[pfx] Re: question about postmaster account
* A. Schulze via Postfix-users: > https://datatracker.ietf.org/doc/html/rfc5321#section-4.5.1 > > 5321 btw... Indeed, that was an unfortunate typo on my end. Thanks, Andreas. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: question about postmaster account
* Walt E. via Postfix-users: > Is there any standard that, postmaster@domain is a required account > for this domain? Yes. The requirement has been specified as early as 1981 in RFC 822, and in its successors up to and including RFC 5322. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: RFC logs_check
* Steffen Nurpmeso: > >I think it is more than "a bit flakey". You ask Wietse to support > >something which introduces a significant security risk. > > Now you exaggerate a bit. Not really, the original example of invoking "iptables" directly requires root provileges. That could be mitigated by using sudo, but this step was not included in the example. Wietse could provide a security wrapper, but why should he bother? The core argument as far as I am concerned is that it is not part of Postfix's responsibilities to trigger external processes when a login error occurs or somebody targets a honeypot address. Postfix writes to a log, and I think that's enough. An interested party could hook into syslog, removing the need to scan log files (although the latter is easy enough). That would have the added benefit of also taking care of other software, like Dovecot or OpenLDAP. The analysis I require is not limited to Postfix logs, and I don't think I am alone in this regard. > Heck my mailing-lists still use mailman2 and python2 [...] Mailman2 was written for Python 2.x. That is different from people asking me to retroactively add Python 3.6 support for software I wrote for versions >= 3.7. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: RFC logs_check
* Bob via Postfix-users: > I get it might be a bit flakey from a security perspective and should > come with warnings but it is my box. I think it is more than "a bit flakey". You ask Wietse to support something which introduces a significant security risk. Plus, this particular something is not within Postfix's operational scope. This reminds me: I have had people ask me to support Python versions 3.6 and even earlier in some of my software; versions which have reached their respective end-of-life years ago. I could do it, but for security reasons alone I don't. People who want to play fast and loose with security can do so if they like, but I choose not to help them aim guns at their feet. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: RFC logs_check
* Jaroslaw Rafa via Postfix-users: > Despite what you say about your unsuccessful attempts with fail2ban, > it seems the best tool for the job. It's the whole idea of fail2ban > anyway - if "SOMETHING" appears in the logfile "SOME" number of times > (which can be 1), then stuff the IP address into iptables for > blocking. The concept is good. Whether the implementation of fail2ban "the best tool for the job", as you put it, is very much up to debate and depends on individual use cases. My personal take is that fail2ban has become too bloated over its 18 year history, and that it is trying to do too much. I prefer something smaller, less complex, so I wrote my own utility. Can my 137 line Go program do all that fail2ban can? Of course not. However, my little tool fits my personal requirements much better, and I can understand every detail of it. "The best tool" is simply not a universal concept. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Transport settings for mailing list transport
* Bill Cole via Postfix-users: > Some systems are configured to "oversign" headers, essentially signing > the non-existence. Shhh! We don't want to advertise that in this scenario, do we? ;-) Still, you are correct to point out that the DKIM spec allows for these kinds of shenanigans. > Any addition of headers that are oversigned will break a DKIM > signature. Some ill-advised systems oversign List-* headers on every > message. Ill-advised is putting it mildly. If one is messing with the headers which make mailing lists work, but allows their users to subscribe to mailing lists, one is more than a little cookoo. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: RFC logs_check
* Bob via Postfix-users: > I realise stuff like failtoban is available but when I look at it the > wrong way, or in any way, it falls over and it only looks at logfiles > every so often [...] I found fail2ban not to my taste, so like you I searched for possible alternatives. I finally came to terms with the prospect of having to write my own custom software if I wanted maximum control in a small, reasonably robust package. Also, I was looking for ideas for a Golang based software project at that time. Anyway, the idea was to have 1..n processes monitor existing syslog output files like /var/log/{mail,dovecot} by way of detecting any changes event-based, read the latest log file additions, and scan them using regular expressions. This means that I can detect a failed authentication attempt within seconds, extract the source IP address, and further process it however I want. This approach felt about as basic as I could get. There is no scheduler or master process involved, and I use cron jobs and logrotate hooks to (re)start monitoring processes as necessary, with a little bit of bash scripting added as wrappers. Perhaps it can serve as an idea for your own solution. Continuously observing the log files, sans interaction with existing software, seemed the easiest road to take. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Transport settings for mailing list transport
