025-05-27 Thread Viktor Dukhovni via Postfix-users
On Wed, May 28, 2025 at 03:14:32AM +0200, Daniel Roesen via Postfix-users wrote: > Postfix fails to start up due to inability to deal with inet_interface = > $myhostname resolving to (also) IPv6 link-local address(es): > > postfix/postfix-script[1200]: starting the Postfix mail system > postfix/m

[pfx] Re: postfix/cleanup warning: unsupported dictionary type: PATH=/bin.

2025-05-25 Thread Viktor Dukhovni via Postfix-users
On Sun, May 25, 2025 at 04:43:58PM -0400, Jason Hirsh wrote: > I am getting this error > > ay 25 14:10:18 triggerfish postfix/cleanup[71521]: error: unsupported > dictionary type: PATH=/bin > > > I know nothing about “cleanup”. But since master.cf is referenced I must hav

[pfx] Re: Sender rewrite for Azure SMTP

2025-05-21 Thread Viktor Dukhovni via Postfix-users
On Wed, May 21, 2025 at 05:46:34PM -0400, Wietse Venema via Postfix-users wrote: > Matthew Kitchin via Postfix-users: > > Hey all, former longtime user, but been away from Postfix for about 13 > > years. > > I'm migrating a datacenter to Azure. We have a variety of things > > (websites, copiers,

[pfx] Re: Questions on a couple of log entries

2025-05-20 Thread Viktor Dukhovni via Postfix-users
On Tue, May 20, 2025 at 10:21:58AM -0700, Dan Mahoney wrote: > > The remote SMTP client reported not liking the server certificate (sent > > an alert to that effect): > > That was the bit that confused me — if we’re seeing an alert that says > bad certificate, is it because we’re misconfigured on

[pfx] Re: Questions on a couple of log entries

2025-05-20 Thread Viktor Dukhovni via Postfix-users
On Tue, May 20, 2025 at 08:26:37AM -0400, Wietse Venema via Postfix-users wrote: > > We're in the process of trolling all our logs to figure out what we can > > ignore/filter/take action on, and we have a couple entries that I'm > > wondering what's happening under the hood: > > > > 2025-05-18T

[pfx] Re: Issues with authenticating after attempting mail

2025-05-15 Thread Viktor Dukhovni via Postfix-users
On Thu, May 15, 2025 at 06:48:00PM -0400, Wietse Venema via Postfix-users wrote: > > > I'd have thought it'd at least try, similar to how it does in when > > > using my sendmail host. My configuration remained the same, except > > > for changing the host to the machine running postfix instead. > >

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 11:47:25AM -0400, Sean McBride via Postfix-users wrote: > On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote: > > > The simplest setup is to have the full chain in a single file > > referred to by smtpd_tls_cert_file and NO smtpd_tls_chain_file. There is no such

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 10:16:50AM +0200, Jaroslaw Rafa via Postfix-users wrote: > On 14.05.2025 at 08:29:06, Gregory Kohring via Postfix-users wrote: > > Unfortunately, this is standard industry practice and cannot be > > disabled." > > Utter bullshit. Doing a MiTM attack (because that's in

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 08:29:06AM +0200, Gregory Kohring via Postfix-users wrote: > "All outgoing mail from our network is relayed through a spam > filtering system that may affect how certain TLS negotiation stages > (like 250-STARTTLS) are exposed during the SMTP handshake. > > That said, TLS

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 01:36:09AM +1000, Matthew J Black via Postfix-users wrote: > But what do you get with 'openssl s_client -starttls smtp -connect > mail.peregrineit.net:587' - cause I get : The difference is that OpenSSL defaults to sending an SNI extension with the server hostname, while

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 05:07:04PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > any reverse proxy between you and server? > no multiple postfix instances used? Let's not encourage further pointless waste of time. The OP needs to post: $ postconf -nf $ postconf -Mf and some

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 12:56:34AM +1000, Matthew J Black via Postfix-users wrote: > > There's no magic, Postfix loads certificates and keys from the > > configured locations. > > > > https://www.postfix.org/DEBUG_README.html#mail > > Yeah, I realise that - that's why it's so weird! :-) > (Which

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 12:17:29AM +1000, Matthew J Black via Postfix-users wrote: > [q2AY6ESDEdxdcaKPIjGrwB1r7irZNrS9NMjjOyd3RyDvDnZMS2-sTQhrVffoXSQ5YfoHS >mIcYF9Dtgcyg6uqQNRONtN6fjtE7FhanYwbNm07AoA0WypPtbent8SCQHFw3oKlNwb8geri >jbVIdLhnAzelVvNmW4ujeNXfWCDKM6iFsokflWxvpn_FvMEODKjqJj2

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 02:43:52PM +0200, Gregory Kohring via Postfix-users wrote: > posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary > "[gmail-smtp-in.l.google.com]" > > posttls-finger: initializing the client-side TLS engine > posttls-finger: Connected to gmail-smtp-in.

