On Fri, May 28, 2021 at 10:40 AM Maurizio Caloro wrote:
> Hello
>
> want to put this setup into operation and it failed. I have a Postfix
> server with this setup and Spamassassin.
>
> in the background there is an HCL Domino server. I was able to E-Mail from
> (LAN) to myself (WORLD), but
>
> E-
On Fri, May 28, 2021 at 6:28 PM David Favor wrote:
> My goal is to limit allowed sender domains, to ensure no
> mail config problem sends from a domain with no SPF
> authorization for sending IP.
>
If you want to choose transport based on sender, you probably want
"sender_dependent_default_tr
>
>
> > If you want to choose transport based on sender, you probably want
> > "sender_dependent_default_transport_maps"
> >
> >
> http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps
> >
>
>
It seems that this option doesn't support wildcards.
It says
>The tables are sear
> What are the $mua_helo_restrictions and $mua_sender_restrictions in the
> master.cf
http://www.postfix.org/master.5.html
-o name=value (short form)
Override the named main.cf configuration parameter.
The parameter value can refer to other parameters as $name etc., just like
in main.cf.
See pos
>
>
> Our dilemma is that most online tutorials and how-to's have everything on
> one server.
>
I'd start with
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall
> problem is that despite all the tutos I can read / use I can't get
> Postfix to send any mail from that server to the outside. using SSL or not.
>
Hi.
1. Please show the last 20 messages from your ``mail.log``
2. ``postconf -n`` output please
3. Did you change anything in your ``main.cf`` or do
Hello.
> relayhost = [smtp.externalserver]
Do you really want to send all emails via this host or do you want to send
them directly?
> Jun 24 12:50:53 amiga postfix/smtpd[26449]: connect from
localhost[127.0.0.1]
> Jun 24 12:53:14 amiga postfix/smtpd[26449]: SSL_accept error from
localhost[127.0.
>
>
> I know this, it's exactly why I want my out mail to use only secure
> ports 465 and/or 587.
>
You can't connect to 465 on some random MTA to send email. These ports are
only used by local clients.
Ask your hoster support for relayhost and configure it as "relayhost"
>
>
> Nothing that looks like an error in : /var/log/mail.log or
> /var/log/syslog
>
> try to send email to your domain from some host outside of your network
and see what is in /var/log/mail.log
I just checked and can confirm that your host accepts email for @
keiththewebguy.com.
So you s
>
>
> I can send and receive via Yahoo mail. I can not receive when I use an
> email account on my VPS which has worked for years.
>
Check your VPS MTA logs or contact your VPS support
Hello.
I have postfix running on linux box.
I setup OpenDKIM with both smtpd and non_smtp milters.
I also set my address in DNS as permitted IP for SPF.
So far, so good.
But I want all my mail to be forwarded to gmail.
Some user sends me email from user@some_sender_domain.
If I use .forward or
en failure is soft.
It seems that I can't fix it, right?
On Mon, Sep 14, 2020 at 4:53 PM Dominic Raferd
wrote:
> On 14/09/2020 14:31, IL Ka wrote:
> > Hello.
> > I have postfix running on linux box.
> >
> > I setup OpenDKIM with both smtpd and non_smtp mi
Hi.
I'd start with checking your logs (i.e. "/var/log/maillog")
On Thu, Oct 1, 2020 at 10:01 PM Ranjan Maitra wrote:
> Hi,
>
> I have an issue that I can not resolve at my work environment.
>
> When I use commandline mail, my e-mail gets delivered.
>
> However, when I use a mailer (like sylpheed
> mynetworks = 127.0.0.0/8, My Public IP
> Trying ::1...
It could be that you are using IPv6 to connect while "mynetworks" is IPv4
address.
Try "telnet 127.0.0.1 25"
On Mon, Oct 12, 2020 at 3:25 PM Jason Long wrote:
> Hello,
> I installed Postfix on CentOS and my "main.cf" file is as below:
>
>
citly disable IPv6:
https://www.tecmint.com/disable-ipv6-in-centos-8/
Or use IPv4 address explicitly: "telnet 127.0.0.1 25".
I'd stay with the latter case.
On Mon, Oct 12, 2020 at 5:55 PM Jason Long wrote:
> Thank you for your reply.
> How can I sure I'm us
What are you trying to achieve?
There are a lot of scenarios where Postfix may be used:
* "Send only" email server for your website (to give your website ability
to send emails). You never receive any emails from the outside.
