[pfx] SPF format question

2024-06-09 Thread Jeff Peng via Postfix-users
Hello. If I have a mx server: mx.host.com whose ip is 1.2.3.4. The domain.com who use this mx server may have the following SPF.
v=spf1 mx ~all
v=spf1 ip4:1.2.3.4 ~all
v=spf1 a:mx.host.com ~all
v=spf1 mx:domain.com ~all
May I know if they mean the same stuff for SPF? Thanks.

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Jeff Peng via Postfix-users
why not postscreen for this purpose? BTW I'm using a script (policyd.pl) that does weighted scoring for RBLs (as well as SPF), which I'd prefer rather than doing that with Postfix directly.

[pfx] SSL_accept error for smtpd

2024-06-10 Thread Jeff Peng via Postfix-users
Hello what's this error in mail.log?
Jun 11 01:52:15 tls-mail postfix/smtpd[67409]: connect from unknown[172.210.47.140]
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: SSL_accept error from unknown[172.210.47.140]: -1
Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning: TLS library problem

[pfx] Re: SSL_accept error for smtpd

2024-06-10 Thread Jeff Peng via Postfix-users
Thanks Wietse. The request is not made by our client, so I am safe to ignore the error. If this does not happen with a legitimate client, then this could be someone who is looking for trouble (they failed) and you can ignore the problem.

[pfx] DKIM policy question

2024-06-10 Thread Jeff Peng via Postfix-users
Hello spf, dmarc have the policy to reject a message. My question is, why dkim has no choice for rejecting messages? for example, if dkim signature failed, where to instruct this message can be rejected? Thank you.

[pfx] Re: DKIM policy question

2024-06-11 Thread Jeff Peng via Postfix-users
nice to know the info. thanks Viktor. Per the specification, a DKIM signature that fails to match the message content MUST be treated the same as absence of DKIM signatures. Also, absent a DKIM-Signature header, you can't even find the DKIM DNS record, because the selector is unknown. Any ass

[pfx] secure the email system

2024-06-12 Thread Jeff Peng via Postfix-users
Hello friends, I am trying to make my email system on tls-mail.com more secure and solid. I have taken the following deployments. 1. close port 587 and 143, use port 993 and 465 with ssl only. 2. disable sasl auth on port 25. 3. use policyd-rate-limit to limit sending rate. 4. use postscreen f

[pfx] Re: secure the email system

2024-06-13 Thread Jeff Peng via Postfix-users
On 2024-06-13 15:07, Dimitris via Postfix-users wrote: On 13/6/24 03:51, Jeff Peng via Postfix-users wrote: 3. use policyd-rate-limit to limit sending rate. 5. use policyd-spf to check sender IP's SPF and reject the failed one. 6. use opendmarc to check sender domain's DMARC

[pfx] Re: secure the email system

2024-06-13 Thread Jeff Peng via Postfix-users
Hello Wietse, I have added this line: smtpd_reject_unlisted_sender = yes into main.cf. May I ask, this option is for submission request, or for MX request? Thanks. On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote: Wietse Venema via Postfix-users: A paranoid configuration could

[pfx] distributed email system

2024-06-14 Thread Jeff Peng via Postfix-users
Hello, Is there any guide to setup a distributed email system? there should be multiple MX, multiple IMAP/storage servers, and sasl server cluster etc. Thanks.

[pfx] Re: distributed email system

2024-06-14 Thread Jeff Peng via Postfix-users
On 2024-06-14 22:31, Wietse Venema via Postfix-users wrote: Jeff Peng via Postfix-users: Hello, Is there any guide to setup a distributed email system? there should be multiple MX, multiple IMAP/storage servers, and sasl server cluster etc. That could be a job interview question. The

[pfx] Re: distributed email system

2024-06-14 Thread Jeff Peng via Postfix-users
On 2024-06-15 06:32, Wietse Venema via Postfix-users wrote: There is a difference between IMAP/POP and SMTP. With IMAP/POP a front end proxy needs to connect each user to the right message store instance. With SMTP, different sessions can be handled by different servers. The servers can figure

