Postfix - Check SPF for outgoing email

2021-02-01 Thread Jonathan Sélea
Hi everyone, We currently have a webhosting-environment with many websites. Those websites are capable of sending email (obviously) via the local SMTP function. But sometimes, some of the websites are compromised and used to send quite a lot of spam from the websites - often using random domains.

Re: way to test delivery to me

2021-02-01 Thread patpro
January 31, 2021 10:29 PM, "Viktor Dukhovni" wrote: > On Sun, Jan 31, 2021 at 07:15:05PM +0100, Patrick Proniewski wrote: > >> fixed: >> >> $ telnet mail.patpro.net 25 >> Trying 193.30.227.216... >> Connected to mail.patpro.net. >> Escape character is '^]'. >> 220-rack.patpro.net Do not say any

Re: way to test delivery to me

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 09:54:47AM +, pat...@patpro.net wrote: > > but more importantly, your DNSSEC implementation is FUBAR: > > I've chosen to go with huge keys from the start to be "future proof", > not so smart I guess. Yes, turned out to just be a source of problems, with no benefit. >

Re: Postfix - Check SPF for outgoing email

2021-02-01 Thread Ahsan Khan
Hi Jonathan, Can you not restrict the SMTP relay to allow only those allowed servers and reject emails from all other sites? Or maybe allow only specific domains to relay through. Regards Ahsan On Mon, Feb 1, 2021 at 3:02 PM Jonathan Sélea wrote: > Hi everyone, > > We currently have a webhos

Re: Postfix - Check SPF for outgoing email

2021-02-01 Thread Matus UHLAR - fantomas
On 01.02.21 10:32, Jonathan Sélea wrote: We currently have a webhosting-environment with many websites. Those websites are capable of sending email (obviously) via the local SMTP function. But sometimes, some of the websites are compromised and used to send quite a lot of spam from the websites -

Re: spamcop has been taken

2021-02-01 Thread Håkon Alstadheim
On 31.01.2021 14:20, natan wrote: Hi For users who use spamcop in postfix RBL list. Domain is lost or has been taken https://t.co/4Skoy0JjmQ First: why the spammy look on your mail? I mean "Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: b

Re: way to test delivery to me

2021-02-01 Thread patpro
February 1, 2021 11:07 AM, "Viktor Dukhovni" wrote: > On Mon, Feb 01, 2021 at 09:54:47AM +, pat...@patpro.net wrote: > >> What would be the main steps to renew keys with best practice in mind >> (algorithm 13 with ECDSA P256 keys)? I'm trying and find a good >> how-to but most are quite old

Re: way to test delivery to me

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 12:09:38PM +, pat...@patpro.net wrote: > I do run BIND 9.16.x and I've just read a few things about > dnssec-keymgr and dnssec-policy.conf that I need to dig in > (https://www.sidn.nl/en/dnssec/dnssec-signatures-in-bind-named). Good luck, feel free to post your experie

Re: way to test delivery to me

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 12:09:38PM +, pat...@patpro.net wrote: > It's a risk I can take if I'm stuck but I'm willing to try the dual-sign > method. I should mention that given the humongous sizes of your current signatures, dual signing will make things noticeably worse in the meantime, unle

Re: rejecting 'fancy' TLDs, allowing a specified one ?

2021-02-01 Thread @lbutlr
On 30 Jan 2021, at 11:20, Phil Stracchino wrote: > On 12/18/20 8:38 AM, @lbutlr wrote: >> I do this: >> >> /.*automators\.fm$/ DUNNO >> /.*counter\.social/ DUNNO >> /.*ometria.email/ DUNNO >> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ >>

Re: Reverse canonical for a certain receiver domain only?

2021-02-01 Thread Gerben Wierda
Gerben Wierda (LinkedIn) R&A Enterprise Architecture (main site) Book: Chess and the Art of Enterprise Architecture Book: Mastering ArchiMate > On 28 Jan 2021, a

Re: Reverse canonical for a certain receiver domain only?

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 03:43:55PM +0100, Gerben Wierda wrote: > > Yes, at the cost of a dedicated transport whose master.cf entry contains > > an override for smtp_generic_maps: > > > >master.cf: > >mycanon unix ... smtp > >-o smtp_generic_maps=$mycanon_generic_maps > >

Re: Reverse canonical for a certain receiver domain only?

