On Tue, Sep 17, 2024 at 06:38:15AM +0800, Wesley via Postfix-users wrote:
> I want to deny all messages for a local user.
> if I setup policy like this:
>
> smtpd_recipient_restrictions = hash:/etc/postfix/recipient-access
>
> in recipient-access:
>
> u...@domain.com reject
>
> Will this
On Tue, Sep 17, 2024 at 01:24:01PM +1000, Viktor Dukhovni wrote:
> Makefile:
> # Or (.cdb, ...) depending on the default database type
> DBEXT = db
> WANTS = recipient-access.${DBEXT}
>
> .SUFFIXES:
> .SUFFIXES: .${DBEXT}
>
> all: ${WANTS}
>
> %.${DBEXT}: %
>
On Tue, Sep 17, 2024 at 07:20:18PM +0800, Wesley via Postfix-users wrote:
>
>
> Viktor Dukhovni via Postfix-users :
> > - Just inbound mail from external sources? Or also other mail (locally
> >submitted or generated)?
>
> yes I just reject message to that us
On Tue, Sep 17, 2024 at 08:01:51AM -0400, John Hill via Postfix-users wrote:
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> smtpd_recipient_restrictions = ${indexed}recipient-access
>
> I see what you're doing here.
> It is less to type.
> Is there any other advantage
On Tue, Sep 17, 2024 at 08:01:51AM -0400, John Hill via Postfix-users wrote:
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> smtpd_recipient_restrictions = ${indexed}recipient-access
And of course it really should be:
smtpd_recipient_restrictions =
chec
On Tue, Oct 08, 2024 at 07:36:53PM -0400, Wietse Venema via Postfix-users wrote:
> I then asked it to generate a deep-dive audio podcast conversation
> for the INSTALL instructions. The result, after a few minutes, was
> interesting, for example, at the end where it goes into the details
> of myor
On Mon, Oct 14, 2024 at 01:03:48PM +0900, Nico Schottelius via Postfix-users
wrote:
> We at ungleich [0] plan to switch towards IPv6 only mail services
A substantial fraction of email domains are IPv4-only? Why is IPv6-only
a good idea at this time?
> in the near future and we would like to "r
On Mon, Oct 14, 2024 at 02:33:13PM +0900, Nico Schottelius via Postfix-users
wrote:
> >> - All participating mail servers are IPv6 only [1]
> >> - Every participating entity has an OpenGPG keypair [2]
> >
> > Unlikely to scale.
>
> Can you elaborate on this? I don't see why it should not scale,
On Fri, Oct 11, 2024 at 07:10:54PM -0400, Wietse Venema via Postfix-users wrote:
> Otherwise, this would take a Postfix restriction class:
>
> main.cf:
> restriction_classes = allow_certain_subnets
That should of course be:
smtpd_restriction_classes = allow_certain_subnets
> # Uses
On Tue, Oct 08, 2024 at 02:03:23PM +0200, Ralf Hildebrandt via Postfix-users
wrote:
> Just a minor issue: When an access(5) map is causing a mail to be
> held, I don't see any log line indicating this.
>
> Yes, the mail is on hold, but when I want to check WHY the mail was
> put on hold.
The fi
On Fri, Oct 04, 2024 at 09:23:12PM +0200, Steffen Nurpmeso via Postfix-users
wrote:
> |For good reasons, Postfix 3.x does not enable chroot by default
> |since 10+ years. If a distro maintainer keeps it on, then they own
> |the responsibility to inform users of how to solve chroot related
>
On Sun, Sep 29, 2024 at 05:38:16PM -0400, Steve Matzura via Postfix-users wrote:
> 2024-09-29T21:31:27.402601+00:00 tgv24 postfix/error[1775]: B9E5510584F:
> to=, orig_to=, relay=none,
> delay=48744, delays=48594/150/0/0.01, dsn=4.4.1, status=deferred (delivery
> temporarily suspended: connect to
On Wed, Oct 16, 2024 at 03:01:06PM +0100, Dominic Preston via Postfix-users
wrote:
> Thanks, I'm not currently running a DNS resolver on the server, but if the
> unresponsive PTR record issue persists I'll look into Unbound or maybe
> Dnsmasq.
