Re: 5 messages per second
On 03.06.20 11:52, Paul Martin wrote:
> I have many logs postfix/lmtp "deferred" like:
>
> Jun 2 11:38:21 mail331 postfix/lmtp[17386]: A2E3212C86D: to=, relay=none, delay=5930, delays=2879/2862/189/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:24: Connection timed out)
>
> do you have a solution ?

what runs on port 24 of localhost?
Shouldn't that be 10024? That port is common for amavis filter.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
Re: Architectural question for handing submission mail to a smarthost
Wietse asked:
> What should happen with local submissions via /usr/sbin/sendmail?

On 01.06.20 19:06, Alexander Perlis wrote:
> Thanks, I forgot about those, they too should go to the separate smarthost. Your follow-up message passing options to pickup(8) would seem to take care of that.

so, you can use "content_filter" in main.cf and disable it on port 25 instead.
I guess you process mail coming from other servers/users on port 25 different way (e.g. milter)

> /etc/postfix/master.cf
>     submission .. .. .. .. .. .. smtpd
>         -o ...usual submission options...
>         -o content_filter=smtp:filterhost.example
>         -o receive_override_options=no_header_body_checks

> Intriguing. To indulge my desire to better understand the internals, what is the difference between using
>
>     -o content_filter=smtp:filterhost.example
>
> vs using
>
>     -o relayhost=filterhost.example
>     -o local_transport=smtp:filterhost.example

the content_filter is explicitly designed to do what you want - submit all mail to filter, no matter where it belongs so.
using relayhost and local_transport for the same reason are hacks to get the same, but they can be overridden by transport_maps.

> ? Naively reading the documentation, I expect either case should cause all messages to go via SMTP to filterhost.example, but the latter approach did not work for me, and I'm curious to understand why...

there is much of mail processing, you would need to know about every possibilities. That's what content_filter is for, so you don't have to know and override tons of different options.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I just got lost in thought. It was unfamiliar territory.
Re: 452 4.3.1 Insufficient system storage
On 01.06.20 09:09, Gabriele Bulfon wrote:
> That is impossible, there is more than 1TB of free space on the zfs pool where postfix queue is allocated.
> If I had so little space, I would have ran into other troubles long before this strange problem.
> This system is delivering continuously 24/7 thousands of email per day.
> This is something that started to happen sporadically in the last few months, after year of works.
> What may be misleading Postfix about my available space?

are you sure there is no other filesystem involved?
I don't know much about ZFS, aren't there any partitions limited in size?

There's slight possibility that free size is understood incorrectly...

On 29.05.20 15:42, Gabriele Bulfon wrote:
> This in mail.log:
>
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 197553 mail.info] connect from sender-host[*.*.*.*]
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 197553 mail.info] Anonymous TLS connection established from sender-host[*.*.*.*]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 197553 mail.info] NOQUEUE: reject: MAIL from sender-host[*.*.*.*]: 452 4.3.1 Insufficient system storage; proto=ESMTP helo=
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 947731 mail.warning] warning: not enough free space in mail queue: 38384640 bytes
>
> This last warning looks quite incomprehensible, message size limit is 5000, and sure 38384640 is less than 1.5*msl, so what's the problem?

_that_ is apparently the problem.
you have 38384640 B (~38MB) of free space in queue, but message maximum size is 50MB, so you don't have enough of free space for maximum message size, not even for 1.5*maximum required by default:

http://www.postfix.org/postconf.5.html#queue_minfree

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
Re: setup issue -- debian /ubuntu 16.04.1 "bad string length 0 < 1: setgid_group ="
On 31.05.20 10:40, Gary Aitken wrote:
> Subject: setup issue -- debian /ubuntu 16.04.1 "bad string length 0 < 1: setgid_group ="

16.04 is ubuntu version

> I'm new to postfix and trying to administer a debian google-compute box, also new to me (coming from fbsd). So lots of opportunities for learning...
>
> I modified /etc/crontable to fire off some backup stuff (a shell script that does a "gcloud compute disks snapshot ...". Cron logs attempting to start the script, then logs:
>
> cron[1214]: sendmail: fatal: bad string length 0 < 1: setgid_group =
> postfix/sendmail[8628]: fatal: bad string length 0 < 1: setgid_group =
>
> As I did not set this system up, it's not clear to me what has been properly installed and what came as a result of other stuff.
> Initially, I was getting a "/etc/postfix/main.cf: No such file or directory" error. I copied main.cf.proto to main.cf without change, as it seemed to be ok as is.
>
> It appears postfix was installed as a result of a mysql installation:
>
> aptitude why postfix:
> i automysqlbackup Depends bsd-mailx | mailx
> i A bsd-mailx Depends default-mta | mail-transport-agent
> i A postfix Provides mail-transport-agent
>
> but the setup not completed?
>
> This machine is not intended to serve as a mail server; I only need it to post mail appropriately.
>
> I modified /etc/aliases to forward root, then tried
> sudo newaliases
> but I get the same error:
> newaliases: fatal: bad string length 0 < 1: setgid_group =

you should try to run:

dpkg --configure -a

to configure all packages that aren't configured yet.

however, so far this problem looks more like ubuntu than postfix problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.
Re: 452 4.3.1 Insufficient system storage
On 29.05.20 15:42, Gabriele Bulfon wrote:
> This in mail.log:
>
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 197553 mail.info] connect from sender-host[*.*.*.*]
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 197553 mail.info] Anonymous TLS connection established from sender-host[*.*.*.*]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 197553 mail.info] NOQUEUE: reject: MAIL from sender-host[*.*.*.*]: 452 4.3.1 Insufficient system storage; proto=ESMTP helo=
> May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 947731 mail.warning] warning: not enough free space in mail queue: 38384640 bytes
>
> This last warning looks quite incomprehensible, message size limit is 5000, and sure 38384640 is less than 1.5*msl, so what's the problem?

_that_ is apparently the problem.
you have 38384640 B (~38MB) of free space in queue, but message maximum size is 50MB, so you don't have enough of free space for maximum message size, not even for 1.5*maximum required by default:

http://www.postfix.org/postconf.5.html#queue_minfree

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
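
Added example, not part of the thread and not Postfix code: the free-space rule described in the two replies above (free queue space must cover 1.5 times message_size_limit, and queue_minfree), applied both to the figure smtpd logged and to what the OS reports for the queue directory. The 50,000,000-byte limit stands in for the "50MB" named in the reply and is an assumption, as are all function names; the comparison uses plain byte counts as a simplification.

```python
import os
import re

# Warning line quoted in the thread: the free space smtpd says it measured.
SAMPLE_WARNING = (
    "May 28 20:09:45 cloudserver postfix/smtpd[21079]: [ID 947731 mail.warning] "
    "warning: not enough free space in mail queue: 38384640 bytes"
)

WARNING_RE = re.compile(
    r"warning: not enough free space in mail queue: (?P<free>\d+) bytes"
)

# "1.5*maximum required by default", per the reply and postconf(5) queue_minfree.
SPACE_MULTIPLIER = 1.5


def logged_free_bytes(log_line):
    """Return the free-space figure from an smtpd warning line, or None."""
    match = WARNING_RE.search(log_line)
    return int(match.group("free")) if match else None


def measured_free_bytes(queue_dir):
    """Bytes available to an unprivileged process on queue_dir's file system."""
    st = os.statvfs(queue_dir)
    return st.f_bavail * st.f_frsize


def admission(free_bytes, message_size_limit, queue_minfree=0):
    """Apply the rule from the reply. Returns (accepted, reason)."""
    if free_bytes < queue_minfree:
        return False, "free space below queue_minfree"
    if free_bytes < SPACE_MULTIPLIER * message_size_limit:
        return False, "free space below 1.5 * message_size_limit"
    return True, "enough free space"


def diagnose(log_line, queue_dir, message_size_limit, queue_minfree=0):
    """Compare what smtpd logged with what the OS reports for queue_dir.

    'disagree' is True when the logged figure leads to a rejection while the
    directory you inspected has room: the case where another file system,
    quota or a mis-measured size is worth looking for.
    """
    logged = logged_free_bytes(log_line)
    measured = measured_free_bytes(queue_dir)
    logged_ok = None
    if logged is not None:
        logged_ok = admission(logged, message_size_limit, queue_minfree)[0]
    measured_ok = admission(measured, message_size_limit, queue_minfree)[0]
    return {
        "logged_free": logged,
        "measured_free": measured,
        "logged_accepts": logged_ok,
        "measured_accepts": measured_ok,
        "disagree": logged_ok is False and measured_ok,
    }


if __name__ == "__main__":
    # Assumed limit: 50,000,000 bytes for the "50MB" named in the reply.
    # "." stands in for the real queue directory.
    for key, value in diagnose(SAMPLE_WARNING, ".", 50_000_000).items():
        print(f"{key}: {value}")
```

On a real host, take the three inputs from `postconf -h message_size_limit queue_minfree queue_directory` and pass the queue directory instead of ".".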
Re: Postfix gateway with per relayed host outgoing IP
Matus UHLAR - fantomas:
>> how?
>>
>> if you define different smtp transports with different smtp_bind_address
>> defined in master.cf, the sender_dependent_default_transport_maps should
>> do
>> what you want.

On 29.05.20 15:17, George wrote:
>Thanks for your response. My problem is that I do not know what to use in
>the file where sender_dependent_default_transport_maps is defined.
>
>Do I set it like this:
>@domain1_from_webserver1.com mastercf_transport1:
>@domain2_from_webserver1.com mastercf_transport1:
>@domain1_from_webserver2.com mastercf_transport2:
>@domain1_from_webserver2.com mastercf_transport2:

do you have mastercf_transport1 and mastercf_transport2 defined in master.cf?

>Or is there any way for me to define the incoming webserver IP in
>sender_dependent_default_transport_maps?

http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

The tables are searched by the envelope sender address and @domain.

so you can only configure sending user and sending domain there...

On 29.05.20 09:44, Wietse Venema wrote:
> It is possible to use the 'filter' command for this.
>
> /etc/postfix/main.cf
>     smtpd_client_restrictions =
>         check_client_access hash:/etc/postfix/client_access
>
> /etc/postfix/client_access:
>     1.2.3.4 filter smtp-for-4:
>     1.2.3.5 filter smtp-for-5:
>
> /etc/postfix/master.cf:
>     smtp-for-4 .. .. .. .. .. .. smtp -o smtp_bind_address=x.x.x.x
>     smtp-for-5 .. .. .. .. .. .. smtp -o smtp_bind_address=y.y.y.y

But this avoids local processing, doesn't it?
wouldn't this cause troubles if the mail was to be delivered locally?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
Re: 452 4.3.1 Insufficient system storage
On 29.05.20 15:21, Gabriele Bulfon wrote:
> the spool directory is inside a custom directory: /sonicle/var/spool/mqueue, which is under the root zfs dataset with more than 1TB of free space, and it's always been there for years.
> Also the binaries are built 32bit with large files, and they also worked like this for years.

does the system produce any kind of logs at the time problem happens?

> I have a system running for some years, recently started to send "452 4.3.1 Insufficient system storage" errors randomly.
> Sometimes 2-3 during the night, sometimes many more (20-30).
> Postfix is running under an illumos zone, over a zfs data pool with more than 1TB of free space.
> Size of emails with error is small enough to fit max message size.
> The error email shows this:
>
> Transcript of session follows.
>
> Out: 220 servername ESMTP Postfix
> In: EHLO mail1.ferrari.it
> Out: 250-servername
> Out: 250-SIZE 5000
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-STARTTLS
> Out: 250-AUTH PLAIN
> Out: 250-AUTH=PLAIN
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: STARTTLS
> Out: 220 2.0.0 Ready to start TLS
> In: EHLO sendingservername
> Out: 250-servername
> Out: 250-SIZE 5000
> Out: 250-VRFY
> Out: 250-ETRN
> Out: 250-AUTH PLAIN
> Out: 250-AUTH=PLAIN
> Out: 250-ENHANCEDSTATUSCODES
> Out: 250-8BITMIME
> Out: 250 DSN
> In: MAIL FROM: SIZE=85683
> Out: 452 4.3.1 Insufficient system storage
> In: QUIT
> Out: 221 2.0.0 Bye

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !
Re: Postfix gateway with per relayed host outgoing IP
> how?
>
> if you define different smtp transports with different smtp_bind_address defined in master.cf, the sender_dependent_default_transport_maps should do what you want.

On 29.05.20 15:17, George wrote:
> Thanks for your response. My problem is that I do not know what to use in the file where sender_dependent_default_transport_maps is defined.
>
> Do I set it like this:
> @domain1_from_webserver1.com mastercf_transport1:
> @domain2_from_webserver1.com mastercf_transport1:
> @domain1_from_webserver2.com mastercf_transport2:
> @domain1_from_webserver2.com mastercf_transport2:

do you have mastercf_transport1 and mastercf_transport2 defined in master.cf?

> Or is there any way for me to define the incoming webserver IP in sender_dependent_default_transport_maps?

http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

The tables are searched by the envelope sender address and @domain.

so you can only configure sending user and sending domain there...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
Re: Postfix gateway with per relayed host outgoing IP
On 29.05.20 12:29, George wrote:
> I have an anti spam postfix gateway running on an Ubuntu server. Currently I use relayhost on multiple web servers for sending mail through the gateway. On the postfix gateway I have multiple secondary IPs.
>
> What I want to do is to configure the gateway so mail sent from a particular web server through the gateway to go out from a particular secondary IP from the gateway server like below:
>
> webserver1 -> gateway -> secondaryIP1
> webserver2 -> gateway -> secondaryIP2
>
> I tried to use sender_dependent_default_transport_maps but had no luck so far.

how?

if you define different smtp transports with different smtp_bind_address defined in master.cf, the sender_dependent_default_transport_maps should do what you want.

> Can someone please advise on how I can go with implementing this?
>
> Thanks in advance.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Re: Postfix relay to external and internal
On 29.05.20 10:14, Dino Edwards wrote:
> I have a postfix server that acts as a relay server for several domains and relays e-mail to several external e-mail servers based on the domain. This setup has been working for years with no problems.
>
> Now I have a need to install a local mailserver (dovecot?) server on this relay server and I'm trying to figure out the best way to accomplish that. So in the end, I want to maintain the relay ability for the several domains to outside e-mail servers but I also want to be able to deliver e-mail to local mailserver with ideally virtual users.
>
> Is this possible and what would be the best way to accomplish this?

defining local domain should not affect other domains and other domains should not affect local domain, unless you break something horribly.

I would simply define test domain, real or virtual, and try to deliver mail there. Should work.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
Re: lost connection after HELO
On 28.05.20 09:36, Enrico Morelli wrote:
> I've an UPS that should send me email in case of problems. The email do not arrive because in the log I see "lost connection after HELO".
>
> I added debug_peer_list to my main.cf to debug the ups connection. Is there a way to solve the problem?
>
> May 28 09:13:15 genio postfix/smtpd[31295]: < ups-ced.domain.net[192.168.145.19]: EHLO
> May 28 09:13:15 genio postfix/smtpd[31295]: > ups-ced.domain.net[192.168.145.19]: 501 Syntax: EHLO hostname
> May 28 09:13:15 genio postfix/smtpd[31295]: watchdog_pat: 0x558d6b58d9f0
> May 28 09:13:15 genio postfix/smtpd[31295]: < ups-ced.domain.net[192.168.145.19]: HELO
> May 28 09:13:15 genio postfix/smtpd[31295]: > ups-ced.domain.net[192.168.145.19]: 501 Syntax: HELO hostname
> May 28 09:13:15 genio postfix/smtpd[31295]: watchdog_pat: 0x558d6b58d9f0
> May 28 09:13:15 genio postfix/smtpd[31295]: smtp_get: EOF

looks like your UPS does not provide hostname in EHLO/HELO message, which postfix doesn't accept.

If you can't set up a hostname on your UPS, you'll have to accept such invalid helo, perhaps as described on:

https://www.claudiokuenzler.com/blog/664/force-postfix-allow-empty-null-helo-ehlo-smtp-commands

it would be better only to accept such helo from IP of the UPS, if possible

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.
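
Added example, not part of the thread: a small parser for debug_peer_list output like the log above that lists which client IPs send HELO/EHLO without a hostname, so any exemption can be limited to exactly those addresses. The first seven sample lines are the ones quoted in the message; the last two (the "printer" client) are constructed, and the function name is an assumption.

```python
import re

SAMPLE_LOG = """\
May 28 09:13:15 genio postfix/smtpd[31295]: < ups-ced.domain.net[192.168.145.19]: EHLO
May 28 09:13:15 genio postfix/smtpd[31295]: > ups-ced.domain.net[192.168.145.19]: 501 Syntax: EHLO hostname
May 28 09:13:15 genio postfix/smtpd[31295]: watchdog_pat: 0x558d6b58d9f0
May 28 09:13:15 genio postfix/smtpd[31295]: < ups-ced.domain.net[192.168.145.19]: HELO
May 28 09:13:15 genio postfix/smtpd[31295]: > ups-ced.domain.net[192.168.145.19]: 501 Syntax: HELO hostname
May 28 09:13:15 genio postfix/smtpd[31295]: watchdog_pat: 0x558d6b58d9f0
May 28 09:13:15 genio postfix/smtpd[31295]: smtp_get: EOF
May 28 09:14:02 genio postfix/smtpd[31301]: < printer.domain.net[192.168.145.40]: EHLO printer.domain.net
May 28 09:14:02 genio postfix/smtpd[31301]: > printer.domain.net[192.168.145.40]: 250-genio
"""  # last two lines are constructed for contrast

# Any smtpd service (smtpd, submission/smtpd, ...) followed by its PID.
SMTPD_RE = re.compile(r"postfix/(?:\S+/)?smtpd\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# "< host[ip]: EHLO [argument]" is a command received from the client.
CMD_RE = re.compile(
    r"^< (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<verb>EHLO|HELO)(?:\s+(?P<arg>.*))?$",
    re.IGNORECASE,
)
# "> host[ip]: 501 Syntax: HELO hostname" is the server's rejection.
REJECT_RE = re.compile(r"^> \S+\[[^\]]+\]: 501 Syntax: (?:EHLO|HELO) hostname")


def empty_helo_clients(lines):
    """Summarise clients that sent HELO/EHLO with no hostname argument.

    Returns {ip: {"host", "empty_helo", "rejected_501", "disconnected"}}.
    """
    clients = {}
    pending = {}  # smtpd PID -> IP of the client whose empty HELO is being handled
    for line in lines:
        m = SMTPD_RE.search(line.rstrip())
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        cmd = CMD_RE.match(rest)
        if cmd:
            if (cmd.group("arg") or "").strip():
                pending.pop(pid, None)  # well-formed greeting, nothing to flag
                continue
            ip = cmd.group("ip")
            entry = clients.setdefault(ip, {
                "host": cmd.group("host"),
                "empty_helo": 0,
                "rejected_501": 0,
                "disconnected": False,
            })
            entry["empty_helo"] += 1
            pending[pid] = ip
            continue
        ip = pending.get(pid)
        if ip is None:
            continue
        if REJECT_RE.match(rest):
            clients[ip]["rejected_501"] += 1
        elif rest == "smtp_get: EOF":
            # The client dropped the connection after being rejected.
            clients[ip]["disconnected"] = True
            del pending[pid]
    return clients


if __name__ == "__main__":
    for ip, info in empty_helo_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```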
Re: milter after queue
On 08.05.20 05:11, NBNabble wrote:
> Hi Wietse,

I am not wietse but I hope it won't distract you.

> I have a question to your hint using a null SMTP based listener.
>
> I am Using Ciphermail as an encryption gateway. Pre-Queue mails are send to an external milter for Spam/Virus Checks. After that, post-queue, the encryption gateway is a content_filter.
>
> I am looking for a solution to resend the mails to the milter again, after the first content filter. So in case there is malware in a decrypted mail, I also get that.
>
> Do you have any idea, how I could recheck the mails again with the milter? Post queue?

milter is SMTP-level option. However, if you need to check something again, your decryption gateway can return mail on a IP:port where milter will run too.

Note that you must take care of what happens if the second milter will reject the mail - what will the decryption gateway do.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.
Re: Uninstalling postgrey
On 24.05.20 21:04, Ian Evans wrote:
> Based on another thread here, I want to move to using postscreen/postwhite and ditch postgrey.
>
> Just want to make sure I don't bungle stopping postgrey.
>
> So...
>
> - edit main.cf and remove "check_policy_service inet:127.0.0.1:10023" from smtpd_recipient_restrictions.
> - restart Postfix
> - purge the postgrey package.
>
> Then go about getting postscreen working.

I'd set up postscreen before postgrey, that requires editing master.cf too.
however, it's quite easy if you follow the docs.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: Preferred/maintained greylisting options?
On 21.05.20 14:49, Charles Sprickman wrote:
> I have a site with a very old domain that’s at the front of the alphabet. For some reason (age, alphabetical order, ???) that domain gets bombarded with spam before the senders make it onto any of the blacklists I use (even trialed a few for-profit blacklists). Literally some of these miss getting caught by 2-3 minutes.
>
> Aside from the general jaw-on-floor reaction I have to just how so many new “clean” IPs are enlisted in these spamming efforts on a daily basis, I was wondering if greylisting might be a good option here. One of the folks that runs the Abusix service suggested this since he pointed out that I’m really missing these spammers by minutes…
>
> What is your “go to” greylisting solution these days? My main concerns are that it’s something that’s well-maintained, does not need babysitting, and is here for the long haul.

postscreen provides very similar functionality.

If needed, I would try dcc
https://www.dcc-servers.net/dcc/

for the greylisting functionality:
https://www.dcc-servers.net/dcc/greylist.shtml

> I’ve been sort of opposed to greylisting in the past due to a userbase that’s sensitive to delays, but… the spam is worse.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete
Re: On-Hold instead of sending
On 19.05.20 11:43, Daniel Ryšlink wrote:
> Sorry for asking instead of researching and testing myself (time pressure), but can someone tell me how to define a transport that would move all mail from the IP x.y.z.q to the On-Hold queue instead of sending it normally?

header_checks on Received: header and the IP with HOLD action.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
Re: Undefined Parameters
On 17.05.20 22:51, Geoff Jankowski wrote:
> I am using postfix 3.4.8 on Debian 10 (hostname xerxes) and am trying to set up my IPv6 interface on eth0. The last instruction in the guide is to run:
>
> service networking restart
>
> But it fails to bring up the interface (which is working on IPv4). It tries to run:
>
> ExecStart=/sbin/ifup -a --read-environment (code=exited, status=1/FAILURE)
>
> And the critical errors given are:
>
> May 17 23:15:45 xerxes ifup[5524]: ifup: failed to bring up eth0
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
>
> Reading /etc/network/Ifup it refers to using postconf which for Debian 10 is in /etc/sbin/ but it cannot be read as it appears to be a binary file(?).

postconf is the program that complains, you don't have to see its content.
It's complaining about content of /etc/postfix/master.cf, not /usr/sbin/postconf

> When I investigate my master.cf file these three elements
>
> mua_sender_restrictions, mua_client_restrictions and mua_helo_restrictions
>
> Are commented out so no definition is given and I assume that postconf is looking for them. Reading the postfix.org site I chose recommended settings for each of these items, uncommented the lines and inserted them. To be safe, I rebooted.

They are default in master.cf but commented out for submission and smtps services:

# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions

I usually leave them commented out.

> Immediately after reboot, I ran a status request and the output was as follows:
>
> May 17 23:15:45 xerxes ifup[5524]: ifup: failed to bring up eth0
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_sender_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_client_restrictions
> May 17 23:15:45 xerxes ifup[5524]: postconf: warning: /etc/postfix/master.cf: undefined parameter: mua_helo_restrictions

How and where did you define them?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: Postfix error "501 5.5.4 Invalid domain name"
On 14.05.20 09:07, SysAdmin EM wrote:
> I have two servers running on Postfix, one of which runs version 2.10.1 and the other server runs version 3.4.7.
>
> On the server where I am running version 3.4.7, I receive "501 5.5.4 Invalid domain name" errors in emails sent to different servers.
>
> The mail is sent to postfix through exim from a relay connection. The reverse of the IP is configured correctly and the From domain is also responding.
>
> # Log example
> postfix-out/smtp[12931]: E30639204ED: to=, relay= hotmail-com.olc.protection.outlook.com[104.47.124.33]:25, delay=1.4, delays=0.08/0/1.4/0, dsn=5.5.4, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.124.33] refused to talk to me: 501 5.5.4 Invalid domain name [ HK2APC01FT037.eop-APC01.prod.protection.outlook.com])

is your hostname really "HK2APC01FT037.eop-APC01.prod.protection.outlook.com"?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
Re: (Calling Kurt Roeckx, Postfix + OpenSSL on Debian buster) (was: "SSL_Shutdown:shutdown while in init" while sending and receiving)
>> Is this the stock OpenSSL for your system, or your own build?

> There's just one OpenSSL library installed on the system, the stock version supplied by the OS's package manager.
>
> $ ldd | grep ssl
> libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x7f13e45fe000)
> $ strings /usr/lib/x86_64-linux-gnu/libssl.so.1.1 | grep 'OpenSSL'
> OpenSSL 1.1.1d 10 Sep 2019

>> What OS are you running?

On Wed, May 13, 2020 at 06:03:42PM -0700, Alexander Vasarab wrote:
> Debian GNU/Linux 10 (buster aka stable). Yesterday, I bumped libssl1.1 to the version available in the testing distribution, which is 1.1.1g, and noticed no change in the faulty behavior. Now I'm back to stable's 1.1.1d.

On 13.05.20 21:32, Viktor Dukhovni wrote:
> At this point it becomes interesting what Debian-specific changes there may be in OpenSSL 1.1.1. Perhaps Kurt Roeckx (I believe he's on this list), might comment. The behaviour you're reporting exhibits issues below Postfix.
>
> Are any other Debian users seeing similar issues?

none so far on those few debian 10 systems I checked.

Can't that be kind of sender verification where the SMTP client doesn't cleanly close TLS connection?

shouldn't we focus on failed client connections?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
Re: null recipient "@example.com"@example.com accepted
On 07.05.20 12:26, Matus UHLAR - fantomas wrote:
>> I just received mail where user specified destination address:
>> @example@example.com
>>
>> the mail was accepted and forwarded to "empty_address_recipient",
>>
>> which docs' say:
>>
>> "...Postfix does not accept such addresses in SMTP commands..."
>> http://www.postfix.org/postconf.5.html#empty_address_recipient

On 13.05.20 10:14, Wietse Venema wrote:
> There was a malformed recipient that looked like "@some-local-domain"@some-local-domain
>
> See http://www.postfix.org/postconf.5.html#resolve_dequoted_address for why Postfix looks inside the quotes and tries to deliver to ""@some-local-domain.

shouldn't this address be treated as empty and therefore rejected?
at least when resolve_dequoted_address is set to yes (default)

> With empty_address_recipient=no, Postfix would reject the address with "unknown user", because there is no user named "@some-local-domain".

isn't empty_address_recipient supposed to be the recipient, so empty_address_recipient=no just set it to local "no" user?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: null recipient "@example.com"@example.com accepted
Hello,

Any idea if I can disable these attempts?

On 07.05.20 12:26, Matus UHLAR - fantomas wrote:
> I just received mail where user specified destination address:
> @example@example.com
>
> the mail was accepted and forwarded to "empty_address_recipient",
>
> which docs' say:
>
> "...Postfix does not accept such addresses in SMTP commands..."
> http://www.postfix.org/postconf.5.html#empty_address_recipient
>
> however, the address is accepted from remote sites, when I enter destination domain this way.
>
> Even newer postfix versions (3.4.8 checked) accept it.
>
> Should such destination addresses be accepted?
>
> postfix 2.11.3, Debian 8
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I don't have lysdexia. The Dog wouldn't allow that.
Re: "SSL_Shutdown:shutdown while in init" while sending and receiving
On 12/05/20 05:40 -0400, Viktor Dukhovni wrote:
> Indeed the server slams the TCP socket closed after receiving the client's RCPT command. Unclear why. You might try debug_peer_list next, to see whether the server can log enough cleartext traffic to expose the SMTP traffic inside TLS.

On 12.05.20 15:08, Alexander Vasarab wrote:
> Thanks. Using debug_peer_list, I have a few more pieces of information.
>
> May 12 14:27:21 vasaconsulting postfix/smtpd[3482]: > []: 235 2.7.0 Authentication successful
> May 12 14:27:21 vasaconsulting postfix/smtpd[3482]: watchdog_pat: 0x55bec82e41e0
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: < []: MAIL FROM:<>
> ...lots of debug info e.g. send attr, etc...
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: > []: 250 2.1.0 Ok
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: watchdog_pat: 0x55bec82e41e0
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: < []: RCPT TO:<>
> ...lots of debug info e.g. config maps, etc...
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: > []: 250 2.1.5 Ok
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: watchdog_pat: 0x55bec82e41e0
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: warning: TLS library problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init:../ssl/ssl_lib.c:2086:
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: smtp_get: EOF
> ...some match_hostname stuff, etc...
> May 12 14:27:22 vasaconsulting postfix/smtpd[3482]: lost connection after RCPT from []

maybe some form of address verification?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: mail from external servers connecting but timing out after tls established. t.s.
On 08.05.20 13:01, Thomas Strike wrote:
>> Subject: mail from external servers connecting but timing out after tls established. t.s.
>>
>> External smtp servers time out after tls v1.2 is established. the following is from the maillog;
>>
>> May 8 17:40:48 sleepyvalley postfix/smtps/smtpd[17534]: connect from unknown[185.50.149.12]

On 08.05.20 20:57, Matus UHLAR - fantomas wrote:
> remote servers don't connect to smtps port. These are remote clients, guessing passwords.
>
> and this address block looks familiar to me,

... apparently abusers

>> I set up certificates with letsencrypt. If these certs are wrong, would that cause this type of behavior?
>
> no.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton
Re: mail from external servers connecting but timing out after tls established. t.s.
On 08.05.20 13:01, Thomas Strike wrote:
Subject: mail from external servers connecting but timing out after tls established. t.s.
External smtp servers time out after tls v1.2 is established. the following is from the maillog;

May 8 17:40:48 sleepyvalley postfix/smtps/smtpd[17534]: connect from unknown[185.50.149.12]

remote servers don't connect to smtps port. These are remote clients, guessing passwords. and this address block looks familiar to me,

I set up certificates with Let's Encrypt. If these certs are wrong, would that cause this type of behavior?

no.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: hostname in sasl/pam requests
Matus UHLAR - fantomas:
I have set up pam_abl to automatically block hosts and users from logging. Unfortunately, the hostname seems not to be visible in pam logs:

May 7 17:49:38 mail pam-abl[18692]: Blocking access from (null) to service smtp, user xxx

is it possible to pass connecting hostname to pam somehow?

On 07.05.20 13:07, Wietse Venema wrote:
Is this Cyrus SASL or dovecot SASL? Postfix passes the client info to Dovecot and Cyrus.

On 07.05.20 19:20, Matus UHLAR - fantomas wrote:
cyrus 2.1.27, postfix 3.4.8 (debian 10) I will look into it deeper.

and there it is: https://github.com/cyrusimap/cyrus-sasl/pull/6

ksmurchison commented on Nov 23, 2016
I think I'd like to hold off on this until a 2.2 release. I don't want to change the wire protocol in a patch version

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Re: hostname in sasl/pam requests
Matus UHLAR - fantomas:
I have set up pam_abl to automatically block hosts and users from logging. Unfortunately, the hostname seems not to be visible in pam logs:

May 7 17:49:38 mail pam-abl[18692]: Blocking access from (null) to service smtp, user xxx

is it possible to pass connecting hostname to pam somehow?

On 07.05.20 13:07, Wietse Venema wrote:
Is this Cyrus SASL or dovecot SASL? Postfix passes the client info to Dovecot and Cyrus.

cyrus 2.1.27, postfix 3.4.8 (debian 10) I will look into it deeper.

smtpd_sasl_glue.c:

    #define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
    #define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)

    if ((state->sasl_server =
         XSASL_SERVER_CREATE(smtpd_sasl_impl, _args,
                             stream = state->client,
                             addr_family = state->addr_family,
                             server_addr = ADDR_OR_EMPTY(state->dest_addr, SERVER_ADDR_UNKNOWN),
                             server_port = ADDR_OR_EMPTY(state->dest_port, SERVER_PORT_UNKNOWN),
                             client_addr = ADDR_OR_EMPTY(state->addr, CLIENT_ADDR_UNKNOWN),
                             client_port = ADDR_OR_EMPTY(state->port, CLIENT_PORT_UNKNOWN),
                             service = var_smtpd_sasl_service,
                             user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
                             security_options = sasl_opts_val,
                             tls_flag = tls_flag)) == 0)
        msg_fatal("SASL per-connection initialization failed");

xsasl_cyrus_server.c

    server_addr_port = (*args->server_addr && *args->server_port ?
                        concatenate(args->server_addr, ";",
                                    args->server_port, (char *) 0) : 0);
    client_addr_port = (*args->client_addr && *args->client_port ?
                        concatenate(args->client_addr, ";",
                                    args->client_port, (char *) 0) : 0);
    ...
    if ((sasl_status =
         SASL_SERVER_NEW(args->service, var_myhostname,
                         args->user_realm ? args->user_realm : NO_AUTH_REALM,
                         server_addr_port, client_addr_port,
                         NO_SESSION_CALLBACKS, NO_SECURITY_LAYERS,
                         _conn)) != SASL_OK) {
        msg_warn("SASL per-connection server initialization: %s",
                 xsasl_cyrus_strerror(sasl_status));
        XSASL_CYRUS_SERVER_CREATE_ERROR_RETURN(0);
    }

xsasl_dovecot_server.c:

    server->client_addr = mystrdup(args->client_addr);

    vstream_fprintf(server->impl->sasl_stream,
                    "AUTH\t%u\t%s\tservice=%s\tnologin\tlip=%s\trip=%s",
                    server->last_request_id, sasl_method,
                    server->service, server->server_addr,
                    server->client_addr);

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
hostname in sasl/pam requests
Hello, I have set up pam_abl to automatically block hosts and users from logging. Unfortunately, the hostname seems not to be visible in pam logs: May 7 17:49:38 mail pam-abl[18692]: Blocking access from (null) to service smtp, user xxx is it possible to pass connecting hostname to pam somehow? (I would like to block hosts as well as users when possible) -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I just got lost in thought. It was unfamiliar territory.
Re: Illegal address syntax
On 06.05.20 23:51, Pedro David Marco wrote: Hi! Is it possible to make Postfix Reject instead of warn for "Illegal address syntax"? Thanks! doesn't it reject? I have rejections here although log says warn: May 7 08:22:43 mail postfix/smtps/smtpd[653]: connect from unknown[192.168.x.x] May 7 08:22:44 mail postfix/smtps/smtpd[653]: warning: Illegal address syntax from unknown[192.168.x.x] in RCPT command: May 7 08:22:47 mail postfix/smtps/smtpd[653]: disconnect from unknown[192.168.x.x] ehlo=1 auth=1 mail=1 rcpt=0/1 quit=1 commands=4/5 -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Enter any 12-digit prime number to continue.
null recipient "@example.com"@example.com accepted
Hello,

I just received mail where user specified destination address: @example@example.com

the mail was accepted and forwarded to "empty_address_recipient", which docs say: "...Postfix does not accept such addresses in SMTP commands..."
http://www.postfix.org/postconf.5.html#empty_address_recipient

however, the address is accepted from remote sites, when I enter destination domain this way. Even newer postfix versions (3.4.8 checked) accept it.

Should such destination addresses be accepted?

postfix 2.11.3, Debian 8

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*
Re: probably bug in postfix3-3.4
natan maciej milaszewski:
Thanks for reply:

May  5 06:00:51 smtp1 postfix/smtpd[5939]: warning: Illegal address syntax from unknown[217.153.30.34] in RCPT command: <>
...
May  5 06:00:54 smtp1 postfix/smtpd[6444]: warning: unknown[111.72.195.23]: SASL LOGIN authentication failed: authentication failure
May  5 06:00:54 smtp1 postfix/submission/smtpd[6464]: warning: hostname zg-0428c-286.stretchoid.com does not resolve to address 162.243.138.183: Name or service not known

nothing else

On 06.05.20 09:07, Wietse Venema wrote:
That is FOUR SECONDS of Postfix logging. That is even less than the Postfix timeout for delivering mail over SMTP. You need to collect logs over at least 5 minutes.

ideally, check logs between reload and when you notice postfix not running.

mail that enters queue active and qmgr that finds is there is expected. the question is why nothing happened to the mail later.

see one some of queue ids in logs:

May 6 14:14:45 server postfix/smtpd[10544]: connect from XXX[10.x.x.x]
May 6 14:14:45 server postfix/smtpd[10544]: 56BD5280282: client=XXX[10.x.x.x]
May 6 14:14:45 server postfix/cleanup[10678]: 56BD5280282: message-id=<1588767287@xxx.sk>
May 6 14:14:45 server postfix/qmgr[2545]: 56BD5280282: from=, size=1035, nrcpt=2 (queue active)
May 6 14:14:45 server postfix/smtpd[10544]: disconnect from XXX[10.x.x.x] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 6 14:14:45 server postfix/smtp[10680]: 56BD5280282: to=, relay=YYY[y.y.y.y]:25, delay=0.14, delays=0.07/0/0.06/0.01, dsn=2.0.0, status=sent (250 2.0.0 046CEjeo032470-046CEjeq032470 Message accepted for delivery)
May 6 14:14:45 server postfix/qmgr[2545]: 56BD5280282: removed

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
Re: filtering locally submitted emails / tidying up the config
Patrick Proniewski:
It negates the benefit you were writing about as amavisd-milter will drop the message on the milter interface (postfix/cleanup[26401]: 87E5316135: milter-discard: END-OF-MESSAGE from localhost[127.0.0.1]: milter triggers DISCARD action) and re-inject it in an after-queue SMTP with no filtering. No big deal for me.

On 02 May 2020, at 14:19, Wietse Venema wrote:
Well that is broken. It should NOT return a DISCARD to Postfix then re-inject the entire message over SMTP. Instead it should just return an OK for Postfix to deliver the message (after adding the headers). Once you turn off the re-inject-over-SMTP it might actually try to add headers to the message.

On 02.05.20 17:46, Patrick Proniewski wrote:
well in fact I've tried the default settings first ("client" as per <https://manpages.debian.org/testing/amavisd-milter/amavisd-milter.8.en.html#D>), the milter works as expected but won't add X-Spam-* headers.

strange, where I run amavisd-milter, -D client is used and users get the header. Do you have $mydomains properly set up in amavis? I get SA headers added only to incoming mail using milter and "-D client".

I get the headers I want if I let amavisd deliver the mail, instead of amavisd-milter. You suggest I disable the $forward method in amavisd.conf and keep "-D server" for amavisd-milter? I can try that.

No. The " -D server" is what causes the milter to issue the DISCARD to postfix, and expect amavis to use $forward_method to send the mail. I guess using "-D server" and disabling $forward_method would discard your mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
Re: why DMARC PASS even SPF got failed
Benny Pedersen wrote:
if srs was used it will never get spf pass, since original sender ip is outside of original sender ip allow, better let it die slowly

On 29.04.20 08:16, Philip wrote:
do you mean letting SRS die slowly?

better not; still better to have SPF pass with unaligned (failed) DMARC than SPF fail (or softfail) with failed DMARC

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: why DMARC PASS even SPF got failed
Scott Kitterman wrote:
Yes. If either passes and the relevant identifier is aligned, DMARC passes.

On April 28, 2020 9:29:59 AM UTC, Philip wrote:
Scott, I have another question. Given the case there is no DKIM signed in original message, when forwarding MTA implement a SRS in the outgoing forwarded email, the receiving MTA will think the envelope domain was not matched with From: domain in message header. In this case will DMARC fail?

On 28.04.20 10:17, Scott Kitterman wrote:
Yes. That fails the "if aligned" part of the test.

however, SPF will not fail here. So, sender using DKIM and forwarder using SRS will make both SPF and DMARC pass.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
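The pass/fail combinations discussed in this thread (direct delivery, forwarding with and without SRS, with and without a surviving DKIM signature), as an added example that is not part of the original messages. All domains are constructed, and `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption: real DMARC implementations use the Public Suffix List,
    which matters for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or same org domain (relaxed)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str            # domain of the From: header
    envelope_from: str          # MAIL FROM domain, the identity SPF checks
    spf_result: str             # "pass", "fail", "softfail", "none"
    dkim_domain: Optional[str]  # d= of a verifying signature, None if none verifies


def evaluate_dmarc(msg: Message, aspf_strict: bool = False,
                   adkim_strict: bool = False) -> dict:
    """DMARC passes if SPF or DKIM passes AND that identifier is aligned."""
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.envelope_from, msg.header_from, aspf_strict))
    dkim_ok = (msg.dkim_domain is not None
               and aligned(msg.dkim_domain, msg.header_from, adkim_strict))
    return {
        "spf": msg.spf_result,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


# Constructed scenarios. SRS rewrites the envelope sender to the forwarder's
# domain, so SPF passes for the forwarder but is no longer aligned with From:.
SCENARIOS = {
    "direct, no DKIM":
        Message("example.org", "example.org", "pass", None),
    "forwarded, no SRS, no DKIM":
        Message("example.org", "example.org", "fail", None),
    "forwarded, no SRS, DKIM survives":
        Message("example.org", "example.org", "fail", "example.org"),
    "forwarded with SRS, no DKIM":
        Message("example.org", "forwarder.example", "pass", None),
    "forwarded with SRS, DKIM survives":
        Message("example.org", "forwarder.example", "pass", "mail.example.org"),
}


def run_scenarios() -> dict:
    """Map each scenario name to (SPF result, DMARC result)."""
    out = {}
    for name, msg in SCENARIOS.items():
        res = evaluate_dmarc(msg)
        out[name] = (res["spf"], res["dmarc"])
    return out


if __name__ == "__main__":
    for name, (spf, dmarc) in run_scenarios().items():
        print(f"{name:36s} SPF={spf:5s} DMARC={dmarc}")
```
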
Re: postfix + forwadgroup + external amavis with haproxy and no_address_mappings
On 28.04.20 10:15, natan maciej milaszewski wrote:
I have debian 9 and postfix 3.1.14. Generally, I have distributed mail traffic over several machines

#other go to amavis
0.0.0.0/0 FILTER smtp-amavis:[127.0.0.1]:10628

master.cf:
smtp-amavis unix - - - - 80 smtp
  -o smtp_data_done_timeout=6000s
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

I believe you should use lmtp instead of smtp for amavis connections.

#80 connections - and in my amavis I have 90 (10+overtime )
#returns from amavis IP .199
86.xxx.xxx.199:10027 inet n - n - - smtpd
  -o smtpd_proxy_timeout=900s
  -o content_filter=
  -o mynetworks_style=host
  -o mynetworks=10.0.100.0/24,86.xxx.xxx.199/32,
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o strict_rfc821_envelopes=yes
  -o smtp_tls_security_level=none
  -o smtpd_tls_security_level=none
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_end_of_data_restrictions=
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

All works fine but sometimes my "users" use a mail forwarding In that forwarding have (100-200 email) like

forwarding how?

u...@domain1.ltd ---> us...@domain1.ltd, us...@domain1.ltd, u...@domain2.ltd, us...@domainx.ltd

And all forward e-mail was "releback" in smtp and go to amavis.

do you want to say that users send the same mail to postfix, not from any of whitelisted addresses? Maybe you should whitelist localhost (127.0.0.1) too.

sometimes i get
delay=127.0.0.1[127.0.0.1]:10628, conn_use=3, delay=6773, delays=6517/5.8/0/250, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while sending end of data -- message may be sent more than once)

lmtp should help here.

"smtp_connection_reuse_time_limit" is default 300s

connection reuse won't help here. timeouts and smtp are the problem here.

I solve this problem by adding: in master.cf
1)
smtp inet n - y - 100 smtpd
  -o receive_override_options=no_address_mappings
2) remove "no_address_mappings" in transport:
..
86.xxx.xxx.199:10027 inet n - n - - smtpd
  -o smtpd_proxy_timeout=900s
..

No, you don't solve the problem, you work around the problem.

and change map /etc/postfix/amavis_bypass
...
#without amavis
86.xxx.xxx.0/24 FILTER smtp:10.0.100.5:10025
.
and I add another local transport like:
10.0.100.5:10025 inet n - n - - smtpd

you are only making this complicated.

This working - My question is. Is there a simpler solution? Because now my "mail route" is:
- incoming e-mail
- if IP (whitelisted) go to:
- local transport 10.0.100.5 and go to lmtp
- if IP (from 0.0.0.0) go to:
- local haproxy
- local haproxy go to amavis
- amavis scanned
- amavis return to postfix
- postfix local transport 10.0.100.5 and go to lmtp

use LMTP for filtering.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore. If you need cookies, bake them yourself.
Re: header_checks question
On 27.04.20 13:27, Juan Manuel P wrote:
Hello Wietse do you mean to use HOLD action on header_checks ? like this ?

/^Subject:.*hacked*/ HOLD

And that whats suppose to do ?

if Wietse's message wasn't enough for you, I recommend looking at http://www.postfix.org/header_checks.5.html

It is held the email on the queue ? and I can check with mailq command ? and later delete from queue and email me a alert

Sorry for ask and not try, because we have only environment on production and don't make a mistake on the service.

On Mon, 27 Apr 2020 at 12:59, Wietse Venema () wrote:
jmpatagonia:
> Hello I need help to using header_checks, I create a rule
>
> /^Subject:.*hacked*/ DISCARD

An alternative is to use HOLD action, assuming you aren't using software that hijacks the HOLD feature for other purposes, such as mailscanner. Then you can review the email with "postcat -q" and delete it with "postsuper -d".

> that work properly, but a want to know it is possible to email me or to alert
> me when this rule occur or is applied. For some way. Obviously I see that on
> the mail.log

A logfile scanner such as fail2ban could do that for you. Ideally there is a rate limit so that you won't be email bombed.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take to take effect. [OK]
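A minimal rate-limited logfile scanner for header_checks HOLD events, of the kind suggested in this message, as an added example that is not part of the original thread and is not fail2ban's code. The log lines are constructed, and the limit of two alerts per five minutes and the function names are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Postfix cleanup(8) logs a header_checks HOLD as:
#   QUEUEID: hold: header <header line> from client[addr]; from=<..> to=<..> ...
HOLD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix(?:/\w+)*/cleanup\[\d+\]:\s"
    r"(?P<qid>[0-9A-Za-z]+):\shold:\sheader\s(?P<header>.*?)\sfrom\s"
    r"(?P<client>\S+\[[^\]]+\]);\sfrom=<(?P<sender>[^>]*)>\sto=<(?P<rcpt>[^>]*)>"
)

# Constructed sample log (not from the thread).
SAMPLE_LOG = """\
Apr 27 13:05:01 mail postfix/cleanup[2211]: 4B1C22A0F1: hold: header Subject: your account was hacked from mx.example.net[192.0.2.10]; from=<promo@example.net> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Apr 27 13:05:02 mail postfix/smtpd[2209]: disconnect from mx.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Apr 27 13:05:07 mail postfix/cleanup[2211]: 4B1C22A0F7: hold: header Subject: greetings from hacked server from mx.example.net[192.0.2.10]; from=<> to=<user@example.org> proto=ESMTP helo=<mx.example.net>
Apr 27 13:05:30 mail postfix/cleanup[2211]: 4B1C22A101: hold: header Subject: hacked from mx2.example.net[192.0.2.11]; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<mx2.example.net>
Apr 27 13:06:10 mail postfix/cleanup[2211]: 4B1C22A10B: hold: header Subject: hacked again from mx2.example.net[192.0.2.11]; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<mx2.example.net>
Apr 27 13:12:00 mail postfix/cleanup[2230]: 4B1C22A115: hold: header Subject: hacked once more from mx2.example.net[192.0.2.11]; from=<a@example.net> to=<user@example.org> proto=ESMTP helo=<mx2.example.net>
"""


def parse_hold(line, year):
    """Return a dict for a HOLD log line, or None for any other line."""
    m = HOLD_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    # Traditional syslog timestamps carry no year, so the caller supplies it.
    ev["time"] = datetime.strptime(f"{year} {ev.pop('ts')}", "%Y %b %d %H:%M:%S")
    return ev


def scan(lines, year, max_alerts=2, window=timedelta(minutes=5)):
    """Return (alerts, suppressed_total) with at most max_alerts per window."""
    sent = deque()       # times of alerts already emitted inside the window
    alerts = []
    pending = 0          # matches suppressed since the last emitted alert
    suppressed_total = 0
    for line in lines:
        ev = parse_hold(line, year)
        if ev is None:
            continue
        while sent and ev["time"] - sent[0] >= window:
            sent.popleft()
        if len(sent) >= max_alerts:
            pending += 1
            suppressed_total += 1
            continue
        ev["suppressed_before"] = pending
        pending = 0
        sent.append(ev["time"])
        alerts.append(ev)
    return alerts, suppressed_total


def format_alert(ev):
    """Alert body with the review and delete commands named in the thread."""
    return (
        f"{ev['time']:%Y-%m-%d %H:%M:%S} held {ev['qid']} from {ev['client']}\n"
        f"  {ev['header']}\n"
        f"  sender=<{ev['sender']}> rcpt=<{ev['rcpt']}> "
        f"(+{ev['suppressed_before']} suppressed earlier)\n"
        f"  review: postcat -q {ev['qid']}    delete: postsuper -d {ev['qid']}"
    )


if __name__ == "__main__":
    found, dropped = scan(SAMPLE_LOG.splitlines(), year=2020)
    for event in found:
        print(format_alert(event))
    print(f"{dropped} match(es) suppressed by the rate limit")
```
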
Re: PATCH: Glibc-2.31 DNSSEC and GCC 10
Wietse Venema: Rich Felker: > > It would be a mistake to use TLSA records from an unsigned domain. > > That would be no more secure than accepting a random server > > certificate. All the pain of doing TLSA and none of the gain, just > > security theatre. > > It's not security theater. It (1) ensures that you do use records for > a signed domain even if you were unable to determine it was signed, > due to issues like lack of AD bit in musl or stripping of AD bit by > glibc default configuration, and (2) makes it so an attacker wanting > to MITM needs to be able to do so on DNS channel, not just route to > the MX. (For example this might be difficult or impossible for the > attacker if DNS is routed over DoH, or if attacker can sit somewhere > between client and MX but not between client and the nearest anycast > 8.8.8.8.) Congratulations! You just gave a new definition of security theatre: using an unauthenticated channel to distribute trust anchors. You can consider libc-musl as unsupported from now on. On 19.04.20 13:11, Wietse Venema wrote: Verified on alpine-3.11.5. alpine:~/postfix-3.6-20200419$ make makefiles ... Warning: libc-musl breaks DANE/TLSA security. Use a glibc-based Linux distribution instead. Remove this test to build unsupported Postfix. make: *** [Makefile:79: makefiles] Error 1 Isn't this contrary to what you have said before? https://marc.info/?l=postfix-users=158715103506366=2 However, if people want to shoot themselves in the foot, then Postfix won't stop them. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux - It's now safe to turn on your computer. Linux - Teraz mozete pocitac bez obav zapnut.
Re: dumbest questions about limit
>On Thu, 16 Apr 2020 at 15:40, natan maciej milaszewski wrote: >> Sorry about probably dumbest questions. What does it really mean? >> >> 552 5.3.4 Message size exceeds fixed limit >> >> Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: NOQUEUE: reject: MAIL from >> mail-il1-f169.google.com[209.85.166.169]: 552 5.3.4 Message size exceeds >> fixed limit; proto=ESMTP helo= >> Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: too many errors after MAIL >> from mail-il1-f169.google.com[209.85.166.169] >> Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: disconnect from >> mail-il1-f169.google.com[209.85.166.169] ehlo=2 starttls=1 mail=0/1 >> commands=3/4 >> >> in postfix i set >> message_size_limit = 2324 >> mailbox_size_limit = 0 >> >> postconf -n |grep "_size_limit" >> mailbox_size_limit = 0 >> message_size_limit = 2324 On 16.04.20 16:07, Dominic Raferd wrote: >Pretty much what it says. An incoming mail will be refused if its size >exceeds message_size_limit (in bytes). It is undocumented (and not >recommended) to use message_size_limit=0 meaning 'no limit' - although >mailbox_size_limit=0 is valid/documented. > >Although your postconf is reporting 2324 (a little over 22MB), you >can (and may) have different settings in master.cf which override this >- for instance for authenticated vs non-authenticated incoming mails. On Thu, 16 Apr 2020 at 16:15, Matus UHLAR - fantomas wrote: note that some SMTP clients don't check SIZE option your SMTP server sends to them and some don't announce the SIZE in MAIL FROM command. You would not see this message otherwise :-) On 16.04.20 16:28, Dominic Raferd wrote: But I would expect that in this case (when client does not admit to smtpd at start that message will be over size limit) the message would still be rejected by smtpd (and with the same message) only it will happen once the amount of data received actually exceeds the limit rather than at the start? 
Otherwise it would be a way for clients to get round the size restriction, and send unlimited data. Yes. I just wanted to add that the client does not check for provided SIZE option and thus it's possible that oversized message was transferred. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: dumbest questions about limit
On Thu, 16 Apr 2020 at 15:40, natan maciej milaszewski wrote: Sorry about probably dumbest questions. What does it really mean? 552 5.3.4 Message size exceeds fixed limit Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: NOQUEUE: reject: MAIL from mail-il1-f169.google.com[209.85.166.169]: 552 5.3.4 Message size exceeds fixed limit; proto=ESMTP helo= Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: too many errors after MAIL from mail-il1-f169.google.com[209.85.166.169] Apr 16 16:03:48 thebe4 postfix/smtpd[11692]: disconnect from mail-il1-f169.google.com[209.85.166.169] ehlo=2 starttls=1 mail=0/1 commands=3/4 in postfix i set message_size_limit = 2324 mailbox_size_limit = 0 postconf -n |grep "_size_limit" mailbox_size_limit = 0 message_size_limit = 2324 On 16.04.20 16:07, Dominic Raferd wrote: Pretty much what it says. An incoming mail will be refused if its size exceeds message_size_limit (in bytes). It is undocumented (and not recommended) to use message_size_limit=0 meaning 'no limit' - although mailbox_size_limit=0 is valid/documented. Although your postconf is reporting 2324 (a little over 22MB), you can (and may) have different settings in master.cf which override this - for instance for authenticated vs non-authenticated incoming mails. note that some SMTP clients don't check SIZE option your SMTP server sends to them and some don't announce the SIZE in MAIL FROM command. You would not see this message otherwise :-) -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Spam is for losers who can't get business any other way.
Re: Possible header_check solution?
On 14/04/2020 18:42, Rick King wrote: We have a customer that occasionally receives messages like this... Return-Path: From: "Free iPad " To: Subject:Free iPad Any suggestions welcome! Thank you! On 15.04.20 11:09, Allen Coates wrote: I am no expert on pattern matching, but could you pick up on the "mydomain.tld, close-chevron, close-quotes, space, open-chevron" sequence? Is there any occasion where that would be legitimate? this is may be common e.g. with mailing lists that try to work around DMARC limitation, where they must not forward mail with original From: This was discussed in spamassassin mailing list recently. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Chernobyl was an Windows 95 beta test site.
Re: modifying outbound email headers
On 06.04.20 11:01, Stefan Claas wrote:
>my postfix mail server works perfectly so far.
>
>However, I am now facing the following problem and have tried as best as I
>can to find a solution to this.
>
>I run an anonymous remailer, which also allows sending emails to mail2news
>gateways for Usenet postings. So far so good.
>
>I would like to achieve the following:
>postfix should modify outgoing email headers that *only* go to mail2news
>gateways, using the email gateway addresses for parsing, so that the right
>part of the message ID, after the @ character, will be modified with a
>defined string.

Matus UHLAR - fantomas wrote:
your mail2news gateway should do that.

On 06.04.20 12:43, Stefan Claas wrote:
I thought that as well, but the problem would be when users send the same message to multiple mail2news gateways, which is often the case, the News articles would then arrive with different message-IDs.

you can instruct your mail2news gateway to modify message-id in exactly the same way you described. In such case the result will be the same.

However, Usenet news use Message-ID for duplicity detection and I see caveats:
- if user sends the same message to multiple gateways (one on your system, one on other), duplicate news article will be created, one with original message-id, another with what you modify it to.
- if user sends the same message multiple times to mail2news gateway, the article will be only created once and second post will be rejected.

I recommend keeping the message-id to avoid duplicates. Multiple postings have to be solved different way.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Honk if you love peace and quiet.
Re: modifying outbound email headers
On 06.04.20 11:01, Stefan Claas wrote:
my postfix mail server works perfectly so far.

However, I am now facing the following problem and have tried as best as I can to find a solution to this.

I run an anonymous remailer, which also allows sending emails to mail2news gateways for Usenet postings. So far so good.

I would like to achieve the following: postfix should modify outgoing email headers that *only* go to mail2news gateways, using the email gateway addresses for parsing, so that the right part of the message ID, after the @ character, will be modified with a defined string.

your mail2news gateway should do that. postfix must *not* change message IDs for regular emails.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.
Re: Postfix problem with Hotmail (501 5.5.4 Invalid domain name)
On 03.04.20 15:16, SysAdmin EM wrote: I am seeing the following error in some email directed to hotmail: : host hotmail-com.olc.protection.outlook.com[104.47.46.33] refused to talk to me: 501 5.5.4 Invalid domain name [BN3NAM04FT008.eop-NAM04.prod.protection.outlook.com]Return-Path: < facturac...@zonanet.com.ar> Please: 1. post whole log line 2. don't merge log with message headers. it's very hard to see what exactly was wrong there. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: pflogsumm error.
On 30.03.20 14:27, @lbutlr wrote:
When running pflogsumm I am getting many errors like this:

Use of uninitialized value $domain in string eq at /usr/local/bin/pflogsumm line 1546, <> line 283375.
Use of uninitialized value $domain in substitution (s///) at /usr/local/bin/pflogsumm line 1552, <> line 283375.

# awk '{if(NR==283375) print $0}' mail.log.combined
Mar 29 23:14:45 mail.covisp.net postfix/postscreen[54597] NOQUEUE: reject: RCPT from [45.155.126.14]:47867: 550 5.7.1 Service unavailable; client [45.155.126.14] blocked using zen.spamhaus.org; from=, to=<*munged*covisp.net>, proto=ESMTP, helo=

On 31 Mar 2020, at 07:43, Matus UHLAR - fantomas wrote:
where do you have your pflogsumm version from?

On 03.04.20 09:48, @lbutlr wrote:
FreeBSD ports

which FreeBSD, which perl?

original pflogsumm does not support postscreen.

OK, so postscreen normally logs into mail.log and I use rsyslogd to put it in its own file. Are these errors normal for pflogsumm on non-Debian systems then?

checked with debian 8 pflogsumm, postscreen rejects are simply ignored.

Since Postscreen blocks most of the mail, not having postscreen in pflogsumm means I get numbers like “accepted, 1234, delivered 214881, rejected 47” which is.. well, wrong.

correct. However, original pflogsumm does not process postscreen logs...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.
Re: Using Postfix as a Backup MX
On 31.03.20 16:59, Linda Pagillo wrote:
Guys, I have another question. This is in reference to the response that Bob Proulx gave me. He said that, " One critical item is that the relay_recipient_maps must be kept in sync across all of the systems". Why is this critical?

It's partly described at http://www.postfix.org/postconf.5.html#relay_recipient_maps

many spammers try to use backup MX servers to deliver spam. If your backup MX accepts spam that your primary MX would reject because of non-existent user, your backup MX would need to send back bounce, which would make it spam source, and it could appear on blacklists.

Dropping such mail is not a good thing, since that mail could get "lost" where sender believes mail was accepted (by backup MX), while recipient would not see it (because it was refused by primary MX).

Thus, knowing users is crucial to have. I personally believe that if you really need backup MX, you should do at least some kind of recipient verification.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
Re: Using Postfix as a Backup MX
On 31.03.20 12:03, Linda Pagillo wrote:
Hi gang. I could have sworn I sent this to the list days ago, but no one responded and I can't find the email I sent in my sent folder which is completely weird.

three people responded and discussed. Check at https://marc.info/?t=15854488622=1=2

also check your spam folder. note that gmail sometimes drops mail without warning, we had similar problem at the end of last year, some people got our invoices, some did not.

Anyway... I have a few Windows-based mail servers. I would like to set up Postfix as a backup MX server for the Windows servers. I have never done this with Postfix so I did a lot of research and what I believe to be the most complete instructions can be found at this link: https://www.linuxbabe.com/mail-server/how-to-set-up-a-backup-email-server-postfix-ubuntu. Have any of you used these instructions? If yes, how thorough are they? If not, do any of you have any instructions, tips or tricks that you would not mind sharing with me? All advice would be very much appreciated. I hope all of you are safe and healthy. Thanks.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: pflogsumm error.
On 30.03.20 14:27, @lbutlr wrote:
When running pflogsumm I am getting many errors like this:

Use of uninitialized value $domain in string eq at /usr/local/bin/pflogsumm line 1546, <> line 283375.
Use of uninitialized value $domain in substitution (s///) at /usr/local/bin/pflogsumm line 1552, <> line 283375.

# awk '{if(NR==283375) print $0}' mail.log.combined
Mar 29 23:14:45 mail.covisp.net postfix/postscreen[54597] NOQUEUE: reject: RCPT from [45.155.126.14]:47867: 550 5.7.1 Service unavailable; client [45.155.126.14] blocked using zen.spamhaus.org; from=, to=<*munged*covisp.net>, proto=ESMTP, helo=

where do you have your pflogsumm version from? original pflogsumm does not support postscreen. Debian version 1.1.5-3 includes support for it, and should not generate this kind of errors

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. LSD will make your ECS screen display 16.7 million colors
Re: modify "User unknown" message
On 3/30/2020 8:18 AM, Matus UHLAR - fantomas wrote: * Matus UHLAR: remote senders don't understand the message too often. On 30.03.20 14:55, Ralph Seichter wrote: Using "show_user_unknown_table_name = no" will hide the table name. That might reduce some of the confusion. I'd prefer to add short translation of the default message. yes, the table name is not important. maybe append some catch-all reject to local_recipient_maps could help? On 30.03.20 12:00, Noel Jones wrote: This is what http://www.postfix.org/postconf.5.html#smtpd_reject_footer is for. Add additional text or point to a web page with further explanation. I have looked at smtpd_reject_footer, but I would prefer only to add text for non-existing users :) But it looks like smtpd_reject_footer_maps, indexed by the error message in pcre table. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "To Boot or not to Boot, that's the question." [WD1270 Caviar]
Re: modify "User unknown" message
* Matus UHLAR: remote senders don't understand the message too often. On 30.03.20 14:55, Ralph Seichter wrote: Using "show_user_unknown_table_name = no" will hide the table name. That might reduce some of the confusion. I'd prefer to add short translation of the default message. yes, the table name is not important. maybe append some catch-all reject to local_recipient_maps could help? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist "So does syphillis. Good thing we have penicillin." - Matthew Alton
modify "User unknown" message
Hello, can anyone advise me, what's the easiest way to modify error message: "User unknown in local recipient table" if we use: - virtual aliases - aliases - password file? remote senders don't understand the message too often. Thanks -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. A day without sunshine is like, night.
Re: Postfix Sign smtp from with DKIM
On 27.03.20 10:46, SysAdmin EM wrote: Is it possible to sign smtp from with DKIM? I clarify that I am not talking about the header from. no, only headers can be signed. Also, that would make forwarding impossible. Don't try to do that. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I'm not interested in your website anymore. If you need cookies, bake them yourself.
Re: Invalid Sender (DNS)
Matteo Cazzador:
Many of these servers haven't a fully qualified dns name or valid dns name, so i obtain the error "Invalid Sender (DNS)" while receiving mail from these remote servers.

On 19/03/2020 17:54, Wietse Venema wrote:
That is NOT a POSTFIX error message. If you want to accept such email, then you need to find out what program is producing that error message.

On 19.03.20 17:57, Matteo Cazzador wrote:
Yes, Jeroen already answered me, excuse me the logged error is "Sender address rejected: Domain not found;"

the whole log line from your system log would help much more. Now I can only guess you have DNS resolution problem or your mail server correctly refuses mail from invalid domain.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I wonder how much deeper the ocean would be without sponges.
Re: Warning about non-existent MX for destination domain
On 10/03/2020 19:49, Dominic Raferd wrote:
My responses seem like OP's:

# host -t mx imake.ro 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host imake.ro not found: 2(SERVFAIL)

# host -t mx sometotallyINVENTEDdomainTHATdoesNOTexist.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

Host sometotallyINVENTEDdomainTHATdoesNOTexist.com not found: 3(NXDOMAIN)

I read this as: imake.ro exists but is not configured.

On 10.03.20 20:07, Catalin Bucur wrote:
Right. And for this type of domains (bad configured) I want that postfix warn me as soon as possible, not after a few days.

This is impossible. The error can e.g. mean that the zone is broken and admin has to fix it, which may be done within minutes. This kind of error can of course last for months or years, but we can't know that yet. Neither can postfix or DNS client.

I have similar problems with long-term unreachable addresses, where I would prefer to block mail from/to such domains, when they are inaccessible for some time. Wietse advised policy service and log watcher that would extract info about such domains: https://marc.info/?l=postfix-users=157910384501532=2

I'm afraid I don't have enough of time to build it, otherwise I'd propose you to use it already :)

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Atheism is a non-prophet organization.
Re: Disabling TLSv1
On 06.03.20 00:11, Daniel Ryšlink wrote: I tried disabling TLSv1.0 and TLSv1.1 on our Postfix mailservers at the beginning of the year (since there were advisories that anything older than 1.2 is considered weak and broken), and it did not end well, there were numerous complaints from what turned out to be still supported LTS version of Windows 8 that is supported till 2023 whose Outlooks still uses the obsolete versions of TLS and their handshakes will fail. note that there's difference between disabling tls1.0 and tls1.1 on ports with mandatory encryption (smtps/465 and submission/587) and different on port 25 where mail servers will connect to. enabling older TLS versions might be better for old servers as low encryption may be better than no encryption on port 25, where fallback when TLS can't be established is common - you do want to receive mail from the internet, don't you? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouse
Re: What is this?
On 27.02.20 08:09, Phil Biggs wrote: A friend and I experienced this in October last year. I believe these SYNs have forged source addresses. The objectives being one or more of: - a DOS attack on the legit owner of the IP, - create a state table size issue for you, - to have you block legitimate sources. The last of these certainly happened here. per my last e-mail... https://marc.info/?l=postfix-users=158272022625515=2 SYN with forged address can not cause this kind of error. This error requires connection be made (until then postfix does not know about it) and then closed. Thus it requires SYN - SYN+ACK - ACK which does not work with forged address. I set up a fail2ban rule to pick these up and, after one day, nearly 9,500 sources had been blocked at the firewall. However, the pf table included addresses that belonged to the likes of MessageLabs. I dropped the rule and unbanned them after realizing that. It's more likely that messagelabs scan the internet for open relays, mailservers features to gather statistics about the internet. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fighting for peace is like fucking for virginity...
Re: What is this?
On 26 February 2020, at 02:54, Jaroslaw Rafa wrote:
My Postfix log is full of repeated connections and disconnections from the same machine:

Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known

This repeats over and over (I already blocked this IP on firewall). I wonder what this attacker(?) is trying to do - the client doesn't attempt AUTH or anything (it would be logged). It just connects and disconnects. And so on and on...

welcome to the internet. Can be misconfigured client, spamware somewhere, scan, whatever. Firewalling those automatically is the only way to limit those messages.

On 26.02.20 03:04, Doug Hardie wrote:
One of my mail servers showed the same thing. Tcpdump showed they are sending SYN after SYN, nothing else. You didn't indicate which firewall you are using, but when I went to block them with pf I found that they send often enough that pf's state stays active. I had to manually remove that state entry to stop the logging. That won't stop their sending the SYNs though. It almost appears to be a really poor attempt at a denial of service. I did find 2 other sites sending the same thing.

SYN after SYN will not cause this error. For this kind of error the connection must be made by SYN,SYN+ACK,ACK and then FIN. If you block data/SYN by any firewall, you won't see those messages.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. There's a long-standing bug relating to the x86 architecture that allows you to install Windows. -- Matthew D. Fuller
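Added example, not part of the original posts: since a logged connect/disconnect pair means the TCP handshake completed, the logged address is a real peer and can be counted per client. The sketch below counts sessions that ended with nothing logged in between and applies an allowlist before proposing blocks, the problem reported in the other "What is this?" message; the clients 198.51.100.7 and 192.0.2.10, the threshold and the allowlist are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed log in the format quoted in the thread; 198.51.100.7 and
# 192.0.2.10 are made-up clients from documentation address ranges.
SAMPLE_LOG = """\
Feb 26 11:43:41 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:43:52 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: warning: hostname ip-38-42.ZervDNS does not resolve to address 92.118.38.42: Name or service not known
Feb 26 11:44:04 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:44:15 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:20 rafa postfix/submission/smtpd[13830]: connect from scanner.example[198.51.100.7]
Feb 26 11:44:21 rafa postfix/submission/smtpd[13830]: disconnect from scanner.example[198.51.100.7]
Feb 26 11:44:27 rafa postfix/submission/smtpd[13829]: connect from unknown[92.118.38.42]
Feb 26 11:44:30 rafa postfix/submission/smtpd[13831]: connect from client.example[192.0.2.10]
Feb 26 11:44:31 rafa postfix/submission/smtpd[13831]: warning: client.example[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Feb 26 11:44:32 rafa postfix/submission/smtpd[13831]: disconnect from client.example[192.0.2.10]
Feb 26 11:44:38 rafa postfix/submission/smtpd[13829]: disconnect from unknown[92.118.38.42]
Feb 26 11:44:40 rafa postfix/submission/smtpd[13830]: connect from scanner.example[198.51.100.7]
Feb 26 11:44:41 rafa postfix/submission/smtpd[13830]: disconnect from scanner.example[198.51.100.7]
"""

LINE = re.compile(r"postfix/(?P<svc>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = re.compile(r"^(?P<kind>connect|disconnect) from \S*\[(?P<ip>[^\]]+)\]")
RDNS_WARNING = re.compile(r"^warning: hostname \S+ does not resolve to address")


def idle_sessions(log_text):
    """Count, per client IP, sessions with nothing logged between connect and disconnect."""
    open_sessions = {}  # (service, pid) -> [client ip, saw_activity]
    idle = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["svc"], m["pid"])
        peer = PEER.match(m["msg"])
        if peer and peer["kind"] == "connect":
            open_sessions[key] = [peer["ip"], False]
        elif peer:  # disconnect: close the session this process had open
            session = open_sessions.pop(key, None)
            if session and session[0] == peer["ip"] and not session[1]:
                idle[peer["ip"]] += 1
        elif key in open_sessions and not RDNS_WARNING.match(m["msg"]):
            # Anything else from this process (AUTH failure, reject, queue id)
            # means the client did more than connect and leave.
            open_sessions[key][1] = True
    return idle


def ban_candidates(idle, threshold, allowlist):
    """IPs with at least `threshold` idle sessions that are not in an allowlisted network."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    candidates = []
    for ip, count in idle.items():
        addr = ipaddress.ip_address(ip)
        if count >= threshold and not any(addr in net for net in nets):
            candidates.append(ip)
    return sorted(candidates)


if __name__ == "__main__":
    counts = idle_sessions(SAMPLE_LOG)
    print(dict(counts))
    # Assumption: 198.51.100.0/24 stands in for a network you must keep receiving mail from.
    print(ban_candidates(counts, 2, ["198.51.100.0/24"]))
```
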
Re: From header local mail
On 07.02.20 12:01, xegr...@gmail.com wrote: Hi. In a new install of Postfix 3.4.7-0+deb10u1 on Debian buster, I would like Postfix to append $myhostname instead of $myorigin to local mail That is the point of myorigin, why you want it else? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: message-id empty
On 05.02.20 04:25, mami64 wrote:
>Some times i found in logs (smtp outgoing) empty message-id like
>
>Feb 5 12:20:18 smtp1 postfix/cleanup[21270]: 48CJy70T20z3xcS: message-id=<>
>Feb 5 12:20:20 smtp1 postfix/cleanup[21265]: 48CJyD3tzNz3y0m: message-id=<>
>Feb 5 12:20:20 smtp1 postfix/cleanup[19334]: 48CJyD4yKCz3xvB: message-id=<>
>Feb 5 12:20:23 smtp1 postfix/cleanup[19285]: 48CJyH2nYjz3y1b: message-id=<>
>Feb 5 12:20:24 smtp1 postfix/cleanup[17592]: 48CJyH6tV0z3xNL: message-id=<>
>Feb 5 12:20:25 smtp1 postfix/cleanup[19334]: 48CJyK1Yg7z3y2C: message-id=<>
>
>In rfc 822 message-id is not required but I don't know why some times i get
>message-id and sometimes not and what it depends on

On Wed, Feb 5, 2020 at 12:41 PM Matus UHLAR - fantomas wrote:
apparently the client did not create Message-Id: header. it's up to the client to generate it.

On 06.02.20 09:31, Luca Fornasari wrote:
You can use "always_add_missing_headers = yes" in main.cf in case you need to reproduce older Postfix behaviour

note that this can break DKIM, spam scanning etc.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Nothing is fool-proof to a talented fool.
Re: Multiple after-queue content filters
On 05.02.20 11:47, Sig Pam wrote:
The current documentation <http://www.postfix.org/FILTER_README.html> states: The "-o content_filter" line causes Postfix to add one content filter request record to each incoming mail message ...

Q1: Is it still true you can not give a list of content filters which are processed one after the other?

it doesn't make sense. content filter is expected to push mail back to postfix other way, so message can't get to second filter.

Q2: Assuming this is still true and content_filter does not take a list of filters, is there a better technique than creating a "wrapper script" to call the multiple filters one after the other?

you can create filter chain in postfix by pushing mail to multiple ports each having own filter.

Background: I currently pipe my mail to spamassassin, but I also want to call a program adding a boilerplate for each outgoing mail (legal reason), and I think about a script which modifies incoming mails to strip html links to prevent my users clicking on them. These are three filters which should run on each mail.

Bonus question: I can configure a content_filter for each service defined in master.cf, but there is also a parameter content_filter in main.cf. What does the latter refer to, and in which order are they processed? I'm confused ...

options in master.cf are used to override those in main.cf. if you don't override it in master.cf for a service, that service uses main.cf value.

smtp inet n - y - - smtpd
  -o content_filter=spamassassin
spamassassin unix - n n - - pipe
  user=spamd argv=/usr/bin/spamc --max-size 5242880 -d 127.0.0.1 -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

main.cf:
content_filter = smtp-amavis:127.0.0.1:10024

apparently amavis is only used when receiving mail other way than smtp (on port 25).

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux IS user friendly, it's just selective who its friends are...
Re: message-id empty
On 05.02.20 04:25, mami64 wrote:
Some times i found in logs (smtp outgoing) empty message-id like

Feb 5 12:20:18 smtp1 postfix/cleanup[21270]: 48CJy70T20z3xcS: message-id=<>
Feb 5 12:20:20 smtp1 postfix/cleanup[21265]: 48CJyD3tzNz3y0m: message-id=<>
Feb 5 12:20:20 smtp1 postfix/cleanup[19334]: 48CJyD4yKCz3xvB: message-id=<>
Feb 5 12:20:23 smtp1 postfix/cleanup[19285]: 48CJyH2nYjz3y1b: message-id=<>
Feb 5 12:20:24 smtp1 postfix/cleanup[17592]: 48CJyH6tV0z3xNL: message-id=<>
Feb 5 12:20:25 smtp1 postfix/cleanup[19334]: 48CJyK1Yg7z3y2C: message-id=<>

In rfc 822 message-id is not required but I don't know why some times i get message-id and sometimes not and what it depends on

apparently the client did not create Message-Id: header. it's up to the client to generate it.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Linux IS user friendly, it's just selective who its friends are...
Re: Forwarding email as attachment instead of relaying it
On 31.01.2020 at 10:52:28, Msd wrote:
The problem doing that is that some emails are rejected by external.example.net mail servers because of SPF, for example : "550 SPF Hard Fail: Following sender domain's SPF record v=spf1 [...] -all does not designate a.b.c.d as permitted sender."

On 31.01.20 11:06, Jaroslaw Rafa wrote:
BTW, whoever rejects mail based on failed SPF alone is doing an extremely stupid thing, as SPF is a poor idea in general and is known not to work eg. with mail forwarding.

forwarding without changing sender is broken and was since the beginning, SPF just made it visible. If you are forwarding to invalid address, the reports should go to you, not to someone whose mail you have forwarded. They sent it to you, why should they care that you decided to pass it further? It's your business now.

Maybe you should explain to your user that he/she can lose legitimate emails if he/she is using mail account at such an incompetent provider.

maybe the OP should configure forwarding properly.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have.
Re: Forwarding email as attachment instead of relaying it
On 31.01.20 10:52, Msd wrote:
I have a user on my postfix example.com server that want all emails sent to u...@example.com to be "relayed" to u...@external.example.net. In main.cf I have set :

virtual_alias_maps = hash:/etc/postfix/virtual

# cat /etc/postfix/virtual
u...@example.com u...@external.example.net

The problem doing that is that some emails are rejected by external.example.net mail servers because of SPF, for example : "550 SPF Hard Fail: Following sender domain's SPF record v=spf1 [...] -all does not designate a.b.c.d as permitted sender."

Is there a way to transfer the email as an attachment to avoid that ? Or just a way to rewrite the envelope sender to u...@example.com ? What do you advise for this case ?

you need to rewrite envelope from, e.g. by using postsrs. Note that you can't do that from virtual maps, you must use aliases or .forward.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have.
Re: easy way to forward all root mail to devnull?
On Jan 29, 2020, at 4:16 AM, Eero Volotinen wrote:
Is there easy way to forward all root mail to devnull?

On 29.01.20 04:37, Viktor Dukhovni wrote:
Assuming it is not unwise:

aliases:
    root: root@discard.invalid
virtual:
    root                root@discard.invalid
    r...@example.org    root@discard.invalid
transport:
    discard.invalid     discard:silently

Instead arrange for less noisy cron jobs, that inform you of only unexpected events, or useful metrics.

much better approach. You never know which process sends important mail to you about e.g. disk failing.

And perhaps refuse mail to root from external sources.

much better.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Windows 2000: 640 MB ought to be enough for anybody
Re: Postscreen response to client - which rbl is named?
On 25.01.20 08:44, Dominic Raferd wrote:
>When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
>score, how does it decide which rbl to report back to client as the cause
>of the rejection - since it only reports one? Is it just the first one to
>respond? Or random?

On Sat, 25 Jan 2020 at 09:08, Matus UHLAR - fantomas wrote:
it is the first one that responds. if it's a whitelist (scoring negatively), it's reported anyway. that's where postscreen_dnsbl_reply_map is to be used.

On 25.01.20 09:18, Dominic Raferd wrote:
Thanks for clearing that up. My whitelists always cause a pass so for me the whitelist reporting issue doesn't arise; for systems where it does, I suppose the idea is to substitute the name of a blacklisting rbl (or some generic text such as 'unidentified_blacklist') if the response would otherwise show the whitelist?

i guess the original idea was to hide dnsbl secret from clients (http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map) but replacing message by e.g. "blocked by multiple dnsbl lists" is also possible.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Posli tento mail 100 svojim znamim - nech vidia aky si idiot Send this email to 100 your friends - let them see what an idiot you are
Re: Postscreen response to client - which rbl is named?
On 25.01.20 08:44, Dominic Raferd wrote:
When postscreen rejects an incoming email because it exceeds the dnsbl/rbl score, how does it decide which rbl to report back to client as the cause of the rejection - since it only reports one? Is it just the first one to respond? Or random?

it is the first one that responds. if it's a whitelist (scoring negatively), it's reported anyway. that's where postscreen_dnsbl_reply_map is to be used.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: Graphing
On 24/01/2020 at 07:09, Ed wrote:
What do people use for simple throughput/relay/bounce graphing? RRD based would be nice.

January 24, 2020 9:47 AM, "Cédric Gallo" wrote:
Munin server and munin nodes with standards and home-made plugins (for bounces). http://munin-monitoring.org

On 24.01.20 11:58, pat...@patpro.net wrote:
Like Cédric I would recommend Munin if your need is very basic. It's RRD inside and pretty straightforward to setup. I do use a Munin master/Munin Node setup for basic stuff including graphing postfix queues/throughput, but it's just static and I think email flow monitoring requires something more agile/interactive. If you have a low volume of daily logs (less than 500 MB) you could just install a free version of Splunk Enterprise and create your own dashboards.

I personally would be more interested in how are the data collected. There are many ways to put data to RRD. Looks like the munin plugins only counts how many mails there are in different queues https://github.com/cmur2/munin-postfix/blob/master/postfix_mailqueue

That data you can use with nagios, cacti and other monitoring systems.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. On the other hand, you have different fingers.
Re: What does check_sender_access checks?
On 21.01.20 07:08, rdquiterio wrote: In this case the Return-Path is kinda random, so there's no use to it. return-path is header where the MDA uses to store original envelope from, but usually not a real header. On the other hand, looking to the headers_checks examples I cannot see how could I allow all mail from a specific "Mail From:" to be relayed? Is it possible? no. the "mail from:" is not a header, but an envelope from address, so you must use check_sender_access instead. However, you should not allow relaying based on envelope from address. Maybe on SMTP authentication or source IP address. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "To Boot or not to Boot, that's the question." [WD1270 Caviar]
Re: Bounce mails manually
On 16.01.2020 at 15:46:31, @lbutlr wrote:
Recheck? What do you mean? there is no rechecking the VALID domain is looked up, it does not have an MX record, so postfix does not attempt to deliver it and immediately bounces the message back to the user.

On 17.01.20 10:02, Jaroslaw Rafa wrote:
But it is wrong approach. It is a perfectly correct setup to not have an MX record for a domain, but to have an A record and receive email under that address. There is no requirement (and never was) that to receive email you must have an MX record.

correct, however I've already noticed discussions about such requirements. Most of them comes out of problems we are discussing in this thread. While it would take years to implement (afaik MX took years to implement, too), it would be cleaner than current wild situation. The nullmx (IN MX .) is one of approaches but must be supported by mailservers (luckily it is supported by postfix) but I find it cleaner to only accept mail for domains with MX than for everyone with A records.

MX record is only a nice shortcut to avoid specifying the full domain name of the mailserver in the e-mail address, and instead use only the mailserver's domain part. Instead of "u...@mailserver.domain.com" you type only "u...@domain.com" - that's what MX record is for. But "u...@mailserver.domain.com" is still perfectly valid and mail to such address *has to be* delivered.

It might be refused, but delivery will still be tried, which leads to our problem (this thread).

I was recently forced to add a ridiculous MX record to my domain, pointing back to the same name (eg. "rafa.eu.org MX 10 rafa.eu.org")

I've seen recommendation to do this (just for sure) long ago.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. M$ Win's are shit, do not use it !
Re: Bounce mails manually
On 16.01.20 17:48, Daniel Ryšlink wrote:
As someone already mentioned, that's what the Postfix limits are for, namely

smtpd_recipient_limit
smtpd_client_recipient_rate_limit
smtpd_client_connection_rate_limit
smtpd_client_message_rate_limit
smtpd_soft_error_limit
smtpd_hard_error_limit

Even if it is a "spammer sending slowly", there will be still characteristics that will make it possible to identify the incident automatically - suddenly unusual number of unique recipients, unusual number of errors, etc. The automatic solution allows you to cull the spam wave as it happen, potentially limiting the impact.

unfortunately, I have met spam attack where spammer was sending too slowly to notice, not hitting any of those limits. It was slower than ordinary users of said server, who occasionally send more mail and faster.

If you reactively, manually start to look for a problem because your queue suddenly starts filling up because you have been blacklisted downstream for forwarding spam, the damage was already done and you will have to suffer the consequences for some time (legitimate mail of your users will be rejected). And if a queue is filled with spam from a hacked account, then it's IMO proper to delete all the queued mail from that account via postsuper -d - the user compromised his/her auth information somehow, so he/she cannot expect any of his/her mail to be delivered, and millions of bounces won't help anything anyway.

This thread discusses different problem that can have different solution. let's not mix all kind of problems with all kinds of solutions.

On 15 Jan 2020, at 15:12, Noel Jones wrote:
We've had problems with users mistyping domain names, such as hotmal.com or aoil.com. And they ignore the delay warning message because they still don't notice their typo.

Quoting "@lbutlr":
Then they get the bounce when the max queue expires. The messages in the queue are not hurting anything and unless there are millions and millions of them, they are not worth manually handling (nor adding custom transport maps to “fix” user’s tyops).

On 16. 01. 20 8:02, azu...@pobox.sk wrote:
I don't agree with this. Yes, technically it isn't a problem but we (and for sure not alone) are using message queue size as a sign of a problem - if there are much more messages than usual, our monitoring software is notifying us. In most cases it is a sign of hacked account which is spamming - in about 50% of such cases, spammers are sending spam very slowly, so you cannot simply note it, that's why we monitor it. And that's why it is a problem when there are lots of messages which you cannot get rid of by any means.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows."
Re: Bounce mails manually
On 15.01.20 16:55, Emanuel wrote:
my question arose because of a user on my server who sent to many recipients without MX, then the mail was queued until the expiration time: bounce_queue_lifetime = 5h

the idea was to reject emails manually with the error message that returned: Example:

Message: 06CB318005A26
From..: "Rene Alvarado"
To:
Subj..: SALDO PENDIENTE
Status: connect to impresosms.com[45.204.127.107]:25: No route to host

would something like this help? http://postfix.1071664.n5.nabble.com/handling-long-term-unreachable-addresses-domains-td104336.html

if such mail stayed in queue for some time, further mail to (and from) the domain could be refused, which would lower amount of such mail in queue. That should help not only against spammers, but against ignorant bulk mail senders.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set.
Re: Bounce mails manually
On 15 Jan 2020, at 15:12, Noel Jones wrote:
We've had problems with users mistyping domain names, such as hotmal.com or aoil.com. And they ignore the delay warning message because they still don't notice their typo.

Quoting "@lbutlr":
Then they get the bounce when the max queue expires. The messages in the queue are not hurting anything and unless there are millions and millions of them, they are not worth manually handling (nor adding custom transport maps to “fix” user’s tyops).

On 16.01.20 08:02, azu...@pobox.sk wrote:
I don't agree with this. Yes, technically it isn't a problem but we (and for sure not alone) are using message queue size as a sign of a problem - if there are much more messages than usual, our monitoring software is notifying us. In most cases it is a sign of hacked account which is spamming - in about 50% of such cases, spammers are sending spam very slowly, so you cannot simply note it, that's why we monitor it. And that's why it is a problem when there are lots of messages which you cannot get rid of by any means.

I have the same and one similar problem, mentioned in this list a few days ago. I have an idea to stop mail from/to long-term undeliverable domains, so when there's mail lingering in queue for such domain for some time, further mail from/to that domain would temporarily be refused.

It would work similar to sender/recipient address verification, but not per-address but per-domain, without explicit verification requests.

Wietse advised policy script: http://postfix.1071664.n5.nabble.com/handling-long-term-unreachable-addresses-domains-td104336.html

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. REALITY.SYS corrupted. Press any key to reboot Universe.
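Added example, not code from the thread or from Postfix: one way the log watcher plus policy script idea from this message (and from the "non-existent MX" and earlier "Bounce mails manually" replies) could fit together. It assumes that only dsn 4.4.x deferrals count as "unreachable", that a later successful delivery clears a domain, and that DEFER_IF_PERMIT is the wanted answer; the domains, the threshold and the log lines are constructed.

```python
import re

# Constructed delivery log lines in Postfix smtp(8) format.
SAMPLE_DELIVERY_LOG = """\
Jan 16 08:00:01 mx postfix/smtp[2101]: 4A1B2C3D4E: to=<bob@hotmal.example>, relay=none, delay=16200, delays=16170/0.02/30/0, dsn=4.4.1, status=deferred (connect to hotmal.example[203.0.113.5]:25: No route to host)
Jan 16 08:00:02 mx postfix/smtp[2102]: 5B2C3D4E5F: to=<amy@slow.example>, relay=none, delay=90, delays=60/0.01/30/0, dsn=4.4.1, status=deferred (connect to slow.example[203.0.113.9]:25: Connection timed out)
Jan 16 08:00:03 mx postfix/smtp[2103]: 6C3D4E5F60: to=<joe@grey.example>, relay=mx.grey.example[198.51.100.20]:25, delay=20000, delays=19999/0.01/0.5/0.5, dsn=4.7.1, status=deferred (host mx.grey.example[198.51.100.20] said: 451 4.7.1 try again later (in reply to RCPT TO command))
Jan 16 08:00:04 mx postfix/smtp[2104]: 7D4E5F6071: to=<eve@back.example>, relay=none, delay=18000, delays=17970/0.02/30/0, dsn=4.4.1, status=deferred (connect to back.example[203.0.113.7]:25: Connection timed out)
Jan 16 08:05:04 mx postfix/smtp[2105]: 7D4E5F6071: to=<eve@back.example>, relay=mx.back.example[203.0.113.7]:25, delay=18300, delays=18299/0.01/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234ABCD)
"""

# Constructed policy delegation request: name=value lines ended by an empty line.
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=ESMTP
sender=alice@example.org
recipient=bob@HOTMAL.example
client_address=192.0.2.44

"""

DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>@]*@(?P<domain>[^>]+)>,.*?"
    r"\bdelay=(?P<delay>[\d.]+),.*?\bdsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


def unreachable_domains(log_text, min_delay):
    """Domains whose mail has been deferred with a 4.4.x status for at least min_delay seconds."""
    oldest = {}  # domain -> largest delay (seconds) seen on a deferred delivery
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m:
            continue
        domain = m["domain"].lower()
        if m["status"] == "sent":
            oldest.pop(domain, None)  # a delivery got through, domain is reachable again
        elif m["status"] == "deferred" and m["dsn"].startswith("4.4."):
            # Assumption: 4.4.x (network/routing) marks an unreachable destination;
            # other temporary failures such as greylisting are ignored.
            oldest[domain] = max(oldest.get(domain, 0.0), float(m["delay"]))
    return {d for d, delay in oldest.items() if delay >= min_delay}


def parse_policy_request(text):
    """Parse one policy delegation request into a dict; stops at the empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def domain_of(address):
    return address.rpartition("@")[2].lower() if "@" in address else ""


def policy_reply(request_text, blocked):
    """Answer a request: defer mail from/to blocked domains, otherwise stay neutral."""
    attrs = parse_policy_request(request_text)
    for field in ("recipient", "sender"):
        domain = domain_of(attrs.get(field, ""))
        if domain in blocked:
            return (f"action=DEFER_IF_PERMIT {field} domain {domain} "
                    "is currently unreachable from this server\n\n")
    return "action=DUNNO\n\n"


if __name__ == "__main__":
    blocked = unreachable_domains(SAMPLE_DELIVERY_LOG, 4 * 3600)  # assumed 4 h threshold
    print(sorted(blocked))
    print(policy_reply(SAMPLE_REQUEST, blocked), end="")
```
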
Re: Postfix HELO checks
On Wed, 15 Jan 2020 at 17:43, Jaroslaw Rafa wrote:

> Does Amavis actually connect to 127.0.0.1 when injecting mail back to
> Postfix? If yes, then maybe you don't have 127.0.0.1 in $mynetworks
>
> It can also be that Amavis doesn't connect to 127.0.0.1, but to some other
> IP on your server - then you need to put that IP in $mynetworks too, or
> reconfigure Amavis so that it connects to 127.0.0.1

On Wed, 15 Jan 2020 at 16:50, Simon B wrote:

I don't know where else it could connect... In master.cf it is defined

    #The amavis receiver
    127.0.0.1:10025 inet n - - - - smtpd

I would temporarily add:

    -o syslog_name=postfix/amavis

to verify in logs that the mail was received via this port (localhost:10025 is the builtin default in amavis).

> If it works with "permit", it should also work with "permit_mynetworks",
> provided that the value of $mynetworks includes the actual IP Amavis is
> connecting to.

it should, but it isn't - hence the reason I have asked here for help.

    # postconf -n | grep -n mynetworks
    36:mynetworks = 127.0.0.0/8, [::1]/128
    37:mynetworks_style = host

note that mynetworks is overridden by -o option in master.cf:

    #The amavis receiver
    127.0.0.1:10025 inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
      -o smtpd_helo_restrictions=permit_mynetworks
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtp_bind_address=127.0.0.1

so, either this config does not apply (e.g. you forgot whitespace at the beginning of one of those lines), or there's something strange

On Wed, 15 Jan 2020 at 18:00, Dominic Raferd wrote:

Try removing 'mynetworks' from definitions since it overwrites 'mynetworks_style=host' which should already restrict the definition of mynetworks to the local machine (and might do so in a more correct way?)

yes, however that should be completely irrelevant since only localhost can connect to 127.0.0.1:10025

Try adding 'reject' after 'permit_mynetworks' at the end of one of the restriction lists (for smtpd-from-amavis) e.g. smtpd_client_restrictions - this gives you the full protection

irrelevant because of the same reason.

On 15.01.20 18:32, Simon B wrote:

Thanks. That works and meets our objectives.

the downside is we still don't know what is (or was) wrong.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows."
Re: phising attacks
On 15.01.20 15:20, Adam Barnett wrote:

The from address will be, for example From: Jo Blogs But the return address and return path would be a different address from what Jo Blogs is

I am 99% sure it is a user error, but just wondering if there was anything else to be done

unless there's only one Jo Blogs in the world, there's possibility a real Jo Blogs is sending the mail, just not the one you may think. Blocking the mail might be bad.

This is why I recommend to verify strange/suspicious requests.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. My mind is like a steel trap - rusty and illegal in 37 states.
Re: phising attacks
On 15.01.20 15:08, Adam Barnett wrote:

We seem to be getting more phishing attacks that are being clever. The address looks like it is someone internal but the from address is not that person.

Any suggestions postfix or otherwise to help with these

except standard anti-spam and anti-spoofing measures? Hardly any.

If possible, teach your users to verify strange requests.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I just got lost in thought. It was unfamiliar territory.
Re: handling long-term unreachable addresses/domains
On 09.01.20 17:09, Matus UHLAR - fantomas wrote:

on a few mail servers/gateways, we receive mail from domains that are unreachable for mail delivery on a long-term basis.

besides spammers, there are companies that send mail from domains which don't have MX records, and A records point to servers without mail service running.

I would like to detect this kind of domains and block them. Ideally, not immediately, but when e.g. domain is inaccessible for a given time, e.g. when mail starts being returned.

Is something similar possible now?

I was thinking about something very similar that address verification does:

- applied on domains, not individual addresses
- applied softly, without explicit verification checks

This would require database of mail domains, and if mail to any domain is unreachable for interval longer than maximal_queue_lifetime, mail for/from that domain would get rejected and/or deferred. Until then, mail would be accepted as reachable.

Any idea if this could be implemented?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Microsoft dick is soft to do no harm
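A sketch of the per-domain check described in the message above, written against the Postfix policy delegation protocol (the "policy script" route mentioned earlier on this page). This is an added example, not code from the list or from Postfix: the log lines, domains, class and function names are constructed, and the five-day threshold is an assumption standing in for maximal_queue_lifetime.

```python
"""Soft per-domain reachability check as a Postfix policy service (added example)."""
import re
import sys
import time

# Assumption: threshold mirrors maximal_queue_lifetime (Postfix default: 5 days).
UNREACHABLE_AFTER = 5 * 24 * 3600

# Constructed log lines in the postfix/smtp format; domains and queue IDs are made up.
SAMPLE_LOG = [
    "postfix/smtp[101]: AAAA000001: to=<a@dead.example>, relay=none, delay=5930, "
    "dsn=4.4.1, status=deferred (connect to dead.example[192.0.2.1]:25: No route to host)",
    "postfix/smtp[102]: AAAA000002: to=<b@alive.example>, relay=mx.alive.example[192.0.2.2]:25, "
    "delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "postfix/smtp[103]: AAAA000003: to=<nobody@picky.example>, relay=mx.picky.example[192.0.2.3]:25, "
    "delay=0.8, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)",
]
LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>@]*@([^>]+)>.*?dsn=\d\.(\d+)\.\d+, status=(\w+)")


class DomainTracker:
    """Remembers since when delivery to a domain has failed at the network level."""

    def __init__(self, threshold=UNREACHABLE_AFTER):
        self.threshold = threshold
        self.failing_since = {}          # domain -> epoch seconds of first failure

    def feed_log_line(self, line, when):
        m = LOG_RE.search(line)
        if not m:
            return
        domain, subject, status = m.group(1).lower(), m.group(2), m.group(3)
        if status != "sent" and subject == "4":
            # RFC 3463 class X.4.X: network/routing problem, nobody answered.
            self.failing_since.setdefault(domain, when)
        else:
            # Delivered, or a remote MTA answered (even with a reject): reachable.
            self.failing_since.pop(domain, None)

    def long_term_unreachable(self, domain, now):
        since = self.failing_since.get(domain.lower())
        return since is not None and now - since >= self.threshold


def parse_request(text):
    """Parse one policy request: name=value lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def domain_of(address):
    return address.rpartition("@")[2].lower() if "@" in address else ""


def decide(attrs, tracker, now):
    """Return the policy reply; a temporary refusal only, never a hard reject."""
    for key in ("sender", "recipient"):
        domain = domain_of(attrs.get(key, ""))
        if domain and tracker.long_term_unreachable(domain, now):
            return f"action=DEFER_IF_PERMIT {key} domain {domain} is unreachable for mail\n\n"
    return "action=DUNNO\n\n"


def serve(stream_in, stream_out, tracker, clock=time.time):
    """Request loop for a service started by spawn(8): read stdin, answer on stdout."""
    block = []
    for line in stream_in:
        line = line.rstrip("\r\n")
        if line:
            block.append(line)
            continue
        if block:
            stream_out.write(decide(parse_request("\n".join(block)), tracker, clock()))
            stream_out.flush()
            block = []


if __name__ == "__main__":
    tracker = DomainTracker()
    start = time.time() - 6 * 24 * 3600   # pretend the constructed log lines are six days old
    for entry in SAMPLE_LOG:
        tracker.feed_log_line(entry, start)
    serve(sys.stdin, sys.stdout, tracker)
```

Postfix would consult such a service through check_policy_service in a restriction list; how the tracker is fed from the live log and persisted between runs is deployment-specific and left out here.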
Re: Port 25 closed on bulk sending servers
On 15.01.20 12:56, Sam Tuke wrote: I noticed that newsletters which I receive from large firms are typically sent from servers which have port 25 closed. I guess they are not mail servers. Not all servers have to receive mail. Many companies have different servers for incoming mail than for outgoing mail, webservers or whatever. Is it common practice to close port 25 on bulk sending servers? Should we do this for Postfix servers which serve the same role? What's the advantage? Maybe the MTAs that such senders use are so customised as to be capable of only sending, not receiving, mail? I have asked about very similar issue a week ago. Will bump. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 2B|!2B, that's a question!
Re: Postfix HELO checks
On Mon, Jan 13, 2020 at 06:25:27PM +0100, Simon B wrote:

> Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> through debian versions), all mail coming in on
> postfix/submission/smtpd is being rejected by the domain check in that
> file, even though the user is sasl authenticated.

On Mon, 13 Jan 2020 at 18:44, Viktor Dukhovni wrote:

Note, Postfix 2.11 (actually 2.10 IIRC) adds "smtpd_relay_restrictions", which you don't override in the submission service definition:

On 15.01.20 13:19, Simon B wrote:

Cause and effect in one simple sentence - thanks Viktor!

if you use debian, the default smtpd_relay_restrictions should contain:

    smtpd_relay_restrictions=permit_mynetworks permit_sasl_authenticated defer_unauth_destination

which is the default value. It's added in postfix postinst script.

...unless you have overridden it, in such case it contains what you put there.

Now looks like this...

    submission inet n - n - - smtpd
      -o syslog_name=postfix/submission

Which seems to have solved the problem - or at least just kicked it down the road. Now there's a slightly different format of the error when receiving mail from the amavis filter...

    Jan 15 11:39:31 mail postfix/smtpd[31588]: connect from localhost[127.0.0.1]
    Jan 15 11:39:31 mail postfix/smtpd[31588]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 : Helo command rejected: Host not found; from= to=< simo...@example.com> proto=ESMTP helo=

note that this says "postfix/smtpd" and thus it's not related to master.cf definition of submission above, then would say "postfix/submission/smtpd"

    Jan 15 11:39:31 mail amavisd-new[2303]: (02303-14) smtp resp to RCPT (pip) (): 554 5.7.1 : Helo command rejected: Host not found

Despite the fact that I changed those receiver settings in master.cf to:

    #The amavis reciever
    127.0.0.1:10025 inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=permit_mynetworks,reject_plaintext_session
      -o smtpd_helo_restrictions=permit_mynetworks
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
      -o smtp_bind_address=127.0.0.1

At the moment nothing is going through amavis in either direction, so that's a problem...

are you sure amavis sends mail through port 10025?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Christian Science Programming: "Let God Debug It!".
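Two master.cf points come up in this thread: a restriction list that a service does not override with -o (such as smtpd_relay_restrictions) is inherited from main.cf, and a -o line only belongs to a service entry if it starts with whitespace. The following audit script checks both; it is an added example, not code from the list or from Postfix, and the sample master.cf text and function names are constructed for illustration.

```python
"""Audit per-service "-o" overrides in a Postfix master.cf (added example)."""

# Constructed master.cf text modelled on the entries quoted in this thread.
# The last line deliberately starts in column 0 instead of with whitespace.
SAMPLE_MASTER_CF = """\
# The amavis receiver and the submission service
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o smtpd_helo_restrictions=permit_mynetworks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
"""

RESTRICTION_LISTS = (
    "smtpd_client_restrictions", "smtpd_helo_restrictions",
    "smtpd_sender_restrictions", "smtpd_relay_restrictions",
    "smtpd_recipient_restrictions",
)


def parse_master_cf(text):
    """Return (services, problems); a logical line starts with non-whitespace."""
    services, problems, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                          # blank and comment lines are ignored
        if raw[0].isspace():                  # continuation of the previous logical line
            if current is None:
                problems.append((lineno, "continuation line without a service entry"))
            else:
                current["args"] += stripped.split()
            continue
        fields = stripped.split()
        if fields[0].startswith("-"):         # an option in column 0 starts a new logical line
            problems.append((lineno, f"'{stripped}' starts in column 0, so it is "
                                     "not part of the service entry above"))
            current = None
            continue
        if len(fields) < 8:
            problems.append((lineno, "service entry has fewer than 8 fields"))
            current = None
            continue
        current = {"name": fields[0], "type": fields[1], "command": fields[7],
                   "args": fields[8:], "line": lineno}
        services.append(current)
    return services, problems


def overrides(service):
    """Map parameter -> value for every '-o name=value' argument of a service."""
    result, args = {}, service["args"]
    for i, arg in enumerate(args):
        if arg == "-o" and i + 1 < len(args):
            setting = args[i + 1]
        elif arg.startswith("-o") and len(arg) > 2:
            setting = arg[2:]                 # the "-oname=value" spelling
        else:
            continue
        name, sep, value = setting.partition("=")
        if sep:
            result[name] = value
    return result


def audit(text):
    """Per smtpd service: what is overridden, and which lists come from main.cf."""
    services, problems = parse_master_cf(text)
    report = {}
    for svc in services:
        if svc["command"] != "smtpd":
            continue
        set_here = overrides(svc)
        inherited = [p for p in RESTRICTION_LISTS if p not in set_here]
        report[f'{svc["name"]}/{svc["type"]}'] = {"overrides": set_here,
                                                  "inherited": inherited}
    return report, problems


if __name__ == "__main__":
    report, problems = audit(SAMPLE_MASTER_CF)
    for name, info in report.items():
        print(name)
        print("  overridden here :", ", ".join(info["overrides"]) or "(nothing)")
        print("  from main.cf    :", ", ".join(info["inherited"]) or "(nothing)")
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```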
Re: Postfix HELO checks
Hello,

Now I have noticed inconsistency:

On 10.01.20 12:42, Simon B wrote:

For as long as I can I remember, I have blocked connections purporting to be my own domain/IP address using a postmapped file called helo_checks.

[...]

Since upgrading to 2.11 yesterday (yes, I am on a path to move up through debian versions), all mail coming in on postfix/submission/smtpd is being rejected by the domain check in that file, even though the user is sasl authenticated.

Can someone help me figure out why?

On 10.01.20 14:50, Simon B wrote:

Quite difficult to get logs off the production environment onto my office client, hence the redacted smtpd_recipient_restrictions

I'm afraid that to resolve this issue you will have either to look up properly or post the real main.cf and logs content.

    Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from localhost [127.0.0.1]: 550 5.7.1. : Helo command rejected: Your server is misconfigured as you are not a member of this domain; from= to= proto=ESMTP helo=

On 10.01.20 15:52, Matus UHLAR - fantomas wrote:

ok, this looks like recipient rejection, because of helo checks.

If this is the proper log, this looks like to be reject in smtpd_recipient_restrictions ("rejectRCPT") based on helo check (Helo command rejected).

according to what you have pasted before, it should work properly

either your postfix does not use the configuration file - did you build postfix or do you use one provided in your OS/distro?

or you have missed something, like duplicate smtpd_recipient_restrictions

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. - Holmes, what kind of school did you study to be a detective? - Elementary, Watkins. -- Daffy Duck & Porky Pig
Re: Postfix HELO checks
On 10.01.20 12:42, Simon B wrote:

> For as long as I can I remember, I have blocked connections purporting
> to be my own domain/IP address using a postmapped file called
> helo_checks.
>
> This is checked AFTER permit_sasl_authenticated.
>
> smtpd_recipient_restrictions =
>     reject_non_fqdn_sender,
>     reject_non_fqdn_recipient,
>     permit_sasl_authenticated,
>     reject_sender_login_mismatch,
>     rejected_authenticated_sender_login_mismatch,
>     check_helo_access hash:/etc/postfix/helo_checks,
>     .
>     .
>     .
>     permit_mynetworks,
>     reject_unauth_destination,
>     a bunch more RBLs,
>     permit
>
> Since upgrading to 2.11 yesterday (yes, I am on a path to move up
> through debian versions), all mail coming in on
> postfix/submission/smtpd is being rejected by the domain check in that
> file, even though the user is sasl authenticated.
>
> Can someone help me figure out why?
>
> I can probably remove/comment the offending line and rely on other
> rejection parameters, but it still rejects a significant of spam
> attempts, so I'd prefer to keep it.

On Fri, 10 Jan 2020 at 13:39, Matus UHLAR - fantomas wrote:

logs?

On 10.01.20 14:50, Simon B wrote:

Quite difficult to get logs off the production environment onto my office client, hence the redacted smtpd_recipient_restrictions

    Jan 10 13:42:22 mail postfix/smtpd[18730] : NOQUEUE: rejectRCPT from localhost [127.0.0.1]: 550 5.7.1. : Helo command rejected: Your server is misconfigured as you are not a member of this domain; from= to= proto=ESMTP helo=

ok, this looks like recipient rejection, because of helo checks.

Are you sure those clients did authenticate successfully?

don't you have check_helo_access at different place in any chance?

Good shout. it is also in smtpd_relay_restrictions, but that is functionally a one-to-one copy of smtpd_recipient_restrictions

I'm not sure what smtpd_relay_restrictions debian adds to main.cf by default.

nothing in my main.cf is default by debian. It's been painstakingly constructed over years with contributions from this list.

I guess that upgrade script configured smtpd_recipient_restrictions to smtpd_relay_restrictions.

Since it's postfix/submission/smtpd, isn't there anything strange in master.cf ?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. - Have you got anything without Spam in it? - Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
Re: Postfix HELO checks
On 10.01.20 12:42, Simon B wrote: For as long as I can I remember, I have blocked connections purporting to be my own domain/IP address using a postmapped file called helo_checks. This is checked AFTER permit_sasl_authenticated. smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, reject_sender_login_mismatch, rejected_authenticated_sender_login_mismatch, check_helo_access hash:/etc/postfix/helo_checks, . . . permit_mynetworks, reject_unauth_destination, a bunch more RBLs, permit Since upgrading to 2.11 yesterday (yes, I am on a path to move up through debian versions), all mail coming in on postfix/submission/smtpd is being rejected by the domain check in that file, even though the user is sasl authenticated. Can someone help me figure out why? I can probably remove/comment the offending line and rely on other rejection parameters, but it still rejects a significant of spam attempts, so I'd prefer to keep it. logs? don't you have check_helo_access at different place in any chance? I'm not sure what smtpd_relay_restrictions debian adds to main.cf by default. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot.
handling long-term unreachable addresses/domains
Hello, on a few mail servers/gateways, we receive mail from domains that are unreachable for mail delivery on a long-term basis. besides spammers, there are companies that send mail from domains which don't have MX records, and A records point to servers without mail service running. I would like to detect this kind of domains and block them. Ideally, not immediately, but when e.g. domain is inaccessible for a given time, e.g. when mail starts being returned. Is something similar possible now? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. How does cat play with mouse? cat /dev/mouse
Re: SEMDMAIL Error message
On 08.01.20 11:31, Jason Hirsh wrote:

Shouldn’t be a permission issue as sendmail isn’t supposed to be running.. Is there some hidden part of sendmail I could have missed when converting to postfix?

/var/spool/clientmqueue/ belongs to the sendmail.

you apparently did not properly configure mailwrapper and /usr/sbin/sendmail still points to sendmail's sendmail binary

My rc.conf

    dumpdev="AUTO"
    named_enable="YES"
    mysql_enable="YES"
    dovecot_enable="YES"
    sendmail_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"
    postfix_enable="YES"
    apache24_http_accept_enable="YES"
    apache24_enable="YES"
    clamav_freshclam_enable="YES"
    clamav_clamd_enable="YES"
    maiad_enable="YES"
    lookup_domain_enable="YES"
    firewall_enable="YES"
    firewall_script="/usr/local/etc/ipfw.rules"
    firewall_logging="YES"
    sshguard_enable="YES"
    gateway_enable="YES"
    natd_enable="YES"
    natd_interface="em1"
    natd_flags="-dynamic -m"
    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

On Jan 8, 2020, at 11:25 AM, Pintér Tibor wrote:

permission

On 1/8/20 4:19 PM, Jason Hirsh wrote:

I am getting the following error message even though I am using postfix and no longer start SENDMAIL in rc.conf

    sendmail[92919]: NOQUEUE: SYSERR(root): can not chdir(/var/spool/clientmqueue/): Permission denied

Can anyone tell me what I am missing?

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #9: Out of error messages.
Re: Aliases/.forward/virtual_users confusion
On 20.12.19 17:25, Gerben Wierda wrote: I am trying to understand how my aliases/virtual_users/etc interact. postfix setup has virtual domains and virtual users, but all users (also those from different domains) are local dovecot IMAP mailboxes (“separate domains, unix system accounts”) main.cf says it is the destination for: mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, $myorigin mydomain = rna.nl mydomain_fallback = localhost myhostname = mail.rna.nl mynetworks = 127.0.0.0/8, 192.168.2.0/24, [::1]/128 myorigin = dumbledore.rna.nl Aliases maps are defined in main.cf as follows: alias_maps = hash:/Library/Server/Mail/Config/postfix/aliases hash:/Library/Server/Mail/Data/listserver/aliases/list_server_aliases virtual_alias_maps = $virtual_maps hash:/Library/Server/Mail/Config/postfix/virtual_users hash:/Library/Server/Mail/Config/postfix/rna_virtual_users hash:/Library/Server/Mail/Data/listserver/aliases/list_server_virtual don't you have dumbledore.rna.nl defined in /Library/Server/Mail/Config/postfix/virtual_users /Library/Server/Mail/Config/postfix/rna_virtual_users or /Library/Server/Mail/Data/listserver/aliases/list_server_virtual by any chance? My /Library/Server/Mail/Config/postfix/aliases file contains: # Person who should get root's mail. Don't receive mail as root! root: gerben # Basic system aliases -- these MUST be present MAILER-DAEMON: postmaster postmaster: root postfix:root gerben is an existing local user with a dovecot IMAP mailbox who can receive mail. The result of trying to mail to r...@rna.nl or r...@dumbledore.rna.nl using SMTP from another system was originally: The server response was: : Recipient address rejected: User unknown in local recipient table The server’s name internally is dumbledore.rna.nl (presents itself as mail.rna.nl on the outside) and the same happened with the r...@rna.nl address or with ger...@dumbledore.rna.nl, but ger...@rna.nl worked. 
And postmas...@rna.nl worked and delivered to gerben’s dovecot mailbox. Why doesn’t this work? E.g. the server is the final destination for $myorigin which is dumbledore.rna.nl, but ger...@dumbledore.rna.nl doesn’t work. With the following in virtual_users: r...@rna.nl r...@rna.nl I can receive mail for root from another system via SMTP to r...@rna.nl, but I still cannot receive local mail to root from the local /usr/bin/mail or crontab to ‘root'. It seems that I must have a ~root/.forward with in it: ger...@rna.nl or I have to put the following in another /etc/aliases file (not the one postfix uses): root: ger...@rna.nl And not ‘gerben’ as otherwise, the mail ends up in /var/mail/gerben instead of in dovecot And I must enter the r...@dumbledore.rna.nl in my virtual_users as well: r...@rna.nl r...@rna.nl r...@dumbledore.rna.nl r...@rna.nl to have it covered, I have it working but it seems all a little complex to me and I get the feeling that I have made things overly complex. Am I correct? And what is preferred? An /etc/aliases file that is in use (next to the one I am using) or a ~root/.forward file? alias_maps are processed before .forward, virtual_alias_maps before alias_maps. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. It's now safe to throw off your computer.
Re: Advice: NFS, hardware, SATA vs SAS etc
> > > Yes. Do any Postfix administrators with busy systems rely on NFS?
> > > That seems like a really bad idea, honestly.
> So NFS is a poor, outdated choice for mail storage in 2020 for a small/medium
> enterprise?

On any large number of users some kind of hash is used to distribute email storage across multiple nodes.

On 17.12.19 22:32, venbian wrote:

Oh that's the obvious answer I didn't think of (but everyone else was thinking, right?). Let IMAP proxy LDA and IMAP traffic to a few file servers. Then those servers won't need expensive SAN as long as they have respectable SATA/RAID.

Just FYI, proxy won't help you when one of the storage hosts fails. We have used NFS cluster because of that.

Mails were processed locally, only delivered to the NFS storage. Having queue on NFS would not be very efficient but would be safe against outage of host with postfix.

However, this is off-topic in this queue. hopefully proposed solutions will be enough for you, good luck.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: Postfix: Sender address rejected: Domain not found
On 17.12.19 08:03, Emanuel wrote:

still not work, i put in there into the file sender_bloqueados this rule:

    ferozo-admin.com.ar dunno

    Dec 17 07:57:40 smarthost01-ded postfix/smtp[20790]: 30AF44882E: to=, relay=none, delay=0.02, delays=0.02/0/0/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=ferozo-admin.com.ar type=: Host not found)

smtpd doesn't know where to send that message to, since the domain does not exist. If you know a server that will accept mail for the ferozo-admin.com.ar domain, you must add it to transport_maps - as I have told you in my previous mail.

    smtpd_recipient_restrictions = check_recipient_access mysql:/etc/postfix/mysql-virtual-recipient-access.cf regexp:/etc/postfix/regex_destinatarios_bloquea

and this looks like invalid setting. If you have multiple databases with recipient access, you must specify check_recipient_access for each table.

The domain to which I am trying to deliver mail is not a local domain, it is a domain hosted on another server in my network. I assumed that adding the line in the /etc/hosts would work but isn't it, any other ideas?

don't assume. As Wietse already pointed out, postfix uses DNS/MX lookups and since you can't put MX to /etc/hosts, you must use DNS or explicit transport map.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. - Holmes, what kind of school did you study to be a detective? - Elementary, Watkins. -- Daffy Duck & Porky Pig
Re: Whitelisting refuses to work
On 17.12.19 16:24, Ieva Dav wrote: smtpd_client_restrictions = check_client_access hash:$conf_dir/whitelist, reject_rbl_client blah reject_rbl_client blahblah etc And it still blocks the domains i put in the whitelist. Google says to have this in recipient restrictions instead, but that doesn't work either. What did i miss? how does the rejection look like in logs? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot.
Re: Postfix: Sender address rejected: Domain not found
On 16.12.19 15:58, Emanuel wrote:

The idea is that postfix delivers the emails to the IP directed to a temporary domain which has no DNS.

you can configure sending mail to that particular domain in transport_maps.

Emanuel: I use the option reject_unknown_recipient_domain,

if you don't want to allow sending mail to any non-existing domains (which I don't recommend), I recommend explicit whitelisting of particular domain.

On 16/12/19 at 15:51, Wietse Venema wrote:

That uses DNS lookups, not /etc/hosts, because it requires MX lookups, and MX records cannot be found in /etc/hosts.

    Dec 16 15:41:10 smarthost01-ded postfix/smtp[30826]: B0C15488B4: to=, relay=none, delay=0.05, delays=0.01/0/0.04/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=ferozo-admin.com.ar type=: Host not found)

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. On the other hand, you have different fingers.
Re: configuration postscreen
> I would avoid unduly short postscreen cache times, that can lead to
> legitimate clients not getting through at all.

On Fri, Dec 13, 2019 at 05:40:33PM +0100, Matus UHLAR - fantomas wrote:

I'm not sure if that would help. Apparently, both postscreen and smtpd will use the same nameserver for dnsbl lookup, and if it's cached from previous postscreen lookup, it will probably give the same result.

On 13.12.19 16:19, Viktor Dukhovni wrote:

The negative TTLs on SpamHaus RBL replies are not very long:

    zen.spamhaus.org. 10 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1912132118 3600 600 432000 10

presently just 10 seconds.

the time difference between postscreen blacklist check and smtpd blacklist check should be lower than 10 seconds.

yes, with postscreen_dnsbl_min_ttl there's another ~50 seconds where postscreen passes the IP while smtpd would blacklist it.

However, I consider postscreen's weighed black/whitelisting more safe than whitelisting/blacklisting at smtpd level maybe unless there's exactly one whitelist and one blacklist used.

of course, I'm willing to learn if there's something I have missed

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Your mouse has moved. Windows NT will now restart for changes to take to take effect. [OK]
Re: configuration postscreen
On Fri, Dec 13, 2019 at 11:03:49AM +0100, Claus R. Wickinghoff wrote:

    Dec 13 09:16:27 mole postfix/postscreen[1771]: PASS OLD [45.146.203.135]:49121

Now it reconnects and with the cache entry it's classified as "PASS OLD" and got redirected to smtpd...

    Dec 13 09:16:27 mole postfix/smtpd[1839]: 369B040088: client=tremble.sckenz.com[45.146.203.135]
    tremble.sckenz.com[45.146.203.135] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

...and delivers its spam.

If I check some blacklists now, I got hits:

    LISTED  Spamhaus ZEN  45.146.203.135 was listed  60  0  Ignore

On 13.12.19 11:30, Viktor Dukhovni wrote:

My advice would be to enable zen.spamhaus.org (or similar mainstream low FP rate RBL) on a per-message basis in smtpd(8):

    smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org

The purpose of postscreen is to try to keep botnets from consuming all your SMTP connection slots. You should have anti-spam measures in place for the clients that get through.

I would avoid unduly short postscreen cache times, that can lead to legitimate clients not getting through at all.

I'm not sure if that would help. Apparently, both postscreen and smtpd will use the same nameserver for dnsbl lookup, and if it's cached from previous postscreen lookup, it will probably give the same result.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Christian Science Programming: "Let God Debug It!".
Re: rejections after limiting access to smtp auth
lists wrote on 2019-12-12 03:08:

Seriously is there ever a case not to use port 587?

On 12.12.19 08:29, Benny Pedersen wrote:

depends on content filtering, if all clients is local all can use port 25

even in this case separation of submission port can help much.

I prefer postscreen and milters on port 25, so spam is refused at SMTP level. Clients don't like that because sending mail takes time.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Nothing is fool-proof to a talented fool.
Re: Relay and Sender Restrictions
On 07.12.19 15:08, spaceman wrote: I have a destination and a relay postfix. Both have the following (with a few extra for the destination): smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, permit The destination rejects emails as it is supposed to, however the relay does not. This means that the destination rejects emails from the relay. the destination? If you are talking about recipient, you must put reject_non_fqdn_recipient and reject_unknown_recipient_domain into smtpd_recipient_restrictions -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Emacs is a complicated operating system without good text editor.
Re: how to configure backup MX to relay messages to primary MX
On 06.12.19 19:22, e...@chinabuckets.com wrote:

given a domain has two mx servers:

    domain.com. 5 mx1.domain.com.
    domain.com. 10 mx2.domain.com.

when someone's delivery agent can't talk to mx1 due to network issues, he may retry to deliver messages to mx2. if mx2 get the messages successfully, how does it relay the messages to mx1 for mail store?

it will follow the MX records. You need to configure domains postfix will relay mail to, either using relay_domains or permit_mx_backup_networks

also, if your mailserver is behind NAT, you may need to configure proxy_interfaces to contain public IP address(es) that map to it.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. My mind is like a steel trap - rusty and illegal in 37 states.
Re: Recipient address rejected for recipient address in virtual
On 02.12.19 05:21, @lbutlr wrote: I have an email address listed in virtual in the form ama...@kreme.com. kreme+ama...@kreme.com it that a trailing dot? But when an email comes in to that address, I get Recipient address rejected: unverified address: Address lookup failed; # postmap -q ama...@kreme.com hash:/etc/postfix/virtual kreme+ama...@kreme.com (Not that actual addresses, but the form is @localdomain => localuser+@localdomain) I assume I can eliminate this by taking out the reject_unverified_recipient from my smtpd_recipient_restrictions but shouldn’t this address be verified? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Spam is for losers who can't get business any other way.
Re: Bounce spam configuration.
On Wed, 27 Nov 2019 09:17:36 +0100, Postfix users wrote:

Looks like I get listed (again) because my conf rejects spam messages with full body.

I don't fully understand this, can you rephrase?

What to change in postfix configuration to get reject with my message only and SPAM message added as eml attachment ?

this looks like job for spam filter like spamassassin or amavis, not postfix.

On 27.11.19 09:35, Julian Kippels wrote:

maybe you should look into rejecting Spam pre-queue with smtpd_proxy_filter

I recommend milter over using smtpd proxy.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
One OS to rule them all, One OS to find them, One OS to bring them all and into darkness bind them
Re: Forwarding mail without breaking SPF?
On 26-11-2019 at 17:59, Marek Kozlowski wrote:

OK. I do not insist on postsrsd. I'd really appreciate any suggestion: what can I use instead of it - what do you recommend?

On 11/26/19 2:07 PM, Benny Pedersen wrote:

no one uses spf anymore

incorrect.

since it breaks mailing lists very badly ?, postfix maillist have not even spf helo pass :)

They don't have SPF helo fail. "No SPF" is correct result.

spf works only on direct mail, not mailing lists since envelope sender changes on maillists

spf can work on any mail, even mailing list.

so if you add spf to your domain it would not make bad things ever dmarc is another story not to try

On 26.11.19 23:20, Richard Damon wrote:

SPF does NOT break from a properly configured mailinglist, as SPF doesn't check just from, but can also use sender/envelope-from,

incorrect. SPF is only supposed to check envelope from:, not any headers. Checking header From: was stupid microsoft attempt for spf/2 that failed. Once again, SPF does not apply to mail headers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
LSD will make your ECS screen display 16.7 million colors
Re: how to setup a privacy oriented mailserver
on 2019/11/26 19:27, Matus UHLAR - fantomas wrote:

...and there's no "starttls" on 465, that's what I meant "implicit". while port 465 was assigned for SMTPS in January 2018, it's been used this way on many sites/services for years (even decades)

On 26.11.19 20:50, Wesley Peng wrote:

How the traffic between big one's MTAs get through?

port 25 as always/before

For example, gmail send messages to web.de via port 465 by SSL,

this was the original intent of port 465, but it was deprecated 20 years ago and never used. Port 465 was used for smtp with implicit SSL since.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I'm not interested in your website anymore. If you need cookies, bake them yourself.
Re: how to setup a privacy oriented mailserver
on 2019/11/26 17:02, Matus UHLAR - fantomas wrote:

I would set up port 465 also. Note that TLS on 465 is implicit, while on 587 is explicit, so it's easier to allow unencrypted connections by a mistake on 587.

On Tue, 26 Nov 2019, Wesley Peng wrote:

587 is also used for StartTLS, am I right?

On 26.11.19 11:50, Bernardo Reino wrote:

Yup, that's what Matus meant with "explicit". Connection starts in clear text and is then (explicitly :) "upgraded" to TLS.

...and there's no "starttls" on 465, that's what I meant "implicit". while port 465 was assigned for SMTPS in January 2018, it's been used this way on many sites/services for years (even decades)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
Re: how to setup a privacy oriented mailserver
On 25.11.19 18:22, lists wrote:

At a minimum, I would set it up to use port 587.

I would set up port 465 also. Note that TLS on 465 is implicit, while on 587 is explicit, so it's easier to allow unencrypted connections by a mistake on 587.

Then block via firewall all the email ports other than port 25 all countries from which you will not be using the server.

you apparently mean, from countries client won't be able to receive mail from.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
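Added example, not part of any message in this thread: a small audit of master.cf that flags a submission (587) service where STARTTLS is only optional, or an implicit-TLS (465) service without wrapper mode. The sample master.cf is constructed; the check reads only per-service `-o name=value` overrides and assumes main.cf does not already force TLS.

```python
import shlex

# Constructed master.cf excerpt; service names follow Postfix's stock file.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
# 587: STARTTLS is offered but not required
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
# 465: TLS from the first byte
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

# Override each client-facing service needs so that no cleartext session is possible.
REQUIRED = {
    "submission": ("smtpd_tls_security_level", "encrypt"),  # explicit TLS, port 587
    "smtps": ("smtpd_tls_wrappermode", "yes"),              # implicit TLS, port 465
    "submissions": ("smtpd_tls_wrappermode", "yes"),
}

def logical_lines(text):
    """Join continuation lines (those starting with whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def audit(text):
    """Report submission services whose own -o overrides do not force TLS."""
    findings = []
    for entry in logical_lines(text):
        fields = shlex.split(entry)
        if len(fields) < 8 or fields[7] != "smtpd" or fields[0] not in REQUIRED:
            continue
        args = fields[8:]
        opts = dict(v.split("=", 1) for f, v in zip(args, args[1:])
                    if f == "-o" and "=" in v)
        key, want = REQUIRED[fields[0]]
        if opts.get(key) != want:
            findings.append(f"{fields[0]}: {key}={opts.get(key, 'unset')}, expected {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MASTER_CF)) or "ok")
```

The port 25 `smtp` entry is skipped on purpose, because server-to-server mail there normally stays on opportunistic TLS.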
Re: Question about DMARC
On 22.11.19 07:24, Richard Damon wrote:

Base SPF works through a traditional forwarder, because the base rules for SPF allow the message to pass based on the domain of the Sender: header, not just the From:. A proper forwarder will add a Sender: header for itself, to indicate that while it was not the originator of the message, it was the last one to send it. DMARC changes the rules for SPF, and says that the message must align with the From: header, based on the idea that most mail readers don't show you that sender does not equal from.

SPF is designed to work with envelope addresses, not headers. Any forwarder that keeps envelope address (which is common for .forward files or MTA-level mail aliases) thus breaks spf unless measures are made. And this is the main problem with SPF enforcement.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges.
Re: Question about DMARC
On 22.11.19 06:15, Richard Damon wrote:

Normal forwarding will break SPF,

note that by "normal forwarding" Richard meant the old-school "re-send mail to new recipient, keep its contents and the envelope sender" where the keeping envelope sender is what breaks SPF.

This is imho valid, because at forwarding time, it's already not the original envelope sender who sends the mail - in fact it's the original recipient who forwards it. So, if an error occurs after forwarding, it's not the original sender who should get notification, but the recipient who has forwarded it.

The SRS method was designed to avoid this problem, add the original sender to the envelope address, so forwarding MTA (or whoever)

This mailing list does not break SPF, because it re-sends mail using envelope sender "owner-postfix-us...@postfix.org".

The issue is that many mailing list will break DKIM by slightly modifying the message, like adding a signal word to the subject or a footer with information like unsubscribing instructions (this can be a legal requirement in some jurisdictions). Note, this list does NOT do this sort of modification, so doesn't cause that sort of problem.

...and even adding this information to list mail doesn't prevent some subscribed users from complaining about getting the mail. Unfortunately, MUA support of mailing lists is not very common.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
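Added example, not part of any message in this thread: a model of the SPF points made in the forwarding and DMARC replies above, showing that the check follows the envelope sender only, so plain forwarding fails while an SRS-style rewrite or a list's own envelope sender passes. Assumptions: the domains, addresses and secret are constructed, only `ip4` and `-all` terms are evaluated, and the SRS0 layout is simplified (hex tag, fixed timestamp field).

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF policies using documentation address ranges.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.7 -all",
}

def spf_check(client_ip, envelope_from):
    """Evaluate the MAIL FROM domain's policy; message headers are never read."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"

def srs_rewrite(envelope_from, forwarder_domain, secret, stamp="AB"):
    """SRS0-style rewrite: keep the original sender inside a forwarder-owned address."""
    local, domain = envelope_from.rsplit("@", 1)
    tag = hmac.new(secret, f"{stamp}{domain}{local}".encode(), hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"

def srs_reverse(srs_address, secret):
    """Recover the original sender for a bounce, rejecting forged tags."""
    body = srs_address.rsplit("@", 1)[0]
    prefix, tag, stamp, domain, local = body.split("=", 4)
    expected = srs_rewrite(f"{local}@{domain}", "x", secret, stamp).split("=")[1]
    if prefix != "SRS0" or not hmac.compare_digest(tag, expected):
        raise ValueError("invalid SRS address")
    return f"{local}@{domain}"

def scenarios(secret=b"constructed-secret"):
    sender, relay_ip = "alice@sender.example", "198.51.100.7"
    rewritten = srs_rewrite(sender, "forwarder.example", secret)
    return {
        "direct": spf_check("192.0.2.25", sender),
        "plain_forward": spf_check(relay_ip, sender),   # envelope sender kept
        "srs_forward": spf_check(relay_ip, rewritten),  # envelope sender rewritten
        "list_resend": spf_check(relay_ip, "owner-list@forwarder.example"),
        "bounce_to": srs_reverse(rewritten, secret),
    }
```

`scenarios()` returns the SPF result for each delivery path plus the address a bounce would be mapped back to by the forwarder.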
Re: transport clash with mydestination
On 21.11.19 12:16, Matus UHLAR - fantomas wrote:

I run "proxy.example.com" server with ".example.com" in transport_maps, to direct all example.com subdomains to internal server

my $mydestination contains proxy.example.com and some other names, however all domain to proxy.example.com is directed to internal servers.

What should I do to exempt $mydestination from being looked up in transport_maps?

seems I found it:

http://postfix.1071664.n5.nabble.com/Mydestination-and-transport-maps-td85665.html

so for every subdomain of .example.com, override must be done in transport_maps:

proxy.example.com local:

Now I'm just curious if those domains are still required in $mydestination...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Micro random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
transport clash with mydestination
Hello,

I run "proxy.example.com" server with ".example.com" in transport_maps, to direct all example.com subdomains to internal server

my $mydestination contains proxy.example.com and some other names, however all domain to proxy.example.com is directed to internal servers.

What should I do to exempt $mydestination from being looked up in transport_maps?

Thank you

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.