* Austin Witmer via Postfix-users: > Will DMARC be broken if I only add the following headers to mailing > list messages? [...] Adding *new* headers can't break existing DKIM signatures, because these headers cannot have been signed before. New in this case means header names (not values) which have not been present before. > X-Mailinglist: > List-Id: > List-Unsubscribe: > List-Unsubscribe-Post: If, for example, a user sends any of his messages with X-Mailinglist: yes please! and also includes this header in his DKIM signature, you adding another header with the same name or replacing the value can break the existing signature. Headers with the 'X-' prefix are not standardised, so anybody can use them willy-nilly. Will they do that? Possibly. Remember that there are many weird people out there. ;-) -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: How to bounce e-mail when using catchall
* John Fawcett via Postfix-users: > On 12/07/2024 15:30, Ralph Seichter via Postfix-users wrote: > > > "My advice true, forget this!" (Alvina) > > I agree with the advice but have some doubts about the milter > solution. I don't dare call it a solution, nor was it meant as such. Like I wrote, this way madness lies. I am not even keen to speculate further how that milter idea would fare in the real world. To Francis I can only recommend to either accept mail, or reject mail. No playing silly buggers. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: How to bounce e-mail when using catchall
* Francis Augusto Medeiros-Logeay via Postfix-users: > I want that mail sent to users who do not have a valid address (like > when they are not on ldap) to bounce back, like it happens by default, > but I’d also like these mail to be delivered to an specific mailbox. > > As you said, if I use catchall, these addresses would be valid. But > I’d like the senders to get a bounce email so that they know they sent > the mail to an address that doesn’t exist or that the destination > mailbox wasn’t reached. There is a German phrase used to describe these kinds of conflicting requirements: "Wasch mich, aber mach mich nicht nass." (it means "clean me with water, but don't make me wet"). ;-) I can imagine a custom milter which stores message data, rejects the original SMTP delivery attempt after the end of the DATA phase, and later re-injects the captured data in some fashion (not necessarily using SMTP), but this way madness lies. "My advice true, forget this!" (Alvina) -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: sending email to FQDN address without DNS
* Adam Weremczuk via Postfix-users: > I have a highly isolated host (e.g. most outgoing traffic blocked, no > DNS) but I would like to use Postfix on that host to send certain emails > to a single address exam...@example.com. [...] You can use Postfix a transport table to direct mail for specific addresses or domains to designated targets, as shown in the examples of the following documentation page: https://www.postfix.org/transport.5.html -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Continuous deferral
* Katherine via Postfix-users: > Why doesn't the server just reject it (5xx code)? This deferral is > very confusing to our administrators. Confusing how? You did not provide enough information. What is the actual deferral message? -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Documentation Prefix
* Allen Coates via Postfix-users: > I am blocking 2001:db8::/32 (of course); it's the Teredo prefix > which I am allowing. I misunderstood the word "these" in your OP, and the subject line only referenced the documentation prefix, but no harm done. I don't have any numbers for connections from Teredo addresses at hand either, but the services I am hosting are not aimed at specific client platforms anyway. Similar to you I am mildly curious if Teredo has any relevance beyond Xbox and a smattering of remaining Windows 10 installations these days. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Documentation Prefix
* Allen Coates via Postfix-users: > I have just been perusing my firewall logs, and notice I have had > several "hits" using the documentation prefix (2001:db8::/32) as the > source address. [...] > > I have also had some hits (on my website) from Teredo addresses. I > am allowing these, because (arguably) we are still transitioning to > IPv6. "Still transitioning", are we? ;-) RFC 3849 is 20 years (!) old, almost to the day, and https://www.rfc-editor.org/rfc/rfc3849.html#section-3 is pretty clear: This assignment implies that IPv6 network operators should add this address prefix to the list of non-routeable IPv6 address space, and if packet filters are deployed, then this address prefix should be added to packet filters. Anybody using 2001:db8::/32 to connect over the internet is simply doing it wrong, and I don't think that attempts at enabling their erroneous efforts is helpful. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
* Curtis J. Blank via Postfix-users: > Everything except this that is: > mydestination = $myhostname, localhost.$mydomain, $mydomain, www.$mydomain > > Should this be set to: > mydestination = $myhostname, 127.0.0.1.$mydomain, $mydomain, www.$mydomain > > To keep ::1 from being used? No, that is not what 'mydestination' governs. In the above setting localhost is a string literal, so it means mydestination = ... localhost.example.com ... after variable expansion. That tells Postfix that recipients like j...@localhost.example.com designate "local delivery addresses." The Postfix documentation explains this better and in more detail, but changing to 127.0.0.1.example.com won't do you any good. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