A Postfix MTA *should* have a local Unbound or simil
On Wed, Oct 16, 2024 at 02:05:09PM +0100, Dominic Preston via Postfix-users
wrote:
> When sending email via my email client, there is a delay of about 5 seconds
> before the email sends. I believe this is as a result of my ISP's DNS
> servers being unresponsive when responding to PTR record looku
On Mon, Oct 21, 2024 at 11:55:27AM +0800, Joan Moreau via Postfix-users wrote:
> Here the output of the command:
>
> /opt/postfix/postmulti -x -- sh -c '
> printf "\n%s:\n" "$MAIL_CONFIG"
> /opt/postfix/postconf -f config_directory import_environment
> queue_directory
> syslo
On Mon, Oct 21, 2024 at 09:31:53AM +0800, Joan Moreau via Postfix-users wrote:
> I am using the "multi" Postfix
> : https://www.postfix.org/MULTI_INSTANCE_README.html
>
> When an email is ending in the queue for relaunch, it goes to the
> principal process, not the one where it has firstly manag
On Mon, Oct 21, 2024 at 03:55:54PM +0800, Joan Moreau via Postfix-users wrote:
> > This should be either the instance independent:
> >
> > relay/unix/syslog_name =
> > ${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name
> >
> How to do that ?
By not NOT setting:
relay
On Mon, Oct 21, 2024 at 12:28:59PM -0400, Wietse Venema via Postfix-users wrote:
> > Cute. I'll just throw that into an access map, and... nope, they get
> > 550 5.0.0, as noted in access(5). Makes sense, but standards compliance
> > isn't a terribly compelling argument when the other side can't
On Wed, Oct 23, 2024 at 10:51:38AM +0300, Ivan Ionut via Postfix-users wrote:
> 2) I have two lists of ipsets ip and ip-cidr blocked for ports
> 110,143,993,995,465 - daily updated with a custom script
That's too tedious to maintain. You can block known compromised SASL
attempts on submission vi
On Tue, Oct 22, 2024 at 06:53:03PM -0600, James Feeney via Postfix-users wrote:
> > It does not give permission to relay. An SMTP client still has to
> > SASL authentication before they have "permit_sasl_authenticated"
> > privileges.
>
> And, the reverse. An SMTP client also *has* to have rela
On Wed, Oct 23, 2024 at 10:04:06AM +0300, Ivan Ionut via Postfix-users wrote:
> Can Postfix detect an initiated SASL login (before any failed/success)?
> If so, does it have built in option or I must create a shell script or a
> custom filter in master.cf for this?
>
> P.S. I'm interesting t
On Tue, Oct 29, 2024 at 09:07:00AM +, Ken Gillett via Postfix-users wrote:
> However, natural curiosity and desire to know more has meant spending
> far more time on this than intended, but I would still like to find
> the solution.
The local_recipient_maps table is queried by:
- The ful
On Mon, Oct 21, 2024 at 07:16:20PM +, Etienne Gladu via Postfix-users wrote:
> Thanks for the config, but it still closes the port when I try to do a test.
> Anyway the task changed a bit, we have to keep the original From, but only
> change the Return-Path/Reply-to for every email sent.
> A
On Fri, Oct 25, 2024 at 01:42:40PM +1100, Viktor Dukhovni via Postfix-users
wrote:
> So we only support "postgresql:" and [not] "postgres:", because with non-URL
> hosts, we use a legacy API to separately specify host, port, database,
> username and password:
On Thu, Oct 24, 2024 at 07:35:26PM -0400, Wietse Venema via Postfix-users wrote:
> > Note, my cursory look at the code suggests that URI connection strings
> > MUST specify a database name, the required "dbname" parameter is never
> > used to augment the URI, even if it appears to not include the
On Thu, Oct 24, 2024 at 10:24:29PM -0400, Wietse Venema via Postfix-users wrote:
> I suppose that the PostgreSQL client library code is looking up the
> username, and using that as the default database name for a connection
> URI.
Yes, something like that.