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 01:44:14PM +0200, Gregory Kohring via Postfix-users wrote: > > More likely misconfiguration, or perhaps some middlebox between you and > > Gmail. Test with: > > > > $ posttls-finger -c -F /etc/ssl/cert.pem -lsecure -Lsummary > > "[gmail-smtp-in.l.google.com]" > >

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 12:23:40PM +0200, Gregory Kohring via Postfix-users wrote: > Gmail's MTA-STS policy says that all mails sent to google must be over TLS. No, it says no such thing, rather it provides the parameters necessary to upgrade from opportunistic TLS to MTA-STS when the client supp

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Viktor Dukhovni via Postfix-users
On Fri, May 09, 2025 at 10:18:19AM +1000, Carl Brewer via Postfix-users wrote: > I changed it to this : > > smtpd_tls_security_level = may > smtpd_tls_cert_file = > /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/fullchain.pem > smtpd_tls_key_file = > /usr/local/etc/letsencrypt/live/roll

[pfx] Re: Configuration Request: Restrict Outgoing Emails to Allowed Domains, Allow All Incoming, and Bypass Restrictions for Privileged Users

2025-05-07 Thread Viktor Dukhovni via Postfix-users
ail.com. Well, this address is not matched in the table at all, so it just falls through to "permit_mynetworks", which allows the delivery. > From: Viktor Dukhovni via Postfix-users > Sent: 07 May 2025 13:29 > To: postfix-users@postfix.org > Subject: [pfx] Re: Configuration

[pfx] Re: Configuration Request: Restrict Outgoing Emails to Allowed Domains, Allow All Incoming, and Bypass Restrictions for Privileged Users

2025-05-07 Thread Viktor Dukhovni via Postfix-users
On Wed, May 07, 2025 at 12:57:29PM +0530, Srinivasa Gowd S via Postfix-users wrote: > 1.Allow incoming emails from all external domains to all internal > users. > 2.Restrict outgoing emails for all users so they can only send to > a list of allowed domains. > 3.Allow speci

[pfx] Re: Would Postfix be suitable for transferring data from local mobile devices via email?

2025-04-30 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 30, 2025 at 09:57:41AM -0400, Marvin Renich via Postfix-users wrote: > * Bill Cole via Postfix-users [250430 09:23]: > > As a full "Message Transport Agent" (MTA) handling initial mail submission, > > > Message Transfer Agent > > > See e.g. RFC 6409 and RFC 5598. This sort of corr

[pfx] Re: message archival

2025-04-24 Thread Viktor Dukhovni via Postfix-users
On Thu, Apr 24, 2025 at 09:43:34AM -0400, Wietse Venema via Postfix-users wrote: > > This is a sketch, fill in the details and test with care. > > I wish this were easier. If Postfix were to provide native support, > what should it look like? I'm thinking of an intermediate program > that annotat

[pfx] Re: How to correctly prepend headers to email with multiple recipients?

2025-04-24 Thread Viktor Dukhovni via Postfix-users
On Thu, Apr 24, 2025 at 10:21:37AM +0300, Mike Teplynin via Postfix-users wrote: > On Thu, Apr 24, 2025 at 9:46 AM Viktor Dukhovni via Postfix-users > wrote: > > > Well, that's rather important information, that wasn't originally > > provided. So this an email ar

[pfx] Re: How to correctly prepend headers to email with multiple recipients?

2025-04-23 Thread Viktor Dukhovni via Postfix-users
On Thu, Apr 24, 2025 at 09:37:37AM +0300, Mike Teplynin via Postfix-users wrote: > Unfortunately, for internal purposes we need to store not only copies > of messages, but also envelope headers. Sendmail with a full session > log was the ideal solution, but we are (finally!) abandoning it on the >

[pfx] Re: How to correctly prepend headers to email with multiple recipients?

2025-04-23 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 23, 2025 at 08:32:31PM +0300, Mike Teplynin wrote: > > Why do you want to break Bcc by recording all envelope recipients in > > headers? Unless you can guarantee that all messages are > > single-recipient, or that Bcc is never used/intended by the user, > > adding such headers is like

[pfx] Re: How to correctly prepend headers to email with multiple recipients?

