[pfx] Re: quieting postscreen logging of dnsbl-rejected connections?

2025-05-17 Thread Allen Coates via Postfix-users
On 17/05/2025 16:23, pgnd via Postfix-users wrote: > logs (/var/log/postfix/postfix.log) routinely report postscreen doing its job > well at fending off 'pulses' of spammy > connection attempts. e.g., > the number of attempts varies from any one IP -- from just one to

[pfx] Re: action=DUNNO with two \n\n gives a server configuration error

2025-05-17 Thread Wietse Venema via Postfix-users
Jorge Bastos via Postfix-users: > Hi thanks, > > even with: > > echo -e "action=DUNNO\n" > > it fails with the same reason Postfix logging? See: https://www.postfix.org/DEBUG_README.html#logging DO NOT turn on debug logging with '-v' options in

[pfx] Re: action=DUNNO with two \n\n gives a server configuration error

2025-05-17 Thread Jorge Bastos via Postfix-users
Hi thanks, even with: echo -e "action=DUNNO\n" it fails with the same reason On 2025-05-17 19:45, Wietse Venema via Postfix-users wrote: https://pastebin.com/gMrRx9Ny https://pastebin.com/xX1hj38H First, echo -e "action=DUNNO\n\n" will send THREE newline

[pfx] Re: action=DUNNO with two \n\n gives a server configuration error

2025-05-17 Thread Wietse Venema via Postfix-users
Jorge Bastos via Postfix-users: > Hi Guys, > > I'm having an issue with my: > > check_policy_service unix:private/policy-dnswl > > That has the information below, I've been looking at the docs for two > weeks and can't figure why action=DUNNO still gives me

[pfx] Re: quieting postscreen logging of dnsbl-rejected connections?

2025-05-17 Thread pgnd via Postfix-users
possible. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: action=DUNNO with two \n\n gives a server configuration error

2025-05-17 Thread Jorge Bastos via Postfix-users
Update, Even having the check_policy_service unix:private/policy-dnswl in smtpd_client_restrictions same behavior On 2025-05-17 18:07, Jorge Bastos via Postfix-users wrote: Hi Guys, I'm having an issue with my: check_policy_service unix:private/policy-dnswl That has the inform

[pfx] action=DUNNO with two \n\n gives a server configuration error

2025-05-17 Thread Jorge Bastos via Postfix-users
ent_restriction, What am I doing wrong in the DUNNO part? Thanks in advance, https://pastebin.com/gMrRx9Ny https://pastebin.com/xX1hj38H

[pfx] quieting postscreen logging of dnsbl-rejected connections?

2025-05-17 Thread pgnd via Postfix-users
e certainly not taxed. and, i know i can filter log output with grep or rsyslog. can pf's logging config itself, for these connections, be directly quieted -- or at least better aggregated? if so, how? if not, ndb -- just an inconvenience.

[pfx] Re: Rate limit for authenticated users ?

2025-05-16 Thread vom513 via Postfix-users
> On May 15, 2025, at 9:53 AM, vom513 wrote: > > > >> On May 14, 2025, at 11:24 AM, Matus UHLAR - fantomas via Postfix-users >> wrote: >> >> On 14.05.25 10:37, vom513 via Postfix-users wrote: >>> I see docs on how to rate limit for certain netwo

[pfx] Re: Issues with authenticating after attempting mail

2025-05-15 Thread Viktor Dukhovni via Postfix-users
On Thu, May 15, 2025 at 06:48:00PM -0400, Wietse Venema via Postfix-users wrote: > > > I'd have thought it'd at least try, similar to how it does in when > > > using my sendmail host. My configuration remained the same, except > > > for changing the host t

[pfx] Re: Issues with authenticating after attempting mail

2025-05-15 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users: > On 2025-05-15 at 14:53:47 UTC-0400 (Thu, 15 May 2025 19:53:47 +0100) > Maya Copeland via Postfix-users > is rumored to have said: > > > I'd have thought it'd at least try, similar to how it does in when > > using my > > send

