[pfx] Re: postfix repo

2024-01-11 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 11, 2024 at 03:53:35PM +0100, natan via Postfix-users wrote: > Hi Wietse Have you thought about postfix repo for Debian, just like dovecot > has for his release ? > What is a "Postfix repo for Debian"? Do you mean binary release packages? What's wrong with the packages from the Debia

[pfx] Re: postfix repo

2024-01-11 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 11, 2024 at 07:29:40PM +0100, Benny Pedersen via Postfix-users wrote: > Wietse Venema via Postfix-users skrev den 2024-01-11 15:56: > > natan via Postfix-users: > > > Hi Wietse Have you thought about postfix repo for Debian, just like > > > dovecot has for his release ? > > > > > > I'

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-12 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 12, 2024 at 07:43:51PM +0100, Gerd Hoerst via Postfix-users wrote: > im using ubuntu 22.04 and i setup complete feature set  with spf / dkim / > dmarc / dane during the last time i get some emails related to this domain > which i do not understand (if the problem is on my side) The pr

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-12 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 12, 2024 at 11:10:52PM +0100, Gerd Hoerst via Postfix-users wrote: > Hi ! > > In my main.cf > > non_smtpd_milters = $smtpd_milters > > is already configured... > > Where else can I check ? The milter configuration, and Postfix cleanup(8) milter macros How does the milter decide w

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-12 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 12, 2024 at 08:07:02PM -0500, Wietse Venema via Postfix-users wrote: > > In my case it is the "daemon_name" macro, and so I have: > > > > $ postconf -Mf cleanup/unix > > cleanup unix n - n - 0 cleanup > > -o milter_macro_daemon_name=OR

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-14 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 14, 2024 at 04:20:29PM +0100, Gerd Hoerst via Postfix-users wrote: > How can i check if its now correct with my setup, that mail which is not > coming from smtp or esmtp ? Log in to the machine and send an email message (to some address you receive) via sendmail(1) or the mail(1) or m

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-14 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 14, 2024 at 06:05:20PM +0100, Gerd Hoerst via Postfix-users wrote: > Still no success.. > > non_smtpd_milters is set and mail send via mailx or sendmail is still not > signed.. > > btw: with mailx or sendmail  email will send with u...@host.domain.tld > instead of u...@domain.tld We

[pfx] Re: DKIM => Undelivered Mail Returned to Sender

2024-01-15 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 15, 2024 at 08:14:13AM +0100, Gerd Hoerst via Postfix-users wrote: > I added > > masquerade_domains > = hoerst.net > > to main.cf and mail sent via mailx is sent as u...@domain.tld and it has also > both DKIM Signatures

[pfx] Re: relay_domains override for smtpd

2024-01-16 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 16, 2024 at 06:12:58PM +0100, Marc Dierksen via Postfix-users wrote: > I am running Postfix 3.5.23 on Debian 11 as an edge mailserver that accepts > mails on port 25 for a list of domains defined as relay_domains in the > main.cf. > > I am currently trying to setup a second smtpd proce

[pfx] Re: client checks with suspect IPs

2024-01-16 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 16, 2024 at 02:28:50PM -0500, Alex via Postfix-users wrote: In addition to other comments, beware sloppy and inappropriate use of "regular" expressions: > /etc/postfix-118/client_checks.pcre: > /74\.203\.184\.40/ OK This should be a "cidr:" table lookup instead,

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching

2024-01-20 Thread Viktor Dukhovni via Postfix-users
On Sat, Jan 20, 2024 at 03:42:52PM +0100, Simon Hoffmann via Postfix-users wrote: > I am currently planning to switch from OpenSMTPd to postfix for two reasons > > - smtpd_sender_login_maps functionality not really implemented in OpenSMTPd > - always_bcc not possible on OpenSMTPd FWIW, I'd like

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching

2024-01-20 Thread Viktor Dukhovni via Postfix-users
On Sat, Jan 20, 2024 at 05:44:25PM +0100, Simon Hoffmann wrote: > > > I am currently planning to switch from OpenSMTPd to postfix for two > > > reasons > > > > > > - smtpd_sender_login_maps functionality not really implemented in > > > OpenSMTPd > > > - always_bcc not possible on OpenSMTPd > >

[pfx] Seeking contact with Postfix SELinux policy maintainers...

