give me a hint how to get this fixed ?
best regards
Dirk
Hi Viktor,
thanks for your reply.
On 25.05.2016 22:27, Viktor Dukhovni wrote:
> On Wed, May 25, 2016 at 10:00:55PM +0200, Dirk wrote:
>
> >> Which user to what maildir is defined in.
>> virtual_mailbox_maps = hash:/etc/postfix/vmaps
>>
>> The second (sub)domain has
Hi Viktor,
thanks for pointing this out.
Works now after adding the virtual_alias_maps.
best regards
Dirk
On 25.05.2016 23:03, Viktor Dukhovni wrote:
> Nonsense, essentially the same regexp table can be used in
> virtual_alias_maps instead of virtual_mailbox_maps:
>
> /\.d...@x
do I want to go from here? A transport rule? Virtual? Always_bcc?
What would be the best/canonical way to achieve this?
--
Dirk Taggesell
Systemadministrator Experteer.de
Is there a known bug or race-condition in postfix 2.4.7 which can produce
such an email loss ?
I can't reproduce this case and it is only this use case which failed
until now.
Best Regards
Dirk
--
As you know, e-mails sent over the Internet can be created under someone else's
Thanks for the hint.
I found the missing eMail in an SPAM-Log for @r.com on a second Server.
've gone through the virtual and local
readmes, but
I am not seeing the solution.
Dirk
Hello,
I'm lost and don't find any solution anymore, so I now need to ask.
I'm running three mail-servers with Postfix 2.9.6 (valid TLS cert), 2.7.2
(self-signed), 2.11.0 (self-signed).
And whatever I do I'm unable to get any of these three to show a trusted
connection to any of the others.
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
On Sun, Feb 23, 2014 at 02:28:07PM +0100, Dirk Stöcker wrote:
And whatever I do I'm unable to get any of these three to show a
trusted connection to any of the others. It trusts Google and GMX
and whatever, but not my own servers. That's
On Mon, 24 Feb 2014, li...@rhsoft.net wrote:
Seems Postfix still need to learn a lot about secure connections
seems you need to do so
in case of opportunistic there is not real trust
trusted in case of a secure connection means both sides know each
other - opportunistic means the other side
On Sun, 23 Feb 2014, Dirk Stöcker wrote:
If this is important to you, set:
smtp_tls_exclude_ciphers=aNULL
for the transport that delivers mail between your internal systems.
Does not sound like what I want. I don't want to hardcode a specific handling
for some servers, I want tha
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
smtp_tls_verify_certs=whenpossible
SMTP is not HTTP. Due to MX indirection, peer authentication is
not possible without explicit per-destination configuration. Once
you've gone to all that trouble, you may as well configure a "secure"
channel.
I
On Sun, 23 Feb 2014, Viktor Dukhovni wrote:
I hope there aren't any TLS capable mailservers, which fallback to
unencrypted transmission, when I use this.
Fallback is up the client. I am not aware of any Internet facing
MX hosts that offer STARTTLS without any server certificate. Lots
of SMTP
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
I know that there are many side-effects and things which don't work,
but that does not mean that one can at least try?
Sorry, no half-assed solutions that work only sometimes and break
unpredictably.
Yes, the same story again. When it does not work
On Mon, 24 Feb 2014, Wietse Venema wrote:
The absence of observed variation does not mean nothing of relevance
has changed, and the presence of benign observed changes drowns out
the malicious ones, assuming that the malicious party is stupid
enough to reveal itself.
Well, if the only output o
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
I don't want to have a perfection box which can't communicate with
the rest of the world, but something which helps with today's
internet.
Nonsense. Patrick Koetter's .de domain is DNSSEC signed. His
mailserver has TLSA records. Enabling DNSSEC doe
On Mon, 24 Feb 2014, Viktor Dukhovni wrote:
With a bit of luck roughly 5 years. Exim has not implemented DANE
yet, and the RFC for DANE TLS for SMTP has not yet been ratified
by the IETF. The first Postfix release with DANE just came out
last month, and is not in most O/S distributions.
You'
On Mon, 24 Feb 2014, /dev/rob0 wrote:
Oh yes - DNSSEC. When will it come? In hundred years?
Dirk, do you mind explaining this? Are you having trouble finding
DNSSEC-enabled DNS hosting?
Reading about it for years - always with "Delayed" as main information
(same like for IPv6)
Hello,
But I have no idea how to use the postfix tools to start a TLS
connection to such an server without sending an email. This requires
too much internal knowledge I fear. Last time I tried to call smtp
tool by hand it told me not to do so and I took that advice.