2021-02-01 Thread Gerben Wierda
> On 1 Feb 2021, at 16:12, Viktor Dukhovni wrote: > > On Mon, Feb 01, 2021 at 03:43:55PM +0100, Gerben Wierda wrote: > >>> Yes, at the cost of a dedicated transport whose master.cf entry contains >>> an override for smtp_generic_maps: >>> >>> master.cf: >>> mycanon unix ... smtp >>>

Re: way to test delivery to me

2021-02-01 Thread Patrick Proniewski
On 01 Feb 2021, at 13:38, Viktor Dukhovni wrote: > > On Mon, Feb 01, 2021 at 12:09:38PM +, pat...@patpro.net wrote: > >> It's a risk I can take if I'm stuck but I'm willing to try the dual-sign >> method. > > I should mention that given the humongous sizes of your current > signatures, dua

Re: bl.spamcop.net false positives

2021-02-01 Thread Gerald Galster
>> Given the ip 1.2.3.4 - if postfix is configured to query the spamcop >> blacklist then a dns query like this is issued: >> >> [gerry@noc ~]$ dig 4.3.2.1.bl.spamcop.net >> [...] >> ;; ANSWER SECTION: >> 4.3.2.1.bl.spamcop.net. 300 IN A 91.195.240.87 > > But isn't this a comm

srs rewrite

2021-02-01 Thread Tim Coote
Hullo I’ve been running my email domain using postfix for most, possibly all of this century. Recently, I’ve had to add in the SPF/DMARC capabilities, and postsrsd to rewrite the return addresses of forwarded email. I do have a number of users who forward using the Unix ~/.forward mechanism. R

Re: Postfix - Check SPF for outgoing email

2021-02-01 Thread Scott Kitterman
On Monday, February 1, 2021 4:32:21 AM EST Jonathan Sélea wrote: > Hi everyone, > > We currently have a webhosting-environment with many websites. Those > websites are capable of sending email (obviously) via the local SMTP > function. > But sometimes, some of the websites are compromised and used t

Re: srs rewrite

2021-02-01 Thread Bill Cole
On 1 Feb 2021, at 14:35, Tim Coote wrote: Hullo I’ve been running my email domain using postfix for most, possibly all of this century. Recently, I’ve had to add in the SPF/DMARC capabilities, and postsrsd to rewrite the return addresses of forwarded email. I do have a number of users who fo

Address rewrite and DKIM (was: sender rewrite for specific receiver domain)

2021-02-01 Thread Gerben Wierda
What I am trying to do is create a ‘reverse alias’ (next to an alias). The alias must be used when mail is sent to a specific domain. > On 1 Feb 2021, at 17:59, Gerben Wierda wrote: > > master.cf gets: > > mycanon unix - - y - - smtp > -o smtp_generic_m

Re: bl.spamcop.net false positives

2021-02-01 Thread Jaroslaw Rafa
On 1.02.2021 at 20:31:51, Antonio Leding wrote: > > That aside, IMHO, this is a huge screw-up for SC - not even in the > realm of acceptable… On the other hand, why did the domain registrar put a blanket entry for *.spamcop.net pointing to their server's IP when the domain expired instead

Re: bl.spamcop.net false positives

2021-02-01 Thread Antonio Leding
On the other hand, why did the domain registrar put a blanket entry for *.spamcop.net pointing to their server's IP when the domain expired instead of just returning NXDOMAIN? Well, this could also have been a screw-up by SC and if so, I would view that as merely part of the same set of mista

Re: Address rewrite and DKIM (was: sender rewrite for specific receiver domain)

2021-02-01 Thread Viktor Dukhovni
On Mon, Feb 01, 2021 at 10:21:32PM +0100, Gerben Wierda wrote: > What I suspect here is that DKIM is the problem. As trivial-rewrite > changes the message, the DKIM signature is no longer valid. @gmail.com > reports the fail (spf is OK) but delivers anyway. Office365 is more > strict it seems. In

Re: bl.spamcop.net false positives

2021-02-01 Thread Gerald Galster
>> That aside, IMHO, this is a huge screw-up for SC - not even in the >> realm of acceptable… > > On the other hand, why did the domain registrar put a blanket entry for > *.spamcop.net pointing to their server's IP when the domain expired instead of > just returning NXDOMAIN? Because you can't m

Re: bl.spamcop.net false positives

2021-02-01 Thread Antonio Leding
Great points - my view from earlier was that it really isn’t the registrar’s job to make sure someone’s doing is cfg’d properly. I would much rather have the registrar take a more hand-off approach to configuring domains rather than the alternative. Just imagine registrars who try and poke th