>
> Bob Proulx:
> Instead of Forward-Reverse-DNS matching the newer Best Practice is to
> set up SPF, DKIM, DMARC for your own outgoing mail and other
> anti-abuse for incoming mail.
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
Thu, 11 Feb 2021 at 08:46, Coope
On 11/02/2021 09:32, Eugene Podshivalov wrote:
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
I would say not. I quarantine DMARC failures but do not reject - there
are still fps because of misconfiguration by senders or mailing lists
that are not DMARC-friend
On 10.02.21 15:55, Chris Green wrote:
> I could just edit the value in each system, but then all the main.cf
> files would be different.
On Wed, Feb 10, 2021 at 05:31:47PM +0100, Matus UHLAR - fantomas wrote:
setting "myhostname = $(dnsdomainname)" what Wietse recommended would not.
On 10.02
Viktor Dukhovni:
The actual expectation is that the EHLO name is a valid DNS hostname,
and should resolve to the IP address of the client.
On 10.02.21 23:59, Eugene Podshivalov wrote:
Postfix does not seem to be able to check this right now. Wouldn't it be
good to have such features in smtpd_he
Bob Proulx:
Instead of Forward-Reverse-DNS matching the newer Best Practice is to
set up SPF, DKIM, DMARC for your own outgoing mail and other
anti-abuse for incoming mail.
On 11.02.21 12:32, Eugene Podshivalov wrote:
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
Hi all
we have a very strange issue with our postfix and its external
content-filter. To debug this we wanted to take an affected
message (postcat -bhq QID >/tmp/file) and use swaks with --data command
to send it again to postfix and through the content filter. But the
swaks message
does NOT trigg
On Thu, Feb 11, 2021 at 11:36:24AM +0100, Matus UHLAR - fantomas wrote:
> > > On 10.02.21 15:55, Chris Green wrote:
> > > > I could just edit the value in each system, but then all the main.cf
> > > > files would be different.
>
> > On Wed, Feb 10, 2021 at 05:31:47PM +0100, Matus UHLAR - fantomas
Hi,
Can you help me please why does this fall into a loop?
postfix > localhost:1 > localhost:1 > localhost:1 > etc.
until too many hops.
--- main.cf:
transport_maps = hash:/etc/postfix/transport
--- /etc/postfix/transport:
recipi...@domain.com smtp:[127.0.0.1]:1
--- master
Hi
On Thu, Feb 11, 2021 at 01:14:59PM +0100, Zsombor B wrote:
> Can you help me please why does this fall into a loop?
> postfix > localhost:1 > localhost:1 > localhost:1 > etc. until
> too many hops.
> --- master.cf
> 127.0.0.1:1 inet n - y - - smtpd
>-o transport_maps=hash:/
Hi
On Thu, Feb 11, 2021 at 12:32:25PM +0300, Eugene Podshivalov wrote:
> Is it safe enough nowadays to drop dmarc failed incoming mail with
> opendmarc?
No. You can reject them however.
Bastian
--
Prepare for tomorrow -- get ready.
-- Edith Keeler, "The City On the Edge of For
> I am working on a spam filter and so I find myself spending a lot more
> quality time with mail logs than I used to. One of the things I have noticed
> is that I will get a lot of connections that send a HELO command and then
> disconnect. Sometimes I get this repeated several times a mi
Tobi:
> So we thought it could be possible to somehow "import" such an affected
> message directly into postfix queue to leave out swaks which may fix
> something in the message. Is there such a postfix command to "import" a
> file as message directly into postfix queues?
sendmail -f sender recipi
On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote:
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
No. It very likely never will be, particularly as long as Sendmail is in
widespread use.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo a
Hello,
postconf(5) states that smtpd_relay_restrictions apply before
smtpd_recipient_restrictions. This seems incorrect since
postfix-3.3-20180106.