[pfx] Re: Issues with authenticating after attempting mail

2025-05-15 Thread Bill Cole via Postfix-users
On 2025-05-15 at 14:53:47 UTC-0400 (Thu, 15 May 2025 19:53:47 +0100) Maya Copeland via Postfix-users is rumored to have said: I'd have thought it'd at least try, similar to how it does in when using my sendmail host. My configuration remained the same, except for changing the h

[pfx] Re: Issues with authenticating after attempting mail

2025-05-15 Thread Wietse Venema via Postfix-users
Maya Copeland via Postfix-users: > IMAP DEBUG 14:17:19 5/15: 220 hostname ESMTP Postfix > IMAP DEBUG 14:17:19 5/15: EHLO desktop > IMAP DEBUG 14:17:19 5/15: 250-hostname > IMAP DEBUG 14:17:19 5/15: 250-PIPELINING > IMAP DEBUG 14:17:19 5/15: 250-SIZE 25000 > IMAP DEBUG 14:17

[pfx] Re: Issues with authenticating after attempting mail

2025-05-15 Thread Maya Copeland via Postfix-users
.1.5 ... Recipient ok IMAP DEBUG 11:01:57 5/13: DATA Maya On Thu, 15 May 2025 at 19:14, Wietse Venema via Postfix-users < postfix-users@postfix.org> wrote: > Maya Copeland via Postfix-users: > > IMAP DEBUG 14:17:19 5/15: 220 hostname ESMTP Postfix > > IMAP DEBUG 14:17:19 5/15:

[pfx] Issues with authenticating after attempting mail

2025-05-15 Thread Maya Copeland via Postfix-users
"554 5.7.1 : Relay access denied" IMAP DEBUG 14:17:19 5/15: QUIT IMAP DEBUG 14:17:19 5/15: 221 2.0.0 Bye call_mailer ERROR: Mail not sent: : Relay access denied Send failed, continuing Thanks, Maya

[pfx] Re: Rate limit for authenticated users ?

2025-05-15 Thread vom513 via Postfix-users
> On May 14, 2025, at 11:24 AM, Matus UHLAR - fantomas via Postfix-users > wrote: > > On 14.05.25 10:37, vom513 via Postfix-users wrote: >> I see docs on how to rate limit for certain networks / IPs - but can custom >> rate limiting be applied to authenticated users

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-15 Thread Bill Cole via Postfix-users
On 2025-05-14 at 21:29:59 UTC-0400 (Thu, 15 May 2025 11:29:59 +1000) Viktor Dukhovni via Postfix-users is rumored to have said: On Wed, May 14, 2025 at 11:47:25AM -0400, Sean McBride via Postfix-users wrote: On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote: The simplest setup

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-15 Thread Matthew J Black via Postfix-users
On 15/5/25 00:20, Jaroslaw Rafa via Postfix-users wrote: On 14.05.2025 at 20:37:40 Matthew J Black via Postfix-users wrote: - as you are no doubt aware, I had an "interesting" situation where my email were being turned into html by a service I am no-longer using. Hopefully

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 11:47:25AM -0400, Sean McBride via Postfix-users wrote: > On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote: > > > The simplest setup is to have the full chain in a single file > > referred to by smtpd_tls_cert_file and NO smtpd_tls_chain_file.

[pfx] Re: Let's Encrypt ending TLS Client Authentication

2025-05-14 Thread Jaroslaw Rafa via Postfix-users
On 14.05.2025 at 15:55:22 Scott Techlist via Postfix-users wrote: > Apologies in advance for the slightly OT question. I've used Postfix since > the beginning on a relatively small server. I was thankful when Let's > Encrypt made it possible for me to automate and have

[pfx] Re: Let's Encrypt ending TLS Client Authentication

2025-05-14 Thread John Levine via Postfix-users
It appears that Scott Techlist via Postfix-users said: >Apologies in advance for the slightly OT question. I've used Postfix since >the beginning on a relatively small server. I was thankful when Let's Encrypt >made it possible for me to automate and have "real"