* Curtis J. Blank via Postfix-users: > What I am looking for is pretty simple. How to get it to work with > "inet_protocols = all" like my existing server is currently set up to do > and not be limited to ipv4 only. Well, you seem to be in a good mood. ;-) > And it is already set to use 127.0.0.1 so why it is using [::1] instead > when the old server uses 127.0.01, that is part of the mystery. The > configs are exactly the same yet they operate differently. Like I wrote, localhost is not the same as 127.0.0.1 or ::1. It is just a name that your server needs to resolve into an IP address, which is a possible source of two servers behaving differently. If you explicitly use IP addresses instead of localhost in your configuration (Postfix, SpamAssassin, etc., both for binding and connecting), as I suggested, you can avoid DNS related problems. This technique was old 20 years ago, but it still works today. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Handing off via localhost:10025 to spamassassin for scanning failure
* Curtis J. Blank via Postfix-users: > I would like to get some insight as to the cause and correct > configuration to use. [...] Maybe it is simply too early in the morning for me to get your point, but what insight are you looking for, exactly? You already found out that localhost does not necessarily resolve to 127.0.0.1 if both IPv4 and IPv6 are used. That's not a problem. If you do need to make the distinction, you can be explicit by using either [127.0.0.1] or [::1] in your settings. Does this help? -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: REJECT sending mails to no-reply accounts
* Tan Mientras via Postfix-users: > Is an automated/unattended email notifying the user about something, > providing proper ways of contacting. "Proper" is for the recipients of your messages to be able to use the reply function in their MUA, to ask for clarification/assistance in regards to the message you sent to them. > As this email is not read in any way, rejecting the mail would be a > better way to handle than an automatic response. IMHO. The better way, as you put it, would be a process where there is not merely an automatic response, but having replies read/answered by somebody in your organisation. Ticket tracking systems can be used if scaling is an issue. In my opinion, rejecting replies to email communication your organisation initiated shows similarities to a drive-by-shooting, in the broad sense that your organisation hopes to "get the message out" but avoid the consequences of their actions. This is of course a dramatic comparison, not to be taken literally. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: REJECT sending mails to no-reply accounts
* Ansgar Wiechers via Postfix-users: > [...] Did I ever send mail to you using the mailing list address you got barred from targeting, or send mail to you at all from my servers? No, I did not. You tried to initiate communication by sending mail to an address you had no reason to contact, this being a mailing list, and you were thus redirected to a page explaining how you could ask for permission to send to said protected address in case you had a legitimate reason to (which you don't). I have also provided an unrestricted email address so anybody can send mail to in order to ask for clearance for the protected address, something which you didn't do. All this is nothing like using a no-reply address, which is easy enough to understand. TL;DR: Apples and oranges. > Guess what just happened to horus-it.com on my mail server. Go on, guess if I care. :-) -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: REJECT sending mails to no-reply accounts
* Bjoern Franke via Postfix-users: > From: Ralph Seichter via Postfix-users > Reply-To: Ralph Seichter Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of using "nore...@foo.bar" type addresses remains unchanged, however. If sender A sends mail to recipient B, A needs to be prepared to receive a response from B. Proper email communiction is not a hit-and-run. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: REJECT sending mails to no-reply accounts
* Tan Mientras via Postfix-users: > Trying to setup email REJECT when users try to send to a no-reply > email. Personally, I find this type of one-way communication annoying and impolite. The same goes for setting Reply-To to your personal email address after asking for help on a public mailing list. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Forward mail
* Peng via Postfix-users: > Gmail/fastmail rely more on DKIM than SPF. What makes you assume that? Sending mail to f...@gmail.com works with SPF alone, in the absense of DKIM. I have not tried the reverse (DKIM without SPF) yet. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix stable release 3.9.0
* Wietse Venema via Postfix-users: > Postfix stable release 3.9.0 is available. Postfix 3.5 - 3.8 were > updated earlier this week; after that, Postfix 3.5 will no longer > be updated. Thank you for your continued work. By "you" I mean not only Wietse, but also the other contributors who collaborate to provide us with the best MTA experience possible. Respect! -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: filter header from on forwarded mail
* Juerg Reimann via Postfix-users: > So, but now I still have to filter such incoming mail in a way that I'd be > able to block certain senders by their *header* From: on a user basis. I heartily recommend milter-regex [1]. It serves me well by allowing me to configure all kinds of complex antispam rules. [1] https://www.benzedrine.ch/milter-regex.html -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: A functional lightweight reverse alias?