Regards
Damian
As of today, doc says for 'smtp_tls_CAfile':
"A file containing CA certificates of root CAs trusted to sign either
remote SMTP server certificates or intermediate CA certificates."
and for 'smtp_tls_CApath':
"Directory with PEM format Certification Authority certificates that
the Postfix SMTP cl
On 11.02.21 14:51, bitozoid wrote:
As of today, doc says for 'smtp_tls_CAfile':
"A file containing CA certificates of root CAs trusted to sign either
remote SMTP server certificates or intermediate CA certificates."
and for 'smtp_tls_CApath':
"Directory with PEM format Certification Authority
On 2021-02-11 15:12, Bill Cole wrote:
On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote:
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
No. It very likely never will be, particularly as long as Sendmail is
in widespread use.
why ?
is it the 8bitmime problem s
On Thu, Feb 11, 2021 at 3:11 PM Matus UHLAR - fantomas
wrote:
> On 11.02.21 14:51, bitozoid wrote:
> >As of today, doc says for 'smtp_tls_CAfile':
> >
> >"A file containing CA certificates of root CAs trusted to sign either
> >remote SMTP server certificates or intermediate CA certificates."
> >
When reject_unverified_sender param is set and an email is sent on behalf
of the server the double-bounce check is still performed (i.e. sent to
itself).
Is this all right?
Eugene
On 11.02.21 14:51, bitozoid wrote:
>As of today, doc says for 'smtp_tls_CAfile':
>
>"A file containing CA certificates of root CAs trusted to sign either
>remote SMTP server certificates or intermediate CA certificates."
>
>and for 'smtp_tls_CApath':
>
>"Directory with PEM format Certification Aut
On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote:
> As of today, doc says for 'smtp_tls_CAfile':
>
> "A file containing CA certificates of root CAs trusted to sign either
> remote SMTP server certificates or intermediate CA certificates."
It can also contain intermediate CA certificates.
On Thu, Feb 11, 2021 at 4:49 PM Viktor Dukhovni
wrote:
>
> On Thu, Feb 11, 2021 at 02:51:02PM +, bitozoid wrote:
>
> > As of today, doc says for 'smtp_tls_CAfile':
> >
> > "A file containing CA certificates of root CAs trusted to sign either
> > remote SMTP server certificates or intermediate
J. Thomsen:
> This problem seems to be related to whether shared=yes is included (no
> problem) or shared=no
> (problem)
The variable was owned by the wrong code.
Wietse
diff '--exclude=man' '--exclude=html' '--exclude=README_FILES'
'--exclude=INSTALL' '--exclude=.indent.pro' -r -ur
/
Eugene Podshivalov:
> When reject_unverified_sender param is set and an email is sent on behalf
> of the server the double-bounce check is still performed (i.e. sent to
> itself).
What is 'the double-bounce check'?
Postfix probes use a sender address that does not receive email.
There is even a f
Hi team, can it be that responses in this mailing list are also sent by
cloud9.net instead of only postfix.org?
Just asking to prevent contamination by importing parallel newsgroup
source.
Best, Jos
-- With both feet on the ground you can't make any step forward
I meant Postfix probes use a sender address even when it is a local one.
Example from logs:
> postfix/qmgr[20192]: 9AE7A3F56E: from=,
> size=269, nrcpt=1 (queue active)
> postfix/local[20230]: 9AE7A3F56E: to=, *relay=local*,
> delay=0.02, delays=0.01/0.01/0/0, dsn=2.0.0, status=deliverable (delive
Eugene Podshivalov:
> I meant Postfix probes use a sender address even when it is a local one.
> Example from logs:
>
> > postfix/qmgr[20192]: 9AE7A3F56E: from=,
> > size=269, nrcpt=1 (queue active)
> > postfix/local[20230]: 9AE7A3F56E: to=, *relay=local*,
> > delay=0.02, delays=0.01/0.01/0/0, dsn
Jos Chrispijn:
> Hi team, can it be that responses in this mailing list are also sent by
> cloud9.net instead of only postfix.org?
> Just asking to prevent contamination by importing parallel newsgroup
> source.
postfix list mail has a postfix-org sender address.
Wietse
Let me put it this way: does Postfix do probe for outgoing mail?
Thu, 11 Feb 2021 at 21:35, Wietse Venema :
> Eugene Podshivalov:
> > I meant Postfix probes use a sender address even when it is a local one.
> > Example from logs:
> >
> > > postfix/qmgr[20192]: 9AE7A3F56E: from=,
> > > size=269
On 11 Feb 2021, at 04:45, Chris Green wrote:
> Yes, I think this is what it comes down to, *something* needs to be
> changed for each system. I was just hoping that postfix could use
> something that was there already (the systems do know their names and
> domains already).
