[pfx] Re: Change Domain of "from="
On Wed, May 29, 2024 at 5:49 PM Wietse Venema via Postfix-users wrote: > I think it's a bad idea to send your double bounces to a different site. > The Postfix design really wants to handle them locally. Thank you Wietse. I moved to a conservative configuration for tonight including deleting the SPF record I created for mail01.raystedman.org. We will likely see four or five SPF failures from Google which we know to be -- at least safe. I would like to capture the double-bounces on the local machine to get a look at the message headers. I'm sure this additional data will give me insight on the cause of the double-bounces which is now unclear -- at least to me. Perhaps you can give me an idea of how to capture just the double-bounces locally. Thanks again, Greg ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Question about the DMARC setting for lists
Hello the list, I saw some open source providers who have these dmarc settings: _dmarc.disroot.org. 3495 IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:ab...@disroot.org; ruf=mailto:ab...@disroot.org;; _dmarc.autistici.org. 3504 IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:live-repo...@autistici.org; _dmarc.dismail.de. 14400 IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc-...@dismail.de; As you see their dmarc policy is "reject". I know many tech users use these providers for subscribing to mailing lists. Since mailing lists: 1) mostly have SRS enabled, the rewrited sender address has no help to SPF validation of the original sender. 2) mostly add the list signature in the body, so DKIM will break for the orignal message. since SPF/DKIM are in failure, then DMARK fails. this message will be rejected by most MTAs (following the DMARC setting). So how to handle the case? Thanks. Northwind ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
Greg Sims via Postfix-users:
> On Wed, May 29, 2024 at 2:52?PM Wietse Venema via Postfix-users
> wrote:
>
> > Presumably you have to DKIM or SPF or DMARC for hostname.raystedman.org,
> > so any way to get double-bou...@raystedman.org should help.
> >
> > You have to be careful about mailer loops, though.
> >
> > Postfix gives special treatment to <> and
> > to avoid an infinite loop of notifications for failed notifications.
>
> Please note mail01 receives email from our private network Only. This
> email is created by our servers.
> mail01 does not receive email from the Internet. All of our MX records
> point to Google.
> If we can get the double-bounce to Google, there seems to be little
> chance of a mailer loop.
I may have a different solution below.
First the worse news:
Suppose that delivery of the double-bounce to Google fails. Postfix
will then try to notify the envelope sender address. If we're not
careful, that can result in non-delivery notifiation loop.
I just checked the implemenation. The Postfix bounce daemon handles
failed double bounces by not generating a non-delivery notification
(i.e. it ignores a failed double bounce). But it ignores them only
when the sender address was
$double_bounce_sender@$myhostname
Othwerwise, this special handling won't work, and the Postfix bounce
daemon will generate a new notification, and the process may repeat
over and over.
The better news is that unlike (sender_)canonical_maps, the
smtp_generic_maps feature does not change the (double bounce) sender
address that Postfix uses internally. This feature changes only
what is sent in SMTP commands.
So, get rid of my (sender_)canonical mapping, and update master.cf:
master.cf:
special-smtp-client . .. .. .. .. .. .. smtp
-o { notify-classes = bounce, ... }
-o { smtp_generic_maps = inline:{
{ double-bou...@hostname.raystedman.org =
double-bou...@raystedman.org } } }
Thus, the sending Postfix will ignore a failed notification from
double-bou...@hostname.raystedman.org as intended, and the receiving
Google server will see SMTP commands with double-bou...@raystedman.org
which are good for SPF and DKIM.
If you need to DKIM sign bounces, and you are using non_smtpd_milters
to do that, then you may have to specify:
main.cf:
internal_mail_filter_classes = bounce
See https://www.postfix.org/postconf.5.html#internal_mail_filter_classes
> We have two DMARC/DKIM/SPF setups:
> (1) email with domain raystedman.org is relayed through Google.
> This is our transactional email (subscription double opt-in and the
> like).
> (2) email with domain devotion.raystedman.org is sent directly onto
> the Internet.
>
> I am reluctant to create a third DMARC/DKIM/SPF for the double-bounce
> case which is now using domain mail01.raystedman.org.
