[pfx] Re: Sanity check for check_sasl_access

On Wed, 5 Feb 2025 at 11:06, Allen Coates via Postfix-users < postfix-users@postfix.org> wrote: > > In my access lists I have found that 0.0.0.0/0 matches every IPv4 > address, and ::/0 matches every IPv6 address. > > (Unless, of course you are expressly testing for a specific IP address) > I se

[pfx] Re: Sanity check for check_sasl_access

On 05/02/2025 10:50, Gilgongo via Postfix-users wrote: > > And have the following in my access file: > > user1 192.x.x.x     PERMIT > user1 2001:x:x:x::x PERMIT > user1 REJECT > > In my access lists I have found that  0.0.0.0/0 matches every IPv4 address, and ::/0 matches every

[pfx] Re: Sanity check for check_sasl_access

On Wed, 5 Feb 2025 at 09:32, Gilgongo wrote: > I just wanted to make sure I've read the docs > correctly. > I'd like to restrict a couple of sasl users by IP4/6 (I can't test this on > my sandbox setup), so if I have this in my master.cf

[pfx] Re: Sanity check/suggestions appreciated

On Tue, 11 Jun 2024 at 16:14, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: > If you need permit_mx_backup, that means postfix doesn't have a > clear idea of domains it is responsible for. > > Please read and study: > http://www.postfix.org/BASIC_CONFIGURATION_README.html > > my

[pfx] Re: Sanity check/suggestions appreciated

On 6/11/2024 4:05 AM, Gilgongo via Postfix-users wrote: On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users mailto:postfix-users@postfix.org>> wrote: You should remove permit_mx_backup. This feature is intended for ISP-scale users that may not have a complete list of domains

[pfx] Re: Sanity check/suggestions appreciated

On Tue, 11 Jun 2024 at 11:52, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > On 11.06.24 11:02, Gilgongo via Postfix-users wrote: > >OK so I assume I can use the IP address of the primary and secondary MX > >servers, since all our domains are hosted on those IPs. >

[pfx] Re: Sanity check/suggestions appreciated

>BTW in the meantime, if I add this (where mx2.mydomain.com is our >secondary MX hostname), I take it that would be a good idea: > >permit_mx_backup_networks = $mynetworks mx2. mydomain.com On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrot

[pfx] Re: Sanity check/suggestions appreciated

On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > > >BTW in the meantime, if I add this (where mx2.mydomain.com is our > secondary > >MX hostname), I take it that would be a good idea: > > > >permit_mx_backup_networks = $mynetworks mx2. my

[pfx] Re: Sanity check/suggestions appreciated

On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: You should remove permit_mx_backup. This feature is intended for ISP-scale users that may not have a complete list of domains that use their server as a backup MX. In this case, permit_mx_backup_netwo

[pfx] Re: Sanity check/suggestions appreciated

On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: > You should remove permit_mx_backup. > > This feature is intended for ISP-scale users that may not have a > complete list of domains that use their server as a backup MX. In > this case, permit_mx_backu

[pfx] Re: Sanity check/suggestions appreciated

On 6/10/2024 12:10 PM, Gilgongo via Postfix-users wrote: On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users > wrote: 3. smtpd_recipient_restrictions = permit_mx_backup avoid this whenever possible. Or at least define permit

[pfx] Re: Sanity check/suggestions appreciated

On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > > 3. > smtpd_recipient_restrictions = permit_mx_backup > > avoid this whenever possible. Or at least define permit_mx_backup_networks > > Thanks - I forgot to ask about this. Am I right in

[pfx] Re: Sanity check/suggestions appreciated

On 2024-06-10 at 10:34:09 UTC-0400 (Mon, 10 Jun 2024 16:34:09 +0200) Matus UHLAR - fantomas via Postfix-users is rumored to have said: >>> On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < >>> postfix-users@postfix.org> wrote: why not postscreen for this purpose? > >> On 2024-06-1

[pfx] Re: Sanity check/suggestions appreciated

On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: why not postscreen for this purpose? On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100) Gilgongo via Postfix-users is rumored to have said: Thanks - I thought about postscreen, bu

[pfx] Re: Sanity check/suggestions appreciated

On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100) Gilgongo via Postfix-users is rumored to have said: On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: why not postscreen for this purpose? Thanks - I thought about postscreen,