You keep saying this,
On 11 Feb 2021, at 10:25, Benny Pedersen wrote:
On 2021-02-11 15:12, Bill Cole wrote:
On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote:
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
No. It very likely never will be, particularly as long as Sendmail is
in wid
On Thu, Feb 11, 2021 at 12:12:53PM -0700, @lbutlr wrote:
> On 11 Feb 2021, at 04:45, Chris Green wrote:
> > Yes, I think this is what it comes down to, *something* needs to be
> > changed for each system. I was just hoping that postfix could use
> > something that was there already (the systems d
Eugene Podshivalov:
> Let me put it this way: does Postfix do probe for outgoing mail?
reject_unverified_recipient and reject_unverified_sender make no
such distinction. That is a feature, not a bug.
reject_unverified_recipient has been used on internet gateways that
have no complete table of all
Chris Green:
> On Thu, Feb 11, 2021 at 12:12:53PM -0700, @lbutlr wrote:
> > On 11 Feb 2021, at 04:45, Chris Green wrote:
> > > Yes, I think this is what it comes down to, *something* needs to be
> > > changed for each system. I was just hoping that postfix could use
> > > something that was there
> On Feb 11, 2021, at 12:39 PM, Damian wrote:
>
> postconf(5) states that smtpd_relay_restrictions apply before
> smtpd_recipient_restrictions. This seems incorrect since
> postfix-3.3-20180106.
https://github.com/vdukhovni/postfix/commit/237852e8312750799b548165c7e46acbcd9efa64#diff-9e014842e28
Assume reject_unverified_sender is set and an email is sent
From:u...@mydomain.com.
When the email is sent directly from mail.mydomain.com there is no probe,
right?
But when the message is sent from another server that uses mydomain.com as
relay then the probe is done, in which case Postfix probes
> On Feb 11, 2021, at 6:29 PM, Eugene Podshivalov wrote:
>
> Assume reject_unverified_sender is set and an email is sent
> From:u...@mydomain.com.
This is an smtpd(8)/access(5) feature, and so only applies when email is
received via SMTP and the restriction in question is applied to the messag
Eugene Podshivalov:
> Assume reject_unverified_sender is set and an email is sent
> From:u...@mydomain.com.
> When the email is sent directly from mail.mydomain.com there is no probe,
> right?
reject_unverified_recipient etc. do not care where mail comes from,
or where it is being sent to.
> But
>
> Wietse:
The address can be transformed
> with canonical_maps, virtual_alias_maps, it may be routed to a
> different system with transport_maps, and it may be aliased with
> /etc/aliases to some other local or remote address
All these things apply to locally sent messages as well, don't they?
Chris Green wrote:
> Matus UHLAR - fantomas wrote:
> > >chris@isbdGandi$ more /etc/hosts
> > >127.0.0.1 isbdGandi.isbd.uk isbdGandi isbd localhost
> >
> > no no no.
> > 127.0.0.1 is always supposed to resolve to "localhost".
> > If those hosts don't have their assigned IP, Debian use
Hello (not helo :-)
I am working on a spam filter and so I find myself spending a lot more quality
time with mail logs than I used to. One of the things I have noticed is that I
will get a lot of connections that send a HELO command and then disconnect.
Sometimes I get this repeated sever
On Thu, Feb 11, 2021 at 07:49:30AM -0500, Wietse Venema wrote:
> > So we thought it could be possible to somehow "import" such an affected
> > message directly into postfix queue to leave out swaks which may fix
> > something in the message. Is there such a postfix command to "import" a
> > file a
Eugene Podshivalov:
> >
> > Wietse:
>
> The address can be transformed
> > with canonical_maps, virtual_alias_maps, it may be routed to a
> > different system with transport_maps, and it may be aliased with
> > /etc/aliases to some other local or remote address
>
> All these things apply to local
On Thu, Feb 11, 2021 at 05:04:24PM +, bitozoid wrote:
> > It can also contain intermediate CA certificates. Storing non-root CAs
> > carries a risk that they may expire before you remove them, and then
> > they may take precedence over non-expired intermediate CA certs that the
> > remote pee
On 11 Feb 2021, at 12:56, Chris Green wrote:
> On Thu, Feb 11, 2021 at 12:12:53PM -0700, @lbutlr wrote:
>> On 11 Feb 2021, at 04:45, Chris Green wrote:
>>> Yes, I think this is what it comes down to, *something* needs to be
>>> changed for each system. I was just hoping that postfix could use
>>
On 12/02/2021 7:09 am, Jos Chrispijn wrote:
Hi team, can it be that responses in this mailing list are also sent by
cloud9.net instead of only postfix.org?
