[pfx] Re: openarc and forwarding to gmail
Dnia 4.08.2024 o godz. 20:14:34 Peter via Postfix-users pisze: > My best advice when forwarding to gmail is to instead configure the > gmail account to fetch the mail. You will need to enable POP3 (in > dovecot or whatever your IMAP service is) as gmail will not fetch > from an IMAP server, then you can configure gmail to access your > server and fetch the mail from it. This has a number of advantages: Buit this has one HUGE disadvantage, that is so obvious that I always wonder how people who advise to do this can not mention it? -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: openarc and forwarding to gmail
On 4/08/24 11:04, Alex via Postfix-users wrote: Hi, I'm using postfix-3.8.5 on fedora40 and having a problem with forwarding mail from our relay to gmail recipients. We have some users using ~/.forward files to individual gmail accounts. Obviously not ideal, but I hoped openarc could help alleviate some of those problems. My best advice when forwarding to gmail is to instead configure the gmail account to fetch the mail. You will need to enable POP3 (in dovecot or whatever your IMAP service is) as gmail will not fetch from an IMAP server, then you can configure gmail to access your server and fetch the mail from it. This has a number of advantages: * gmail forgoes it's normal anti-spam filtering when fetching mail in this manner meaning you won't have issues with mail landing in the Spam folder or being rejected or dropped. * You won't have the issue where forwarding SPAM can affect your IP reputation with gmail. Note that this only works with gmail, I'm not aware of other major ESPs that offer this feature. Further info and instructions: https://support.google.com/mail/answer/21289 Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: openarc and forwarding to gmail
It will not work. This DKIM signature will never authenticate because the key length must be of least 1024 bits. What you can do as a forwarder: 1. Rewrite envelope sender using a SPF enabled domain that you control. (SRS) 2. DKIM Sign message using a domain that you control, while keeping any existing signatures. > On 4. 8. 2024., at 01:08, Alex via Postfix-users > wrote: > > Gmail doesn't recognize the above as a forwarded email, so DKIM and SPF fail. > Will openarc solve the issue above with authentication failure? ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: openarc and forwarding to gmail
Alex via Postfix-users: > Hi, > I'm using postfix-3.8.5 on fedora40 and having a problem with forwarding > mail from our relay to gmail recipients. We have some users using > ~/.forward files to individual gmail accounts. Obviously not ideal, but I > hoped openarc could help alleviate some of those problems. > > Aug 3 17:01:48 cipher postfix-gmail/smtp[478730]: 9415A3D59D: host > gmail-smtp-in.l.google.com[142.251.179.26] said: 421-4.7.26 Your email has > been rate limited because it is unauthenticated. Gmail 421-4.7.26 requires > all senders to authenticate with either SPF or DKIM. 421-4.7.26 > 421-4.7.26 Authentication results: 421-4.7.26 DKIM = did not pass > 421-4.7.26 SPF [clclodging.com] with ip: [209.216.111.60] = did not pass > 421-4.7.26 421-4.7.26 For instructions on setting up authentication, go > to 421 4.7.26 https://support.google.com/mail/answer/81126#authentication > 6a1803df08f44-6bb9c83f500si53204456d6.247 - gsmtp (in reply to end of DATA > command) That looks familiar. > Gmail doesn't recognize the above as a forwarded email, so DKIM and SPF > fail. Will openarc solve the issue above with authentication failure? This is a receiver policy: they will severely limit mail that is forwarded even if the DKIM signature is intact. On my personal mail server I have a few aliases that forward messages unmodified to my gmail account, and I can get away with that only because 1) my own domain's SPF, DKIM and DMARC are squeaky clean (good server reputation) and 2) I forward very few messages and it does not work for all email. I forward other messages manually as a new message with an message/rfc822 attachment. So, I have no good solution for the forwarding problem. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] openarc and forwarding to gmail
Hi, I'm using postfix-3.8.5 on fedora40 and having a problem with forwarding mail from our relay to gmail recipients. We have some users using ~/.forward files to individual gmail accounts. Obviously not ideal, but I hoped openarc could help alleviate some of those problems. Aug 3 17:01:48 cipher postfix-gmail/smtp[478730]: 9415A3D59D: host gmail-smtp-in.l.google.com[142.251.179.26] said: 421-4.7.26 Your email has been rate limited because it is unauthenticated. Gmail 421-4.7.26 requires all senders to authenticate with either SPF or DKIM. 421-4.7.26 421-4.7.26 Authentication results: 421-4.7.26 DKIM = did not pass 421-4.7.26 SPF [clclodging.com] with ip: [209.216.111.60] = did not pass 421-4.7.26 421-4.7.26 For instructions on setting up authentication, go to 421 4.7.26 https://support.google.com/mail/answer/81126#authentication 6a1803df08f44-6bb9c83f500si53204456d6.247 - gsmtp (in reply to end of DATA command) Gmail doesn't recognize the above as a forwarded email, so DKIM and SPF fail. Will openarc solve the issue above with authentication failure? Here is my openarc.conf: PidFile /run/openarc/openarc.pid Syslog yes UserID openarc:openarc Socket local:/run/openarc/openarc.sock Modesv SignHeaders to,subject,message-id,date,from,mime-version,dkim-signature PeerList/etc/openarc/PeerList MilterDebug 1 AuthservID cipher.example.com Canonicalizationrelaxed/simple Domain mail.example.com InternalHosts /etc/openarc/TrustedHosts KeyFile /etc/openarc/keys/example.com/default FinalReceiver yes Selectordefault Here is a message like the one above. It says the DKIM signing key for hotelplanner.com was too small? The "cv=none" indicates my server ( mail.example.com) was unable to locate an ARC chain to validate? ARC-Seal: i=1; a=rsa-sha256; d=mail.example.com; s=default; t=1722724259; cv=none; b=fOYv8Kqb6qKgdKewEx25qkFRyWD9KtaUPDn7w59/sqLWtL1aNNQ6OJtn9baAeF512/zP0y8dCpk9O0WifqObfjOJqv+mekC2Zg6qUJeKV0vDcWAiUihZ8vzWJSWIprAUVogVHY/3KodK99EceZDqDGsRVI3lGQzx1s/3EN2PLWc= But it was able to add its own ARC message, it appears: ARC-Message-Signature: i=1; a=rsa-sha256; d=mail.example.com; s=default; t=1722724259; c=relaxed/simple; bh=RnZKEmC2EEAMNOzvw+eIxkLYVgp2xb6lRNdcxiooPwY=; h=DKIM-Signature:Date:From:To:Message-ID:Subject:MIME-Version; b=s9SviFMfjkc5O35u5m9bmB3M2cdpUoD+kewzbfREmir9zuIYX/R/i8VjwDvA6qsvinXTy25tZjork4PJLp5fPC5mYMMCFrGHbQeOR/YtBrj0uY7SWr7JeVax8/8VEmwxZN291AxJpRXufQOwRqrrperI17Fj+dJ8Db4vknnPuS4= ARC-Authentication-Results: i=1; cipher.example.com; dkim=policy (512-bit key, unprotected) header.d=hotelplanner.com header.i=@hotelplanner.com header.a=rsa-sha256 header.s=HotelPlanner header.b=Eh3MZYHI reason="signing key too small" As well as DKIM sign the message: DKIM-Filter: OpenDKIM Filter v2.11.0 cipher.example.com E73BC3F217 Authentication-Results: cipher.example.com; dkim=policy reason="signing key too small" (512-bit key, unprotected) header.d=hotelplanner.com header.i=@hotelplanner.com header.a=rsa-sha256 header.s=HotelPlanner header.b=Eh3MZYHI Thanks for any guidance. Alex ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
Wietse Venema via Postfix-users: > Arnie T via Postfix-users: > > main.cf: > > var_SHDQS=xxx > > postscreen_dnsbl_reply_map = > > texthash:/etc/postfix/postscreen_dnsbl_reply_map > > > > cat /etc/postfix/postscreen_dnsbl_reply_map > > ${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11] 554 > > $rbl_class $rbl_what blocked using ZEN - see > > https://www.spamhaus.org/query/ip/$client_address for details > > Caution: postscreen_dnsbl_reply_map is searched without the =address-filter. > See my other mssage in this thread. > > Caution: ${foo} expansion happens only in main.cf or master.cf, and in > features > where this is explicitly promised such as rbl_reply_maps lookup results. > > If you must have ${foo} expansion in table lookup keys, you could > use an inline:{...} table. But then you must quote the $ on the > right-hand side: > > main.cf: > var_SHDQS = xxx > postscreen_dnsbl_reply_map = inline:{ > { ${var_SHDQS}.zen.dq.spamhaus.net 554 $$rbl_class $$rbl_what > blocked u sing ZEN - see https://www.spamhaus.org/query/ip/$$client_address > for details } > { ... } } This is a bad example, because postscreen_dnsbl_reply_map does not expand $name in its lookup result. rbl_reply_maps does that. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
Arnie T via Postfix-users: > main.cf: > var_SHDQS=xxx > postscreen_dnsbl_reply_map = > texthash:/etc/postfix/postscreen_dnsbl_reply_map > > cat /etc/postfix/postscreen_dnsbl_reply_map > ${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11] 554 > $rbl_class $rbl_what blocked using ZEN - see > https://www.spamhaus.org/query/ip/$client_address for details Caution: postscreen_dnsbl_reply_map is searched without the =address-filter. See my other mssage in this thread. Caution: ${foo} expansion happens only in main.cf or master.cf, and in features where this is explicitly promised such as rbl_reply_maps lookup results. If you must have ${foo} expansion in table lookup keys, you could use an inline:{...} table. But then you must quote the $ on the right-hand side: main.cf: var_SHDQS = xxx postscreen_dnsbl_reply_map = inline:{ { ${var_SHDQS}.zen.dq.spamhaus.net 554 $$rbl_class $$rbl_what blocked u sing ZEN - see https://www.spamhaus.org/query/ip/$$client_address for details } { ... } } Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
Viktor Dukhovni via Postfix-users: > You need to use the same table for both smtpd(8) and postscreen(8). > That is: > > rbl_reply_maps = ... some table ... > postscreen_dnsbl_reply_map = ... same table ... > > And of course that table needs to match all the applicable keys. This is important: * postscreen_dnsbl_reply_map is searched with the domain name, but without the optional "=address-filter" and "*weight". * rbl_reply_maps is searched with the domain, including the optional "=address-filter" (reject_rbl_* do not support for *weight). It is only a few weeks ago that I added support to also search without the optional "=address-filter". Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
On Sat, Aug 03, 2024 at 04:54:57PM +, Arnie T via Postfix-users wrote: > > > It looks like it's using the "default_rbl_reply" instead of the match > > > from "postscreen_dnsbl_reply_map". > > > > That parameter is not applicable for connections passed to smtpd(8). > > I'm not clear on that. > It seems to be using the form in that map. As documented, "postscreen_dnsbl_reply_map" is used only by postscreen(8). > > And of course that table needs to match all the applicable keys. > > I guess that's the first question then. > Why DIDN'T it match+reject "@ postscreen", passing it through to the internal > smtpd instead? That's a distraction. It is sure to happen for various reasons from time to time. So you need to have a working table for both postscreen(8) and smtpd(8). You can study the documentation related to postscreen(8) some time later, once you've solved the problem at hand. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
Hello, > Why empty unless under stress??? I've no idea yet. I hadn't gotten that far. Was starting with 'first contact' -- at postscreen -- and working inwards. > > cat /etc/postfix/postscreen_dnsbl_reply_map > Only used by postscreen(8).! > This was not blocked by postscreen(8) and so was handled by smtpd(8), Aha, ok. I thought that was postscreen. I misunderstood the flow. Thanks. > > It looks like it's using the "default_rbl_reply" instead of the match from > > "postscreen_dnsbl_reply_map". > > That parameter is not applicable for connections passed to smtpd(8). I'm not clear on that. It seems to be using the form in that map. > You need to use the same table for both smtpd(8) and postscreen(8). > That is: > > rbl_reply_maps = ... some table ... > postscreen_dnsbl_reply_map = ... same table ... Ok that I can do. > And of course that table needs to match all the applicable keys. I guess that's the first question then. Why DIDN'T it match+reject "@ postscreen", passing it through to the internal smtpd instead? Thanks. -- Arnie ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen_dnsbl_reply_map not matching/replacing in replies ?
