Re: "Authentication-Results" header order

2021-07-04 Thread PGNet Dev
On 7/4/21 4:10 PM, Juri Haberland wrote: On 03/07/2021 13:29, Markus E. wrote: By the way, I like the way Google merges the headers into one, like: an additional option is: https://github.com/fastmail/authentication_milter very config'able, a typical header appears as: Authenticati

Re: Can send but not receive

2021-07-08 Thread PGNet Dev
On 7/8/21 1:59 PM, techli...@phpcoderusa.com wrote: Any thought how I can troubleshoot this? map out your traffic one step at a time. connect with openssl s_client curl from an external server, and manually exec an smtp transaction. &/or, less conveniently, (re)send mail from

Re: Stopping backscatter spam to a specific domain

2021-07-11 Thread PGNet Dev
On 7/11/21 3:46 PM, Ron Garret wrote: Ah. That may be my problem then. I’m using Dovecot via LMTP for local delivery. I thought that postfix would receive information about non-existent users via that protocol, but I guess it doesn’t and ends up just accepting everything. So… is dovecot ac

Re: Conditional milter_header_checks?

2021-07-13 Thread PGNet Dev
On 7/13/21 6:06 PM, post...@ptld.com wrote: I am not meaning to be confrontational, i want to develop a deeper understanding and educate myself. your issues are not with Postfix, & likely won't be further addressed/solved here they're with your understanding of DMARC policy/usage, and the par

heads up: dkimpy-milter signing breaks w/ python 3.10 (e.g., @ fedora 45 -> 35 upgrade)

2021-11-02 Thread PGNet Dev
i've reported the bug here, python 3.10 incompat, exec FAILs @ "SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats" https://bugs.launchpad.net/dkimpy-milter/+bug/1949520 fwiw, python 3.9 still works as expected now to poke at it ...

Re: heads up: dkimpy-milter signing breaks w/ python 3.10 (e.g., @ fedora 45 -> 35 upgrade)

2021-11-02 Thread PGNet Dev
On 11/2/21 16:26, Scott Kitterman wrote: Thanks. From the error message, that looks like something from the Python C API, so it's almost certainly in the pymilter Python binding for libmilter, not in dkimpy-milter itself. +1 https://github.com/sdgathman/pymilter/issues/44 thx

Re: heads up: dkimpy-milter signing breaks w/ python 3.10 (e.g., @ fedora 45 -> 35 upgrade)

2021-11-16 Thread PGNet Dev
On 11/2/21 16:26, Scott Kitterman wrote: On November 2, 2021 8:18:54 PM UTC, PGNet Dev wrote: i've reported the bug here, python 3.10 incompat, exec FAILs @ "SystemError: PY_SSIZE_T_CLEAN macro must be defined for '#' formats" https://bugs.launchpad.net/d

after adding IPv6 config, getting fail on submission -> "fatal: open dictionary: expecting "type:name" form instead of "::1"" ?

2022-01-03 Thread PGNet Dev
I'm trying to add IPv6 addresses to a previously IPv4-only/working internal-network submission node (mx1); the node receives submissions from another sending postfix instance (mx2) I've botched something, & am getting an error I don't yet recognize/understand, fatal: open dictionary: e

Re: after adding IPv6 config, getting fail on submission -> "fatal: open dictionary: expecting "type:name" form instead of "::1"" ?

2022-01-03 Thread PGNet Dev
On 1/3/22 11:03, Wietse Venema wrote: There's a 'bare' ::1 where [::1] is needed. To find these in main.cf or master.cf: postconf | grep '[^[]::1' postconf -P | grep '[^[]::1' The 'bare' ::1 may also appear in a /file/name that is referenced by mynetworks or by some other Postfix feature. Ther

"ignoring DNS RR:" for only google.com MX ?

2022-01-03 Thread PGNet Dev
in the process of turning on IPv6, send to public 'net via my outbound smtp instance, smtp-out-ext unix - - n - - smtp -o syslog_name=postfix/smtp-out-ext -o smtp_line_length_limit=990 -o smtp_tls_security_level=dane -o smtp_tls_policy_maps

Re: "ignoring DNS RR:" for only google.com MX ?