2024-01-20 Thread Viktor Dukhovni via Postfix-users
I am looking to make contact with the maintainers of the SELinux policy profile for Postfix on Fedora (presumably ultimately also RHEL), Debian and other systems that ship with pre-installed SELinux policy rules for Postfix. If you're a maintainer of such policy rules please reach out. I had a ra

[pfx] Re: How to reject messages on submission with typo in To address?

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 09:39:06AM +0100, Paul Menzel via Postfix-users wrote: > pg.de is currently a parked domain, so our users will not going to > email there, and I would like to reject such messages submitted to us, > that the email client shows an error as it’s done, when, for example, > use

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> behaviour of smtpd_sender_login_maps pattern matching

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 06:53:58PM +0100, Simon Hoffmann via Postfix-users wrote: > > This copies only the message headers and body, but fails to capture the > > message envelope, which contains the true recipient list. With > > per-recipient addressing in "recipient_bcc_maps", and provided the

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> syntax/behaviuor of virtual_alias_maps

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 07:21:26PM +0100, Simon Hoffmann via Postfix-users wrote: > The old virtual_domains file just lists all domains (one per line), and can > directly be used in > virtual_alias_domains. You're going about this the wrong way, by trying to translate low-level artefacts from o

[pfx] Re: Preparation of switch from OpenSMTPd to Postfix -> syntax/behaviuor of virtual_alias_maps

2024-01-21 Thread Viktor Dukhovni via Postfix-users
On Sun, Jan 21, 2024 at 11:35:39PM +0100, Simon Hoffmann via Postfix-users wrote: > > DO NOT use the deprecated "virtual_domains" parameter, it mixes > > classification of domains with address mappings. > > I have read that and I thought I understood it. Simply put, use "virtual_alias_domains"

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 22, 2024 at 11:44:40AM -0300, Taco de Wolff via Postfix-users wrote: > Two questions really, one is that I can't enable TLS1.3 whatever I try. > Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm > that TLS1.3 ciphers are available: Protocol version negotiation is

[pfx] Re: Enabling TLS1.3 and allow sending over SMTPS/465

2024-01-22 Thread Viktor Dukhovni via Postfix-users
On Mon, Jan 22, 2024 at 02:57:16PM -0500, Bill Cole via Postfix-users wrote: > The reason implicit TLS isn't useful for SMTP (MTA-MTA) use is that port 25 > must always be backwards-compatible and so MUST start with a plaintext > server greeting, NOT a TLS handshake. Establishing a new secure port

[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 03:10:03PM +0100, Matthias Schneider via Postfix-users wrote: > Initially, I experimented with a Milter for logging the required > headers, but I found that employing a larger %s printf value proved to > be a more efficient solution. However, I'd like to point out that the

[pfx] Re: Documentation on upgrade 2.10 to 3.5

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 09:38:06AM -0600, Bill Gee via Postfix-users wrote: > > 1) Is there any documentation about moving from Postfix 2 to 3?  I > > looked on the web site but saw nothing obvious. The RELEASE NOTES: https://github.com/vdukhovni/postfix/blob/master/postfix/RELEASE_NOTES-2.1

[pfx] Re: Documentation on upgrade 2.10 to 3.5

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 11:17:16AM -0500, Viktor Dukhovni via Postfix-users wrote: > > > 2) The leapp output mentions a compatibility option.  I think I need to > > > use that.  Is there documentation on it? > > https://www.postfix.org/postconf.5.html#compati

[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 08:27:53PM +0100, Matthias Schneider via Postfix-users wrote: > Using a Milter is an option, but it often involves correlating > information from both the milter process and the log for a > comprehensive view. Everything of interest can be added as a message header. > Fo

[pfx] Re: [postfix] 3.4.23: virtual, pipe and ${original_recipient} vs. ${recipient}

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 12:04:38PM +, hawky--- via Postfix-users wrote: > we're in the process to integrate SpamAssassin in our mail system. We > decided to use the after-queue attempt with > > > smtpd -o content_filter= > The problem we're facing right now is that pipe is getting the alias

[pfx] Re: Different rules for submission(s)

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 08:31:44PM +0100, Paul van der Vlis via Postfix-users wrote: > Hello, > > Since over 20 years I use Postfix, but some things I don't understand... > > I want different rules for mail what comes through submission(s) and what > comes from other mailservers using port 25. W

[pfx] Re: Different rules for submission(s)

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 09:13:22PM +0100, Paul van der Vlis via Postfix-users wrote: > Op 25-01-2024 om 20:40 schreef Viktor Dukhovni via Postfix-users: > > On Thu, Jan 25, 2024 at 08:31:44PM +0100, Paul van der Vlis via > > Postfix-users wrote: > > > Hello, > >