[pfx] Let's Encrypt ending TLS Client Authentication

2025-05-14 Thread Scott Techlist via Postfix-users
ry_protocols=!SSLv2,!SSLv3 smtpd_tls_protocols=!SSLv2,!SSLv3 smtp_tls_protocols=!SSLv2,!SSLv3 tls_preempt_cipherlist = yes

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Sean McBride via Postfix-users
On 14 May 2025, at 12:06, Bill Cole via Postfix-users wrote: >> OTOH that setup doesn't seem so simple in that (AFAICT) neither certbot nor >> acme.sh can generate such a combined file. > > Really? > > $ postconf smtpd_tls_eccert_file > smtpd_tls_

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Jim Seymour via Postfix-users
On Wed, 14 May 2025 08:29:06 +0200 Gregory Kohring via Postfix-users wrote: [snip] > > "All outgoing mail from our network is relayed through a spam > filtering system that may affect how certain TLS negotiation > stages (like 250-STARTTLS) are exposed during the > SMTP

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Bill Cole via Postfix-users
On 2025-05-14 at 11:47:25 UTC-0400 (Wed, 14 May 2025 11:47:25 -0400) Sean McBride via Postfix-users is rumored to have said: On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote: The simplest setup is to have the full chain in a single file referred to by smtpd_tls_cert_file and NO

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Erwan David via Postfix-users
On Wed, May 14, 2025 at 05:47:25PM CEST, Sean McBride via Postfix-users said: > On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote: > > > The simplest setup is to have the full chain in a single file referred to > > by smtpd_tls_cert_file and NO smtpd_tls_chain_fi

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Sean McBride via Postfix-users
On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote: > The simplest setup is to have the full chain in a single file referred to by > smtpd_tls_cert_file and NO smtpd_tls_chain_file. OTOH that setup doesn't seem so simple in that (AFAICT) neither certbot nor acme.sh can gene

[pfx] Re: Rate limit for authenticated users ?

2025-05-14 Thread Matus UHLAR - fantomas via Postfix-users
On 14.05.25 10:37, vom513 via Postfix-users wrote: I see docs on how to rate limit for certain networks / IPs - but can custom rate limiting be applied to authenticated users ? postfwd as policy filter can do that -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning

[pfx] Rate limit for authenticated users ?

2025-05-14 Thread vom513 via Postfix-users
Hello all, I see docs on how to rate limit for certain networks / IPs - but can custom rate limiting be applied to authenticated users ? Thanks.

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Jaroslaw Rafa via Postfix-users
On 14.05.2025 at 20:17:31 Viktor Dukhovni via Postfix-users wrote: > Regardless, indeed it should be possible to find an ISP with a less > invasive policy, though they'd still need to be responsive to spam > complaints and close down SMTP access for customers who violate AUP,

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Jaroslaw Rafa via Postfix-users
On 14.05.2025 at 20:37:40 Matthew J Black via Postfix-users wrote: > - as you are no doubt aware, I had an "interesting" situation where > my email were being turned into html by a service I am no-longer > using. Hopefully this email (which uses a different system/se

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 10:16:50AM +0200, Jaroslaw Rafa via Postfix-users wrote: > On 14.05.2025 at 08:29:06 Gregory Kohring via Postfix-users wrote: > > Unfortunately, this is standard industry practice and cannot be > > disabled." > > Utter bullshit. Doing a M

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-14 Thread Matthew J Black via Postfix-users
ic recreation of the relevant sni map file with the new/renewed LE Certificates. Thank you all - issue(s) resolved, thread (can be) closed. On 14/5/25 15:33, Viktor Dukhovni via Postfix-users wrote: > On Wed, May 14, 2025 at 01:36:09AM +1000, Matthew J Black via Postfix-users wrote: >>> But what d

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Jaroslaw Rafa via Postfix-users
On 14.05.2025 at 08:29:06 Gregory Kohring via Postfix-users wrote: > Unfortunately, this is standard industry practice and cannot be > disabled." Utter bullshit. Doing a MiTM attack (because that's in fact what they do) on your server is a "standard industry p

[pfx] Re: MTA-STS and STARTTLS

2025-05-14 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 08:29:06AM +0200, Gregory Kohring via Postfix-users wrote: > "All outgoing mail from our network is relayed through a spam > filtering system that may affect how certain TLS negotiation stages > (like 250-STARTTLS) are exposed during the SMTP handshake.