2022-01-03 Thread PGNet Dev
On 1/3/22 18:15, Viktor Dukhovni wrote: On Mon, Jan 03, 2022 at 12:32:03PM -0500, Wietse Venema wrote: offhand, is that generally needed/beneficial for google.com MXs? I don't know, does anyone want to be the guinea pig and discover if they still randomly bounce email over IPv6? Last I hear

testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread PGNet Dev
i'm prepping postfix tls on the way to DANE implementation current check with testssl -t smtp mx.example.com:25 reports, Testing server defaults (Server Hello) TLS extensions (standard)"renegotiation info/#65281" "EC point formats/#11" "session ticket/#35"

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread PGNet Dev
The other ??? item, "Session Resumption   Tickets: yes, ID resumption test failed, pls report" I've not found any guidance on at all, yet. For postfix, do I care? And if so, what/where is a fix? did find this comment at SF, "Certbot — Post-Handshake New Session Ticket a

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread PGNet Dev
Session ID resumption is by default disabled. This is a feature, let the client store a session ticket if it wants, otherwise it does a fresh handshake. This makes sense for SMTP. OCSP staplingnot offered ???OCSP must staple extension requires OCSP stapling

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-07 Thread PGNet Dev
i've clearly not noticed my mistake 'til now, and afaict have seen no unexplained breakage. dunno if i should've and missed it, or it's just noisy and ignorable? Best to not solicit misbehaviour, even if typically nothing bad happens. sure. not hoping to avoid fixing it! asking if i should'v

Re: testssl reports issues with "Session Resumption" & "OCSP stapling" ; expected status/use for Postfix?

2022-01-08 Thread PGNet Dev
yup, I have separate certs for mail & web. i'd just mistakenly added the ocsp opts to all. quick fixed the mail cert, removing it; web certs keep it 'on', here. testssl check of mail cert now confirms: ... Certificate Revocation List -- OCSP URI

Re: TLS ciphers

2022-01-10 Thread PGNet Dev
for those following along, I find this a useful, summary reference Hands-on: implementing DANE in Postfix. Cryptographic security for mail transport https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-dane-in-postfix

Re: GhettoForge Postfix3

2022-01-18 Thread PGNet Dev
Are there other options (repos) for getting current versions of Postfix using dnf on a RHEL system? fwiw, use existing pkgs from https://src.fedoraproject.org/rpms/postfix for 'Fedora ELN, if that fits your needs or rebuild & package from those sources, or your own tweaked/modified .spec, on

Re: Doing something wrong.

2022-01-19 Thread PGNet Dev
following along & just curious, i checked a postfix 3.6.3 here that's using LetsEncrypt certs, where conf includes smtpd_tls_cert_file = /usr/local/etc/postfix/sec/fullchain.rsa.crt.pem smtpd_tls_eccert_file = /usr/local/etc/postfix/sec/fullchain.ec.crt.pem smtpd_tls_ecke

Re: Doing something wrong.

2022-01-19 Thread PGNet Dev
On 1/19/22 16:46, Viktor Dukhovni wrote: Only "-l dane" can produce a "Verified" result with no explicit trust ... the default is to not trust any CAs. ah. thx! o/ posttls-finger -cC -lsecure -F /etc/ssl/certs/ca-bundle.trust.crt '[mx.example.com]' posttls-finger: mx.example.com[X

use of inet_protocols= option in policy maps?

2022-02-03 Thread PGNet Dev
i've a relay def'd in master.cf relay-test unix - - n - - smtp ... -o smtp_tls_policy_maps=${def_db_type}:${conf_dir}/test/relay_tls_policy entries is 'relay_tls_policy' take usual form, per http://www.postfix.org/TLS_README.html#client_tls_policy, e.g.

Re: use of inet_protocols= option in policy maps?

2022-02-04 Thread PGNet Dev
On 2/3/22 9:28 AM, Viktor Dukhovni wrote: Multiple transports can use the same policy table: relay-test4 unix - - n - - smtp ... -o inet_protocols=ipv4 -o smtp_tls_policy_maps=${def_db_type}:${conf_dir}/test/relay_tls_policy relay-test6 unix

Re: Setting Up Header Checks

2022-03-04 Thread PGNet Dev
On 3/4/22 4:46 PM, Wietse Venema wrote: Austin Witmer: For some reason I can't make Milter-regex install on ubuntu? The "make" command gives me an error when I try to run it. Does it have to run on a BSD based server? Did you try apt-get? Wietse sigh. https://packages.ubuntu.com/

Re: Setting Up Header Checks

2022-03-04 Thread PGNet Dev
What do I need to modify in the Makefile.linux file for my Ubuntu system? short answer: to whatever YOUR system, and your interests, need i don't use ubuntu, so can't help you specifically i strongly suggest you look at the defaults, and modify path accordingly for your ubu sys; if you're buil

Re: milter_header_checks, pcre, chroot

2022-03-18 Thread PGNet Dev
Just an FYI re: an alternative: https://github.com/fastmail/authentication_milter It's freely available AND used in commercial production by the Fastmail crew. I switched to it a while ago, from a similar setup. I use it in its smtpd mode -- and does a good/reliable job of providing an integ

Re: DMARC in postfix ?

