Safe to assume the 11th character is always 'z'?
Until July 2596.
Is it possible for two different servers to have the same long_queue_ids?
Are the long queue IDs unique to the world or only unique to that postfix
instance?
Given 2040 Postfix mail servers that each have queued a mail at the exact same time, up to microseconds, and a pool of 3 million
inodes
That's interesting... 8.4 saw the upgrade to Postfix 3.5.8 (from 3.3.1
I believe)
http://rpmfind.net/linux/centos/8.3.2011/BaseOS/x86_64/os/Packages/postfix-3.3.1-12.el8.x86_64.rpm
already had PrivateTmp.
reject_sender_login_mismatch can be set up to only allow emails being
sent out where the from, not just the envelope-from, has to match the
user's login credentials
Are you sure? The documentation only mentions the MAIL FROM address.
I've been a little bit terrified of doing an upgrade, because I do have a couple of people using my mail server for real work
email and I don't want to disrupt them.
Besides Postfix you could have a look at
https://doc.dovecot.org/installation_guide/upgrading/from-2.2-to-2.3/
There are 2 different and contradictory DMARC records in DNS for
raf.org. That guarantees breakage.
Interesting, according to [1] they shouldn't receive reports at all.
[1] https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.3 point 5
Oct 20 20:07:49 libertyfp postfix/smtpd[174025]: warning: hostname
ip245.tervelnet.com does not resolve to address 87.246.7.245
Oct 20 20:07:49 libertyfp postfix/smtpd[174025]: connect from
unknown[87.246.7.245]
Oct 20 20:07:51 libertyfp postfix/smtpd[174025]: warning:
unknown[87.246.7.245]: SASL
Question really says it all. Everything in postfix, except these, seems to be
lower case. I’m not sure if this is a stylistic thing, or something having to
do with an openssl internal, but if these get lowercased in a config, will it
break?
root@265a6a1736b3:~# postconf -d smtp_tls_CAfile
smt
I can think of some (messy) ways to do this, but before I start cobbling
something together, I am hoping this is something someone has already done.
Are you asking for software or ideas?
I am looking for input how to implement a DANE- and MTA-STS-capable
Postfix setup which is able to produce SMTP TLS reports (RFC8460).
Right now I see several obstacles.
There is postfix-mta-sts-resolver [1], and my first reflex was to use it
with smtp_tls_policy_maps as documented, and fall b
how can I sub-scr1be to this list?
Sorry to write it this way, but there is a stupid filter in place that
blocks the email.
https://mail.sys4.de/mailman/listinfo/dane-users does not work?
I am trying to understand "allow_untrusted_routing = yes" and the
circumstances where it is (un)safe. The documentation mentions an open
relay loophole in the context of backup MXes. Is untrusted routing safe,
if Postfix has no explicit *_mx_* configuration?
Consider the sample setup:
mydest
Damian:
I am trying to understand "allow_untrusted_routing = yes" and the
circumstances where it is (un)safe. The documentation mentions an open
relay loophole in the context of backup MXes. Is untrusted routing safe,
if Postfix has no explicit *_mx_* configuration?
This is a
Wietse:
Postfix looks for @, % or ! in the address localpart, for example,
user%not-your-domain@your-domain.
There is no special resolver.
I believe, this is what I wrote.
If Postfix finds any, like it would in user%not-your-domain@your-domain,
and "allow_untrusted_routing = yes" is configured
Wietse:
There. And to repeat myself, it depends on the destination
MTA how it delivers user%not-your-domain@your-domain.
Viktor:
You'll ideally let go of the goal, but if not, you'll need to allow
untrusted routing, and regularly test carefully to make sure that it
does not create open relay
Oh Lord.
> Resending Jaroslaw Rafa's message, so that people who don't see his
> email can see it here.
>
> Apparently, Gmail considers Jaroslaw's email address as a source
> of spam, because his postfix-users messages are sent to many people
> in a relatively short time.
>
> So if you could loo
Hi,
is it possible, in principle, to define new milter macros that are
passed to smtpd_milters? [1] does not list a macro that carries
information whether SMTPUTF8 is set. [2] mentions SMFIC_MACRO, but I
have no idea if that is what I think it might be.
Damian
[1] http://www.postfix.org
I just realized this is an X-Y problem. The flag is on-the-wire as a
part of the M macro.
