RE: Initial test of postfix 3.0.2

2015-09-18 Thread L . P . H . van Belle
This example will not relay over outlook.com without the correct 
outlook.com settings in the DNS. 

Based on: from= to= proto=ESMTP 

@mygnus.com is missing the ms= and spf settings in the dns

Greetz, 

Louis


> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Friday, 18 September 2015 5:31
> To: postfix-users@postfix.org
> Subject: Re: Initial test of postfix 3.0.2
> 
> On 9/17/2015 9:17 PM, Tom Browder wrote:
> > I have a brand new installation, from  source, of Postfix 3.0.2 on
> > Debian 7, 64-bit.  I successfully did the initial local tests for
> > postfix as described in "The Book of Postfix."
> 
> Please note the book is now rather dated.  While the examples and
> general concepts are still valuable, lots of things have changed
> since then.  The official up-to-date documentation is supplied with
> the source code, and also available on the postfix web page
> http://www.postfix.org/documentation.html
> 
> At a minimum, you should review the various RELEASE_NOTES to see
> what has changed since the book was published.
> 
> > (Note that I have
> > virtual servers but have not yet configured postfix for handling
> > them.) Then I made my first test for outbound mail to my personal
> > gmail address and the mail.info file shows this:
> >
> > Sep 18 01:57:18 dedi2 postfix/smtpd[3154]: connect from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]
> 
> This is the smtpd process, which handles incoming mail.  Someone who
> uses Microsoft services is trying to send mail to your server.
> 
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454
> > 4.7.1 : Relay access denied;
> 
> "Relay access denied" means that postfix is not configured to
> receive mail for the mygnus.com domain, and the recipient is rejected.
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
> http://www.postfix.org/VIRTUAL_README.html#canonical
> http://www.postfix.org/ADDRESS_CLASS_README.html
> http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
> 
> > from= to= proto=ESMTP
> > helo=
> 
> more details from the rejection.
> 
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454
> > 4.7.1 : Relay access denied;
> > from= to= proto=ESMTP
> > helo=
> 
> A second rejected recipient...
> 
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: disconnect from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254] ehlo=1
> > mail=1 rcpt=0/2 quit=1 commands=3/5
> 
> ... and the outlook.com client disconnects.
> 
> Note these are 4xx deferrals, not 5xx rejects, so the sending client
> will likely retry delivery periodically over the next several days.
> 
> >
> > And I have received no mail at my gmail address.
> 
> The above logging shows attempts to receive mail.  No logging here
> about sending mail.
> 
> >
> > Looking at the messages above I note that the address
> >  is at one of my virtual hosts but I have no user
> > by that name (and the IP address 157.56.112.254 is not known to me).
> >
> > I have set up my DNS records according to advice from this mailing list.
> >
> > I will read more in the book tonight but hope someone can point me in
> > the right direction while I continue to study the problem.
> 
> Basic debugging info:
> http://www.postfix.org/DEBUG_README.html
> 
> And to get help from this list:
> http://www.postfix.org/DEBUG_README.html#mail
> 
> 
> 
>   -- Noel Jones
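
The log reading walked through in the quoted reply above (4xx deferral versus 5xx reject, "Relay access denied", and the `rcpt=0/2` session counts), as an added example that is not part of the original thread. The log lines are constructed, with placeholder hosts and addresses in the format Postfix 3.0 writes; `triage` and the field names in its result are hypothetical.

```python
import re
from collections import defaultdict

# smtpd "NOQUEUE: reject" line: client, reply code, DSN code, rejected item, reason.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?:<(?P<target>[^>]*)>: )?"
    r"(?P<reason>[^;]+);"
)
# Per-session command counts on disconnect; "rcpt=0/2" = 0 accepted out of 2 sent.
DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from \S+\[(?P<ip>[^\]]+)\](?P<stats>.*)$"
)
RCPT_STAT_RE = re.compile(r"\brcpt=(\d+)(?:/(\d+))?")

# Constructed sample log (placeholder hosts and addresses).
SAMPLE_LOG = [
    "Sep 18 01:57:18 mx1 postfix/smtpd[3154]: connect from "
    "mail.sender.example[192.0.2.25]",
    "Sep 18 01:57:19 mx1 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from "
    "mail.sender.example[192.0.2.25]: 454 4.7.1 <tom@hosted.example>: "
    "Relay access denied; from=<alice@sender.example> "
    "to=<tom@hosted.example> proto=ESMTP helo=<mail.sender.example>",
    "Sep 18 01:57:19 mx1 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from "
    "mail.sender.example[192.0.2.25]: 454 4.7.1 <info@hosted.example>: "
    "Relay access denied; from=<alice@sender.example> "
    "to=<info@hosted.example> proto=ESMTP helo=<mail.sender.example>",
    "Sep 18 01:57:19 mx1 postfix/smtpd[3154]: disconnect from "
    "mail.sender.example[192.0.2.25] ehlo=1 mail=1 rcpt=0/2 quit=1 commands=3/5",
    "Sep 18 02:10:02 mx1 postfix/smtpd[3190]: NOQUEUE: reject: RCPT from "
    "unknown[198.51.100.9]: 554 5.7.1 <bob@other.example>: "
    "Relay access denied; from=<x@spam.example> "
    "to=<bob@other.example> proto=ESMTP helo=<spam.example>",
    "Sep 18 02:10:02 mx1 postfix/smtpd[3190]: disconnect from "
    "unknown[198.51.100.9] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
]


def triage(lines):
    """Summarise rejected recipients per client IP.

    temp  = 4xx replies (the sender will normally retry later)
    perm  = 5xx replies (the sender gives up and bounces)
    relay_denied_domains = recipient domains this server refused to accept
        mail for; any domain listed here that you do host points at missing
        mydestination / virtual domain configuration rather than at abuse.
    """
    clients = defaultdict(lambda: {
        "temp": 0, "perm": 0, "relay_denied_domains": set(),
        "rcpt_accepted": 0, "rcpt_attempted": 0,
    })
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            entry = clients[m.group("ip")]
            entry["temp" if m.group("code").startswith("4") else "perm"] += 1
            target = m.group("target") or ""
            if "Relay access denied" in m.group("reason") and "@" in target:
                entry["relay_denied_domains"].add(target.rsplit("@", 1)[1].lower())
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            stat = RCPT_STAT_RE.search(m.group("stats"))
            if stat:
                accepted = int(stat.group(1))
                # Without "/total" every RCPT command in the session succeeded.
                attempted = int(stat.group(2)) if stat.group(2) else accepted
                entry = clients[m.group("ip")]
                entry["rcpt_accepted"] += accepted
                entry["rcpt_attempted"] += attempted
    return dict(clients)


if __name__ == "__main__":
    for ip, summary in sorted(triage(SAMPLE_LOG).items()):
        print(ip, summary)
```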




Re: Conditional Greylisting

2015-09-18 Thread Sebastian Nielsen
I think he is out after doing a temporary fail after the DATA stage, thus 
avoiding the chicken and egg problem.


-Original message-
From: Wietse Venema

Sent: Friday, September 18, 2015 7:50 PM
To: Postfix users
Subject: Re: Conditional Greylisting

Bruce Marriner:

> I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> completely bypass greylisting.  However, if it soft-fails those
> checks then I want it to greylist next.


You have a chicken and egg problem. DKIM signature verification
requires that Postfix receives the email message.  Greylisting
happens BEFORE Postfix receives the email message.

Wietse 





Re: Conditional Greylisting

2015-09-18 Thread Bruce Marriner

On Friday, September 18, 2015 01:41 PM CDT, wie...@porcupine.org (Wietse Venema) wrote:

> Since DKIM requires content inspection and you want decisions before
> Postfix replies to end-of-data, another option is to use the
> smtpd_proxy_filter or smtpd_milters feature (both as before-queue
> content filters) and to let the filter tempfail the message depending
> on DKIM/greylist results.
>
> http://www.postfix.org/SMTPD_PROXY_README.html
> http://www.postfix.org/MILTER_README.html
>
>   Wietse


Oh, thanks I'll read about those more too.  The guide I followed to setup 
opendkim actually did have me set it up using the smtpd_milters setting.  I'll 
have to read up on how to.. tempfail :)





Re: Conditional Greylisting

2015-09-18 Thread Bruce Marriner


I have (well had, technically) all of these running under the
smtpd_recipient_restrictions with check_policy_service statements.



On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:
> I think he is out after doing a temporary fail after the DATA stage, thus 
> avoiding the chicken and egg problem.
> 
> -Original message-
> From: Wietse Venema
> Sent: Friday, September 18, 2015 7:50 PM
> To: Postfix users
> Subject: Re: Conditional Greylisting
> 
> Bruce Marriner:
> > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> > completely bypass greylisting.  However, if it soft-fails those
> > checks then I want it to greylist next.
> 
> You have a chicken and egg problem. DKIM signature verification
> requires that Postfix receives the email message.  Greylisting
> happens BEFORE Postfix receives the email message.
> 
> Wietse 
> 




Re: Conditional Greylisting

2015-09-18 Thread Wietse Venema
Bruce Marriner:
> Thanks, I'll read about that tool.  I'm pretty new to DKIM/SPF and am
> just now trying to set it up.  I've been using postgrey for awhile and

Since DKIM requires content inspection and you want decisions before
Postfix replies to end-of-data, another option is to use the
smtpd_proxy_filter or smtpd_milters feature (both as before-queue
content filters) and to let the filter tempfail the message depending
on DKIM/greylist results.

http://www.postfix.org/SMTPD_PROXY_README.html
http://www.postfix.org/MILTER_README.html

Wietse


Re: Conditional Greylisting

2015-09-18 Thread Wietse Venema
Bruce Marriner:
> I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> completely bypass greylisting.  However, if it soft-fails those
> checks then I want it to greylist next.

You have a chicken and egg problem. DKIM signature verification
requires that Postfix receives the email message.  Greylisting
happens BEFORE Postfix receives the email message.

Wietse


Re: Conditional Greylisting

2015-09-18 Thread Benning, Markus
I'm also using a policy daemon to build a score based on Whitelists, 
SPF, RBLs, GeoIP, etc.

And then apply greylisting, rejects based on the score.
(as in mtpolicyd example configuration: 
https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf)


But you can't do content checks in a recipient_restriction.
DKIM is based on message content.


 Markus

On 2015-09-18 20:09, Bruce Marriner wrote:
> I have (well had, technically) all of these running under the
> smtpd_recipient_restrictions with check_policy_service statements.
> 
> On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:
>> I think he is out after doing a temporary fail after the DATA stage, 
>> thus avoiding the chicken and egg problem.
>> 
>> -Original message-
>> From: Wietse Venema
>> Sent: Friday, September 18, 2015 7:50 PM
>> To: Postfix users
>> Subject: Re: Conditional Greylisting
>> 
>> Bruce Marriner:
>> > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
>> > completely bypass greylisting.  However, if it soft-fails those
>> > checks then I want it to greylist next.
>> 
>> You have a chicken and egg problem. DKIM signature verification
>> requires that Postfix receives the email message.  Greylisting
>> happens BEFORE Postfix receives the email message.
>> 
>> Wietse



--
https://markusbenning.de/
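
The score-then-greylist approach described in the message above, as an added example; it is not mtpolicyd, postgrey, or any poster's code. It speaks the Postfix policy delegation format (`name=value` lines, blank line, `action=...` reply) and uses only what is known at RCPT time, so no DKIM input appears. The score weights, threshold, delay, the `spf_lookup` callable and the `make_request` helper are assumptions made for illustration.

```python
GREYLIST_DELAY = 300   # seconds a new triplet must wait (constructed value)
SKIP_SCORE = 5         # at or above this score, greylisting is bypassed (constructed)


def parse_request(text):
    """Parse one policy request: name=value lines, terminated by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def confidence(attrs, spf_lookup, whitelist):
    """Score built from envelope-time facts only (client IP and MAIL FROM).

    There is deliberately no DKIM term: at protocol_state=RCPT the message
    content has not been received yet, so no signature can be verified.
    """
    score = 0
    if attrs.get("client_address") in whitelist:
        score += 10
    spf = spf_lookup(attrs.get("client_address", ""), attrs.get("sender", ""))
    if spf == "pass":
        score += 5
    elif spf in ("fail", "softfail"):
        score -= 5
    return score


def decide(text, spf_lookup, whitelist, seen, now):
    """Return the policy reply for one request.

    seen maps (client, sender, recipient) -> time first seen; now is a Unix time.
    """
    attrs = parse_request(text)
    if (attrs.get("request") != "smtpd_access_policy"
            or attrs.get("protocol_state") != "RCPT"):
        return "action=DUNNO\n\n"
    if confidence(attrs, spf_lookup, whitelist) >= SKIP_SCORE:
        return "action=DUNNO\n\n"          # trusted enough: skip greylisting
    triplet = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
    first_seen = seen.setdefault(triplet, now)
    if now - first_seen >= GREYLIST_DELAY:
        return "action=DUNNO\n\n"          # sender retried after the delay
    return "action=DEFER_IF_PERMIT Greylisted, please try again later\n\n"


def make_request(client, sender, recipient, state="RCPT"):
    """Build a constructed request the way smtpd would send it (subset of attributes)."""
    return ("request=smtpd_access_policy\nprotocol_state=%s\nprotocol_name=ESMTP\n"
            "client_address=%s\nsender=%s\nrecipient=%s\n\n"
            % (state, client, sender, recipient))


if __name__ == "__main__":
    # Constructed SPF results; a real service would resolve them through DNS.
    spf_table = {("192.0.2.10", "alice@example.org"): "pass"}
    lookup = lambda client, sender: spf_table.get((client, sender), "none")
    seen = {}
    known = make_request("192.0.2.10", "alice@example.org", "bob@example.net")
    unsure = make_request("198.51.100.7", "news@example.com", "bob@example.net")
    print(decide(known, lookup, set(), seen, 1000).strip())
    print(decide(unsure, lookup, set(), seen, 1000).strip())
    print(decide(unsure, lookup, set(), seen, 1300).strip())
```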


Re: Forward rejected by yahoo

2015-09-18 Thread Sebastian Nielsen

It's the SPF checking that is configured to check against From: header.
The reason it says "envelope-from" is that I use a ready-made library 
(Mail::SPF) to do the dirty work, while I feed it with the "From:" header 
value as the address to do the check against.
But you are right about the real MAIL FROM that is set to "Return-Path: 
"


-Original message-
From: Wietse Venema

Sent: Friday, September 18, 2015 7:43 PM
To: Postfix users
Subject: Re: Forward rejected by yahoo

Sebastian Nielsen:

> Yeah, all the list mail from postfix fails SPF, at my server:
> X-SPF-Signature: fail (junc.eu: Sender is not authorized by default to use
> 'm...@junc.eu' in 'mfrom' identity (mechanism '-all' matched))
> receiver=server-desktop; identity=mailfrom; envelope-from="m...@junc.eu";
> client-ip="2604:8d00:0:1::7"


That is not right. Mail from the postfix-users list has an envelope
sender "owner-postfix-us...@postfix.org", not your email address.
Otherwise, you would receive the bounces from failed mailing list
deliveries.

Wietse





Re: Conditional Greylisting

2015-09-18 Thread Bruce Marriner
Thanks, I'll read about that tool.  I'm pretty new to DKIM/SPF and am
just now trying to set it up.  I've been using postgrey for awhile and
it does work great but it creates a lot of lag and causes problems (lost
e-mail) with a lot of email senders. 

So I want to be able to set up Postfix so, if it passes DKIM or other
checks that give me a high confidence then just skip the postgrey stuff
entirely.  

But, if it's a "Not sure" e-mail, then go ahead and postgrey it.

I'll read about mtpolicyd and see if I can understand what my options
with that would be.


On Fri, 2015-09-18 at 20:20 +0200, Benning, Markus wrote:
> I'm also using a policy daemon to build a score based on Whitelists, 
> SPF, RBLs, GeoIP, etc.
> And then apply greylisting, rejects based on the score.
> (as in mtpolicyd example configuration: 
> https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf)
> 
> But you can't do content checks in a recipient_restriction.
> DKIM is based on message content.
> 
> 
>   Markus
> 
> On 2015-09-18 20:09, Bruce Marriner wrote:
> > I have (well had, technically) all of these running under the
> > smtpd_recipient_restrictions with check_policy_service statements.
> > 
> > On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:
> >> I think he is out after doing a temporary fail after the DATA stage, 
> >> thus
> >> avoiding the chicken and egg problem.
> >> 
> >> -Original message-
> >> From: Wietse Venema
> >> Sent: Friday, September 18, 2015 7:50 PM
> >> To: Postfix users
> >> Subject: Re: Conditional Greylisting
> >> 
> >> Bruce Marriner:
> >> > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> >> > completely bypass greylisting.  However, if it soft-fails those
> >> > checks then I want it to greylist next.
> >> 
> >> You have a chicken and egg problem. DKIM signature verification
> >> requires that Postfix receives the email message.  Greylisting
> >> happens BEFORE Postfix receives the email message.
> >> 
> >> Wietse
> >> 
> 




Re: Forward rejected by yahoo

2015-09-18 Thread Bill Cole

On 18 Sep 2015, at 13:54, Sebastian Nielsen wrote:


> It's the SPF checking that is configured to check against From: header.
> The reason it says "envelope-from" is that I use a ready-made library 
> (Mail::SPF) to do the dirty work, while I feed it with the "From:" 
> header value as the address to do the check against.


That particular misapplication of SPF records is inconsistent with any 
standardized mechanism. Specifically, that is NOT consistent with a 
formally correct DMARC implementation. The DMARC specification (RFC7489) 
clearly says that SPF is to be used ONLY to authenticate the 
RFC5321.MailFrom (a.k.a. "envelope-from") domain. If that SPF check gets 
any result other than an explicit "pass" then it is meaningless to 
DMARC: SPF cannot provide an "Authenticated Identifier" domain for 
DMARC's use. The DMARC specification *DOES NOT* say that the domain part 
of the RFC5322.From field (the "From:" header address) should be 
authenticated using SPF.


Obviously one can run one's mail system by whatever whimsical rules 
one's magical thinking can generate, but this particular application of 
SPF records is inconsistent with any standardized mechanism.


The original poster's problem is that he is doing traditional 
mostly-transparent forwarding yet is somehow managing to break Yahoo's 
DKIM signatures in the process. Yahoo publishes a DMARC Policy Record 
with a "p=reject" tag for the domain(s) it uses in From:  headers and 
also honors that declaration on mail it is offered by requiring that 
mail claiming to be "From:" its users pass either a DKIM validation for 
an aligned domain OR SPF authentication for an aligned domain. Since any 
flavor of forwarding eliminates any chance of SPF authentication with a 
Yahoo domain, DMARC success relies solely on the DKIM check. DKIM 
signatures should generally resist invalidation by simple forwarding but 
forwarding isn't always simple.


Re: Conditional Greylisting

2015-09-18 Thread Bill Cole

On 18 Sep 2015, at 14:29, Bruce Marriner wrote:


> So I want to be able to set up Postfix so, if it passes DKIM or other
> checks that give me a high confidence then just skip the postgrey 
> stuff entirely.


In what exactly does a valid DKIM signature give you high confidence? I 
suspect that this is misplaced...


All a DKIM signature validation tells you is that a message was in fact 
signed at the mail system where it claimed to have been signed by an 
entity in control of the DNS for the domain identified in the signature and 
that none of the message fields specified in the DKIM header have been 
changed in transit. Looking at the spam that has made it through my 
filters this year, I see that 27% of those messages had a valid DKIM 
signature, because in fact any spammer who can open a Yahoo account or 
register a domain can send mail with a valid DKIM signature.


Re: Conditional Greylisting

2015-09-18 Thread Bruce Marriner

On Friday, September 18, 2015 04:59 PM CDT, "Bill Cole" wrote:

> On 18 Sep 2015, at 14:29, Bruce Marriner wrote:
>
> > So I want to be able to set up Postfix so, if it passes DKIM or other
> > checks that give me a high confidence then just skip the postgrey 
> > stuff
> > entirely.
>
> In what exactly does a valid DKIM signature give you high confidence? I
> suspect that this is misplaced...
>
> All a DKIM signature validation tells you is that a message was in fact
> signed at the mail system where it claimed to have been signed by an 
> entity in control of the DNS for the domain identified in the signature and
> that none of the message fields specified in the DKIM header have been
> changed in transit. Looking at the spam that has made it through my 
> filters this year, I see that 27% of those messages had a valid DKIM 
> signature, because in fact any spammer who can open a Yahoo account or
> register a domain can send mail with a valid DKIM signature.


Ah, well.  I think you might be right about misplaced.  I've been reading about 
this all day learning it and I've started to realize the same thing.  I would 
like

Now, why can't all the spammers just add a ThisIsSpam header.  Sure would make 
my life easier :)

I'd still like to reduce my dependency on postgrey.  So, if has valid SPF, 
valid DKIM, has a low SpamAssassin score,  
then I could skip it without raising spam too much, or at all :).

Postgrey just works so well :) I mean, if I have that on I get almost no spam.  
But sometimes some things that should come through don't and many things are 
delayed.  When I turn it off, I get tons of spam.

So, I need to start adding more stuff into the mix like SpamAssassin, SPF, 
DKIM, whatever so I can reduce my Postgrey dependency a little.

My first few google searches were covered in the DKIM/SPF stuff so I guess  
that's where I've started first.






Re: Postfix ML Configuration for Sender Header

2015-09-18 Thread Sebastian Wiesinger
* Wietse Venema [2015-09-10 15:00]:
> Sebastian Wiesinger:
> > Hello,
> > 
> > a while ago I changed my mail configuration for mailinglists. I have
> > individual mail addresses for every mailing list and the configuration
> > now looks like this:
> > 
> > From: Sebastian Wiesinger 
> > Sender: postfix-us...@ml.karotte.org
> > 
> > This has the advantage that off-list answers go to my main
> > mailaddress.
> > 
> > This seems to work with all of my mailinglists (most of them use
> > Mailman I think) but not with postfix-users. Here my list address
> > needs to be in the From: field.
> > 
> > Is this something that can be changed in Majordomo (and you would be
> > willing to change)?
> 
> Sorry, that sounds bogus. No-one replies to the sender: address.

No, it's the other way around. I want off-list replies to my From:
address (which is my main mailaddress). But I'm subscribed to the ML
with the address in the Sender: header (which is unique for each ML).

Other MLs use the Sender: header in addition to the From: to check if
the sender is authorized to post to the list. The Postfix ML doesn't
do that apparently.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


Re: Initial test of postfix 3.0.2

2015-09-18 Thread Tom Browder
On Sep 17, 2015 10:32 PM, "Noel Jones" wrote:
> On 9/17/2015 9:17 PM, Tom Browder wrote:
> > I have a brand new installation, from  source, of Postfix 3.0.2 on
> > Debian 7, 64-bit.  I successfully did the initial local tests for
> > postfix as described in "The Book of Postfix."
>
> Please note the book is now rather dated.  While the examples and
...

Thanks very much for the help, Noel.  Note I have had a successful send and
receive from the mail host to my personal gmail account. Now I will get my
virtual hosts working.

-Tom


Re: Forward rejected by yahoo

2015-09-18 Thread Sebastian Nielsen

That's exactly what I'm talking about, this DMARC Strict Identity Alignment.
If a host only publishes a SPF record (no DKIM record), and sets up DMARC 
with Strict Identity Alignment, then you will need to rewrite or encapsulate 
the From: & MAIL FROM address on any forwarded email to match your own server 
instead.


The best thing to do as I said, is to encapsulate the mail in a new 
message/rfc822 container, where the outer container will have your domain 
and your DKIM signature, while the inner container contains the original 
email, and where the outer subject contains "Fwd:" in addition to the 
original subject.

Just like you pressed "Forward" in your email client.

By doing so, you have covered so your service can forward any email, with 
any SPF/DKIM/DMARC configuration, without any problems. 





Re: Trouble with ORCPT variable IN RCPT TO command

2015-09-18 Thread Jean-Francois Couture
-Original message-
From: Wietse Venema

Sent: Thursday, September 17, 2015 4:13 PM
To: Postfix users
Subject: Re: Trouble with ORCPT variable IN RCPT TO command

Jean-Francois Couture:

> Last weekend one of our service provider for our application
> upgraded their email server (Apache JAMES). And now, they're telling
> us that the ORCPT variable is not supported.


SMTP servers that announce DSN support and reject ORCPT are BROKEN.
You can configure Postfix to pretend that a server does not support
DSN. See:

http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keyword_address_maps
http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keywords

Wietse


Thank you, that did the trick.

Jeff C. 



Re: Forward rejected by yahoo

2015-09-18 Thread A. Schulze



On 18.09.2015 Sebastian Nielsen wrote:

> If the domain has strict identity alignment set up, then From: body must match 
> MAIL FROM, which must match the SPF record.


sorry, this is simply not correct. No widespread "strict identity alignment" 
binds RFC5322.From (From: body) to RFC5321.MailFrom (MAIL FROM)

first poster mentioned yahoo.com.
I suspect he fails to forward a message "from" a yahoo user back "to" another 
yahoo user.
But he did not present logs to be sure...

most probable reason is DMARC. And yahoo.com uses a DMARC policy which could be 
named "strict"
DMARC authorizes the visible RFC5322.From by using SPF or DKIM and announces a 
policy how to handle unauthorized messages.

This gives anybody in the world exactly two possibilities to send a message /to/ a 
MX server enforcing DMARC policies claiming to be /From:/ yahoo:
1) send from an IP included in `dig yahoo.com txt +short`
2) send content that was DKIM-signed by the DKIM-domain yahoo.com

The first option isn't a realistic option for most people outside yahoo.
The second option is only possible for yahoo itself. So it includes all 
messages /sent out/ by yahoo.

And that's the point. If someone receives a message /From:/ yahoo, reroutes the 
message totally unchanged back to another yahoo user,
this message still has the valid DKIM signature and will be accepted even by 
yahoo MX server.
Because DKIM signature validates and that proves the message is not forged.

That's DMARC.
And for that reason it's so important to NOT MODIFY ANY (DKIM SIGNED) MESSAGE in 
transit.

back to the initial poster:
compare the message you receive with the message you later send. If they differ 
( apart from some Received: lines )
then yahoo will reject your forward.

Andreas
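
The DMARC evaluation that this message and Bill Cole's message in the same thread describe (SPF authenticates only the RFC5321.MailFrom domain, an identifier counts only on an explicit "pass", and it must align with the RFC5322.From domain), as an added example that is not part of the original thread. The forwarding scenarios, `forwarder.example` and all function names are constructed; `org_domain` is a two-label simplification, whereas real implementations consult the Public Suffix List.

```python
DISPOSITION = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}


def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict):
    """Identifier alignment: exact match when strict, same org domain when relaxed."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


def evaluate(from_domain, spf, dkim, policy="reject", aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    from_domain: domain of the RFC5322.From header
    spf:  (result, domain) of the SPF check on RFC5321.MailFrom
    dkim: list of (result, d= domain), one entry per DKIM signature
    policy / aspf / adkim: the p=, aspf= and adkim= tags of the From domain's record
    """
    spf_result, mailfrom_domain = spf
    # Only an explicit SPF "pass" on the envelope sender yields an identifier.
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, aspf == "s")
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim == "s")
                  for result, d in dkim)
    passed = spf_ok or dkim_ok
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "accept" if passed else DISPOSITION[policy],
    }


# Constructed scenarios for a message whose From: is a yahoo.com address
# (p=reject, as stated in the thread), seen by the final receiver.
SCENARIOS = {
    # Sent directly by the From domain's own servers.
    "direct": (("pass", "yahoo.com"), [("pass", "yahoo.com")]),
    # Forwarded unchanged, envelope sender kept: SPF fails at the receiver
    # because the forwarder's IP is not in the sender's SPF record.
    "forward_unchanged": (("fail", "yahoo.com"), [("pass", "yahoo.com")]),
    # Forwarded unchanged, envelope sender rewritten to the forwarder:
    # SPF passes, but for a domain that is not aligned with From:.
    "forward_rewritten_envelope": (("pass", "forwarder.example"),
                                   [("pass", "yahoo.com")]),
    # Forwarder modified signed content: the original signature breaks.
    "forward_modified": (("pass", "forwarder.example"), [("fail", "yahoo.com")]),
    # Same, plus the forwarder's own valid signature: valid but not aligned.
    "forward_modified_resigned": (("pass", "forwarder.example"),
                                  [("fail", "yahoo.com"),
                                   ("pass", "forwarder.example")]),
}


def run_scenarios():
    return {name: evaluate("yahoo.com", spf, dkim, policy="reject")
            for name, (spf, dkim) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-28s %s" % (name, result))
```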


Re: Postfix ML Configuration for Sender Header

2015-09-18 Thread Wietse Venema
Sebastian Wiesinger:
> No, it's the other way around. I want off-list replies to my From:
> address (which is my main mailaddress). But I'm subscribed to the ML
> with the address in the Sender: header (which is unique for each ML).
> 
> Other MLs use the Sender: header in addition to the From: to check if
> the sender is authorized to post to the list. The Postfix ML doesn't
> do that apparently.

Majordomo uses the following: Reply-To: (most preferred), From:,
and Apparently-From: (least preferred). It does not use Sender:.
The list manager runs on someone else's system. I would not want
to run it on my own.

Wietse


Using Postfix as an SMTP server

2015-09-18 Thread Tom Browder
I would like to know if I can use Postfix for this scenario (I just
need a yes or no, please, and I'll take the next steps with assistance
from this list as necessary):

given
=====

1. a remote server successfully hosting multiple virtual servers
2. my local server from whence I update and maintain the remote server via ssh
3. a working Postfix (for a single domain at the moment)

desired
=======

1. use Postfix and Mail on my local host to send mail to the remote
server to one of several mailing lists available on multiple virtual
hosts
2. on the remote server, have postfix rewrite my incoming message so
that it appears to come from an account at the virtual host the
mailing list is associated with (I would use specially formatted
subject, CC, and text as necessary to aid rewriting)

Thanks.

Best regards,

-Tom


Re: Using Postfix as an SMTP server

2015-09-18 Thread Viktor Dukhovni
On Fri, Sep 18, 2015 at 09:12:37AM -0500, Tom Browder wrote:

> given
> =====
> 
> 1. a remote server successfully hosting multiple virtual servers
> 2. my local server from whence I update and maintain the remote server via ssh
> 3. a working Postfix (for a single domain at the moment)
> 
> desired
> =======
> 
> 1. use Postfix and Mail on my local host to send mail to the remote
> server to one of several mailing lists available on multiple virtual
> hosts
> 2. on the remote server, have postfix rewrite my incoming message so
> that it appears to come from an account at the virtual host the
> mailing list is associated with (I would use specially formatted
> subject, CC, and text as necessary to aid rewriting)

Yes.  

Keep in mind that it is simplest to just send the mail with the
desired purported author (I assume you're looking to change the
"From:" header), rather than implement complex rewriting on the
next-hop SMTP relay.  You might also do this on the "local" Postfix,
the earlier, the better.

-- 
Viktor.


Re: Forward rejected by yahoo

2015-09-18 Thread Benny Pedersen
On September 18, 2015 4:24:40 PM "Sebastian Nielsen" wrote:

> That's exactly what I'm talking about, this DMARC Strict Identity Alignment.
> If a host only publishes a SPF record (no DKIM record), and sets up DMARC
> with Strict Identity Alignment, then you will need to rewrite or encapsulate
> the From: & MAIL FROM address on any forwarded email to match your own server
> instead.

your forward system is broken

spf is not from: header

possible ask dmarc domain to change fo= in that domain to accept no dkim 
testing


Re: Forward rejected by yahoo

2015-09-18 Thread Benny Pedersen
On September 18, 2015 6:31:46 PM "Sebastian Nielsen" wrote:

> Yeah, all the list mail from postfix fails SPF, at my server:


https://dmarcian.com/spf-survey/postfix.org

there is no spf there, so fix your own spf test


Conditional Greylisting

2015-09-18 Thread Bruce Marriner
Is it possible to configure Postfix so that greylisting only happens
under specific conditions?

I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
completely bypass greylisting.  However, if it soft-fails those
checks then I want it to greylist next.

I have all of the above things working already - just not the
conditional greylisting.  I'd love some help accomplishing this!

Thank you very much!




Re: Forward rejected by yahoo

2015-09-18 Thread Benny Pedersen
On September 18, 2015 4:40:52 AM "Sebastian Nielsen" wrote:

> If the domain has strict identity alignment set up, then From: body must
> match MAIL FROM, which must match the SPF record.

postfix.org has no spf record, not my fault

> That's why you need to replace or encapsulate the From: as well, in case the
> sender domain has strict identity alignment set up.

no no no and no, cc to you so you see your error


Re: Forward rejected by yahoo

2015-09-18 Thread Sebastian Nielsen

Yeah, all the list mail from postfix fails SPF, at my server:
X-SPF-Signature: fail (junc.eu: Sender is not authorized by default to use 
'm...@junc.eu' in 'mfrom' identity (mechanism '-all' matched)) 
receiver=server-desktop; identity=mailfrom; envelope-from="m...@junc.eu"; 
client-ip="2604:8d00:0:1::7"


But I have decided to not reject SPF failing email, instead I just tag it, 
so I know, that in case my bank mails me and ask for my details, I know if 
the mail is genuine or not by looking at the SPF flag.


To cope with all sorts of misconfigurations, it's better to encapsulate email 
like you press "Forward" in your mail client.


-Original message-
From: Benny Pedersen

Sent: Friday, September 18, 2015 6:23 PM
To: Sebastian Nielsen ; postfix-users@postfix.org
Subject: Re: Forward rejected by yahoo

On September 18, 2015 4:40:52 AM "Sebastian Nielsen" wrote:

> If the domain has strict identity alignment set up, then From: body must
> match MAIL FROM, which must match the SPF record.

postfix.org has no spf record, not my fault

> That's why you need to replace or encapsulate the From: as well, in case the
> sender domain has strict identity alignment set up.

no no no and no, cc to you so you see your error





Re: Using Postfix as an SMTP server

2015-09-18 Thread Tom Browder
On Fri, Sep 18, 2015 at 9:18 AM, Viktor Dukhovni wrote:
> On Fri, Sep 18, 2015 at 09:12:37AM -0500, Tom Browder wrote:
...
> Keep in mind that it is simplest to just send the mail with the
> desired purported author (I assume you're looking to change the
> "From:" header), rather than implement complex rewriting on the
> next-hop SMTP relay.  You might also do this on the "local" Postfix,
> the earlier, the better.

Many thanks, Viktor.

-Tom


Re: Forward rejected by yahoo

2015-09-18 Thread Wietse Venema
Sebastian Nielsen:
> Yeah, all the list mail from postfix fails SPF, at my server:
> X-SPF-Signature: fail (junc.eu: Sender is not authorized by default to use 
> 'm...@junc.eu' in 'mfrom' identity (mechanism '-all' matched)) 
> receiver=server-desktop; identity=mailfrom; envelope-from="m...@junc.eu"; 
> client-ip="2604:8d00:0:1::7"

That is not right. Mail from the postfix-users list has an envelope
sender "owner-postfix-us...@postfix.org", not your email address.
Otherwise, you would receive the bounces from failed mailing list
deliveries.

Wietse