On Sat, Aug 03, 2024 at 04:23:33PM +, Arnie T via Postfix-users wrote: > postscreen_dnsbl_reply_map = > texthash:/etc/postfix/postscreen_dnsbl_reply_map > >>> rbl_reply_maps = > ${stress?lmdb:/etc/postfix/smtpd_dnsbl_reply_maps} > default_rbl_reply = $rbl_code Service unavailable; REJECT: ( > $rbl_class [$rbl_what] ) listed at $rbl_domain${rbl_reason?; $rbl_reason} Why empty unless under stress??? > cat /etc/postfix/postscreen_dnsbl_reply_map Only used by postscreen(8).! > Running tests from Spamhaus I get a > > 2024-08-02T07:30:14.710397-04:00 arizona postfix/ps-int/smtpd[52267]: > NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 > 5.7.1 Service unavailable; REJECT: ( Helo command [zrd-dqs.blt.spamhaus.net] > ) listed at xxx.zrd.dq.spamhaus.net; zrd-dqs.blt.spamhaus.net first > seen around 01-Aug-2024 15:00 UTC; from= > to= proto=ESMTP helo= This was not blocked by postscreen(8) and so was handled by smtpd(8), whose RBL reply map is empty! > Where you see > > xxx.zrd.dq.spamhaus.net > > being leaked in the 554 reply. As expected. > It looks like it's using the "default_rbl_reply" instead of the match from > "postscreen_dnsbl_reply_map". That parameter is not applicable for connections passed to smtpd(8). > I think maybe that's the actual problem -- using the wrong match? > Or is my texthash: file used incorrectly? You need to use the same table for both smtpd(8) and postscreen(8). That is: rbl_reply_maps = ... some table ... postscreen_dnsbl_reply_map = ... same table ... And of course that table needs to match all the applicable keys. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] postscreen_dnsbl_reply_map not matching/replacing in replies ?
Hello, I am working on upgrading an old and pretty broken Postfix setup I inherited. I managed to get it cleaned up, and running on Postfix v3.9. The server's using Spamhaus DQS dnsbls @ postscreen, and the policy it uses is reject on match. They're working like they should for postscreen, rejecting when there's a match. But it appears to be leaking the DQS password in the response. I read the Postfix docs a few times, and thought I got it right. But clearly, I'm missing something :-/ For example, with cat master.cf [mx.example.com]:25 inet n - n - 1 postscreen -o smtpd_service_name=ps-int ... ps-int pass - - n - - smtpd -o syslog_name=postfix/ps-int ... cat main.cf var_SHDQS=xxx postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map rbl_reply_maps = ${stress?lmdb:/etc/postfix/smtpd_dnsbl_reply_maps} default_rbl_reply = $rbl_code Service unavailable; REJECT: ( $rbl_class [$rbl_what] ) listed at $rbl_domain${rbl_reason?; $rbl_reason} cat /etc/postfix/postscreen_dnsbl_reply_map ${var_SHDQS}.zen.dq.spamhaus.net=127.0.0.[2..11] 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details ${var_SHDQS}.dbl.dq.spamhaus.net=127.0.1.[2..99] 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details ${var_SHDQS}.zrd.dq.spamhaus.net=127.0.2.[2..24] 554 $rbl_class $rbl_what blocked using ZRD - domain too young ${var_SHDQS}.zen.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZEN - see https://www.spamhaus.org/query/ip/$client_address for details ${var_SHDQS}.dbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using DBL - see $rbl_txt for details ${var_SHDQS}.zrd.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using ZRD - domain too young ${var_SHDQS}.sbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using SBL - see $rbl_txt for details ${var_SHDQS}.xbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using XBL - see $rbl_txt for details ${var_SHDQS}.pbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using PBL - see $rbl_txt for details ${var_SHDQS}.sbl-xbl.dq.spamhaus.net 554 $rbl_class $rbl_what blocked using SBL+XBL - see $rbl_txt for details Running tests from Spamhaus I get a 2024-08-02T07:30:14.710397-04:00 arizona postfix/ps-int/smtpd[52267]: NOQUEUE: reject: RCPT from unlisted.blt.spamhaus.net[199.168.89.101]: 554 5.7.1 Service unavailable; REJECT: ( Helo command [zrd-dqs.blt.spamhaus.net] ) listed at xxx.zrd.dq.spamhaus.net; zrd-dqs.blt.spamhaus.net first seen around 01-Aug-2024 15:00 UTC; from= to= proto=ESMTP helo= Where you see xxx.zrd.dq.spamhaus.net being leaked in the 554 reply. It looks like it's using the "default_rbl_reply" instead of the match from "postscreen_dnsbl_reply_map". I think maybe that's the actual problem -- using the wrong match? Or is my texthash: file used incorrectly? I'd appreciate any hints here! Thanks. -- Arnie ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Sat, Aug 03, 2024 at 10:54:46AM -0400, John Thorvald Wodder II via Postfix-users wrote: > > maybe this header_checks example works : > > /^(To|From|Cc|Reply-To):.*@stupidspammers\.example/ DISCARD > > postmap /etc/postfix/header_checks > > and in main.cf : > > header_checks = regexp:/etc/postfix/header_checks > > postfix reload > > should work.. > > I'll consider this solution. The proposed "solution" is clumsy at best. - One should not try to index "regexp" tables via postmap(1). - One should use "pcre" instead of "regexp" whenever available. - Headers are easily spoofed, and are optional (may be missing) - The proposed header_checks pattern is fragile. - It is best to avoid parsing RFC822 addresses with regular expressions, the syntax is difficult to get right. Somewhat closer (PCRE) would be: if /^From:/ # Rough check that "example" is the last domain part label /@spammer\.example\s*([>,(]|$) endif but the same spammer can choose many other domains, or not include a "From:" header at all. Despite your reluctance to filter by IP address, that (plus message content scoring) really is the best indication of whether a message is or isn't spam. Individual headers are low-quality signals. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Jul 30, 2024, at 16:52, Dimitris T. via Postfix-users wrote: > > not sure why you don't just block the ip/subnet of that client in firewall > (?) or just try postscreen + postscreen_access_list with client ip/subnet.. I wouldn't expect IP-based blocking to work for long, as servers can change IP addresses. That's one of the reasons for the domain name system in the first place, isn't it? > is it coming from gmail or another too-big-to-block sender? > >> The "access" file currently contains REJECT lines for both "spamgateway.nil" >> (no leading period) and ".spamgateway.nil" (leading period), and I did the >> postmap-and-restart dance after updating it, but the e-mails are still >> coming through. My understanding (see also Wietse's first response) is that >> adding "stupidspammers.example" won't accomplish anything, as that domain is >> only in the message headers and isn't the domain of the actual server the >> e-mails are coming from. >> > > maybe this header_checks example works : > /^(To|From|Cc|Reply-To):.*@stupidspammers\.example/ DISCARD > postmap /etc/postfix/header_checks > and in main.cf : > header_checks = regexp:/etc/postfix/header_checks > postfix reload > should work.. I'll consider this solution. -- John Wodder ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Jul 31, 2024, at 06:05, Jaroslaw Rafa via Postfix-users wrote: > > Dnia 30.07.2024 o godz. 16:19:01 John Thorvald Wodder II via Postfix-users > pisze: >> The "access" file currently contains REJECT lines for both >> "spamgateway.nil" (no leading period) and ".spamgateway.nil" (leading >> period), and I did the postmap-and-restart dance after updating it, but >> the e-mails are still coming through. My understanding (see also Wietse's >> first response) is that adding "stupidspammers.example" won't accomplish >> anything, as that domain is only in the message headers and isn't the >> domain of the actual server the e-mails are coming from. > >> From what I see in your config, your "access" file is referred to via > check_sender_access, so it will work if - and only if - the *envelope > sender* of the message is "someth...@spamgateway.nil" or > "someth...@subdomain.spamgateway.nil". Do you see that sender address in > your logs? No, I do not. > If it's only the *connecting client IP address* that resolves to > somehost.spamgateway.nil, and the sender's domain is different, then you > should use check_client_access, not check_sender_access. I see. I didn't deduce that from the documentation. That would explain why none of my attempts worked. If I never reply with any follow-up problems, assume this worked. -- John Wodder ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: local_login_sender_maps
Jesper Dybdal via Postfix-users: > I'm about to upgrade my Debian system to Bookworm, and thus to postfix 3.7. > > That will allow me to use "local_login_sender_maps". I have a few > stupid questions about that: > > * What is the precise syntax of the right-hand-side patterns? Does > ".example.com" match subdomains of example.com as it does in an access > table? https://www.postfix.org/postconf.5.html#local_login_sender_maps It has examples for normal users who can only send mail as themselves, and for special users who can impersonate others. If it is incomplete, suggestions are welcome. But I would describe only what local_login_sender_maps does, not spend words on the entire universe of things that local_login_sender_maps does not doe. > * Is it reasonable to assume that a normal user has no valid reason for > ever using a sender address that is not his own and does not belong to > his domain? So for a user with two Unix usernames and two separate > domains, I could configure it as: > /^(root|postfix)$/ * > /^(jd|jdmobile)$/ $1 $1...@mailserver.example.org > @mydomain1.example.com @mydomain2.example.com Where does the documetation prmise that? The documentation does not describe the universe of all the things that local_login_sender_maps does not do. > * Is it reasonable to assume that a normal user has no valid reason for > ever using the sender address "<>"? Yes and that is why the example does not suggest <> for "normal" users. > * is it correctly understood that with "local_login_sender_maps" in use, > "authorized_submit_users" becomes redundant? No. Where does the documentation promise that? > * I wonder why "local_login_sender_maps" and "smtpd_sender_login_maps" > work in opposite directions: they basically contain equivalent (or even > equal) information, but "local_login_sender_maps" looks up a username > to find allowed addresses, while "smtpd_sender_login_maps" looks up an > address to find users that may use that address. I have no doubt that > there is a good reason, but it escapes me for the moment - and I am curious. That was decided in Postfix 3.6. You can look up the discussion thread on-line (Octovber 2020, Subject "Accessing the sending user from a canonical(5) table"); Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] local_login_sender_maps
I'm about to upgrade my Debian system to Bookworm, and thus to postfix 3.7. That will allow me to use "local_login_sender_maps". I have a few stupid questions about that: * What is the precise syntax of the right-hand-side patterns? Does ".example.com" match subdomains of example.com as it does in an access table? * Is it reasonable to assume that a normal user has no valid reason for ever using a sender address that is not his own and does not belong to his domain? So for a user with two Unix usernames and two separate domains, I could configure it as: /^(root|postfix)$/ * /^(jd|jdmobile)$/ $1 $1...@mailserver.example.org @mydomain1.example.com @mydomain2.example.com ? * Is it reasonable to assume that a normal user has no valid reason for ever using the sender address "<>"? * is it correctly understood that with "local_login_sender_maps" in use, "authorized_submit_users" becomes redundant? * I wonder why "local_login_sender_maps" and "smtpd_sender_login_maps" work in opposite directions: they basically contain equivalent (or even equal) information, but "local_login_sender_maps" looks up a username to find allowed addresses, while "smtpd_sender_login_maps" looks up an address to find users that may use that address. I have no doubt that there is a good reason, but it escapes me for the moment - and I am curious. Thanks, Jesper -- Jesper Dybdal https://www.dybdal.dk ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Null MX or not?
It appears that Laura Smith via Postfix-users said: > > > >> My doubt is that since the outgoing email server identifies itself as >> host1.example.com in the EHLO, is there a requirement or even an >> expectation that postmas...@example.com will be able to receive email. > > >I think the reality is that we are in 2024, and the chances of a human reading >postmaster@ are about the same as a human reading abuse@ >i.e. nil. > >The whole null-MX thing is very much perceived as the gold standard in >security conscious environments, The reason we did null MX is to prevent fallback to A records. If you have a domain that accepts no mail, but has an A record because it has a web server, if you try and send it mail your mail server will try and fail to connect to the A record server until it times out, probably a day or two later and only then will you get the failure message. If you publish MX 0 . the mail will fail instantly and you'll know right away. I suppose there is some benefit in keeping probes away in case you screw up your config and enable a mail server by default, but the places that sweep the whole IP space will find them anyway. R's, John ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Use different transport map for submission
D?vis Mos?ns via Postfix-users: > ceturtd., 2024. g. 1. aug., plkst. 09:10 ? lietot?js Wietse Venema via > Postfix-users () rakst?ja: > > > > Davis Mosans via Postfix-users: > > > Hi, > > > > > > I'm trying to setup Postfix in a way that will forward/relay all mail > > > on SMTP port 25 but send out (don't forward) email when receiving on > > > submission port 465. > > > > You cant to receive email on port 465 and want to send that out to > > the internet? That requires that the SMTP clients have relay > > permission (permit_sasl_authenticated, reject). > > > > You want to receive email on port 25 from local systems, and forward > > their messages to the internet? That requires that local SMTP clients > > have relay permission (permit_mynetworks, reject_unauth_destination). > > > > You want to receive email on port 25 from the internet and want to > > forward messages for specific destinations? See Configuring Postfix > > as primary or backup MX host for a remote site", > > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup > > > > You want to receive email on port 25 from anywhere on the internet > > and want to forward messages to anywhere on the internet? Don't do > > that. > > > > None of that is what I want. Also it's not about permissions, those work fine. > What I want is forward incoming email on port 25 to internal email > server but at same time deliver outgoing email from port 465 and that > shouldn't be forwarded to internal server. You don't need two instances for that. One will do just fine. - Receive email on port 465 and to send that out to the internet. That is handled by the smtps or submissions example in master.cf. No transport map needed. Just remove the '#' from those lines. - Receive email on port 25 from the internet and forward messages for specific destinations? That involves a transport map and relay_domains as described in https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: QueueId for rcpt-to milter?
postfix--- via Postfix-users: > >> > Is there anyway to get postfix to assign the queueId before invoking > >> > the milters during the rcpt-to stage? > >> > >> smtpd_delay_open_until_valid_rcpt = no > > > > > > Almost: the RCPT TO is valid AFTER the Milter accepts it. That is the case with "smtpd_delay_open_until_valid_rcpt = yes". > I don't understand what you mean by that. > I did a test, set the delay to no, and the queueId was available > to the milter during RCPT-TO even when the milter 5xx rejected the > mail. Agreed, I was lookiong at the wrong code path. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: QueueId for rcpt-to milter?