> is it possible, in principle, to define new milter macros that are
> passed to smtpd_milters? [1] does not list a macro that carries
> information whether SMTPUTF8 is set. [2] mentions SMFIC_MACRO, but I
>
The validator [1] says TLSA is ok, so is this even a DNS issue? If I
have to guess, Postfix encounters the following situation:
> When TLSA records are found, but are all unusable the effective security
> level is "encrypt"
The documentation does not state that self-signed certificates are
in
>> The validator [1] says TLSA is ok, so is this even a DNS issue? If I
>> have to guess, Postfix encounters the following situation:
>>
>>
>> When TLSA records are found, but are all unusable the effective security
>> level is "encrypt"
>>
>> The documentation does not state that self-signed c
> I've defined OpenDKIM and OpenDMARC as smtpd_milters, using UNIX
> sockets. In the "normal" setup they work like a charm, but now I add
> Amavis to the mix, with smtpd_proxy_filter, and suddenly both milters
> disappear. Why?
From [1]:
> When you use the before-queue content filter for incomin
Hello,
postconf(5) states that smtpd_relay_restrictions apply before
smtpd_recipient_restrictions. This seems incorrect since
postfix-3.3-20180106.
Regards
Damian
until day 31. But what happens
with mails for X between day 8 and 31? Will they be accepted by Postfix
and then bounced?
Thanks
Damian
then bounced?
Damian
On 19.10.2018 at 16:29, Wietse Venema wrote:
The time after which a successful address verification probe needs to
be refreshed. The address verification status is not updated when the
probe fails (optimistic caching).
It does not explain what happens with incoming mails
Thank you, this is explicit enough.
Regards
Damian
On 19.10.2018 at 17:57, Wietse Venema wrote:
Sorry, I don't have color fonts. Again, Postfix will ignore a failed
refresh probe. From that it follows that Postfix will keep using
the cached positive result. From that it follows
Some while ago, I had a Perl script around Mail::GPG as mailbox_command,
or inside a procmailrc, I'm not sure. I had it trigger only for a
certain address extension, e.g. mailbox+...@domain.tld. It worked quite
alright.
> Can such filter work, without ever storing plaintext email on disk ?
>
> An
Hello everyone,
I have a Postfix box basically configured to send mail from my organization to
the Internet. Today I received a warning message telling me that the mail queue
was full.
It seems that some Spammer is using my server as an Open Relay, so I used the
"check_sender_access" function
>Damian,
>
>Please ignore the above bad advice. An OK in
>smtpd_sender_restrictions can not possibly make you an open
>relay. Likely it didn't work as expected because the mail
>isn't submitted via SMTP.
>Before you waste time on any other bad advice you may
>From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org]
>On behalf of /dev/rob0
>Sent: Monday, January 11, 2010 16:50
>To: postfix-users@postfix.org
>Subject: Re: Spam Attack on my outgoing server
>>On Mon, Jan 11, 2010 at 03:27:05PM -
>>>On Mon, Jan 11, 2010 at 06:15:21PM -0300, Damian Rivas wrote:
> >> mynetworks = 127.0.0.0/8, 200.55.14.248/29, 190.210.52.88/29
>
> >These are the hosts allowed to relay. Don't mung the IP addresses.
snip
>> All mailing incomes seem to come from ns1.cht.
s all okay.
I am not a programmer and hardly understand the compiling process.
so can anyone tell me what I have done wrong?
I am new to the list and wasn't sure if it's suitable to post questions
here.
so please advise if I should try another.
Thanks
Damian J. L. Lee
Thank you for your answer Sahil.
In fact I don't fully understand the problem.
Do you mean I have to have a "*static* libdb library" in order to compile my
Postfix in static linking?
2010/8/11 Sahil Tandon
> On Wed, 2010-08-11 at 11:10:31 +0800, damian lee wrote:
/usr/lib/gcc/i386-redhat-linux/4.1.0/../../../libdb.a(mut_pthread.o): In
function `__db_pthread_mutex_destroy': undefined reference to
`pthread_mutex_destroy'
It seems my static linked version of libdb doesn't work.
Any suggestions?
Damian Lee
2010/8/11 Ralf Hildebrandt
>
s) and send a warning
> message stating again that we "will never ask you for your password". Yet
> each time someone falls for it...
>
> Charles
>
>>
>> Thanks
>> Ram
>>
>>
>>
>
--
Regards,
Damian Myerscough
> 250-XXXA
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> Disable smtp fixup in your router. It breaks more things than solves.
>
--
Regards,
Damian Myerscough
Hello,
I have been recently playing with Postfix a lot and I was curious of the
consequences of disabling the VRFY command. I have disabled the
VRFY command because it allows attackers to see what users
were valid e.g. local users could be identified.
--
Regards,
Damian Myerscough
Hello,
You can also use smtpd_sender_login_maps which allows you to map
email addresses to users e.g.
smtpd_sender_login_maps = hash:/etc/postfix/sender_maps
The contents of sender_maps would look like
dam...@example.com damian
2009/7/26 Benny Pedersen :
>
> On Sun, July 26, 2009
OK
>> b...@example.com OK
>>
>>
>> if you want more, use restriction classes.