>
> I created a SPF record for mail01.raystedman.org -- for tonight. This
> should be enough to get DMARC to pass when the double-bounce email is
> received by Google -- at least this is the hope. I will work on this
> again Thursday.
I think it's a bad idea to send your double bounces to a different site.
The Postfix design really wants to handle them locally.
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
On Wed, May 29, 2024 at 2:52 PM Wietse Venema via Postfix-users wrote: > Presumably you have to DKIM or SPF or DMARC for hostname.raystedman.org, > so any way to get double-bou...@raystedman.org should help. > > You have to be careful about mailer loops, though. > > Postfix gives special treatment to <> and > to avoid an infinite loop of notifications for failed notifications. Please note mail01 receives email from our private network Only. This email is created by our servers. mail01 does not receive email from the Internet. All of our MX records point to Google. If we can get the double-bounce to Google, there seems to be little chance of a mailer loop. We have two DMARC/DKIM/SPF setups: (1) email with domain raystedman.org is relayed through Google. This is our transactional email (subscription double opt-in and the like). (2) email with domain devotion.raystedman.org is sent directly onto the Internet. I am reluctant to create a third DMARC/DKIM/SPF for the double-bounce case which is now using domain mail01.raystedman.org. I created a SPF record for mail01.raystedman.org -- for tonight. This should be enough to get DMARC to pass when the double-bounce email is received by Google -- at least this is the hope. I will work on this again Thursday. Thanks, Greg ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
Greg Sims via Postfix-users:
> I wrote software that reviews the bounces in the Gmail mailbox and
> unsubscribes email addresses from the daily devotion distribution as
> needed.The software is very conservative in the way this is done.
> Bounces 3 out of 5 consecutive days and only for certain types of errors.
> If our software recognises the bounce, the bounce email is deleted by the
> software from the mailbox. Once per month I log into Gmail and review the
> remaining bounces manually. RSM uses Gmail for all of the people who work
> & volunteer for the ministry. This pattern seemed to fit.
>
> I am looking for a way to resolve our SPF issue. If sender_canonical_maps
> is the solution, I will give it a try. Did you expect that using "myorigin
> = raystedman.org" would resolve the SPF issue?
Presumbaly you have to DKIM or SPF or DMARC for hostname.raystedman.org,
so any way to get double-bou...@raystedman.org should help.
You have to be careful about mailer loops, though.
Postfix gives special treatmment to <> and
to avoid an infinite loop of notifications for failed notifications.
So there waas a typo in my earlier sender_canonical_maps example,
where I used _ instead of -.
sender_canonical_maps = inline:{
{ double-bou...@mail01.raystedman.ora =
double-bou...@raystedman.org } }
Specitying a domain in the double_bounce_sender setting will not work.
The implementation does not expect @ in the double_bounce_sender
value, and should handle that.
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
Wietse Venema via Postfix-users:
> Greg Sims via Postfix-users:
> > Hello,
> >
> > We found the following in our email logs this morning. I ran
> > "collate" and here is the result:
> >
> > May 29 02:10:04 mail01.raystedman.org postfix/bounce[31220]:
> > AFC7030537E6: postmaster non-delivery notification: 7A80D32EDB2C
> > May 29 02:10:04 mail01.raystedman.org postfix/cleanup[31245]:
> > 7A80D32EDB2C: message-id=<20240529091004.7a80d32ed...@mail01.raystedman.org>
> > May 29 02:10:04 mail01.raystedman.org postfix/qmgr[27525]:
> > 7A80D32EDB2C: from=, size=3380,
> > nrcpt=1 (queue active)
> > May 29 02:10:04 mail01.raystedman.org postfix/t122/smtp[31017]:
> > Trusted TLS connection established to
> > aspmx.l.google.com[142.250.141.27]:25: TLSv1.3 with cipher
> > TLS_AES_256_GCM_SHA384 (256/2
> > 56 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest
> > SHA256
> > May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> > 7A80D32EDB2C: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26
> > Your email has been rate limited because it is unauthenticated. Gmail
> > 421-4.7.26 requires all senders to authenticate with either SPF or
> > DKIM. 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM
> > = did not pass 421-4.7.26 SPF [mail01.raystedman.org] with ip:
> > [209.73.152.122] = did not pass 421-4.7.26 421-4.7.26 For
> > instructions on setting up authentication, go to 421 4.7.26
> > https://support.google.com/mail/answer/81126#authentication
> > d2e1a72fcca58-6f8fc04d880si9913771b3a.16 - gsmtp (in reply to end of
> > DATA command)
> > May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> > Trusted TLS connection established to
> > alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
> > TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> > server-signature ECDSA (P-256) server-digest SHA256
> > May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> > 7A80D32EDB2C: to=, orig_to=,
> > relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.2,
> > delays=0/0/0.92/0.3, dsn=4.7.26, status=deferred (host
> > alt2.aspmx.l.google.com[74.125.126.26] said: 421-4.7.26 Your email has
> > been rate limited because it is unauthenticated. Gmail 421-4.7.26
> > requires all senders to authenticate with either SPF or DKIM.