[pfx] Re: [postfix] 3.4.23: virtual, pipe and ${original_recipient} vs. ${recipient}

2024-01-25 Thread Viktor Dukhovni via Postfix-users
On Thu, Jan 25, 2024 at 04:48:39PM -0500, Bill Cole via Postfix-users wrote: > > - Are you expected exactly one recipient per-invocation of the > > spamassassin filter? I'm not sure how spamc handles multiple > > recipients after "-u". > > It doesn't. The argument to '-u' is a key to identif

[pfx] Re: ldap + 550 5.1.1

2024-01-26 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 26, 2024 at 03:41:10PM +0100, Karsten Schmid via Postfix-users wrote: > So how would an appropriate entry in virtual_alias_maps look like? https://www.postfix.org/ldap_table.5.html > root@creampuff [/etc/postfix/ldap] # postfix reload > /usr/sbin/postconf: fatal: /etc/postfix/ld

[pfx] Re: Log/Capture outbound messages?

2024-01-26 Thread Viktor Dukhovni via Postfix-users
On Fri, Jan 26, 2024 at 07:51:31PM -0500, Wietse Venema via Postfix-users wrote: > joe a via Postfix-users: > > Postfix 3.5.9-5.9.2 > > > > Perhaps not a postfix question at all. Looking for a way to capture > > outbound email, for troubleshooting purposes. > > > > Is "smtp-sink" the way to do

[pfx] Re: different queue time based on the sender address

2024-01-27 Thread Viktor Dukhovni via Postfix-users
On Sat, Jan 27, 2024 at 12:01:55PM +0100, Aleksandar Ivanisevic via Postfix-users wrote: > in main.cf > sender_dependent_default_transport_maps = hash:/etc/postfix/relay_by_sender > > in /etc/postfix/relay_by_sender > mysender.com smtp:[localhost]:588 The listening SMTP service for that port wo

[pfx] Re: problem to add, alias failed

2024-01-30 Thread Viktor Dukhovni via Postfix-users
On Tue, Jan 30, 2024 at 07:57:18PM +0100, Maurizio Caloro via Postfix-users wrote: > if adding a new user with postfixadmin 3.3.8 or with cli this will run > without problem. > > GRANT ALL PRIVILEGES ON mailserver.* TO markus@'domain.com > ' IDENTIFIED BY > '*

[pfx] Re: Are multiple white spaces allowed in a date in headers?

2024-01-31 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 31, 2024 at 01:00:56PM +0100, Michael Storz via Postfix-users wrote: > day = ([FWS] 1*2DIGIT FWS) / obs-day > > This says a day can consist of one or two digits preceded by an optional > folding white space (FWS): > > FWS = ([*WSP CRLF] 1*WSP) / obs-FWS >

[pfx] Re: milter: how about a SMFIP_NOQUIT?

2024-01-31 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 31, 2024 at 12:13:51PM -0500, Wietse Venema via Postfix-users wrote: > - The MTA then needs to keep the Milter connection open while waiting > for new work. Once there is work, the MTA sends SMFIC_CONNECT and > so on. > > - This sounds like the MTA needs a Milter connection cache that

[pfx] Re: Adjusting smtpd_recipient_restrictions

2024-02-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Feb 02, 2024 at 08:26:20AM +0300, Mark via Postfix-users wrote: > I'm trying to adjust my smtpd_recipient_restrictions so that any emails > coming to a non-existent account on my server would be rejected BEFORE the > attempt reaches RBLs/RBL queries. If you're using Postfix 3.6 or later,

[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 05:52:17AM -0800, Dan Mahoney via Postfix-users wrote: > We have an internal domain, zimbra.example.org, but it's only used for > internal routing of our corporate mail (there's a master delivery map > that controls what addresses at example.org route to > zimbra.example.o

[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 04:57:05PM +0100, Jaroslaw Rafa via Postfix-users wrote: > > The "local" transport is a legacy Sendmail-compatibility interface, > > and should generally be avoided. > > Why avoided? If you have local Unix users on your server, and you want those > users to receive mail, th

[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 10:17:45PM +0100, Jaroslaw Rafa via Postfix-users wrote: > Dnia 3.02.2024 o godz. 12:59:27 Viktor Dukhovni via Postfix-users pisze: > > > > These days, users are far better off with delivery to an IMAP store that > > is not tied directly to any logi

