[pfx] Re: discard message

2024-06-21 Thread Matus UHLAR - fantomas via Postfix-users

On 20.06.24 22:00, Benny Pedersen via Postfix-users wrote:
> header checks in postfix is done before content filters, so you would
> love to reject spam on base of remote spammers own classification ? :)

that's why we have milter_header_checks - they work after milter.

> same reason that spamassassin also remove senders X-Spam-* so it only
> is local added results

you can do this by using header_checks

> best is to use a milter to reject spam, such as rspamd or
> amavisd-milter, no forged header checks then

On 21.06.24 06:19, Jeff Peng via Postfix-users wrote:
> i know rspamd is a milter, but spamassassin not working as milter?

spamass-milter can already REJECT the mail that scores too much.
It can't discard them though.

amavisd-milter can do either.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: question for a directive in master.cf

2024-06-21 Thread Jeff Peng via Postfix-users




> If you want to enable them, you have to uncomment ALL lines for
> submission service to work correctly.

That's a good idea. Thanks Rafa.


[pfx] Re: question for a directive in master.cf

2024-06-21 Thread Jaroslaw Rafa via Postfix-users
On 21.06.2024 at 07:54:40, Jeff Peng via Postfix-users wrote:
> for these options for submission in master.cf:
> 
> submission inet n   -   y   -   -   smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=
> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> 
> Since "-o smtpd_sasl_auth_enable=yes" specify smtpd_sasl_auth_enable
> default enabled. Why I have to uncomment it out to make it become
> alive?

These commented out directives in master.cf are NOT defaults.
They are commented out because by default, submission services are NOT
enabled at all.
If you want to enable them, you have to uncomment ALL lines for submission
service to work correctly.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: SPF hostname and domainname

2024-06-21 Thread Jaroslaw Rafa via Postfix-users
On 21.06.2024 at 18:45:15, Peter via Postfix-users wrote:
> SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your
> mail to be accepted:
> 
> 1.  HELO banner should pass SPF.
> 
> 2.  Envelope Sender should pass SPF.
> 
> 3.  Envelope Sender domain should align with the From: header domain.
> 
> 4.  Message should be DKIM signed.
> 
> 5.  Domain for the DKIM signature should align with the From: header domain.

Maybe it's obvious, but if it's meant to be a checklist, you should add
FCrDNS to that, and probably as the very first point.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: question for a directive in master.cf

2024-06-21 Thread Jeff Peng via Postfix-users





> The default value is "no", as expected.
>
> $ postconf -d smtpd_sasl_auth_enable
> smtpd_sasl_auth_enable = no
>
> Best practice is to enable SASL auth only on the submission ports and
> NOT on port 25.


I have changed the setting for submission to:

submission inet n   -   y   -   -   smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

Thanks Victor.

regards.
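
An added example, not part of the original post and not Postfix's own code: a small parser that lists the "-o" overrides actually in effect in a master.cf stanza (commented lines do nothing) and flags SASL auth that is enabled on port 25 or without a TLS requirement. It assumes main.cf leaves the SASL and TLS parameters at their defaults and handles only the "-o name=value" form; the port-25 sample is constructed.

```python
# Added example. ASSUMPTIONS: main.cf leaves smtpd_sasl_auth_enable and the
# TLS parameters at their built-in defaults, and overrides use "-o name=value".

# Stanza from the original question: only the SASL override is active.
BEFORE = """\
submission inet n   -   y   -   -   smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
"""

# Stanza the poster ended up with.
AFTER = """\
submission inet n   -   y   -   -   smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# Constructed sample: SASL switched on for the port-25 service.
PORT25 = """\
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""

NO_TLS = "SASL auth offered without a TLS requirement"
ON_PORT25 = "SASL auth enabled on the port 25 service"


def logical_lines(text):
    """Join continuation lines; skip blank lines and comments."""
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a comment is ignored even in the middle of an entry
        if raw[0].isspace():
            if current is not None:
                current += " " + stripped
        else:
            if current is not None:
                yield current
            current = stripped
    if current is not None:
        yield current


def parse_services(text):
    """Return {service: {"command": str, "overrides": {name: value}}}."""
    services = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        name, command, args = fields[0], fields[7], fields[8:]
        overrides = {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and "=" in setting:
                key, value = setting.split("=", 1)
                overrides[key] = value
        services[name] = {"command": command, "overrides": overrides}
    return services


def audit(text, main_cf_sasl="no"):
    """Return (service, finding) pairs for smtpd services that offer SASL."""
    findings = []
    for name, svc in parse_services(text).items():
        if svc["command"] != "smtpd":
            continue
        o = svc["overrides"]
        if o.get("smtpd_sasl_auth_enable", main_cf_sasl) != "yes":
            continue
        if name.rsplit(":", 1)[-1] in ("smtp", "25"):
            findings.append((name, ON_PORT25))
        tls_required = (o.get("smtpd_tls_security_level") == "encrypt"
                        or o.get("smtpd_tls_auth_only") == "yes")
        if not tls_required:
            findings.append((name, NO_TLS))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER), ("port25", PORT25)):
        print(label, audit(sample) or "no findings")
```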


[pfx] Re: SPF hostname and domainname

2024-06-21 Thread Benny Pedersen via Postfix-users

Peter via Postfix-users wrote on 2024-06-21 08:45:

> On 21/06/24 07:13, Wietse Venema via Postfix-users wrote:
>
> SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your mail
> to be accepted:
>
> 1.  HELO banner should pass SPF.
>
> 2.  Envelope Sender should pass SPF.
>
> 3.  Envelope Sender domain should align with the From: header domain.
>
> 4.  Message should be DKIM signed.
>
> 5.  Domain for the DKIM signature should align with the From: header
> domain.
>
> Not all of the above are necessary (e.g. you can get away with SPF
> alignment only or DKIM alignment only) but the more of those boxes that
> you can successfully tick off the better chance you have for your
> message to be accepted when things go wrong, or when a destination
> doesn't implement one of the above checks properly.

3 would not be possible when recipient forwards to another mta, basically
why maillist all breaks dkim, some says spf breaks mailforwards, nothing
could be more fails, since nexthop gives new envelope sender, which will
not align with header from:

stop breaking dkim, let maillist be unaligned, and direct mail be
aligned pass

sadly maybe sys4.de knows better, but cloud9 was perfect not breaking
dkim





[pfx] Re: SPF hostname and domainname

2024-06-21 Thread Peter via Postfix-users

On 21/06/24 07:13, Wietse Venema via Postfix-users wrote:

> Bounces are sent with the null envelope.from address which has no
> domain. Therefore, SPF applies policy to a surrogate: the hostname
> in the SMTP client's HELO/EHLO command (as if the envelope.from
> address was postmaster@helo-argument).
>
> This helo-argument is by default the value of the Postfix myhostname
> parameter, which depending on myorigin setting may appear in the
> header.from address mailer-daemon@whatever.
>
> DMARC wants that the domain in envelope.from address (or its surrogate
> in the case of <>) in some way align with the domain in the header.from
> address (in this case mailer-daemon@whatever).
>
> If someone can come up with a simple checklist for how to do this
> then that would be great.


SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your mail 
to be accepted:


1.  HELO banner should pass SPF.

2.  Envelope Sender should pass SPF.

3.  Envelope Sender domain should align with the From: header domain.

4.  Message should be DKIM signed.

5.  Domain for the DKIM signature should align with the From: header domain.

Not all of the above are necessary (e.g. you can get away with SPF 
alignment only or DKIM alignment only) but the more of those boxes that 
you can successfully tick off the better chance you have for your message 
to be accepted when things go wrong, or when a destination doesn't 
implement one of the above checks properly.



Peter
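
An added example, not part of the original post: the five checklist items evaluated for a message, including the null-sender case where the HELO name stands in for the envelope sender, and the resulting DMARC outcome (aligned SPF pass or aligned DKIM pass). SPF and DKIM verdicts are supplied as inputs, the sample messages are constructed, and relaxed alignment uses a naive "last two labels" organizational domain, which is an assumption; real implementations consult the Public Suffix List.

```python
from dataclasses import dataclass


def org_domain(domain):
    """Naive organizational domain: last two labels (ASSUMPTION, no PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(a, b, strict=False):
    """Strict alignment needs identical domains; relaxed compares org domains."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def domain_of(address):
    return address.rsplit("@", 1)[1] if "@" in address else ""


@dataclass
class Message:
    helo: str             # HELO/EHLO argument (Postfix default: myhostname)
    mail_from: str        # envelope sender, "" for the null sender <>
    header_from: str      # address in the From: header
    helo_spf: str         # SPF result for the HELO identity (input)
    mailfrom_spf: str     # SPF result for the MAIL FROM identity (input)
    dkim_domains: tuple   # d= domains of signatures that verified (input)


def spf_identity(msg):
    """Domain and result SPF contributes to DMARC: MAIL FROM, or HELO for <>."""
    if msg.mail_from == "":
        return msg.helo, msg.helo_spf
    return domain_of(msg.mail_from), msg.mailfrom_spf


def checklist(msg, strict=False):
    from_dom = domain_of(msg.header_from)
    spf_dom, spf_result = spf_identity(msg)
    boxes = {
        "helo_spf": msg.helo_spf == "pass",                 # item 1
        "sender_spf": spf_result == "pass",                 # item 2
        "spf_aligned": aligned(spf_dom, from_dom, strict),  # item 3
        "dkim_signed": bool(msg.dkim_domains),              # item 4
        "dkim_aligned": any(aligned(d, from_dom, strict)    # item 5
                            for d in msg.dkim_domains),
    }
    boxes["dmarc_pass"] = ((boxes["sender_spf"] and boxes["spf_aligned"])
                           or boxes["dkim_aligned"])
    return boxes


# Constructed sample messages (reserved example domains).
DIRECT = Message("mail01.example.com", "alice@example.com",
                 "alice@example.com", "pass", "pass", ("example.com",))
# Bounce: null sender, From: built from myhostname, no DKIM signature.
BOUNCE = Message("mail01.example.com", "",
                 "MAILER-DAEMON@mail01.example.com", "pass", "none", ())
# Forwarded: new envelope sender at the forwarder, original DKIM intact.
FORWARDED = Message("mx.example.net", "forward@example.net",
                    "alice@example.com", "pass", "pass", ("example.com",))
# Same forward, but the signature no longer verifies.
FORWARDED_DKIM_BROKEN = Message("mx.example.net", "forward@example.net",
                                "alice@example.com", "pass", "pass", ())

if __name__ == "__main__":
    for name in ("DIRECT", "BOUNCE", "FORWARDED", "FORWARDED_DKIM_BROKEN"):
        print(name, checklist(globals()[name]))
```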


[pfx] Re: question for a directive in master.cf

2024-06-20 Thread Viktor Dukhovni via Postfix-users
On Fri, Jun 21, 2024 at 07:54:40AM +0800, Jeff Peng via Postfix-users wrote:
> Hello
> 
> for these options for submission in master.cf:
> 
> submission inet n   -   y   -   -   smtpd
> #  -o syslog_name=postfix/submission
> #  -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_tls_auth_only=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=
> #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> 
> Since "-o smtpd_sasl_auth_enable=yes" specify smtpd_sasl_auth_enable default
> enabled. Why I have to uncomment it out to make it become alive?

The default value is "no", as expected.

$ postconf -d smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = no

Best practice is to enable SASL auth only on the submission ports and
NOT on port 25.

-- 
Viktor.


[pfx] question for a directive in master.cf

2024-06-20 Thread Jeff Peng via Postfix-users

Hello

for these options for submission in master.cf:

submission inet n   -   y   -   -   smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Since "-o smtpd_sasl_auth_enable=yes" specify smtpd_sasl_auth_enable 
default enabled. Why I have to uncomment it out to make it become alive?


Thanks.


[pfx] Re: discard message

2024-06-20 Thread Bill Cole via Postfix-users
On 2024-06-20 at 15:59:25 UTC-0400 (Thu, 20 Jun 2024 15:59:25 -0400 (EDT))
Wietse Venema via Postfix-users
is rumored to have said:

> If you use some Milter like rspamd then you need milter_header_checks.

You could do that, but if a milter is handling the filter it can just 
tell postfix to reject or discard it.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Emmanuel Fusté via Postfix-users

On 21/06/2024 at 00:13, John Levine wrote:

> It appears that Emmanuel Fusté via Postfix-users said:
>> In the general case (not null sender), HELO SPF validation does not
>> interfere with DMARC as DMARC only use the MAIL FROM identity.
>> There was historically a bug in some DMARC implementation which evaluate
>> whatever SPF identity check that pass.
>
> That's not a bug, that's how it's supposed to work, SPF uses the HELO
> if the return path is null. See section 2.4 of RFC 7208 and 4.1 of RFC
> 7489.
>
> We're nearly done with some updates to the DMARC spec and that is not
> changing.

Ok I'm not a native english but please reread what I wrote. That is 
exactly what I said.

The bug was in the general case IE when the return path is not null.

Emmanuel.


[pfx] Re: discard message

2024-06-20 Thread Jeff Peng via Postfix-users





> best is to use a milter to reject spam, such as rspamd or
> amavisd-milter, no forged header checks then

i know rspamd is a milter, but spamassassin not working as milter?
thanks.


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread John Levine via Postfix-users
It appears that Emmanuel Fusté via Postfix-users said:
>In the general case (not null sender), HELO SPF validation does not 
>interfere with DMARC as DMARC only use the MAIL FROM identity.
>There was historically a bug in some DMARC implementation which evaluate 
>whatever SPF identity check that pass.

That's not a bug, that's how it's supposed to work, SPF uses the HELO
if the return path is null. See section 2.4 of RFC 7208 and 4.1 of RFC
7489.

We're nearly done with some updates to the DMARC spec and that is not
changing.

R's,
John


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Bastian Blank via Postfix-users
On Thu, Jun 20, 2024 at 01:02:36PM -0400, postfix--- via Postfix-users wrote:
> > Then you can not use this e-mail address as envelope sender.  People
> > will do sender callout and then reject all e-mail with this as sender.
> An option is to have noreply@ delivered to /dev/null. It's valid and a trash 
> can.

No, you need to handle bounces and those are sent to the envelope
sender.

Bastian

-- 
War is never imperative.
-- McCoy, "Balance of Terror", stardate 1709.2


[pfx] Re: discard message

2024-06-20 Thread Benny Pedersen via Postfix-users

Paul Schmehl via Postfix-users wrote on 2024-06-20 21:28:

> If it’s header_checks, I would probably use something like
> /^X-Spam-Status: Yes, score=[5-100[/ to catch everything above five.

header checks in postfix is done before content filters, so you would 
love to reject spam on base of remote spammers own classification ? :)

same reason that spamassassin also remove senders X-Spam-* so it only is 
local added results

best is to use a milter to reject spam, such as rspamd or 
amavisd-milter, no forged header checks then




[pfx] Re: discard message

2024-06-20 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 20, 2024, at 7:17 AM, Wietse Venema via Postfix-users wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> Is there a place in postfix where I could discard mail if it has
> >> a spam score higher than say 4 or 5? I know that postfix hands the
> >> mail off to spamassassin for processing and then receives it back
> >> for delivery, but I'm unclear what checks could be implemented to
> >> catch spam and discard it.
> >> 
> >> This is what I could match on: X-Spam-Status: Yes, score=2.1
> >> 
> >> If the score was higher than some number (e.g >4) than reject the mail.
> > 
> > One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
> 
> Would this be in header_checks? I confess, I'm not clear on how
> mail is handled after spamassassin returns it to Postfix. Does it
> go all the way through the process again, beginning with header_checks?

That depends. 

If you use the "content_filter" feature then header_checks should do it.

If you use some Milter like rspamd then you need milter_header_checks.

> If it's header_checks, I would probably use something like /^X-Spam-Status: 
> Yes, score=[5-100[/ to catch everything above five.

No. It's a regular expression, it does not compute that 5 is less than 100.
Use a pattern from Viktor's post.

Wietse


[pfx] Re: discard message

2024-06-20 Thread Noel Jones via Postfix-users

On 6/20/2024 2:28 PM, Paul Schmehl via Postfix-users wrote:
>> On Jun 20, 2024, at 7:17 AM, Wietse Venema via Postfix-users wrote:
>>
>> Paul Schmehl via Postfix-users:
>>> Is there a place in postfix where I could discard mail if it has
>>> a spam score higher than say 4 or 5? I know that postfix hands the
>>> mail off to spamassassin for processing and then receives it back
>>> for delivery, but I'm unclear what checks could be implemented to
>>> catch spam and discard it.
>>>
>>> This is what I could match on: X-Spam-Status: Yes, score=2.1
>>>
>>> If the score was higher than some number (e.g >4) than reject the
>>> mail.
>>
>> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
>
> Would this be in header_checks? I confess, I’m not clear on how mail
> is handled after spamassassin returns it to Postfix. Does it go all
> the way through the process again, beginning with header_checks?
>
> If it’s header_checks, I would probably use something like
> /^X-Spam-Status: Yes, score=[5-100[/ to catch everything above five.
>
> Paul Schmehl
> paul.schm...@gmail.com



Yeah, been there, done that.

Please resist the urge to discard mail that scores above some 
amount. The way Spamassassin works, a higher score does not 
necessarily indicate "more" spamminess.


Spamassassin has a non-zero error rate, and if a wanted mail is 
discarded, neither you nor the sender will ever know, nor will you 
have much in the way of evidence to adjust future scores. I can 
guarantee this will cause you a problem at some point.


The safe choices are limited.

If you use a pre-queue filter such as a milter, you can safely 
reject the mail. Legit senders will be notified their mail wasn't 
delivered and can take action.


If you use a post-queue filter such as your spamd script, it's too 
late to reject.  You can mark the mail and deliver it, or send it to 
a quarantine.


I know it can seem very satisfying to discard mail, but DISCARD 
should be reserved for very narrow use cases, such as a former lover 
or a very persistent spammer.



  -- Noel Jones


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Emmanuel Fusté via Postfix-users

On 20/06/2024 at 21:13, Wietse Venema via Postfix-users wrote:

> Bounces are sent with the null envelope.from address which has no
> domain. Therefore, SPF applies policy to a surrogate: the hostname
> in the SMTP client's HELO/EHLO command (as if the envelope.from
> address was postmaster@helo-argument).
>
> This helo-argument is by default the value of the Postfix myhostname
> parameter, which depending on myorigin setting may appear in the
> header.from address mailer-daemon@whatever.
>
> DMARC wants that the domain in envelope.from address (or its surrogate
> in the case of <>) in some way align with the domain in the header.from
> address (in this case mailer-daemon@whatever).
>
> If someone can come up with a simple checklist for how to do this
> then that would be great.

The HELO identity is used too in the general case to enforce HELO fqdn 
value matching the DNS published A record of the outbound server IP.

You generally want "v=spf1 a: -all" for your sending server.

In the general case (not null sender), HELO SPF validation does not 
interfere with DMARC as DMARC only use the MAIL FROM identity.
There was historically a bug in some DMARC implementation which evaluate 
whatever SPF identity check that pass.


Emmanuel.


[pfx] Re: discard message

2024-06-20 Thread Paul Schmehl via Postfix-users
> On Jun 20, 2024, at 7:17 AM, Wietse Venema via Postfix-users 
>  wrote:
> 
> Paul Schmehl via Postfix-users:
>> Is there a place in postfix where I could discard mail if it has
>> a spam score higher than say 4 or 5? I know that postfix hands the
>> mail off to spamassassin for processing and then receives it back
>> for delivery, but I'm unclear what checks could be implemented to
>> catch spam and discard it.
>> 
>> This is what I could match on: X-Spam-Status: Yes, score=2.1
>> 
>> If the score was higher than some number (e.g >4) than reject the mail.
> 
> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/

Would this be in header_checks? I confess, I’m not clear on how mail is handled 
after spamassassin returns it to Postfix. Does it go all the way through the 
process again, beginning with header_checks?

If it’s header_checks, I would probably use something like /^X-Spam-Status: 
Yes, score=[5-100[/ to catch everything above five.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Wietse Venema via Postfix-users
Bounces are sent with the null envelope.from address which has no
domain. Therefore, SPF applies policy to a surrogate: the hostname
in the SMTP client's HELO/EHLO command (as if the envelope.from
address was postmaster@helo-argument).

This helo-argument is by default the value of the Postfix myhostname
parameter, which depending on myorigin setting may appear in the
header.from address mailer-daemon@whatever.

DMARC wants that the domain in envelope.from address (or its surrogate
in the case of <>) in some way align with the domain in the header.from
address (in this case mailer-daemon@whatever).

If someone can come up with a simple checklist for how to do this
then that would be great.

Wietse


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread postfix--- via Postfix-users

>> So there's a confusion between the hostname of the mailer and the
>> domain to be used for the SPF check. Is anybody else seeing this ?
>
> Yes, I had to recently add an "a:" record to an SPF (for the sending hostname)
> as I was seeing some of these I think.

I'm confused by the language being used.

Isn't that the whole point of SPF records? To authorize the IP of the sending 
server? So by default shouldn't there already be an A record for the hostname 
of the sending server? And shouldn't there already be either that server's 
hostname or IP (or MX) in the SPF record? Otherwise what's in your SPF record 
if not those things?

I understand why there is potential confusion between hostname and domain. SPF 
says for this sending-address domain, these servers (identified by Hostname/IP) 
are authorized.

And while I'm at it, why are some admins insistent on having the HELO be 
something other than the hostname?


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Gilgongo via Postfix-users
On Thu, 20 Jun 2024, 2:01 pm Emmanuel Seyman via Postfix-users, <postfix-users@postfix.org> wrote:

> So there's a confusion between the hostname of the mailer and the
> domain to be used for the SPF check. Is anybody else seeing this ?

Yes, I had to recently add an "a:" record to an SPF (for the sending
hostname) as I was seeing some of these I think.


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread postfix--- via Postfix-users

>> Is an automated/unattended email notifying the user about something,
>> providing proper ways of contacting. As this email is not read in any way,
>> rejecting the mail would be a better way to handle than an automatic
>> response. IMHO.
>
> Then you can not use this e-mail address as envelope sender.  People
> will do sender callout and then reject all e-mail with this as sender.

An option is to have noreply@ delivered to /dev/null. It's valid and a trash 
can.



[pfx] Re: discard message

2024-06-20 Thread Varadi Gabor via Postfix-users

On 2024. 06. 20. at 14:33, Michael Grimm via Postfix-users wrote:
> Wietse Venema via Postfix-users wrote:
>> Paul Schmehl via Postfix-users:
>>> This is what I could match on: X-Spam-Status: Yes, score=2.1
>>>
>>> If the score was higher than some number (e.g >4) than reject the mail.
>>
>> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
>
> Please correct me if I am mistaken, but that won't catch scores >= 10?

/^X-Spam-Status: Yes, score=[1-9][0-9]/

--
  [Varadi Gabor]



[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Jaroslaw Rafa via Postfix-users
On 20.06.2024 at 09:08:39, Bastian Blank via Postfix-users wrote:
> Then you can not use this e-mail address as envelope sender.  People
> will do sender callout and then reject all e-mail with this as sender.

Sender callout is discouraged now, because it is considered aggressive
behavior by most mail providers, and if you routinely do sender callout, you
may end up being blacklisted and having trouble when sending email yourself.

I personally don't agree with this, but this is the position most mail
server operators are taking now.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Jaroslaw Rafa via Postfix-users
On 20.06.2024 at 08:51:33, Alexander Leidinger via Postfix-users wrote:
> 
> This implies that the organization / company is willing to spend
> money on having someone available to actually respond / provide
> support. For a lot of the use cases I would say even a mail to
> ticket system gateway is out of the willingness to spend money on.
> So any technical solution you can propose here, will be way out of
> the area of interest of those people which will make those
> decisions.

They should not be *sending* any mail then. Simple enough?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Ralph Seichter via Postfix-users
* Tan Mientras via Postfix-users:

> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting.

"Proper" is for the recipients of your messages to be able to use the
reply function in their MUA, to ask for clarification/assistance in
regards to the message you sent to them.

> As this email is not read in any way, rejecting the mail would be a
> better way to handle than an automatic response. IMHO.

The better way, as you put it, would be a process where there is not
merely an automatic response, but having replies read/answered by
somebody in your organisation. Ticket tracking systems can be used if
scaling is an issue. In my opinion, rejecting replies to email
communication your organisation initiated shows similarities to a
drive-by-shooting, in the broad sense that your organisation hopes to
"get the message out" but avoid the consequences of their actions. This
is of course a dramatic comparison, not to be taken literally.

-Ralph


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Bill Cole via Postfix-users

On 2024-06-20 at 09:00:35 UTC-0400 (Thu, 20 Jun 2024 15:00:35 +0200)
Emmanuel Seyman via Postfix-users
is rumored to have said:

> Hello, all.
>
> Since yesterday, I've started seeing email from my servers getting
> rejected due to SPF problems.
>
> 550 5.7.23 : Sender address rejected: Message
> rejected due to: SPF fail - not authorized. Please see
> http://spf.libraesva.com/Why?s=helo;id=mail01.my-company.com;ip=192.168.52.130;r=dounia.someth...@client.com
> (in reply to RCPT TO command))
>
> That page states:
> dounia.someth...@client.com received a message from
> mail01.my-company.com (192.168.52.130) that claimed to be
> mail01.my-company.com.
> However, the domain mail01.my-company.com has declared using SPF that
> it does not send mail through mail01.my-company.com (192.168.52.130).
>
> That is why the message was rejected.
>
> So there's a confusion between the hostname of the mailer and the
> domain to be used for the SPF check. Is anybody else seeing this ?


Seeing WHAT?

You've obfuscated all details to the point that it is impossible to 
understand exactly what problem you are encountering.


My best *guess* based on how the error description is phrased is that 
the receiving side is unwisely enforcing SPF against your HELO argument. 
Doing that is deeply unwise for mail systems that want to generally 
receive legitimate email, but there are sites that do it anyway. Because 
of that, it is generally a good idea to include an 'a' directive in your 
SPF record and make sure that the IP which you appear to be coming from 
and the name you use in HELO/EHLO have simply symmetric DNS.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] SPF hostname and domainname

2024-06-20 Thread Emmanuel Seyman via Postfix-users


Hello, all.

Since yesterday, I've started seeing email from my servers getting
rejected due to SPF problems.

550 5.7.23 : Sender address rejected: Message rejected 
due to: SPF fail - not authorized. Please see 
http://spf.libraesva.com/Why?s=helo;id=mail01.my-company.com;ip=192.168.52.130;r=dounia.someth...@client.com
 (in reply to RCPT TO command))

That page states:
dounia.someth...@client.com received a message from mail01.my-company.com 
(192.168.52.130) that claimed to be mail01.my-company.com.
However, the domain mail01.my-company.com has declared using SPF that it does 
not send mail through mail01.my-company.com (192.168.52.130).
That is why the message was rejected.

So there's a confusion between the hostname of the mailer and the
domain to be used for the SPF check. Is anybody else seeing this ?

Regards,
Emmanuel


[pfx] Re: discard message

2024-06-20 Thread Michael Grimm via Postfix-users
Viktor Dukhovni via Postfix-users  wrote:
> On Thu, Jun 20, 2024 at 02:33:08PM +0200, Michael Grimm via Postfix-users 
> wrote:

>>> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
>> 
>> Please correct me if I am mistaken, but that won't catch scores >= 10?
> 
> Yes, but easily adapted.
> 
>> But I don't know how such a regex should be defined.

Thanks for the examples, highly appreciated.

Regards,
Michael


[pfx] Re: discard message

2024-06-20 Thread Viktor Dukhovni via Postfix-users
On Thu, Jun 20, 2024 at 02:33:08PM +0200, Michael Grimm via Postfix-users wrote:

> > One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
> 
> Please correct me if I am mistaken, but that won't catch scores >= 10?

Yes, but easily adapted.

> But I don't know how such a regex should be defined.

PCRE:

/^X-Spam-Status: Yes, score=(?:[5-9]|[1-9]\d)/ ...

ARE:

/^X-Spam-Status: Yes, score=([5-9]|[1-9][0-9])/ ...

Or, simpler, two tests, be it slightly less efficient:

/^X-Spam-Status: Yes, score=[5-9]/  ...
/^X-Spam-Status: Yes, score=[1-9][0-9]/  ...

-- 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
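
Added example, not part of the thread: a Python check of the header_checks patterns quoted above against constructed X-Spam-Status lines, comparing each regex verdict with a numeric "score >= 5" test. The header text after "Yes, score=N.N", the threshold of 5 and all function names are assumptions, and Python's re module stands in for Postfix's regexp/PCRE tables.

```python
import re

# Patterns from the thread. Postfix matches header_checks patterns
# case-insensitively by default and does not anchor them at the end,
# so re.IGNORECASE with re.match (start-anchored) mirrors that here.
PATTERNS = {
    "single_digit": r"^X-Spam-Status: Yes, score=[5-9]",
    "pcre": r"^X-Spam-Status: Yes, score=(?:[5-9]|[1-9]\d)",
    "regexp": r"^X-Spam-Status: Yes, score=([5-9]|[1-9][0-9])",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in PATTERNS.items()}

THRESHOLD = 5.0  # assumed policy: act on scores of 5 and above


def fires(name, header_line):
    """True if the named pattern would match this header line."""
    return COMPILED[name].match(header_line) is not None


def constructed_headers():
    """Yield (score, header) for constructed scores -20.0 .. 150.0, step 0.1."""
    for tenths in range(-200, 1501):
        score = tenths / 10
        yield score, f"X-Spam-Status: Yes, score={score:.1f} required=2.0"


def disagreements(name):
    """Scores where the regex verdict differs from the numeric comparison."""
    return [score for score, header in constructed_headers()
            if fires(name, header) != (score >= THRESHOLD)]


def summary():
    """Number of disagreeing sample lines per pattern."""
    return {name: len(disagreements(name)) for name in PATTERNS}


if __name__ == "__main__":
    for name, misses in summary().items():
        print(f"{name:13s} disagrees with 'score >= 5' on {misses} of 1701 lines")
    print("first score the single-digit pattern misses:",
          disagreements("single_digit")[0])
```

Because the patterns are unanchored at the end, the two-character alternative also covers three-digit scores, while the single-digit pattern misses 10 to 49.9 and 100 upward.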


[pfx] Re: discard message

2024-06-20 Thread Michael Grimm via Postfix-users
Wietse Venema via Postfix-users  wrote:
> Paul Schmehl via Postfix-users:

>> This is what I could match on: X-Spam-Status: Yes, score=2.1
>> 
>> If the score was higher than some number (e.g >4) then reject the mail.
> 
> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/

Please correct me if I am mistaken, but that won't catch scores >= 10?

But I don't know how such a regex should be defined.

Regards,
Michael
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: discard message

2024-06-20 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> Is there a place in postfix where I could discard mail if it has
> a spam score higher than say 4 or 5? I know that postfix hands the
> mail off to spamassassin for processing and then receives it back
> for delivery, but I'm unclear what checks could be implemented to
> catch spam and discard it.
> 
> This is what I could match on: X-Spam-Status: Yes, score=2.1
> 
> If the score was higher than some number (e.g >4) then reject the mail.

One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Matus UHLAR - fantomas via Postfix-users

>> Then you can not use this e-mail address as envelope sender.  People
>> will do sender callout and then reject all e-mail with this as sender.

On 20.06.24 11:22, Tan Mientras via Postfix-users wrote:
> Sorry. I'm lost in translation. Could you elaborate/ELI5?
>
> This address is not and will never receive/read any messages. Is an
> automated message to notify users they must change their password.


there are servers that do sender verification.

They will join your server and if you reject mail for that address, they 
will reject mail from that address.


If you want to send mail from an address, make sure that address is 
deliverable.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Tan Mientras via Postfix-users
>
> Then you can not use this e-mail address as envelope sender.  People
> will do sender callout and then reject all e-mail with this as sender.
>

Sorry. I'm lost in translation. Could you elaborate/ELI5?

This address is not and will never receive/read any messages. Is an
automated message to notify users they must change their password.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Bastian Blank via Postfix-users
On Thu, Jun 20, 2024 at 07:47:19AM +0200, Tan Mientras via Postfix-users wrote:
> @Ralph
> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting. As this email is not read in any way,
> rejecting the mail would be a better way to handle than an automatic
> response. IMHO.

Then you can not use this e-mail address as envelope sender.  People
will do sender callout and then reject all e-mail with this as sender.

Bastian

-- 
Witch!  Witch!  They'll burn ya!
-- Hag, "Tomorrow is Yesterday", stardate unknown
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Alexander Leidinger via Postfix-users

On 2024-06-20 08:21, Peter via Postfix-users wrote:
> On 20/06/24 17:47, Tan Mientras via Postfix-users wrote:
>> So many replies!
>>
>> @Ralph
>> Is an automated/unattended email notifying the user about something,
>> providing proper ways of contacting. As this email is not read in any
>> way, rejecting the mail would be a better way to handle than an
>> automatic response. IMHO.
>
> A better way would be to set the From: address to someone that will
> actually respond from your organization (e.g. info@, help@, etc).


This implies that the organization / company is willing to spend money 
on having someone available to actually respond / provide support. For a 
lot of the use cases I would say even a mail to ticket system gateway is 
out of the willingness to spend money on. So any technical solution you 
can propose here, will be way out of the area of interest of those 
people which will make those decisions.


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Peter via Postfix-users

On 20/06/24 17:47, Tan Mientras via Postfix-users wrote:

> So many replies!
>
> @Ralph
> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting. As this email is not read in any
> way, rejecting the mail would be a better way to handle than an
> automatic response. IMHO.

A better way would be to set the From: address to someone that will 
actually respond from your organization (e.g. info@, help@, etc).

> @Peter
> My /etc/postfix/no-reply_reject contains lines like:
> do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not reply to this email.


This should work unless you have ldap users that return a permit or OK 
action.



Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Tan Mientras via Postfix-users
Got some news!

When sending emails from my domain (to my domain), rejection IS applied
(and message displayed to the client MUA)

When sending emails from Office365, rejection is shown in the logs, but
message is considered sent for the client (no message)

Is this meaningful for you?


On Thu, Jun 20, 2024 at 7:47 AM Tan Mientras  wrote:

> So many replies!
>
> @Ralph
> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting. As this email is not read in any way,
> rejecting the mail would be a better way to handle than an automatic
> response. IMHO.
>
> @Peter
> My /etc/postfix/no-reply_reject contains lines like:
> do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not reply to this email.
>
> Regards
>
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Tan Mientras via Postfix-users
So many replies!

@Ralph
Is an automated/unattended email notifying the user about something,
providing proper ways of contacting. As this email is not read in any way,
rejecting the mail would be a better way to handle than an automatic
response. IMHO.

@Peter
My /etc/postfix/no-reply_reject contains lines like:
do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not reply to this email.

Regards
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: discard message

2024-06-19 Thread Paul Schmehl via Postfix-users
> On Jun 19, 2024, at 7:13 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> postfix--- via Postfix-users:
>>> does smtp have an action "discard"? if so where messages will be discarded?
>>> I see smtp code has "reject" while sieve has "discard". So I am asking this 
>>> question.
>> 
>> http://www.postfix.org/header_checks.5.html
>> There is a DISCARD action.
> 
> Also in http://www.postfix.org/access.5.html

This discussion raises a question for me. I use spamassassin: in master.cf:
spamassassin unix -  n   n   -   -  pipe
  user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Is there a place in postfix where I could discard mail if it has a spam score 
higher than say 4 or 5? I know that postfix hands the mail off to spamassassin 
for processing and then receives it back for delivery, but I’m unclear what 
checks could be implemented to catch spam and discard it.

This is what I could match on: X-Spam-Status: Yes, score=2.1

If the score was higher than some number (e.g >4) then reject the mail.

Paul Schmehl
paul.schm...@gmail.com
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: discard message

2024-06-19 Thread Wietse Venema via Postfix-users
postfix--- via Postfix-users:
> > does smtp have an action "discard"? if so where messages will be discarded?
> > I see smtp code has "reject" while sieve has "discard". So I am asking this 
> > question.
> 
> http://www.postfix.org/header_checks.5.html
> There is a DISCARD action.

Also in http://www.postfix.org/access.5.html

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: discard message

2024-06-19 Thread postfix--- via Postfix-users

> does smtp have an action "discard"? if so where messages will be discarded?
> I see smtp code has "reject" while sieve has "discard". So I am asking this
> question.


http://www.postfix.org/header_checks.5.html
There is a DISCARD action.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Peter via Postfix-users

On 20/06/24 04:35, John Levine via Postfix-users wrote:

> It appears that Peter via Postfix-users  said:
>> On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>>> Hi
>>>
>>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>>
>> There is no such thing as a no-reply email, there is no part of the
>> email specification that allows a message to be marked as unable to be
>> replied to.
>
> You might want to take a look at RFCs 7504 and 7505.


Those discuss means by which an entire domain or server can be set to 
not accept mail.  I'm referring to setting the envelope sender and/or 
From: header in a message to an invalid address which is questionable at 
best and disallowed by RFC at worst.


IRT the Envelope sender see RFC 5321 4.5.5 where it says:

"All other types of messages (i.e., any message which is not required by 
a Standards-Track RFC to have a null reverse-path) SHOULD be sent with a 
*valid* (emphasis added), non-null reverse-path."


In this case "reverse-path" is a reference to the envelope sender.

For the From: header RFC5322 3.6.2 says:

"In all cases, the "From:" field SHOULD NOT contain any mailbox that 
does not belong to the author(s) of the message."


...which at the very least strongly suggests that the mailbox should be 
valid.



> I do agree that sending mail you can't reply to is rude, regardless
> of the technical details.


Indeed, and how difficult is it for these companies to set it to a help@ 
or info@ mailbox anyways?



Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] discard message

2024-06-19 Thread Jeff Peng via Postfix-users

Hello

does smtp have an action "discard"? if so where messages will be 
discarded?


I see smtp code has "reject" while sieve has "discard". So I am asking 
this question.


Thank you.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Ralph Seichter via Postfix-users:
> * Ansgar Wiechers via Postfix-users:
> 
> > [...]
> 
> Did I ever send mail to you using the mailing list address you got
> barred from targeting, or send mail to you at all from my servers? No,
> I did not.
> 
> You tried to initiate communication by sending mail to an address you
> had no reason to contact, this being a mailing list, and you were thus
> redirected to a page explaining how you could ask for permission to send
> to said protected address in case you had a legitimate reason to (which
> you don't). I have also provided an unrestricted email address so
> anybody can send mail to in order to ask for clearance for the protected
> address, something which you didn't do.
> 
> All this is nothing like using a no-reply address, which is easy enough
> to understand. TL;DR: Apples and oranges.
> 
> > Guess what just happened to horus-it.com on my mail server.
> 
> Go on, guess if I care. :-)

No, don't. Please take this off-list.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ralph Seichter via Postfix-users
* Ansgar Wiechers via Postfix-users:

> [...]

Did I ever send mail to you using the mailing list address you got
barred from targeting, or send mail to you at all from my servers? No,
I did not.

You tried to initiate communication by sending mail to an address you
had no reason to contact, this being a mailing list, and you were thus
redirected to a page explaining how you could ask for permission to send
to said protected address in case you had a legitimate reason to (which
you don't). I have also provided an unrestricted email address so
anybody can send mail to in order to ask for clearance for the protected
address, something which you didn't do.

All this is nothing like using a no-reply address, which is easy enough
to understand. TL;DR: Apples and oranges.

> Guess what just happened to horus-it.com on my mail server.

Go on, guess if I care. :-)

-Ralph
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread John Levine via Postfix-users
It appears that Peter via Postfix-users  said:
>On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>> Hi
>> 
>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>
>There is no such thing as a no-reply email, there is no part of the 
>email specification that allows a message to be marked as unable to be 
>replied to.

You might want to take a look at RFCs 7504 and 7505.

I do agree that sending mail you can't reply to is rude, regardless
of the technical details.

R's,
John
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: SASL_README correction

2024-06-19 Thread Wietse Venema via Postfix-users
Rob Sterenborg (Lists) via Postfix-users:
> Hi,
> 
> I was reading the SASL_README, "The ldapdb plugin" at:
> 
>  https://www.postfix.org/SASL_README.html#auxprop_ldapdb
> 
> [quote]
> Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the 
> LDAP database directly, with appropriate configuration in 
> saslauthd.conf, as described here. [...snip...]
> [/quote]
> 
> The link for "as described here" points to:
> 
>  http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD
> 
> Which returns a "No page found" message.
> 
> I guess it is currently hosted at:
>  
> https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

Confirmed, your link matches the archived content in the wayback machine at
https://web.archive.org/web/20140301224448/http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

It's a bit dated, but that is what we have.

I have updated the link in Postfix documentation. It will show up
on the website in an hour or so.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ansgar Wiechers via Postfix-users
On 2024-06-19 Ralph Seichter via Postfix-users wrote:
> * Bjoern Franke via Postfix-users:
> 
> > From: Ralph Seichter via Postfix-users 
> > Reply-To: Ralph Seichter 
> 
> Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of
> using "nore...@foo.bar" type addresses remains unchanged, however. If
> sender A sends mail to recipient B, A needs to be prepared to receive a
> response from B. Proper email communication is not a hit-and-run.

Umm... yeah. Let's see ...

| : host ra.horus-it.com[65.108.3.114] said: 451 4.7.1
| Policy violation; see https://www.horus-it.com/policy3/?S=5 (in reply to
| end of DATA command)

Quoting from that page:

| What does it mean?
|
| The owner of address name@example.domain has decided to only accept
| correspondence from a list of known contacts, which is usually done to
| counter address harvesting, and your sender address was rejected
| because it is not a member of said list.
|
| How can I register as a contact?
|
| If you have a legitimate reason to send email to this particular
| recipient address, please write to postmaster@example.domain first.
| State the full sender and recipient addresses, and explain why you
| require clearance. If the recipient agrees to accept your request, you
| will usually receive a notification within two working days.

Oh, well. Guess what just happened to horus-it.com on my mail server.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ralph Seichter via Postfix-users
* Bjoern Franke via Postfix-users:

> From: Ralph Seichter via Postfix-users 
> Reply-To: Ralph Seichter 

Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of
using "nore...@foo.bar" type addresses remains unchanged, however. If
sender A sends mail to recipient B, A needs to be prepared to receive a
response from B. Proper email communication is not a hit-and-run.

-Ralph
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Gary R. Schmidt via Postfix-users:
[reply-to header]
> He didn't do it - it's being added by Mailman.  Whether by default or
> deliberately I do not know.

This is damage control for DMARC. The mailing list address goes in
the From: header, and the poster's email address goes in Reply-To:
so that list members can still choose between replying to the poster
or to the list.

Wietse

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] SASL_README correction

2024-06-19 Thread Rob Sterenborg (Lists) via Postfix-users

Hi,

I was reading the SASL_README, "The ldapdb plugin" at:

https://www.postfix.org/SASL_README.html#auxprop_ldapdb

[quote]
Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the 
LDAP database directly, with appropriate configuration in 
saslauthd.conf, as described here. [...snip...]

[/quote]

The link for "as described here" points to:

http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

Which returns a "No page found" message.

I guess it is currently hosted at:


https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD


--
Rob
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Cody Millard via Postfix-users

Mornin'

# Error reporting
# https://www.postfix.org/postconf.5.html#error_notice_recipient
error_notice_recipient = postmaster@email.broker
# https://www.postfix.org/postconf.5.html#notify_classes
notify_classes = bounce, delay, policy, protocol, resource, software

The above will ensure many errors are reported directly to the 
postmaster's inbox. The default is to only notify of resource and 
software class errors; I have also included the bounce, delay, policy, 
and protocol classes in my config. There are about 20-40 emails a day 
depending on the tenacity of the bots.



On 6/19/2024 4:27 AM, Matt Kinni via Postfix-users wrote:

> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>> smtpd_helo_restrictions =
>>  ...
>>  reject_non_fqdn_helo_hostname,
>>  ...
>
> I've found this to block some legitimate mails in the past from Bank of
> America, so you may want to grep your logs for "Helo command rejected:
> Host not found" just in case!

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Ansgar Wiechers via Postfix-users
On 2024-06-19 Jeff Peng via Postfix-users wrote:
> On 2024-06-19 17:29, Matt Kinni via Postfix-users wrote:
>> On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
>>> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>>>> smtpd_helo_restrictions =
>>>> ...
>>>> reject_non_fqdn_helo_hostname,
>>>> ...
>>> I've found this to block some legitimate mails in the past
>> Sorry, I meant "reject_unknown_helo_hostname".
>
> what's unknown_helo_hostname? does it mean it has neither A nor mx record?

From `man 5 postconf`:

| reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
| Reject the request when the HELO or EHLO hostname has no DNS A or MX
| record.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Jeff Peng via Postfix-users

On 2024-06-19 17:29, Matt Kinni via Postfix-users wrote:
> On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
>> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>>> smtpd_helo_restrictions =
>>> ...
>>> reject_non_fqdn_helo_hostname,
>>> ...
>> I've found this to block some legitimate mails in the past
> Sorry, I meant "reject_unknown_helo_hostname".


what's unknown_helo_hostname? does it mean it has neither A nor mx 
record?


regards.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Matt Kinni via Postfix-users
On 2024-06-19 02:27, Matt Kinni via Postfix-users wrote:
> On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
>> smtpd_helo_restrictions =
>> ...
>> reject_non_fqdn_helo_hostname,
>> ...
> I've found this to block some legitimate mails in the past 
Sorry, I meant "reject_unknown_helo_hostname".
I've been using "reject_non_fqdn_helo_hostname" for years without issue.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Matt Kinni via Postfix-users
On 2024-06-16 15:21, Cody Millard via Postfix-users wrote:
> smtpd_helo_restrictions =
> ...
> reject_non_fqdn_helo_hostname,
> ...

I've found this to block some legitimate mails in the past from Bank of
America, so you may want to grep your logs for "Helo command rejected:
Host not found" just in case!

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Viktor Dukhovni via Postfix-users
> On 19 Jun 2024, at 4:29 PM, Gilgongo via Postfix-users 
>  wrote:
> 
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> > 
> > smtpd_tls_auth_only = no
> 
> Why? Surely, "yes" is the better choice...
> 
> You need to set this to "yes" if you plan to have accounts sending mail out 
> through your mail server. Because that's potentially a security risk, Postfix 
> doesn't set this to "yes" by default.
> 
> As to smtpd_tls_security_level, you are right that (for port 25 smtp) it is 
> better as "may", but the reason the default is none is that you will need to 
> set up TLS certificate first, which isn't in the scope of what Postfix does. 
> So that's why it sets none as the default.

It seemed to me at the time, per the thread subject, that your post was
recommending best-practice settings, rather than showing Postfix default
settings.  If the latter, OK, but I don’t need them explained, and not all
the explanations are correct.

— 
Viktor.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Gary R. Schmidt via Postfix-users

On 19/06/2024 18:19, Bjoern Franke via Postfix-users wrote:

> Hi,
>
>> Personally, I find this type of one-way communication annoying and
>> impolite. The same goes for setting Reply-To to your personal email
>> address after asking for help on a public mailing list.
>
> Like you did yourself?
>
> From: Ralph Seichter via Postfix-users
> Reply-To: Ralph Seichter

He didn't do it - it's being added by Mailman.  Whether by default or 
deliberately I do not know.


And I have to apologise to whoever it was I told off previously for 
doing it, sorry.


Cheers,
Gary B-)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Bjoern Franke via Postfix-users

Hi,



> Personally, I find this type of one-way communication annoying and
> impolite. The same goes for setting Reply-To to your personal email
> address after asking for help on a public mailing list.



Like you did yourself?

From: Ralph Seichter via Postfix-users 
Reply-To: Ralph Seichter 

Regards
Bjoern
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Peter via Postfix-users

On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:

> Hi
>
> *Trying to setup email REJECT when users try to send to a no-reply email.*

There is no such thing as a no-reply email, there is no part of the 
email specification that allows a message to be marked as unable to be 
replied to.  Many people think they can send a no-reply message by 
setting the localpart of the From: header to "no-reply" "noreply" or 
similar but this is not part of any official specification, nor does it 
prevent someone from replying to that email address.

All that is said because no-re...@example.com could be a perfectly valid 
email address fully capable of accepting messages, and as such you might 
want to re-think your policy of blocking messages to such addresses. 
Note that if the mailbox is truly invalid then the receiving MX should 
issue an appropriate rejection which your server can then pass back to 
the user in the form of a DSN (bounce message).

> AFAIK, this should be configured on smtpd_recipient_restrictions using
> check_recipient_access. Please, let me know if I'm wrong.

Yes that can be used to reject messages to recipients that match a 
certain pattern in the recipient's address, one such pattern being any 
address with a local part of "noreply".

> It's not working, so maybe it's because I don't know if rules are
> applied on first match or combined (ie: if a reject is found, is
> immediately rejected or it might be permitted by another rule).

Rules are checked in the order they are encountered with the first 
permit or reject stopping the checks of that particular restrictions.

> This is /approximately/ my configuration:
>
> smtpd_recipient_restrictions =
>      check_recipient_access ldap:ext2int, #allows any ldap account

If this returns OK or permit then the following rule will not be checked.

>      check_recipient_access hash:/etc/postfix/no-reply_reject, #reject no-reply

What this does will depend on the content of 
/etc/postfix/no-reply_reject (which you did not show).

>      reject_authenticated_sender_login_mismatch,
>      permit_sasl_authenticated,

This will stop processing if the user is authenticated and permit the 
message.

>      reject_unauth_destination,

This rule is redundant, because it can only either reject or fall down 
to the next rule

>      reject

...which will always reject, so the last two rules will always reject 
regardless.



Peter
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
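
Added example, not part of the thread and not Postfix code: a small Python model of the first-match evaluation Peter describes, run over the restriction list from the question. The table contents, the addresses, the OK result from the LDAP lookup and the reordered list are constructed assumptions.

```python
OK, REJECT, DUNNO = "OK", "REJECT", "DUNNO"

# Constructed tables (assumptions): the LDAP map answers OK for every known
# account, including the no-reply one; the hash map rejects only that address.
LDAP_EXT2INT = {"alice@example.com": OK, "noreply@example.com": OK}
NO_REPLY_REJECT = {"noreply@example.com": REJECT}
LOCAL_DOMAINS = {"example.com"}


def check_recipient_access(table):
    """access(5)-style lookup: the table's action, or DUNNO on no match."""
    return lambda msg: table.get(msg["rcpt"], DUNNO)


def reject_authenticated_sender_login_mismatch(msg):
    return DUNNO  # assumption: the sender address matches the SASL login


def permit_sasl_authenticated(msg):
    return OK if msg["authenticated"] else DUNNO


def reject_unauth_destination(msg):
    domain = msg["rcpt"].rsplit("@", 1)[-1]
    return DUNNO if domain in LOCAL_DOMAINS else REJECT


def reject(msg):
    return REJECT


LDAP = ("check_recipient_access ldap:ext2int",
        check_recipient_access(LDAP_EXT2INT))
NO_REPLY = ("check_recipient_access hash:/etc/postfix/no-reply_reject",
            check_recipient_access(NO_REPLY_REJECT))
TAIL = [
    ("reject_authenticated_sender_login_mismatch",
     reject_authenticated_sender_login_mismatch),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_unauth_destination", reject_unauth_destination),
    ("reject", reject),
]

THREAD_ORDER = [LDAP, NO_REPLY] + TAIL   # order shown in the question
REORDERED = [NO_REPLY, LDAP] + TAIL      # hypothetical: reject map first
WITHOUT_UNAUTH = [r for r in THREAD_ORDER
                  if r[0] != "reject_unauth_destination"]


def evaluate(restrictions, rcpt, authenticated=False):
    """Return (verdict, deciding restriction); the first non-DUNNO result wins."""
    msg = {"rcpt": rcpt, "authenticated": authenticated}
    for name, check in restrictions:
        verdict = check(msg)
        if verdict != DUNNO:
            return verdict, name
    return DUNNO, "end of list"


# Constructed (recipient, authenticated) cases.
SAMPLES = [("noreply@example.com", False), ("alice@example.com", False),
           ("carol@example.com", False), ("bob@elsewhere.test", False),
           ("bob@elsewhere.test", True)]


def same_verdicts(list_a, list_b):
    """True if both lists give the same verdict for every sample case."""
    return all(evaluate(list_a, r, a)[0] == evaluate(list_b, r, a)[0]
               for r, a in SAMPLES)


if __name__ == "__main__":
    for label, order in (("thread order", THREAD_ORDER), ("reordered", REORDERED)):
        for rcpt, auth in SAMPLES:
            print(label, rcpt, "auth" if auth else "anon",
                  evaluate(order, rcpt, auth))
```

In this model the no-reply REJECT is only reached when the reject map is consulted before the LDAP lookup, and dropping reject_unauth_destination ahead of the final reject changes no verdict.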


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ralph Seichter via Postfix-users
* Tan Mientras via Postfix-users:

> Trying to setup email REJECT when users try to send to a no-reply
> email.

Personally, I find this type of one-way communication annoying and
impolite. The same goes for setting Reply-To to your personal email
address after asking for help on a public mailing list.

-Ralph
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] REJECT sending mails to no-reply accounts

2024-06-19 Thread Tan Mientras via Postfix-users
Hi

*Trying to setup email REJECT when users try to send to a no-reply email.*

AFAIK, this should be configured on smtpd_recipient_restrictions using
check_recipient_access. Please, let me know if I'm wrong.

It's not working, so maybe it's because I don't know if rules are applied
on first match or combined (ie: if a reject is found, is immediately
rejected or it might be permitted by another rule).

This is *approximately* my configuration:

smtpd_recipient_restrictions =
    check_recipient_access ldap:ext2int, #allows any ldap account
    check_recipient_access hash:/etc/postfix/no-reply_reject, #reject no-reply
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject

Thanks
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Best practices?

2024-06-19 Thread Gilgongo via Postfix-users
On Wed, 19 Jun 2024 at 03:57, Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:

> On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users
> wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...


You need to set this to "yes" if you plan to have accounts sending mail out
through your mail server. Because that's potentially a security risk,
Postfix doesn't set this to "yes" by default.

As to smtpd_tls_security_level, you are right that (for port 25 smtp) it is
better as "may", but the reason the default is none is that you will need
to set up a TLS certificate first, which isn't in the scope of what Postfix
does. So that's why it sets none as the default.


[pfx] Re: Best practices?

2024-06-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 18, 2024 at 10:02:20PM -0500, Cody Millard via Postfix-users wrote:

> as for why I set these explicitly, I figured that more random bits means
> more secure.
> 
> tls_random_bytes = 64
> tls_daemon_random_bytes = 64

No need to clutter the configuration with overzealous low-level
settings.  32 bytes (default) of random seed is quite sufficient.

-- 
Viktor.


[pfx] Re: Best practices?

2024-06-18 Thread Cody Millard via Postfix-users

Hi Viktor.

Please check my original post. Your comments are on the postfix defaults 
and not my current settings.


as for why I set these explicitly, I figured that more random bits means 
more secure.


tls_random_bytes = 64
tls_daemon_random_bytes = 64

On 6/18/2024 9:56 PM, Viktor Dukhovni via Postfix-users wrote:

> On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users wrote:
>
> > The defaults for those settings, as far as postfix is concerned, are as
> > follows:
> >
> > smtpd_tls_auth_only = no
>
> Why? Surely, "yes" is the better choice...
>
> > smtpd_tls_security_level =
>
> Why empty?  Surely "may" is the better choice, with suitable settings
> for the certificate chain file and key file?
>
> > tls_random_bytes = 32
> > tls_daemon_random_bytes = 32
>
> Why set these explicitly?



[pfx] Re: Best practices?

2024-06-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 18, 2024 at 04:15:33PM -0500, Cody Millard via Postfix-users wrote:

> The defaults for those settings, as far as postfix is concerned, are as
> follows:
> 
> smtpd_tls_auth_only = no

Why? Surely, "yes" is the better choice...

> smtpd_tls_security_level =

Why empty?  Surely "may" is the better choice, with suitable settings
for the certificate chain file and key file?

> tls_random_bytes = 32
> tls_daemon_random_bytes = 32

Why set these explicitly?

-- 
Viktor.


[pfx] Re: Best practices?

2024-06-18 Thread Jeff Peng via Postfix-users

On 2024-06-19 05:15, Cody Millard via Postfix-users wrote:

> I am not sure what SRS or AUC are right now.

I saw Dr. Lindenberg has a similar test suite like your site.
https://blog.lindenberg.one/EmailSecurityTest


[pfx] Re: Rate limiting a group of domains

2024-06-18 Thread Wietse Venema via Postfix-users
785 243 via Postfix-users:
> I want to implement rate limiting based on the target server rather
> than by recipient domain. Specifically, I want to rate limit email
> sent to domains like yahoo.com, ymail.com, aol.com, myyahoo.com, and
> verizon.net as a group, since these domains appear to be handled by
> the same servers. This grouping should be done in case the receiving
> server does not discriminate based on domain for rate limiting
> purposes.

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        check_recipient_mx_access hash:/etc/postfix/mx_access
        ...
    # Also reduces concurrency to 1.
    smtp-yahoodns_destination_rate_delay = 1
    # Don't declare yahoo dead after a single failure.
    smtp-yahoodns_destination_concurrency_failed_cohort_limit = 5

/etc/postfix/mx_access:
    # For yahoo.com, ymail.com, myyahoo.com.
    yahoodns.net    FILTER smtp-yahoodns:

/postfix/master.cf
    smtp-yahoodns unix .. .. .. .. .. .. smtp

This sends one message per second.


Wietse


[pfx] Rate limiting a group of domains

2024-06-18 Thread 785 243 via Postfix-users
I want to implement rate limiting based on the target server rather
than by recipient domain. Specifically, I want to rate limit email
sent to domains like yahoo.com, ymail.com, aol.com, myyahoo.com, and
verizon.net as a group, since these domains appear to be handled by
the same servers. This grouping should be done in case the receiving
server does not discriminate based on domain for rate limiting
purposes.

(I'm not sure how yahoo works in this respect. I also want to do this
for google, for which there can be a large group of related domains
(eg gmail, googlemail, and users using their own domain with google
workspace?).

Currently, I have grouped the domains under the same transport, but if
i'm not mistaken this approach rate limits each domain independently.
Is there a way to group domains as a single entity for rate limiting
purposes? iow i think i might want a particular transport to rate
limit all the traffic it handles regardless of the domain


[pfx] Re: Best practices?

2024-06-18 Thread Cody Millard via Postfix-users

I am not sure what SRS or AUC are right now.

The defaults for those settings, as far as postfix is concerned, are as 
follows:


smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = no
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = >=TLSv1
smtpd_tls_security_level =
tls_random_bytes = 32
tls_daemon_random_bytes = 32


As for which is better.. couldn't say. I have configured these to the 
more secure according to my understanding of 
https://www.postfix.org/postconf.5.html

AND tbh, it's probably overkill. I'm not hiding state secrets.


On 6/16/2024 8:20 PM, Jeff Peng via Postfix-users wrote:




> > # SMTPd SERVER TLS/SSL Settings
> > tls_daemon_random_bytes = 64
> > tls_random_bytes = 64
> > smtpd_tls_cert_file = /etc/letsencrypt/live/email.broker/fullchain.pem
> > smtpd_tls_key_file = /etc/letsencrypt/live/email.broker/privkey.pem
> > smtpd_tls_security_level = may
> > smtpd_tls_auth_only = yes
> > smtpd_tls_mandatory_ciphers = high
> > smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
> > smtpd_tls_mandatory_protocols = >=TLSv1.2
> > # SASL settings
> > smtpd_sasl_security_options = noanonymous
> > smtpd_sasl_tls_security_options = noanonymous
> > # Moved to master.cf
> > #smtpd_sasl_type = dovecot
> > #smtpd_sasl_path = private/auth
> > smtpd_sasl_auth_enable = no
>
> for ssl stuff. is it better to use the system defaults?
> I am also the postmaster of tls-mail.com. I have a suggestion that,
> for your homepage, can you add the protocol of SRS and AUC?
>
> regards.
> Jeff




[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 18, 2024, at 3:33 PM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
> >> support authentication (POST 
> >> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)
> > 
> > Indeed, you have
> > 
> > smtps  inet  n   -   n   -   -   smtpd
> >-o smtpd_tls_wrappermode=yes
> >-o smtpd_sasl_auth_enable=no
> > 
> > Try: smtpd_sasl_auth_enable=yes
> > 
> 
> Doh! After fixing that and restarting postfix, I am successfully sending mail 
> from RC with $config['smtp_host'] = 'ssl://mail.stovebolt.com:465';
> 
> Thanks for your patience with this old man.

Congrats. I also have made progress with the migration from vintage
to present.

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 3:33 PM, Wietse Venema via Postfix-users 
>  wrote:
> 
> Paul Schmehl via Postfix-users:
>> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
>> support authentication (POST 
>> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)
> 
> Indeed, you have
> 
> smtps  inet  n   -   n   -   -   smtpd
>-o smtpd_tls_wrappermode=yes
>-o smtpd_sasl_auth_enable=no
> 
> Try: smtpd_sasl_auth_enable=yes
> 

Doh! After fixing that and restarting postfix, I am successfully sending mail 
from RC with $config['smtp_host'] = 'ssl://mail.stovebolt.com:465';

Thanks for your patience with this old man.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
> support authentication (POST 
> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)

Indeed, you have

smtps  inet  n   -   n   -   -   smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=no

Try: smtpd_sasl_auth_enable=yes

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 2:45 PM, Noel Jones via Postfix-users 
>  wrote:
> 
> 
>> On Jun 18, 2024, at 2:30 PM, Paul Schmehl via Postfix-users 
>>  wrote:
>> 
>> So, here is what I now have configured in roundcube:
>> 
>> $config['smtp_host'] = 'tls://mail.stovebolt.com:465';
>> $config['smtp_auth_type'] = 'PLAIN';
>> $config['smtp_user'] = '%u';
>> $config['smtp_pass'] = '%p';
>> 
> 
> When sending to port 465 with wrapper mode, you need to use 
> ssl://mail.stovebolt.com:465
> 
> ie. ssl: instead of tls:

I changed the config like this:

>> $config['smtp_host'] = 'tls://mail.stovebolt.com:587';

And sent mail successfully.

So, I guess we can mark this one as solved.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Resetting the discussion

2024-06-18 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 2:45 PM, Noel Jones via Postfix-users 
>  wrote:
> 
> 
>> On Jun 18, 2024, at 2:30 PM, Paul Schmehl via Postfix-users 
>>  wrote:
>> 
>> So, here is what I now have configured in roundcube:
>> 
>> $config['smtp_host'] = 'tls://mail.stovebolt.com:465';
>> $config['smtp_auth_type'] = 'PLAIN';
>> $config['smtp_user'] = '%u';
>> $config['smtp_pass'] = '%p';
>> 
> 
> When sending to port 465 with wrapper mode, you need to use 
> ssl://mail.stovebolt.com:465
> 
> ie. ssl: instead of tls:

When I change it to ssl:// I get Authentication failed

RC smtp log

[18-Jun-2024 14:53:32 -0500]:  Connecting to 
ssl://mail.stovebolt.com:465...
[18-Jun-2024 14:53:32 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
Postfix
[18-Jun-2024 14:53:32 -0500]:  Send: EHLO www.stovebolt.com
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-mail.stovebolt.com
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-PIPELINING
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-SIZE 9
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-VRFY
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-ETRN
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-ENHANCEDSTATUSCODES
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-8BITMIME
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-DSN
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-SMTPUTF8
[18-Jun-2024 14:53:32 -0500]:  Recv: 250 CHUNKING
[18-Jun-2024 14:53:32 -0500]:  Send: QUIT
[18-Jun-2024 14:53:32 -0500]:  Recv: 221 2.0.0 Bye

RC errors log

[18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
support authentication (POST 
/webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)
[18-Jun-2024 14:53:32 -0500]:  SMTP Error: Authentication failure: 
mail.stovebolt.com
PIPELINING
SIZE 9
VRFY
ETRN
ENHANCEDSTATUSCODES
8BITMIME
DSN
SMTPUTF8
CHUNKING (Code: 250) in /var/www/html/webmail/program/lib/Roundcube/rcube.php 
on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)

Postfix log

Jun 18 15:53:32 ded602 postfix/smtpd[12598]: connect from 
stovebolt.com[108.174.193.28]
Jun 18 15:53:32 ded602 postfix/smtpd[12598]: setting up TLS connection from 
stovebolt.com[108.174.193.28]
Jun 18 15:53:32 ded602 postfix/smtpd[12598]: stovebolt.com[108.174.193.28]: TLS 
cipher list 
"aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH"
Jun 18 15:53:32 ded602 postfix/smtpd[12598]: stovebolt.com[108.174.193.28]: 
Issuing session ticket, key expiration: 1718742211
Jun 18 15:53:32 ded602 postfix/smtpd[12598]: Anonymous TLS connection 
established from stovebolt.com[108.174.193.28]: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 18 15:53:32 ded602 postfix/smtpd[12598]: disconnect from 
stovebolt.com[108.174.193.28] ehlo=1 quit=1 commands=2

Paul Schmehl
paul.schm...@gmail.com
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
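
Added example, not from any poster in this thread and not Roundcube or Postfix code: a Python reading of a Roundcube SMTP log like the one above. It unwraps the log lines, collects the keywords of the last EHLO reply and reports whether AUTH was offered, which is the condition behind the "SMTP server does not support authentication" error and the smtpd_sasl_auth_enable=no setting pointed out elsewhere in this thread. The sample logs, the example.com host names and the function names are constructed for the example.

```python
import re

# Constructed samples in the Roundcube SMTP debug-log format quoted in this
# thread. Host names are placeholders; wrapped lines mimic the mail archive.
WRAPPER_MODE_NO_AUTH = """\
[18-Jun-2024 14:53:32 -0500]:  Connecting to
ssl://mail.example.com:465...
[18-Jun-2024 14:53:32 -0500]:  Recv: 220 mail.example.com ESMTP
Postfix
[18-Jun-2024 14:53:32 -0500]:  Send: EHLO www.example.com
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-mail.example.com
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-PIPELINING
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-SIZE 10240000
[18-Jun-2024 14:53:32 -0500]:  Recv: 250-8BITMIME
[18-Jun-2024 14:53:32 -0500]:  Recv: 250 CHUNKING
[18-Jun-2024 14:53:32 -0500]:  Send: QUIT
[18-Jun-2024 14:53:32 -0500]:  Recv: 221 2.0.0 Bye
"""

STARTTLS_THEN_AUTH = """\
[18-Jun-2024 15:10:02 -0500]:  Connecting to tls://mail.example.com:587...
[18-Jun-2024 15:10:02 -0500]:  Recv: 220 mail.example.com ESMTP Postfix
[18-Jun-2024 15:10:02 -0500]:  Send: EHLO www.example.com
[18-Jun-2024 15:10:02 -0500]:  Recv: 250-mail.example.com
[18-Jun-2024 15:10:02 -0500]:  Recv: 250-STARTTLS
[18-Jun-2024 15:10:02 -0500]:  Recv: 250 8BITMIME
[18-Jun-2024 15:10:02 -0500]:  Send: STARTTLS
[18-Jun-2024 15:10:02 -0500]:  Recv: 220 2.0.0 Ready to start TLS
[18-Jun-2024 15:10:02 -0500]:  Send: EHLO www.example.com
[18-Jun-2024 15:10:02 -0500]:  Recv: 250-mail.example.com
[18-Jun-2024 15:10:02 -0500]:  Recv: 250-AUTH PLAIN LOGIN
[18-Jun-2024 15:10:02 -0500]:  Recv: 250 8BITMIME
"""

NO_GREETING = "[18-Jun-2024 02:57:41 -0500]:  Connecting to tls://mail.example.com:465...\n"

ENTRY = re.compile(r"^\[[^\]]+\]:\s+(.*)$")


def entries(log_text):
    """Return the log bodies with the timestamp removed and wrapped lines rejoined."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            out.append(m.group(1).strip())
        elif out and line.strip():
            # A line without a timestamp continues the previous entry.
            out[-1] = f"{out[-1]} {line.strip()}"
    return out


def ehlo_capabilities(log_text):
    """Return {KEYWORD: [params]} for the last EHLO reply, or None if no EHLO was sent."""
    caps, collecting, first = None, False, False
    for body in entries(log_text):
        if body.upper().startswith("SEND: EHLO"):
            # A second EHLO (sent after STARTTLS) replaces the first reply.
            caps, collecting, first = {}, True, True
            continue
        if not collecting:
            continue
        m = re.match(r"Recv: 250([ -])(.*)$", body)
        if not m:
            collecting = False
            continue
        parts = m.group(2).split()
        if first:
            first = False            # first reply line is the server's own name
        elif parts:
            caps[parts[0].upper()] = parts[1:]
        if m.group(1) == " ":        # "250 " (space) marks the last reply line
            collecting = False
    return caps


def diagnose(log_text):
    """Classify a session by what the server offered the client."""
    if not any(b.startswith("Recv:") for b in entries(log_text)):
        # No 220 greeting logged, as in the tls://...:465 attempt in this thread.
        return "no-greeting"
    caps = ehlo_capabilities(log_text)
    if caps is None:
        return "no-ehlo"
    if "AUTH" not in caps:
        return "auth-not-offered"
    return "auth-offered:" + ",".join(caps["AUTH"])


if __name__ == "__main__":
    for name in ("WRAPPER_MODE_NO_AUTH", "STARTTLS_THEN_AUTH", "NO_GREETING"):
        print(name, "->", diagnose(globals()[name]))
```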


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
What about providing Postfix logs? As long as you can't provide
the Postfix perspective, finding help here will be difficult.

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Noel Jones via Postfix-users

> On Jun 18, 2024, at 2:30 PM, Paul Schmehl via Postfix-users 
>  wrote:
> 
> So, here is what I now have configured in roundcube:
> 
> $config['smtp_host'] = 'tls://mail.stovebolt.com:465';
> $config['smtp_auth_type'] = 'PLAIN';
> $config['smtp_user'] = '%u';
> $config['smtp_pass'] = '%p';
> 

When sending to port 465 with wrapper mode, you need to use 
ssl://mail.stovebolt.com:465

ie. ssl: instead of tls:



   — Noel Jones


[pfx] Resetting the discussion

2024-06-18 Thread Paul Schmehl via Postfix-users
I’ve posted several times about the problems that I’m having getting roundcube 
to send mail through postfix. I think you can throw out all the previous posts 
and start anew.

In one exchange, Viktor pointed out that I did not have -o 
smtpd_tls_wrappermode=yes set in master. (It was commented out. No idea why.) 
So, I uncommented that and restarted postfix.

Immediately, I was unable to send mail to postfix, but the behavior of 
roundcube had changed. Instead of saying unable to connect to server, it said 
sending and then eventually timed out.

So, here is what I now have configured in roundcube:

$config['smtp_host'] = 'tls://mail.stovebolt.com:465';
$config['smtp_auth_type'] = 'PLAIN';
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';

When I attempt to send mail, this is what appears in the roundcube smtp log:

[18-Jun-2024 02:57:41 -0500]:  Connecting to 
tls://mail.stovebolt.com:465…

And this is what appears in the roundcube errors log

[18-Jun-2024 03:02:41 -0500]:  PHP Error: Invalid response code 
received from server (POST 
/webmail/?_task=mail&_unlock=loading1718697460941&_framed=1&_action=send)
[18-Jun-2024 03:02:41 -0500]:  SMTP Error: Connection failed:  (Code: 
-1) in /var/www/html/webmail/program/lib/Roundcube/rcube.php on line 1794 (POST 
/webmail/?_task=mail&_unlock=loading1718697460941&_framed=1&_action=send)

Does this invalid response code mean that I still don’t have something 
configured correctly in postfix?

Here is my postconf -nf: https://www.stovebolt.com/postconfnf.txt
Here is my postconf -Mf: https://www.stovebolt.com/postconfMf.txt

It’s mystifying to me that postfix seems to be working fine, and I can send 
mail from my laptop but not directly from the server. Meanwhile, our forum 
software (UBBThreads) is having no problems at all sending mail to the same 
server.

Paul Schmehl
paul.schm...@gmail.com





[pfx] always_add_missing_headers / local_header_rewrite_clients

2024-06-18 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> 465    inet  n   -   n   -   -   smtpd
> -o smtpd_tls_wrappermode=yes
...
> -o smtpd_milters=$mua_milters
> -o always_add_missing_headers=yes

Nit: always_add_missing_headers is a cleanup(8) daemon feature.  It
has no effect in the above configuration. To append headers from
submission(s) clients, one could configure

    local_header_rewrite_clients =
        permit_sasl_authenticated, permit_inet_interfaces

Should we change the existing default, "local_header_rewrite_clients =
permit_inet_interfaces"?

Wietse


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Viktor Dukhovni via Postfix-users wrote on 2024-06-18 15:27:
> On Tue, Jun 18, 2024 at 03:20:46PM +0200, Benny Pedersen via
> Postfix-users wrote:
>
> > xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465"
> > "www.stovebolt.com"
> >
> > posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> > posttls-finger: server certificate verification failed for
> > www.stovebolt.com[108.174.193.28]:465: num=62:hostname mismatch
> >
> > issue new cert to fix it
> >
> > certbot --apache -d *.stovebolt.com -d stovebolt.com
>
> There's nothing to fix, you're using the wrong hostname.


good, is why i use

$config['imap_host'] = 'ssl://localhost:993';
$config['imap_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => 
false, 'verify_peer_name' => false, ), );


port 465 is not tls

$config['smtp_conn_options'] = array ( 'ssl' => array ( 'verify_peer' => 
false, 'verify_peer_name' => false, ), );

$config['smtp_host'] = 'tls://localhost:587';

op had imho

$config['smtp_host'] = 'tls://hostname:465';

which will fail










[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Paul Schmehl via Postfix-users wrote on 2024-06-18 08:04:

> posttls-finger: server certificate verification failed for
> mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
>
> This looks like it’s working correctly now, right?


hostname mismatch means still need to reissue new cert

mail is not www :=)

xpoint@tux ~ $ posttls-finger -w -lsecure -C "mail.stovebolt.com:465" 
"mail.stovebolt.com"

posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
posttls-finger: certificate verification failed for 
mail.stovebolt.com[108.174.193.29]:465: untrusted issuer 
/C=US/O=Internet Security Research Group/CN=ISRG Root X1


unsure why with it



[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 18, 2024 at 03:20:46PM +0200, Benny Pedersen via Postfix-users 
wrote:

> xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465" 
> "www.stovebolt.com"
> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> posttls-finger: server certificate verification failed for 
> www.stovebolt.com[108.174.193.28]:465: num=62:hostname mismatch
> 
> issue new cert to fix it
> 
> certbot --apache -d *.stovebolt.com -d stovebolt.com

There's nothing to fix, you're using the wrong hostname.

-- 
Viktor.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Paul Schmehl via Postfix-users wrote on 2024-06-18 06:39:

> On Jun 17, 2024, at 10:14 PM, Cowbay via Postfix-users
>  wrote:
> > On 2024/6/18 10:43, Paul Schmehl via Postfix-users wrote:
>
> The problem is neither tls nor ssl worked. No matter what config I
> used, roundcube would always throw an error. If I used
> $config['smtp_host'] = 'tls;//www.stovebolt.com'; or I used
> $config['smtp_host'] = 'ssl;//www.stovebolt.com'; roundcube would


typo tls; ssl; its not valid, must be ssl: and tls:

xpoint@tux ~ $ posttls-finger -w -lsecure -C "www.stovebolt.com:465" 
"www.stovebolt.com"

posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
posttls-finger: server certificate verification failed for 
www.stovebolt.com[108.174.193.28]:465: num=62:hostname mismatch


issue new cert to fix it

certbot --apache -d *.stovebolt.com -d stovebolt.com

if * is to be avoided add all valid hostnames with -d






[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Benny Pedersen via Postfix-users

Jeff Peng via Postfix-users wrote on 2024-06-18 09:30:

> smtps inet  n   -   y   -   -   smtpd
>   -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject

order matters, first wins

-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject

> Can you help further? Thanks.

join roundcube maillist ?



[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Benny Pedersen via Postfix-users

Peter via Postfix-users wrote on 2024-06-18 04:08:

> On 18/06/24 13:00, Jeff Peng via Postfix-users wrote:
> > On 2024-06-18 07:30, Peter via Postfix-users wrote:
> > > On 17/06/2024 17:28, Paul Schmehl wrote:
> >
> > though it's a big offtopic, may I ask that, for roundcube, how to stop
> > users adding their own sender identity? for example, when user login
> > as u...@domain.com, they can add the identity in roundcube interface
> > as f...@bar.com.
>
> I don't know off the top of my head but roundcube is not necessarily
> the right place to do this.  Consider that someone can bypass roundcube
> and connect to the submission port directly then any limitations you
> put in roundcube won't matter.  It's better to put the limitations in
> postfix and dovecot so that no matter how the user connects they will
> be limited.

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
$config['identities_level'] = 0;

is what is possible in roundcube

this is just not make any limit when there is other muas than roundcube

for solving in roundcube it could be identities confirmed with send a
email to new email, its just not worth





[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Jeff Peng via Postfix-users



Thanks for all the kind helps. I have resolved the issue and wrote a 
note for it.

https://notes.postno.de/how-to-use-reject-sender-login-mismatch-in-postfix.html

if you find any issue in this note, please let me know.

Thanks.




> Oh, sorry I didn't see you weren't using smtpd_sender_login_maps. I'm
> pretty sure you'll need that to list the allowed logins (and/or their
> aliases if needed). See https://www.postfix.org/postconf.5.html for how
> that works.




[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Gilgongo via Postfix-users
On Tue, 18 Jun 2024 at 08:55, Jeff Peng  wrote:

> I did have tried this line (with just one value
> reject_sender_login_mismatch).
> But then I even can't send mail from the valid user (the user who login
> into RC).
>

Oh, sorry I didn't see you weren't using smtpd_sender_login_maps. I'm
pretty sure you'll need that to list the allowed logins (and/or their
aliases if needed). See https://www.postfix.org/postconf.5.html for how
that works.


[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Gilgongo via Postfix-users
On Tue, 18 Jun 2024 at 08:31, Jeff Peng via Postfix-users <
postfix-users@postfix.org> wrote:

> Hello,
>
> I have this section in master.cf:
>
> smtps inet  n   -   y   -   -   smtpd
>-o syslog_name=postfix/smtps
>-o smtpd_tls_wrappermode=yes
>-o smtpd_sasl_auth_enable=yes
>    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
>-o smtpd_relay_restrictions=permit_sasl_authenticated,reject


I think all you need is:

-o smtpd_sender_restrictions=reject_sender_login_mismatch

Right now you're letting sasl-auth clients in without that check since
postfix evaluates left to right.

(By chance I was just looking at this when I saw your mail:
https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
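
Added illustration, not from any poster in this thread and not Postfix code: a small Python model of the left-to-right, first-match evaluation described above. It shows why permit_sasl_authenticated placed ahead of reject_sender_login_mismatch lets an authenticated user send as another address, and why the check rejects even the account's own address when smtpd_sender_login_maps is empty. The addresses, the LOGIN_MAPS table and the function names are assumptions made for the example.

```python
# Toy model of how one smtpd restriction list is walked: the first restriction
# that returns something other than DUNNO decides the outcome for that list.
DUNNO, OK, REJECT = "DUNNO", "OK", "REJECT"

# Constructed stand-in for smtpd_sender_login_maps:
# MAIL FROM address -> SASL login names that own it.
LOGIN_MAPS = {
    "alice@example.com": {"alice@example.com"},
    "bob@example.com": {"bob@example.com"},
}


def permit_sasl_authenticated(sender, login, maps):
    return OK if login else DUNNO


def reject_sender_login_mismatch(sender, login, maps):
    owners = maps.get(sender, set())
    if login is None:
        # Unauthenticated client using an address that has a listed owner.
        return REJECT if owners else DUNNO
    # Authenticated client: the login must own the MAIL FROM address.
    return DUNNO if login in owners else REJECT


def reject(sender, login, maps):
    return REJECT


RESTRICTIONS = {
    f.__name__: f
    for f in (permit_sasl_authenticated, reject_sender_login_mismatch, reject)
}


def evaluate(restriction_list, sender, login, maps):
    """Return (verdict, deciding restriction) for one restriction list."""
    for name in restriction_list:
        verdict = RESTRICTIONS[name](sender, login, maps)
        if verdict != DUNNO:
            return verdict, name
    # Nothing decided: Postfix moves on to the next restriction list.
    return DUNNO, None


AS_POSTED = ["permit_sasl_authenticated", "reject_sender_login_mismatch", "reject"]
REORDERED = ["reject_sender_login_mismatch", "permit_sasl_authenticated", "reject"]


def demo():
    spoof = ("bob@example.com", "alice@example.com")    # alice sends as bob
    own = ("alice@example.com", "alice@example.com")    # alice sends as herself
    return {
        "as_posted_spoof": evaluate(AS_POSTED, *spoof, LOGIN_MAPS),
        "reordered_spoof": evaluate(REORDERED, *spoof, LOGIN_MAPS),
        "reordered_own": evaluate(REORDERED, *own, LOGIN_MAPS),
        # Empty login maps: no login owns any address, so everyone is rejected.
        "reordered_own_no_maps": evaluate(REORDERED, *own, {}),
        "reordered_unauthenticated": evaluate(REORDERED, "alice@example.com", None, LOGIN_MAPS),
        "mismatch_only_own": evaluate(["reject_sender_login_mismatch"], *own, LOGIN_MAPS),
    }


if __name__ == "__main__":
    for case, (verdict, decided_by) in demo().items():
        print(f"{case:28} {verdict:7} decided by {decided_by}")
```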


[pfx] Re: Help with reject_sender_login_mismatch

2024-06-18 Thread Jeff Peng via Postfix-users

On 2024-06-18 15:51, Gilgongo wrote:

> On Tue, 18 Jun 2024 at 08:31, Jeff Peng via Postfix-users <
> postfix-users@postfix.org> wrote:
>
> > Hello,
> >
> > I have this section in master.cf:
> >
> > smtps inet  n   -   y   -   -   smtpd
> >    -o syslog_name=postfix/smtps
> >    -o smtpd_tls_wrappermode=yes
> >    -o smtpd_sasl_auth_enable=yes
> >    -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
> >    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>
> I think all you need is:
>
> -o smtpd_sender_restrictions=reject_sender_login_mismatch



I did have tried this line (with just one value 
reject_sender_login_mismatch).
But then I even can't send mail from the valid user (the user who login 
into RC).


so how?

Thanks.


[pfx] Help with reject_sender_login_mismatch

2024-06-18 Thread Jeff Peng via Postfix-users

Hello,

I have this section in master.cf:

smtps inet  n   -   y   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject_sender_login_mismatch,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

As you see, reject_sender_login_mismatch is added for 
smtpd_sender_restrictions.


And i restarted postfix.

But in webmail (RC), I still can send email with the from address of 
another identity in the same domain. (for instance, i login with 
u...@domain.com, but i can send email with the identity of 
us...@domain.com).


Can you help further? Thanks.

regards.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 1:34 AM, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
> On Tue, Jun 18, 2024 at 01:04:25AM -0500, Paul Schmehl via Postfix-users 
> wrote:
> 
>> # posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"
> 
> Why the "www.stovebolt.com"???  What hostname is roundcube configured to
> connect to?  The certificate is for "mail.stovebolt.com".

This is what I have in roundcube presently:

$config['smtp_host'] = 'tls://mail.stovebolt.com:465';

> 
> Correctly configured, wrapper-mode TLS is working on port 465, but one
> of the subject alternative DNS names in the certificate needs to match
> the hostname used by roundcube, or conversely, roundcube needs to be
> configured to connect to one of those names.
> 
I think I’ve done that correctly now.

I have posted both postconf -nf and postconf -Mf to the web. You can view them 
here:

https://www.stovebolt.com/postconfnf.txt
https://www.stovebolt.com/postconfMf.txt

I’ve been using postfix for a long, long time. It’s entirely possible that I have 
out-of-date config stuff. I’m running 3.9.0-1 now.

Paul Schmehl
paul.schm...@gmail.com


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Viktor Dukhovni via Postfix-users
On Tue, Jun 18, 2024 at 01:04:25AM -0500, Paul Schmehl via Postfix-users wrote:

> >> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
> >> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> > 
> > Your port 465 "smtps" service is misconfigured, it is missing the
> > "-o smtpd_tls_wrappermode=yes" option.
>
> OK. wrappermode was commented out. I uncommented it, restarted the
> daemon, and ran finger again.

[ For future drawn-out threads, we really should not let these go on
  quite so long without requesting the "postconf -nf" and "postconf -Mf"
  outputs. ]

> # posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"

Why the "www.stovebolt.com"???  What hostname is roundcube configured to
connect to?  The certificate is for "mail.stovebolt.com".

> posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
> posttls-finger: server certificate verification failed for 
> mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
> posttls-finger: mail.stovebolt.com[108.174.193.29]:465: 
> subject_CN=mail.stovebolt.com, issuer=R10, cert 
> fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5,
>  pkey 
> fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
> posttls-finger: Untrusted TLS connection established to 
> mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher 
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
> RSA-PSS (4096 bits) server-digest SHA256

> This looks like it’s working correctly now, right?

Correctly configured, wrapper-mode TLS is working on port 465, but one
of the subject alternative DNS names in the certificate needs to match
the hostname used by roundcube, or conversely, roundcube needs to be
configured to connect to one of those names.

-- 
Viktor.


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-18 Thread Paul Schmehl via Postfix-users
> On Jun 18, 2024, at 12:38 AM, Viktor Dukhovni via Postfix-users 
>  wrote:
> 
> On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users 
> wrote:
> 
>> That might have uncovered a problem.
>> 
>> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
>> 
>> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
>> posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: 
>> -1
>> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
>> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
> 
> Your port 465 "smtps" service is misconfigured, it is missing the
> "-o smtpd_tls_wrappermode=yes" option.  For example:
> 
>     465        inet  n       -       n       -       -       smtpd
>         -o smtpd_tls_wrappermode=yes
>         -o smtpd_milters=
>         -o syslog_name=postfix/smtps
>         -o smtpd_sasl_auth_enable=yes
>         -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
>         -o smtpd_helo_restrictions=
>         -o smtpd_sender_restrictions=
>         -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>         -o smtpd_recipient_restrictions=
>         -o smtpd_data_restrictions=
>         -o smtpd_end_of_data_restrictions=
>         -o milter_macro_daemon_name=ORIGINATING
>         -o smtpd_milters=$mua_milters
>         -o always_add_missing_headers=yes
> 
OK. wrappermode was commented out. I uncommented it, restarted the daemon, and 
ran finger again.

# posttls-finger -w -lsecure -C "mail.stovebolt.com:465" "www.stovebolt.com"
posttls-finger: Connected to mail.stovebolt.com[108.174.193.29]:465
posttls-finger: server certificate verification failed for 
mail.stovebolt.com[108.174.193.29]:465: num=62:Hostname mismatch
posttls-finger: mail.stovebolt.com[108.174.193.29]:465: 
subject_CN=mail.stovebolt.com, issuer=R10, cert 
fingerprint=B6:E5:61:8F:1D:B3:98:54:36:CF:09:A1:04:96:E4:14:21:8C:59:91:AB:C5:60:27:34:E5:61:66:68:1E:83:D5,
 pkey 
fingerprint=26:05:FB:BB:A6:40:3D:66:16:B3:85:3A:23:9F:97:42:7E:BA:E2:BA:FF:DB:DA:67:B2:87:9B:16:A7:83:3D:0D
posttls-finger: Untrusted TLS connection established to 
mail.stovebolt.com[108.174.193.29]:465: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
RSA-PSS (4096 bits) server-digest SHA256
posttls-finger: < 220 mail.stovebolt.com ESMTP Postfix
posttls-finger: > EHLO mail.stovebolt.com
posttls-finger: < 250-mail.stovebolt.com
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 9
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250-SMTPUTF8
posttls-finger: < 250 CHUNKING

---
Certificate chain
(I deleted all the cert stuff)

posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

This looks like it’s working correctly now, right?

Paul Schmehl
paul.schm...@gmail.com





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Viktor Dukhovni via Postfix-users
On Mon, Jun 17, 2024 at 11:39:27PM -0500, Paul Schmehl via Postfix-users wrote:

> That might have uncovered a problem.
> 
> # posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"
> 
> posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
> posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: -1
> posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
> routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:

Your port 465 "smtps" service is misconfigured, it is missing the
"-o smtpd_tls_wrappermode=yes" option.  For example:

    465        inet  n       -       n       -       -       smtpd
        -o smtpd_tls_wrappermode=yes
        -o smtpd_milters=
        -o syslog_name=postfix/smtps
        -o smtpd_sasl_auth_enable=yes
        -o {smtpd_client_restrictions=reject_rbl_client zen.spamhaus.org=127.0.0.4}
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=
        -o smtpd_data_restrictions=
        -o smtpd_end_of_data_restrictions=
        -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_milters=$mua_milters
        -o always_add_missing_headers=yes

-- 
Viktor.
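
[ Added example, not part of the original message: why a wrapper-mode TLS
  client reports "wrong version number" when port 465 answers with a plaintext
  SMTP greeting. The client reads the greeting's first five bytes as a TLS
  record header, and the version field is not 3.x. Both samples are constructed. ]

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def parse_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes the way a TLS client does."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS record from a plaintext SMTP reply line."""
    hdr = parse_record_header(data)
    if hdr["type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3:
        return "tls-record"
    # An SMTP reply starts with a 3-digit code followed by space or hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-smtp"
    return "unknown"

# Constructed samples, not captured from the servers in this thread.
PLAINTEXT_GREETING = b"220 mail.example.test ESMTP Postfix\r\n"
# Handshake record, legacy version 3.3, 122-byte body (type byte + padding).
TLS_SERVER_HELLO = bytes.fromhex("160303007a") + b"\x02" + b"\x00" * 121

if __name__ == "__main__":
    for label, sample in (("without wrappermode", PLAINTEXT_GREETING),
                          ("with wrappermode", TLS_SERVER_HELLO)):
        print(label, classify_first_bytes(sample), parse_record_header(sample))
```

Read as a record header, "220 m" yields content type 0x32 and version bytes 0x32 0x30, which is neither a known record type nor a 3.x version.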


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Paul Schmehl via Postfix-users
> On Jun 17, 2024, at 10:14 PM, Cowbay via Postfix-users 
>  wrote:
> 
> On 2024/6/18 10:43, Paul Schmehl via Postfix-users wrote:

> The problem is neither tls nor ssl worked. No matter what config I used, 
> roundcube would always throw an error. If I used $config['smtp_host'] = 
> 'tls;//www.stovebolt.com'; or I used $config['smtp_host'] = 
> 'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t 
> connect to the server. If I removed them and used only the FQHN, it errored 
> out saying the postfix doesn’t support authentication.
>> 
>> I thought maybe it might be a cert issue (I was using a self-signed cert), 
>> so I switched to a letsencrypt cert, but that made no difference. No matter 
>> what I did, roundcube refused to send mail.
> I learned a tool to check this problem. You can try below command and check 
> the output:
> 
> posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"

That might have uncovered a problem.

# posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"

posttls-finger: Connected to www.stovebolt.com[108.174.193.28]:465
posttls-finger: SSL_connect error to www.stovebolt.com[108.174.193.28]:465: -1
posttls-finger: warning: TLS library problem: error:1408F10B:SSL 
routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:

Paul Schmehl
paul.schm...@gmail.com





[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Jeff Peng via Postfix-users

On 2024-06-18 10:40, postfix--- via Postfix-users wrote:
To be honest, you still likely want authentication.  Keep in mind 
that you don't need to authenticate as a single user for roundcube 
but rather you can have roundcube pass authentication through from 
its own user login and therefore support multiple users while also 
allowing postfix to support those same multiple users and see their 
individual logins. The point of this is that you can then use 
settings such as smtpd_sender_login_maps and 
reject_sender_login_mismatch in postfix to control individual users 
from roundcube.


Though it's a bit off-topic, may I ask: for roundcube, how do I stop 
users from adding their own sender identity? For example, when a user 
logs in as u...@domain.com, they can add an identity in the roundcube 
interface such as f...@bar.com.


It is what the previous poster was explaining to you. It isn't turnkey 
and requires some custom SQL queries or config if using flat files. But 
you use permit_sasl_authenticated on submission to make sure only 
authenticated users can send email, then you use 
reject_sender_login_mismatch to make sure they can only send email that 
has a from address belonging to whomever is logged in through 
permit_sasl_authenticated.


Postfix will not accept email through submission they are not 
authorized to send. When the user clicks the send email button they 
will see an error message to the effect they are not the owner of the 
address they are trying to use.


Another less secure option is roundcube has a setting that disables the 
ability of users to create or edit identities in the web interface 
keeping them stuck using only the From: address their roundcube account 
was created with.


  $config['identities_level'] = 3;
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


Great to know the info.
Thanks Peter!
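
[ Added example, not part of the original messages: a small simulation of the
  decision reject_sender_login_mismatch makes from smtpd_sender_login_maps, as
  the Postfix documentation describes it. It acts on the envelope sender
  (MAIL FROM). The map contents, addresses and function names are constructed,
  and the bare-localpart lookup for local domains is left out. ]

```python
import re

def lookup_owners(login_map: dict, sender: str) -> list:
    """Look up the full address first, then the @domain catch-all key."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, "@" + domain):
        if key in login_map:
            # A result holds one or more logins split by comma or whitespace.
            return [o for o in re.split(r"[,\s]+", login_map[key]) if o]
    return []

def sender_login_check(login_map: dict, mail_from: str, sasl_login):
    """Return ("REJECT", reason) or ("DUNNO", ""); sasl_login None = no AUTH."""
    owners = lookup_owners(login_map, mail_from)
    if owners and sasl_login not in owners:
        # The address has an owner and the client is not logged in as one.
        reason = "not logged in" if sasl_login is None else "not owned by login"
        return ("REJECT", reason)
    if not owners and sasl_login is not None:
        # Logged in, but the map does not give this login the address.
        return ("REJECT", "not owned by login")
    return ("DUNNO", "")

# Constructed map in the spirit of a hash: table (sender -> owning logins).
LOGIN_MAP = {
    "alice@example.test": "alice@example.test",
    "sales@example.test": "alice@example.test, bob@example.test",
}

if __name__ == "__main__":
    cases = [("alice@example.test", "alice@example.test"),
             ("alice@example.test", "bob@example.test"),
             ("sales@example.test", "bob@example.test"),
             ("ceo@other.test", "bob@example.test"),
             ("alice@example.test", None)]
    for mail_from, login in cases:
        print(mail_from, login, sender_login_check(LOGIN_MAP, mail_from, login))
```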


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Gary R. Schmidt via Postfix-users

On 18/06/2024 12:43, Paul Schmehl via Postfix-users wrote:
[SNIP]

roundcube would always throw an error. If I used $config['smtp_host'] 
= 'tls;//www.stovebolt.com'; or I used $config['smtp_host'] = 
'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t 

I hope the semi-colon characters above are a typo, not the actual lines!

Cheers,
GaryB-)


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Cowbay via Postfix-users

On 2024/6/18 10:43, Paul Schmehl via Postfix-users wrote:

On Jun 17, 2024, at 6:30 PM, Peter via Postfix-users 
 wrote:


On 17/06/2024 17:28, Paul Schmehl wrote:

How do you set up roundcube to not use authentication? I really don’t need it 
since it’s on the same machine as the mail server. What config options do I 
need to use?


To be honest, you still likely want authentication.  Keep in mind that you 
don't need to authenticate as a single user for roundcube but rather you can 
have roundcube pass authentication through from its own user login and 
therefore support multiple users while also allowing postfix to support those 
same multiple users and see their individual logins. The point of this is that 
you can then use settings such as smtpd_sender_login_maps and 
reject_sender_login_mismatch in postfix to control individual users from 
roundcube.

http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch


The problem is neither tls nor ssl worked. No matter what config I used, 
roundcube would always throw an error. If I used $config['smtp_host'] = 
'tls;//www.stovebolt.com'; or I used $config['smtp_host'] = 
'ssl;//www.stovebolt.com'; roundcube would error out saying it couldn’t connect 
to the server. If I removed them and used only the FQHN, it errored out saying 
the postfix doesn’t support authentication.

I thought maybe it might be a cert issue (I was using a self-signed cert), so I 
switched to a letsencrypt cert, but that made no difference. No matter what I 
did, roundcube refused to send mail.


I learned a tool to check this problem. You can try below command and check the 
output:

posttls-finger -w -lsecure -C "www.stovebolt.com:465" "www.stovebolt.com"



Paul Schmehl
paul.schm...@gmail.com