> > 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM = did
> > not pass 421-4.7.26 SPF [mail01.raystedman.org] with ip:
> > [209.73.152.122] = did not pass 421-4.7.26 421-4.7.26 For
> > instructions on setting up authentication, go to 421 4.7.26
> > https://support.google.com/mail/answer/81126#authentication
> > ca18e2360f4ac-7e9c1b21032si328213139f.60 - gsmtp (in reply to end of
> > DATA command))
> >
> > main.cf contains:
> >
> > # 24-05-28
> > # email comes from raystedman.org instead of mail0.raystedman.org
> > # note: the mail01 subdomain does not need a SPF record in DNS as a result
> > myorigin = raystedman.org
> >
> > I hoped this would allow the message being sent to be
> > from=. Please note the qmgr record
> > above shows the name of the sending machine -- mail01.raystedman.org.
>
> How about using sender_canoical_maps?
>
> sender_canonical_maps = inline:{
> { double-bou...@mail01.raystedman.ora = double_bou...@raystedman.org } }
Or maybe double_bounce_sender = double-bou...@raystedman.org
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
>
>
> > main.cf contains:
> >
> > # 24-05-28
> > # email comes from raystedman.org instead of mail0.raystedman.org
> > # note: the mail01 subdomain does not need a SPF record in DNS as a
> result
> > myorigin = raystedman.org
> >
> > I hoped this would allow the message being sent to be
> > from=. Please note the qmgr record
> > above shows the name of the sending machine -- mail01.raystedman.org.
>
> How about using sender_canoical_maps?
>
> sender_canonical_maps = inline:{
> { double-bou...@mail01.raystedman.ora =
> double_bou...@raystedman.org } }
>
> Why are you sending these notifications to Google?
>
>
Hi Wietse,
Our design point of sending the bounces to a Gmail mailbox at Google may
not be the best -- but it is practical for us.
I wrote software that reviews the bounces in the Gmail mailbox and
unsubscribes email addresses from the daily devotion distribution as
needed.The software is very conservative in the way this is done.
Bounces 3 out of 5 consecutive days and only for certain types of errors.
If our software recognises the bounce, the bounce email is deleted by the
software from the mailbox. Once per month I log into Gmail and review the
remaining bounces manually. RSM uses Gmail for all of the people who work
& volunteer for the ministry. This pattern seemed to fit.
I am looking for a way to resolve our SPF issue. If sender_canonical_maps
is the solution, I will give it a try. Did you expect that using "myorigin
= raystedman.org" would resolve the SPF issue?
Thanks, Greg
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
On Wed, May 29, 2024 at 11:24:58AM -0400, Wietse Venema via Postfix-users wrote:
> How about using sender_canoical_maps?
>
> sender_canonical_maps = inline:{
> { double-bou...@mail01.raystedman.ora = double_bou...@raystedman.org } }
>
> Why are you sending these notifications to Google?
And why set $myorigin to something unusable (at least in the eyes of
your e-mail provider)?