[pfx] Re: distributed email system

2024-06-14 Thread Jeff Peng via Postfix-users
On 2024-06-15 12:46, Jean-François Bachelet via Postfix-users wrote: Hello folks :) isn't it what sql databases replication is good for ? Replication becomes bad when network partition. ;)

[pfx] Re: Fastest way to reject unwanted sender

2024-06-15 Thread Jeff Peng via Postfix-users
On 2024-06-15 18:14, John Levine via Postfix-users wrote: People I'm working with have a short list of addresses from which they don't want to accept mail at all, and they'd like to reject as early as possible without running it through anti-spam milters, ideally by rejecting the SMTP MAIL FROM c

[pfx] Re: distributed email system

2024-06-15 Thread Jeff Peng via Postfix-users
On 2024-06-15 21:35, Wietse Venema via Postfix-users wrote: This is a bit off topic for Postfix, but a common approach is to shard a global database into regional ones and limit the impact of outages. Some database systems support sharding out of the box (for example, MongoDB, supported by Pos

[pfx] Re: Best practices?

2024-06-16 Thread Jeff Peng via Postfix-users
# SMTPd SERVER TLS/SSL Settings tls_daemon_random_bytes = 64 tls_random_bytes = 64 smtpd_tls_cert_file = /etc/letsencrypt/live/email.broker/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/email.broker/privkey.pem smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_manda

[pfx] Re: Do I have sals authentication properly configured?

2024-06-16 Thread Jeff Peng via Postfix-users
- Did the client connect to port 25 or 578? 578 isn't the port 587? :)

[pfx] questions around the configuration

2024-06-16 Thread Jeff Peng via Postfix-users
Hello experts, for my these settings, smtp_use_tls = yes smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache my questions in

[pfx] Re: questions around the configuration

2024-06-16 Thread Jeff Peng via Postfix-users
Got it. Thanks Victor very much. On 2024-06-17 12:18, Viktor Dukhovni via Postfix-users wrote: On Mon, Jun 17, 2024 at 09:54:01AM +0800, Jeff Peng via Postfix-users wrote: smtp_use_tls = yes Obsolete, ignored when the preferred form below is specified. smtp_tls_security_level = may

[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users
I am also using roundcube + postfix + dovecot. the host configuration for roundcube should be FQDN. for example, mine is: $config['imap_host'] = 'ssl://mail.tls-mail.com:993'; $config['smtp_host'] = 'ssl://mail.tls-mail.com:465'; you can't use something like: $config['imap_host'] = 'ssl://local

[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users
On 2024-06-18 07:30, Peter via Postfix-users wrote: On 17/06/2024 17:28, Paul Schmehl wrote: How do you set up roundcube to not use authentication? I really don’t need it since it’s on the same machine as the mail server. What config options do I need to use? To be honest, you still likely wa

[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users
On 2024-06-18 10:40, postfix--- via Postfix-users wrote: To be honest, you still likely want authentication. Keep in mind that you don't need to authenticate as a single user for roundcube but rather you can have roundcube pass authentication through from its own user login and therefore supp

[pfx] Help with reject_sender_login_mismatch

2024-06-18 Thread Jeff Peng via Postfix-users
Hello, I have this section in master.cf: smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject -o

[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Jeff Peng via Postfix-users
On 2024-06-18 15:51, Gilgongo wrote: On Tue, 18 Jun 2024 at 08:31, Jeff Peng via Postfix-users < postfix-users@postfix.org> wrote: Hello, I have this section in master.cf: smtps inet n - y - - smtpd -o syslog_name=postfix/smtps

[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Jeff Peng via Postfix-users
Thanks for all the kind help. I have resolved the issue and wrote a note for it. https://notes.postno.de/how-to-use-reject-sender-login-mismatch-in-postfix.html if you find any issue in this note, please let me know. Thanks. Oh, sorry I didn't see you weren't using smtpd_sender_login_ma

[pfx] Re: Best practices?

