[pfx] Re: REJECT sending mails to no-reply accounts
So many replies!

@Ralph
Is an automated/unattended email notifying the user about something, providing proper ways of contacting. As this email is not read in any way, rejecting the mail would be a better way to handle than an automatic response. IMHO.

@Peter
My /etc/postfix/no-reply_reject contains lines like:

    do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not reply to this email.

Regards
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: discard message
> On Jun 19, 2024, at 7:13 PM, Wietse Venema via Postfix-users
> wrote:
>
> postfix--- via Postfix-users:
>>> does smtp have an action "discard"? if so where messages will be discarded?
>>> I see smtp code has "reject" while sieve has "discard". So I am asking this
>>> question.
>>
>> http://www.postfix.org/header_checks.5.html
>> There is a DISCARD action.
>
> Also in http://www.postfix.org/access.5.html

This discussion raises a question for me. I use spamassassin:

in master.cf:

    spamassassin unix - n n - - pipe
      user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Is there a place in postfix where I could discard mail if it has a spam score higher than say 4 or 5? I know that postfix hands the mail off to spamassassin for processing and then receives it back for delivery, but I’m unclear what checks could be implemented to catch spam and discard it.

This is what I could match on:

    X-Spam-Status: Yes, score=2.1

If the score was higher than some number (e.g. >4) then reject the mail.

Paul Schmehl
paul.schm...@gmail.com
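A sketch of the score test asked about above, added here and not part of any list member's message: a `header_checks` regexp entry using the DISCARD action, checked in Python against a plain numeric comparison over constructed `X-Spam-Status` headers. It assumes SpamAssassin writes the score with one decimal and that the re-injected message passes through `header_checks`; the pattern, the threshold of 4 and the sample headers are constructed.

```python
import re

# Constructed header_checks(5) entry in regexp-table syntax. It matches
# one-decimal scores above 4.0: 4.1-4.9, 5.0-9.9, and 10.0 upwards.
PATTERN = r"^X-Spam-Status: Yes, score=(4\.[1-9]|[5-9]\.[0-9]|[1-9][0-9]+\.[0-9])"
HEADER_CHECKS_LINE = "/" + PATTERN + "/ DISCARD spam score above 4"

# Postfix regexp tables match case-insensitively by default.
TABLE_RE = re.compile(PATTERN, re.IGNORECASE)
STATUS_RE = re.compile(r"^X-Spam-Status: (Yes|No), score=(-?[0-9]+\.[0-9])",
                       re.IGNORECASE)


def action_from_table(header):
    """What the table entry decides for one logical header line."""
    return "DISCARD" if TABLE_RE.search(header) else "DUNNO"


def action_from_score(header, threshold=4.0):
    """Reference decision: parse the score and compare it numerically."""
    m = STATUS_RE.search(header)
    if not m or m.group(1).lower() != "yes":
        return "DUNNO"
    return "DISCARD" if float(m.group(2)) > threshold else "DUNNO"


def disagreements():
    """Headers on which the regexp and the numeric check differ (should be none)."""
    bad = []
    for flag in ("Yes", "No"):
        for tenths in range(-100, 2001):  # constructed scores -10.0 .. 200.0
            header = "X-Spam-Status: %s, score=%.1f required=2.0 tests=CONSTRUCTED" % (
                flag, tenths / 10)
            if action_from_table(header) != action_from_score(header):
                bad.append(header)
    return bad


if __name__ == "__main__":
    print(HEADER_CHECKS_LINE)
    print("mismatches:", len(disagreements()))
```

DISCARD claims successful delivery and silently drops the message, so nothing is bounced to the envelope sender.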
[pfx] Re: discard message
postfix--- via Postfix-users:
> > does smtp have an action "discard"? if so where messages will be discarded?
> > I see smtp code has "reject" while sieve has "discard". So I am asking this
> > question.
>
> http://www.postfix.org/header_checks.5.html
> There is a DISCARD action.

Also in http://www.postfix.org/access.5.html

Wietse
[pfx] Re: discard message
> does smtp have an action "discard"? if so where messages will be discarded?
> I see smtp code has "reject" while sieve has "discard". So I am asking this
> question.

http://www.postfix.org/header_checks.5.html
There is a DISCARD action.
[pfx] Re: REJECT sending mails to no-reply accounts
On 20/06/24 04:35, John Levine via Postfix-users wrote:
> It appears that Peter via Postfix-users said:
>> On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>>> Hi
>>>
>>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>>
>> There is no such thing as a no-reply email, there is no part of the
>> email specification that allows a message to be marked as unable to be
>> replied to.
>
> You might want to take a look at RFCs 7504 and 7505.

Those discuss means by which an entire domain or server can be set to not accept mail. I'm referring to setting the envelope sender and/or From: header in a message to an invalid address which is questionable at best and disallowed by RFC at worst.

IRT the Envelope sender see RFC 5321 4.5.5 where it says:

"All other types of messages (i.e., any message which is not required by a Standards-Track RFC to have a null reverse-path) SHOULD be sent with a *valid* (emphasis added), non-null reverse-path."

In this case "reverse-path" is a reference to the envelope sender.

For the From: header RFC5322 3.6.2 says:

"In all cases, the "From:" field SHOULD NOT contain any mailbox that does not belong to the author(s) of the message."

...which at the very least strongly suggests that the mailbox should be valid.

> I do agree that sending mail you can't reply to is rude, regardless
> of the technical details.

Indeed, and how difficult is it for these companies to set it to a help@ or info@ mailbox anyways?

Peter
[pfx] discard message
Hello

does smtp have an action "discard"? if so where messages will be discarded?
I see smtp code has "reject" while sieve has "discard". So I am asking this question.

Thank you.
[pfx] Re: REJECT sending mails to no-reply accounts
Ralph Seichter via Postfix-users:
> * Ansgar Wiechers via Postfix-users:
>
> > [...]
>
> Did I ever send mail to you using the mailing list address you got
> barred from targeting, or send mail to you at all from my servers? No,
> I did not.
>
> You tried to initiate communication by sending mail to an address you
> had no reason to contact, this being a mailing list, and you were thus
> redirected to a page explaining how you could ask for permission to send
> to said protected address in case you had a legitimate reason to (which
> you don't). I have also provided an unrestricted email address so
> anybody can send mail to in order to ask for clearance for the protected
> address, something which you didn't do.
>
> All this is nothing like using a no-reply address, which is easy enough
> to understand. TL;DR: Apples and oranges.
>
> > Guess what just happened to horus-it.com on my mail server.
>
> Go on, guess if I care. :-)

No, don't. Please take this off-list.

Wietse
[pfx] Re: REJECT sending mails to no-reply accounts
* Ansgar Wiechers via Postfix-users:

> [...]

Did I ever send mail to you using the mailing list address you got barred from targeting, or send mail to you at all from my servers? No, I did not.

You tried to initiate communication by sending mail to an address you had no reason to contact, this being a mailing list, and you were thus redirected to a page explaining how you could ask for permission to send to said protected address in case you had a legitimate reason to (which you don't). I have also provided an unrestricted email address so anybody can send mail to in order to ask for clearance for the protected address, something which you didn't do.

All this is nothing like using a no-reply address, which is easy enough to understand. TL;DR: Apples and oranges.

> Guess what just happened to horus-it.com on my mail server.

Go on, guess if I care. :-)

-Ralph
[pfx] Re: REJECT sending mails to no-reply accounts
It appears that Peter via Postfix-users said:
>On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>> Hi
>>
>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>
>There is no such thing as a no-reply email, there is no part of the
>email specification that allows a message to be marked as unable to be
>replied to.

You might want to take a look at RFCs 7504 and 7505.

I do agree that sending mail you can't reply to is rude, regardless of the technical details.

R's,
John
[pfx] Re: SASL_README correction
Rob Sterenborg (Lists) via Postfix-users:
> Hi,
>
> I was reading the SASL_README, "The ldapdb plugin" at:
>
> https://www.postfix.org/SASL_README.html#auxprop_ldapdb
>
> [quote]
> Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the
> LDAP database directly, with appropriate configuration in
> saslauthd.conf, as described here. [...snip...]
> [/quote]
>
> The link for "as described here" points to:
>
> http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD
>
> Which returns a "No page found" message.
>
> I guess it is currently hosted at:
>
> https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

Confirmed, your link matches the archived content in the wayback machine at
https://web.archive.org/web/20140301224448/http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

It's a bit dated, but that is what we have.

I have updated the link in Postfix documentation. It will show up on the website in an hour or so.

Wietse
[pfx] Re: REJECT sending mails to no-reply accounts
On 2024-06-19 Ralph Seichter via Postfix-users wrote:
> * Bjoern Franke via Postfix-users:
>
> > From: Ralph Seichter via Postfix-users
> > Reply-To: Ralph Seichter
>
> Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of
> using "nore...@foo.bar" type addresses remains unchanged, however. If
> sender A sends mail to recipient B, A needs to be prepared to receive a
> response from B. Proper email communication is not a hit-and-run.

Umm... yeah. Let's see ...

| : host ra.horus-it.com[65.108.3.114] said: 451 4.7.1
| Policy violation; see https://www.horus-it.com/policy3/?S=5 (in reply to
| end of DATA command)

Quoting from that page:

| What does it mean?
|
| The owner of address name@example.domain has decided to only accept
| correspondence from a list of known contacts, which is usually done to
| counter address harvesting, and your sender address was rejected
| because it is not a member of said list.
|
| How can I register as a contact?
|
| If you have a legitimate reason to send email to this particular
| recipient address, please write to postmaster@example.domain first.
| State the full sender and recipient addresses, and explain why you
| require clearance. If the recipient agrees to accept your request, you
| will usually receive a notification within two working days.

Oh, well. Guess what just happened to horus-it.com on my mail server.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
[pfx] Re: REJECT sending mails to no-reply accounts
* Bjoern Franke via Postfix-users:

> From: Ralph Seichter via Postfix-users
> Reply-To: Ralph Seichter

Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of using "nore...@foo.bar" type addresses remains unchanged, however. If sender A sends mail to recipient B, A needs to be prepared to receive a response from B. Proper email communication is not a hit-and-run.

-Ralph
[pfx] Re: REJECT sending mails to no-reply accounts
Gary R. Schmidt via Postfix-users:
[reply-to header]
> He didn't do it - it's being added by Mailman. Whether by default or
> deliberately I do not know.

This is damage control for DMARC. The mailing list address goes in the From: header, and the poster's email address goes in Reply-To: so that list members can still choose between replying to the poster or to the list.

Wietse
[pfx] SASL_README correction
Hi,

I was reading the SASL_README, "The ldapdb plugin" at:

https://www.postfix.org/SASL_README.html#auxprop_ldapdb

[quote]
Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the LDAP database directly, with appropriate configuration in saslauthd.conf, as described here. [...snip...]
[/quote]

The link for "as described here" points to:

http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

Which returns a "No page found" message.

I guess it is currently hosted at:

https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

--
Rob
[pfx] Re: Best practices?
Mornin'

    # Error reporting
    error_notice_recipient = postmaster@email.broker
    #https://www.postfix.org/postconf.5.html#error_notice_recipient
    notify_classes = bounce, delay, policy, protocol, resource, software
    #https://www.postfix.org/postconf.5.html#notify_classes

The above will insure many errors are reported directly to the postmaster's inbox. The default is to only notify of resource and software class errors, I have also included the bounce, delay, policy, and protocol classes in my config. There are about 20-40 emails a day depending on the tenacity of the bots.

On 6/19/2024 4:27 AM, Matt Kinni via Postfix-users wrote:
> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>> smtpd_helo_restrictions =
>>     ...
>>     reject_non_fqdn_helo_hostname,
>>     ...
> I've found this to block some legitimate mails in the past from Bank of
> America, so you may want to grep your logs for "Helo command rejected:
> Host not found" just in case!
[pfx] Re: Best practices?
On 2024-06-19 Jeff Peng via Postfix-users wrote:
> On 2024-06-19 17:29, Matt Kinni via Postfix-users wrote:
>> On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
>>> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>>>> smtpd_helo_restrictions =
>>>>     ...
>>>>     reject_non_fqdn_helo_hostname,
>>>>     ...
>>> I've found this to block some legitimate mails in the past
>> Sorry, I meant "reject_unknown_helo_hostname".
>
> what's unknown_helo_hostname? does it mean it has neither A nor mx record?

From `man 5 postconf`:

| reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
| Reject the request when the HELO or EHLO hostname has no DNS A or MX record.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
[pfx] Re: Best practices?
On 2024-06-19 17:29, Matt Kinni via Postfix-users wrote:
> On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
>> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>>> smtpd_helo_restrictions =
>>>     ...
>>>     reject_non_fqdn_helo_hostname,
>>>     ...
>> I've found this to block some legitimate mails in the past
> Sorry, I meant "reject_unknown_helo_hostname".

what's unknown_helo_hostname? does it mean it has neither A nor mx record?

regards.
[pfx] Re: Best practices?
On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>> smtpd_helo_restrictions =
>>     ...
>>     reject_non_fqdn_helo_hostname,
>>     ...
> I've found this to block some legitimate mails in the past

Sorry, I meant "reject_unknown_helo_hostname". I've been using "reject_non_fqdn_helo_hostname" for years without issue.
[pfx] Re: Best practices?
On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
> smtpd_helo_restrictions =
>     ...
>     reject_non_fqdn_helo_hostname,
>     ...

I've found this to block some legitimate mails in the past from Bank of America, so you may want to grep your logs for "Helo command rejected: Host not found" just in case!
[pfx] Re: Best practices?
> On 19 Jun 2024, at 4:29 PM, Gilgongo via Postfix-users
> wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...
>
> You need to set this to "yes" if you plan to have accounts sending mail out
> through your mail server. Because that's potentially a security risk, Postfix
> doesn't set this to "yes" by default.
>
> As to smtpd_tls_security_level, you are right that (for port 25 smtp) it is
> better as "may", but the reason the default is none is that you will need to
> set up TLS certificate first, which isn't in the scope of what Postfix does.
> So that's why it sets none as the default.

It seemed to me at the time, per the thread subject, that your post was recommending best-practice settings, rather than showing Postfix default settings. If the latter, OK, but I don’t need them explained, and not all the explanations are correct.

— Viktor.
[pfx] Re: REJECT sending mails to no-reply accounts
On 19/06/2024 18:19, Bjoern Franke via Postfix-users wrote:
> Hi,
>
>> Personally, I find this type of one-way communication annoying and
>> impolite. The same goes for setting Reply-To to your personal email
>> address after asking for help on a public mailing list.
>
> Like you did yourself?
>
> From: Ralph Seichter via Postfix-users
> Reply-To: Ralph Seichter

He didn't do it - it's being added by Mailman. Whether by default or deliberately I do not know.

And I have to apologise to whoever it was I told off previously for doing it, sorry.

Cheers,
GaryB-)
[pfx] Re: REJECT sending mails to no-reply accounts
Hi,

> Personally, I find this type of one-way communication annoying and
> impolite. The same goes for setting Reply-To to your personal email
> address after asking for help on a public mailing list.

Like you did yourself?

From: Ralph Seichter via Postfix-users
Reply-To: Ralph Seichter

Regards
Bjoern
[pfx] Re: REJECT sending mails to no-reply accounts
On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
> Hi
>
> *Trying to setup email REJECT when users try to send to a no-reply email.*

There is no such thing as a no-reply email, there is no part of the email specification that allows a message to be marked as unable to be replied to. Many people think they can send a no-reply message by setting the localpart of the From: header to "no-reply" "noreply" or similar but this is not part of any official specification, nor does it prevent someone from replying to that email address.

All that is said because no-re...@example.com could be a perfectly valid email address fully capable of accepting messages, and as such you might want to re-think your policy of blocking messages to such addresses.

Note that if the mailbox is truly invalid then the receiving MX should issue an appropriate rejection which your server can then pass back to the user in the form of a DSN (bounce message).

> AFAIK, this should be configured on smtpd_recipient_restrictions using
> check_recipient_access. Please, let me know if I'm wrong.

Yes that can be used to reject messages to recipients that match a certain pattern in the recipient's address, one such pattern being any address with a local part of "noreply".

> It's not working, so maybe it's because I don't know if rules are applied
> on first match or combined (ie: if a reject is found, is immediately
> rejected or it might be permitted by another rule).

Rules are checked in the order they are encountered with the first permit or reject stopping the checks of that particular restrictions.

> This is /approximately/ my configuration:
>
> smtpd_recipient_restrictions =
>     check_recipient_access ldap:ext2int, #allows any ldap account

If this returns OK or permit then the following rule will not be checked.

>     check_recipient_access hash:/etc/postfix/no-reply_reject, #reject no-reply

What this does will depend on the content of /etc/postfix/no-reply_reject (which you did not show).

>     reject_authenticated_sender_login_mismatch,
>     permit_sasl_authenticated,

This will stop processing if the user is authenticated and permit the message.

>     reject_unauth_destination,

This rule is redundant, because it can only either reject or fall down to the next rule

>     reject

...which will always reject, so the last two rules will always reject regardless.

Peter
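The first-match evaluation described in the reply above, as an added Python model of the posted restriction list (not Postfix code and not written by any list member). The table contents, the addresses and the `Session` fields are constructed, and the model assumes the LDAP map answers OK for the no-reply mailbox.

```python
from dataclasses import dataclass

OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed table contents; the thread does not show the real ones.
# Assumption: the LDAP map answers OK for the no-reply mailbox too.
LDAP_EXT2INT = {"alice@domain.tld": OK, "do-not-reply@domain.tld": OK}
NO_REPLY_REJECT = {"do-not-reply@domain.tld": REJECT}


@dataclass
class Session:
    recipient: str
    sasl_authenticated: bool = False
    sender_matches_login: bool = True
    destination_is_ours: bool = True


def check_recipient_access(table):
    # A lookup miss is DUNNO, so evaluation moves on to the next rule.
    return lambda s: table.get(s.recipient, DUNNO)


def reject_authenticated_sender_login_mismatch(s):
    return REJECT if s.sasl_authenticated and not s.sender_matches_login else DUNNO


def permit_sasl_authenticated(s):
    return OK if s.sasl_authenticated else DUNNO


def reject_unauth_destination(s):
    return DUNNO if s.destination_is_ours else REJECT


def reject(s):
    return REJECT


AS_POSTED = [
    ("check_recipient_access ldap:ext2int", check_recipient_access(LDAP_EXT2INT)),
    ("check_recipient_access hash:/etc/postfix/no-reply_reject",
     check_recipient_access(NO_REPLY_REJECT)),
    ("reject_authenticated_sender_login_mismatch",
     reject_authenticated_sender_login_mismatch),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_unauth_destination", reject_unauth_destination),
    ("reject", reject),
]
# Same rules, with the no-reply table consulted before anything can permit.
REORDERED = [AS_POSTED[1], AS_POSTED[0]] + AS_POSTED[2:]


def evaluate(restrictions, session):
    """Walk the list in order; the first OK or REJECT ends the evaluation."""
    for name, rule in restrictions:
        result = rule(session)
        if result != DUNNO:
            return result, name
    return DUNNO, None


if __name__ == "__main__":
    user = Session("do-not-reply@domain.tld", sasl_authenticated=True)
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, "->", evaluate(rules, user))
```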
[pfx] Re: REJECT sending mails to no-reply accounts
* Tan Mientras via Postfix-users:

> Trying to setup email REJECT when users try to send to a no-reply
> email.

Personally, I find this type of one-way communication annoying and impolite. The same goes for setting Reply-To to your personal email address after asking for help on a public mailing list.

-Ralph
[pfx] REJECT sending mails to no-reply accounts
Hi

*Trying to setup email REJECT when users try to send to a no-reply email.*

AFAIK, this should be configured on smtpd_recipient_restrictions using check_recipient_access. Please, let me know if I'm wrong.

It's not working, so maybe it's because I don't know if rules are applied on first match or combined (ie: if a reject is found, is immediately rejected or it might be permitted by another rule).

This is *approximately* my configuration:

    smtpd_recipient_restrictions =
        check_recipient_access ldap:ext2int, #allows any ldap account
        check_recipient_access hash:/etc/postfix/no-reply_reject, #reject no-reply
        reject_authenticated_sender_login_mismatch,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject

Thanks
[pfx] Re: Best practices?
On Wed, 19 Jun 2024 at 03:57, Viktor Dukhovni via Postfix-users <postfix-users@postfix.org> wrote:

> On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users
> wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...

You need to set this to "yes" if you plan to have accounts sending mail out through your mail server. Because that's potentially a security risk, Postfix doesn't set this to "yes" by default.

As to smtpd_tls_security_level, you are right that (for port 25 smtp) it is better as "may", but the reason the default is none is that you will need to set up TLS certificate first, which isn't in the scope of what Postfix does. So that's why it sets none as the default.