* mattpr via Postfix-users: > Adding email aliases to an email client doesn't make sense because > there are just too many and I wouldn't want to have to pick one. Pick one what? Pick an alias, I presume, or pick a mail client (MUA)? > Last count I had ~2500 records in my password manager (not all > emails/logins...but most). Not a problem, it just requires a setup which scales. I use a large number of aliases myself, easily in the three digit numbers. Whenever I need a fresh alias, I simply add it to my LDAP server. That only takes seconds. Postfix and Dovecot are both configured to perform LDAP lookups, so neither of them need to be touched. As for MUAs: It was already mentioned that Thunderbird supports multiple identities for multiple accounts (n:m relationship). When composing replies, TB will automatically pick the correct account-identity-pair, but if an identity is used very rarely, it is also possible to change the From-Header manually on an ad-hoc basis. One /can/ add identities, but one doesn't have to; a brief manual override suffices. Additionally, I use Notmuch (https://notmuchmail.org) for mailing lists, which offers even greater flexibility. The complete message header is pre-generated and available for any modification I desire right there in my text editor. All this works fine for me, and it has proven both robust and flexible enuough for my personal needs over the course of many years. Your mileage may vary. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postfix repo
* Viktor Dukhovni via Postfix-users: > On Thu, Jan 11, 2024 at 07:29:40PM +0100, Benny Pedersen via Postfix-users > wrote: > >> so next is gentoo ebuilds ? :) > > No. There is no Postfix binary release build farm, and nobody has > volunteered to coördinate binary release engineering at the Postfix > project level for all supported platforms. It's a nonsensical remark by B.P. anyway. Official Gentoo ebuilds for Postfix exist, as they have for many years. This includes both stable and experimental Postfix releases (versions 3.8.4 and 3.9_pre20240109 at the time of me writing this). These ebuilds are very well maintained and usually follow Wietse's releases within 1-3 days. Let's also not forget that Gentoo Linux is a source-based distribution anyway. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: WTF X-ANONYMOUSTLS ???
* Viktor Dukhovni via Postfix-users: > Microsoft ESMTP MAIL Service [...] Gee, who woulda thunk? ;-) That being said, perhaps somebody on the "mailop" mailing list would be able to offer more insight? Some exotic extension, perhaps, or a weird application level firewall? I sure hope it is not a part of a M$ core product. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: 25 years today
* Wietse Venema via Postfix-users: > As a few on this list may recall, it is 25 years ago today that the > "IBM secure mailer" had its public beta release. Time flies, no doubt about that. I find it comforting that Postfix has earned its place as a cornerstone of e-mail around the globe, based on an emphasis on quality and reliability over flashy marketing antics. Not all software is created equal. Thank you, Wietse. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: How to temporarily pause virtual mail delivery?