[pfx] Re: Adjusting smtpd_recipient_restrictions

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 01:22:45PM +0200, Mark via Postfix-users wrote: > Is it better to list reject_unauth_destination after; > > permit_mynetworks, > permit_sasl_authenticated, > > Or before these? And why? Best practice is to require submission users sending outbound mail do so via ports 46

[pfx] Re: postscreen segfault since 3.8.4

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 01:37:18PM -0500, Christophe Kalt via Postfix-users wrote: > /usr/libexec/postfix/postscreen pid 93 killed by signal 11 > > These connections are from an SMTP probe that goes EHLO STARTTLS EHLO QUIT > > I've not run postscreen previously, so I cannot tell whether this is

[pfx] Re: postscreen segfault since 3.8.4

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 05:06:22PM -0500, Viktor Dukhovni via Postfix-users wrote: > > - 3.8.4 on alpine 3.19.0 > > - 3.8.5 on alpine 3.19.1 > > > > but apparently not for 3.8.3 on alpine 3.18.3 > > There's perhaps an issue in the OpenSSL or other library de

[pfx] Re: postscreen segfault since 3.8.4

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 04, 2024 at 08:12:56PM -0500, Christophe Kalt via Postfix-users wrote: > These are the alpine packages themselves, but I'm not familiar with how > they're built so I can't rule out a bad build. It's also possible that I > didn't let the 3.8.3 version run long enough for it to crash as

[pfx] Re: Forward mails if user unknown in local recipient table

2024-02-06 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 06, 2024 at 10:31:06PM +0530, Akshay Pushparaj via Postfix-users wrote: > I would like to know if i can configure postfix to forward mails if user not > found in local recipient table. That's not the right question. The right question is: - How to deliver some users for a domai

[pfx] Re: why tls library problem?

2024-02-06 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 06, 2024 at 06:50:28PM +0100, Maurizio Caloro via Postfix-users wrote: > Feb6 time P postfix/tlsproxy[300980]: warning: TLS library problem: > error:1417A0C1:SSL routines:tls_post_process_client_hello: > no shared cipher:../ssl/statem/statem_srvr.c:2283: This looks like a client

[pfx] Re: One user unable to send email

2024-02-06 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 06, 2024 at 10:27:17PM -0500, Ken Wright via Postfix-users wrote: > I honestly don't know if this is an issue with Postfix or Roundcube, > but I thought I'd start here. > > I'm running Postfix 3.8.1 on Ubuntu Server 23.10 and I'm hosting a > friend's website and email in addition to m

[pfx] Re: Server etiquette

2024-02-07 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 07, 2024 at 07:59:44AM -0500, John Hill via Postfix-users wrote: > Do mail servers as a whole stop sending an email after a few errors? For a single message, surer On soft errors (4XX), most retry, typically stopping after a maximal delay. The retry strategy varies, but 4,00

[pfx] Re: Server etiquette

2024-02-07 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 07, 2024 at 11:21:10AM -0500, John Hill via Postfix-users wrote: > I use fail2ban as well. I'm just going to see if the sender server will give > up! I prefer to have logs that record what I'm blocking. With firewall rules there's not sufficient forensic evidence left behind. --

[pfx] Re: Alias forwarding request

2024-02-08 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 08, 2024 at 07:08:35PM +0100, Maurizio Caloro via Postfix-users wrote: > To forwarding alias to emailaddress, mysql are setuped followed: > > Files : > > * /etc/folder/mysql-virtual_alias_maps.cf > * /etc/folder/mysql-virtual_mailbox_domains.cf > * /etc/folder/mysql-virt

[pfx] Re: Understanding log entries

2024-02-10 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 07:13:38PM +1300, Peter via Postfix-users wrote: > Right, and further to that a 554 response at connection time is a rejection > of the *connection*. No attempt was ever made to send the *message*, so in > a manner of speaking the message is still valid and a different con

[pfx] Re: How to forward submitted mails under the identity of an email alias to all other members of that alias?