Bastian
--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On 29/05/2024 14:07, Viktor Dukhovni via Postfix-users wrote:
On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:
The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.
465 inet n - n - - smtpd
-o smtpd_delay_reject=no
-o {smtpd_client_restrictions=reject_rbl_client
zen.spamhaus.org=127.0.0.4}
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
...
submission inet n - n - - smtpd
-o smtpd_delay_reject=no
-o {smtpd_client_restrictions=reject_rbl_client
zen.spamhaus.org=127.0.0.4}
-o
smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
All set up this way.
I will let it run overnight and see what hits.
Works like a charm.
1 SASL authentication failed ---
Only one.
Perhaps a bit of luck? For me, the XBL only catches around 10% of the
SASL probes. May your luck hold up.
The majority of the probes I see that are not stopped by XBL are
relatively harmless and don't get to try the AUTH command. They mainly
come from ips that repeat in a short space of time (where potentially
fail2ban could be used) and
* fail in the starttls for protocol or cipher issues
* disconnect without issuing starttls so never get to the AUTH command
* try issuing AUTH without starttls so get disconnected for too many
invalid commands
The cases I have where AUTH has been tried and failed are relatively
few. They mainly come from fast varying ips so fail2ban is not that
useful unless I want to start banning based on a single probe. They
usually appear to target specific existing users.
John
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Change Domain of "from="
Greg Sims via Postfix-users:
> Hello,
>
> We found the following in our email logs this morning. I ran
> "collate" and here is the result:
>
> May 29 02:10:04 mail01.raystedman.org postfix/bounce[31220]:
> AFC7030537E6: postmaster non-delivery notification: 7A80D32EDB2C
> May 29 02:10:04 mail01.raystedman.org postfix/cleanup[31245]:
> 7A80D32EDB2C: message-id=<20240529091004.7a80d32ed...@mail01.raystedman.org>
> May 29 02:10:04 mail01.raystedman.org postfix/qmgr[27525]:
> 7A80D32EDB2C: from=, size=3380,
> nrcpt=1 (queue active)
> May 29 02:10:04 mail01.raystedman.org postfix/t122/smtp[31017]:
> Trusted TLS connection established to
> aspmx.l.google.com[142.250.141.27]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/2
> 56 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest
> SHA256
> May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> 7A80D32EDB2C: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26
> Your email has been rate limited because it is unauthenticated. Gmail
> 421-4.7.26 requires all senders to authenticate with either SPF or
> DKIM. 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM
> = did not pass 421-4.7.26 SPF [mail01.raystedman.org] with ip:
> [209.73.152.122] = did not pass 421-4.7.26 421-4.7.26 For
> instructions on setting up authentication, go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> d2e1a72fcca58-6f8fc04d880si9913771b3a.16 - gsmtp (in reply to end of
> DATA command)
> May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> Trusted TLS connection established to
> alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
> server-signature ECDSA (P-256) server-digest SHA256
> May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]:
> 7A80D32EDB2C: to=, orig_to=,
> relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.2,
> delays=0/0/0.92/0.3, dsn=4.7.26, status=deferred (host
> alt2.aspmx.l.google.com[74.125.126.26] said: 421-4.7.26 Your email has
> been rate limited because it is unauthenticated. Gmail 421-4.7.26
> requires all senders to authenticate with either SPF or DKIM.
> 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM = did
> not pass 421-4.7.26 SPF [mail01.raystedman.org] with ip:
> [209.73.152.122] = did not pass 421-4.7.26 421-4.7.26 For
> instructions on setting up authentication, go to 421 4.7.26
> https://support.google.com/mail/answer/81126#authentication
> ca18e2360f4ac-7e9c1b21032si328213139f.60 - gsmtp (in reply to end of
> DATA command))
>
> main.cf contains:
>
> # 24-05-28
> # email comes from raystedman.org instead of mail0.raystedman.org
> # note: the mail01 subdomain does not need a SPF record in DNS as a result
> myorigin = raystedman.org
>
> I hoped this would allow the message being sent to be
> from=. Please note the qmgr record
> above shows the name of the sending machine -- mail01.raystedman.org.