/usr/sbin/sendmail -f $(
On Tue, 25 Feb 2014, Dirk Stöcker wrote:
Hmpf. It says "dane configured with dnssec lookups disabled". Seems I need to
fix the RPM first.
No, a
smtp_dns_support_level = dnssec
was enough to fix this. I'll see how many servers will have a "Verified"
connection in t
On Tue, 25 Feb 2014, Viktor Dukhovni wrote:
smtp_dns_support_level = dnssec
was enough to fix this. I'll see how many servers will have a
"Verified" connection in the future.
I hope you read the note about the importance of having 127.0.0.1
and/or ::1 as the only nameservers listed in /etc/re
er has changed his mail from u...@sub.dom.com to u...@dom.com
What's going wrong here?
Regards and thanks for your help
Dirk
stfix-users@postfix.org; u...@porcupine.org
Subject: Re: STMP is rejecting and i'm not sure why
Dirk Laurenz:
> Hello $list,
>
> my server rejects an email from certain domain:
>
> : host
> server.sub.dom.local [xx.xx.xx.xx] said: 550 5.7.1
> mailto:onl...@serve
iction?
From: owner-postfix-us...@postfix.org On
behalf of Dirk Laurenz
Sent: Thursday, 2 April 2020 16:52
To: postfix-users@postfix.org
Subject: STMP is rejecting and i'm not sure why
Hello $list,
my server rejects an email from certain domain:
mailto:onl...@se
I run the server which is throwing this error...
-Original Message-
From: owner-postfix-us...@postfix.org On
behalf of Wietse Venema
Sent: Friday, 3 April 2020 19:54
To: Postfix users
Subject: Re: AW: STMP is rejecting and i'm not sure why
Dirk Laurenz:
> Hel
On Tue, 13 Oct 2020, Fred Morris wrote:
Perfect, thanks! billmail.scconsult.com is not delegated from scconsult.com
(has no SOA or NS), and sccconsult.com is delegated from .com (of course),
with SOA and NS.
Bonus points: billmail has SPF.
Same concept, but a bit different (also has SPF, DA
Hello,
openSUSE is switching from hash: to lmdb: in recent postfix version 3.5.8
(I assume to get rid of old legacy libraries).
Now postmap and postalias will by default use lmdb:, but the man pages for
these two tools don't even contain lmdb:
Can lmdb: please be added to the man pages so the
Hello,
I don't think you're in the right forum for these questions, as they
aren't really related to postfix.
0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
Is this normal or a point for worry? It did say "not spam".
I'd assume you did not add a milter which
On Wed, 10 Feb 2021, Bob Proulx wrote:
Eugene Podshivalov wrote:
I've just received a spam email from a client who presented itself as
emx.mail.ru but its ip 117.30.137.22 resolves to
22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
Are reverse client hostname and the ehlo one not supposed to
On Wed, 24 Feb 2021, Wietse Venema wrote:
Postfix version 3.6 deprecates terminology that implies white is
better than black. Instead, Postfix prefers 'allowlist', 'denylist',
and variations on those words.
We had a late start, but it seems Newspeak will be established until 2050
as originall
Hello,
I searched the net but didn't find a description so I ask here. I'm
operating two mail servers with postfix and I see that the servers always
switch between IPv4 and IPv6 when sending mails from one to the other.
Is there a mechanism in postfix to switch randomly between the IP
ad
On Thu, 8 Oct 2015, Wietse Venema wrote:
I searched the net but didn't find a description so I ask here. I'm
operating two mail servers with postfix and I see that the servers always
switch between IPv4 and IPv6 when sending mails from one to the other.
Is there a mechanism in postfix to sw
Hello,
does anyone here have statistics about DANE enabled mail servers? And
maybe also a timeline showing an increase (hopefully)? I'm running DANE
for some time now and I don't ever get a Verified connection (except to my
second server). That's a bit discouraging. I'd like to have at least o
On Thu, 10 Dec 2015, Viktor Dukhovni wrote:
There are just ~30 domains with TLSA records that are large enough for you
to have heard of them. Here's a sample:
...
bund.de
Sadly that's only the main domain. Each subsection has own servers, so
bkg.bund.de does not support DANE ATM and that'
On Fri, 11 Dec 2015, Viktor Dukhovni wrote:
Over the years there have from time to time been requests for
server-side SNI support in Postfix, but most users have found
workable alternatives, such as above.