> Viktor, I don't think that Postfix's
On Thu, Oct 24, 2024 at 09:28:30AM -0400, Wietse Venema via Postfix-users wrote:
> Can that (also) be fixed? If mail is delivered with LMTP, please add
>
> -o flags=D
IIRC Wietse "misspoke" here, the "flags=..." argument is not a main.cf
parameter override, so this is a positional argument
On Thu, Oct 24, 2024 at 08:32:22PM +0800, Wesley via Postfix-users wrote:
> On 2024-10-24 20:13, Ralf Hildebrandt via Postfix-users wrote:
>
> Why they had a chinese string added in the subject?
A typical corporate "security" feature, the Chinese text reads "External
Mail". Sadly the same syste
On Thu, Oct 24, 2024 at 01:24:07PM +0300, Eugene R via Postfix-users wrote:
> On 24.10.2024 08:24, Viktor Dukhovni via Postfix-users wrote:
> > Yes, of course, as documented. TLS is off by default, this is
> > backwards-compatible behaviour, and Postfix aims to not "surprise
On Wed, Oct 23, 2024 at 06:53:32PM +0200, postfixmailing--- via Postfix-users
wrote:
> I would like change Domain name of all outgoing Email:
>
> user@domainA -> user@domainB
main.cf:
smtp_generic_maps = inline:{ {@domainA = @domainB} }
If you are relaying some SMTP email inbound a
On Tue, Oct 29, 2024 at 02:15:42PM +, Ken Gillett via Postfix-users wrote:
> It then runs ken against unix:passwd.byname and gets a result:-
>
> > dict_proxy_lookup: table=unix:passwd.byname flags=lock|utf8_request key=ken
> > -> status=0 result=ken::xxx:xx:Ken Gillett:/Users/ken:/bi
On Tue, Oct 29, 2024 at 01:35:54PM +, Ken Gillett via Postfix-users wrote:
> I have found why:-
>
> user@mydomain works
> user@myhostname fails
>
> The first is listed in virtual_users, but the latter is not.
Indeed users listed in virtual(5) get a free ride regardless of addres
On Tue, Oct 29, 2024 at 09:44:16PM +0800, Adriel via Postfix-users wrote:
> I would like to set up two MX servers with equal priority, both using
> Postfix as the MTA software. One MX server resides on the same physical
> machine as the Dovecot service, and I am familiar with their configuration.
On Tue, Oct 29, 2024 at 02:07:56PM +0900, Nico Schottelius via Postfix-users
wrote:
> Viktor Dukhovni via Postfix-users writes:
>
> > On Sat, Oct 26, 2024 at 12:06:12AM +0900, Nico Schottelius via
> > Postfix-users wrote:
> >
> >> The maps/hashes that make
On Mon, Oct 28, 2024 at 06:17:56PM -0400, Wietse Venema via Postfix-users wrote:
> > My problem is that I have to slow down the sending rate to domain1, but
> > in the same time I need to segregate (send out on different IP address)
> > based on sender address.
> >
> > So, as I understand this
On Wed, Oct 30, 2024 at 08:57:32PM +0800, Adriel via Postfix-users wrote:
> I have another question. Suppose I have two domains: foo.com and bar.com.
> Both point to an MX server: mx1.sample.com. However, on mx1.sample.com, I
> want to route bar.com's emails to mx2.sample.com, because mx2.sample.c
On Sat, Nov 02, 2024 at 06:53:56PM -0400, Wietse Venema via Postfix-users wrote:
> example.com relay:[inside-gateway.example.com]:port
>
> The port can be numeric (465, 587) or symbolic (smtps, submissions,
> submission).
With port 465 (a.k.a. "smtps"), don't forget to use a dedicated clon
On Tue, Nov 05, 2024 at 12:46:42PM +0100, Thomas Landauer via Postfix-users
wrote:
> A detail first:
> At http://www.postfix.org/postconf.5.html#smtpd_delay_open_until_valid_rcpt
> please change "mail transaction ID" to "queue ID" for consistency here:
> > The downside is that rejected recipients
On Mon, Nov 04, 2024 at 08:23:37PM +0800, Adriel via Postfix-users wrote:
> say i have a subdomain sub.xyz.com.
