Re: client and ehlo hostname mismatch

2021-02-10 Thread Cooper, Robert A
My primary outbound relay cluster connects through a load balancer NAT so when 
it gives "helo host1.services.domain.tld" it actually reverses to the hostname 
assigned to the load balancer (relay.domain.tld).  there are multiple nodes 
that all lookup with the single NAT IP when connecting outbound.


RobertC


(Sorry for top-posting, I can't find any options in Outlook Web to change the 
reply thread settings!)



From: owner-postfix-us...@postfix.org  on 
behalf of Viktor Dukhovni 
Sent: Wednesday, February 10, 2021 18:39
To: postfix-users@postfix.org
Subject: Re: client and ehlo hostname mismatch

> On Feb 10, 2021, at 9:38 PM, Eugene Podshivalov  wrote:
>
> Are there any wise cases for a legitimate client to provide a valid ehlo
> hostname (which maps to some address) but that address will differ from
> the address it connects from?

I don't know about "wise", but this is not uncommon.

As an example of a less blatant mismatch, today I received a legitimate
newsletter from Cornell:

  Received: from mm.list.cornell.edu (vs-01.mm.list.cornell.edu [128.253.150.167])

The EHLO name resolves to the same IP as the connecting client, but
the PTR is a variant of that name.

Here is the sort of mismatch you're asking about:

  Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2072c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe5a::72c])

The EHLO name (presently) resolves to:

$ getent hosts NAM12-MW2-obe.outbound.protection.outlook.com
2a01:111:f400:fe5a::200 NAM12-MW2-obe.outbound.protection.outlook.com

$ getent hosts mail-mw2nam12on2072c.outbound.protection.outlook.com
2a01:111:f400:fe5a::72c mail-mw2nam12on2072c.outbound.protection.outlook.com

$ getent hosts 2a01:111:f400:fe5a::72c
2a01:111:f400:fe5a::72c mail-mw2nam12on2072c.outbound.protection.outlook.com

--
Viktor.



Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
> On Feb 10, 2021, at 9:38 PM, Eugene Podshivalov  wrote:
> 
> Are there any wise cases for a legitimate client to provide a valid ehlo
> hostname (which maps to some address) but that address will differ from
> the address it connects from?

I don't know about "wise", but this is not uncommon.

As an example of a less blatant mismatch, today I received a legitimate
newsletter from Cornell:

  Received: from mm.list.cornell.edu (vs-01.mm.list.cornell.edu [128.253.150.167])

The EHLO name resolves to the same IP as the connecting client, but
the PTR is a variant of that name.

Here is the sort of mismatch you're asking about:

  Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2072c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe5a::72c])

The EHLO name (presently) resolves to:

$ getent hosts NAM12-MW2-obe.outbound.protection.outlook.com
2a01:111:f400:fe5a::200 NAM12-MW2-obe.outbound.protection.outlook.com

$ getent hosts mail-mw2nam12on2072c.outbound.protection.outlook.com
2a01:111:f400:fe5a::72c mail-mw2nam12on2072c.outbound.protection.outlook.com

$ getent hosts 2a01:111:f400:fe5a::72c
2a01:111:f400:fe5a::72c mail-mw2nam12on2072c.outbound.protection.outlook.com

-- 
Viktor.



Re: client and ehlo hostname mismatch

2021-02-10 Thread Eugene Podshivalov
Are there any wise cases for a legitimate client to provide a valid ehlo
hostname (which maps to some address) but that address will differ from the
address it connects from?

Thu, 11 Feb 2021 at 01:01, Bob Proulx:

> Eugene Podshivalov wrote:
> > Then what is the sense of doing this if the name can be whoever else's
> name?
>
> For anti-spam and anti-abuse software.  It's all available for the
> anti-spam to use to decide how to classify the message.  Perhaps not
> as a hard block as that would definitely have false positives.  But as
> part of a larger scoring system it can add to the filter analysis.
>
> Bob
>


Re: client and ehlo hostname mismatch

2021-02-10 Thread Bob Proulx
Eugene Podshivalov wrote:
> Then what is the sense of doing this if the name can be whoever else's name?

For anti-spam and anti-abuse software.  It's all available for the
anti-spam to use to decide how to classify the message.  Perhaps not
as a hard block as that would definitely have false positives.  But as
part of a larger scoring system it can add to the filter analysis.

Bob


Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
On Thu, Feb 11, 2021 at 12:15:32AM +0300, Eugene Podshivalov wrote:

> > Viktor Dukhovni:
> > Postfix can check that the EHLO name resolves to some IP address.
> 
> Then what is the sense of doing this if the name can be whoever else's name?

Spam bots are sloppy, and typically default to the name from the RHS of
the PTR.  If that has no forward name, and you require a forward IP
then you'll block them.

I would not recommend a global rule of that sort.  Rather, I do this
selectively for name suffixes from various ISP dynamic pools that I've
observed to be sources of repeat spam that evades other filters and where
filtering the HELO is effective.  My filters are fairly light, some
junk gets through, but I don't lose legitimate mail.  I'm willing to
engage in occasional whack-a-mole updates to some of the local rules.

-- 
Viktor.


Re: HELO and nothing else

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 01:20:30PM -0800, Ron Garret wrote:

> I am working on a spam filter and so I find myself spending a lot more
> quality time with mail logs than I used to.  One of the things I have
> noticed is that I will get a lot of connections that send a HELO
> command and then disconnect.  Sometimes I get this repeated several
> times a minute from the same IP for hours on end.  What is going on
> here?  Should I block these IPs?  Am I being scanned?  By what?  To
> what end?

Generally, just ignore these.  Focus instead on the systems that attempt
to send junk mail.  Some of the EHLO mail systems are various systems
doing legitimate Internet surveys.

My DANE survey bot (dnssec-stats.ant.isi.edu) is generously hosted by
isi.edu (with thanks to Wes Hardaker for making that possible), and will
typically connect to an MX host of a DNSSEC-signed domain once or twice
per IP address (listed in DNS for its hostname) per day, provided the
MX host is also in a DNSSEC-signed zone and has DANE TLSA records.

Other surveys focus on other features and have a different connection
pattern.

Once a minute for several hours on end does seem rather more frequent
than I would expect of a legitimate survey.  If you're sufficiently
curious, you could check to see whether there is an associated website
that documents the activity, and/or any relevant TXT (or RP) DNS
records.

For example:

dnssec-stats.ant.isi.edu. IN TXT "v=spf1 ip4:128.9.29.254 ip6:2001:1878:401::8009:1dfe ~all"
dnssec-stats.ant.isi.edu. IN TXT "DNSSEC/DANE deployment survey.  See https://stats.dnssec-tools.org/ for details."

I should probably also add an "RP" record, though few publish or know
about these: https://tools.ietf.org/html/rfc1183#section-2

-- 
Viktor.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Bill Cole

On 10 Feb 2021, at 15:52, Chris Green wrote:

> On Wed, Feb 10, 2021 at 02:13:22PM -0500, Viktor Dukhovni wrote:
> 
> > On Wed, Feb 10, 2021 at 05:41:49PM +, Chris Green wrote:
> > 
> > > OK, what I want to do is as follows:-
> > > 
> > > I have several headless machines which need to be able to send error
> > > and other messages to me ch...@isbd.co.uk.
> > 
> > Directly to that address, or indirectly by sending mail to various local
> > accounts that alias to this address?  If the latter, and $myorigin is
> > listed in $mydestination, then alias these various accounts to the
> > desired recipient address.
> 
> I don't mind how it gets there. :-)   However the case in question is
> a headless virtual server isbd.uk which is run by Gandi Internet in
> France.  I want the messages from there to get to my main E-Mail
> address which is ch...@isbd.co.uk hosted on an entirely different
> hosting service in the UK.
> 
> > > Looking at what you say above I see the following (on one of the
> > > existing systems in the LAN behind zbmc.eu) :-
> > > 
> > > chris$ postconf -d myorigin
> > > myorigin = $myhostname
> > 
> > Now you're reporting built-in default values ("-d" option of
> > "postconf").  That's not useful.  I was specifically telling what the
> > *default* value is.  If you have a non-default value you can report
> > it via "postconf -n".
> > 
> > > chris$ hostname -f
> > > t470.zbmc.eu
> > 
> > This is irrelevant.
> > 
> > > chris$ hostname
> > > t470
> > 
> > This shows a non-FQDN hostname.
> 
> Which seems to be how just about every system configures itself.

Little do they know that we humans are actually in control... :)

> It's all very well saying that the 'hostname' should include the
> domain name but in the real world nothing ever seems to be actually
> like that.

Unless you make it that way. Put the FQDN in /etc/hostname (on most 
Linux distros...) and it is done.

> If (and it's a big if) I configure the hostname to be a FQDN how do I
> then get mail sent to 'chris' out of isbd.uk to ch...@isbd.co.uk?

echo "ch...@isbd.co.uk" > ~chris/.forward

If you need a generalized mapping, see 'man 5 generic' and note that it 
can use regexp/pcre tables.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: HELO and nothing else

2021-02-10 Thread Mauricio Tavares
On Wed, Feb 10, 2021 at 4:21 PM Ron Garret  wrote:
>
> Hello (not helo :-)
>
> I am working on a spam filter and so I find myself spending a lot more 
> quality time with mail logs than I used to.  One of the things I have noticed 
> is that I will get a lot of connections that send a HELO command and then 
> disconnect.  Sometimes I get this repeated several times a minute from the 
> same IP for hours on end.  What is going on here?  Should I block these IPs?  
> Am I being scanned?  By what?  To what end?
>
  That reminds me of the incomplete TCP handshake scan. You may
want to run something like fail2ban and block that.

> Thanks,
> rg
>


Re: HELO and nothing else

2021-02-10 Thread Noel Jones



On 2/10/2021 3:20 PM, Ron Garret wrote:

> Hello (not helo :-)
> 
> I am working on a spam filter and so I find myself spending a lot more quality 
> time with mail logs than I used to.  One of the things I have noticed is that I 
> will get a lot of connections that send a HELO command and then disconnect.  
> Sometimes I get this repeated several times a minute from the same IP for hours 
> on end.  What is going on here?  Should I block these IPs?  Am I being scanned? 
>  By what?  To what end?
> 
> Thanks,
> rg




Each connecting IP may have a different reason...

My first two thoughts are either a broken spambot, or an MTA that 
doesn't like something about your server's response.


Probably not a scan or anything to be overly concerned with, unless 
it looks like you might want their mail. Unless they repeat 
thousands of times for hours it's not worth blocking - just ignore them.



  -- Noel Jones


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 09:05:03PM +, Chris Green wrote:

> OK, but every system I know about has hostname as just the hostname
> with no domain.

Only because you configured it that way, perhaps via an "installer" that
made that default choice for you, but all these systems allow you to
configure the system hostname to an FQDN.  The DANE survey server is a
Fedora 31 system, there I have:

$ cat /etc/hostname
dnssec-stats.ant.isi.edu

$ uname -n
dnssec-stats.ant.isi.edu

> It's how systems are configured 'out of the box' as installed with
> various different (OK, mostly Linux) different operating systems.  It
> *may* be wrong but I'm afraid it's the way things are.

More precisely, it is the way you let them stay after running the base
installer.  You then customise them in various other ways, but have so
far chosen to not override the hostname.  On a Postfix server, it is
IMHO simplest to set the hostname to an FQDN.  You *can* avoid doing
that, but at a greater complexity cost.  Your choice.

> So, I have several local systems on a LAN behind a single NATted ipv4
> address which is zbmc.eu, they have to have names, those names are
> necessarily invalid 'outside'.

See: http://www.postfix.org/SOHO_README.html#fantasy

> Yes, I think you have hit exactly on the issue! :-)  Not everyone
> agrees what the 'hostname' should be.  I'm stuck in the crossfire.

You're going around in circles.  Ultimately, your systems need a working
setting of "myhostname", "mydomain", "myorigin", "mydestination",
"smtp_helo_name", "inet_interfaces" and "proxy_interfaces".

Some of these can be inferred from an FQDN hostname, or else explicitly
set.  You should first get a working configuration by setting explicit
values that do what you want.  Then you can decide whether to use
explicit or inferred settings to scale these to multiple machines.

This thread is going nowhere, because your immediate goal is rather
unclear.  Do you have a working explicit configuration?  If not, fix
that *first*.  Once that's done, you can think about how to abstract
it across multiple machines.

> Thanks Bob, I think you have convinced me that there probably is no
> simple answer to this.  Maybe I'll just have to have more than one
> main.cf, one for the systems on the zbmc.uk domain and one (or more)
> for systems on other domains.  It's probably the easiest to understand
> solution at least.

Not the conclusion I would draw, but certainly a possibility.  As
explained earlier, if the systems are "cookie-cutter" nodes differing
only in where they happen to be hosted, it is simplest in fact to
just give each a unique FQDN, and otherwise identical configurations.

If the FQDN is configured via /etc/hostname (evidenced via `uname -n`),
then the main.cf files can typically be identical and may not require
any further machine-specific post-processing.

-- 
Viktor.


HELO and nothing else

2021-02-10 Thread Ron Garret
Hello (not helo :-)

I am working on a spam filter and so I find myself spending a lot more quality 
time with mail logs than I used to.  One of the things I have noticed is that I 
will get a lot of connections that send a HELO command and then disconnect.  
Sometimes I get this repeated several times a minute from the same IP for hours 
on end.  What is going on here?  Should I block these IPs?  Am I being scanned? 
 By what?  To what end?

Thanks,
rg



Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
I'm sorry everyone if I got a bit heated about this.

I *think* I have most of the information I need to sort it out one way
or another, and there probably isn't a 'right' answer.  :-)

... and as I said before, a big thank you for all the help, I do
appreciate it even if it might not seem like it sometimes.

-- 
Chris Green


Re: client and ehlo hostname mismatch

2021-02-10 Thread Eugene Podshivalov
>
> Viktor Dukhovni:
> Postfix can check that the EHLO name resolves to some IP address.

Then what is the sense of doing this if the name can be whoever else's name?

Thu, 11 Feb 2021 at 00:03, Viktor Dukhovni:

> On Wed, Feb 10, 2021 at 11:59:39PM +0300, Eugene Podshivalov wrote:
>
> > > Viktor Dukhovni:
> > > The actual expectation is that the EHLO name is a valid DNS hostname,
> > > and should resolve to the IP address of the client.
> >
> > Postfix does not seem to be able to check this right now. Wouldn't it be
> > good to have such features in smtpd_helo_restrictions?
>
> Postfix can check that the EHLO name resolves to some IP address.  There
> is no check that the address is that of the connecting client, because
> that is not a sufficiently useful policy criterion.
>
> --
> Viktor.
>


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Jaroslaw Rafa
On 10.02.2021 at 20:52:01 Chris Green wrote:
> 
> If (and it's a big if) I configure the hostname to be a FQDN how do I
> then get mail sent to 'chris' out of isbd.uk to ch...@isbd.co.uk?

That seems to be completely unrelated to the hostname problem.

If you alias "chris" to "ch...@isbd.co.uk" (for example in /etc/aliases
file), and just to be sure you may also alias "ch...@isbd.uk" to
"ch...@isbd.co.uk", then the mail sent to "chris" (or "ch...@isbd.uk")
should be forwarded to "ch...@isbd.co.uk".

Unless there are still some things you didn't describe...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 01:11:49PM -0700, Bob Proulx wrote:
> Chris Green wrote:
> > Viktor Dukhovni wrote:
> > > Chris Green wrote:
> > > > Local hostname doesn't have FQDN by default though:-
> > > > 
> > > > chris@isbdGandi$ hostname
> > > > isbdGandi
> > > > chris@isbdGandi$ hostname -f
> > > > isbdGandi.isbd.uk
> > > > 
> > > > > Do your OS instances have their hostnames?
> > > >
> > > > See above.
> > > 
> > > The simplest solution is to arrange for the systems to instead have
> > > fully-qualified hostnames.  This will likely have additional benefits
> > > down the line.
> >
> > They have, it doesn't seem to help.
> 
> I believe there is some confusion between "hostname" and "hostname -f"
> that is creating problems.  When people say "hostname" should return
> the FQDN they mean that this should be true.
> 
> $ hostname
> isbdGandi.isbd.uk  # simulation
> 
> That is completely different from this.  Completely different.
> 
> $ hostname -f
> isbdGandi.isbd.uk  # simulation
> 
OK, but every system I know about has hostname as just the hostname
with no domain.  This is how systems are *actually* configured in the
main.  It's not just my systems.  It's how systems are configured 'out
of the box' as installed with various different (OK, mostly Linux)
different operating systems.  It *may* be wrong but I'm afraid it's
the way things are.

I have looked at Debian, Ubuntu, Raspberry Pi - they are all this way.
I have found one exception, one of my hosting services has the full
domain as the hostname.


> Also, it was previously noted that isbdGandi.isbd.uk is not a valid
> domain name.
> 
> $ host isbdGandi.isbd.uk
> Host isbdGandi.isbd.uk not found: 3(NXDOMAIN)
> 
> Therefore using that as the system hostname would not be helpful.
> 
So, I have several local systems on a LAN behind a single NATted ipv4
address which is zbmc.eu, they have to have names, those names are
necessarily invalid 'outside'.

The hostname isbdGandi.isbd.uk is similar, it just happens to be a
single system on the isbd.uk IP.  The system has a name, the domain is
isbd.uk, what should I call it?


> Philosophical Discussion Time
> 
> However there is a split in the thinking.  Most of the people on this
> list are on the side that wants the hostname to be a FQDN.  And then
> it applies globally to every program running on the system.  The
> Highlander principle.  "There can only be one."  That's a BSD
> traditional behavior.
> 
> But the other side of the split wants the hostname to be the short
> hostname.  And then the domain is specified in applications.  Then
> there can be many IP addresses on a host and many domains serviced by
> the many IP addresses.  Most GNU/Linux systems default this way.
> 
> You appear to be using a GNU/Linux distribution that is typical and
> defaults to the short hostname.  Which means you can override that
> locally and follow "The BSD Way" and have one IP and one domain
> globally.  Or you can set it for Postfix.  Or you can use a Debian,
> Ubuntu, Mint, Trisquel, others, specific behavior of /etc/myorigin.
> Or you can customize main.cf's myhostname.  Or any other of the many
> possible solutions to this problem.
> 
Yes, I think you have hit exactly on the issue! :-)  Not everyone
agrees what the 'hostname' should be.  I'm stuck in the crossfire.


> > What exactly do you mean by "... have fully-qualified hostnames?". I
> > know what you mean by FQDN but in general although 'hostname -f' and
> > 'dnsdomainname' return the domain name postfix still doesn't use it.
> 
> When Postfix says "hostname" it means "hostname" not "hostname -f".
> 
> The operation of "hostname -f" is to do a reverse DNS lookup on an IP
> address associated with the host.  This is actually not something that
> is guaranteed to be configured on the host.  Unless it is configured
> in /etc/hosts locally it will fall through to DNS and depend upon the
> DNS entry for the IP address.  (Which also requires live networking
> active at that moment too.)  But which IP address?
> 
> The actual configuration values for /etc/hosts is also problematic.
> Because 127.0.0.1 should map to "localhost" and "localhost" should map
> to 127.0.0.1.  However many people have hacked this locally to map to
> The One FQDN globally for the system.  This topic by itself is a large
> discussion of a surprisingly large number of combinations, some of
> which work for some things but not others, and the reverse.
> 
> This area of messy stuff was the motivation for Debian making a local
> patch to default to "myorigin = /etc/myorigin" as that allows a single
> main.cf to be used if /etc/myorigin is customized.  Personally I don't
> like it as much however and don't use that functionality.  But it
> might be perfect for you since it was designed with your case in mind.
> 
Sadly not all of my systems are Debian derived, but it might be one
approach.


> And then there is a systemd module too.  (Isn't there always yet
> anoth

Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 11:59:39PM +0300, Eugene Podshivalov wrote:

> > Viktor Dukhovni:
> > The actual expectation is that the EHLO name is a valid DNS hostname,
> > and should resolve to the IP address of the client.
> 
> Postfix does not seem to be able to check this right now. Wouldn't it be
> good to have such features in smtpd_helo_restrictions?

Postfix can check that the EHLO name resolves to some IP address.  There
is no check that the address is that of the connecting client, because
that is not a sufficiently useful policy criterion.

-- 
Viktor.


Re: client and ehlo hostname mismatch

2021-02-10 Thread Eugene Podshivalov
>
> Viktor Dukhovni:
> The actual expectation is that the EHLO name is a valid DNS hostname,
> and should resolve to the IP address of the client.


Postfix does not seem to be able to check this right now. Wouldn't it be
good to have such features in smtpd_helo_restrictions?

Wed, 10 Feb 2021 at 23:38, Viktor Dukhovni:

> On Wed, Feb 10, 2021 at 01:20:23PM -0700, Bob Proulx wrote:
> > Eugene Podshivalov wrote:
> > > I've just received a spam email from a client who presented itself as
> > > emx.mail.ru but its ip 117.30.137.22 resolves to
> > > 22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
> > >
> > >  Are reverse client hostname and the ehlo one not supposed to match?
> >
> > And now some very large service providers will not provide Reverse-DNS
> > mapping for server's IP addresses.  This means that valid servers will
> > not be able to have a valid reverse mapping.  This means that if one
> > hard blocks on this full circle validity check then they will drop
> > valid email and people will not be happy.
>
> The actual expectation is that the EHLO name is a valid DNS hostname,
> and should resolve to the IP address of the client.  This is not always
> the same as the IP address resolving back to that name.
>
> Thus for a client connecting from 192.0.2.1 with an EHLO name of
> "ehlo.example" we might find a set of DNS records of the form:
>
> ehlo.example.   IN A 192.0.2.1
> 1.2.0.192.in-addr.arpa. IN PTR some.name.example.
> some.name.example. IN A 192.0.2.1
>
> Where the EHLO name is consistent with the connecting IP address when
> mapped forward from the name to the address.  Also the IP address has a
> PTR record, which in turn maps back that name, which may be different
> from the EHLO name.
>
> Best practice is for both names to be the same, but this is not
> required.  And sometimes either or both of the forward mappings may be
> missing or may map to a different address.
>
> --
> Viktor.
>


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 02:13:22PM -0500, Viktor Dukhovni wrote:
> On Wed, Feb 10, 2021 at 05:41:49PM +, Chris Green wrote:
> 
> > OK, what I want to do is as follows:-
> > 
> > I have several headless machines which need to be able to send error
> > and other messages to me ch...@isbd.co.uk.
> 
> Directly to that address, or indirectly by sending mail to various local
> accounts that alias to this address?  If the latter, and $myorigin is
> listed in $mydestination, then alias these various accounts to the
> desired recipient address.
> 
I don't mind how it gets there. :-)   However the case in question is
a headless virtual server isbd.uk which is run by Gandi Internet in
France.  I want the messages from there to get to my main E-Mail
address which is ch...@isbd.co.uk hosted on an entirely different
hosting service in the UK.

> 
> > Looking at what you say above I see the following (on one of the
> > existing systems in the LAN behind zbmc.eu) :-
> > 
> > chris$ postconf -d myorigin
> > myorigin = $myhostname
> 
> Now you're reporting built-in default values ("-d" option of
> "postconf").  That's not useful.  I was specifically telling what the
> *default* value is.  If you have a non-default value you can report
> it via "postconf -n".
> 
> > chris$ hostname -f
> > t470.zbmc.eu
> 
> This is irrelevant.
> 
> > chris$ hostname
> > t470
> 
> This shows a non-FQDN hostname.
> 
Which seems to be how just about every system configures itself.

It's all very well saying that the 'hostname' should include the
domain name but in the real world nothing ever seems to be actually
like that.


If (and it's a big if) I configure the hostname to be a FQDN how do I
then get mail sent to 'chris' out of isbd.uk to ch...@isbd.co.uk?

-- 
Chris Green


Re: client and ehlo hostname mismatch

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 01:20:23PM -0700, Bob Proulx wrote:
> Eugene Podshivalov wrote:
> > I've just received a spam email from a client who presented itself as
> > emx.mail.ru but its ip 117.30.137.22 resolves to
> > 22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
> > 
> >  Are reverse client hostname and the ehlo one not supposed to match?
> 
> And now some very large service providers will not provide Reverse-DNS
> mapping for server's IP addresses.  This means that valid servers will
> not be able to have a valid reverse mapping.  This means that if one
> hard blocks on this full circle validity check then they will drop
> valid email and people will not be happy.

The actual expectation is that the EHLO name is a valid DNS hostname,
and should resolve to the IP address of the client.  This is not always
the same as the IP address resolving back to that name.

Thus for a client connecting from 192.0.2.1 with an EHLO name of
"ehlo.example" we might find a set of DNS records of the form:

ehlo.example.   IN A 192.0.2.1
1.2.0.192.in-addr.arpa. IN PTR some.name.example.
some.name.example. IN A 192.0.2.1

Where the EHLO name is consistent with the connecting IP address when
mapped forward from the name to the address.  Also the IP address has a
PTR record, which in turn maps back that name, which may be different
from the EHLO name.

Best practice is for both names to be the same, but this is not
required.  And sometimes either or both of the forward mappings may be
missing or may map to a different address.

-- 
Viktor.
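The DNS relationships Viktor describes above (the 192.0.2.1 record set in this message, and the Cornell and outlook.com Received headers with their getent lookups in his later one) laid out as a small checker that keeps each fact separate: does the EHLO name resolve at all, does it resolve to the client, is the PTR name forward-confirmed, and is the EHLO name just the PTR name echoed back. This is an added example, not code from the thread or from Postfix; the in-memory FORWARD/REVERSE tables are constructed from the records quoted in the thread, the address given for emx.mail.ru is a placeholder, and WATCHED_SUFFIXES is an assumed list in the spirit of Viktor's selective "require a resolvable HELO only for known dynamic pools" rule.

```python
"""Classify an SMTP client's EHLO name against DNS, as the thread describes.

Added example, not code from the postfix-users thread or from Postfix.
The DNS tables are constructed in memory from the records quoted in the
thread so the script runs offline; a deployment would replace forward()
and ptr() with real resolver calls.
"""
import ipaddress


def norm(addr: str) -> str:
    """Canonical text form so IPv6 addresses compare regardless of spelling."""
    return ipaddress.ip_address(addr).compressed


# Constructed forward table (A/AAAA): name -> addresses.  Values are the ones
# quoted in the thread except emx.mail.ru, whose address is a placeholder.
FORWARD = {
    "mm.list.cornell.edu": {"128.253.150.167"},
    "vs-01.mm.list.cornell.edu": {"128.253.150.167"},
    "nam12-mw2-obe.outbound.protection.outlook.com": {"2a01:111:f400:fe5a::200"},
    "mail-mw2nam12on2072c.outbound.protection.outlook.com": {"2a01:111:f400:fe5a::72c"},
    "ehlo.example": {"192.0.2.1"},
    "some.name.example": {"192.0.2.1"},
    "emx.mail.ru": {"198.51.100.25"},  # placeholder, not the real address
    # The dynamic-pool PTR name from the spam example has no forward record.
}

# Constructed reverse table (PTR): address -> name.
REVERSE = {
    "128.253.150.167": "vs-01.mm.list.cornell.edu",
    "2a01:111:f400:fe5a::72c": "mail-mw2nam12on2072c.outbound.protection.outlook.com",
    "192.0.2.1": "some.name.example",
    "117.30.137.22": "22.137.30.117.broad.xm.fj.dynamic.163data.com.cn",
}


def forward(name: str) -> set:
    """All addresses a name maps to (empty set when it does not resolve)."""
    return {norm(a) for a in FORWARD.get(name.lower().rstrip("."), ())}


def ptr(addr: str):
    """PTR name for an address, or None when there is no reverse mapping."""
    return REVERSE.get(norm(addr))


def check_helo(client_ip: str, helo_name: str) -> dict:
    """Return the facts a HELO policy might care about, each on its own."""
    client = norm(client_ip)
    helo_addrs = forward(helo_name)
    ptr_name = ptr(client)
    return {
        # the forward check behind Postfix's reject_unknown_helo_hostname
        "helo_resolves": bool(helo_addrs),
        # the EHLO-name-to-client-IP match Viktor says Postfix does not test
        "helo_matches_client": client in helo_addrs,
        "ptr_name": ptr_name,
        # forward-confirmed reverse DNS: the PTR name maps back to the client
        "fcrdns": ptr_name is not None and client in forward(ptr_name),
        # a sloppy bot typically just echoes the PTR name as its EHLO name
        "helo_is_ptr": ptr_name is not None
        and helo_name.lower().rstrip(".") == ptr_name.lower(),
    }


# Assumed list: suffixes where requiring a resolvable HELO is worth it.  The
# one entry comes from the thread's spam example; a real deployment would
# list the pools it has actually seen repeat abuse from.
WATCHED_SUFFIXES = (".dynamic.163data.com.cn",)


def selective_policy(client_ip: str, helo_name: str) -> str:
    """REJECT only when a watched-suffix HELO name has no forward record."""
    facts = check_helo(client_ip, helo_name)
    name = helo_name.lower().rstrip(".")
    if name.endswith(WATCHED_SUFFIXES) and not facts["helo_resolves"]:
        return "REJECT"
    return "DUNNO"  # Postfix's "no opinion, move on to the next restriction"


if __name__ == "__main__":
    for ip, helo in [
        ("128.253.150.167", "mm.list.cornell.edu"),
        ("2a01:111:f400:fe5a::72c", "NAM12-MW2-obe.outbound.protection.outlook.com"),
        ("192.0.2.1", "ehlo.example"),
        ("117.30.137.22", "emx.mail.ru"),
        ("117.30.137.22", "22.137.30.117.broad.xm.fj.dynamic.163data.com.cn"),
    ]:
        print(ip, helo, check_helo(ip, helo), selective_policy(ip, helo))
```

Note that the spam message from the thread (EHLO emx.mail.ru from 117.30.137.22) gets DUNNO from the selective rule, since its EHLO name does resolve; only a bot echoing the unresolvable dynamic-pool PTR name is rejected.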


Re: client and ehlo hostname mismatch

2021-02-10 Thread Dirk Stöcker

On Wed, 10 Feb 2021, Bob Proulx wrote:

> Eugene Podshivalov wrote:
> 
> > I've just received a spam email from a client who presented itself as
> > emx.mail.ru but its ip 117.30.137.22 resolves to
> > 22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
> > 
> >  Are reverse client hostname and the ehlo one not supposed to match?
> 
> It's been an old traditional recommendation and best practice.
> 
>    https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
> 
> RFC1912 dates from 1996.  Back then we could count the number of
> systems on the Internet.  Possibly someone knew each of them
> individually!  I'm not saying it wasn't possible then.  And requiring
> reverse DNS to map was one way to avoid dynamically assigned
> addressing often used by abusers.  But now there are so many systems
> on the network and they change so fast that this is definitely not
> possible now.


The more important question is how many services are running on a single 
host. It's not uncommon that a host has more than one purpose and thus 
also multiple domain names. With IPv4 this means DNS and reverse DNS 
cannot match, as you always can satisfy only one of the services (except 
you have too many IPv4 addresses).


E.g. my mail server mail.stoecker.eu resolves correctly for the IPv6 
address, but for v4 the name differs.


Ciao
--
https://www.dstoecker.eu/ (PGP key available)


Re: client and ehlo hostname mismatch

2021-02-10 Thread Bob Proulx
Eugene Podshivalov wrote:
> I've just received a spam email from a client who presented itself as
> emx.mail.ru but its ip 117.30.137.22 resolves to
> 22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
> 
>  Are reverse client hostname and the ehlo one not supposed to match?

It's been an old traditional recommendation and best practice.

https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

RFC1912 dates from 1996.  Back then we could count the number of
systems on the Internet.  Possibly someone knew each of them
individually!  I'm not saying it wasn't possible then.  And requiring
reverse DNS to map was one way to avoid dynamically assigned
addressing often used by abusers.  But now there are so many systems
on the network and they change so fast that this is definitely not
possible now.

And now some very large service providers will not provide Reverse-DNS
mapping for server's IP addresses.  This means that valid servers will
not be able to have a valid reverse mapping.  This means that if one
hard blocks on this full circle validity check then they will drop
valid email and people will not be happy.

Instead of Forward-Reverse-DNS matching the newer Best Practice is to
set up SPF, DKIM, DMARC for your own outgoing mail and other
anti-abuse for incoming mail.

Bob


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Bob Proulx
Chris Green wrote:
> Viktor Dukhovni wrote:
> > Chris Green wrote:
> > > Local hostname doesn't have FQDN by default though:-
> > > 
> > > chris@isbdGandi$ hostname
> > > isbdGandi
> > > chris@isbdGandi$ hostname -f
> > > isbdGandi.isbd.uk
> > > 
> > > > Do your OS instances have their hostnames?
> > >
> > > See above.
> > 
> > The simplest solution is to arrange for the systems to instead have
> > fully-qualified hostnames.  This will likely have additional benefits
> > down the line.
>
> They have, it doesn't seem to help.

I believe there is some confusion between "hostname" and "hostname -f"
that is creating problems.  When people say "hostname" should return
the FQDN they mean that this should be true.

$ hostname
isbdGandi.isbd.uk  # simulation

That is completely different from this.  Completely different.

$ hostname -f
isbdGandi.isbd.uk  # simulation

Also, it was previously noted that isbdGandi.isbd.uk is not a valid
domain name.

$ host isbdGandi.isbd.uk
Host isbdGandi.isbd.uk not found: 3(NXDOMAIN)

Therefore using that as the system hostname would not be helpful.

Philosophical Discussion Time

However there is a split in the thinking.  Most of the people on this
list are in the side that wants the hostname to be a FQDN.  And then
it applies globally to every program running on the system.  The
Highlander principle.  "There can only be one."  That's a BSD
traditional behavior.

But the other side of the split wants the hostname to be the short
hostname.  And then the domain is specified in applications.  Then
there can be many IP addresses on a host and many domains serviced by
the many IP addresses.  Most GNU/Linux systems default this way.

You appear to be using a GNU/Linux distribution that is typical and
defaults to the short hostname.  Which means you can override that
locally and follow "The BSD Way" and have one IP and one domain
globally.  Or you can set it for Postfix.  Or you can use a Debian,
Ubuntu, Mint, Trisquel, others, specific behavior of /etc/myorigin.
Or you can customize main.cf's myhostname.  Or any other of the many
possible solutions to this problem.

> What exactly do you mean by "... have fully-qualified hostnames?". I
> know what you mean by FQDN but in general although 'hostname -f' and
> 'dnsdomainname' return the domain name postfix still doesn't use it.

When Postfix says "hostname" it means "hostname" not "hostname -f".

The operation of "hostname -f" is to do a reverse DNS lookup on an IP
address associated with the host.  This is actually not something that
is guaranteed to be configured on the host.  Unless it is configured
in /etc/hosts locally it will fall through to DNS and depend upon the
DNS entry for the IP address.  (Which also requires live networking
active at that moment too.)  But which IP address?

The actual configuration values for /etc/hosts are also problematic.
Because 127.0.0.1 should map to "localhost" and "localhost" should map
to 127.0.0.1.  However many people have hacked this locally to map to
The One FQDN globally for the system.  This topic by itself is a large
discussion of a surprisingly large number of combinations, some of
which work for some things but not others, and the reverse.

This area of messy stuff was the motivation for Debian making a local
patch to default to "myorigin = /etc/myorigin" as that allows a single
main.cf to be used if /etc/myorigin is customized.  Personally I don't
like it as much however and don't use that functionality.  But it
might be perfect for you since it was designed with your case in mind.

And then there is a systemd module too.  (Isn't there always yet
another systemd rewrite that does things almost correctly but subtly
buggy?)  libnss_myhostname is a plugin module for the NSS Name Service
Switch part of libc and modifies the value returned by gethostname(2).

It's really quite a messy topic!

I myself set myhostname to the FQDN in main.cf and main.cf is
customized on every host.  I recommend a system configuration
infrastructure as that will generally be useful.  I wrote my own but
the popular ones are puppet, chef, salt, ansible, others...

Bob
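
An added example, not code from Bob's post: a small shell reproduction of how Postfix derives its built-in myhostname and mydomain defaults from the raw gethostname() value, following the rules stated in postconf(5). It goes a little beyond the thread's cases: the short hostname that yields isbdGandi.localdomain, the FQDN case, an explicit mydomain in main.cf, and a hostname whose remainder would be a top-level domain. The "localdomain" fallback is Postfix's documented default; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the thread): model Postfix's default derivation of
# myhostname and mydomain from the raw system hostname.  Assumption: the
# rules are as documented in postconf(5), with "localdomain" as the
# compiled-in fallback for mydomain.

# Default myhostname.  $1 is what gethostname(2) returns, i.e. "hostname"
# with no flags (not "hostname -f"); $2 is a mydomain set explicitly in
# main.cf, if any.  A name without a dot gets ".$mydomain" appended.
postfix_default_myhostname() {
    raw=$1
    explicit_mydomain=${2:-}
    case $raw in
        *.*) printf '%s\n' "$raw" ;;                                   # already an FQDN
        *)   printf '%s.%s\n' "$raw" "${explicit_mydomain:-localdomain}" ;;
    esac
}

# Default mydomain: myhostname minus its first label, unless what remains
# has no dot (a top-level domain, or "localdomain" itself), in which case
# Postfix falls back to "localdomain".
postfix_default_mydomain() {
    rest=${1#*.}
    if [ "$rest" = "$1" ] || [ "${rest#*.}" = "$rest" ]; then
        printf 'localdomain\n'
    else
        printf '%s\n' "$rest"
    fi
}

# Print both values for a hostname.  Note that "postconf -d" ignores main.cf,
# so on a host with a short hostname it always shows the .localdomain variant
# even when main.cf sets mydomain; "postconf myhostname" shows the effective value.
show_defaults() {
    mh=$(postfix_default_myhostname "$1" "${2:-}")
    md=$(postfix_default_mydomain "$mh")
    printf 'hostname=%s -> myhostname=%s mydomain=%s\n' "$1" "$mh" "$md"
}

show_defaults isbdGandi            # short name: isbdGandi.localdomain / localdomain
show_defaults isbdGandi.isbd.uk    # FQDN: isbdGandi.isbd.uk / isbd.uk
show_defaults t470 zbmc.eu         # short name plus "mydomain = zbmc.eu" in main.cf
```

The second and third calls are the two ways out of the thread's problem: either the system hostname is an FQDN, or mydomain is set per host; with neither, every address Postfix generates ends in .localdomain.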


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Bill Cole
On 10 Feb 2021, at 11:37, @lbutlr wrote:

>  A trivial script of a couple of lines should do the trick.

postconf -e mydomain=$( dnsdomainname ) && postfix reload

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: why people connect clamav as milter in main.cf and smapassassin in master.cf?

2021-02-10 Thread Bill Cole

On 10 Feb 2021, at 5:55, Marek Kozlowski wrote:

> I've read the recommended way of connecting clamav is via
> smtpd_milters in main.cf. But spamassassin in those tutorials is not
> connected that way but a master.cf entry is defined and a "-o
> content_filter=that_entry" for smtp service is added. If so many
> people do that there must be some reason for it. I'm wondering: what
> is the reason?


Cargo cult. It worked for someone, they wrote a web page to help others. 
Others used it and maybe tweaked something that made it work better or 
maybe they just preferred their own words or they wanted the credit for 
plagiarized work, and another web page goes up. Now there are 2 pages 
saying the same thing and they become the progenitors of more.


In addition to that, ClamAV includes a maintained Milter program. 
SpamAssassin comes with a bespoke client & server as well as a test 
script, but no Milter and no officially recommended methodology for 
integrating it with any particular MTA or MUA. There are at least 3 
Milter programs that can be used to integrate SA with Postfix or 
Sendmail but there's also the traditional Postfix way of using AmavisD 
in SMTP proxy mode and the oft-documented mechanism of using a 
content_filter service defined in master.cf.



> what's the difference?


Postfix has multiple interfaces that can be used for content filtering. 
The details of each can be seen in these README files in the Postfix 
documentation: FILTER_README, BUILTIN_FILTER_README, SMTPD_PROXY_README, 
and MILTER_README. The high-level difference between a Milter and a 
content_filter service is that the Milter API operates as an advisory 
service callable at each SMTP phase before Postfix accepts a message, 
while content_filter services are handed messages after Postfix has 
accepted and queued them. There is no particular reason to use ClamAV 
via Milter and SA via content_filter. I personally prefer using SA via a 
Milter, because it eliminates the dilemma of what to do with suspect 
mail that you've already accepted but do not want to deliver normally.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
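
As an added example, not from Bill's post and not the ClamAV or SpamAssassin projects' own documentation, here are the two integration styles he contrasts, side by side in Postfix syntax. The milter socket paths, the spamc user and the transport name are assumptions to be checked against the local installation (clamav-milter.conf's MilterSocket, the spamass-milter socket, the distribution's SpamAssassin user).

```conf
# ---- main.cf: ClamAV hooked in as a Milter (pre-queue, advisory) ----
# The milter is asked at each SMTP phase; a "reject" answer becomes a 5xx
# to the connecting client before Postfix ever queues the message.
# Socket path assumed: clamav-milter listening inside the Postfix chroot.
smtpd_milters = unix:/clamav/clamav-milter.ctl
non_smtpd_milters = $smtpd_milters
# If the milter is unreachable, defer (4xx) rather than silently accept.
milter_default_action = tempfail

# ---- master.cf: SpamAssassin as a content_filter (post-queue) ----
# By the time spamc runs, Postfix has already answered "250 Ok: queued",
# so the filter cannot reject; it can only tag, quarantine, discard or
# re-inject the message.  That is the dilemma Bill refers to.
smtp      inet  n       -       y       -       -       smtpd
  -o content_filter=spamassassin:
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

# ---- Bill's preference: SpamAssassin as a Milter as well ----
# With one of the third-party SA milters (e.g. spamass-milter) both tools
# run before acceptance and suspect mail is refused at the SMTP level.
# Socket path again assumed.  Replaces the smtpd_milters line above:
# smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
```

The practical difference for incident handling: a milter rejection leaves the sending side with a bounce and nothing on your disk, while a content_filter decision happens on a message you have already taken responsibility for, which is why post-queue filters should quarantine rather than silently drop.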


Re: client and ehlo hostname mismatch

2021-02-10 Thread Bill Cole

On 10 Feb 2021, at 14:41, Eugene Podshivalov wrote:

> Hello,
>
> I've just received a spam email from a client who presented itself as
> emx.mail.ru but its ip 117.30.137.22 resolves to
> 22.137.30.117.broad.xm.fj.dynamic.163data.com.cn
>
> Are reverse client hostname and the ehlo one not supposed to match?

In principle, yes. In reality, they very often do not, even with 
entirely legitimate email.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


client and ehlo hostname mismatch

2021-02-10 Thread Eugene Podshivalov
Hello,

I've just received a spam email from a client who presented itself as
emx.mail.ru but its ip 117.30.137.22 resolves to
22.137.30.117.broad.xm.fj.dynamic.163data.com.cn

 Are reverse client hostname and the ehlo one not supposed to match?

--Eugene


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 05:41:49PM +, Chris Green wrote:

> OK, what I want to do is as follows:-
> 
> I have several headless machines which need to be able to send error
> and other messages to me ch...@isbd.co.uk.

Directly to that address, or indirectly by sending mail to various local
accounts that alias to this address?  If the latter, and $myorigin is
listed in $mydestination, then alias these various accounts to the
desired recipient address.


> Looking at what you say above I see the following (on one of the
> existing systems in the LAN behind zbmc.eu) :-
> 
> chris$ postconf -d myorigin
> myorigin = $myhostname

Now you're reporting built-in default values ("-d" option of
"postconf").  That's not useful.  I was specifically telling what the
*default* value is.  If you have a non-default value you can report
it via "postconf -n".

> chris$ hostname -f
> t470.zbmc.eu

This is irrelevant.

> chris$ hostname
> t470

This shows a non-FQDN hostname.

> So one can see why (at present) I need to set 'mydomain = zbmc.eu'
> explicitly in main.cf, however I don't quite see how to change things
> so that they work how I want.

You still have not actually explained what specifically you want, but
if it is just ensuring FQDN header and envelope sender and recipient
addresses, then:

1.  Make sure "myorigin" is the desired FQDN.

* You can leave it at its default value of "$myhostname"
* You can set it to "$mydomain", which is inferred from the system
  hostname (with the expected result if that's an FQDN).
* You can set it explicitly to, e.g. "someorigin.example"

2.  Make sure that mydestination is either empty or lists only
$myorigin.

* If mydestination is empty, your envelope recipient address
  rewriting will be via virtual_alias_maps.

* If mydestination is $myorigin, your envelope recipient address
  rewriting will be via alias_maps.

In either case, your header address rewriting can be via either
or both of canonical_maps and smtp_generic_maps.

If you're setting up lots of nullclient Postfix configurations, you may
find some of the ideas in MULTI_INSTANCE_README helpful:

http://www.postfix.org/MULTI_INSTANCE_README.html#split

But get the basics working first.

-- 
Viktor.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread @lbutlr
On 10 Feb 2021, at 10:41, Chris Green  wrote:
>chris$ postconf -d myorigin
>myorigin = $myhostname
>chris$ postconf -d myhostname
>myhostname = t470.localdomain
>chris$ dnsdomainname
>zbmc.eu
>chris$ hostname -f
>t470.zbmc.eu
>chris$ hostname
>t470
> 
> So one can see why (at present) I need to set 'mydomain = zbmc.eu'
> explicitly in main.cf, however I don't quite see how to change things
> so that they work how I want.

Or, as was mentioned above, set your computer's name to a FQDN instead of a 
.localdomain and everything will work properly?

And

>chris@isbdGandi$ postconf -d myhostname mydomain myorigin
>myhostname = isbdGandi.isbd.uk
>mydomain = isbd.uk
>myorigin = $myhostname
> 
> ... and:-
>chris@isbdGandi$ hostname
>isbdGandi.isbd.uk
>chris@isbdGandi$ dnsdomainname
>isbd.uk
>chris@isbdGandi$ hostname -f
>isbdGandi.isbd.uk
>chris@isbdGandi$ 
> 
> With the system configured like this postfix sends mail for 'chris' to
> 'ch...@isbd.uk' which isn't very helpful, I need it to be sent to
> 'ch...@isbd.co.uk'.

Again, if you set your computers' names to FQDNs everything will work. Why are you 
using isbd.uk instead of isbd.co.uk which is the actual domain? Anyway, 
whatever the reason this seems to be the source of all your troubles. Set the 
domain names properly and then you can use a single unmodified main.cf.


-- 
Clarke's Law: Sufficiently advanced technology is indistinguishable from magic
Clark's Law: Sufficiently advanced cluelessness is indistinguishable from
malice
Clark Slaw: Anything that has been severely damaged or destroyed by application
of Clark's Law



Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 10:37:15AM -0700, @lbutlr wrote:
> On 10 Feb 2021, at 10:05, Chris Green  wrote:
> > but this doesn't seem to have worked.  What am I doing wrong now? (I
> > have run 'newaliases').
> 
> what does
> 
> postconf -d myhostname mydomain myorigin
> 
> Report?
> 
> It should report:
> 
> myhostname = isbdGandi.isbd.uk
> mydomain = isbd.uk
> myorigin = $myhostname
> 
chris@isbdGandi$ postconf -d myhostname mydomain myorigin
myhostname = isbdGandi.isbd.uk
mydomain = isbd.uk
myorigin = $myhostname

... and:-
chris@isbdGandi$ hostname
isbdGandi.isbd.uk
chris@isbdGandi$ dnsdomainname
isbd.uk
chris@isbdGandi$ hostname -f
isbdGandi.isbd.uk
chris@isbdGandi$ 

With the system configured like this postfix sends mail for 'chris' to
'ch...@isbd.uk' which isn't very helpful, I need it to be sent to
'ch...@isbd.co.uk'.

The above is with hostname set to the fqdn by running 'hostname
isbdGandi.isbd.uk' as root. However this isn't persistent, rebooting
sets hostname back to just isbdGandi.


If I reboot and don't explicitly set hostname I see:-

chris@isbdGandi$ hostname
isbdGandi
chris@isbdGandi$ hostname -f
isbdGandi.isbd.uk
chris@isbdGandi$ dnsdomainname
isbd.uk
chris@isbdGandi$ postconf -d myhostname mydomain myorigin
myhostname = isbdGandi.localdomain
mydomain = localdomain
myorigin = $myhostname

Obviously postfix uses localdomain as the domain and mail gets
rejected.  The configuration with just isbdGandi as the hostname seems
to be the default/right way that Linux systems expect to be.

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 12:17:47PM -0500, Viktor Dukhovni wrote:
> On Wed, Feb 10, 2021 at 05:05:52PM +, Chris Green wrote:
> 
> This may be a good time to clearly (re)state what problem you're trying
> to solve, now that you're apparently able to assign the desired mydomain
> to each machine.
> 
OK, what I want to do is as follows:-

I have several headless machines which need to be able to send error
and other messages to me ch...@isbd.co.uk.  All these systems have
'send only' postfix configurations whose sole function is to send
these messages to me.  Originally all these systems were on a LAN
behind zbmc.eu so setting 'mydomain = zbmc.eu' in main.cf worked for
all of them and I could use the same main.cf.

I now would like to use the same main.cf file in a few more systems
which are not on the same LAN and thus not the same domain.  Ideally
I'd like to continue using the same main.cf for all these systems,
this is simply to make my life easier maintaining them and such.

Looking at what you say above I see the following (on one of the
existing systems in the LAN behind zbmc.eu) :-

chris$ postconf -d myorigin
myorigin = $myhostname
chris$ postconf -d myhostname
myhostname = t470.localdomain
chris$ dnsdomainname
zbmc.eu
chris$ hostname -f
t470.zbmc.eu
chris$ hostname
t470

So one can see why (at present) I need to set 'mydomain = zbmc.eu'
explicitly in main.cf, however I don't quite see how to change things
so that they work how I want.

Thanks for all the help so far everybody, I really do appreciate it.

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread @lbutlr
On 10 Feb 2021, at 10:05, Chris Green  wrote:
> but this doesn't seem to have worked.  What am I doing wrong now? (I
> have run 'newaliases').

what does

postconf -d myhostname mydomain myorigin

Report?

It should report:

myhostname = isbdGandi.isbd.uk
mydomain = isbd.uk
myorigin = $myhostname

NONE of these should need to be set in main.cf, as they are default values.

-- 
'Ah... I see that the new traffic division is having the desired
effect.' He indicated a large pile of paper. 'I am getting any
amount of complaints from the Carters' and Drovers' Guild. Well
done. Do pass on my thanks to Sergeant Colon and his team.'
'I will, sir.'
'I see in one day they clamped seventeen carts, ten horses, eighteen oxen and 
one duck.'
'It was parked illegally, sir.'



Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 05:14:57PM +, Chris Green wrote:

> What exactly do you mean by "... have fully-qualified hostnames?".

This means that the raw system hostname reported via `uname -n` or
`hostname` commands (really the underlying system calls) is an FQDN.

> I know what you mean by FQDN but in general although 'hostname -f' and
> 'dnsdomainname' return the domain name postfix still doesn't use it.

Neither of these reports the raw system hostname (on Linux).

-- 
Viktor.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 05:05:52PM +, Chris Green wrote:

> So I have the FQDN everywhere:-
> 
> chris@isbdGandi$ hostname
> isbdGandi.isbd.uk
> 
> ... and now postfix sends cron mail *to* ch...@isbd.uk as well as from
> ch...@isbd.uk which doesn't help at all!  I have an entry for chris in
> /etc/aliases:-

The built-in default is:

$ postconf -d myorigin
myorigin = $myhostname

Looks like you've set "myorigin = $mydomain", with $mydomain inferred
from the hostname by dropping the first FQDN label.

> chris:ch...@isbd.co.uk
> 
> but this doesn't seem to have worked.  What am I doing wrong now? (I
> have run 'newaliases').

The aliases(5) table is only consulted when delivering mail to local
recipients (domain listed in $mydestination) via the local(8) delivery
agent.  Alias expansion applies only to envelope recipient addresses,
and generally (absent an "owner-" alias) does not affect the envelope
sender or mail headers.

This may be a good time to clearly (re)state what problem you're trying
to solve, now that you're apparently able to assign the desired mydomain
to each machine.

-- 
Viktor.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 11:36:42AM -0500, Viktor Dukhovni wrote:
> On Wed, Feb 10, 2021 at 03:01:44PM +, Chris Green wrote:
> 
> > Local hostname doesn't have FQDN by default though:-
> > 
> > chris@isbdGandi$ hostname
> > isbdGandi
> > chris@isbdGandi$ hostname -f
> > isbdGandi.isbd.uk
> > 
> > > Do your OS instances have their hostnames?
> >
> > See above.
> 
> The simplest solution is to arrange for the systems to instead have
> fully-qualified hostnames.  This will likely have additional benefits
> down the line.
> 
They have, it doesn't seem to help.

What exactly do you mean by "... have fully-qualified hostnames?". I
know what you mean by FQDN but in general although 'hostname -f' and
'dnsdomainname' return the domain name postfix still doesn't use it.

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 05:31:47PM +0100, Matus UHLAR - fantomas wrote:
> > > On 10.02.2021 at 15:10:09 Chris Green wrote:
> > > >
> > > > These systems are all systemd'ed so I can't just run postfix as above.
> > > > However will 'postconf "myhostname = $(dnsdomainname)"' actually
> > > > change/set the myhostname value in main.cf?  If so then simply putting
> > > > the postconf command in /etc/rc.local will do all I need, especially
> > > > after one reboot.
> 
> > On Wed, Feb 10, 2021 at 04:40:13PM +0100, Jaroslaw Rafa wrote:
> > > Are these machines moved from domain to domain? Ie. is it possible that
> > > "dnsdomainname" will change, or is it the same all the time? If the 
> > > latter,
> > > I don't see why do you need to set it at each reboot - it is enough to set
> > > it once. So I would try to set it in a script that deploys/copies Postfix
> > > configuration to the target machine.
> 
> On 10.02.21 15:55, Chris Green wrote:
> > I could just edit the value in each system, but then all the main.cf
> > files would be different.
> 
> setting "myhostname = $(dnsdomainname)" as Wietse recommended would not.
> 
Yes, but since I'd have to add something to each rc.local (and they're
mostly default, i.e. as installed) it's more stuff to keep maintained.


> Setting FQDN hostname or maybe setting own IP with FQDN in /etc/hosts would
> not (I'm not sure whether the latter one would be enough, you can try)
> 
Yes, I've tried these.  I added the FQDN to /etc/hosts such that
dnsdomainname returns the domain but postfix doesn't use that.  I've
also tried setting 'hostname ' and that hasn't helped either.


> I was in your situation some years ago, when I maintained the same configs
> for multiple apps on multiple servers. I maintained /etc/hosts and
> hostnames per-machine and most of the rest was the same.
> 
So I have the FQDN everywhere:-

chris@isbdGandi$ hostname
isbdGandi.isbd.uk
chris@isbdGandi$ more /etc/hosts
# The following lines are desirable for IPv4 capable hosts
127.0.0.1   isbdGandi.isbd.uk isbdGandi isbd localhost
...
...
chris@isbdGandi$ dnsdomainname
isbd.uk
chris@isbdGandi$ 

... and now postfix sends cron mail *to* ch...@isbd.uk as well as from
ch...@isbd.uk which doesn't help at all!  I have an entry for chris in
/etc/aliases:-

chris:ch...@isbd.co.uk

but this doesn't seem to have worked.  What am I doing wrong now? (I
have run 'newaliases').




-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread @lbutlr
On 10 Feb 2021, at 07:36, Chris Green  wrote:
> So myhostname isn't explicitly set.
That is correct. Myhostname is not normally set, it is taken from the machine 
name by postfix. The only reason you would declare it in main.cf is to override 
the name for some reasons.

   postconf -d myhostname

Will return the DEFAULT value for myhostname. Should be unique to each of your 
machines.

-- 
"Life is one damned kitten after another." Mehitabel the Alley Cat



Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread @lbutlr
On 10 Feb 2021, at 07:03, ludic...@gmail.com wrote:
>> It would be really handy if I could get postfix to use the value returned by
>> the dnsdomainname command for its mydomain value as I could then use the
>> same main.cf file in several headless 'send only'
>> systems where postfix is used solely for sending error messages from cron
>> and similar.
> Can't this be simply done by bash/cron?

Yes. Or even just sed. Create the base file with a placeholder mydomain and 
then replace it. I'm not sure why you would need to do this though, unless 
myhostname is not getting set properly.

> postfix reload

Ah, yes, a shell script would be the simplest way to reload after making the 
change.

> Not sure about startup / system boot.

Unless the hostname is changing at boot that shouldn't be any issue, but if it 
is it should be trivial to hook into the rc.d startup script to do this. A 
trivial script of a couple of lines should do the trick.


-- 
If there's a bustle in your hedgerow don't be alarmed now.



Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Viktor Dukhovni
On Wed, Feb 10, 2021 at 03:01:44PM +, Chris Green wrote:

> Local hostname doesn't have FQDN by default though:-
> 
> chris@isbdGandi$ hostname
> isbdGandi
> chris@isbdGandi$ hostname -f
> isbdGandi.isbd.uk
> 
> > Do your OS instances have their hostnames?
>
> See above.

The simplest solution is to arrange for the systems to instead have
fully-qualified hostnames.  This will likely have additional benefits
down the line.

If, for some reason, that is not something you're willing/able to do,
then you can use "make" to construct the "main.cf" file for each host,
distributing instead a "Makefile" and a "main.cf.in":

Makefile:
# recipe lines below must be indented with a tab, as make requires
main.cf: main.cf.in
	mkdir -p staged
	cp main.cf.in staged/main.cf
	# set mydomain in the staged copy; "$$" is make's escape for a shell "$"
	domain=`domainname` && postconf -c `pwd`/staged mydomain=$$domain
	# install the staged file only if it differs from the live main.cf
	if ! cmp -s staged/main.cf main.cf; then mv staged/main.cf main.cf; fi

main.cf.in:
# whatever
...

Deployment command: "umask 022; cd /etc/postfix; make".  You can even do
something similar for deploying multi-instance configurations, by
iterating "make" over each instance.

-- 
Viktor.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Matus UHLAR - fantomas

> > On 10.02.2021 at 15:10:09 Chris Green wrote:
> > >
> > > These systems are all systemd'ed so I can't just run postfix as above.
> > > However will 'postconf "myhostname = $(dnsdomainname)"' actually
> > > change/set the myhostname value in main.cf?  If so then simply putting
> > > the postconf command in /etc/rc.local will do all I need, especially
> > > after one reboot.

> On Wed, Feb 10, 2021 at 04:40:13PM +0100, Jaroslaw Rafa wrote:
> > Are these machines moved from domain to domain? Ie. is it possible that
> > "dnsdomainname" will change, or is it the same all the time? If the latter,
> > I don't see why do you need to set it at each reboot - it is enough to set
> > it once. So I would try to set it in a script that deploys/copies Postfix
> > configuration to the target machine.

On 10.02.21 15:55, Chris Green wrote:
> I could just edit the value in each system, but then all the main.cf
> files would be different.

setting "myhostname = $(dnsdomainname)" as Wietse recommended would not.

Setting FQDN hostname or maybe setting own IP with FQDN in /etc/hosts would
not (I'm not sure whether the latter one would be enough, you can try)

I was in your situation some years ago, when I maintained the same configs
for multiple apps on multiple servers. I maintained /etc/hosts and
hostnames per-machine and most of the rest was the same.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
2B|!2B, that's a question!


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Jaroslaw Rafa
On 10.02.2021 at 15:55:23 Chris Green wrote:
> 
> Currently I have a single main.cf file kept in mercurial that I deploy
> on all these systems.  If I change the file in my mercurial repository
> the change gets distributed to all systems (by a file synchronising
> process).  I'm just trying to see if I can keep my single master
> version of main.cf with a different domain name for each system. 
[...]
> I don't currently have a mechanism for manipulating files during
> deployment from the mercurial repository to the destination.

I was thinking of using some placeholder in your "master" cf file instead of
domain name, that gets replaced by a proper value during copying file to the
destination server. This would probably require adding some custom script to
the command that deploys files onto the target that modifies the file after
downloading it.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
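
An added example, not code from Jaroslaw's or Viktor's posts, that implements what the two of them describe: a single main.cf template deployed to every host, with the per-host domain spliced in at install time and the staged result installed only when it differs. It assumes the template marks the domain with a placeholder I chose, @MYDOMAIN@, takes the domain from dnsdomainname unless one is passed explicitly, and refuses to install anything unless the domain value looks like a real DNS name, since a host that answers "(none)" or "localdomain" should not silently get a main.cf built from that.

```sh
#!/bin/sh
# Added example (not from the thread): deploy one shared main.cf template
# to many hosts, splicing in the per-host domain at install time.
# Assumptions: the template uses the placeholder @MYDOMAIN@ (my choice),
# the domain comes from `dnsdomainname` unless given explicitly, and the
# staged copy is installed only when it differs from the live file.
set -u

# Accept only a sane DNS name before it is spliced into main.cf: labels of
# letters, digits and hyphens joined by dots, at least two labels, on one
# line.  "(none)", an empty string, a single label such as "localdomain",
# or anything with spaces or shell metacharacters is refused.
valid_domain() {
    [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" -eq 0 ] || return 1
    printf '%s' "$1" |
        grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Render template ($1) into staging file ($3) with the validated domain ($2).
# The regex above guarantees the value contains no sed-special characters.
render_main_cf() {
    valid_domain "$2" || { echo "refusing to deploy with domain '$2'" >&2; return 1; }
    sed "s/@MYDOMAIN@/$2/g" "$1" > "$3"
}

# Move the staged file ($1) over the target ($2) only when the content
# differs; prints "changed" or "unchanged" so the caller knows whether a
# "postfix reload" is needed (the cmp -s step from Viktor's Makefile).
install_if_changed() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        echo unchanged
    else
        mv "$1" "$2" && echo changed
    fi
}

# Whole deployment for one host: deploy TEMPLATE CONFDIR [DOMAIN]
deploy() {
    confdir=$2
    domain=${3:-$(dnsdomainname)}
    mkdir -p "$confdir/staged"
    render_main_cf "$1" "$domain" "$confdir/staged/main.cf" || return 1
    result=$(install_if_changed "$confdir/staged/main.cf" "$confdir/main.cf")
    echo "$result"
    # On a real host, follow with:  [ "$result" = changed ] && postfix reload
}

# Typical invocation from the file-sync hook on each host (paths assumed):
#   deploy /etc/postfix/main.cf.in /etc/postfix
```

Because the template itself is what is kept in version control, a change to any other parameter is still made once; only the @MYDOMAIN@ line differs between hosts, and "postconf -n" on each host shows the effective value.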


Re: disable local delivery for virtual alias domain

2021-02-10 Thread Matteo Cazzador

Thanks! all is clear.

On 10/02/2021 16:41, Matus UHLAR - fantomas wrote:

> On 10.02.21 16:19, Matteo Cazzador wrote:
> > Hi, I've a problem related to forwarding external mail (using relayhost)
> > on my server: my mail server hosts "x.com" as a virtual domain, but I
> > need to force every email to domain "x.com" to be sent directly (by
> > forwarding) using an external relayhost.
>
> x.com is a registered domain, is it yours? If not, use example.com,
> example.net, example.org.
>
> > But I obtain an error "*User unknown in virtual alias table*" when I
> > try to send email to a user "@x.com".
>
> If the mail server hosts x.com as a virtual domain, it's treated locally and
> thus mail to it is resolved locally. That's why you get "User unknown".
>
> If mail for x.com is to be forwarded, it must not be hosted locally.
> see:
> http://www.postfix.org/ADDRESS_CLASS_README.html
>
> > webser...@x.com must be forwarded to 4 email addresses, us...@x.com
> > us...@x.com etc. that reside on an external mail server.
>
> you can alias webser...@x.com locally using virtual_alias_maps, without
> x.com being configured locally.
>
> Note that the destination server should know how to expand webser...@x.com
> properly, otherwise you can get inconsistent results.
>
> > I want to force to send all email direct to virtual "x.com" using
> > relayhost and not locally delivered.
>
> put it out of virtual_alias_domains or wherever it's defined.


--

Respect the environment: if you don't need to, do not print this e-mail.


The information contained in this e-mail and in any attached files is
intended solely for its addressees and is to be considered strictly
confidential. Copying, saving, using, forwarding to third parties or
disseminating the content of this message without prior consent is
prohibited, pursuant to Article 616 of the Italian Penal Code and Law no.
196/2003. If you have received this message in error, please notify the
sender immediately and delete its content without further or different
processing.


**
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email: mat...@netlite.it
Web: http://www.netlite.it
**
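
As an added example, not part of the exchange above, here are the "before" and "after" main.cf settings that Matus's answer describes, with example.com standing in for the poster's x.com, a constructed relayhost, and constructed recipient addresses in the virtual map.

```conf
# ---- BEFORE (added example): the configuration that produces
# "User unknown in virtual alias table" ----
# Listing example.com in virtual_alias_domains makes it a local address
# class: Postfix itself is the final destination, so every example.com
# recipient must have a virtual_alias_maps entry and anything else is
# rejected locally instead of being relayed.
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
relayhost = [relay.example.net]:587

# ---- AFTER: example.com is in no local address class, so mail for it
# is routed to relayhost like any other remote domain ----
# virtual_alias_maps still applies: it rewrites matching addresses in any
# domain, hosted here or not (ADDRESS_CLASS_README), so the one address
# that must fan out locally keeps working.  Also make sure example.com is
# not in mydestination, virtual_mailbox_domains or relay_domains, and
# that the relay side expands webserver@ the same way if it sees it.
virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual
relayhost = [relay.example.net]:587

# /etc/postfix/virtual (constructed; run "postmap /etc/postfix/virtual"
# after editing).  The four recipients are placeholders.
# webserver@example.com  user1@example.com, user2@example.com, user3@example.com, user4@example.com
```

With the "after" settings, mail submitted from mynetworks for example.com is relayed; mail for it arriving from the outside will be refused as relaying unless example.com is also in relay_domains, which is the intended behaviour for a domain that is not hosted here.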



Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 04:40:13PM +0100, Jaroslaw Rafa wrote:
> On 10.02.2021 at 15:10:09 Chris Green wrote:
> > 
> > These systems are all systemd'ed so I can't just run postfix as above.
> > However will 'postconf "myhostname = $(dnsdomainname)"' actually
> > change/set the myhostname value in main.cf?  If so then simply putting
> > the postconf command in /etc/rc.local will do all I need, especially
> > after one reboot.
> 
> Are these machines moved from domain to domain? Ie. is it possible that
> "dnsdomainname" will change, or is it the same all the time? If the latter,
> I don't see why do you need to set it at each reboot - it is enough to set
> it once. So I would try to set it in a script that deploys/copies Postfix
> configuration to the target machine.

I could just edit the value in each system, but then all the main.cf
files would be different.

Currently I have a single main.cf file kept in mercurial that I deploy
on all these systems.  If I change the file in my mercurial repository
the change gets distributed to all systems (by a file synchronising
process).  I'm just trying to see if I can keep my single master
version of main.cf with a different domain name for each system. 

I can keep different versions of main.cf for each system in mercurial
but that means if I want/need to change something related to postfix I
have to remember to make the change in multiple main.cf files.

I don't currently have a mechanism for manipulating files during
deployment from the mercurial repository to the destination.

-- 
Chris Green


Re: why people connect clamav as milter in main.cf and smapassassin in master.cf?

2021-02-10 Thread Jaroslaw Rafa
On 10.02.2021 at 10:42:08 Kris Deugau wrote:
> 
> I would say the main reason for the difference is that the core
> SpamAssassin project itself doesn't have a milter component, so
> there's no way to use that method to link it in, whereas ClamAV
> doesn't really have a content-filter-compatible mode that I recall
> where it can pass through complete messages with optional flagging -
> but it does natively include a milter component.

But there are separate projects (at least three if I remember correctly)
that provide milter for spamassassin. Plus there's amavis, very popular,
that integrates clamav and spamassassin.

Myself I stopped using spamassassin as content filter when I needed to
implement DKIM signing milter in my server, because use of a content filter
caused outgoing mail to be signed twice - and switched to spamass-milter.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: why people connect clamav as milter in main.cf and smapassassin in master.cf?

2021-02-10 Thread Kris Deugau

Marek Kozlowski wrote:

> :-)
>
> I know that clamav and spamassassin are out of scope of this list. But
> my question is more postfix-related. Most systems and Linux distros have
> tutorials on postfix, spamassassin and clamav. In most of those I've read,
> the recommended way of connecting clamav is via smtpd_milters in main.cf.
> But spamassassin in those tutorials is not connected that way but a
> master.cf entry is defined and a "-o content_filter=that_entry" for smtp
> service is added. If so many people do that there must be some reason
> for it. I'm wondering: what is the reason? what's the difference?


I would say the main reason for the difference is that the core 
SpamAssassin project itself doesn't have a milter component, so there's 
no way to use that method to link it in, whereas ClamAV doesn't really 
have a content-filter-compatible mode that I recall where it can pass 
through complete messages with optional flagging - but it does natively 
include a milter component.


Personally I'd rather call both from a secondary glue layer for more 
flexibility (especially for certain ClamAV tests that are valuable but 
which I don't trust as absolute go/no-go results).  My own favoured tool 
is MIMEDefang since it can express complex filtering policies based on 
results from multiple tools like SpamAssassin or ClamAV plus anything 
you can code up in Perl.  For inbound mail I prefer to push SpamAssassin 
out to the final delivery for more flexible per-user handling as well as 
integrating it with mail sorting.


-kgd


Re: disable local delivery for virtual alias domain

2021-02-10 Thread Matus UHLAR - fantomas

On 10.02.21 16:19, Matteo Cazzador wrote:
> Hi, I have a problem related to forwarding external mail (using relayhost)
> on my server. My mail server hosts "x.com" as a virtual domain,
> but I need to force every email to domain "x.com" to be sent directly
> (by forwarding) using an external relayhost.


x.com is a registered domain, is it yours? If not, use example.com,
example.net, example.org.

> But I obtain an error "*User unknown in virtual alias table*" when I
> try to send email to a user "@x.com".


If the mail server hosts x.com as a virtual domain, it's treated locally and thus
mail to it is resolved locally. That's why you get "User unknown".

If mail for x.com is to be forwarded, it must not be hosted locally.
see:
http://www.postfix.org/ADDRESS_CLASS_README.html

> webser...@x.com must be forwarded to 4 email addresses, us...@x.com
> us...@x.com etc etc
> 
> that reside on an external mail server.


you can alias webser...@x.com locally using virtual_alias_maps, without
x.com being configured locally.

Note that the destination server should know how to expand webser...@x.com
properly, otherwise you can get inconsistent results.

> I want to force all email to virtual "x.com" to be sent using the
> relayhost and not delivered locally.


Take it out of virtual_alias_domains or wherever it's defined.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Remember half the people you know are below average.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Jaroslaw Rafa
On 10.02.2021 at 15:10:09 Chris Green wrote:
> 
> These systems are all systemd'ed so I can't just run postfix as above.
> However will 'postconf "myhostname = $(dnsdomainname)"' actually
> change/set the myhostname value in main.cf?  If so then simply putting
> the postconf command in /etc/rc.local will do all I need, especially
> after one reboot.

Are these machines moved from domain to domain? I.e. is it possible that
"dnsdomainname" will change, or is it the same all the time? If the latter,
I don't see why you need to set it at each reboot - it is enough to set
it once. So I would try to set it in a script that deploys/copies the Postfix
configuration to the target machine.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


disable local delivery for virtual alias domain

2021-02-10 Thread Matteo Cazzador
Hi, I have a problem related to forwarding external mail (using relayhost)
on my server. My mail server hosts "x.com" as a virtual domain,
but I need to force every email to domain "x.com" to be sent directly
(by forwarding) using an external relayhost.


But I obtain an error "*User unknown in virtual alias table*" when I try
to send email to a user "@x.com".


I have tried using transport without success.

My scenario is:

webser...@x.com must be forwarded to 4 email addresses, us...@x.com
us...@x.com etc etc


that reside on an external mail server.

I want to force all email to virtual "x.com" to be sent using the
relayhost and not delivered locally.


Something like disabling all local delivery or ignoring local virtual table users.

Is it possible?

Thanks

--

Respect the environment: if you don't need to, don't print this email.


The information contained in this e-mail and in any attached files
is intended solely for its addressees
and is to be considered strictly confidential.
Copying, saving, using, forwarding to third parties and disseminating
the contents of this message without prior consent is prohibited, pursuant
to Article 616 of the Italian Penal Code and Law no. 196/2003.
If you have received this message in error, please notify the sender
address immediately and delete its contents
without further or different processing.


**
Ing. Matteo Cazzador
NetLite snc di Cazzador Gagliardi
Corso Vittorio Emanuele II, 188 37069
Villafranca di Verona VR
Tel 0454856656
Fax 0454856655
Email:mat...@netlite.it
Web:http://www.netlite.it
**


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 09:53:02AM -0500, Wietse Venema wrote:
> Chris Green:
> > On Wed, Feb 10, 2021 at 03:14:11PM +0100, Matus UHLAR - fantomas wrote:
> > > On 10.02.21 13:57, Chris Green wrote:
> > > > It would be really handy if I could get postfix to use the value
> > > > returned by the dnsdomainname command for its mydomain value as I
> > > > could then use the same main.cf file in several headless 'send only'
> > > > systems where postfix is used solely for sending error messages from
> > > > cron and similar.
> > > > 
> > > > There isn't an 'include' type directive in postfix configuration so I
> > > > can't see any way of doing this by capturing the output of
> > > > dnsdomainname at startup and then including this in main.cf.
> > > > 
> > > > Has anyone else wanted to do anything like this and come up with a
> > > > solution?
> > > 
> > > 
> > > the default is get from your myhostname, can't you set up that one?
> > > 
> > > btw are you sure you dont mean myorigin instead of mydomain?
> > > 
> > Apart from the TLS/SASL bits the main.cf for all these headless
> > systems is:-
> > 
> > mydomain = zbmc.eu
> > myorigin = $mydomain
> > relayhost = [mail.gandi.net]:465
> > luser_relay = ch...@isbd.co.uk
> > local_recipient_maps =
> > #
> > #
> > # We don't accept any incoming connections
> > #
> > mydestination =
> > inet_interfaces = loopback-only
> > 
> > So myhostname isn't explicitly set.
> > 
> > Having 'mydomain = zbmc.eu' worked until now because the systems in
> > question were on a LAN which is zbmc.eu.  However I'd now rather like
> > to use the same main.cf on some systems which aren't on the same LAN.
> > It does need to be set so that one can tell easily where messages come
> > from.
> 
> First, there is no requirement to SET myhostname. Postfix uses the SYSTEM
> HOSTNAME by default. Postfix will automatically append $mydomain
> if the SYSTEM HOSTNAME is not in FQDN form.
> 
Yes, OK, that's exactly what I'm seeing.

> Second, please don't run sed on main.cf or master.cf. Use postconf
> commands instead.
> 
> For example:
> 
> postconf "myhostname = $(dnsdomainname)"
> postfix start
> 
OK, I was just explaining why I didn't particularly want to do this
sort of thing; sed was just the first thing that came to mind.

These systems are all systemd'ed so I can't just run postfix as above.
However will 'postconf "myhostname = $(dnsdomainname)"' actually
change/set the myhostname value in main.cf?  If so then simply putting
the postconf command in /etc/rc.local will do all I need, especially
after one reboot.

> Not all the world is LINUX, and most systems get along with the
> defaults just fine.
> 
Yes, I know, I'm from a mixed background of Sun Solaris and Dec Ultrix
in days gone by.  I just get my ?nix fix by running Linux on all my
own systems! :-)

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 03:47:29PM +0100, Matus UHLAR - fantomas wrote:
> On 10.02.21 14:36, Chris Green wrote:
> > Apart from the TLS/SASL bits the main.cf for all these headless
> > systems is:-
> > 
> >mydomain = zbmc.eu
> >myorigin = $mydomain
> >relayhost = [mail.gandi.net]:465
> >luser_relay = ch...@isbd.co.uk
> >local_recipient_maps =
> >#
> >#
> ># We don't accept any incoming connections
> >#
> >mydestination =
> >inet_interfaces = loopback-only
> > 
> > So myhostname isn't explicitly set.
> 
> myhostname is set by default to your local hostname and mydomain is set by
> default to your hostname stripped of its first segment.
> 
Local hostname doesn't have FQDN by default though:-

chris@isbdGandi$ hostname
isbdGandi
chris@isbdGandi$ hostname -f
isbdGandi.isbd.uk

> Do your OS instances have their hostnames?
> 
See above.


> > Having 'mydomain = zbmc.eu' worked until now because the systems in
> > question were on a LAN which is zbmc.eu.  However I'd now rather like
> > to use the same main.cf on some systems which aren't on the same LAN.
> > It does need to be set so that one can tell easily where messages come
> > from.
> 
> don't set the myhostname or mydomain in main.cf, and you'll get the default
> values. You can use them.
> 
If I remove the mydomain setting from main.cf outgoing mail fails:-

Feb 10 15:42:03 isbdGandi postfix/smtp[3852]: A59B186D46:
to=, relay=mail.gandi.net[217.70.178.9]:465,
delay=0.35, delays=0.06/0/0.07/0.21, dsn=5.5.2, status=bounced (host
mail.gandi.net[217.70.178.9] said: 504 5.5.2 :
Recipient address rejected: need fully-qualified address (in reply to
RCPT TO command))

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Wietse Venema
Chris Green:
> On Wed, Feb 10, 2021 at 03:14:11PM +0100, Matus UHLAR - fantomas wrote:
> > On 10.02.21 13:57, Chris Green wrote:
> > > It would be really handy if I could get postfix to use the value
> > > returned by the dnsdomainname command for its mydomain value as I
> > > could then use the same main.cf file in several headless 'send only'
> > > systems where postfix is used solely for sending error messages from
> > > cron and similar.
> > > 
> > > There isn't an 'include' type directive in postfix configuration so I
> > > can't see any way of doing this by capturing the output of
> > > dnsdomainname at startup and then including this in main.cf.
> > > 
> > > Has anyone else wanted to do anything like this and come up with a
> > > solution?
> > 
> > 
> > the default is taken from your myhostname, can't you set that one up?
> > 
> > btw are you sure you don't mean myorigin instead of mydomain?
> > 
> Apart from the TLS/SASL bits the main.cf for all these headless
> systems is:-
> 
> mydomain = zbmc.eu
> myorigin = $mydomain
> relayhost = [mail.gandi.net]:465
> luser_relay = ch...@isbd.co.uk
> local_recipient_maps =
> #
> #
> # We don't accept any incoming connections
> #
> mydestination =
> inet_interfaces = loopback-only
> 
> So myhostname isn't explicitly set.
> 
> Having 'mydomain = zbmc.eu' worked until now because the systems in
> question were on a LAN which is zbmc.eu.  However I'd now rather like
> to use the same main.cf on some systems which aren't on the same LAN.
> It does need to be set so that one can tell easily where messages come
> from.

First, there is no requirement to SET myhostname. Postfix uses the SYSTEM
HOSTNAME by default. Postfix will automatically append $mydomain
if the SYSTEM HOSTNAME is not in FQDN form.

Second, please don't run sed on main.cf or master.cf. Use postconf
commands instead.

For example:

postconf "myhostname = $(dnsdomainname)"
postfix start

Not all the world is LINUX, and most systems get along with the
defaults just fine.

Wietse


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 03:14:11PM +0100, Matus UHLAR - fantomas wrote:
> On 10.02.21 13:57, Chris Green wrote:
> > It would be really handy if I could get postfix to use the value
> > returned by the dnsdomainname command for its mydomain value as I
> > could then use the same main.cf file in several headless 'send only'
> > systems where postfix is used solely for sending error messages from
> > cron and similar.
> > 
> > There isn't an 'include' type directive in postfix configuration so I
> > can't see any way of doing this by capturing the output of
> > dnsdomainname at startup and then including this in main.cf.
> > 
> > Has anyone else wanted to do anything like this and come up with a
> > solution?
> 
> 
> the default is taken from your myhostname, can't you set that one up?
> 
> btw are you sure you don't mean myorigin instead of mydomain?
> 
Apart from the TLS/SASL bits the main.cf for all these headless
systems is:-

mydomain = zbmc.eu
myorigin = $mydomain
relayhost = [mail.gandi.net]:465
luser_relay = ch...@isbd.co.uk
local_recipient_maps =
#
#
# We don't accept any incoming connections
#
mydestination =
inet_interfaces = loopback-only

So myhostname isn't explicitly set.

Having 'mydomain = zbmc.eu' worked until now because the systems in
question were on a LAN which is zbmc.eu.  However I'd now rather like
to use the same main.cf on some systems which aren't on the same LAN.
It does need to be set so that one can tell easily where messages come
from.

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Matus UHLAR - fantomas

On 10.02.21 13:57, Chris Green wrote:
> 
> It would be really handy if I could get postfix to use the value
> returned by the dnsdomainname command for its mydomain value as I
> could then use the same main.cf file in several headless 'send only'
> systems where postfix is used solely for sending error messages from
> cron and similar.
> 
> There isn't an 'include' type directive in postfix configuration so I
> can't see any way of doing this by capturing the output of
> dnsdomainname at startup and then including this in main.cf.
> 
> Has anyone else wanted to do anything like this and come up with a
> solution?



the default is taken from your myhostname, can't you set that one up?

btw are you sure you don't mean myorigin instead of mydomain?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
On Wed, Feb 10, 2021 at 03:03:47PM +0100, ludic...@gmail.com wrote:
> > From: owner-postfix-us...@postfix.org  On
> > behalf of Chris Green
> > Sent: Wednesday, 10 February 2021 14:57
> > To: postfix-users@postfix.org
> > Subject: Can I get postfix to use what's returned by dnsdomainname for
> > mydomain?
> > 
> > It would be really handy if I could get postfix to use the value returned by
> > the dnsdomainname command for its mydomain value as I could then use the
> > same main.cf file in several headless 'send only'
> > systems where postfix is used solely for sending error messages from cron
> > and similar.
> > 
> > There isn't an 'include' type directive in postfix configuration so I can't
> > see any way of doing this by capturing the output of dnsdomainname at
> > startup and then including this in main.cf.
> > 
> > Has anyone else wanted to do anything like this and come up with a solution?
> 
> Can't this be simply done by bash/cron?
> 
> Execute dnsdomainname
> Alter main.cf
> postfix reload
> 
> Not sure about startup / system boot.
> 
> Just my first thoughts.
> 
Yes, I *could* do something like this but it's quite a bit of added
complexity for what is really quite a simple requirement.  I'd have to
add a bit of code to run from (say) /etc/rc.local which would have to
run sed or something similar against the main.cf file.

-- 
Chris Green


Re: Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread ludicree
Can't this be simply done by bash/cron?

Execute dnsdomainname
Alter main.cf
postfix reload

Not sure about startup / system boot.

Just my first thoughts.

Greets,
Ludi

-Original Message-
From: owner-postfix-us...@postfix.org  On
behalf of Chris Green
Sent: Wednesday, 10 February 2021 14:57
To: postfix-users@postfix.org
Subject: Can I get postfix to use what's returned by dnsdomainname for
mydomain?

It would be really handy if I could get postfix to use the value returned by
the dnsdomainname command for its mydomain value as I could then use the
same main.cf file in several headless 'send only'
systems where postfix is used solely for sending error messages from cron
and similar.

There isn't an 'include' type directive in postfix configuration so I can't
see any way of doing this by capturing the output of dnsdomainname at
startup and then including this in main.cf.

Has anyone else wanted to do anything like this and come up with a solution?

--
Chris Green



Can I get postfix to use what's returned by dnsdomainname for mydomain?

2021-02-10 Thread Chris Green
It would be really handy if I could get postfix to use the value
returned by the dnsdomainname command for its mydomain value as I
could then use the same main.cf file in several headless 'send only'
systems where postfix is used solely for sending error messages from
cron and similar.

There isn't an 'include' type directive in postfix configuration so I
can't see any way of doing this by capturing the output of
dnsdomainname at startup and then including this in main.cf.

Has anyone else wanted to do anything like this and come up with a
solution?

-- 
Chris Green


Re: Stuck with "unable to look up host"

2021-02-10 Thread @lbutlr
On 10 Feb 2021, at 04:13, Matus UHLAR - fantomas  wrote:
> On 09.02.21 14:22, @lbutlr wrote:
>> But yes, each admin needs to look at their logs and see who
>> is still using encryption they should not be using (especially since this
>> probably indicates they have not updated the ssl libraries and are going
>> to be open to any flaws/attacks/CVEs discovered since TLSv1 and TLSv1.1
>> were EOLed, making them less-trustworthy in general.

> still more trustworthy than no encryption at all

That is one way of looking at it, yes. Another way of looking at it is that a 
server that hasn't updated their cryptography libraries in nearly a year is not 
a trustworthy source of mail.

There's not a single answer.

(I haven't dropped TLSv1/1.1 yet, but I am checking the logs over the next week 
or so and probably will if I continue to see only spammers using it.)

-- 
'In the Fyres of Struggle let us bake New Men, who Will Notte heed
the old Lies.'



Re: why people connect clamav as milter in main.cf and spamassassin in master.cf?

2021-02-10 Thread Matus UHLAR - fantomas

On 10.02.21 11:55, Marek Kozlowski wrote:
> I know that clamav and spamassassin are out of scope of this list. But
> my question is more postfix-related. Most systems and Linux distros
> have tutorials on postfix, spamassassin and clamav. In most of those I've
> read, the recommended way of connecting clamav is via smtpd_milters in
> main.cf. But spamassassin in those tutorials is not connected that way;
> instead a master.cf entry is defined and a "-o content_filter=that_entry"
> for the smtp service is added. If so many people do that there must be
> some reason for it. I'm wondering: what is the reason? What's the
> difference?


The difference between content_filter and milter is that a milter runs during
the SMTP session, while a content_filter runs after the mail has been received.
Thus you can reject mail with a milter, so the sender has to handle it, while
rejecting in a content_filter means you have to handle it.

The difference between main.cf and master.cf is that main.cf applies for
all (unless overridden), while master.cf overrides 


I guess clamav scanning is faster than spamassassin scanning, so admins may
consider it safer.

I remember that when filtering mail with a milter at SMTP level, customers
complained about the long time needed to send mail.

Thus, I switched to content_filter when receiving mail from end-users
(usually the submission/587 and submissions (smtps)/465 services),
while using a milter when receiving mail from the world (port 25).


In the few places where users send mail on port 25 but the server runs behind
NAT, I ask them to NAT port 25 from the world to another port where I run
postscreen and milters.

Note that I usually run amavis which calls both spamassassin and clamav.
Either as content_filter, or via amavisd-milter.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody

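The split Matus describes (milter on port 25, content_filter on submission), as an added example expressed as postconf commands rather than as the thread's own configuration; the ClamAV socket path, the spamassassin pipe service and its spamd user, the spamc command line and the --dry-run/--apply switches are assumptions, and the submission service is assumed to be already enabled in master.cf.

```shell
#!/bin/sh
# Added example, not from the thread: apply the split Matus describes with
# postconf instead of hand-editing main.cf and master.cf. ClamAV's milter
# runs on port 25 and rejects inside the SMTP session, so the remote sender
# owns the failure; SpamAssassin runs as an after-queue content_filter only
# on the submission service, where a rejection would be ours to handle.
# Socket path, service name, spamd user and spamc command line are
# assumptions; postconf -M and -P need Postfix 2.11 or later.
# Use --dry-run to print the commands, --apply to run them.
set -eu

CLAMAV_MILTER=${CLAMAV_MILTER:-unix:/run/clamav/clamav-milter.ctl}  # assumed
SA_SERVICE=${SA_SERVICE:-spamassassin}           # master.cf pipe service name

# Print the command instead of running it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Port 25: ClamAV via milter, so infected mail never enters the queue.
# tempfail (the default) keeps mail out while the milter is down instead of
# letting it through unscanned.
configure_inbound_milter() {
  run postconf -e "smtpd_milters = $CLAMAV_MILTER"
  run postconf -e "milter_default_action = tempfail"
}

# Submission: clear the milter list inherited from main.cf (the latency the
# thread's users complained about) and hand accepted mail to SpamAssassin
# after the queue. The pipe service re-injects the scored message with
# sendmail(1); flags=R adds a Return-Path header, q quotes the addresses.
configure_submission_filter() {
  run postconf -P "submission/inet/smtpd_milters="
  run postconf -P "submission/inet/content_filter=$SA_SERVICE:"
  run postconf -M "$SA_SERVICE/unix=$SA_SERVICE unix - n n - - pipe flags=Rq user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f \${sender} \${recipient}"
}

main() {
  configure_inbound_milter
  configure_submission_filter
  run postfix reload
}

case "${1:-}" in
  --apply)   main ;;
  --dry-run) DRY_RUN=1; main ;;
esac
```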

Re: Stuck with "unable to look up host"

2021-02-10 Thread Matus UHLAR - fantomas

> On 09 Feb 2021, at 04:23, Dominic Raferd  wrote:
> 
> This shows plenty of 'good' servers still using TLSv1 or TLSv1.1 -
> including the postfix-users list servers.  Of course they would
> probably downgrade to plaintext if required, but that would reduce
> security.

> On 09/02/2021 12:36, @lbutlr wrote:
> That is odd.  My mails from the postfix list server are using TLSv1.2.
> Are you sure the postfix list is using end-of-life encryption?...

> On 09 Feb 2021, at 06:21, Dominic Raferd  wrote:
> 
> It depends how far back one's logs go!  Now I look just at my logs for
> this calendar year I see you are right.  But there are still a few other
> 'good' senders using TLSv1 or TLSv1.1, even if they shouldn't be.  Not
> 'plenty', I admit...

On 09.02.21 14:22, @lbutlr wrote:
> Ah, I am only looking at recent logs.  I don't see how months-ago behavior
> is relevant.  But yes, each admin needs to look at their logs and see who
> is still using encryption they should not be using (especially since this
> probably indicates they have not updated the ssl libraries and are going
> to be open to any flaws/attacks/CVEs discovered since TLSv1 and TLSv1.1
> were EOLed, making them less-trustworthy in general.


still more trustworthy than no encryption at all, as was mentioned here
multiple times.

https://marc.info/?l=postfix-users&m=143884497605106&w=2
https://marc.info/?l=postfix-users&m=152907910501143&w=2
https://marc.info/?l=postfix-users&m=158344470515844&w=2

and, of course:

https://tools.ietf.org/html/rfc7435#section-1.2

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759


why people connect clamav as milter in main.cf and spamassassin in master.cf?

2021-02-10 Thread Marek Kozlowski

:-)

I know that clamav and spamassassin are out of scope of this list. But
my question is more postfix-related. Most systems and Linux distros have
tutorials on postfix, spamassassin and clamav. In most of those I've read, the
recommended way of connecting clamav is via smtpd_milters in main.cf.
But spamassassin in those tutorials is not connected that way; instead a
master.cf entry is defined and a "-o content_filter=that_entry" for the smtp
service is added. If so many people do that there must be some reason
for it. I'm wondering: what is the reason? What's the difference?


Best regards,
Marek


