Out of curiosity, why does postfix display the base64 encoded "Password:"
string on failed authentication, instead of the user/email that actually failed?
eg:
warning: unknown[59.2.250.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
warning: unknown[1.219.223.120]: SASL LOGIN authenticatio
mailmary--- via Postfix-users:
>
> Out of curiosity, why does postfix display the base64 encoded "Password:"
> string on failed authentication, instead of the user/email that actually
> failed?
>
> eg:
> warning: unknown[59.2.250.144]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
...
>
> Isn
lty--- via Postfix-users:
> SMTP server og:
>
> May 16 08:41:14 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F:
> from=, size=56791841, nrcpt=1 (queue active)
> May 16 08:41:31 smtp3 postfix-sen/smtp[10076]: 3420CA2062F:
> to=, relay=x.x.x.x[x.x.x.x]:25, delay=18,
> delays=0.52/0/0.1/17, dsn=5.0.0,
I am talking about the authentication email, not MAIL FROM or RCPT TO.
hmm, when using the -v parameter, just above the "SASL LOGIN authentication
failed: UGFzc3dvcmQ6" log entry, I can clearly see the email/password
thus postfix knows the email address being authenticated BEFORE the error
me
Hello list,
Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?
Thanks.
--
sent from https://dkinbox.com/
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-
On 16/05/2023 13:16, Tom Reed via Postfix-users wrote:
Hello list,
Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?
Just my opinion...
I see lots (and I mean lots) of DKIM failures due to mails sent to
mailing lists that have clueless administra
>
> On 16/05/2023 13:16, Tom Reed via Postfix-users wrote:
>> Hello list,
>>
>> Should we reject failed message on DKIM validation stage, or DMARC
>> validation stage, or both?
>
> Just my opinion...
>
> I see lots (and I mean lots) of DKIM failures due to mails sent to
> mailing lists that have
Yes, straight to a Spam folder.
On 16/05/2023 13:41, Tom Reed via Postfix-users wrote:
On 16/05/2023 13:16, Tom Reed via Postfix-users wrote:
Hello list,
Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?
Just my opinion...
I see lots (and I mean
On May 16, 2023 12:16:21 PM UTC, Tom Reed via Postfix-users
wrote:
>Hello list,
>
>Should we reject failed message on DKIM validation stage, or DMARC
>validation stage, or both?
No and it depends.
DKIM has no policy mechanism associated with it, so there's no basis in any
standardized mecha
On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800)
Tom Reed via Postfix-users
is rumored to have said:
Hello list,
Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?
Generally, neither.
IF (and ONLY IF) the "From: " header address
* Scott Kitterman via Postfix-users :
> DKIM has no policy mechanism associated with it, so there's no basis in any
> standardized mechanism to determine if a DKIM failure should be cause for
> rejection. I don't think it makes logical sense to treat a message with a
> DKIM signature that fail
Dnia 16.05.2023 o godz. 20:16:21 Tom Reed via Postfix-users pisze:
>
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?
There is no rule ststing what you "should" do in these cases. It depends on
what you *want* to do, that is - what exact result you
Hi,
I have a postfix-3.7.3 fedora37 system and have a few users who want me to
disable reject_non_fqdn_sender because it seems many of their users have
DNS problems. For example, email from nore...@info.apr.gov.rs fails to
resolve with:
$ host info.apr.gov.rs
Host info.apr.gov.rs not found: 2(SERV
mailmary--- via Postfix-users:
>
> I am talking about the authentication email, not MAIL FROM or RCPT TO.
>
> hmm, when using the -v parameter, just above the "SASL LOGIN
> authentication failed: UGFzc3dvcmQ6" log entry, I can clearly see
> the email/password
>
> thus postfix knows the email addr
Tom Reed via Postfix-users writes:
> Hello list,
>
> Should we reject failed message on DKIM validation stage, or DMARC
> validation stage, or both?
I even DKIM-sign the mail one more time. For forwarding to Gmail.
See https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/setup-policy.lua
Sincere
Alex via Postfix-users:
> Hi,
> I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> disable reject_non_fqdn_sender because it seems many of their users have
> DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> resolve with:
>
> $ host info.apr.gov.rs
In all honesty, the current situation of logging the base64 string
"UGFzc3dvcmQ6" does not help us.
Maybe we could reconsider, and actually log the data (raw or base64-decoded)?
On Tue, 16 May 2023 09:30:44 -0400 (EDT) Wietse Venema via Postfix-users
wrote:
> mailmary--- via Postfix-user
mailmary--- via Postfix-users:
>
> In all honesty, the current situation of logging the base64 string
> "UGFzc3dvcmQ6" does not help us.