2024-02-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 10:59:37AM +0100, Matthias Nagel via Postfix-users wrote: > How do I forward submitted mails under the identity of an email alias > to all other members of that alias? Is that even possible with Postfix > only? Yes, with sender_bcc_maps, and with the proviso that the BCC

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Feb 11, 2024 at 07:42:24PM -0600, Jakob Cornell via Postfix-users wrote: > smtpd_recipient_restrictions = > check_sender_access regexp:/etc/postfix/db/sender_access_table > ... As documented regexp, pcre, ... tables don't do "partial key" lookups. This is deliberate and correc

[pfx] Re: masquerade_domains does not work for relayed domain

2024-02-12 Thread Viktor Dukhovni via Postfix-users
On Mon, Feb 12, 2024 at 04:28:41PM +0100, Aleksandar Ivanisevic via Postfix-users wrote: > > Is it true that masquerade_domains does not work for header From: in relayed > emails? I have a fairly generic setup: > > masquerade_classes = envelope_sender, header_sender, header_recipient > masquera

[pfx] Re: Unexpected behavior of regexp table in check_sender_access directive

2024-02-12 Thread Viktor Dukhovni via Postfix-users
On Mon, Feb 12, 2024 at 09:05:12PM -0600, Jakob Cornell via Postfix-users wrote: > Can we improve this so it's easier to get this right on the first try > as a newcomer, and make it more clear what's happening at run time? It > looks like a code change to skip the logging along with the actual > t

[pfx] DANE: ATTENTION: Let's Encrypt drops DST X3 from default chain, breaking "depth 2" ISRG "2 1 1" TLSA records...

2024-02-12 Thread Viktor Dukhovni via Postfix-users
As of roughly the start of this month, the DANE survey at is seeing a steady stream of validation failures for MX hosts that rely only on: _25._tcp.mail.domain.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3 [ Some also

[pfx] Re: What features to deprecate

2024-02-13 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 13, 2024 at 12:23:32PM -0500, Wietse Venema via Postfix-users wrote: > Over 25 years, Postfix has accumulated some features that > are essentially obsolete. > > - permit_mx_backup is fundamentally incompatible with recipient > address validation. There is no way to work around that w

[pfx] Re: What features to deprecate

2024-02-13 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 13, 2024 at 06:32:14PM +0100, Geert Hendrickx via Postfix-users wrote: > On Tue, Feb 13, 2024 at 12:23:32 -0500, Wietse Venema via Postfix-users wrote: > > - masquerade_domains complicates table-driven address validation. > > Log a deprecation warning with compatibility_levels>=3.9. >

[pfx] Re: What features to deprecate

2024-02-13 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 13, 2024 at 01:20:00PM -0500, Wietse Venema via Postfix-users wrote: > > Obsoleted by automatic negotiation in the SSL code: > > > > - smtpd_tls_dh1024_param_file = auto > > - smtpd_tls_eecdh_grade = auto > > > > [ We could delete the underlying support code for the explicit

[pfx] Re: removing Authentication-Results, how?

2024-02-20 Thread Viktor Dukhovni via Postfix-users
On Tue, Feb 20, 2024 at 06:02:22PM -0500, Wietse Venema via Postfix-users wrote: > - You'd better add $$ at the end of the pattern, to anchor the regular > expression. Actually, that hostname is typically followed by additional data separated by whitespace or a ';'. > header_checks = pcre:{ {

[pfx] Re: Postconf.5 smtp_tls_loglevel 2

2024-02-21 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 21, 2024 at 08:32:49AM +, Rune Philosof via Postfix-users wrote: > It seems a bit unclearly phrased > > 2 Also log levels during TLS negotiation. Indeed this is not very helpful. See the description of the "-L" option in . > Should it

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-28 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 28, 2024 at 08:55:04AM -0500, Scott Hollenbeck via Postfix-users wrote: > Would someone please describe the configuration settings needed to support > TLS 1.2 and 1.3 with no weak ciphers? Here's what I currently have in my > configuration files: This is not the right question. Some

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 29, 2024 at 08:59:44AM +0100, Alexander Leidinger via Postfix-users wrote: > # grep tls main.cf | grep -vE '^#' > smtp_tls_security_level = encrypt > smtpd_tls_ask_ccert = yes > smtpd_tls_CApath = $smtp_tls_CApath Not generally applicable. > smtp_tls_mandatory_protocols = !SSLv2 ,

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Thu, Feb 29, 2024 at 06:36:09AM -0500, Scott Hollenbeck wrote: > Sorry, context is important. This server needs to pass a Payment Card > Industry (PCI) compliance scan. Their definition of weak: "key lengths of > less than 112 bits, or else use the 3DES encryption suite". Opportunistic > TLS is

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-02-29 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 01, 2024 at 12:26:33AM +0100, Steffen Nurpmeso wrote: > i still use the > > # super modern, forward secrecy TLSv1.2 / TLSv1.3 selection.. > tls_high_cipherlist = EECDH+AESGCM:EECDH+AES256:EDH+AESGCM:CHACHA20 I don't recommend cargo-culting random cipher lists. > smtpd_tls_mand

[pfx] Re: Configuration Settings for TLS 1.2 and 1.3 with No Weak Ciphers

2024-03-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 01, 2024 at 08:58:07AM +0100, Alexander Leidinger wrote: > > > tls_high_cipherlist=ALL:!RSA:!CAMELLIA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SHA1:!SHA256:!SHA384; > > > > Not recommended. It disables all non-AEAD ciphers, and aNULL ciphers, > > which are fine to use.