>
> if I make a CNAME as,
>
> sub.xyz.com CNAME to xyz.net
A CNAME redirects *all* RRsets for a given owner name other than
(DNSSEC) RRSIG and NSEC. So MX and TXT records, ... will b
On Tue, Nov 05, 2024 at 12:19:20PM +0100, Matus UHLAR - fantomas via
Postfix-users wrote:
> > > Sep 2 16:51:11 mail postfix/smtps/smtpd[3697]: connect from
> > > a.b.t-com.sk[178.41.x.y]
> > > Sep 2 16:51:11 mail postfix/smtps/smtpd[3697]: 4WyBXH6Dp7z6C7g:
> > > client=a.b.t-com.sk[178.41.x.y
On Sun, Nov 03, 2024 at 06:43:31PM +0100, Jaroslaw Rafa via Postfix-users wrote:
> Make sure that you DON'T list domain names included in "mydestination"
> parameter elsewhere, for example in virtual alias file.
This warrants some clarification:
- The actual requirement is to not list the sa
On Tue, Nov 05, 2024 at 12:50:53AM +0100, Thomas Landauer via Postfix-users
wrote:
> my use case: I want to find out if outgoing messages were delivered
> successfully, so I'm looking at the lines containing `status=` in the
> logfile.
>
> But I need this only for some mails (not all). To find ou
On Wed, Oct 30, 2024 at 02:14:26PM +0100, Paul Menzel via Postfix-users wrote:
> We are using DANE, but of course the external service provider does not.
> Internally I configured the tls_policy *dane-only* for
> molgen.mpg.de/.molgen.mpg.de which of course leads to trouble in this
> situation. To
On Wed, Oct 30, 2024 at 09:11:13PM +0800, Adriel wrote:
> If I don’t set the recipient table, what’s the trouble?
You'll accept mail to non-existent recipients, which will later bounce,
and if spam and perhaps a joe-job, will annoy the forged senders and
damage the reputation of your system. Als
On Sat, Nov 02, 2024 at 06:34:36AM +0800, Adriel via Postfix-users wrote:
> There is a mail system said,
>
> host east.xxx.com[3.138.xx.xx] said:
> 554 5.7.1 : Sender address rejected: We reject all
> .click domains.
>
> I am just not sure, does the .click domain have low reputation on i
On Sat, Oct 26, 2024 at 08:31:39PM +0200, Benny Pedersen via Postfix-users
wrote:
> I like to stop using one.com for several reasons, first that do not support
> rfc 7505, why ?
You mean, I guess, as a DNS provider? If so most users want email for
their domains, and those that don't probably do
On Sat, Oct 26, 2024 at 12:06:12AM +0900, Nico Schottelius via Postfix-users
wrote:
> The maps/hashes that make a lot of sense on VMs/servers for avoiding
> reloading postfix, do not make much sense in the k8s/container context.
Restarts are much more disruptive than reloads, because the entire
On Sun, Oct 27, 2024 at 12:55:17PM +, Ken Gillett via Postfix-users wrote:
> $Subject: Re: [pfx] User unknown in local recipient table (in reply to RCPT TO
> Postfix has been running for some years on my Mac server, with some
> limitations that I have been working around. However, another ser
On Mon, Oct 28, 2024 at 10:29:20AM +, Ken Gillett wrote:
> > And what is in your alias table, please report the output of:
> >
> >$ id ken
>
> uid=xxx(ken) gid=yy(staff)
So the bare username is a login account.
> >$ postconf mail_version append_dot_mydomain \
> >alias_maps
On Mon, Nov 11, 2024 at 11:17:16AM +0100, A. Schulze via Postfix-users wrote:
> $ host 2a03:4000:60:db7::138
> 8.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0.7.b.d.0.0.6.0.0.0.0.0.4.3.0.a.2.ip6.arpa
> domain name pointer list02.sys4.de.
>
> -> shouldn't this point to 'list', not 'list02'?