2022-04-13 Thread PGNet Dev
On 4/12/22 11:31 PM, John Levine wrote: For doing DMARC validation, I know about the opendmarc milter. Is that what everyone uses? Is there anything else used in practice? for inbound validation, i use https://github.com/fastmail/authentication_milter usable as milter or smtp filter integ

always_bcc for selected recipients? map support?

2022-04-14 Thread PGNet Dev
I'd like to have my Postfix receiving instance always bcc mail for a specific set of recipients to another, off-site server. And to do so regardless of the intended 'main' recipient address being 'up' for receiving @ subsequent Postfix transport delivery targets, or not. Reading, http

Re: always_bcc for selected recipients? map support?

2022-04-14 Thread PGNet Dev
Try sender_bcc_maps or recipient_bcc_maps. once again, looking in the wrong place! perfect, thx.

Re: Where to place spamhaus tests

2022-08-07 Thread PGNet Dev
For reference, a couple of samples of the blocked emails are: NOQUEUE: reject: RCPT from o4.email.wetransfer.com[192.254.123.89]: 554 5.7.1 Service unavailable; Client host [192.254.123.89] blocked using zen.spamhaus.org; from= to=<(redacted)> proto=ESMTP helo= Zen list is an amalgam of X

Re: Where to place spamhaus tests

2022-08-07 Thread PGNet Dev
ANY has to be after DIG, not at the end, but... dig 2.0.0.127.zen.spamhaus.org. any ; <<>> DiG 9.16.30-RH <<>> 2.0.0.127.zen.spamhaus.org. any ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16710 ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0,

Re: Where to place spamhaus tests

2022-08-07 Thread PGNet Dev
You should read: https://www.spamhaus.org/news/article/788/spamhaus-dnsbl-return-codes-technical-update. and https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/020-Postfix.html +1 and, https://www.google.com/search?q=spamhaus+postfix+zen -> first four link

Re: Where to place spamhaus tests

2022-08-07 Thread PGNet Dev
spamassassin isn't causing those rejections. for that matter, neither is spamhaus. something in your config is. there are folks here that can likely assist. unless/until you share the configs etc that've been asked for, no one's going to guess.

Re: Where to place spamhaus tests

2022-08-07 Thread PGNet Dev
I didn't say SA / spamhaus was causing rejections, merely that I was following up a discussion on the subject. And I gave the relevant configs in the OP. sounds like you're good then o/

Re: Where to place spamhaus tests

2022-08-07 Thread PGNet Dev
http://rob0.nodns4.us/postscreen.html +1 glad to see that's still there! it's where *I* started oh so many years ago ;-)

Re: send mail from the domain directly to the local server without going out to the Internet

2022-08-20 Thread PGNet Dev
I'd say "especially for connections crossing not-secured network". mails within LAN/DMZ should be safe unencrypted, unless you have reason not to trust the network or someone on it. that's one choice. some prefer to consider a Zero Trust policy e.g., see https://en.wikipedia.org/wiki/Zero_

Re: postfix service does not start, timeout

2022-09-29 Thread PGNet Dev
# journalctl -r -u postfix Sep 29 15:55:48 vserver systemd[1]: Failed to start Postfix Mail Transport Agent. Sep 29 15:55:48 vserver systemd[1]: postfix.service: Failed with result 'timeout'. 1st quick check is to exec the systemd service's start cmd manually at shell.

outbound smtp " warning: DANE TLSA lookup problem" ... problem with my local resolver, or my postfix config?

2022-10-06 Thread PGNet Dev
running postfix 3.7.2 mailing to cas...@state.gov i see lots of these, 2022-10-05T17:30:08.780807-04:00 mx03 postfix/qmgr[1392]: 4MjvVm57Jhz3n: from=, size=7604, nrcpt=1 (queue active) 2022-10-05T17:30:08.781256-04:00 mx03 postfix/submit-from-local/smtpd[847

Re: egrep deprecation warning (Re: Urgent Postfix stable release 3.7.3 and non-urgent legacy releases 3.6.7, 3.5.17, 3.4.27)

2022-10-10 Thread PGNet Dev
perhaps of use https://www.phoronix.com/news/GNU-Grep-3.8-Stop-egrep-fgrep https://lists.gnu.org/archive/html/info-gnu/2022-09/msg1.html

Re: egrep deprecation warning (Re: Urgent Postfix stable release 3.7.3 and non-urgent legacy releases 3.6.7, 3.5.17, 3.4.27)

2022-10-10 Thread PGNet Dev
I didn't suggest that it was, or should be. As I didn't notice the reference in the thread, thought it might be helpful. Not an issue for me either way.

real-world DANE -- which DNSSEC signing algo(s) to use?