2025-04-23 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 23, 2025 at 05:35:54PM +0300, Mike Teplynin via Postfix-users wrote: > I want to add custom headers with "envelope from" and "envelope to" info > received emails. To do this, I added the following lines to > smtpd_relay_restrictions: Why do you want to break Bcc by recording all envel

[pfx] Re: Question about /etc/aliases and virtual_alias_maps?

2025-04-21 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 21, 2025 at 12:48:16PM +0200, Klaus Tachtler via Postfix-users wrote: > Yes, you are right - in $mydestination is, as described in the > documentation, $myorigin = tachtler.net - NOT - included and > $virtual_mailbox_domains = tachtler.net (only). > > So, if I understand this correct

[pfx] Re: Question about /etc/aliases and virtual_alias_maps?

2025-04-20 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 21, 2025 at 08:33:44AM +0200, Klaus Tachtler via Postfix-users wrote: > When creating the e-mail using > > echo “Test email (virtual domain)” | /usr/sbin/sendmail root > > Is not taken into account in the subsequent configuration of virtual domains > /etc/aliases: See ADDRESS_CLASS

[pfx] Re: Question about /etc/aliases and virtual_alias_maps?

2025-04-20 Thread Viktor Dukhovni via Postfix-users
On Sun, Apr 20, 2025 at 09:02:43AM +0200, Klaus Tachtler via Postfix-users wrote: > I have a question of understanding: > > If virtual_alias_maps is configured and working successfully and an email > address is defined in /etc/aliases to forward the emails of the root user, > the configuration f

[pfx] Re: error lmdb update

2025-04-19 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 19, 2025 at 11:11:11AM -0400, John Hill via Postfix-users wrote: > When I manually update my lmdb access tables, adding or deleting. I see this > message in the log: error: accept connection: Socket operation on > non-socket. > > The line before this error: table > lmdb:/etc/postfix/m

[pfx] Re: smtp_tls_security_level = may vs. encrypt with "enabling PIX workarounds" on destination MX server

2025-04-19 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 19, 2025 at 05:12:06PM +0200, Florian Piekert via Postfix-users wrote: > #smtp_tls_security_level = may > smtp_tls_security_level = encrypt > > for a while, until just now. When I noticed that some target mx > destination had delivery issues with this, I put the exception in my > smt

[pfx] Re: Localpart length validation

2025-04-19 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 19, 2025 at 04:50:04PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > > I recommend against "recipient_canonical_maps", it rewrites a subset of > > the message headers, (To/Cc or Resent-To/Resent-Cc), while in almost all > > cases one should really rewrite all address-valued

[pfx] Re: Localpart length validation

2025-04-19 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 19, 2025 at 01:31:28PM +0200, Dmitriy Alekseev wrote: > I do not rewrite any headers and have 0 intention to do so as it break > existing dkim and arc signatures. No modification except envelopes needed. Therefore, avoid 'recipient_canonical_maps', and if you need envelope sender rewri

[pfx] Re: Localpart length validation

2025-04-19 Thread Viktor Dukhovni via Postfix-users
On Sat, Apr 19, 2025 at 12:13:52PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > On 18.04.25 22:00, Dmytro Alieksieiev via Postfix-users wrote: > > So you say it's better to do recipient_canonical_maps on incoming mail? > > How it will improve situation? SRS will still throw same error

[pfx] Re: what is "netscape" in config params docs referring to?

2025-04-15 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 15, 2025 at 11:48:55AM -0400, Sean McBride via Postfix-users wrote: > The docs here: > > https://www.postfix.org/postconf.5.html > > contain the string "netscape" a few times, and in each case the meaning is > not clear (IMHO). > > example: "Some clients (Netscape 4 at least) have

[pfx] Re: pipe service program failing (signal handler?)

2025-04-15 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 15, 2025 at 11:38:55AM -0400, Wietse Venema via Postfix-users wrote: > > Wouldn't the below do the trick: > > > > foo unix ... pipe > > -o { export_environment = HOME=/some/where } > > ... > > > > As it should for any Postfix service that forks subprocesses? > >

[pfx] Re: pipe service program failing (signal handler?)

2025-04-15 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 15, 2025 at 08:05:20AM -0400, Wietse Venema via Postfix-users wrote: > berg...@panix.com: > > Perhaps $HOME could be set in the environment for the pipe service command. > > This is a subtle difference between local(8) and pipe(8). > > local(8) delivers mail for real users that are

[pfx] Re: [pfx-dev] Possible milter command timeout issue? Log milter commands sent from postfix to milter?