[pfx] Re: Resolve sender domains in file before resorting to database

2024-03-02 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 28, 2024 at 12:17:27PM -0600, Joshua Flanagan via Postfix-users wrote: > Anyone else have suggestions on how to make sure postfix queries a file > table _by domain_ while still having a remote database lookup table as a > backup/last resort? To restrict database lookups to a subset o

[pfx] Re: pushing changes to remote system

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 06, 2024 at 07:12:18PM -0500, Alex via Postfix-users wrote: > I have a few postfix systems on fedora38 with nearly identical > configurations. I'd like to be able to push changes to them from a third > system without having to login to them directly to do so. What's the > best/most sec

[pfx] Re: improving SRS support

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 06, 2024 at 07:30:01PM -0500, Christophe Kalt via Postfix-users wrote: > The two options I've seen for implementing SRS are milter and > [sender_]canonical_maps but it seems to me that neither are a good fit when > rewriting the envelope From as they happen early on (smtpd and cleanup

[pfx] Re: DNSBL rank log messages after HANGUP

2024-03-06 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 01:06:53PM +1100, Phil Biggs via Postfix-users wrote: > Today I noticed that, occasionally, I see a syslog message stating "blocked > using zen.spamhaus..." but no matching "DNSBL rank ..." message. > > A couple of examples from the past two days: > > postfix/postscreen

[pfx] Re: Active queue congestion

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 12:26:06PM +, Colin McKinnon via Postfix-users wrote: > I look after a SAAS site where customers can send emails to their own > domains. At times some of our customers can initiate sending of large mail > volumes - which can swamp the active queue. Given sufficient me

[pfx] Re: [ext] Re: [OT] postfwd3 as check_policy_service hogging the CPU

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 04:24:56PM +0100, Ralf Hildebrandt via Postfix-users wrote: > * Matus UHLAR - fantomas via Postfix-users : > > > > envelope sender address and number of recipients. > > > > not authenticated user? ;-) > > Yes, I'm also checking if the come from our exchangeserver. > > >

[pfx] Re: verifying postfix github repo source tarballs?

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 05:26:08PM -0500, pgnd via Postfix-users wrote: > I understand the "only official" release sources are the tarballs, > > TARBALL DL FROM MIRROR SITE > wget > https://mirror.reverse.net/pub/postfix-release/official/postfix-3.8.6.tar.gz > s

[pfx] Re: Active queue congestion

2024-03-07 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 07, 2024 at 01:11:09PM -0500, Wietse Venema via Postfix-users wrote: > > I am planning to look at increasing the size of the Active queue however I > > would need to resize to a minimum of 50x based on past events. > > That should be OK as long as your system has enough memory. A mi

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 01:28:00PM -0500, Michael W. Lucas via Postfix-users wrote: > Realistically, Gmail and Yahoo do not care about my MTA-STS > reports. All they care about is that I validate their X.509 certs. > > Is there any reason to use something like mta-sts-daemon in that > transport

[pfx] Re: preserving multi line header_checks REPLACE

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 09:23:19PM +0200, Mailinglists35 via Postfix-users wrote: > The postmap input looks like this: > > echo -e"Received: from [127.0.0.1] (web1dev [10.11.12.13])\n\tby > email.domain.tld (Postfix) with ESMTPS id C9056 >7E002\n\tfor ; Fri,8 Mar 2024 19:20:29 +02

[pfx] Re: preserving multi line header_checks REPLACE

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 03:45:42PM -0500, Wietse Venema via Postfix-users wrote: > The postmap command reads input from stdin one line at a time, and > applies each input line to all the header_checks patterns. It can't > be used for multiline inputs. Time has passed, and you've forgotten that y

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 10:01:29PM +0100, Joachim Lindenberg via Postfix-users wrote: > Imho you get pretty close to mta-sts if you use verify together with a > DNSSEC-validating resolver. You just validate the "authorized" MTAs by > different means. Yes, but google.com and yahoo.com (the domain