It makes little diffe
On Fri, Nov 08, 2024 at 08:44:16AM -0800, Randy Bush via Postfix-users wrote:
> Fairly new at trying a scaled postfix install, so I assume it is my
> lack of clue. Trying to use milter_header_checks to reject all marked
> spam on debian 12 running `mail_version = 3.7.11`
>
> milter_header_ch
On Wed, Sep 25, 2024 at 10:40:30AM +1000, raf via Postfix-users wrote:
> > Sep 24 21:49:18 mxback postfix/smtps/smtpd[24711]: warning: TLS library
> > problem: error:0A6C:SSL routines::bad key
> > share:../ssl/statem/extensions_srvr.c:646:
>
> But I'm not sure what "bad key" means specifical
On Fri, Nov 08, 2024 at 10:25:27PM -0800, Randy Bush via Postfix-users wrote:
> >> Fairly new at trying a scaled postfix install, so I assume it is my
> >> lack of clue. Trying to use milter_header_checks to reject all marked
> >> spam on debian 12 running `mail_version = 3.7.11`
> >>
> >> mi
On Wed, Oct 23, 2024 at 07:15:31PM +0800, Wesley via Postfix-users wrote:
> please see this default value,
>
> # postconf -d smtp_tls_security_level
> smtp_tls_security_level =
The default value maintains backwards-compatibility with Postfix ~2.2
when TLS support was first merged into Postfix ba
On Thu, Oct 24, 2024 at 12:00:42PM -0400, Wietse Venema via Postfix-users wrote:
> I have updated the hosts example, and added that the dbname field
> is required but ignored when the hosts field specifies only URI
> forms.
>
> Examples:
> hosts =
> postgresql://usern...@e
On Thu, Oct 24, 2024 at 06:34:16AM +0800, Wesley via Postfix-users wrote:
> $ postconf -d smtp_use_tls smtp_tls_security_level
> smtp_use_tls = no
> smtp_tls_security_level =
>
> Under these defaults, I am afraid if I don't setup them, Postfix will
> always talk to peer with plaintext, even peer
On Fri, Oct 25, 2024 at 12:39:50PM +0200, Thomas Landauer via Postfix-users
wrote:
> > Rather, Postfix address rewriting makes multiple queries against
> > whatever tables are configured, using various fragments of the input
> > address as documented for virtual(5), aliases(5), canonical(5), etc.
On Wed, Nov 13, 2024 at 12:46:10PM +0100, natan via Postfix-users wrote:
>
> main.cf:
> ...
> smtpd_recipient_restrictions =
>
> check_recipient_access hash:/etc/postfix/special_domains,
>
Add:
smtpd_restriction_classes = greylist
greylist = check_polic
Given:
On Tue, Nov 12, 2024 at 08:48:38PM +0100, Florian Piekert via Postfix-users
wrote:
> Nov 12 11:29:09 sonne postfix/tlsproxy[3242552]: warning: TLS library
> problem: error:0A000102:SSL routines::unsupported
> protocol:../ssl/statem/statem_srvr.c:1657:
> Nov 12 11:29:09 sonne postfix/mas
On Thu, Oct 31, 2024 at 12:52:51PM +0100, Thomas Landauer via Postfix-users
wrote:
> Hi,
>
> yeah, I think the docs about the connection are clearer now :-)
>
> However, the "three queries behavior" is still undocumented IMO. I did read
> https://www.postfix.org/virtual.5.html and it is nicely e
On Wed, Oct 30, 2024 at 05:33:47PM +1300, Peter via Postfix-users wrote:
> On 30/10/24 17:18, Adriel via Postfix-users wrote:
> > If users are added in main MX, how can they be synchronized to backup MX
> > for relay access?
>
> I would recommend revisiting your reasoning for wanting a second ser
On Fri, Nov 08, 2024 at 04:17:32PM +0100, Danjel Jungersen via Postfix-users
wrote:
> 2024-11-08T16:14:09.034570+01:00 mail postfix/submissions/smtpd[107564]:
> connect from unknown[192.168.1.1]
You're perhaps doing source NAT on external client IPs, which would make
your logs less useful.
> 20
On Sun, Nov 10, 2024 at 07:16:12AM -0500, Scott K via Postfix-users wrote:
> My mail server stopped working with this error:
>
> TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3
> alert bad certificate: SSL alert number 42
Far too little context, but what we have is:
- Si
On Thu, Sep 19, 2024 at 12:54:41PM +1000, Viktor Dukhovni via Postfix-users
wrote:
> > Would it be an option to pass the list through SSL_CTX_set1_curves_list()
> > first, and only if that fails, fall back to checking the individual
> > elements?
