[pfx] Re: DANE and STS

2024-06-27 Thread Michael Grimm via Postfix-users
Michael Grimm  wrote:


> [see Viktor's link: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html] 
> 

correction: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Regards,
Michael
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: DANE and STS

2024-06-27 Thread Michael Grimm via Postfix-users
Gerd Hoerst via Postfix-users  wrote:

> I checked my cert and it related to R10, but I will also publish the rest 
> regarding your advice

I do recommend investigating '3 1 1' records, instead.

"Hence, my best advice is to not play Let's Encrypt whack-a-mole, and use "3 1 
1" records with stable keys (not automatically replaced with every renewal)."
[see Viktor's link: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html] 



And have a look at a thread in this ML starting with 
https://www.mail-archive.com/postfix-users@postfix.org/msg92488.html 


I have followed that advice and publish one RSA and ECC record for both of my 
mail servers, each. I am using LE certificates with a stable private key that I 
revoke once in a while.


(This is not one of Viktor's recommendations: I publish a '3 1 1' record 
derived from a self-signed certificate in addition, mainly for manual 
interventions in potential LE disaster recovery purposes.)

Regards,
Michael
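
Added example, not part of the original message and not Postfix or Let's Encrypt code: a Python sketch of why a '3 1 1' record survives certificate renewals as long as the key is kept, while a '3 0 1' record changes with every renewal. The helper names are hypothetical, and the "certificates" are constructed DER skeletons with placeholder key bytes, not real certificates.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    start = pos + 2
    if first < 0x80:                      # short form: one length byte
        return tag, start, start + first
    n = first & 0x7F                      # long form: n length bytes follow
    length = int.from_bytes(buf[start:start + n], "big")
    return tag, start + n, start + n + length

def spki_der(cert):
    """Cut the complete SubjectPublicKeyInfo element out of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)       # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                       # optional [0] version field
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def tlsa(cert, selector):
    """TLSA RDATA for usage 3 (DANE-EE) and matching type 1 (SHA-256)."""
    data = spki_der(cert) if selector == 1 else cert   # 1 = key only, 0 = full cert
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

# Constructed sample input: DER skeletons with placeholder key bytes.
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def fake_cert(serial, key):
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki

STABLE_KEY = bytes(range(256)) + b"\x01" * 14
issued, SPKI = fake_cert(1, STABLE_KEY)           # first issuance
renewed, _ = fake_cert(2, STABLE_KEY)             # renewal, same key
rekeyed, _ = fake_cert(3, STABLE_KEY[::-1])       # renewal with a new key

if __name__ == "__main__":
    for name, cert in (("issued", issued), ("renewed", renewed), ("rekeyed", rekeyed)):
        print(f"{name:8} {tlsa(cert, 1)}")
        print(f"{'':8} {tlsa(cert, 0)}")
```

For a real PEM certificate, ssl.PEM_cert_to_DER_cert() from the Python standard library yields the DER bytes that tlsa() expects.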



[pfx] Re: discard message

2024-06-20 Thread Michael Grimm via Postfix-users
Viktor Dukhovni via Postfix-users  wrote:
> On Thu, Jun 20, 2024 at 02:33:08PM +0200, Michael Grimm via Postfix-users 
> wrote:

>>> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
>> 
>> Please correct me if I am mistaken, but that won't catch scores >= 10?
> 
> Yes, but easily adapted.
> 
>> But I don't know how such a regex should be defined.

Thanks for the examples, highly appreciated.

Regards,
Michael


[pfx] Re: discard message

2024-06-20 Thread Michael Grimm via Postfix-users
Wietse Venema via Postfix-users  wrote:
> Paul Schmehl via Postfix-users:

>> This is what I could match on: X-Spam-Status: Yes, score=2.1
>> 
>> If the score was higher than some number (e.g. >4) then reject the mail.
> 
> One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/

Please correct me if I am mistaken, but that won't catch scores >= 10?

But I don't know how such a regex should be defined.

Regards,
Michael
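
Added example, not part of the original thread and not the examples Viktor posted: a Python sketch that builds a header_checks line matching every score at or above an integer threshold, so that 10 and above is caught as well as 5 to 9. The function names and the DISCARD action are assumptions, the sample headers are constructed, and the pattern uses only syntax that both regexp: and pcre: tables accept.

```python
import re

def int_at_least(n):
    """ERE group matching the integer part of any score >= n (n >= 1)."""
    s = str(n)
    k = len(s)
    alts = []
    for i, ch in enumerate(s):
        # Keep the first i digits of n, raise digit i, let the rest run free.
        # At the last position the digit itself is allowed too (that is n).
        lo = int(ch) + (0 if i == k - 1 else 1)
        if lo > 9:
            continue
        digit = "9" if lo == 9 else f"[{lo}-9]"
        rest = k - i - 1
        alts.append(s[:i] + digit + (f"[0-9]{{{rest}}}" if rest else ""))
    alts.append(f"[1-9][0-9]{{{k},}}")    # any number with more digits than n
    return "(" + "|".join(alts) + ")"

def header_check(threshold, action="DISCARD"):
    """One header_checks table line for SpamAssassin-style status headers."""
    return f"/^X-Spam-Status: Yes, score={int_at_least(threshold)}/ {action}"

def fires(rule, header):
    """True if the pattern between the slashes of a table line matches header."""
    pattern = rule.split("/")[1]
    return re.search(pattern, header) is not None

# Constructed sample headers.
SAMPLES = [
    "X-Spam-Status: Yes, score=5.0 required=5.0",
    "X-Spam-Status: Yes, score=10.2 required=5.0",
    "X-Spam-Status: Yes, score=4.9 required=4.0",
    "X-Spam-Status: No, score=-1.1 required=5.0",
    "X-Spam-Status: Yes, score=123.4 required=5.0",
]

if __name__ == "__main__":
    rule = header_check(5)
    print(rule)
    for header in SAMPLES:
        print("HIT " if fires(rule, header) else "pass", header)
```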


[pfx] Re: postfix 3.8.4, missing inet_protocols setting in main.cf, and postfix' post-install script

2024-01-17 Thread Michael Grimm via Postfix-users
Wietse Venema via Postfix-users  wrote
> Michael Grimm via Postfix-users:

>> Very recently I re-enabled IPv6 on my servers, and removed my 
>> 'inet_protocols=ipv4' from main.cf and did *not* add 'inet_protocols=all' 
>> because I checked for the default setting:
>> 
>> mail> postconf -d inet_protocols
>> inet_protocols = all
>> 
>> Thus, my main.cf lacks *any* inet_protocols setting!
> 
> THAT CLAIM IS FALSE.

Sorry. What I meant is: I did remove 'inet_protocols=ipv4', thus no 
inet_protocols setting in my main.cf

> No, that is not what "postconf -d" does.

Ok, understood.

> If you want to know what inet_protocols setting is in effect
> 
>     postconf inet_protocols

Current setting:

mail> grep inet_protocols main.cf
inet_protocols = all

mail> postconf inet_protocols
inet_protocols = all

Now, I removed this line from main.cf, thus no more settings regarding 
inet_protocols:

mail> grep inet_protocols main.cf

mail> postconf inet_protocols
inet_protocols = all

Now, I do reinstall postfix:

mail> pkg install -f -y postfix 
(FreeBSD's package compiled by poudriere)

After reinstallation:

mail> grep inet_protocols main.cf
inet_protocols = ipv4

mail> postconf inet_protocols
inet_protocols = ipv4

That is what I meant, the line 'inet_protocols = ipv4' had been added.


>> Today, I had to recompile and reinstall all of my ports (ABI change), and 
>> found, that 'inet_protocols=ipv4' has been added to main.cf?!
> 
> Indeed, many sites don't have IPv6 connectivity, and trying to connect to 
> IPv6 sites is not useful.

Yes I do understand that.

Ok, I will keep 'inet_protocols = all' until IPv6 will be enabled by default.

Thanks for your explanations.

Regards,
Michael




[pfx] postfix 3.8.4, missing inet_protocols setting in main.cf, and postfix' post-install script

2024-01-17 Thread Michael Grimm via Postfix-users
Hi,

I am running postfix 3.8.4 on FreeBSD 14.0-STABLE and recompile postfix (and 
all my other ports) on a regular basis (by poudriere).


Very recently I re-enabled IPv6 on my servers, and removed my 
'inet_protocols=ipv4' from main.cf and did *not* add 'inet_protocols=all' 
because I checked for the default setting:

 mail> postconf -d inet_protocols
 inet_protocols = all

Thus, my main.cf lacks *any* inet_protocols setting!


Today, I had to recompile and reinstall all of my ports (ABI change), and 
found, that 'inet_protocols=ipv4' has been added to main.cf?!

I found https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263813 and there 
https://github.com/vdukhovni/postfix/blob/master/postfix/conf/post-install

'post-install' tells me:

# Postfix 2.9.
# Safety net for incompatible changes in IPv6 defaults.
# PLEASE DO NOT REMOVE THIS CODE. ITS PURPOSE IS TO AVOID AN
# UNEXPECTED DROP IN PERFORMANCE AFTER UPGRADING FROM POSTFIX
# BEFORE 2.9.
# This code assumes that the default is "inet_protocols = ipv4"
# when IPv6 support is not compiled in. See util/sys_defs.h.

test "`$POSTCONF -dh inet_protocols`" = "ipv4" ||
test -n "`$POSTCONF -c $config_directory -n inet_protocols`" || {
cat <

[pfx] Re: Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Michael Grimm via Postfix-users
Viktor Dukhovni via Postfix-users  wrote:
> 
> On Mon, Jan 08, 2024 at 07:36:37PM +0100, Michael Grimm via Postfix-users 
> wrote:

>> But will that work, once a mail has been deferred and is sitting in the 
>> queue already? 
>> Meaning, if a 'postqueue -f' will retry with smtpv4, instead of sticking to the 
>> old IPv4 address?
> 
> Transport resolution is not "sticky", it is performed de novo, each time
> a message enters the active queue.

Good to know, that answers all my questions, thanks.

And sorry: I could have answered my question by myself. Modifying 
inet_protocols, restarting postfix, and 'postqueue -f' should have taught me 
that, already ;-)

Regards,
Michael



[pfx] Re: Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Michael Grimm via Postfix-users
Viktor Dukhovni via Postfix-users  wrote:
> On Mon, Jan 08, 2024 at 04:02:48PM +0100, Michael Grimm via Postfix-users 
> wrote:

>> Sometimes outgoing mail is deferred due to "reputational issues" at
>> the receiving side. These "reputational issues" mostly concerned my
>> IP6 addresses, thus I removed IP6 mailing completely. But now, I do
>> want to give it a try, again.
>> 
>> In the past, whenever a mail has been deferred, I manually modified
>> inet_protocols to the protocol *not* involved, restarted postfix and
>> ran 'postqueue -f'. After having the "reputational issue" solved, I
>> returned to inet_protocols=all.
> 
> You shouldn't need anything nearly so complex.
> 
> I have in master.cf:
> 
>     smtp   unix  -   -   n   -   -   smtp
>     smtpv4 unix  -   -   n   -   -   smtp
>         -o inet_protocols=ipv4
>     smtpv6 unix  -   -   n   -   -   smtp
>         -o inet_protocols=ipv6
> 
> For destination domains found to have issues with IPv6 (or conversely
> with IPv4) just specify one of the alternative transports.
> 
>     gmail.com   smtpv4:gmail.com
>     example.com smtpv6:example.com

Thanks, this is a good solution in my case, especially due to the fact, that 
those "reputational issues" are not that very often to solve.

But will that work, once a mail has been deferred and is sitting in the queue 
already? 
Meaning, if a 'postqueue -f' will retry with smtpv4, instead of sticking to the 
old IPv4 address?

> Of course, as noted by Wietse, when MX-hosts for a myriad (not possible
> to explicitly list) domains need a specific transport, the DNS reply
> filter comes in handy.  Between that, and explicit transports you should
> be able to have IPv4+IPv6 as a default with appropriate work-arounds.
> 
> Or perhaps IPv4 as a default, with IPv6 or both for domains where those
> work better.

I do still have sooo much to learn, even after 10+ years of using postfix ;-)

Thanks to both of you and regards,
Michael



[pfx] Re: Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Michael Grimm via Postfix-users
Wietse Venema via Postfix-users  wrote:
> Michael Grimm via Postfix-users:

>>> Postfix has a "rule based language" for receiving mail, but there
>>> is no such thing for outbound deliveries.
>> 
>> I am only curious of how much functionality would be needed for
>> that?
> 
> There is zero code, so that would be a lot of work. To give an
> example, The SMTP server policy consists of a list of simple actions
> (mostly allow or deny), and simple actions looked up in a table or
> service. Changing delivery protocols is not a simple allow/deny action.

Understood.

> It might be more practical to temporarily defer hard rejects. That
> would give a receiver multiple opportunities to receive your message.
> 
> The smtp_pix_workarounds are an example of time-dependent behavior
> to work around buggy receivers.

Yes, I will use these workarounds.

Thanks again and regards,
Michael


[pfx] Re: Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Michael Grimm via Postfix-users
Wietse Venema via Postfix-users  wrote:
> Michael Grimm via Postfix-users:

>> Sometimes outgoing mail is deferred due to "reputational issues"
>> at the receiving side. These "reputational issues" mostly concerned
>> my IP6 addresses, thus I removed IP6 mailing completely. But now,
>> I do want to give it a try, again.
> 
> If it's just Google related, then you can try this to avoid
> their IPv6 addresses.

No, not only. All major Mail providers in Germany once in a while complained 
about my IP6 addresses. But I always succeeded in getting them whitelisted 
again. But this normally takes some time.

> /etc/postfix/main.cf:
>     smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
> 
> /etc/postfix/smtp_dns_reply_filter:
>     # /domain ttl IN AAAA address/ action, all case-insensitive.
>     # Note: the domain name ends in ".".
>     /^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
> 
> That's what I have been using for the past 10 years.

Wow! I would have never ever had a look at smtp_dns_reply_filter. Thanks.

>> In the past, whenever a mail has been deferred, I manually modified
>> inet_protocols to the protocol *not* involved, restarted postfix
>> and ran 'postqueue -f'. After having the "reputational issue"
>> solved, I returned to inet_protocols=all.
>> 
>> Question: Is there a better way to achieve this (automatically)
>> what I call "fallback to another protocol if receiver provides
>> both"?
> 
> Perhaps you can use smtp_delivery_status_filter to turn reputation
> related 5XX (reject) replies into 4XX (defer) replies.
> 
> /etc/postfix/main.cf:
>     smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
> 
> /etc/postfix/smtp_dsn_filter:
>     /^5(\.\d+\.\d+ .+ blah reputation blah .+)/ 4$1
> 
> With that, Postfix will try other IP addresses.

Thanks again. I will need to understand that first, but I will definitely give 
it a try.

> Postfix has a "rule based language" for receiving mail, but there
> is no such thing for outbound deliveries.

Just out of curiosity: I do assume that implementing such a thing would be a 
major effort?
Please, don't get me wrong, this isn't a feature request of mine. I am only 
curious of how much functionality would be needed for that?

Thanks again and regards,
Michael


[pfx] Redirect deferred mails via IP4 or IP6 addresses (automatically)

2024-01-08 Thread Michael Grimm via Postfix-users
[FreeBSD 14-STABLE, postfix 3.8.4, dovecot 2.3.21, rspamd 3.7.5]

Hi

Sometimes outgoing mail is deferred due to "reputational issues" at the 
receiving side. These "reputational issues" mostly concerned my IP6 addresses, 
thus I removed IP6 mailing completely. But now, I do want to give it a try, 
again.

In the past, whenever a mail has been deferred, I manually modified 
inet_protocols to the protocol *not* involved, restarted postfix and ran 
'postqueue -f'. After having the "reputational issue" solved, I returned to 
inet_protocols=all.

Question: Is there a better way to achieve this (automatically) what I call 
"fallback to another protocol if receiver provides both"?

Thanks and regards,
Michael



[pfx] Re: 25 years today

2023-12-14 Thread Michael Grimm via Postfix-users
Wietse Venema via Postfix-users  wrote:

> As a few on this list may recall, it is 25 years ago today that the
> "IBM secure mailer" had its public beta release.

[…]

> That was a long time ago. Postfix has evolved as the Internet has
> changed. I am continuing the overhaul of this software, motivated
> by people like you on this mailing list.

Thank you for your dedication to postfix, and thank you for your patience over 
all those years helping newbies to understand postfix.

I started 16 years ago in running postfix, and I do have to admit, that setting 
up a MTA server without disturbing all others out there has been the most 
difficult task in my career as a hobby sysadmin ;-)

With kind regards,
Michael


[pfx] Re: body_checks not catching all backscatter

2023-05-03 Thread Michael Grimm via Postfix-users
Sebastian Wiesinger via Postfix-users  wrote

> Thanks Peter but I will never ever, as long as I live, use anything
> connected to UCEProtect.

+1

Regards,
Michael


[pfx] Re: E-mail problem

2023-04-30 Thread Michael Grimm via Postfix-users
Kolusion K via Postfix-users  wrote:

> So I have a bizarre problem. I can't send e-mail to some servers but I can to 
> others. The e-mail that doesn't get sent is due to the connection timing out 
> to the remote server.
> 
> Another strange problem is that some people can e-mail me while others can't.
> 
> This is how my e-mail server is setup off the top of my head:
> 
> E-mail server has a CG-NAT IP address.

Citing https://en.wikipedia.org/wiki/Carrier-grade_NAT

Disadvantages
Critics of carrier-grade NAT argue the following aspects:
• Like any form of NAT, it breaks the end-to-end principle.[6]
• It has significant security, scalability, and reliability problems, by 
virtue of being stateful.
• It does not solve the IPv4 address exhaustion problem when a public IP 
address is needed, such as in web hosting.
Carrier-grade NAT usually prevents the ISP customers from using port 
forwarding, because the network address translation (NAT) is usually 
implemented by mapping ports of the NAT devices in the network to other ports 
in the external interface. This is done so the router will be able to map the 
responses to the correct device; in carrier-grade NAT networks, even though the 
router at the consumer end might be configured for port forwarding, the "master 
router" of the ISP, which runs the CGN, will block this port forwarding because 
the actual port would not be the port configured by the consumer.[7] In order 
to overcome the former disadvantage, the Port Control Protocol (PCP) has been 
standardized in the RFC 6887.
In cases of banning traffic based on IP addresses, the system might block the 
traffic of a spamming user by banning the user's IP address. If that user 
happens to be behind carrier-grade NAT, other users sharing the same public 
address with the spammer will be mistakenly blocked.[7] This can create serious 
problems for forum and wiki administrators attempting to address disruptive 
actions from a single user sharing an IP address with legitimate users.

FYI,
Michael


[pfx] Re: Painful Postfix

2023-04-30 Thread Michael Grimm via Postfix-users
Kolusion K via Postfix-users  wrote:

> When I open a raw socket to the remote server on port 25 using telnet, I am 
> able to connect and see the server announce itself […]

Then, do continue to provide all essential *FURTHER* commands via telnet and 
see and report what happens.

Michael


[P-U] Re: sys4 is listed in Abusix

2023-03-07 Thread Michael Grimm via Postfix-users
Patrick Ben Koetter via Postfix-users  wrote:

> * Michael Grimm via Postfix-users :
>> toganm--- via Postfix-users  wrote:
>> 
>>> Maybe it would have been a better idea to check if the mail server is listed
>>> in any rbl sites.
>> 
>> If you really were in mailing business for some time you would know how RBLs
>> work: They react, they do not read crystal balls!
> 
> Nope. There are burned IPs that had previously been used by spammers and
> there are even complete ASes, owned by hosters that just don't seem to be
> able / willing to get control over outbound abuse from their networks.

True, and I have been bitten by that in the past, since I am running 
mailservers on OVH infrastructure  

> Regarding this it *does* make sense to check an IP's reputation *before* you
> run a mail service using that IP.

Yes, see above.

> Besides that: I'd like to keep it classy. I don't see any reason to offend
> anyone for a discussion over IP.

I really didn't intend to offend anyone. 

But even after checking an IP's reputation one might end at a RBL after starting 
(out of a sudden a significant amount of) new mail traffic on a formerly clean 
IP. Happened to me before.

Regards,
Michael





[P-U] Re: sys4 is listed in Abusix

2023-03-07 Thread Michael Grimm via Postfix-users
toganm--- via Postfix-users  wrote:

> Maybe it would have been a better idea to check if the mail server is listed
> in any rbl sites.

If you really were in mailing business for some time you would know how RBLs 
work: They react, they do not read crystal balls!

Regards,
Michael