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 08, 2024 at 11:11:40PM +0100, Joachim Lindenberg via Postfix-users wrote: > But is there any reason that prevents google to use DNSSEC other than > the arrogance of power? My read is that there is not sufficient market pressure to make it a priority. Robust implementation at scale i

[pfx] Re: Dumb question about logging

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 12:49:42PM +0100, Matus UHLAR - fantomas via Postfix-users wrote: > In case of domains in relay_domains, the command could be even > postfix/relay, so one needs to exclude that one as well. Actually, no, the "relay" transport is implemented by the smtp(8) delivery agent,

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 10:46:17AM +0100, Joachim Lindenberg via Postfix-users wrote: > > Viktor Dukhovni: > > not sufficient market pressure to make it a priority. > Unfortunately yes, not yet. > > various load balancers would need to do online DNSSEC signing > Can you please elaborate why that s

[pfx] Re: mta-sts and smtp_tls_security_level

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 07:21:53PM +0100, Joachim Lindenberg via Postfix-users wrote: > I thought almost all cloud providers use anycast these days, > eliminating the need to serve different IPs per region. No. That's not the case. Anycast is a useful tool, but isn't the whole story. The respon

[pfx] Re: Dumb question about logging

2024-03-09 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 09, 2024 at 12:58:38PM -0500, Wietse Venema via Postfix-users wrote: > Viktor Dukhovni via Postfix-users: > > On Sat, Mar 09, 2024 at 12:49:42PM +0100, Matus UHLAR - fantomas via > > Postfix-users wrote: > > > > > In case of domains in relay_doma

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 10, 2024 at 09:19:09PM -0700, Glenn Tenney via Postfix-users wrote: > Gmail can login to the imap as "auser", but... when it tries to send > as "au...@domain.name" I get the following error: > > Mar 8 20:41:08 MACHINE postfix/submission/smtpd[28831]: NOQUEUE: > reject: RCPT from mail

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 03:17:01PM -0700, Glenn Tenney via Postfix-users wrote: > So, the actual SASL login is "auser"? (which is what I've told gmail > to use to login) I don't know what it is, the logs will tell the true story. Please post both the "client=" and the "reject:" log entries for o

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 07:50:22PM -0700, Glenn Tenney via Postfix-users wrote: > > You should also remove the "smtpd_sasl_auth_enable = yes" from > > "mail.cf", leaving just the "-o smtpd_sasl_auth_enable=yes" above, and > > in main.cf set: > > No "mail.cf", but only "-o" is left... I meant "ma

[pfx] Re: Postfix + Dovecot FreeBSD - a problem

2024-03-11 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 11, 2024 at 10:30:19PM -0700, Glenn Tenney wrote: > > Right, the missing "client=" is because the message was not accepted, > > and so no queue id was assigned. It seems this was before the changes > > to master.cf were made effective. > > Ok... that does sound like it's always been

[pfx] Re: Dynamic transport?

2024-03-13 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 13, 2024 at 04:29:19PM +, Colin McKinnon via Postfix-users wrote: > In my previous question [1] Viktor Dukhovni suggested > > > you could use a policy service to impose rate limits per SASL login, or > > sender address > > as a means of preventing active queue congestion. ht

[pfx] Re: Behavior of smtp_tls_security_level = dane

2024-03-15 Thread Viktor Dukhovni via Postfix-users
On Fri, Mar 15, 2024 at 10:13:01PM +0100, Dirk Stöcker via Postfix-users wrote: > I recently did a misconfiguration of an internal mail server for a test > system and as a result broke the TLSA record. Exactly *how* was the TLSA record broken? Logs? And were alternative MX hosts available for the

[pfx] Re: Behavior of smtp_tls_security_level = dane

2024-03-16 Thread Viktor Dukhovni via Postfix-users
On Sat, Mar 16, 2024 at 11:04:46PM +0100, Dirk Stöcker via Postfix-users wrote: > From the server which has the local name server the answer has the > aa flag, but not the ad flag. That's expected when the nameserver in question is authoritative for the requested domain, no DNSSEC validation is p

[pfx] Re: Behavior of smtp_tls_security_level = dane

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 03:19:02PM +0100, Dirk Stöcker via Postfix-users wrote: > Hallo, > > > On my machine, the authoritative server (BIND) only listens on the > > ethernet IP interface, while the recursive server (unbound) > > listens only on 127.0.0.1. It validates queries for my own dom