>
> Maybe we could reconsider, and actually log the data (raw or base64-decoded)?
Absolutely not. As a matter of security principle, one does not
log the cont
On May 16, 2023 1:20:53 PM UTC, Ralf Hildebrandt via Postfix-users
wrote:
>* Scott Kitterman via Postfix-users :
>
>> DKIM has no policy mechanism associated with it, so there's no basis in any
>> standardized mechanism to determine if a DKIM failure should be cause for
>> rejection. I don'
For OpenDMARC this setting:
SPFSelfValidate true
Can it handle the case when incoming message has rewritten
envelope address by SRS then no SPF found for header From address?
If opendmarc can implement SPF checks for header From address ,
That would be much better.
Thanks
> On 2023-05-16 at
Tom Reed via Postfix-users skrev den 2023-05-16 14:16:
Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?
if dkim is based on reject you will ignore dmarc policy, just dont
reject is safe :)
tip, add ipwhitelist in both so you never ever reject mai
Tom Reed via Postfix-users skrev den 2023-05-16 14:41:
so for both DKIM and DMARC failure you send them to spam folder?
what dmarc policy ?, none, quarantine, reject ?
forget dkim here, its not designed to be a spam scanner
___
Postfix-users mailing
João Silva via Postfix-users skrev den 2023-05-16 14:49:
Yes, straight to a Spam folder.
a bit silly if its a maillist, if its spam why not unsubscribe ?
i loose maybe :/
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send
Scott Kitterman via Postfix-users skrev den 2023-05-16 15:04:
DMARC does have such a policy component. Rejecting mail which fails
DMARC for domains that have a policy of p=reject is common. DMARC
does have a high error rate for some types of email, so I would
recommend a careful evaluation of
Ralf Hildebrandt via Postfix-users skrev den 2023-05-16 15:20:
* Scott Kitterman via Postfix-users :
DKIM has no policy mechanism associated with it, so there's no basis
in any standardized mechanism to determine if a DKIM failure should be
cause for rejection. I don't think it makes logical
mailmary--- via Postfix-users skrev den 2023-05-16 11:50:
Isn't the above useless? Should it say something like:
SASL LOGIN authentication failed: failed@email.address
PS:
I know that I can add -v to the smtpd submission process to get
thousands of debug lines and among them is the user/email
Wietse Venema via Postfix-users skrev den 2023-05-16 13:52:
That is not the case.
i know my weakforced is not perfekt but i see all detail before reject,
even if postfix dont log it
https://github.com/PowerDNS/weakforced
___
Postfix-users mailing
mailmary--- via Postfix-users skrev den 2023-05-16 14:14:
so why not report the email, instead of a base64 string?
how usefull is decode of base64 here ?
its what happens next it more usefull to log
https://github.com/PowerDNS/weakforced
___
Postfi
Hi,
> I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> > disable reject_non_fqdn_sender because it seems many of their users have
> > DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> > resolve with:
> >
> > $ host info.apr.gov.rs
> > Host info.ap
On 2023-05-16 at 10:11:39 UTC-0400 (Tue, 16 May 2023 22:11:39 +0800)
Tom Reed via Postfix-users
is rumored to have said:
For OpenDMARC this setting:
SPFSelfValidate true
Can it handle the case when incoming message has rewritten
envelope address by SRS then no SPF found for header From addres
Alex:
> Hi,
>
> > I have a postfix-3.7.3 fedora37 system and have a few users who want me to
> > > disable reject_non_fqdn_sender because it seems many of their users have
> > > DNS problems. For example, email from nore...@info.apr.gov.rs fails to
> > > resolve with:
> > >
> > > $ host info.apr.g
On 2023-05-16 at 11:27:52 UTC-0400 (Tue, 16 May 2023 11:27:52 -0400)
Alex via Postfix-users
is rumored to have said:
> Is there a way to control smtpd_recipient_restrictions on a per-domain
> basis so I can relax some of these restrictions for cases like this,
> instead of a more reactive approac
Hi,
But what about show user login? Currently we have issues when fail2ban
blocks IPS for a high number or failed logins, but is a customer with
several mail accounts and he don't know which bad-configured account is
causing the ban.
Would be so healpfull shows the sasl_username that produce
Hello,
Am I correct that the string in question should normally contain the
SASL response? While the "Password:" is apparently some interactive
prompt, indicating that something might be wrong with the connection or
configuration?