2022-10-12 Thread PGNet Dev
when selecting DNSSEC signing algorithms for eventual use with DANE setup, checking first @ https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 both algos 8 & 13 are listed as options: Number Description Mnemonic

command (octal?) strings caught in postscreen pregreet ?

2022-11-13 Thread PGNet Dev
in postfix logs i see lots of these sort of entries postfix/postscreen[46378]: PREGREET 182 after 0 from [137.220.233.97]:33196: \026\245\001\000\261\310\000\000\255\003\003'_\260T\362\266\255\001\370\255\037\003\000\334+\213\364 the backslashed/numeric strings vary from message to mes

Re: How do check DKIM and SPF on incoming email?

2022-11-14 Thread PGNet Dev
Is Postfix capable of checking DKIM and SPF records on incoming email and adding headers based upon its findings? Not the postfix code itself, but postfix supports milters which do this. My google searches have only returned results on how to do DKIM signing on outbound email and not how to v

Re: Spammer succeeded in relaying through my server

2022-12-22 Thread PGNet Dev
Actually I would appreciate advice on how to do this on an internal environment. google's your friend on this one https://www.google.com/search?q=postfix+docker+testing first link, https://fabianlee.org/2019/10/23/docker-running-a-postfix-container-for-testing-mail-during-dev

Re: run script on new connection?

2022-12-26 Thread PGNet Dev
I want to be able to run my own "idp" type script when someone tries to connect to my mailserver. Basically I want to refuse them even a tcp connection to smtpd if the connecting ip is in our internal blacklist. is there a reason you want to involve postfix at all? fail2ban scans logs, and th

Re: run script on new connection?

2022-12-26 Thread PGNet Dev
The first one is to avoid having a scheduled task running at least every minute to keep the list updated. How were you planning to get the lists into postfix, and keep them updated? The second one is that I only want to add the relevant firewall rules to the mailserver. I don't know how many

Re: Are non_smtpd_milters applied to mail delivered via smtpd?

2023-01-24 Thread PGNet Dev
I guess the best way to combat this would be to use spamassassin as a milter as well? Or do you have another idea? I had exactly the same problem when I was configuring DKIM on my server, and I did exactly this - switched from using SA as a post-queue filter to using it as a milter. Works good f

smtp_line_length_limit vs Sendmail?

2019-12-16 Thread PGNet Dev
Current default for  http://www.postfix.org/postconf.5.html#smtp_line_length_limit is == 998, per smtp std. Ages ago, Sendmail added an errant "!", causing overruns -- I think that's in part why the prior Postfix value == 990? to accommodate 'broken' Sendmail? Time's passed, clearly the Postfi

Re: smtp_line_length_limit vs Sendmail?

2019-12-16 Thread PGNet Dev
> I don't see any mention of Sendmail in that text. As I said, 'ages ago'. Per a conversation, https://mailing.postfix.users.narkive.com/nhbtm7Fg/smtp-line-length-limit-998 It apparently was an issue; I'm asking if it still is.

Re: smtp_line_length_limit vs Sendmail?

2019-12-16 Thread PGNet Dev
> The limit was still 990 in Sendmail 8.15. To deal with that in production, is setting value in Postfix to == 990 sufficient? recommended? Does a setting of == 990 (continue to) break any particular service/functionality? The Sendmail 'Usenet'/Google Group is a bit of a sewer; cc'ing Claus to

Re: smtp_line_length_limit vs Sendmail?

2019-12-17 Thread PGNet Dev
> No idea. One could equally-well argue for setting it to zero. Noted. It was changed here long-ago, guessing for a reason, but I've no current metrics to convince me, or not, that there's a problem (anymore). My inclination is to stick with Postfix's 'new(er)' default/standard == 998, for no

postfix 3.5.0 + gcc10 build fail, "multiple definition of `var_inet_protocols'; master_vars.o:(.bss+0x10): first defined here" ?

2020-04-13 Thread PGNet Dev
(my bad, shouldn't have sent to -devel) i'm building a new/clean postfix 3.5.0 instance on linux/64 currently, with gcc --version gcc (SUSE Linux) 10.0.1 20200408 (experimental) [revision 13e41d8b9d3d7598c72c38acc86a3d97046c8373] my usually problem-free `make`,

Re: postfix 3.5.0 + gcc10 build fail, "multiple definition of `var_inet_protocols'; master_vars.o:(.bss+0x10): first defined here" ?

2020-04-13 Thread PGNet Dev
On 4/13/20 9:51 AM, PGNet Dev wrote: > haven't seen this b4. not sure if something's changed, my config's wrong, or > this is a GCC-10 sensitivity ... looks like GCC10 related switching from CC=/usr/bin/gcc-10 CXX=/usr/bin/g++-10 to CC=/usr/bin/c

DNSSEC, DANE, Postfix for new-to-it admins?

