RE: Initial test of postfix 3.0.2
This example will not relay over outlook.com without the correct outlook.com settings in the DNS.

Based on : from=to= proto=ESMTP
@mygnus.com is missing the ms= and spf settings in the DNS

Greetz,

Louis

> -Original message-
> From: njo...@megan.vbhcs.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Noel Jones
> Sent: Friday 18 September 2015 5:31
> To: postfix-users@postfix.org
> Subject: Re: Initial test of postfix 3.0.2
>
> On 9/17/2015 9:17 PM, Tom Browder wrote:
> > I have a brand new installation, from source, of Postfix 3.0.2 on
> > Debian 7, 64-bit. I successfully did the initial local tests for
> > postfix as described in "The Book of Postfix."
>
> Please note the book is now rather dated. While the examples and
> general concepts are still valuable, lots of things have changed
> since then. The official up-to-date documentation is supplied with
> the source code, and also available on the postfix web page
> http://www.postfix.org/documentation.html
>
> At a minimum, you should review the various RELEASE_NOTES to see
> what has changed since the book was published.
>
> > (Note that I have
> > virtual servers but have not yet configured postfix for handling
> > them.) Then I made my first test for outbound mail to my personal
> > gmail address and the mail.info file shows this:
> >
> > Sep 18 01:57:18 dedi2 postfix/smtpd[3154]: connect from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]
>
> This is the smtpd process, which handles incoming mail. Someone who
> uses Microsoft services is trying to send mail to your server.
>
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454
> > 4.7.1 : Relay access denied;
>
> "Relay access denied" means that postfix is not configured to
> receive mail for the mygnus.com domain, and the recipient is rejected.
> http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydestination
> http://www.postfix.org/VIRTUAL_README.html#canonical
> http://www.postfix.org/ADDRESS_CLASS_README.html
> http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions
>
> > from= to= proto=ESMTP
> > helo=
>
> more details from the rejection.
>
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254]: 454
> > 4.7.1 : Relay access denied;
> > from= to= proto=ESMTP
> > helo=
>
> A second rejected recipient...
>
> > Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: disconnect from
> > mail-am1hn0254.outbound.protection.outlook.com[157.56.112.254] ehlo=1
> > mail=1 rcpt=0/2 quit=1 commands=3/5
>
> ... and the outlook.com client disconnects.
>
> Note these are 4xx deferrals, not 5xx rejects, so the sending client
> will likely retry delivery periodically over the next several days.
>
> >
> > And I have received no mail at my gmail address.
>
> The above logging shows attempts to receive mail. No logging here
> about sending mail.
>
> >
> > Looking at the messages above I note that the address
> > is at one of my virtual hosts but I have no user
> > by that name (and the IP address 157.56.112.254 is not known to me.
> >
> > I have set up my DNS records according to advice from this mailing list.
> >
> > I will read more in the book tonight but hope someone can point me in
> > the right direction while I continue to study the problem.
>
> Basic debugging info:
> http://www.postfix.org/DEBUG_README.html
>
> And to get help from this list:
> http://www.postfix.org/DEBUG_README.html#mail
>
>
> -- Noel Jones
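The 4xx/5xx distinction pointed out in the log above, as an added example that is not part of the original messages: a parser that classifies `NOQUEUE: reject` lines as deferrals or permanent rejects and groups relay denials by recipient domain. The log lines are constructed with placeholder hosts and addresses (the archived log has its `<...>` fields stripped), and the function names are this example's own.

```python
import re

# Constructed sample modelled on the mail.info excerpt in this thread.
# Hosts and addresses are placeholders; only the line structure is real.
SAMPLE_LOG = """\
Sep 18 01:57:18 dedi2 postfix/smtpd[3154]: connect from mx.sender.example[192.0.2.10]
Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from mx.sender.example[192.0.2.10]: 454 4.7.1 <alice@hosted.example>: Relay access denied; from=<a@sender.example> to=<alice@hosted.example> proto=ESMTP helo=<mx.sender.example>
Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: NOQUEUE: reject: RCPT from mx.sender.example[192.0.2.10]: 454 4.7.1 <bob@hosted.example>: Relay access denied; from=<a@sender.example> to=<bob@hosted.example> proto=ESMTP helo=<mx.sender.example>
Sep 18 01:57:19 dedi2 postfix/smtpd[3154]: disconnect from mx.sender.example[192.0.2.10] ehlo=1 mail=1 rcpt=0/2 quit=1 commands=3/5
Sep 18 02:10:44 dedi2 postfix/smtpd[3201]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <x@elsewhere.example>: Relay access denied; from=<y@spam.example> to=<x@elsewhere.example> proto=ESMTP helo=<probe>
"""

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<(?P<target>[^>]*)>: (?P<reason>[^;]+); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per smtpd reject line, tagged deferral (4xx) or reject (5xx)."""
    events = []
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if not match:
            continue  # connect/disconnect and other lines carry no verdict
        event = match.groupdict()
        # A 4xx reply asks the client to retry later; a 5xx reply is final.
        event["kind"] = "deferral" if event["code"].startswith("4") else "reject"
        events.append(event)
    return events


def relay_denied_by_domain(events):
    """Count relay denials per recipient domain and per kind.

    A domain you host showing up here means it is missing from the
    destination/virtual domain settings; a foreign domain showing up
    means a client tried to relay through you and was correctly refused.
    """
    summary = {}
    for event in events:
        if event["reason"] != "Relay access denied":
            continue
        domain = event["rcpt"].rpartition("@")[2].lower()
        kinds = summary.setdefault(domain, {})
        kinds[event["kind"]] = kinds.get(event["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    for domain, kinds in relay_denied_by_domain(parse_rejects(SAMPLE_LOG)).items():
        print(domain, kinds)
```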
Re: Conditional Greylisting
I think he is out after doing a temporary fail after the DATA stage, thus avoiding the chicken and egg problem.

-Original message-
From: Wietse Venema
Sent: Friday, September 18, 2015 7:50 PM
To: Postfix users
Subject: Re: Conditional Greylisting

Bruce Marriner:
I'd like to have DKIM/SPF setup and if an e-mail passed those I want to completely bypass greylisting. However, if it soft-fails those checks then I want it to greylist next.

You have a chicken and egg problem. DKIM signature verification requires that Postfix receives the email message. Greylisting happens BEFORE Postfix receives the email message.

Wietse
Re: Conditional Greylisting
On Friday, September 18, 2015 01:41 PM CDT, wie...@porcupine.org (Wietse Venema) wrote:
> Since DKIM requires content inspection and you want decisions before
> Postfix replies to end-of-data, another option is to use the
> smtpd_proxy_filter or smtpd_milters feature (both as before-queue
> content filters) and to let the filter tempfail the message depending
> on DKIM/greylist results.
>
> http://www.postfix.org/SMTPD_PROXY_README.html
> http://www.postfix.org/MILTER_README.html
>
> Wietse

Oh, thanks I'll read about those more too. The guide I followed to setup opendkim actually did have me set it up using the smtpd_milters setting. I'll have to read up on how to.. tempfail :)
Re: Conditional Greylisting
I have (well had, technically) all of these running under the smtpd_recipient_restrictions with check_policy_service statements.

On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:
> I think he is out after doing a temporary fail after the DATA stage, thus
> avoiding the chicken and egg problem.
>
> -Original message-
> From: Wietse Venema
> Sent: Friday, September 18, 2015 7:50 PM
> To: Postfix users
> Subject: Re: Conditional Greylisting
>
> Bruce Marriner:
> > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> > completely bypass greylisting. However, if it soft-fails those
> > checks then I want it to greylist next.
>
> You have a chicken and egg problem. DKIM signature verification
> requires that Postfix receives the email message. Greylisting
> happens BEFORE Postfix receives the email message.
>
> Wietse
Re: Conditional Greylisting
Bruce Marriner:
> Thanks, I'll read about that tool. I'm pretty new to DKIM/SPF and am
> just now trying to set it up. I've been using postgrey for awhile and

Since DKIM requires content inspection and you want decisions before Postfix replies to end-of-data, another option is to use the smtpd_proxy_filter or smtpd_milters feature (both as before-queue content filters) and to let the filter tempfail the message depending on DKIM/greylist results.

http://www.postfix.org/SMTPD_PROXY_README.html
http://www.postfix.org/MILTER_README.html

Wietse
Re: Conditional Greylisting
Bruce Marriner:
> I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> completely bypass greylisting. However, if it soft-fails those
> checks then I want it to greylist next.

You have a chicken and egg problem. DKIM signature verification requires that Postfix receives the email message. Greylisting happens BEFORE Postfix receives the email message.

Wietse
Re: Conditional Greylisting
I'm also using a policy daemon to build a score based on Whitelists, SPF, RBLs, GeoIP, etc.
And then apply greylisting, rejects based on the score.
(as in mtpolicyd example configuration:
https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf)

But you can't do content checks in a recipient_restriction.
DKIM is based on message content.

Markus

On 2015-09-18 20:09, Bruce Marriner wrote:

I have (well had, technically) all of these running under the smtpd_recipient_restrictions with check_policy_service statements.

On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:

I think he is out after doing a temporary fail after the DATA stage, thus avoiding the chicken and egg problem.

-Original message-
From: Wietse Venema
Sent: Friday, September 18, 2015 7:50 PM
To: Postfix users
Subject: Re: Conditional Greylisting

Bruce Marriner:
> I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> completely bypass greylisting. However, if it soft-fails those
> checks then I want it to greylist next.

You have a chicken and egg problem. DKIM signature verification requires that Postfix receives the email message. Greylisting happens BEFORE Postfix receives the email message.

Wietse

-- 
https://markusbenning.de/
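What a check_policy_service daemon can and cannot see at the RCPT stage, as an added example that is not part of the thread and is not mtpolicyd's code: the request carries only envelope attributes, so SPF and an allowlist can steer greylisting there while a DKIM verdict cannot. The sample request, the SPF verdict table, the allowlist and all function names are constructed for this example.

```python
# Constructed request in the name=value format Postfix smtpd sends to a
# check_policy_service server; hosts and addresses are placeholders.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "helo_name=mx.sender.example\n"
    "queue_id=\n"
    "sender=a@sender.example\n"
    "recipient=alice@hosted.example\n"
    "client_address=192.0.2.10\n"
    "client_name=mx.sender.example\n"
    "size=0\n"
    "\n"
)

# Hypothetical local allowlist and canned SPF verdicts (a real service
# would call an SPF library with the client IP and envelope sender).
TRUSTED_DOMAINS = {"partner.example"}
CONSTRUCTED_SPF = {
    ("198.51.100.20", "partner.example"): "pass",
    ("203.0.113.5", "bulk.example"): "pass",
    ("192.0.2.10", "sender.example"): "softfail",
}


def spf_check(client_ip, sender_domain):
    return CONSTRUCTED_SPF.get((client_ip, sender_domain), "none")


def parse_request(raw):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    """In-memory triplet store: (client IP, sender, recipient) -> first seen."""

    def __init__(self, delay=300):
        self.delay = delay
        self.first_seen = {}

    def matured(self, triplet, now):
        first = self.first_seen.setdefault(triplet, now)
        return now - first >= self.delay


def decide(attrs, greylist, now, spf=spf_check):
    """Return the access(5) action for one RCPT-stage request.

    Only envelope data exists here: no headers and no body, so no DKIM verdict.
    """
    sender = attrs.get("sender", "").lower()
    domain = sender.rpartition("@")[2]
    client = attrs.get("client_address", "")
    # An SPF pass only authenticates the domain, so local trust is required too.
    if spf(client, domain) == "pass" and domain in TRUSTED_DOMAINS:
        return "DUNNO"
    triplet = (client, sender, attrs.get("recipient", "").lower())
    if greylist.matured(triplet, now):
        return "DUNNO"
    return "DEFER_IF_PERMIT Greylisted, please retry later"


def respond(action):
    """Wire format of the reply: action=... followed by an empty line."""
    return f"action={action}\n\n"
```

A decision that depends on DKIM has to be made by a before-queue content filter (smtpd_proxy_filter or smtpd_milters), as stated elsewhere in this thread.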
Re: Forward rejected by yahoo
It's the SPF checking that is configured to check against From: header. The reason it says "envelope-from" is that I use a ready-made library (Mail::SPF) to do the dirty work, while I feed it with the "From:" header value as the address to do the check against.

But you are right about the real MAIL FROM that is set to "Return-Path:"

-Original message-
From: Wietse Venema
Sent: Friday, September 18, 2015 7:43 PM
To: Postfix users
Subject: Re: Forward rejected by yahoo

Sebastian Nielsen:
Yeah, all the list mail from postfix fails SPF, at my server:
X-SPF-Signature: fail (junc.eu: Sender is not authorized by default to use 'm...@junc.eu' in 'mfrom' identity (mechanism '-all' matched)) receiver=server-desktop; identity=mailfrom; envelope-from="m...@junc.eu"; client-ip="2604:8d00:0:1::7"

That is not right. Mail from the postfix-users list has an envelope sender "owner-postfix-us...@postfix.org", not your email address. Otherwise, you would receive the bounces from failed mailing list deliveries.

Wietse
Re: Conditional Greylisting
Thanks, I'll read about that tool. I'm pretty new to DKIM/SPF and am just now trying to set it up. I've been using postgrey for awhile and it does work great but it creates a lot of lag and causes problems (lost e-mail) with a lot of email senders.

So I want to be able to set up Postfix so, if it passes DKIM or other checks that give me a high confidence then just skip the postgrey stuff entirely. But, if it's a "Not sure" e-mail, then go ahead and postgrey it.

I'll read about mtpolicyd and see if I can understand what my options with that would be.

On Fri, 2015-09-18 at 20:20 +0200, Benning, Markus wrote:
> I'm also using a policy daemon to build a score based on Whitelists,
> SPF, RBLs, GeoIP, etc.
> And then apply greylisting, rejects based on the score.
> (as in mtpolicyd example configuration:
> https://github.com/benningm/mtpolicyd/blob/master/etc/mtpolicyd.conf)
>
> But you can't do content checks in a recipient_restriction.
> DKIM is based on message content.
>
>
> Markus
>
> On 2015-09-18 20:09, Bruce Marriner wrote:
> > I have (well had, technically) all of these running under the
> > smtpd_recipient_restrictions with check_policy_service statements.
> >
> > On Fri, 2015-09-18 at 19:56 +0200, Sebastian Nielsen wrote:
> >> I think he is out after doing a temporary fail after the DATA stage,
> >> thus avoiding the chicken and egg problem.
> >>
> >> -Original message-
> >> From: Wietse Venema
> >> Sent: Friday, September 18, 2015 7:50 PM
> >> To: Postfix users
> >> Subject: Re: Conditional Greylisting
> >>
> >> Bruce Marriner:
> >> > I'd like to have DKIM/SPF setup and if an e-mail passed those I want to
> >> > completely bypass greylisting. However, if it soft-fails those
> >> > checks then I want it to greylist next.
> >>
> >> You have a chicken and egg problem. DKIM signature verification
> >> requires that Postfix receives the email message. Greylisting
> >> happens BEFORE Postfix receives the email message.
> >>
> >> Wietse
Re: Forward rejected by yahoo
On 18 Sep 2015, at 13:54, Sebastian Nielsen wrote:

It's the SPF checking that is configured to check against From: header. The reason it says "envelope-from" is that I use a ready-made library (Mail::SPF) to do the dirty work, while I feed it with the "From:" header value as the address to do the check against.

That particular misapplication of SPF records is inconsistent with any standardized mechanism. Specifically, that is NOT consistent with a formally correct DMARC implementation. The DMARC specification (RFC7489) clearly says that SPF is to be used ONLY to authenticate the RFC5321.MailFrom (a.k.a. "envelope-from") domain. If that SPF check gets any result other than an explicit "pass" then it is meaningless to DMARC: SPF cannot provide an "Authenticated Identifier" domain for DMARC's use.

The DMARC specification *DOES NOT* say that the domain part of the RFC5322.From field (the "From:" header address) should be authenticated using SPF.

Obviously one can run one's mail system by whatever whimsical rules one's magical thinking can generate, but this particular application of SPF records is inconsistent with any standardized mechanism.

The original poster's problem is that he is doing traditional mostly-transparent forwarding yet is somehow managing to break Yahoo's DKIM signatures in the process. Yahoo publishes a DMARC Policy Record with a "p=reject" tag for the domain(s) it uses in From: headers and also honors that declaration on mail it is offered by requiring that mail claiming to be "From:" its users pass either a DKIM validation for an aligned domain OR SPF authentication for an aligned domain. Since any flavor of forwarding eliminates any chance of SPF authentication with a Yahoo domain, DMARC success relies solely on the DKIM check. DKIM signatures should generally resist invalidation by simple forwarding but forwarding isn't always simple.
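The DMARC rule described in the message above, as an added example that is not part of the thread: a message passes when SPF passes for an aligned RFC5321.MailFrom domain or a verified DKIM signature has an aligned d= domain, and forwarding leaves only the DKIM path. The scenarios, `forwarder.example` and the two-label organizational-domain shortcut are assumptions of this example; the `p=reject` policy for yahoo.com is taken from the thread.

```python
from dataclasses import dataclass, field


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class Received:
    header_from: str   # domain of RFC5322.From (the visible From: header)
    mail_from: str     # domain of RFC5321.MailFrom (envelope sender)
    spf: str           # SPF result for mail_from and the connecting IP
    dkim: list = field(default_factory=list)  # [(d= domain, signature verified?)]


@dataclass
class DmarcRecord:
    p: str = "none"
    aspf: str = "r"    # relaxed is the RFC 7489 default
    adkim: str = "r"


def evaluate(msg, rec):
    """Return (DMARC result, disposition) for one received message."""
    # SPF counts only for the envelope domain, and only on an explicit pass.
    spf_ok = msg.spf == "pass" and aligned(msg.mail_from, msg.header_from, rec.aspf)
    dkim_ok = any(ok and aligned(d, msg.header_from, rec.adkim) for d, ok in msg.dkim)
    if spf_ok or dkim_ok:
        return "pass", "accept"
    return "fail", {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[rec.p]


YAHOO = DmarcRecord(p="reject")

# Constructed scenarios, all with From: at yahoo.com.
SCENARIOS = {
    # Sent by the domain's own servers.
    "direct": Received("yahoo.com", "yahoo.com", "pass", [("yahoo.com", True)]),
    # Forwarded unchanged: SPF fails at the forwarder's IP, DKIM survives.
    "forward_untouched": Received("yahoo.com", "yahoo.com", "fail", [("yahoo.com", True)]),
    # Forwarded with signed content altered: nothing left to authenticate.
    "forward_modified": Received("yahoo.com", "yahoo.com", "fail", [("yahoo.com", False)]),
    # Envelope rewritten to the forwarder: SPF passes but is not aligned.
    "forward_new_envelope": Received("yahoo.com", "forwarder.example", "pass",
                                     [("yahoo.com", False)]),
    # Forwarder adds its own valid signature: verified but not aligned.
    "forward_resigned": Received("yahoo.com", "forwarder.example", "pass",
                                 [("yahoo.com", False), ("forwarder.example", True)]),
}


def run_scenarios():
    return {name: evaluate(msg, YAHOO) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```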
Re: Conditional Greylisting
On 18 Sep 2015, at 14:29, Bruce Marriner wrote:

So I want to be able to set up Postfix so, if it passes DKIM or other checks that give me a high confidence then just skip the postgrey stuff entirely.

In what exactly does a valid DKIM signature give you high confidence? I suspect that this is misplaced...

All a DKIM signature validation tells you is that a message was in fact signed at the mail system where it claimed to have been signed by an entity in control of the DNS for the domain identified the signature and that none of the message fields specified in the DKIM header have been changed in transit. Looking at the spam that has made it through my filters this year, I see that 27% of those messages had a valid DKIM signature, because in fact any spammer who can open a Yahoo account or register a domain can send mail with a valid DKIM signature.
Re: Conditional Greylisting
On Friday, September 18, 2015 04:59 PM CDT, "Bill Cole" wrote:
> On 18 Sep 2015, at 14:29, Bruce Marriner wrote:
>
> > So I want to be able to set up Postfix so, if it passes DKIM or other
> > checks that give me a high confidence then just skip the postgrey
> > stuff
> > entirely.
>
> In what exactly does a valid DKIM signature give you high confidence? I
> suspect that this is misplaced...
>
> All a DKIM signature validation tells you is that a message was in fact
> signed at the mail system where it claimed to have been signed by an
> entity in control of the DNS for the domain identified the signature and
> that none of the message fields specified in the DKIM header have been
> changed in transit. Looking at the spam that has made it through my
> filters this year, I see that 27% of those messages had a valid DKIM
> signature, because in fact any spammer who can open a Yahoo account or
> register a domain can send mail with a valid DKIM signature.

Ah, well. I think you might be right about misplaced. I've been reading about this all day learning it and I've started to realize the same thing. I would like

Now, why can't all the spammers just add a ThisIsSpam header. Sure would make my life easier :)

I'd still like to reduce my dependency on postgrey. So, if has valid SPF, valid DKIM, has a low SpamAssassin score, then I could skip it without raising spam too much, or at all :).

Postgrey just works so well :) I mean, if I have that on I get almost no spam. But sometimes some things that should come through don't and many things are delayed. When I turn it off, I get tons of spam. So, I need to start adding more stuff into the mix like SpamAssassin, SPF, DKIM, whatever so I can reduce my Postgrey dependency a little. My first few google searches were covered in the DKIM/SPF stuff so I guess that's where I've started first.
Re: Postfix ML Configuration for Sender Header
* Wietse Venema [2015-09-10 15:00]:
> Sebastian Wiesinger:
> > Hello,
> >
> > a while ago I changed my mail configuration for mailinglists. I have
> > individual mail addresses for every mailing list and the configuration
> > now looks like this:
> >
> > From: Sebastian Wiesinger
> > Sender: postfix-us...@ml.karotte.org
> >
> > This has the advantage that off-list answers go to my main
> > mailaddress.
> >
> > This seems to work with all of my mailinglists (most of them use
> > Mailman I think) but not with postfix-users. Here my list address
> > needs to be in the From: field.
> >
> > Is this something that can be changed in Majordomo (and you would be
> > willing to change)?
>
> Sorry, that sounds bogus. No-one replies to the sender: address.

No, it's the other way around. I want off-list replies to my From: address (which is my main mailaddress). But I'm subscribed to the ML with the address in the Sender: header (which is unique for each ML).

Other MLs use the Sender: header in addition to the From: to check if the sender is authorized to post to the list. The Postfix ML doesn't do that apparently.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
Re: Initial test of postfix 3.0.2
On Sep 17, 2015 10:32 PM, "Noel Jones" wrote:
> On 9/17/2015 9:17 PM, Tom Browder wrote:
> > I have a brand new installation, from source, of Postfix 3.0.2 on
> > Debian 7, 64-bit. I successfully did the initial local tests for
> > postfix as described in "The Book of Postfix."
>
> Please note the book is now rather dated. While the examples and
...

Thanks very much for the help, Noel.

Note I have had a successful send and receive from the mail host to my personal gmail account. Now I will get my virtual hosts working.

-Tom
Re: Forward rejected by yahoo
That's exactly what I'm talking about, this DMARC Strict Identity Alignment. If a host only publishes a SPF record (no DKIM record), and sets up DMARC with Strict Identity Alignment, then you will need to rewrite or encapsulate the From: & MAIL FROM address on any forwarded email to match your own server instead.

The best thing to do as I said, is to encapsulate the mail in a new message/rfc822 container, where the outer container will have your domain and your DKIM signature, while the inner container contains the original email, and where the outer subject contains "Fwd:" in addition to the original subject. Just like you pressed "Forward" in your email client.

By doing so, you have covered so your service can forward any email, with any SPF/DKIM/DMARC configuration, without any problems.
Re: Trouble with ORCPT variable IN RCPT TO command
-Original message-
From: Wietse Venema
Sent: Thursday, September 17, 2015 4:13 PM
To: Postfix users
Subject: Re: Trouble with ORCPT variable IN RCPT TO command

Jean-Francois Couture:
Last weekend one of our service providers for our application upgraded their email server (Apache JAMES). And now, they're telling us that the ORCPT variable is not supported.

SMTP servers that announce DSN support and reject ORCPT are BROKEN.

You can configure Postfix to pretend that a server does not support DSN. See:

http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keyword_address_maps
http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keywords

Wietse

Thank you, that did the trick.

Jeff C.
Re: Forward rejected by yahoo
On 18.09.2015, Sebastian Nielsen wrote:

If the domain has strict identity alignment set up, then From: body must match MAIL FROM, which must match the SPF record.

Sorry, this is simply not correct. No widespread "strict identity alignment" binds RFC5322.From (From: body) to RFC5321.MailFrom (MAIL FROM).

The first poster mentioned yahoo.com. I suspect he fails to forward a message "from" a yahoo user back "to" another yahoo user. But he did not present logs to be sure... The most probable reason is DMARC. And yahoo.com uses a DMARC policy which could be named "strict".

DMARC authorizes the visible RFC5322.From by using SPF or DKIM and announces a policy how to handle unauthorized messages.

This gives anybody in the world exactly two possibilities to send a message /to/ an MX server enforcing DMARC policies claiming to be /From:/ yahoo:

1) send from an IP included in `dig yahoo.com txt +short`
2) send content that was DKIM-signed by the DKIM-domain yahoo.com

The first option isn't a realistic option for most people outside yahoo. The second option is only possible for yahoo itself. So it includes all messages /sent out/ by yahoo.

And that's the point. If someone receives a message /From:/ yahoo and reroutes the message totally unchanged back to another yahoo user, this message still has the valid DKIM signature and will be accepted even by the yahoo MX server. Because the DKIM signature validates and that proves the message is not forged. That's DMARC. And for that reason it's so important to NOT MODIFY ANY (DKIM SIGNED) MESSAGE in transit.

Back to the initial poster: compare the message you receive with the message you later send. If they differ (apart from some Received: lines) then yahoo will reject your forward.

Andreas
Re: Postfix ML Configuration for Sender Header
Sebastian Wiesinger:
> No, it's the other way around. I want off-list replies to my From:
> address (which is my main mailaddress). But I'm subscribed to the ML
> with the address in the Sender: header (which is unique for each ML).
>
> Other MLs use the Sender: header in addition to the From: to check if
> the sender is authorized to post to the list. The Postfix ML doesn't
> do that apparently.

Majordomo uses the following: Reply-To: (most preferred), From:, and Apparently-From: (least preferred). It does not use Sender:.

The list manager runs on someone else's system. I would not want to run it on my own.

Wietse
Using Postfix as an SMTP server
I would like to know if I can use Postfix for this scenario (I just need a yes or no, please, and I'll take the next steps with assistance from this list as necessary):

given

1. a remote server successfully hosting multiple virtual servers
2. my local server from whence I update and maintain the remote server via ssh
3. a working Postfix (for a single domain at the moment)

desired

1. use Postfix and Mail on my local host to send mail to the remote server to one of several mailing lists available on multiple virtual hosts
2. on the remote server, have postfix rewrite my incoming message so that it appears to come from an account at the virtual host the mailing list is associated with (I would use specially formatted subject, CC, and text as necessary to aid rewriting)

Thanks.

Best regards,

-Tom
Re: Using Postfix as an SMTP server
On Fri, Sep 18, 2015 at 09:12:37AM -0500, Tom Browder wrote:
> given
>
> 1. a remote server successfully hosting multiple virtual servers
> 2. my local server from whence I update and maintain the remote server via ssh
> 3. a working Postfix (for a single domain at the moment)
>
> desired
>
> 1. use Postfix and Mail on my local host to send mail to the remote
> server to one of several mailing lists available on multiple virtual
> hosts
> 2. on the remote server, have postfix rewrite my incoming message so
> that it appears to come from an account at the virtual host the
> mailing list is associated with (I would use specially formatted
> subject, CC, and text as necessary to aid rewriting)

Yes.

Keep in mind that it is simplest to just send the mail with the desired purported author (I assume you're looking to change the "From:" header), rather than implement complex rewriting on the next-hop SMTP relay. You might also do this on the "local" Postfix, the earlier, the better.

-- 
Viktor.
Re: Forward rejected by yahoo
On September 18, 2015 4:24:40 PM "Sebastian Nielsen" wrote:

That's exactly what I'm talking about, this DMARC Strict Identity Alignment. If a host only publishes a SPF record (no DKIM record), and sets up DMARC with Strict Identity Alignment, then you will need to rewrite or encapsulate the From: & MAIL FROM address on any forwarded email to match your own server instead.

your forward system are broken spf is not from: header possible ask dmarc domain to change fo= in that domain to accept no dkim testing
Re: Forward rejected by yahoo
On September 18, 2015 6:31:46 PM "Sebastian Nielsen" wrote:

Yeah, all the list mail from postfix fails SPF, at my server:

https://dmarcian.com/spf-survey/postfix.org

there is no spf there, so fix your own spf test
Conditional Greylisting
Is it possible to configure Postfix so that greylisting only happens under specific conditions? I'd like to have DKIM/SPF setup and if an e-mail passed those I want to completely bypass greylisting. However, if it soft-fails those checks then I want it to greylist next. I have all of the above things working already - just not the conditional greylisting. I'd love some help accomplishing this! Thank you very much!
Re: Forward rejected by yahoo
On September 18, 2015 4:40:52 AM "Sebastian Nielsen" wrote:

If the domain has strict identity alignment set up, then From: body must match MAIL FROM, which must match the SPF record.

postfix.org have no spf record, not my fault

That's why you need to replace or encapsulate the From: as well, in case the sender domain has strict identity alignment set up.

no no no and no, cc to you so you see your error
Re: Forward rejected by yahoo
Yeah, all the list mail from postfix fails SPF, at my server:
X-SPF-Signature: fail (junc.eu: Sender is not authorized by default to use 'm...@junc.eu' in 'mfrom' identity (mechanism '-all' matched)) receiver=server-desktop; identity=mailfrom; envelope-from="m...@junc.eu"; client-ip="2604:8d00:0:1::7"

But I have decided to not reject SPF failing email, instead I just tag it, so I know, that in case my bank mails me and ask for my details, I know if the mail is genuine or not by looking at the SPF flag.

To cope with all sorts of misconfigurations, it's better to encapsulate email like you press "Forward" in your mail client.

-Original message-
From: Benny Pedersen
Sent: Friday, September 18, 2015 6:23 PM
To: Sebastian Nielsen ; postfix-users@postfix.org
Subject: Re: Forward rejected by yahoo

On September 18, 2015 4:40:52 AM "Sebastian Nielsen" wrote:

If the domain has strict identity alignment set up, then From: body must match MAIL FROM, which must match the SPF record.

postfix.org have no spf record, not my fault

That's why you need to replace or encapsulate the From: as well, in case the sender domain has strict identity alignment set up.

no no no and no, cc to you so you see your error
Re: Using Postfix as an SMTP server
On Fri, Sep 18, 2015 at 9:18 AM, Viktor Dukhovni wrote:
> On Fri, Sep 18, 2015 at 09:12:37AM -0500, Tom Browder wrote:
...
> Keep in mind that it is simplest to just send the mail with the
> desired purported author (I assume you're looking to change the
> "From:" header), rather than implement complex rewriting on the
> next-hop SMTP relay. You might also do this on the "local" Postfix,
> the earlier, the better.

Many thanks, Viktor.

-Tom
Re: Forward rejected by yahoo
Sebastian Nielsen:
> Yeah, all the list mail from postfix fails SPF, at my server:
> X-SPF-Signature: fail (junc.eu: Sender is not authorized by default to use
> 'm...@junc.eu' in 'mfrom' identity (mechanism '-all' matched))
> receiver=server-desktop; identity=mailfrom; envelope-from="m...@junc.eu";
> client-ip="2604:8d00:0:1::7"

That is not right. Mail from the postfix-users list has an envelope sender "owner-postfix-us...@postfix.org", not your email address. Otherwise, you would receive the bounces from failed mailing list deliveries.

Wietse