[pfx] wildcast for virtual domains
Hello list, sorry for the silly question. does virtual domains (such as virtual_alias_domains) support wildcast? such as putting this one in the file: *.foo.com so that one.foo.com, two.foo.com... will be a recipient domain. Thanks. -- sent from https://dkinbox.com/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: DANE and DNSSEC
On Mon, May 22, 2023 at 02:34:41PM +0200, Joachim Lindenberg via Postfix-users wrote: > reusing the private key for too long (say a year or more) is > considered a bad security practice. Imho it is easier to monitor > changes of the issuing CA (I do) or just mark your calendar to update > in September 2025 than to pin 3 1 1. Don´t want to be fundamental, > just opinionated. Everyone has to decide on her/his own. FWIW, I don't agree. There are still ~270 domains publishing TLSA records matching the long-retired Let's Encrypt X3/X4 CAs. Dilligently tracking issuing CA transitions is not that easy in practice, and the security of ACME is fairly dubious. Key reuse as a *default* rollover approach is robust. When it is time to change keys, one can do so deliberately, and with due care to prepublish TLSA records matching the *next* key, then after a few TTLs deploy the next certificate, and at that point drop the outdated TLSA RR matching the old keys. Meanwhile, root CAs reuse the same RSA 2048-bit key for decades. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: content filter sends mail twice
On Mon, May 22, 2023 at 06:06:00PM -0400, Alex wrote: > Yes, I wasn't aware that's how it worked. I've now explicitly defined the > bcc-user to use the same transport, but the problem is that there is one > bcc-user but multiple transports, each with their own policy. This is where recipient_bcc_maps comes into play, you can have a bcc recipient per domain or per-user (the latter preserves the message envelope as part of the BCC side-channel). Or (in a multi-instance configuration), you can add Bcc recipients in a per-domain output (back-end) instance. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
On 2023-05-22 at 19:53:11 UTC-0400 (Tue, 23 May 2023 07:53:11 +0800) Tom Reed via Postfix-users is rumored to have said: PS: Why do you (think you) need a backup MX? Hello I am not sure why I need a backup mx indeed, If you don't know why you want the added complexity, you do not want the added complexity. (See Also: "Cargo Cult") but if you make a simple dig, you find gmail, fastmail, protonmail, comcast, free.fr those big providers do have backup MXs. And they handle thousands of simultaneous SMTP sessions 24x7x365. Do you need that sort of scale? Though yahoo, outlook don't have backup MX as a comparison. Right, because multiple MXs are really NOT made necessary by scale, that's just a feature of some possible scaling architectures. The historical justification for the complexity of MX records was the Internet of the 1980s. That complexity (or robustness, if you prefer) turned out to be useful in the scaling of mail to hundreds of millions of users in thousands of domains in essentially unified systems with very high availability to 100% of the open Internet. If you do not have connectivity like the 1980s or scale like Google or GMX, you should have some *architectural* justification for a backup MX. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
Hello. It really depends on your mail volume and the reliability of your primary MX hostname. Typically the RFC permits mail to be delayed for up to 5 days at which mail will bounce back as undeliverable. For most low-volume sites, a primary only MX configuration is fine. Both of those domains have either Round-Robin DNS or multiple MX servers which provide a similar function. outlook.com mail is handled by 5 outlook-com.olc.protection.outlook.com. outlook-com.olc.protection.outlook.com has address 104.47.14.33 outlook-com.olc.protection.outlook.com has address 104.47.13.33 Yahoo has multiple server weight 1 servers providing redunancy. yahoo.com mail is handled by 1 mta6.am0.yahoodns.net. yahoo.com mail is handled by 1 mta5.am0.yahoodns.net. yahoo.com mail is handled by 1 mta7.am0.yahoodns.net Thanks Matthew On 5/22/2023 6:53 PM, Tom Reed via Postfix-users wrote: PS: Why do you (think you) need a backup MX? Hello I am not sure why I need a backup mx indeed, but if you make a simple dig, you find gmail, fastmail, protonmail, comcast, free.fr those big providers do have backup MXs. Though yahoo, outlook don't have backup MX as a comparison.___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
Tom Reed via Postfix-users skrev den 2023-05-23 01:53: I am not sure why I need a backup mx indeed, but if you make a simple dig, you find gmail, fastmail, protonmail, comcast, free.fr those big providers do have backup MXs. Though yahoo, outlook don't have backup MX as a comparison. one mx can have miltiple hostnames, one domain can have multiple hostnames/a//mx, what is backup mx for you ? my defination is if over 5 days should be catched on backup mx, then on recipient need a backup-mx host that have max query lifetime longer then 5 days, else its waste of resources gmail.com have over 30 spf ipv4 addresses, not counting ipv6, what if 30+ ipv4 is down at the same time should google just use all there listed ipv6 as backup-mx then ? :) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