>>
>> In either case, users can forge the sender address. if this is an issue,
>> you need SASL authentication, preferably with smtpd_sender_login_maps
>> (the alternative would be to give no login:pass to "restricted" users).
>>
>
> Thanks !!!
>
> This answer to my needs exactly what I want !!
>
>
--
Regards,
Damian Myerscough
n, should
>> one see spamassassin working (I am using a Ubuntu server)
>
> This might be better asked on an amavisd forum -
>
> But having said that, the spamassassin classes are actually called
> directly by amavis, so you won't see any spamassassin processes running.
hotmail.com via a DNS lookup?
--
Regards,
Damian Myerscough
"spam trap" by hotmail?
>
>
>> [snip]
>>
>
--
Regards,
Damian Myerscough
Hi, I have a problem with my 2 postfix instances. 2 separate IPs and
corresponding domain names are set up on networking, they are working fine.
I want second mail message (below) to have
`Received: from firstInstanceDomain.com (firstInstanceDomain.com.
[second.domain.ip])`
instead of
`Receiv
Thx for all answers. Setting sendmail_path = /usr/sbin/sendmail -t -i -C
/etc/postfix-third in httpd.conf did the trick. Now mails have correct
ip/domain information.
2012/1/6 Wietse Venema
> damian freelance:
> > Hi, I have a problem with my 2 postfix instances. 2 separate
Hi,
is there a reason that tcp_table has the DICT_FLAG_PATTERN flag instead of
DICT_FLAG_FIXED?
One could create more flexible transport map chains if tcp_table was also
queried for pure domains.
Regards
Damian
ostfix table-driven features.
>
> Likewise there is a need to specify the order of full and partial
> queries, but that could be specified via separate parameters:
>
> virtual_alias_maps_search = full, user, @domain
> access_maps_search = full, user@, domain, parent-domain
> transport_maps_search = full, domain, .parent-domain
>
> Wietse
Hi Wietse,
hi Viktor,
I would like to see this feature. :)
Regards
Damian
egitimate email from poorly-configured mail servers and DNS records.
For instance, say we have 500 employees with email accounts. If I have
a single sender that sends to more than 200 of them, I would want to
review it as a possible spamming attack.
Has anyone run into this?
Thanks.
clear.
Were these mails stuck in amavis, there were now dropped?
I'm not very familiar with amavis, so I'm unsure what logs to check. My
mail.log showed (queue active) on all mail ...emails were eventually
getting through, just severely delayed.
Thanks for any help.
Dam
that there's
a difference, but I'm not 100% into linux / Ubuntu yet.
Damian Bailey | baile...@lcps.k12.va.us
Lead Technician | LCPS Technology
540.894.4373x8220
Shipping Address:
Louisa County Public Schools
953 Davis Hwy
Mineral VA 23117
From: owner-postfix-us...@postfix.org
pipe
# flags=Ru user=dspam argv=/usr/bin/dspam-retrain $nexthop $sender
$recipient
Damian Bailey | baile...@lcps.k12.va.us
Scott,
Thanks, but I don't think this is my issue. (Though the bugs are good
to know!)
My mail just isn't being relayed to my email server. I am running
Ubuntu, though it's 10.04.2 LTS
Damian Bailey | baile...@lcps.k12.va.us
I tried this config but sadly it doesn’t work, OpenDMARC
(127.0.0.1:54321) gets skipped completely
If "getting skipped" means that you don't see Authentication-Results for
DMARC, I have a feeling that you didn't disable DKIM verification on
your content_filter Interface Policy. Amavis will rem
By “getting skipped” I mean I have no logs of opendmarc doing anything.
Do you have logs of opendmarc doing anything if you remove Amavis from
smtpd_milters?
I don’t understand how I would disable dkim in my content_filter
policy. Dkim verification is either enabled or disabled in Amavis
un
https://amavisd-milter.sourceforge.net/
just use that, it replaces all milters you have
This is a confusing statement.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
https://amavisd-milter.sourceforge.net/
just use that, it replaces all milters you have
This is a confusing statement.
in what way ?
amavisd-milter was already part of Dino's smtpd_milters. It is like you would
have said:
> http://www.postfix.org/. Just use that, it replaces the /etc you ha
correct, but amavisd support rspamd with have dmarc
what?
Amavis has support for rspamd as a spam_scanner, i.e. for scoring, not
for DMARC policy enforcement.
This question has stirred up a lot of answers but if I’m understanding
correctly, it looks like I cannot use opendmarc with amavisd in
postfix as a pre-queue filter for dkim. The only viable option is
opendkim with opendmarc as pre-queue milters like I was originally doing.