* Forward only: it just accepts mails from your apps, and sends them via
> DNS server have another MX record for other mail server.
Then all mail to your domain will go to that mail server. No way to change
it. This is how SMTP works:
If one or more MX RRs are found for a given name, SMTP systems MUST
NOT utilize any A RRs
https://tools.ietf.org/html/rfc2821#section
>1- Each domain can have a MX record?
If you want to receive email for this domain then yes, you should have an
MX record for it. Without it "A" record will be used, but it is better to
have MX.
>2- If a company need multi MX record then it must have multi DNS server
too?
You can have multiple M
Set "milter_default_action" to "reject", reload postfix, and try to send
mail.
You should probably get some errors in maillog.
Check your syslog config, to make sure opendkim logs are also written.
Check your dkim is running (telnet 127.0.0.1 8891).
Btw, I have not set "milter_mail_macros" explic
> The config file is active, however.
You can check your milter config with
$ postconf smtpd_milters non_smtpd_milters milter_default_action
or even
$ postconf | grep milter
You can probably post its output here.
Also, try to increase logging:
http://www.postfix.org/DEBUG_README.html
Shutdown OpenDKIM, set "milter_default_action = tempfail", reload postfix
and try to send something.
If your mail is rejected, then Postfix configuration is ok, and you need to
grep maillog (or other logs) for DKIM
On Wed, Oct 14, 2020 at 5:28 PM Jeff Abrahamson wrote:
> On 14/10/2
_canonical_maps = regexp:/etc/postfix/sender_canonical_map # In this
file I change envelope address to my domain.
Google is now perfectly happy with both SPF and DKIM.
Shouldn't we add this recipe to the official postfix documentation?
On Mon, Sep 14, 2020 at 4:31 PM IL Ka wrote:
>
Hello.
What is the difference between these two types?
Thank you.
Ilya.
If someone hacked your PHP script, he or she may add any code to it,
including code that connects to your smtpd and sends email.
In PHP one can use mail() function (which can use TCP connection to the
localhost:25 according to the settings in php.ini) or establish connection
directly.
As we can se
Rock solid solution is to separate htdocs (a folder that is accessible via
web) from the code folder (the one with scripts).
I do not know how that could be done with PHP (I believe you can serve
static files with nginx and run php as FPM connected to the nginx with
FastCGI) but in Python world we
>
/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
That is fine: networks are constantly scanned by bots. They are trying to
hack any site using well-known vulnerabilities.
I have a lot of similar entries, although I do not have PHP on my sit
I think you can install the DNS server locally (on the same machine where
postfix runs) and configure postfix to use it
On Wed, Oct 21, 2020 at 1:42 PM Zsombor B wrote:
>
> I can't force the customer changing their DNS.
>
> Any postfix solution?
>
> BTW it looks like postfix delivers mails to al
Hello.
I haven't tried it yet, but DKIM with ed25519 is draft:
https://tools.ietf.org/id/draft-ietf-dcrup-dkim-crypto-11.html
and official RFC doesn't mention it: https://tools.ietf.org/html/rfc6376
Doesn't it mean that ed25519 support is optional and many MTAs over the
Internet simply wouldn't b
It is just a warning, you can live with it.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926331
On Mon, Oct 26, 2020 at 7:59 PM natan wrote:
> Hi
> Probably bug in debian 10 ...
> "warning: symlink leaves directory: /etc/postfix/./makedefs.out"
>
> ii postfix 3.4.14-0+deb10u1 amd64
>
>
> Feb 18 13:03:31 server07 postfix/smtpd[11585]: warning: SASL
> authentication failure: Internal Error -4 in server.c near line 1757
>
Do you have cyrus sasl installed?
>
On Tue, Feb 23, 2021 at 4:58 PM Francesc Peñalvez
wrote:
> I was looking in the postfix manual for the waiting parameter by which
> an email is tried to send after receiving a 4xx code. I am interested in
Hi.
I think you need to configure qmgr: http://www.postfix.org/qmgr.8.html
Look at "backof
>
> It is an *ANCIENT* reference, but the O'Reilly book "Building
> Internet
> Firewalls" describes a simple program called smap.
It runs without root privileges and ONLY accepts incoming SMTP connections,
> dropping messages into a queue for processing by another program.
> (Could this be
>
>
> There is neither a service at port 443, nor a postfix.org website.
>
>
I believe this is about http://www.postfix.org/
There is no https there.
It should be easy to install Letsencrypt certificate there, but I am not
sure if it's worth the effort
>
>
> Hi.