How about using sender_canoical_maps?
sender_canonical_maps = inline:{
{ double-bou...@mail01.raystedman.ora = double_bou...@raystedman.org } }
Why are you sending these notifications to Google?
Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: "delivered to command" config
After adding both lines and running postmap on /etc/postfix/virtual, both the base address and the alias reach the destination machine (server2). Thank you sir! On 28/05/2024 19:27, Wietse Venema via Postfix-users wrote: Wietse Venema via Postfix-users: Adam Weremczuk via Postfix-users: I've tried your suggestion. SERVER1 is still trying to deliver test email locally rather than forward to SERVER2: According to your postfinger output, you did not confihgure virtual_alias_maps on server1 to send bugzilla mail to server2. Therefore, Postfix on server1 will deliver it locally. There needs to be a virtual_alias_maps rule like this: bugzi...@matrixscience.co.uk bugzi...@server2.matrixscience.co.uk or like thisL bugzi...@matrixscience.com bugzi...@server2.matrixscience.co.uk or maybe both. See my previous email for how to configure and manage Postfix virtual alias maps. Wietse : host mx0.myLANdomain.com[/var/run/cyrus/socket/lmtp] said: 550-Mailbox unknown. Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command) The NEW virtual_alias_maps configuration takes effect ONLY for new messages. For more support, follow https://www.postfix.org/DEBUG_README.html#mail Wiuetse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On 2024-05-29 at 10:02:59 UTC-0400 (Thu, 30 May 2024 00:02:59 +1000) Viktor Dukhovni via Postfix-users is rumored to have said: [...] I'd be curious to hear whether you'll find much AUTH brute-force activity from SBL + CSS (and not XBL) and as mentioned previously, blocking based on PBL is not viable for most submission servers with users on dynamic IPs. CSS frequently lists addresses which engage in cred-stuffing. Very often these are in cheap cloud VM provider ranges, so simply blocking whole networks from accessing authenticated services at the packet level usually works. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On Wed, May 29, 2024 at 08:40:50AM -0400, John Hill via Postfix-users wrote: > On 5/29/24 8:31 AM, Benny Pedersen via Postfix-users wrote: > > Viktor Dukhovni via Postfix-users skrev den 2024-05-29 14:07: > > > > > Perhaps a bit of luck? For me, the XBL only catches around 10% of the > > > SASL probes. May your luck hold up. > > > > https://www.abuseipdb.com/user/139902 enless tryes :) > > > > all zen.spamhaus.org should be used as authbl, but not pbl 127.0.0.10 > > and 127.0.0.11 > > I'll fix this I'd be curious to hear whether you'll find much AUTH brute-force activity from SBL + CSS (and not XBL) and as mentioned previously, blocking based on PBL is not viable for most submission servers with users on dynamic IPs. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Change Domain of "from="
Hello, We found the following in our email logs this morning. I ran "collate" and here is the result: May 29 02:10:04 mail01.raystedman.org postfix/bounce[31220]: AFC7030537E6: postmaster non-delivery notification: 7A80D32EDB2C May 29 02:10:04 mail01.raystedman.org postfix/cleanup[31245]: 7A80D32EDB2C: message-id=<20240529091004.7a80d32ed...@mail01.raystedman.org> May 29 02:10:04 mail01.raystedman.org postfix/qmgr[27525]: 7A80D32EDB2C: from=, size=3380, nrcpt=1 (queue active) May 29 02:10:04 mail01.raystedman.org postfix/t122/smtp[31017]: Trusted TLS connection established to aspmx.l.google.com[142.250.141.27]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/2 56 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]: 7A80D32EDB2C: host aspmx.l.google.com[142.250.141.27] said: 421-4.7.26 Your email has been rate limited because it is unauthenticated. Gmail 421-4.7.26 requires all senders to authenticate with either SPF or DKIM. 