On Thu, Mar 21, 2024 at 11:06:12AM -0500, Noel Jones via Postfix-users wrote:
> > Surely the generalisation is:
> >
> > smtpd_discard_ehlo_keyword_address_maps =
> >     cidr:{
> >         {if 0.0.0.0/0}
> >         # Private IPv4 addresses
> >         {!10.0.0.0/8 s
On Wed, Mar 20, 2024 at 10:25:26PM +0800, Cowbay via Postfix-users wrote:
> I'm using debian 10, an old debian distribution. The Postfix version is
> 3.4.23.
The base 4.0 release is ~5 years old, but not materially different in
its core TLS functionality. You'd see the same results with the late
On Sat, Mar 23, 2024 at 01:57:39PM +0100, Matthias Nagel via Postfix-users
wrote:
> Also note, that the file which is configured in
> `smtpd_tls_chain_files` is only a symbolic link, e.g.
>
> # ls -lha /etc/letsencrypt/live/my-host.my-domain.tld:smtps/fullchain.pem
> lrwxrwxrwx 1 root root 51 11
On Sat, Mar 23, 2024 at 12:36:23PM +0100, Matthias Nagel via Postfix-users
wrote:
> I am currently assessing the TLS security of a Postfix mail server and
> among other things sslscan reported that the server allows a (non-EC)
> DH exchange with only 1024 bits.
The Postfix SMTP server uses whate
On Sat, Mar 23, 2024 at 03:58:15PM +0100, Matthias Nagel via Postfix-users
wrote:
> So the question still stand, how do I ensure that Postfix uses at
> least 2048bit DH, if TLS 1.2 and FFDH have been negotiated?
As an SMTP server, Postfix uses a 2048-bit build-in group, or else
whatever group yo
On Sat, Mar 23, 2024 at 08:04:18AM -0400, Wietse Venema via Postfix-users wrote:
> Please note that Postfix does not automatically use the "system"
> root CA store that openssl s_client and curl may use. That could
> result in verification differences between Postfix and other tools.
>
> https://
On Sat, Mar 23, 2024 at 06:24:50PM +0800, Cowbay via Postfix-users wrote:
> My smtp_tls_policy_maps points to a hash table and the relevant entry is
> [smtp.gmail.com]:465    secure
OK, nothing unusual there.
> > No, the self-signed certificate might have been some root CA that isn't
>
On Sat, Mar 23, 2024 at 12:45:04PM +0100, Matthias Nagel via Postfix-users
wrote:
> what is the rationale behind the deprecation of the setting
> `smtpd_tls_cipherlist`? Are there any plans to remove it entirely in
> some future versions?
Superseded by smtpd_tls_cipher_grade and tls_medium_ciphe
On Sat, Mar 23, 2024 at 11:43:02PM +0100, Benny Pedersen via Postfix-users
wrote:
> It goes into an endless loop if mx is missing, so it does not do a/ failback
> testing, is this a bug ?
This is an off-topic question. The code behind dane.sys4.de is a Perl
script that tests the correctness of D
On Sun, Mar 24, 2024 at 05:22:26PM +0100, Benny Pedersen via Postfix-users
wrote:
> Viktor Dukhovni via Postfix-users skrev den 2024-03-24 02:31:
>
> > The code should be fixed, but nobody has complained loudly enough.
>
> time out or not, dnssec is green, tlsa is yellow, s
On Sun, Mar 24, 2024 at 11:34:35PM +0800, Cowbay via Postfix-users wrote:
> > You might not get to observe the problem for quite some time (if ever
> > again).
>
> I'm quite seldom sending mail by gmail via my postfix server.
>
> If the "posttls-finger" has the identical behavior as postfix, then
On Sun, Mar 24, 2024 at 04:32:15PM +0100, Jack Raats via Postfix-users wrote:
> Can anyone help me. I want to receive email via ipv4 and ipv6. I want to send
> email via ipv6 only.
> I tried using smtp_address_preference = ipv6, but that didn't work.
I have a machine where IPv6 connectivity is secon
On Sun, Mar 24, 2024 at 08:39:16PM +0100, Jack Raats via Postfix-users wrote:
> > master.cf:
> > smtp .. .. .. .. .. .. smtp
> > -o inet_protocols=ipv6
>
> What to do if my smtp line ends with postscreen?
That's "smtp inet", while the delivery agent is "smtp unix ...", see my
post for a
On Mon, Mar 25, 2024 at 10:08:59AM +0800, Cowbay via Postfix-users wrote:
> On 2024/3/25 01:12, Viktor Dukhovni via Postfix-users wrote:
> > > If the "posttls-finger" has the identical behavior as postfix, then I
> > > could write a simple cronjob script to "
On Mon, Mar 25, 2024 at 12:00:12PM +0800, Cowbay via Postfix-users wrote:
> On 2024/3/25 10:55, Viktor Dukhovni via Postfix-users wrote:
> > > I checked posttls-finger on my another container which is Ubuntu
> > > 22.04.4, posttls-finger still doesn't support ipv6, weird.
On Mon, Mar 25, 2024 at 09:24:23AM +0100, Alexander Leidinger wrote:
> thought-chain could be:
> IF there is no MITM, and IF the session is encrypted, then at least use good
> encryption so that an attacker which is only able to listen, is not able to
> get the content.
But, in that case, the vas
On Mon, Mar 25, 2024 at 04:11:47PM +0100, Daniel Marquez-Klaka via
Postfix-users wrote:
> I have a problem with check_sender_access that I can't find a solution to.
>
> 2 postfix mail server, one, mail-server1, is connected to the
> internet, the second, calling it list-server1, which serves a fe
On Tue, Mar 26, 2024 at 01:52:42PM +, Colin McKinnon via Postfix-users
wrote:
> I want to provision load balancing for my relays.
What kind of "load balancing"? Why won't MX records do? For uneven
weights, you can even use SRV records:
use_srv_lookup = smtp
relayhost = mx.example.
On Tue, Mar 26, 2024 at 05:22:52PM +, Colin McKinnon wrote:
> > What kind of "load balancing"? Why won't MX records do? For uneven
> > weights, you can even use SRV records:
>
> I'm trying to setup load balancing across a cluster of relays for a
> SAAS application. There's several problems
On Tue, Mar 26, 2024 at 02:20:55PM -0400, Wietse Venema via Postfix-users wrote:
> Viktor Dukhovni via Postfix-users:
> > That's fine, the SRV records can be keyed by destination domain.
>
> Locally-managed SRV records, keyed by the final destination domain
> name, to se
On Wed, Mar 27, 2024 at 11:57:22AM +0100, Daniel Marquez-Klaka via
Postfix-users wrote:
> Why my setup looks like this? mail-server1 servs a couple of other mail
> domains, not only the one destined for the mailing lists. An access list
> here would affect all domains, right?
Only if the access
On Wed, Mar 27, 2024 at 03:28:38PM +0200, Levente Birta via Postfix-users wrote:
> Please help me out with the following error. It's a not very old DVR
> equipment sending notification emails on submission with TLS.
>
> Before (with Centos 7 and postfix 3.6) was working, but now, with rocky 8
>
On Wed, Mar 27, 2024 at 10:41:08AM -0400, Wietse Venema via Postfix-users wrote:
> Viktor Dukhovni via Postfix-users:
> > On Tue, Mar 26, 2024 at 02:20:55PM -0400, Wietse Venema via Postfix-users
> > wrote:
> > > Viktor Dukhovni via Postfix-users:
> > > >
On Mon, Apr 01, 2024 at 01:45:11PM -0400, David Mehler via Postfix-users wrote:
> I've tried configuring with both the automatic configuration and the
> manual configuration, in both cases I am getting an error in my
> maillog from submission/smtpd service stating error improper command
> pipelini
On Mon, Apr 01, 2024 at 04:09:34PM -0400, David Mehler via Postfix-users wrote:
> In my master.cf I do have smtpd_tls_wrappermode but it's in the commented
> out service for port 465, I'm using submission.
>
> I've checked with postconf and smtpd_tls_wrappermode is set to no.
Of course, but Thun
On Tue, Apr 02, 2024 at 04:14:29AM -0400, Dan Mahoney via Postfix-users wrote:
> Hey there all,
>
> I’m setting up a staging version of dayjob’s ticket system, and we’d
> basically like postfix to still function, but instead of touching the
> internet at all, just deliver everything to a single
On Tue, Apr 02, 2024 at 12:11:03PM -0400, David Mehler wrote:
> Here is the complete log of the connections, IPS x-d out, but I tried
> twice, once on 587, once with smtps enabled. Any help appreciated.
As noted by Wietse, debug (verbose) logging is not useful here. Just
normal logging is quite
On Thu, Mar 28, 2024 at 09:58:13AM +0200, Levente Birta via Postfix-users wrote:
> > That's worth a try:
> >
> > 588 inet ... smtpd
> > -o smtpd_tls_security_level=encrypt
> > -o smtpd_tls_mandatory_protocols=TLSv1.2
> > ...
>
> Limiting to only TLSv1.2 did the jo
On Wed, Apr 03, 2024 at 09:23:26AM +0300, Levente Birta via Postfix-users wrote:
> > The other possibility, is that the client never tried TLS 1.3, and was
> > implemented by a clueless keyboard-monkey, who decided to always send
> > the fallback SCSV even though there was no fallback. That's sad
On Wed, Apr 10, 2024 at 11:39:24PM -0400, Dan Mahoney via Postfix-users wrote:
> > On Apr 2, 2024, at 10:52, Viktor Dukhovni via Postfix-users
> > wrote:
> >
> > On Tue, Apr 02, 2024 at 04:14:29AM -0400, Dan Mahoney via Postfix-users
> > wrote:
> >> Hey
On Sat, Apr 13, 2024 at 11:14:34AM -0400, Dan Mahoney wrote:
> >>> virtual_alias_maps = static:allmail@$mydomain
> >>> default_transport = virtual
> >>> virtual_mailbox_maps = static:/var/spool/virtual/allmail/
> >>> virtual_uid_maps = static:12345
> >>> virtual_gid_maps = static:12345
>
On Mon, Apr 22, 2024 at 12:21:01AM -0400, 785 243 via Postfix-users wrote:
> Recently i'm seeing a few messages deferred with status=deferred
> (bounce or trace service failure)
>
> instead of status=deferred (host .. said: 450 ...)
>
> from the logs:
>
> postfix/smtp[272605]: warning: unexpect
The isi.edu DNS nameservers were apparently being DoSed today, and
reverse and forward lookups (from my MX host) were failing. I was
however surprised to then see:
postfix/smtpd[2530673]: NOQUEUE: reject: RCPT from unknown[128.9.29.254]:
550 5.7.1 Client host rejected: cannot find you
On Tue, Apr 23, 2024 at 11:46:22AM -0700, Doug Hardie via Postfix-users wrote:
> > RFC 3676 addresses this.
>
> That was an amazing and helpful response. RFC 2045 showed exactly
> what caused the problem. When the message was delivered to a file,
> the CRLFs were replaced by \n. An = followed
On Wed, Apr 24, 2024 at 01:01:46AM -, John Levine via Postfix-users wrote:
> >I must be interpreting this wrong because it appears postfix is not
> >accepting that. Here is the complete process. A message arrives at
> >my MTA addressed to a specific address. Postfix delivers that
> >message
On Wed, Apr 24, 2024 at 07:43:35AM +0200, Reto via Postfix-users wrote:
> On Mon, Apr 22, 2024 at 03:50:34PM GMT, Viktor Dukhovni via Postfix-users
> wrote:
> > and this (specifically, !UNAVAIL=return) turns soft DNS failures into
> > hard errors.
> >
> > The so
On Wed, Apr 24, 2024 at 07:23:00PM +0200, Kim Sindalsen via Postfix-users wrote:
> > Regardless, as things stand, the default Fedora 39 nsswitch.conf
> > makes Postfix restrictions much too fragile, and needs to be
> > avoided.
>
> files dns is standard on my installation (Gentoo Linux/OpenRC)
C
On Fri, Apr 26, 2024 at 07:21:24AM +0200, Tobi via Postfix-users wrote:
> Or would it be possible to use a sender_dependent_relayhost_maps and
> define just the transport ex smtps: (without nexthop) in there so
> postfix would use that transport (to be defined in master.cf) and the
> normal MX of
On Sun, Apr 28, 2024 at 07:15:38PM -0700, Doug Hardie wrote:
> > I suppose, but sending bare LF in SMTP is definitely wrong, so he needs to
> > fix that first.
>
> Well, the header lines are properly terminated by CRLF. However, the
> text lines are whatever I get from postfix. Generally that is
On Mon, May 06, 2024 at 11:37:54AM +0200, Дилян Палаузов via Postfix-users
wrote:
> My reading is that a domain in virtual_alias_domains can be mentioned
> neither in virtual_mailbox_domains nor as mydestination domain.
Correct, note however, that *all* recipients are subject to virtual(5)
alias
On Tue, May 07, 2024 at 10:07:15AM +0200, Denis Krienbühl via Postfix-users
wrote:
> Ultimately, I ended up with the following rule, but I have a problem with it
> (or any other that I've found):
>
> /^\s*Received:[^\n]+(.*)/ REPLACE Received: from
> [127.0.0.1] (localhost
On Fri, May 10, 2024 at 09:47:31PM -0400, Alex via Postfix-users wrote:
> Hi, I'm using postfix-3.7.9 multi-instance on fedora38 and can't figure out
> why always_bcc and recipient_bcc_maps aren't working on the outbound
> instance.
>
> 127.0.0.1:10025 inet n - n - 16 smtp
On Fri, May 10, 2024 at 08:47:26PM -0400, Jason Hirsh via Postfix-users wrote:
> I am running Postfix/Dovecot/MySQL mail server. It was doing ok
> until I tried to improve it.
Reverting back to the "unimproved" prior state may be the best course of
action.
> May 10 20:11:27 triggerfish postfix
On Fri, May 10, 2024 at 01:13:06PM -0400, Wietse Venema via Postfix-users wrote:
> > Logs:
> > grep relay=nlp[123456].*status=sent /var/log/maillog | sed
> > 's/.*relay=//' | sed 's/,.*//' | sort | uniq -c
This fails to deduplicate multi-recipient deliveries, which record
the same relay= for each
On Sat, May 11, 2024 at 11:11:30AM +0200, Benny Pedersen via Postfix-users
wrote:
> > I am running Postfix/Dovecot/MySQL mail server. It was doing ok
> > until I tried to improve it., I
>
> maybe just reboot ? :)
Unlikely to help. Just restarting dovecot would be about the most
that's needed
On Sun, Apr 28, 2024 at 05:31:21PM -0700, Peter via Postfix-users wrote:
> The ideal end goal would be to use the same general set of controls as
> v4, but to start off I would like to use a more permissive/less
> restrictive set of controls, and initially only enable v6 for
> receiving (as that's
On Sun, May 12, 2024 at 03:59:27AM +0200, Steffen Nurpmeso via Postfix-users
wrote:
> Well here i am indeed back again, to announce
>
> v0.6.1, 2024-05-12:
> - Adds the algorithm big_ed-sha256 which effectively is RFC 8463
> (aka ed25519-sha256), but performs three digest operations
On Sat, May 11, 2024 at 11:55:14PM -0400, Jason Hirsh via Postfix-users wrote:
> I have the error message
>
> postfix/smtps/smtpd[39559]: warning: TLS library problem:
> error:14094416:SSL routines:ssl3_read_bytes:
> sslv3 alert certificate unknown:
> /usr/src/crypto/openssl/ssl/record/rec_layer
On Mon, May 13, 2024 at 11:56:30AM +0200, Peter Uetrecht via Postfix-users
wrote:
> I have a working multi-instance setup with Postfix version 3.8.4 What
> surprises me is that “recipient_canonical” works for some recipients
> but not for all. It seems that "recipient_canonical" works for
> orig
On Tue, May 21, 2024 at 08:33:58AM +0100, Adam Weremczuk via Postfix-users
wrote:
> When I email "bugzi...@mydomain.com" from another account I get "Recipient
> address rejected: User unknown in local recipient table".
If you want this to not happen, see:
https://www.postfix.org/postconf.5.
On Tue, May 21, 2024 at 06:51:08AM -0500, Greg Sims via Postfix-users wrote:
> Our main.cf contains:
> smtpd_tls_cert_file =
> smtpd_tls_key_file =
> smtpd_tls_security_level = none
There's no point in configuring SMTP server certificates when TLS is
disabled in the SMTP serv
On Tue, May 21, 2024 at 08:31:51AM -0500, Greg Sims wrote:
> Changes:
> * certs back to defaults
> * smtp_tls_loglevel = 1
Better. Now it is time to post a more detailed transcript of a single
message (the sender and recipient addresses can be obfuscated if you
wish, the recipient domain wou
On Wed, May 22, 2024 at 05:35:25AM -0500, Greg Sims wrote:
> Thank you again for your feedback on this issue.
You're welcome, but I don't see anything in your reply that responds
directly to my requests for more detailed configuration and log data.
> I watched the workload in real time this morn
On Wed, May 22, 2024 at 08:15:41AM -0500, Greg Sims via Postfix-users wrote:
> I am having problems with "collate". I grepped a 10 minute portion of
> our mail.log which created a 6.8M file. I ran "collate" on this file
> and collected the output -- a 796M file. I looked at the file and it
> seem
On Wed, May 22, 2024 at 12:19:03PM -0500, Greg Sims wrote:
> [root@mail01 postfix]# postconf -nf
> maximal_backoff_time = 16m
> minimal_backoff_time = 2m
> queue_run_delay = 2m
FWIW (not related to your immediate issue) I would not recommend such a
short maximal backoff, you're potentiall
On Wed, May 22, 2024 at 11:27:15PM -0500, Scott Techlist via Postfix-users
wrote:
> >All of these entries are using the LOGIN mech. Unless you have an
> >extremely old outlook express MUA (or similar) you can and should be
> >using the PLAIN mech. You can eliminate all of the above attacks by
>
On Thu, May 23, 2024 at 05:48:29PM -0400, Wietse Venema via Postfix-users wrote:
> Greg Sims via Postfix-users:
> > We see conn_use about 24% of the time:
>
> But none of the sessions shown in your message have that.
>
> Do they also have multiple-of-5-second type 'c' delays?
Indeed those multi
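An added example, not code from any message in this index: the reply to the grep | sort | uniq pipeline in the May 10 message points out that a multi-recipient delivery logs one line per recipient, all with the same relay=, so counting lines overcounts; the May 23 exchange asks about "c" delays that are multiples of 5 seconds. The two awk functions below count status=sent deliveries once per (queue ID, relay) pair and flag deliveries whose connection-setup delay (the third delays= field) is a whole multiple of 5 seconds. The log lines, hostnames, queue IDs and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): Postfix smtp delivery-log analysis.
# Constructed sample lines; hosts, queue IDs and addresses are invented.
# Two recipients of queue ID 1A2B3C4D5E went to the same relay in a single
# delivery, so a naive "sort | uniq -c" on relay= counts nlp1 three times.
SAMPLE_LOG='May 10 12:00:01 mx postfix/smtp[1001]: 1A2B3C4D5E: to=<a@example.net>, relay=nlp1.example.net[192.0.2.1]:25, delay=1.2, delays=0.1/0.02/0.5/0.58, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 10 12:00:01 mx postfix/smtp[1001]: 1A2B3C4D5E: to=<b@example.net>, relay=nlp1.example.net[192.0.2.1]:25, delay=1.2, delays=0.1/0.02/0.5/0.58, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 10 12:00:05 mx postfix/smtp[1002]: 6F7A8B9C0D: to=<c@example.net>, relay=nlp2.example.net[192.0.2.2]:25, delay=5.4, delays=0.1/0.02/5/0.28, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 10 12:00:09 mx postfix/smtp[1003]: 0E1F2A3B4C: to=<d@example.net>, relay=nlp1.example.net[192.0.2.1]:25, delay=0.9, delays=0.1/0.02/0.3/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK)'

# Deliveries per relay, counted once per (queue ID, relay) pair rather than
# once per recipient line.  Reads log lines on stdin, prints "count relay".
count_relays() {
  awk '
    /status=sent/ && match($0, /]: [0-9A-Za-z]+: /) {
      qid = substr($0, RSTART + 3, RLENGTH - 5)      # text between "]: " and ": "
      if (!match($0, /relay=[^,]*/)) next
      relay = substr($0, RSTART + 6, RLENGTH - 6)    # value after "relay="
      if (!((qid, relay) in seen)) { seen[qid, relay] = 1; n[relay]++ }
    }
    END { for (r in n) print n[r], r }
  ' | sort -rn
}

# delays=a/b/c/d: a = before queue manager, b = in queue manager,
# c = connection setup (DNS, connect, EHLO, STARTTLS), d = message transfer.
# Prints "qid relay c=N" for deliveries whose c is a whole multiple of 5 s,
# the pattern the May 23 message asks about.
flag_slow_connects() {
  awk '
    match($0, /]: [0-9A-Za-z]+: /) {
      qid = substr($0, RSTART + 3, RLENGTH - 5)
      if (!match($0, /relay=[^,]*/)) next
      relay = substr($0, RSTART + 6, RLENGTH - 6)
      if (!match($0, /delays=[^,]*/)) next
      split(substr($0, RSTART + 7, RLENGTH - 7), d, "/")
      c = d[3] + 0
      if (c >= 5 && c % 5 == 0) print qid, relay, "c=" c
    }
  '
}

printf '%s\n' "$SAMPLE_LOG" | count_relays
printf '%s\n' "$SAMPLE_LOG" | flag_slow_connects
```

On a real system feed the functions with `grep 'postfix/smtp\[' /var/log/maillog | count_relays`; the relay key keeps the [address]:port suffix, so a relay that resolves to several addresses shows up once per address, which is usually what you want when chasing a single bad MX.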
On Sun, May 26, 2024 at 08:22:53PM -0500, Greg Sims via Postfix-users wrote:
> May 26 00:35:57 mail01.raystedman.org postfix/t124/smtp[39065]:
> 0A7D630F1C7C:
> to==cecytebc.edu...@devotion.raystedman.org>,
> relay=aspmx.l.google.com[142.251.2.26]:25,
> delay=0.52, delays=0/0/0.21/0.31, dsn=5.7.2
On Tue, May 28, 2024 at 08:18:06PM -0400, John Hill via Postfix-users wrote:
> -o
> smtpd_recipient_restrictions=permit_sasl_authenticated,reject_rbl_client=zen.spamhaus,org=127.0.0.4,reject
>
> > I added and = after reject_rbl_client=
That's wrong, in multiple ways.
0. The RBL check shou
On Tue, May 28, 2024 at 09:32:29PM -0400, John Hill via Postfix-users wrote:
> On 5/28/24 9:23 PM, Viktor Dukhovni via Postfix-users wrote:
> >-o { smtpd_recipient_restrictions =
> > reject_rbl_client zen.spamhaus.org=127.0.0.4,
> > reject_
On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via Postfix-users
wrote:
> You might in fact want to reject XBL IPs early, before they even
> attempt authentication. So I have:
>
> 465 inet n - n - - smtpd
> -o smtpd_
On Tue, May 28, 2024 at 10:03:05PM -0400, John Hill via Postfix-users wrote:
> Mail all works but I still can't block these SASL attempt.
To block SASL authentication attempts (rather than mail transactions),
you need to do the RBL check in "smtpd_client_restrictions", and have
"smtpd_delay_rejec
On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:
> > > The wrapper-mode TLS "smtps" rejects are naturally after the TLS
> > > handshake.
> > >
> >
> > 465 inet n - n - - smtpd
> > -o smtpd_delay_reject=no
> > -o
On Wed, May 29, 2024 at 08:40:50AM -0400, John Hill via Postfix-users wrote:
> On 5/29/24 8:31 AM, Benny Pedersen via Postfix-users wrote:
> > Viktor Dukhovni via Postfix-users skrev den 2024-05-29 14:07:
> >
> > > Perhaps a bit of luck? For me, the XBL only catches arou
On Fri, May 31, 2024 at 12:33:34AM +, Mailman29 via Postfix-users wrote:
> Yeah, so even changing the domain name on the server (Ubuntu) itself
> doesn't fix the issue. It must be ip based. Since the proxy and
> Postfix share an IP address, Postfix will always think it's looping
> back to itse
On Fri, May 31, 2024 at 01:06:20PM +0200, Gerben Wierda via Postfix-users wrote:
> Hmm, I just noticed (all outgoing smtp was going to a backup server
> that works) that one of my postfix instances cannot send mail (smtp
> doesn't work, postscreen and smtpd work fine).
What *exactly* do you mean
On Fri, May 31, 2024 at 02:01:50PM +0200, Gerben Wierda via Postfix-users wrote:
> It sends: "PROXY TCP4 192.168.2.2 192.168.2.2 65535 587\r\nQUIT\r\n"
> It expects a response that matches regex ^220
Don't send "QUIT\r\n", just send the PROXY handshake and wait for 220,
and then drop the connecti
On Sun, Jun 02, 2024 at 07:19:38AM +0800, Jeff P via Postfix-users wrote:
> I am using a subdomain xxx.eu.org for sending email.
> Though I have not set a dmarc for xxx.eu.org, but gmail says DMARC pass.
> So i checked that eu.org does have a DMARC record:
>
> _dmarc.eu.org. 7200
On Mon, Jun 03, 2024 at 08:55:11PM +0800, Jeff P via Postfix-users wrote:
> I have closed sasl auth on port 25. but users still can use port 587
> for login with plain text. how can I force users to use submission
> via start-tls only? I know I can open port 465 for ssl connection.
> but for hi
Original text:
--
For those that haven't heard. Proofpoint is retiring SORBS effective
immediately(ish).
Zones will be emptied shortly and within a few weeks the SORBS domain will be
parked on dedicated "decommissioning" servers.
I am being made redundant as part of the shutdown and my la
On Thu, Jun 06, 2024 at 04:01:06PM -0400, Wietse Venema via Postfix-users wrote:
> GDS via Postfix-users:
> > Hello, I am seeing hundreds of lines like the one below in my mail.log from
> > this specific IP address, which belongs to Google.
> > Jun 5 19:09:32 arthemis postfix/error[86771]: 5D9D1
On Thu, Jun 06, 2024 at 10:40:20PM -0400, Wietse Venema via Postfix-users wrote:
> > It might be reasonable to infer "mydomain = $myhostname" when the latter
> > has two or fewer labels.
>
> There are top-level domains with more than 2 components.
Yes, but we could handle at least the obvious ca
On Fri, Dec 08, 2023 at 02:00:56PM -0500, Viktor Dukhovni wrote:
> It now turns out that they will also be switching to new underlying
> intermediate CAs. So you'll see a random choice of *new* issuers.
>
>
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/L7XoAXt_s1c/m/k_vdk9rQ
On Fri, Jun 07, 2024 at 10:20:58AM +0200, Daniel Hiepler via Postfix-users
wrote:
> I'm trying to rule out a config error on my setup since Postfix is a
> beast and I'm no beastmaster :)
If you're willing to keep making progress, just give it time...
> When I enabled "reject_plaintext_session"
On Fri, Jun 07, 2024 at 11:31:04AM +0200, Daniel Hiepler via Postfix-users
wrote:
> TLSv1.0 and TLSv1.1 were deprecated long ago (e.g. RFC 8996) and some
> legislation suggest or even requires to disable them. Doesn't that
> ">=TLSv1" statement mean "TLS1.0 or higher?".
Yes, it allows TLS 1.0 a
On Sat, Jun 08, 2024 at 07:12:01PM -0400, Wietse Venema via Postfix-users wrote:
> > |> Jun 7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
> > |> vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
> > |> be compatible with OpenSSL 3.2.0
> > ...
> > |[.] Ope
On Tue, Jun 11, 2024 at 09:55:56AM +0800, Jeff Peng via Postfix-users wrote:
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning:
> TLS library problem:error:1417A0C1:SSL routines:
> tls_post_process_client_hello:no shared cipher:
> ../ssl/statem/statem_srvr.c:2283:
> Jun 11 01:52:16 tls-mail
On Tue, Jun 11, 2024 at 10:18:17AM +0800, Jeff Peng via Postfix-users wrote:
> spf, dmarc have the policy to reject a message.
> My question is, why dkim has no choice for rejecting messages?
> for example, if dkim signature failed, where to instruct this message can be
> rejected?
Per the specif
On Thu, Jun 13, 2024 at 08:51:38AM +0800, Jeff Peng via Postfix-users wrote:
> 8. have reject_unknown_client_hostname, reject_unknown_sender_domain options
> for smtpd_sender_restrictions.
You may find "reject_unknown_client_hostname" to be too "aggressive", in
which case "reject_unknown_reverse_
On Sat, Jun 15, 2024 at 12:14:01PM +0200, John Levine via Postfix-users wrote:
> People I'm working with have a short list of addresses from which they
> don't want to accept mail at all, and they'd like to reject as early
> as possible without running it through anti-spam milters, ideally by
> re
On Sat, Jun 15, 2024 at 07:06:43PM +0800, Jeff Peng via Postfix-users wrote:
> On 2024-06-15 18:14, John Levine via Postfix-users wrote:
> > People I'm working with have a short list of addresses from which they
> > don't want to accept mail at all, and they'd like to reject as early
> > as possibl
On Sat, Jun 15, 2024 at 09:19:58AM -0400, Wietse Venema via Postfix-users wrote:
> > However, we would like our rootmail to respect our aliases file,
> > which tells root to go to a specific mail destination on a specific
> > box.
>
> Use virtual_alias_maps, as shown below.
The null-client overv
On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users wrote:
> John R. Levine via Postfix-users:
> > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > I think postscreen can block them easily.
> >
> > I'm looking at the postscreen man page and I don't see anything about mail
> > add
On Sun, Jun 16, 2024 at 01:41:44PM -0400, John Levine via Postfix-users wrote:
> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?
If the allowed recipients are the same for all restricted send
On Mon, Jun 17, 2024 at 09:54:01AM +0800, Jeff Peng via Postfix-users wrote:
> smtp_use_tls = yes
Obsolete, ignored when the preferred form below is specified.
> smtp_tls_security_level = may
Keep this one.
> smtpd_use_tls = yes
Obsolete, ignored when the preferred form below is specified.
>
On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users wrote:
> That might have uncovered a problem.
>
> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" “www.stovebolt.com"
>
> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> posttls-finger: SSL_conn
On Tue, Jun 18, 2024 at 01:04:25AM -0500, Paul Schmehl via Postfix-users wrote:
> >> posttls-finger: warning: TLS library problem: error:1408F10B:SSL
> >> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> >
> > Your port 465 "smtps" service is misconfigured, it is mis
On Tue, Jun 18, 2024 at 03:20:46PM +0200, Benny Pedersen via Postfix-users
wrote:
> xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465"
> "www.stovebolt.com"
> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> posttls-finger: server certificate verification fa
On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users wrote:
> The defaults for those settings, as far as postfix is concerned, are as
> follows:
>
> smtpd_tls_auth_only = no
Why? Surely, "yes" is the better choice...
> smtpd_tls_security_level =
Why empty? Surely "may" is
On Tue, Jun 18, 2024 at 10:02:20PM -0500, Cody Millard via Postfix-users wrote:
> as for why I set these explicitly, I figured that more random bits means
> more secure.
>
> tls_random_bytes = 64
> tls_daemon_random_bytes = 64
No need to clutter the configuration with overzealous low-level
setti
> On 19 Jun 2024, at 4:29 PM, Gilgongo via Postfix-users
> wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...
>
> You need to set this to "yes" if you plan to have ac
On Thu, Jun 20, 2024 at 02:33:08PM +0200, Michael Grimm via Postfix-users wrote:
> > One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
>
> Please correct me if I am mistaken, but that won't catch scores >= 10?
Yes, but easily adapted.
> But I don't know how such a regex should be
On Fri, Jun 21, 2024 at 07:54:40AM +0800, Jeff Peng via Postfix-users wrote:
> Hello
>
> for these options for submission in master.cf:
>
> submission inet n - y - - smtpd
> # -o syslog_name=postfix/submission
> # -o smtpd_tls_security_level=encrypt
> -o smtpd_sa
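An added example, not code from any message in this index: the May 28/29 exchange makes the point that an RBL check meant to stop SASL attempts has to be in smtpd_client_restrictions with smtpd_delay_reject=no (otherwise it runs at RCPT TO, after AUTH), the Jun 18 exchange argues for smtpd_tls_auth_only = yes, and the master.cf fragment just above has its smtpd_tls_security_level=encrypt override commented out. The shell functions below emit submission and smtps entries that combine those settings, and lint a master.cf for the two mistakes. The "broken" master.cf is constructed to mirror the fragment above; the service names, the zen.spamhaus.org=127.0.0.4 return code and the restriction names come from the thread, everything else is assumed. The lint looks only at per-service -o overrides and does not see main.cf defaults.

```shell
#!/bin/sh
# Added example, not from the thread.  Emits hardened master.cf entries and
# lints a master.cf for two submission mistakes discussed on the list.

# Constructed "before" master.cf: the encrypt override is commented out, and the
# RBL check in smtpd_client_restrictions is deferred (no smtpd_delay_reject=no),
# so it only runs at RCPT TO, after the client has already been able to AUTH.
BROKEN_MASTER_CF='smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o { smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.4, permit }
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject'

# Hardened entries: TLS before AUTH on 587 (encrypt, plus auth_only as a
# belt-and-braces guard), implicit TLS on 465, and the XBL check in
# smtpd_client_restrictions with smtpd_delay_reject=no so it fires at connect
# time (on 465 that is after the TLS handshake), before AUTH is ever offered.
hardened_services() {
  cat <<'EOF'
submission inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_auth_only=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_delay_reject=no
   -o { smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.4, permit }
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_delay_reject=no
   -o { smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.4, permit }
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
EOF
}

# Lint: one finding per line, "<service>: <problem>".  A service entry is the
# non-indented line plus its indented continuation lines; comments are skipped.
lint_master_cf() {
  awk '
    function flush() {
      if (svc == "") return
      if (buf ~ /smtpd_sasl_auth_enable *= *yes/ &&
          buf !~ /smtpd_tls_security_level *= *encrypt/ &&
          buf !~ /smtpd_tls_wrappermode *= *yes/ &&
          buf !~ /smtpd_tls_auth_only *= *yes/)
        print svc ": plaintext AUTH possible (no encrypt/wrappermode/auth_only override)"
      if (buf ~ /smtpd_client_restrictions/ && buf ~ /reject_rbl_client/ &&
          buf !~ /smtpd_delay_reject *= *no/)
        print svc ": RBL client check deferred to RCPT TO, after AUTH"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[^ \t]/ { flush(); svc = $1; buf = $0; next }
    { buf = buf " " $0 }
    END { flush() }
  '
}

echo "== findings for the broken master.cf =="
printf '%s\n' "$BROKEN_MASTER_CF" | lint_master_cf
echo "== findings for the hardened entries (expect none) =="
hardened_services | lint_master_cf
```

Merge the emitted entries with the existing submission/smtps lines rather than appending blindly, then `postfix reload`. `postconf -M` prints the live master.cf in the one-service-line-plus-indented-`-o`-lines layout the lint parses, so `postconf -M | lint_master_cf` checks the running configuration.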
On Sun, Jun 23, 2024 at 06:06:40PM +, Дилян Палаузов wrote:
> «sendmail -v myself@domain» however hangs.
Of course it does, it is waiting to read the message headers and body
from standard input as expected.
> until I press Ctrl+C. This is Postfix 3.4.13. On Postfix 2.11 the
> same command
On Tue, Jun 25, 2024 at 10:24:31AM +0200, Alexander Leidinger via Postfix-users
wrote:
> > how to deploy the following email security features?
> > RFC 7672 SMTP-DANE
>
> Outgoing:
> # validate DANE
> smtp_dns_support_level = dnssec
> smtp_tls_security_level = dane # or dane-only
> (https
On Wed, Jun 26, 2024 at 11:26:59AM +0200, Gerd Hoerst via Postfix-users wrote:
> I checked my domain with posttls-finger it brings some errors (I can
> only do it on the machine itself)
>
> posttls-finger: warning: DNSSEC validation may be unavailable
> posttls-finger: warning: reason: dnssec_pro
On Wed, Jun 26, 2024 at 07:19:01PM +0800, Jeff Pang via Postfix-users wrote:
> May I ask if the main providers like gmail, outlook, yahoo, proton, gmx etc,
> have smtp-dane deployed?
- gmail: NO
- yahoo: NO
- outlook:
  - outbound: YES
  - inbound: Still in development/pil
On Wed, Jun 26, 2024 at 07:45:20PM +0800, Jeff Pang via Postfix-users wrote:
> Can you also add SecuMail.de into the list? Thanks Viktor.
The list of MX hosters is machine-generated by aggregating DNSSEC-signed
customer domains by their MX host domain. Only providers with 1000 or
more DNSSEC-sig
On Wed, Jun 26, 2024 at 01:35:30PM +0200, Joachim Lindenberg via Postfix-users
wrote:
> I have done some testing via my own tool and published results on
> https://blog.lindenberg.one/EmailSecurityTest.
>
> Gmx and web.de do support SMTP-DANE (with bugs)
Can you provide a bit more detail on the
On Wed, Jun 26, 2024 at 04:29:53PM -0400, John Levine via Postfix-users wrote:
> I'm trying to set up a little POP toaster on debian that has a few
> addresses all in virtual domains.
>
> I'm using Cyrus SASL (no Dovecot allowed for reasons)
That's unfortunate, b/c often much simpler...
> and to