A key reason that SNI support is not there yet, is that we like to
do things right(TM) in
On Sat, 12 Dec 2015, Viktor Dukhovni wrote:
And SMTP has the big advantage, that you can define the name of the host in
MX, so the name of the mail server can be independent from the domain of the
email address.
Simply wait a bit longer and maybe that issue solves itself :-)
Thanks for the mo
On Sun, 13 Dec 2015, Alice Wonder wrote:
A big negative to Thunderbird autoconfig - it looks for http before https
resulting in MITM vulnerability.
They say it is because hosting companies like godaddy don't want to have a
TLS cert for every e-mail domain.
I agree with both :-)
They should
Hello,
yesterday updating the tlsa tool I thought about making a set of domains
which contain different errors or non-errors for DANE-TLSA records, like
DANE-TA with incomplete TLS chain, but the missing part in full cert TLSA
record and similar examples.
Before doing so I want to ask if may
On Mon, 4 Jan 2016, Bill Cole wrote:
The certificate I got is for "mail..com" which should be correct.
My MX record redirects to "mail..com" while I also have an A
record with a prefix "mail" which redirects to the correct IP. But
Thunderbird sees the Location as "imap..com" opposed to the
Hello,
with a recent update I got confused about virtual domains and
mydestination, as they seem to do different things with subdomains
I had following setup:
mydomain = stoecker.eu
myhostname = mail.stoecker.eu
mydestination = $myhostname, localhost.$mydomain, $mydomain
virtual_alias_domains
On Sat, 13 Feb 2016, Viktor Dukhovni wrote:
Now I checked the postfix virtual domain documentation and parameter
descriptions and I don't understand it much better. Is that intended
behaviour, that mydestination includes subdomains and
virtual_alias_domains not?
Neither includes sub-domains,
On Thu, 31 Mar 2016, A. Schulze wrote:
As mentioned we see numerous domains with the same broken MX.
I have to list them one by one in the transport table
or did I forgot a cool configuration to catch any destination domain with
this specific MX?
Did you try to contact them to fix their serve
On Thu, 14 Apr 2016, Viktor Dukhovni wrote:
The web.de domain has just published DANE TLSA records for its MX
hosts. This follows earlier "pilot" deployments with the smaller
mail.com and mail.de domains.
Fine!
I already thought they wouldn't do it. The announcement was in August last
year
On Fri, 15 Apr 2016, Christian Kivalo wrote:
One would think so, but: I asked my main domain provider
domaindiscount24
which introduced DNSSEC last year when they will offer TLSA, DS and
SSHFP
records also. Their answer: Currently the requested features aren't
available and we can make no statem
On Fri, 15 Apr 2016, David Mehler wrote:
I'm looking for an autoresponder, free, and one that does not rely on
postfixadmin.
I saw one featured in a howtoforge article called Autoresponse 1.6.3
but that has been taken down, which is unfortunate, because how it
worked, sending an email to an add
On Tue, 19 Apr 2016, Viktor Dukhovni wrote:
On Tue, Apr 19, 2016 at 02:51:58PM +0100, Danny Horne wrote:
Can anyone follow up on this? In other words, are any of you using
Let's Encrypt certificates with any of the TLSA options written about?
In my survey of 12000 DANE TLSA-enabled domains
On Thu, 8 Sep 2016, /dev/rob0 wrote:
I am not in any hurry to move my email into IPv6 land. For now I am
satisfied to have IPv4-only MX records for my domains. My server is
IPv4-only, for that matter.
I'm operating dual stacked servers for years now and don't see negative
impact. Majority o
Hello,
after nearly a year I was now able to setup a testing domain which
supports DANE with a German domain provider. Now I'm in the testing stage
to see if I did everything right.
DNSSEC-validation is fine:
http://dnssec-debugger.verisignlabs.com/cryptedmail.eu
DANE/TLSA existence is fine:
On Thu, 27 Nov 2014, Viktor Dukhovni wrote:
which shows a non-broken DoE response, so it looks your domain is
all set. Though sometimes the issue is triggered by a wildcard at
the zone apex ("*.example.com") that is incorrectly applied to
I stopped using wildcards for my active used domains. T
Hello,
I did clean up my mail server a bit to finally get rid of my known issues
(i.e. filtering outgoing mails with SpamAssassin).