2020-04-17 Thread PGNet Dev
all this back-n-forth on list re: DNSSEC/DANE has resulted in a flurry of interest among colleagues etc. and i've been getting emails. lots. for the what/why i've been tossing them Viktor's now just slightly dusty preso Real World DANE Inter-domain email transport https://static.ptbl.co/st

Re: DNSSEC, DANE, Postfix for new-to-it admins?

2020-04-17 Thread PGNet Dev
On 4/17/20 4:29 PM, Viktor Dukhovni wrote: > More at: all links appreciated. the summary's particularly nicely readable by those of among the minion masses of normal humans ;-) > Postfix documentation covers the client side still among the best, most-exhaustively detailed s/docs/reference man/

Re: Postfix stable release 3.5.1 and legacy releases 3.4.11, 3.3.9, 3.2.14

2020-04-20 Thread PGNet Dev
On 4/20/20 11:14 AM, Wietse Venema wrote: > Postfix versions 3.5.1, 3.4.11, 3.3.9, 3.2.14: > >* Bitrot workaround for broken builds after an incompatible change > in GCC 10. confirming, 3.5.1 build/install/exec all well-behaved again with _both_ gcc-10 & clang-10 Apr 20 11:51:36 test

are rsa certs/keys still needed/recommended for use in postfix? or can just ecc be relied on?

2020-06-01 Thread PGNet Dev
for websites it seems that, for all practical purposes, ecc ssl certs are all that's needed anymore cref e.g. comments at https://www.thesslstore.com/blog/you-should-be-using-ecc-for-your-ssl-tls-certificates/ " ... All modern Operating Systems and Browsers support ECC

Re: The historical roots of our computer terms

2020-06-06 Thread PGNet Dev
This has become irrelevant to postfix-users, and any technical discussion.

Re: Postfix restrictions

2020-06-08 Thread PGNet Dev
On 6/7/20 4:23 AM, Laura Smith wrote: > smtpd_recipient_restrictions = > permit_mynetworks,${indexed}custom_reject,reject_unauth_destination, > reject_rhsbl_sender > .dbl.dq.spamhaus.net=127.0.1.[2;4;5;6], > reject_rhsbl_helo > .dbl.dq.spamhaus.net=127.0.1.[2;4;5;6],

Re: Postfix restrictions

2020-06-08 Thread PGNet Dev
On 6/8/20 7:12 AM, Dominic Raferd wrote: > main.cf : > > rbl_reply_maps = pcre:/etc/postfix/rbl_reply_maps.pcre > postscreen_dnsbl_reply_map = pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre > > > # cat /etc/postfix/rbl_reply_maps.pcre > /[a-z0-9]*\.([a-z]*\.dq\.spamhaus\.net)/

Re: Postfix restrictions

2020-06-08 Thread PGNet Dev
On 6/8/20 8:37 AM, Dominic Raferd wrote: > This was discussed before: > https://www.mail-archive.com/postfix-users@postfix.org/msg85706.html thx! i had similarly "interpreted the text 'specify $$ to produce a $ character as output' as meaning that $$ would produce a hard-coded dollar sign"

lightweight/milter Spamassassin-integtration options for Postfix -- current experience / faves?

2020-06-08 Thread PGNet Dev
i run postfix 3.5.2 i'm -- revisiting spamassassin integration with postfix -- not interested in amavisd integration or rspamd alternative -- looking for lightweight & known to be (still/currently) reliable & active -- ideally, tho not absolutely req'd, milter-protocol -- aware of 3 options,

dnsblog filtering?

2020-06-09 Thread PGNet Dev
does dnsblog have a log map/filter/somesuch? or does the capability exist elsewhere in postfix? currently, with spamhaus dqs in the rbl/dnsbl mix, dnsblog spits out, e.g. /var/log/postfix/postfix.log:Jun 9 13:27:56 ms postfix/dnsblog[5378]: addr 72.43.215.122 listed by domain .zen.dq.s

Re: dnsblog filtering?

2020-06-09 Thread PGNet Dev
On 6/9/20 8:15 PM, Noel Jones wrote: > Postfix assumes the logs are private. They generally are. The very-recent switch to BLs with Acct-ID's is new, and complicated that a bit. > To sanitize the log, you'll need to use an external process ok. easy enough -- just an additional bit of kit. >

Re: lightweight/milter Spamassassin-integtration options for Postfix -- current experience / faves?