>
> Not necessary.
On Wed, Sep 18, 2024 at 07:58:31PM +0200, Geert Hendrickx via Postfix-users
wrote:
> On Thu, Sep 19, 2024 at 02:02:50 +1000, Viktor Dukhovni via Postfix-users
> wrote:
> > This makes it possible to write "forward-looking" configs that will use
> > newer groups o
On Mon, Sep 23, 2024 at 10:09:12AM +0200, Geert Hendrickx via Postfix-users
wrote:
> Tested with OpenSSL 3.0 as well now (RHEL 9 version), with oqs-provider added.
>
> $ openssl version
> OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
>
> $ ./bin/postconf mail_version
> mail_versi
On Sun, Sep 22, 2024 at 07:29:30PM -0500, Greg Sims wrote:
> The only traffic we send on these ip addresses is a Bible
> Daily Devotion email using double opt-in subscriptions.
Despite the double opt-in, some receivers will report your mail as spam,
either because they fail to distinguish between
On Sun, Sep 22, 2024 at 05:54:38AM +0800, Wesley via Postfix-users wrote:
> Here are the output of my postconf -nf (it's quite simple). can you
> give suggestions for better options? Thanks in advance.
This is not a very productive way to get help, you really should be
asking *specific* questions
On Sun, Sep 22, 2024 at 10:28:14AM -0500, Greg Sims via Postfix-users wrote:
> We receive over 500 log entries per day from Comcast that look like this:
>
> Sep 18 03:05:07 mail0 r105/smtp[15929]: AE3378857BA: to=,
> relay=mx1.comcast.net[96.114.157.80]:25, delay=0.69,
> delays=0/0.01/0.6/0.08, d
On Mon, Sep 23, 2024 at 08:55:14AM -0400, Wietse Venema via Postfix-users wrote:
> And thanks for expanding the TLAs (*).
No worries, I should perhaps note a terminology nit, KEMs are
Key Encapsulation Mechanisms, rather than Key Encapsulation
Methods, though IMHO it hardly matters.
https://
On Mon, Sep 23, 2024 at 10:56:57AM +0200, Geert Hendrickx via Postfix-users
wrote:
> On Mon, Sep 23, 2024 at 18:32:00 +1000, Viktor Dukhovni via Postfix-users
> wrote:
> > This is not a release-notes-worthy change, just avoids loss of minor
> > forensic
> > detail f
On Tue, Sep 24, 2024 at 09:54:27PM +0800, Wesley via Postfix-users wrote:
> I have a backup MX server which shows this error in its mail.log:
>
> Sep 24 21:49:18 mxback postfix/smtps/smtpd[24711]: connect from
> unknown[165.154.138.57]
> Sep 24 21:49:18 mxback postfix/smtps/smtpd[24711]: SSL_accep
On Wed, Sep 18, 2024 at 05:38:25PM +0200, Geert Hendrickx via Postfix-users
wrote:
> Oh, I see now. If SSL_CTX_set1_curves_list() is defined, nginx runs
> it directly on the whole list (without checking the elements first).
> OBJ_sn2id is only used for older openssl.
The problem is that IIRC wh
On Wed, Sep 18, 2024 at 02:02:32PM +0200, Geert Hendrickx wrote:
> > > > warning: ignoring unknown key exchange group "x25519_kyber768"
> >
> > What Postfix process is logging this?
>
> smtpd, as soon as I connect to port 25 (ie., as soon as smtpd is started
> and reads this config). It gets lo
On Thu, Sep 19, 2024 at 09:02:39AM +0200, Geert Hendrickx via Postfix-users
wrote:
> Could the reverse lookup be fixed as well, for Received headers and logging?
>
> > Anonymous TLS connection established from X: TLSv1.3 with cipher
> > TLS_AES_128_GCM_SHA256
> > (128/128 bits) key-exchange UND
On Fri, Sep 20, 2024 at 01:53:10AM +1000, Viktor Dukhovni via Postfix-users
wrote:
> Let's let the code bake in, and if nothing further needs to change, I'll
> drop Wietse a fresh pointer to the git branch.
