[pfx] Re: Postfix Options Override Or Add When In Both master.cfg & main.cfg

2023-11-02 Thread Viktor Dukhovni via Postfix-users
On Fri, Nov 03, 2023 at 02:29:55PM +1100, duluxoz via Postfix-users wrote:

> Quick Q: Do the individual `-o` options in the `master.cfg` file *add to* or
> *override* the equivalent option in the `main.cfg` file?

https://www.postfix.org/master.5.html

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
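The master(5) page Viktor points to answers the question: a `-o name=value` line under a master.cf service overrides the main.cf value of that parameter for that service only; the two values are not merged. The following is an added example (not from the thread and not Postfix code) that parses constructed main.cf and master.cf fragments and resolves the effective `smtpd_relay_restrictions` for the `submission` service versus the default `smtp` service. It assumes the simplification that a service is identified by its name alone (Postfix keys on name and type).

```python
"""Resolve the effective value of a Postfix parameter for one master.cf
service. Added example; the config fragments below are constructed."""
import re

# Constructed sample main.cf: a global value with a continuation line.
MAIN_CF = """\
myhostname = mail.example.test
smtpd_relay_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Constructed sample master.cf: the submission service overrides one parameter.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""


def parse_main_cf(text):
    """name = value, with indented continuation lines joined by a space."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text):
    """service name -> {param: value} from its -o lines. A -o value cannot
    contain whitespace, so list items are comma-separated there."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0].isspace():
            m = re.match(r"-o\s+([^=]+)=(.*)$", line)
            if m and current:
                services[current][m.group(1).strip()] = m.group(2).strip()
            continue
        current = line.split()[0]          # simplification: name only
        services[current] = {}
    return services


def effective(service, param, main_cf=MAIN_CF, master_cf=MASTER_CF):
    """A -o override replaces the main.cf value for that service; it does not
    merge with it. Services without an override inherit main.cf."""
    overrides = parse_master_cf(master_cf).get(service, {})
    if param in overrides:
        return overrides[param]
    return parse_main_cf(main_cf).get(param)


def restriction_list(service, param="smtpd_relay_restrictions"):
    """Split a restriction list the way Postfix does: on commas and whitespace."""
    value = effective(service, param) or ""
    return [item for item in re.split(r"[,\s]+", value) if item]


if __name__ == "__main__":
    for svc in ("smtp", "submission"):
        print(svc, restriction_list(svc))
```

Running it shows `submission` using only the two restrictions from its `-o` line, while `smtp` still sees the three from main.cf; the main.cf list is not unioned in.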


[pfx] Postfix Options Override Or Add When In Both master.cfg & main.cfg

2023-11-02 Thread duluxoz via Postfix-users

Hi All,

Quick Q: Do the individual `-o` options in the `master.cfg` file *add 
to* or *override* the equivalent option in the `main.cfg` file?


For eg: In the `master.cfg` file I've got a `-o smtpd_relay_restriction 
=` line with a couple of restrictions set on the `submission` service. 
I've got the same `smtpd_relay_restriction =` option set in the 
`main.cfg` with a different set of restrictions (with some overlap). 
When *submitting* mail is the list of restrictions the union of both 
sets (those listed in both files) or only the set listed in the 
`master.cfg` file?


Cheers

Dulux-Oz



[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Steffen Nurpmeso via Postfix-users
Matus UHLAR - fantomas via Postfix-users wrote in
 :
 |>Jens Hoffrichter via Postfix-users wrote in
 |> :
 |>|On Mon, Oct 30, 2023 at 8:12 PM Steffen Nurpmeso via Postfix-users
 |>| wrote:
 |> ...
 |>|> Btw i would wonder: why do -- as email operators -- still use DKIM
 |>|> at all, since there is ARC and it also offers signatures and
 |>|> verification?  The OpenSSL (-users) ML uses it, and it only.
 |> ...
 |>|Because Google / Gmail / Google Workspace will put out DKIM
 |>|requirements for every email from bulk senders from Feb 1st - not ARC
 |>|requirements. From what I understand, DMARC alignment only happens on
 |>|SPF and DKIM alignment, not on ARC alignment - and because of that,
 |>|DKIM is relevant for us.
 |
 |On 01.11.23 03:15, Steffen Nurpmeso via Postfix-users wrote:
 |>I did not know that.  I had the impression Google pushes ARC.  But
 |>i never find anything in their help (and stopped pressing buttons
 |>for "was this page helpful"), nor have i ever heard such.

I make it a bit shorter, as i am coming from a different view.

 |ARC is third-party signature basically saying that
 |"DMARC was okay when we receive this e-mail".
 |
 |You must configure trust to the concrete ARC signers, as you cannot simply 
 |trust mail from random domain saying "this mail from gmail.com was \
 |okay when 
 |we received it", as creating ARC signatures with fake original content is 
 |easy.
 |
 |with DKIM, everyone signs their own mail, so this 3rd-party trust issue \
 |does 
 |not appear.

- DKIM was introduced without any support for mailing-lists,
  effectively breaking all mailing-list of the world.

  Unless they strip DKIM.  Even that not.  In the end you have to
  rewrite fields to totally hide the real author.

  Mailing-lists are the absolute foundation of email and "forums"
  for the "community" since at least the earliest 80s.

 |>I myself have deepest respect for the engineering of SPF (the RFC
 |>that is), but do not understand it regarding email flow, you have
 |>to run postsrsd to make this work if you have redirecting aliases,
 |
 |When you forward mail from gmail.com to us, keeping original envelope \
 |sender 
 |e.g.  postmas...@gmail.com, we only see mail claiming to be from gmail, but 
 |originating your server, which means the sender may be forged.
 |
 |SPF is here to block this e-mail, and SRS is one of techniques to rewrite 
 |envelope sender to your domain, while keeping enough of information \
 |for you 
 |to later see that the mail indeed was forwarded through your server, if the 
 |forward fails.

- SPF breaks all hosts which have users that effectively want
  their email to be forwarded to a different address.
  This is basically any campus, and much, much more.

  You are forced to install software which complicates the email
  stack, that creates temporary "users" for a "configurable" amount
  of time in order to handle emails.  The database can grow a bit.

 |You of course can set your sender to anything in your domain, but with 
 |setting sender to the original recipient, which may seem reasonable 
 |(setting sender to the user who wishes to forward their e-mail to gmail) 
 |you risk creating forwarding loop to 
 |- each mail to that user gets forwarded to non-existent address, bounce is 
 |generated which is again forwarded to non-existent address...
 |(and some servers or software don't create bounces with empty from).
 |
 |>and in the end i myself do not care at all how the mail is hopping
 |>if only it is delivered to the right place.  Especially so if the
 |>email is DKIM signed and/or S/MIME aka PGP signed/encrypted.
 |>And DMARC i truly hate.  :)
 |
 |>Well i keep on hoping that DKIM is fixed to work also for MLs
 |>without robot trouble (user interfaces are the other thing), it
 |>would be all i need.
 |
 |DKIM cryptographically signs the e-mail body and headers, so everyone can 
 |verify if it really came from the domain in header From:.
 |
 |Mailing lists that modify signed headers or body of mail by e.g. adding \
 |list 
 |signature to Subject: or body, invalidate this signature.
 |
 |One of solutions is to forward the original signed message intact as 
 |attachment, other is to change From: and DKIM-sign the new message \
 |with domain in 
 |mailing list From:, so the new DKIM signature is correct.

This is your operator view to work around this pile of mess that
was thrown onto you from the IETF (or its driving forces).

Btw the attachment thing does not work out was ensure to me on
a different list with very famous people on it (and at least one
idiot), it seems that many mailers are not capable to deal with
that properly, then.

 |DMARC on domain simply configures, that all mail from that domain passes 
 |DKIM or SPF check from that domain, and what to do with mail that does not 
 |pass either.
 |(once more: DKIM applies on header From:, SPF on envelope from:).

Regarding SPF i can imagine that it really makes sense for some
use cases.  (However, in my opinion, it is a 

[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Thomas Wagner via Postfix-users
> This can be verified on Solaris with:
> 
>   /usr/bin/elfdump -re 'dyn:' path/to/binary_or_library

sorry, this must read: (solaris elfedit in read-only-mode)

   /usr/bin/elfedit -re 'dyn:' path/to/binary_or_library



[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Thomas Wagner via Postfix-users
On Thu, Nov 02, 2023 at 03:56:16AM -0400, Viktor Dukhovni via Postfix-users 
wrote:
> On Thu, Nov 02, 2023 at 09:35:47AM +0200, Jaco Lesch via Postfix-users wrote:
> 
> > > I would have tried instead:
> > > 
> > >   PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig \
> > >   make makefiles dynamicmaps=yes shared=yes \
> > >   openssl_path="/usr/openssl/3/bin/openssl" \
> > >   CC="/usr/bin/gcc -m64" \
> > >   CCARGS="-DUSE_DB -DUSE_TLS $(pkg-config --cflags libssl 
> > > libcrypto)" \
> > >   AUXLIBS="-ldb $(pkg-config --libs libssl libcrypto)" \
> > > 
> > > but, you may still also need an explicit "-R/usr/openssl/3/lib" option,
> > > if that's not part of what "pkg-config" returns for "--libs".
> > > 
> > And Viktor your options for make compile 100%, no need for the explicit
> > "-R/usr/openssl/3/lib" option. Have compiled both static and dynamic to
> > verify. Regards
> 
> Given the output of your 'pkg-config' command, the "-R" options *are*
> likely still needed.  They augment the *run-time* shared library search
> path.  The code will compile without them, but it may not run, unless
> that directory is on the system-wide search path (not expected).

This can be verified on Solaris with:

  /usr/bin/elfdump -re 'dyn:' path/to/binary_or_library

watch for lines "NEEDED" and "RUNPATH".
If missing the runpath /usr/openssl/3/lib/64/ and needed library
files libssl.so and libcrypto.so then yes, a "-R/usr/openssl/3/lib/64/" 
should be needed.


or check what the actual run would load with:
  ldd -r path/to/binary_or_library

or watch the whole lengthy search-and-load process the runtime linker
does:
  LD_DEBUG=files,libs path/to/binary

  (or even: LD_DEBUG=files,libs,bindings path/to/binary)

Even a daemon not normally called by the user should output useful
information to verify linking to correct library entities.

Regards,
Thomas



[pfx] Connect Postfix to Dovecot SASL with TLS?

2023-11-02 Thread Nick Lockheart via Postfix-users


If I have Postfix configured to use Dovecot SASL via TCP, and Dovecot
is running on a remote server, can I set up Postfix to use TLS for its
connection to Dovecot SASL?

Postfix main.cf:

smtpd_sasl_path = inet:dovecot.example.com:12345
smtpd_sasl_type = dovecot


Dovecot:

service auth {
 inet_listener {
   address = * ::
   port = 12345
   ssl=yes
 }
}

What are the Postfix settings for TLS between Postfix and Dovecot SASL?

Can you specify that TLS is required? Can you specify a trusted CA? Can
Postfix verify that the Dovecot SASL's certificate is valid and/or
signed by a certain authority?

This seems like a case where you would want two-way TLS authentication
so both servers know they are talking to the legitimate other server,
since they are exchanging login information.






[pfx] Re: [pfx-dev] Re: Bug in Dovecot SASL driver: authentication failure reason is wrong

2023-11-02 Thread Wietse Venema via Postfix-users
Stephan Bosch via Postfix-devel:
> 
> Op 2-11-2023 om 15:22 schreef Wietse Venema:
> > Stephan Bosch via Postfix-devel:
> >> Looks like Postfix [...] somehow uses the data from the previous CONT auth 
> >> service
> >> response as the reason.
> > Does this patch address the problem? It resets any previous Dovecot
> > auth service response before parsing the next Dovecot auth server
> > response.
> >
> > Wietse
> 
> It does get rid of the base64 mess:
> 
> 18:43:38.179584 send: 'AUTH OAUTHBEARER =\r\n'
> 18:43:42.184373 reply: b'334 eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwib3BlbmlkLWNvbmZpZ3VyYXRpb24iOiJodHRwczovL2lkLm9wZW4teGNoYW5nZS5jb20vb2lkYy9jb25maWcifQ==\r\n'
> 18:43:42.184613 send: 'AQ==\r\n'
> 18:43:44.188326 reply: b'535 5.7.8 Error: authentication failed: \r\n'
> 
> Still, the error is now `Error: authentication failed: `. This also 
> looks wrong, since it just ends in a colon and white space. The absence 
> of a specific error message should be handled specially I guess.

The 'reason' value is now an empty string. What would you suggest instead?

Error: authentication failed\r\n

Error: authentication failed: some other text here\r\n
 
Wietse




[pfx] Re: DEF_DB_TYPE change?

2023-11-02 Thread Wietse Venema via Postfix-users
Eray Aslan via Postfix-users:
> On Wed, Nov 01, 2023 at 09:41:07AM -0400, Wietse Venema via Postfix-users 
> wrote:
> > Eray Aslan via Postfix-users:
> > > Having said that, Berkeley DB is mature software and it works and is
> > > widely available in various *nixes. Still, would it be prudent or worth
> > > the effort to change the default db type to something else in
> > > postfix-3.9?
> > 
> > What problem are you trying to solve?
> 
> I don't use BerkeleyDB so no personal problem. However, the recent
> mailing list topic about postscreen database made me wonder if the
> general public might be better served with a non-BerkeleyDB default as
> well.

postscreen has unique requirements, and I don't think they should
drive the choice of a Postfix default database (low read/write
latency, and either exclusive access or a lock-free architecture
such as LMDB which is based on multi-version concurrency control).

But, if LMDB is available as a package for all supported systems,
then a switch would be feasible, though painful because it is a
forced transition. We might just as well phase out the 'default
database type' and require that all commands and configurations
specify an explicit database type.

Wietse


[pfx] Re: Question about postscreen

2023-11-02 Thread Bill Cole via Postfix-users

On 2023-11-02 at 04:49:37 UTC-0400 (Thu, 02 Nov 2023 10:49:37 +0200)
Ivan Ionut via Postfix-users 
is rumored to have said:

> Hi, it's possible that  postscreen does not block the email when 
> postscreen_dnsbl_threshold is reached but to pass that email to 
> spamassassin(with a score and a tag).


No, postscreen is designed to be extremely lightweight and has no 
mechanism to 'pass' anything other than the active connection to a real 
smtpd process. It is intended to only catch the sorts of spambots that 
can be positively identified by bad behavior or *targeted* DNSBLs. If 
you have postscreen configured in a way that catches legitimate mail 
systems, you are misusing it.


With that said, it is possible to set postscreen_blacklist_action to 
'ignore' and have other tools like SA work with the same DNSBLs later in 
the transaction with more subtlety. Note that if you are running a local 
recursive caching DNS resolver (AS ANY MTA SHOULD) it is essentially 
free to "re-check" DNSBLs that postscreen has queried earlier, as the 
answers will be cached. This would effectively front-load the inherent 
delay of making DNSBL checks.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Jens Hoffrichter via Postfix-users
Hi!

Thanks for the insight - it was not only about forwarding mail to
gmail (although I understand that this is a big use case being
discussed here), but really about just delivering email to Google /
GMail / Workspace.

The scenario I'm unsure about is the following:

Envelope From is @amazonses.com
SPF aligns to amazonses.com
Header From is hoffrichter.no
It is signed with a DKIM key under amazonses.com (with a valid
signature), but doesn't have a valid signature from hoffrichter.no
hoffrichter.no has a DMARC policy with p=none

Will the mail be delivered to Google mail accounts if hoffrichter.no
sends more than 5000 emails per day to Google?

These are the new requirements, in case not everyone is aware of
these: https://support.google.com/mail/answer/81126

This is producing quite a stir in the organization I'm working for :)

Jens

On Thu, Nov 2, 2023 at 12:29 PM Matus UHLAR - fantomas via
Postfix-users  wrote:
>
> On 02.11.23 12:04, Jens Hoffrichter via Postfix-users wrote:
> >Actually, I was just discussing these things - this is just regarding
> >the new requirements from Google and Yahoo starting Feb 1st.
>
> >What happens, if a mail is sent from AmazonSES, with a signature key
> >from amazonses.com, but with a header from set to something different,
> >like hoffrichter.no
> >
> >Would that count as signed from Google? Would that be just an invalid
> >signature, even though it is technically validly signed?
>
> google will require hoffrichter.no to have DMARC record and pass DMARC.
>
> mail will pass the DMARC if it has valid DKIM signature from hoffrichter.no
> domain.
>
> It will also pass, if the envelope from: is also in hoffrichter.no domain
> AND passes SPF check.
>
> Thus, combined with previously posted information, mail with DKIM can be
> forwarded without issues (unless you modify its content), while forwarding
> mail with only SPF will lead to troubles.
>
> >It is only tangentially interesting for signing from Postfix, but a
> >very interesting topic, especially together with someone who has a lot
> >of experience in dkim signing!
>
> Note that you can have multiple DKIM keys in DNS for mail sent from
> different sources.
>
> This is often used with massmailing services that have separate DKIM key
> (selector) than your organizations' mail server.
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Emacs is a complicated operating system without good text editor.


[pfx] Re: [ext] Re: Question about postscreen

2023-11-02 Thread Ralf Hildebrandt via Postfix-users
* Matus UHLAR - fantomas via Postfix-users :

> > And thus the solution is: Don't use the dnsbl in postscreen, but ONLY
> > in spamassassin/rspamd instead.
> 
> No problem, you can safely use postscreen with multiple DNSBLs and DNSWLs.
> - just don't rely on single hit, unless it's your own DNSBL.

Hey, it was not my idea, but the OP's :)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
  Invalidenstraße 120/121 | D-10115 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | https://www.charite.de



[pfx] Re: [ext] Re: Question about postscreen

2023-11-02 Thread Matus UHLAR - fantomas via Postfix-users

On 02.11.23 10:49, Ivan Ionut via Postfix-users wrote:
> Hi, it's possible that  postscreen does not block the email when
> postscreen_dnsbl_threshold is reached but to pass that email to
> spamassassin(with a score and a tag).

* Matus UHLAR - fantomas via Postfix-users :
> Postscreen does not tag. It passes or blocks the mail.

On 02.11.23 12:49, Ralf Hildebrandt via Postfix-users wrote:
> And thus the solution is: Don't use the dnsbl in postscreen, but ONLY
> in spamassassin/rspamd instead.


No problem, you can safely use postscreen with multiple DNSBLs and DNSWLs.
- just don't rely on single hit, unless it's your own DNSBL.

Example:

postscreen_dnsbl_threshold=2
postscreen_dnsbl_sites =
 [censored]*4,
 zen.spamhaus.org=127.0.0.[0..255],
 dnsbl.sorbs.net=127.0.0.[0..255],
 bl.spamcop.net=127.0.0.2,
 list.dnswl.org=127.0.[0..255].[0..255]*-1,
 list.dnswl.org=127.0.[0..255].3*-1

which means, combination of two DNSBLs, three DNSBLs with DNSWL.org listing,
four DNSBLs with DNSWL.org listing of priority HIGH.

the [censored] DNSBL will override anything.

I think there are multiple examples of postscreen_dnsbl_sites in this list's 
archives


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
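To make the weighting in the `postscreen_dnsbl_sites` example above concrete, here is an added example (not from the thread, not Postfix code) that parses that list and scores constructed DNSBL/DNSWL replies against `postscreen_dnsbl_threshold=2`, reproducing the combinations described: two DNSBLs block, a DNSWL listing cancels one hit, and a HIGH-trust DNSWL listing cancels two. The `[censored]` entry is replaced by the placeholder name `private.dnsbl.example`, and the model assumes each site entry counts at most once per lookup even if several returned addresses match its filter.

```python
"""Score DNSBL/DNSWL replies with postscreen_dnsbl_sites-style weights.
Added example; the site list is the one from the post (with a placeholder
for the censored entry) and the replies below are constructed."""
import re

THRESHOLD = 2  # postscreen_dnsbl_threshold from the post

# postscreen_dnsbl_sites from the post. Assumption: private.dnsbl.example
# stands in for the "[censored]" private list.
SITES = """
 private.dnsbl.example*4,
 zen.spamhaus.org=127.0.0.[0..255],
 dnsbl.sorbs.net=127.0.0.[0..255],
 bl.spamcop.net=127.0.0.2,
 list.dnswl.org=127.0.[0..255].[0..255]*-1,
 list.dnswl.org=127.0.[0..255].3*-1
"""


def parse_sites(text):
    """Each item is domain[=filter][*weight]; weight defaults to 1 and a
    missing filter matches any returned A record."""
    entries = []
    for item in re.split(r"[,\s]+", text.strip()):
        if not item:
            continue
        weight = 1
        if "*" in item:
            item, w = item.rsplit("*", 1)
            weight = int(w)
        domain, _, filt = item.partition("=")
        entries.append((domain, filt or None, weight))
    return entries


def octet_matches(pattern, value):
    """Pattern is a literal octet or a [low..high] range."""
    m = re.fullmatch(r"\[(\d+)\.\.(\d+)\]", pattern)
    if m:
        return int(m.group(1)) <= value <= int(m.group(2))
    return int(pattern) == value


def filter_matches(filt, addr):
    if filt is None:
        return True
    pats = re.findall(r"\[\d+\.\.\d+\]|\d+", filt)   # ranges contain dots
    octs = [int(x) for x in addr.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octs))


def dnsbl_score(replies, sites=SITES):
    """replies: domain -> list of A records returned for the client
    (absent or empty = not listed). Assumption: each site entry adds its
    weight at most once per lookup."""
    total = 0
    for domain, filt, weight in parse_sites(sites):
        if any(filter_matches(filt, a) for a in replies.get(domain, [])):
            total += weight
    return total


def verdict(replies, threshold=THRESHOLD):
    """(score, blocked) for one client; blocked when score >= threshold."""
    score = dnsbl_score(replies)
    return score, score >= threshold


# Constructed reply sets illustrating the combinations from the post.
TWO_BLS = {"zen.spamhaus.org": ["127.0.0.2"], "dnsbl.sorbs.net": ["127.0.0.6"]}
THREE_BLS = dict(TWO_BLS, **{"bl.spamcop.net": ["127.0.0.2"]})
DNSWL_LOW = {"list.dnswl.org": ["127.0.5.1"]}    # trust level 1 in last octet
DNSWL_HIGH = {"list.dnswl.org": ["127.0.5.3"]}   # trust level 3 = HIGH

if __name__ == "__main__":
    print("two DNSBLs:", verdict(TWO_BLS))
    print("two DNSBLs + DNSWL:", verdict(dict(TWO_BLS, **DNSWL_LOW)))
    print("three DNSBLs + DNSWL:", verdict(dict(THREE_BLS, **DNSWL_LOW)))
    print("three DNSBLs + DNSWL HIGH:", verdict(dict(THREE_BLS, **DNSWL_HIGH)))
    print("private list only:", verdict({"private.dnsbl.example": ["127.0.0.1"]}))
```

The `bl.spamcop.net=127.0.0.2` entry also shows why the filter matters: a reply of `127.0.0.3` from that list scores nothing, so an unexpected return code (or a list that answers every query after it has been retired) cannot push a client over the threshold on its own.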


[pfx] Re: [ext] Re: Question about postscreen

2023-11-02 Thread Ralf Hildebrandt via Postfix-users
* Matus UHLAR - fantomas via Postfix-users :
> On 02.11.23 10:49, Ivan Ionut via Postfix-users wrote:
> > Hi, it's possible that  postscreen does not block the email when
> > postscreen_dnsbl_threshold is reached but to pass that email to
> > spamassassin(with a score and a tag).
> 
> Postscreen does not tag. It passes or blocks the mail.

And thus the solution is: Don't use the dnsbl in postscreen, but ONLY
in spamassassin/rspamd instead.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
  Invalidenstraße 120/121 | D-10115 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | https://www.charite.de



[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Matus UHLAR - fantomas via Postfix-users

On 02.11.23 12:04, Jens Hoffrichter via Postfix-users wrote:
> Actually, I was just discussing these things - this is just regarding
> the new requirements from Google and Yahoo starting Feb 1st.
>
> What happens, if a mail is sent from AmazonSES, with a signature key
> from amazonses.com, but with a header from set to something different,
> like hoffrichter.no
>
> Would that count as signed from Google? Would that be just an invalid
> signature, even though it is technically validly signed?

google will require hoffrichter.no to have DMARC record and pass DMARC.

mail will pass the DMARC if it has valid DKIM signature from hoffrichter.no 
domain.

It will also pass, if the envelope from: is also in hoffrichter.no domain 
AND passes SPF check.

Thus, combined with previously posted information, mail with DKIM can be 
forwarded without issues (unless you modify its content), while forwarding 
mail with only SPF will lead to troubles.

> It is only tangentially interesting for signing from Postfix, but a
> very interesting topic, especially together with someone who has a lot
> of experience in dkim signing!

Note that you can have multiple DKIM keys in DNS for mail sent from 
different sources.

This is often used with massmailing services that have separate DKIM key 
(selector) than your organizations' mail server.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.


[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Matus UHLAR - fantomas via Postfix-users

On 02.11.23 11:18, Jaroslaw Rafa via Postfix-users wrote:
> On 2.11.2023 at 09:42:01 Matus UHLAR - fantomas via Postfix-users writes:
> > (once more: DKIM applies on header From:, SPF on envelope from:).
>
> And DMARC requires that both be identical (actually, from the same domain -
> user part may be different), which makes things even harder.

If mail has valid DKIM signature matching the From: domain, it passes.

If the above does not pass, but SPF does pass AND domain in envelope from: 
is the same as domain in header From:, it passes as well.

So, you only need to pass one of DKIM/SPF, but for SPF the envelope domain 
must be the same as header domain. 

On 02.11.23 10:49, Scott Kitterman via Postfix-users wrote:
> This is only true for strict alignment, which is not the default.  For 
> relaxed alignment (which is the default and what most domains use), the 
> Mail From domain (for SPF) and the DKIM signing domain (for DKIM) need to 
> be either the same domain as the body From domain or a subdomain.  This 
> provides significant flexibility relative to the strict alignment 
> requirements, but this is little to do with the topic of the thread.


The alignment is about subdomains, not about SPF/DKIM.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.


[pfx] Re: Question about postscreen

2023-11-02 Thread Matus UHLAR - fantomas via Postfix-users

On 02.11.23 10:49, Ivan Ionut via Postfix-users wrote:
> Hi, it's possible that  postscreen does not block the email when 
> postscreen_dnsbl_threshold is reached but to pass that email to 
> spamassassin(with a score and a tag).


Postscreen does not tag. It passes or blocks the mail.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Jens Hoffrichter via Postfix-users
Actually, I was just discussing these things - this is just regarding
the new requirements from Google and Yahoo starting Feb 1st.

What happens, if a mail is sent from AmazonSES, with a signature key
from amazonses.com, but with a header from set to something different,
like hoffrichter.no

Would that count as signed from Google? Would that be just an invalid
signature, even though it is technically validly signed?

It is only tangentially interesting for signing from Postfix, but a
very interesting topic, especially together with someone who has a lot
of experience in dkim signing!

Regards,
Jens

On Thu, Nov 2, 2023 at 11:50 AM Scott Kitterman via Postfix-users
 wrote:
>
>
>
> On November 2, 2023 10:18:38 AM UTC, Jaroslaw Rafa via Postfix-users 
>  wrote:
> >On 2.11.2023 at 09:42:01 Matus UHLAR - fantomas via Postfix-users 
> >writes:
> >> (once more: DKIM applies on header From:, SPF on envelope from:).
> >
> >And DMARC requires that both be identical (actually, from the same domain -
> >user part may be different), which makes things even harder.
>
> This is only true for strict alignment, which is not the default.  For 
> relaxed alignment (which is the default and what most domains use), the Mail 
> From domain (for SPF) and the DKIM signing domain (for DKIM) need to be 
> either the same domain as the body From domain or a subdomain.  This provides 
> significant flexibility relative to the strict alignment requirements, but 
> this is little to do with the topic of the thread.
>
> Scott K


[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Scott Kitterman via Postfix-users



On November 2, 2023 10:18:38 AM UTC, Jaroslaw Rafa via Postfix-users 
 wrote:
>On 2.11.2023 at 09:42:01 Matus UHLAR - fantomas via Postfix-users 
>writes:
>> (once more: DKIM applies on header From:, SPF on envelope from:).
>
>And DMARC requires that both be identical (actually, from the same domain -
>user part may be different), which makes things even harder.

This is only true for strict alignment, which is not the default.  For relaxed 
alignment (which is the default and what most domains use), the Mail From 
domain (for SPF) and the DKIM signing domain (for DKIM) need to be either the 
same domain as the body From domain or a subdomain.  This provides significant 
flexibility relative to the strict alignment requirements, but this is little 
to do with the topic of the thread.

Scott K
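Scott's distinction between strict and relaxed alignment, and Jens's AmazonSES scenario earlier in the thread (envelope and DKIM d= under amazonses.com, header From under hoffrichter.no), can be worked through with a small DMARC evaluator. The following is an added example (not from the thread, not Postfix or any DMARC library): it implements identifier alignment per RFC 7489 and reports the DMARC result and the disposition the From domain's `p=` policy requests. The organizational-domain lookup uses a deliberately tiny public-suffix table as a stand-in for the real list; it says nothing about how any particular receiver acts on the result.

```python
"""DMARC identifier alignment (strict vs relaxed) and result evaluation.
Added example; the public-suffix table and the scenarios are constructed."""

# Assumption: minimal public-suffix table; a real verifier loads the full list.
PUBLIC_SUFFIXES = {"com", "no", "org", "net", "co.uk"}


def organizational_domain(domain):
    """Longest matching public suffix plus one label,
    e.g. mail.hoffrichter.no -> hoffrichter.no."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower().rstrip(".")


def aligned(identifier, from_domain, mode="r"):
    """mode 's' (strict): exact match. mode 'r' (relaxed, the default):
    same organizational domain, so subdomains align."""
    a = identifier.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_evaluate(from_domain, spf, dkim_sigs, adkim="r", aspf="r"):
    """spf: (mail_from_domain, result string); dkim_sigs: list of
    (d= domain, signature_valid). DMARC passes when SPF passes with an
    aligned Mail From domain, or any valid DKIM signature has an aligned d=."""
    mail_from, spf_result = spf
    spf_aligned = spf_result == "pass" and aligned(mail_from, from_domain, aspf)
    dkim_aligned = any(valid and aligned(d, from_domain, adkim)
                       for d, valid in dkim_sigs)
    return {"spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def disposition(result, policy):
    """What the From domain's p= tag requests for this message: a passing
    message is always 'none'; a failing one gets the published policy."""
    return "none" if result["dmarc_pass"] else policy


# Jens's scenario, as constructed input: SES envelope and SES signature,
# header From under hoffrichter.no, no hoffrichter.no signature, p=none.
JENS_SCENARIO = dict(from_domain="hoffrichter.no",
                     spf=("amazonses.com", "pass"),
                     dkim_sigs=[("amazonses.com", True)])

if __name__ == "__main__":
    r = dmarc_evaluate(**JENS_SCENARIO)
    print(r, "disposition:", disposition(r, "none"))
    # A second d= signature under a hoffrichter.no subdomain (a separate
    # selector delegated to the sending service) aligns under relaxed mode.
    fixed = dict(JENS_SCENARIO, dkim_sigs=[("amazonses.com", True),
                                           ("ses.hoffrichter.no", True)])
    print(dmarc_evaluate(**fixed), "strict:", dmarc_evaluate(**fixed, adkim="s"))
```

In the first run neither identifier aligns, so DMARC fails even though the amazonses.com signature verifies; with `p=none` the requested disposition is still `none`. The second run shows the point from the thread about separate selectors: a valid signature under a subdomain of the From domain passes under relaxed alignment but not under `adkim=s`.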


[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Jaroslaw Rafa via Postfix-users
On 2.11.2023 at 09:42:01 Matus UHLAR - fantomas via Postfix-users writes:
> (once more: DKIM applies on header From:, SPF on envelope from:).

And DMARC requires that both be identical (actually, from the same domain -
user part may be different), which makes things even harder.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Question about postscreen

2023-11-02 Thread Ivan Ionut via Postfix-users



Hi, it's possible that  postscreen does not block the email when 
postscreen_dnsbl_threshold is reached but to pass that email to 
spamassassin(with a score and a tag).


--
Ivan Ionuț

Str. Mircea cel Bătrân nr 1, Galati 800023

Tel/Fax: +40236 493277

Email: ivan.io...@tehnopol-gl.ro



[pfx] Re: Recommendation for dkim signing

2023-11-02 Thread Matus UHLAR - fantomas via Postfix-users

On 01.11.23 03:15, Steffen Nurpmeso via Postfix-users wrote:
> Jens Hoffrichter via Postfix-users wrote in
> :
> |On Mon, Oct 30, 2023 at 8:12 PM Steffen Nurpmeso via Postfix-users
> | wrote:
> ...
> |> Btw i would wonder: why do -- as email operators -- still use DKIM
> |> at all, since there is ARC and it also offers signatures and
> |> verification?  The OpenSSL (-users) ML uses it, and it only.
> ...
> |Because Google / Gmail / Google Workspace will put out DKIM
> |requirements for every email from bulk senders from Feb 1st - not ARC
> |requirements. From what I understand, DMARC alignment only happens on
> |SPF and DKIM alignment, not on ARC alignment - and because of that,
> |DKIM is relevant for us.
>
> I did not know that.  I had the impression Google pushes ARC.  But
> i never find anything in their help (and stopped pressing buttons
> for "was this page helpful"), nor have i ever heard such.


ARC is third-party signature basically saying that
"DMARC was okay when we receive this e-mail".

You must configure trust to the concrete ARC signers, as you cannot simply 
trust mail from random domain saying "this mail from gmail.com was okay when 
we received it", as creating ARC signatures with fake original content is 
easy.


with DKIM, everyone signs their own mail, so this 3rd-party trust issue does 
not appear.



> I myself have deepest respect for the engineering of SPF (the RFC
> that is), but do not understand it regarding email flow, you have
> to run postsrsd to make this work if you have redirecting aliases,


When you forward mail from gmail.com to us, keeping original envelope sender 
e.g.  postmas...@gmail.com, we only see mail claiming to be from gmail, but 
originating your server, which means the sender may be forged.


SPF is here to block this e-mail, and SRS is one of techniques to rewrite 
envelope sender to your domain, while keeping enough of information for you 
to later see that the mail indeed was forwarded through your server, if the 
forward fails.


You of course can set your sender to anything in your domain, but by 
setting the sender to the original recipient, which may seem reasonable 
(setting the sender to the user who wishes to forward their e-mail to gmail), 
you risk creating a forwarding loop: 
each mail to that user gets forwarded to a non-existent address, a bounce is 
generated which is again forwarded to the non-existent address...

(and some servers or software don't create bounces with empty from).


> and in the end i myself do not care at all how the mail is hopping
> if only it is delivered to the right place.  Especially so if the
> email is DKIM signed and/or S/MIME aka PGP signed/encrypted.
> And DMARC i truly hate.  :)



> Well i keep on hoping that DKIM is fixed to work also for MLs
> without robot trouble (user interfaces are the other thing), it
> would be all i need.


DKIM cryptographically signs the e-mail body and headers, so everyone can 
verify if it really came from the domain in the header From:.


Mailing lists that modify signed headers or body of mail by e.g. adding a list 
signature to Subject: or body, invalidate this signature.


One of the solutions is to forward the original signed message intact as an 
attachment, the other is to change From: and DKIM-sign the new message with the domain in 
the mailing list From:, so the new DKIM signature is correct.



DMARC on a domain simply configures that all mail from that domain passes 
the DKIM or SPF check for that domain, and what to do with mail that does not 
pass either.

(once more: DKIM applies to header From:, SPF to envelope from:).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.
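As an added illustration, not code from any of the posters: a toy DMARC evaluation covering the cases Matus describes (mail forwarded with the original envelope sender, forwarded with SRS, a list that edits Subject: and breaks the DKIM signature, a list that rewrites From: and re-signs, and an ARC seal on its own). The org_domain approximation and all domains are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # Constructed approximation: the last two labels stand in for the
    # organizational domain (a real evaluator consults the public suffix list).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(a: str, b: str, strict: bool = False) -> bool:
    # DMARC "relaxed" alignment compares organizational domains.
    return a.lower() == b.lower() if strict else org_domain(a) == org_domain(b)

@dataclass
class AuthResults:
    header_from: str          # RFC5322.From domain: what DKIM and DMARC key on
    envelope_from: str        # RFC5321.MailFrom domain: what SPF keys on
    spf_pass: bool
    dkim_pass: bool           # some signature still verifies
    dkim_d: Optional[str]     # d= of that signature, None if none verifies
    arc_pass: bool = False    # ARC is deliberately ignored by dmarc_pass

def dmarc_pass(r: AuthResults) -> bool:
    # DMARC passes on an aligned SPF pass OR an aligned DKIM pass; ARC never counts.
    spf_aligned = r.spf_pass and aligned(r.envelope_from, r.header_from)
    dkim_aligned = (r.dkim_pass and r.dkim_d is not None
                    and aligned(r.dkim_d, r.header_from))
    return spf_aligned or dkim_aligned

# Constructed scenarios mirroring the thread:
DIRECT = AuthResults("example.com", "example.com", True, True, "example.com")
# forwarded with the original envelope sender kept: the forwarder's IP is not
# in example.com's SPF record, but an untouched DKIM signature still aligns
FORWARDED_NO_SRS = AuthResults("example.com", "example.com", False, True, "example.com")
# forwarded with SRS: SPF passes for the forwarder's domain but is not aligned
FORWARDED_SRS = AuthResults("example.com", "fwd.example.net", True, True, "example.com")
# list edited Subject:, so the signature broke, and did not rewrite From:
LIST_BROKE_DKIM = AuthResults("example.com", "lists.example.net", True, False, None)
# list rewrote From: to its own domain and re-signed with its own key
LIST_REWROTE_FROM = AuthResults("lists.example.net", "lists.example.net",
                                True, True, "lists.example.net")
# valid ARC seal, but no aligned SPF or DKIM result
ARC_ONLY = AuthResults("example.com", "lists.example.net", True, False, None, arc_pass=True)

if __name__ == "__main__":
    for name in ("DIRECT", "FORWARDED_NO_SRS", "FORWARDED_SRS",
                 "LIST_BROKE_DKIM", "LIST_REWROTE_FROM", "ARC_ONLY"):
        print(f"{name}: DMARC {'pass' if dmarc_pass(globals()[name]) else 'fail'}")
```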


[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Viktor Dukhovni via Postfix-users
On Thu, Nov 02, 2023 at 09:35:47AM +0200, Jaco Lesch via Postfix-users wrote:

> > I would have tried instead:
> > 
> >   PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig \
> >   make makefiles dynamicmaps=yes shared=yes \
> >   openssl_path="/usr/openssl/3/bin/openssl" \
> >   CC="/usr/bin/gcc -m64" \
> >   CCARGS="-DUSE_DB -DUSE_TLS $(pkg-config --cflags libssl 
> > libcrypto)" \
> >   AUXLIBS="-ldb $(pkg-config --libs libssl libcrypto)" \
> > 
> > but, you may still also need an explicit "-R/usr/openssl/3/lib" option,
> > if that's not part of what "pkg-config" returns for "--libs".
> > 
> And Viktor your options for make compile 100%, no need for the explicit
> "-R/usr/openssl/3/lib" option. Have compiled both static and dynamic to
> verify. Regards

Given the output of your 'pkg-config' command, the "-R" options *are*
likely still needed.  They augment the *run-time* shared library search
path.  The code will compile without them, but it may not run, unless
that directory is on the system-wide search path (not expected).

-- 
Viktor.
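An added check, not from the thread and not part of the Postfix build system: given the library flags pkg-config returned, decide whether a run-time search path (Solaris "-R", or GNU-style "-Wl,-rpath") is missing and produce an AUXLIBS value that carries one. Only the sample flag string comes from Jaco's posted pkg-config output; the functions are assumptions.

```python
import shlex

def runpath_dirs(tokens):
    """Directories already named by a run-time search-path option."""
    dirs = set()
    for t in tokens:
        if t.startswith("-R") and len(t) > 2:        # Solaris ld: -R/dir
            dirs.add(t[2:])
        elif t.startswith("-Wl,-rpath"):              # GNU style: -Wl,-rpath,/dir or =/dir
            dirs.add(t[len("-Wl,-rpath"):].lstrip(",="))
    return dirs

def augment_runpath(libs: str) -> str:
    """Return libs with a -R<dir> appended for every -L<dir> that has no run-path."""
    tokens = shlex.split(libs)
    have = runpath_dirs(tokens)
    link_dirs = [t[2:] for t in tokens if t.startswith("-L") and len(t) > 2]
    extra = ["-R" + d for d in link_dirs if d not in have]
    return " ".join(tokens + extra)

def needs_runpath(libs: str) -> bool:
    """True when the flags would link but leave the run-time search path unset."""
    return augment_runpath(libs) != " ".join(shlex.split(libs))

# Sample (from Jaco's posted output): the --libs part of
# `pkg-config --cflags --libs libssl libcrypto` on Solaris 11.4 with OpenSSL 3.
SOLARIS_LIBS = "-L/usr/openssl/3/lib/amd64 -lssl -lcrypto"

if __name__ == "__main__":
    print("run-path missing:", needs_runpath(SOLARIS_LIBS))
    print('AUXLIBS="-ldb ' + augment_runpath(SOLARIS_LIBS) + '"')
```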


[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Jaco Lesch via Postfix-users



On 2023/11/01 17:53, Viktor Dukhovni via Postfix-users wrote:

> On Wed, Nov 01, 2023 at 12:07:31PM +0200, Jaco Lesch via Postfix-users wrote:
> 
> >     Building an OpenSSL Application
> >     The development files are available in the /usr/openssl/3/sub-directories.
> >     To  build  an  OpenSSL application, use the following cc command
> >     line options:
> > 
> >   export PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig
> >   cc `pkg-config --cflags --libs libssl libcrypto` [ flag... ] file
> 
> Can you share the output you see for:
> 
>  $ export PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig
>  $ pkg-config --cflags --libs libssl libcrypto


The output from pkg-config:
~$ export PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig
~$ pkg-config --cflags --libs libssl libcrypto
-I/usr/openssl/3/include -L/usr/openssl/3/lib/amd64 -lssl -lcrypto


> For comparison, my build of OpenSSL 3.2 beta from stock upstream sources
> (with a custom --prefix) yields:
> 
>  $ export PKG_CONFIG_PATH=/usr/local/siteexec/lib/pkgconfig
>  $ pkg-config --cflags libssl libcrypto
>  -I/usr/local/siteexec/include
>  $ pkg-config --libs libssl libcrypto
>  -L/usr/local/siteexec/lib -lssl -lcrypto


> > To compile the Postfix source I used the following options for make:
> > =
> > export PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig
> > 
> > make makefiles dynamicmaps=yes shared=yes \
> >     CC="/usr/bin/gcc `pkg-config --cflags --libs libssl libcrypto`" \
> >     CCARGS="-m64 -DUSE_DB -DUSE_TLS -I/usr/openssl/3/include" \
> >     AUXLIBS="-ldb -R/usr/openssl/3/lib -L/usr/openssl/3/lib -lssl -lcrypto" \
> >     openssl_path="/usr/openssl/3/bin/openssl"

> I would have tried instead:
> 
>   PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig \
>   make makefiles dynamicmaps=yes shared=yes \
>   openssl_path="/usr/openssl/3/bin/openssl" \
>   CC="/usr/bin/gcc -m64" \
>   CCARGS="-DUSE_DB -DUSE_TLS $(pkg-config --cflags libssl libcrypto)" \
>   AUXLIBS="-ldb $(pkg-config --libs libssl libcrypto)" \
> 
> but, you may still also need an explicit "-R/usr/openssl/3/lib" option,
> if that's not part of what "pkg-config" returns for "--libs".

And Viktor your options for make compile 100%, no need for the explicit 
"-R/usr/openssl/3/lib" option. Have compiled both static and dynamic to 
verify. Regards


--
---
Jaco Lesch
SAIX HLS
Emai:ja...@saix.net


[pfx] Re: DEF_DB_TYPE change?

2023-11-02 Thread Eray Aslan via Postfix-users
On Wed, Nov 01, 2023 at 09:41:07AM -0400, Wietse Venema via Postfix-users wrote:
> Eray Aslan via Postfix-users:
> > Having said that, Berkeley DB is mature software and it works and is
> > widely available in various *nixes. Still, would it be prudent or worth
> > the effort to change the default db type to something else in
> > postfix-3.9?
> 
> What problem are you trying to solve?

I don't use BerkeleyDB so no personal problem. However, the recent
mailing list topic about postscreen database made me wonder if the
general public might be better served with a non-BerkeleyDB default as
well.

-- 
Eray