[pfx] Re: Turn Off Verify Service?
On 29/11/2023 15:38, Viktor Dukhovni via Postfix-users wrote:

> On Wed, Nov 29, 2023 at 03:00:24PM +1100, duluxoz via Postfix-users wrote:
>
> > I was reading an on-line guide about hardening Postfix and came across
> > a line that said that the Verify service could/should be turned off in
> > the master.cf file.
> >
> > Is this actually good advice, or is there some sort of "gotcha" hiding in
> > the background that'll bite us in the @rse?
>
> The advice is largely misguided, but mostly harmless, if you don't use
> sender or recipient verification. Leaving the service enabled does not
> materially affect the Postfix "attack surface", but turning it off when
> unused is fine too.

Thanks Viktor,

For what it's worth, it is my opinion that misguided information, harmless or otherwise, is worse than useless, because it encourages bad habits which then enter the zeitgeist and perpetuate (see mandatory rotating passwords every 90 days) :-)

Cheers

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Turn Off Verify Service?
On Wed, Nov 29, 2023 at 03:00:24PM +1100, duluxoz via Postfix-users wrote:

> I was reading an on-line guide about hardening Postfix and came across
> a line that said that the Verify service could/should be turned off in
> the master.cf file.
>
> Is this actually good advice, or is there some sort of "gotcha" hiding in
> the background that'll bite us in the @rse?

The advice is largely misguided, but mostly harmless, if you don't use
sender or recipient verification. Leaving the service enabled does not
materially affect the Postfix "attack surface", but turning it off when
unused is fine too.

--
Viktor.
[pfx] Turn Off Verify Service?
Hey All,

I was reading an on-line guide about hardening Postfix and came across a line that said that the Verify service could/should be turned off in the master.cf file.

Is this actually good advice, or is there some sort of "gotcha" hiding in the background that'll bite us in the @rse?

This is for a Mail Hub server, but could also be used on Null Client servers as well.

Thanks in advance for any advice

Cheers

Dulux-Oz
[pfx] Re: What does postfix do with malformed messages?
On Tue, Nov 28, 2023 at 10:04:53PM -0500, John Levine via Postfix-users wrote:

> If a malformed mail message shows up by SMTP (not local sendmail or
> submission), will postfix generally try to clean it up or just
> pass it along?

You have to be a bit more specific. What does "malformed" mean?

Generally speaking, Postfix leaves messages alone, other than folding very long lines when forwarding to a remote SMTP server.

Postfix will however insert a blank line after the last header and before the first body line if there isn't one. This can happen when there's a malformed header (missing a ":" or the header name is too far out of spec).

> I see the cleanup program and all the options about when to run it and
> what to tell it to do, but in practice, will a typical system clean
> everything up, just locally submitted stuff, or something else? Tnx.

The cleanup service is not about fixing the message syntax, its job is primarily to perform address rewriting (primarily 1-to-1 canonical on the envelope and headers followed by 1-to-n virtual on just the envelope recipients).

The cleanup(8) service is also responsible for orchestrating the optional header/body checks (user-provided regexp filters) and passing the message content (headers and body) through any milters.

--
Viktor.
[pfx] What does postfix do with malformed messages?
If a malformed mail message shows up by SMTP (not local sendmail or submission), will postfix generally try to clean it up or just pass it along?

I see the cleanup program and all the options about when to run it and what to tell it to do, but in practice, will a typical system clean everything up, just locally submitted stuff, or something else? Tnx.

R's,
John
[pfx] Re: gmail failing SPF/DKIM
Hello.

I was able to replicate this error, however it's not a misconfiguration in Postfix, but rather a policy change by Google. I didn't notice the bounce message sooner, since it was routed to my SPAM folder on Gmail.

If I use a GMAIL From: address and attempt to email another GMAIL account, it bounces back with this error. Only, when I use a third-party to relay the message.

I think what is happening is that Google has implemented a new anti-spam policy, rejecting any emails that have GMAIL email hosted domain that is failing SPF/DKIM. Only messages relayed via Google are valid.

If you are using a contact form, the From: address is typically munged to be the user filling out the form.

-- Forwarded message --
From: Matthew McGehrin
To: Matthew McGehrin
Cc:
Bcc:
Date: Tue, 28 Nov 2023 20:25:24 -0600
Subject: Testing to Gmail

Test

: host gmail-smtp-in.l.google.com[142.251.167.27] said:
    550-5.7.26 This mail has been blocked because the sender is unauthenticated.
    550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.
    550-5.7.26
    550-5.7.26

Thank you.

Matthew
[pfx] Re: gmail failing SPF/DKIM
Linkcheck via Postfix-users:

> On 28/11/2023 3:07 pm, Bill Cole via Postfix-users wrote:
> > That's not a result, that's part of the DMARC policy
>
> Oh. Thank you for the correction, Bill. :)
>
> > That should not be enough...
>
> Something is wrong. I wonder if there is a DNS-resolving delay but I
> guess I'm not going to easily discover that. :(

You discover that by using a delivery agent with soft_bounce turned on.

Wietse
[pfx] Re: Postfix authenticated sender and From: header verification
Wietse Venema via Postfix-users:

> Vijay S Sarvepalli via Postfix-users:
> > Hello Postfix community,
> >
> > This may be a feature request. As far as I can tell it is currently
> > not possible to verify if an authenticated user has sent email
> > that uses a From: header (After DATA command) that does not match
> > his/her credentials.
> ...
> > The only way I found is using some third party software
> > https://github.com/magcks/milterfrom/
>
> This is intentional. Apart from simple header/body checks to block
> known evil, Postfix generally does not implement configurable
> policies on header/body content, leaving such policies up to plugins.

Added note: most email 'user' software does not show the From: address, but instead shows the "display name" in the From: header.

    From: "display name" <address>

Or the obsolete form:

    From: address (display name)

Tools like "milterfrom" replace the address without updating the display name.

A more sophisticated solution would use a lookup table that maps an envelope sender to a complete new From: header, and that would drop the existing From: header if such a mapping exists.

Wietse
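The difference between the two rewriting approaches described in the message above, as an added Python example (not part of the original post, and not code from Postfix or milterfrom). The lookup table FROM_MAP, the function names and the sample message are assumptions made for illustration; a real deployment would do this inside a milter or content filter.

```python
from email import message_from_string, policy
from email.headerregistry import Address

# Hypothetical lookup table: envelope sender -> complete From: header.
FROM_MAP = {"alice@example.com": '"Alice Example" <alice@example.com>'}

# Constructed message: alice authenticates, but From: claims to be Bob.
SAMPLE = (
    'From: "Bob Example" <bob@example.com>\n'
    "To: carol@example.org\n"
    "Subject: invoice\n"
    "\n"
    "Please pay today.\n"
)

def from_parts(raw):
    """Return (display name, address) of the message's single From: header."""
    msg = message_from_string(raw, policy=policy.default)
    headers = msg.get_all("From", [])
    if len(headers) != 1:
        raise ValueError("expected exactly one From: header")
    mailbox = headers[0].addresses[0]
    return mailbox.display_name, mailbox.addr_spec

def address_only_rewrite(raw, envelope_sender):
    """Swap the address but keep the display name the client supplied."""
    msg = message_from_string(raw, policy=policy.default)
    name = msg["From"].addresses[0].display_name
    del msg["From"]
    msg["From"] = Address(display_name=name, addr_spec=envelope_sender)
    return msg.as_string()

def full_header_rewrite(raw, envelope_sender):
    """Drop every existing From: header and insert the mapped one."""
    new_from = FROM_MAP.get(envelope_sender.lower())
    if new_from is None:
        return raw  # no mapping: the message is left untouched
    msg = message_from_string(raw, policy=policy.default)
    del msg["From"]  # removes all From: headers, not just the first
    msg["From"] = new_from
    return msg.as_string()

if __name__ == "__main__":
    print(from_parts(address_only_rewrite(SAMPLE, "alice@example.com")))
    print(from_parts(full_header_rewrite(SAMPLE, "alice@example.com")))
```

After the address-only rewrite the recipient's mail client still shows "Bob Example"; only the full-header replacement changes what the recipient sees.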
[pfx] Re: gmail failing SPF/DKIM
On 28/11/2023 3:07 pm, Bill Cole via Postfix-users wrote:

> That's not a result, that's part of the DMARC policy

Oh. Thank you for the correction, Bill. :)

> That should not be enough...

Something is wrong. I wonder if there is a DNS-resolving delay but I guess I'm not going to easily discover that. :(
[pfx] Re: [ext] gmail failing SPF/DKIM
On 2023-11-28 at 06:21:14 UTC-0500 (Tue, 28 Nov 2023 11:21:14 +) Linkcheck via Postfix-users is rumored to have said:

> If it's only "largely redundant" I would expect G to possibly ignore it but not fail on it.

The expectations of others are known to be poor predictors of GMail behavior.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: gmail failing SPF/DKIM
On 2023-11-28 at 06:15:47 UTC-0500 (Tue, 28 Nov 2023 11:15:47 +) Linkcheck via Postfix-users is rumored to have said:

> The dmarc results are ambiguous:
>
> r

That's not a result, that's part of the DMARC policy

> pass
>
> although dkim fails both tests.

So, DKIM signatures are failing. That should not be enough to reject the mail if its SPF is passing and aligns with the From header.

> =
> google.com noreply-dmarc-supp...@google.com https://support.google.com/a/answer/2466580 10845692433607357330 1701043200 1701129599 bristolweb.net r r reject reject 100 reject 185.35.151.121 1 none fail pass mail.bristolweb.net mail.bristolweb.net pass
> =

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
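The rule stated in the reply above (a failing DKIM result alone does not fail DMARC when SPF passes and aligns with the From header), as an added Python example that is not part of the original message. The report below is constructed, with placeholder domains and addresses, and the relaxed-alignment test is a simplification that is marked as an assumption in the code.

```python
import xml.etree.ElementTree as ET

# Constructed report: example.net and 192.0.2.x are placeholder values.
REPORT = """<feedback>
 <policy_published><domain>example.net</domain>
  <adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><policy_evaluated>
   <disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
  </policy_evaluated></row>
  <identifiers><header_from>mail.example.net</header_from></identifiers>
  <auth_results>
   <spf><domain>mail.example.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.20</source_ip><policy_evaluated>
   <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
  </policy_evaluated></row>
  <identifiers><header_from>example.net</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.net</domain><result>fail</result></dkim>
   <spf><domain>relay.example.org</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

def aligned(header_from, auth_domain, mode):
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if not (a and b) or mode == "s":  # strict mode: exact match only
        return bool(a) and a == b
    # Relaxed mode, approximated as equal-or-subdomain (assumption: a real
    # evaluator compares organizational domains via the Public Suffix List).
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def evaluate(report_xml):
    root = ET.fromstring(report_xml)
    modes = {"dkim": root.findtext("policy_published/adkim", "r"),
             "spf": root.findtext("policy_published/aspf", "r")}
    results = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from", "")
        ok = {m: any(e.findtext("result") == "pass"
                     and aligned(hfrom, e.findtext("domain", ""), modes[m])
                     for e in rec.findall(f"auth_results/{m}"))
              for m in ("dkim", "spf")}
        results.append({"source_ip": rec.findtext("row/source_ip"), "aligned": ok,
                        "dmarc": "pass" if any(ok.values()) else "fail"})
    return results
```

The first record passes DMARC on aligned SPF alone; the second fails even though SPF itself passed, because the SPF domain does not align with the From header domain.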
[pfx] Re: Postfix authenticated sender and From: header verification
On 2023-11-27 at 17:55:32 UTC-0500 (Mon, 27 Nov 2023 22:55:32 +) Vijay S Sarvepalli via Postfix-users is rumored to have said:

> Hello Postfix community,
>
> This may be a feature request. As far as I can tell it is currently not possible to verify if an authenticated user has sent email that uses a From: header (After DATA command) that does not match his/her credentials. The features https://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch allows for SMTP MAIL FROM: address to be verified with the authenticated user. However if a user spoofs From: header inside an email and leave the SMTP MAIL FROM: to be matching, it cannot be inspected or verified using any Postfix configuration parameters.

Correct. As Dr. Venema said, this is a design choice. An important and correct one, in my opinion.

> The only way I found is using some third party software https://github.com/magcks/milterfrom/

Actually there are MANY ways to attack this issue with add-ons for Postfix. For example, if you use any of the mechanisms for integrating Apache SpamAssassin, it has a suite of rules related to the coherence of various sender-related values. So you could just use SpamAssassin with Amavis, MIMEDefang, MailMunge, spamass-milter, or in a simple content_filter to get those rules applied at whatever weights you like. There are also other anti-spam tools that can be integrated with Postfix by its various interfaces.

> Is it possible to include this as a feature so it is possible for large scale ISP’s to prevent any one user using another user hosted on the same server. This type of spoofing of the From: header inside the email could go unnoticed, potentially get a SPF verified delivery and/or even get a DKIM signature due to the lack of native capability to inspect and reject such misuse. Something like reject_authenticated_from_login_mismatch could be used to distinguish this configuration parameter.

Sophisticated analysis of the contents of a message (which may or may not be in a standard format and may even be designed to thwart analysis) is a complicated and potentially dangerous task. As a transport agent, Postfix should not be spending the resources or taking the risk of such analysis. It is much safer to delegate that analysis to specialized external software.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
[pfx] Re: [ext] gmail failing SPF/DKIM
> ipv6

I have...

inet_protocols = ipv4

... with no AAA record

But thanks anyway, Peter.
[pfx] Re: [ext] gmail failing SPF/DKIM
If it's only "largely redundant" I would expect G to possibly ignore it but not fail on it.
[pfx] Re: gmail failing SPF/DKIM
The dmarc results are ambiguous:

r

pass

although dkim fails both tests.

=
google.com noreply-dmarc-supp...@google.com https://support.google.com/a/answer/2466580 10845692433607357330 1701043200 1701129599 bristolweb.net r r reject reject 100 reject 185.35.151.121 1 none fail pass mail.bristolweb.net mail.bristolweb.net pass
=
[pfx] Re: gmail-headers
Thanks for that, Matthew. So not all gmail ones fail. Hmm.
[pfx] Re: gmail failing SPF/DKIM
Wietse Venema via Postfix-users writes:

> (...)
> gmail rejects all messages with that sender domain name? Some
> messages? I have found that Gmail may treat some 'soft' errors (DNS
> timeout) as 'hard' errors. My workaround is to retry deliveries.
>
> /etc/postfix/main.cf:
>     transport_maps = hash:/etc/postfix/transport
>
> /etc/postfix/transport:
>     gmail.com google:
>     gmail.com google:
>     # List other domains hosted at google...
>     # Postfix needs the ability to group mail by recipient's MX servers.
>     # It is becoming urgent.
>
> /etc/postfix/master.cf:
>     google unix - - - - - smtp
>         -o soft_bounce=yes
>
> You'd need to monitor your mail queue for messages that are really
> undeliverable.
>

Hello Wietse,

Again, I learn another new thing from you, thanks!

Sincerely, Byung-Hee

--
^Thank you _spread virtue throughout the world_ Thank you_^))//