2025-04-14 Thread Viktor Dukhovni via Postfix-users
On Mon, Apr 14, 2025 at 11:23:49AM +0200, Benoit Panizzon via Postfix-devel wrote: > As smtpd milter we use: > > MIMEDefang (using spamassassin / clamav) > milter-greylist > opendmarc > > Every now and then, an email to multiple recipients is constantly being > rejected by Postfix with: > > mi

[pfx] Re: postscreen_access_list limitations?

2025-04-13 Thread Viktor Dukhovni via Postfix-users
On Sun, Apr 13, 2025 at 10:19:29PM -0400, Greg Klanderman via Postfix-users wrote: > > This has little to do with hash tables, but as documented in > > https://www.postfix.org/postconf.5.html#postscreen_access_list the only > > supported lookup key is the full IP address, table lookups happen pri

[pfx] Re: postscreen_access_list limitations?

2025-04-13 Thread Viktor Dukhovni via Postfix-users
On Sun, Apr 13, 2025 at 08:12:26PM -0400, Greg Klanderman via Postfix-users wrote: > Am I not able to match on the client FQDN in postscreen_access_list? > I.e. using a hash: table? This has little to do with hash tables, but as documented in https://www.postfix.org/postconf.5.html#postscreen_ac

[pfx] Re: Inconsistent failure pattern with smtp_tls_wrappermode

2025-04-11 Thread Viktor Dukhovni via Postfix-users
On Fri, Apr 11, 2025 at 05:08:39PM +, Jeff Kletsky via Postfix-users wrote: > 2025 Apr 11 00:27:36.696 -07:00 mx1 warning: postfix/relay/smtp[69584]:  > warning: smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt" > (or stronger) The warning is clear enough, to use "wrapper mode

[pfx] Re: Virtual alias expansion in milter

2025-04-10 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 09, 2025 at 04:13:40PM +0200, Gioele Pannetto via Postfix-users wrote: > On 09/04/25 15:50, Viktor Dukhovni via Postfix-users wrote: > > You have a choice between running milters while the SMTP client is still > > waiting for a response, and therefore being able

[pfx] Re: Virtual alias expansion in milter

2025-04-10 Thread Viktor Dukhovni via Postfix-users
On Thu, Apr 10, 2025 at 10:27:24AM +0200, Gioele Pannetto via Postfix-users wrote: > On 09/04/25 16:28, Viktor Dukhovni via Postfix-users wrote: > > > For this use case a post-queue milter is more suitable. By the way, are > > > you > > > referring to non_smt

[pfx] Re: Virtual alias expansion in milter

2025-04-09 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 09, 2025 at 05:22:05PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > On 10.04.25 00:29, Viktor Dukhovni via Postfix-users wrote: > > No, that's not always the case... > > now I'm curious how. > maybe I missed something? Yes, my reply to the s

[pfx] Re: Virtual alias expansion in milter

2025-04-09 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 09, 2025 at 04:23:17PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > > On 09/04/25 15:50, Viktor Dukhovni via Postfix-users wrote: > > > You have a choice between running milters while the SMTP client is still > > > waiting for a response, and

[pfx] Re: Virtual alias expansion in milter

2025-04-09 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 09, 2025 at 03:26:27PM +0200, Gioele Pannetto via Postfix-users wrote: > Hi, > I'm configuring an inbound-only Postfix server and I have connected an > antispam software using the milter interface of Postfix with the > smtpd_milters property. > > Suppose I have a mailbox (u...@exampl

[pfx] Re: list.sys4.de

2025-04-08 Thread Viktor Dukhovni via Postfix-users
On Wed, Apr 09, 2025 at 07:57:57AM +0200, Jack Raats via Postfix-users wrote: > My only ipv6 mailserver tries to connect with list.sys4.de which is > ipv6 only??? It is presently IPv4-only. Apr 06 18:41:03 amnesiac postfix/smtp[968777]: Verified TLS connection established to list.sys4.de[45

[pfx] Re: Bogus HELO not being blocked

2025-04-08 Thread Viktor Dukhovni via Postfix-users
On Tue, Apr 08, 2025 at 09:08:12AM -0400, Phillip Susi via Postfix-users wrote: > I have: > > smtpd_helo_required = yes > smtpd_helo_restrictions = reject_invalid_helo_hostname, > reject_non_fqdn_helo_hostname, > reject_unknown_helo_hostname I would

[pfx] Re: A question about the configuration of postscreen

2025-04-06 Thread Viktor Dukhovni via Postfix-users
On Sun, Apr 06, 2025 at 06:46:04PM +0200, Andreas Kuhlen via Postfix-users wrote: > since "smtpd_sasl_auth_enable=no" is the default, it really makes little > sense to add this to master.cf or main.cf. It is redundant then. So I > will leave it as I configured postscreen in master.cf in the first