[pfx] Re: Sanity check/suggestions appreciated

On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: > why not postscreen for this purpose? > Thanks - I thought about postscreen, but wasn't sure if it would be overkill for such a small server? Could look again though. __

[pfx] Re: Sanity check/suggestions appreciated

On 10.06.24 12:27, Gilgongo via Postfix-users wrote: Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4) config is pretty old and confusing, and may not be doing things we want. So I'd like to re-jig it. Here's how I think I'd like to have it: 1. Incoming mail (not from $mynetw

[pfx] Re: Sanity check/suggestions appreciated

why not postscreen for this purpose? BTW I'm using a script (policyd.pl ) that does weighted scoring for RBLs (as well as SPF), which I'd prefer rather than doing that with Postfix directly. ___ Postfix-users mailing list -- post

Re: Sanity Check Request: smtpd_*_restrictions

On 5/17/2022 9:14 AM, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: This is part of what I plan to put on our new MTA (Postfix only) and MDA (Postfix/Dovecot) servers. Please tell me if I am doing anything foolish / dangerous. My concern is whether I should put "permit_mynetworks" higher in the se

Re: [EXTERNAL] Re: Sanity Check Request: smtpd_*_restrictions

Excellent points. And thanks for the access list tip. I will lose the final reject from client and relay and exclude the MX servers from mynetworks Thanks. On 5/17/22, 11:54, "owner-postfix-us...@postfix.org on behalf of Matus UHLAR - fantomas" wrote: >> > smtpd_client_restrictions =

Re: Sanity Check Request: smtpd_*_restrictions

> smtpd_client_restrictions = you'll block incoming mail with last reject. This is right off of http://www.postfix.org/SMTPD_ACCESS_README.html#lists /etc/postfix/main.cf: # Allow connections from trusted networks only. smtpd_client_restrictions = permit_mynetworks, reject On 17.05.22 1

Re: Sanity Check Request: smtpd_*_restrictions

> > smtpd_client_restrictions = > you'll block incoming mail with last reject. This is right off of http://www.postfix.org/SMTPD_ACCESS_README.html#lists /etc/postfix/main.cf: # Allow connections from trusted networks only. smtpd_client_restrictions = permit_mynetworks, reject I only per

Re: Sanity Check Request: smtpd_*_restrictions

On 17.05.22 15:14, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: This is part of what I plan to put on our new MTA (Postfix only) and MDA (Postfix/Dovecot) servers. Please tell me if I am doing anything foolish / dangerous. My concern is whether I should put "permit_mynetworks" higher in the sende

Re: sanity-check postfix XCLIENT usage ?

On 23/10/2020 09:27, Nick Tait wrote: On 22/10/20 6:13 am, PGNet Dev wrote: Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records, (1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the

Re: sanity-check postfix XCLIENT usage ?

On 23/10/20 2:26 pm, Bob Proulx wrote: The tragicomical thing is that Gmail does follow policy and when the policy of the sending site is strict DMARC and the mailing list does not rewrite then Gmail subscribers to mailing lists will get automatically unsubscribed when/if the bounce ratio exceeds

Re: sanity-check postfix XCLIENT usage ?

On 22/10/20 6:13 am, PGNet Dev wrote: Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records, (1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the specific intuit.com case above, that w

Re: sanity-check postfix XCLIENT usage ?

et of message headers in this ordering, From: Reply-To: Resent-From: To: Cc: Mail-Followup-To: Subject: Date:) Date: Thu, 22 Oct 2020 19:17:35 -0400 (EDT) From: Wietse Venema To: Postfix users Subject: Re: sanity-check postfix XCLIENT usage ? Reply-To: Postfix users :-) > W

Re: sanity-check postfix XCLIENT usage ?

On 22 Oct 2020, at 17:17, Wietse Venema wrote:= > > Demi M. Obenour: >> That's because MUAs display the From: header, not the envelope address. >> DMARC is aimed at preventing spoofing. If someone sends a message >> that claims to be from me, but is not, that could damage my reputation >> or wor

Re: sanity-check postfix XCLIENT usage ?

Demi M. Obenour: > That's because MUAs display the From: header, not the envelope address. > DMARC is aimed at preventing spoofing. If someone sends a message > that claims to be from me, but is not, that could damage my reputation > or worse. If GMail had p=reject, such a message would be droppe

Re: sanity-check postfix XCLIENT usage ?