> Is there anyway to get postfix to assign the queueId before invoking > the milters during the rcpt-to stage? smtpd_delay_open_until_valid_rcpt = no Almost: the RCPT TO is valid AFTER the Milter accepts it. Wietse I don't understand what you mean by that. I did a test, set the delay to no, and the queueId was available to the milter during RCPT-TO even when the milter 5xx rejected the mail. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: QueueId for rcpt-to milter?
Bill Cole via Postfix-users: > On 2024-08-01 at 16:04:59 UTC-0400 (Thu, 01 Aug 2024 16:04:59 -0400) > postfix--- via Postfix-users > is rumored to have said: > > > Im sure the answer is NO, but you don't know if you don't ask. > > You're wrong :) > > > Is there anyway to get postfix to assign the queueId before invoking > > the milters during the rcpt-to stage? > > smtpd_delay_open_until_valid_rcpt = no Almost: the RCPT TO is valid AFTER the Milter accepts it. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: QueueId for rcpt-to milter?
Is there anyway to get postfix to assign the queueId before invoking the milters during the rcpt-to stage? smtpd_delay_open_until_valid_rcpt = no Thanks. No wonder i couldn't find it by searching for Queue Id in the docs. I didn't think to search for NOQUEUE. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: QueueId for rcpt-to milter?
On 2024-08-01 at 16:04:59 UTC-0400 (Thu, 01 Aug 2024 16:04:59 -0400) postfix--- via Postfix-users is rumored to have said: Im sure the answer is NO, but you don't know if you don't ask. You're wrong :) Is there anyway to get postfix to assign the queueId before invoking the milters during the rcpt-to stage? smtpd_delay_open_until_valid_rcpt = no -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Robert L Mathews via Postfix-users wrote in : |On Jul 31, 2024, at 1:19 AM, Matus UHLAR - fantomas via Postfix-users \ | wrote: |> FYI Mailman 2 claims to rewrite From: header to fullfill DMARC requireme\ |> nts only when DMARC policy is "quarantine" or "reject" | |That's the "dmarc_moderation_action" option in the "Sender filters" \ |section of the Mailman interface [1]. | |But there's also another option in the General Options section called \ |"from_is_list" [2] that does it for all messages. If set to "Munge \ |From", it "replaces the From: header address with the list's posting \ |address to mitigate issues stemming from the original From: domain's \ |DMARC or similar policies and puts the original From: address in a \ |Reply-To: header". Yes, me too, mailman 2 here now has REMOVE_DKIM_HEADERS = 3 ^ (i feel bad on that, but for now it is like that) DEFAULT_FROM_IS_LIST = 1 #DEFAULT_DMARC_MODERATION_ACTION = 1 #DEFAULT_DMARC_NONE_MODERATION_ACTION = Yes .. MIME_DIGEST_KEEP_HEADERS += [ 'Mail-Followup-To' ] ALLOW_SENDER_OVERRIDES = No (But do not ask me no questions.) --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) | | Only during dog days: | On the 81st anniversary of the Goebbel's Sportpalast speech | von der Leyen gave an overlong hypocritical inauguration one. | The brew's essence of our civilizing advancement seems o be: | Total war - shortest war -> Permanent war - everlasting war ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] QueueId for rcpt-to milter?
Im sure the answer is NO, but you don't know if you don't ask. Is there anyway to get postfix to assign the queueId before invoking the milters during the rcpt-to stage? My end goal is trying to track the email, so logic in the milter during the rcpt-to stage can have a header added later in the data stage. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
On Jul 31, 2024, at 1:19 AM, Matus UHLAR - fantomas via Postfix-users wrote: > > FYI Mailman 2 claims to rewrite From: header to fullfill DMARC requirements > only when DMARC policy is "quarantine" or "reject" That's the "dmarc_moderation_action" option in the "Sender filters" section of the Mailman interface [1]. But there's also another option in the General Options section called "from_is_list" [2] that does it for all messages. If set to "Munge From", it "replaces the From: header address with the list's posting address to mitigate issues stemming from the original From: domain's DMARC or similar policies and puts the original From: address in a Reply-To: header". [1] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#Sender_filters [2] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#line-163 -- Robert L Mathews ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
Bill Cole via Postfix-users skrev den 2024-08-01 16:33: OMG, I am apparently non-human... Mail systems and their rates of abuse and/or technical trouble vary greatly. Yes, score=5.773 tagged_above=-999 required=5 tests=[AUTHRES_ARC_NONE=0.5, AUTHRES_DKIM_FAIL=0.5, AUTHRES_DMARC_NONE=1.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, GREY_TLDS=0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-0.1, RELAYCOUNTRY_GREY=0.1, SPF_HELO_PASS=-0.1, SPF_SOFTFAIL=3.472] autolearn=no autolearn_force=no sys4.de please solve spf softfails ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
El jue, 01-08-2024 a las 07:32 +, Laura Smith via Postfix-users escribió: > > > > > My doubt is that since the outgoing email server identifies itself as > > host1.example.com in the EHLO, is there a requirement or even an > > expectation that postmas...@example.com will be able to receive email. > > > I think the reality is that we are in 2024, and the chances of a human > reading postmaster@ are about the same as a human reading abuse@ > i.e. nil. I have to digress, at our mid-sized university with over 35 /24 routeable IPv4 address blocks (plus one /48 IPv6 one) and over 100k active mail addresses, our teams take very seriously the postmaster and abuse inboxes, as do other sysadmins I know at other universities and some small ISPs. -- Victoriano Giralt Head of Systems Administration Service Central ICT ServicesUniversity of Malaga +34952131415SPAIN == Note: signature.asc is the electronic signature of present message A: Yes. > Q: Are you sure ? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting annoying in email ? signature.asc Description: This is a digitally signed message part ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Use different transport map for submission
ceturtd., 2024. g. 1. aug., plkst. 14:10 — lietotājs Viktor Dukhovni via Postfix-users () rakstīja: > > On Thu, Aug 01, 2024 at 12:54:16AM +0300, Dāvis Mosāns via Postfix-users > wrote: > > > and in master.cf I have: > > submissions inet n - n - - smtpd > >-o syslog_name=postfix/submissions > >-o smtpd_tls_wrappermode=yes > >-o smtpd_tls_security_level=encrypt > >-o smtpd_sasl_auth_enable=yes > >-o transport_maps=lmdb:/etc/postfix/submission_transport > > > > where submission_transport is empty file. > > This can't work, because the transport lookups that *matter* are > performed by qmgr(8) during delivery from the active queue, not smtpd(8) > while adding the message to the queue. There's only one shared qmgr(8), > so the transport(8) table is effectively global. > > If you want separate routing (transport table) of incoming and outgoing mail, > you need multiple Postfix instances. > > https://www.postfix.org/MULTI_INSTANCE_README.html > Nice! That works :) I created 2 instances where one master.cf has submissions inet n - n - - smtpd smtp unix - - n - - smtp without transport_maps and other has smtp inet n - n - - smtpd with transport_maps now it works exactly as I wanted. Also it turned out that I needed "smtp unix" otherwise it was failing with: postfix/qmgr[13862]: warning: connect to transport private/smtp: Connection refused Thanks! ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Use different transport map for submission
ceturtd., 2024. g. 1. aug., plkst. 09:10 — lietotājs Wietse Venema via Postfix-users () rakstīja: > > Davis Mosans via Postfix-users: > > Hi, > > > > I'm trying to setup Postfix in a way that will forward/relay all mail > > on SMTP port 25 but send out (don't forward) email when receiving on > > submission port 465. > > You cant to receive email on port 465 and want to send that out to > the internet? That requires that the SMTP clients have relay > permission (permit_sasl_authenticated, reject). > > You want to receive email on port 25 from local systems, and forward > their messages to the internet? That requires that local SMTP clients > have relay permission (permit_mynetworks, reject_unauth_destination). > > You want to receive email on port 25 from the internet and want to > forward messages for specific destinations? See Configuring Postfix > as primary or backup MX host for a remote site", > https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup > > You want to receive email on port 25 from anywhere on the internet > and want to forward messages to anywhere on the internet? Don't do > that. > None of that is what I want. Also it's not about permissions, those work fine. What I want is forward incoming email on port 25 to internal email server but at same time deliver outgoing email from port 465 and that shouldn't be forwarded to internal server. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
I concur. My domain is a personal one for the use of me and my family. As such, there should not be an issue with other users sending spam or the like which would trigger mail to postmaster or abuse so the mail to those addresses is miniscule. And internally, they’re just forwarding addresses to my own email address. Should there be mail to one of them (the annual volume can be easily counted on one hand), they just show up in my personal email. -- Larry Stone lston...@stonejongleux.com > On Aug 1, 2024, at 7:33 AM, Bill Cole via Postfix-users > wrote: > > On 2024-08-01 at 03:32:52 UTC-0400 (Thu, 01 Aug 2024 07:32:52 +) > Laura Smith via Postfix-users > is rumored to have said: > My doubt is that since the outgoing email server identifies itself as > host1.example.com in the EHLO, is there a requirement or even an > expectation that postmas...@example.com will be able to receive email. > I think the reality is that we are in 2024, and the chances of a human > reading postmaster@ are about the same as a human reading abuse@ i.e. > nil. > OMG, I am apparently non-human... > Mail systems and their rates of abuse and/or technical trouble vary greatly. > > > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) > Not Currently Available For Hire > > ___ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
On 2024-08-01 at 03:32:52 UTC-0400 (Thu, 01 Aug 2024 07:32:52 +) Laura Smith via Postfix-users is rumored to have said: My doubt is that since the outgoing email server identifies itself as host1.example.com in the EHLO, is there a requirement or even an expectation that postmas...@example.com will be able to receive email. I think the reality is that we are in 2024, and the chances of a human reading postmaster@ are about the same as a human reading abuse@ i.e. nil. OMG, I am apparently non-human... Mail systems and their rates of abuse and/or technical trouble vary greatly. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: always_bcc colliding with access(5) REDIRECT action
Viktor Dukhovni via Postfix-users: > On Wed, Jul 31, 2024 at 01:10:46PM -0400, Wietse Venema via Postfix-users > wrote: > > > > > Now I tried to redirect mails from my private address sent to anybody > > > > at charite.de to be redirected to someone else in the organisation, > > > > like this: > > > > > > > > rxlf.hildebra...@gmail.com REDIRECT toscx.hrn...@charite.de > > > > Added to the text for REDIRECT actions: > > > > Note 2: a REDIRECT address is subject to canonicalization (add > > missing domain) but NOT subject to canonical, masquerade, bcc, > > or virtual alias mapping. > > > > Note the difference with automatic BCC recipients. The reason for > > this difference is not obvious because it is purely technical. > > > > The excluded mappings are in the code path that generates ordinary > > recipient records, and the REDIRECT address is not in an ordinary > > recipient record. > > > > This could be fixed (reuse the code path) but it is a rare edge case. > > It would open the possibiliy to redirect to multiple recipients. > > Address rewriting of course happens in cleanup, while REDIRECT actions > are processed in qmgr(8), and is much simpler when it is just one > explicit address. > > Making REDIRECT match na?ve user expectations, means new rewriting of > REDIRECT in cleanup(8) potentially yielding multiple REDIRECT > recipients. And new logic in qmgr(8) to handle multiple redirect > recipients. > > And of course, we'd probably still want the last "REDIRECT" access(5) > action to replace any prior redirects, rather than append to a list, > which probably means buffering the REDIRECT recipient util EOM, and > sending just that last one to cleanup(8) as one of the post-message > envelope records. > > A non-trivial change, but perhaps something that most users would > reasonably expect? It's called 'technical debt' when a quick hack has non-obvious limitations. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: always_bcc colliding with access(5) REDIRECT action
* Viktor Dukhovni via Postfix-users : > Making REDIRECT match naïve user expectations, ey! :) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
On Thu, Aug 01, 2024 at 07:32:52AM +, Laura Smith via Postfix-users wrote: > I think the reality is that we are in 2024, and the chances of a human > reading postmaster@ are about the same as a human reading abuse@ > i.e. nil. This may be true for the too-big-to-fail mail providers, but postmaster@ is in fact read (and should be read) by a human at a non-trivial fraction of smaller operators. That way, they get to receive useful reports about problems with their domains. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
On 01/08/2024 09:32, Laura Smith via Postfix-users wrote: My doubt is that since the outgoing email server identifies itself as host1.example.com in the EHLO, is there a requirement or even an expectation that postmas...@example.com will be able to receive email. I think the reality is that we are in 2024, and the chances of a human reading postmaster@ are about the same as a human reading abuse@ i.e. nil. The whole null-MX thing is very much perceived as the gold standard in security conscious environments, e.g. https://www.gov.uk/guidance/protect-domains-that-dont-send-email and https://en.internet.nl/article/x-xss-protection-removed-and-improvement-for-no-mx-domains/ etc. etc. etc. etc. etc. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org Thanks Laura, Victor and Wietse for your responses. This info is very helpful. Thanks for sharing your knowledge and insights. John ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: always_bcc colliding with access(5) REDIRECT action