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Gregory Kohring via Postfix-users
s your outgoing messages are still being delivered securely, even if 250-STARTTLS isn't explicitly shown during your tests. Unfortunately, this is standard industry practice and cannot be disabled." On 5/13/25 15:13, Gregory Kohring wrote: On 5/13/25 15:04, Viktor Dukhovni via Po

[pfx] Re: Adaptative delivery

2025-05-13 Thread Robert Schetterer via Postfix-users
On 13.05.25 at 19:54, Dmitriy Alekseev via Postfix-users wrote: Postfix not the right tools for doing such filtration, it's MTA, not antispam or reputation system. Fighting outbound spam is not an easy task and requires continuous human resources no matter how your antispam is good,

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 01:36:09AM +1000, Matthew J Black via Postfix-users wrote: > But what do you get with 'openssl s_client -starttls smtp -connect > mail.peregrineit.net:587' - cause I get : The difference is that OpenSSL defaults to sending an SNI extension with the server

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-13 Thread Wietse Venema via Postfix-users
Marvin Renich via Postfix-users: > * Matus UHLAR - fantomas via Postfix-users > [250513 10:08]: > > > Matus UHLAR - fantomas via Postfix-users: > > > > These should not be used globally but only at submission level. > > > > > > > > This can

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Tom Mittelstädt via Postfix-users
On Tue, May 13 2025, 19:28:58 CEST Jaroslaw Rafa wrote via Postfix-users: > Please, please, don't send HTML-only mail to the list. It's a part of > longstanding mailing list etiquette that you don't do this. Some of us are > reading the email in plain text. There is som

[pfx] Re: Adaptative delivery

2025-05-13 Thread Dmitriy Alekseev via Postfix-users
3 May 2025, 19:08 Israel britto via Postfix-users, < postfix-users@postfix.org> wrote: > Hello, > I have a question. I've done a lot of research and haven't found a way to > make Postfix work with adaptive delivery (in an easy way). > I have a small ESP and I can

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Jaroslaw Rafa via Postfix-users
On 13.05.2025 at 23:42:54 Matthew J Black via Postfix-users wrote:

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matus UHLAR - fantomas via Postfix-users
On 13.05.25 23:42, Matthew J Black via Postfix-users wrote: This is really weird - Our Postfix server is presenting old/expired LE TLS Certs, even though we've updated the certs AND restarted Postfix (and Dovecot) (and even rebooted the server) multiple times. I've done

[pfx] Adaptative delivery

2025-05-13 Thread Israel britto via Postfix-users
e a way forward?

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Bill Cole via Postfix-users
On 2025-05-13 at 11:36:09 UTC-0400 (Wed, 14 May 2025 01:36:09 +1000) Matthew J Black via Postfix-users is rumored to have said: Cool - that's what I get But what do you get with 'openssl s_client -starttls smtp -connect mail.peregrineit.net:587' - cause I get : depth=0 CN=

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 05:07:04PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: > any reverse proxy between you and server? > no multiple postfix instances used? Let's not encourage further pointless waste of time. The OP needs to post: $ postconf -nf $ postconf -M

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Tom Mittelstädt via Postfix-users
On Tue, May 13 2025 at 17:19:19 CEST Matthew J Black wrote via Postfix-users: > so if there are suggesting (...) I'm more than happy to hear them and > try them. Please stop sending HTML-only. -- Thanks Tom

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 12:56:34AM +1000, Matthew J Black via Postfix-users wrote: > > There's no magic, Postfix loads certificates and keys from the > > configured locations. > > > > https://www.postfix.org/DEBUG_README.html#mail > > Yeah, I real

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matthew J Black via Postfix-users
4/5/25 01:20, Viktor Dukhovni via Postfix-users wrote: On Tue, May 13, 2025 at 05:07:04PM +0200, Matus UHLAR - fantomas via Postfix-users wrote: any reverse proxy between you and server? no multiple postfix instances used? Let's not encourage further pointless waste of time. The OP needs to p