I looked more closely at the available OpenSSL APIs, and found a way f
On Mon, Sep 30, 2024 at 09:38:46AM -0400, Steve Matzura via Postfix-users wrote:
> When I do it, I get:
>
> posttls-finger: warning: DNSSEC validation may be unavailable
> posttls-finger: warning: reason: dnssec_probe 'ns:.' received a response
> that is not DNSSEC validated
Your DNS resolver (a
On Wed, Sep 18, 2024 at 01:04:58PM +0200, Geert Hendrickx wrote:
> Specifically, this provider implements new Key Encapsulation Methods like
> "x25519_kyber768", which I can use with `openssl s_server -groups`, or with
> nginx as `ssl_ecdh_curve`, but not with Postfix in `tls_eecdh_auto_curves`.
>
On Thu, Sep 19, 2024 at 09:18:23PM +1200, Peter via Postfix-users wrote:
> On 19/09/24 21:10, Viktor Dukhovni via Postfix-users wrote:
> > On Thu, Sep 19, 2024 at 10:01:16AM +0200, Geert Hendrickx via Postfix-users
> > wrote:
> >
> > > > Anonymous TLS connection
On Thu, Sep 19, 2024 at 12:36:23PM +0200, Geert Hendrickx via Postfix-users
wrote:
> It works, and it's even interoperable with gmail's MX. But provider
> key exchanges aren't logged for outbound connections by smtp(8) or
> posttls-finger:
That's unexpected, it is the same code generating the l
On Thu, Sep 19, 2024 at 02:39:11PM +0200, Geert Hendrickx via Postfix-users
wrote:
> On Thu, Sep 19, 2024 at 21:41:44 +1000, Viktor Dukhovni via Postfix-users
> wrote:
> > Can you build Postfix after running "makedefs" with "OPT='-g -ggdb3'",
> >
[ Thread unhijacked ]
On Thu, Sep 19, 2024 at 01:16:59PM -0400, John Levine via Postfix-users wrote:
> We have a bunch of role addresses that we forward to the people in the role.
aliases:
owner-localuser: postmaster
localuser: mbox@provider.example
> If the messages have
On Thu, Sep 19, 2024 at 05:04:03PM +0200, Geert Hendrickx via Postfix-users
wrote:
> On Fri, Sep 20, 2024 at 00:40:35 +1000, Viktor Dukhovni via Postfix-users
> wrote:
>
> > So you should be able to apply the top-most commit at:
> >
> > https://github.co
On Thu, Sep 19, 2024 at 10:01:16AM +0200, Geert Hendrickx via Postfix-users
wrote:
> > Anonymous TLS connection established from X: TLSv1.3 with cipher
> > TLS_AES_128_GCM_SHA256
> > (128/128 bits) key-exchange x25519_kyber768 server-signature ECDSA
> > (prime256v1)
> > server-digest SHA256
>
On Thu, Sep 19, 2024 at 05:44:36PM +1000, Viktor Dukhovni via Postfix-users
wrote:
> > (FWIW, nginx logs unknown groups by their group id, in this case "0x6399")
> >
> > https://github.com/nginx/nginx/blob/master/src/event/ngx_event_openssl.c#L5138
>
> No
On Wed, Nov 06, 2024 at 10:39:41AM +0100, Florian Piekert via Postfix-users
wrote:
> I found the solution by using in main.cf the
>
> smtpd_relay_restrictions = permit_mynetworks,
>check_sender_access
> btree:$meta_directory/restricted_senders,
>
On Thu, Oct 24, 2024 at 11:31:13AM +0200, Thomas Landauer via Postfix-users
wrote:
> I think I found some bugs in `postfix-pgsql` lookup, or at least the
> docs don't match the actual behavior.
>
> 1:
> The expansion parameters `%s`, `%u` and `%d` are not working as documented:
You're mistaken.