On Wed, Jul 31, 2024 at 01:10:46PM -0400, Wietse Venema via Postfix-users wrote: > > > Now I tried to redirect mails from my private address sent to anybody > > > at charite.de to be redirected to someone else in the organisation, > > > like this: > > > > > > rxlf.hildebra...@gmail.com REDIRECT toscx.hrn...@charite.de > > Added to the text for REDIRECT actions: > > Note 2: a REDIRECT address is subject to canonicalization (add > missing domain) but NOT subject to canonical, masquerade, bcc, > or virtual alias mapping. > > Note the difference with automatic BCC recipients. The reason for > this difference is not obvious because it is purely technical. > > The excluded mappings are in the code path that generates ordinary > recipient records, and the REDIRECT address is not in an ordinary > recipient record. > > This could be fixed (reuse the code path) but it is a rare edge case. > It would open the possibiliy to redirect to multiple recipients. Address rewriting of course happens in cleanup, while REDIRECT actions are processed in qmgr(8), and is much simpler when it is just one explicit address. Making REDIRECT match naïve user expectations, means new rewriting of REDIRECT in cleanup(8) potentially yielding multiple REDIRECT recipients. And new logic in qmgr(8) to handle multiple redirect recipients. And of course, we'd probably still want the last "REDIRECT" access(5) action to replace any prior redirects, rather than append to a list, which probably means buffering the REDIRECT recipient util EOM, and sending just that last one to cleanup(8) as one of the post-message envelope records. A non-trivial change, but perhaps something that most users would reasonably expect? -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: always_bcc colliding with access(5) REDIRECT action
* Wietse Venema via Postfix-users : > Is this an unexpanded virtual alias? Yes > The 'redirect' recipient is not subject > to canonical mapping, masquerading, or virtual alias mapping. That explains it. > There were two recipients: the BCC recipient that was found in > recipient_bcc_maps, and the RCPT TO recipient that was used to > search recipient_bcc_maps. Yes > Let's first see why toscx.hrn...@charite.de' is bounced. Probably, because no address expansion was made. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
> My doubt is that since the outgoing email server identifies itself as > host1.example.com in the EHLO, is there a requirement or even an > expectation that postmas...@example.com will be able to receive email. I think the reality is that we are in 2024, and the chances of a human reading postmaster@ are about the same as a human reading abuse@ i.e. nil. The whole null-MX thing is very much perceived as the gold standard in security conscious environments, e.g. https://www.gov.uk/guidance/protect-domains-that-dont-send-email and https://en.internet.nl/article/x-xss-protection-removed-and-improvement-for-no-mx-domains/ etc. etc. etc. etc. etc. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Use different transport map for submission
On Thu, Aug 01, 2024 at 12:54:16AM +0300, Dāvis Mosāns via Postfix-users wrote: > and in master.cf I have: > submissions inet n - n - - smtpd >-o syslog_name=postfix/submissions >-o smtpd_tls_wrappermode=yes >-o smtpd_tls_security_level=encrypt >-o smtpd_sasl_auth_enable=yes >-o transport_maps=lmdb:/etc/postfix/submission_transport > > where submission_transport is empty file. This can't work, because the transport lookups that *matter* are performed by qmgr(8) during delivery from the active queue, not smtpd(8) while adding the message to the queue. There's only one shared qmgr(8), so the transport(8) table is effectively global. If you want separate routing (transport table) of incoming and outgoing mail, you need multiple Postfix instances. https://www.postfix.org/MULTI_INSTANCE_README.html -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
On Wed, Jul 31, 2024 at 10:36:00PM +0200, John Fawcett via Postfix-users wrote: > My first thought was to follow RFC7505 and define null mx records for my > example.com that has no email accounts, so no server will bother to try and > deliver email to it. > > https://www.rfc-editor.org/rfc/rfc7505.html Nothing to worry about, just do it. There is no implication that hosts under that no host in that domain is an MTA for some other domain. > My doubt is that since the outgoing email server identifies itself as > host1.example.com in the EHLO, is there a requirement or even an expectation > that postmas...@example.com will be able to receive email. In that case I'd > need to define an incoming email server only for that purpose, since there > are no other email addresses in my example.com Not a concern. So long as the HELO name has an IP address that ideally resolves back to (just) that name, you're all set. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Use different transport map for submission
Davis Mosans via Postfix-users: > Hi, > > I'm trying to setup Postfix in a way that will forward/relay all mail > on SMTP port 25 but send out (don't forward) email when receiving on > submission port 465. You cant to receive email on port 465 and want to send that out to the internet? That requires that the SMTP clients have relay permission (permit_sasl_authenticated, reject). You want to receive email on port 25 from local systems, and forward their messages to the internet? That requires that local SMTP clients have relay permission (permit_mynetworks, reject_unauth_destination). You want to receive email on port 25 from the internet and want to forward messages for specific destinations? See Configuring Postfix as primary or backup MX host for a remote site", https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup You want to receive email on port 25 from anywhere on the internet and want to forward messages to anywhere on the internet? Don't do that. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Use different transport map for submission
Hi, I'm trying to setup Postfix in a way that will forward/relay all mail on SMTP port 25 but send out (don't forward) email when receiving on submission port 465. In main.cf I have: transport_maps = lmdb:/etc/postfix/transport and inside there I have * smtp:[internal.example.org]:2525 and in master.cf I have: submissions inet n - n - - smtpd -o syslog_name=postfix/submissions -o smtpd_tls_wrappermode=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o transport_maps=lmdb:/etc/postfix/submission_transport where submission_transport is empty file. But when sent thru submission it still forwards those emails so it doesn't work. Any ideas how to configure setup like this? Thanks! Best regards, Dāvis ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
On 31/07/2024 23:34, Wietse Venema via Postfix-users wrote: I came across something that I have not seen before: a domain (call it example.com) that has no email addresses. No one sends or receives email for that domain. If there is no email from sen...@example.com, the domain should say so in SPF, DKIM, DMARC, and so on. Cloudflare has a webpage on how to protect domains that do not send email. Thanks Wietse I saw that My doubt is that since the outgoing email server identifies itself as host1.example.com in the EHLO, is there a requirement or even an expectation that postmas...@example.com will be able to receive email. Presumably those other domains list host1.example.com as an authorized sender. Is that enough? If you're concnerned that the messages would be flagged as suspicious, then RFC's aren't the whole story. Wietse Yes, exactly my doubt, more about pratice than standards I guess. Thanks John ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [OT] Null MX or not?
> I came across something that I have not seen before: a domain (call it > example.com) that has no email addresses. No one sends or receives email > for that domain. If there is no email from sen...@example.com, the domain should say so in SPF, DKIM, DMARC, and so on. Cloudflare has a webpage on how to protect domains that do not send email. > My doubt is that since the outgoing email server identifies itself as > host1.example.com in the EHLO, is there a requirement or even an > expectation that postmas...@example.com will be able to receive email. Presumably those other domains list host1.example.com as an authorized sender. Is that enough? If you're concnerned that the messages would be flagged as suspicious, then RFC's aren't the whole story. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] [OT] Null MX or not?
Hi this is completely off topic for this list (there is only a marginal connection since Postfix is the MTA but it's not a Postfix question), but maybe someone has knowledge on this. I came across something that I have not seen before: a domain (call it example.com) that has no email addresses. No one sends or receives email for that domain. The domain has some hosts, e.g. host1.example.com etc which have webservers and postfix (null client configuration) used to send outgoing email for a domain which is NOT example.com. That other domain can receive email via its own incoming MX. My first thought was to follow RFC7505 and define null mx records for my example.com that has no email accounts, so no server will bother to try and deliver email to it. https://www.rfc-editor.org/rfc/rfc7505.html My doubt is that since the outgoing email server identifies itself as host1.example.com in the EHLO, is there a requirement or even an expectation that postmas...@example.com will be able to receive email. In that case I'd need to define an incoming email server only for that purpose, since there are no other email addresses in my example.com John ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: always_bcc colliding with access(5) REDIRECT action
I have updated some documentation: > > We have an always_bcc setup in place for incoming mails: > > > > recipient_bcc_maps = pcre:/etc/postfix/backup_bcc.pcre > > > > /^(.*)@charite\.de$/backup+${1}=charite.de@backup.invalid Added to the text for always_bcc, sender_bcc_maps, recipient_bcc_maps: Note: automatic BCC recipients are subject to address canonicalization (add missing domain), canonical_maps, masquerade_domains, and virtual_alias_maps. I think that automatic BCC recipients should not generate BCC recipients, to avoid a program loop. > > Now I tried to redirect mails from my private address sent to anybody > > at charite.de to be redirected to someone else in the organisation, > > like this: > > > > rxlf.hildebra...@gmail.com REDIRECT toscx.hrn...@charite.de Added to the text for REDIRECT actions: Note 2: a REDIRECT address is subject to canonicalization (add missing domain) but NOT subject to canonical, masquerade, bcc, or virtual alias mapping. Note the difference with automatic BCC recipients. The reason for this difference is not obvious because it is purely technical. The excluded mappings are in the code path that generates ordinary recipient records, and the REDIRECT address is not in an ordinary recipient record. This could be fixed (reuse the code path) but it is a rare edge case. It would open the possibiliy to redirect to multiple recipients. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: always_bcc colliding with access(5) REDIRECT action
Ralf Hildebrandt via Postfix-users: > We have an always_bcc setup in place for incoming mails: > > recipient_bcc_maps = pcre:/etc/postfix/backup_bcc.pcre > > /^(.*)@charite\.de$/backup+${1}=charite.de@backup.invalid > > Now I tried to redirect mails from my private address sent to anybody > at charite.de to be redirected to someone else in the organisation, > like this: > > rxlf.hildebra...@gmail.com REDIRECT toscx.hrn...@charite.de > > Now the following happened: The mails was not sent to the original > recipient (that was expected), but it also wasn't sent to > toscx.hrn...@charite.de -- but instead it went the way of the > always_bcc, but wan't delivered but bounced (according to the logs > below). No. The 'redirect' recipient toscx.hrn...@charite.de was bounced. That is the only recipient that Postfix should attempt to deliver to. > But in fact it didn't bounce (at least I didn't get anything back). > > Jul 31 09:24:13 mail-cbf-int extern/smtpd[2663640]: NOQUEUE: redirect: RCPT > from mail-ej1-f49.google.com[209.85.218.49]: : > Sender address triggers REDIRECT toscx.hrn...@charite.de; > from= to= > proto=ESMTP helo= > Jul 31 09:24:13 mail-cbf-int extern/smtpd[2663640]: 4WYk9n2SK3z20ycy: > client=mail-ej1-f49.google.com[209.85.218.49] (skipping cleanup header logging) > Jul 31 09:24:13 mail-cbf-int postfix/qmgr[1615285]: 4WYk9n2SK3z20ycy: > from=, size=3810, nrcpt=2 (queue active) > Jul 31 09:24:13 mail-cbf-int postfix/error[2664442]: 4WYk9n2SK3z20ycy: > to=, > orig_to=, relay=none, > delay=0.62, delays=0.57/0.02/0/0.03, dsn=5.1.1, status=bounced (User unknown) > Jul 31 09:24:13 mail-cbf-int postfix/qmgr[1615285]: 4WYk9n2SK3z20ycy: removed Here, the 'redirect' recipient 'toscx.hrn...@charite.de' is bounced. Is this an unexpanded virtual alias? The 'redirect' recipient is not subject to canonical mapping, masquerading, or virtual alias mapping. > Also note that is says "nrcpt=2", but is only being delivered (sort > of) once. Postfix 3.10-20240724 There were two recipients: the BCC recipient that was found in recipient_bcc_maps, and the RCPT TO recipient that was used to search recipient_bcc_maps. As the queue manager delivers mail, it sorts the recipients, based on queue, transport, domain, and localpart. Apparently, the BCC recipient sorted before the RCPT TO recipient. The queue mamager enforced the redirect once (with the BCC recipient), and ignored the other address (the RCPT TO recipient). When the queue manager redirects a recipient, it still logs 'original recipient' information. Thus, toscx.hrn...@charite.de was logged with the BCC address as the original recipient. Maybe it should not log original recipients with redirect, as that could be confusing when a message has more than one recipient. > I'm aware that is is some sort of bizarre edge-case. Let's first see why toscx.hrn...@charite.de' is bounced. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On 2024-07-30 at 16:13:07 UTC-0400 (Tue, 30 Jul 2024 16:13:07 -0400) John Thorvald Wodder II via Postfix-users is rumored to have said: I'm not claiming that "spamgateway.nil" is the actual domain. I'm using a placeholder here because I don't want to draw attention to an actual, real domain. The DEBUG README you linked to even says to anonymize host names. Are you expecting the domains to be anonymized exactly like "A.AAA" as in the README? I believe that the README is only referring to your own domain and host names. You have no obligation to protect the identity of spammers or the resources they use. If anything, it is better for us all if you name them precisely. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On 2024-07-30 at 15:28:58 UTC-0400 (Tue, 30 Jul 2024 15:28:58 -0400) John Thorvald Wodder II via Postfix-users is rumored to have said: (I previously posted this request for help on ServerFault but got no responses, so I'm hoping the official Postfix mailing list will go better.) This has always been a better resource, and with the whole StackExchange world now selling their data to feed LLMs, many have stopped contributing. It has been reported that users who tried to delete their past contributions to escape the pseudo-AI maw had their accounts locked. Of course, I'm sure this list is also being ingested by that beast via its many archive sites. I have an Ubuntu 22.04 cloud VM with Postfix 3.6.4-1ubuntu1.3 installed that I largely use for receiving e-mails sent to addresses at my personal domain that I provide when signing up for less-important website accounts. In the past few months, one of these addresses has been receiving too many unsolicited e-mails from the same domain that are managing to get through the server's basic spam defenses. I would like to block these e-mails at the Postfix level, and I thought I set things up properly, but the e-mails are still coming through. The "From" addresses for the spam e-mails all share the same domain — here "stupidspammers.example" — and they are all sent (per both the "Received:" headers and the mail logs) from a subdomain of "spamgateway.nil". I tried to block the e-mails as follows: 1. I created /etc/postfix/access with the following contents: stupidspammers.example REJECT 2. I ran `sudo postmap hash:/etc/postfix/access` 3. I added the line "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access" to /etc/postfix/main.cf 4. I restarted Postfix with `sudo systemctl restart postfix` That would be the working solution IF the 'stupidspammers.example' domain name was used for the SMTP envelope sender. If it is only in the From header, Postfix won't see that as the sender. Postfix can filter individual headers with header_checks but that mechanism is very simplistic. Minimally redacted logs and samples (headers only) would illuminate the issue. There is no valid reason to "protect" spammer resources like domain names and client IPs by replacing them with garbage. Real FACTS are much better. There is normally nothing in Postfix's logs that needs redaction except for your own local recipient addresses. When this setup proved insufficient, I changed the contents of /etc/postfix/access to "spamgateway.nil REJECT" and repeated steps 2 & 4. But why did you do that that? We do not know. We don't know where you're getting those fake names... If the SMTP client connecting to you has a DNS-verifiable hostname, you can use that in a map with check_client_access. If it uses a specific HELO name, you can use a map with check_helo_access. The check_sender_access directive ONLY checks the envelope sender (the MAIL FROM argument in SMTP.) All of this is in the documentation. 'man 5 postconf' will provide most of the details and the various README files included in the distribution cover many specific topics more coherently than the giant man page. The e-mails still kept coming through, so I tried adding the line ".spamgateway.nil REJECT" (with a leading period), but that didn't help either. I can't figure out what I'm doing wrong. Logs and samples would help... For the record, my /etc/postfix/main.cf (with some details removed) is: The output of 'postconf -nf' would be easier to analyze, as it only includes non-defaults and formats nicely. However, I did not see anything definitively bad in your config, but it is hard to know what is going wrong as you've replaced domain names in your description with garbage and not supplied logs or spam samples which would explain where you got the domains you're actually using to filter. All I can do is shrug and say "I guess you did it wrong." -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: always_bcc colliding with access(5) REDIRECT action
Ralf Hildebrandt via Postfix-users: > > Jul 31 09:24:13 mail-cbf-int postfix/error[2664442]: 4WYk9n2SK3z20ycy: > > to=, > > orig_to=, relay=none, > > delay=0.62, delays=0.57/0.02/0/0.03, dsn=5.1.1, status=bounced (User > > unknown) > > It works, if I replace toscx.hrn...@charite.de with the actual mailbox > address after address expansion (thrn...@exchange.charite.de) I thought that the whole point of REDIRECT is to ignore the message recipients. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
Dnia 30.07.2024 o godz. 16:19:01 John Thorvald Wodder II via Postfix-users pisze: > The "access" file currently contains REJECT lines for both > "spamgateway.nil" (no leading period) and ".spamgateway.nil" (leading > period), and I did the postmap-and-restart dance after updating it, but > the e-mails are still coming through. My understanding (see also Wietse's > first response) is that adding "stupidspammers.example" won't accomplish > anything, as that domain is only in the message headers and isn't the > domain of the actual server the e-mails are coming from. >From what I see in your config, your "access" file is referred to via check_sender_access, so it will work if - and only if - the *envelope sender* of the message is "someth...@spamgateway.nil" or "someth...@subdomain.spamgateway.nil". Do you see that sender address in your logs? If it's only the *connecting client IP address* that resolves to somehost.spamgateway.nil, and the sender's domain is different, then you should use check_client_access, not check_sender_access. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: always_bcc colliding with access(5) REDIRECT action
> Jul 31 09:24:13 mail-cbf-int postfix/error[2664442]: 4WYk9n2SK3z20ycy: > to=, > orig_to=, relay=none, > delay=0.62, delays=0.57/0.02/0/0.03, dsn=5.1.1, status=bounced (User unknown) It works, if I replace toscx.hrn...@charite.de with the actual mailbox address after address expansion (thrn...@exchange.charite.de) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: mail.log and mail.info
Ok, thanks, yes, debian. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: mail.log and mail.info
Ah, thanks. Yes, of course. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Jul 30, 2024, at 15:58, Wietse Venema wrote: For actual support, you can reduce the detective work providing CONCRETE details as in https://www.postfix.org/DEBUG_README.html#mail Actual configuration as reported by Postfix. On 30.07.24 16:13, John Thorvald Wodder II via Postfix-users wrote: postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_spf_whitelist.cidr, [...] smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access Actual events as logged by Postfix. OK, a session from /var/log/mail.log, with domains & IPs censored over with A's and D's: Jul 30 18:42:21 firefly postfix/smtpd[2315370]: connect from AA-DD..AAA[DDD.DDD.DDD.DD] Jul 30 18:42:22 firefly postgrey[414604]: action=pass, reason=client AWL, client_name=AA-DD..AAA, client_address=DDD.DDD.DDD.DD/32, sender=aa.aaa...@aa.aa.aaa, recipient=a...@a.aaa Jul 30 18:42:22 firefly postgrey[414604]: cleaning up old logs... Jul 30 18:42:22 firefly postfix/smtpd[2315370]: C12C913B050: client=AA-DD..AAA[DDD.DDD.DDD.DD] Here, the mail would be rejected if you had DDD.DDD.DDD.DD in your /etc/postfix/postscreen_spf_whitelist.cidr with "reject" - I assume since it's named "whitelist", you only have "permit" there. Jul 30 18:42:22 firefly postfix/cleanup[2315373]: C12C913B050: message-id= Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: AA-DD..AAA [DDD.DDD.DDD.DD] not internal Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: not authenticated Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: DKIM verification successful Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: s=fm d=AAA-AA.AAA a=rsa-sha256 SSL Jul 30 18:42:23 firefly postfix/qmgr[2307335]: C12C913B050: from=, size=46479, nrcpt=1 (queue active) Here, the sender would be rejected if you had in /etc/postfix/access one of strings: 1. aa.aaa...@aa.aa.aaa AA.AA.AAA 2. .AA.AAA or AA.AAA 3. .AAA or AAA 4. AA.AA@ ...with REJECT or 5xx result .AAA or AAA depends on your setting of parent_domain_matches_subdomains (I don't know your default) Note that "sender" means the envelope from address. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I feel like I'm diagonally parked in a parallel universe. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
On 30.07.24 16:40, Gilgongo via Postfix-users wrote: Thanks for all the replies on this - food for thought! Seems the general consensus is that while in theory I should reject for p=reject (since that's what the sender wants me to do), in practice things like mailing lists and other forwarding conditions make that unsafe (and to a lesser extent the same applies to SPF and DKIM). At least in terms of a binary decision. So I think I'll stick with what I have and perhaps experiment with some SA scoring tweaks. FYI Mailman 2 claims to rewrite From: header to fullfill DMARC requirements only when DMARC policy is "quarantine" or "reject" - rejecting mail failing DMARC can be safe even with mailing lists which usually appear to break DKIM. https://wiki.list.org/DOC/Mailman 2.1 List Administrators Manual#Additional_settings -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The early bird may get the worm, but the second mouse gets the cheese. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] always_bcc colliding with access(5) REDIRECT action
We have an always_bcc setup in place for incoming mails: recipient_bcc_maps = pcre:/etc/postfix/backup_bcc.pcre /^(.*)@charite\.de$/backup+${1}=charite.de@backup.invalid Now I tried to redirect mails from my private address sent to anybody at charite.de to be redirected to someone else in the organisation, like this: rxlf.hildebra...@gmail.com REDIRECT toscx.hrn...@charite.de Now the following happened: The mails was not sent to the original recipient (that was expected), but it also wasn't sent to toscx.hrn...@charite.de -- but instead it went the way of the always_bcc, but wan't delivered but bounced (according to the logs below). But in fact it didn't bounce (at least I didn't get anything back). Jul 31 09:24:13 mail-cbf-int extern/smtpd[2663640]: NOQUEUE: redirect: RCPT from mail-ej1-f49.google.com[209.85.218.49]: : Sender address triggers REDIRECT toscx.hrn...@charite.de; from= to= proto=ESMTP helo= Jul 31 09:24:13 mail-cbf-int extern/smtpd[2663640]: 4WYk9n2SK3z20ycy: client=mail-ej1-f49.google.com[209.85.218.49] Jul 31 09:24:13 mail-cbf-int postfix/cleanup[2659314]: 4WYk9n2SK3z20ycy: info: header From: Ralf Hildebrandt from mail-ej1-f49.google.com[209.85.218.49]; from= to= proto=ESMTP helo= Jul 31 09:24:13 mail-cbf-int postfix/cleanup[2659314]: 4WYk9n2SK3z20ycy: info: header Date: Wed, 31 Jul 2024 09:24:01 +0200 from mail-ej1-f49.google.com[209.85.218.49]; from= to= proto=ESMTP helo= Jul 31 09:24:13 mail-cbf-int postfix/cleanup[2659314]: 4WYk9n2SK3z20ycy: message-id= Jul 31 09:24:13 mail-cbf-int postfix/cleanup[2659314]: 4WYk9n2SK3z20ycy: info: header Subject: Test an ralf.hildebra...@charite.de from mail-ej1-f49.google.com[209.85.218.49]; from= to= proto=ESMTP helo= Jul 31 09:24:13 mail-cbf-int postfix/cleanup[2659314]: 4WYk9n2SK3z20ycy: info: header To: "Ralf Hildebrandt (hildeb)" from mail-ej1-f49.google.com[209.85.218.49]; from= to= proto=ESMTP helo= Jul 31 09:24:13 mail-cbf-int postfix/qmgr[1615285]: 4WYk9n2SK3z20ycy: from=, size=3810, nrcpt=2 (queue active) Jul 31 09:24:13 mail-cbf-int postfix/error[2664442]: 4WYk9n2SK3z20ycy: to=, orig_to=, relay=none, delay=0.62, delays=0.57/0.02/0/0.03, dsn=5.1.1, status=bounced (User unknown) Jul 31 09:24:13 mail-cbf-int postfix/qmgr[1615285]: 4WYk9n2SK3z20ycy: removed Also note that is says "nrcpt=2", but is only being delivered (sort of) once. Postfix 3.10-20240724 I'm aware that is is some sort of bizarre edge-case. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
not sure why you don't just block the ip/subnet of that client in firewall (?) or just try postscreen + postscreen_access_list with client ip/subnet.. is it coming from gmail or another too-big-to-block sender? The "access" file currently contains REJECT lines for both "spamgateway.nil" (no leading period) and ".spamgateway.nil" (leading period), and I did the postmap-and-restart dance after updating it, but the e-mails are still coming through. My understanding (see also Wietse's first response) is that adding "stupidspammers.example" won't accomplish anything, as that domain is only in the message headers and isn't the domain of the actual server the e-mails are coming from. maybe this header_checks example works : /^(To|From|Cc|Reply-To):.*@stupidspammers\.example/ DISCARD postmap /etc/postfix/header_checks and in main.cf : header_checks = regexp:/etc/postfix/header_checks postfix reload should work.. d. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Fr LLM based detection rspamd has a new a new GPT Plugin they introduced with version 3.9 https://rspamd.com/doc/modules/gpt.html https://rspamd.com/misc/2024/07/03/gpt.html Currently it’s based on OpenAI apis. but can be adapted for local LLMs or any LLM offering OpenAI type APIs. Cheers Chandan On 2024-07-30 18:07, Laura Smith wrote: I too am interested in experiences with rspamd and LLMs, so if there is anything people don't want to share on-list, please loop me in. :) Thanks ! Laura On Tuesday, 30 July 2024 at 18:51, Walt E via Postfix-users wrote: Can you share your experience on LLM for rspamd? Any links/resources are appreciated. Thank you On 2024-07-30 21:42, chandan via Postfix-users wrote: > In POSTSCREEN i use 12 blocklists and whitelists. each is given a > particular score based on a custom ML algorithm. The scores get > adjusted everyday based on the performance of the RBLs. I don’t reject > based on SPF, DMARC, or DKIM. > > However i do have spam detection powered by RSPAMD, which takes into > account SPF,DKIM,DMARC and host of other stuff. right now experimenting > with LLMs as tool to detect SPAM apart from the standard baye’s. > > On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote: > > > Dnia 30.07.2024 o godz. 12:38:15 Matus UHLAR - fantomas via > > Postfix-users pisze: > > > > > > I filter messages only based on RBLs, manual blocklists and content > > > > filtering (SA + many custom rules). And as for the latter, the messages are > > > > sent to spam folder, never rejected. Rejections are based only on first two. > > > > > > Funny, since multiple people in the past recommended rejecting on > > > spamminess, not on the results of single DNSBL listing. > > > > I use only two DNSBLs that - at least for me - seem to give almost no > > false > > positives - bl.spamcop.net and zen.spamhaus.org. In the past I used > > three - > > instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and > > sbl-xbl.spamhaus.org. But because sorbs.net went down, and > > zen.spamhaus.org > > seems to effectively combine these two, I changed it. > > > > Of course I always have the option to manually override DNSBL listing > > in my > > manual access list, but I don't remember when I last had to use it. > > ___ > > Postfix-users mailing list -- postfix-users@postfix.org > > To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Jul 30, 2024, at 16:13, Darren Rambaud via Postfix-users wrote: > In `/etc/postfix/access`, did you try adding all of these entries? > stupidspammers.example REJECT > .stupidspammers.example REJECT > spamgateway.nil REJECT > > .spamgateway.nil REJECT > Then re-run postmap and restart postfix? > Documentation for postfix indicate this should work to block all e-mails > originating from these domains. The "access" file currently contains REJECT lines for both "spamgateway.nil" (no leading period) and ".spamgateway.nil" (leading period), and I did the postmap-and-restart dance after updating it, but the e-mails are still coming through. My understanding (see also Wietse's first response) is that adding "stupidspammers.example" won't accomplish anything, as that domain is only in the message headers and isn't the domain of the actual server the e-mails are coming from. -- John Wodder ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