Just asking to prevent contamination by importing parallel newsgroup
source.
All mail that I receive from this mailing list is relayed to
On Fri, Feb 12, 2021 at 05:11:32PM +1300, Nick Tait wrote:
> On 12/02/2021 7:09 am, Jos Chrispijn wrote:
> > Hi team, can it be that responses in this mailing list are also sent by
> > cloud9.net instead of only postfix.org?
> > Just asking to prevent contamination by importing parallel newsgroup
I'm seeing some mailing list messages with to:
postfix-us...@cloud9.net in the header. I had to update my filters to
get them sorted into my postfix mailing list folder.
On Thu, Feb 11, 2021 at 11:16 PM Viktor Dukhovni
wrote:
>
> On Fri, Feb 12, 2021 at 05:11:32PM +1300, Nick Tait wrote:
>
> > On
On 12/02/2021 8:50 am, Bill Cole wrote:
On 11 Feb 2021, at 10:25, Benny Pedersen wrote:
On 2021-02-11 15:12, Bill Cole wrote:
On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote:
Is it safe enough nowadays to drop dmarc failed incoming mail with
opendmarc?
No. It very likely never will be, p
Hi, I have a fairly typical postfix install with port 465 requiring
authentication. I'd like to allow one sender (email address or IP) to
inject email on port 465 without providing login/password authentication.
Is this somehow possible?
On 12/02/2021 5:49 pm, Nick Tait wrote:
Perhaps the advice should be: If you are using Sendmail, then (a) you
shouldn't publish a DMARC policy and (b) you shouldn't reject emails
based on failed DMARC check; but if you aren't using Sendmail then as
long as you don't mind rejecting emails from m
On Fri, Feb 12, 2021 at 02:54:29PM +1000, Mark Constable wrote:
> Hi, I have a fairly typical postfix install with port 465 requiring
> authentication. I'd like to allow one sender (email address or IP) to
> inject email on port 465 without providing login/password authentication.
Permitting emai
On 11 Feb 2021, at 23:49, Nick Tait wrote:
To me that sounds like a reason not to use Sendmail, rather than a
reason not to apply DMARC policy? ;-)
Any mail system of significant size will receive some legitimate
messages that have passed through a Sendmail machine under other
management, an
Nick Tait wrote:
> Nick Tait wrote:
> > Perhaps the advice should be: If you are using Sendmail, then (a) you
> > shouldn't publish a DMARC policy and (b) you shouldn't reject emails
> > based on failed DMARC check; but if you aren't using Sendmail then as
> > long as you don't mind rejecting email
Bryan L. Gay wrote:
> I'm seeing some mailing list messages with to:
> postfix-us...@cloud9.net in the header. I had to update my filters to
> get them sorted into my postfix mailing list folder.
If one is filtering mail selecting for mail through a mailing list
then one should not use the To: or
On 11 Feb 2021, at 23:55, Nick Tait wrote:
On 12/02/2021 5:49 pm, Nick Tait wrote:
Perhaps the advice should be: If you are using Sendmail, then (a) you
shouldn't publish a DMARC policy and (b) you shouldn't reject emails
based on failed DMARC check; but if you aren't using Sendmail then as
l
On 11 Feb 2021, at 23:09, Bob Proulx wrote:
> P.S. It's a little strange to see an '@' in the List-Id. But other
> than mentioning it in passing I am going to ignore it. :-)
It is a bit unusual, and back when I was using procmail I had to account for
that with a special case check to grab the p
On 12/02/21 6:57 pm, Bob Proulx wrote:
Nick Tait wrote:
Nick Tait wrote:
Perhaps the advice should be: If you are using Sendmail, then (a) you
shouldn't publish a DMARC policy and (b) you shouldn't reject emails
based on failed DMARC check; but if you aren't using Sendmail then as
long as you d
On 12/02/21 7:12 pm, Bill Cole wrote:
Mail transport often involves MTAs not under the control of the
original sender or ultimate recipient or the authorities for the
sender's domain. Traditional forwarding (e.g. ~/.forward) still exists
and many systems supporting it run Sendmail, which will m
Wietse,
On 2/11/21 1:49 PM, Wietse Venema wrote:
> sendmail -f sender recipient... < file
We could debug and solve the issue just wonder for next time: does
delivery via sendmail command not change the msg by one bit? Especially
no new or changed headers. Because we found our problem to be the ex