Best way to run Postfix on a single server for multiple domains

2017-02-11 Thread Nitin N
Dear friends,

I have been using Postfix for some time now for a single domain and it has
been running smoothly with Dovecot. I use milters for SpamAssassin, ClamAV,
DKIM, DMARC & SPF. Postgrey has also been configured (although I think it
could be removed in the long run). I have Postscreen enabled. TLS support
has been enabled with self-signed certificates.

Now, I have to migrate to a new server that is running FreeBSD 11. I need
to support 4 domains on this single server with each domain having its own
Trusted CA certified SSL digital certificate.

I can think of three ways to accomplish this and I am looking for some
guidance based on your knowledge/experience with Postfix.

Method 1]

Use virtual domains on a single Postfix instance and override master.cf to
take care of the individual SSL certificate for each domain using a
separate IP in each case. Based on my research, I believe this could get
complicated with Postscreen and other milters enabled. So I am not too keen
on going this path. Correct me if I am wrong...

Method 2]

Use postmulti and create a separate instance for each domain. In this case,
I am not sure how complex it might get if I want to create further
instances for each domain to handle outgoing, incoming and null-client
scenarios.

Method 3]

Use FreeBSD jails for each domain and a common jail for all the spam/virus
protection services and use a proxy + NAT on the main host. This could also
help me use postmulti in each jail in case I need to have multiple
instances based on functions.

So based on your experience/expertise, which method would you recommend?
Further, do you think I can stop using Postgrey as I also have Postscreen
enabled?

I look forward to your responses.

Warm regards,

Nitin


Re: Unable to use encrypted password for imap and pop3

2017-02-11 Thread Admin Beckspaced

Postfix does not provide POP3 & IMAP!
Have a look at the Dovecot (your POP3 & IMAP service) SSL configuration
as pointed out in the tutorial:


http://wiki2.dovecot.org/SSL/DovecotConfiguration

greetings
Becki


On 11.02.2017 08:25, dan...@msw.it wrote:

Hi friends,
Following the Workaround tutorial for Jessie
(https://workaround.org/ispmail/jessie ) six months ago I set up my
first Postfix email server and all works very fine, except for the
ability for the user to encrypt the login password.

I can use the encrypted password with smtp, but not with pop3 and imap.
The certificates are from Letsencrypt.

Could you suggest me where I should look into?

Many many thanks!


davide





Here are 'postconf -nf' and 'postconf -Mf':


-- postconf -nf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
milter_connect_macros = i j {daemon_name} v {if_name} _
mydestination = server.sio4.org, localhost.sio4.org, , localhost
myhostname = server.sio4.org
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_milters = unix:/spamass/spamass.sock
smtpd_recipient_restrictions = reject_non_fqdn_sender,
reject_unauth_destination, reject_unknown_reverse_client_hostname,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
reject_unknown_sender_domain, reject_non_fqdn_recipient
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
mysql:/etc/postfix/mysql-email2email.cf,mysql:/etc/postfix/mysql-virtual-alias-maps.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/server.sio4.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.sio4.org/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps =
mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_mailbox_domains = 
mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf

virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp



-- postconf -Mf

smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_path=private/auth
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf,mysql:/etc/postfix/mysql-virtual-alias-maps.cf
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o smtpd_sasl_local_domain=$myhostname
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
pickup     unix  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       l

Re: Best way to run Postfix on a single server for multiple domains

2017-02-11 Thread /dev/rob0
On Sat, Feb 11, 2017 at 01:55:26PM +0530, Nitin N wrote:
> Now, I have to migrate to a new server that is running FreeBSD 11. 
> I need to support 4 domains on this single server with each domain 
> having its own Trusted CA certified SSL digital certificate.
> 
> I can think of three ways to accomplish this and I am looking for 
> some guidance based on your knowledge/experience with Postfix.
> 
> Method 1]
> 
> Use virtual domains on a single Postfix instance and override 
> master.cf to take care of the individual SSL certificate for each 
> domain using a separate IP in each case. Based on my research, I 
> believe this could get complicated with Postscreen and other 
> milters enabled. So I am not too keen on going this path. Correct 
> me if I am wrong...

Postscreen (which, BTW, is *not* a milter) and submission do not play 
well together.  If you must accept submission on port 25, do so with 
a distinct IP address which isn't published as MX for any of your 
domains, and only accept authenticated users there.

If there's only one IP address and you cannot fix the problem of mail 
users submitting mail on port 25, you're probably going to have to 
disable postscreen.

Certificates only matter on submission, and there only if your user 
base is large and beyond your control, such as at an ISP or 
university.  Small-timers can just tell their users, "this is the TLS 
certificate we're using, accept it."

> Method 2]
> 
> Use postmulti and create a separate instance for each domain. In 
> this case, I am not sure how complex it might get if I want to 
> create further instances for each domain to handle outgoing, 
> incoming and null-client scenarios.

Why would you want to do this?  If you're seeking Perfect Headers, 
why?  Users mostly can't read nor understand headers.

> Method 3]
> 
> Use FreeBSD jails for each domain and a common jail for all the 
> spam/virus protection services and use a proxy + NAT on the main 
> host. This could also help me use postmulti in each jail in case I 
> need to have multiple instances based on functions.
> 
> So based on your experience/expertise, which method would you 
> recommend?

Method 4: use a single IP address for mail, tell users what name it 
is (no reason why that name has to be "in their domain"), tell them 
what certificate they need to accept in their MUAs.  Offer and accept 
AUTH only on port 587; accept mail exchange only on port 25.

Your question and stated 3 methods indicate you don't understand much 
about the place of TLS in SMTP.  Yes, a user sending mail through 
your server needs to check (and to trust) your certificate, but 
remote MTAs will usually not ask for it and do not care.

> Further, do you think I can stop using Postgrey as I also have 
> Postscreen enabled?

With after-220 tests enabled, postscreen will easily block anything 
postgrey might have blocked.  Also, greylisting, ISTM, is mostly 
defeated by spammers' current methods.  It's typical for zombies to 
go through their lists more than once.

> I look forward to your responses.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

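The master.cf and main.cf settings that implement rob0's "Method 4", as an added configuration example that is not from the thread or from the Postfix project: one IP address, no AUTH on port 25 with postscreen in front of it (including the "after 220" tests mentioned in the reply above), and AUTH only on port 587 behind mandatory TLS. The hostname mail.example.net and the certificate paths are assumptions; the SASL and TLS parameters are the ones Davide's posted configuration earlier on this page already uses. Postscreen needs Postfix 2.8 or later, smtpd_relay_restrictions 2.10 or later.

```conf
# master.cf: port 25 carries MX traffic only. postscreen answers the
# connection first; the smtpd behind it never offers AUTH.
smtp       inet  n       -       n       -       1       postscreen
smtpd      pass  -       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=no
dnsblog    unix  -       -       n       -       0       dnsblog
tlsproxy   unix  -       -       n       -       0       tlsproxy

# master.cf: port 587 is for authenticated users only. TLS is required
# before AUTH is offered, and nothing unauthenticated gets past RCPT TO.
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_auth_only=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o milter_macro_daemon_name=ORIGINATING

# main.cf: one name and one certificate for all four domains (assumed
# name and paths). Users are told this name, not one "in their domain".
myhostname = mail.example.net
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example.net/fullchain.pem
smtpd_tls_key_file  = /usr/local/etc/ssl/mail.example.net/privkey.pem
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = no

# main.cf: postscreen tests before the 220 greeting ...
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
# ... and the "after 220" tests, which replace greylisting: a client that
# fails one is told to come back later (4XX) and must reconnect.
postscreen_pipelining_enable = yes
postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = enforce
```

The after-220 tests can only be passed by a client that disconnects and tries again, so enabling them delays the first message from every new sending host until it reconnects; MTAs do that as a matter of course and MUAs do not, which is why AUTH has to live on 587 once postscreen is on 25. `postconf -Mf` and `postconf -nf` show the resulting configuration.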

Re: Moving from version 2 to 3

2017-02-11 Thread Steve Matzura
Thank you. I know it's been about three weeks since I asked the
question, but I've been swamped with other projects so haven't had a
chance to try it. I will, and will report back.

On Thu, 19 Jan 2017 15:22:57 -0500 (EST), you wrote:

>Steve Matzura:
>> I'm currently running an implementation of version 2 on a Fedora
>> version 17 system, moving to a Ubuntu 16.04 LTS system which gave me
>> version 3. Before I start pulling my hair out, which I already did
>> going from version 1 to 2, is there an easy migration path for a
>> configuration file that's working perfectly under 2?
>
>Yes. 
>
>postconf compatibility_level=0
>postfix reload
>
>   Wietse


Re: Moving from version 2 to 3

2017-02-11 Thread Steve Matzura
Peter:

On Fri, 20 Jan 2017 11:01:25 +1300, you wrote:

>F17 came with postfix 2.9 (the 9 is important here).  I would also do
>this to make a new setting in 2.10 compatible to previous versions:
>
>postconf smtpd_relay_restrictions=permit

I must be lucky then, because 'postconf -d|grep mail_version' reports
2.10.



Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
Hello.

I'm trying to set up a new procmail recipe to automatically file this
mailing list's traffic into its own folder - because my old procmail
recipe (filtering by TO: postfix-users@postfix.org) has proven to be
not 100% effective (somehow, some posts to the mailing list are
addressed to postfix-us...@cloud9.net instead, and are landing directly
into my Inbox, where I can miss them or directly delete them as they are
not subject-tagged).

Anyway, from studying the headers in several posts to the list, I
haven't found the typical "List-Id:" header [1], which would have
been my first choice. I see, however, that I can use the "Sender:
owner-postfix-us...@postfix.org" header for my procmail recipe. OK,
so problem solved.

All that piqued my curiosity, and I became aware that this mailing list
is not using the customary subject [tags] and body footer-disclaimer,
which are common in many other mailing lists, so I thought that posts
to this list with a DKIM signature from the original sender surely must
be received by the list subscribers with that DKIM signature not having
been invalidated - so I checked some posts to the list which had a DKIM
signature and sure enough, their DKIM signature validated fine.

I then asked to myself: this list not having subject [tags] and a body
footer, is perhaps a new development to satisfy the emerging "tyranny"
of several big ESP (email service providers) implementing DMARC [2]
with a policy of p=reject [3], or is it perhaps an old custom of this
list unrelated to DMARC? So I searched the list archives and found that
subject [tags] have never been used, but that a body footer was indeed
used in the beginning, with this message from 2002-11-06 15:32:04
being the first one to have an unaltered body without any footer:
http://marc.info/?l=postfix-users&m=103659674500641&w=2

I dug a little deeper still, and found that the domain in the Return-Path
for the list's messages (@postfix.org) has no SPF record in DNS. Also,
the mailing list host does not do any DKIM signing of the messages it
relays to the subscribers.

So I have questions.

1. Why the mailing list software is not configured to add a List-Id
header?

2. Why this mailing list has never used subject tags, and very early
in its infancy it even stopped injecting a footer into the posts? It's
obvious that was not done to accommodate for DMARC, so why was it done
this way?

3. Why is this mailing list's host not signing with DKIM the posts which
it is distributing to the subscribers?

4. Why there isn't any SPF declared for the domain (postfix.org) used
in the MAIL-FROM (a.k.a. Return-Path) of the messages sent to the
subscribers?


I will not fake ingenuity on my part, for I searched the list archives and
found this quote from Victor Duchovni [4]: "SPF cannot solve spam, but
it can, if adopted widely, do damage the Internet email infrastructure
which as it stands works very well at delivering email despite the
attacks being inflicted upon it. Spam will never go away completely
(neither will other crime), but we will learn to avoid it and police it,
despite the distraction of SPF."

So it's obvious key figures in Postfix have (had?) philosophical issues
with SPF (which I happen to love, actually). So that could answer my
fourth question above, but what about the other three?

Also, I'm curious: do you, Victor, still hold that negative view toward
SPF, thirteen years after your quoted comment above?


Regards,


[1] See RFC2919 - https://www.ietf.org/rfc/rfc2919.txt

[2] See RFC7489 - https://tools.ietf.org/html/rfc7489

[3] A DMARC policy of p=reject is known to cause trouble with so called
"indirect mail flows", of which a mailing list is the primary example -
see https://tools.ietf.org/html/rfc7960

[4] http://marc.info/?l=postfix-users&m=107415094130714&w=2


-- 
Josh Good



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Wietse Venema
Josh Good:
> 1. Why the mailing list software is not configured to add a List-Id
> header?

Perhaps that's because the configuration was last updated in 2005,
at a time that List-Id was not as widely used. Let's see if this
message will have a List-Id header.

There are no footers, because to do that correctly, software has
to be MIME-aware, and the list software isn't. Having no footer is
better than having a footer that sometimes comes out as garbage.

Wietse


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Benny Pedersen

Josh Good skrev den 2017-02-12 01:53:

> 1. Why the mailing list software is not configured to add a List-Id
> header?

Good question :)

> 2. Why this mailing list has never used subject tags, and very early
> in its infancy it even stopped injecting a footer into the posts? It's
> obvious that was not done to accommodate for DMARC, so why was it done
> this way?

This will break DKIM.

> 3. Why is this mailing list's host not signing with DKIM the posts which
> it is distributing to the subscribers?

It's good to see it's not needed: if DKIM is sender-signed and the mailing
list preserves that signing, there is no need for more signing by the
mailing list. And another possible reason: if it is not signed by the
sender, why would it make sense to see the mailing list sign it?

What if the mailing list indeed signed with DKIM; would you then be
unsubscribed if some MTA out there forwarded it and broke the DKIM?

> 4. Why there isn't any SPF declared for the domain (postfix.org) used
> in the MAIL-FROM (a.k.a. Return-Path) of the messages sent to the
> subscribers?

And why is the envelope sender sometimes cloud9.org?

Hopefully no change is needed.

The worst kind of management is to not check that one's own DKIM gets a
pass on mailing lists.

Let it continue to not break DKIM; other mailing lists have a hobby of
breaking it.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
On 2017 Feb 11, 20:27, Wietse Venema wrote:
> Josh Good:
> > 1. Why the mailing list software is not configured to add a List-Id
> > header?
> 
> Perhaps that's because the configuration was last updated in 2005,
> at a time that List-Id was not as widely used. Let's see if this
> message will have a List-Id header.
> 
> There are no footers, because to do that correctly, software has
> to be MIME-aware, and the list software isn't. Having no footer is
> better than having a footer that sometimes comes out as garbage.

Thanks a lot Wietse for your answers.

And yes, your post did have a List-ID:

List-Id: Postfix users 

That's great! Thank you.

And I don't mean to be an annoyance, but why no subject [tags]?

Regards,

-- 
Josh Good



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Benny Pedersen

Josh Good skrev den 2017-02-12 02:40:

> And I don't mean to be an annoyance, but why no subject [tags]?

This would break DKIM.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
On 2017 Feb 12, 02:33, Benny Pedersen wrote:
> Josh Good skrev den 2017-02-12 01:53:
> 
> >2. Why this mailing list has never used subject tags, and very early
> >in its infancy it even stopped injecting a footer into the posts? It's
> >obvious that was not done to accommodate for DMARC, so why was it done
> >this way?
> 
> this will break dkim

It would break the original sender's DKIM, if any. But then the mailing
list host could DKIM sign all messages just before sending them to the
list subscribers.

Because the original sender's DKIM may or may not exist, the mailing
list doing its own DKIM signing is the only way to make that list posts
are tamper-proof at all times.

> >3. Why is this mailing list's host not signing with DKIM the posts 
> >which
> >it is distributing to the subscribers?
> 
> its good to see its not needed if dkim is sender signed, and the 
> maillist preserve that signing, so no need for more signing of maillist, 
> and another possible reason if not signed by sender why would it make 
> sense to se maillist sign it ?

In the post-Snowden era, cryptographically signing ALL is the way to go.
Remember, NSA not only "spies", it also "impersonates" when it needs to
do so (if it can do it). So yes, it makes sense for a mailing list to
DKIM sign the posts it sends to its subscribers.

Regards,

-- 
Josh Good



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Wietse Venema
Josh Good:
> On 2017 Feb 11, 20:27, Wietse Venema wrote:
> > Josh Good:
> > > 1. Why the mailing list software is not configured to add a List-Id
> > > header?
> > 
> > Perhaps that's because the configuration was last updated in 2005,
> > at a time that List-Id was not as widely used. Let's see if this
> > message will have a List-Id header.
> > 
> > There are no footers, because to do that correctly, software has
> > to be MIME-aware, and the list software isn't. Having no footer is
> > better than having a footer that sometimes comes out as garbage.
> 
> Thanks a lot Wietse for your answers.
> 
> And yes, your post did have a List-ID:
> 
> List-Id: Postfix users 
> 
> That's great! Thank you.
> 
> And I don't mean to be an annoyance, but why no subject [tags]?

Tags are not needed. If you subscribe to this list, file the messages
to a dedicated folder for that list. Receiving list mail in the
primary inbox is discouraged.

Wietse


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Sebastian Nielsen
I agree about the DKIM signing. I regularly get authentication failures
(forensic reports) when posting to this list. Probably because my domain is set
to require mandatory DKIM signing and the postfix list server isn't.

However, I don't think there should be any subject tags.



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Benny Pedersen

Josh Good skrev den 2017-02-12 02:51:

> It would break the original sender's DKIM, if any. But then the mailing
> list host could DKIM sign all messages just before sending them to the
> list subscribers.

How should DKIM handle this? How should DMARC handle it? How should ARC
handle it?

How should mail relays handle it when not all DKIM is getting a DKIM pass?

You open a can of worms when DKIM is broken.

> Because the original sender's DKIM may or may not exist, the mailing
> list doing its own DKIM signing is the only way to make that list posts
> are tamper-proof at all times.

What will happen if signers sign all, and their signing public key is
missing in DNS?

> In the post-Snowden era, cryptographically signing ALL is the way to go.
> Remember, NSA not only "spies", it also "impersonates" when it needs to
> do so (if it can do it). So yes, it makes sense for a mailing list to
> DKIM sign the posts it sends to its subscribers.

No, DKIM is not PGP.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Benny Pedersen

Sebastian Nielsen skrev den 2017-02-12 02:55:

> I agree about the DKIM signing. I get regularly authentication
> failures (forensic reports) when posting to this list. Probably
> because my domain is set to require mandatory DKIM signing and postfix
> list server isn't.

In that case you have mail relays that break DKIM.

The Postfix mailing list is DMARC/DKIM/SPF/ARC safe.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
On 2017 Feb 12, 03:00, Benny Pedersen wrote:
> >In the post-Snowden era, cryptographically signing ALL is the way to 
> >go.
> >Remember, NSA not only "spies", it also "impersonates" when it needs to
> >do so (if it can do it). So yes, it makes sense for a mailing list to
> >DKIM sign the posts it sends to its subscribers.
> 
> no, dkim is not pgp

I don't see how your assertion is related to my comment.

DKIM does certify that a message with a valid signature has:

--authenticity (from where it comes, as control of the DNS of the sending
domain is needed).

--integrity (that the message has not been altered or mutilated).


PGP is end-to-end, DKIM is not end-to-end, but MTA-to-MTA. I never said
DKIM was end-to-end.

Regards,

-- 
Josh Good



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Sebastian Nielsen
Theres no relay between me and postfix. And this is the report:

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: mx01.nausch.org; dmarc=fail header.from=sebbe.eu
Original-Envelope-Id: 68ED4C00088
Original-Mail-From: owner-postfix-us...@postfix.org
Source-IP: 168.100.1.3 (camomile.cloud9.net)
Reported-Domain: sebbe.eu

-
And original mail:
-
Authentication-Results: mx1.nausch.org;
dkim=pass (1024-bit key) header.d=sebbe.eu header.i=@sebbe.eu 
header.b="AnBtXcH6"
Authentication-Results: mx01.nausch.org; spf=none 
smtp.mailfrom= smtp.helo=camomile.cloud9.net
Received: by camomile.cloud9.net (Postfix)
id 7474A336498; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Delivered-To: postfix-users-outgo...@cloud9.net
Received: from localhost (localhost [127.0.0.1])
by camomile.cloud9.net (Postfix) with ESMTP id 728E83310A6
for ; Sat, 11 Feb 2017 20:55:58 
-0500 (EST)
X-Virus-Scanned: amavisd-new at cloud9.net
Received: from camomile.cloud9.net ([127.0.0.1])
by localhost (camomile.cloud9.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wFb_dh5o0Qze for ;
Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Received: by camomile.cloud9.net (Postfix, from userid 54)
id 50BF13364A0; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Delivered-To: postfix-us...@cloud9.net
Received: from localhost (localhost [127.0.0.1])
by camomile.cloud9.net (Postfix) with ESMTP id 328E4336498
for ; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
X-Virus-Scanned: amavisd-new at cloud9.net
Received: from camomile.cloud9.net ([127.0.0.1])
by localhost (camomile.cloud9.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eeHrKBrRbl4U for ;
Sat, 11 Feb 2017 20:55:58 -0500 (EST)
Received: from dns2.sebbe.eu (dns2.sebbe.eu [185.86.107.140])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by camomile.cloud9.net (Postfix) with ESMTPS id CE06D3310A6
for ; Sat, 11 Feb 2017 20:55:57 -0500 (EST)
Received: from linuxlite-desktop (localhost [127.0.0.1])
by dns2.sebbe.eu (Postfix) with ESMTP id 2E31476024B
for ; Sun, 12 Feb 2017 02:55:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sebbe.eu; s=root;
t=1486864555; bh=QG62M3r5Lc+7o9a5bmtrhKgDItf9g2IQHyYASOb1hFc=;
h=Date:From:To:In-Reply-To:References:Subject:From;
b=AnBtXcH6dIzWlO8tvRvhYxjFfHth6ioQDTnHiSmRl2ZFgRs6P9eUsrIRcUeJuABKT
 aXDhQlpzqGTNehqqtKamWb4cc5VqOLATXeR/2hD2Uiz63QQJHMyiC6eAzUzarfvwjU
 NpXW2pHtVj/J7c+XO/rrKeapamzY8aCTiPImxI6k=
Received: from [192.168.3.90] (unknown [192.168.3.90])
by dns1.sebbe.eu (Postfix) with ESMTP id 323CB76024B
for ; Sun, 12 Feb 2017 02:55:41 +0100 (CET)
Date: Sun, 12 Feb 2017 02:55:39 +0100
From: Sebastian Nielsen 
To: postfix-users@postfix.org
Message-ID: <3dfb9ae5-1bd8-417f-9b00-c3954c22e...@sebbe.eu>
In-Reply-To: <20170212015134.gb18...@naleco.com>
References: <20170212005312.ga12...@naleco.com> 
<1cf4d7a776ca97544eb0d21d36253...@junc.eu> <20170212015134.gb18...@naleco.com>
Subject: Re: Why no List-ID header in the postfix-users posts?
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; 
micalg=sha-256; 
boundary="=_Part_17_905167004.1486864541512"
User-Agent: WristMail for Android
X-Hashcash: 
1:26:170212:postfix-users@postfix.org::8sJRinKtSCxqHE9u:0003Mp9h
Sender: owner-postfix-us...@postfix.org
Precedence: bulk
List-Id: Postfix users 
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
-


As you see, it's not going through even if DKIM = pass.
I think DKIM on the postfix list server would solve that.




Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Mick

On 12/02/2017 00:53, Josh Good wrote:

> Hello.
>
> I'm trying to set up a new procmail recipe to automatically file this
> mailing list's traffic into its own folder - because my old procmail
> recipe (filtering by TO: postfix-users@postfix.org) has proven to be
> not 100% effective (somehow, some posts to the mailing list are
> addressed to postfix-us...@cloud9.net instead, and are landing directly
> into my Inbox, where I can miss them or directly delete them as they are
> not subject-tagged).

Suggestion:
When Sender is 'owner-postfix-us...@postfix.org' move message to 'Postfix'.
The above works for me every time.

Best wishes,

Mick.





Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Viktor Dukhovni
On Sun, Feb 12, 2017 at 02:40:09AM +0100, Josh Good wrote:

> And I don't mean to be an annoyance, but why no subject [tags]?

This list carefully avoids modifying the message headers and body.
Therefore, this list requires no ugly DMARC work-around hacks.  I
am sure that we should keep it that way.

-- 
Viktor.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
On 2017 Feb 12, 03:13, Sebastian Nielsen wrote:
> Theres no relay between me and postfix. And this is the report:
> 
> Feedback-Type: auth-failure
> Version: 1
> User-Agent: OpenDMARC-Filter/1.3.2
> Auth-Failure: dmarc
> Authentication-Results: mx01.nausch.org; dmarc=fail header.from=sebbe.eu
> Original-Envelope-Id: 68ED4C00088
> Original-Mail-From: owner-postfix-us...@postfix.org
> Source-IP: 168.100.1.3 (camomile.cloud9.net)
> Reported-Domain: sebbe.eu
> 
> -
> And original mail:
> -
> Authentication-Results: mx1.nausch.org;
>   dkim=pass (1024-bit key) header.d=sebbe.eu header.i=@sebbe.eu 
> header.b="AnBtXcH6"
> Authentication-Results: mx01.nausch.org; spf=none 
> smtp.mailfrom= smtp.helo=camomile.cloud9.net
> Received: by camomile.cloud9.net (Postfix)
>   id 7474A336498; Sat, 11 Feb 2017 20:55:58 -0500 (EST)
> Delivered-To: postfix-users-outgo...@cloud9.net
(...snip...)
> 
> 
> As you see, its not going through even if dkim = pass.
> I think DKIM on postfix list server would solve that.

That's weird, if the DKIM mechanism passes, then DMARC should pass too,
provided the email address in the Header-From is aligned with the DKIM
signature which passed.

In your headers, we see that DKIM passes OK when you received your own
post to the list.

And then this is your DMARC record:

$ host -t txt _dmarc.sebbe.eu
_dmarc.sebbe.eu descriptive text "v=DMARC1\; p=reject\; sp=reject\; ri=604800\; 
rf=afrf\; aspf=s\; adkim=s\; rua=mailto:ab...@sebbe.eu\; 
ruf=mailto:ab...@sebbe.eu\; pct=100\; fo=1\;"


See that non-default "fo=1" you have there? That's why you are getting
a DMARC result of fail:

See RFC 7489, Section 6.3, page 18:

""
fo:  Failure reporting options (plain-text; OPTIONAL; default is "0")

0: Generate a DMARC failure report if all underlying
   authentication mechanisms fail to produce an aligned "pass"
   result.

1: Generate a DMARC failure report if any underlying
   authentication mechanism produced something other than an
   aligned "pass" result.
""

Go with the DMARC default of "fo=0" and you should be fine.


Also, you should NOT use p=reject in your DMARC record if you post to
mailing lists, see RFC7960, Section 3.2.3.1:

""
Mailing Lists may also have the following DMARC interoperability
issues: 

Subscribed members may not receive email from members that post
using domains that publish a DMARC "p=reject" policy.

Mailing Lists may interpret DMARC-related email rejections as an
inability to deliver email to the Recipients that are checking and
enforcing DMARC policy.  This processing may cause subscribers
that are checking and enforcing DMARC policy to be inadvertently
suspended or removed from the Mailing List.
""

It all means: if you post to a mailing list with a DMARC policy of
p=reject, you risk (A) not having your posts received by the other
subscribers, and (B) accidentally causing OTHER subscribers to be
unsubscribed from the list because they could start rejecting your posts
at any time based on your own published DMARC policy, and the mailing
software could wrongly assume the subscribed address of OTHER subscribers
has become stale.

So take action:
1. change "fo=1" to "fo=0".
2. remove "p=reject", or use a different subdomain/domain to post to
mailing lists.

Regards,

-- 
Josh Good

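The DMARC evaluation Josh is reasoning about, as an added example in Python that is not from the thread or from any DMARC implementation: it parses a record as `host -t txt` prints it (with the `\;` escapes), applies the RFC 7489 identifier-alignment and pass/fail rules, and separately works out whether the fo= setting asks for a failure report. It is stdlib only; the organizational-domain step uses a small constructed suffix set instead of the real public suffix list, and the constructed record mirrors the tags of the sebbe.eu record quoted above without its rua/ruf addresses.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not from the list or any DMARC implementation: RFC 7489
# identifier alignment (3.1), record tags and defaults (6.3) and the pass/fail
# rule (6.6.2), plus the separate question of whether fo= asks for a failure
# report. The public suffix set below is a constructed stand-in for the PSL.

PUBLIC_SUFFIXES = {"eu", "org", "net", "com", "co.uk"}


def organizational_domain(fqdn: str) -> str:
    """RFC 7489 3.2: the public suffix plus one label (PSL approximated above)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record as printed by host/dig (with '\\;' escapes)."""
    tags = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100", "rf": "afrf", "ri": "86400"}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record: str, from_domain: str, dkim_results: List[Tuple[str, str]],
                   spf_result: str, spf_domain: Optional[str]) -> Dict[str, object]:
    """dkim_results: (result, d= domain) per signature; spf_domain: MAIL FROM domain."""
    tags = parse_dmarc_record(record)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags["adkim"]) for r, d in dkim_results)
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(spf_domain, from_domain, tags["aspf"])
    passed = dkim_ok or spf_ok  # RFC 7489 6.6.2: one aligned pass is enough
    fo = set(tags["fo"].split(":"))
    report = (("0" in fo and not passed)                      # every mechanism failed
              or ("1" in fo and not (dkim_ok and spf_ok))     # anything short of aligned pass
              or ("d" in fo and any(r == "fail" for r, _ in dkim_results))
              or ("s" in fo and spf_result == "fail"))
    is_org = organizational_domain(from_domain) == from_domain.lower()
    policy = tags["p"] if is_org else tags["sp"]
    return {"dmarc": "pass" if passed else "fail", "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "disposition": "none" if passed else policy,
            "failure_report": report}


# Constructed record mirroring the tags of the sebbe.eu record quoted above,
# as `host -t txt` prints it; the rua/ruf addresses are left out.
SEBBE_RECORD = ("v=DMARC1\\; p=reject\\; sp=reject\\; ri=604800\\; rf=afrf\\; "
                "aspf=s\\; adkim=s\\; pct=100\\; fo=1\\;")


def list_post_case(fo: str = "1", dkim: str = "pass") -> Dict[str, object]:
    """A sebbe.eu post relayed by the list: MAIL FROM is the list owner
    address (SPF 'none' for sebbe.eu), the author's DKIM signature is intact."""
    record = SEBBE_RECORD.replace("fo=1", "fo=" + fo)
    return evaluate_dmarc(record, "sebbe.eu", [(dkim, "sebbe.eu")], "none", "postfix.org")


if __name__ == "__main__":
    print("as received      :", list_post_case())
    print("with default fo=0:", list_post_case(fo="0"))
    print("list broke DKIM  :", list_post_case(dkim="fail"))
```

Run on the values visible in Sebastian's headers (dkim=pass with d=sebbe.eu equal to the From domain, spf=none because MAIL FROM is the list owner address), the RFC logic gives an aligned DKIM pass, so the result is pass and the disposition is none, while fo=1 still asks for a failure report because SPF did not produce an aligned pass; with the default fo=0 no report is generated for a passing message. Only when the list alters signed content does DKIM fail, and then p=reject applies to every subscriber's MX that enforces it.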


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread lists
How would I get a print out of email uses that fail DKIM, SPF, or both? A few months ago there was chatter about how to rewrite the subject header to indicate the SPF and DKIM status. Unfortunately nothing further.

Further, how does DKIM prove the message wasn't altered? To my knowledge, SPF proves the message came from a qualified server and DKIM proves the FQDN is a match.

From: Sebastian Nielsen
Sent: Saturday, February 11, 2017 5:56 PM
To: postfix-users@postfix.org
Subject: Re: Why no List-ID header in the postfix-users posts?

> I agree about the DKIM signing. I get regularly authentication failures (forensic reports) when posting to this list. Probably because my domain is set to require mandatory DKIM signing and postfix list server isn't.
>
> However, I don't think there should be any subject tags.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Benny Pedersen

Sebastian Nielsen skrev den 2017-02-12 03:13:

> There's no relay between me and postfix. And this is the report:

SPF strict:

https://dmarcian-eu.com/dmarc-inspector/sebbe.eu

Why?

Note you get DKIM pass?


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Chris
On Sun, 2017-02-12 at 01:53 +0100, Josh Good wrote:
> Hello.
> 
> I'm trying to set up a new procmail recipe to automatically file this
> mailing list's traffic into its own folder - because my old procmail
> recipe (filtering by TO: postfix-users@postfix.org) has proven to be
> not 100% effective (somehow, some posts to the mailing list are
> addressed to postfix-us...@cloud9.net instead, and are landing
> directly
> into my Inbox, where I can miss them or directly delete them as they
> are
> not subject-tagged).
> 
> Anyway, from studying the headers in several posts to the list, I
> haven't found the typical "List-Id:" header [1], which would have
> been my first choice. I see, however, that I can use the "Sender:
> owner-postfix-us...@postfix.org" header for my procmail recipe. OK,
> so problem solved.
> 
-%<

I've been using this recipe for, well, for years

:0
* ^Sender: owner-postfix-us...@postfix.org
$POSTF

HTH

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
20:59:21 up 8 days, 12:57, 2 users, load average: 0.39, 0.23, 0.19
Ubuntu 16.04.1 LTS, kernel 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18
14:10:15 UTC 2017



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Bill Cole

On 11 Feb 2017, at 21:53, li...@lazygranch.com wrote:

> Further, how does DKIM prove the message wasn't altered? To my 
> knowledge, SPF proves the message came from a qualified server and 
> DKIM proves the FQDN is a match. 


DKIM signs a hash of the canonicalized message body and the set of 
headers specified in the signature. Modify the body or any of those 
headers, the signature breaks.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
On 2017 Feb 11, 18:53, li...@lazygranch.com wrote:
> 
>How would a get a print out of email uses that fail DKIM, SPF, or
>both?
> 
>A few months ago there was chatter about how to rewrite the subject
>header to indicate the SPF and DKIM status. Unfortunately nothing
>further.
> 
>Further, how does DKIM prove the message wasn't altered? To my
>knowledge, SPF proves the message came from a qualified server and
>DKIM proves the FQDN is a match.

Anyone can DKIM sign an email message which passed through his systems,
even if the DKIM signer is not the original sender.

DMARC exists to ensure that a valid DKIM signature is aligned (~coincides) with
the email address in the Header-From.

A valid DKIM signature, irrespective of DMARC alignment, cryptographically
assures that the message has not been altered/tampered with since it
was signed.

A valid DKIM signature plus DMARC alignment, cryptographically assures
the message has not been altered and that it is authentic (i.e., the
provenance of the message is authenticated).

That's not saying all DKIM signed and DMARC aligned email is legit.
Spammers can perfectly send spam with a header-from like this:

From: PayPal Notification 

and have it DKIM signed and DMARC aligned.

However, if you get an email with a Header-From like this:

From: Paypal Notification 

with a valid DKIM signature and which is DMARC aligned, you can rest
assured that either the email is legit, or Paypal has been hacked to
death from the inside.

Regards,

-- 
Josh Good



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread lists
So technically integrity is assured from server to server, but not between 
clients and  server.



  Original Message  
From: Bill Cole
Sent: Saturday, February 11, 2017 7:08 PM
To: Postfix users
Reply To: Postfix users
Subject: Re: Why no List-ID header in the postfix-users posts?

On 11 Feb 2017, at 21:53, li...@lazygranch.com wrote:

> Further, how does DKIM prove the message wasn't altered? To my 
> knowledge, SPF proves the message came from a qualified server and 
> DKIM proves the FQDN is a match. 

DKIM signs a hash of the canonicalized message body and the set of 
headers specified in the signature. Modify the body or any of those 
headers, the signature breaks.


Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
On 2017 Feb 11, 19:18, li...@lazygranch.com wrote:
> So technically integrity is assured from server to server, but not between 
> clients and  server.

That is correct. DKIM is for MTA-to-MTA integrity.

If you want end-to-end (in-the-flesh sender to in-the-flesh recipient)
integrity, you need to use S/MIME or PGP, which run in your MUA (mail
client program) and not in the MTA (mail server program).

Why is MTA-to-MTA integrity important? Because it's better than nothing
(how many people do you know using S/MIME and/or PGP), and because
post-Snowden it can not hurt anyway to have it.

Regards,

-- 
Josh Good



Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Josh Good
OK, so I sent a message to the list which was rejected, I got a NDR like
this:



This message was sent by a program, not by a human person.

Your submission to the postfix-users mailing list was blocked because
your address is not subscribed, or because the submission contains
words like "subscribe", "unsubscribe", "change address", or "help",
in the subject or in the first few lines.

Here is the reason:

BOUNCE postfix-users@postfix.org: Admin request of type
/\bsubscribe\b/i at line 3

If you are not subscribed, see the instructions at
http://www.postfix.org/lists.html.

If you are subscribed, avoid using words that the filter rejects
(if you must use a forbidden word, insert spaces between the letters).
It is admittedly a stupid filter, but it prevents irritated responses
from people on the mailing list.
---


And the message rejected was this:


---
On 2017 Feb 11, 20:50, Wietse Venema wrote:

> Tags are not needed. If you subscribe to this list, file the messages
> to a dedicated folder for that list. Receiving list mail in the
> primary inbox is discouraged.

OK, understood.

I manage fine without the tags, I just was curious about why not having
them when it's so common in other lists.

--
Josh Good
---



Yeah, I see that "suscribe" in the 3rd line (first quoted line) of the
original message. It's funny, but no problem, I repost it.

Regards,

-- 
Josh Good



Re: [postfix-users] Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Kiss Gabor (Bitman)
> > Further, how does DKIM prove the message wasn't altered? To my knowledge,
> > SPF proves the message came from a qualified server and DKIM proves the FQDN
> > is a match. 
> 
> DKIM signs a hash of the canonicalized message body and the set of headers
> specified in the signature. Modify the body or any of those headers, the
> signature breaks.

Maybe DKIM verification should ignore list tags in the subject
if the first attempt was unsuccessful.
I.e. I could imagine a smarter canonicalization.

Gabor
-- 
"Spider-Pig, Spider-Pig
Does whatever a Spider-Pig does.
Can he swing from a web?
No, he can't, he's a pig.
Look out! He is a Spider-Pig."

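The three points made above, that DKIM covers a hash of the canonicalized body plus the listed headers (Bill Cole), that DMARC alignment only adds the requirement that the signing d= domain match the header From domain (Josh Good), and that a verifier could in principle retry after stripping a list tag from the Subject (Gabor), can be seen end to end in one constructed script. This is an added example, not code from the thread or from any DKIM implementation: an HMAC with a shared constructed key stands in for DKIM's public-key signature so it runs offline, the `paypal.example`, `paypa1.example` and `relay.example` domains are placeholders, and `verify_ignoring_list_tag` is a hypothetical illustration of Gabor's idea, not a standard behaviour.

```python
"""Toy DKIM sign/verify plus a DMARC alignment check (constructed example).

The HMAC stands in for DKIM's public-key signature so the demo needs no key
material; relaxed canonicalization, the bh=/h=/d= tags and alignment of d=
with the header From domain follow the real mechanism.
"""
import hashlib
import hmac
import re

SIGNED_HEADERS = ["from", "to", "subject", "date"]
KEY = b"constructed-shared-key"  # stand-in for the signer's private key / DNS public key


def parse_message(raw):
    """Split a message (no folded headers) into ([(name, value)], body)."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def header_value(headers, name):
    """First value of header `name` (name given in lowercase), or None."""
    for n, v in headers:
        if n.lower() == name:
            return v
    return None


def canon_header(name, value):
    """Relaxed header canonicalization: lowercase name, whitespace collapsed."""
    value = re.sub(r"\s+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def canon_body(body):
    """Relaxed body canonicalization: trim line ends, collapse whitespace runs,
    drop trailing empty lines, CRLF line endings."""
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines)


def parse_tags(sig):
    """Turn 'k=v; k=v' DKIM-Signature tags into a dict."""
    return dict(t.strip().split("=", 1) for t in sig.split(";") if t.strip())


def hash_input(headers, names, sig_without_b):
    """Bytes covered by the signature: the listed headers in h= order, then the
    DKIM-Signature header itself with an empty b= value."""
    data = "".join(canon_header(n, header_value(headers, n) or "") for n in names)
    return (data + canon_header("DKIM-Signature", sig_without_b)).encode()


def sign(raw, domain, key):
    """Prepend a DKIM-Signature header for `domain` to message `raw`."""
    headers, body = parse_message(raw)
    bh = hashlib.sha256(canon_body(body).encode()).hexdigest()
    h = ":".join(SIGNED_HEADERS)
    prefix = f"v=1; a=hmac-sha256; d={domain}; h={h}; bh={bh}; b="
    b = hmac.new(key, hash_input(headers, SIGNED_HEADERS, prefix), hashlib.sha256).hexdigest()
    return f"DKIM-Signature: {prefix}{b}\n" + raw


def verify(raw, key):
    """True only if the body hash and the header signature both check out."""
    headers, body = parse_message(raw)
    sig = header_value(headers, "dkim-signature")
    if sig is None:
        return False
    tags = parse_tags(sig)
    if tags.get("bh") != hashlib.sha256(canon_body(body).encode()).hexdigest():
        return False  # body altered after signing
    prefix = sig[: sig.rindex("b=") + 2]  # same header, b= emptied
    expected = hmac.new(key, hash_input(headers, tags["h"].split(":"), prefix), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags.get("b", ""))


def dmarc_aligned(raw, key):
    """Strict DMARC alignment: valid signature whose d= equals the header From
    domain.  Says nothing about whether that domain is honest."""
    if not verify(raw, key):
        return False
    headers, _ = parse_message(raw)
    m = re.search(r"@([\w.-]+)>?$", header_value(headers, "from") or "")
    d = parse_tags(header_value(headers, "dkim-signature"))["d"]
    return bool(m) and m.group(1).lower() == d.lower()


def verify_ignoring_list_tag(raw, key):
    """Hypothetical 'smarter canonicalization' (not part of DKIM): on failure,
    strip one leading '[tag] ' from the Subject and retry once."""
    if verify(raw, key):
        return True
    stripped = re.sub(r"^(Subject:[ \t]*)\[[^\]]*\][ \t]*", r"\1", raw, count=1, flags=re.M)
    return stripped != raw and verify(stripped, key)


# Constructed sample message; all domains are placeholders.
ORIGINAL = ("From: PayPal Notification <service@paypal.example>\n"
            "To: user@example.net\n"
            "Subject: Your receipt\n"
            "Date: Sat, 11 Feb 2017 17:56:00 +0100\n"
            "\n"
            "Thanks for your payment.\n")
SIGNED = sign(ORIGINAL, "paypal.example", KEY)
TAMPERED = SIGNED.replace("Thanks for your payment.", "Your payment was refunded.")
TAGGED = SIGNED.replace("Subject: Your receipt", "Subject: [postfix-users] Your receipt")
# A third party signs a message that still claims to be From paypal.example:
# the signature is valid, but d= does not align with the header From.
RESIGNED = sign(ORIGINAL, "relay.example", KEY)
# A lookalike domain signs its own mail: valid and aligned, and still not PayPal.
LOOKALIKE = sign(ORIGINAL.replace("@paypal.example", "@paypa1.example"), "paypa1.example", KEY)
```

Running `verify` on `SIGNED`, `TAMPERED` and `TAGGED` gives true, false, false: one changed body line or one `[postfix-users]` prefix on a signed Subject is enough to break the signature, which is exactly why a list that leaves headers and body untouched needs no DMARC workarounds. `RESIGNED` verifies but fails `dmarc_aligned`, while `LOOKALIKE` passes both, which is the "aligned is not the same as legitimate" point.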

Re: Why no List-ID header in the postfix-users posts?

2017-02-11 Thread Dominic Raferd

On 12/02/2017 02:44, Viktor Dukhovni wrote:

> On Sun, Feb 12, 2017 at 02:40:09AM +0100, Josh Good wrote:
>
>> And I don't mean to be an annoyance, but why no subject [tags]?
>
> This list carefully avoids modifying the message headers and body.
> Therefore, this list requires no ugly DMARC work-around hacks.  I
> am sure that we should keep it that way.


This thread has been informative, thank you to all contributors.

To go back to a point made by OP about SPF being 'good', it seems to me 
that SPF is fundamentally and irretrievably flawed - and frankly should 
be dropped. The fact that it works in 99.5% of situations just makes it 
worse. Any email that is passed by a recipient through an intermediate 
MTA (like all of mine, for instance) will have broken SPF when it 
reaches its final destination MTA. It is impossible for the sender to 
avoid this or indeed the recipient (unless they stop using an 
intermediate relaying server, which may however be required for instance 
to rewrite the destination mail address). Fortunately DMARC depends on 
DKIM *or* SPF and it is very rare for legitimate emails from a 
DMARC-enabled domain to fail DKIM and rely for success on passing SPF.


Secondly, IMO mailing lists should stop faking sender addresses and 
instead should send either from the mailing list address or at least 
from the mailing list domain e.g. 
postfix-users-from-sender-at-domain@postfix.org. That way the emails 
could be fully DMARC-compliant and avoid problems even for original 
senders with p=reject policy (for instance, yahoo users).
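The forwarding problem described above, and the reason DMARC usually survives it, can be traced through with a constructed SPF evaluator and a minimal DMARC decision. This is an added example, not code from the thread or from any SPF/DMARC library: the `SPF_RECORDS` dict stands in for DNS TXT lookups, the domains `sender.example` and `list.example` and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation placeholders, and only `ip4` mechanisms are implemented.

```python
"""Why a forwarding MTA breaks SPF, and why DMARC usually survives it
(constructed example with documentation-range addresses)."""
import ipaddress

# Stand-in for DNS TXT lookups: the sending domain authorizes two sources.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mailfrom_domain, client_ip):
    """Evaluate a minimal SPF record (ip4 mechanisms plus 'all') against the
    connecting IP.  Returns pass, fail, softfail, neutral or none."""
    record = SPF_RECORDS.get(mailfrom_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def dmarc_evaluate(header_from, mailfrom, client_ip, dkim_result, dkim_domain, policy):
    """DMARC passes if SPF *or* DKIM passes with an identifier aligned to the
    header From domain (strict alignment here); otherwise the policy applies.
    Returns (dmarc_result, action, spf_result)."""
    spf = spf_check(mailfrom, client_ip)
    spf_aligned = spf == "pass" and mailfrom == header_from
    dkim_aligned = dkim_result == "pass" and dkim_domain == header_from
    if spf_aligned or dkim_aligned:
        return "pass", "deliver", spf
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return "fail", action, spf


def scenarios(policy="reject"):
    """Three deliveries of the same message from sender.example."""
    return {
        # 1. direct delivery from an authorized IP: SPF and DKIM both pass
        "direct": dmarc_evaluate("sender.example", "sender.example",
                                 "192.0.2.10", "pass", "sender.example", policy),
        # 2. recipient forwards through an intermediate MTA: SPF fails because
        #    the relay's IP is not in the record, but the untouched DKIM
        #    signature still aligns, so DMARC passes
        "forwarded": dmarc_evaluate("sender.example", "sender.example",
                                    "203.0.113.5", "pass", "sender.example", policy),
        # 3. a list that rewrites the Subject and uses its own envelope sender:
        #    SPF no longer aligns and DKIM broke, so p=reject takes effect
        "list_modified": dmarc_evaluate("sender.example", "list.example",
                                        "203.0.113.5", "fail", "sender.example", policy),
    }
```

The `forwarded` case is Dominic's situation: SPF reports `fail` at the final MTA, yet DMARC still passes on the DKIM identifier, which is why a DMARC-enabled sender is rarely left depending on SPF alone. The `list_modified` case is the one Josh warned about earlier in the thread: once a list both changes the envelope sender and breaks the signature, a `p=reject` policy rejects the poster's own mail.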