[pfx] Re: SOLVED: Escaping of braces {} in configuration (master(5))

2024-03-05 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso via Postfix-users wrote in
 <20240306000832.cK3_SjGH@steffen%sdaoden.eu>:
 |Steffen Nurpmeso via Postfix-users wrote in
 | <20240306000454.itbj3nHU@steffen%sdaoden.eu>:
 |
 |  Authentication-Results: list.sys4.de; dkim=fail header.d=sdaoden.eu;
 |   arc=none (Message is not ARC signed); dmarc=none
 |  Received: from sdaoden.eu (sdaoden.eu [217.144.132.164])
 |
 |Why does sys4 fail but gmail.com does not?
 |And which of the two keys did fail?

Hate!
(Or back to school.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SOLVED: Escaping of braces {} in configuration (master(5))

2024-03-05 Thread Steffen Nurpmeso via Postfix-users
Steffen Nurpmeso via Postfix-users wrote in
 <20240306000454.itbj3nHU@steffen%sdaoden.eu>:

  Authentication-Results: list.sys4.de; dkim=fail header.d=sdaoden.eu;
   arc=none (Message is not ARC signed); dmarc=none
  Received: from sdaoden.eu (sdaoden.eu [217.144.132.164])

Why does sys4 fail but gmail.com does not?
And which of the two keys did fail?

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


[pfx] Re: SOLVED: Escaping of braces {} in configuration (master(5))

2024-03-05 Thread Steffen Nurpmeso via Postfix-users
Hello Wietse Venema!

Wietse Venema via Postfix-users wrote in
 <4tq1wl2k2czj...@spike.porcupine.org>:
 |Wietse Venema via Postfix-users:
 |> With this in master.cf:
 |> 
 |> dkim-sign unix - n   n   -   0   spawn
 |>     user=_postfix_xlocal argv=/tmp/s-dkim-sign
 |>     --milter-macro-sign {daemon_name},sign
 |>     --key rsa-sha256,rsa,/tmp/pri-rsa.pem
 |> 
 |> These are options to a non-Postfix program, so I need to investigate
 |> why the syntax parser is treating it as Postfix syntax.
 |
 |This behavior was introduced on 20140927, and it is partially
 |documented in the master(5) manpage.
 |
 |  Other command-line arguments
 | Specify "{" and "}" around command arguments that contain
 | whitespace (Postfix 3.0 and later). Whitespace after "{"
 | and before "}" is ignored.
 |
 |The text should have said:
 |
 |  Other command-line arguments
 | Specify "{" and "}" around command arguments that must start
 | with "{" or that must contain whitespace (Postfix 3.0 and
 | later). These outer "{" and "}" are removed from the input,
 | together with any leading or trailing whitespace.
 |
 |Basically, Postfix strips one level of {} around any command-line
 |argument that starts with "{".
 |
 |In that light, if you want "{daemon_name},sign", you need to specify
 |{{daemon_name},sign} like this:
 |
 |dkim-sign unix -   n   n   -   0   spawn
 |    user=_postfix_xlocal argv=/tmp/s-dkim-sign
 |    --milter-macro-sign {{daemon_name},sign}
 |    --key rsa-sha256,rsa,/tmp/pri-rsa.pem

I can confirm this works (of course).
It was a no-brainer from my side actually.  Though i shortly
thought about the above, but did not try because, hm, likely
having seen plenty of nested tables in examples on this list.
(And mostly i tried \ then that var thing then simply used
a resource file format.)

 |I'll update the manpage text.

Thank you.  Yes that i searched, both.  And it would have helped.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


[pfx] Re: filter header from on forwarded mail

2024-03-05 Thread Ralph Seichter via Postfix-users
* Juerg Reimann via Postfix-users:

> So, but now I still have to filter such incoming mail in a way that I'd be 
> able to block certain senders by their *header* From: on a user basis.

I heartily recommend milter-regex [1]. It serves me well by allowing me
to configure all kinds of complex antispam rules.

[1] https://www.benzedrine.ch/milter-regex.html

-Ralph


[pfx] SOLVED: Escaping of braces {} in configuration (master(5))

2024-03-05 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> With this in master.cf:
> 
> dkim-sign unix -   n   n   -   0   spawn
>     user=_postfix_xlocal argv=/tmp/s-dkim-sign
>     --milter-macro-sign {daemon_name},sign
>     --key rsa-sha256,rsa,/tmp/pri-rsa.pem
> 
> These are options to a non-Postfix program, so I need to investigate
> why the syntax parser is treating it as Postfix syntax.

This behavior was introduced on 20140927, and it is partially
documented in the master(5) manpage.

  Other command-line arguments
      Specify "{" and "}" around command arguments that contain
      whitespace (Postfix 3.0 and later). Whitespace after "{"
      and before "}" is ignored.

The text should have said:

  Other command-line arguments
      Specify "{" and "}" around command arguments that must start
      with "{" or that must contain whitespace (Postfix 3.0 and
      later). These outer "{" and "}" are removed from the input,
      together with any leading or trailing whitespace.

Basically, Postfix strips one level of {} around any command-line
argument that starts with "{".

In that light, if you want "{daemon_name},sign", you need to specify
{{daemon_name},sign} like this:

dkim-sign unix -   n   n   -   0   spawn
    user=_postfix_xlocal argv=/tmp/s-dkim-sign
    --milter-macro-sign {{daemon_name},sign}
    --key rsa-sha256,rsa,/tmp/pri-rsa.pem

I'll update the manpage text.

Wietse
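
The brace rule described in the message above, as an added Python model that is not part of the original post and is not Postfix code. The helper names (`split_args`, `strip_outer`, `parse`, `encode`) are hypothetical, and rejecting text that follows the matching "}" is an assumption of this model, since the thread does not say what Postfix does in that case.

```python
# Added illustration: a model of the rule described in the message, not Postfix code.

def split_args(text):
    """Split on whitespace, keeping balanced {...} groups inside one token."""
    tokens, cur, depth = [], "", 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced '}' in %r" % text)
        if ch.isspace() and depth == 0:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if depth:
        raise ValueError("unbalanced '{' in %r" % text)
    return tokens + ([cur] if cur else [])

def strip_outer(token):
    """Remove one level of {} from a token that starts with '{'."""
    if not token.startswith("{"):
        return token
    depth = 0
    for i, ch in enumerate(token):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:
            break
    if depth != 0 or i != len(token) - 1:
        # Assumption of this model: report the token instead of guessing.
        raise ValueError("unbalanced braces or text after '}' in %r" % token)
    return token[1:-1].strip()

def parse(text):
    """Return the argument list the spawned program would receive."""
    return [strip_outer(t) for t in split_args(text)]

def encode(arg):
    """Write one literal argument so that parse() gives it back unchanged."""
    if arg.startswith("{") or any(c.isspace() for c in arg):
        return "{" + arg + "}"
    return arg

if __name__ == "__main__":
    # Constructed from the master.cf entry quoted in the thread.
    line = "--milter-macro-sign " + encode("{daemon_name},sign")
    print(line, "->", parse(line))
```
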


[pfx] Postfix stable release 3.8.6, and legacy releases 3.7.11, 3.6.15, 3.5.25

2024-03-05 Thread Wietse Venema via Postfix-users
[An on-line version of this announcement will be available at
https://www.postfix.org/announcements/postfix-3.8.6.html]

This is the first regular update after the SMTP smuggling episode.
As the last regular update was early November, this update is larger
than usual.

Fixed with Postfix 3.8.6, 3.7.11, 3.6.15, 3.5.25:

  * Bugfix (defect introduced: Postfix 2.3, date 20051222): the
    Dovecot auth client did not reset the 'reason' from a previous
    Dovecot auth service response, before parsing the next Dovecot
    auth server response in the same SMTP session, resulting in a
    nonsensical "authentication failed" warning message. Reported
    by Stephan Bosch.

  * Bugfix (defect introduced: Postfix 3.1, date: 20151128):
    "postqueue -j" produced broken JSON when escaping a control
    character as \u. Found during code maintenance.

  * Cleanup: this fixes posttls-finger certificate match expectations
    for all TLS security levels, including warnings for levels that
    don't implement certificate matching. By Viktor Dukhovni.

  * Bugfix (defect introduced: Postfix 2.3): after prepending a
    header at the top of a message (with an access(5), header_checks(5)
    or Milter action), the Postfix Milter "delete header" or "update
    header" action was skipping the prepended header, instead of
    skipping the Postfix-generated Received: header. Problem report
    by Carlos Velasco.

  * Workaround: tlsmgr logfile spam. Reportedly, some OS lies under
    load: it says that a socket is readable, then it says that the
    socket has unread data, and then it says that read returns EOF,
    causing Postfix to spam the log with a warning message.

  * Bugfix (defect introduced: Postfix 3.4): the SMTP server's BDAT
    command handler could be tricked to read $message_size_limit
    bytes into memory. Found during code maintenance.

  * Safety: limit the total size of DNS lookup results to 100
    records; drop the excess records, and log a warning. This limit
    is 20x larger than the number of server addresses that the
    Postfix SMTP client is willing to consider when delivering mail,
    and is far below the number of records that could cause a tail
    recursion crash in dns_rr_append() as reported by Toshifumi
    Sakaguchi. This fix also limits the number of DNS requests that
    a check_*_*_access restriction can make.

  * Performance, related to the previous problem: eliminate worst-case
    behavior where the queue manager could defer delivery to all
    destinations over a specific delivery transport, after only a
    single delivery agent crash. The scheduler now throttles
    deliveries to one destination, and allows other deliveries to
    keep making progress.

You can find the updated Postfix source code at the mirrors listed
at https://www.postfix.org/.

Wietse


[pfx] Re: Escaping of braces {} in configuration (master(5))

2024-03-05 Thread Wietse Venema via Postfix-users
With this in master.cf:

dkim-sign unix - n   n   -   0   spawn
    user=_postfix_xlocal argv=/tmp/s-dkim-sign
    --milter-macro-sign {daemon_name},sign
    --key rsa-sha256,rsa,/tmp/pri-rsa.pem

These are options to a non-Postfix program, so I need to investigate
why the syntax parser is treating it as Postfix syntax.

Wietse


[pfx] Re: filter header from on forwarded mail

2024-03-05 Thread Juerg Reimann via Postfix-users
> From: Juerg Reimann via Postfix-users 
> 
> So, but now I still have to filter such incoming mail in a way that I'd be
> able to block certain senders by their *header* From: on a user basis. I

Sorry, when I say user basis I mean domain basis of course...

Juerg




[pfx] filter header from on forwarded mail

2024-03-05 Thread Juerg Reimann via Postfix-users
Hi everyone,

I have rspamd in front of postfix and in certain situations I have to 
completely whitelist some sending servers on the rspamd level. These are cases 
where users have to forward mail from other systems and these have neither DMARC 
nor, for that matter, ARC implemented. So all forwarded mail with a reject 
policy on their DMARC config would in fact be rejected by rspamd when the 
sending servers are not whitelisted there.

So, but now I still have to filter such incoming mail in a way that I'd be 
able to block certain senders by their *header* From: on a user basis. I tried 
the following approach (currently for two users):

smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    reject_non_fqdn_recipient,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unverified_recipient,
    check_recipient_access hash:/opt/local/etc/postfix/protected_destinations,
    reject_unauth_pipelining
smtpd_restriction_classes = filter_user1, filter_user2
filter_user1 = check_sender_access hash:/opt/local/etc/postfix/filter/user1,
    permit
filter_user2 = check_sender_access hash:/opt/local/etc/postfix/filter/user2,
    permit

user1/user2:

s...@email.addr    REJECT

While this works for any s...@email.addr coming in directly, it seems not to 
work with the forwarded mail from those hosts whitelisted on rspamd. Does 
anybody know why or how I should change my approach?

Thanks, Juerg