* Wietse Venema via Postfix-users: >> Now that I think of it again, I wonder if the reload command is even >> necessary? > > Yes, because it is implemented in the queue manager which is a > long-running process. Thank you. I have been using the reload step for so long, but I could not recall why I did it. It might have been a belt-and-suspenders kind of situation. ;-) > If you use defer_transports to freeze mail deliveries, then some > messages may get close to the bounce_queue_lifetime, meaning that > Postfix will try to deliver them only once. Interesting. Given the default bounce_queue_lifetime of five days, a value I rarely touch in Postfix setups, I would not intuitively consider this a possible reason for concern? -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: How to temporarily pause virtual mail delivery?
* Viktor Dukhovni via Postfix-users: > https://www.postfix.org/postconf.5.html#defer_transports Indeed. In my backup scripts, I like to use something like the following (from memory only, beware of possible typos): postconf -e defer_transports=lmtp,local,virtual && postfix reload Now that I think of it again, I wonder if the reload command is even necessary? -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: www.postfix.org outage
* Bill Cole via Postfix-users: >> I am positive that I personally rebooted this server a number of times >> following Kernel updates, the last of which happened not long ago. ;-) > > If there's a virtualization layer, they are likely to be referring to > the real physical host rather than the VM running the Postfix site. I rent physical hardware for this particular server. At least that is what I see on my monthly bill. ;-) There are steps in the boot process over which I have no direct control, and rightly so. Those provide, for example, the option to boot a so-called rescue system over the hoster's internal network. Local boot from the server's storage drives happens later, or does not happen, as was the case yesterday. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: www.postfix.org outage
* Jaroslaw Rafa via Postfix-users: > Maybe it wasn't rebooted until now? (as PXE is a boot-related feature) :) I am positive that I personally rebooted this server a number of times following Kernel updates, the last of which happened not long ago. ;-) My guess is that the hosting company made changes to their boot process, possibly not tested fully with all of the older server models. I cannot be certain, but it would match what I have seen using a remote console. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: www.postfix.org outage
The Postfix website is available again. The company hosting the server hardware informed me that there are "some issues with the PXE feature with this server model", whatever that means exactly, which their staff was able to fix in the meantime. I find it interesting how this particular server has been running for years without these issues manifesting, until yesterday. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain
* Byung-Hee HWANG via Postfix-users: > Honestly, 311 it was not easy to set up to me. These days, one is a bit spoiled for choice when it comes to software which handles this automatically. LetsDNS (https://letsdns.org) is what I use and recommend, unsurprisingly, because it is robust and easy to use. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: content filters
* Viktor Dukhovni via Postfix-users: > Relax, that wasn't an attack on you. There's no need to defend your > honour... :-) That's not always easy to determine, especially given the constraints of non-verbal communication. I'll take your word for it, of course. ;-) > I would like to suggest that sometimes answering the question the OP > asked isn't the most helpful response. Fair enough. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: content filters
* Viktor Dukhovni via Postfix-users: > The requested filter is much too crude. How would the OP, for example, > have participated in this thread with that filter in place! I agree that the filter the OP asked for is a dumb idea, but milter- regex can nonetheless provide the functionality that was asked for. I believe that if the OP implements the crude filter they wanted, they will learn from personal experience that there is much more to spam filtering than simple text matching. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: content filters
* true kernel via Postfix-users: > What are the plugins or filters for postfix to stop sending a special > message body? You could try milter-regex (https://www.benzedrine.ch/milter-regex.html). -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix Site Hosting Tor Node = Blocked Access For Some
* Viktor Dukhovni via Postfix-users: >> The server hosting the Postfix website, run by yours truly, is neither >> located in Germany, nor is it a Tor exit node. > > As for TOR, some sites may have stale or inaccurate data: > > https://www.ipqualityscore.com/tor-ip-address-check/lookup/65.108.3.114 Yeah, admins need to be careful about the queried source. The Tor project publishes official data for all participating server nodes on the Tor Metrics website [1] several times per day. There are also fundamental differences between "guard", "middle" and "exit" type Tor nodes. Only the latter type routes traffic from within the Tor network to the outside world, hence the name "exit". I have been donating bandwidth and computational resources to the Tor project for many years now, but sadly the general level of awareness about what Tor actully is and how it operates has not increased all that much during that time. -Ralph [1] https://metrics.torproject.org/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix Site Hosting Tor Node = Blocked Access For Some
