Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Jason Hirsh
The thing is … that is an INCOMING not an outgoing email..   Maybe it is 
failing a DKIM test for incoming


I can’t seem to get OpenDKIM to sign my OUTGOING

> On Oct 25, 2019, at 1:17 PM, Fazzina, Angelo wrote:
> 
>  
> From what I can tell the DNS record was not found.
>  
> Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>  
> And I can’t find it…..
>  
> [root@exa02dbadm01 ~]# dig -t txt zendesk1._domainkey.lightandmotion.com 
> 
>  
> ; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t txt zendesk1._domainkey.lightandmotion.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33283
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;zendesk1._domainkey.lightandmotion.com. IN TXT
> 
> ;; AUTHORITY SECTION:
> lightandmotion.com. 10800   IN  SOA dns042.a.register.com. root.register.com. 2019021518 28800 7200 604800 14400
>  
> ;; Query time: 65 msec
> ;; SERVER: 137.99.25.14#53(137.99.25.14)
> ;; WHEN: Fri Oct 25 13:12:38 EDT 2019
> ;; MSG SIZE  rcvd: 126
>  
>  
>  
> -ANGELO FAZZINA
>  
> ang...@uconn.edu 
> University of Connecticut,  ITS, SSG, Server Systems
> 860-486-9075
>  


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Christian Kivalo



On October 25, 2019 9:58:28 PM GMT+02:00, Jason Hirsh  wrote:
>I am getting entries in my maillog, but only in regards to OpenDKIM
>working to verify INCOMING
>These are clearly entries from OpenDKIM.  There is nothing
>corresponding for actions relative to outgoing mail
What happens when you comment the ExternalIgnoreList and InternalHost settings 
in opendkim.conf, restart the service and send a test mail originating from one 
of the domains you're trying to sign?
What do the logs show?

My opendkim.conf has refile: prefix also for the KeyTable option. 

Regards
Christian
-- 
Christian Kivalo
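
Added example (not part of the thread, and not OpenDKIM or Postfix code): one way to answer "what do the logs show?" is to group opendkim maillog lines by queue ID and separate signing from verification activity. The sample lines, queue IDs and hosts are constructed, and the matched message texts assume the wording OpenDKIM uses with Syslog, SyslogSuccess and LogWhy enabled.

```python
import re

# Constructed sample, shaped like the opendkim maillog lines quoted in this
# thread; queue IDs, hosts and addresses are made up for illustration.
SAMPLE_LOG = """\
Oct 25 12:45:14 mx opendkim[50261]: A1B2C3D4E5: DKIM-Signature field added (s=default, d=example.com)
Oct 25 12:46:02 mx opendkim[50261]: B2C3D4E5F6: client.example.net [192.0.2.10] not internal
Oct 25 12:46:02 mx opendkim[50261]: B2C3D4E5F6: not authenticated
Oct 25 12:46:02 mx opendkim[50261]: B2C3D4E5F6: no signature data
Oct 25 12:47:30 mx opendkim[50261]: C3D4E5F6A7: key retrieval failed (s=sel1, d=sender.example): 'sel1._domainkey.sender.example' record not found
Oct 25 12:48:11 mx opendkim[50261]: D4E5F6A7B8: no signing table match for 'user@example1.com'
Oct 25 12:48:11 mx postfix/qmgr[52120]: D4E5F6A7B8: from=<user@example1.com>, size=2250, nrcpt=1 (queue active)
"""

# Only lines written by opendkim itself: "opendkim[pid]: QUEUEID: message".
LINE = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<msg>.+)$")
SEL_DOM = re.compile(r"\(s=(?P<s>[^,\s]+), d=(?P<d>[^)\s]+)\)")

# Ordered rules, first match wins. The message wording is an assumption about
# what OpenDKIM logs; adjust the patterns to the lines your version writes.
RULES = [
    ("signed", re.compile(r"DKIM-Signature field added")),
    ("sign-skipped", re.compile(
        r"not internal|not authenticated|"
        r"no signing (?:table|domain|subdomain) match")),
    ("verify", re.compile(
        r"key retrieval failed|DKIM verification successful|"
        r"no signature data")),
]

# Lower number = stronger evidence about what happened to the message.
PRIORITY = {"signed": 0, "sign-skipped": 1, "verify": 2, "other": 3}


def classify(line):
    """Return (queue_id, kind, detail) for an opendkim line, else None."""
    m = LINE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, pattern in RULES:
        if pattern.search(msg):
            sd = SEL_DOM.search(msg)
            # Where selector and domain are logged, report the DNS TXT name
            # that holds the public key: <selector>._domainkey.<domain>.
            detail = f"{sd['s']}._domainkey.{sd['d']}" if sd else msg
            return m.group("qid"), kind, detail
    return m.group("qid"), "other", msg


def triage(log_text):
    """Map each queue ID to (verdict, details) from its opendkim lines."""
    events = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            qid, kind, detail = hit
            events.setdefault(qid, []).append((kind, detail))
    result = {}
    for qid, items in events.items():
        # A signature beats a skip reason, and a skip reason beats plain
        # verification activity for the same queue ID.
        verdict = min((kind for kind, _ in items), key=PRIORITY.get)
        result[qid] = (verdict, [d for kind, d in items if kind == verdict])
    return result


if __name__ == "__main__":
    for qid, (verdict, details) in triage(SAMPLE_LOG).items():
        print(f"{qid}: {verdict}: {'; '.join(details)}")
```

A queue ID that only ever shows "verify" entries was handled as incoming mail; "sign-skipped" entries name the reason OpenDKIM gave for not signing.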


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Jason Hirsh
I am getting entries in my maillog, but only in regards to OpenDKIM working to 
verify INCOMING
These are clearly entries from OpenDKIM.  There is nothing corresponding for 
actions relative to outgoing mail

Jason

> On Oct 25, 2019, at 3:52 PM, Christian Kivalo  
> wrote:
> 
> On October 25, 2019 6:52:52 PM GMT+02:00, Jason Hirsh  wrote:
>> I have gone over my configuration with a fine tooth comb, but
>> considering I put them together it is not surprising I can’t spot
>> anything
>> 
>> 
>> I have been trying to locate opendkim action in my log file.  It
>> appears that the mail is being reviewed but no header added
> 
> You should revert to non debug logging for postfix as it makes it extremely 
> hard to discover the relevant log messages. 
> 
> I have the same opendkim config with regard to the Syslog, SyslogSuccess, 
> Logwhy  options
> 
> My opendkim logs show up in mail.log and syslog as that's how rsyslog in 
> Debian is configured. Opendkim logs with the mail.* facility to syslog so 
> whatever syslog daemon you use its configuration should tell you where the 
> logging can be found. 
> 
>> The thing that concerns me is the appearance of “dummy”
>> 
>> Any thoughts anyone?
>>> On Oct 24, 2019, at 11:29 AM, Jason Hirsh  wrote:
>>> 
>>> Thank you for the quick response
>>> 
>>> 
>>> I am 99% certain they are…I had the OpenDkim running for about a week
>> and did not change those (I think)
>>> 
>>> Trusted Hosts
>>> 
>>> 127.0.0.1
>>> localhost
>>> example.com 
>>> example1.com 
>>> 
>>> 
>>> 
>>> KeyTable
>>> 
>>> default._domainkey.example.com
>> :default:/usr/local/etc/opendkim/keys/example.com.com/default.private
>> 
>>> default._domainkey.example1.com
>> :default:/usr/local/etc/opendkim/keys/example1.com/default.private
>> 
>>> 
>>> SigningTable
>>> 
>>> *@example.com default._domainkey.example.com
>> 
>>> *@example1.com default._domainkey.example1.com
>> 
>>> 
>>> In my maillog.  I did find something a little strange response to an
>> outgoing message
>>> 
>>> 
>>> Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>>> Oct 24 10:23:10 triggerfish opendkim[5845]: 9B3A8CB4A69: s=verifier201208 d=port25.com  SSL 
>>> Oct 24 11:02:02 triggerfish opendkim[5845]: 93C75CB4A9A: s=verifier201208 d=port25.com  SSL 
>>> Oct 24 11:18:43 triggerfish opendkim[5845]: 4AADACB4A99: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>>> 
>>> Light and Motion was who the message was going to and has no presence
>> in my mail system
>>> 
>>> 
>>> Is this log entry a clue??
>>> 
>>> 
>>>> On Oct 24, 2019, at 10:50 AM, Dominic Raferd <mailto:domi...@timedicer.co.uk> wrote:
>>>> 
>>>> On Thu, 24 Oct 2019 at 15:28, Jason Hirsh wrote:
>>>>> 
>>>>> I am trying to revive my OpenDKIM installation. I had it working
>>>>> but managed to break it when I updated my ports.  It is running but not
>>>>> signing outgoing messages
>>>>> 
>>>>> My main.cf configuration relative to OpenDkim is
>>>>> 
>>>>> smtpd_milters =  inet:localhost:8891
>>>>> non_smtpd_milters =  $smtpd_milters
>>>>> milter_default_action = accept
>>>>> 
>>>>> My OpenDkim.conf is
>>>>> 
>>>>> AutoRestart Yes
>>>>> AutoRestartRate 10/1h
>>>>> LogWhy  Yes
>>>>> Syslog  Yes
>>>>> SyslogSuccess   Yes
>>>>> Mode sv
>>>>> Canonicalization relaxed/simple
>>>>> ExternalIgnoreList  refile:/usr/local/etc/opendkim/TrustedHosts
>>>>> InternalHosts   refile:/usr/local/etc/opendkim/TrustedHosts
>>>>> KeyTable /usr/local/etc/opendkim/KeyTable
>>>>> SigningTable refile:/usr/local/etc/opendkim/SigningTable
>>>>> SignatureAlgorithm  rsa-sha256
>>>>> Socket  inet:8891@127.0.0.1
>>>>> UMask   022
>>>>> UserID  opendkim:opendkim
>>>>> TemporaryDirectory  /var/tmp
>>>>> 
>>>>> As I stated it is running... But not signing from a test site...
>>>>> 
>>>>> Any thoughts would be appreciated
>>>> 
>>>> Are files /usr/local/etc/opendkim/TrustedHosts, KeyTable and
>>>> SigningTable set up correctly? Do you need to use KeyTable and
>>>> SigningTable - this is a more complex setup; standard setup uses
>>>> parameters Domain, Selector and KeyFile - see
>>>> http://www.opendkim.org/opendkim-README
>> 

Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Christian Kivalo
On October 25, 2019 6:52:52 PM GMT+02:00, Jason Hirsh  wrote:
>I have gone over my configuration with a fine tooth comb, but
>considering I put them together it is not surprising I can’t spot
>anything
>
>
>I have been trying to locate opendkim action in my log file.  It
>appears that the mail is being reviewed but no header added

You should revert to non debug logging for postfix as it makes it extremely 
hard to discover the relevant log messages. 

I have the same opendkim config with regard to the Syslog, SyslogSuccess, 
Logwhy  options

My opendkim logs show up in mail.log and syslog as that's how rsyslog in Debian 
is configured. Opendkim logs with the mail.* facility to syslog so whatever 
syslog daemon you use its configuration should tell you where the logging can 
be found. 

>The thing that concerns me is the appearance of “dummy”
>
>Any thoughts anyone?
>> On Oct 24, 2019, at 11:29 AM, Jason Hirsh  wrote:
>> 
>> Thank you for the quick response
>> 
>> 
>> I am 99% certain they are…I had the OpenDkim running for about a week
>and did not change those (I think)
>> 
>> Trusted Hosts
>> 
>> 127.0.0.1
>> localhost
>> example.com 
>> example1.com 
>> 
>> 
>> 
>> KeyTable
>> 
>> default._domainkey.example.com
>:default:/usr/local/etc/opendkim/keys/example.com.com/default.private
>
>> default._domainkey.example1.com
>:default:/usr/local/etc/opendkim/keys/example1.com/default.private
>
>> 
>> SigningTable
>> 
>> *@example.com default._domainkey.example.com
>
>> *@example1.com default._domainkey.example1.com
>
>> 
>> In my maillog.  I did find something a little strange response to an
>outgoing message
>> 
>> 
>> Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>> Oct 24 10:23:10 triggerfish opendkim[5845]: 9B3A8CB4A69: s=verifier201208 d=port25.com  SSL 
>> Oct 24 11:02:02 triggerfish opendkim[5845]: 93C75CB4A9A: s=verifier201208 d=port25.com  SSL 
>> Oct 24 11:18:43 triggerfish opendkim[5845]: 4AADACB4A99: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found
>> 
>> Light and Motion was who the message was going to and has no presence
>in my mail system
>> 
>> 
>> Is this log entry a clue??
>> 
>> 
>>> On Oct 24, 2019, at 10:50 AM, Dominic Raferd <mailto:domi...@timedicer.co.uk> wrote:
>>> 
>>> On Thu, 24 Oct 2019 at 15:28, Jason Hirsh wrote:
>>>> 
>>>> I am trying to revive my OpenDKIM installation. I had it working
>>>> but managed to break it when I updated my ports.  It is running but not
>>>> signing outgoing messages
>>>> 
>>>> My main.cf configuration relative to OpenDkim is
>>>> 
>>>> smtpd_milters =  inet:localhost:8891
>>>> non_smtpd_milters =  $smtpd_milters
>>>> milter_default_action = accept
>>>> 
>>>> My OpenDkim.conf is
>>>> 
>>>> AutoRestart Yes
>>>> AutoRestartRate 10/1h
>>>> LogWhy  Yes
>>>> Syslog  Yes
>>>> SyslogSuccess   Yes
>>>> Mode sv
>>>> Canonicalization relaxed/simple
>>>> ExternalIgnoreList  refile:/usr/local/etc/opendkim/TrustedHosts
>>>> InternalHosts   refile:/usr/local/etc/opendkim/TrustedHosts
>>>> KeyTable /usr/local/etc/opendkim/KeyTable
>>>> SigningTable refile:/usr/local/etc/opendkim/SigningTable
>>>> SignatureAlgorithm  rsa-sha256
>>>> Socket  inet:8891@127.0.0.1
>>>> UMask   022
>>>> UserID  opendkim:opendkim
>>>> TemporaryDirectory  /var/tmp
>>>> 
>>>> As I stated it is running... But not signing from a test site...
>>>> 
>>>> Any thoughts would be appreciated
>>> 
>>> Are files /usr/local/etc/opendkim/TrustedHosts, KeyTable and
>>> SigningTable set up correctly? Do you need to use KeyTable and
>>> SigningTable - this is a more complex setup; standard setup uses
>>> parameters Domain, Selector and KeyFile - see
>>> http://www.opendkim.org/opendkim-README
>> 

-- 
Christian Kivalo


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Jason Hirsh
I am trying to get rid of the amount of background

I was pretty sure that OpenDKIM should be doing the hard lifting. The thing 
that is throwing me for a loop is the absence of any indication of it 
operating in conjunction with the outgoing mail in the maillog.  As shown 
elsewhere it is involved with INCOMING.

I have verified that its process is running

opendkim 50261   0.0  0.1  25164  13000  -  Ss   10:45   0:00.23 
/usr/local/sbin/opendkim -l -p inet:8891@localhost -u opendkim:mailnull -P 
/var/run/milteropendkim/pid

Last week I had it running.  I had an issue with BIND which I corrected.. so I 
am 80% sure about the associated tables.

I was kind of hoping it was something simple and obvious.  So much for that idea

Thanks to all for their time and efforts


> On Oct 25, 2019, at 2:55 PM, Wietse Venema  wrote:
> 
> Jason Hirsh:
>> I have gone over my configuration with a fine tooth comb, but considering I 
>> put them together it is not surprising I can’t spot anything
>> 
>> 
>> I have been trying to locate opendkim action in my log file.  It appears 
>> that the mail is being reviewed but no header added
>> 
> 
> I'm not encouraging you to post more logging here, but you might
> want to know that Milter content operations do not happen in smtpd,
> but in the cleanup daemon.
> 
> However, the real work happens in OpenDKIM. Postfix just sits between
> the queue file and OpenDKIM, moving bits from one to the other and
> vice versa.
> 
>   Wietse


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Wietse Venema
Jason Hirsh:
> I have gone over my configuration with a fine tooth comb, but considering I 
> put them together it is not surprising I can’t spot anything
> 
> 
> I have been trying to locate opendkim action in my log file.  It appears that 
> the mail is being reviewed but no header added
> 

I'm not encouraging you to post more logging here, but you might
want to know that Milter content operations do not happen in smtpd,
but in the cleanup daemon.

However, the real work happens in OpenDKIM. Postfix just sits between
the queue file and OpenDKIM, moving bits from one to the other and
vice versa.

Wietse
> 
> postfix/submission/smtpd[52375]: milter8_send: milter inet:localhost:8891
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_name = inet:localhost:8891
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_version = 6
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_actions = 273
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_events = 1050370
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_non_events = 0
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_state = 4
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_conn_timeout = 30
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_cmd_timeout = 30
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_msg_timeout = 300
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_action = accept
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
> milter_macro_list = 0
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: dummy
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: dummy
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> value: (end)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: (list terminator)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: (end)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: dummy
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: dummy
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> value: (end)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: (list terminator)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: (end)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: status
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: status
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> value: 0
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: (list terminator)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: (end)
> Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: > 
> c-73-150-178-106.hsd1.nj.comcast.net[73.150.178.106]: 354 End data with 
> .
> Oct 25 12:45:14 triggerfish postfix/cleanup[52466]: E7D08CB4AA4: 
> message-id=
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: status
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: status
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
> value: 0
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: reason
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: reason
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
> value: (end)
> Oct 25 12:45:15 triggerfish postfix/qmgr[52120]: E7D08CB4AA4: 
> from=, size=2250, nrcpt=1 (queue active)
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
> socket: wanted attribute: (list terminator)
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
> name: (end)
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: > 
> c-73-150-178-106.hsd1.nj.comcast.net[73.150.178.106]: 250 2.0.0 Ok: queued as 
> E7D08CB4AA4
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: abort all milters
> Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: milter8_abort: 
> abort milter inet:localhost:8891
> 
> The thing that concerns me is the appearance of “dummy”
> 
> Any thoughts anyone?
> > On Oct 24, 2019, at 11:29 AM, 

Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Jason Hirsh
Ahh ..  Interesting I had not understood that

But I am still not signing ….

> On Oct 25, 2019, at 2:00 PM, Fazzina, Angelo wrote:
> 
> From your original email
>  
> Mode sv
>  
>  
> You are verifying and signing so yes that seems to be the case as you 
> describe.
>  
> -ANGELO FAZZINA
>  
> ang...@uconn.edu 
> University of Connecticut,  ITS, SSG, Server Systems
> 860-486-9075
>  


Re: A blog post that I hope will help people, can the community help me improve it?

2019-10-25 Thread Shawn Heisey

On 10/25/2019 11:13 AM, Shawn Heisey wrote:
> I created a blog post for something I needed to get done and figured out 
> how to do.
> 
> 
> https://purg.atory.org/2019/10/24/creating-a-discard-noreply-email-address-with-postfix-and-postfixadmin/ 
> 
> If the community has any pointers that would make this better, or 
> perhaps even a better way to accomplish it than what I came up with, I'm 
> open to constructive criticism.


I am continuing to tweak the post as I notice problems or think of 
changes.  So if you have any interest in helping, be sure to reload the 
page to see if I've already dealt with something you noticed.


Thanks,
Shawn


RE: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Fazzina, Angelo

From what I can tell the DNS record was not found.


Oct 23 18:26:14 triggerfish opendkim[5845]: E0C34CB4A69: key retrieval failed (s=zendesk1, d=lightandmotion.com): 'zendesk1._domainkey.lightandmotion.com' record not found

And I can’t find it…..

[root@exa02dbadm01 ~]# dig -t txt zendesk1._domainkey.lightandmotion.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t txt zendesk1._domainkey.lightandmotion.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33283
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zendesk1._domainkey.lightandmotion.com. IN TXT

;; AUTHORITY SECTION:
lightandmotion.com. 10800   IN  SOA dns042.a.register.com. root.register.com. 2019021518 28800 7200 604800 14400

;; Query time: 65 msec
;; SERVER: 137.99.25.14#53(137.99.25.14)
;; WHEN: Fri Oct 25 13:12:38 EDT 2019
;; MSG SIZE  rcvd: 126



-ANGELO FAZZINA

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

From: owner-postfix-us...@postfix.org  On 
Behalf Of Jason Hirsh
Sent: Friday, October 25, 2019 12:53 PM
To: Dominic Raferd ; postfix-users@postfix.org
Subject: Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

I have gone over my configuration with a fine tooth comb, but considering I put 
them together it is not surprising I can’t spot anything


I have been trying to locate opendkim action in my log file.  It appears that 
the mail is being reviewed but no header added




Any thoughts anyone?
On Oct 24, 2019, at 11:29 AM, Jason Hirsh <mailto:kasd...@mac.com> wrote:

Thank you for the quick response


I am 99% certain they are…I had the OpenDkim running for about a week and did 
not change those (I think)

Trusted Hosts

127.0.0.1
localhost
example.com
example1.com



KeyTable

default._domainkey.example.com:default:/usr/local/etc/opendkim/keys/example.com.com/default.private
default._domainkey.example1.com:default:/usr/local/etc/opendkim/keys/example1.com/default.private

SigningTable

*@example.com 
default._domainkey.example.com
*@example1.com 

A blog post that I hope will help people, can the community help me improve it?

2019-10-25 Thread Shawn Heisey
I created a blog post for something I needed to get done and figured out 
how to do.


https://purg.atory.org/2019/10/24/creating-a-discard-noreply-email-address-with-postfix-and-postfixadmin/

If the community has any pointers that would make this better, or 
perhaps even a better way to accomplish it than what I came up with, I'm 
open to constructive criticism.


Thanks,
Shawn


Re: OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

2019-10-25 Thread Jason Hirsh
I have gone over my configuration with a fine tooth comb, but considering I put 
them together it is not surprising I can’t spot anything


I have been trying to locate opendkim action in my log file.  It appears that 
the mail is being reviewed but no header added



postfix/submission/smtpd[52375]: milter8_send: milter inet:localhost:8891
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_name = inet:localhost:8891
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_version = 6
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_actions = 273
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_events = 1050370
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_non_events = 0
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_state = 4
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_conn_timeout = 30
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_cmd_timeout = 30
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_msg_timeout = 300
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_action = accept
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: send attr 
milter_macro_list = 0
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: dummy
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: dummy
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
value: (end)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: (list terminator)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: (end)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: dummy
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: dummy
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
value: (end)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: (list terminator)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: (end)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: status
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: status
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
value: 0
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: (list terminator)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: (end)
Oct 25 12:45:14 triggerfish postfix/submission/smtpd[52375]: > 
c-73-150-178-106.hsd1.nj.comcast.net[73.150.178.106]: 354 End data with 
.
Oct 25 12:45:14 triggerfish postfix/cleanup[52466]: E7D08CB4AA4: 
message-id=
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: status
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: status
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
value: 0
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: reason
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: reason
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
value: (end)
Oct 25 12:45:15 triggerfish postfix/qmgr[52120]: E7D08CB4AA4: 
from=, size=2250, nrcpt=1 (queue active)
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: public/cleanup 
socket: wanted attribute: (list terminator)
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: input attribute 
name: (end)
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: > 
c-73-150-178-106.hsd1.nj.comcast.net[73.150.178.106]: 250 2.0.0 Ok: queued as 
E7D08CB4AA4
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: abort all milters
Oct 25 12:45:15 triggerfish postfix/submission/smtpd[52375]: milter8_abort: 
abort milter inet:localhost:8891

The thing that concerns me is the appearance of “dummy”

Any thoughts anyone?
> On Oct 24, 2019, at 11:29 AM, Jason Hirsh  wrote:
> 
> Thank you for the quick response
> 
> 
> I am 99% certain they are…I had the OpenDkim running for about a week and did 
> not change those (I think)
> 
> Trusted Hosts
> 
> 127.0.0.1
> localhost
> example.com 
> example1.com 
> 
> 
> 
> KeyTable
> 
> default._domainkey.example.com 
> :default:/usr/local/etc/opendkim/keys/example.com.com/default.private
>  
> 

Re: Ambiguous logging of mail senders

2019-10-25 Thread Wietse Venema
Sven Bartscher:

> Greetings,
> 
> recently I stumbled across a log line like this:
> 
> Oct 25 10:34:59 hostname postfix/smtpd[12345]: NOQUEUE: reject: RCPT
> from client.example[1.2.3.4]: 554 5.7.1 : Relay access
> denied; from= to= proto=ESMTP
> helo=
> 
> The important part is the "to=". Parsing this to find
> out which part is the local-part and which is the domain isn't exactly
> trivial, both for me as a human or for a machine automatically parsing
> the log. As it turns out, the original address was "a...@b.com; c"@d.com,
> but it could have been "a...@b.com; c...@d.com" (i.e. local-part only, without
> a domain) just as well. There is no way to know for sure from the log alone.

Agreed. One would have to know that Postfix logs the 'internal'
form.

Why does Postfix use the internal form(*)? Because there can be
multiple original forms for the same address, for example using
quotes or backslashes. And having multiple forms for the same thing
is bad if one wants to implement, for example, SMTP access policies.

Why does Postfix not log the original form in addition to the
internal form? That would require code changes to all the code
that logs an envelope sender or recipient. It would have to log
both the original form and the form that Postfix uses for table
lookup, otherwise table lookups would be difficult to debug.

I would just configure Postfix to reject the garbage instead of
doing a lot of work to log the garbage unambiguously.

Wietse

(*) As an aside, Postfix is in a transition from using internal
address forms in lookup tables to using external forms, so that the
tables can handle addresses with whitespace. But it still uses the
unquoted form internally, instead of the original form, to avoid
ambiguity due to quotes or backslashes.
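
Added example (not from the thread and not Postfix code): a simplified model of the internal versus external address forms discussed above. It shows two different quoted originals collapsing to the same logged form, and the readings a log parser has to consider; the addresses are constructed and the helper names are hypothetical.

```python
import re

# RFC 5321 atext: characters allowed in an unquoted (dot-string) local-part.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_STRING = re.compile(rf"{_ATEXT}+(?:\.{_ATEXT}+)*\Z")
# Plain host names only; address literals are left out of this model.
_DOMAIN = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\Z")


def split_external(addr):
    """Split a quoted (external) address at its first unquoted '@'.

    Returns (raw_local, domain); domain is '' when there is none.
    """
    in_quotes = False
    i = 0
    while i < len(addr):
        ch = addr[i]
        if ch == "\\":
            i += 2                      # skip the escaped character
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            return addr[:i], addr[i + 1:]
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted string")
    return addr, ""


def to_internal(addr):
    """Drop quotes and backslash escapes: the unquoted form that gets logged."""
    raw_local, domain = split_external(addr)
    out = []
    i = 0
    while i < len(raw_local):
        ch = raw_local[i]
        if ch == "\\" and i + 1 < len(raw_local):
            out.append(raw_local[i + 1])
            i += 2
            continue
        if ch != '"':
            out.append(ch)
        i += 1
    local = "".join(out)
    return f"{local}@{domain}" if domain else local


def to_external(local, domain):
    """Quote the local-part when it is not a plain dot-string."""
    if not _DOT_STRING.match(local):
        escaped = local.replace("\\", "\\\\").replace('"', '\\"')
        local = f'"{escaped}"'
    return f"{local}@{domain}" if domain else local


def readings(internal):
    """Every external address that would be logged as this internal form."""
    candidates = [(internal, "")]       # local-part only, no domain
    for i, ch in enumerate(internal):
        if ch == "@" and _DOMAIN.match(internal[i + 1:]):
            candidates.append((internal[:i], internal[i + 1:]))
    return [to_external(local, domain) for local, domain in candidates]


if __name__ == "__main__":
    logged = to_internal('"alice@b.example; c"@d.example')   # constructed
    print("logged as:", logged)
    for candidate in readings(logged):
        print("could have been:", candidate)
```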


Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Lars Liedtke

On 25.10.19 at 10:55, Matus UHLAR - fantomas wrote:
>>> Lars Liedtke:
>>>> I am having trouble using reject_unknown_sender_domain. I boiled the
>>>> whole restrictions down to
>>>>
>>>> smtpd_recipient_restrictions = warn_if_reject
>>>> reject_unknown_sender_domain
>>>>
>>>> and still a mail to an invalid domain is not rejected or I am not
>>>> warned
>>>> about rejection:
>
>> On 24.10.19 at 20:20, Wietse Venema wrote:
>>> reject_unknown_sender_domain will consider the domain as "existing"
>>> - if a DNS query of type MX, A, or  (if compiled with IPv6
>>>   support) produces a resource record,
>>> - or the above query produces a response and you have configured
>>>   an smtpd_dns_reply_filter that removed those resource records.
>
> On 25.10.19 10:00, Lars Liedtke wrote:
>> Unfortunately both cases turn out negative:
>>
>> - $ drill domain.invalid any
>>   ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 49179
>
> this is your problem, the rcode should be NXDOMAIN.
>
> SERVFAIL means that the dns server failed to find out whether the domain
> exists.
>
> it's a DNS problem.

Right and not :-(

Right: The SERVFAIL part.

Wrong: even with a domain that does not exist and a DNS-Lookup delivers
NXDOMAIN still the Domain is not rejected.

$ drill dgibsjaganicht.de
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 31428
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; dgibsjaganicht.de.   IN  A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 10.0.2.3
;; WHEN: Fri Oct 25 11:31:55 2019
;; MSG SIZE  rcvd: 35


Oct 25 11:25:26 mailstore postfix/smtpd[16444]: >>> START Recipient
address RESTRICTIONS <<<
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks:
name=reject_unknown_sender_domain
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_unknown_address:
t...@dgibsjaganicht.de
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: ctable_locate: leave
existing entry key mailte...@punkt.de?t...@dgibsjaganicht.de
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks:
name=reject_unknown_sender_domain status=0
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks:
name=reject_unknown_recipient_domain
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_unknown_address:
mailte...@punkt.de
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: ctable_locate: move
existing entry key t...@dgibsjaganicht.de?mailte...@punkt.de

Additionally, I only see the status=0 in the logfile if
reject_unknown_sender_domain is inside the smtpd_recipient_restrictions;
if it is in the smtpd_sender_restrictions I only see this:

Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks:
name=reject_non_fqdn_sender
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_non_fqdn_address:
t...@dgibsjaganicht.de
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks:
name=reject_non_fqdn_sender status=0
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: generic_checks:
name=reject_unknown_sender_domain
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: reject_unknown_address:
t...@dgibsjaganicht.de
Oct 25 11:25:26 mailstore postfix/smtpd[16444]: rewrite_clnt: cached:
local: mailte...@punkt.de -> mailte...@punkt.de

-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   https://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285





Ambiguous logging of mail senders

2019-10-25 Thread Sven Bartscher
Greetings,

recently I stumbled across a log line like this:

Oct 25 10:34:59 hostname postfix/smtpd[12345]: NOQUEUE: reject: RCPT
from client.example[1.2.3.4]: 554 5.7.1 : Relay access
denied; from= to= proto=ESMTP
helo=

The important part is the "to=". Parsing this to find
out which part is the local-part and which is the domain isn't exactly
trivial, both for me as a human or for a machine automatically parsing
the log. As it turns out, the original address was "a...@b.com; c"@d.com,
but it could have been "a...@b.com; c...@d.com" (i.e. local-part only, without
a domain) just as well. There is no way to know for sure from the log alone.

There are more obscure examples like this:

Aug 29 12:52:50 hostname postfix/smtpd[12345] NOQUEUE: reject: RCPT from
client.example[1.2.3.4]: 554 5.7.1 : Helo command rejected: Access
denied; from= to= from= to= proto=ESMTP
helo=

In this case it is not possible to say with certainty what the envelope
addresses actually are. It can be either of these:

to: "x@y.z> from= to= to= from=

signature.asc
Description: OpenPGP digital signature
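
The ambiguity described in this message can be checked for mechanically. The following is an added example, not part of the original post or of Postfix: a parser that extracts the envelope fields from a reject line and reports when they cannot be read back without guessing. It assumes the usual from=<...> to=<...> proto=... helo=<...> tail; the function name and the sample lines are constructed for illustration.

```python
import re

# Field markers Postfix smtpd appends to a reject line (assumed layout).
MARKERS = (" from=<", " to=<", " proto=", " helo=<")
TAIL = re.compile(r" from=<(.*)> to=<(.*)> proto=(\S+) helo=<(.*)>$")

def parse_reject(line):
    """Return (fields, reasons) for one reject line.

    fields is None if the tail is missing. reasons is empty only when
    the fields can be read back without guessing.
    """
    m = TAIL.search(line)
    if m is None:
        return None, ["no from=/to=/proto=/helo= tail"]
    fields = dict(zip(("from", "to", "proto", "helo"), m.groups()))
    reasons = []
    # A marker that occurs twice means one "address" contains log syntax.
    for marker in MARKERS:
        n = line.count(marker)
        if n > 1:
            reasons.append("%s occurs %d times" % (marker.strip(), n))
    # Per the thread, a quoted local-part and a domain-less address can
    # produce the same logged text, so such values are flagged, not split.
    for key in ("from", "to"):
        addr = fields[key]
        if addr.count("@") > 1 or re.search(r"[\s<>]", addr):
            reasons.append("%s=<%s> has no unique local-part/domain split" % (key, addr))
    return fields, reasons

# Constructed sample lines, not taken from the thread.
PREFIX = ("Oct 25 10:34:59 hostname postfix/smtpd[12345]: NOQUEUE: reject: "
          "RCPT from client.example[192.0.2.4]: 554 5.7.1 ")
CLEAN = PREFIX + ("<bob@relay.example>: Relay access denied; "
                  "from=<alice@sender.example> to=<bob@relay.example> "
                  "proto=ESMTP helo=<client.example>")
QUOTED = PREFIX + ("<a@b.example; c@d.example>: Relay access denied; "
                   "from=<alice@sender.example> to=<a@b.example; c@d.example> "
                   "proto=ESMTP helo=<client.example>")
REPEATED = PREFIX + ("<client.example>: Helo command rejected: Access denied; "
                     "from=<x@y.example> to=<p@q.example> from=<r@s.example> "
                     "to=<t@u.example> proto=ESMTP helo=<client.example>")

if __name__ == "__main__":
    for name, line in (("clean", CLEAN), ("quoted", QUOTED), ("repeated", REPEATED)):
        fields, reasons = parse_reject(line)
        print(name, "OK" if not reasons else "AMBIGUOUS: " + "; ".join(reasons))
```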


Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Wietse Venema
Lars Liedtke:
> Wrong: even with a domain that does not exist and a DNS-Lookup delivers
> NXDOMAIN still the Domain is not rejected.
> 
> $ drill dgibsjaganicht.de
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 31428

Please provide evidence that this query uses the same
resolver as Postfix.

Use tcpdump or some equivalent. 

Wietse


Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Lars Liedtke

On 24.10.19 at 19:01, P.V.Anthony wrote:
> On 25/10/19 12:34 am, Lars Liedtke wrote:
>
>> I am having trouble using reject_unknown_sender_domain. I boiled the
>> whole restrictions down to
>>
>> smtpd_recipient_restrictions = warn_if_reject
>> reject_unknown_sender_domain
>
> For me I use it in smtpd_sender_restrictions.
>
> Also check if your postfix version can support
> reject_unknown_sender_domain.
>
> I am not an expert. Please wait for other advice.
>
> P.V.Anthony

Yes, I would have put it in the smtpd_sender_restrictions myself as well,
but I am working with a book and that shows it in the
smtpd_recipient_restrictions, so in my many tries I put it there as well
just to be sure.

-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   https://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285





Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Bastian Blank
On Fri, Oct 25, 2019 at 11:37:04AM +0200, Lars Liedtke wrote:
> Right and not :-(

Sadly, our crystal ball is in revision.  So please do as you are told
and read http://www.postfix.org/DEBUG_README.html#mail.

Bastian

-- 
The heart is not a logical organ.
-- Dr. Janet Wallace, "The Deadly Years", stardate 3479.4


Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Matus UHLAR - fantomas

> Lars Liedtke:
>
> I am having trouble using reject_unknown_sender_domain. I boiled the
> whole restrictions down to
>
> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>
> and still a mail to an invalid domain is not rejected or I am not warned
> about rejection:
>
> On 24.10.19 at 20:20, Wietse Venema wrote:
>
> reject_unknown_sender_domain will consider the domain as "existing"
> - if a DNS query of type MX, A, or AAAA (if compiled with IPv6
>   support) produces a resource record,
> - or the above query produces a response and you have configured
>   an smtpd_dns_reply_filter that removed those resource records.
>
> On 25.10.19 10:00, Lars Liedtke wrote:
>
> Unfortunately both cases turn out negative:
>
> - $ drill domain.invalid any
>   ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 49179


this is your problem, the rcode should be NXDOMAIN.

SERVFAIL means that the dns server failed to find out whether the domain
exists.

it's a DNS problem.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Lars Liedtke

On 24.10.19 at 20:20, Wietse Venema wrote:
> Lars Liedtke:
>> Hello,
>>
>> I am having trouble using reject_unknown_sender_domain. I boiled the
>> whole restrictions down to
>>
>> smtpd_recipient_restrictions = warn_if_reject reject_unknown_sender_domain
>>
>> and still a mail to an invalid domain is not rejected or I am not warned
>> about rejection:
> reject_unknown_sender_domain will consider the domain as "existing" 
> - if a DNS query of type MX, A, or AAAA (if compiled with IPv6
>   support) produces a resource record,
> - or the above query produces a response and you have configured
>   an smtpd_dns_reply_filter that removed those resource records.
>
>   Wietse

Unfortunately both cases turn out negative:

- $ drill domain.invalid any
  ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 49179
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; domain.invalid.  IN  TYPE255

  ;; ANSWER SECTION:

  ;; AUTHORITY SECTION:

  ;; ADDITIONAL SECTION:

  ;; Query time: 0 msec
  ;; SERVER: 10.0.2.3
  ;; WHEN: Fri Oct 25 09:47:04 2019
  ;; MSG SIZE  rcvd: 32

- $ postconf | grep smtpd_dns
  smtpd_dns_reply_filter =

-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   https://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285





Re: reject_unknown_sender_domain seems not to work

2019-10-25 Thread Lars Liedtke

On 24.10.19 at 19:01, P.V.Anthony wrote:
> On 25/10/19 12:34 am, Lars Liedtke wrote:
>
>> I am having trouble using reject_unknown_sender_domain. I boiled the
>> whole restrictions down to
>>
>> smtpd_recipient_restrictions = warn_if_reject
>> reject_unknown_sender_domain
>
> For me I use it in smtpd_sender_restrictions.
>
> Also check if your postfix version can support
> reject_unknown_sender_domain.
>
> I am not an expert. Please wait for other advice.
>
> P.V.Anthony

-- 
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
i...@punkt.de   https://www.punkt.de
Gf: Jürgen Egeling  AG Mannheim 108285