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matthew J Black via Postfix-users
On 14/5/25 00:08, Matus UHLAR - fantomas via Postfix-users wrote: >> are you sure the proper smtpd_tls_cert_file and smtpd_tls_key_file > are > configured in postfix configuration? > Triple-checked it :-) And as I said, I can't find the old certs on the box anywhere, so even if they

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matthew J Black via Postfix-users
On 14/5/25 01:07, Matus UHLAR - fantomas via Postfix-users wrote: >> On 14/5/25 00:08, Matus UHLAR - fantomas via Postfix-users wrote: >> > >> > are you sure the proper smtpd_tls_cert_file and smtpd_tls_key_file

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matthew J Black via Postfix-users
On 14/5/25 01:12, Viktor Dukhovni via Postfix-users wrote: > On Wed, May 14, 2025 at 12:56:34AM +1000, Matthew J Black via Postfix-users wrote: >>>> There's no magic, Postfix loads certificates and keys from the >>> configured locations. >>>>>> https://w

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matus UHLAR - fantomas via Postfix-users
>> On 14/5/25 00:08, Matus UHLAR - fantomas via Postfix-users wrote: >> > >> > are you sure the proper smtpd_tls_cert_file and smtpd_tls_key_file >> > are >> > configured in postfix configuration? > On Wed, May 14, 2025 at 12:17:29AM +10

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matthew J Black via Postfix-users
On 14/5/25 00:48, Viktor Dukhovni via Postfix-users wrote: > On Wed, May 14, 2025 at 12:17:29AM +1000, Matthew J Black via Postfix-users wrote:

[pfx] Re: Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Wed, May 14, 2025 at 12:17:29AM +1000, Matthew J Black via Postfix-users wrote:

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-13 Thread Marvin Renich via Postfix-users
* Matus UHLAR - fantomas via Postfix-users [250513 10:08]: > > Matus UHLAR - fantomas via Postfix-users: > > > These should not be used globally but only at submission level. > > > > > > This can be achieved by using separate postfix instance for submitted mai

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-13 Thread Matus UHLAR - fantomas via Postfix-users
On 10.05.25 13:32, Ken Biggs via Postfix-users wrote: > So continuing the saga ... digging into /etc/postfix/header_checks I found > a revision I made back in January to try to keep our outgoing email from > having headers with the IP address of the email client that sent the email

[pfx] Postfix Not Refreshing TLS Certs Even After Reboot

2025-05-13 Thread Matthew J Black via Postfix-users

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Gregory Kohring via Postfix-users
On 5/13/25 15:04, Viktor Dukhovni via Postfix-users wrote: On Tue, May 13, 2025 at 02:43:52PM +0200, Gregory Kohring via Postfix-users wrote: posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary "[gmail-smtp-in.l.google.com]" posttls-finger: initializing the c

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 02:43:52PM +0200, Gregory Kohring via Postfix-users wrote: > posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary > "[gmail-smtp-in.l.google.com]" > > posttls-finger: initializing the client-side TLS engine > posttls-finger

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Gregory Kohring via Postfix-users
On 5/13/25 14:16, Viktor Dukhovni via Postfix-users wrote: On Tue, May 13, 2025 at 01:44:14PM +0200, Gregory Kohring via Postfix-users wrote: More likely misconfiguration, or perhaps some middlebox between you and Gmail. Test with: $ posttls-finger -c -F /etc/ssl/cert.pem -lsecure

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 01:44:14PM +0200, Gregory Kohring via Postfix-users wrote: > > More likely misconfiguration, or perhaps some middlebox between you and > > Gmail. Test with: > > > > $ posttls-finger -c -F /etc/ssl/cert.pem -lsecure -Lsummary > >