[pfx] Re: postfix not working with squarespace domains

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 09:38:27AM -0500, Paxton Houston via Postfix-users wrote: > i'm trying to set up a mail server using postfix. i currently have a > squarespace domain and are using mailutils to send the email. do i need to > set up some kinda dns record? thanks bye For novice users wantin

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 01:22:29PM -0700, Glenn Tenney via Postfix-users wrote: > I have to convert all of my "virtusertable" entries over to postfix. > I've read through > https://www.postfix.org/VIRTUAL_README.html & > https://www.postfix.org/postconf.5.html & > https://www.postfix.org/virtual.5

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 18, 2024 at 02:04:55PM +1100, Phil Biggs via Postfix-users wrote: > Monday, March 18, 2024, 1:52:46 PM, Glenn Tenney via Postfix-users wrote: > Not sure about the rest of your requirements but perhaps > > smtpd_recipient_restrictions = reject_unverified_recipient > > https://www.pos

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 04:28:00PM -0700, Glenn Tenney via Postfix-users wrote: > Are you saying that if I want "username1" at my local domain to be > delivered to "user2" at my local domain, that that should be in the > virtual table and not in aliases? That's a 1-to-1 rewrite, not a > 1-to-many.

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Mar 17, 2024 at 09:52:10PM -0700, Glenn Tenney via Postfix-users wrote: > > It is a reserved domain name, (one of many) that you can use internally, > > without clashing with *real domains*. > > Wow. Once you KNOW it's there, you can find out about "local.invalid". > BUT if you didn't kno

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 18, 2024 at 12:50:18AM -0700, Glenn Tenney via Postfix-users wrote: > On Monday, March 18, 2024, Benny Pedersen via Postfix-users < > > > Viktor gave a weird config :) > > > > postfix must not return any result on non existing users, so if this > > gives no result user is unknown, with

[pfx] Re: Help please on converting SENDMAIL VIRTUSERTABLE to postfix

2024-03-18 Thread Viktor Dukhovni via Postfix-users
On Mon, Mar 18, 2024 at 12:20:09AM -0700, Glenn Tenney via Postfix-users wrote: > > transport: > > u...@domain.nameerror:5.1.1 purported to not exist > > > > > > Thank you very much. A question please… the above two “solutions” seem to > accomplish very similar tasks: to reject us

[pfx] Re: postfix and from

2024-03-19 Thread Viktor Dukhovni via Postfix-users
On Tue, Mar 19, 2024 at 11:39:29AM +0100, natan via Postfix-users wrote: > Hi > I have one question regarding the RFC of the FROM field: in the message > header. > > Is there any restriction that will force the FROM field to be correct > according to the RFC? Nothing builtin to Postfix. > I'm as

[pfx] Re: Feature request

2024-03-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 01:42:16PM +0100, Ralf Hildebrandt via Postfix-users wrote: > Hi! > > I wonder if this is possible: > > If a PCRE/regexp style map is triggering, it can be quite hard to > find out WHICH pattern actually caused the action. > > So maybe postmap (when invoked with "-b", "-

[pfx] Re: Feature request

2024-03-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 09:17:58AM -0400, Viktor Dukhovni via Postfix-users wrote: > With bash <(command) inline file syntax, make the RHS unique on the fly: > > $ keystr=... > $ remap=/etc/postfix/... > $ postmap -q "$keystr" pcre:<(perl -pe '

[pfx] Re: Trouble with qmqp

2024-03-20 Thread Viktor Dukhovni via Postfix-users
On Wed, Mar 20, 2024 at 09:40:56PM +, Brad Koehn via Postfix-users wrote: > I’m trying to deliver email with Postfix 3.7.10 using `qmqpd`. > Unfortunately when I do this, the email is often unreadable by a > variety of email clients.  Can you be more specific about what you mean by "deliver u

[pfx] Re: smtpd_discard_ehlo_keyword_address_maps all but internal

2024-03-21 Thread Viktor Dukhovni via Postfix-users
On Thu, Mar 21, 2024 at 03:20:23PM +0100, Matus UHLAR - fantomas via Postfix-users wrote: > > Wietse Venema via Postfix-users: > > > smtpd_discard_ehlo_keyword_address_maps = > > > cidr:{ {!10/8 silent-discard,dsn} } > > On 23.02.24 11:12, Wietse Venema via Postfix-users wrote: > > But that