2020-06-10 Thread PGNet Dev
On 6/9/20 5:40 AM, Marvin Renich wrote: >> https://savannah.nongnu.org/projects/spamass-milt/ >> https://github.com/mpaperno/spampd >> https://gitlab.com/glts/spamassassin-milter >> >> anyone have any current experience with any of these? > > I also use the first one (Debian package sp

Re: lightweight/milter Spamassassin-integtration options for Postfix -- current experience / faves?

2020-06-10 Thread PGNet Dev
On 6/10/20 2:05 PM, Bill Cole wrote: > It uses the installed SpamAssassin Perl modules directly, just as spamd does. fact noted. details admittedly i'll have to poke around in. > The socket permissions issues are probably solvable, but if running on the > loopback interface works, > there's no

identifying _which_ milter rejects in private logs?

2020-06-11 Thread PGNet Dev
my postfix instance config currently includes my list of milters -o smtpd_milters=unix:/run/opendkim/opendkim.sock,unix:/run/opendmarc/opendmarc.sock,unix:/run/milter-regex/milter-regex.sock,unix:/run/clamav/clamav-milter.sock,unix:/run/spamass-milter/spamass-milter.sock for a rejection

Re: identifying _which_ milter rejects in private logs?

2020-06-11 Thread PGNet Dev
On 6/11/20 11:24 AM, Wietse Venema wrote: > PGNet Dev: >> my postfix instance config currently includes my list of milters >> >> -o >> smtpd_milters=unix:/run/opendkim/opendkim.sock,unix:/run/opendmarc/opendmarc.sock,unix:/run/milter-regex/milter-regex.s

Re: identifying _which_ milter rejects in private logs?

2020-06-11 Thread PGNet Dev
On 6/11/20 12:57 PM, Bill Cole wrote: > In the case of SpamAssassin, if your milter is spamass-milter or anything > else using spamd, you could just use spamd's logging and correlate it with > Postfix via Message-Ids. sure. finding/correlating the information is certainly possible. i'm just cle

usage for late-match-> REJECT using milter_header_checks ?

2020-06-13 Thread PGNet Dev
I've set up a postfix instance [127.0.0.1]:10003 inet n - n - - smtpd -o syslog_name=postfix/after-filters ... -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings,no_milters -o content_filter=relay

Re: usage for late-match-> REJECT using milter_header_checks ?

2020-06-13 Thread PGNet Dev
On 6/13/20 4:05 PM, Wietse Venema wrote: > Postfix has milter_header_checks for message headers > that are added by a Milter. yes. that's exactly what I referenced in my OP, and included in my config. what exactly is your point?

latest postfix pkgs for Fedora32 ?

2020-06-27 Thread PGNet Dev
i typically build my own postfix. simple, and atm happily running 3.5.3 stable. i'm _considering_ distro package deployment, specifically looking for F32 packages. afaict, what's available in official F32 repos is Postfix v3.5.2 -- with v3.5.3 still in 'updates'testing'. since released on 6/14

Re: latest postfix pkgs for Fedora32 ?

2020-06-27 Thread PGNet Dev
> impatient not in the slightest. i'm happy with the version I run, and prefer consistency. just asked where currently up-to-date packages for Fedora32 can be found, if at all. some distros have it; Fedora seems not to. thx, tho.

fyi, +1 on lightweight postfix spam milter alternative: 'spamassassin-milter'

2020-06-29 Thread PGNet Dev
for anyone interested, 'spamassassin-milter' https://gitlab.com/glts/spamassassin-milter a modern/current, rust-coded, SpamAssassin milter -- that cleanly submits msgs via spamc to spamd -- is, for me, working quite nicely with current/latest Postfix. it appears to be lightweight, fast

lmd support -- available as an 'add on', or just 'compiled in'?

2020-07-06 Thread PGNet Dev
I build/use Postfix with LMDB. Works great. Looking at distro packages, don't always find LMDB support compiled in. I can certainly rebuild my own, but wanted to check first: Reading http://www.postfix.org/LMDB_README.html "To build Postfix with LMDB support, use something like

Re: lmd support -- available as an 'add on', or just 'compiled in'?

2020-07-06 Thread PGNet Dev
On 7/6/20 10:32 AM, Wietse Venema wrote: > You can build plugins separately from Postfix, but it will not be > supported. noted, and found it I believe: http://www.postfix.org/INSTALL.html#build_dll will give it a whirl ... thx

Re: lmd support -- available as an 'add on', or just 'compiled in'?

2020-07-06 Thread PGNet Dev
On 7/6/20 11:01 AM, Viktor Dukhovni wrote: > Various OS distributions build separate packages for the Postfix > database table drivers. For example, in Fedora 31: > > $ rpm -qf /usr/lib64/postfix/postfix-cdb.so > postfix-cdb-3.4.13-1.fc31.x86_64 > > I don't see a similar package for lm

Re: lmd support -- available as an 'add on', or just 'compiled in'?