2024-06-18 Thread Jeff Peng via Postfix-users
On 2024-06-19 05:15, Cody Millard via Postfix-users wrote: I am not sure what SRS or AUC are right now. I saw Dr. Lindenberg has a similar test suite like your site. https://blog.lindenberg.one/EmailSecurityTest

[pfx] Re: Best practices?

2024-06-19 Thread Jeff Peng via Postfix-users
On 2024-06-19 17:29, Matt Kinni via Postfix-users wrote: On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote: On 2024-06-16 15:21, Cody Millard via Postfix-users wrote: smtpd_helo_restrictions = ... reject_non_fqdn_helo_hostname, ... I've found this to block some legitimate mai

[pfx] discard message

2024-06-19 Thread Jeff Peng via Postfix-users
Hello does smtp have an action "discard"? if so where messages will be discarded? I see smtp code has "reject" while sieve has "discard". So I am asking this question. Thank you.

[pfx] Re: discard message

2024-06-20 Thread Jeff Peng via Postfix-users
best is to use a milter to reject spam, such as rspamd or amavisd-milter, no forged header checks then i know rspamd is a milter, but spamassassin not working as milter? thanks.

[pfx] question for a directive in master.cf

2024-06-20 Thread Jeff Peng via Postfix-users
Hello for these options for submission in master.cf: submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes # -o smtpd_tls_auth_only=yes # -o smtpd_reject_unlisted_recipient=no #

[pfx] Re: question for a directive in master.cf

2024-06-21 Thread Jeff Peng via Postfix-users
The default value is "no", as expected. $ postconf -d smtpd_sasl_auth_enable smtpd_sasl_auth_enable = no Best practice is to enable SASL auth only on the submission ports and NOT on port 25. I have changed the setting for submission to: submission inet n - y -

[pfx] Re: question for a directive in master.cf

2024-06-21 Thread Jeff Peng via Postfix-users
If you want to enable them, you have to uncomment ALL lines for submission service to work correctly. That's good idea. Thanks Rafa.

[pfx] Re: question for a directive in master.cf

2024-06-21 Thread Jeff Peng via Postfix-users
If you want to enable them, you have to uncomment ALL lines for submission service to work correctly. just further, for smtps service, can i just comment out all of options to enable it? #smtps inet n - y - - smtpd # -o syslog_name=postfix/smtps # -o s

[pfx] how to implement this route

2024-06-23 Thread Jeff Peng via Postfix-users
Hello I saw gmx.de/web.de have a policy that, if the submission IP is not from DE/EU, messages will be routed to a different gateway which is listed in spamhaus already. Otherwise if submission client's IP is in DE/EU, messages will be routed out via the normal gateway whose IP is clean. How

[pfx] Re: how to implement this route

2024-06-23 Thread Jeff Peng via Postfix-users
On 2024-06-23 20:24, Wietse Venema via Postfix-users wrote: Jeff Peng via Postfix-users: Hello I saw gmx.de/web.de have a policy that, if the submission IP is not from DE/EU, messages will be routed to a different gateway which is listed in spamhaus already. Otherwise if submission client

[pfx] inquiry for milter server

2024-06-23 Thread Jeff Peng via Postfix-users
what's the mainstream milter server for customized content analysis such as headers and languages? I may want to block some special messages which have a special header or special language (like middle-east). Thanks in advance. regards.

[pfx] Re: managing multi instances

2024-06-27 Thread Jeff Peng via Postfix-users
If you were using cloud VM There is a tech called live migration Under which you take no care on applications such as postfix. Hi, I have two questions regarding multi instance management. 1. is there a way to batch migrate multi instances from serverA to serverB? We are planning to replace

[pfx] Roundcube question

2024-06-28 Thread Jeff Peng via Postfix-users
Does one roundcube installation support only one SASL backend? For example I configure it to access aol then it cannot access gmail. Other webmail such as snappy can connect to many smtp/imap backends, such as yahoo/outlook/gmail, they can be set up in one installation. Thanks

[pfx] Re: News about The new Postfix book ?

2024-07-02 Thread Jeff Peng via Postfix-users
I will order one as well. Here's a link to the web site where you can order it: https://www.tiltedwindmillpress.com/product/ryoms-preorder/