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM = did not pass 421-4.7.26 SPF [mail01.raystedman.org] with ip: [209.73.152.122] = did not pass 421-4.7.26 421-4.7.26 For instructions on setting up authentication, go to 421 4.7.26 https://support.google.com/mail/answer/81126#authentication d2e1a72fcca58-6f8fc04d880si9913771b3a.16 - gsmtp (in reply to end of DATA command) May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]: Trusted TLS connection established to alt2.aspmx.l.google.com[74.125.126.26]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 May 29 02:10:05 mail01.raystedman.org postfix/t122/smtp[31017]: 7A80D32EDB2C: to=, orig_to=, relay=alt2.aspmx.l.google.com[74.125.126.26]:25, delay=1.2, delays=0/0/0.92/0.3, dsn=4.7.26, status=deferred (host alt2.aspmx.l.google.com[74.125.126.26] said: 421-4.7.26 Your email has been rate limited because it is unauthenticated. Gmail 421-4.7.26 requires all senders to authenticate with either SPF or DKIM. 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM = did not pass 421-4.7.26 SPF [mail01.raystedman.org] with ip: [209.73.152.122] = did not pass 421-4.7.26 421-4.7.26 For instructions on setting up authentication, go to 421 4.7.26 https://support.google.com/mail/answer/81126#authentication ca18e2360f4ac-7e9c1b21032si328213139f.60 - gsmtp (in reply to end of DATA command)) main.cf contains: # 24-05-28 # email comes from raystedman.org instead of mail0.raystedman.org # note: the mail01 subdomain does not need a SPF record in DNS as a result myorigin = raystedman.org I hoped this would allow the message being sent to be from=. Please note the qmgr record above shows the name of the sending machine -- mail01.raystedman.org. Thank you, Greg ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On 5/29/24 8:31 AM, Benny Pedersen via Postfix-users wrote: Viktor Dukhovni via Postfix-users skrev den 2024-05-29 14:07: Perhaps a bit of luck? For me, the XBL only catches around 10% of the SASL probes. May your luck hold up. https://www.abuseipdb.com/user/139902 enless tryes :) all zen.spamhaus.org should be used as authbl, but not pbl 127.0.0.10 and 127.0.0.11 ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org I'll fix this thanks --john ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
Viktor Dukhovni via Postfix-users skrev den 2024-05-29 14:07: Perhaps a bit of luck? For me, the XBL only catches around 10% of the SASL probes. May your luck hold up. https://www.abuseipdb.com/user/139902 enless tryes :) all zen.spamhaus.org should be used as authbl, but not pbl 127.0.0.10 and 127.0.0.11 ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On 2024-05-28 at 20:25:14 UTC-0400 (Wed, 29 May 2024 02:25:14 +0200) John Fawcett via Postfix-users is rumored to have said: On 29/05/2024 01:11, Bill Cole via Postfix-users wrote: On 2024-05-28 at 18:50:11 UTC-0400 (Wed, 29 May 2024 00:50:11 +0200) John Fawcett via Postfix-users is rumored to have said: [...] Hi John I think you are missing the following in master.cf for the submission service -o smtpd_delay_reject=no Without that the smtpd_client_restrictions will not be evaluated when the client connects and so you will allow the connected client to try authentication. That is not what is happening here. The order of restrictions within the same restriction list matters, and Postfix is careful about logic. If you put permit_sasl_authenticated ahead of reject_rbl_client, the permit must be able to take effect without evaluating the reject condition. That demands allowing as many AUTH commands as your other config will allow to fail. Hi Bill You're right that the order matters and the reject_rbl_client should be the first restriction in smtpd_client_restrictions for the submission service. Actually it is probably the only one that is really needed. With all the flux and piecemeal configs posted, I'm not quite certain, but you are likely correct. I may be wrong but I don't believe that specifying permit_sasl_authenticated influences behaviour in allowing AUTH attempts. I believe it will just evaluate to permitting the access if at the time of the evaluation the user is authenticated. Based on what Viktor has posted since, which I consider authoritative, you were right about needing smtpd_delay_reject=no and reject_rbl_client in the client restrictions for rejection to happen before any AUTH command can be tried. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On Wed, May 29, 2024 at 07:26:10AM -0400, John Hill via Postfix-users wrote:
> > > The wrapper-mode TLS "smtps" rejects are naturally after the TLS
> > > handshake.