On Thu, Oct 24, 2024 at 10:50:18AM +0200, Geert Hendrickx via Postfix-users
wrote:
> > warning: run-time library vs. compile-time header version mismatch:
> > OpenSSL 3.4.0 may not be compatible with OpenSSL 3.3.0
>
> Is this warning still relevant with OpenSSL's new versioning scheme,
> where O
On Thu, Oct 24, 2024 at 08:57:00AM +0200, Jaroslaw Rafa via Postfix-users wrote:
> Something bad happened to the list (?), as your message seems to be repeated
> multiple times, with Chinese characters prepended to the subject and list
> footer appended to the body multiple times.
I already (~90
On Fri, Oct 25, 2024 at 10:52:38AM +0200, Thomas Landauer via Postfix-users
wrote:
> > > The expansion parameters `%s`, `%u` and `%d` are not working as
> > > documented:
> >
> > You're mistaken. The behaviour is exactly as documented.
>
> Sorry, but where is this documented at
> https://www.
On Wed, Nov 06, 2024 at 11:57:11AM +0100, Matus UHLAR - fantomas via
Postfix-users wrote:
> On 06.11.24 21:14, Viktor Dukhovni via Postfix-users wrote:
> > This is too fragile, you're liable to create an open relay, if any of
> > the sender checks return "OK" bas
> On 21 Nov 2024, at 9:30 PM, Thomas Landauer via Postfix-users
> wrote:
>
> What I was looking for is a way to kinda "suspend" Postfix while doing
> maintenance on the server (i.e. local transport not available).
>
> I now solved this by adding:
>
>> smtpd_client_restrictions = check_client_
On Thu, Nov 28, 2024 at 03:02:36PM +0100, Ivica Glavočić via Postfix-users
wrote:
> I wanted to enable SSL/TLS implicit encryption on port 465, in order
> to do that, I added option smtpd_tls_wrappermode = yes in main.cf
> config file, it worked.
No, it did not "work", because in main.cf it affe
On Thu, Nov 28, 2024 at 01:57:57PM +0100, natan via Postfix-users wrote:
> print("DUNNO") # REJECT, PERMIT, DUNNO
You did not read the docs carefully, the output should be:
action=DUNNO\n\n
> Nov 28 13:54:15 mx postfix/smtpd[2953675]: warning: missing attribute action
> in input fr
On Tue, Nov 19, 2024 at 10:01:14PM +0100, Thomas Landauer via Postfix-users
wrote:
> when handing over incoming messages to an external command (i.e. a `pipe`
> delivery in `master.cf`), is it possible to keep the sender "on hold" in the
> SMTP session and then answer with 500 right away (if the
On Thu, Nov 14, 2024 at 02:13:11PM -0600, Matt Saladna via Postfix-users wrote:
> In situations where either a server has run out of storage, a btree database
> can become corrupted. I see this evidenced in the following manner,
> specifically "no cursor":
>
> Nov 14 20:10:44 web2 postfix/postscr
On Sat, Nov 16, 2024 at 05:23:05PM +0100, Matus UHLAR - fantomas via
Postfix-users wrote:
> Note that directives like default_extra_recipient_limit and
> default_destination_rate_delay apply mail that is already in your queue, not
> incoming mail.
True, but also neither are good candidates for o
On Fri, Nov 15, 2024 at 09:21:45PM +0800, Hua Y via Postfix-users wrote:
>
> Hi list
>
> can you help check if my options for smtps/submission are correct?
>
> in master.cf:
>
> ascleanup unix n - y - 0 cleanup
> -o header_checks=pcre:/etc/postfix/header_check
On Fri, Nov 15, 2024 at 02:25:14PM +0100, Florian Piekert via Postfix-users
wrote:
> the problem surely is on my end. But where and why. Maybe someone has an idea.
What problem exactly?
> -all three have in master.cf for tlsproxy the -D parameter at the end
Why?
> -all three have same debugge
On Sun, Nov 17, 2024 at 04:47:17PM -0800, Randy Bush via Postfix-users wrote:
> 2024-11-18T00:03:12.077805+00:00 m0 postfix/smtpd[1756]: warning:
> TLS library problem: error:0A000102:SSL routines:
> :unsupported protocol
-
> :../ssl/statem/statem_