In `/etc/postfix/access`, did you try adding all of these entries? stupidspammers.example REJECT .stupidspammers.example REJECT spamgateway.nil REJECT .spamgateway.nil REJECT Then re-run postmap and restart postfix? Documentation for postfix indicate this should work to block all e-mails originating from these domains. On 7/30/24 14:28, John Thorvald Wodder II via Postfix-users wrote: (I previously posted this request for help on ServerFault but got no responses, so I'm hoping the official Postfix mailing list will go better.) I have an Ubuntu 22.04 cloud VM with Postfix 3.6.4-1ubuntu1.3 installed that I largely use for receiving e-mails sent to addresses at my personal domain that I provide when signing up for less-important website accounts. In the past few months, one of these addresses has been receiving too many unsolicited e-mails from the same domain that are managing to get through the server's basic spam defenses. I would like to block these e-mails at the Postfix level, and I thought I set things up properly, but the e-mails are still coming through. The "From" addresses for the spam e-mails all share the same domain — here "stupidspammers.example" — and they are all sent (per both the "Received:" headers and the mail logs) from a subdomain of "spamgateway.nil". I tried to block the e-mails as follows: 1. I created /etc/postfix/access with the following contents: stupidspammers.example REJECT 2. I ran `sudo postmap hash:/etc/postfix/access` 3. I added the line "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access" to /etc/postfix/main.cf 4. I restarted Postfix with `sudo systemctl restart postfix` When this setup proved insufficient, I changed the contents of /etc/postfix/access to "spamgateway.nil REJECT" and repeated steps 2 & 4. The e-mails still kept coming through, so I tried adding the line ".spamgateway.nil REJECT" (with a leading period), but that didn't help either. I can't figure out what I'm doing wrong. For the record, my /etc/postfix/main.cf (with some details removed) is: ### BEGIN main.cf # See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no notify_classes = bounce, 2bounce, data, delay, resource, software # Do NOT include 'protocol' in 'notify_classes' unless you want to be flooded # with notifications from easily-defeated script-kiddie break-in attempts. # Also, don't include 'policy' unless you want you be notified possibly # multiple times whenever greylisting delays something. readme_directory = /usr/share/doc/postfix html_directory = /usr/share/doc/postfix/html # appending .domain is the MUA's job. append_dot_mydomain = no # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_tls_cert_file = REDACTED smtpd_tls_key_file = REDACTED smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_security_level = may smtpd_tls_protocols = !SSLv2, !SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level = may smtp_tls_protocols = !SSLv2, !SSLv3 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, # Postgrey: check_policy_service inet:127.0.0.1:10023 smtpd_relay_restrictions = smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access postscreen_access_list = permit_mynetworks, # Postwhite: cidr:/etc/postfix/postscreen_spf_whitelist.cidr, myhostname = REDACTED myorigin = REDACTED mydomain = REDACTED mydestination = REDACTED, localhost, localhost.$mydomain, localhost.localdomain mynetworks_style = host mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 relayhost = inet_interfaces = all inet_protocols = all alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases local_recipient_maps = luser_relay = REDACTED mailbox_command = procmail -a "$EXTENSION" ORIGINAL_RECIPIENT="$ORIGINAL_RECIPIENT" mailbox_size_limit = 0 recipient_delimiter = + # DKIM: milter_protocol = 2 milter_default_action = accept smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301 ### END main.cf -- John Wodder ___ Postfix-users mailing list --postfix-users@postfix.org To unsubscribe send an email topostfix-users-le...@postfix.org___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Jul 30, 2024, at 15:58, Wietse Venema wrote: > > John Thorvald Wodder II via Postfix-users: >> On Jul 30, 2024, at 15:36, Wietse Venema via Postfix-users >> wrote: >>> >>> John Thorvald Wodder II via Postfix-users: (I previously posted this request for help on ServerFault but got no responses, so I'm hoping the official Postfix mailing list will go better.) >>> >>> Your access tables can only affect the client DNS domain name, and >>> domain names that appear in SMTP commmands such as HELO, MAIL FROM >>> and RCPT TO. >>> >>> Those tables have no effect on the content of message headers. For >>> that, the tables are called header_checks. >> >> I am aware of that. > > Then there was no need to spend so much text on that. I mentioned multiple attempted configurations in my original e-mail as I figured people would want to know everything I'd tried. >> That's why my original attempt to match against >> "stupidspammers.example" failed, but I would expect my subsequent >> attempt to instead match against "spamgateway.nil" (which the >> actual mail servers, per the logs, are subdomains of) to work. >> Why isn't it working? > > If the Postfix SMTP daemon logs spamgateway.nil as the client > hostname ("connect from something.spamgateway.nil"), then > check_client_access will match that. > > Of course it doesn't because spamgateway.nil does not exist. I'm not claiming that "spamgateway.nil" is the actual domain. I'm using a placeholder here because I don't want to draw attention to an actual, real domain. The DEBUG README you linked to even says to anonymize host names. Are you expecting the domains to be anonymized exactly like "A.AAA" as in the README? > For actual support, you can reduce the detective work providing > CONCRETE details as in https://www.postfix.org/DEBUG_README.html#mail > > Actual configuration as reported by Postfix. OK, `postconf -n` with domain names and cert paths replaced with "REDACTED": ### BEGIN alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no html_directory = /usr/share/doc/postfix/html inet_interfaces = all inet_protocols = all local_recipient_maps = luser_relay = REDACTED mailbox_command = procmail -a "$EXTENSION" ORIGINAL_RECIPIENT="$ORIGINAL_RECIPIENT" mailbox_size_limit = 0 milter_default_action = accept milter_protocol = 2 mydestination = REDACTED, localhost, localhost.$mydomain, localhost.localdomain mydomain = REDACTED myhostname = REDACTED mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 mynetworks_style = host myorigin = REDACTED non_smtpd_milters = inet:localhost:12301 notify_classes = bounce, 2bounce, data, delay, resource, software postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_spf_whitelist.cidr, readme_directory = /usr/share/doc/postfix recipient_delimiter = + relayhost = smtp_tls_protocols = !SSLv2, !SSLv3 smtp_tls_security_level = may smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) smtpd_milters = inet:localhost:12301 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023 smtpd_relay_restrictions = smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access smtpd_tls_cert_file = REDACTED smtpd_tls_key_file = REDACTED smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache ### END > Actual events as logged by Postfix. OK, a session from /var/log/mail.log, with domains & IPs censored over with A's and D's: ### BEGIN Jul 30 18:42:21 firefly postfix/smtpd[2315370]: connect from AA-DD..AAA[DDD.DDD.DDD.DD] Jul 30 18:42:22 firefly postgrey[414604]: action=pass, reason=client AWL, client_name=AA-DD..AAA, client_address=DDD.DDD.DDD.DD/32, sender=aa.aaa...@aa.aa.aaa, recipient=a...@a.aaa Jul 30 18:42:22 firefly postgrey[414604]: cleaning up old logs... Jul 30 18:42:22 firefly postfix/smtpd[2315370]: C12C913B050: client=AA-DD..AAA[DDD.DDD.DDD.DD] Jul 30 18:42:22 firefly postfix/cleanup[2315373]: C12C913B050: message-id= Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: AA-DD..AAA [DDD.DDD.DDD.DD] not internal Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: not authenticated Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: DKIM verification successful Jul 30 18:42:23 firefly opendkim[1215873]: C12C913B050: s=fm d=AAA-AA.AAA a=rsa-sha256 SSL Jul 30 18:42:23 firefly postfix/qmgr[2307335]: C12C913B050: from=, size=46479, nrcpt=1 (queue active) Jul 30 18:42:23 firefly postfix/smtpd[2315370]: disconnect from AA-DD..AAA[DDD.DDD.DDD.DD] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 Jul 30 18:42:24 firefly postfix/local[2315374]: C12C913B050: to=,
[pfx] Re: Trouble blocking spammer domain
Wietse Venema via Postfix-users skrev den 2024-07-30 21:36: Those tables have no effect on the content of message headers. For that, the tables are called header_checks. However, you may be better off with rspamd. or simple milter-regex rspamd is most of the time ok with default config, but ends in badness if changed, so i dropped rspamd, amavisd and amavisd-milter is better for me, with have rspamd aswell if needed, amavisd just miss arc-seal arc-sign arc-verify there is place for upgrades all places ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
John Thorvald Wodder II via Postfix-users: > On Jul 30, 2024, at 15:36, Wietse Venema via Postfix-users > wrote: > > > > John Thorvald Wodder II via Postfix-users: > >> (I previously posted this request for help on ServerFault but got > >> no responses, so I'm hoping the official Postfix mailing list will > >> go better.) > > > > Your access tables can only affect the client DNS domain name, and > > domain names that appear in SMTP commmands such as HELO, MAIL FROM > > and RCPT TO. > > > > Those tables have no effect on the content of message headers. For > > that, the tables are called header_checks. > > I am aware of that. Then there was no need to spend so much text on that. > That's why my original attempt to match against > "stupidspammers.example" failed, but I would expect my subsequent > attempt to instead match against "spamgateway.nil" (which the > actual mail servers, per the logs, are subdomains of) to work. > Why isn't it working? If the Postfix SMTP daemon logs spamgateway.nil as the client hostname ("connect from something.spamgateway.nil"), then check_client_access will match that. Of course it doesn't because spamgateway.nil does not exist. For actual support, you can reduce the detective work providing CONCRETE details as in https://www.postfix.org/DEBUG_README.html#mail Actual configuration as reported by Postfix. Actual events as logged by Postfix. Wietse > > However, you may be better off with rspamd. > > I'll look into that. > > -- John Wodder > ___ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org > ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
On Jul 30, 2024, at 15:36, Wietse Venema via Postfix-users wrote: > > John Thorvald Wodder II via Postfix-users: >> (I previously posted this request for help on ServerFault but got >> no responses, so I'm hoping the official Postfix mailing list will >> go better.) > > Your access tables can only affect the client DNS domain name, and > domain names that appear in SMTP commmands such as HELO, MAIL FROM > and RCPT TO. > > Those tables have no effect on the content of message headers. For > that, the tables are called header_checks. I am aware of that. That's why my original attempt to match against "stupidspammers.example" failed, but I would expect my subsequent attempt to instead match against "spamgateway.nil" (which the actual mail servers, per the logs, are subdomains of) to work. Why isn't it working? > However, you may be better off with rspamd. I'll look into that. -- John Wodder ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Trouble blocking spammer domain
John Thorvald Wodder II via Postfix-users: > (I previously posted this request for help on ServerFault but got > no responses, so I'm hoping the official Postfix mailing list will > go better.) Your access tables can only affect the client DNS domain name, and domain names that appear in SMTP commmands such as HELO, MAIL FROM and RCPT TO. Those tables have no effect on the content of message headers. For that, the tables are called header_checks. However, you may be better off with rspamd. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Trouble blocking spammer domain
(I previously posted this request for help on ServerFault but got no responses, so I'm hoping the official Postfix mailing list will go better.) I have an Ubuntu 22.04 cloud VM with Postfix 3.6.4-1ubuntu1.3 installed that I largely use for receiving e-mails sent to addresses at my personal domain that I provide when signing up for less-important website accounts. In the past few months, one of these addresses has been receiving too many unsolicited e-mails from the same domain that are managing to get through the server's basic spam defenses. I would like to block these e-mails at the Postfix level, and I thought I set things up properly, but the e-mails are still coming through. The "From" addresses for the spam e-mails all share the same domain — here "stupidspammers.example" — and they are all sent (per both the "Received:" headers and the mail logs) from a subdomain of "spamgateway.nil". I tried to block the e-mails as follows: 1. I created /etc/postfix/access with the following contents: stupidspammers.example REJECT 2. I ran `sudo postmap hash:/etc/postfix/access` 3. I added the line "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access" to /etc/postfix/main.cf 4. I restarted Postfix with `sudo systemctl restart postfix` When this setup proved insufficient, I changed the contents of /etc/postfix/access to "spamgateway.nil REJECT" and repeated steps 2 & 4. The e-mails still kept coming through, so I tried adding the line ".spamgateway.nil REJECT" (with a leading period), but that didn't help either. I can't figure out what I'm doing wrong. For the record, my /etc/postfix/main.cf (with some details removed) is: ### BEGIN main.cf # See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no notify_classes = bounce, 2bounce, data, delay, resource, software # Do NOT include 'protocol' in 'notify_classes' unless you want to be flooded # with notifications from easily-defeated script-kiddie break-in attempts. # Also, don't include 'policy' unless you want you be notified possibly # multiple times whenever greylisting delays something. readme_directory = /usr/share/doc/postfix html_directory = /usr/share/doc/postfix/html # appending .domain is the MUA's job. append_dot_mydomain = no # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for # information on enabling SSL in the smtp client. smtpd_tls_cert_file = REDACTED smtpd_tls_key_file = REDACTED smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_security_level = may smtpd_tls_protocols = !SSLv2, !SSLv3 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_security_level = may smtp_tls_protocols = !SSLv2, !SSLv3 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, # Postgrey: check_policy_service inet:127.0.0.1:10023 smtpd_relay_restrictions = smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access postscreen_access_list = permit_mynetworks, # Postwhite: cidr:/etc/postfix/postscreen_spf_whitelist.cidr, myhostname = REDACTED myorigin = REDACTED mydomain = REDACTED mydestination = REDACTED, localhost, localhost.$mydomain, localhost.localdomain mynetworks_style = host mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 relayhost = inet_interfaces = all inet_protocols = all alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases local_recipient_maps = luser_relay = REDACTED mailbox_command = procmail -a "$EXTENSION" ORIGINAL_RECIPIENT="$ORIGINAL_RECIPIENT" mailbox_size_limit = 0 recipient_delimiter = + # DKIM: milter_protocol = 2 milter_default_action = accept smtpd_milters = inet:localhost:12301 non_smtpd_milters = inet:localhost:12301 ### END main.cf -- John Wodder ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