> > >
> >
> > 465 inet n - n - - smtpd
> > -o smtpd_delay_reject=no
> > -o {smtpd_client_restrictions=reject_rbl_client
> > zen.spamhaus.org=127.0.0.4}
> > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> > ...
> >
> > submission inet n - n - - smtpd
> > -o smtpd_delay_reject=no
> > -o {smtpd_client_restrictions=reject_rbl_client
> > zen.spamhaus.org=127.0.0.4}
> > -o
> > smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
> >
> > All set up this way.
> > I will let it run overnight and see what hits.
>
> Works like a charm.
>
> 1 SASL authentication failed ---
>
> Only one.
Perhaps a bit of luck? For me, the XBL only catches around 10% of the
SASL probes. May your luck hold up.
--
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Masters.cf
On 5/28/24 10:15 PM, John Hill via Postfix-users wrote:
On 5/28/24 10:11 PM, Viktor Dukhovni via Postfix-users wrote:
On Wed, May 29, 2024 at 11:58:31AM +1000, Viktor Dukhovni via
Postfix-users wrote:
You might in fact want to reject XBL IPs early, before they even
attempt authentication. So I have:
465 inet n - n - - smtpd
-o smtpd_delay_reject=no
-o {smtpd_client_restrictions=reject_rbl_client
zen.spamhaus.org=127.0.0.4}
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
...
submission inet n - n - - smtpd
-o smtpd_delay_reject=no
-o {smtpd_client_restrictions=reject_rbl_client
zen.spamhaus.org=127.0.0.4}
-o
smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
Example logs showing early enforcement for the above:
postfix/smtps/smtpd[3583655]: connect from unknown[115.44.140.188]
postfix/smtps/smtpd[3583655]: Anonymous TLS connection
established from unknown[115.44.140.188]:
TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/smtps/smtpd[3583655]: NOQUEUE: reject: CONNECT from
unknown[115.44.140.188]:
554 5.7.1 Service unavailable; Client host [115.44.140.188]
blocked using zen.spamhaus.org;
Listed by XBL, see
https://check.spamhaus.org/query/ip/115.44.140.188 /
Listed by CSS, see
https://check.spamhaus.org/query/ip/115.44.140.188; proto=SMTP
postfix/smtps/smtpd[3583655]: lost connection after CONNECT from
unknown[115.44.140.188]
postfix/smtps/smtpd[3583655]: disconnect from
unknown[115.44.140.188] commands=0/0
postfix/submission/smtpd[3583513]: connect from
burger.census.shodan.io[66.240.219.146]
postfix/submission/smtpd[3583513]: NOQUEUE: reject: CONNECT from
burger.census.shodan.io[66.240.219.146]:
554 5.7.1 Service unavailable; Client host [66.240.219.146]
blocked using zen.spamhaus.org;
Listed by CSS, see
https://check.spamhaus.org/query/ip/66.240.219.146 /
Listed by XBL, see
https://check.spamhaus.org/query/ip/66.240.219.146; proto=SMTP
postfix/submission/smtpd[3583513]: lost connection after CONNECT
from burger.census.shodan.io[66.240.219.146]
postfix/submission/smtpd[3583513]: disconnect from
burger.census.shodan.io[66.240.219.146] ehlo=0/1 commands=0/1
The wrapper-mode TLS "smtps" rejects are naturally after the TLS
handshake.
465 inet n - n - - smtpd
-o smtpd_delay_reject=no
-o {smtpd_client_restrictions=reject_rbl_client
zen.spamhaus.org=127.0.0.4}
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
...
submission inet n - n - - smtpd
-o smtpd_delay_reject=no
-o {smtpd_client_restrictions=reject_rbl_client
zen.spamhaus.org=127.0.0.4}
-o
smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
All set up this way.
I will let it run overnight and see what hits.
Thank you
--john
Works like a charm.
1 SASL authentication failed ---
Only one.
Thanks everyone for putting up with me!!
--john
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
