Re: Problems with rspamd, DKIM and a body getting altered after dkim signing because of changed content-transfer-encoding

2019-03-12 Thread Ralph Seichter
* Michael Ludwig:

> So any help is greatly appreciated.

I doubt that Postfix is the culprit. I ran into similar issues a while
ago: E-Mail sent by me which included German umlauts did not arrive with
a valid DKIM signature. I thought that disabling the 8BITMIME extension
in Postfix was a possible solution, but that did not make a difference.

After fruitless experiments, I found that Thunderbird was (at least
partly) to blame. Only after setting "mail.strictly_mime=true" via TB's
config editor did I no longer experience DKIM signature breakage.

My point is that it is not trivial to figure out where your problem
originates. If you find a solution, I would be very interested in hearing
about it.

-Ralph


Re: Problems with rspamd, DKIM and a body getting altered after dkim signing because of changed content-transfer-encoding

2019-03-12 Thread Wietse Venema
Michael Ludwig:
> Hi to all of you,
> 
> For weeks I've been struggling with this problem, not being able to solve
> it on my own, and I think the last possibility of getting help is to
> ask you, the experts right here.
> I set up a mailserver with the help of a howto I found on the net.
> Mainly everything is okay, mails are received and sending is also
> possible. Spam is getting sorted out and DKIM, SPF and DMARC are
> working on the domains I switched to that new mailserver.
> 
> A few weeks ago I figured out that there is a problem when a
> conversation is going on via mail, at some point the postfix changes
> the content-transfer-encoding from 7bit to quoted-printable.

No, it doesn't. Postfix may convert 8bit mail into 7bit quoted-printable,
depending on whether disable_mime_output_conversion is yes or no,
and whether a down-stream SMTP receiver announces 8BITMIME support.

Postfix does not convert 7bit mail into quoted-printable. That is
how it has worked since 2002.

Please solve the right problem.

Wietse


Problems with rspamd, DKIM and a body getting altered after dkim signing because of changed content-transfer-encoding

2019-03-12 Thread Michael Ludwig
Hi to all of you,

For weeks I've been struggling with this problem, not being able to solve
it on my own, and I think the last possibility of getting help is to
ask you, the experts right here.
I set up a mailserver with the help of a howto I found on the net.
Mainly everything is okay, mails are received and sending is also
possible. Spam is getting sorted out and DKIM, SPF and DMARC are
working on the domains I switched to that new mailserver.

A few weeks ago I figured out that there is a problem when a
conversation is going on via mail, at some point the postfix changes
the content-transfer-encoding from 7bit to quoted-printable.
This makes sense, the MTA postfix is doing what it is expected to.
I've read about line-lengths, 8bitmime, utf8 and so on. But this
behaviour is breaking DKIM signing, as signing with rspamd is done
before the encoding conversion.

So I hope there is a possibility to get this problem solved with your help.
Please forgive me that at this point I did not post any details as I
am waiting for you telling me what configs, logs, snippets, headers
and so on you need to have in order to be able to help.
What I know is that rspamd is called via the milter functionality of
postfix. But I didn't find any resources on the net on how to change
the order, so that rspamd dkim signing comes last.
This seems to be important in the master.cf as that must be the point
where the smtps-session is controlled. But I can't see anything where
it calls the milter, so that is why I have no clue where to begin
searching.

So any help is greatly appreciated.

Best regards,
Michael
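To show why a transfer-encoding change after signing breaks the signature, here is an added Python illustration (not code from this thread or from rspamd/Postfix): it computes the DKIM body hash with relaxed canonicalization (RFC 6376, sha256, base64 as in the bh= tag) over a constructed 8bit body and over the same body after quoted-printable conversion, and shows that relaxed canonicalization tolerates whitespace changes but not a re-encoded body.

```python
import base64
import binascii
import hashlib
import re

CRLF = b"\r\n"


def relaxed_body_canon(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization:
    collapse runs of WSP to one SP, drop trailing WSP on each line,
    drop trailing empty lines, and end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else b""


def body_hash(body: bytes) -> str:
    """The value a signer stores in the bh= tag (sha256, base64) for this body."""
    digest = hashlib.sha256(relaxed_body_canon(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def to_quoted_printable(body: bytes) -> bytes:
    """8bit -> 7bit quoted-printable, line by line, the way an output
    conversion rewrites a body that was handed over as 8bit."""
    return CRLF.join(binascii.b2a_qp(ln) for ln in body.split(CRLF))


def signature_survives(body_at_signing: bytes, body_at_verify: bytes) -> bool:
    """True when the verifier recomputes the same bh= the signer stored."""
    return body_hash(body_at_signing) == body_hash(body_at_verify)


# Constructed sample: a German umlaut line, first as 8bit UTF-8, then in the
# quoted-printable form a downstream conversion produces.
BODY_8BIT = "Grüße aus Berlin\r\n".encode("utf-8")
BODY_QP = to_quoted_printable(BODY_8BIT)   # b"Gr=C3=BC=C3=9Fe aus Berlin\r\n"

if __name__ == "__main__":
    print("signed 8bit, verified 8bit:", signature_survives(BODY_8BIT, BODY_8BIT))
    print("signed 8bit, verified QP:  ", signature_survives(BODY_8BIT, BODY_QP))
    print("signed QP,   verified QP:  ", signature_survives(BODY_QP, BODY_QP))
```

The last case is what a client that already sends quoted-printable (or a signer placed after the conversion) gives you: nothing downstream has to rewrite the body, so the hash holds.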


Re: DKIM setup writeup for multi domain?

2019-03-12 Thread Michael

I found my notes. This is for RHEL:


yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms"

yum -y install opendkim

#generate keys for each domain
cd /etc/opendkim/keys
mkdir example1.com
mkdir example2.com
opendkim-genkey -D /etc/opendkim/keys/example1.com/ -d example1.com -s dkim1 -a
opendkim-genkey -D /etc/opendkim/keys/example2.com/ -d example2.com -s dkim1 -a


chown -R root:opendkim /etc/opendkim/keys/*
chmod 640 /etc/opendkim/keys/example1.com/dkim1.private
chmod 644 /etc/opendkim/keys/example1.com/dkim1.txt
chmod 640 /etc/opendkim/keys/example2.com/dkim1.private
chmod 644 /etc/opendkim/keys/example2.com/dkim1.txt

#/etc/opendkim.conf
Mode s
#LogWhy yes
#KeyFile /etc/opendkim/keys/default.private
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

#/etc/opendkim/KeyTable
dkim1._domainkey.example1.com example1.com:dkim1:/etc/opendkim/keys/example1.com/dkim1.private
dkim1._domainkey.example2.com example2.com:dkim1:/etc/opendkim/keys/example2.com/dkim1.private


#/etc/opendkim/SigningTable
*@example1.com dkim1._domainkey.example1.com
*@example2.com dkim1._domainkey.example2.com

#/etc/opendkim/TrustedHosts
127.0.0.1
10.0.0.0/8

#/etc/postfix/main.cf
#OpenDKIM
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept





On 2019-03-12 1:52 pm, Fazzina, Angelo wrote:

> Hi, wouldn't the answer to the OP's question be to just list all the
> domains they want signed in the file
>
> /etc/opendkim/SigningTable
>
> Assuming they are using Opendkim.
>
> I wrote some documentation here.
> https://linux.uits.uconn.edu/dkim-review-of-all-aspects/
>
> -ANGELO FAZZINA
>
> ang...@uconn.edu
> University of Connecticut, ITS, SSG, Server Systems
> 860-486-9075
>
> -Original Message-
> From: owner-postfix-us...@postfix.org On Behalf Of Michael
> Sent: Tuesday, March 12, 2019 2:48 PM
> To: postfix-users@postfix.org
> Subject: {SPAM?} Re: DKIM setup writeup for multi domain?
>
> I think this is the one I used.  Works great.
> https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>
> On 2019-03-12 7:31 am, li...@sbt.net.au wrote:
>
> > I'm looking at adding DKIM to my Postfix
> >
> > is there some up to date DKIM setup write up for multi domain Postfix
> > setup ? most of the ones I've found are for single domain, and, use
> > different setups, hence I'm trying to figure out what's the best way to
> > set this up.
> >
> > V
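A consistency check for KeyTable/SigningTable pairs like the ones in these notes, added here as an example (it is not part of OpenDKIM or of the notes): it parses both tables from constructed text and flags SigningTable rules whose key is missing from the KeyTable, or whose address domain is neither the key's domain nor a subdomain of it, since such mail would be signed with a d= that does not align for DMARC.

```python
# Constructed sample tables modelled on the RHEL notes above (not the poster's
# real files): the third SigningTable rule names a key that does not exist and
# the fourth signs example2.com mail with example1.com's key.
KEYTABLE = """\
dkim1._domainkey.example1.com example1.com:dkim1:/etc/opendkim/keys/example1.com/dkim1.private
dkim1._domainkey.example2.com example2.com:dkim1:/etc/opendkim/keys/example2.com/dkim1.private
"""
SIGNINGTABLE = """\
*@example1.com      dkim1._domainkey.example1.com
*@mail.example1.com dkim1._domainkey.example1.com
*@example3.com      dkim1._domainkey.example3.com
*@example2.com      dkim1._domainkey.example1.com
"""


def _entries(text):
    """Yield (lhs, rhs) pairs, skipping blank lines and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lhs, rhs = line.split(None, 1)
            yield lhs, rhs.strip()


def parse_keytable(text):
    """KeyTable: key name -> {domain, selector, path} from domain:selector:path."""
    keys = {}
    for name, spec in _entries(text):
        domain, selector, path = spec.split(":", 2)
        keys[name] = {"domain": domain, "selector": selector, "path": path}
    return keys


def pattern_domain(pattern):
    """Domain part of a refile: pattern such as *@example1.com or *@*.example1.com."""
    return pattern.rsplit("@", 1)[-1].lower()


def aligned(addr_domain, key_domain):
    """Relaxed DMARC alignment: the address domain equals d= or is a subdomain of it."""
    return addr_domain == key_domain or addr_domain.endswith("." + key_domain)


def check_tables(keytable_text, signingtable_text):
    """Return a list of problems; an empty list means every SigningTable rule
    maps to an existing key whose domain aligns with the addresses it signs."""
    keys = parse_keytable(keytable_text)
    problems = []
    for pattern, keyname in _entries(signingtable_text):
        entry = keys.get(keyname)
        if entry is None:
            problems.append(f"{pattern}: key {keyname} is not in the KeyTable")
            continue
        if not aligned(pattern_domain(pattern), entry["domain"].lower()):
            problems.append(f"{pattern}: signed with d={entry['domain']}, "
                            "which will not align for DMARC")
    return problems


if __name__ == "__main__":
    for problem in check_tables(KEYTABLE, SIGNINGTABLE):
        print(problem)
```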


Re: DKIM setup writeup for multi domain?

2019-03-12 Thread Fazzina, Angelo
Hi, wouldn't the answer to the OP's question be to just list all the domains 
they want signed in the file
/etc/opendkim/SigningTable

Assuming they are using Opendkim.

I wrote some documentation here.
https://linux.uits.uconn.edu/dkim-review-of-all-aspects/


-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-Original Message-
From: owner-postfix-us...@postfix.org  On 
Behalf Of Michael
Sent: Tuesday, March 12, 2019 2:48 PM
To: postfix-users@postfix.org
Subject: {SPAM?} Re: DKIM setup writeup for multi domain?

I think this is the one I used.  Works great.
https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/


On 2019-03-12 7:31 am, li...@sbt.net.au wrote:

> I'm looking at adding DKIM to my Postfix
> 
> is there some up to date DKIM setup write up for multi domain Postfix
> setup ? most of the ones I've found are for single domain, and, use
> different setups, hence I'm trying to figure out what's the best way to
> set this up.
> 
> V


Re: DKIM setup writeup for multi domain?

2019-03-12 Thread Michael
I think this is the one I used.  Works great. 
https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/



On 2019-03-12 7:31 am, li...@sbt.net.au wrote:

> I'm looking at adding DKIM to my Postfix
>
> is there some up to date DKIM setup write up for multi domain Postfix
> setup ? most of the ones I've found are for single domain, and, use
> different setups, hence I'm trying to figure out what's the best way to
> set this up.
>
> V


Re: DKIM setup writeup for multi domain?

2019-03-12 Thread Ralph Seichter
> is there some up to date DKIM setup write up for multi domain Postfix
> setup ?

Amavisd and OpenDKIM each support multiple domains. Since Postfix does
not handle DKIM signatures, you need to look into external tools.

-Ralph


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Wietse Venema
Bill Cole:
> Also (as I discovered by testing) smtpd does not canonicalize 
> ADDR=IPv6:* strings given to it by XCLIENT, so testing that way requires 
> the tester to know how to canonicalize an address.

Aha, that is a good point. Added canonicalization to the todo list.

Wietse


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Wietse Venema
Vincent Lefevre:
> BTW, I'm wondering why a canonical form is used for the match
> instead of a form without compressed zeros. Wouldn't the latter
> be more useful in practice, while not slower?

Because the compressed form is what Postfix logs, therefore the
compressed form is what Postfix uses for access map lookups. If
Postfix were to use form X for logging and some unspecified different
form Y for access map lookups, then that would be a real WTF.
Instead, Postfix documents how it derives lookups from form X.

Again, I recommend using cidr if you need control over the matching
process.

Wietse


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Bill Cole

On 12 Mar 2019, at 11:39, Wietse Venema wrote:

> Bill Cole:
> > On 12 Mar 2019, at 10:29, Wietse Venema wrote:
> >
> > > Bill, I think that an IPv6 address ending in 0000 will work only in
> > > a cidr access map, because all other maps use string comparison.
> >
> > Did you notice the demo I included, using a hash map?
>
> The postmap command does not know how the Postfix SMTP daemon converts
> an IPv6 address to string, which means that IPv6 address tests with
> the postmap command are valid only when using cidr maps.

I suspected that might be the case...

> The Postfix SMTP daemon looks up the same address form as the form
> that it logs in information about the remote SMTP client. For
> example, 2604:8d00:0:1::4 or 2001:41d0:1:88ce:: (these are real
> samples from my maillog files).

Also (as I discovered by testing) smtpd does not canonicalize
ADDR=IPv6:* strings given to it by XCLIENT, so testing that way requires
the tester to know how to canonicalize an address.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Vincent Lefevre
On 2019-03-12 11:39:54 -0400, Wietse Venema wrote:
> Bill Cole:
> > On 12 Mar 2019, at 10:29, Wietse Venema wrote:
> > 
> > > Bill, I think that an IPv6 address ending in 0000 will work only in
> > > a cidr access map, because all other maps use string comparison.

After looking at the postfix source, I think that it might work with
2 tests if they are written in the "right" way (see below).

> > Did you notice the demo I included, using a hash map?
> 
> The postmap command does not know how the Postfix SMTP daemon converts
> an IPv6 address to string, which means that IPv6 address tests with
> the postmap command are valid only when using cidr maps.
> 
> The Postfix SMTP daemon looks up the same address form as the form
> that it logs in information about the remote SMTP client. For
> example, 2604:8d00:0:1::4 or 2001:41d0:1:88ce:: (these are real
> samples from my maillog files).

IMHO, the access(5) man page should be clarified to mention that
and also how truncating is done. So, what is in canonical form is
not the access map lookup key, but the IPv6 address. After that,
this is just a sequence of purely string operations.

The ":octetpair" in the man page is not clear because when the
IPv6 address is in compressed form, one may wonder what this means
when reaching a "::". If I understand correctly, the code that does
the checks is check_addr_access in src/smtpd/smtpd_check.c, which
has:

#ifdef HAS_IPV6
if (strchr(addr, ':') != 0)
delim = ':';
else
#endif
delim = '.';
[...]
do {
[...]
} while (split_at_right(addr, delim));

So, what is removed in the truncation is the last sequence starting
with ":", whatever it means (not necessarily an octet pair).

On my example, 2a04:5200:fff4::fe would be successively transformed
into:

2a04:5200:fff4:
2a04:5200:fff4
2a04:5200
2a04

(even though the first key, which ends with ":", is not in some usual
form). Am I right? If yes, this would mean that

2a04:5200:fff4:0 REJECT Blacklisted
2a04:5200:fff4:  REJECT Blacklisted

would be equivalent to 2a04:5200:fff4::/64 in a cidr table, because
"2a04:5200:fff4:0" would match an uncompressed 0 in the 4th octet
pair and "2a04:5200:fff4:" would match a compressed 0 in the 4th
octet pair.

BTW, I'm wondering why a canonical form is used for the match
instead of a form without compressed zeros. Wouldn't the latter
be more useful in practice, while not slower?

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Wietse Venema
Bill Cole:
> On 12 Mar 2019, at 10:29, Wietse Venema wrote:
> 
> > Bill, I think that an IPv6 address ending in 0000 will work only in
> > a cidr access map, because all other maps use string comparison.
> 
> Did you notice the demo I included, using a hash map?

The postmap command does not know how the Postfix SMTP daemon converts
an IPv6 address to string, which means that IPv6 address tests with
the postmap command are valid only when using cidr maps.

The Postfix SMTP daemon looks up the same address form as the form
that it logs in information about the remote SMTP client. For
example, 2604:8d00:0:1::4 or 2001:41d0:1:88ce:: (these are real
samples from my maillog files).

> > When the Postfix SMTP server queries a table it will use a system
> > library function to convert the client IP address to string, and
> > that function will
> > - first strip leading zeros, leaving a single zero when an octet pair 
> > is null.
> > - then it will collapse repeated '0' fields.
> >
> > So that is the canonical form for searching a non-cidr map.

Wietse


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Bill Cole

On 12 Mar 2019, at 10:29, Wietse Venema wrote:

> Bill, I think that an IPv6 address ending in 0000 will work only in
> a cidr access map, because all other maps use string comparison.

Did you notice the demo I included, using a hash map?

> When the Postfix SMTP server queries a table it will use a system
> library function to convert the client IP address to string, and
> that function will
> - first strip leading zeros, leaving a single zero when an octet pair
> is null.
> - then it will collapse repeated '0' fields.
>
> So that is the canonical form for searching a non-cidr map.

That does not seem to match the experience of the OP or the behavior I
documented with the posted demo, in which I *think* I reproduced the
documented matching algorithm.

I expect that my puzzlement is related to postmap and smtpd not behaving
quite identically.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Re: Uhm... next bug or my faulty configuration?

2019-03-12 Thread Wietse Venema
A. Schulze:
> 
> Viktor Dukhovni:
> 
> > Your no-BDAT work-around is sufficient until the code is updated
> > along lines below
> 
> 
> Hello Viktor,
> 
> Thanks for that patch. I confirm it works as expected

Did you test it in smtpd_end_of_data_restrictions?

Wietse


Re: Uhm... next bug or my faulty configuration?

2019-03-12 Thread A. Schulze



Viktor Dukhovni:

> Your no-BDAT work-around is sufficient until the code is updated
> along lines below

Hello Viktor,

Thanks for that patch. I confirm it works as expected

Andreas



Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Wietse Venema
Bill, I think that an IPv6 address ending in 0000 will work only in
a cidr access map, because all other maps use string comparison.

When the Postfix SMTP server queries a table it will use a system
library function to convert the client IP address to string, and
that function will
- first strip leading zeros, leaving a single zero when an octet pair is null.
- then it will collapse repeated '0' fields.

So that is the canonical form for searching a non-cidr map.

Wietse
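To make concrete both the canonical string form Wietse describes here and the truncation loop Vincent quotes from smtpd_check.c earlier in the thread, here is an added Python model (not Postfix code): it canonicalizes a client address with the ipaddress module, assumed to give the same text Postfix logs, generates lookup keys exactly as the quoted split_at_right() loop does, and checks Vincent's two-key table against a cidr /64 on a few constructed addresses.

```python
import ipaddress

# Constructed access table with the two keys Vincent proposes for the /64 block
ACCESS_TABLE = {
    "2a04:5200:fff4:0": "REJECT Blacklisted",  # uncompressed zero 4th field
    "2a04:5200:fff4:":  "REJECT Blacklisted",  # 4th field swallowed by "::"
}

# Constructed client addresses, inside and outside 2a04:5200:fff4::/64
SAMPLE_CLIENTS = [
    "2a04:5200:fff4::fe",          # the address from the original question
    "2a04:5200:fff4:0:1:0:0:1",    # canonical form keeps the 4th field as "0"
    "2a04:5200:fff4::",
    "2a04:5200:fff4:0:0:0:0:1",
    "2a04:5200:fff4:1::1",         # outside the /64
    "2a04:5200:fff5::1",
    "2a04:5200:0:0:fff4::1",
]


def canonical(addr: str) -> str:
    """Compressed text form (leading zeros stripped, longest zero run collapsed).
    Assumption: this matches the string Postfix logs for the client address."""
    return str(ipaddress.ip_address(addr))


def lookup_keys(addr: str) -> list:
    """Keys tried, in order, by the truncation loop quoted from smtpd_check.c:
    the full string, then everything left of the last delimiter, repeatedly."""
    delim = ":" if ":" in addr else "."
    keys = [addr]
    while True:
        head, sep, _ = addr.rpartition(delim)
        if not sep:                 # split_at_right() found nothing: stop
            return keys
        addr = head
        keys.append(addr)


def access_lookup(client_addr: str, table: dict):
    """First (key, action) hit for the client, or None if nothing matches."""
    for key in lookup_keys(canonical(client_addr)):
        if key in table:
            return key, table[key]
    return None


def same_as_cidr(client_addr: str, table: dict, network: str) -> bool:
    """Does the string-truncation lookup agree with a cidr map for this client?"""
    by_string = access_lookup(client_addr, table) is not None
    by_cidr = ipaddress.ip_address(client_addr) in ipaddress.ip_network(network)
    return by_string == by_cidr


if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(canonical(client), "->", lookup_keys(canonical(client)),
              access_lookup(client, ACCESS_TABLE))
```

Note that a table holding only the key "2a04:5200:fff4:0" never matches 2a04:5200:fff4::fe, which is the behaviour reported at the start of the thread.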


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Bill Cole

On 12 Mar 2019, at 9:16, Vincent Lefevre wrote:

> On 2019-03-12 08:49:28 -0400, Bill Cole wrote:
> > "0" is not an octet pair. Demo:
> >
> > # cat accessdemo
> > 2a04:5200:fff4:0    REJECT 554 trailing zero
> > 2a04:5200:fff4:0000 REJECT 554 trailing octet pair zeros
> > 2a04:5200:fff4      REJECT 554 NO trailing zero
> >
> > # postmap hash:accessdemo
> >
> > # postmap -q 2a04:5200:fff4:0000:0001:0000:0000:0001 accessdemo
> >
> > # postmap -q 2a04:5200:fff4:0000:0001:0000:0000 accessdemo
> >
> > # postmap -q 2a04:5200:fff4:0000:0001:0000 accessdemo
> >
> > # postmap -q 2a04:5200:fff4:0000:0001 accessdemo
> >
> > # postmap -q 2a04:5200:fff4:0000 accessdemo
> > REJECT 554 trailing octet pair zeros
> >
> > # postmap -q 2a04:5200:fff4 accessdemo
> > REJECT 554 NO trailing zero
>
> OK, so you mean that "0" must be written as "0000"?

Yes, if you need it to match (i.e. if it isn't just a placeholder.)

> Then why does the access(5) man page say "The access map lookup key
> must be in canonical form" while "0000" is not the canonical form?

I have no answer for that. All I know is what actually works.

The RFC definition of "canonical form" is arguably inconsistent with the
description of the required format for Postfix and its matching strategy
in the access(5) man page.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


Old bug: reject_multi_recipient_bounce

2019-03-12 Thread Wietse Venema
A. Schulze:
> Hello,
> 
> updated from 3.4.1 to 3.4.3 and at the same time dovecot-2.2 to dovecot-2.3 (
> + pigeonhole)
> I assume the changed behavior is dovecot/pigeonhole now using the advertised
> "CHUNKING" extension.
> 
> Now an echo service (dovecot-2.3-pigeonhole) doesn't send messages anymore.
> Reason: "Data command rejected: Multi-recipient bounce" while there is
> clearly only one recipient.

This is 13 years old: reject_multi_recipient_bounce has had the same
false rejects in smtpd_end_of_data_restrictions since Postfix 2.2.

Viktor's patch addresses the symptom (BDAT) but not the root cause.
The patch below fixes both BDAT and smtpd_end_of_data_restrictions.

In this case, smaller is better.

Wietse

diff -bur /var/tmp/postfix-3.5-20190310/src/smtpd/smtpd_check.c 
./src/smtpd/smtpd_check.c
--- /var/tmp/postfix-3.5-20190310/src/smtpd/smtpd_check.c   2018-08-23 
09:44:18.0 -0400
+++ ./src/smtpd/smtpd_check.c   2019-03-12 08:28:20.627312192 -0400
@@ -4583,7 +4583,7 @@
status = check_recipient_rcpt_maps(state, state->recipient);
} else if (strcasecmp(name, REJECT_MUL_RCPT_BOUNCE) == 0) {
if (state->sender && *state->sender == 0 && state->rcpt_count
-   > (strcmp(state->where, SMTPD_CMD_DATA) ? 0 : 1))
+   > (strcmp(state->where, SMTPD_CMD_RCPT) != 0))
status = smtpd_check_reject(state, MAIL_ERROR_POLICY,
var_mul_rcpt_code, "5.5.3",
"<%s>: %s rejected: Multi-recipient bounce",
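Review bot: the new limit `(strcmp(state->where, SMTPD_CMD_RCPT) != 0)` is correct but it is a boolean used as an integer, and nothing in the hunk says why the RCPT stage gets 0 while every other stage gets 1; a comment above the `if` would carry that, for example `/* During RCPT the recipient being checked is not yet in rcpt_count. */`, and would also record that the old `strcmp(state->where, SMTPD_CMD_DATA) ? 0 : 1` applied the 0 limit to BDAT and end-of-data as well, which is the false reject this change removes. Since `*state->sender == 0` plus more than one counted recipient is now rejected at DATA, BDAT and end-of-data alike, the BDAT-only work-around mentioned above is no longer needed, and the commit text could say so.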


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Wietse Venema
Vincent Lefevre:
[ Charset ISO-8859-1 converted... ]
> I would like to match the 2a04:5200:fff4:0 IPv6 addresses (/64 block)
> in an access table (and I'd like to avoid using a cidr lookup table
> for specific cases). I have
> 
> 2a04:5200:fff4:0 REJECT Blacklisted

Short answer: 2a04:5200:fff4 (strip zero octets).

Or use a cidr map for maximal control.

Wietse


Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Vincent Lefevre
On 2019-03-12 08:49:28 -0400, Bill Cole wrote:
> "0" is not an octet pair. Demo:
> 
> # cat accessdemo
> 2a04:5200:fff4:0    REJECT 554 trailing zero
> 2a04:5200:fff4:0000 REJECT 554 trailing octet pair zeros
> 2a04:5200:fff4      REJECT 554 NO trailing zero
> 
> # postmap hash:accessdemo
> 
> # postmap -q 2a04:5200:fff4:0000:0001:0000:0000:0001 accessdemo
> 
> # postmap -q 2a04:5200:fff4:0000:0001:0000:0000 accessdemo
> 
> # postmap -q 2a04:5200:fff4:0000:0001:0000 accessdemo
> 
> # postmap -q 2a04:5200:fff4:0000:0001 accessdemo
> 
> # postmap -q 2a04:5200:fff4:0000 accessdemo
> REJECT 554 trailing octet pair zeros
> 
> # postmap -q 2a04:5200:fff4 accessdemo
> REJECT 554 NO trailing zero

OK, so you mean that "0" must be written as "0000"?

Then why does the access(5) man page say "The access map lookup key
must be in canonical form" while "0000" is not the canonical form?

According to https://tools.ietf.org/html/rfc5952


4.1.  Handling Leading Zeros in a 16-Bit Field

   Leading zeros MUST be suppressed.  For example, 2001:0db8::0001 is
   not acceptable and must be represented as 2001:db8::1.  A single 16-
   bit 0000 field MUST be represented as 0.


-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)


Re: DKIM setup writeup for multi domain?

2019-03-12 Thread Andrey Repin
Greetings, li...@sbt.net.au!

> I'm looking at adding DKIM to my Postfix

> is there some up to date DKIM setup write up for multi domain Postfix
> setup ?

Since postfix itself does not perform DKIM signing or validation, the postfix
setup is no different, no matter, how many domains you are using.

> most of the ones I've found are for single domain, and, use
> different setups, hence I'm trying to figure out what's the best way to
> set this up.

You just set "this" up and tell your DKIM handler what to do.


-- 
With best regards,
Andrey Repin
Tuesday, March 12, 2019 15:48:27

Sorry for my terrible english...



Re: How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Bill Cole

On 12 Mar 2019, at 7:53, Vincent Lefevre wrote:

> I would like to match the 2a04:5200:fff4:0 IPv6 addresses (/64 block)
> in an access table (and I'd like to avoid using a cidr lookup table
> for specific cases). I have
>
> 2a04:5200:fff4:0 REJECT Blacklisted
>
> However, 2a04:5200:fff4::fe was not caught.
>
> The access(5) man page says "The access map lookup key must be in
> canonical form" but this is ambiguous as RFC 5952 does not specify
> canonical form for subnetworks. For instance, if the IPv6 address
> is 2a04:5200:fff4:0:1:0:0:1, then its canonical form would be
> 2a04:5200:fff4:0:1::1, so that the 2a04:5200:fff4:0 prefix is
> necessarily valid.

From the access(5) man page:

   net   Matches the specified IPv6 host address or subnetwork. An IPv6
         host address is a sequence of three to eight hexadecimal octet
         pairs separated by ":".
   [...]
         Subnetworks are matched by repeatedly truncating the last
         ":octetpair" from the remote IPv6 host address string until a
         match is found in the access table, or until further truncation
         is not possible.

         NOTE 1: the truncation and comparison are done with the string
         representation of the IPv6 host address. Thus, not all the ":"
         subnetworks will be tried.

"0" is not an octet pair. Demo:

# cat accessdemo
2a04:5200:fff4:0    REJECT 554 trailing zero
2a04:5200:fff4:0000 REJECT 554 trailing octet pair zeros
2a04:5200:fff4      REJECT 554 NO trailing zero

# postmap hash:accessdemo

# postmap -q 2a04:5200:fff4:0000:0001:0000:0000:0001 accessdemo

# postmap -q 2a04:5200:fff4:0000:0001:0000:0000 accessdemo

# postmap -q 2a04:5200:fff4:0000:0001:0000 accessdemo

# postmap -q 2a04:5200:fff4:0000:0001 accessdemo

# postmap -q 2a04:5200:fff4:0000 accessdemo
REJECT 554 trailing octet pair zeros

# postmap -q 2a04:5200:fff4 accessdemo
REJECT 554 NO trailing zero



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole


DKIM setup writeup for multi domain?

2019-03-12 Thread lists
I'm looking at adding DKIM to my Postfix

is there some up to date DKIM setup write up for multi domain Postfix
setup ? most of the ones I've found are for single domain, and, use
different setups, hence I'm trying to figure out what's the best way to
set this up.

V



How to match 2a04:5200:fff4:0 in access table?

2019-03-12 Thread Vincent Lefevre
I would like to match the 2a04:5200:fff4:0 IPv6 addresses (/64 block)
in an access table (and I'd like to avoid using a cidr lookup table
for specific cases). I have

2a04:5200:fff4:0 REJECT Blacklisted

However, 2a04:5200:fff4::fe was not caught.

The access(5) man page says "The access map lookup key must be in
canonical form" but this is ambiguous as RFC 5952 does not specify
canonical form for subnetworks. For instance, if the IPv6 address
is 2a04:5200:fff4:0:1:0:0:1, then its canonical form would be
2a04:5200:fff4:0:1::1, so that the 2a04:5200:fff4:0 prefix is
necessarily valid.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)