[pfx] content filter sends mail twice

2023-05-17 Thread Alex via Postfix-users
Hi,
I'm using postfix (postmulti) with amavisd and trying to have separate
content filters based on the domain so I can make decisions on the destiny
of the email from within amavisd. Currently all mail is processed by the
same amavisd policy_bank. The problem now is that mail is being sent
through the content filter designated in my transport map as well as the
default transport filter.

default_transport = smtp:[127.0.0.1]:10024
local_transport = error:5.1.1 Mailbox unavailable
relay_transport = $default_transport
transport_maps = ${indexed}transport
virtual_transport = $default_transport

/etc/postfix-120/transport:
   example.com    relay:[127.0.0.1]:10029

How do I exclude example.com from also being sent through 10024? Is it
necessary to then disable the default transport altogether and explicitly
list all relay_domains?

I recall having some difficulty with transport maps when I first set up
this multi-instance postfix, and Viktor helped me. I had content_filter
defined as:

content_filter = smtp-amavis:[127.0.0.1]:10024

and the following service defined in master.cf:
smtp-amavis unix -   -   n   -   2   smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

but that was disabled when I moved to a multi-instance postfix in favor of
transport maps, but I think I'm still confused.

Thanks for any ideas you might have.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: logging strangeness

2023-05-17 Thread Eugene R via Postfix-users
But it seems that all the useful information is already shown in the 
dovecot log line (unless we want to differentiate SASL vs IMAP auth 
failures for some reason).


Eugene

On 17.05.2023 14:06, Wietse Venema via Postfix-users wrote:

Matus UHLAR - fantomas via Postfix-users:
[ Charset ISO-8859-2 converted... ]

On 2023-05-16 at 12:19:03 UTC-0400 (Tue, 16 May 2023 18:19:03 +0200)
Víctor Rubiella Monfort via Postfix-users 
is rumored to have said:

For example for imap/pop login failures dovecot log email account
that produces the failure.

On 16.05.23 13:57, Bill Cole via Postfix-users wrote:

If you are using Dovecot for SASL and have auth_verbose enabled in
Dovecot, it will log failures. For failed Postfix authentications, you
will see lines logged by auth-worker in the info log with the
username, remote IP, and failure type.

this is how it looks:

May 17 00:00:08 mail dovecot[20429]: auth-worker(32269): 
pam(smbuser,46.148.40.154): pam_authenticate() failed: Authentication failure 
(Password mismatch?)
May 17 00:00:10 mail postfix/smtps/smtpd[29904]: warning: 
unknown[46.148.40.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

it's not easy to pair these two log lines though.

You correlate them on IP address 46.148.40.154 and on time stamp
(00:00:08 is a little before 00:00:10).

Wietse


[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-17 Thread Benny Pedersen via Postfix-users

Tom Reed via Postfix-users wrote on 2023-05-17 09:31:

On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote:

dmarc does not imho use ARC results yet :/


You must configure trusted ARC signers.
You can't blindly trust ARC just like you can't blindly trust SPF



May I ask what policyd or milter you use for SPF checks?


sadly none exists imho, only sid-milter does, if it could turn off 
spfv2/pra it would be ok,


https://www.freshports.org/mail/py-spf-engine/ best option, hopefully it 
can run on python 3.11 soon



[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-17 Thread Benny Pedersen via Postfix-users

Matus UHLAR - fantomas via Postfix-users wrote on 2023-05-17 09:28:

On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote:

dmarc does not imho use ARC results yet :/


You must configure trusted ARC signers. You can't blindly trust ARC
just like you can't blindly trust SPF


i recheck my opendmarc.conf


[pfx] Re: DKIM and DMARC

2023-05-17 Thread Dominic Raferd via Postfix-users

On 17/05/2023 08:18, Matus UHLAR - fantomas via Postfix-users wrote:
> On 16.05.23 22:11, Tom Reed via Postfix-users wrote:
>> For OpenDMARC this setting:
>>
>> SPFSelfValidate true
>
> this only causes opendmarc to resolve SPF itself instead of using existing
> Authentication-Results: header.

Actually (from man opendmarc.conf) it causes the filter to perform SPF
check itself *when it can find no SPF results in the message header*.
If SPFIgnoreResults is also set, it never looks for SPF results in
headers and always performs SPF check itself.



[pfx] Re: postfix delimiter question

2023-05-17 Thread Markus Schönhaber via Postfix-users

17.05.23, 13:20 +0200, Tom Reed via Postfix-users:

> multiple items for a given directive, "," or space or "," + space all are
> valid delimiters. Am I right? Such as the following.

Yes. From the doc[1]:
| Specify a list of restrictions, separated by commas
| and/or whitespace.

> smtpd_relay_restrictions =
> permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> defer_unauth_destination
>
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
> defer_unauth_destination

This is invalid nevertheless, because you failed to follow this
| Continue long lines by starting the next line
| with whitespace.
part of the doc[1].

--
Regards
  mks

[1]: 
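
The two rules quoted in this reply (items separated by commas and/or whitespace, continuation lines starting with whitespace), as an added example that is not part of the original post or of Postfix itself. It is a simplified reader for main.cf text that applies only those rules; the function names and the sample strings are assumptions made for the illustration.

```python
import re

def logical_lines(text):
    """Join physical main.cf lines into logical lines.

    Empty lines and lines whose first non-whitespace character is '#'
    are ignored; a line that starts with whitespace continues the
    previous logical line."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse(text):
    """Return (settings, stray): settings maps a parameter name to its
    items, split on commas and/or whitespace; stray collects logical
    lines that carry no '=' and so belong to no parameter."""
    settings, stray = {}, []
    for line in logical_lines(text):
        name, eq, value = line.partition("=")
        if not eq:
            stray.append(line)
            continue
        settings[name.strip()] = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return settings, stray

# Constructed inputs: the third form as posted, and the same with the
# continuation line indented.
AS_POSTED = (
    "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,\n"
    "defer_unauth_destination\n"
)
INDENTED = (
    "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,\n"
    "    defer_unauth_destination\n"
)

if __name__ == "__main__":
    print(parse(AS_POSTED))   # last restriction ends up as a stray line
    print(parse(INDENTED))    # all three restrictions belong to the parameter
```

In the unindented form the last restriction never becomes part of smtpd_relay_restrictions, so the relay policy that is actually in effect is shorter than the one written down.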


[pfx] Re: postfix delimiter question

2023-05-17 Thread Wietse Venema via Postfix-users
Tom Reed via Postfix-users:
> 
> Hello,
> 
> multiple items for a given directive, "," or space or "," + space all are
> valid delimiters. Am I right? Such as the following.

No, it is different for some.

> smtpd_relay_restrictions =
> permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

TFM says:
 smtpd_relay_restrictions  (default:  permit_mynetworks,  permit_sasl_authenti-
   cated, defer_unauth_destination)
...
   Specify a list of restrictions, separated by commas and/or  whitespace.

known_tcp_ports is notably different, as it is a list of lists.

Wietse


[pfx] postfix delimiter question

2023-05-17 Thread Tom Reed via Postfix-users


Hello,

multiple items for a given directive, "," or space or "," + space all are
valid delimiters. Am I right? Such as the following.


smtpd_relay_restrictions =
permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination


Thanks.

-- 
sent from https://dkinbox.com/



[pfx] Re: logging strangeness

2023-05-17 Thread Wietse Venema via Postfix-users
Matus UHLAR - fantomas via Postfix-users:
[ Charset ISO-8859-2 converted... ]
> >On 2023-05-16 at 12:19:03 UTC-0400 (Tue, 16 May 2023 18:19:03 +0200)
> >Víctor Rubiella Monfort via Postfix-users 
> >is rumored to have said:
> >>For example for imap/pop login failures dovecot log email account 
> >>that produces the failure.
> 
> On 16.05.23 13:57, Bill Cole via Postfix-users wrote:
> >If you are using Dovecot for SASL and have auth_verbose enabled in 
> >Dovecot, it will log failures. For failed Postfix authentications, you 
> >will see lines logged by auth-worker in the info log with the 
> >username, remote IP, and failure type.
> 
> this is how it looks:
> 
> May 17 00:00:08 mail dovecot[20429]: auth-worker(32269): 
> pam(smbuser,46.148.40.154): pam_authenticate() failed: Authentication failure 
> (Password mismatch?)
> May 17 00:00:10 mail postfix/smtps/smtpd[29904]: warning: 
> unknown[46.148.40.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
> 
> it's not easy to pair these two log lines though.

You correlate them on IP address 46.148.40.154 and on time stamp
(00:00:08 is a little before 00:00:10).

Wietse
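
The correlation on IP address and time stamp described in this reply, as an added example that is not part of the original post. The 10-second window, the assumed year, the function names and the constructed log lines (marked in the code) are assumptions; the two lines from the thread are embedded unwrapped.

```python
import re
from datetime import datetime, timedelta

# Lines 1 and 3 are the two entries quoted in the thread, unwrapped;
# the others are constructed, using a documentation-range address.
SAMPLE_LOG = """\
May 17 00:00:08 mail dovecot[20429]: auth-worker(32269): pam(smbuser,46.148.40.154): pam_authenticate() failed: Authentication failure (Password mismatch?)
May 17 00:00:09 mail dovecot[20429]: auth-worker(32270): pam(info,192.0.2.10): pam_authenticate() failed: Authentication failure (Password mismatch?)
May 17 00:00:10 mail postfix/smtps/smtpd[29904]: warning: unknown[46.148.40.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 17 00:00:11 mail postfix/smtps/smtpd[29911]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 17 00:03:00 mail postfix/smtps/smtpd[29950]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
""".splitlines()

STAMP = r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
DOVECOT = re.compile(STAMP + r"dovecot\[\d+\]: auth-worker\(\d+\): "
                     r"\w+\(([^,]*),([^,)]+)[^)]*\): (.*)")
POSTFIX = re.compile(STAMP + r"postfix/\S+\[\d+\]: warning: "
                     r"\S+\[([^\]]+)\]: SASL (\S+) authentication failed")

def parse_ts(stamp, year=2023):
    # Classic syslog stamps carry no year; the year is an assumption.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(lines, window=timedelta(seconds=10)):
    """Pair each Postfix SASL failure with the latest unconsumed Dovecot
    auth-worker failure from the same IP at most `window` earlier."""
    pending = {}  # ip -> [(time, username, reason), ...] in log order
    findings = []
    for line in lines:
        m = DOVECOT.match(line)
        if m:
            pending.setdefault(m[3], []).append((parse_ts(m[1]), m[2], m[4]))
            continue
        m = POSTFIX.match(line)
        if not m:
            continue
        when, ip = parse_ts(m[1]), m[2]
        hits = [h for h in pending.get(ip, [])
                if timedelta(0) <= when - h[0] <= window]
        match = hits[-1] if hits else None
        if match:
            pending[ip].remove(match)  # each Dovecot line explains one failure
        findings.append({"time": m[1], "ip": ip, "mech": m[3],
                         "user": match[1] if match else None,
                         "reason": match[2] if match else None})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A Postfix failure that comes back with `user` set to `None` had no Dovecot auth-worker line from the same address inside the window, which is worth a look in its own right.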


[pfx] Re: said: 550 Mail was identified as spam

2023-05-17 Thread Wietse Venema via Postfix-users
You are ignoring my response. That is rude. Stop spamming 
the postfix-users list with your repeated information.


[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-17 Thread Matus UHLAR - fantomas via Postfix-users

On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote:

dmarc does not imho use ARC results yet :/



You must configure trusted ARC signers.
You can't blindly trust ARC just like you can't blindly trust SPF


On 17.05.23 15:31, Tom Reed via Postfix-users wrote:

May I ask what policyd or milter you use for SPF checks?


I use pyspf-milter, the same source spf-engine provides policyd package.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


[pfx] Re: DANE and DNSSEC

2023-05-17 Thread Byung-Hee HWANG via Postfix-users
Now i added DNSSEC. Currently it is being registrar job. 10 minutes ago,
i did make some DS record at Cloudflare.

Thanks to Joachim, Patrick and raf ^^^


Sincerely, Byung-Hee


[pfx] Re: said: 550 Mail was identified as spam

2023-05-17 Thread Matus UHLAR - fantomas via Postfix-users

On 17.05.23 10:43, lty--- via Postfix-users wrote:

May 16 08:41:14 smtp3 postfix-sen/qmgr[27776]: 3420CA2062F:
from=, size=56791841, nrcpt=1 (queue active)

May 16 08:41:31 smtp3 postfix-sen/smtp[10076]: 3420CA2062F:
to=, relay=x.x.x.x[x.x.x.x]:25, delay=18,
delays=0.52/0/0.1/17, dsn=5.0.0, status=bounced (host x.x.x.x[x.x.x.x]
said: 550 Mail was identified as spam. (in reply to end of DATA
command))


the recipient's mail server with IP address x.x.x.x refused accepting 56MB 
mail from you, noting that it is spam.



Relay server log:

May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: connect from
unknown[x.x.x.x]

May 16 08:41:14 smtp520 postfix-sen16/smtpd[28709]: D2E6DFFFD7:
client=unknown[x.x.x.x]

May 16 08:41:31 smtp520 postfix-sen16/smtpd[28709]: lost connection
after DATA (48169779 bytes) from unknown[x.x.x.x]


looks like destination server with the same IP address x.x.x.x refused 
accepting 48MB mail from your relay too.


looks like they just don't like your e-mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Microsoft dick is soft to do no harm


[pfx] Re: A strange DMARC failure

2023-05-17 Thread Matus UHLAR - fantomas via Postfix-users

On 17.05.23 09:09, Tom Reed via Postfix-users wrote:

I found that, after I enable opendmarc to reject messages, there are some
issues for list addresses. for example, this rejected message shows:

: host mx1.dkinbox.com[193.106.250.86] said: 550 5.7.1
   rejected by DMARC policy for radlogic.com.au (in reply to end of DATA
   command)


And I checked that, radlogic.com.au does have a p=reject policy:

_dmarc.radlogic.com.au. 3600 IN TXT "v=DMARC1; p=reject; fo=1;
rua=mailto:ad...@radlogic.com.au;

Following their policy, I have the permission to reject it.


Since the message was sent to mailing list which rewrites envelope address
and adds list signature, so:

1) SPF for header From: address won't get pass due to SRS.
2) DKIM won't get pass due to list signature.

So the DMARC failed totally and the message was rejected.

How to improve this?


common ways to work around this problem:

from mailing list site:
- don't modify mail headers/body  when resending e-mail, so you keep the 
  original DKIM signature correct
- rewrite From: to your domain and sign with your DKIM key so DKIM signature 
  will be OK.



from recipients side:
- allow sending IP to send mail that fail DMARC

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Quantum mechanics: The dreams stuff is made of.
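
The failure discussed in this message and the two list-side workarounds, as an added example that is not part of the original post. It evaluates DMARC identifier alignment in relaxed mode (an assumption, since the published record is truncated on the page); the list domain lists.example.org, the small suffix set standing in for the Public Suffix List, and the SPF and DKIM results fed in are all constructed.

```python
# Constructed stand-in for the Public Suffix List; real evaluators load the full list.
SUFFIXES = {"com", "org", "com.au"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dmarc(header_from, spf, dkim):
    """spf is (result, envelope-sender domain); dkim is a list of
    (result, d= domain). Relaxed alignment: the organizational domain of
    the authenticated identifier must equal that of the header From."""
    want = org_domain(header_from)
    spf_ok = spf[0] == "pass" and org_domain(spf[1]) == want
    dkim_ok = any(res == "pass" and org_domain(d) == want for res, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

AUTHOR = "radlogic.com.au"
LIST = "lists.example.org"  # hypothetical mailing list domain

# (header From domain, SPF result, DKIM results) per constructed scenario
SCENARIOS = {
    "direct delivery":
        (AUTHOR, ("pass", AUTHOR), [("pass", AUTHOR)]),
    "list rewrites envelope and adds a footer":
        (AUTHOR, ("pass", LIST), [("fail", AUTHOR)]),
    "list leaves headers and body untouched":
        (AUTHOR, ("pass", LIST), [("pass", AUTHOR)]),
    "list rewrites From: and signs with its own key":
        (LIST, ("pass", LIST), [("fail", AUTHOR), ("pass", LIST)]),
}

def evaluate_all():
    return {name: dmarc(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```

In the second scenario SPF passes, but for the list's domain rather than the header From domain, so it does not count toward DMARC; in the last scenario the message is evaluated against the list domain's policy rather than the author's.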


[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-17 Thread Tom Reed via Postfix-users



> On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote:
>>dmarc does not imho use ARC results yet :/
>
> You must configure trusted ARC signers.
> You can't blindly trust ARC just like you can't blindly trust SPF
>

May I ask what policyd or milter you use for SPF checks?


-- 
sent from https://dkinbox.com/



[pfx] Re: [ext] Re: DKIM and DMARC

2023-05-17 Thread Matus UHLAR - fantomas via Postfix-users

On 16.05.23 16:38, Benny Pedersen via Postfix-users wrote:

dmarc does not imho use ARC results yet :/


You must configure trusted ARC signers. 
You can't blindly trust ARC just like you can't blindly trust SPF


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
How does cat play with mouse? cat /dev/mouse


[pfx] Re: DKIM and DMARC

2023-05-17 Thread Tom Reed via Postfix-users


> SPF is designed for validating envelope from: and should not be used for
> header From:
>
> Microsoft attempt to create SPF/2 has failed and should not be used
> either.
>

That's OK. thanks for the info.


-- 
sent from https://dkinbox.com/



[pfx] Re: DKIM and DMARC

2023-05-17 Thread Matus UHLAR - fantomas via Postfix-users

On 16.05.23 22:11, Tom Reed via Postfix-users wrote:

For OpenDMARC this setting:

SPFSelfValidate true


this only causes opendmarc to resolve SPF itself instead of using existing 
Authentication-Results: header.



Can it handle the case when incoming message has rewritten
envelope address by SRS then no SPF found for header From address?

If opendmarc can implement SPF checks for header From address,
that would be much better.


SPF is designed for validating envelope from: and should not be used for 
header From:


Microsoft attempt to create SPF/2 has failed and should not be used either.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


[pfx] Re: logging strangeness

2023-05-17 Thread Matus UHLAR - fantomas via Postfix-users

On 2023-05-16 at 12:19:03 UTC-0400 (Tue, 16 May 2023 18:19:03 +0200)
Víctor Rubiella Monfort via Postfix-users 
is rumored to have said:
For example for imap/pop login failures dovecot log email account 
that produces the failure.


On 16.05.23 13:57, Bill Cole via Postfix-users wrote:
If you are using Dovecot for SASL and have auth_verbose enabled in 
Dovecot, it will log failures. For failed Postfix authentications, you 
will see lines logged by auth-worker in the info log with the 
username, remote IP, and failure type.


this is how it looks:

May 17 00:00:08 mail dovecot[20429]: auth-worker(32269): 
pam(smbuser,46.148.40.154): pam_authenticate() failed: Authentication failure 
(Password mismatch?)
May 17 00:00:10 mail postfix/smtps/smtpd[29904]: warning: 
unknown[46.148.40.154]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

it's not easy to pair these two log lines though.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Your mouse has moved. Windows NT will now restart for changes to take
effect. [OK]