I too am interested in experiences with rspamd and LLMs, so if there is anything people don't want to share on-list, please loop me in. :) Thanks ! Laura On Tuesday, 30 July 2024 at 18:51, Walt E via Postfix-users wrote: > Can you share your experience on LLM for rspamd? Any links/resources are > appreciated. > > Thank you > > On 2024-07-30 21:42, chandan via Postfix-users wrote: > > > In POSTSCREEN i use 12 blocklists and whitelists. each is given a > > particular score based on a custom ML algorithm. The scores get > > adjusted everyday based on the performance of the RBLs. I don’t reject > > based on SPF, DMARC, or DKIM. > > > > However i do have spam detection powered by RSPAMD, which takes into > > account SPF,DKIM,DMARC and host of other stuff. right now experimenting > > with LLMs as tool to detect SPAM apart from the standard baye’s. > > > > On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote: > > > > > Dnia 30.07.2024 o godz. 12:38:15 Matus UHLAR - fantomas via > > > Postfix-users pisze: > > > > > > > > I filter messages only based on RBLs, manual blocklists and content > > > > > filtering (SA + many custom rules). And as for the latter, the > > > > > messages are > > > > > sent to spam folder, never rejected. Rejections are based only on > > > > > first two. > > > > > > > > Funny, since multiple people in the past recommended rejecting on > > > > spamminess, not on the results of single DNSBL listing. > > > > > > I use only two DNSBLs that - at least for me - seem to give almost no > > > false > > > positives - bl.spamcop.net and zen.spamhaus.org. In the past I used > > > three - > > > instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and > > > sbl-xbl.spamhaus.org. But because sorbs.net went down, and > > > zen.spamhaus.org > > > seems to effectively combine these two, I changed it. > > > > > > Of course I always have the option to manually override DNSBL listing > > > in my > > > manual access list, but I don't remember when I last had to use it. > > > ___ > > > Postfix-users mailing list -- postfix-users@postfix.org > > > To unsubscribe send an email to postfix-users-le...@postfix.org > > ___ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Can you share your experience on LLM for rspamd? Any links/resources are appreciated. Thank you On 2024-07-30 21:42, chandan via Postfix-users wrote: In POSTSCREEN i use 12 blocklists and whitelists. each is given a particular score based on a custom ML algorithm. The scores get adjusted everyday based on the performance of the RBLs. I don’t reject based on SPF, DMARC, or DKIM. However i do have spam detection powered by RSPAMD, which takes into account SPF,DKIM,DMARC and host of other stuff. right now experimenting with LLMs as tool to detect SPAM apart from the standard baye’s. On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote: Dnia 30.07.2024 o godz. 12:38:15 Matus UHLAR - fantomas via Postfix-users pisze: >I filter messages only based on RBLs, manual blocklists and content >filtering (SA + many custom rules). And as for the latter, the messages are >sent to spam folder, never rejected. Rejections are based only on first two. Funny, since multiple people in the past recommended rejecting on spamminess, not on the results of single DNSBL listing. I use only two DNSBLs that - at least for me - seem to give almost no false positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three - instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org seems to effectively combine these two, I changed it. Of course I always have the option to manually override DNSBL listing in my manual access list, but I don't remember when I last had to use it. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Thanks for all the replies on this - food for thought! Seems the general consensus is that while in theory I should reject for p=reject (since that's what the sender wants me to do), in practice things like mailing lists and other forwarding conditions make that unsafe (and to a lesser extent the same applies to SPF and DKIM). At least in terms of a binary decision. So I think I'll stick with what I have and perhaps experiment with some SA scoring tweaks. I should perhaps mention that I'm more concerned about spam coming out of our network via forwarding than I am about annoying our local recipients (and we use SRS). BTW various RBLs were mentioned - was going to ask a question on that, but will do so in a different thread. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Viktor Dukhovni via Postfix-users: > On Tue, Jul 30, 2024 at 10:23:28AM +0100, Gilgongo via Postfix-users wrote: > > > What do others do with DMARC? I'm inclined to just gradually turn up the SA > > scores on SPF/DKIM failures instead, if only because > > Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and > > presumably for a reason. > > My MTA ignores SPF and DKIM, and naturally also does not enforce DMARC. > Do what makes most sense for your users. If they're savvy enough to > not be easily phished via email, it makes sense to not risk rejecting > mail that fails for spurious reasons. My Postfix also ignores SPF, DKIM, and DMARC. I publish SPF, DKIM, and DMARC only to satisfy Gmail etc. requirements. Wietse ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
In POSTSCREEN i use 12 blocklists and whitelists. each is given a particular score based on a custom ML algorithm. The scores get adjusted everyday based on the performance of the RBLs. I don’t reject based on SPF, DMARC, or DKIM. However i do have spam detection powered by RSPAMD, which takes into account SPF,DKIM,DMARC and host of other stuff. right now experimenting with LLMs as tool to detect SPAM apart from the standard baye’s. On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote: Dnia 30.07.2024 o godz. 12:38:15 Matus UHLAR - fantomas via Postfix-users pisze: >I filter messages only based on RBLs, manual blocklists and content >filtering (SA + many custom rules). And as for the latter, the messages are >sent to spam folder, never rejected. Rejections are based only on first two. Funny, since multiple people in the past recommended rejecting on spamminess, not on the results of single DNSBL listing. I use only two DNSBLs that - at least for me - seem to give almost no false positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three - instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org seems to effectively combine these two, I changed it. Of course I always have the option to manually override DNSBL listing in my manual access list, but I don't remember when I last had to use it. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
On 2024-07-30 at 05:23:28 UTC-0400 (Tue, 30 Jul 2024 10:23:28 +0100) Gilgongo via Postfix-users is rumored to have said: I've recently installed and configured openDMARC. I see it marks perhaps 20-30% of domains as "fail" but I've not set it to reject those yet. I also see Spamassassin doesn't give particularly high scores for SPF/DKIM failures, That's because both SPF and DKIM failures DO NOT correlate strongly to a message being spam. They never have. I expect that they never will. and Mail::SpamAssassin::Plugin::DMARC (not that it comes as standard) seems to have quite low scores by default too. So I'm a bit wary of false positives if I tell openDMARC to reject. Whether you reject based on DMARC failure should be determined in large part by the policy expressed in the DMARC record. If it says "p=reject" then the domain owner WANTS DMARC failures to be rejected outright. You do not need to follow that but it is a clear expression of a policy choice unilaterally predefining DMARC-failed messages as invalid. I see no reason not to punish them for that choice by giving them what they want. However, that's a local policy decision that is not universally acceptable. SpamAssassin is about spam, not about policy enforcement, so if you want to reject messages solely for DMARC failure, you have to explicitly configure that yourself. What do others do with DMARC? I see it as only useful as the basis for local specific domain-based trust, e.g. welcomelist_auth (and for the related default welcomelist.) I'm inclined to just gradually turn up the SA scores on SPF/DKIM failures instead, if only because Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and presumably for a reason. It is included in v4, because it was built for v4. I'm mildly surprised that it works at all with v3.x. Take it up with your distro packager if you think they should become current or just update it yourself. CPAN can work to do the upgrade if you understand how to install but not not test as root, however this may not be wise on distros that do substantial customization of SA. (i.e. Debian-based) -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Dnia 30.07.2024 o godz. 12:38:15 Matus UHLAR - fantomas via Postfix-users pisze: >I filter messages only based on RBLs, manual blocklists and content >filtering (SA + many custom rules). And as for the latter, the messages are >sent to spam folder, never rejected. Rejections are based only on first two. Funny, since multiple people in the past recommended rejecting on spamminess, not on the results of single DNSBL listing. On 30.07.24 13:52, Jaroslaw Rafa via Postfix-users wrote: I use only two DNSBLs that - at least for me - seem to give almost no false positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three - instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org seems to effectively combine these two, I changed it. I use nearly the same combination, I just used zen for years (sbl-xml + pbl) and safe.dnsbl.sorbs.net (dul + others). I also use dnswl with negative score (postscreen) and on some servers I need more than one hit to reject mail, so one listing is not enough for rejection. Of course I always have the option to manually override DNSBL listing in my manual access list, but I don't remember when I last had to use it. The same. What I wanted to say is that some people in the past have recommended only using DNSBLs for content filtering, not at SMTP level, thust just the opposite as you - only reject based on content filtering, not just on DNSBL listings. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Despite the cost of living, have you noticed how popular it remains? ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Dnia 30.07.2024 o godz. 12:38:15 Matus UHLAR - fantomas via Postfix-users pisze: > >I filter messages only based on RBLs, manual blocklists and content > >filtering (SA + many custom rules). And as for the latter, the messages are > >sent to spam folder, never rejected. Rejections are based only on first two. > > Funny, since multiple people in the past recommended rejecting on > spamminess, not on the results of single DNSBL listing. I use only two DNSBLs that - at least for me - seem to give almost no false positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three - instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org seems to effectively combine these two, I changed it. Of course I always have the option to manually override DNSBL listing in my manual access list, but I don't remember when I last had to use it. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
On Tue, Jul 30, 2024 at 10:23:28AM +0100, Gilgongo via Postfix-users wrote: > What do others do with DMARC? I'm inclined to just gradually turn up the SA > scores on SPF/DKIM failures instead, if only because > Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and > presumably for a reason. My MTA ignores SPF and DKIM, and naturally also does not enforce DMARC. Do what makes most sense for your users. If they're savvy enough to not be easily phished via email, it makes sense to not risk rejecting mail that fails for spurious reasons. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: mail.log and mail.info
On 30/07/24 22:18, Linkcheck via Postfix-users wrote: I am recently seeing an almost exact similarity between mail.log and mail.info, to the extent I am now querying the usefulness of looking at mail.info at all. Am I missing something? This is a Debian thing, you can safely ignore mail.info and mail.err and just look at mail.log. Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Dnia 30.07.2024 o godz. 10:23:28 Gilgongo via Postfix-users pisze: What do others do with DMARC? I'm inclined to just gradually turn up the SA scores on SPF/DKIM failures instead, if only because Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and presumably for a reason. So far I only reject based on SPF. I was thinking about rejecting DMARC failures with policy reject, but not yet. On 30.07.24 12:06, Jaroslaw Rafa via Postfix-users wrote: I don't check neither SPF, DKIM nor DMARC on incoming mail and don't plan to. I use it only for outgoing mail and only because Google (and perhaps some other "big guys") de facto requires it. I filter messages only based on RBLs, manual blocklists and content filtering (SA + many custom rules). And as for the latter, the messages are sent to spam folder, never rejected. Rejections are based only on first two. Funny, since multiple people in the past recommended rejecting on spamminess, not on the results of single DNSBL listing. Of course, that's your policy. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux IS user friendly, it's just selective who its friends are... ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: mail.log and mail.info
this is probably due to syslog facility/daemon, not postfix. eg. personal rsyslog.conf : #mail.info -/var/log/mail.info #mail.warn -/var/log/mail.warn #mail.err /var/log/mail.err mail.* -/var/log/mail.log so, comment out whatever you don't want and just keep one (eg mail.log) for everything. or split as you like between log files. d. Στις 30/7/24 13:18, ο/η Linkcheck via Postfix-users έγραψε: I am recently seeing an almost exact similarity between mail.log and mail.info, to the extent I am now querying the usefulness of looking at mail.info at all. Am I missing something? In main.cf I have smtp_tls_loglevel = 1 smtpd_tls_loglevel = 1 and no other obvious log control. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] mail.log and mail.info
I am recently seeing an almost exact similarity between mail.log and mail.info, to the extent I am now querying the usefulness of looking at mail.info at all. Am I missing something? In main.cf I have smtp_tls_loglevel = 1 smtpd_tls_loglevel = 1 and no other obvious log control. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
Dnia 30.07.2024 o godz. 10:23:28 Gilgongo via Postfix-users pisze: > What do others do with DMARC? I'm inclined to just gradually turn up the SA > scores on SPF/DKIM failures instead, if only because > Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and > presumably for a reason. I don't check neither SPF, DKIM nor DMARC on incoming mail and don't plan to. I use it only for outgoing mail and only because Google (and perhaps some other "big guys") de facto requires it. I filter messages only based on RBLs, manual blocklists and content filtering (SA + many custom rules). And as for the latter, the messages are sent to spam folder, never rejected. Rejections are based only on first two. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub." ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Do you reject DMARC failures?