* Eddie Rowe via Postfix-users: > I have been cutoff from the Postfix web site due to it apparently > being a TOR exit node in Germany. The server hosting the Postfix website, run by yours truly, is neither located in Germany, nor is it a Tor exit node. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: stop bulk messages
* Corey Hickman via Postfix-users: > Some clients abuse the outgoing smtp server for sending bulk messages. > [...] Do you know how to stop this behavior? There is 'default_destination_recipient_limit' to limit the number of recipients per message delivery. If however the abuser uses only a few recipients for each message, perhaps even generating one message per recipient, more processing is required. A custom milter can count and limit the number of messages sent by authenticated users in a given time interval. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: postscreen question
* Ken Peng via Postfix-users: > Using rspamd instead of postscreen? I'm not quite sure what you mean by that. If you suggest relying on rspamd only, and forgo postscreen, I have to disagree. In my experience, postscreen has proven highly useful in spam prevention, in particular when DNSBL lookups are configured in addition to the standard tests. The latter already catch many spammers in a hurry, though. According to logs of the mail servers I maintain, a large number of connection attempts are nipped in the bud by postscreen. Rspamd sure has its uses, but setting up postscreen as the first line of defense is a Smart Move™ in my book. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: www.postfix.org certificate expired
* Viktor Dukhovni via Postfix-users: > The "post hooks" in certbot are not *reliable*. For the curious among you: I use dehydrated [1], which integrates nicely with my other automation, including Ansible [2]. An Ansible handler is used to restart the web server if certificates were updated, and that has worked without a hitch so far. Why there was a hiccup on 2023-03-31, the only one so far I know of, I cannot say. It *might* have to do with a Python update for Gentoo Linux, Ansible being Python-based. [1] https://dehydrated.io [2] https://www.ansible.com -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: www.postfix.org certificate expired
* Peter Ajamian via Postfix-users: > Verify return code: 10 (certificate has expired) Thanks. For some reason, the web server had not been restarted after the last certificate update, which normally happens automatically. I just restarted the server process manually. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: The joke writes itself.
* Robert A. via Postfix-users Cooper: > Some of us don't have a choice and are stuck with MS mail products due > to work policies. while OWA does now support header filtering, that > has not always been the case. So you are saying that even Microsoft has finally seen the light. Good, it took them long enough. Which mailing-list-unfriendly MUAs are left to consider, then? If any? > Other may be in similar situations with required clients that don't > have all the features you want for a power user. Maybe there are MUAs unsuitable for mailing list out in the wild, but frankly, I don't see why the 99% of us who use decent software should suffer for the affected 1% of mailing list subscribers. Some may call that selfish, but I say: Keep the pressure up to push crappy policies and crappy MUAs out, there are good alternatives available. Perhaps that's just me being rebellious, but hey, fight the system. ;-) -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: Postfix lists are migrating to a new list server
* Jim Popovitch via Postfix-users: > On Fri, 2023-03-10 at 17:35 +0200, mailmary--- via Postfix-users wrote: > >> Looking at the opendkim/opendmarc right now, they appear dead over >> the past 2 years or so, which is sad really. > > It's not sad at all. It's a testament to the stability of the project. > Sure, both projects could use some polishing maybe, but that is not > something that is "sad" Looking at the number of open issues and pull requests on GitHub for both OpenDKIM and OpenDMARC, the assessment "He's dead, Jim." seems fitting to me. To give just one example, Michael Orlitzky and I opened a pull request adding OpenRC support (required for Gentoo Linux) to OpenDKIM in April 2019 [1], and that PR is still stuck in limbo, as are many other enhancements and bugfixes. To me, these are not signs of maturity or stability, but of abandonment and death. -Ralph [1] https://github.com/trusteddomainproject/OpenDKIM/pull/41 ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: The joke writes itself.
* Patrick Ben Koetter via Postfix-users: > I don't need tags. Seconded. Do we really need to cater for software that's unable to use the "List-Id" headers? These are mailing lists for Postfix users and devs, not for a knitting circle, so I think it is fair to assume we subscribers all use decent software. -Ralph ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org