Eugene
On 16.05.2023 17:06, Wietse Venema via Postfix-users
On Tue, May 16, 2023 at 07:32:55PM +0300, Eugene R via Postfix-users wrote:
> Am I correct that the string in question should normally contain the SASL
> response? While the "Password:" is apparently some interactive prompt,
> indicating that something might be wrong with the connection or
> config
On Tue, May 16, 2023 at 09:44:41AM -0400, Wietse Venema via Postfix-users wrote:
> Looks like you have a *local* DNS problem. Check your routing,
> including netmasks.
The domain is broken. See
https://dnsviz.net/d/info.apr.gov.rs/dnssec/
On of the listed name servers is unresponsive and also dif
Bill Cole via Postfix-users skrev den 2023-05-16 17:34:
I have no idea what the answer to that is, as I don't use OpenDMARC.
You may want to figure out where, if anywhere, OpenDMARC support is
available.
http://www.trusteddomain.org/opendmarc/
___
Po
On 2023-05-16 at 12:19:03 UTC-0400 (Tue, 16 May 2023 18:19:03 +0200)
Víctor Rubiella Monfort via Postfix-users
is rumored to have said:
For example for imap/pop login failures dovecot log email account that
produces the failure.
If you are using Dovecot for SASL and have auth_verbose enabled
K.I.S.S.
Because of forwarding, both SPF or DKIM signatures *could* be broken. This is
what DMARC was introduced for.
DMARC checks the results of both SPF and DKIM, and as long as one of those two
passes then the mail is good so DMARC passes.
If both SPF and DKIM fail, then DMARC fails, and *TH
On Tue, May 16, 2023 at 11:27:52AM -0400, Alex via Postfix-users wrote:
> > > $ host info.apr.gov.rs
> > > Host info.apr.gov.rs not found: 2(SERVFAIL)
>
> There's definitely a problem with their name servers, but it also seems my
> version of bind is not permissive enough for such failures, althou
On 17/05/23 00:14, mailmary--- via Postfix-users wrote:
I am talking about the authentication email, not MAIL FROM or RCPT TO.
There is no "authentication email". There is a login username which can
be just about anything and in your case likely just happens to match the
user's email addres
Hi,
On Tue, May 16, 2023 at 4:16 PM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:
> On Tue, May 16, 2023 at 11:27:52AM -0400, Alex via Postfix-users wrote:
>
> > > > $ host info.apr.gov.rs
> > > > Host info.apr.gov.rs not found: 2(SERVFAIL)
> >
> > There's definitely a pro
On Tue, May 16, 2023 at 06:54:47PM -0400, Alex wrote:
> > The problems with their DNS are:
> >
> > - ns1.apr.gov.rs: EDNS(0) option intolerance, but returns
> > FORMERR, so fallback to non-EDNS queries should (and does) work.
> > [...]
> > Disabling use of cookies in your BIN
Greeting members,
I found that, after I enable opendmarc to reject messages, there are some
issues for list addresses. for example, this rejected message shows:
: host mx1.dkinbox.com[193.106.250.86] said: 550 5.7.1
rejected by DMARC policy for radlogic.com.au (in reply to end of DATA
c
It appears that Tom Reed via Postfix-users said:
>Since the message was sent to mailing list which rewrites envelope address
>and adds list signature, so:
>
>1) SPF for header From: address won't get pass due to SRS.
>2) DKIM won't get pass due to list signature.
>
>So the DMARC failed totally and
On Mon, May 15, 2023 at 08:40:50PM +0800, Tom Reed via Postfix-users
wrote:
> Hello list,
>
> for Postsrsd, it rewrite all the sender addresses even if messages should
> be delivered locally.
>
> how to setup it to not rewrite sender for local addresses?
>
> Thanks
If you only forward emails
On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800)
Tom Reed via Postfix-users
is rumored to have said:
[...]
Since the message was sent to mailing list which rewrites envelope
address
and adds list signature, so:
1) SPF for header From: address won't get pass due to SRS.
2) D
On Tue, May 16, 2023 at 10:15:35PM -0400, Bill Cole via Postfix-users
wrote:
> On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800)
> Tom Reed via Postfix-users
> is rumored to have said:
> [...]
> > Since the message was sent to mailing list which rewrites envelope
> > address
> On Tue, May 16, 2023 at 10:15:35PM -0400, Bill Cole via Postfix-users
> wrote:
>
>> On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800)
>> Tom Reed via Postfix-users
>> is rumored to have said:
>> [...]
>> > Since the message was sent to mailing list which rewrites envelope
https://www.mail-archive.com/postfix-users@postfix.org/msg99219.html [1]
https://www.mail-archive.com/postfix-users@postfix.org/msg99175.html
provide more information:
SMTP server log:
May 16 08:41:14 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F:
from=, size=56791841, nrcpt=1 (queue active
50 matches
Mail list logo