Using the approach like in
http://www.postfix.org/FILTER_README.html#remote_only
I did setup separate entries for localhost and external IP. Now with IPv4
and I
On Wed, 22 Feb 2017, Peter wrote:
Yes, at least for a linux box and possibly other unix hosts. You will
want to make sure that /etc/host.conf has the setting, "multi on", then
you can list multiple IPv4 and IPv6 addresses for the same name in
/etc/hosts and use those names in your master.cf fil
On Wed, 22 Feb 2017, Peter wrote:
On 22/02/17 09:18, Dirk Stöcker wrote:
main.cf:
inet_interfaces = localhost, mail.stoecker.eu
Just remove the above, so it defaults to, "all".
That assumes that mail.stoecker.eu is the only external IPv6 address.
The advantage of IPv6 is that ea
Hello,
in one project I'm sending a bunch of status mails to a number of
different recipients. From time to time some of them cannot be delivered
(address changes, server misconfigurations, employment changes, ...).
The bounces from the mail come back to my mail server and should go to a
contractor
On Tue, 28 Feb 2017, Noel Jones wrote:
in one project I'm sending a bunch of status mails to a number of
different recipients. From time to time some of them cannot be delivered
(address changes, server misconfigurations, employment changes, ...).
The bounces from the mail come back to my mail server a
On Sat, 4 Mar 2017, Viktor Dukhovni wrote:
This is much too complex. To attach email message to another message,
just pipe it through the shell script below my signature. This can
be used as part of a pipe(8) transport with the output submitted via
sendmail(1) for delivery.
Thanks a lot. Tha
Hello,
I'm operating a bug tracker which sends out emails to participants
notifying of ticket changes. For new submitters it often happened, that
they simply did reply by mail which won't work with this instance.
Now I changed our setup a bit
In postfix main.cf:
smtpd_recipient_restrictions =
On Sat, 18 Mar 2017, Wietse Venema wrote:
I'm operating a bug tracker which sends out emails to participants
notifying of ticket changes. For new submitters it often happened, that
they simply did reply by mail which won't work with this instance.
Now I changed our setup a bit
In postfix main.c
On Sat, 18 Mar 2017, Richard Damon wrote:
- On your side, don't reject RCPT TO for the no-reply address.
- On your side, add a telepathic policy service that can distinguish
between RCPT TO to verify an address, and RCPT to deliver mail.
smtpd_recipient_restrictions =
reje
On Sun, 19 Mar 2017, Peter wrote:
I would move your check_recipient_access to smtpd_data_restrictions,
then it should work that it will not reject until the DATA command, but
servers performing address verification will have bailed by that point.
So you end up rejecting actual messages but not v
On Tue, 21 Mar 2017, Mike Guelfi wrote:
If people want to use a non RFC compliant verification system, then they're
going to have problems with false positives on their spam filter.
The operative word being: they.
Your customer needs to get their email vendor to whitelist your trac
instance.
On Sat, 25 Mar 2017, Paul C wrote:
I wish the world would use ipv6 enough for this to be worth doing, but
it's not going to have much benefit to you as there's almost no one
using it for smtp, from the last time I checked which was a few months
ago, google uses it perfectly, verizon too (maybe a
On Tue, 29 Aug 2017, Tom Browder wrote:
Gmail has a list of steps recommended to minimize spam identification,
particularly mail sent as bulk mail (as from mailing lists).
One of the recommendations is to use DKIM and that is clearly explained on the
postfix website.
The other steps are fair
Hello,
IF SMTP error code = 5.7.1
AND remote server = GMail
DON’T generate a bounce message (my server)
ELSE
Generate bounce messages (my server)
I use following approach for this problem, which not only affects GMail,
but also T-Online and any other service rej
On Mon, 6 Nov 2017, Viktor Dukhovni wrote:
/.*infusionmail.com$/ 550 Infusionmail is not wanted or welcome
/.*\yahoo\.com/ 550 Yahoo.com is not allowed here, use gmail or someone who
hasn't leaked 3 billion passwords
/\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|j
On Thu, 23 Nov 2017, Jonathan Sélea wrote:
I did struggle a lot to understand and deploy a secure cipher list that
https://hardenize.com and https://ssl-tool.net would not complain on, so I
came up with this:
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smt
On Wed, 24 Jan 2018, Danny Horne wrote:
On 22/01/2018 3:52 pm, Viktor Dukhovni wrote:
On Jan 22, 2018, at 10:06 AM, Danny Horne wrote:
Private CA sounds interesting, will have to read up about it
You can get away with a lot less complexity than the usual OpenSSL CA.