On 2024-07-30 17:23, Gilgongo via Postfix-users wrote: I've recently installed and configured openDMARC. I see it marks perhaps 20-30% of domains as "fail" but I've not set it to reject those yet. In our dmarc setup, we will reject the message if it fails (p=reject and dkim/spf verification fails). But this is just use case in our end, you should make your own policy. Thanks. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Do you reject DMARC failures?
For some mailing lists you have to be lax on DMARC failures because they overwrite email body and aren't rewriting header From. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Do you reject DMARC failures?
I've recently installed and configured openDMARC. I see it marks perhaps 20-30% of domains as "fail" but I've not set it to reject those yet. I also see Spamassassin doesn't give particularly high scores for SPF/DKIM failures, and Mail::SpamAssassin::Plugin::DMARC (not that it comes as standard) seems to have quite low scores by default too. So I'm a bit wary of false positives if I tell openDMARC to reject. What do others do with DMARC? I'm inclined to just gradually turn up the SA scores on SPF/DKIM failures instead, if only because Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and presumably for a reason. Jonathan ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
Tuesday, July 30, 2024, 5:24:53 PM, Gary R. Schmidt via Postfix-users wrote: > You need to look into what ban-lists your host subscribes to, blocking a > fairly well-known e-mail source but letting a TPG residential IP address > (that's me!) through is a bit whiffy. I was about to ask a similar question. I only use list.dnswl.org (for good ones) and zen.spamhaus.org (bad) in postscreen. Very effective but I did, just once, see an IP simultaneously listed in both. -- Cheers, yet another Phil ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Fwd: Welcome to the "Postfix-users" mailing list
Thanks again guys excellent work. Welcome to the "Postfix-users" mailing list! To post to this list, send your message to: postfix-users@postfix.org You can unsubscribe or make adjustments to your options via email by sending a message to: postfix-users-requ...@postfix.org with the word 'help' in the subject or body (don't include the quotes), and you will get back a message with instructions. You will need your password to change your options, but for security purposes, this password is not included here. If you have forgotten your password you will need to reset it via the web UI. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: Cant join postfix users mailing list
Yay thanks to all who helped, i just got a confirmation in my inbox Cheers Phil On 30/7/24 17:26, Ralf Hildebrandt via Postfix-users wrote: * Philthy Steel via Postfix-users : Thanks Ralf I run f2b - ill put something on the ignore list and try again. I'm able to connect now. The mail should have been delivered. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: Cant join postfix users mailing list
* Philthy Steel via Postfix-users : > > Thanks Ralf > > I run f2b - ill put something on the ignore list and try again. I'm able to connect now. The mail should have been delivered. -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
On 30/07/2024 17:18, Philthy Steel via Postfix-users wrote: Thanks Ralf I run f2b - ill put something on the ignore list and try again. You need to look into what ban-lists your host subscribes to, blocking a fairly well-known e-mail source but letting a TPG residential IP address (that's me!) through is a bit whiffy. Cheers, GaryB-) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
Thanks Ralf I run f2b - ill put something on the ignore list and try again. Cheers Phil On 30/7/24 15:31, Ralf Hildebrandt via Postfix-users wrote: * Ralf Hildebrandt via Postfix-users : however i dont get a message from the mail list and checking syslog shows there was no contact to the server ? 4WY0w161l3z1018 1994 Tue Jul 30 05:24:49 postfix-users-boun...@postfix.org (connect to mail.philfixit.com.au[203.45.14.55]:25: Connection refused) p...@philfixit.com.au >From list.sys4.de: # telnet mail.philfixit.com.au 25 Trying 203.45.14.55... telnet: connect to address 203.45.14.55: Connection refused So check your firewalling/fail2ban or whatever evil trickery you're running :) 188.68.34.52 == list.sys4.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: Cant join postfix users mailing list
* Gary R. Schmidt via Postfix-users : > Hmm, I was able to probe it using smtp2go, so I thought I'd see what telnet > does for me here in Oz... So was I (from charite.de), but not from list.sys4.de There must be some selective blocking in place! -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
On 30/07/2024 15:31, Ralf Hildebrandt via Postfix-users wrote: * Ralf Hildebrandt via Postfix-users : however i dont get a message from the mail list and checking syslog shows there was no contact to the server ? 4WY0w161l3z1018 1994 Tue Jul 30 05:24:49 postfix-users-boun...@postfix.org (connect to mail.philfixit.com.au[203.45.14.55]:25: Connection refused) p...@philfixit.com.au >From list.sys4.de: # telnet mail.philfixit.com.au 25 Trying 203.45.14.55... telnet: connect to address 203.45.14.55: Connection refused So check your firewalling/fail2ban or whatever evil trickery you're running :) 188.68.34.52 == list.sys4.de Hmm, I was able to probe it using smtp2go, so I thought I'd see what telnet does for me here in Oz... $ telnet mail.philfixit.com.au 25 Trying 203.45.14.55... Connected to mail.philfixit.com.au. Escape character is '^]'. 220-mail.shopmagic.com.au ESMTP Postfix (Ubuntu) 220 mail.shopmagic.com.au ESMTP Postfix (Ubuntu) ehlo mcleod-schmidt.id.au 250-mail.shopmagic.com.au 250-PIPELINING 250-SIZE 34952534 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 SMTPUTF8 quit 221 2.0.0 Bye Connection to mail.philfixit.com.au closed by foreign host. Cheers, GaryB-) ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
* Ralf Hildebrandt via Postfix-users : > > however i dont get a message from the mail list and checking syslog shows > > there was no contact to the server ? > > 4WY0w161l3z1018 1994 Tue Jul 30 05:24:49 > postfix-users-boun...@postfix.org >(connect to mail.philfixit.com.au[203.45.14.55]:25: Connection refused) >p...@philfixit.com.au > > >From list.sys4.de: > > # telnet mail.philfixit.com.au 25 > Trying 203.45.14.55... > telnet: connect to address 203.45.14.55: Connection refused > > So check your firewalling/fail2ban or whatever evil trickery you're > running :) 188.68.34.52 == list.sys4.de -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: [ext] Re: Cant join postfix users mailing list
> however i dont get a message from the mail list and checking syslog shows > there was no contact to the server ? 4WY0w161l3z1018 1994 Tue Jul 30 05:24:49 postfix-users-boun...@postfix.org (connect to mail.philfixit.com.au[203.45.14.55]:25: Connection refused) p...@philfixit.com.au >From list.sys4.de: # telnet mail.philfixit.com.au 25 Trying 203.45.14.55... telnet: connect to address 203.45.14.55: Connection refused So check your firewalling/fail2ban or whatever evil trickery you're running :) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | https://www.charite.de ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
On 30/07/24 15:29, Phil Steel-Wilson via Postfix-users wrote: I was subscribed fro many years under p...@philfixit.info but now i want to use p...@philfixit.com.au which i dutifully entered into the form at https://list.sys4.de/postorius/lists/postfix-users.postfix.org/ however i dont get a message from the mail list and checking syslog shows there was no contact to the server ? There should at least be a connect line. Im unsure where the problem is as i can send and receive gmail hotmail etc etc but not the postfix mail list . . . Your server is not offering STARTTLS. While sending servers should fall back to plain text this is not a given and an increasing number of MTAs are now enforcing TLS encryption. I would start by fixing this. Peter ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
Thanks Victor, I was subscribed fro many years under p...@philfixit.info but now i want to use p...@philfixit.com.au which i dutifully entered into the form at https://list.sys4.de/postorius/lists/postfix-users.postfix.org/ however i dont get a message from the mail list and checking syslog shows there was no contact to the server ? Im unsure where the problem is as i can send and receive gmail hotmail etc etc but not the postfix mail list . . . Cheers Phil On 30/07/2024 1:23 pm, Viktor Dukhovni via Postfix-users wrote: On Tue, Jul 30, 2024 at 01:14:15PM +1000, Phil Steel-Wilson via Postfix-users wrote: Copy and paste from the email gave top...@philfixit.info however the email address is actually p...@philfixit.info and i can send and receive mail to google . . . Cheers Phil Eliding essential spaces from the original post wasn't helpful. :-( The amended address does look deliverable. Make sure your subscription requests have the correct address in the "From:" line. Or initiate subscription via the "info" page: https://list.sys4.de/postorius/lists/postfix-users.postfix.org/ You'll still need to be able to send a "confirmation" response. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
On Tue, Jul 30, 2024 at 01:14:15PM +1000, Phil Steel-Wilson via Postfix-users wrote: > Copy and paste from the email gave top...@philfixit.info however the email > address is actually p...@philfixit.info and i can send and receive mail to > google . . . Cheers Phil Eliding essential spaces from the original post wasn't helpful. :-( The amended address does look deliverable. Make sure your subscription requests have the correct address in the "From:" line. Or initiate subscription via the "info" page: https://list.sys4.de/postorius/lists/postfix-users.postfix.org/ You'll still need to be able to send a "confirmation" response. -- Viktor. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Cant join postfix users mailing list
Copy and paste from the email gave top...@philfixit.info however the email address is actually p...@philfixit.info and i can send and receive mail to google . . . Cheers Phil On 30/07/2024 12:53 pm, Viktor Dukhovni via Postfix-users wrote: On Tue, Jul 30, 2024 at 12:23:43PM +1000, Phil Steel-Wilson via Postfix-users wrote: because it has received a number of bounces indicating that there may be a problem delivering messages top...@philfixit.info. Trying "sendmail -bv top...@philfixit.info" to verifying your address, I see: On Tue, Jul 30, 2024 at 12:50:13PM +1000, Mail Delivery System wrote: : delivery via mail.philfixit.info[203.45.14.55]:25: host mail.philfixit.info[203.45.14.55] said: 554 5.1.1 : Recipient address rejected: User unknown in virtual alias table (in reply to RCPT TO command) So your server is misconfigured, and rejects the address you're attempting to subscribe with. Final-Recipient: rfc822; top...@philfixit.info Original-Recipient: rfc822;top...@philfixit.info Action: undeliverable Status: 5.1.1 Remote-MTA: dns; mail.philfixit.info Diagnostic-Code: smtp; 554 5.1.1 : Recipient address rejected: User unknown in virtual alias table ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org