Conceptually you ca
So as per your previous post, setting a policy such as this one would
do the trick?
...
This would be necessary to keep DMARC AR headers after they passed the
content_filter Amavis. It is not necessary for OpenDMARC to do its work.
It was not clear what "skipping OpenDMARC" means exactly, but
SHORT-TERM WORKAROUNDS
A short-term workaround can be deployed now, before the upcoming long
holiday and associated production change freeze.
NOTE: This will stop only the published form of the attack. Other forms
exist that will not be stopped in this manner.
* With all Postfix versions, "s
It really does not matter much, but leaving BDAT enabled can help in
some cases. It is not necessary to go this deep down the rabbit hole.
So what could be smuggled into a Postfix that defines "reject_unauth_pipelining" but does not define "smtpd_discard_ehlo_keywords
= chunking"?
The recommended settings are:
#
The test tool [1] revealed that my 3.7.9 Postfix using `smtpd_forbid_bare_newline = yes` admits smuggling for the `\r\n.\n` case.
One still needs `smtpd_data_restrictions = reject_unauth_pipelining` to close that one as well.
After a small adaptation to the tool to use BDAT one can see what Wiet
smuggling for the `\r\n.\n` case.
Sorry, that was a bad copypaste, I meant '\r\n.\r'.
If I remember correctly, on the wire there was \r\n\r\n.\r\r\n
I will assemble a pcap and some logs when I'm back home.
> In other words, I need to see proof in the form of a PCAP file and
> NON-VERBOSE logging, or it did not happen.
People are welcome to test tools against postfix-3.9-20240106.
I could test against a 3.7.9 codebase if you posted a patch for it.
I create test VPS (outside my infrastructure) and install all for
python3 for testing
root@hanz:~# python3 smtp_smuggling_scanner.py --sender-domain
gmail.com piot...@mydomain.ltd
Don't use a sender-domain you don't have control over. The default
should be good enough for basic smuggling tests
SMUGGLING WORKS with '\r\n\x00.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r\n' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\r' as "fake" end-of-data sequence!
SMUGGLING WORKS with '\r.\n' as "fake" end-of-data sequence!
Are those really standalone emails with subj
Does Postfix support Brainpool curves?
The Forward Secrecy Readme mentions X25519 and X448 explicitly, P-256
implicitly, while Brainpool curves don't come up anywhere.
I still tried with Postfix 3.9.1 and OpenSSL 3.4.0 but failed to
establish a TLS connection between `openssl s_client` and Po
OpenSSL supports or does not support curves, Postfix just uses OpenSSL,
but the *default* list of curves passed to OpenSSL:
tls_eecdh_auto_curves = X25519 X448 prime256v1 secp384r1 secp521r1
tls_ffdhe_auto_groups = ffdhe2048 ffdhe3072
is deliberately pruned to just the mainstream optio
I would like some opinions on how certain RFCs are to be interpreted.
My core question is: Is it possible to send mail RFC-conformly into a
Postfix, such that there are more than 1000 consecutive Non-CRLFs?
I think everybody agrees that this is not possible with DATA. The
BDAT_README seems to
Postfix supports 8bit Data, with lines of 998 between CRLF, as
defined in https://datatracker.ietf.org/doc/html/rfc2045#section-2.8
Therefore, Postfix announces 8BITMIME in EHLO.
Postfix does not support Binary Data, as defined in
https://datatracker.ietf.org/doc/html/rfc2045#section-2.9 Binary
Th
Your last two statements are exactly the crux of the matter, and I don't see
them justified, yet.
And yet they are justified. Wishful thinking does not change that. 🙁
Absent BINARYMIME the body time of a BDAT message is 8BITMIME, which is
still line-oriented.
If they are justified, then not by R
You may have noticed that BDAT and BINARYMIME are distinct features.
Yes, but I have argued that RFC2045 compliance of mail data is a property of said data, not of the transport, so that BDAT,
BINARYMIME and even SMTP don't actually matter. RFC2045 has references to RFC821 because it was design
A tcpdump between smtp and smtpd shows a TCP handshake but no payload at
all.
That looks like the remote SMTP server wants to use TLS wrappermode,
but your Postfix SMTP client wants to use STARTTLS.
Ok, that was really dumb. Not seeing a banner should have given me a
clue that I broke the remo
I am currently doing some tests with Postfix 3.10 and postfix-tlspol
(using QUERYwithTLSRPT).
I see positive feedback for DANE as well as MTA-STS on the tlsrpt
socket. However, I was not able to produce negative feedback yet. In
case of "non DNSSEC destination", nothing is written to the tlsrp
74 matches