Do you have email addresses in different domains? Do you own all these
domains (have access to their DNS configuration etc)?
Do you want to receive emails for these domains?
Hi.
In most cases you shouldn't send email from @gmail through your server,
because gmail has SPF policy (srv record in DNS) and only gmail servers are
allowed to send emails from this domain (email sent from another IP will go
to spam).
You can configure your server to forward these emails via gm
>
>
> I do not need to receive any emails on my VPS (I using my home server to
> that, storing emails starting from 2002 using dovecot and roundcube - we
> are happy with this).
>
Hm.. how can you receive emails for your domain on your home server? What
will the MX record contain?
> Seem to be I
> Mails are collected by fetchmail (as daemon using /etc/fetchmail.rc)
>
>
> So, you aren't going to receive any email on your VPS, then you should
configure inet_interfaces to listen only your VPN IP
http://www.postfix.org/postconf.5.html#inet_interfaces
You can even listen to the submission port
>
> just add that IP to "mynetworks" and send the mail to your server the
> normal way via port 25... Less to set up...
>
IMHO: no need to listen to 25 on the public ip if you aren't going to
receive any email from there.
"mynetworks" will protect server from open relay, but still many bots will
t
>
>
> We are getting reports, more and more, of email clients (Type App, Mac
> Mail, iOS Mail) that seem to send email, and show that the email has
> been sent on the client, but the mail server has no record of email ever
> reaching the SMTP service, nor does it even seem that the client is
> conn
>
> I would like to configure Postfix the following way:
>
>- emails from localhost -> 192.168.1.5
>- emails from my_network (192.168.1.0/24) -> the rest of the world
>(with MX resolution)
>
> Do you know which sender will be used for your locally generated mail?
If so, try
http://www.p
Hello,
Is there any difference between setting "relayhost" and default_transport
smtp with
explicit next hop?
Ilya.
Hello,
It is suggested to provide list of relay_domains explicitly for the backup
mx:
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
But another solution is to set "permit_mx_backup" for
"smtp_relay_restrictions".
It seems to be a flexible approach (since only DNS should be chan
Thank you Bill,
This is the part I missed:
> Anyone can make their domain point to your MTA as a
> backup MX.
And my postfix will automatically act as backup MX for anyone who simply
adds my ip as back MX unless I set "permit_mx_backup_networks".
Now it is clear
>
> Yes, "relayhost" also affects the routing of mail to "relay_domains".
>
> Thank you, Viktor.
I see: "relay_domains" -> "relay_transport".
"relayhost" affects both: default_transport and relay_transport
Hello,
As I understand, local_header_rewrite_clients is used for 2 purposes:
* Add $mydomain to the incomplete address
* Masquerade domain (remove redundant part)
Latter is documented here:
http://www.postfix.org/ADDRESS_REWRITING_README.html#masquerade
and it seems to work correctly
But "local_
>
>
> May 10 09:17:42 smtp01 postfix/smtpd[21033]: warning: SASL
> authentication failure: cannot connect to saslauthd server: No such file
> or directory
>
this is a problem
>
> /var/run/saslauthd is present - yes
> /var/spool/postfix/var/run/saslauthd is present - yes
>
Is one dir link to anothe
saslauthd creates a socket (usually in /var/run/saslauthd) and listens to
it.
Here is what I see when I run saslauthd from the command line:
(I use getpwent but pam should be used probably)
# saslauthd -a getpwent -d
saslauthd[22825] :main: num_procs : 5
saslauthd[22825] :main
>
>
> Is there any security benefits to creating this smart host as a separate
> SMTP server? Are there any "best practices" for this kind of situation?
>
It depends on your network structure and how much you trust your new
clients.
If your client resides directly at your local network (eithe
>
>
> Postfix have any native capabilities good for detecting these issues and
> acting on them, or would I just need to do some kind of checks on the
> pflogsumm output each day? Obviously the sooner I can catch these messages
> and act on them, the better, so the more realtime I can do this, the
>
>
> Hi,
>
Hello,
>
> I've set up postfix to be the mail relay for a domain so we can
> process it through amavis/spamassassin prior to it being forwarded on
> to our O365 domain.
>
You need to add this domain to the "relay_domains"
>
> I've set up a recipient check to allow relaying for our z
>
>
> So I'm unable to send mail as a...@mydomain.com to any domain other
> than the ones managed by our mail server. How do I convince postfix
> that it should route mail for mydomain.com from
> outbound.protection.outlook.com?