On 10/22/20 3:35 PM, Bob Proulx wrote: > Demi M. Obenour wrote: >> Viktor Dukhovni wrote: Demi M. Obenour wrote: This is really a security hole in gmail. Given the popularity of gmail, however, I seriously suggest somehow treating gmail as if it had p=reject, as it should. >>>

Re: sanity-check postfix XCLIENT usage ?

Demi M. Obenour wrote: > Viktor Dukhovni wrote: > >> Demi M. Obenour wrote: > >> This is really a security hole in gmail. Given the popularity of > >> gmail, however, I seriously suggest somehow treating gmail as if it > >> had p=reject, as it should. > > No it should not have "p=reject" that's o

Re: sanity-check postfix XCLIENT usage ?

On 10/22/20 12:25 PM, Viktor Dukhovni wrote: >> On Oct 22, 2020, at 2:11 PM, Demi M. Obenour wrote: >> >> I know :( >> >> This is really a security hole in gmail. Given the popularity of >> gmail, however, I seriously suggest somehow treating gmail as if it >> had p=reject, as it should. > No it

Re: sanity-check postfix XCLIENT usage ?

> On Oct 22, 2020, at 2:11 PM, Demi M. Obenour wrote: > > I know :( > > This is really a security hole in gmail. Given the popularity of > gmail, however, I seriously suggest somehow treating gmail as if it > had p=reject, as it should. No it should not have "p=reject" that's only for sites th

Re: sanity-check postfix XCLIENT usage ?

On 10/22/20 3:23 AM, Bastian Blank wrote: > Hi name less > > On Wed, Oct 21, 2020 at 10:13:54AM -0700, PGNet Dev wrote: >> I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok. >> I've cranked up opendmarc logging level to >> MilterDebug 5 >> with that, on failed attem

Re: sanity-check postfix XCLIENT usage ?

Hi name less On Wed, Oct 21, 2020 at 10:13:54AM -0700, PGNet Dev wrote: > I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok. > I've cranked up opendmarc logging level to > MilterDebug 5 > with that, on failed attempt, I see only an unhelpful > Oct 21 09:43:39

Re: sanity-check postfix XCLIENT usage ?

On 22/10/2020 00:39, PGNet Dev wrote: On 10/21/20 4:31 PM, Wietse Venema wrote: PGNet Dev: Two questions: clear. i'll focus just on just the dmarc bits. both debugging opendmarc, and replacing it with another option to see if behavior changes. xclient's extremely helpful in any case.

Re: sanity-check postfix XCLIENT usage ?

On 10/21/20 4:31 PM, Wietse Venema wrote: PGNet Dev: Two questions: clear. i'll focus just on just the dmarc bits. both debugging opendmarc, and replacing it with another option to see if behavior changes. xclient's extremely helpful in any case.

Re: sanity-check postfix XCLIENT usage ?

PGNet Dev: > Two questions: > > (1) my postfix config includes, > > strict_rfc821_envelopes = yes > > the FROM: & RCPT TO: addressed i inject, as well as those in the originally > sent mail, appear to be compliant. > > is there _more_ that strict restriction that might be relevant? Post

Re: sanity-check postfix XCLIENT usage ?

On 10/21/20 11:13 AM, Wietse Venema wrote: If your XCLIENT arguments match Postfix logging, including the name and IP address info they do and you used HELO or EHLO depending on Postfix's proto= logging proto=ESMTP, so I used EHLO then I think that the Postfix SMTP daemon cannot distingui

Re: sanity-check postfix XCLIENT usage ?

If your XCLIENT arguments match Postfix logging, including the name and IP address info and you used HELO or EHLO depending on Postfix's proto= logging, then I think that the Postfix SMTP daemon cannot distinguish between a real intuit.com connection and one made with XCLIENT. That leaves the poss

RE: Sanity check - of my postfix setup.

: Tuesday, May 09, 2017 9:40 AM To: postfix users Subject: Re: Sanity check - of my postfix setup. I had similar issues and my Maildir was misnamed. I solved it by making a link from the existing name to the correct name. On 05/09/2017 07:36 AM, Noel Jones wrote: > On 5/9/2017 6:59 AM, John wr

Re: Sanity check - of my postfix setup.