> > PS: Why do you (think you) need a backup MX? Hello I am not sure why I need a backup mx indeed, but if you make a simple dig, you find gmail, fastmail, protonmail, comcast, free.fr those big providers do have backup MXs. Though yahoo, outlook don't have backup MX as a comparison. regards. -- sent from https://dkinbox.com/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: content filter sends mail twice
Hi, > > The BCC recipient is processed in much the same way as any other message > recipient. The only special handling that comes to mind is DSN, where > this recipient is treated as if NOTIFY=NEVER were specified. > > > local_transport = error:5.1.1 Mailbox unavailable > > default_transport = smtp:[127.0.0.1]:10024 > > relay_transport = $default_transport > > virtual_transport = $default_transport > > transport_maps = ${indexed}transport > > Perhaps the BCC recipient (domain) did not match any transport > table keys, but the real recipient did? > Yes, I wasn't aware that's how it worked. I've now explicitly defined the bcc-user to use the same transport, but the problem is that there is one bcc-user but multiple transports, each with their own policy. > > > /etc/postfix-120/transport > > domain1.comalex:[127.0.0.1]:10029 > > What is the domain part of the always BCC address. > It's the same as the hostname, while domain1.com (and domain2, domain3, etc) each use their own transport. Associating bcc-user with the policy that corresponds with domain would help me to better understand how the policy is being applied to users and be able to view header details as if they were to the actual user. Hopefully that makes sense. Email to one domain may be blocked with a given policy, while email to another domain may not, so it would be good to have the same policy applied to the always BCC user as every other user using that transport. Thanks, Alex > > ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
Thank you Victor, you are the embodiment of truth. > On Mon, May 22, 2023 at 08:26:19PM +0800, Tom Reed via Postfix-users > wrote: > >> 1. postfix is a backup MX for foo.com >> 2. this postfix uses other MTA as relay_host > > This would be a misconfiguration. A backup MX host MUST NOT be an > effective null client that relays *all* non-local mail to a "smarthost" > relay. Rather, a backup MX host MUST be at least smart enough to > relay mail for the domain(s) in question to better (lower) preference > MX hosts. > > The best way to do this, is to configure an explicit nexthop in > default_transport, and be sure to leave relayhost empty. > > main.cf: > # MUST be empty, to avoid backup MX domain loops. > relayhost = > relay_domains = foo.com > > # Regularly updated list of valid foo.com (and any other relay > # domain) recipients: > relay_recipient_maps = ... > > # Replace "smarthost.example" with actual default relayhost. > default_transport = smtp:smarthost.example > > Relay domains will use "relay_transport" (default "relay", which is > a clone of "smtp"), so will not in error use the smarhost. > > -- > Viktor. > ___ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org > -- sent from https://dkinbox.com/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
Tom Reed via Postfix-users: > Hello list, > > Given the case that: > > 1. postfix is a backup MX for foo.com > 2. this postfix uses other MTA as relay_host Please don't do that. By design a Postfix backup MX host will deliver to an MX host with a 'better' MX preference. You are frustrating that logic with your relayhost setting. As others have mentioned, you can override your relayhost override with a transprt_maps override, but double overrides are silly. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
On 22.05.23 20:26, Tom Reed via Postfix-users wrote: Given the case that: 1. postfix is a backup MX for foo.com 2. this postfix uses other MTA as relay_host When the primary MX for foo.com is down, messages to u...@foo.com will be delivered into backup MX. And, backup MX delivers the message to relay_host, which find that primary MX can't be reachable, so relay_host deliver message to backup MX again. Will this delivery loop happen in real world? as I answered in my last mail in previous thread: https://marc.info/?l=postfix-users=168466205702341=2 you should set-up transport map for example.com directly to primary server to avoid this loop: example.com relay:[primary-mx.example.com] you have replied to my previous mail, which I didn't respond to, as I expected you to read my followup. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #98652: Operation completed successfully. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