See, for example:
h
On Wed, 24 Jan 2018, Viktor Dukhovni wrote:
One one want to start with "umask 077", to avoid creating
world-readable private key files. This should not be
necessary with OpenSSL 1.1.0 and later, but older versions
(e.g. OpenSSL 1.0.2) create all output files with default
permissions, constraine
On Wed, 24 Jan 2018, Harald Koch wrote:
It's not sooo complicated:
The length of your message contradicts that statement.
Well, I assumed that for people who operate a proper postfix instance 3
different command sets and creating two files isn't complicated. If that
assumption is untrue an
On Mon, 28 May 2018, Viktor Dukhovni wrote:
It might be useful, but probably not, to have a version of postconf -n that
showed the default value alongside the changed value:
join <(postconf -n) <(postconf -d | sed 's/=/(default:/; s/$/)/')
Do you maybe also have a command to show only cha
On Tue, 29 May 2018, Wietse Venema wrote:
This is a task which I need something to change a vendor supplied main.cf
into the better understandable minimum configuration which does not
contain legacy settings.
Could "postconf" get a new "-N" parameter for that maybe ;-)
My Postfix cycles are c
or Google about using multiple
lists. Is this not possible (any more), does it need a different syntax?
Any hint or help is appreciated.
Dirk
On Thu, April 8, 2010 12:32 pm, Dirk H. Schulz said:
> I have configured my Postfix to use multiple access lists like that:
>> check_client_access hash:/usr/pkg/etc/postfix-in/list1,
>> hash:/usr/pkg/etc/postfix-in/list2
> I think this has worked some time, but it do
heartbeat/LinuxHA), a switchover would be
quite transparent for users.
One drawback is that you have to have a means of synchronizing deletes
and moves.
Dirk
11526 Aug 21 17:19
/usr/local/lib/postfix-policyd-spf-perl
The rights on the file and the path are the same or similar as those on
the gateways where that works. I am simply stuck where to look at - any
hint or help is appreciated.
Dirk
Hi Wietse,
Wietse Venema schrieb:
Dirk H. Schulz:
Hi folks,
I am running postfix mail gateways on several UNIXes, and they have the
same or similar configurations.
On my NetBSD gateway I get lots of these errors in the mail log:
spawn[18506]: fatal: spawn_comand: execvp
/usr/local
Hi all,
perhaps you should have a look at:
http://www.opencsw.org/about/
Kind regards,
Dirk
--
Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics Member of the Helmholtz Association
D-22603 Hamburg Notkestrasse 85
Hi Joy,
depending on what you want to achieve, you might want to have
a look at http://www.milter.info/sendmail/milter-limit/
perhaps in combination with an outgoing-only instance of Postfix.
Kind regards
--
Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY
IT Information
using Kerberos. Get your
K5-Ticket-Granting-Ticket at your Kerberos server,
yes: using username password, and then use this ticket
during the next hours to authenticate against properly
configured servers (Dovecot, Apache, ...). May be this
is a hint into the direction of what might help you.
Cheers, Dirk.
Hello,
I recently did a misconfiguration of an internal mail server for a test
system and as a result broke the TLSA record. Postfix still delivered
mail to the system now with Trusted instead of Verified (BTW I find
these two outputs texts misleading, each time I check the logs I look
for a
Hello,
DANE TLSA records are strictly enforced when "well-formed", where
well-formed also requires a plausible TLSA "associated data" field
(expected length for SHA2-256 and SHA2-512 digests and valid DER
encoding of certs or keys for matching type Full(0)).
That's what I did expect. Starting
Hello,
On my machine, the authoritative server (BIND) only listens on
the ethernet IP interface, while the recursive server (unbound)
listens only on 127.0.0.1. It validates queries for my own domain,
just like for any other.
I wanted to prevent installing and caring for two software ins
Hello,
Postfix logs TLS status details before it logs delivery status details.
...
With plaintext delivery, that first line will not be logged.
I know.
In both cases the logging shows the SMTP client process name and
process ID, and the remote SMTP server name, IP address, and port.
With
Hello Wietse Venema,
This will print recipient addresses that were sent over TLS.
Based on your suggestion I improved it a bit. In case someone else has
the same problem here the full script. It prints outgoing non TLS and at
the end a summary.
I'm sending mainly TLS except many DMARC repo
Hello,
for outgoing TLS connections with smtp_tls_loglevel=1 I can see the
Trusted, Untrusted or Verified lines easily by a grep with " connection
established to " in the log.
Now I tried to find all remaining unencrypted connections and failed. I
neither found any specific log line for the