Hi,
how can I bypass smtpd_milters for certain hosts?
I have asked a related question previously [0], and the only
solution seemed to be to redirect those hosts to a different smtpd
instance, but unfortunately, Linux cannot redirect IPv6 connections
yet (TPROXY is in preparation).
0. http://www.
also sprach Wietse Venema [2009.05.22.1826 +0200]:
> > how can I bypass smtpd_milters for certain hosts?
>
> Not. This question is related to the following question: how
> can I change the Milter depending on the client host.
Right, but I cannot really find anything on that either.
Why are *_c
I need to deliver mail to the primary MX of several hundred domains
via a different port. Unfortunately, putting the MX's address or IP
into the transport map does not seem to work. I'd prefer not to
maintain the list of domains in the transport table as well, so I am
wondering:
Is it possible to
also sprach martin f krafft [2009.05.22.1919 +0200]:
> Is it possible to instruct postfix to always deliver to a different
> port when it tries to connect to a specific machine?
iptables is not an option, since it cannot (yet) translate
destination sockets for IPv6. Sorry, should have men
also sprach Wietse Venema [2009.05.22.2010 +0200]:
> > > Is it possible to instruct postfix to always deliver to a different
> > > port when it tries to connect to a specific machine?
> >
> > iptables is not an option, since it cannot (yet) translate
> > destination sockets for IPv6. Sorry, shou
also sprach Sahil Tandon [2009.05.23.0037 +0200]:
> > Why are *_checks and *_milters not end-of-data restrictions, or
> > better yet, policy services?
>
> One example: 1.2.3.4 is rejected in an access(5) table referenced
> in smtpd_client_restrictions. Why wait for END-OF-DATA when you
> know, i
also sprach Robert Schetterer [2009.05.23.2244 +0200]:
> Hi Martin, after all most milters have an option to whitelist hosts
> themselves; why don't you use it?
Because it means I have to maintain a redundant list of exempt hosts.
--
martin | http://madduck.net/ | http://two.sentenc.es/
"die zeit für kleine p
also sprach Wietse Venema [2009.05.23.1442 +0200]:
> Before making architectural recommendations, it would help to step
> back into the reality of how policy servers and milters work. For
> one thing, policy servers don't handle message content, and for
> another, Milters must be able to see ever
also sprach Kouhei Sutou [2009.05.25.0148 +0200]:
> milter manager is placed at between Postfix and milters:
>
> Postfix <-milter protocol-> milter manager <-milter protocol->
> milters
>
> milter manager can bypass your milter if connected host is
> whitelisted host.
While this is definite
also sprach Kouhei Sutou [2009.05.25.1254 +0200]:
> What format are you using for whitelist?
[...]
> It seems that access(5) format support is useful.
> I'll add access(5) support to milter manager in the next
> stable release.
cidr_table(5) would make more sense.
--
martin | http://madduck.net
Dear postfix people,
I just sent a message I should not have sent, using my local postfix
setup, which forwards to a smarthost for further processing.
After sending the message, I almost immediately pulled the plug, and
looking at mailq, I felt good about that:
-Queue ID- --Size-- Arrival
also sprach Wietse Venema [2010.02.17.0241 +1300]:
> And that removed the file while Postfix was already delivering it.
>
> Unlike MSDOS and its successors, UNIX systems allow a file to be
> removed while it is open. The file storage is recycled after the
> last program closes the file.
So killi
Dear list,
I would be grateful for some input and confirmation about how
smtp_tls_policy_maps works. The documentation is a bit obscure on
the matter, and the results of my experimentation aren't perfectly
clear to me.
I found that smtp_tls_policy_maps is not necessarily indexed by the
"next-hop
also sprach Victor Duchovni [2010.08.27.1946 +0200]:
> The recipient's domain *is* the nexthop destination. Don't confuse
> the *nexthop*, which is the input to DNS MX lookups, with the
> output of the DNS lookup, which returns hostnames.
Okay, thanks for clearing that up, and thanks for your e
Dear list,
We are using $smtp_tls_policy_maps, in addition to
$smtp_tls_security_level==may. Hence, the machine opportunistically
uses TLS, while the policy ensures that certain destinations are
protected by trusted and secure channels.
Due to some issues we've been having[0], I would like to hav
Hello list,
I am finding that
postmap -q address+withextens...@domain.com
pgsql:/etc/postfix/virtual_mailbox_maps
does not return a result, while the address without the extension
works fine. Is this expected behaviour?
--
martin | http://madduck.net/ | http://two.sentenc.es/
"the problem
also sprach Wietse Venema [2010.08.28.2330 +0200]:
> > does not return a result, while the address without the extension
> > works fine. Is this expected behaviour?
>
> YES.
Thank you.
--
martin | http://madduck.net/ | http://two.sentenc.es/
"common sense is the collection
of prejudices acq
also sprach Wietse Venema [2010.08.28.2324 +0200]:
> > Due to some issues we've been having[0], I would like to have a more
> > permanent means of confirmation that everything is in order.
> > Specifically, I would like to see in the logs when a security policy
> > was matched and applied. No matt
also sprach Victor Duchovni [2010.08.30.1611 +0200]:
> > Is it intentional then that the TLS policy map is searched for
> > the nexthop, if one is defined there?
>
> Yes.
>
> > Does it /also/ check the policy for the recipient domain?
>
> No. TLS policy is by nexthop. TLS is a hop-by-hop secur
also sprach Victor Duchovni [2010.08.30.2148 +0200]:
> Exactly as promised. Trusted != Verified. Trusted just means that
> the peer certificate signature is valid, but no actual validation
> of the peername took place.
Oh, I am sorry for this oversight on my side.
--
martin | http://madduck.ne
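The audit script below is an added example (not code from Postfix or from anyone in this thread) that checks a mail log against the two points made in the exchanges above: smtp_tls_policy_maps is keyed by the nexthop, not by the recipient domain and not by the MX hostname that appears in the log, and a "Trusted" session only means the certificate chained to a trusted CA, while "Verified" means the peer name was also checked. The transport and policy tables, host names and log lines are constructed; the policy lookup is an exact-key lookup (the extra key forms Postfix tries for [host]:port destinations are not modelled) and the minimum logged level per policy level is the script's own assumption.

```python
"""Audit Postfix SMTP client TLS sessions against smtp_tls_policy_maps.
Added example, not code from Postfix or from anyone in the thread. It models
two points made above: the policy key is the nexthop (the transport_maps
result, or the recipient domain when there is none), not the hostname the MX
lookup returns; and a "Trusted" session is not a "Verified" one. The log
lines, maps and host names below are constructed for illustration."""
import re

# Trust levels as the Postfix SMTP client logs them, weakest first; "none"
# stands for a delivery with no TLS line at all (plaintext).
LOGGED_RANK = {"none": 0, "Anonymous": 1, "Untrusted": 2, "Trusted": 3, "Verified": 4}
# Weakest logged outcome a successful delivery may show per policy level.
# Assumption: "verify"/"secure" deliver only after the peer name verified,
# so they must log "Verified"; "encrypt" needs TLS at any trust level.
POLICY_FLOOR = {"none": 0, "may": 0, "encrypt": 1, "verify": 4, "secure": 4}

TLS_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) "
                    r"TLS connection established to (?P<relay>[^\[\s]+)\[[^\]]+\]:\d+:")
SENT_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Fa-f]+): "
                     r"to=<(?P<rcpt>[^>]+)>, relay=(?P<relay>[^\[\s]+)\[")

def nexthop_for(domain, transport_map, relayhost=""):
    """Nexthop the SMTP client uses for a recipient domain. Assumption: only
    exact transport_maps keys (no parent-domain or sender-dependent matching);
    the "smtp:" transport prefix is dropped."""
    entry = transport_map.get(domain)
    if entry is not None:
        return entry.partition(":")[2] or domain
    return relayhost or domain

def policy_for(nexthop, policy_map, default_level="may"):
    """Exact-key policy lookup by nexthop; the level is the value's first word.
    Assumption: the alternative key forms Postfix tries for [host]:port
    destinations are not modelled."""
    value = policy_map.get(nexthop)
    return value.split()[0] if value else default_level

def audit(log_lines, transport_map, policy_map, default_level="may", relayhost=""):
    """Pair each delivery with the TLS line its smtp(8) process (same pid and
    relay) logged before it, and check the logged trust level against the
    floor of the policy that applies to the nexthop. A policy entry keyed by
    the recipient domain while the nexthop differs is flagged: it is never
    consulted."""
    tls_by_pid, findings = {}, []
    for line in log_lines:
        m = TLS_RE.search(line)
        if m:
            tls_by_pid[m["pid"]] = (m["relay"], m["level"])
            continue
        m = SENT_RE.search(line)
        if not m:
            continue
        relay, logged = tls_by_pid.get(m["pid"], (None, "none"))
        if relay != m["relay"]:
            logged = "none"  # no TLS line for this relay: plaintext session
        domain = m["rcpt"].rpartition("@")[2].lower()
        nexthop = nexthop_for(domain, transport_map, relayhost)
        level = policy_for(nexthop, policy_map, default_level)
        findings.append({
            "queue_id": m["qid"], "recipient": m["rcpt"], "nexthop": nexthop,
            "policy": level, "logged": logged,
            "ok": LOGGED_RANK[logged] >= POLICY_FLOOR.get(level, 0),
            "misplaced_key": domain if domain != nexthop and domain in policy_map else None,
        })
    return findings

# Constructed sample configuration and log excerpt (not real hosts or mail).
TRANSPORT_MAP = {"partner.example": "smtp:[relay.example.org]:25"}
POLICY_MAP = {
    "example.net": "secure",
    "example.com": "encrypt",
    # Keyed by the recipient domain, but its mail goes to the transport
    # nexthop "[relay.example.org]:25", so this entry never applies.
    "partner.example": "verify",
}
LOG = [
    "Aug 30 16:11:01 mx postfix/smtp[20123]: Verified TLS connection established to mail.example.net[192.0.2.10]:25: "
    "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Aug 30 16:11:02 mx postfix/smtp[20123]: 7D1F0C4A9B21: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, "
    "delay=1.2, delays=0.01/0/0.8/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
    "Aug 30 16:11:05 mx postfix/smtp[20124]: Trusted TLS connection established to relay.example.org[198.51.100.7]:25: "
    "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Aug 30 16:11:06 mx postfix/smtp[20124]: 7D1F0C4A9B22: to=<bob@partner.example>, relay=relay.example.org[198.51.100.7]:25, "
    "delay=1.1, delays=0.01/0/0.7/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
    "Aug 30 16:11:09 mx postfix/smtp[20125]: 7D1F0C4A9B23: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, "
    "delay=0.9, delays=0.01/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
]

if __name__ == "__main__":
    for f in audit(LOG, TRANSPORT_MAP, POLICY_MAP):
        note = f"  (entry for {f['misplaced_key']} is never consulted)" if f["misplaced_key"] else ""
        print(f"{'ok ' if f['ok'] else 'BAD'} {f['queue_id']} {f['recipient']} nexthop={f['nexthop']} "
              f"policy={f['policy']} logged={f['logged']}{note}")
```

Run as-is it prints one line per delivery. The second delivery is the trap discussed above: the `verify` entry keyed by the recipient domain is never consulted because the transport sends that mail to `[relay.example.org]:25`, so the session silently runs at the default `may` level and is logged as Trusted rather than Verified; the third shows a plaintext delivery to a destination whose policy is `encrypt`.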
Dear list,
I found that a lot of spam can be weeded out by rejecting clients
who greet me with my own hostname. Initially, I achieved this with
the following:
main.cf:
smtpd_helo_restrictions =
[…]
check_helo_access pcre:$config_directory/reject_helo_myhostname
reject_helo_my
also sprach martin f krafft [2010.10.03.1434 +0200]:
> check_helo_access static:554
>
> but that got the message accepted too.
I found in access(5):
ACCEPT ACTIONS
all-numerical
An all-numerical result is treated as OK. This
also sprach martin f krafft [2010.10.03.1456 +0200]:
> How can I use a static map to return a "5xx message" result?
According to http://www.irbs.net/internet/postfix/0208/0380.html,
what I am trying to do is simply not possible. Is this still the
case?
--
martin | http://madduc
also sprach Noel Jones [2010.10.04.0507 +0200]:
> Lots easier to just use
> /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
Thanks to everyone who responded. I am now going the suggested way.
However, it occurs to me that this is something postfix could be
trivially doing itself,
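Added example, not from the thread and not Postfix code: a small emulation of how the SMTP server interprets an access(5) lookup result, which is why `check_helo_access static:554` accepted the message (an all-numerical result is treated as OK) while the `REJECT ...` result from the pcre map above rejects it. The hostnames are placeholders for $myhostname and its domain; the reject and defer codes are the postconf(5) defaults 554 and 450, and only the result words relevant here are modelled.

```python
"""How the Postfix SMTP server interprets the result of a check_helo_access
lookup, and why 'static:554' accepts instead of rejecting.
Added example, not Postfix code. It follows the result rules in access(5):
OK and all-numerical results accept, "4NN text"/"5NN text" reject with that
code, REJECT/DEFER use access_map_reject_code/access_map_defer_code (the
postconf(5) defaults 554/450 are assumed). Hostnames are placeholders."""
import re

ACCESS_MAP_REJECT_CODE = 554
ACCESS_MAP_DEFER_CODE = 450

# pcre_table(5)-style entries: (pattern, result), first match wins. The two
# names stand in for $myhostname and its domain.
REJECT_HELO_MYHOSTNAME = [
    (r"^myhostname(\.mydomain)?$", "REJECT don't use my hostname"),
]
# What "check_helo_access static:554" amounts to: every key yields "554".
STATIC_554 = [(r"", "554")]
# Same static map but with text after the code; shown only to illustrate
# the parsing rule (a code followed by text is a reject).
STATIC_554_TEXT = [(r"", "554 don't use my hostname")]

def interpret_access_result(result):
    """Return (action, smtp_code, text) for one access(5) result string."""
    result = result.strip()
    word, _, text = result.partition(" ")
    if word.upper() == "OK":
        return ("OK", None, "")
    if word.isdigit() and not text:
        # access(5): "An all-numerical result is treated as OK."
        return ("OK", None, "")
    if re.fullmatch(r"[45]\d\d", word) and text:
        return ("REJECT" if word[0] == "5" else "DEFER", int(word), text)
    if word.upper() == "REJECT":
        return ("REJECT", ACCESS_MAP_REJECT_CODE, text or "Access denied")
    if word.upper() == "DEFER":
        return ("DEFER", ACCESS_MAP_DEFER_CODE, text or "Try again later")
    if word.upper() == "DUNNO":
        return ("DUNNO", None, "")
    # Restriction names, FILTER, HOLD and friends exist but are not modelled.
    return ("OTHER", None, result)

def pcre_lookup(table, key):
    """First match wins, as in pcre_table(5); patterns are case-insensitive
    by default there."""
    for pattern, result in table:
        if re.search(pattern, key, re.IGNORECASE):
            return result
    return None

def check_helo_access(table, helo):
    """Outcome of check_helo_access with the given table for one HELO name."""
    result = pcre_lookup(table, helo)
    if result is None:
        return ("DUNNO", None, "")  # no match: the next restriction decides
    return interpret_access_result(result)

if __name__ == "__main__":
    for name, table in (("pcre REJECT", REJECT_HELO_MYHOSTNAME),
                        ("static:554", STATIC_554),
                        ("static:'554 text'", STATIC_554_TEXT)):
        for helo in ("myhostname", "MyHostName.mydomain", "mail.example.org"):
            print(f"{name:18} HELO {helo:20} -> {check_helo_access(table, helo)}")
```

The first table rejects both spellings of the local name and leaves other clients to the remaining restrictions; the second accepts everything, which is exactly the behaviour reported above. The third only demonstrates the parsing rule; the thread's conclusion stands that the pcre map, not a static map, is the right tool for this check.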
also sprach Jeroen Geilman [2010.10.04.1822 +0200]:
> Where, exactly ?
The HELO greeting.
> The real client IP ? That can't be trivially spoofed, and so would
> actually BE your server.
I have seen clients who apparently connect to my MX with the IP and
then send the IP after HELO.
> Personall
also sprach Jeroen Geilman [2010.10.04.2004 +0200]:
> >I have seen clients who apparently connect to my MX with the IP and
> >then send the IP after HELO.
>
> With YOUR IP ? That's highly unlikely, to the point of unbelievability.
Yes, with my IP.
--
martin | http://madduck.net/ | http://two.s
also sprach Charles Marcus [2010.10.04.2029 +0200]:
> > Yes, with my IP.
>
> So your server is hacked?
I am talking about the argument to HELO/EHLO. No, my server is not
hacked.
--
martin | http://madduck.net/ | http://two.sentenc.es/
"if english was good enough for jesus christ,
it's good
Hello,
we are trying to solve a mail problem on the New Zealand Red Cross
mail server, which is sending confirmation messages for earthquake
donations from an invalid address, e.g.
postfix/smtp[26060]: 44B9C100CA13: to=,
relay=b.mx.madduck.net[213.203.238.82]:25, delay=10,
delays=0.01/0/6.8
also sprach martin f krafft [2011.02.25.0935 +0100]:
> root@redxprdww02:/etc/postfix# cat sender_rewrite
> www-d...@redxprdww02.netspace.net.nz www-d...@redcross.org.nz
> www-d...@netspace.net.nz www-d...@redcross.org.nz
(yes, I did run postmap)
--
martin | http://madduck.ne
also sprach martin f krafft [2011.02.25.0935 +0100]:
> root@redxprdww02:/etc/postfix# cat sender_rewrite
> www-d...@redxprdww02.netspace.net.nz www-d...@redcross.org.nz
Thanks to freenode staffer Tabmow: there was an 'r' missing after
the '@' symbol.
Sorry for the
also sprach Victor Duchovni [2011.02.25.0944 +0100]:
> > I wanted to approach this using a canonical rewriting map:
>
> Why not just set "myorigin" correctly?
I did not want to make such potentially far-reaching modifications
to a server that I did not set up nor control. I was only an
emergen
also sprach Wietse Venema [2011.02.24.1729 +0100]:
> This week I was doing some experiments: I configured Postfix to
> make postscreen listen on both primary AND backup MX addresses.
> This was a matter of adding a second IP address to the ethernet
> interface of my mail server, then adding a back
also sprach Wietse Venema [2011.08.09.2141 +0200]:
> > Has anyone found out how to make this work in combination with
> > a physically-separate secondary MX?
>
> At this time, Postfix supports no suitable database type that can
> be shared AND provide the performance level (milliseconds latency)
also sprach Noel Jones [2011.08.10.0120 +0200]:
> > 10 primary-0.mx 20 secondary.mx 30 primary-1.mx
> >
> > In this scenario, what will the spammers hit?
>
> All of them. What is your intent here?
My intent is to combine postscreen, using the dual-MX approach
outlined by Wietse, with a physica
also sprach Quanah Gibson-Mount [2012.06.26.2254 +0200]:
> The person who set up the system had:
>
> "nameserver fc00:10:112:16::169 "
>
> in /etc/resolv.conf (without quotes). I.e., there was a space after
> the IP address for the nameserver, which, of course, is a pain to
> notice.
… and obv
Hi,
As of yesterday, the primary MX for madduck.net supports IPv6 and
I've added the appropriate record. Unfortunately, this now
causes b.mx.madduck.net, the backup MX, to reject mails, since I use
permit_mx_backup_networks set to 213.203.238.82/32.
b.mx.madduck.net is also IPv6-connected, a
Hey folks,
thanks to a hint on IRC, I started experimenting with postscreen(8)
to fend off some hefty zombie attacks.
I can't help but notice that
http://www.postfix.org/POSTSCREEN_README.html#config
suggests to disable the chroot on all new services, and notably
smtpd. Also, all socket paths
Hello,
I am doing greylisting in smtpd_client_restrictions and later
a policy server check in smtpd_recipient_restrictions (postconf
included below). smtpd_delay_reject is on (the default).
The weird behaviour I am seeing is that despite a greylisting match
(4xx) in sender restrictions, the recip
also sprach Viktor Dukhovni [2015-11-14 05:43 +1300]:
> > I am doing greylisting in smtpd_client_restrictions and later
> > a policy server check in smtpd_recipient_restrictions (postconf
> > included below). smtpd_delay_reject is on (the default).
>
> Greylisting typically generates a "defer_if
Hello,
As far as I can tell, postfix can authenticate its clients using
certificates in two ways:
check_ccert_access (also permit_tls_clientcerts), which
authorizes clients based on the cert fingerprint;
permit_tls_all_clientcerts, which authorizes clients if they
present a cert signed b
also sprach Wietse Venema [2017-09-17 16:34 +0200]:
> 1) Use smtpd_tls_CA_file to trust ONLY the letsencrypt CA.
Right, especially since I could set this only for the smtpd handling
submissions and need not impose this setting on regular port 25 SMTP
connections.
I suppose it would get difficult
also sprach Wietse Venema [2017-09-17 17:26 +0200]:
> > > 2) Use a new check_certname_access feature to reject out-of-domain
> > > names. Postfix should not make 'allow' decisions based on name
> > > information in a certificate with an untrusted CA.
>
> Any CA that is not in smtpd_tls_CA_fi
also sprach Viktor Dukhovni [2017-09-17 18:09 +0200]:
> Can you explain your use-case in a bit more detail? What sort of
> SMTP clients are these, that they authenticate using TLS client
> certificates not issued by a CA you control and you're then
> providing submission access to said clients ba
also sprach Viktor Dukhovni [2017-09-17 21:49 +0200]:
> I think you're saying your organization places machines you
> (collectively) build on other people's networks, but the machines
> need to call home to send email, which is sometimes outbound
> to other domains?
I'll go with that.
> Yo
also sprach Wietse Venema [2017-09-17 21:51 +0200]:
> I wonder, if this is used for 'internal' email traffic, why bother
> with certificates that require frequent renewal? If the organization
> is that large, I would expect that all external email is handled
> by relay hosts on the perimeter, inst
also sprach Viktor Dukhovni [2017-09-18 00:31 +0200]:
> So your central system generates the keys, and obtains the LE
> certificates on behalf of the far-flung hosts? And then pushes
> these keys to the hosts over an SSH tunnel?
>
> Is that only for the initial key issuance? And then each host
also sprach Viktor Dukhovni [2017-09-18 22:39 +0200]:
> > No, they're all managed centrally and pushed regularly.
>
> So, though this is not your best option, you can centrally capture
> the updated fingerprints and automate their deployment (along with
> the most recent previous fingerprint to
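A hypothetical central tool for the setup discussed in this thread, added here as an example (not Postfix code and not the poster's scripts): it derives check_ccert_access keys from the certificates it pushes out and keeps the previous fingerprint of each host alongside the new one, so a renewal does not lock a host out before the table has been redeployed. Assumptions: the table is keyed by the fingerprint in the colon-separated uppercase hex form Postfix logs, the digest matches smtpd_tls_fingerprint_digest on the servers, and the PEM blobs are constructed placeholders rather than real certificates.

```python
"""Generate a check_ccert_access table from client certificates and keep the
previous fingerprint of every host across a renewal.
Added example: a hypothetical central deployment tool for the setup described
above, not Postfix code. Assumptions: the table is keyed by the certificate
fingerprint in the format Postfix logs (colon-separated uppercase hex), the
digest matches smtpd_tls_fingerprint_digest, and the PEM blobs built by
constructed_pem() are placeholders, not real certificates."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprint_der(der, digest="sha256"):
    """Colon-separated uppercase hex digest of the DER-encoded certificate,
    the form 'openssl x509 -fingerprint' prints after 'Fingerprint='."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_pem(pem, digest="sha256"):
    """Fingerprint of the first CERTIFICATE block in a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    return fingerprint_der(der, digest)

def rotate(table, host, new_fp, keep=2):
    """Record new_fp for host, newest first, keeping at most `keep` entries
    so the certificate being replaced still works during the rollover."""
    others = [fp for fp in table.get(host, []) if fp != new_fp]
    table[host] = ([new_fp] + others)[:keep]
    return table

def render_access_table(table, action="OK"):
    """Input for postmap(1): one 'FINGERPRINT ACTION' line per accepted
    certificate, grouped under a comment line naming the host."""
    lines = []
    for host in sorted(table):
        lines.append(f"# {host}")
        lines.extend(f"{fp} {action}" for fp in table[host])
    return "\n".join(lines) + "\n"

def constructed_pem(tag):
    """Placeholder PEM wrapping arbitrary bytes; NOT a parsable X.509 cert.
    Real input would be the PEM the central system obtained for the host."""
    body = base64.b64encode(b"constructed placeholder, not a certificate: " + tag).decode()
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

def build_table(deployments, table=None, keep=2):
    """deployments: (host, pem) pairs in issuance order; returns the table
    after applying them all, i.e. the newest `keep` fingerprints per host."""
    table = {} if table is None else table
    for host, pem in deployments:
        rotate(table, host, fingerprint_pem(pem), keep)
    return table

if __name__ == "__main__":
    # Three issuances for one host and one for another: host-a keeps only
    # its two newest fingerprints, so the oldest certificate is revoked here.
    deployments = [
        ("host-a.example", constructed_pem(b"host-a 2017-06")),
        ("host-b.example", constructed_pem(b"host-b 2017-07")),
        ("host-a.example", constructed_pem(b"host-a 2017-08")),
        ("host-a.example", constructed_pem(b"host-a 2017-09")),
    ]
    print(render_access_table(build_table(deployments)), end="")
```

Pair the output with a submission smtpd that has smtpd_tls_ask_ccert = yes and check_ccert_access hash:/path/to/this/table; rerun the tool and postmap the result after every issuance, and lower `keep` to 1 once the superseded certificate has expired everywhere, so the window in which an old key is still accepted stays as short as the rollout allows.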
Folks,
I hope this is not too off-topic, but I figure this is the best
mailing list because we're probably not in this boat alone, wherein
we're annoyed (very) and a bit helpless about Google. I have to ask
here, because Google of course doesn't care about us.
We operate several postfix mail
Quoting "Benny Pedersen", who wrote on 2019-10-06 at 18:44 Uhr +0200:
DKIM running in test mode? See if the domain has t= in DNS.
Yes, on some domains it's still running in test mode. Is that enough
reason for Google admins to flick us the finger?
--
@martinkrafft | https://riot.im/app/#/room
Quoting "Bill Cole", who wrote on 2019-10-06 at 12:50 Uhr -0400:
The MailOp list is probably a better choice:
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
Thanks! I didn't know about that. Will re-ask there. Sorry for the
noise.
--
@martinkrafft | https://riot.im/app/#/room/#m
Quoting "Wietse Venema", who wrote on 2019-10-06 at 19:13 Uhr -0400:
Perhaps the SMTP client IP address 2001:db8:bad::cafe:: has no PTR
record (or the name does not resolve to 2001:db8:bad::cafe::).
Good point, but the address has a PTR record to a name with an
record pointing to the addr
Quoting "Allen Coates", who wrote on 2019-10-07 at 10:15 Uhr +0100:
Only one set of double-colons is allowed in an IPv6 address. It expands to an
unspecified number of zeros; doing it twice results in ambiguity.
Quoting "Wietse Venema", who wrote on 2019-10-07 at 07:00 Uhr -0400:
The form "2
Quoting "Robert Schetterer", who wrote on 2019-10-07 at 18:21 Uhr +0200:
Also a widespread bug is not to include the IPv6 stuff in SPF; did you
check this? In the past, creating an extra transport for Google
only via IPv4 was helpful too.
At least for madduck.net, I have SPF set to "v=spf1 ?all", wh
Quoting "Peter", who wrote on 2019-10-09 at 10:54 Uhr +1300:
Does ambassador.madduck.net match the EHLO banner as well?
Yes, of course. ;)
% swaks -q EHLO -s ambassador.madduck.net
=== Trying ambassador.madduck.net:25...
=== Connected to ambassador.madduck.net.
<- 220-ambassador.madduck.net E
Quoting "Peter", who wrote on 2019-10-09 at 23:16 Uhr +1300:
Wrong test, that's the smtpd banner. The EHLO banner is specified in
the smtp_helo_name setting and is sent when postfix makes a client
connection to another server, not when you make a connection to
postfix.
Oh, I should have known