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Gregory Kohring via Postfix-users
On 5/13/25 13:10, Viktor Dukhovni via Postfix-users wrote: On Tue, May 13, 2025 at 12:23:40PM +0200, Gregory Kohring via Postfix-users wrote: Gmails MTA-STS policy says that all mails sent to google must be over TLS. No, it says no such thing, rather it provides the parameters necessary

[pfx] Re: MTA-STS and STARTTLS

2025-05-13 Thread Viktor Dukhovni via Postfix-users
On Tue, May 13, 2025 at 12:23:40PM +0200, Gregory Kohring via Postfix-users wrote: > Gmails MTA-STS policy says that all mails sent to google must be over TLS. No, it says no such thing, rather it provides the parameters necessary to upgrade from opportunistic TLS to MTA-STS when the cli

[pfx] MTA-STS and STARTTLS

2025-05-13 Thread Gregory Kohring via Postfix-users
this works. I would be thankful for any clarifications. Thanks, Greg

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Nick Tait via Postfix-users
On 11/05/2025 07:45, Dmitriy Alekseev via Postfix-users wrote: You can drop received header without dedicated postfix, just do it with milter instead. Rspamd can do it for you with very small Lua script, and do SPF/DKIM/DMARC & ARC all together. This discussion has reminded me of an op

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Dmitriy Alekseev via Postfix-users
You can drop received header without dedicated postfix, just do it with milter instead. Rspamd can do it for you with very small Lua script, and do SPF/DKIM/DMARC & ARC all together. -- *Best Regards,* Dmitriy Alekseev DevOps Engineer On Sat, 10 May 2025, 21:37 Ken Biggs via Postfix-u

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Ken Biggs via Postfix-users
e. I like having my own server and managing the install from the operating system up, so maybe I just have to live with some spam filtering of our outgoing email. > On May 10, 2025, at 2:29 PM, Wietse Venema via Postfix-users > wrote: > > Matus UHLAR - fantomas via Postfix-use

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Wietse Venema via Postfix-users
Matus UHLAR - fantomas via Postfix-users: > On 10.05.25 13:32, Ken Biggs via Postfix-users wrote: > > So continuing the saga ... digging into /etc/postfix/header_checks I found > > a revision I made back in January to try to keep our outgoing email from > > having headers w

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Matus UHLAR - fantomas via Postfix-users
On 10.05.25 13:32, Ken Biggs via Postfix-users wrote: So continuing the saga ... digging into /etc/postfix/header_checks I found a revision I made back in January to try to keep our outgoing email from having headers with the IP address of the email client that sent the email to the server

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Bill Cole via Postfix-users
On 2025-05-10 at 14:51:36 UTC-0400 (Sat, 10 May 2025 20:51:36 +0200) Dmitriy Alekseev via Postfix-users is rumored to have said: Can you say why do you drop Mime-Version header? This should never be done! Indeed. It is also worth noting that missing that header in a MIME message correlates

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Dmitriy Alekseev via Postfix-users
Can you say why do you drop Mime-Version header? This should never be done! You can without issues drop some received header, but your regex is bad. On Sat, 10 May 2025, 20:33 Ken Biggs via Postfix-users, < postfix-users@postfix.org> wrote: > So continuing the saga ... digging into /et

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Ken Biggs via Postfix-users
main.cf DKIM still appears to work properly. So, looks like I probably broke it back in January. Gack ... apparently I didn't test that revision correctly and it was rewriting incoming email headers. -Ken > On May 10, 2025, at 1:06 PM, Scott Kitterman via Postfix-users > wrote: >

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Scott Kitterman via Postfix-users
On May 10, 2025 5:57:34 PM UTC, Dan Mahoney via Postfix-users wrote: >Mime-version was listed as a signed header but was absent. > >I suspect his header checks cleaned that out. > >Note that having a header listed in the H equals list, but having that header >be absent is

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Dan Mahoney via Postfix-users
there. especially for a mailing list generator that presumably generates lots of the same thing. -Dan Sent from my iPhone > On May 10, 2025, at 09:41, Matus UHLAR - fantomas via Postfix-users > wrote: > >  >> >> Dnia 9.05.2025 o godz. 16:18:35 Matus UHLAR - fa