2020-07-06 Thread PGNet Dev
>> Various OS distributions build separate packages for the Postfix >> database table drivers. For example, in Fedora 31: >> >> $ rpm -qf /usr/lib64/postfix/postfix-cdb.so >> postfix-cdb-3.4.13-1.fc31.x86_64 >> >> I don't see a similar package for lmdb in Fedora 31, but there is >> for exa

Re: lmd support -- available as an 'add on', or just 'compiled in'?

2020-07-06 Thread PGNet Dev
On 7/6/20 2:38 PM, Wietse Venema wrote: > The plugin MUST be built with the exact same source code That I figured. > and the > exact same compiler options that Postfix was built with. that hadn't dawned on me yet. > If there are differences then you end up with a Frankenstein monster > with par

Re: lmd support -- available as an 'add on', or just 'compiled in'?

2020-07-08 Thread PGNet Dev
On 7/6/20 2:52 PM, Viktor Dukhovni wrote: > Well, Fedora 31 does provide separate packages for multiple optional > lookup table drivers: > > postfix-cdb.x86_64 : Postfix CDB map support > postfix-ldap.x86_64 : Postfix LDAP map support > postfix-mysql.x86_64 : Postfix MySQL map suppo

re-directing disto-pkg'd postfix's bins etc to other config dir location?

2020-07-17 Thread PGNet Dev
i'm deploying a postfix server, using distr-pkg'd postfix to date, i've always/only used postfix that i've built/installed to my liking. i prefer to keep my configs under /usr/local/etc/postfix. my postfix is config'd/built with config dir == /usr/local/etc/postfix. so its bins (postconf, post

Re: re-directing disto-pkg'd postfix's bins etc to other config dir location?

2020-07-17 Thread PGNet Dev
On 7/17/20 7:52 PM, Viktor Dukhovni wrote: > On Fri, Jul 17, 2020 at 07:31:11PM -0700, PGNet Dev wrote: > >> I simply want to ensure that the distro-pkg's bins get pointed to my >> configs in /usr/local/etc/postfix. >> >> two simple ways to do that are >>

Re: re-directing disto-pkg'd postfix's bins etc to other config dir location?

2020-07-18 Thread PGNet Dev
> (3) Move the damned files to /etc/postfix honestly . take a pill. do me a favor. put me in your delete filter. or feel free to screech into the wind ...

permit_tls_clientcerts usage in multiple restrictions?

2020-07-20 Thread PGNet Dev
i'd like to clarify mumble restrictions' checking in the case of tls clientcerts. with settings of relay_clientcerts=lmdb:/etc/postfix/relay_clientcerts smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_cache smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtpd_cache if i

how to map per-smtp-transport ssl certs/keys ?

2020-07-20 Thread PGNet Dev
i'm modifying a relay config. atm, i've master.cf ... [127.0.0.1]:10001 inet n - n - - smtpd ... -o content_filter=lmdb:/etc/postfix/relay_transports relay-out unix - - n - - smtp

Re: how to map per-smtp-transport ssl certs/keys ?

2020-07-20 Thread PGNet Dev
On 7/20/20 2:45 PM, Viktor Dukhovni wrote: > Perhaps you meant per-nexthop? That's not presently supported, Well that'll certainly make it harder to find! Noted. > instead you can configure a second transport, with a different set of keys, > and > use that transport for the destinations in que

more detail in diagnosing verify "conversation ... timed out while receiving the initial server greeting" error?

2020-07-20 Thread PGNet Dev
i'm setting up 2 postfix instances on 2 separate boxes, 'frontend' & 'backend', to use address verification probes from front- to back-end testing @ 'frontend', I can see the VRFY offered by the backend openssl s_client \ -4 \ -bind 10.0.0.11 \ -connect interna

Re: more detail in diagnosing verify "conversation ... timed out while receiving the initial server greeting" error?

2020-07-21 Thread PGNet Dev
On 7/20/20 10:19 PM, Viktor Dukhovni wrote: > This is plainly logged as a *cache* lookup. The data in the cache entry > was set to expire at epoch time 1595290292, or 2020-07-20T20:11:32-0400. although that doesn't tell me _why_ the problem exists, it did point to _what_ it (apparently) was. wa

managing multiple virtual_alias_map *flat* files ?

2020-09-12 Thread PGNet Dev
I'm exploring an all flat-file virtual-address-only postfix setup. well, using lmdb -- NOT sql or ldap, to be accurate. When it comes to alias management, I'm not convinced my approach is (easily) doable in flat-files. For each virtual address defined in virtual_mailbox_maps= lmdb

Re: managing multiple virtual_alias_map *flat* files ?