I had similar issues and my Maildir was misnamed. I solved it by making a link from the existing name to the correct name. On 05/09/2017 07:36 AM, Noel Jones wrote: On 5/9/2017 6:59 AM, John wrote: As Andreas pointed out it might help is I outlined the problem. I am losing mail, it just disa

Re: Sanity check - of my postfix setup.

On 5/9/2017 6:59 AM, John wrote: > As Andreas pointed out it might help is I outlined the problem. > > I am losing mail, it just disappears. Postfix seems to deliver it, > hands it off the dovecot LMTP and then shows "removed" > > Dovecot shows ... : saved to INBOX. Both postfix and dovecot are

Re: Sanity check - of my postfix setup.

As Andreas pointed out it might help is I outlined the problem. I am losing mail, it just disappears. Postfix seems to deliver it, hands it off the dovecot LMTP and then shows "removed" Dovecot shows ... : saved to INBOX. But messages disappear. I am deeply suspicious of the Dovecot/Thunderb

Re: Sanity check

On 2/19/2015 8:18 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 14:11 schrieb John: On 2/19/2015 7:48 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wro

Re: Sanity check

Am 19.02.2015 um 14:11 schrieb John: On 2/19/2015 7:48 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydo

Re: Sanity check

On 2/19/2015 7:48 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /roo

Re: Sanity check

Am 19.02.2015 um 13:22 schrieb John: On 2/19/2015 6:49 AM, Richard James Salts wrote: On Thu, 19 Feb 2015 06:32:29 John wrote: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are th

Re: Sanity check

Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any

Re: Sanity check

On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need clie

Re: Sanity check

On 2/19/2015 6:49 AM, Richard James Salts wrote: On Thu, 19 Feb 2015 06:32:29 John wrote: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need

Re: Sanity check

On Thu, 19 Feb 2015 06:32:29 John wrote: > On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: > >> smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem > >> smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key > > > > Are there any destinations for which you need client certs to gain > > access?

Re: Sanity check

Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need client certs to gain access? If not set these empt

Re: Sanity check

On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need client certs to gain access? If not set these empty. I thought these were needed for TLS

Re: Sanity check

On Tue, Feb 17, 2015 at 07:07:04AM -0500, Wietse Venema wrote: > Viktor Dukhovni: > > > submission inet n - n - 30 smtpd > > > -o syslog_name=postfix/submission > > > -o smtpd_tls_wrappermode=no > > > > Postfix 3.0? (smtpd_tls_wrappermode is new with 3.0 IIRC, just

Re: Sanity check

On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: On Mon, Feb 16, 2015 at 09:46:17PM -0500, John Allen wrote: smtp_dns_support_level = dnssec smtp_tls_security_level = dane Givent he above, the following are pointless: smtp_tls_enforce_peername = no A Postfix 2.2 parameter Obsoleted by smt

Re: Sanity check

Viktor Dukhovni: > > submission inet n - n - 30 smtpd > > -o syslog_name=postfix/submission > > -o smtpd_tls_wrappermode=no > > -o smtpd_tls_security_level=encrypt > > -o smtpd_sasl_auth_enable=yes > > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject >

Re: Sanity check

On Mon, Feb 16, 2015 at 09:46:17PM -0500, John Allen wrote: > smtp_dns_support_level = dnssec > smtp_tls_security_level = dane Givent he above, the following are pointless: > smtp_tls_enforce_peername = no A Postfix 2.2 parameter Obsoleted by smtp security levels. Remove from main.cf.

Re: sanity check

Noel Jones: > On 3/13/2010 10:38 PM, Adam Lanier wrote: > > I've inherited a relatively large Postfix installation. Servers have a > > range of Postfix versions from 2.1.1 to 2.6.5. Master.cf and main.cf are > > included below. > > > > The inbound mail gateways are connected to the internet beh

Re: sanity check

* Adam Lanier : > inet_interfaces = all > inet_interfaces = all Remove the duplication > smtpd_banner = *l10ESMTP Leave the default. > smtpd_recipient_limit = 50 What is the idea behind this? > smtpd_client_restrictions = reject_unauth_destination, > reject_un

Re: sanity check

On 3/13/2010 10:38 PM, Adam Lanier wrote: I've inherited a relatively large Postfix installation. Servers have a range of Postfix versions from 2.1.1 to 2.6.5. Master.cf and main.cf are included below. The inbound mail gateways are connected to the internet behind a load-balancing switch.