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Matus UHLAR - fantomas via Postfix-users
On 9.05.2025 at 16:18:35 Matus UHLAR - fantomas via Postfix-users wrote: I use pyspf-milter which is from the same package I believe (python, there's also perl version policyd-spf) and it only accepts/rejects e-mail and adds Authentication-Results: header. On 09.05.25 16:41, Jar

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Ken Biggs via Postfix-users
! The users on this mailing list are amazing! -Ken > On May 9, 2025, at 11:07 PM, Nick Tait via Postfix-users > wrote: > > On 10/05/2025 15:29, Nick Tait via Postfix-users wrote: >> But of course if the first scenario still exhibits the issue, then that >> probably dis

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-10 Thread Nick Tait via Postfix-users
On 10/05/2025 08:23, Ken Biggs via Postfix-users wrote: Return-Path: X-Original-To:x...@xxx.com Delivered-To:y...@yyy.jkbiggs.com Received: from mail-qk1-f169.google.com (mail-qk1-f169.google.com [209.85.222.169]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Ken Biggs via Postfix-users
HI Nick, I had cut and pasted from the "Raw Source" view in mac Mail, but double checked in the spool file and those are the headers received in that order. Thanks, Ken > On May 9, 2025, at 7:27 PM, Nick Tait via Postfix-users > wrote: > > On 10/05/2025 08:23, Ken B

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Dan Mahoney via Postfix-users
If any of those mailing lists are open, regular lists that I could be subscribed to, for testing, I’d be happy to try to do so to validate this for you. -Dan > On May 9, 2025, at 21:07, Nick Tait via Postfix-users > wrote: > > On 10/05/2025 15:29, Nick Tait via Postfix-users w

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Nick Tait via Postfix-users
On 10/05/2025 15:29, Nick Tait via Postfix-users wrote: But of course if the first scenario still exhibits the issue, then that probably disproves my theory immediately? Just thinking a bit more about this... If the first test fails, then you can compare the headers and body in the received

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Nick Tait via Postfix-users
On 10/05/2025 14:09, Ken Biggs via Postfix-users wrote: HI Nick, I had cut and pasted from the "Raw Source" view in mac Mail, but double checked in the spool file and those are the headers received in that order. Thanks, Ken Thanks for confirming. My set-up is very similar to

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Phil Stracchino via Postfix-users
On 5/9/25 16:23, Ken Biggs via Postfix-users wrote: Hi Matus, I commented out policyd-spf and still am getting DKIM failure from google.com <http://google.com/>. Here are maillog entries from a gmail test: May 9 15:11:36 xxx postfix/smtpd[815073]: connect from mail-qk1-f169.goog

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Ken Biggs via Postfix-users
28d-- A lot (but not all) of the failed DKIM validation emails are from mailing lists. -Ken > On May 9, 2025, at 9:18 AM, Matus UHLAR - fantomas via Postfix-users > wrote: > > On 09.05.25 08:14, Ken Biggs via Postfix-users wrote: >> Looking at the maillog, I notice policyd-spf

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Ken Biggs via Postfix-users
Hi Benny, Yes, our outgoing emails are signed and validate properly. The incoming email DKIM signature validation is our current issue. Thanks, Ken > On May 9, 2025, at 10:17 AM, Benny Pedersen via Postfix-users > wrote: > > Matus UHLAR - fantomas via Postfix-users skrev den 2

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Benny Pedersen via Postfix-users
Matus UHLAR - fantomas via Postfix-users wrote on 2025-05-09 16:18: On 09.05.25 08:14, Ken Biggs via Postfix-users wrote: Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation? it should not. I use pyspf-milter

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Matus UHLAR - fantomas via Postfix-users
On 09.05.25 08:14, Ken Biggs via Postfix-users wrote: Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation? it should not. I use pyspf-milter which is from the same package I believe (python, there's also

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Jaroslaw Rafa via Postfix-users
On 9.05.2025 at 16:18:35 Matus UHLAR - fantomas via Postfix-users wrote: > I use pyspf-milter which is from the same package I believe (python, > there's also perl version policyd-spf) and it only accepts/rejects > e-mail and adds Authentication-Results: header. That