On Mon, May 22, 2023 at 08:26:19PM +0800, Tom Reed via Postfix-users wrote: > 1. postfix is a backup MX for foo.com > 2. this postfix uses other MTA as relay_host This would be a misconfiguration. A backup MX host MUST NOT be an effective null client that relays *all* non-local mail to a "smarthost" relay. Rather, a backup MX host MUST be at least smart enough to relay mail for the domain(s) in question to better (lower) preference MX hosts. The best way to do this, is to configure an explicit nexthop in default_transport, and be sure to leave relayhost empty. main.cf: # MUST be empty, to avoid backup MX domain loops. relayhost = relay_domains = foo.com # Regularly updated list of valid foo.com (and any other relay # domain) recipients: relay_recipient_maps = ... # Replace "smarthost.example" with actual default relayhost. default_transport = smtp:smarthost.example Relay domains will use "relay_transport" (default "relay", which is a clone of "smtp"), so will not in error use the smarhost. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
On 2023-05-22 at 08:36:49 UTC-0400 (Mon, 22 May 2023 14:36:49 +0200 (CEST)) Bernardo Reino via Postfix-users is rumored to have said: My world is only a very small subset of the real world :), but in that world, if I say that a given server is the MX for a domain, then that's that, it should not relay further. No. Historically, domains would be configured with multiple MX records pointing to diverse machines because one could not rely on perfect connectivity and in some cases it was actually more or less expensive (in resources or actual money) to route mail via one or another path. This is why MX records have a "cost" field, and it is expected that whichever MX host one relays to, it will end up in the same mailbox. Usually this means that higher-cost MX hosts relay messages with SMTP to the lowest-cost MX host, but not always. In the modern world, connectivity and individual host availability have become good enough for most cases that it is more trouble than it is worth to have diverse MX hosts with varied cost metrics. The use of multiple MX records has evolved into a mechanism for load balancing and availability in very large systems and playing standard-compliance games with spammers ("no-listing") for smaller systems. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: DANE and DNSSEC
Joachim Lindenberg via Postfix-users writes: > (...) just mark your calendar to update in September 2025 ... Hellow Joachim! Thanks for remarkble tip ^^^ Sincerely, Byung-Hee ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: delivery loop?
On Mon, 22 May 2023, Tom Reed via Postfix-users wrote: Given the case that: 1. postfix is a backup MX for foo.com 2. this postfix uses other MTA as relay_host When the primary MX for foo.com is down, messages to u...@foo.com will be delivered into backup MX. And, backup MX delivers the message to relay_host, which find that primary MX can't be reachable, so relay_host deliver message to backup MX again. I think the idea is that the MX for a given domain is expected to accept the mail, rather than relay it somewhere else. (Otherwise the other host should be the MX). But obviously, if your "other MTA" decides to send the mail to your "backup MX" then I'd say you can have a loop. Will this delivery loop happen in real world? My world is only a very small subset of the real world :), but in that world, if I say that a given server is the MX for a domain, then that's that, it should not relay further. Maybe others with more experience and/or a wider world can provide better info. Cheers. PS: Why do you (think you) need a backup MX? ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: DANE and DNSSEC
reusing the private key for too long (say a year or more) is considered a bad security practice. Imho it is easier to monitor changes of the issuing CA (I do) or just mark your calendar to update in September 2025 than to pin 3 1 1. Don´t want to be fundamental, just opinionated. Everyone has to decide on her/his own. Cheers, Joachim -Ursprüngliche Nachricht- Von: raf via Postfix-users Gesendet: Samstag, 20. Mai 2023 00:53 An: postfix-users@postfix.org Betreff: [pfx] Re: DANE and DNSSEC On Thu, May 18, 2023 at 08:54:16PM +0200, Joachim Lindenberg via Postfix-users wrote: > For Letsencrypt certificates I´d definitely go with 2 1 1 > 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D and > optionally the R4 derivate and add their successors when these are about to > expire, rather than 3 1 1 and change every two months. > Best Regards, > Joachim The certificate might change every few months, but that doesn't mean that the key has to change at the same time. As Viktor pointed out, with certbot you can configure reuse_key = True which prevents the renewal from creating a new key. That way, the user can decide when they want the key to rollover. cheers, raf ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] delivery loop?
Hello list, Given the case that: 1. postfix is a backup MX for foo.com 2. this postfix uses other MTA as relay_host When the primary MX for foo.com is down, messages to u...@foo.com will be delivered into backup MX. And, backup MX delivers the message to relay_host, which find that primary MX can't be reachable, so relay_host deliver message to backup MX again. Will this delivery loop happen in real world? Thank you. -- sent from https://dkinbox.com/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org