[pfx] Re: Rejecting by top level domain?

2024-09-06 Thread Thomas Cameron via Postfix-users

On 9/6/24 7:58 AM, Anton Hofland via Postfix-users wrote:

To further fine-tune the management of TLD blocking, I should think
that the whole solution could benefit from using the capabilities of a
tool like amavis which technically allows users to specify user
specific black-, neutral & white-lists on full email addresses,
subdomains and domains.

What I do for those domains that may have some sub-domains that we may
want to receive mail from, is specifying the TLD as blacklisted in
Amavis, either for a user or systemwide, wait for emails to be
quarantined in Amavis and for those that I want to receive, specify a
neutral list entry which means in the amavis environment that it is
subject to normal virus and whatever other checking amavis may be doing
before it is forwarded to the user. I never whitelist an entry.

The challenge is that Amavis quarantine management and RBL list
management is a system admin feature. For my own purpose I have
enhanced/forked the "mailzu-ng" tool on github so that it easily allows
them to manage their own lists, as well as their own quarantine. The
tool can be found on github
(https://github.com/2024sight/mailzu-ng-da). I just wanted to offer
this as one of the many approaches to fine-tuning solutions to the TLD
blocking challenge.

-- Anton


That's awesome, Anton. I've been meaning to get SpamAssassin set up on 
my Postfix server, and I've been peripherally aware of Amavis for years, 
but never dug into it too deeply. It sounds really helpful.


I'm going to take this as my cue to spin up a development machine and 
start hammering on it.


With all my free time. ;-)

--
Thanks!
Thomas Cameron, RHCE, AWS SA-Pro

___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Rejecting by top level domain?

2024-09-05 Thread Thomas Cameron via Postfix-users

On 9/5/24 5:56 PM, LinuxMail.cc via Postfix-users wrote:


How about setting up a whitelist of domains?
For instance, only allow .com, .net, .org, .de, .ca and some countries'
TLDs to be passed through.


That's not a bad idea. Unfortunately we DO get a decent amount of 
international email, so it's not practical for our use. But I like the 
idea a lot.

--
Thanks!
Thomas Cameron, RHCE, AWS SA-Pro



[pfx] Re: Rejecting by top level domain?

2024-09-05 Thread Thomas Cameron via Postfix-users

On 9/5/24 12:53 PM, Noel Jones via Postfix-users wrote:

On 9/5/2024 12:45 PM, Noel Jones via Postfix-users wrote:

On 9/5/2024 9:05 AM, Thomas Cameron via Postfix-users wrote:


smtpd_recipient_restrictions =
 check_sender_access regexp:/etc/postfix/sender_access
 permit_mynetworks
 permit_auth_destination


Note permit_auth_destination allows any mail addressed to you. This 
effectively bypasses all your nice rbl rules below.



 permit_sasl_authenticated



You should probably put
reject_unauth_destination
here.


That makes sense. Thank you, Noel!
--
Thanks!
Thomas Cameron, RHCE, AWS SA-Pro

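To make Noel's point concrete, here is an added example (not code from the thread) that models Postfix's first-match walk through smtpd_recipient_restrictions in Python. The networks, domains and the DNSBL listing are constructed stand-ins, and the DNSBL lookup is a set membership rather than a real DNS query.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins (not from the thread): trusted networks, the domains
# this server accepts mail for, and one client IP we pretend is DNSBL-listed.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("198.51.100.0/24")]
MYDESTINATION = {"example.com", "mail.example.com"}
DNSBL_LISTED = {"203.0.113.7"}
# Equivalent of regexp:/etc/postfix/sender_access: patterns are tried in
# order against the whole envelope sender and the first match wins.
SENDER_ACCESS = [(r"\.pro$", "REJECT")]


@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_authenticated: bool = False


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


# Each restriction returns "PERMIT", "REJECT" or None (DUNNO: ask the next one).
def check_sender_access(s):
    for pattern, action in SENDER_ACCESS:
        if re.search(pattern, s.sender, re.IGNORECASE):
            return action
    return None


def permit_mynetworks(s):
    ip = ipaddress.ip_address(s.client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def permit_auth_destination(s):
    # Permits as soon as the recipient is one of ours, so nothing below runs.
    return "PERMIT" if _domain(s.recipient) in MYDESTINATION else None


def reject_unauth_destination(s):
    # Rejects relay attempts but answers DUNNO for our own domains, so the
    # DNSBL checks that follow still get their turn.
    return None if _domain(s.recipient) in MYDESTINATION else "REJECT"


def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_authenticated else None


def reject_rbl_client(s):
    return "REJECT" if s.client_ip in DNSBL_LISTED else None


def reject(s):
    return "REJECT"


# The order posted in the thread, and the order with Noel's change applied.
ORIGINAL = [check_sender_access, permit_mynetworks, permit_auth_destination,
            permit_sasl_authenticated, reject_rbl_client, reject]
CORRECTED = [check_sender_access, permit_mynetworks, permit_sasl_authenticated,
             reject_unauth_destination, reject_rbl_client, reject]


def evaluate(restrictions, session):
    """Walk the list top to bottom; the first non-DUNNO answer decides.
    Returns (verdict, name of the restriction that decided)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict is not None:
            return verdict, restriction.__name__
    return "PERMIT", "end of list"   # Postfix's implicit default is permit


if __name__ == "__main__":
    # A DNSBL-listed client mailing one of our own users: permitted by the
    # original order, rejected by the DNSBL check once the order is fixed.
    listed = Session("203.0.113.7", "news@promo.example", "alice@example.com")
    for label, chain in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, evaluate(chain, listed))
```

A relay attempt to a foreign domain is rejected in both orders (by the final `reject` originally, by `reject_unauth_destination` afterwards), so the fix costs nothing for legitimate relaying by SASL users or local networks.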


[pfx] Re: Rejecting by top level domain?

2024-09-05 Thread Thomas Cameron via Postfix-users

On 9/5/24 12:19 PM, Bastian Blank via Postfix-users wrote:

Hi


  My sender_access file looks like this:
/@*.onmicrosoft\.com/ REJECT
/\.pro$/ REJECT We reject all .pro domains. Contact thomas dot cameron at camerontech dot com from a trusted email service if you need assistance.


You could do that without regular expressions.  Depending on your
parent_domain_matches_subdomains, you need to list ".pro" or "pro" as
key.


Absolutely fair point, but I like the $ to make it *exactly* the domain 
I want to block.

--
Thanks!
Thomas Cameron, RHCE, AWS SA-Pro

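The difference between the indexed keys Bastian mentions and the anchored regexp Thomas prefers, as an added Python example that is not part of the thread: it models the lookup order access(5) describes for both settings of parent_domain_matches_subdomains, and the table entries and sender addresses are constructed.

```python
import re

# Constructed table entries and senders (not from the thread).
HASH_KEY_PRO = {"pro": "REJECT"}
HASH_KEY_DOT_PRO = {".pro": "REJECT"}
REGEXP_ANCHORED = [(re.compile(r"\.pro$", re.IGNORECASE), "REJECT")]
REGEXP_UNANCHORED = [(re.compile(r"\.pro", re.IGNORECASE), "REJECT")]


def indexed_lookup(table, sender, parent_domain_matches_subdomains=True):
    """Model of the lookup order access(5) describes for an indexed table
    (hash:, lmdb:, ...) used by check_sender_access:
      1. the full address user@domain
      2. the domain, then each parent domain
      3. the localpart as user@
    With smtpd_access_maps in parent_domain_matches_subdomains (the Postfix
    default) a key "domain.tld" matches that domain and all its subdomains.
    Without it, "domain.tld" matches only itself and subdomains are matched
    by the key ".domain.tld"."""
    sender = sender.lower()
    localpart, _, domain = sender.rpartition("@")
    if sender in table:
        return table[sender]
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if parent_domain_matches_subdomains or i == 0:
            key = candidate
        else:
            key = "." + candidate
        if key in table:
            return table[key]
    if localpart and localpart + "@" in table:
        return table[localpart + "@"]
    return None


def regexp_lookup(table, sender):
    """A regexp: table is matched against the whole sender; first hit wins."""
    for pattern, action in table:
        if pattern.search(sender):
            return action
    return None


def compare(sender):
    """Run one sender through the four ways of writing the .pro rule."""
    return {
        "hash 'pro' (default parent matching)": indexed_lookup(HASH_KEY_PRO, sender),
        "hash 'pro' (legacy matching)": indexed_lookup(HASH_KEY_PRO, sender, False),
        "hash '.pro' (legacy matching)": indexed_lookup(HASH_KEY_DOT_PRO, sender, False),
        "regexp /\\.pro$/": regexp_lookup(REGEXP_ANCHORED, sender),
        "regexp /\\.pro/": regexp_lookup(REGEXP_UNANCHORED, sender),
    }


if __name__ == "__main__":
    for sender in ("spam@cheap.pro", "user@mail.profit.com"):
        print(sender)
        for variant, verdict in compare(sender).items():
            print(f"  {variant:40} -> {verdict}")
```

The unanchored regexp shows why the `$` matters: without it `\.pro` also rejects `mail.profit.com`, which neither indexed form nor the anchored pattern touches.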


[pfx] Re: Rejecting by top level domain?

2024-09-05 Thread Thomas Cameron via Postfix-users

On 9/5/24 10:20 AM, Serhii via Postfix-users wrote:

2024-09-05T14:07:05Z Thomas Cameron via Postfix-users:


Am I smoking crack? Or is this pretty reasonable? Or should I just knuckle down 
and set up Spamassassin or some other anti-spam tool (I'm totally open to 
suggestions, I just have experience with SA from a past life)

No, you are not. First of all, SpamAssassin (and other antispam solutions, as 
well as paid services) have similar TLD blacklists or spam scoring metrics. 
Also, given that you are willing to manually whitelist legitimate senders, you 
should be fine to go.


Thanks so much for the confirmation, Serhii! I figured it was the least 
evil way of doing this, thanks for letting me know I'm not being a 
*total* moron (just *mostly* a moron). :-)


--
Thanks!
Thomas Cameron, RHCE, AWS SA-Pro



[pfx] Rejecting by top level domain?

2024-09-05 Thread Thomas Cameron via Postfix-users

Howdy, all!

I am using Postfix for a small business/family e-mail domain. It's 
pretty low volume, and I am really doing it as much to keep current on 
Postfix as anything. We're getting positively hammered by spam. I used 
to use Spamassassin when I was a Sendmail guy, but I have not had time 
to set it up for Postfix. It's definitely on my list, just... life.


For spam abatement, I am using Spamhaus, and it's helping a lot, but 
we're still getting a ton of spam.


So I have set up a rule:

check_sender_access regexp:/etc/postfix/sender_access

The sender_access file rejects everything from the "*.onmicrosoft.com" 
domain, as we've never received a single non-spam email from those domains.


I've also started rejecting all emails from these domains:

.pro
.date
.science
.top
.download
.work
.click
.link
.diet
.review
.party
.zip
.xyz
.stream
.bid
.shop
.best
.world

It has TREMENDOUSLY lowered our spam load, but, naturally, I'm worried 
about the rare case where someone actually needs to receive email from 
someone dumb enough to use one of those domains.


Here is my main.cf, with some basic obfuscations:

compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/samples
readme_directory = /usr/share/doc/postfix/README_FILES
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain/privkey.pem
smtpd_tls_security_level = may
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
myhostname = [obfuscated].camerontech.com
mydomain = camerontech.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8, [obfuscated]/19
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
smtpd_helo_required = yes
message_size_limit = 20971520
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
rbl_reply_maps = hash:$config_directory/dnsbl-reply-map
smtpd_recipient_restrictions =
 check_sender_access regexp:/etc/postfix/sender_access
 permit_mynetworks
 permit_auth_destination
 permit_sasl_authenticated
 reject_rbl_client [obfuscated].zen.dq.spamhaus.net=127.0.0.[2..11]
 reject_rhsbl_sender [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
 reject_rhsbl_helo [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
 reject_rhsbl_reverse_client [obfuscated].dbl.dq.spamhaus.net=127.0.1.[2..99]
 reject_rhsbl_sender [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
 reject_rhsbl_helo [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
 reject_rhsbl_reverse_client [obfuscated].zrd.dq.spamhaus.net=127.0.2.[2..24]
 reject
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_non_fqdn_sender
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname, reject_non_fqdn_hostname, reject_invalid_hostname, permit

mynetworks_style = host
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
virtual_alias_domains = [obfuscated list]
virtual_alias_maps = hash:/etc/postfix/virtual
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

So my overarching question is, am I being dense by rejecting these 
spammy domains? My sender_access file looks like this:


/@*.onmicrosoft\.com/ REJECT
/\.pro$/ REJECT We reject all .pro domains. Contact thomas dot cameron at camerontech dot com from a trusted email service if you need assistance.
/\.date$/ REJECT We reject all .date domains. Contact thomas dot cameron at camerontech dot com from a trusted email service if you need assistance.
/\.science$/ REJECT We reject all .science domains. Contact thomas dot cameron at camerontech dot com from a trusted email service if you need assistance.
/\.top$/ REJECT We reject all .top domains. Contact thomas dot cameron at camerontech dot com from a trusted email service if you need assistance

[pfx] Re: Postfix ignores message id when threaded bounces are enabled if RFC-5322 header folding is used

2024-09-05 Thread Thomas Mörbauer via Postfix-users
>That's rather different than what you appeared to say.  Here there's
>folding whitespace *before* (not in the middle of) the Message-ID.
Sorry, I could have been clearer about that. The folding can only 
occur after the header label according to the non-obsolete RFCs.

>There are no clear cut rules on what to do with folding in the
>middle of the Message-ID payload, and it has long been obsolete,
>so just tolerating whitespace after the header label should
>be sufficient.
I agree on that.

Is there any fix for this special case in sight or would you accept
patches if provided?

Thomas.


[pfx] Re: Postfix ignores message id when threaded bounces are enabled if RFC-5322 header folding is used

2024-09-05 Thread Thomas Mörbauer via Postfix-users
For example
Message-ID:
 
would not be written into the In-Reply-To.
So a simple crlf with space.

   Thomas

- Original Message -
From: "Wietse Venema via Postfix-users" 
To: "Postfix users" 
Sent: Thursday, 5 September, 2024 14:12:32
Subject: [pfx] Re: Postfix ignores message id when threaded bounces are enabled 
if RFC-5322 header folding is used

Thomas Mörbauer via Postfix-users:
> When sending a mail with a folded message-id header according to
> https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.2 and
> https://www.postfix.org/postconf.5.html#enable_threaded_bounces is enabled,
> then the message-id is ignored with the log message:
> "ignoring malformed Message-ID".
> 
> It seems that the issue is located in the bounce_notify_util.c "Extract
> Message-ID for threaded bounces" else if block.
> Especially it seems that the if (*cp == '<' &&
> vstring_end(bounce_info->buf)[-1] == '>') can never be true if provided a
> folded header.
> 
> Further it seems that the smtp smuggling fixes that replace the \r \n with
> spaces did not change anything on that behavior.
> This means that message-ids that are exceeding the 78 lines + crlf and are
> therefore folded (as in
> https://datatracker.ietf.org/doc/html/rfc5322#section-2.2.3 )
> will not generate any In-Reply-To Header in DSNs.
> Is this a bug or is this an intended behavior to only allow single-line
> message-ids?

Which folding whitespace space in "Message-ID: " did you have in mind?

Wietse


[pfx] Postfix ignores message id when threaded bounces are enabled if RFC-5322 header folding is used

2024-09-05 Thread Thomas Mörbauer via Postfix-users
When sending a mail with a folded message-id header according to 
https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.2 and 
https://www.postfix.org/postconf.5.html#enable_threaded_bounces is enabled, 
then the message-id is ignored with the log message: 
"ignoring malformed Message-ID". 

It seems that the issue is located in the bounce_notify_util.c "Extract 
Message-ID for threaded bounces" else if block. 
Especially it seems that the if (*cp == '<' && 
vstring_end(bounce_info->buf)[-1] == '>') can never be true if provided a 
folded header. 

Further it seems that the smtp smuggling fixes that replace the \r \n with 
spaces did not change anything on that behavior. 
This means that message-ids that are exceeding the 78 lines + crlf and are 
therefore folded (as in 
https://datatracker.ietf.org/doc/html/rfc5322#section-2.2.3 ) 
will not generate any In-Reply-To Header in DSNs. 
Is this a bug or is this an intended behavior to only allow single-line 
message-ids? 

Kind regards, 

Thomas. 
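An added example (neither the reporter's nor Postfix's code) of the failure described above, in Python: a simplified model of the quoted angle-bracket check applied to the raw header value, beside the same check after RFC 5322 unfolding. The two messages are constructed.

```python
import re

# Constructed sample messages (not the reporter's). The second one folds the
# Message-ID as RFC 5322 section 2.2.3 allows: CRLF followed by whitespace
# directly after the header label.
SINGLE_LINE = (
    "From: alice@example.com\r\n"
    "Message-ID: <20240905.abc@mail.example.com>\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)
FOLDED = (
    "From: alice@example.com\r\n"
    "Message-ID:\r\n"
    " <20240905.abc@mail.example.com>\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)


def raw_header(message, name):
    """Return the raw value of the first header called `name`, including any
    folded continuation lines, exactly as it appears on the wire."""
    header_block = message.split("\r\n\r\n", 1)[0]
    value = None
    for line in header_block.split("\r\n"):
        if value is not None:
            if line[:1] in (" ", "\t"):
                value += "\r\n" + line      # continuation line of our header
                continue
            break                           # next header starts: done
        if line.lower().startswith(name.lower() + ":"):
            value = line[len(name) + 1:]
    return value


def unfold(value):
    """RFC 5322 section 2.2.3: delete each CRLF that is immediately followed
    by WSP, then trim surrounding whitespace."""
    return re.sub(r"\r\n(?=[ \t])", "", value).strip()


def naive_message_id(message):
    """Simplified model of the check quoted in the report: skip leading blanks
    on the first line, then require '<' at the start and '>' at the end.
    A folded header fails because the first line after the label is empty."""
    raw = raw_header(message, "Message-ID")
    if raw is None:
        return None
    value = raw.lstrip(" \t")               # blanks only, not the CRLF
    return value if value.startswith("<") and value.endswith(">") else None


def unfolded_message_id(message):
    """Same check, but applied after unfolding: both messages yield the id."""
    raw = raw_header(message, "Message-ID")
    if raw is None:
        return None
    value = unfold(raw)
    return value if value.startswith("<") and value.endswith(">") else None


if __name__ == "__main__":
    for label, msg in (("single-line", SINGLE_LINE), ("folded", FOLDED)):
        print(label, naive_message_id(msg), unfolded_message_id(msg))
```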


[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Thomas Wagner via Postfix-users
> This can be verified on Solaris with:
> 
>   /usr/bin/elfdump -re 'dyn:' path/to/binary_or_library

sorry, this must read: (solaris elfedit in read-only-mode)

   /usr/bin/elfedit -re 'dyn:' path/to/binary_or_library



[pfx] Re: Postfix 3.8.2 compile problem in Solaris 11.4

2023-11-02 Thread Thomas Wagner via Postfix-users
On Thu, Nov 02, 2023 at 03:56:16AM -0400, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Nov 02, 2023 at 09:35:47AM +0200, Jaco Lesch via Postfix-users wrote:
> 
> > > I would have tried instead:
> > > 
> > >   PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig \
> > >   make makefiles dynamicmaps=yes shared=yes \
> > >   openssl_path="/usr/openssl/3/bin/openssl" \
> > >   CC="/usr/bin/gcc -m64" \
> > >   CCARGS="-DUSE_DB -DUSE_TLS $(pkg-config --cflags libssl libcrypto)" \
> > >   AUXLIBS="-ldb $(pkg-config --libs libssl libcrypto)" \
> > > 
> > > but, you may still also need an explicit "-R/usr/openssl/3/lib" option,
> > > if that's not part of what "pkg-config" returns for "--libs".
> > > 
> > And Viktor your options for make compile 100%, no need for the explicit
> > "-R/usr/openssl/3/lib" option. Have compiled both static and dynamic to
> > verify. Regards
> 
> Given the output of your 'pkg-config' command, the "-R" options *are*
> likely still needed.  They augment the *run-time* shared library search
> path.  The code will compile without them, but it may not run, unless
> that directory is on the system-wide search path (not expected).

This can be verified on Solaris with:

  /usr/bin/elfdump -re 'dyn:' path/to/binary_or_library

watch for lines "NEEDED" and "RUNPATH".
If missing the runpath /usr/openssl/3/lib/64/ and needed library
files libssl.so and libcrypto.so then yes, a "-R/usr/openssl/3/lib/64/" 
should be needed.


or check what the actual run would load with:
  ldd -r path/to/binary_or_library

or watch the whole lengthy search-and-load process the runtime linker
does:
  LD_DEBUG=files,libs path/to/binary

  (or even: LD_DEBUG=files,libs,bindings path/to/binary)

Even a daemon not normally called by the user should output useful
information to verify linking to correct library entities.

Regards,
Thomas



Re: I got an email from "myself?" what the heck!

2021-10-24 Thread Thomas Anderson

The IP it came from was outside my network.

I think it's just a spoofing email. I had not actually seen one, so that 
raised my alarm, but I think it's ok. I need to go through and make sure 
my SPF and DMARC are sound. I just checked my DKIM a couple of days ago, so 
that's good.


Thanks for the replies.

On 10/25/21 4:59 AM, post...@ptld.com wrote:
My concern is that the email APPEARED to come from me! I was listed 
as the sender.


Any email server can send any email claiming to come from anyone. DKIM 
Signatures and SPF records working together with DMARC provides a way 
to verify if a sending email server is authorized to send an email on 
behalf of the address used. If your server is not using, checking and 
validating DMARC then anyone can easily send you or send someone else 
an email claiming to be from you. Doesn't mean they compromised or got 
inside of your system or account. They just slapped your name on the 
"outside of the envelope".


Was the connecting client server IP your server's IP? The IP of the 
connecting client in the logs is who really sent the message, not the 
arbitrary email address slapped in the Envelope-From, From header or 
Sender header.


I got an email from "myself?" what the heck!

2021-10-24 Thread Thomas Anderson
Yes, it was spam, and it was caught by SpamAssassin. It was some bitcoin 
plot or something.


The characters were not anything I could read, and the few I could make 
out were of South-East Asian descent.


My concern is that the email APPEARED to come from me! I was listed as 
the sender.


I examined the message source, against other valid emails sent by this 
user, and there wasn't anything that I could clearly see as the reason 
or how this was done. I have checked against password hacked sites, and 
the email password of the user doesn't seem to be compromised. I have 
only received maybe 2-3 of these emails in the past year, and only on 
this user--all caught by SpamAssassin.


I guess I am concerned, because I don't know how this happened.

Here is my best stab at where the problem could be.

Here is a clean email:

Received: from example.net (unknown [192.168.1.10])
by mail.example.com (Postfix) with ESMTPSA id D7C3F1980059
for ; Mon, 25 Oct 2021 03:42:29 +0200 (CEST)

Here is a non-clean email:

Received: by mail.example.com (Postfix, from userid 1005)
id F1E621982CA9; Sun, 13 Jun 2021 15:32:28 +0200 (CEST)

Just trying to figure out if my system is compromised, thanks!



Re: can't send to GSuite mailserver via IPv6 protocol

2021-03-01 Thread Thomas
Please see this description which is similar to mine:
https://serverfault.com/questions/655250/gmail-bouncing-mail-sent-over-ipv6-ipv4-working

And the answers look interesting.

Regards.

Re: can't send to GSuite mailserver via IPv6 protocol

2021-03-01 Thread Thomas
No, I don't have a reverse DNS record for IPv6. I will try that. Thank you.


On Mon, Mar 1, 2021, at 4:44 PM, Erwan David wrote:
> On 01/03/2021 at 07:01, Philip wrote:
> >
> > If IPv4 works then maybe IPv6 isn't set up?
> >
> > ping6 ipv6.google.com
> >
> > On 01/03/2021 18:24, Thomas wrote:
> >
> >> Postfix can't send email to gsuite's MTA via IPV6 interface.
> >> But if I change this item to:
> >>
> >> inet_protocols = ipv4
> >>
> >>
> >> It works.
> >> Can you help explain this?
> >> Thank you.
> >>
> Google demands a reverse in IPv6, Thomas, does your server have one?
> 
> 


can't send to GSuite mailserver via IPv6 protocol

2021-02-28 Thread Thomas
Postfix can't send email to gsuite's MTA via IPV6 interface.
But if I change this item to:
inet_protocols = ipv4


It works.
Can you help explain this?
Thank you.


Re: Question about nested LDAP queries

2021-01-08 Thread Thomas GUIRRIEC

Thank you for your reply and for the tip with virtual_alias.

So, if I understand, virtual_alias and canonical always do recursive 
lookups until the key equals the value (with an LDAP table):


A -> A (STOP)

A -> B; B -> B (STOP)

A -> B; B -> C; C-> C (STOP)

Is that correct ?

Best regards.

On 07/01/2021 at 23:04, Viktor Dukhovni wrote:

On Thu, Jan 07, 2021 at 10:24:23PM +0100, Thomas GUIRRIEC wrote:


I have configured Postfix  (3.5.8 from Alpine Linux) with
"recipient_canonical_classes = envelope_recipient" &
"recipient_canonical_maps = ldap:/etc/postfix/recipient_canonical" to

Why would you do this?   Envelope recipient rewriting is already done
automatically by "virtual_alias_maps".  There's no need to shoehorn
recipient_canonical_maps into this role.


When I inspect my OpenLDAP logs, I see that there are two nested LDAP
search queries coming from Postfix during the cleanup service.

Both recipient_canonical_maps and virtual_alias_maps are recursive.

 http://www.postfix.org/postconf.5.html#canonical_maps

  Specify zero or more "type:name" lookup tables, separated by
  whitespace or comma. Tables will be searched in the specified order
  until a match is found. Note: these lookups are recursive.



Question about nested LDAP queries

2021-01-07 Thread Thomas GUIRRIEC
ec.fr
  =bob-recipi...@guirriec.fr
cleanup[86]: mail_addr_find:b...@guirriec.fr  ->bob-recipi...@guirriec.fr
cleanup[86]: send attr request = rewrite
cleanup[86]: send attr rule = local
cleanup[86]: send attr address =bob-recipi...@guirriec.fr
trivial-rewrite[85]: master_notify: status 0
trivial-rewrite[85]: rewrite socket: wanted attribute: request
trivial-rewrite[85]: input attribute name: request
trivial-rewrite[85]: input attribute value: rewrite
trivial-rewrite[85]: rewrite socket: wanted attribute: rule
trivial-rewrite[85]: input attribute name: rule
trivial-rewrite[85]: input attribute value: local
trivial-rewrite[85]: rewrite socket: wanted attribute: address
trivial-rewrite[85]: input attribute name: address
trivial-rewrite[85]: input attribute value:bob-recipi...@guirriec.fr
trivial-rewrite[85]: rewrite socket: wanted attribute: (list terminator)
trivial-rewrite[85]: input attribute name: (end)
trivial-rewrite[85]: `local' `bob-recipi...@guirriec.fr' -> 
`bob-recipi...@guirriec.fr'
trivial-rewrite[85]: send attr flags = 0
trivial-rewrite[85]: send attr address =bob-recipi...@guirriec.fr
trivial-rewrite[85]: master_notify: status 1
cleanup[86]: private/rewrite socket: wanted attribute: flags
cleanup[86]: input attribute name: flags
cleanup[86]: input attribute value: 0
cleanup[86]: private/rewrite socket: wanted attribute: address
cleanup[86]: input attribute name: address
cleanup[86]: input attribute value:bob-recipi...@guirriec.fr
cleanup[86]: private/rewrite socket: wanted attribute: (list terminator)
cleanup[86]: input attribute name: (end)
cleanup[86]: rewrite_clnt: local:bob-recipi...@guirriec.fr  
->bob-recipi...@guirriec.fr
cleanup[86]: mail_addr_map:b...@guirriec.fr  -> 0:bob-recipi...@guirriec.fr
cleanup[86]: dict_ldap_lookup: In dict_ldap_lookup
cleanup[86]: match_string: /etc/postfix/recipient_canonical: guirriec.fr ~? 
guirriec.fr
cleanup[86]: dict_ldap_lookup: Using existing connection for LDAP source 
/etc/postfix/recipient_canonical
cleanup[86]: dict_ldap_lookup: /etc/postfix/recipient_canonical: Searching with 
filter*(mail=bob-recipi...@guirriec.fr)*
cleanup[86]: dict_ldap_get_values[1]: Search found 1 match(es)
cleanup[86]: dict_ldap_get_values[1]: search returned 1 value(s) for requested 
result attribute preferredRFC822recipient
cleanup[86]: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
cleanup[86]: dict_ldap_lookup: Search returnedbob-recipi...@guirriec.fr
cleanup[86]: maps_find: 
recipient_canonical_maps:ldap:/etc/postfix/recipient_canonical(0,lock|fold_fix|utf8_request):bob-recipi...@guirriec.fr
  =bob-recipi...@guirriec.fr
cleanup[86]: mail_addr_find:bob-recipi...@guirriec.fr  
->bob-recipi...@guirriec.fr
cleanup[86]: rewrite_clnt: cached: local:bob-recipi...@guirriec.fr  
->bob-recipi...@guirriec.fr
cleanup[86]: mail_addr_map:bob-recipi...@guirriec.fr  -> 
0:bob-recipi...@guirriec.fr
cleanup[86]: 
been_here:rfc822;b...@guirriec.fr?0?b...@guirriec.fr?bob-recipi...@guirriec.fr: 0
cleanup[86]: initial envelope M

I don't understand why Postfix does the second LDAP query with the 
(mail=bob-recipi...@guirriec.fr) filter.


Can someone explain it to me?

Best regards.

Thomas



Re: noreply email, technically and made clear to recipients

2020-05-28 Thread Thomas

On 23.05.20 at 18:00, Ralph Seichter wrote:



   From: Thomas Mustermann 

with the address nore...@domain.tld being *unknown* on your MX. That
should result in a generic 5xx rejection. If you want more control over
the rejection message, you can use something like the following:

   # /etc/postfix/main.cf
   smtpd_recipient_restrictions =
 ...
 check_recipient_access pcre:/etc/postfix/recipient_access
 ...


Hi,
thanks, I will try that.
Thomas


Re: noreply email, technically and made clear to recipients

2020-05-28 Thread Thomas



On 28.05.20 at 23:48, @lbutlr wrote:

On 28 May 2020, at 15:29, Thomas  wrote:

I of course use my own domain, which I pay for.


Yes, but read the rest of what I wrote, especially the parts I've highlighted:

Do not create a fake address with someone else's domain. Do not use 
mydomain.com because you neither own nor control mydomain.com


Of course I will not do that! I am using my own domains, which I have paid 
for and only I control.


mydomain.com was only an example for this discussion.

thanks Thomas


Re: noreply email, technically and made clear to recipients

2020-05-28 Thread Thomas




On 25.05.20 at 16:17, Jaroslaw Rafa wrote:

On 25.05.2020 at 14:33:36, Thomas wrote:


FAX is much better because FAX is same as letter and working
digital, nearly 100% yes or no. Email I did not know if it is
arrived,

[...]

What do you actually want to achieve? Because from your messages it's hard
to understand what do you actually want.


It's a legal thing.

Again, today I print out, sign and fax.
I got a paper with send OK, date, time and recipient fax number.
The signed paper will be sent with postage.

So for normal business, the fax arrives one working day earlier. Today, from 
a legal point of view, a fax is OK for a due date.

A letter can arrive later.

I don't care if the recipient has such a bad organisation that the fax and/or 
letter will be thrown away. That's not my problem.


I don't have a fax number, so the recipient has to use letter and stamp.
That's what I want.

I want to have nearly the same with Email, and so I have to find a way that 
he cannot answer with Email. So the solution seemed to be to use the sender 
address nor...@myworkingdomain.com

and NORPLY is unknown.
His message will/can not leave his server, he gets only 5XX.

Hopefully I have explained it a little better than before.

best regards Thomas

When you send an email and you get a 250 response, it means your message has
been delivered (of course it does not mean the recipient has actually read it
- it may have been put to spam, but you said you don't care about that; BTW.
the same applies also for fax or paper letter; someone may receive it, but
throw it immediately to trash without reading). 250 reply code is basically
the same as fax confirmation - fax also doesn't give you any guarantee that
anybody has actually read your message. If you get another reply, like 4xx
or 5xx, that means your message hasn't been delivered.

If you'd use a working return email address, you would receive rejection
messages in case your message hasn't been delivered. Rejection messages are
"negative confirmations", i.e. you get them only when your message HASN'T
been delivered. If you get nothing in return, you may assume your message
has been delivered.

If you explicitly DON'T want to have a working return address, you decided
yourself that you don't want these "negative confirmations". So you have to
check logs, that's your only option.

It's as simple as that. What else do you want?



Re: noreply email, technically and made clear to recipients

2020-05-28 Thread Thomas

On 27.05.20 at 17:20, @lbutlr wrote:


As I said, use a valid domain THAT YOU CONTROL.


Hi,
I of course use my own domain, which I pay for.

thanks


Re: noreply email, technically and made clear to recipients

2020-05-25 Thread Thomas




On 24.05.20 at 17:19, @lbutlr wrote:

On 23 May 2020, at 08:52, Thomas  wrote:

or 


The norm is to use an address along the lines you describe there. I use 
no-reply@. Emails to that address are accepted and discarded. Do not 
use a fake domain or someone else's domain, of course. You can certainly have the 
address be invalid so it generates a rejection, but which you chose is really just up 
to you.


OK, I now use the unknown user NOREPLY
NOREPLY
The domain must be valid, otherwise lots of Email servers will not accept:

Sender address rejected: Domain not found (in reply to RCPT TO command))

Same as my server:)

smtpd_recipient_restrictions =
reject_unknown_sender_domain,
reject_unknown_recipient_domain,

thanks
Thomas


Re: noreply email, technically and made clear to recipients

2020-05-25 Thread Thomas

On 24.05.20 at 17:19, @lbutlr wrote:

On 23 May 2020, at 08:52, Thomas  wrote:

or 


The norm is to use an address along the lines you describe there. I use 
no-reply@. Emails to that address are accepted and discarded. Do not 
use a fake domain or someone else's domain, of course. You can certainly have the 
address be invalid so it generates a rejection, but which you chose is really just up 
to you.



Hi,
my FAX does not have a valid FAX sender number, that is no problem. But 
I get a confirmation that my fax has arrived, with date/time and the content 
of the first page. The letter will be sent additionally.


With Email I have to use an attachment.

FAX is much better because FAX is the same as a letter and works digitally, 
nearly 100% yes or no. With Email I do not know if it has arrived.


Automatic Email confirmation has not worked until today, or has that changed? 
Or is it accepted that I look into my log file to find a 2XX confirmation? No.



I will try using norp...@mydomian.tld <>

I do not care if the recipient thinks my email is SPAM, that is not my 
problem. I do not want to have recipient Emails on my server, because then 
I have confirmed with 2XX that I have accepted the Email and I have the 
problem. 5XX is much better for me.


If I send Friday 11:00 AM, my FAX has arrived Friday! A letter will arrive 
Monday or Tuesday. Of course it depends on the business whether a FAX is 
"legally" arrived. Of course this is only used for business, which is usual.


It has taken many years for FAX to be accepted as a way to send a 
letter with confirmation of date/time/content arrived.


I do not want the recipient to be able to send me an Email in 30 seconds. He 
should use letter and stamp if I want.


If the letterhead has postage, FAX and Email, I can think Email works the 
same as FAX. I am not a professional and am surprised that the recipient might 
be throwing away my Emails or not reading them:) Funny if used on an official 
letterhead:)



Of course I am using email, but I have the possibility on an upper level 
to accept email to mistersm...@office123.com or I can stop emails to 
this address with 5XX


/etc/postfix/access_sender
mistersm...@office123.com   differentEmails

Or stop a complete domain from sending me emails
/etc/postfix/virtual
office123   REJECT use letter and stamp

But the standard should be that my sent email cannot be replied to and the email server 
of the recipient does not try to connect to my email server.

Thomas


Re: noreply email, technically and to make it clear to the recipient

2020-05-23 Thread Thomas

On 23.05.20 at 14:17, Claus Assmann wrote:

Please use an address for which you can receive at least non delivery
status information.

And if you really don't care: just alias the address to /dev/null.




I don't care, because from an organisation that has communicated an address, fax or email, 
I can expect that their email is working. If they 5XX and 
my used email address is correct, that's not my problem.

Again, email is sent and arrives before the letter will arrive.

This was my question, now in English:
It's a legal thing. Until today I am using fax, I have confirmation that it's 
received and I personally do not have a fax number. So nobody can send me a 
fax :)
Email is more and more popular. The recipient should receive an email before 
the letter.

He should not answer with email, he should use letter and stamp :)

So the question is what should be used

<> NORPLY
or <> NO ANSWER
or <> USE LETTER AND STAMP
or 

so that he understands if he receives my email, and second, should I use 5XX 
if he answers when he does not understand?


best regards
Thomas


Re: noreply email, technically and to make it clear to the recipient

2020-05-23 Thread Thomas



oh, sorry, I wanted to send my question to german mailing list.

Thomas

On 23.05.20 at 14:17, Claus Assmann wrote:

Please use an address for which you can receive at least non delivery
status information.

Otherwise, why do you expect the recipient to handle your non-replyable
address in any other way than you do, e.g., also rejecting it with
an error?

And if you really don't care: just alias the address to /dev/null.



noreply email, technically and to make it clear to the recipient

2020-05-23 Thread Thomas

Hello,

I send things to public authorities in advance now and then. By now they even 
cope with PDF!
In advance by email (formerly in advance by FAX), it also says so in the letterhead, and 
then additionally as a normal letter. Sometimes also by registered mail 
instead of a letter, depending on what is customary/how important it is.


How should I then express with the sender address that I do not want an 
email reply?


norp...@mydomian.tld <>

and then on my mail server 4XX or 5XX if anything should come back.

Please no discussions about meeting deadlines, effective delivery, etc.; there 
are doctoral theses on that.


Regards


Re: Postfix is trying to access the aliases table in my db with a wrong file name and directory. t.s.

2020-05-15 Thread Thomas Strike

On 5/14/20 3:08 PM, Wietse Venema wrote:

Wietse Venema:

Thomas Strike:

Thought: I am assuming that Postfix is only reading from the main.cf and
master.cf files. Could it be possible that Postfix is trying to use
main.cf* and master.cf*?

On 5/14/20 12:28 PM, Wietse Venema wrote:

Type "postfix reload" and report the main.cf filename in the logs.

Thomas Strike:

Which logs are you talking about? After setting up Postfix and Dovecot,
everything reports to var/log/maillog. Postfix doesn't report its conf
files that it loaded from there, only that it reloaded. Is there other

It reports the main.cf file in that line.

May 14 16:07:50 spike postfix/master[1225]: reload -- version 3.6-20200316, 
configuration /etc/postfix


May 15 09:46:46 sleepyvalley postfix/master[20463]: reload -- version 
3.3.1, configuration /etc/postfix


This is the version that still exists in the CentOS 8 repositories.

I was looking for the c0nfig file name(s). That just shows the c0nfig 
file path.


Re: I am having an email I'm trying to post here bounce for no apparent reason.

2020-05-14 Thread Thomas Strike



On 5/14/20 2:51 PM, Wietse Venema wrote:

Thomas Strike:

The following cryptic line is given as the reason;

.

.

.

.

BOUNCE postfix-users@postfix.org: Admin request of type /^\s*config\b/i
at line 3


How do I correct this?

Look at line 3 of the rejected email message.

Wietse
Thanks. I finally got it. Line 3 was throwing me. My original message 
was all one line because Thunderbird double lines any line breaks as a 
new paragraph. I found the word c0nfig on that 1st line.


Re: Postfix is trying to access the aliases table in my db with a wrong file name and directory. t.s.

2020-05-14 Thread Thomas Strike
Which logs are you talking about? After setting up Postfix and Dovecot, 
everything reports to var/log/maillog. Postfix doesn't report its conf 
files that it loaded from there, only that it reloaded. Are there other 
logs hidden somewhere?


On 5/14/20 12:28 PM, Wietse Venema wrote:

Thomas Strike:

Thought: I am assuming that Postfix is only reading from the main.cf and
master.cf files. Could it be possible that Postfix is trying to use
main.cf* and master.cf*?

Type "postfix reload" and report the main.cf filename in the logs.

Wietse
.


Re: I am having an email I'm trying to post here bounce for no apparent reason.

2020-05-14 Thread Thomas Strike



On 5/14/20 2:33 PM, Ralph Seichter wrote:

* Thomas Strike:


The following cryptic line is given as the reason

Not quite cryptic, just a regular expression. ;-) Make sure your subject
line does not match this expression (the first case-insensitive word of
the subject, after 0-n optional consecutive spaces, must not be "config").

-Ralph


Thanks for your response. Regex is cryptic to me. I depend on others to 
create regular expressions. I am 74 years old now and regex is more 
complicated to me than any of the programming languages that I've 
learned. With every year passing, it is getting harder to learn 
something like regular expressions. So, when someone throws a regExp at 
me, I might as well be looking at Russian. So, if the problem was on the 
subject line, it's the same subject line that other emails have that 
went through.


Tom
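The pattern Ralph explains, applied the way the bounce notice applies it (to the numbered lines of the post, which is why the notice says "at line 3"), as an added Python example that is not part of the thread. The sample post is constructed, and the optional scan limit is an assumption (the list's real limit is not stated in the thread):

```python
import re

# The expression quoted in the bounce notice: a line that, after optional
# leading whitespace, begins with the whole word "config", case-insensitively.
# List software applies such patterns to the first lines of a post to catch
# administrative commands sent to the list address by mistake.
ADMIN_REQUEST_RE = re.compile(r"^\s*config\b", re.IGNORECASE)


def find_admin_request(message_text, max_lines=None):
    """Return the 1-based number of the first body line that matches, or None.

    max_lines limits the scan to the first N lines (assumption for this
    example; filters of this kind usually only look at the top of a post).
    """
    lines = message_text.splitlines()
    if max_lines is not None:
        lines = lines[:max_lines]
    for lineno, line in enumerate(lines, start=1):
        if ADMIN_REQUEST_RE.search(line):
            return lineno
    return None


def subject_is_safe(subject):
    """True when a subject line would not trip the same pattern."""
    return ADMIN_REQUEST_RE.search(subject) is None


# Constructed sample post (not the bounced message itself): the greeting is
# line 1, an empty line is line 2, and line 3 starts with the offending word.
SAMPLE_MESSAGE = """Hi list,

config files: I searched main.cf and master.cf and the name is not there.
Thanks, Tom
"""
```

The word boundary `\b` is what makes "configuration" pass while "Config:" fails, and the spelling "c0nfig" in Tom's later posts avoids the match because the zero is not the letter o.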



I am having an email I'm trying to post here bounce for no apparent reason.

2020-05-14 Thread Thomas Strike

The following cryptic line is given as the reason;

.

.

.

.

BOUNCE postfix-users@postfix.org: Admin request of type /^\s*config\b/i 
at line 3



How do I correct this?


Re: Postfix is trying to access the aliases table in my db with a wrong file name and directory. t.s.

2020-05-14 Thread Thomas Strike
I am a novice to Postfix and only have to deal with setting up a new 
mail server every couple of years or so. This is only my 3rd time 
setting Postfix up in the past 10 years. Over time things change and 
every time I do this I have to learn it all over again. With all the 
extensive configurations and interactions with other associated service 
add-ons such as Dovecot and PostfixAdmin, and the mysql database 
(mariadb), I think that I am doing pretty good since I am alone and 
don't have any help except for you guys. So, when I add a comment like 
"I looked in  postconf -d ..." It is not imagination, it's just not 
knowing what this is all about and concern that I am not putting an open 
SMTP relay online like I did the first time trying to set up a mail server.


1. egrep -r 'mysql-aliases\.cf' /etc/postfix
nothing found.
2. postconf -x | egrep 'mysql-aliases.cf'
nothing found.
3. postconf -M | egrep 'mysql-aliases.cf'
nothing found.

By the way, I do appreciate all the help I can get. Thanks, Tom

On 5/14/20 12:37 PM, Viktor Dukhovni wrote:

On Thu, May 14, 2020 at 12:06:34PM -0500, Thomas Strike wrote:


This error is still showing up in the log but it doesn't appear to be
causing any problems that I have detected.

"May 12 14:21:44 sleepyvalley postfix/smtpd[16326]: error: open
/etc/postfix/mysql-aliases.cf: No such file or directory"
"May 12 13:07:28 sleepyvalley postfix/smtps/smtpd[15107]: error: open
/etc/postfix/mysql-aliases.cf: No such file or directory"
"May 12 13:14:26 sleepyvalley postfix/submission/smtpd[15196]: error:
open /etc/postfix/mysql-aliases.cf: No such file or directory"

That was two days ago now, is it still happening today?

Post the outputs each of:

 1. egrep -r 'mysql-aliases\.cf' /etc/postfix

 2. postconf -x | egrep 'mysql-aliases.cf'

 3. postconf -M | egrep 'mysql-aliases.cf'

And any similar log messages *today*.


I looked in  postconf -d | grep 'mynetworks ' and the following came up.
Could this error be caused by any of this stuff? Does Postfix really use
all of this or is it superfluous and widening the SMTPd server for attack?

You're letting your imagination run wild.



Re: Postfix is trying to access the aliases table in my db with a wrong file name and directory. t.s.

2020-05-14 Thread Thomas Strike

On 5/14/20 2:18 AM, Viktor Dukhovni wrote:

Have you looked in master.cf?  Are you looking at the right main.cf
file?

Look in the output of "postconf -n" and "postconf -M".


Yes. and postconf doesn't list this path/file in any -n, -m, -M, -p, or 
-d.  I have only one main.cf and one master.cf file. Both of these 
files, I copied and renamed *.cf.orig. to make working config files.


Thought: I am assuming that Postfix is only reading from the main.cf and 
master.cf files. Could it be possible that Postfix is trying to use 
main.cf* and master.cf*?


This error is still showing up in the log but it doesn't appear to be 
causing any problems that I have detected.


"May 12 14:21:44 sleepyvalley postfix/smtpd[16326]: error: open 
/etc/postfix/mysql-aliases.cf: No such file or directory"
"May 12 13:07:28 sleepyvalley postfix/smtps/smtpd[15107]: error: open 
/etc/postfix/mysql-aliases.cf: No such file or directory"
"May 12 13:14:26 sleepyvalley postfix/submission/smtpd[15196]: error: 
open /etc/postfix/mysql-aliases.cf: No such file or directory"


I have mynetworks = 127.0.0.0/8 in my main.cf file.

I looked in  postconf -d | grep 'mynetworks ' and the following came up. 
Could this error be caused by any of this stuff? Does Postfix really use 
all of this or is it superfluous and widening the SMTPd server for attack?


mynetworks = 127.0.0.0/8 54.39.19.0/24 [::1]/128 
[2607:5300:203:2a80::]/57 [fe80::]/64
proxy_read_maps = $local_recipient_maps $mydestination 
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps 
$virtual_mailbox_domains $relay_recipient_maps $relay_domains 
$canonical_maps $sender_canonical_maps $recipient_canonical_maps 
$relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps 
$sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps 
$lmtp_generic_maps $alias_maps $smtpd_client_restrictions 
$smtpd_helo_restrictions $smtpd_sender_restrictions 
$smtpd_relay_restrictions $smtpd_recipient_restrictions 
$address_verify_sender_dependent_default_transport_maps 
$address_verify_sender_dependent_relayhost_maps 
$address_verify_transport_maps $fallback_transport_maps 
$lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps 
$lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps 
$mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps 
$rbl_reply_maps $sender_dependent_default_transport_maps 
$sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps 
$smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps 
$smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps 
$virtual_gid_maps $virtual_uid_maps


Tom


Did you do that?  I am quite sure that "mysql-aliases.cf" is not
hard-coded into Postfix, so if it is reported as expected, then it is
part of your configuration in some manner, either via main.cf or
via master.cf settings for the "smtps" service.



Re: Postfix is trying to access the aliases table in my db with a wrong file name and directory. t.s.

2020-05-14 Thread Thomas Strike

On 5/13/20 4:29 PM, Viktor Dukhovni wrote:

On Wed, May 13, 2020 at 03:42:47PM -0500, Thomas Strike wrote:


Postfix is trying to access the aliases table in the postfix db with a
wrong file name and directory. I thought I had this fixed yesterday but
it is showing up again today.
I changed the property, alias_maps = /etc/postfix/mysql-aliases.cf
Yes, that needs a table type prefix.
to: mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
Oops, my bad again. Yes, I left out "mysql:" in my statement when I last 
posted. It is actually declared the way you suggested right now.

This fails the sniff test, the lookup keys in virtual alias tables are
fully-qualified (user@domain) and the RHS values support only lists
of addresses, while "alias_maps" has bare keys (user) and supports
a different RHS syntax with ":include:/path", "|command", ...

So I would not expect virtual alias tables to be appropriate as alias
tables.  What problem are you actually trying to solve?
I'm hosting multiple domains and I'm using virtual host tables. I am not 
sure that I have a problem since I can send SMTP mail with TLS and 
receive all the spam as fast as I can delete it. I am just a little 
concerned about that path/filename that popped up in the mail log since 
its declaration doesn't exist in either config file or show up in the 
postconf -n, -m, or -d lists. What evil lurks deep in the bowels of my 
server that would be attempting to use a file that isn't specified and 
doesn't exist?
*May 12 07:50:57 sleepyvalley postfix/smtps/smtpd[9495]: error: open 
/etc/postfix/mysql-aliases.cf: No such file or directory *

Look in the output of "postconf -n" and "postconf -M".



Postfix is trying to access the aliases table in my db with a wrong file name and directory. t.s.

2020-05-13 Thread Thomas Strike
Postfix is trying to access the aliases table in the postfix db with a 
wrong file name and directory. I thought I had this fixed yesterday but 
it is showing up again today. I changed the property, alias_maps = 
/etc/postfix/mysql-aliases.cf to 
mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, the actual access 
file to my aliases table. I searched the main.cf and master.cf files and 
that file and directory is no longer there. What could be possibly 
trying to use the wrong file?


May 12 07:50:57 sleepyvalley postfix/smtps/smtpd[9495]: error: open 
/etc/postfix/mysql-aliases.cf: No such file or directory


Tom S.



Re: check_ccert_access search order support (was: TLS client certificates and auth external)

2020-05-09 Thread Thomas Quinot
* Wietse Venema, 2020-05-09 :

> It was implemented in and removed from the un_stable Postfix release.

Thanks for confirming this!
 
> If you want to avoid incompatible changes, use a stable Postfix
> release instead.

Sure, that's perfectly fair, and I'm not complaining about the
removal of the feature from the unstable release; what I was wondering
was whether the use of an external policy server was the
appropriate/recommended approach.

Thomas.



Re: BCC on local delivery agent?

2020-05-09 Thread Thomas Strike
Me too. There is something about writing out your problem in detail that 
provides a moment of clarity.


On 5/9/20 1:40 AM, @lbutlr wrote:

On 08 May 2020, at 02:54, Admin Beckspaced  wrote:

ups ... I think I can answer my own question?
Why is it that the answer mostly comes once the email has been sent ;)

Because if it came before, you wouldn't send the message! (90% of the email 
questions I write are never sent, hard to believe, but true).




Re: check_ccert_access search order support (was: TLS client certificates and auth external)

2020-05-08 Thread Thomas Quinot
* Wietse Venema, 2020-05-08 :

> > As far as I can tell, support for issuer and subject CN lookup
> > was removed on 20200316. Is my understanding correct that support
> 
> As far as I know it was never implemented.

Sorry, I probably misunderstood the code while reading it.
For the record, the change I was referring to is the following:

20200316

Removed the issuer_cn and subject_cn matches from
check_ccert_access. Files: smtpd/smtpd_check.c,
proto/postconf.proto.

Thomas.



mysql postfix table "alias_domain" was created PostfixAdmin but it is empty. t.s.

2020-05-08 Thread Thomas Strike
I installed PostfixAdmin with postfix and mariadb. After PostfixAdmin 
set up the database, I populated it with adding domains and users 
through the PostfixAdmin web interface. It seemed to write all the data 
required to all the tables except the alias_domain table which is empty. 
Does Postfix use this table? Is it Postfix that populates this table or 
did PostfixAdmin not do this when it should have? The alias table looks 
like it is used for all the user name and domain name mapping.


T.S.



Re: mail from external servers connecting but timing out after tls established. t.s.

2020-05-08 Thread Thomas Strike
> On postfix itself you can use regular blocklists to prevent such 
> obvious IPs.
>
> For the other services like imap etc. it helps to use fail2ban.


I have all filtering that I know of off right now. I am just trying to 
establish incoming communication with other SMTP clients right now. Once I get 
SMTPD services running and delivering incoming messages to the virtual 
mailboxes, I will work on fetching the mail through dovecot. Then at last I'll 
address blacklisting and spam after I get my server basically working.



Re: mail from external servers connecting but timing out after tls established. t.s.

2020-05-08 Thread Thomas Strike

Matus: you're right. I misused the word server. I thought that this was the test 
message being sent with gmail because every time I sent a new test, this IP 
came up in the maillog.
This turns out to be a Russian IP. Geez, Louise! I have Russia trying to hack 
me.



mail from external servers connecting but timing out after tls established. t.s.

2020-05-08 Thread Thomas Strike
External SMTP servers time out after TLS v1.2 is established. The 
following is from the maillog:


May  8 17:40:48 sleepyvalley postfix/smtps/smtpd[17534]: connect from 
unknown[185.50.149.12]
May  8 17:40:50 sleepyvalley postfix/smtps/smtpd[17534]: Anonymous TLS 
connection established from unknown[185.50.149.12]: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  8 17:40:56 sleepyvalley postfix/smtps/smtpd[17534]: lost connection 
after EHLO from unknown[185.50.149.12]
May  8 17:40:56 sleepyvalley postfix/smtps/smtpd[17534]: disconnect from 
unknown[185.50.149.12] ehlo=1 commands=1


I set up certificates with letsencrypt. If these certs are wrong, would 
that cause this type of behavior?



Thanks, Tom
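A defender's reading of those log lines, as an added Python example that is not part of the thread: it parses Postfix smtpd log lines, groups sessions by client IP and flags clients that repeatedly drop the connection right after EHLO without ever issuing MAIL FROM, which is scanner behaviour rather than an MTA delivering mail. The four lines quoted above are used as sample input together with constructed lines (a second drop from the same client, and a legitimate delivery from the documentation address 192.0.2.10 on the port-25 smtpd service); the repeat-count threshold is an assumption. Note that the quoted lines come from the `smtps` service, i.e. port 465 wrapper-mode TLS meant for authenticated submission, which other sites' MTAs never use to deliver mail, so they cannot be a Gmail test delivery:

```python
import re
from collections import defaultdict

# Sample input: the four lines quoted above, followed by constructed lines
# (a second drop from the same client and a legitimate delivery from a
# documentation address on the port-25 smtpd service).
SAMPLE_LOG = """\
May  8 17:40:48 sleepyvalley postfix/smtps/smtpd[17534]: connect from unknown[185.50.149.12]
May  8 17:40:50 sleepyvalley postfix/smtps/smtpd[17534]: Anonymous TLS connection established from unknown[185.50.149.12]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May  8 17:40:56 sleepyvalley postfix/smtps/smtpd[17534]: lost connection after EHLO from unknown[185.50.149.12]
May  8 17:40:56 sleepyvalley postfix/smtps/smtpd[17534]: disconnect from unknown[185.50.149.12] ehlo=1 commands=1
May  8 17:41:03 sleepyvalley postfix/smtps/smtpd[17540]: connect from unknown[185.50.149.12]
May  8 17:41:09 sleepyvalley postfix/smtps/smtpd[17540]: lost connection after EHLO from unknown[185.50.149.12]
May  8 17:41:09 sleepyvalley postfix/smtps/smtpd[17540]: disconnect from unknown[185.50.149.12] ehlo=1 commands=1
May  8 17:42:15 sleepyvalley postfix/smtpd[17551]: connect from mx.example.invalid[192.0.2.10]
May  8 17:42:17 sleepyvalley postfix/smtpd[17551]: disconnect from mx.example.invalid[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# syslog prefix plus the Postfix process name, e.g. "postfix/smtps/smtpd[17534]:"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ "
    r"(?P<service>postfix/(?:[^/\s]+/)?smtpd)\[\d+\]: (?P<msg>.*)$"
)
# "name[address]" as Postfix logs the client
CLIENT_RE = re.compile(r"\S+\[(?P<ip>[0-9A-Fa-f.:]+)\]")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from ")
# the per-session command counters Postfix appends to "disconnect from"
DISCONNECT_RE = re.compile(r"^disconnect from \S+\[[^\]]+\](?P<counters>(?: \w+=\d+)*)$")


def new_client_stats():
    return {"connects": 0, "lost_after": defaultdict(int),
            "mail_cmds": 0, "services": set()}


def summarize_sessions(log_text):
    """Per-client-IP counters: connections, the stage at which the client
    dropped the session, MAIL FROM commands issued, smtpd services touched."""
    stats = defaultdict(new_client_stats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        client = CLIENT_RE.search(msg)
        if not client:
            continue
        entry = stats[client.group("ip")]
        entry["services"].add(m.group("service"))
        if msg.startswith("connect from "):
            entry["connects"] += 1
            continue
        lost = LOST_RE.match(msg)
        if lost:
            entry["lost_after"][lost.group("stage")] += 1
            continue
        disc = DISCONNECT_RE.match(msg)
        if disc:
            counters = dict(kv.split("=") for kv in disc.group("counters").split())
            entry["mail_cmds"] += int(counters.get("mail", 0))
    return stats


def probe_like_clients(stats, min_drops=2):
    """Clients that dropped right after EHLO at least min_drops times and
    never got as far as MAIL FROM. The threshold is an assumption."""
    return sorted(
        ip for ip, entry in stats.items()
        if entry["lost_after"].get("EHLO", 0) >= min_drops and entry["mail_cmds"] == 0
    )
```

The same counters are what a fail2ban filter on the smtpd log would key on; the point here is that a session that never reaches MAIL FROM is not a delivery problem to debug in the TLS configuration.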



Re: check_ccert_access search order support (was: TLS client certificates and auth external)

2020-05-08 Thread Thomas Quinot
* Wietse Venema, 2019-05-18 :

> smtpd_mumble_restrictions =
> ...
> check_ccert_access {
> maptype:mapname, { search_order = cert_fingerprint,
>   pubkey_fingerprint, subject, issuer }
> }
> ...
> 
> Where subject (or issuer) will search maptype:mapname for a match
> with the client certificate's subject (or issuer) DN. The commas
> are optional.

As far as I can tell, support for issuer and subject CN lookup
was removed on 20200316. Is my understanding correct that support
for granting access based on these aspects of the client certificate
is no longer built-in? Should this use case be handled using an
external policy server?

Thomas.



Is it necessary to declare "alias_maps" in the main.cf? t.s.

2020-05-08 Thread Thomas Strike

With all the problems that I'm having with my Postfix setup, I am taking a 
deeper dive into the meaning of each parameter declaration.
Is it necessary to declare "alias_maps" in the main.cf or does it have a 
default file path that it looks to or does it just not look at alias_maps if not declared?
Thanks, T.S.




function difference between and access_recipient

2020-02-12 Thread Thomas

Hello,
I have a problem understanding the function of

# /etc/aliases

# /etc/postfix/access_recipient

It seems that aliases is OK for receiving emails for recipients.

But what sense does it make to use access_recipient in addition, or what is the 
function of access_recipient?


thanks
Thomas




email server secured data communication state of the art

2020-01-16 Thread Thomas

Hello,
how can I check whether the recipient / operator of an email server 
to which I send email also operates one that offers it at all?

Or rather: what is the state of the art that he should use / offer?

Comments from such operators are, e.g., ones that look more like "make me important" from the 
manager:
"... matter that communication has chosen the unencrypted e-mail 
communication with all its dangers ..."


Thanks
Thomas


Re: Postfix on docker

2019-09-26 Thread Christopher Thomas

Ok davide,

does docker run on old CPUs, or how compatible is it with ARM CPUs? 
ever run a DEC Alpha?


postfix just provides the code, which compiles into binaries; postfix 
doesn't get involved with packaging, that's the job of vendors.


that's why there are no official postfix docker images, because this team 
(that I've never contributed to) only produces the source code.


then people like me use the versions which run on debian, package them 
into docker images and provide them like I did beforehand.


does that answer the question?

chris

On 26.09.19 18:34, Davide Perini wrote:


Don't want to argue, but this is the kind of answer that shows that 
you never used docker,

if so, why answer the question?

Il 2019-09-26 18:13 Wietse Venema ha scritto:


Davide Perini:

Thanks for the answer, but what are the "official vendors" for this
purpose?
Docker hub does not work like this exactly. Most devs provide their own
binaries in "official images".

Why is it not the same for postfix?


Because not all the world is LINUX? Postfix is a cross-platform
product. It is not practical to distribute binaries for every
environment. That's the job of the vendors.

Wietse


Re: Postfix on docker

2019-09-26 Thread Christopher Thomas
I have a dockerised set of images and kubernetes deployments for you to 
look at if you're interested. They work well and serve my domains 
without much problem


https://github.com/orgs/kubernetes-mail-server/dashboard

Take a look, maybe there is some contribution you want to make.

Chris

On 26.09.19 18:11, Davide Perini wrote:


Thanks for the answer, but what are the "official vendors" for this 
purpose?
Docker hub does not work like this exactly. Most devs provide their 
own binaries in "official images".


Why is it not the same for postfix?

In any case, is there some good image I can trust or that you can suggest?


Thanks,
Davide


Il 2019-09-26 18:01 Wietse Venema ha scritto:


Davide Perini:

Hi all,
is there an official image of postfix on docker hub?

I can't find it, why?


Postfix developers provide Postfix source.

Vendors provide binaries (and redistribute source).

Wietse


unknown tls certificate problem: EVP_MD_size:message digest is null

2019-04-19 Thread Chris Thomas
Hi,

I am using a letsencrypt tls cert and whenever I receive email, I get
the following error. Is this a problem with my certificate? Or with
the configuration or something??

postfix/smtpd[526]: warning: TLS library problem:
error:060A209F:digital envelope routines:EVP_MD_size:message digest is
null:crypto/evp/evp_lib.c:316:

I have tried to search google for this error, but I haven't been able
to find anything. Can anybody explain it or know what it means?

Chris


Re: Postfix 3.4.4 compile problems on Solaris 11

2019-04-01 Thread Thomas Wagner
oh, right.

reading your reply, I re-discovered my local fix I use for the
SFE packaging project:

==
#fix unlucky selection of name for struct (introduced in some 3.4.x
version)
grep "struct sockaddr_un sun;" src/util/unix_dgram_connect.c \
   && gsed -i.bak_undef_sun -e '/struct sockaddr_un sun;/ i\
   #undef sun' src/util/unix_dgram_connect.c
==

@tomww


On Mon, Apr 01, 2019 at 06:52:20PM +0300, Andrew Evdokimov wrote:
> On 01/04/2019 14:14, Wietse Venema wrote:
> > > unix_dgram_connect.c: In function 'unix_dgram_connect':
> > > unix_dgram_connect.c:63:24: error: expected identifier or '(' before
> > > numeric constant
> > >struct sockaddr_un sun;
> > >   ^
> > 
> > Any idea why identical code in src/util/unix_listen.c compiles
> > without error?
> 
> Because it undefs 'sun' macro while unix_dgram_connect.c does not.
> 
> ...
> int unix_connect(const char *addr, int block_mode, int timeout)
> {
> #undef sun
> struct sockaddr_un sun;
> ...
> 
> builder@builder2:~$ gcc -dM -E - < /dev/null | grep sun
> #define __sun 1
> #define sun 1
> #define __sun__ 1
> builder@builder2:~$ uname -a
> SunOS builder2 5.11 11.4.5.3.0 i86pc i386 i86pc
> 
> 
> -- 
> Andrew Evdokimov
> +7 910 450 83 33
> mail a...@elahi.ru
> xmpp a...@elahi.ru

-- 


Re: Unexpected directories in virtual_mailbox_base

2019-03-07 Thread Thomas Seilund



On 03/03/2019 21.31, Bill Cole wrote:

On 1 Mar 2019, at 9:21, Thomas Seilund wrote:


On 01/03/2019 08.39, Andrey Repin wrote:

Greetings, Thomas Seilund!



smtp  inet  n   - n   -   -   smtpd -o
content_filter=spamfilter -o 
receive_override_options=no_address_mappings

spamfilter    unix  -   n   n   -   - pipe
flags=Rq user=vmail argv=/usr/bin/spamfilter.sh -oi -f ${sender}
${recipient}


Apparently, the reason you're filtering outbound mail is that you are 
having local users submit mail on port 25, using the same 
configuration of the smtpd daemon that is used for mail coming in from 
the Internet.
You are right. The local users are now using port 587 for outbound 
mail. And I have added "-o smtpd_sasl_auth_enable=no" to the smtp entry in 
master.cf as my default value for smtpd_sasl_auth_enable is yes. This 
way I hope that new users will not by accident set up port 25 for 
outbound mail. Thanks a lot for the tip!


Best practice is to have port 587 "submission" (plaintext with 
STARTTLS support) and/or port 465 "smtps" ("wrappermode" TLS) 
transports, using smtpd with settings suited only for initial message 
submission. By splitting initial message submission from inbound 
message transport, you can make both services better and safer. This 
includes the options to not scan mail from your own users OR to scan 
it differently so that you don't create useless and unwanted 
directories for random remote recipients.

It was the intention to follow this best practice!



Furthermore, I have this script in /usr/bin/spamfilter:
#!/bin/bash
SENDMAIL=/usr/sbin/sendmail
SPAMASSASSIN=/usr/bin/spamc
RECEIVER=`echo $4 | tr '[:upper:]' '[:lower:]'`
${SPAMASSASSIN} -u $RECEIVER | ${SENDMAIL} "$@"
exit $?


That's almost the simplest shim possible between Postfix and 
SpamAssassin. To make it not try to use per-user configurations, just 
remove the "-u $RECEIVER" on the 5th line. That would be an 
appropriate script for use as the pipe target of an additional 
transport used as the content_filter of a submission or smtps service.
The reason I use per-user configuration is because I want each user to 
have his or her own bayes-filter. Is that the correct way to get to that 
situation?




Finally, this is the parameters I have for SA in file
/etc/sysconfig/spamassassin:
SPAMDOPTIONS="--daemonize --create-prefs --max-children=5
--helper-home-dir=/mnt/ebs01/vmail/%d/%l/SpamAssassin --username=vmail
--nouser-config 
--virtual-config-dir=/mnt/ebs01/vmail/%d/%l/SpamAssassin"

export PYTHONPATH=/usr/lib/python2.6/site-packages


Easiest way to stop creating the unwanted directories: remove 
"--create-prefs" there. It won't solve the root cause, but it will fix 
the symptom.
As you mentioned above the root cause is that users submit mail on port 
25. That has been fixed!


If your users are not using personal spamassassin lists, you can just 
tell it

to use the same user for all server work.


I assume I do use personal SA lists as I run like this:

-- Each user has a LearnAsSpam and LearnAsHam mailfolder.

-- I instruct users to move mails that SA falsely did not tag as spam 
to the LearnAsSpam folder


-- I instruct users to have at least 10 not spam messages in LearnAsHam

-- Once a day for each user I clear the bayes files and rebuild bayes 
files with:


-- sudo -u vmail sa-learn --username vmail --spam --dbpath 
$SUBDIR/SpamAssassin $SUBDIR/mail/LearnAsSpam/cur


-- sudo -u vmail sa-learn --username vmail --ham  --dbpath 
$SUBDIR/SpamAssassin $SUBDIR/mail/LearnAsHam/cur


-- $SUBDIR evaluates to each user's vmail directory, i.e. 
/mnt/ebs01/vmail/netmaster.dk/tps


If there is a better way to keep bayes up to date I would be happy to 
know.


Your users are unlikely to be actually using Bayes if you're clearing 
the databases daily. SA Bayes will not score messages AT ALL if its 
database doesn't have enough messages learned to have a statistically 
valid sample size, set by default to 200 each of spam and ham. That's 
high enough to avoid most cases of Bayes being actively bad, but Bayes 
doesn't really work *well* until it has about a thousand messages 
analyzed.


I am confused about Bayes files. What is the best strategy to fight 
spam? Are Bayes files a good idea at all and if so how do I organize 
spam-fighting using SA Bayes?
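A check that follows from Bill's point about the 200-message minimum, as an added Python example that is not part of the thread: it parses the output of `sa-learn --dump magic` (the counters SpamAssassin keeps in its Bayes database) and reports whether Bayes will score at all, and how many more spam and ham messages are needed before it does. The sample output is constructed; the 200/200 thresholds are SpamAssassin's defaults for `bayes_min_spam_num` and `bayes_min_ham_num`:

```python
import re

# Constructed sample of "sa-learn --dump magic" output; the counters are made
# up for this example. The "nspam" and "nham" lines are the ones that matter.
SAMPLE_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0        137          0  non-token data: nspam
0.000          0         12          0  non-token data: nham
0.000          0      48211          0  non-token data: ntokens
0.000          0 1551900000          0  non-token data: oldest atime
0.000          0 1551990000          0  non-token data: newest atime
"""

# SpamAssassin defaults for bayes_min_spam_num / bayes_min_ham_num: below
# either of them the BAYES_* rules are not evaluated at all.
BAYES_MIN_SPAM = 200
BAYES_MIN_HAM = 200

# columns: probability, spam count, ham count, atime, then the label
MAGIC_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<value>\d+)\s+\S+\s+non-token data: (?P<key>.+?)\s*$"
)


def parse_magic(dump_text):
    """Map each 'non-token data' label to its integer value."""
    magic = {}
    for line in dump_text.splitlines():
        m = MAGIC_RE.match(line)
        if m:
            magic[m.group("key")] = int(m.group("value"))
    return magic


def bayes_status(nspam, nham, min_spam=BAYES_MIN_SPAM, min_ham=BAYES_MIN_HAM):
    """Return (active, spam_needed, ham_needed): whether Bayes scores with
    these counts, and how many more messages of each class are still needed."""
    return (
        nspam >= min_spam and nham >= min_ham,
        max(0, min_spam - nspam),
        max(0, min_ham - nham),
    )


def bayes_status_from_dump(dump_text, **thresholds):
    magic = parse_magic(dump_text)
    return bayes_status(magic.get("nspam", 0), magic.get("nham", 0), **thresholds)


def report(dump_text):
    """One-line summary suitable for a daily cron mail to the admin."""
    active, spam_needed, ham_needed = bayes_status_from_dump(dump_text)
    if active:
        return "Bayes is active"
    return "Bayes is NOT scoring yet: need %d more spam and %d more ham" % (
        spam_needed, ham_needed)
```

Run against the folder sizes mentioned in the thread (about 100 spam and 10 ham per user), `bayes_status(100, 10)` shows that a database wiped and rebuilt from those folders every day never reaches the minimum, so the daily clear-and-relearn is what keeps Bayes switched off; `sa-learn` already skips messages it has learned before, so running it incrementally on the same folders without clearing lets the counts accumulate.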




Re: Unexpected directories in virtual_mailbox_base

2019-03-03 Thread Thomas Seilund


On 02/03/2019 13.38, @lbutlr wrote:

On 01 Mar 2019, at 07:21, Thomas Seilund  wrote:

-- Once a day for each user I clear the bayes files and rebuild bayes files 
with:

You are removing the bayes entries daily and rebuilding them based on a very 
few (if any) messages in your LearnAs folders?

That’s the same as not using bayes at all.


Thanks for your reply

Each user has a ham mail folder and a spam mail folder.

I instruct user to have at least 10 not spam mails in the ham folder.

And I instruct the users to move spam that make it to the inbox to the 
spam folder.


In most cases users have +10 mails in the ham folder and +100 mails in 
the spam folder.


How should SA learn from the two folders if not by running sa-learn on 
each of the two folders regularly?


I use SA by integrating SpamAssassin into Postfix using spamd and I 
wrote a bash script to rewrite spam method


as described in 
https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix


Any advice would be welcome




Re: Unexpected directories in virtual_mailbox_base

2019-03-01 Thread Thomas Seilund



On 01/03/2019 08.39, Andrey Repin wrote:

Greetings, Thomas Seilund!



smtp  inet  n   -   n   -   -   smtpd -o
content_filter=spamfilter -o receive_override_options=no_address_mappings
spamfilter    unix  -   n   n   -   -   pipe
flags=Rq user=vmail argv=/usr/bin/spamfilter.sh -oi -f ${sender}
${recipient}
Furthermore, I have this script in /usr/bin/spamfilter:
#!/bin/bash
SENDMAIL=/usr/sbin/sendmail
SPAMASSASSIN=/usr/bin/spamc
RECEIVER=`echo $4 | tr '[:upper:]' '[:lower:]'`
${SPAMASSASSIN} -u $RECEIVER | ${SENDMAIL} "$@"
exit $?
Finally, this is the parameters I have for SA in file
/etc/sysconfig/spamassassin:
SPAMDOPTIONS="--daemonize --create-prefs --max-children=5
--helper-home-dir=/mnt/ebs01/vmail/%d/%l/SpamAssassin --username=vmail
--nouser-config --virtual-config-dir=/mnt/ebs01/vmail/%d/%l/SpamAssassin"
export PYTHONPATH=/usr/lib/python2.6/site-packages

If your users are not using personal spamassassin lists, you can just tell it
to use the same user for all server work.


I assume I do use personal SA lists as I run like this:

-- Each user has a LearnAsSpam and LearnAsHam mailfolder.

-- I instruct users to move mails that SA falsely did not tag as spam to 
the LearnAsSpam folder


-- I instruct users to have at least 10 not spam messages in LearnAsHam

-- Once a day for each user I clear the bayes files and rebuild bayes 
files with:


-- sudo -u vmail sa-learn --username vmail --spam --dbpath 
$SUBDIR/SpamAssassin $SUBDIR/mail/LearnAsSpam/cur


-- sudo -u vmail sa-learn --username vmail --ham  --dbpath 
$SUBDIR/SpamAssassin $SUBDIR/mail/LearnAsHam/cur


-- $SUBDIR evaluates to each user's vmail directory, i.e.
/mnt/ebs01/vmail/netmaster.dk/tps


If there is a better way to keep bayes upto date I would be happy to know.

BTW, thanks for all the help






Re: Unexpected directories in virtual_mailbox_base

2019-02-28 Thread Thomas Seilund



On 28/02/2019 22.38, Bill Cole wrote:

On 28 Feb 2019, at 0:55, Thomas Seilund wrote:


On 27/02/2019 23.50, John Fawcett wrote:

On 27/02/2019 17:56, Thomas Seilund wrote:

Hi All,

I run a mail server with Postfix (version 2.6.6), Dovecot and
Spamassassin.

The first time I saw an unexpected directory in virtual_mailbox_base
was mid-December 2018. The mail server has been running for 5+ years.

There are more directories than the six directories I expect. I expect
one directory for each of the domains that the mail server handles.

What were the directories that you did not expect?


/mnt/ebs01/vmail/landplan.dk is one of the directories that I do not
expect.


Because landplan.dk is not a local domain on the mail server.


I'm guessing: is it the domain of the intended (non-local) recipient?

Yes, you are right



Looking at the /var/log/maillog it seems as if:

1. A user that is handled by the mail server logs in and sends a mail
to an address that is not handled by the mail server

2. The mail is queued

3. Spamassassin kicks in and scans the mail. I don't understand that
as the mail is outgoing.

You can scan outgoing mail if you want to make sure your users don't
send viruses. Even though I trust all my users I do it as a precaution
in case some users' clients get infected and start sending viruses.

Perhaps Spamassassin creates the unexpected directory as the
Spamassassin line in /var/log/maillog refers to an unexpected file,
ie. /mnt/ebs01/vmail/landplan.dk/XXX/SpamAssassin/user_prefs. By the
way, that file does not exist.


Guessing: XXX is the local part of the intended recipient?

Yes, you are right


Depending on its configuration, SpamAssassin may create a per-user 
configuration directory (by default, ~/.spamassassin/, but it can be 
set to ~/SpamAssassin/ or anything else you choose) for whatever user 
for whom it believes it is scanning a message. For virtual users, the 
expansion of "~" is configurable as well and typically looks like


What I THINK is happening is that you have hooked into SpamAssassin in 
such a way that it is being told unconditionally that it should use 
the per-user preferences of the recipient of the message.  I think 
your goal should be to either make SA scan outbound without per-user 
configurations or to  not scan outbound at all. Because the plumbing 
between Postfix and SA can vary greatly (standalone milter, 
MIMEDefang, Amavis as a milter, Amavis as a SMTP proxy, 
content_filter, pipe to spamc...) I won't try to guess what your 
specific fix is. How have you configured Postfix to pass messages to 
SpamAssassin?


It might be useful to also ask this question on the SpamAssassin-Users 
mailing list, as the actual directory creation is almost certainly 
being done by SA. However, how exactly you fix it is very much a 
Postfix question because Postfix is giving SA the recipient address as 
a user who needs a preferences directory of their own.


It was never my intention to let SA scan outgoing messages.

I followed this guide when I set up SA - 
https://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix


I have added these two lines to postfix master.cf:

smtp  inet  n   -   n   -   -   smtpd -o 
content_filter=spamfilter -o receive_override_options=no_address_mappings
spamfilter    unix  -   n   n   -   -   pipe 
flags=Rq user=vmail argv=/usr/bin/spamfilter.sh -oi -f ${sender} 
${recipient}


Furthermore, I have this script in /usr/bin/spamfilter:

#!/bin/bash
SENDMAIL=/usr/sbin/sendmail
SPAMASSASSIN=/usr/bin/spamc
RECEIVER=`echo $4 | tr '[:upper:]' '[:lower:]'`
${SPAMASSASSIN} -u $RECEIVER | ${SENDMAIL} "$@"
exit $?

Finally, this is the parameters I have for SA in file 
/etc/sysconfig/spamassassin:


SPAMDOPTIONS="--daemonize --create-prefs --max-children=5 
--helper-home-dir=/mnt/ebs01/vmail/%d/%l/SpamAssassin --username=vmail 
--nouser-config --virtual-config-dir=/mnt/ebs01/vmail/%d/%l/SpamAssassin"

export PYTHONPATH=/usr/lib/python2.6/site-packages



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
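The direction Bill Cole gives above (scan outbound mail without per-user configuration) spelled out as an added example; this is not the poster's spamfilter.sh and not from the SpamAssassin wiki page. It keeps the same spamc | sendmail pipeline but only passes the recipient as the spamc -u user when the recipient's domain is hosted on the server. The domain-list file path is an assumption (with the poster's MySQL map one could instead run postmap -q against virtual_domains_maps.cf).

```shell
#!/bin/sh
# Added example, not the original poster's spamfilter.sh. Postfix pipe(8)
# invokes it exactly like the original:
#   spamfilter.sh -oi -f ${sender} ${recipient}
# so $4 is the recipient. Only a recipient in a hosted domain gets a
# per-user "-u" value; for everything else (outbound mail to foreign
# domains) spamc is run without -u, so spamd treats the message as the
# user spamc runs as (vmail under the poster's pipe service) and never
# looks for /mnt/ebs01/vmail/<foreign-domain>/<localpart>/SpamAssassin.

# Assumption: hosted domains exported to a flat file, one domain per line.
# Alternative with the poster's MySQL map (not used here so the script runs
# offline): postmap -q "$domain" mysql:/etc/postfix/mysql/virtual_domains_maps.cf
LOCAL_DOMAINS_FILE="${LOCAL_DOMAINS_FILE:-/etc/postfix/local_domains.txt}"
SENDMAIL=/usr/sbin/sendmail
SPAMC=/usr/bin/spamc

# is_local_domain <domain> <domains-file>
# Exit 0 when the domain appears in the file as a whole line (literal
# match, case-insensitive). A missing file means "nothing is local".
is_local_domain() {
    grep -qixF -- "$1" "$2" 2>/dev/null
}

# sa_user <recipient> <domains-file>
# Prints the lowercased recipient address when its domain is hosted here,
# otherwise prints nothing (caller then omits -u).
sa_user() {
    rcpt=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    domain=${rcpt##*@}
    if [ "$domain" != "$rcpt" ] && [ -n "$domain" ] \
        && is_local_domain "$domain" "$2"; then
        printf '%s\n' "$rcpt"
    fi
}

# Run the pipeline only when called with Postfix's arguments; sourcing or
# running the file without arguments just defines the functions.
if [ "$#" -ge 4 ]; then
    user=$(sa_user "$4" "$LOCAL_DOMAINS_FILE")
    if [ -n "$user" ]; then
        "$SPAMC" -u "$user" | "$SENDMAIL" "$@"
    else
        "$SPAMC" | "$SENDMAIL" "$@"
    fi
    exit $?
fi
```

After installing it in place of the old script, a sender to a foreign domain should no longer produce a new directory under virtual_mailbox_base, while local recipients keep their own Bayes databases.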


Re: Unexpected directories in virtual_mailbox_base

2019-02-27 Thread Thomas Seilund



On 27/02/2019 23.50, John Fawcett wrote:

On 27/02/2019 17:56, Thomas Seilund wrote:

Hi All,

I run a mail server with Postfix (version 2.6.6), Dovecot and
Spamassassin.

The first time I saw an unexpected directory in virtual_mailbox_base
was mid-December 2018. The mail server has been running for 5+ years.

There are more directories than the six directories I expect. I expect
one directory for each of the domains that the mail server handles.

What were the directories that you did not expect?


/mnt/ebs01/vmail/landplan.dk is one of the directories that I do not expect.

Because landplan.dk is not a local domain on the mail server.





Looking at the /var/log/maillog it seems as if:

1. A user that is handled by the mail server logs in and sends a mail
to an address that is not handled by the mail server

2. The mail is queued

3. Spamassassin kicks in and scans the mail. I don't understand that
as the mail is outgoing.

You can scan outgoing mail if you want to make sure your users don't
send viruses. Even though I trust all my users I do it as a precaution
in case some users' clients get infected and start sending viruses.

Perhaps Spamassassin creates the unexpected directory as the
Spamassassin line in /var/log/maillog refers to an unexpected file,
ie. /mnt/ebs01/vmail/landplan.dk/XXX/SpamAssassin/user_prefs. By the
way, that file does not exist.

Below is my postfix configuration

[ec2-user@ec2 ~]$ postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_list = 85.191.189.106
disable_vrfy_command = yes
message_size_limit = 2048
myhostname = ec2.netmaster.dk
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,    reject_unauth_destination,
reject_invalid_hostname,    reject_unauth_pipelining,
reject_non_fqdn_sender,    reject_unknown_sender_domain,
reject_non_fqdn_recipient,    reject_unknown_recipient_domain, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
/etc/letsencrypt/live/mail.netmaster.dk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.netmaster.dk/privkey.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /mnt/ebs01/vmail
virtual_mailbox_domains =
mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:2000
[ec2-user@ec2 ~]$

Any help would be appreciated

Thomas S


You deliver mail to dovecot, so dovecot is responsible for writing to
the mail store. Could it be dovecot that is creating the unexpected
directories?

John



Unexpected directories in virtual_mailbox_base

2019-02-27 Thread Thomas Seilund

Hi All,

I run a mail server with Postfix (version 2.6.6), Dovecot and Spamassassin.

The first time I saw an unexpected directory in virtual_mailbox_base
was mid-December 2018. The mail server has been running for 5+ years.


There are more directories than the six directories I expect. I expect 
one directory for each of the domains that the mail server handles.


Looking at the /var/log/maillog it seems as if:

1. A user that is handled by the mail server logs in and sends a mail
to an address that is not handled by the mail server


2. The mail is queued

3. Spamassassin kicks in and scans the mail. I don't understand that as 
the mail is outgoing.


Perhaps Spamassassin creates the unexpected directory as the 
Spamassassin line in /var/log/maillog refers to an unexpected file, ie. 
/mnt/ebs01/vmail/landplan.dk/XXX/SpamAssassin/user_prefs. By the way, 
that file does not exist.


Below is my postfix configuration

[ec2-user@ec2 ~]$ postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
debug_peer_list = 85.191.189.106
disable_vrfy_command = yes
message_size_limit = 2048
myhostname = ec2.netmaster.dk
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated,    reject_unauth_destination, 
reject_invalid_hostname,    reject_unauth_pipelining, 
reject_non_fqdn_sender,    reject_unknown_sender_domain, 
reject_non_fqdn_recipient,    reject_unknown_recipient_domain, permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.netmaster.dk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.netmaster.dk/privkey.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual_alias_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /mnt/ebs01/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:2000
[ec2-user@ec2 ~]$

Any help would be appreciated

Thomas S



Re: TLSv1.2 only for auth connection

2018-10-26 Thread Thomas Bourdon

That's what I do, it works perfectly.
Thanks.

Le 25.10.2018 19:39, Wietse Venema a écrit :

Thomas Bourdon:

Hi,

First of all, I apologize for my bad English.

I use postfix-3.3.1 and openssl-1.0.2.

Actual ssl config : tlsv1.0 minimum is set for smtp and smtpd. tlsv1.2
minimum is set for submission/starttls.

My goal : All auth connections must be done with tlsv1.2 minimum. Other
connections can be done with tlsv1.0 minimum.

If I use tlsv1.2 minimum everywhere, I can't send/receive mail to/from
mail provider still using tlsv1.0 so I had to set tlsv1.0 minimum. But I
want to allow auth connections from users of my smtp/imap server with
tlsv1.2 minimum.

I already set up tlsv1.2 minimum for submission/starttls. I thought
about disable auth connection using 465 port but I don't want to force
my users to strictly use starttls.

Is there a way to allow tlsv1.0 minimum for unauth connection and allow
tlsv1.2 minimum for auth connection on port 465 ?


Usually, AUTH is done on the submission or smtps ports, and non-AUTH
on port 25. If you want different TLS policies for different inbound
SMTP connections, you can specify different settings in master.cf.

    Wietse


--
Thomas Bourdon
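Wietse's pointer to per-service settings in master.cf, written out as an added example (not the poster's configuration): port 25 and outbound deliveries keep a TLSv1.0 floor in main.cf, while the submission and smtps services override it with a TLSv1.2 floor and are the only services that offer AUTH. The protocol lists use the exclusion form that Postfix 3.3 with OpenSSL 1.0.2 accepts; the syslog_name values are an assumption.

```conf
# main.cf (added example): opportunistic TLS for inbound port 25 and for
# outbound deliveries, TLSv1.0 minimum so old peers still interoperate.
# AUTH is disabled here, so nothing can authenticate over the weaker policy.
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_auth_enable = no

# master.cf (added example): the two submission services override the
# policy. "-o" values must contain no whitespace, hence the packed lists.
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Verify with `postconf -Mf` that each service carries its overrides, then check that a TLSv1.0-only handshake against port 465 is refused while one against port 25 is still accepted.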


Re: TLSv1.2 only for auth connection

2018-10-25 Thread Thomas Bourdon
Thank you guys for explaining to me how smtp<->smtp works. I set up tlsv1.0
minimum for smtp<->smtp and tlsv1.2 minimum for auth connections, it
seems to be working. :)

Thanks again !

Le 25.10.2018 15:10, B. Reino a écrit :

On Thu, 25 Oct 2018, Thomas Bourdon wrote:

Because mail providers send mail to my smtp server through this port, 
don't they ?


Le 25.10.2018 15:00, B. Reino a écrit :

On Thu, 25 Oct 2018, Thomas Bourdon wrote:

Is there a way to allow tlsv1.0 minimum for unauth connection and 
allow tlsv1.2 minimum for auth connection on port 465 ?


Why would you want unauthenticated connections on port 465? (smtps).
It's AFAIK a submission port.


SMTP<->SMTP is (should be) always on port 25, with or without STARTTLS.
Port 465 is submission with TLS wrapper-mode, and port 587 is
submission (with or without STARTTLS).

I don't know if there are any smtp clients (in the sense of postfix
smtp "client") using 465 for sending to a smtp server (in the sense of
postfix smtpd..)


--
Thomas Bourdon


Re: TLSv1.2 only for auth connection

2018-10-25 Thread Thomas Bourdon
Because mail providers send mail to my smtp server through this port, 
don't they ?


Le 25.10.2018 15:00, B. Reino a écrit :

On Thu, 25 Oct 2018, Thomas Bourdon wrote:

Is there a way to allow tlsv1.0 minimum for unauth connection and 
allow tlsv1.2 minimum for auth connection on port 465 ?


Why would you want unauthenticated connections on port 465? (smtps).
It's AFAIK a submission port.


--
Thomas Bourdon


TLSv1.2 only for auth connection

2018-10-25 Thread Thomas Bourdon

Hi,

First of all, I apologize for my bad English.

I use postfix-3.3.1 and openssl-1.0.2.

Actual ssl config : tlsv1.0 minimum is set for smtp and smtpd. tlsv1.2 
minimum is set for submission/starttls.


My goal : All auth connections must be done with tlsv1.2 minimum. Other
connections can be done with tlsv1.0 minimum.


If I use tlsv1.2 minimum everywhere, I can't send/receive mail to/from 
mail provider still using tlsv1.0 so I had to set tlsv1.0 minimum. But I 
want to allow auth connections from users of my smtp/imap server with 
tlsv1.2 minimum.


I already set up tlsv1.2 minimum for submission/starttls. I thought 
about disable auth connection using 465 port but I don't want to force 
my users to strictly use starttls.


Is there a way to allow tlsv1.0 minimum for unauth connection and allow 
tlsv1.2 minimum for auth connection on port 465 ?


Have a nice day!

--
Thomas Bourdon


Re: Reject mails coming from mailservers whose reverse DNS resolution matches a certain pattern

2018-08-27 Thread Thomas Glanzmann
Hello Matus,

> for blocking .artegic.net you don't need to use pcre.
> simple hash table containing ".artegic.net" would be faster.

I see. Thanks a lot.

Cheers,
Thomas


Re: Reject mails coming from mailservers whose reverse DNS resolution matches a certain pattern

2018-08-26 Thread Thomas Glanzmann
Hello Ansgar,

> smtpd_recipient_restrictions =
>   ...
>   check_client_access pcre:/etc/postfix/client_access.pcre

> /\.artegic\.net$/ REJECT Not accepting mail from your domain.

thank you. I put that in my configuration. I already had
check_client_access under smtpd_client_restrictions but as hash. Thank
you for helping me block these spammers.

Cheers,
    Thomas


Reject mails coming from mailservers whose reverse DNS resolution matches a certain pattern

2018-08-26 Thread Thomas Glanzmann
Hello,
my bank ing-diba is using a marketing company to spam me. They have many
outgoing mail servers and I would like to block them all.

> Received: from mout-1605.artegic.net (mout-1605.artegic.net [144.76.159.198])
> (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by infra.glanzmann.de (Postfix) with ESMTPS id 379A527D0A8A
> for ; Mon,  6 Aug 2018 20:23:32 +0200 (CEST)

So basically I would like to reject email from all mailservers having a reverse
name lookup matching the pattern *.artegic.net. How can I obtain that?

Cheers,
Thomas


Timed out while sending end of data -- message may be sent more than once

2018-08-12 Thread Thomas Kristensen
Hey

I got this strange problem with postfix 3.1.0.
I got this one server that doesn't get all the mails queued for it. Some mails
get the error in the subject.
And if I do a tcpdump on the tcp stream I see this every time:

(the content has been wiped for some information)

220 [794178adb94846f8975ac93c9a320e4a] SMTP Version: 1.3.1.34773 21:18:18 12. 
august 2018
EHLO (removed)
250 [794178adb94846f8975ac93c9a320e4a] OK
MAIL FROM: (removed)
250 [794178adb94846f8975ac93c9a320e4a] OK
RCPT TO: (removed)
250 [794178adb94846f8975ac93c9a320e4a] OK
DATA
354 [794178adb94846f8975ac93c9a320e4a] Start mail input; end with .
Received: from Server (unknown [(removed)])
by Server (Postfix) with ESMTP id 41pBtg5rKGzqYnC
for (removed); Sun, 12 Aug 2018 10:32:27 +0200 (CEST)
MIMEVersion: 1.0
MIME-Version: 1.0
From: (removed)
To: (removed)
Date: 12 Aug 2018 10:32:27 +0200
Subject: (removed)
Content-Type: multipart/mixed;
 boundary=--boundary_274246_f400b577-4e93-4ffd-b5ec-355c7a0b5059


boundary_274246_f400b577-4e93-4ffd-b5ec-355c7a0b5059
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable


boundary_274246_f400b577-4e93-4ffd-b5ec-355c7a0b5059
Content-Type: application
.


As you can see the stream stops before the last mimepart is done. This is 
captured with tcpdump on the server with postfix 3.1.0
We use SMTP protocol to transport small files, so the body of the mail is not
important but the attachment is the actual message we want to transport.

This is only a problem with about 5-10% of the deliveries to this one host. We
got about 40-5 messages in and out, to many servers, every day and only see
this problem with one host we try to deliver to.

If I do a postqueue -i on the queue id it still fails, but if I make the sender
resend it, so it is a whole new message in postfix, it goes fine without
problems.
So the question is, why do some of the mails fail on the server, with no
option to requeue them?

Med venlig hilsen
Thomas Kristensen

Storhaven 12 - 7100 Vejle
Tlf: 75 72 54 99 - Fax: 75 72 65 33
E-mail: t...@multimed.dk



Re: How to autoreply with "Undelivered Mail Returned to Sender" unknown user for user+doesnotex...@domain.org

2018-07-11 Thread Thomas Nyberg

On 07/11/2018 08:03 AM, Wietse Venema wrote:

Alternative: use a transport map; that works for all domains.

/etc/postfix/main.cf
 transport_maps = hash:/etc/postfix/transport

/etc/postfix/transport:
 user+doesnotex...@example.com  error:5.1.1 User does not receive mail.

Requires "postmap hash:/etc/postfix/transport".

Wietse


Thank you very much this worked perfectly!

Cheers,
Thomas


How to autoreply with "Undelivered Mail Returned to Sender" unknown user for user+doesnotex...@domain.org

2018-07-11 Thread Thomas Nyberg

Hello,

Let's say that I do have a user "user" on my system, but I would like 
for emails sent to "user+doesnotex...@domain.org" to bounce back the 
"Undelivered mail" message with something like:


: unknown user: "user+doesnotexist"

How would I do this? I naively tried adding

user+doesnotexist: doesnoteixst

to my /etc/aliases file, but it was still delivered to my user account.

Thanks for any help.

Cheers,
Thomas


real life reasons not to use reject_unknown_client_hostname

2018-05-12 Thread Thomas Smith
The documentation[1] and several e-mails here mention that 
reject_unknown_client_hostname can reject legitimate e-mails.


What exactly are these scenarios? When do they occur in real life? Are 
there really legitimate mail servers that don't have a reverse DNS 
record that resolves to their IP?


I would like to know so that I can decide whether I should care and 
whether I can use this option for my setup. I would only use this option 
for port 25 (not submission) and make sure that sasl_authenticated 
clients are exempt from it.


[1]http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

    Thomas




Re: policyd-spf and temperrors

2017-03-17 Thread Thomas Leuxner
* James B. Byrne  2017.03.17 17:44:

> Mar 17 12:31:22 inet08 postfix/spawn[14598]: warning: command
> /usr/libexec/postfix/policyd-spf exit status 1

It is spawned per mail in my configuration:

$ postconf -nf | grep -A1 private/policyd
check_policy_service { unix:private/policyd-spf, timeout=10s,
default_action=DUNNO }

$ postconf -Mf | grep policyd
policyd-spf unix -   n   n   -   0   spawn user=policyd-spf
argv=/usr/bin/policyd-spf

As it's written in Python it depends on a working environment. Any chance this
recently has been updated on this machine?

Regards
Thomas




Re: policyd-spf and temperrors

2017-03-17 Thread Thomas Leuxner
* James B. Byrne  2017.03.17 17:20:

> Mar 17 12:16:58 inet08 postfix-p25/smtpd[14495]: connect from
> russian-caravan.cloud9.net[168.100.1.4]
> Mar 17 12:16:59 inet08 postfix-p25/smtpd[14529]: warning: problem
> talking to server private/policyd-spf: Connection timed out

It means Postfix is unable to communicate with the UNIX socket policyd-spf is
supposed to listen on.

Regards
Thomas




Re: Problems with lmtp

2017-03-17 Thread Thomas Leuxner
* chaouche yacine  2017.03.17 14:52:

> Thank you Thomas, so if I understand correctly in Viktor's config dovecot is 
> only used by postfix as a backend to query for valid virtual email addresses ?

Hi Yassine,

one of the benefits of using Dovecot's MDAs besides Sieve, is that they update 
the metadata and indexes upon delivery which improves its IMAP performance. You 
also get a broader choice of mail storage formats which offer new features 
compared to the older maildir format.

Regards
Thomas




Re: Problems with lmtp

2017-03-17 Thread Thomas Leuxner
* chaouche yacine  2017.03.17 10:25:

> > Or similar, yes.  I have:
> >
> >userdb {
> >args = uid=500 gid=500 home=/var/spool/virtual 
> > mail=maildir:/var/spool/virtual/%n
> >driver = static
> >}
> 
> 
> Sorry for asking this on a postfix list but Viktor it seems all your users 
> share the same home directory ? what about sieve scripts ? 
> 
> -- Yassine.

The example used by Viktor does not invoke Dovecot's LDA/LMTP as MDA. Postfix 
performs final delivery, thus Sieve scripts can't be used.

 vmbox:
user1@virtual.invalid   user1/
user2@virtual.invalid   user2/

Regards
Thomas




Re: smtp-cache problem

2017-02-26 Thread Thomas Minor
Hi Viktor,


thanks for the answer. I'll try to suggest this to the other server's admin team.
Since I do not know if they consider this, I'll stick to disabled default
connection reuse.

I'm interested which end of the connection is responsible for the problem, I'll
set up a test for this sometime.

--Thomas


Am 27.02.2017 um 00:15 schrieb Viktor Dukhovni:
>> On Feb 26, 2017, at 5:56 PM, Thomas Minor  wrote:
>>
>> And, on the other side, postfix as a client
>> should not reuse a dead connection.
> Postfix (somewhat obviously) cannot "reuse" a closed connection.
> The other server must have kept open.
>
> It is in principle possible to add a feature to limit re-use of
> connections exceed a given count of consecutive re-use attempts
> without delivering a single message.
>
> However, as Wietse pointed out, rather similar symptoms occur
> with multi-recipient mail, the real issue is that greylisting
> generates many self-inflicted "errors" on the receiving side,
> and the best solution is for sites that use greylisting to not
> impose error count limits.
>

-- 

  Thomas Minor, Development

  H & R Netzwerk GmbH
  Am Königsweg 9
  48599 Gronau-Epe

  Sitz:Gronau / Westf.
  Handelsregister: Amtsgericht Coesfeld, HRB 5886
  Geschäftsführer: Harald Beine

--



Re: smtp-cache problem

2017-02-26 Thread Thomas Minor
Ahh, ok, now I got it.

I thought a similar question was already answered but it seems I missed the
answer on my own question, sorry. It stayed in my outgoing box and I assumed
there was a delivery problem. That's why I sent it twice.


Back to the problem, as I pointed out, the delivery attempts to the other
postfix system from my server started to fail after hitting the hard error
limit so it refused to accept any further message on this connection. It seems
either the other server did not close the connection or my server did not
recognize the connection end, since my server tried to send mail across the
old connection.

After I disabled the connection cache, sending mails worked as supposed. They
got greylisted first and could be delivered at the second attempt. Due to
earlier problems with this particular server I configured my server in a way
that it splits a mail with multiple recipients in separate mails btw.

I think that postfix as a server should close the connection after its hard
error limit is hit, since it won't accept any mails on this connection anyway.
And, on the other side, postfix as a client should not reuse a dead connection.

Yours,


--Thomas


Am 24.02.2017 um 12:31 schrieb Alex JOST:
> Am 24.02.2017 um 09:03 schrieb Thomas Minor:
>> Hmm, ok,
>>
>> I did search but found nothing. I'll check again.
>
> http://marc.info/?t=14876316702&r=1&w=2
>

-- 

  Thomas Minor, Development

  H & R Netzwerk GmbH
  Am Königsweg 9
  48599 Gronau-Epe

  Sitz:Gronau / Westf.
  Handelsregister: Amtsgericht Coesfeld, HRB 5886
  Geschäftsführer: Harald Beine

--



Re: smtp-cache problem

2017-02-24 Thread Thomas Minor
Hmm, ok,

I did search but found nothing. I'll check again.


--Thomas


Am 22.02.2017 um 21:51 schrieb Wietse Venema:
> Thomas Minor:
>> Hello,
>>
>> I might have a problem with the smtp_connection cache.
>> Regarding documentation, the cache is enabled on demand by default.
> This question was already answered. Use youe search engine.
>
>   Wietse

-- 

  Thomas Minor, Development

  H & R Netzwerk GmbH
  Am Königsweg 9
  48599 Gronau-Epe

  Sitz:Gronau / Westf.
  Handelsregister: Amtsgericht Coesfeld, HRB 5886
  Geschäftsführer: Harald Beine

--



smtp-cache problem

2017-02-22 Thread Thomas Minor
Hello,

I might have a problem with the smtp_connection cache.
Regarding documentation, the cache is enabled on demand by default.

I found a peer site, which is also driven by postfix, which uses greylisting.
I have some 3000 mails to send to this particular server, which starts the
session by greylisting my server. Since postfix uses the smtp_connection_cache
by default, it reuses the connection which receives one greylisting temp fail
after the other.
This seems to trigger the $smtpd_hard_error_limit on the other site. My server
continues to use the now dead connection until the cache limits take effect.

I tend to assume that this is a bug and maybe a configurable amount of errors
should trigger the sending postfix to abandon a connection.

Did I miss any configuration options here or do you agree?

Yours,

--Thomas


-- 

  Thomas Minor, Development

  H & R Netzwerk GmbH
  Am Königsweg 9
  48599 Gronau-Epe

  Sitz:Gronau / Westf.
  Handelsregister: Amtsgericht Coesfeld, HRB 5886
  Geschäftsführer: Harald Beine

--


smtp-cache problem

2017-02-20 Thread Thomas Minor
Hello,

I might have a problem with the smtp_connection cache.
Regarding documentation, the cache is enabled on demand by default.

I found a peer site, which is also driven by postfix, which uses greylisting.
I have some 3000 mails to send to this particular server, which starts the
session by greylisting my server. Since postfix uses the smtp_connection_cache
by default, it reuses the connection which receives one greylisting temp fail
after the other.
This seems to trigger the $smtpd_hard_error_limit on the other site. My server
continues to use the now dead connection until the cache limits take effect.

I tend to assume that this is a bug and maybe a configurable amount of errors
should trigger the sending postfix to abandon a connection.

Did I miss any configuration options here or do you agree?

Yours,

--Thomas


-- 

  Thomas Minor, Development

  H & R Netzwerk GmbH
  Am Königsweg 9
  48599 Gronau-Epe

  Sitz:Gronau / Westf.
  Handelsregister: Amtsgericht Coesfeld, HRB 5886
  Geschäftsführer: Harald Beine

--


Re: Domain loops to itself

2017-02-17 Thread Thomas Leuxner
* Nikolaos Milas  2017.02.17 15:59:

>hesperia-space.eu   relay:[vmail.noa.gr]
> 
> line, but even when I added it and restarted postfix (service postfix
> restart), it wouldn't work.

transport_maps = hash:/etc/postfix/transportmap

You need to run postmap on a hashed map for it to take effect.

Regards
Thomas




Re: Expanding aliases before forwarding mail to milter

2016-11-24 Thread Thomas Leuxner
* Niklaas Baudet von Gersdorff  2016.11.24 12:28:

> I appreciate any ideas or hints.

You should be able to work around this with a restriction class. Although the 
example is not LDAP specific it should provide general direction:

# We will query for quotas on real mailboxes only via 
smtpd_recipient_restrictions
smtpd_restriction_classes =
 quota_users
quota_users =
 check_policy_service { unix:private/quota-status, timeout=10s, 
default_action=DUNNO }

smtpd_recipient_restrictions =
 [...]
 check_recipient_access lmdb:$config_directory/quota_users

The real accounts are listed here:

$ cat /etc/postfix/quota_users
u...@example.com quota_users


failed AUTH LOGIN not being logged

2016-08-15 Thread Thomas Keller
In my logs, I have thousands of:

  postfix/smtpd: connect from unknown [186.225.115.62]
  postfix/smtpd: disconnect from unknown [186.225.115.62]

when I watch the traffic on port 25, I see that the client tried AUTH
LOGIN and was rejected:

  220 mail..com ESMTP
  HELO mail..com
  250 mail..com
  AUTH LOGIN
  503 5.5.1 Error: authentication not enabled
  QUIT
  221 2.0.0 Bye

but I don't see the failed AUTH LOGIN in my logs (neither mail.log, nor
mail.err)

I am using a custom script to block offending IPs (similar to fail2ban),
but I cannot block these IPs when I don't see them in the logs.

How can I make sure failed AUTH LOGIN is being logged ?




thousands of "lost connection after AUTH"

2016-06-24 Thread Thomas Keller
This is not a real problem, but I am curious to understand what is
happening here.

I am running a small postfix server for personal use. One thing that I
observe over and over again is thousands of "lost connection after AUTH"
connections, such as these:

  08:23:19 postfix/smtpd[4925]: connect from unknown [155.133.38.30]
  08:23:19 postfix/smtpd[4925]: lost connection after AUTH from unknown
[155.133.38.30]
  08:23:19 postfix/smtpd[4925]: disconnect from unknown [155.133.38.30]

now, these are not causing much trouble for me (other than flooding my
logs), and I know I can tweak the anvil rate limits (I am using these
below and since these "lost connection after auth" happen every 1 - 2
minutes, they are not caught by my anvil filter.):

  anvil_rate_time_unit= 60s
  smtpd_client_connection_rate_limit  = 10
  smtpd_client_message_rate_limit = 10
  smtpd_client_new_tls_session_rate_limit = 10

I am curious to know, who are these agents connecting to my server, and
what are they trying to achieve ?

AFAICT, they don't even attempt to send spam, or use me as relay. What
do they want?




reject emails with empty subject

2016-05-19 Thread Thomas Keller
Hello list,

what would be the easiest way to block emails with no subject ?

thanks,
Thomas


Re: Client not sending EHLO for certain server banner

2016-04-21 Thread Thomas Zäch
> I just remember from years ago that some CISCOS in fixup mode will
> reject EHLO, and some will reject STARTTLS, depending on configuration.
>
> On the upside, one does not have to worry about TLS downgrade atttacks.
>
> Wietse

Thanks for your background information, advice - and postfix. As
suggested by you I found
postconf -e 'smtp_pix_workarounds = delay_dotcrlf'
working for me.

Thomas


Client not sending EHLO for certain server banner

2016-04-21 Thread Thomas Zäch
Hi All,

when attempting to enforce TLS with a remote server I saw it failing.
The reason turned out to be with the remote server-banner consisting
of '*'-characters only. The local postfix-smtp in this case insisted
to send "HELO".
I'd like to understand if I can override/force postfix-smtp to send
"EHLO" in all cases instead (... postfix configured with
"smtp_always_send_ehlo = yes" ...) or in which RFC I could find more
information about the expectation on the server-banner.

Brief tests with local postfix client <= 3.1.0:
remote banner= "220 *" - HELO sent
remote banner= "220 a" - EHLO sent
remote banner= "220 0" - HELO sent
(--> remote banner must start with alpha?)

Thanks for any hint,
Regards,

Thomas


Re: too many connections

2016-04-19 Thread Thomas kinghorn
Thank you Wietse & Viktor for the response.

Much appreciated.

Regards
Tom

On Mon, Apr 18, 2016 at 5:52 PM, Viktor Dukhovni  wrote:

> On Mon, Apr 18, 2016 at 12:15:13PM +0200, Thomas kinghorn wrote:
>
> > In master.cf
> >
> > transport_maps = hash:/etc/postfix/vox_transport
> > vox_destination_concurrency_limit = 20
> > vox_destination_rate_delay = 2s
>
> Setting a rate delay reduces the concurrency to 1.
>
> > vox_destination_recipient_limit = 6
>
> Setting a low recipient limit causes multi-recipient messages to
> split into more parts and consume more connections.
>
> So if the destination accepts more than 6 recipients at a time,
> use a larger limit.
>
> The best way to resolve your issue is to get whitelisted by the
> receiving system.
>
> You may be able to reduce the impact of downstream connection limits
> by slowing down positive and negative feedback:
>
> smtp_destination_initial_concurrency = 2
> smtp_destination_concurrency_positive_feedback = 0.2 / concurrency
> smtp_destination_concurrency_negative_feedback = 0.5 / concurrency
>
> This will grow the concurrency for each destination more slowly
> and will avoid throttling too quickly.
>
> --
> Viktor.
>
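A model of the scheduler behaviour Viktor describes, added here as an example; it is not Postfix code and not from the thread. It follows the feedback syntax documented in postconf(5): with a positive feedback of 0.2/concurrency every successful delivery adds 0.2/concurrency, so the per-destination concurrency rises by one only after 5×concurrency successes; with a negative feedback of 0.5/concurrency it drops by one after 2×concurrency failures; a non-zero rate delay pins concurrency at 1; and a message costs ceil(recipients / recipient_limit) deliveries. Assumptions of the model: a feedback accumulator resets when the opposite kind of outcome occurs, the concurrency limit is applied only as a ceiling, and the delivery outcomes are constructed.

```python
import math
from fractions import Fraction


def feedback_step(expr, concurrency):
    """Per-delivery feedback amount for an expression in the forms postconf(5)
    documents: 'number', 'number / number', 'number / concurrency' and
    'number / sqrt(concurrency)'. Fractions keep 10 x 0.1 exactly equal to 1."""
    left, _, right = expr.replace(" ", "").partition("/")
    value = Fraction(left)
    if right == "concurrency":
        value /= concurrency
    elif right == "sqrt(concurrency)":
        value /= Fraction(math.sqrt(concurrency))
    elif right:
        value /= Fraction(right)
    return value


def deliveries_per_message(recipients, recipient_limit):
    """Connections one message costs once it is split at the recipient limit."""
    return math.ceil(recipients / recipient_limit)


def connections_for(recipient_counts, recipient_limit):
    """Total deliveries for a batch of messages with the given recipient counts."""
    return sum(deliveries_per_message(n, recipient_limit) for n in recipient_counts)


def simulate(outcomes, *, initial=5, limit=20, positive="1", negative="1",
             rate_delay=0):
    """Concurrency after each delivery outcome (True = success, False =
    connection/handshake failure).  Model assumption: a success resets the
    accumulated negative feedback and a failure resets the positive one."""
    if rate_delay > 0:
        return [1] * len(outcomes)       # rate-delayed destination: one at a time
    concurrency = min(initial, limit)
    up = down = Fraction(0)
    trace = []
    for ok in outcomes:
        if ok:
            down = Fraction(0)
            up += feedback_step(positive, concurrency)
            if up >= 1:                   # enough positive feedback: grow by one
                concurrency = min(concurrency + 1, limit)
                up = Fraction(0)
        else:
            up = Fraction(0)
            down += feedback_step(negative, concurrency)
            if down >= 1:                 # enough negative feedback: shrink by one
                concurrency = max(concurrency - 1, 1)
                down = Fraction(0)
        trace.append(concurrency)
    return trace


if __name__ == "__main__":
    # Constructed batch: three messages with 20, 3 and 50 recipients.
    print("recipient_limit=6 :", connections_for([20, 3, 50], 6), "deliveries")
    print("recipient_limit=50:", connections_for([20, 3, 50], 50), "deliveries")
    slow = simulate([True] * 45, initial=2, positive="0.2 / concurrency")
    fast = simulate([True] * 45, initial=2, positive="1")
    print("0.2/concurrency after 45 successes:", slow[-1])
    print("default feedback after 45 successes:", fast[-1])
    print("rate_delay=2s:", simulate([True] * 3, rate_delay=2))
```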


Re: Content Filter only for incoming mails

2016-04-18 Thread Thomas Leuxner
* BP20  2016.04.18 10:41:

> Thank you, can you please explain it a bit more with an example?
> What do you mean with "dedicated submission instance"?

1.2.3.4:submission inet n   -   -   -   -   smtpd
-o syslog_name=postfix/submission
...




too many connections

2016-04-18 Thread Thomas kinghorn
Good morning List.

I have a problem where Vox Telecoms is temp rejecting our mail stating "too
many connections".

I was thinking of a transport_map to delay control the connection rate but
Vox hosts the email for many domains, so it would be impossible to create
an accurate list.

Is there an easier way?

My current solution is:

In master.cf

transport_maps = hash:/etc/postfix/vox_transport
vox_destination_concurrency_limit = 20
vox_destination_rate_delay = 2s
vox_destination_recipient_limit = 6

In master.cf

vox       unix  -       -       n       -       -       smtp
    -o syslog_name=postfix-vox

in vox_transport


domain1     vox:
domain2     vox:
domain3     vox:
...
...
domain100   vox:


The problem is that there are hundreds of domains and it's impossible to
keep track of which domains deliver to vox.

Many thanks
Tom


Re: header re-write not working - message-id

2016-04-14 Thread Thomas kinghorn
Thank you Wietse.

On Mon, Apr 11, 2016 at 4:29 PM, Wietse Venema  wrote:

> Thomas kinghorn:
> > Good morning list.
> >
> > I hope someone can assist with a problem.
> >
> > We have a device which uses a GSM sim and a non-configurable device
> setting.
> > It is currently sending data relating to water flow.
> >
> > The problem occurring is that Amavisd-new (SpamAssassin) is tagging the
> > mail as spam due to the message-id not having a TLD.
>
> If it runs as an smtpd_proxy_filter, then there are no header_checks
> before the filter.
>
> The flow is:
>
> network -> smtpd -> smtpd proxy filter -> smtpd -> cleanup -> queue
> file
>
> header_checks are implemented in the cleanup daemon.
>
> The smtpd_proxy_filter feature breaks a number of assumptions about
> how Postfix works. This affects header_checks, milters, and address
> rewriting among others.  That is not easily fixed by moving
> smtpd_proxy_filter to the end of the cleanup daemon.
>
> Wietse
>


header re-write not working - message-id

2016-04-11 Thread Thomas kinghorn
Good morning list.

I hope someone can assist with a problem.

We have a device which uses a GSM sim and a non-configurable device setting.
It is currently sending data relating to water flow.

The problem occurring is that Amavisd-new (SpamAssassin) is tagging the
mail as spam due to the message-id not having a TLD.

I have setup the following in header_checks

/Message-Id:\s+<(.*?)\.TXT>/ REPLACE Message-Id: <$1...@domain.tld>

However, the messages still get relayed with the invalid message-id.


All tests show that the REPLACE is working but when I check the next hop
server (relay server); the message-id still says ".TXT", not " @domain.tld"

test output on sample blocked mails:

postmap -q - regexp:/etc/postfix/regexp < spam-mzWaYWwQ3Py9

Message-Id:  REPLACE Message-Id:


however, SpamAssassin still triggers:

* 3.8 MSGID_NOFQDN1  Message-ID with no domain name

* 0.6 INVALID_MSGID  Message-Id is not valid, according to RFC 2822


It would appear that postfix is not replacing the message-id even though
the tests work.


Thanks

Tom


Re: header rewrite not working

2016-04-08 Thread Thomas kinghorn
Please disregard.

It would appear that a certain unnamed-user changed the header_check file
in the main.cf

That will teach me to use postconf -n more often.

On Fri, Apr 8, 2016 at 9:58 AM, Thomas kinghorn 
wrote:

> Good morning list.
>
> I hope someone can assist with a problem.
>
> We have a device which uses a GSM sim and a non-configurable device
> setting.
> It is currently sending data relating to water flow.
>
> The problem occurring is that Amavisd-new (SpamAssassin) is tagging the
> mail as spam due to the message-id not having a TLD.
>
> I have setup the following in header_checks
>
> /Message-Id:\s+<(.*?)\.TXT>/ REPLACE Message-Id: <$1...@domain.tld>
>
> However, the messages still get relayed with the invalid message-id.
>
>
> All tests show that the REPLACE is working but when I check the next hop
> server (relay server); the message-id still says ".TXT", not " @domain.tld"
>
> test output on sample blocked mails:
>
> postmap -q - regexp:/etc/postfix/header_checks < spam-mzWaYWwQ3Py9
>
> Message-Id:  REPLACE Message-Id:
> 
>
> however, SpamAssassin still triggers:
>
> * 3.8 MSGID_NOFQDN1  Message-ID with no domain name
>
> * 0.6 INVALID_MSGID  Message-Id is not valid, according to RFC 2822
>
>
> It would appear that postfix is not replacing the message-id even though
> the tests work.
>
>
> Thanks
>
> Tom
>
>
>
>


header rewrite not working

2016-04-08 Thread Thomas kinghorn
Good morning list.

I hope someone can assist with a problem.

We have a device which uses a GSM sim and a non-configurable device setting.
It is currently sending data relating to water flow.

The problem occurring is that Amavisd-new (SpamAssassin) is tagging the
mail as spam due to the message-id not having a TLD.

I have setup the following in header_checks

/Message-Id:\s+<(.*?)\.TXT>/ REPLACE Message-Id: <$1...@domain.tld>

However, the messages still get relayed with the invalid message-id.


All tests show that the REPLACE is working but when I check the next hop
server (relay server); the message-id still says ".TXT", not " @domain.tld"

test output on sample blocked mails:

postmap -q - regexp:/etc/postfix/header_checks < spam-mzWaYWwQ3Py9

Message-Id:  REPLACE Message-Id:


however, SpamAssassin still triggers:

* 3.8 MSGID_NOFQDN1  Message-ID with no domain name

* 0.6 INVALID_MSGID  Message-Id is not valid, according to RFC 2822


It would appear that postfix is not replacing the message-id even though
the tests work.


Thanks

Tom


rewrite domain

2016-03-22 Thread Thomas kinghorn
Good afternoon list.

It has been a while since I worked on a postfix problem, so I apologise if
this is a trivial post.

I have an outbound mail server where senders are mistyping the recipient
domains due to the "O" & "P" being next to each other.

The recipient domain is local.

Is there a way to re-write the domain so that I do not get the "Domain not
found" error.

I added it to generic but I am still getting "Domain not found".

Thanks
Tom


SSL_accept error/TLS library problem

2016-03-08 Thread Thomas Keller
could somebody please explain what these errors mean ?

postfix/smtpd[2608]: connect from
61-216-2-13.HINET-IP.hinet.net[61.216.2.13]
postfix/smtpd[2608]: SSL_accept error from
61-216-2-13.HINET-IP.hinet.net[61.216.2.13]: -1
postfix/smtpd[2608]: warning: TLS library problem:
2608:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:340:
postfix/smtpd[2608]: lost connection after STARTTLS from
61-216-2-13.HINET-IP.hinet.net[61.216.2.13]

I am running Postfix 2.9.6 and I am using TLS settings as recommended by
Viktor Dukhovni recently in "Mitigating DROWN"

thanks,
Thomas


smtpd_helo restrictions no permanent error? Can we change it?

2015-12-03 Thread Thomas Nagel

Hi,

we implemented a smtpd_helo_restrictions check with this configuration:

smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
# check_client_access hash:/etc/postfix/
  check_helo_access hash:/etc/postfix/check_helo_access
  reject_invalid_helo_hostname
# reject_non_fqdn_helo_hostname
# reject_invalid_helo_hostname
  reject_unknown_helo_hostname

when implementing this, we had some problems with some sending mailservers 
that used HELOs which had invalid or unknown HELOs - but needed to be 
let through - so we populated a whitelist. Since then - once a month a 
customer complains about not getting a mail from an external sender - we 
look those HELOs up in the log file and put it in the whitelist and 
inform the postmaster of the sending server about the configuration failure.


Spam has reduced  a lot since this measure.

But: since we only have reject_unknown_helo_hostname - there we send 
only temp (450) errors back even for addresses that don't even exist. How 
can we cope with this?
Is it okay to change the error code in unknown_hostname_reject_code from 
the default (450) to some permanent 5xx code? In the manual it says "Do 
not change this unless you have a complete understanding of RFC 2821." - 
so I am careful and ask for help.


There are some servers that try and keep sending mail to non existent 
addresses - I think it has something to do with the temp error code they 
are getting.


Advice will be much appreciated.

Thanks,

Thomas.
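The question turns on a distinction Postfix already makes between two outcomes of reject_unknown_helo_hostname: a name that definitely has no A or MX record gets the reply code in unknown_hostname_reject_code (450 by default), while a lookup that fails with a temporary DNS error is handled by unknown_helo_hostname_tempfail_action (defer_if_permit by default), which is not affected by the reject code. The model below, an added example that is neither Postfix code nor from the post, walks the restriction list above in order and shows that raising the reject code to 550 only changes the NXDOMAIN case, while the temporary-failure case still defers. It takes a resolver callback so it runs offline with constructed answers; the callback interface, the constructed DNS answers, the whitelist contents and the simplified hostname syntax check (an approximation of reject_invalid_helo_hostname, not Postfix's validator) are all assumptions of the example.

```python
import ipaddress
import re

# Simplified hostname syntax check: an approximation of what
# reject_invalid_helo_hostname enforces, not Postfix's own validator.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def demo_resolver(name):
    """Constructed DNS answers for the example (no network access)."""
    return {"mail.example.org": "ok",          # has an A or MX record
            "nohost.example.org": "nxdomain",  # definitely does not exist
            }.get(name, "tempfail")            # everything else: SERVFAIL/timeout


def evaluate_helo(helo, *, client_ip, resolve, mynetworks=("127.0.0.0/8",),
                  sasl_authenticated=False, helo_access=None,
                  unknown_hostname_reject_code=450,
                  unknown_helo_hostname_tempfail_action="defer_if_permit"):
    """Evaluate the smtpd_helo_restrictions list from the post in order:
    permit_mynetworks, permit_sasl_authenticated, check_helo_access,
    reject_invalid_helo_hostname, reject_unknown_helo_hostname.
    Returns (action, smtp_code, restriction_that_decided).  `resolve(name)`
    is a caller-supplied callback returning "ok", "nxdomain" or "tempfail"
    (interface assumed for this example)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return "PERMIT", None, "permit_mynetworks"
    if sasl_authenticated:
        return "PERMIT", None, "permit_sasl_authenticated"
    # check_helo_access hash:... looks up the full name, then parent domains.
    # Table values here are only "OK" or "REJECT" (other actions left out).
    if helo_access:
        labels = helo.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            key = ".".join(labels[i:])
            if key in helo_access:
                if helo_access[key] == "OK":
                    return "PERMIT", None, "check_helo_access"
                return "REJECT", 554, "check_helo_access"   # access_map_reject_code
    if not HOSTNAME_RE.match(helo):
        return "REJECT", 501, "reject_invalid_helo_hostname"  # invalid_hostname_reject_code
    status = resolve(helo)
    if status == "nxdomain":
        # Definitely unknown: the only case unknown_hostname_reject_code governs.
        return "REJECT", unknown_hostname_reject_code, "reject_unknown_helo_hostname"
    if status == "tempfail":
        # Temporary DNS error: governed by the tempfail action, never by the
        # reject code, so a 5xx reject code cannot bounce mail on a DNS hiccup.
        if unknown_helo_hostname_tempfail_action == "defer":
            return "DEFER", 450, "reject_unknown_helo_hostname"
        # defer_if_permit: the list in the post has no later reject, so the
        # implicit final permit turns into a 4xx defer.
        return "DEFER_IF_PERMIT", 450, "reject_unknown_helo_hostname"
    return "PERMIT", None, "end of restriction list"


if __name__ == "__main__":
    for name in ("mail.example.org", "nohost.example.org", "flaky.example.org"):
        for code in (450, 550):
            print(name, code, evaluate_helo(name, client_ip="192.0.2.9",
                                            resolve=demo_resolver,
                                            unknown_hostname_reject_code=code))
```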



fine-tuning smtpd_client_*_rate_limit

2015-09-24 Thread Thomas Keller
I am using Postfix as personal mailserver, with very light traffic.

I do, however, get a lot of open-relay attacks.
Often, these attacks come in bursts, tens of attacks within couple of
seconds, from the same IP.

Would this situation be a good use of "rate_limits" ?

Any suggestion how I should fine-tune the limits ?
Would the following settings make sense ?

anvil_rate_time_unit= 60s
smtpd_client_connection_rate_limit  = 10
smtpd_client_message_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
smtpd_client_recipient_rate_limit   = 10

Can somebody with more experience advise, please?

thanks
Thomas


fetchmail-postfix-relay and filter

2015-09-05 Thread Thomas


Hi,

i am pretty new to postfix,

i have set up a postfix server that forwards mail over a relay host
(gmail.com), which comes from another external server with fetchmail.

That all works, but what i want to do is to forward only mail from
certain sender addresses (whitelist).
So where do i have to dig?
The smtpd_recipient_restrictions check_sender_access doesn't seem to
work. I am still getting all the mail

Thanks

toby




Re: Postfix on a system with RBAC/grsecurity

2015-08-25 Thread Thomas Keller
On 2015-08-23 15:40, Wietse Venema wrote:
> 
> The resolver(3) system library uses connected UDP sockets. Other
> system library functions introduce their own system calls. Even if
> you think you have discovered all "normal" behavior, you can expect
> random failures, because the normal behavior does not cover all
> unusual scenarios. For example, Viktor already mentioned the need
> for DNS over TCP when a response is too large for UDP.
> 
>   Wietse
> 

thanks to both for the help. I have enabled tcp port 53 as well, but I
still get the same errors.

I have noticed that I only get this error, when the hostname resolves to
multiple IP addresses, as in

  $ host 74.208.4.197
  197.4.208.74.in-addr.arpa domain name pointer mout.perfora.net.

  $ host mout.perfora.net
  mout.perfora.net has address 74.208.4.195
  mout.perfora.net has address 74.208.4.196
  mout.perfora.net has address 74.208.4.197
  mout.perfora.net has address 74.208.4.194

I then get the errors for all IPs listed

I understand that this is done by the resolver library and not Postfix.
But since we are already talking here about this, can you perhaps see
what is happening ?
Is it possible resolve is trying to ping the IPs?

thanks,
Thomas




Postfix on a system with RBAC/grsecurity

2015-08-23 Thread Thomas Keller
Hello,
This is a rather specific question, but I could not think of a better
place to ask than this list.

I am running Postfix on a system with RBAC/grsecurity. In RBAC, every
Postfix process (subject) has its rules, for files which it can
read/write, ports to open, etc

For example, /usr/lib/postfix/smtpd running as user postfix has
following rules:

subject /usr/lib/postfix/smtpd o {
        /                       h
        /etc/                   h
        /etc/gai.conf           r
        /etc/host.conf          r
        /etc/hosts              r
        /etc/ld.so.cache        r
        /etc/localtime          r
        /etc/resolv.conf        r
        /lib/x86_64-linux-gnu/  rx
        /var/spool/postfix/     rw
        -CAP_ALL
        bind 0.0.0.0/32:25      stream tcp
        bind 0.0.0.0/32:465     stream tcp
        connect 0.0.0.0/0:53    dgram udp
        sock_allow_family       netlink ipv4
}

The only remote connections allowed are to udp port 53. Now RBAC is
logging following error messages:

  postfix:U:/usr/lib/postfix/smtpd denied connect() to 74.208.4.197 port
0 sock type dgram protocol udp

In postfix logs, I can see that email was successfully delivered at the
same time, from 74.208.4.197, and there are no errors in the postfix
logs. So whatever was denied, it was not essential for email delivery.

Can somebody please explain what smtpd is trying to do? Why does it try
to connect to "port 0". What is port 0, anyway - is it raw socket? Is
smtpd supposed to connect to anything other than udp 53 ?

I have seen this error repeatedly from the same sender. Other senders/IP
addresses do not generate this error.

regards,
Thomas