>
> 1. If you want postfix to route/relay email TO some domain from A
>
>
>
> We've created an outbound O365 connector to route outbound mail
> through our servers before being delivered to their final destination
> - I believe this is effectively relaying mail from
> outbound.protection.outlook.com:
>
I am a little bit confused).
Zendesk sends email to the O365,
>
>
>
> If now a user of such a domain requests that he can be blocked
> from receiving email from my domain, due to abuse of my service,
> would be a simple REJECT of his email address in the same
> transport map list be sufficient, or does postfix may get confused?
>
>
transport(5) can have "erro
>
> I've done a terrible job of explaining this, partly because I don't
> fully understand and also don't have all the facts.
>
Try to gather as much information as possible and draw a diagram on a piece
of paper)
>
> We are trying to provide mail filtering using postfix/amavis for a
> company u
>
>
> I am trying to debug it by connecting directly to port 25 on localhost
> using telnet and composing mail that way. It appears to be sent
> according to the postfix mail.log but it just disappears.
>
It could be that it went to spam because you misused some headers while
sending mail manually
>
>
> I am setting up a postfix instance as submission only to complement
> dovecot in imap mode.
> Is there a way to turn off listening on port 25 and only have submission
> listen on 587?
> I already know how to bind the submission service to 587 in the
> master.cf
Any service could be commente
>
> And I know you all keep politely telling me I'm crazy for not
> understanding postfix wants to deliver to user's mailboxes. I get that.
> Not knowing the inner workings of postfix, from a logical point of view,
> submission isn't smtp:25, it has its own service spawn, it works on its
> own port,
>
>
> The issue I'm trying to avoid is that when postfix/submission accepts a
> message meant for another user on the same domain, it delivers it
> directly to maildir and does not put that message through the same
> filters, milters, policy servers as if the message was accepted by
> smtp:25.
You
> Hi!
>
> I am having trouble to figure out why emails send as an authenticated
> user (saslauthd) seems to not be "routed" via milters or amavis?
>
Does the user use SMTP or sendmail command?
There are 2 types of milters:
http://www.postfix.org/postconf.5.html#non_smtpd_milters
http://www.postfix
>
>
> Server haproxy.example.com:587 accepts public connections and proxies to
> submission.example.com:587
Why forward it via haproxy?
What is wrong with postfix connected to the public IP?
>
> Each server was given its own SSL cert (Let's Encrypt certbot).
>
If you use haproxy TLS support, th
>
>
>
> The client is trying to TLS with postfix, who has a certificate for
> submission.example.com
> The client is connected to haproxy.example.com
>
> haproxy.example.com:587 != crt submission.example.com
You can create a certificate with several domain names.
Honestly, I have never tried that
>
> Load balancing.
>
Do you really have such a big load so one submission postfix isn't enough?
If you are speaking about fault tolerance only, then you could run
"submission only" postfix instead of haproxy. This postfix will then store
messages in queue and send them to the appropriate backend
Disclaimer: I am not a network guru, but here is what I know.
With CNAME scenario you can't have more than one backend. Because HAProxy
acts as L4 (TCP) balancer, it has no idea which server you are trying to
connect to and which server's certificate you are waiting for.
It just sends your packe
>
>
> 2. This (same) certificate chain and associated private key is
> deployed
> on all the backend servers that sit behind the load-balancer.
>
> I wrote that CNAME doesn't work with several backends.
I now see it works if all backends share the same key and cert. Sounds good)
Thank
> > > 2. This (same) certificate chain and associated private key is
> > > deployed
> > > on all the backend servers that sit behind the load-balancer.
> > >
> > > I wrote that CNAME doesn't work with several backends.
> > I now see it works if all backends share the same key and cert.
> Proxies are only needed for very large mail plants, where the message
> rate is too high for any one machine to handle, and you also need
> GeoIP DNS load-balancing, front-end proxies per datacentre, ...
>
> For those of us not working for Google, much simpler approaches
> are more robust (easier
> Using certbot (with a validation method that works with auto renew) I
> can create a certificate on the backend.example.com server and tell
> certbot the certificate will be for submission.example.com even though
> submission.example.com will not resolve to the server I'm running certbot
> on?
>
>
>
> Which "backend"?
>
"random or designated"
Viktor's comment:
7. Some suitable process arranges to update the peer servers
whenever a new certificate is obtained by some (*random or
designated*) server in the cluster. Or some completely
separate provisioning syst