2020-09-12 Thread PGNet Dev
On 9/12/20 3:26 PM, Viktor Dukhovni wrote: > What is the actual goal here? having recently migrated a few boxes from my own, DIY'd app & prereq builds to distro pkg'ing reminded of the 'joys' of pulling in bloated dependencies, etc. i'm simply exploring an as-thin-as-possible/lightweight deplo

Re: managing multiple virtual_alias_map *flat* files ?

2020-09-12 Thread PGNet Dev
On 9/12/20 5:03 PM, Viktor Dukhovni wrote: > If this is just your own way to organise data managed by a single > authority (you) in _this_ case, it is. > then organise it any way you like, then run "make" > to create a single virtual(5) aliases file that you "postmap" in > the usual way. to date

local postfix re-delivery of dovecot sieve-redirected mail fails; normal/direct deliveries are OK ?

2020-09-27 Thread PGNet Dev
i've postfix + dovecot running on the same box; delivery between them is via lmtp. all in/out-bound, direct traffic flows as expected, securely with TLS. i've set up a sieve redirect @ dovecot. on test send, the filter triggers, submits the redirect to local postfix ... and then the delivery o

Re: local postfix re-delivery of dovecot sieve-redirected mail fails; normal/direct deliveries are OK ?

2020-09-28 Thread PGNet Dev
On 9/28/20 1:27 PM, Viktor Dukhovni wrote: > On Sun, Sep 27, 2020 at 11:31:43AM -0700, PGNet Dev wrote: > >> i've postfix + dovecot running on the same box; delivery between them >> is via lmtp. > > The main thing that stands to me is the timeout connecting to the >

Re: local postfix re-delivery of dovecot sieve-redirected mail fails; normal/direct deliveries are OK ?

2020-09-28 Thread PGNet Dev
On 9/28/20 2:06 PM, PGNet Dev wrote: > already posted; waiting on any interest/reply there. > > useful to know that this is completely !postfix, if indeed the case. ironically, the problem's NOT that postfix *is* 'involved', but that it *isn't*. use of dovec

Re: Recommended milters for small setup

2020-10-15 Thread PGNet Dev
On 10/15/20 8:19 AM, Ian Evans wrote: > Is there a more efficient, memory stingy, faster milter way to run > spamassassin, clamav, etc, or would you recommend sticking with amavis? very much personal choice. each comes with its challenges. for any set of choices, you'll get the usual assor

implementing offline/maintenance mode, with SMTP reply?

2020-10-16 Thread PGNet Dev
my usual postfix front-end workflow is postscreen if 'fail', reject if 'pass', then internal smtp etc i'd like to implement a 'maintenance/offline mode' -- WITH smtp response -- effectively adding po

Re: implementing offline/maintenance mode, with SMTP reply?

2020-10-17 Thread PGNet Dev
On 10/16/20 11:54 AM, Viktor Dukhovni wrote: If the custom 4XX response is not a hard requirement, the simplest solution is: main.cf: # To defer all email, change to: lunchtime = y lunchtime = smtpd_recipient_restrictions = ${lunchtime?defer_if_permit

address verify probe cache not refreshing on new user/alias add'n ?

2020-10-17 Thread PGNet Dev
i've set up two postfix instances on 2 separate machines frontend backend 'backend' gets user data via postfixadmin/sqlite3 DB i've setup address verification between the instances on mail receipt @ 'frontend', a verify probe is sent to 'backend'. if 'exists', then mail is sent

right tool for creating an 'accurate' test email from an external domain?

2020-10-20 Thread PGNet Dev
I'm troubleshooting an annoyingly problematic single-sender's rejections. With my usual simple monkeying with smtpd_mumble_restrictions, per-milter whitelisting, etc. I haven't yet found all the problems. For testing, I'd *like* to 'accurately' spoof an email from sender's IP/helo/from/to -- w

Re: right tool for creating an 'accurate' test email from an external domain?

2020-10-20 Thread PGNet Dev
On 10/20/20 7:41 PM, Viktor Dukhovni wrote: On Tue, Oct 20, 2020 at 07:22:24PM -0700, PGNet Dev wrote: What's the right tool/method for the job? Specifically, for synthesizing a 'faux legit' email? http://www.postfix.org/XCLIENT_README.html simple & does the trick. perfect. thx!

sanity-check postfix XCLIENT usage ?

2020-10-21 Thread PGNet Dev
I'm using Postfix's XCLIENT to synthesize/inject a test email into my postfix->filter/milter->delivery chain. I'd like to verify that my XCLIENT usage isn't the cause of the delivery failure I see below ... @ this postfix instance, mail flows as -> postscreen (@ IP = 203.0.113.1) |
