Re: Postfix stable release 3.4.8

2019-11-27 Thread Wesley Peng

Hi Wietse

on 2019/11/27 23:38, Wietse Venema wrote:

> [An on-line version of this announcement will be available at
> http://www.postfix.org/announcements/postfix-3.4.8.html]
>
> Fixed in Postfix 3.4:

It's really nice to see that Postfix has been under continuous development
for so many years. I wish it becomes stronger and stronger.


Thanks for your team's work.

regards.


Re: question on a SPF setting

2019-11-27 Thread @lbutlr
On 27 Nov 2019, at 16:31, @lbutlr  wrote:
> On 27 Nov 2019, at 00:15, Wesley Peng  wrote:
>> -exists:%{ir}.spf.rambler.ru
> 
> That expands to if the IP address (reverse check) plus /spf/rambler.ru exists…
> 
> So, if you see a connection from 1.2.3.444 and 1.2.3.444.spf.rambler.ru 
> exists, pass the spf check.

Sorry, it's if 444.3.2.1.spf.rambler.ru exists (that's the 'r' in ir).


-- 
> I miss the old days. I haven't killed anyone in years.
>
That's sad.



Re: question on a SPF setting

2019-11-27 Thread @lbutlr
On 27 Nov 2019, at 00:15, Wesley Peng  wrote:
> -exists:%{ir}.spf.rambler.ru

That expands to if the IP address (reverse check) plus /spf/rambler.ru exists…

So, if you see a connection from 1.2.3.444 and 1.2.3.444.spf.rambler.ru exists, 
pass the spf check.



-- 
Fairy Tales are more than true; not because they tell us that dragons
exist, but because they tell us that dragons can be beaten.



Re: single instance multi-tenant service

2019-11-27 Thread Viktor Dukhovni
> On Nov 27, 2019, at 1:35 PM, Wietse Venema  wrote:
> 
>> Would adding a new tenant to the system (i.e. a new route in Postfix)
>> require a restart, interrupting mail flow for existing tenants?
> 
> Service disruption is unnecessary. "postfix reload" (not stop+start)
> should suffice.

When lists of relay, virtual, ... domains etc., are stored in tables
rather than listed verbatim in main.cf, even a reload is not generally
required, but may in some cases speed up the visibility of the new
data.

The main difficulty with multi-tenant configurations is hosting of
mailing lists (mailman and the like); this often requires per-tenant
user accounts which own the respective alias files, run maintenance
scripts, ...

If you're providing shared outbound mail, its "reputation" can be
tainted by just a single user who buys a list to market to, or
whose username/password is compromised.

-- 
Viktor.



Re: single instance multi-tenant service

2019-11-27 Thread Phillip Schichtel
For the routing part I've written a small application that can
translate Postfix' socketmap lookups, tcp lookups and policy requests
into HTTP requests for integrating other applications for dynamic
routing info: [1]. That application is part of a larger application
I've built that does most of what you are asking for.

[1]: https://github.com/pschichtel/postfix-rest-connector

~ Phillip

On 27 November 2019 19:35:59, Wietse Venema <
wie...@porcupine.org> wrote:

> Penny Parker:
> > Hello
> > 
> > 
> > Does anyone have experience of building a multi-tenant service for
> > processing incoming email using a single instance of Postfix?  I'm
> > talking about an Internet-facing service where all service subscribers
> > configure their MX records to point to the same host, running a single
> > instance of Postfix configured to route email for different domains to
> > different back-end systems.
> 
> That is covered under 'Configuring Postfix as primary or backup MX
> host for a remote site' in
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
> 
> This requires that you maintain a list of all valid email addresses
> in a customer domain. If you can't maintain that information, then
> see 'Recipient address verification' in
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient
> 
> > Would adding a new tenant to the system (i.e. a new route in Postfix)
> > require a restart, interrupting mail flow for existing tenants?
> 
> Service disruption is unnecessary. "postfix reload" (not stop+start)
> should suffice.
> 
> > Would the service be able to serve up different TLS certificates for
> > different subscribers, or would it have to respond with the same
> > certificate for all subscribers?
> 
> Postfix 3.4 supports SNI. One Postfix configuration also supports
> different SMTP servers on different IP addresses with different
> (TLS) configuration.
> 
> > Many thanks and apologies if this has been answered before.
> 
> Asked and answered many times.
> 
> Wietse





Re: Forwarding mail without breaking SPF?

2019-11-27 Thread Scott Kitterman
On Wednesday, November 27, 2019 2:03:40 PM EST Ralph Seichter wrote:
> * Matus UHLAR:
> > Once again, SPF does not apply to mail headers.
> 
> Matus, I feel your frustration.
> 
> I mentioned RFC 7208 before in this thread. If only people would read
> section 2.2 (https://tools.ietf.org/html/rfc7208#section-2.2) ff., to
> understand how SPF authorization works and where in the SMTP transaction
> it occurs.

And, amazing as it may seem to some people, we weren't blind to this kind of 
architectural issues when we wrote RFC 7208.  There's even an appendix [1] 
devoted to discussion of alternatives available to ameliorate such issues.

This was argued approximately to death in 2004/2005 when SPF was first 
standardized and repeatedly since then.  I think it's been at least a good 
decade since anyone had any new ideas on the topic.

There is a mailing list devoted to giving people help with SPF [2].  Asking 
SPF specific questions is really more on topic there.

Scott K

[1] https://tools.ietf.org/html/rfc7208#appendix-D
[2] https://spf.topicbox.com/groups/spf-help




Re: Forwarding mail without breaking SPF?

2019-11-27 Thread Ralph Seichter
* Matus UHLAR:

> Once again, SPF does not apply to mail headers.

Matus, I feel your frustration.

I mentioned RFC 7208 before in this thread. If only people would read
section 2.2 (https://tools.ietf.org/html/rfc7208#section-2.2) ff., to
understand how SPF authorization works and where in the SMTP transaction
it occurs.

-Ralph


Re: Postfix stable release 3.4.8

2019-11-27 Thread Wietse Venema
Gerard E. Seibert:
> I assume that this bug either does not exist in the "3.5" beta
> versions, or has been squashed.

These fixes were tested in Postfix 3.5, and therefore exposed to
real traffic, before they were released in the stable release.

Wietse


Re: single instance multi-tenant service

2019-11-27 Thread Wietse Venema
Penny Parker:
> Hello
> 
> Does anyone have experience of building a multi-tenant service for
> processing incoming email using a single instance of Postfix?  I'm
> talking about an Internet-facing service where all service subscribers
> configure their MX records to point to the same host, running a single
> instance of Postfix configured to route email for different domains to
> different back-end systems.

That is covered under 'Configuring Postfix as primary or backup MX
host for a remote site' in
http://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

This requires that you maintain a list of all valid email addresses
in a customer domain. If you can't maintain that information, then
see 'Recipient address verification' in
http://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

> Would adding a new tenant to the system (i.e. a new route in Postfix)
> require a restart, interrupting mail flow for existing tenants?

Service disruption is unnecessary. "postfix reload" (not stop+start)
should suffice.

> Would the service be able to serve up different TLS certificates for
> different subscribers, or would it have to respond with the same
> certificate for all subscribers?

Postfix 3.4 supports SNI. One Postfix configuration also supports
different SMTP servers on different IP addresses with different
(TLS) configuration.

> Many thanks and apologies if this has been answered before.

Asked and answered many times.

Wietse


Re: Postfix stable release 3.4.8

2019-11-27 Thread Gerard E. Seibert
On Wed, 27 Nov 2019 10:38:58 -0500 (EST), Wietse Venema stated:
>[An on-line version of this announcement will be available at
>http://www.postfix.org/announcements/postfix-3.4.8.html]
>
>Fixed in Postfix 3.4:
>
>  * Fix for an Exim interoperability problem when postscreen after-220
>checks are enabled. Bug introduced in Postfix 3.4: the code
>that detected "PIPELINING after BDAT" looked at the wrong
>variable. The warning now says "BDAT without valid RCPT", and
>the error is no longer treated as a command PIPELINING error,
>thus allowing mail to be delivered. Meanwhile, Exim has been
>fixed to stop sending BDAT commands when postscreen rejects all
>RCPT commands.
>
>  * Usability bug, introduced in Postfix 3.4: the parser for
>key/certificate chain files rejected inputs that contain an EC
>PARAMETERS object. While this is technically correct (the
>documentation says what types are allowed) this is surprising
>behavior because the legacy cert/key parameters will accept
>such inputs. For now, the parser skips object types that it
>does not know about for usability, and logs a warning because
>ignoring inputs is not kosher.
>
>  * Bug introduced in Postfix 2.8: don't gratuitously enable all
>after-220 tests when only one such test is enabled. This made
>selective tests impossible with 'good' clients. This will be
>fixed in older Postfix versions at some later time.
>
>You can find the updated Postfix source code at the mirrors listed
>at http://www.postfix.org/.
>
>   Wietse

I assume that this bug either does not exist in the "3.5" beta
versions, or has been squashed.


single instance multi-tenant service

2019-11-27 Thread Penny Parker
Hello

Does anyone have experience of building a multi-tenant service for
processing incoming email using a single instance of Postfix?  I'm
talking about an Internet-facing service where all service subscribers
configure their MX records to point to the same host, running a single
instance of Postfix configured to route email for different domains to
different back-end systems.

Is Postfix suitable for offering this type of service, or are there
security concerns e.g. leaking information from one tenant to another?

Would adding a new tenant to the system (i.e. a new route in Postfix)
require a restart, interrupting mail flow for existing tenants?

Would the service be able to serve up different TLS certificates for
different subscribers, or would it have to respond with the same
certificate for all subscribers?

Many thanks and apologies if this has been answered before.


Postfix stable release 3.4.8

2019-11-27 Thread Wietse Venema
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.4.8.html]

Fixed in Postfix 3.4:

  * Fix for an Exim interoperability problem when postscreen after-220
checks are enabled. Bug introduced in Postfix 3.4: the code
that detected "PIPELINING after BDAT" looked at the wrong
variable. The warning now says "BDAT without valid RCPT", and
the error is no longer treated as a command PIPELINING error,
thus allowing mail to be delivered. Meanwhile, Exim has been
fixed to stop sending BDAT commands when postscreen rejects all
RCPT commands.

  * Usability bug, introduced in Postfix 3.4: the parser for
key/certificate chain files rejected inputs that contain an EC
PARAMETERS object. While this is technically correct (the
documentation says what types are allowed) this is surprising
behavior because the legacy cert/key parameters will accept
such inputs. For now, the parser skips object types that it
does not know about for usability, and logs a warning because
ignoring inputs is not kosher.

  * Bug introduced in Postfix 2.8: don't gratuitously enable all
after-220 tests when only one such test is enabled. This made
selective tests impossible with 'good' clients. This will be
fixed in older Postfix versions at some later time.

You can find the updated Postfix source code at the mirrors listed
at http://www.postfix.org/.

Wietse


Re: Logging original IP address in relay connection

2019-11-27 Thread Wietse Venema
Emanuel:
> Hi, I use Exim locally, with a smarthost through Postfix. Is it
> possible to add the real IP of the real client to the log?
> 
> Actually I only see the IP of the relay connection.

The remote client IP address is in the Received: header that EXIM
has added. Use a Postfix header_checks rule to log that specific
Received: header. I am not familiar with the detailed format of
EXIM headers, but you should have plenty of examples :-)

Wietse
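
The following is an added example, not code from this thread or from Postfix or Exim: it shows the kind of pcre_table(5) rule a header_checks WARN action would use to log the client IP recorded in the upstream Exim Received: header, and applies the same pattern in Python to constructed Received: lines so the behaviour can be checked offline. The host name server.backend is taken from the log line in the thread; the Received: headers, host names and addresses are constructed. Anchoring the pattern on the trusted hop ("by server.backend") is the check a defender wants, since Received: headers added by earlier hops, or forged by the sender, would otherwise be logged as if they were the client.

```python
"""Extract the original client IP from the Received: header that an upstream
Exim adds, the way a Postfix header_checks WARN rule would log it.
Added example for the thread above; all Received: lines are constructed."""
import re

# pcre_table(5)-style rule for header_checks. "server.backend" is the Exim
# host name from the log line in the thread; $1 is the captured client IP.
# Anchoring on "by server.backend" keeps the rule from logging Received:
# headers added by earlier, untrusted hops (or forged by the sender).
HEADER_CHECKS_RULE = (
    r"/^Received: from \S+ \(\[(\d{1,3}(?:\.\d{1,3}){3})\].* by server\.backend /"
    " WARN original client $1"
)

# The same pattern in Python's re syntax; everything used here is identical
# in pcre, and pcre tables match case-insensitively by default.
CLIENT_IP_RE = re.compile(
    r"^Received: from \S+ \(\[(\d{1,3}(?:\.\d{1,3}){3})\].* by server\.backend ",
    re.IGNORECASE,
)


def unfold(header):
    """Join folded continuation lines: header_checks sees one logical header."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def original_client_ip(header):
    """Return the bracketed client IP recorded by server.backend, or None."""
    match = CLIENT_IP_RE.match(unfold(header))
    return match.group(1) if match else None


def rule_result(header):
    """The action header_checks would take for this header under HEADER_CHECKS_RULE
    (the $1 substitution applied), or None when the rule does not match."""
    ip = original_client_ip(header)
    return f"WARN original client {ip}" if ip else None


# Constructed sample in the default Exim Received: layout (folded header).
EXIM_RECEIVED = (
    "Received: from mail.example.org ([198.51.100.23] helo=mail.example.org)\n"
    "\tby server.backend with esmtp (Exim 4.92)\n"
    "\tid 1iZtest-0001AB-Cd\n"
    "\tfor user@example.net; Wed, 27 Nov 2019 10:23:59 -0300"
)
# Constructed hop recorded by some other server: must not be logged as our client.
UPSTREAM_RECEIVED = (
    "Received: from relay.other.example ([203.0.113.5])\n"
    "\tby mx.other.example with ESMTP id 42; Wed, 27 Nov 2019 10:20:00 -0300"
)
# Constructed local submission on the Exim host: no client IP to extract.
LOCAL_RECEIVED = (
    "Received: from root by server.backend with local (Exim 4.92) id 1iZtest-0001AC-De"
)

if __name__ == "__main__":
    for header in (EXIM_RECEIVED, UPSTREAM_RECEIVED, LOCAL_RECEIVED):
        print(rule_result(header))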


Logging original IP address in relay connection

2019-11-27 Thread Emanuel
Hi, I use Exim locally, with a smarthost through Postfix. Is it
possible to add the real IP of the real client to the log?


Actually I only see the IP of the relay connection.

Nov 27 10:23:59 smarthost01 postfix/cleanup[18611]: 0F4F8180058A1: 
warning: header From: Emanuel  from 
server.backend[172.17.110.155]; from=<> to= 
proto=ESMTP helo=


Regards.!!




Re: Bounce spam configuration.

2019-11-27 Thread Matus UHLAR - fantomas

On Wed, 27 Nov 2019 09:17:36 +0100, Postfix users wrote:

> Looks like I get listed (again) because my conf rejects spam
> messages with full body.


I don't fully understand this, can you rephrase? 


> What to change in postfix configuration to get reject with my message
> only and SPAM message added as eml attachment ?


this looks like a job for a spam filter like spamassassin or amavis, not
postfix. 


On 27.11.19 09:35, Julian Kippels wrote:

> maybe you should look into rejecting Spam pre-queue with
> smtpd_proxy_filter


I recommend milter over using smtpd proxy.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
  One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them


Re: Forwarding mail without breaking SPF?

2019-11-27 Thread Matus UHLAR - fantomas

On 26-11-2019 at 17:59, Marek Kozlowski wrote:

> OK. I do not insist on postsrsd. I'd really appreciate any
> suggestion: what can I use instead of it - what do you recommend?



On 11/26/19 2:07 PM, Benny Pedersen wrote:

> no one uses spf anymore


incorrect.


> since it breaks mailing lists very badly ?,
> postfix maillist have not even spf helo pass :)


They don't have SPF helo fail. "No SPF" is correct result.


> spf works only on direct mail, not mailing lists since envelope
> sender changes on maillists


spf can work on any mail, even mailing list.


> so if you add spf to your domain it would not make bad things ever
>
> dmarc is another story not to try


On 26.11.19 23:20, Richard Damon wrote:

> SPF does NOT break from a properly configured mailinglist, as SPF
> doesn't check just from, but can also use sender/envelope-from,


incorrect. SPF is only supposed to check envelope from:, not any headers.


Checking header From: was a stupid Microsoft attempt for spf/2 that failed.

Once again, SPF does not apply to mail headers. 


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors


Re: question on a SPF setting

2019-11-27 Thread Gerald Galster


> Thanks.
> I am still not clear about the description in mxtoolbox, though.
> Can you give more details?
> 
> regards.
> 
> on 2019/11/27 16:08, patpro wrote:
>> On 2019-11-27 08:15, Wesley Peng wrote:
>>> Hello
>>> 
>>> I saw myrambler.ru has a special setting for SPF:
>>> 
>>> myrambler.ru.   3599    IN  TXT "v=spf1
>>> ip4:81.19.78.96/27 ip4:81.19.78.0/27 ip4:81.19.88.0/24
>>> -exists:%{ir}.spf.rambler.ru ~all"
>>> 
>>> what does it mean for this part:
>>> 
>>> -exists:%{ir}.spf.rambler.ru
>> You'll find an explanation here:
>> https://mxtoolbox.com/SuperTool.aspx?action=spf%3amyrambler.ru=toolpage
>> patpro

The details are here: https://tools.ietf.org/html/rfc4408#page-22
Also see 8. Macros / Page 27

Gerald

Re: question on a SPF setting

2019-11-27 Thread patpro

On 2019-11-27 09:31, Wesley Peng wrote:

> Thanks.
> I am still not clear about the description in mxtoolbox, though.
> Can you give more details?


I've never used the "exists" keyword; it's for more advanced use cases 
and relies on SPF macros. You'll find some examples online, like here: 
https://scotthelme.co.uk/email-security-spf/
A more complete source can be found in the SPF RFC: 
https://tools.ietf.org/html/rfc7208#section-7.2


regards
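
A worked expansion of the exists: mechanism in the myrambler.ru record quoted in this thread, following the explanation earlier in the thread (the 'r' transformer reverses the client IP before the lookup) and RFC 7208 sections 7.2 and 7.3. This is an added example, not code from the thread or from any SPF library: it expands %{i}, %{ir} and %{d}, evaluates the ip4, exists and all terms in record order, and takes the DNS lookup that exists: performs as a caller-supplied function so it runs offline. It goes slightly beyond the thread's IPv4 case by also producing the dotted-nibble form the macro takes for IPv6 clients. The lookup table, the client addresses and the name 4.3.2.1.spf.rambler.ru are constructed for illustration; the evaluation is keyed on the MAIL FROM domain, since SPF is checked on the envelope sender and not on the header From:.

```python
"""Evaluate a subset of SPF (RFC 7208) against the myrambler.ru record from
the thread: ip4 and all mechanisms plus exists: with the %{i}, %{ir} and %{d}
macros. DNS is replaced by a caller-supplied lookup so this runs offline.
Added example; not the thread's or any SPF implementation's code."""
import ipaddress

# The TXT record quoted in the thread (myrambler.ru).
MYRAMBLER_SPF = ("v=spf1 ip4:81.19.78.96/27 ip4:81.19.78.0/27 ip4:81.19.88.0/24 "
                 "-exists:%{ir}.spf.rambler.ru ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dotted_ip(ip):
    """%{i}: dotted-quad for IPv4, dot-separated hex nibbles for IPv6 (RFC 7208 7.3)."""
    if ip.version == 4:
        return str(ip)
    return ".".join(ip.exploded.replace(":", ""))


def expand_macro(spec, client_ip, domain):
    """Expand %{i}, %{ir} and %{d} in a macro string. The 'r' transformer
    reverses the dot-separated labels, which turns 1.2.3.4 into 4.3.2.1
    for the exists: lookup discussed in the thread."""
    ip = ipaddress.ip_address(client_ip)
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("%{", i):
            end = spec.index("}", i)
            letter, transformers = spec[i + 2], spec[i + 3:end]
            if letter == "i":
                value = dotted_ip(ip)
            elif letter == "d":
                value = domain
            else:
                raise ValueError(f"macro letter {letter!r} not supported here")
            if "r" in transformers:
                value = ".".join(reversed(value.split(".")))
            out.append(value)
            i = end + 1
        elif spec.startswith("%%", i):
            out.append("%")
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def evaluate_spf(record, client_ip, mail_from_domain, dns_exists):
    """Return pass/fail/softfail/neutral for client_ip checked against record
    for the MAIL FROM domain. dns_exists(name) -> bool stands in for the
    A-record lookup that exists: performs; the first matching term wins."""
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "ip4":
            matched = ip.version == 4 and ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "exists":
            matched = dns_exists(expand_macro(argument, client_ip, mail_from_domain))
        elif mechanism == "all":
            matched = True
        else:
            raise ValueError(f"mechanism {mechanism!r} not supported in this subset")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all": RFC 7208 says neutral


if __name__ == "__main__":
    # Constructed lookup table: only the reversed address 4.3.2.1 "exists".
    table = {"4.3.2.1.spf.rambler.ru"}
    for client in ("81.19.78.100", "1.2.3.4", "203.0.113.9", "2001:db8::1"):
        print(client, evaluate_spf(MYRAMBLER_SPF, client, "myrambler.ru", table.__contains__))
```

With the constructed table, a client inside one of the ip4 ranges passes before the exists: term is ever consulted; 1.2.3.4 fails because 4.3.2.1.spf.rambler.ru resolves, which is the sense of the record's "-exists:" (a hit on the list means reject); any other client falls through to "~all" and gets softfail.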


Re: Bounce spam configuration.

2019-11-27 Thread Julian Kippels
On Wed, 27 Nov 2019 09:17:36 +0100,
Postfix users wrote:

> Hello,
> 
> Looks like I get listed (again) because my conf rejects spam
> messages with full body.
> 
> What to change in postfix configuration to get reject with my message 
> only and SPAM message added as eml attachment ?
> 
> Sebastian
> 

Hi,

maybe you should look into rejecting Spam pre-queue with
smtpd_proxy_filter

Julian


Re: question on a SPF setting

2019-11-27 Thread Wesley Peng

Thanks.
I am still not clear about the description in mxtoolbox, though.
Can you give more details?

regards.

on 2019/11/27 16:08, patpro wrote:

> On 2019-11-27 08:15, Wesley Peng wrote:
>
>> Hello
>>
>> I saw myrambler.ru has a special setting for SPF:
>>
>> myrambler.ru.   3599    IN  TXT "v=spf1
>> ip4:81.19.78.96/27 ip4:81.19.78.0/27 ip4:81.19.88.0/24
>> -exists:%{ir}.spf.rambler.ru ~all"
>>
>> what does it mean for this part:
>>
>> -exists:%{ir}.spf.rambler.ru
>
> You'll find an explanation here:
>
> https://mxtoolbox.com/SuperTool.aspx?action=spf%3amyrambler.ru=toolpage
>
> patpro


Bounce spam configuration.

2019-11-27 Thread Postfix users

Hello,

Looks like I get listed (again) because my conf rejects spam messages 
with full body.


What to change in postfix configuration to get reject with my message 
only and SPAM message added as eml attachment ?


Sebastian



Re: question on a SPF setting

2019-11-27 Thread patpro

On 2019-11-27 08:15, Wesley Peng wrote:

> Hello
>
> I saw myrambler.ru has a special setting for SPF:
>
> myrambler.ru.   3599    IN  TXT "v=spf1
> ip4:81.19.78.96/27 ip4:81.19.78.0/27 ip4:81.19.88.0/24
> -exists:%{ir}.spf.rambler.ru ~all"
>
> what does it mean for this part:
>
> -exists:%{ir}.spf.rambler.ru



You'll find an explanation here:

https://mxtoolbox.com/SuperTool.aspx?action=spf%3amyrambler.ru=toolpage

patpro