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Ken Biggs via Postfix-users
omehow. I'm not using smtp proxy and I don't believe I have any content filter set up. I've tried running opendkim as the only milter (commenting out opendmarc and spamassassin). There were no changes to validation results. > On May 9, 2025, at 6:17 AM, Matus UHLAR - fantom

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Ken Biggs via Postfix-users
Looking at the maillog, I notice policyd-spf is running before opendkim. Could that be modifying the email before dkim validation? > On May 9, 2025, at 8:04 AM, Ken Biggs via Postfix-users > wrote: > > I'm running spamass-milter. > /etc/mail/spamassassin/v312.pre al

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Matus UHLAR - fantomas via Postfix-users
On 09.05.25 12:58, Dmitriy Alekseev via Postfix-users wrote: Did you maybe consider spinning up rspamd proxy + normal instead of sa+opendkim+opendmarc? Even if you do not move to rspamd in the end, you will at least get what the issue relates to. It is useless to honestly try to analyze eml with

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Dmitriy Alekseev via Postfix-users
broken, because now it's definitely broken ;) On Fri, 9 May 2025, 09:30 Matus UHLAR - fantomas via Postfix-users, < postfix-users@postfix.org> wrote: > On 08.05.25 15:06, Ken Biggs via Postfix-users wrote: > > OpenDKIM is failing signature verification on most incoming emails.

[pfx] Re: Incoming OpenDKIM signature verification failing

2025-05-09 Thread Matus UHLAR - fantomas via Postfix-users
On 08.05.25 15:06, Ken Biggs via Postfix-users wrote: OpenDKIM is failing signature verification on most incoming emails. Out of 1,146 incoming emails, 173 have been successfully verified and 973 have "bad signature data". The failing emails include email from google, amazon, sai

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Carl Brewer via Postfix-users
On 9/05/2025 10:49 am, Viktor Dukhovni via Postfix-users wrote: On Fri, May 09, 2025 at 10:18:19AM +1000, Carl Brewer via Postfix-users wrote: I changed it to this : smtpd_tls_security_level = may smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/fullchain.pem

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Viktor Dukhovni via Postfix-users
On Fri, May 09, 2025 at 10:18:19AM +1000, Carl Brewer via Postfix-users wrote: > I changed it to this : > > smtpd_tls_security_level = may > smtpd_tls_cert_file = > /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/fullchain.pem > smtpd_tls_key_file = > /usr/local

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Carl Brewer via Postfix-users
thing as long as the certs are in the correct order. -Dan On May 8, 2025, at 15:34, Carl Brewer via Postfix-users wrote: Hi, I've been running postscript on a FreeBSD 13.x server with Letsencrypt running as a cron job to keep SSL certs up to date automagically : in main.cf : smt

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Carl Brewer via Postfix-users
On 9/05/2025 10:06 am, Carl Brewer via Postfix-users wrote: On 9/05/2025 9:08 am, Dan Mahoney wrote: There’s only one certificate in your chain, you need to send the intermediate cert as well. The cert you’re signing with isn’t trusted by browsers. Certificate chain   0 s:CN = rollcage13

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Dan Mahoney via Postfix-users
your cert chain, it will do the right thing as long as the certs are in the correct order. -Dan > On May 8, 2025, at 15:34, Carl Brewer via Postfix-users > wrote: > > > Hi, > > I've been running postscript on a FreeBSD 13.x server with Letsencrypt > runnin

[pfx] Re: SSL cert authority, letsencrypt error

2025-05-08 Thread Ken Biggs via Postfix-users
You will want the domain certificate first, then the certificate authority bundle in a pem file. > On May 8, 2025, at 6:08 PM, Dan Mahoney via Postfix-users > wrote: > > There’s only one certificate in your chain, you need to send the intermediate > cert as well. > > Th

[pfx] SSL cert authority, letsencrypt error

2025-05-08 Thread Carl Brewer via Postfix-users
I'm no wizz when it comes to SSL setups, and am pretty rusty here.
