implementing DMARC with postfix

2012-05-29 Thread Jack Raats
Hi,

Can anyone give me a manual or guide how to implement dmarc with postfix?

thanks

Grtz.,
Jack

Re: Postfix 2.9.2, 2.8.11, 2.7.10, 2.6.16 available

2012-05-29 Thread Sahil Tandon
On Mon, 2012-05-21 at 08:55:13 -0400, Wietse Venema wrote:
> ...
> To avoid repeated warnings from postscreen(8) with "connect to
> private/dnsblog service: Connection refused" on FreeBSD, the
> dnsblog(8) daemon now uses the single_server program driver instead of
> the multi_server driver. This one-line code change has no performance
> impact for other systems, and eliminates a high-frequency accept()
> race on a shared socket that appears to cause trouble on FreeBSD. The
> same single_server program driver has proven itself for many years in
> smtpd(8).  Problem reported by Sahil Tandon.

I've been running 2.10-20120520 for the past 48 hours with no sign of
the 'Connection refused' problem.  Thanks very much for the time you
spent implementing this workaround, Wietse.

-- 
Sahil Tandon


Re: Postfix SMTP Client Segfaults over TLS

2012-05-29 Thread Daniel Sutcliffe
Thanks Wietse - I don't have a 'solution' yet but I now know where the
problem lies ...

Daniel Sutcliffe wrote:
>> I have now tried stopping postfix, downgrading my openssl package back
>> to this previous version, deleting the TLS session caches, and
>> starting postfix again and the same problem is occurring - which would
>> infer to me that it isn't an OpenSSL package version which caused the
>> problem - and maybe the upgrade of this package in the same time-frame
>> as when the problem started occurring may be a bit of a red herring :(
>>
>> The only other change in system which would seem to be even slightly
>> related was that the kernel was updated and a reboot occurred just
>> before the errors started to occur.  I am contemplating going back to

Wietse Venema  wrote:
> I suggest looking at
>
>    % ldd /usr/libexec/postfix/smtp
>
> and examining all the libraries referenced.

I did this exactly, and from there followed the threads of evidence
through my logfiles.

> Perhaps the update has introduced a new library-to-library dependency,
> such as a new LDAP library dependency on a different SASL library
> than Postfix wants. Dependencies may also be introduced via
> nsswitch.conf; those don't show up in ldd output.
>
> Kernel APIs don't change randomly.

This was my thought too - I was definitely clutching at straws there -
I did try with the older kernel, glibc, openssl and everything else
that could have possibly changed since the setup was last known to
work... luckily I had a snapshot of the server I was able to bring up
as a virtual instance to test all the combinations out.

I have now tracked this down to the fact that I began using the
Percona version of the mysql-libs package that contains
libmysqlclient.so.16 - obviously some incompatibility there as the
original worked but the Percona version causes postfix smtp to segfault
over TLS...

As far as I am aware I don't use any postfix mysql features so I don't
even need to be linked against that library - will this be fixed at
compile time or can I somehow disable config to stop this library even
being loaded by smtp?  Any other ideas? I really need to use the
Percona MySQL server so am stuck with their versions of the client
libraries ... I think !?

All ideas welcome as to how I can workaround this - preferably without
rebuilding RPMs
Cheers
/dan
-- 
Daniel Sutcliffe 


Re: newsreader and subscription

2012-05-29 Thread mouss
On 30/05/2012 00:06, Simon Brereton wrote:
> On May 29, 2012 6:03 PM, "mouss"  wrote:
>>
>> On 28/05/2012 09:53, Georg Schönweger wrote:
>>> Hi,
>>>
>>> i'm using a Newsreader to read this list (via news.gname.org). But afaik
>>> i have to be subscribed to write to this list. And if i'm subscribed i
>>> will receive every post via email too, so i receive it twice.
>>> Is there a way to be subscribed without "receiving" posts to my mail
> address?
>>
>> no. almost all mailing lists work this way (posters = members =
>> recipients). believe it or not, many of us have considered this problem,
>> but it's not a simple one (open lists such as debian lists currently get
>> more abuse...). I personally worked on a much much simpler problem: N
>> persons in a company are subscribed to a single list: the company gets N
>> copies of the same messages. would there be a way to get only one copy,
>> yet allow each person to post "individually"? my answer so far is: live
>> with that (not even pruning N-1 messages, because it's harder than it
>> looks...). keep it simple...
>>
>> to fix your problem, get yourself an address that you don't consult, such
> as
>>gschoewgere.posto...@gmail.com
>> it's sub-optimal, but it's so simple.
> 
> By default gmail doesn't show you your own post.
> 
> Some mailing software doesn't either..
> 

looks like you misread OP (I did at first).
the issue isn't with one's own messages being resent. he gets the message
both on his email address via list re-post and on his news reader.

(and gmail behaviour is subject to debate, some like it, some don't. but
this is not the right list for such debates).


Re: newsreader and subscription

2012-05-29 Thread Simon Brereton
On May 29, 2012 6:03 PM, "mouss"  wrote:
>
> On 28/05/2012 09:53, Georg Schönweger wrote:
> > Hi,
> >
> > i'm using a Newsreader to read this list (via news.gname.org). But afaik
> > i have to be subscribed to write to this list. And if i'm subscribed i
> > will receive every post via email too, so i receive it twice.
> > Is there a way to be subscribed without "receiving" posts to my mail
address?
>
> no. almost all mailing lists work this way (posters = members =
> recipients). believe it or not, many of us have considered this problem,
> but it's not a simple one (open lists such as debian lists currently get
> more abuse...). I personally worked on a much much simpler problem: N
> persons in a company are subscribed to a single list: the company gets N
> copies of the same messages. would there be a way to get only one copy,
> yet allow each person to post "individually"? my answer so far is: live
> with that (not even pruning N-1 messages, because it's harder than it
> looks...). keep it simple...
>
> to fix your problem, get yourself an address that you don't consult, such
as
>gschoewgere.posto...@gmail.com
> it's sub-optimal, but it's so simple.

By default gmail doesn't show you your own post.

Some mailing software doesn't either..

Simon


Re: newsreader and subscription

2012-05-29 Thread mouss
On 28/05/2012 09:53, Georg Schönweger wrote:
> Hi,
> 
> i'm using a Newsreader to read this list (via news.gname.org). But afaik
> i have to be subscribed to write to this list. And if i'm subscribed i
> will receive every post via email too, so i receive it twice.
> Is there a way to be subscribed without "receiving" posts to my mail address?

no. almost all mailing lists work this way (posters = members =
recipients). believe it or not, many of us have considered this problem,
but it's not a simple one (open lists such as debian lists currently get
more abuse...). I personally worked on a much much simpler problem: N
persons in a company are subscribed to a single list: the company gets N
copies of the same messages. would there be a way to get only one copy,
yet allow each person to post "individually"? my answer so far is: live
with that (not even pruning N-1 messages, because it's harder than it
looks...). keep it simple...

to fix your problem, get yourself an address that you don't consult, such as
gschoewgere.posto...@gmail.com
it's sub-optimal, but it's so simple.


Re: special mail queue ?

2012-05-29 Thread Frank Bonnet

On 05/29/2012 04:09 PM, Viktor Dukhovni wrote:
> On Tue, May 29, 2012 at 03:54:19PM +0200, Frank Bonnet wrote:
>
>> I have a request from staff here.
>>
>> They need to manually post personalized emails to around 100 professors
>> the person who will send those emails wants to verify each email before
>> sending it but all emails have to be sent at the same time for
>> administrative reasons ...
>>
>> Is it possible to define a temporary postfix spool queue for that
>> usage to let
>> emails stack in it , then when all emails have been sent and have the OK
>> from staff push the button to send all emails at once ?
>
> Yes, definitely, just create a Postfix instance in which all mail
> is placed on hold. Then release when ready via:
>
> # postsuper -H ALL hold # Release from "hold" to "deferred"
> # postqueue -f  # Flush the queue
>
> The hard part is routing selected mail into that instance, either
> the senders can use the custom Postfix as their submission service
> (custom MUA configuration), or you need to route all mail with a
> custom header or subject tag or sender address, ... to the special
> Postfix instance via header_checks or check_sender_access.
>
> A custom MUA is likely better. You should also consider implementing
> VERP for bounce processing, this can be done via a "simple"
> content filter that invokes sendmail(1) with the appropriate option
> when re-queueing the message. Place messages on hold downstream of
> the filter.
>
> An advanced (SMTP) filter is more efficient, but is more code if
> you don't already have an engine that does this.
>
> I've had occasion to implement exactly what you describe (on a
> larger scale) and created the initial implementation of Postfix
> SMTP connection caching to efficiently handle the delivery of a
> burst of pre-queued mail.  The throughput was reasonably impressive,
> ~300 msgs/sec per sending machine, with some of the larger ESPs
> receiving over 100 msgs/sec.


Hello

Thanks for the answer

I finally choose the lazy way :-)

I've setup a "special" smtp server on a linux box
"just for the event" which HOLD all incoming emails
perfect for what I need.







Re: Make smtpd/Postscreen compatible with load balancers

2012-05-29 Thread Wietse Venema
Willy Tarreau:
> Hi Wietse,
> 
> On Tue, May 29, 2012 at 08:18:35AM -0400, Wietse Venema wrote:
> > Willy Tarreau:
> > > > >Regardless of command format details, if the proxy prepends a command
> > > > >to the client's SMTP stream, then postscreen must use unbuffered
> > > > >I/O to read that command. If buffering were turned on, the buffering
> > > > >layer could read past the proxy's  and eat up part of the
> > > > >client input kind-of like CVE-2011-0411.
> > > 
> > > Precisely on this point there is an easier way, it consists in using
> > > recv(MSG_PEEK). The big advantage is that you don't need to store the
> > > temporary bytes you've read since they remain in the kernel's buffers.
> > > So it more or less looks like this :
> > 
> > First, just like SMTP and HTTP protocol documentation, HAPROXY
> > documentation states nowhere that any particular information must
> > be sent (or received) in exactly one TCP segment. 
> 
> No, there is no such requirement, as this can never be guaranteed anywhere.
> That's why in my example, there was a return on incomplete lines, waiting
> for the next event to try to complete the line.

Postscreen, faced with the same non-problem in SMTP, does exactly
the same thing. The line read routine would need to be moved out
of the dummy SMTP engine so that it can be reused to read proxy
data, whether from haproxy, xclient or something else.

Wietse


Re: conditional body_checks

2012-05-29 Thread Loïc
Hello,

Thank you for your response.
Indeed, in my case it's not a good idea to go through a header_checks.
I resolved my problem using maildrop.

Loïc


On Thu, May 24, 2012 at 4:22 AM, Bill Cole
 wrote:
> On 23 May 2012, at 7:59, Loïc Latreille wrote:
>
>> Hello,
>>
>> I would check if a string is present in the message body only if the
>> "To" field is equal to "j...@example.org".
>
>
> Read the man page for header_checks. Note the first bullet point in the
> "BUGS" section.
>
> Alternatively, read $readme_directory/BUILTIN_FILTER_README, particularly
> the section on limitations.
>
>
>
>> I tried to use IF...ENDIF but it doesn't work because the pattern
>> between IF and ENDIF doesn't match the same input string that the IF
>> pattern.
>>
>> A part of the body :
>> ...
>> To: JDOE 
>> From: "t...@otherexample.org" 
>> X-Email-Type-Id: TT123MM
>> ...
>>
>> My pcre table for the body_checks :
>> IF /To: JDOE /
>> /X-Email-Type-Id: TT123MM/ REDIRECT m...@example.org
>> ENDIF
>>
>> I need some help to run my filter, I can not seem to find a solution
>> to this problem :(
>
>
>
> The solutions you could use do not include the built-in body_checks and
> header_checks features of Postfix, but rather to use one of the available
> interfaces to external filters.


Re: special mail queue ?

2012-05-29 Thread Viktor Dukhovni
On Tue, May 29, 2012 at 03:54:19PM +0200, Frank Bonnet wrote:

> I have a request from staff here.
> 
> They need to manually post personalized emails to around 100 professors
> the person who will send those emails wants to verify each email before
> sending it but all emails have to be sent at the same time for
> administrative reasons ...
> 
> Is it possible to define a temporary postfix spool queue for that
> usage to let
> emails stack in it , then when all emails have been sent and have the OK
> from staff push the button to send all emails at once ?

Yes, definitely, just create a Postfix instance in which all mail
is placed on hold. Then release when ready via:

# postsuper -H ALL hold # Release from "hold" to "deferred"
# postqueue -f  # Flush the queue

The hard part is routing selected mail into that instance, either
the senders can use the custom Postfix as their submission service
(custom MUA configuration), or you need to route all mail with a
custom header or subject tag or sender address, ... to the special
Postfix instance via header_checks or check_sender_access.

A custom MUA is likely better. You should also consider implementing
VERP for bounce processing, this can be done via a "simple"
content filter that invokes sendmail(1) with the appropriate option
when re-queueing the message. Place messages on hold downstream of
the filter.

An advanced (SMTP) filter is more efficient, but is more code if
you don't already have an engine that does this.

I've had occasion to implement exactly what you describe (on a
larger scale) and created the initial implementation of Postfix
SMTP connection caching to efficiently handle the delivery of a
burst of pre-queued mail.  The throughput was reasonably impressive,
~300 msgs/sec per sending machine, with some of the larger ESPs
receiving over 100 msgs/sec.

-- 
Viktor.


special mail queue ?

2012-05-29 Thread Frank Bonnet

Hello

I have a request from staff here.

They need to manually post personalized emails to around 100 professors
the person who will send those emails wants to verify each email before
sending it but all emails have to be sent at the same time for
administrative reasons ...


Is it possible to define a temporary postfix spool queue for that usage 
to let

emails stack in it , then when all emails have been sent and have the OK
from staff push the button to send all emails at once ?

thank you



Re: newsreader and subscription

2012-05-29 Thread Georg Schönweger
On 29.05.2012 12:56, Ansgar Wiechers wrote:
> On 2012-05-29 Georg Schönweger wrote:
>> On 29.05.2012 09:37, Stan Hoeppner wrote:
>>> On 5/29/2012 2:10 AM, Georg Schönweger wrote:
>>>> How can i activate "no mail mode"?
>>>
>>> Your list options are here:
>>> http://www.postfix.org/lists.html#lists
>>>
>>> Browsing those, it appears there is no method to accomplish what you
>>> desire.  Thus, I'd suggest you simply create an access list and discard
>>> all mail from this list, something like:
> [...]
>>> If you use the 'everything-under-smtpd_recipient_restrictions' style of
>>> main.cf, simply add the check_sender_access there.
>>
>> Good idea, but unfortunately i do not host our domain on our own server
>> (at least not yet).
> 
> Unsubscribe from the newsgroup. Problem solved.
> 
> Regards
> Ansgar Wiechers

Yes but then i can't post anymore to the list ...

kind regards,
Georg



Re: Make smtpd/Postscreen compatible with load balancers

2012-05-29 Thread Wietse Venema
Willy Tarreau:
> > >Regardless of command format details, if the proxy prepends a command
> > >to the client's SMTP stream, then postscreen must use unbuffered
> > >I/O to read that command. If buffering were turned on, the buffering
> > >layer could read past the proxy's  and eat up part of the
> > >client input kind-of like CVE-2011-0411.
> 
> Precisely on this point there is an easier way, it consists in using
> recv(MSG_PEEK). The big advantage is that you don't need to store the
> temporary bytes you've read since they remain in the kernel's buffers.
> So it more or less looks like this :

First, just like SMTP and HTTP protocol documentation, HAPROXY
documentation states nowhere that any particular information must
be sent (or received) in exactly one TCP segment. 

If this atomicity is an essential requirement of the HAPROXY protocol,
then that had better be made explicit in the documentation.

Second, it makes little sense to re-invent all the error and
time-limit handling that Postfix already has. I prefer to reuse the
line reading routine that postscreen already has, instead of reaching
for the lowest-level kernel API.

Wietse
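The hazard Wietse describes above (a buffering layer reading past the proxy's command and eating part of the client's input) is easy to reproduce locally. The program below is an added example, not postscreen or HAProxy code: it pushes a constructed proxy header line plus the client's first SMTP command through a socketpair in one write, then compares three readers: a buffered read that swallows the client command, the unbuffered byte-at-a-time line read that postscreen favours, and the recv(MSG_PEEK) approach Willy suggests (which also returns early when no complete line has arrived yet, as his reply notes). The header text and addresses are constructed samples; only the byte counts matter.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* Constructed sample (not captured traffic): a proxy header line that lands
 * in the same TCP write as the client's first SMTP command. The header
 * format is illustrative only. */
#define PROXY_PART  "PROXY TCP4 192.0.2.10 192.0.2.20 40000 25\r\n"
#define CLIENT_PART "EHLO client.example\r\n"
static const char SAMPLE[] = PROXY_PART CLIENT_PART;

/* Write SAMPLE into one end of a socketpair and return the reading end
 * (-1 on failure). The writer is closed so the reader sees EOF afterwards. */
static int make_stream(void)
{
    int sv[2];
    ssize_t want = (ssize_t)(sizeof(SAMPLE) - 1);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[1], SAMPLE, (size_t)want) != want) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    close(sv[1]);
    return sv[0];
}

/* Count the bytes still unread on fd (what a later SMTP engine would get),
 * then close it. */
static size_t drain(int fd)
{
    char buf[256];
    size_t total = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += (size_t)n;
    close(fd);
    return total;
}

/* Hazard: a buffering layer reads as much as it can, so the proxy line and
 * the client's command both end up in its private buffer. Anything that
 * reads the socket afterwards never sees "EHLO ...". */
size_t client_bytes_after_buffered_read(void)
{
    char buf[4096];
    int fd = make_stream();
    if (fd < 0)
        return (size_t)-1;
    (void)read(fd, buf, sizeof buf);  /* reads well past the first line */
    return drain(fd);                 /* 0: client command swallowed */
}

/* Safe variant 1 (postscreen style): unbuffered reads, one byte at a time,
 * stopping at the end of the first line. */
size_t client_bytes_after_unbuffered_read(void)
{
    char line[512];
    size_t len = 0;
    char c;
    int fd = make_stream();
    if (fd < 0)
        return (size_t)-1;
    while (len < sizeof line - 1 && read(fd, &c, 1) == 1) {
        line[len++] = c;
        if (c == '\n')
            break;
    }
    line[len] = '\0';                 /* line now holds only the proxy header */
    return drain(fd);                 /* 21: "EHLO client.example\r\n" intact */
}

/* Safe variant 2 (Willy's suggestion): peek at the kernel buffer, locate the
 * end of line, then consume exactly that many bytes. Returns (size_t)-2 when
 * no complete line is present yet: the caller would wait for the next event
 * instead of consuming anything. */
size_t client_bytes_after_peek_read(void)
{
    char buf[512];
    ssize_t n;
    char *eol;
    int fd = make_stream();
    if (fd < 0)
        return (size_t)-1;
    n = recv(fd, buf, sizeof buf - 1, MSG_PEEK);
    if (n <= 0) {
        close(fd);
        return (size_t)-1;
    }
    buf[n] = '\0';
    eol = strstr(buf, "\r\n");
    if (eol == NULL) {                /* incomplete line: leave bytes in kernel */
        close(fd);
        return (size_t)-2;
    }
    (void)recv(fd, buf, (size_t)(eol + 2 - buf), 0); /* consume header only */
    return drain(fd);                 /* 21 */
}

int main(void)
{
    printf("buffered:   %zu client bytes left\n", client_bytes_after_buffered_read());
    printf("unbuffered: %zu client bytes left\n", client_bytes_after_unbuffered_read());
    printf("peek:       %zu client bytes left\n", client_bytes_after_peek_read());
    return 0;
}
```

Both safe variants leave the client's 21 bytes on the socket for whatever reads it next; the buffered reader leaves none. The MSG_PEEK path trades the per-byte system calls for one peek and one bounded recv, but as the thread points out it still needs its own handling of partial lines, errors and time limits, which is the code the existing line reader already has.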


Re: smtpd_reject_footer wrong error code

2012-05-29 Thread Wietse Venema
Marko Weber:
> 
> hello,
> 
> on our mx01 and mx02 we validate recipient addresses with
> 'reject_unverified_recipient'.
> now in one case, the mx01 or mx02 connects on the destination machine
> and tries to validate the recipient.
> 
> the result is:
> 
> 550 5.1.1 : Recipient address rejected: undeliverable 
> address: host 192.168.50.1[192.168.50.1] said: 550 5.1.1 User unknown 
> (in reply to RCPT TO command); from= 
> to= proto=ESMTP helo=
> 
> seems okay.
> 
> but the mx01 or mx02 says to sender:
> 
> 450-4.1.1 : Recipient address rejected: unverified 
> address: Address lookup failed.

If in doubt, read the documentation, CAREFULLY.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

Wietse


smtpd_reject_footer wrong error code

2012-05-29 Thread Marko Weber



hello,

on our mx01 and mx02 we validate recipient addresses with
'reject_unverified_recipient'.
now in one case, the mx01 or mx02 connects on the destination machine
and tries to validate the recipient.

the result is:


550 5.1.1 : Recipient address rejected: undeliverable 
address: host 192.168.50.1[192.168.50.1] said: 550 5.1.1 User unknown 
(in reply to RCPT TO command); from= 
to= proto=ESMTP helo=


seems okay.

but the mx01 or mx02 says to sender:


450-4.1.1 : Recipient address rejected: unverified 
address: Address lookup failed.


so sender server will try and try and try again.

why is the mx01/mx02 answering with a 4xx code, when the destination said 5xx
code, recipient unknown?



thank you for any help

marko



Re: newsreader and subscription

2012-05-29 Thread Ansgar Wiechers
On 2012-05-29 Georg Schönweger wrote:
> On 29.05.2012 09:37, Stan Hoeppner wrote:
>> On 5/29/2012 2:10 AM, Georg Schönweger wrote:
>>> How can i activate "no mail mode"?
>> 
>> Your list options are here:
>> http://www.postfix.org/lists.html#lists
>> 
>> Browsing those, it appears there is no method to accomplish what you
>> desire.  Thus, I'd suggest you simply create an access list and discard
>> all mail from this list, something like:
[...]
>> If you use the 'everything-under-smtpd_recipient_restrictions' style of
>> main.cf, simply add the check_sender_access there.
> 
> Good idea, but unfortunately i do not host our domain on our own server
> (at least not yet).

Unsubscribe from the newsgroup. Problem solved.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: newsreader and subscription

2012-05-29 Thread Georg Schönweger
On 29.05.2012 09:37, Stan Hoeppner wrote:
> On 5/29/2012 2:10 AM, Georg Schönweger wrote:
>> How can i activate "no mail mode"?
> 
> Your list options are here:
> http://www.postfix.org/lists.html#lists
> 
> Browsing those, it appears there is no method to accomplish what you
> desire.  Thus, I'd suggest you simply create an access list and discard
> all mail from this list, something like:
> 
> /etc/postfix/discard-list-mail
> owner-postfix-us...@postfix.org   DISCARD
> 
> /etc/postfix/main.cf
> ...
> smtpd_sender_restrictions
> ...
>   check_sender_access hash:/etc/postfix/discard-list-mail
> ...
> 
> If you use the 'everything-under-smtpd_recipient_restrictions' style of
> main.cf, simply add the check_sender_access there.
> 

Good idea, but unfortunately i do not host our domain on our own server
(at least not yet).

kind regards,
Georg



Re: newsreader and subscription

2012-05-29 Thread Stan Hoeppner
On 5/29/2012 2:10 AM, Georg Schönweger wrote:
> How can i activate "no mail mode"?

Your list options are here:
http://www.postfix.org/lists.html#lists

Browsing those, it appears there is no method to accomplish what you
desire.  Thus, I'd suggest you simply create an access list and discard
all mail from this list, something like:

/etc/postfix/discard-list-mail
owner-postfix-us...@postfix.org DISCARD

/etc/postfix/main.cf
...
smtpd_sender_restrictions
...
check_sender_access hash:/etc/postfix/discard-list-mail
...

If you use the 'everything-under-smtpd_recipient_restrictions' style of
main.cf, simply add the check_sender_access there.

-- 
Stan



> kind regards,
> Georg Schönweger
> 
> On 28.05.2012 21:52, Dennis Carr wrote:
>> Set your subscription to no mail mode.
>>
>> -Dennis
>>
>> "Georg Schönweger"  wrote:
>>
>>> Hi,
>>>
>>> i'm using a Newsreader to read this list (via news.gname.org). But
>>> afaik
>>> i have to be subscribed to write to this list. And if i'm subscribed i
>>> will receive every post via email too, so i receive it twice.
>>> Is there a way to be subscribed without "receiving" posts to my mail
>>> address?
>>>
>>> kind regards,
>>> Georg
> 



Re: newsreader and subscription

2012-05-29 Thread Georg Schönweger
How can i activate "no mail mode"?

kind regards,
Georg Schönweger

On 28.05.2012 21:52, Dennis Carr wrote:
> Set your subscription to no mail mode.
>
> -Dennis
>
> "Georg Schönweger"  wrote:
>
>> Hi,
>>
>> i'm using a Newsreader to read this list (via news.gname.org). But
>> afaik
>> i have to be subscribed to write to this list. And if i'm subscribed i
>> will receive every post via email too, so i receive it twice.
>> Is there a way to be subscribed without "receiving" posts to my mail
>> address?
>>
>> kind regards,
>> Georg

-- 
Georg Schönweger
Tel.direct 0473 49 77 33

H&S Service Schönweger™
Snitec srl
Via Bersaglio 19
39012 Merano
Tel 0473 207 007
Fax 0473 22 22 31
www.plott.it



ATTENTION
This e-mail message contains confidential information intended exclusively
for the recipient indicated above. Use, dissemination, distribution or
reproduction by any other person is prohibited. If you have received this
e-mail message in error, please notify the sender immediately and destroy
what you received (including attached files) without making a copy. Any
unauthorized use of the content of this message constitutes a violation of
the obligation not to take cognizance of correspondence between other
parties, apart from any more serious offence, and exposes the responsible
party to the relevant consequences.