[pfx] Re: #5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command) - how to repair?

2024-07-29 Thread Wietse Venema via Postfix-users
export--- via Postfix-users:
> Here is my main.cf file (I deleted only my network details).

For better support:

- Output from the command "postconf -nf"

- Output from the command "postconf -Mf"

- Postfix logging for the failing delivery.

You can edit email addresses and IP addresses, but must not remove
time stamps, program names, or edit logging in other ways.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: #5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command) - how to repair?

2024-07-29 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Mon, Jul 29, 2024 at 03:48:42PM +0200, Jaroslaw Rafa via Postfix-users 
> wrote:
> 
> > Isn't there any possibility to use a dedicated transport to such a broken
> > server, with settings that force use of TLS to deliver the message
> > regardless of target server not advertising it?
> 
> No, because the servers in question not only don't offer STARTTLS in
> EHLO, but also refuse STARTTLS if you try.  There aren't many such
> systems, but they exist.  Perhaps not the OP's issue, but it is a
> remote possibility.

Would smtp_reply_filter do the job?

Wietse


[pfx] Re: #5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command) - how to repair?

2024-07-29 Thread Wietse Venema via Postfix-users
export--- via Postfix-users:
> Sent email returns with the error
> 
> #5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command)
> 
> How can I correct  that error?
> Thank you for help

Assuming that the actual message was:

530 5.7.0 Must issue a STARTTLS command first

* If this happens while Postfix receives a message with the 'submission'
  service (TCP port 587) then the client is at fault.

  This should not be fixed on the Postfix side. The client should
  turn on TLS, or it should not use the submission service.

* If this happens while Postfix receives a message with the 'smtp'
  service (port 25) then the server is at fault. 

  This can be fixed on the Postfix side with:

  main.cf:
      smtpd_tls_security_level = may

Wietse

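An added illustration, not code from this thread or from Postfix, of where the 530 reply comes from: it is the server's own STARTTLS policy deciding whether MAIL FROM is acceptable before TLS, modelled here as a small Python state machine. Only the 530 line is taken from the thread; the other reply texts, the hostnames and the class and function names are assumptions for the example.

```python
# Added model of the TLS-related SMTP server transitions; not Postfix code.
# Only the 530 reply is quoted from the thread; other reply texts are assumptions.

STARTTLS_REQUIRED = "530 5.7.0 Must issue a STARTTLS command first"


class SmtpdTlsModel:
    """Tracks just enough SMTP state to show when MAIL FROM is refused."""

    LEVELS = ("none", "may", "encrypt")   # subset of smtpd_tls_security_level values

    def __init__(self, security_level):
        if security_level not in self.LEVELS:
            raise ValueError("unsupported security level: %r" % security_level)
        self.level = security_level
        self.tls_active = False
        self.greeted = False

    def ehlo(self, client_name):
        """EHLO: advertise STARTTLS only when TLS is enabled and not yet active."""
        self.greeted = True
        caps = ["250-mail.example.invalid"]          # constructed hostname
        if self.level != "none" and not self.tls_active:
            caps.append("250-STARTTLS")
        caps.append("250 8BITMIME")
        return caps

    def starttls(self):
        """STARTTLS: the handshake itself is out of scope; just flip the state."""
        if self.level == "none":
            return "502 5.5.1 Error: command not implemented"
        if self.tls_active:
            return "554 5.5.1 Error: TLS already active"
        self.tls_active = True
        self.greeted = False      # RFC 3207: the client must send EHLO again
        return "220 2.0.0 Ready to start TLS"

    def mail_from(self, sender):
        """MAIL FROM: refused with the quoted 530 reply under 'encrypt' without TLS."""
        if not self.greeted:
            return "503 5.5.1 Error: send HELO/EHLO first"
        if self.level == "encrypt" and not self.tls_active:
            return STARTTLS_REQUIRED
        return "250 2.1.0 Ok"


def mail_from_reply(security_level, client_starts_tls):
    """Run one client session against the model and return the MAIL FROM reply."""
    server = SmtpdTlsModel(security_level)
    server.ehlo("client.example.invalid")
    if client_starts_tls:
        server.starttls()
        server.ehlo("client.example.invalid")
    return server.mail_from("sender@example.invalid")


if __name__ == "__main__":
    for level in ("encrypt", "may"):
        for tls in (False, True):
            print(level, "client TLS:", tls, "->", mail_from_reply(level, tls))
```

The two cases in the reply map onto the model: with "encrypt" (what a submission service enforces) only the client-side change, sending STARTTLS before MAIL FROM, makes the command succeed; with "may" on port 25 the server accepts MAIL FROM whether or not the client started TLS.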

[pfx] Re: connect to pgsql server could not translate host name

2024-07-28 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Viktor Dukhovni via Postfix-users:
> > On Sun, Jul 28, 2024 at 09:37:19PM +1000, Viktor Dukhovni via Postfix-users 
> > wrote:
> > 
> > > Yes, but the chrooted smtpd(8) process reads:
> > > 
> > > /var/spool/postfix/etc/resolv.conf
> > > 
> > > rather than /etc/resolv.conf, because that's what chroot jails do.
> > > 
> > 
> > And the same applies to /etc/hosts, /etc/nsswitch.conf, ...  Your chroot
> > jail needs to faithfully mirror the corresponding configurations outside
> > the jail, and the most common problem with chroots is failure to keep
> > key configuration files in sync.
> 
> More advice: don't chroot smtpd, and see if that fixes the
> problem.
> 
> postconf -F smtp/inet/chroot=n
> postfix reload
> 
> Same story for other Postfix daemons.

Another tip: replace "pgsql:/path/to/file" with "proxymap:pgsql:/path/to/file".

Background: https://www.postfix.org/proxymap.8.html

Wietse

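A check for the sync problem Viktor describes, added here as an example and not part of the thread or of Postfix: compare the name-service files outside the jail with the copies under the Postfix queue directory and report any that are missing or have drifted. The file list and the function names are assumptions; /var/spool/postfix is the chroot path the thread itself mentions.

```python
import hashlib
import os
import tempfile

# Files a chrooted daemon reads from inside the jail. The list is an
# assumption for this example; add whatever your resolver stack uses.
NAME_SERVICE_FILES = (
    "etc/resolv.conf",
    "etc/hosts",
    "etc/nsswitch.conf",
    "etc/services",
)


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def stale_chroot_copies(chroot_dir, files=NAME_SERVICE_FILES, root="/"):
    """Return {relative_path: problem} for every file whose copy inside the
    jail is missing or differs from the copy outside it. Files that do not
    exist outside the jail are skipped; 'root' exists so the demo can use a
    temporary tree instead of the real filesystem."""
    problems = {}
    for rel in files:
        outside = os.path.join(root, rel)
        inside = os.path.join(chroot_dir, rel)
        if not os.path.isfile(outside):
            continue
        if not os.path.isfile(inside):
            problems[rel] = "missing in chroot"
        elif _sha256(outside) != _sha256(inside):
            problems[rel] = "differs from copy outside chroot"
    return problems


def demo():
    """Build a constructed root and jail in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        jail = os.path.join(tmp, "jail")
        for base in (root, jail):
            os.makedirs(os.path.join(base, "etc"))

        def put(base, rel, text):
            with open(os.path.join(base, rel), "w") as fh:
                fh.write(text)

        # Constructed contents: resolv.conf drifted, hosts never copied,
        # nsswitch.conf in sync, services absent on both sides.
        put(root, "etc/resolv.conf", "nameserver 192.0.2.53\n")
        put(jail, "etc/resolv.conf", "nameserver 192.0.2.1\n")
        put(root, "etc/hosts", "127.0.0.1 localhost\n")
        put(root, "etc/nsswitch.conf", "hosts: files dns\n")
        put(jail, "etc/nsswitch.conf", "hosts: files dns\n")
        return stale_chroot_copies(jail, root=root)


if __name__ == "__main__":
    import sys
    found = stale_chroot_copies("/var/spool/postfix")
    for rel, why in sorted(found.items()):
        print("%s: %s" % (rel, why))
    sys.exit(1 if found else 0)
```

Run as root against the real queue directory it exits non-zero when a jail copy is stale, which makes it usable from a cron job or a post-update hook; the hash comparison deliberately ignores ownership and timestamps, since only content drift causes the resolver symptoms in this thread.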

[pfx] Re: connect to pgsql server could not translate host name

2024-07-28 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Sun, Jul 28, 2024 at 09:37:19PM +1000, Viktor Dukhovni via Postfix-users 
> wrote:
> 
> > Yes, but the chrooted smtpd(8) process reads:
> > 
> > /var/spool/postfix/etc/resolv.conf
> > 
> > rather than /etc/resolv.conf, because that's what chroot jails do.
> > 
> 
> And the same applies to /etc/hosts, /etc/nsswitch.conf, ...  Your chroot
> jail needs to faithfully mirror the corresponding configurations outside
> the jail, and the most common problem with chroots is failure to keep
> key configuration files in sync.

More advice: don't chroot smtpd, and see if that fixes the
problem.

postconf -F smtp/inet/chroot=n
postfix reload

Same story for other Postfix daemons.

Wietse


[pfx] Re: connect to pgsql server could not translate host name

2024-07-27 Thread Wietse Venema via Postfix-users
Laura Smith via Postfix-users:
> I'm getting the following in my logs:
> 
> "warning: connect to pgsql server foo.example.com: could not
> translate host name "foo.example.com" to address: Temporary failure
> in name resolution?"

That is a text from the pgsql library.
 
> But I cannot understand why. Running, e.g. "dig foo.example.com"
> returns instantly with the IP address, no problems with resolution?

Are you typing that command as root? Most Postfix daemons don't.

This would be a good time to identify the program that logs
the warning, and to report output from the command "postconf -Mf".

Wietse


[pfx] Re: RFC logs_check

2024-07-25 Thread Wietse Venema via Postfix-users
Keith:
> If you are interested and I do not subsequently break your head can I
> ask some questions as to how to find snippets of your code that might
> do things related to those questions so I can fail to make sense of
> them and rob them to try and implement a/my thing?

I'm afraid that there is not enough time to bridge that gap. Instead
of coaching one person through the steps to add feature X to Postfix
safely, it would be more cost-effective to implement and document
a feature so that everyone can do X safely without having to write
code.

I think that there is no shame in letting other people worry about
how to translate an idea into working code.

Wietse


[pfx] Re: RFC logs_check

2024-07-25 Thread Wietse Venema via Postfix-users
Bob via Postfix-users:
> Having put my foot in it by suggesting that Postfix might make calls to
> external functions requiring root access, in particular IPTables, what
> if Postfix had its own version of IPtables.

It was decided long ago that Postfix will be extensible with different
tools from different manufacturers, allowing the system administrator
to choose the best tool for the job. This approach reflects that
the initial market was organizations, and that the initial audience
was system administrators.

Michael W. Lucas recently wrote a book for individuals who wish to
"run your own mail server". It covers a wide range of topics, and
I think it lowers the barrier for entrance (despite the claim that
it is for the hard-core Unix sysadmin, by a fellow hard-core sysadmin).

Wietse


[pfx] Re: RFC logs_check

2024-07-24 Thread Wietse Venema via Postfix-users
postfix--- via Postfix-users:
> > what's the main difference between a policy server and a milter?
> 
> 
> Policy Server:
>   - Coded quickly in scripting language
>   - Lightweight, simple, and fast to setup
>   - Is only provided limited header information by postfix for evaluating

No headers or body. 

Supports complex conditions on helo, client, recipient, and other
envelope information.

Example: postfwd, https://www.postfwd.org/

> 
> Milter:
>   - More complicated to setup and code
>   - Has access to the entire email (Headers, body, attachments)
>   - More robust for large volumes of email

Supports complex conditions on envelope (helo, client, recipient,
etc.) and message content.

Example: milter-regex, https://www.benzedrine.ch/milter-regex.html

Wietse


[pfx] Re: RFC logs_check

2024-07-24 Thread Wietse Venema via Postfix-users
Steffen Nurpmeso via Postfix-users:
> Keith wrote in
>  :
>  |Hmm Policy Server. Do I have to install one and read the Man Pages?
>  |
>  |Then again I might take heart from the suggestion that this has been
>  |done before although the mention of blocklisting and coloured flags
>  |suggests others decided it was a bad idea.
>  |
>  |I get that cause for concern but, to me, it might arise because...
>  |
>  |//.burp\ -h -a --plorp -s 1038 ->./zed*\|+z furble
>  |
>  |would be nonsensical to a Facebook user. Also likely to apply to
>  |Mastodon users.
>  |
>  |Obviously we all copy and paste random stuff from the Web into our
>  |config files because that works until it doesn't and we kept a backup.
> 
> I must admit i do not truly grasp your message.
> The op wants to be able to reject the one emails, and to block IPs
> of others which match something, if i understood this correctly.
> This i think can be done with a "policy server" or a milter,
> parsing logs is too late.  I would say policy is much cheaper and
> easier than milter in terms of CPU cycles and usage.
> 
> So.. i do not know, actually, whether there exists an "easily
> accessible proxy" already, like say one that readily prepares the
> KEY=VALUE pairs of the protocol to make them accessible for
> example to a shell script, (or a shell function, ie, one shell
> instance from start to stop; i-should-go-more-lua, btw), and then
> supports things like postfix itself, for example "REJECT" or
> "RUN-SCRIPT" .. or whatever.  That would be cool.
> If so, it would be *cool* if that would become a postfix companion
> and part of it!  (RUN-SCRIPT would then change user and group id
> etc, likely.)

For policy delegation, it's already there. The example in
https://www.postfix.org/SMTPD_POLICY_README.html uses the Postfix
built-in spawn(8) daemon, to run a policy server on-demand and as
an unprivileged user.

The policy protocol is brain-dead simple (apart from %hex encoding
of weird strings). The script should run in a loop so that the same
process can be reused multiple times until the Postfix SMTP daemon
closes the connection.

For header_checks, one could use the tcp_table and socketmap
protocols, but the Postfix lookup table interface supports only one
query attribute per request.

For complex policies that require real-time responses and that look
at the envelope and message content, I still recommend using a milter.

Wietse

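A minimal policy server in Python, added as an example (it is not from this thread, from Postfix or from postfwd), covering both the policy-server summary earlier in this digest and the two points Wietse makes above: the script keeps answering requests in a loop until the SMTP daemon closes the connection, and it undoes the %XX encoding of attribute values. The policy itself (rejecting a constructed HELO suffix), the sample requests and all function names are assumptions for the illustration.

```python
import io
import re
import sys

_HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_value(value):
    """Undo the %XX encoding Postfix uses for unusual bytes in attribute values."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_request(lines):
    """One request is a block of name=value lines; return it as a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:                      # ignore malformed lines rather than crash
            attrs[name] = decode_value(value)
    return attrs


# Constructed policy data for the example, not a recommendation.
REJECTED_HELO_SUFFIXES = (".example.invalid",)


def decide(attrs):
    """Return the action text for one request (DUNNO = no opinion)."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    helo = attrs.get("helo_name", "").lower()
    if helo.endswith(REJECTED_HELO_SUFFIXES):
        return "REJECT HELO hostname not accepted here"
    return "DUNNO"


def serve(instream, outstream):
    """Answer every blank-line-terminated request until EOF: one process
    serves the whole connection, as the reply above recommends."""
    pending = []
    for raw in instream:
        line = raw.rstrip("\r\n")
        if line:
            pending.append(line)
            continue
        if pending:                  # blank line closes a request
            outstream.write("action=%s\n\n" % decide(parse_request(pending)))
            outstream.flush()
            pending = []


def run_on_text(request_text):
    """Feed constructed requests through serve() and return the raw replies."""
    out = io.StringIO()
    serve(io.StringIO(request_text), out)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Hooked up the way SMTPD_POLICY_README shows, the script is started by spawn(8) from a master.cf entry of the form "policy unix - n n - 0 spawn user=nobody argv=/path/to/policy-server" (the path is a placeholder) and consulted from main.cf with check_policy_service unix:private/policy. Because serve() only sees envelope attributes, anything that depends on headers or body belongs in a milter, as the comparison above says.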

[pfx] Re: RFC logs_check

2024-07-24 Thread Wietse Venema via Postfix-users
Gary R. Schmidt via Postfix-users:
> I'm sure postfix can be configured to use normal log files, or is that 
> something that has to be made available at build-time?

https://www.postfix.org/MAILLOG_README.html

Available with Postfix version 3.4 or later. This includes logging
to stdout while running in a container.

Wietse


[pfx] Re: RFC logs_check

2024-07-24 Thread Wietse Venema via Postfix-users
Bob via Postfix-users:
> As a further ramble headers_checks, a line in mine, looks like this
> 
> /ional.co.uk/ REJECT No Spam Please.
> 
> At the eame time that Postfix triggers on the match it must know the IP
> address that was associated with the trigger. Instead of the above...
> 
> /ional.co.uk/ REJECT No Spam Please. ACTION iptables -A INPUT -s "$i" -
> j DROP
> 
> No need for an external script.

Running commands as root from a Postfix daemon process?
Why didn't I think of doing that 25 years ago.

With Postfix, this is done by tailing the log and running tools
like fail2ban. Postfix handles mail, fail2ban runs commands.
It's a division of responsibilities.

Wietse


[pfx] Re: Transport settings for mailing list transport

2024-07-22 Thread Wietse Venema via Postfix-users
Austin Witmer via Postfix-users:
> On Jul 22, 2024, at 5:00 PM, Wietse Venema via Postfix-users 
>  wrote:
> > 
> > Austin Witmer via Postfix-users:
> >>> You will need SPF, DKIM, and DMARC with 'p=reject'.  If this is
> >>> an interactive list, you will need to replace list member's From:
> >>> headers with your mailing list address to satisfy DMARC.
> >> 
> >> I believe I have SPF, DKIM and DMARC setup with p=reject.
> >> 
> >> So the big list with 1500 members is not an interactive list and
> >> probably will just have one sending (gmail) address.
> > 
> > Your server is not gmail.com, so when you send BULK mail with a
> > From: addr...@gmail.com from a non-gmail server, then that can
> > be problematic.
> 
> Would it be better in your opinion to setup a dedicated address
> with a domain I own, on my server, for sending emails to a
> non-interactive list this big so that the sending address is
> "allowed" to send/relay mail through my server? That way I don't
> have the appearance of sending email on behalf of a gmail account
> from my server?

I was assuming that your Postfix server has a proper hostname with
reverse DNS that resolves to that hostname, and a domain name that
is under your control. That has been a requirement for 20 years
already. Then that would be an excellent choice for the From:
domain, and for SPF, DKIM, and DMARC policies.

> >> From what I was reading online, I thought "From munging" is not
> >> necessary if I am not modifying the subject, body or existing email
> >> headers. And thus the original senders DMARC won't be broken,
> >> right?
> > 
> > That may still work with low-volume PERSONAL mail, but the rules with
> > BULK mail are different.
> 
> Do you have any recommendations on how to accomplish this "From
> munging" without using something like mailman? Perhaps a milter
> of some kind?

If there is only one authorized sender, then you could pipe the
message through a script that replaces the authorized From: address
with the desired one, before feeding the message into mlmmj.

Wietse

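One way to do that piping step in Python, added as an example rather than code from the thread or from mlmmj: rewrite From: only when it carries the single authorized sender, and pass every other message through untouched. The function names, the constructed sample message and the Reply-To handling are assumptions.

```python
import email
import email.policy
from email.utils import parseaddr


def rewrite_from(raw, authorized_sender, list_address):
    """Return the message bytes with From: pointed at list_address when, and
    only when, the original From: is the authorized sender. The original
    author stays reachable through Reply-To unless one is already present."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != authorized_sender.lower():
        return raw                              # not ours to touch
    display = "%s via list" % name if name else list_address.split("@")[0]
    msg.replace_header("From", "%s <%s>" % (display, list_address))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr
    return msg.as_bytes()


def header_address(raw, name):
    """Helper: the address part of an address header, or None if absent."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    value = msg.get(name)
    return None if value is None else parseaddr(value)[1]


# Constructed sample message, not real mail.
SAMPLE = (b"From: Alice Example <alice@gmail.invalid>\n"
          b"To: announce@example.org\n"
          b"Subject: July announcement\n"
          b"\n"
          b"Body text.\n")


if __name__ == "__main__":
    # Filter usage: read the message on stdin, write the rewritten one to stdout.
    import sys
    sys.stdout.buffer.write(rewrite_from(sys.stdin.buffer.read(),
                                         "alice@gmail.invalid",
                                         "announce@example.org"))
```

Because the rewrite happens before the message reaches mlmmj and before the list's own DKIM signature is applied, the outgoing mail carries a From: domain you control, which is what the earlier reply in this thread asks for; the original From: of anyone other than the authorized sender is left alone so an unexpected poster is not silently laundered through the list address.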

[pfx] Re: Transport settings for mailing list transport

2024-07-22 Thread Wietse Venema via Postfix-users
Austin Witmer via Postfix-users:
> > You will need SPF, DKIM, and DMARC with 'p=reject'.  If this is
> > an interactive list, you will need to replace list member's From:
> > headers with your mailing list address to satisfy DMARC.
> 
> I believe I have SPF, DKIM and DMARC setup with p=reject.
> 
> So the big list with 1500 members is not an interactive list and
> probably will just have one sending (gmail) address.

Your server is not gmail.com, so when you send BULK mail with a
From: addr...@gmail.com from a non-gmail server, then that can
be problematic.

> Will DMARC be broken if I only add the following headers to mailing
> list messages?
> 
> X-Mailinglist:
> List-Id:
> List-Unsubscribe: 
> List-Unsubscribe-Post:

Unlikely. Note that the rules for BULK mail are defined by the
receiver.

> From what I was reading online, I thought "From munging" is not
> necessary if I am not modifying the subject, body or existing email
> headers. And thus the original senders DMARC won't be broken,
> right?

That may still work with low-volume PERSONAL mail, but the rules with
BULK mail are different.

Wietse


[pfx] Re: Transport settings for mailing list transport

2024-07-22 Thread Wietse Venema via Postfix-users
Austin Witmer via Postfix-users:
> Hello all!
> 
> I recently added mlmmj as a mailing list manager to my postfix server.
> 
> My concern is that I don't overwhelm the big boys (yahoo, google,
> iCloud) and have them rate limit me because I am sending to too
> many addresses to quickly.
> 
> Here are my transport settings for mlmmj. 
> 
> mlmmj_destination_concurrency_limit = 5
> mlmmj_destination_concurrency_failed_cohort_limit = 10
> mlmmj_destination_rate_delay = 1s
> mlmmj_destination_recipient_limit = 1

Caution: with mlmmj_destination_recipient_limit=1, the unit of
concurrency is the recipient address, not the domain name. Postfix
will deliver up to 5 recipients in parallel assuming that your SMTP
client process limit is 5 or more.

> Are they sensible? Am I being overly cautious? Any suggestions for
> improvement? I have one mailing list I am setting up with over
> 1500 subscribers and so I want to get this right.

You will need SPF, DKIM, and DMARC with 'p=reject'.  If this is
an interactive list, you will need to replace list member's From:
headers with your mailing list address to satisfy DMARC.

You will need to start slow, and increase delivery rates in the course
of ~weeks.

Wietse


[pfx] Re: "Recipient address rejected" on SMTP/25 - but port 587 relays properly

2024-07-22 Thread Wietse Venema via Postfix-users
Chris Wopat via Postfix-users:
> Thank you! changing from 'error' to 'smtp' did indeed do the trick.
> 
> Follow up, I clearly have a config ported over time, I see that
> `smtpd_relay_restrictions` is perhaps what I now want to use instead
> of `smtpd_recipient_restrictions`
> 
> It appears to be working with the above fix as well as:
> 
> smtpd_relay_restrictions = permit_mynetworks, check_client_access
> cidr:/etc/postfix/access, permit_sasl_authenticated,
> reject_unauth_destination
> smtpd_recipient_restrictions =
> 
> Just confirming this is valid? I simply inverted the contents of each
> of these - previously realy_restrictions was empty.

Yeah. But there is one remaining problem: your Postfix server is
sending bounce messages when a customer's SMTP server rejects a
non-existent recipient. That can be a lot when a spammer is doing
a dictionary attack.

That would not happen when you have a valid recipient list; then
Postfix would reject RCPT TO, and the spammer would move on.

You can build that list dynamically by changing /etc/postfix/access:

Old:
example.com OK

New:
example.com reject_unverified_recipient OK

But that could be a slow process because it needs a remote SMTP
client (not in mynetworks or SASL authenticated) to contact your
server while the customer's server is up.

Wietse


[pfx] Re: "Recipient address rejected" on SMTP/25 - but port 587 relays properly

2024-07-22 Thread Wietse Venema via Postfix-users
Chris Wopat via Postfix-users:
> I'm in the process of rebuilding a mail relay server from Centos 7 (postfix
> 2.10.x) -> Ubuntu 22 (Postfix 3.6.x).
> 
> This is a mail relay server that will relay mail for our customers if their
> IP is whitelisted in /etc/postfix/access. We have no local users and are
> not doing any per-user authentication, just source IP. ISP style
> environment.
> 
> We've ported our config over, which works on port 587 but not on port 25 -
> we are getting "Recipient address rejected" on 25 only. I've stared at the
> config quite a bit and am not spotting the issue - curious if anyone else
> can?
> 
> Note that when i turned peer debugging on, it logs this section for SMTP/25
> but not for 587:
> 
> >>> CHECKING Recipient address VALIDATION MAPS <<<
> 
> and it fails here. Unsure what the proper workaround is, or if some default
> behaviour has changed between 2.x and 3.x causing this?
> 
> `postfinger` output attached

You have "default_transport = error". And, since your customer
domains aren't a member of relay_domains, virtual_xxx_domains, or
mydestination, that is the delivery transport that Postfix chooses
for the domain.

With the default "smtpd_reject_unlisted_recipient = yes" the Postfix
SMTP server rejects recipients during RCPT TO when they resolve to
the error transport.

It should be considered a bug in Postfix that the SMTP server fails
to do that error transport check with "smtpd_reject_unlisted_recipient
= no".

I suggest that you reconsider the setting "default_transport = error".
It creates problems by rejecting mail that should be delivered.

Wietse


[pfx] Re: Postfix and reproducible builds

2024-07-22 Thread Wietse Venema via Postfix-users
Scott Kitterman via Postfix-users:
> On a possibly related note, recent versions of man now produce a stack of 
> warnings for postconf.f (this is the first one, there are 244, one for each 
> line of the man page):
> 
> warning: cannot select font 'C' [usr/share/man/man5/postconf.5.gz:1]

I recall that this was widely supported on systems that had some
version of troff (not a clone like groff) but I am too lazy to
fire one up for a demonstration.

> That's the point at which I decided it was more than I cared to think about 
> over the weekend.  FYI (and I totally understand you might decide the same on 
> a longer term basis).

Eliminating the lines with ".ft C" (and the now redundant ".ft R")
is a simple edit in the mantools/postconf2man script. There are no
in-line "\fC" directives embedded in any Postfix documentation.

Wietse


[pfx] Re: "Recipient address rejected" on SMTP/25 - but port 587 relays properly

2024-07-22 Thread Wietse Venema via Postfix-users
Chris Wopat via Postfix-users:
> Thanks for the replies, a few comments below from a few replies:
> 
> 
> On Mon, Jul 22, 2024 at 8:45 AM Matus UHLAR - fantomas via
> Postfix-users  wrote:
> >
> > "smtpd_reject_unlisted_recipient=no" is why recipient is not rejected on 
> > port 587.
> 
> Can this be added to port 25 somehow?
> 
> > What is the destination domain provided by sending IP and is it listed in
> > mydestination?
> 
> It is not in mydestination, it is in /etc/postfix/access in CIDR
> format - "1.2.3.4 OK".

If "Recipient address rejected" is followed by "user unknown in xxx
table" then you inadvertently added their domain to that table.

Wietse


[pfx] Re: "Recipient address rejected" on SMTP/25 - but port 587 relays properly

2024-07-22 Thread Wietse Venema via Postfix-users
Chris Wopat via Postfix-users:
> I'm in the process of rebuilding a mail relay server from Centos 7 (postfix
> 2.10.x) -> Ubuntu 22 (Postfix 3.6.x).
> 
> This is a mail relay server that will relay mail for our customers if their
> IP is whitelisted in /etc/postfix/access. We have no local users and are
> not doing any per-user authentication, just source IP. ISP style
> environment.
> 
> We've ported our config over, which works on port 587 but not on port 25 -
> we are getting "Recipient address rejected" on 25 only. I've stared at the
> config quite a bit and am not spotting the issue - curious if anyone else
> can?
> 
> Note that when i turned peer debugging on, it logs this section for SMTP/25
> but not for 587:
> 
> >>> CHECKING Recipient address VALIDATION MAPS <<<
> 
> and it fails here. Unsure what the proper workaround is, or if some default
> behaviour has changed between 2.x and 3.x causing this?

That behavior was introduced over 20 years ago in Postfix 2.0, and
that has not changed.

The proper workaround is to list relay destinations in main.cf:relay_domains,
and to list valid relay recipients in main.cf:relay_recipient_maps.

Other documentation of interest:

* "Configuring Postfix as primary or backup MX host for a remote site"
  https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup

* "Recipient address verification" (if you can't populate relay_recipient_maps)
  https://www.postfix.org/ADDRESS_VERIFICATION_README.html#recipient

Wietse


[pfx] Re: Postfix and reproducible builds

2024-07-21 Thread Wietse Venema via Postfix-users
Scott Kitterman via Postfix-users:
> Unfortunately, I got distracted from reporting back on this again.  Sorting 
> AUXLIBS is also needed to make things reproducible:
> 
> Index: postfix/makedefs
> ===
> --- postfix.orig/makedefs
> +++ postfix/makedefs
> @@ -215,7 +215,7 @@ echo "#-
>  echo "# Start of summary of user-configurable 'make makefiles' options."
>  echo "# CCARGS=$CCARGS"
>  echo "# AUXLIBS=$AUXLIBS"
> -env | grep '^AUXLIBS_' | sed 's/^/# /'
> +env | grep '^AUXLIBS_' | sed 's/^/# /' | sort
>  echo "# shared=$shared"
>  echo "# dynamicmaps=$dynamicmaps"
>  echo "# pie=$pie"
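Review bot: the added `| sort` on the `env | grep '^AUXLIBS_' | sed 's/^/# /'` line orders its output under whatever LC_COLLATE the build environment happens to set, so the sorted AUXLIBS_ block is reproducible across builders only if makedefs pins the locale (the reply below states that it forces LC_ALL=C for its sorts); if that pinning does not cover this pipeline, write it as `LC_ALL=C sort` in the hunk itself so the intent survives when the line is copied elsewhere.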
> 
> It would be great if you could apply this in a future release.

This is done. But I'm also trying to be proactive. What differences
should Postfix builds defend against?

For example, the output from 'env' may depend on process history,
so we defend against that by deterministically sorting the output
(makedefs forces deterministic sort with an LC_ALL=C command).

But Postfix binaries also differ when I change LANG from, say,
en_US.UTF-8 to nl_NL.UTF-8. I see differences in how the compiler
orders (string) constants internally. I would not be surprised if
it also affects how the shell orders filenames as it expands a
wildcard pattern.

Should I worry about LANG/LC_ALL differences, or are those differences
eliminated by the tooling that invokes Postfix build commands?

Wietse


[pfx] Re: Build error for PostFix 3.9.0 on MacOS with MySQL 8.3: missing mysql_ssl_set()

2024-07-20 Thread Wietse Venema via Postfix-users
Peter via Postfix-users:
> On 20/07/24 00:30, Wietse Venema via Postfix-users wrote:
> >> Just to throw another wrench in the works, MariaDB lists mysql_options()
> >> as deprecated in MariaDB Connector/C 3.0 and recommends mysql_optionsv()
> >> instead:
> >>
> >> https://mariadb.com/kb/en/mysql_options/
> >>
> >> For now it should work, but we may end up needing to patch postfix once
> >> again in the near future for this.
> > 
> > Do you happen to know a combination of MYSQL_VERSION_ID, MARIADB_VERSION_ID,
> > and/or MARIADB_BASE_VERSION that matches "MariaDB Connector/C 3.0" and 
> > later?
> 
> MARIADB_PACKAGE_VERSION_ID stores the MariaDB Connector/C version 
> number.  I don't know what version mysql_optionsv first appears in but 
> we do know it's in 3.0.0 at the very least which is where mysql_options 
> is deprecated so I would say MARIADB_PACKAGE_VERSION_ID is defined and 
>  >= 3 should be sufficient to allow this to keep working with 
> mariadb into the foreseeable future.  From what I can tell 
> mysql_optionsv can be called exactly the same as mysql_options and it 
> should work fine.

Thanks. I have updated the source, adding:

 /*
  * MariaDB Connector/C 3.0 lists mysql_options() as deprecated and
  * recommends using mysql_optionsv() instead. Option names and semantics
  * have not changed.
  */
#if defined(MARIADB_PACKAGE_VERSION_ID) && MARIADB_PACKAGE_VERSION_ID >= 3
#define mysql_options  mysql_optionsv
#endif

Wietse


[pfx] Re: Build error for PostFix 3.9.0 on MacOS with MySQL 8.3: missing mysql_ssl_set()

2024-07-19 Thread Wietse Venema via Postfix-users
Peter via Postfix-users:
> On 19/07/24 11:59, Robert Fuhrer via Postfix-users wrote:
> >> Where does that number come from? It needs to be a version that
> >> introduces all the the MYSQL_OPT_SSL_XXX features that Postfix
> >> needs. This is the preferred API, and it won't be removed in another
> >> 10 years.
> > 
> > The format of MYSQL_VERSION_ID seems to be Mmmss ("M" == "major", "mm" 
> > == "minor version", "ss" == "sub-version").
> > 
> > According to the doc page 
> > I linked, 
> > the preferred API was introduced in v8.0.35.
> > 
> > It might be more hygienic to define a macro symbol like 
> > MYSQL_TLS_NEW_OPTIONS_API_VERSION, whose value is 80035. Of course that 
> > would have to be done in the PostFix source, but it might make clear 
> > what the #if test is dependent on.
> 
> Just to throw another wrench in the works, MariaDB lists mysql_options() 
> as deprecated in MariaDB Connector/C 3.0 and recommends mysql_optionsv() 
> instead:
> 
> https://mariadb.com/kb/en/mysql_options/
> 
> For now it should work, but we may end up needing to patch postfix once 
> again in the near future for this.

Do you happen to know a combination of MYSQL_VERSION_ID, MARIADB_VERSION_ID,
and/or MARIADB_BASE_VERSION that matches "MariaDB Connector/C 3.0" and later?

Wietse



[pfx] Re: Build error for PostFix 3.9.0 on MacOS with MySQL 8.3: missing mysql_ssl_set()

2024-07-19 Thread Wietse Venema via Postfix-users
Robert Fuhrer via Postfix-users:
> > I couldn't find a suitable "capability macro", i.e., something
> >> that signals at the preprocessor level that the new options API
> >> is available.
> >> 
> >> Instead, I replaced the #if-test in your patch with just:
> >> 
> >> #if MYSQL_VERSION_ID >= 80035
> > 
> > Where does that number come from? It needs to be a version that
> > introduces all the MYSQL_OPT_SSL_XXX features that Postfix
> > needs. This is the preferred API, and it won't be removed in another
> > 10 years.
> 
> The format of MYSQL_VERSION_ID seems to be Mmmss ("M" == "major",
> "mm" == "minor version", "ss" == "sub-version").
>
> According to the doc page
>  I
> linked, the preferred API was introduced in v8.0.35.

Then that is the appropriate version. Thanks.

Wietse


[pfx] Re: Fwd: Build error for PostFix 3.9.0 on MacOS with MySQL 8.3: missing mysql_ssl_set()

2024-07-18 Thread Wietse Venema via Postfix-users
> Unfortunately, it doesn't work as is, b/c one can't use the C
> preprocessor "defined()" operator on enum symbols, which the various
> MYSQL_OPT_SSL_* symbols all are. You can basically only reference
> preprocessor macro symbols in the #if-test.
> 
> (BTW, the patch you inlined didn't have a leading space on the
> common-context lines, so `patch` barfed on it until I fixed that.)

This is "diff -u" output which has +, -, or space prepended to
each source line. If MacOS email mis-handles leading space, then
that is too bad.

> I couldn't find a suitable "capability macro", i.e., something
> that signals at the preprocessor level that the new options API
> is available.
> 
> Instead, I replaced the #if-test in your patch with just:
> 
> #if MYSQL_VERSION_ID >= 80035

Where does that number come from? It needs to be a version that
introduces all the MYSQL_OPT_SSL_XXX features that Postfix
needs. This is the preferred API, and it won't be removed in another
10 years.

Wietse


[pfx] Re: Build error for PostFix 3.9.0 on MacOS with MySQL 8.3: missing mysql_ssl_set()

2024-07-18 Thread Wietse Venema via Postfix-users
Robert Fuhrer via Postfix-users:
> Hi,
> 
> MacOS ships with an ancient version of PostFix (3.2.2!).
> 
> I already have PostFix running nicely, but I have no idea when Apple will 
> update PostFix, or worse, remove it altogether (!), so I'm building PostFix 
> 3.9.0 from source. 
> 
> The only error I'm running into is in compiling the MySQL support. The latest 
> MySQL that Homebrew provides is 8.3.0, which doesn't define the function 
> mysql_ssl_set(), referenced at src/global/dict_mysql.c:603.
> 
> Interestingly, that function was deprecated as of MySQL 8.0.35, removed in 
> 8.3.0, and reinstated in 8.4.0 
>  (see the C 
> API Notes section of that page), but it's still deprecated. Apparently it was 
> deprecated in the first place b/c its functionality is available via 
> mysql_options() -- see this doc page 
> , and the Note at 
> the top.
> 
> Again, though, I don't know how long it will be before Homebrew updates their 
> MySQL, so I may be stuck this way for a good while.
> 
> Also, since the function's still deprecated, MySQL might remove it again in a 
> future release.
> 
> For now, I can just disable MySQL support (I'm only *thinking* of using it in 
> the future), but perhaps others might be more interested.
> 

I guess that we could make the build conditional. See patch below.

Would be good if you could find out if that works. I have only very
old and very new implementations at hand.

Wietse

diff '--exclude=man' '--exclude=html' '--exclude=README_FILES' 
'--exclude=INSTALL' '--exclude=.indent.pro' -r -ur 
/var/tmp/postfix-3.10-20240622/src/global/dict_mysql.c ./src/global/dict_mysql.c
--- /var/tmp/postfix-3.10-20240622/src/global/dict_mysql.c  2024-01-29 
18:46:48.0 -0500
+++ ./src/global/dict_mysql.c   2024-07-18 13:25:49.885661224 -0400
@@ -598,12 +598,29 @@
mysql_options(host->db, MYSQL_READ_DEFAULT_FILE, 
dict_mysql->option_file);
 if (dict_mysql->option_group && dict_mysql->option_group[0])
mysql_options(host->db, MYSQL_READ_DEFAULT_GROUP, 
dict_mysql->option_group);
+#if defined(MYSQL_OPT_SSL_KEY) && defined(MYSQL_OPT_SSL_CERT) \
+&& defined(MYSQL_OPT_SSL_CA) && defined(MYSQL_OPT_SSL_CAPATH) \
+&& defined(MYSQL_OPT_SSL_CIPHER)
+/* Preferred API. */
+if (dict_mysql->tls_key_file)
+   mysql_options(host->db, MYSQL_OPT_SSL_KEY, dict_mysql->tls_key_file);
+if (dict_mysql->tls_cert_file)
+   mysql_options(host->db, MYSQL_OPT_SSL_CERT, dict_mysql->tls_cert_file);
+if (dict_mysql->tls_CAfile)
+   mysql_options(host->db, MYSQL_OPT_SSL_CA, dict_mysql->tls_CAfile);
+if (dict_mysql->tls_CApath)
+   mysql_options(host->db, MYSQL_OPT_SSL_CAPATH, dict_mysql->tls_CApath);
+if (dict_mysql->tls_ciphers)
+   mysql_options(host->db, MYSQL_OPT_SSL_CIPHER, dict_mysql->tls_ciphers);
+#else
+/* Deprecated API. */
 if (dict_mysql->tls_key_file || dict_mysql->tls_cert_file ||
dict_mysql->tls_CAfile || dict_mysql->tls_CApath || 
dict_mysql->tls_ciphers)
mysql_ssl_set(host->db,
  dict_mysql->tls_key_file, dict_mysql->tls_cert_file,
  dict_mysql->tls_CAfile, dict_mysql->tls_CApath,
  dict_mysql->tls_ciphers);
+#endif
 #if defined(DICT_MYSQL_SSL_VERIFY_SERVER_CERT)
 if (dict_mysql->tls_verify_cert != -1)
mysql_options(host->db, DICT_MYSQL_SSL_VERIFY_SERVER_CERT,
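Review bot: the guard at the top of the hunk, `#if defined(MYSQL_OPT_SSL_KEY) && defined(MYSQL_OPT_SSL_CERT) ...`, never selects the preferred API: as the follow-up in this thread points out, the MYSQL_OPT_SSL_* names are enum symbols rather than preprocessor macros, so every `defined()` evaluates to 0 and every build, old or new, falls through to the `#else` branch and the mysql_ssl_set() call that is missing on MySQL 8.3. Test the library version instead, e.g. `#if MYSQL_VERSION_ID >= 80035` (the release the thread settles on, where mysql_ssl_set() was deprecated in favour of mysql_options()), and put a one-line comment above it saying why that cutoff was chosen so the next reader does not have to re-derive it from the MySQL release notes.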


[pfx] Re: Per-domain recipient_delimiter (plussed addressing)

2024-07-18 Thread Wietse Venema via Postfix-users
Kenneth Porter via Postfix-users:
> I'm tasked with serving a new domain (taking over a subsidiary's mail) 
> where the usernames are first initial, dot, and last name (eg. k.porter) 
> so I need to disable dot as a recipient delimiter for just that domain.

Two options:

- Disable the recipient_delimiter feature, and use PCRE tables for
  domain-dependent email address rewriting and routing.

- Use separate Postfix instances (on separate IP addresses) for
  domains with conflicting recipient_delimiter settings.

Note that recipient_delimiter is a set: "recipient_delimiter = +-"
will try the "+" before trying the "-".

Wietse


[pfx] Re: Postfix to other mta

2024-07-18 Thread Wietse Venema via Postfix-users
Jeff Pang via Postfix-users:
> 
> In default setup when postfix deliver messages to other MTA, is it going 
> by ssl/tls or plaintext?

https://www.postfix.org/postconf.5.html#smtp_tls_security_level

Wietse


[pfx] Re: When is recipent_delimiter applied?

2024-07-18 Thread Wietse Venema via Postfix-users
Kenneth Porter via Postfix-users:
> I'm reading through this document and don't see recipient_delimiter 
> mentioned. Where is it applied to the incoming addresses? (It's 
> otherwise a great, detailed document. I just don't see this one feature 
> discussed, and I use it a lot as a user.)
> 
> https://www.postfix.org/ADDRESS_REWRITING_README.html

Look in

https://www.postfix.org/canonical.5.html
https://www.postfix.org/virtual.5.html
https://www.postfix.org/aliases.5.html
https://www.postfix.org/generic.5.html
https://www.postfix.org/pipe.8.html
https://www.postfix.org/local.8.html
https://www.postfix.org/postconf.5.html#forward_path
https://www.postfix.org/postconf.5.html#propagate_unmatched_extensions

It's sometimes called "address extension".

Wietse


[pfx] Re: Preserve client ip when using haproxy load balancer in front of postfix relay

2024-07-16 Thread Wietse Venema via Postfix-users
sandeep pawar via Postfix-users:
> Planning to add Haproxy server for resiliency to better control backend
> postfix relay servers for some of the clients like Java/GO
> Java clients -> Haproxy -> Postfix relays with policy service -> other SMTP
> servers -> internet

With that configuration, HAproxy will send the Java client IP address
to the Postfix relays. 

There is no need to use postscreen. The non-postscreen SMTP daemons
support the HAproxy protocol when they are configured with
"smtpd_upstream_proxy_protocol = haproxy", and the check_policy_service
feature will provide the Java client IP address to the policy server.

Wietse


[pfx] Re: Preserve client ip when using haproxy load balancer in front of postfix relay

2024-07-16 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> sandeep pawar via Postfix-users:
> > Some of the Java mail client libraries don't support MX record and don't
> > have a good retry mechanism and therefore want to run a group of relay
> > behind load-balancer so that when relays are patched, no mails are lost by
> > ensuring a right health check.
> > 
> > These relays are authenticated and also have policy service configured
> > which also take decisions based on client IP.
> > 
> > Want to understand how I can preserve client IP in Postfix and use it
> > further in logging and policy service if possible. Found some reference
> > around sendproxy protocol.
> 
> The picture is
> 
> Java clients -> Postfix relays with policy service -> other SMTP servers -> 
> internet
> 
> and you want to know the Java client IP address in the other SMTP
> servers?  Postfix SMTP servers and clients implement the XFORWARD
> protocol for doing that, but it requires that the other servers
> support that protocol.

Unfortunately, there is an omission in the code: When XFORWARD support
was added, I forgot to add it to the check_policy_service policy
delegation feature.

Wietse

> > Open to any other suggestion to make relays highly available for client and
> > save against edge case with small downtime.
> 
>   Wietse
> ___
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
> 


[pfx] Re: Preserve client ip when using haproxy load balancer in front of postfix relay

2024-07-16 Thread Wietse Venema via Postfix-users
sandeep pawar via Postfix-users:
> Some of the Java mail client libraries don't support MX record and don't
> have a good retry mechanism and therefore want to run a group of relay
> behind load-balancer so that when relays are patched, no mails are lost by
> ensuring a right health check.
> 
> These relays are authenticated and also have policy service configured
> which also take decisions based on client IP.
> 
> Want to understand how I can preserve client IP in Postfix and use it
> further in logging and policy service if possible. Found some reference
> around sendproxy protocol.

The picture is

Java clients -> Postfix relays with policy service -> other SMTP servers -> 
internet

and you want to know the Java client IP address in the other SMTP
servers?  Postfix SMTP servers and clients implement the XFORWARD
protocol for doing that, but it requires that the other servers
support that protocol.

> Open to any other suggestion to make relays highly available for client and
> save against edge case with small downtime.

Wietse


[pfx] Re: Returning email from relay-only server on bounce

2024-07-15 Thread Wietse Venema via Postfix-users
Samer Afach via Postfix-users:
> postfix/smtp[299]: C0A3C9F906D0: to=, 
> relay=10.10.100.100[10.10.100.100]:25, delay=957, delays=950/0.02/6.4/0, 
> dsn=5.4.6, status=bounced (mail for 10.10.100.100 loops back to myself)
> 

And that comes after these warnings:

postfix/smtp[289]: warning: host 10.10.100.100[10.10.100.100]:25 greeted
me with my own hostname example.com

postfix/smtp[289]: warning: host 10.10.100.100[10.10.100.100]:25 replied
to HELO/EHLO with my own hostname example.com

So give Postfix a proper hostname instead of the mail domain (and
stop ignoring Postfix warning messages).

Wietse


[pfx] Enough! ("Variable" message_size_limit?)

2024-07-13 Thread Wietse Venema via Postfix-users
Children, play nice, or go off-list.

Wietse


[pfx] Re: Mysteries of user semi-banning

2024-07-11 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users:
>   In:  RCPT To:
>   Out: 451 4.3.5 Server configuration error
> 
> Well, that's strange.  Mail from people not on the restricted list was

You will find more detailed info in the logs.

By design Postfix won't disclose configuration mistakes in SMTP replies.

Wietse


[pfx] Re: sending email to FQDN address without DNS

2024-07-11 Thread Wietse Venema via Postfix-users
Adam Weremczuk via Postfix-users:
> Hi all,
> 
> I have a highly isolated host (e.g. most outgoing traffic blocked, no 
> DNS) but I would like to use Postfix on that host to send certain emails 
> to a single address exam...@example.com.
> 
> I've already allowed 25 TCP traffic to the email server of example.com, 
> which is normally sufficient.
> 
> How about telling Postfix that this server is the MX record of example.com?
> 
> With DNS working that's how Postfix normally figures it out, by 
> requesting MX records and trying them by priority order, right?
> 
> Without DNS, can I hardcode it somewhere?

With 

main.cf:
disable_dns_lookups = yes
smtp_host_lookup = native

the Postfix SMTP client will usually look in /etc/hosts.

Wietse


[pfx] Re: "Variable" message_size_limit?

2024-07-10 Thread Wietse Venema via Postfix-users
Steffen Nurpmeso via Postfix-users:
> That looks doable, but it seems to me that i then have to use
> a very high limit which postfix announces via "250-SIZE", and
> reject many (practically all) emails because of size restrictions

You can suppress the SIZE announcement with

smtpd_discard_ehlo_keywords = size, silent_discard

but you'd still have to configure message_size_limit as the maximal
upperbound of the allowed message sizes.

Wietse


[pfx] Re: "Variable" message_size_limit?

2024-07-10 Thread Wietse Venema via Postfix-users
The Postfix message size limit is an MTA property, not something
that varies with the sender. Or client. Or recipient address. If
you want to allow a larger size, increase message_size_limit, and
use postfwd or the like to enforce a lower limit in
smtpd_end_of_data_restrictions.

In the policy delegation protocol,

  * The "size" attribute value specifies the message size that the client
specified in the MAIL FROM command (zero if none was specified). With
Postfix 2.2 and later, it specifies the actual message size after the
client sends the END-OF-MESSAGE.


Wietse

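As an added example (not Postfix code and not any poster's script), here is a check_policy_service handler of the kind suggested above for smtpd_end_of_data_restrictions: it enforces a lower per-sender limit from the "size" attribute only at END-OF-MESSAGE, and keys an exemption off "client_address", which behind HAProxy is the real upstream client only when smtpd_upstream_proxy_protocol = haproxy is set, as the HAProxy thread earlier on this page explains. The limits, the trusted network and the sender addresses are constructed placeholders.

```python
"""Postfix policy-delegation handler with a per-sender size cap.

Added example: not Postfix code and not any poster's script. The request
format (name=value lines ending with an empty line, answered by "action=..."
plus an empty line) follows Postfix's SMTPD_POLICY_README. The limits, the
trusted client network and the sender addresses are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import sys

MIB = 1024 * 1024
DEFAULT_LIMIT = 10 * MIB        # constructed: cap for everyone else
TRUSTED_NET_LIMIT = 25 * MIB    # constructed: cap for clients in TRUSTED_CLIENT_NETS
TRUSTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed (TEST-NET-1)
PER_SENDER_LIMIT = {            # constructed: explicit override per envelope sender
    "bulk@example.com": 50 * MIB,
}
# message_size_limit in main.cf must stay at or above the largest value here;
# this service can only lower the effective limit, never raise it.


def parse_request(raw: str) -> dict[str, str]:
    """Parse one policy request: 'name=value' lines up to the first empty line."""
    attrs: dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {line!r}")
        attrs[name] = value
    return attrs


def effective_limit(attrs: dict[str, str]) -> int:
    """Pick the cap for this request from client address and sender.

    client_address is whatever smtpd saw. Behind HAProxy that is the real
    upstream client only when smtpd_upstream_proxy_protocol = haproxy is set;
    otherwise it is the load balancer's own address and this exemption is wrong.
    """
    limit = DEFAULT_LIMIT
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        client = None
    if client is not None and any(client in net for net in TRUSTED_CLIENT_NETS):
        limit = TRUSTED_NET_LIMIT
    sender = attrs.get("sender", "").lower()
    return PER_SENDER_LIMIT.get(sender, limit)


def decide(attrs: dict[str, str]) -> str:
    """Return the Postfix action for one request.

    Only END-OF-MESSAGE is enforced: there "size" is the byte count Postfix
    actually received. At earlier stages it is merely the client's SIZE=
    claim from MAIL FROM (0 if absent), which must not be trusted.
    """
    if attrs.get("protocol_state") != "END-OF-MESSAGE":
        return "DUNNO"
    try:
        size = int(attrs.get("size", "0"))
    except ValueError:
        return "DUNNO"  # never turn a malformed attribute into a reject
    limit = effective_limit(attrs)
    if size > limit:
        return f"552 5.3.4 Message size {size} exceeds limit {limit}"
    return "DUNNO"


def handle(raw: str) -> str:
    """Produce the reply text Postfix expects: 'action=...' then an empty line."""
    return f"action={decide(parse_request(raw))}\n\n"


def serve(stream_in, stream_out) -> int:
    """Answer requests one after another on a stream pair (spawn(8) style).

    Returns the number of requests answered.
    """
    pending: list[str] = []
    answered = 0
    for line in stream_in:
        line = line.rstrip("\n")
        if line:
            pending.append(line)
            continue
        if pending:  # an empty line terminates one request
            stream_out.write(handle("\n".join(pending) + "\n\n"))
            stream_out.flush()
            pending = []
            answered += 1
    return answered


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Listed under check_policy_service in smtpd_end_of_data_restrictions, it returns DUNNO for every earlier stage, so a RCPT-time lookup of the same service is harmless but pointless.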

[pfx] Re: Need help debugging Python in Postfix

2024-07-08 Thread Wietse Venema via Postfix-users
Simon Thorpe (PST) via Postfix-users:
> Hi
> 
> I am working on a Postfix server which accepts email for the domain it's
> authoritative for (e.g. mydomain.com) and then duplicates each email to a
> configurable list of other domains, i.e. an email to al...@mydomain.com is
> forwarded onto al...@anotherdomain.com and al...@whatdomain.com.
> 
> This server is being used for the demonstration of our own email security
> systems, where different sales people can get a steady flow of email to
> populate their own email inboxes.
> 
> So far I have successfully built a Postfix server, configured it to accept
> mail and then I have a Python script which runs for each email received and
> enumerates through each domain I want to send to. So far, an initial
> prototype shows it is working. However, I want to now add a lot more
> logging and have the domain configuration come from a database.
> 
> Ideally I want to be writing the Python in VSCode and running Postfix in a
> debug environment where I can step through code and develop quickly.
> 
> I've tried searching, but I cannot find a way to debug Python scripts
> running in Postfix. I don't like the idea of writing out a lot of logging
> lines, that's a slow way to develop the code.
> 
> Anyone have experience with debugging Python scripts in Postfix? I'm
> running version 3.6.4

It depends on how a Python script is controlled by a debugger.

By design, Postfix isolates programs from the user who sends email.
That eliminates a huge number of privilege escalation exploits.

This means that Postfix does not propagate your debugging file
handles and environment variables to programs that Postfix runs.

You can configure Postfix to export environment settings to programs
that it runs. The default exports are:

main.cf:
export_environment = TZ MAIL_CONFIG LANG

You can add to this like so:

main.cf:
export_environment = TZ MAIL_CONFIG LANG foo=bar

Maybe you can modify the python code, and somehow import the remote
controls that you need for debugging.

Wietse


[pfx] Re: Cyrus SASL summary

2024-07-04 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> > * Both postfix and the daemon need to be able to open and read and
> > write the socket. The sasl package adds a sasl group but not a sasl
> > user, so I added postfix to the users for the sasl group, and run the
> > daemon as postfix:sasl. The user/group for the daemon is set in
> > /etc/systemd/system/saslauthd.service.d/user.conf
> 
> I don't recommend running "saslauthd" as the "postfix" user, better to
> create a suitable dedicated user instead.

+1. Please don't run other programs with the 'postfix' uid or
'postdrop' gid. These are part of a multi-layer defense.

Wietse


[pfx] Re: Still no luck with Cyrus SASL

2024-07-03 Thread Wietse Venema via Postfix-users
Use strace to find out what pathname Postfix (through libsasl) is
trying to connect to.

1 - Connect to Postfix with gnutls-cli or "openssl s_client".

2 - Run "strace -p pid-of-smtpd -o output-file".

3 - Send EHLO, AUTH, QUIT.

4 - Look in the trace created in [2] and populated in [3].

Wietse


[pfx] Re: Still no luck with Cyrus SASL

2024-07-02 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users:
> The daemon works fine either way, per the test above, but postfix
> doesn't talk to it.

I can't share first-hand experiences, but I know that Postfix
never talks to saslauthd. Instead, libsasl does the talking.

It may be instructive to compare strace outputs for the Postfix
smtpd process with strace for the testsaslauthd command. If Postfix
is barking up the wrong tree, then strace should reveal that.

Wietse


[pfx] Re: how to reject a domain delivery

2024-06-29 Thread Wietse Venema via Postfix-users
Corey Hickman via Postfix-users:
> Hello
> 
> I have basic postfix/dovecot installation.
> How can I setup postfix or dovecot to reject the specified domain in sender?
> I know I can setup sieve script to discard messages from that
> domain, but this method sounds rather rigid.

If the list is short, it can go in main.cf:

/etc/postfix/main.cf:
smtpd_sender_restrictions = inline:{
{ example.com = reject }
{ other.example = reject} }

Otherwise some external file will do:

/etc/postfix/main.cf:
smtpd_sender_restrictions = hash:/etc/postfix/sender-access

/etc/postfix/sender-access:
example.com reject
other.example reject

Run "postmap /etc/postfix/sender-access" after editing the file.

> Or shall I install rspamd etc to make a reject policy for that?

That would work too, as long as rspamd etc. are called from a Postfix
SMTP daemon that receives mail directly from the network (not from
a Postfix SMTP daemon that receives mail from a content filter).

Wietse


[pfx] Re: DANE and STS

2024-06-25 Thread Wietse Venema via Postfix-users
Jeff Pang via Postfix-users:
> 
> I asked the question "what's smtp dane in modern email system?" to 
> chatgpt. Here is gpt's answer which I think to be valueful. so I share here.
 
I see similarities with 
https://www.nccoe.nist.gov/publication/1800-6/VolB/index.html

Wietse


[pfx] Re: Bounces are disappearing

2024-06-24 Thread Wietse Venema via Postfix-users
Nico Hoffmann via Postfix-users:
>Jun 23 22:50:02 schubert postfix/qmgr[26673]: 60970354BC3:
>from=, size=471, nrcpt=1 (queue active)

This message was sent from x...@lewonzelewonze.de, therefore
a non-delivery notification will be sent to that address. This is
defined in the SMTP protocol, also known as RFC 5321.

>Jun 23 22:50:12 schubert postfix/bounce[7837]: 60970354BC3: sender
>non-delivery notification: 3DBEA354BC8
>...dialup...
>Jun 23 22:50:27 schubert postfix/qmgr[26673]: 3DBEA354BC8: from=<>, 
> size=2533,
>nrcpt=1 (queue active)
>Jun 23 22:50:27 schubert postfix/smtp[7836]: 3DBEA354BC8:
>to=, relay=mail.gmx.de[212.227.17.168]:25, delay=16,
>delays=15/0/0.76/0.05, dsn=5.0.0, status=bounced (host

As required by RFC 5321 the non-delivery notification is sent to
x...@lewonze.de.

Also as required by RFC 5321 the non-delivery notification has a
null sender address. After a delivery failure the MTA MUST NOT send
another non-delivery notification.

You can configure Postfix to send you some information
about undeliverable mail:

main.cf:
notify_classes = resource, software, bounce
bounce_notice_recipient = you@localhost

This is not a backup mechanism, you only receive the message header.

Wietse


[pfx] Re: how to implement this route

2024-06-24 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> On 2024-06-23 20:24, Wietse Venema via Postfix-users wrote:
> > Jeff Peng via Postfix-users:
> >> Hello
> >> 
> >> I saw gmx.de/web.de have a policy that, if the submission IP is not 
> >> from
> >> DE/EU, messages will be routed to a different gateway which is listed 
> >> in
> >> spamhaus already. Otherwise if submission client's IP is in DE/EU,
> >> messages will be routed out via the normal gateway whose IP is clean.
> >> How to customized my own transport for that?
> > 
> > You can configure customized SMTP clients in master.cf, each with
> > an appropriate smtp_bind_address setting, and use transport_maps
> > to choose between those clients.
> 
> Thanks Wietse. other than binding multi-IP on a same host, is it better 
> to have multi-geobased-MTAs for incoming messages?

My response was a joke. It's the kind of useless answer that an AI
would produce.

Wietse


[pfx] Re: DQS key in error responses

2024-06-23 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users:
> On 2024-06-23 at 08:30:53 UTC-0400 (Sun, 23 Jun 2024 08:30:53 -0400 (EDT))
> Wietse Venema via Postfix-users 
> is rumored to have said:
> 
> > Wietse Venema via Postfix-users:
> >> If you specify
> >>
> >> reject_rbl_client string-with-complex-syntax
> >>
> >> Then the rbl_reply_maps search key will be that
> >> string-with-complex-syntax.
> > ...
> >> Unlike rbl_reply_maps, postscreen strips the filter (and weight)
> >> before searching the reply table. There are merits to both approaches.
> >> Zen is a combination of XBL, PBL, and other lists. In some cases
> >> one might want to handle XBL, PBL, etc. differently.
> >
> > It may be helpful to update rbl_reply_maps, so that it will query
> > with the domain, after a query with domain=filter returns 'not
> > found'.
> >
> > That's a backwards compatible change that can simplify configuration.
> 
> Yes, that would help a bit.

I have some code for Postfix 3.10. rbl_reply_maps will first search
the table with the reject_rbl_* or reject_rhsbl_* argument.

If the argument result is not found, and the argument has the form
domain=address, then rbl_reply_maps will also search with the
domain.

That still allows different responses for different address filters,
but most sites won't need that flexibility.

Wietse


[pfx] Re: Precision of time in Postfix log files

2024-06-23 Thread Wietse Venema via Postfix-users
Peter Uetrecht via Postfix-users:
> Hello list,
> 
> is the precision of time in Postfix log files (version 3.8.4) configurable
> (microseconds or milliseconds)?

Postfix does not generate the timestamp for logfiles written by
syslogd or equivalent. That is done by the syslog(3) system library
function.

To group related records together, see the collate script in the
Postfix source tarball in the auxiliary/collate directory.

Wietse


[pfx] Re: how to implement this route

2024-06-23 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> Jeff Peng via Postfix-users:
> > Hello
> > 
> > I saw gmx.de/web.de have a policy that, if the submission IP is not from 
> > DE/EU, messages will be routed to a different gateway which is listed in 
> > spamhaus already. Otherwise if submission client's IP is in DE/EU, 
> > messages will be routed out via the normal gateway whose IP is clean. 
> > How to customized my own transport for that?
> 
> You can configure customized SMTP clients in master.cf, each with
> an appropriate smtp_bind_address setting, and use transport_maps
> to choose between those clients.
> 
> References:
> https://www.postfix.org/postconf.5.html#smtp_bind_address
> https://www.postfix.org/transport.5.html
> 
> AI is an experimental feature of this mailing list.

A small improvement: instead of transport_maps, one could use a
FILTER action in check_policy_service, SMTP server access table,
or in header/body_checks.

Wietse


[pfx] Re: DQS key in error responses

2024-06-23 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> If you specify
>
> reject_rbl_client string-with-complex-syntax
>
> Then the rbl_reply_maps search key will be that 
> string-with-complex-syntax.
...
> Unlike rbl_reply_maps, postscreen strips the filter (and weight)
> before searching the reply table. There are merits to both approaches.
> Zen is a combination of XBL, PBL, and other lists. In some cases
> one might want to handle XBL, PBL, etc. differently.

It may be helpful to update rbl_reply_maps, so that it will query
with the domain, after a query with domain=filter returns 'not
found'.

That's a backwards compatible change that can simplify configuration.

Wietse


[pfx] Re: how to implement this route

2024-06-23 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello
> 
> I saw gmx.de/web.de have a policy that, if the submission IP is not from 
> DE/EU, messages will be routed to a different gateway which is listed in 
> spamhaus already. Otherwise if submission client's IP is in DE/EU, 
> messages will be routed out via the normal gateway whose IP is clean. 
> How to customized my own transport for that?

You can configure customized SMTP clients in master.cf, each with
an appropriate smtp_bind_address setting, and use transport_maps
to choose between those clients.

References:
https://www.postfix.org/postconf.5.html#smtp_bind_address
https://www.postfix.org/transport.5.html

AI is an experimental feature of this mailing list.

Wietse


[pfx] Re: DQS key in error responses

2024-06-23 Thread Wietse Venema via Postfix-users
Cody Millard via Postfix-users:
> Check out this link showing a example postfix configuration.
> 
> https://portal.spamhaus.com/dqs/#3.1.2
> 
> I found it to be very helpful in displaying the ranged syntax that 
> spamhaus supports.

For a web page that does not require logging in, see:

https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html

Wietse


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users:
> > Absolutely. If you specify
> >
> > reject_rbl_client string-with-complex-syntax
> >
> > Then the rbl_reply_maps search key will be that 
> > string-with-complex-syntax.
> 
> OK. Right now I have multiple items like this in 
> smtpd_recipient_retrictions
> 
>  reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.2
>  reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.3
>  [... etc.]

In that case you need two table entries like

KEY.zen.dq.spamhaus.net=127.0.0.2   reply text...
KEY.zen.dq.spamhaus.net=127.0.0.3   reply text...

Or a pcre: table with a pattern that matches both.

/^\QKEY.(zen.dq.spamhaus.net)\E(=.*)/ 554 $rbl_class $rbl_what Blocked by 
$1...

But no-one should be doing that.

> So the string being searched is 'KEY.zen.dq.spamhaus.net=127.0.0.2', but 
> if I consolidated those into a single restriction:
> 
>   reject_rbl_client KEY.zen.dq.spamhaus.net=127.0.0.[2..11]
> 
> that would then search for 'KEY.zen.dq.spamhaus.net=127.0.0.[2..11]', 
> matching the existing map entry.

Indeed. Mind you, I had to do some digging myself because address
filters were added 10+ years ago, and their impact on then 10-year
old existing features was not fully documented.

Unlike rbl_reply_maps, postscreen strips the filter (and weight)
before searching the reply table. There are merits to both approaches.
Zen is a combination of XBL, PBL, and other lists. In some cases
one might want to handle XBL, PBL, etc. differently.

Wietse


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> The rbl_reply_maps are searched with the domain specified with
> reject_rbl_client. 
> 
> That includes the optional "=address" portion, added in Postfix
> 2.8, but that was not added to the much older rbl_reply_maps
> documentation.

I have added documentation for how rbl_reply_maps handles reject_rbl_*
or reject_rhsbl_* arguments with an address filter. That text should
have been added in Postfix 2.8.

Wietse

rbl_reply_maps (default: empty)

Optional lookup tables with RBL or RHSBL response templates.
The table search key is the reject_rbl_* or reject_rhsbl_*
argument, including any optional "=address-pattern" filter. By
default, Postfix uses the default template as specified with
the default_rbl_reply configuration parameter. See there for a
discussion of the response template syntax.

(Example omitted)

NOTE: This feature differs from postscreen_dnsbl_reply_map where
the table search key is a domain name (no "=address" filter,
no "*weight" factor) and where the lookup result should be a
domain name (no free text, no $name variables).

This feature is available in Postfix 2.0 and later. The
"=address-pattern" filter is available in Postfix 2.8 and later.


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Bill Cole via Postfix-users:
> On 2024-06-22 at 15:19:42 UTC-0400 (Sat, 22 Jun 2024 15:19:42 -0400 
> (EDT))
> Wietse Venema via Postfix-users 
> is rumored to have said:
> 
> [...]
> > The rbl_reply_maps are searched with the domain specified with
> > reject_rbl_client.
> >
> > That includes the optional "=address" portion, added in Postfix
> > 2.8, but that was not added to the much older rbl_reply_maps
> > documentation.
> >
> > There is an rbl_reply_maps example (a hash map) at
> > https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html
> >
> > your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]
> > 554 $rbl_class $rbl_what blocked using ZEN - see ... for details
> 
> Are you certain that the range syntax works?

Absolutely. If you specify

reject_rbl_client string-with-complex-syntax

Then the rbl_reply_maps search key will be that string-with-complex-syntax.

Wietse


[pfx] Re: DQS key in error responses

2024-06-22 Thread Wietse Venema via Postfix-users
Cody Millard via Postfix-users:
> Hello list.
> 
> I included Spamhaus XBL in client restrictions for my server. An error 
> is supplied to the individual/bot that is trying to connect that looks 
> like the following:
> 
> Transcript of session follows. Out: 554 5.7.1 Service unavailable; 
> Client host [57.152.56.248] blocked using .xbl.dq.spamhaus.net; 
> Listed by XBL, see https://check.spamhaus.org/query/ip/57.152.56.248 In: 
> ??? Out: 500 5.5.2 Error: bad UTF-8 syntax In: Out: 500 5.5.2 Error: bad 
> UTF-8 syntax In: ? Out: 221 2.7.0 Error: I can break rules, too. 
> Goodbye. For other details, see the local mail logfile
> 
> You can see my DQS key in the error sent to the client. Is this a 
> problem? If so, how could I remove the DQS key from the response?

The rbl_reply_maps are searched with the domain specified with
reject_rbl_client. 

That includes the optional "=address" portion, added in Postfix
2.8, but that was not added to the much older rbl_reply_maps
documentation.

There is an rbl_reply_maps example (a hash map) at
https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/MTAs/020-Postfix.html

your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]
554 $rbl_class $rbl_what blocked using ZEN - see ... for details
...
your_DQS_key.zen.dq.spamhaus.net
554 $rbl_class $rbl_what blocked using ZEN - see ... for details
...

This behavior is different from postscreen; that program searches
the reply table with the service domain (your_DQS_key.zen.dq.spamhaus.net),
i.e. without the optional "=address" or "*weight".

Wietse
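
Added example, not from the thread and not Postfix code: a small Python
model of the two lookups described above. The smtpd(8) search key is the
reject_rbl_client argument verbatim, "=address-pattern" filter included,
while postscreen(8) strips the "=address" and "*weight" suffixes. The
template expander handles the $name, ${name} and ${name?text} forms from
access(5); the constructed table uses a template without $rbl_domain, so
the DQS key never reaches the client. "your_DQS_key" and POLICY_URL are
placeholders.

```python
import re
from typing import Dict

# Constructed rbl_reply_maps contents (not from the list post).  The
# smtpd(8) search key is the reject_rbl_client argument verbatim,
# "=address-pattern" filter included.  "your_DQS_key" and POLICY_URL
# are placeholders.
RBL_REPLY_MAPS: Dict[str, str] = {
    "your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]":
        "554 $rbl_class $rbl_what blocked using ZEN - see POLICY_URL for details",
    "your_DQS_key.zen.dq.spamhaus.net":
        "554 $rbl_class $rbl_what blocked using ZEN - see POLICY_URL for details",
}

# Postfix's documented default_rbl_reply template; it names the DNSBL
# domain, which is exactly what leaks a DQS key.
DEFAULT_RBL_REPLY = ("$rbl_code Service unavailable; $rbl_class [$rbl_what] "
                     "blocked using $rbl_domain${rbl_reason?; $rbl_reason}")

# Subset of Postfix template expansion: $name, ${name} and ${name?text}
# (text is expanded only when $name is non-empty).
_VAR = re.compile(r"\$(?:(?P<name>\w+)|\{(?P<cname>\w+)(?:\?(?P<cond>[^}]*))?\})")


def expand(template: str, attrs: Dict[str, str]) -> str:
    """Expand a reply template with the session attributes."""
    def repl(m: re.Match) -> str:
        name = m.group("name") or m.group("cname")
        value = attrs.get(name, "")
        if m.group("cond") is not None:
            return expand(m.group("cond"), attrs) if value else ""
        return value
    return _VAR.sub(repl, template)


def smtpd_reply_key(restriction_arg: str) -> str:
    """smtpd(8): the key is the reject_rbl_* argument, filter included."""
    return restriction_arg


def postscreen_reply_key(dnsbl_site: str) -> str:
    """postscreen(8): the key is the bare service domain, without the
    optional '=address' filter or '*weight' factor."""
    return re.split(r"[=*]", dnsbl_site, maxsplit=1)[0]


def build_reply(restriction_arg: str, attrs: Dict[str, str],
                maps: Dict[str, str] = RBL_REPLY_MAPS) -> str:
    """Reply text smtpd(8) would send: the table entry for the exact
    reject_rbl_client argument, else the default_rbl_reply template."""
    template = maps.get(smtpd_reply_key(restriction_arg), DEFAULT_RBL_REPLY)
    return expand(template, attrs)


def leaks_secret(reply: str, secret: str) -> bool:
    """True when the secret (e.g. a DQS key) appears in the reply text."""
    return secret in reply


if __name__ == "__main__":
    session = {"rbl_code": "554", "rbl_class": "Client host",
               "rbl_what": "192.0.2.10",
               "rbl_domain": "your_DQS_key.zen.dq.spamhaus.net",
               "rbl_reason": "Listed by ZEN"}
    for arg in ("your_DQS_key.zen.dq.spamhaus.net=127.0.0.[2..11]",
                "unlisted.example=127.0.0.2"):
        reply = build_reply(arg, session)
        print(arg, "->", reply, "| leaks key:", leaks_secret(reply, "your_DQS_key"))
```

The point to check on a live system is the last line of the pair:
once the table entry matches the exact argument used in the
restriction list, the reply no longer contains $rbl_domain and the key
stays out of the SMTP transcript; a mismatched key silently falls back
to the default template.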


[pfx] Re: non_smtpd relayhost ?

2024-06-21 Thread Wietse Venema via Postfix-users
Geert Hendrickx via Postfix-users:
> Hi
> 
> We have few different sets of Postfix mailservers with different roles;
> inbound servers, outbound servers that DKIM sign outgoing mail with a
> milter, and some other servers that just relay mail that is already signed
> elsewhere.
> 
> The first and third types of mailservers don't need to sign mail passing
> through them, but we are looking for a way to sign their locally generated
> mail (bounces or DSN's), preferably without having to setup and maintain
> DKIM milters (and corresponding private keys) on all those servers.

So you're looking at setting up a host that will sign bounces that were
generated on those machines and not elsewhere.

And "those machines" could be back-end hosts that deliver to a
message store.

Fortunately, there is a way to distinguish between locally- and
remotely-generated bounces.

Locally-generated bounces are generated by the Postfix bounce daemon
which talks to a cleanup service to queue a message. One could run
bounce daemons with a cleanup_service override in master.cf:

(Postfix 3.0 long parameter syntax)

bounce ... ... ... ... ... ... ... bounce
    -o { cleanup_service = ndr-cleanup }
defer ... ... ... ... ... ... ... bounce
    -o { cleanup_service = ndr-cleanup }
trace ... ... ... ... ... ... ... bounce
    -o { cleanup_service = ndr-cleanup }

This approach is relatively safe, because it is unlikely to clash
with bounce parameter settings in main.cf. Such main.cf settings
are extremely rare.

To queue the messages, configure a clone of the cleanup service
with a content_filter override that forces delivery to an ndr-signer
host.

ndr-cleanup ... ... ... ... ... ... ... cleanup
    -o { content_filter = smtp:[ndr-signer] }

This approach may conflict with main.cf parameters that target the
"normal" cleanup service. If that is the case then you can override
the conflicting main.cf setting with a ndr-cleanup master.cf override
for that parameter.

A long list is at https://www.postfix.org/cleanup.8.html.

Wietse


[pfx] Re: SPF hostname and domainname

2024-06-21 Thread Wietse Venema via Postfix-users
Peter via Postfix-users:
> On 21/06/24 07:13, Wietse Venema via Postfix-users wrote:
> > Bounces are sent with the null envelope.from address which has no
> > domain. Therefore, SPF applies policy to a surrogate: the hostname
> > in the SMTP client's HELO/EHLO command (as if the envelope.from
> > address was postmaster@helo-argument).
> > 
> > This helo-argument is by default the value of the Postfix myhostname
> > parameter, which depending on myorigin setting may appear in the
> > header.from address mailer-daemon@whatever.
> > 
> > DMARC wants that the domain in envelope.from address (or its surrogate
> > in the case of <>) in some way align with the domain in the header.from
> > address (in this case mailer-daemon@whatever).
> > 
> > If someone can come up with a simple checklist for how to do this
> > then that would be great.
> 
> SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your mail 
> to be accepted:
> 
> 1.  HELO banner should pass SPF.
> 
> 2.  Envelope Sender should pass SPF.
> 
> 3.  Envelope Sender domain should align with the From: header domain.
> 
> 4.  Message should be DKIM signed.
> 
> 5.  Domain for the DKIM signature should align with the From: header domain.
> 
> Not all of the above are necessary (e.g. you can get away with SPF 
> alignment only or DKIM alignment only) but the more of those boxes that 
> you can successfully tick off the better chance you have for you message 
> to be accepted when things go wrong, or when a destination doesn't 
> implement one of the above checks properly.

Thanks. For completeness, in the case of bounce messages, items 2-3
apply as if the sender was postmaster@HELO-argument.

Wietse


[pfx] Re: discard message

2024-06-20 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 20, 2024, at 7:17 AM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> Is there a place in postfix where I could discard mail if it has
> >> a spam score higher than say 4 or 5? I know that postfix hands the
> >> mail off to spamassassin for processing and then receives it back
> >> for delivery, but I'm unclear what checks could be implemented to
> >> catch spam and discard it.
> >> 
> >> This is what I could match on: X-Spam-Status: Yes, score=2.1
> >> 
> >> If the score was higher than some number (e.g >4) than reject the mail.
> > 
> > One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/
> 
> Would this be in header_checks? I confess, I'm not clear on how
> mail is handled after spamassassin returns it to Postfix. Does it
> go all the way through the process again, beginning with header_checks?

That depends. 

If you use the "content_filter" feature then header_checks should do it.

If you use some Milter like rspamd then you need milter_header_checks.

> If it's header_checks, I would probably use something like /^X-Spam-Status: 
> Yes, score=[5-100[/ to catch everything above five.

No. It's a regular expression, it does not compute that 5 is less than 100.
Use a pattern from Viktor's post.

Wietse
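
Added example, not from the thread: Python's re module stands in for a
Postfix regexp: or pcre: header_checks table to show why "[5-100[" cannot
express "5 through 100" (it is a character class, and "5-1" is not even a
valid range), what the single-digit "[5-9]" variant catches and misses,
and how a pattern that also matches two- and three-digit scores can be
written. The sample X-Spam-Status lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# Python re stands in for a Postfix regexp:/pcre: header_checks table.
BROKEN = r"^X-Spam-Status: Yes, score=[5-100["   # character class, "5-1" is not a range
SIMPLE = r"^X-Spam-Status: Yes, score=[5-9]"     # first digit 5..9 only
# 5 and up with any number of digits, optional fraction, then end of field.
GENERAL = r"^X-Spam-Status: Yes, score=(?:[5-9]|[1-9][0-9]+)(?:\.[0-9]+)?(?:\s|$)"

# Constructed sample headers, one per interesting score range.
SAMPLE_HEADERS = [
    "X-Spam-Status: Yes, score=2.1 required=5.0 tests=BAYES_50",
    "X-Spam-Status: Yes, score=5.3 required=5.0 tests=BAYES_99",
    "X-Spam-Status: Yes, score=12.0 required=5.0 tests=BAYES_99,URIBL_BLACK",
    "X-Spam-Status: Yes, score=50 required=5.0 tests=GTUBE",
]


def pattern_compiles(pattern: str) -> bool:
    """False when the regex engine rejects the pattern outright."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def header_action(header: str, pattern: str = GENERAL,
                  action: str = "DISCARD") -> Optional[str]:
    """The header_checks-style action for one header line, or None."""
    return action if re.match(pattern, header) else None


def score_of(header: str) -> Optional[float]:
    """The numeric score, for comparison with what the regex decided."""
    m = re.match(r"^X-Spam-Status: (?:Yes|No), score=(-?[0-9]+(?:\.[0-9]+)?)", header)
    return float(m.group(1)) if m else None


def compare(pattern: str) -> List[Tuple[Optional[float], Optional[str]]]:
    """Map each sample header to (numeric score, action under pattern)."""
    return [(score_of(h), header_action(h, pattern)) for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    print("broken pattern compiles:", pattern_compiles(BROKEN))
    for name, pat in (("SIMPLE", SIMPLE), ("GENERAL", GENERAL)):
        print(name, compare(pat))
```

The comparison shows the gap Wietse points at: "[5-9]" matches 5.3 and
(by accident, through its first digit) 50, but not 12.0, while the
alternation catches everything from 5 upwards without pretending the
regex can compare numbers.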


[pfx] Re: SPF hostname and domainname

2024-06-20 Thread Wietse Venema via Postfix-users
Bounces are sent with the null envelope.from address which has no
domain. Therefore, SPF applies policy to a surrogate: the hostname
in the SMTP client's HELO/EHLO command (as if the envelope.from
address was postmaster@helo-argument).

This helo-argument is by default the value of the Postfix myhostname
parameter, which depending on myorigin setting may appear in the
header.from address mailer-daemon@whatever.

DMARC wants that the domain in envelope.from address (or its surrogate
in the case of <>) in some way align with the domain in the header.from
address (in this case mailer-daemon@whatever).

If someone can come up with a simple checklist for how to do this
then that would be great.

Wietse
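
Added example, not from the thread, covering this message and Peter's
checklist in the follow-up above: Python functions that pick the SPF
identities for a given envelope sender and HELO name (for "<>" only the
HELO surrogate, checked as postmaster@helo, per RFC 7208) and test DMARC
SPF alignment against the header From: domain. The relaxed-mode
organizational domain is approximated by the last two labels; that is a
simplification, since a real verifier uses the Public Suffix List. Host
and domain names are constructed.

```python
from typing import Dict, List, Tuple

Identity = Tuple[str, str, str]   # (identity name, domain checked, address as checked)


def spf_identities(mail_from: str, helo: str) -> List[Identity]:
    """Identities an SPF verifier evaluates for one session.

    The HELO identity is always available.  For the null envelope sender
    "<>" there is no MAIL FROM domain, so the HELO/EHLO hostname is the
    surrogate and the address checked is postmaster@helo (RFC 7208)."""
    helo = helo.strip().lower().rstrip(".")
    sender = mail_from.strip()
    if sender.startswith("<") and sender.endswith(">"):
        sender = sender[1:-1]
    identities: List[Identity] = [("helo", helo, "postmaster@" + helo)]
    if sender == "":
        return identities
    domain = sender.rpartition("@")[2].lower().rstrip(".")
    identities.append(("mailfrom", domain, sender.lower()))
    return identities


def dmarc_spf_domain(mail_from: str, helo: str) -> str:
    """Domain DMARC aligns with the header From: domain: the MAIL FROM
    domain, or the HELO domain when MAIL FROM is empty."""
    return spf_identities(mail_from, helo)[-1][1]


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels.  Real DMARC uses the
    # Public Suffix List, so e.g. "example.co.uk" is handled differently.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(spf_domain: str, header_from: str, mode: str = "relaxed") -> bool:
    """DMARC SPF alignment: strict needs an exact domain match, relaxed
    accepts the same organizational domain."""
    from_domain = header_from.rpartition("@")[2].lower().rstrip(".")
    if mode == "strict":
        return spf_domain.lower().rstrip(".") == from_domain
    return org_domain(spf_domain) == org_domain(from_domain)


def check_bounce(helo: str, header_from: str) -> Dict[str, object]:
    """What a receiver sees for a bounce (envelope sender <>): the HELO
    name carries the SPF check, and it must align with the From: header
    that myorigin put on mailer-daemon@..."""
    spf_domain = dmarc_spf_domain("<>", helo)
    return {
        "spf_domain": spf_domain,
        "checked_as": "postmaster@" + spf_domain,
        "strict": spf_aligned(spf_domain, header_from, "strict"),
        "relaxed": spf_aligned(spf_domain, header_from, "relaxed"),
    }


if __name__ == "__main__":
    # myhostname = mx1.example.org, myorigin = example.org: relaxed only.
    print(check_bounce("mx1.example.org", "mailer-daemon@example.org"))
    # myorigin = myhostname: strict alignment as well.
    print(check_bounce("mx1.example.org", "mailer-daemon@mx1.example.org"))
```

Run against your own myhostname and the From: address your bounces
carry: a "relaxed" True with "strict" False means the setup passes a
domain whose DMARC record has "aspf=r" (the default) but not one with
"aspf=s".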


[pfx] Re: discard message

2024-06-20 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> Is there a place in postfix where I could discard mail if it has
> a spam score higher than say 4 or 5? I know that postfix hands the
> mail off to spamassassin for processing and then receives it back
> for delivery, but I'm unclear what checks could be implemented to
> catch spam and discard it.
> 
> This is what I could match on: X-Spam-Status: Yes, score=2.1
> 
> If the score was higher than some number (e.g >4) than reject the mail.

One could try some variant of /^X-Spam-Status: Yes, score=[5-9]/

Wietse


[pfx] Re: discard message

2024-06-19 Thread Wietse Venema via Postfix-users
postfix--- via Postfix-users:
> > does smtp have an action "discard"? if so where messages will be discarded?
> > I see smtp code has "reject" while sieve has "discard". So I am asking this 
> > question.
> 
> http://www.postfix.org/header_checks.5.html
> There is a DISCARD action.

Also in http://www.postfix.org/access.5.html

Wietse


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Ralph Seichter via Postfix-users:
> * Ansgar Wiechers via Postfix-users:
> 
> > [...]
> 
> Did I ever send mail to you using the mailing list address you got
> barred from targeting, or send mail to you at all from my servers? No,
> I did not.
> 
> You tried to initiate communication by sending mail to an address you
> had no reason to contact, this being a mailing list, and you were thus
> redirected to a page explaining how you could ask for permission to send
> to said protected address in case you had a legitimate reason to (which
> you don't). I have also provided an unrestricted email address so
> anybody can send mail to in order to ask for clearance for the protected
> address, something which you didn't do.
> 
> All this is nothing like using a no-reply address, which is easy enough
> to understand. TL;DR: Apples and oranges.
> 
> > Guess what just happened to horus-it.com on my mail server.
> 
> Go on, guess if I care. :-)

No, don't. Please take this off-list.

Wietse


[pfx] Re: SASL_README correction

2024-06-19 Thread Wietse Venema via Postfix-users
Rob Sterenborg (Lists) via Postfix-users:
> Hi,
> 
> I was reading the SASL_README, "The ldapdb plugin" at:
> 
>  https://www.postfix.org/SASL_README.html#auxprop_ldapdb
> 
> [quote]
> Tip: [...snip...] Instead, you can use "saslauthd -a ldap" to query the 
> LDAP database directly, with appropriate configuration in 
> saslauthd.conf, as described here. [...snip...]
> [/quote]
> 
> The link for "as described here" points to:
> 
>  http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD
> 
> Which returns a "No page found" message.
> 
> I guess it is currently hosted at:
>  
> https://github.com/cyrusimap/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD

Confirmed, your link matches the archived content in the wayback machine at
https://web.archive.org/web/20140301224448/http://git.cyrusimap.org/cyrus-sasl/tree/saslauthd/LDAP_SASLAUTHD

It's a bit dated, but that is what we have.

I have updated the link in Postfix documentation. It will show up
on the website in an hour or so.

Wietse


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Gary R. Schmidt via Postfix-users:
[reply-to header]
> He didn't do it - it's being added by Mailman.  Whether by default or
> deliberately I do not know.

This is damage control for DMARC. The mailing list address goes in
the From: header, and the poster's email address goes in Reply-To:
so that list members can still choose between replying to the poster
or to the list.

Wietse



[pfx] Re: Rate limiting a group of domains

2024-06-18 Thread Wietse Venema via Postfix-users
785 243 via Postfix-users:
> I want to implement rate limiting based on the target server rather
> than by recipient domain. Specifically, I want to rate limit email
> sent to domains like yahoo.com, ymail.com, aol.com, myyahoo.com, and
> verizon.net as a group, since these domains appears to be handled by
> the same servers. This grouping should be done in case the receiving
> server does not discriminate based on domain for rate limiting
> purposes.

/etc/postfix/main.cf:
smtpd_recipient_restrictions = 
    check_recipient_mx_access hash:/etc/postfix/mx_access
    ...
# Also reduces concurrency to 1.
smtp-yahoodns_destination_rate_delay = 1
# Don't declare yahoo dead after a single failure.
smtp-yahoodns_destination_concurrency_failed_cohort_limit = 5

/etc/postfix/mx_access:
# For yahoo.com, ymail.com, myyahoo.com.
yahoodns.net    FILTER smtp-yahoodns:

/postfix/master.cf
smtp-yahoodns unix .. .. .. .. .. .. smtp

This sends one message per second.


Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 18, 2024, at 3:33 PM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
> >> support authentication (POST 
> >> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)
> > 
> > Indeed, you have
> > 
> > smtps  inet  n   -   n   -   -   smtpd
> >     -o smtpd_tls_wrappermode=yes
> >     -o smtpd_sasl_auth_enable=no
> > 
> > Try: smtpd_sasl_auth_enable=yes
> > 
> 
> Doh! After fixing that and restarting postfix, I am successfully sending mail 
> from RC with $config['smtp_host'] = 'ssl://mail.stovebolt.com:465';
> 
> Thanks for your patience with this old man.

Congrats. I also have made progress with the migration from vintage
to present.

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> [18-Jun-2024 14:53:32 -0500]:  PHP Error: SMTP server does not 
> support authentication (POST 
> /webmail/?_task=mail&_unlock=loading1718740412272&_framed=1&_action=send)

Indeed, you have

smtps  inet  n   -   n   -   -   smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=no

Try: smtpd_sasl_auth_enable=yes

Wietse


[pfx] Re: Resetting the discussion

2024-06-18 Thread Wietse Venema via Postfix-users
What about providing Postfix logs? As long as you can't provide
the Postfix perspective, finding help here will be difficult.

Wietse


[pfx] always_add_missing_headers / local_header_rewrite_clients

2024-06-18 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> 465     inet  n   -   n   -   -   smtpd
>     -o smtpd_tls_wrappermode=yes
...
>     -o smtpd_milters=$mua_milters
>     -o always_add_missing_headers=yes

Nit: always_add_missing_headers is a cleanup(8) daemon feature.  It
has no effect in the above configuration. To append headers from
submission(s) clients, one could configure

local_header_rewrite_clients =
permit_sasl_authenticated, permit_inet_interfaces

Should we change the existing default, "local_header_rewrite_clients =
permit_inet_interfaces"?

Wietse


[pfx] Re: Do I have sals authentication properly configured?

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> Both apps on on the same server and *should* be using the same clock.
> > 
> I don't want to waste any more of your time. It's working, so I'm happy.

You can make your life easier by fixing the program that is losing
Postfix logging. systemd has been implicated in such problems.

Wietse


[pfx] Re: Do I have sals authentication properly configured?

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> >>> - Did the client send starttls? That is logged in the "disconnect
> >>> from" line.
> >>> 
> >> 
> >> I don't see anything in the postfix logs (/var/log/maillog) from 
> >> roundcube. I guess I need to enable debug.
> > 
> > No debug logging needed. This information is ALWAYS logged:
> > 
> > Example of client that sends starttls:
> >disconnect from host[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 
> > commands=7
> 
> When I grep for 'disconnect from' I get 118,816 entries in the
> log. 20,297 of those are from one IP.
> 
> When I look in the logs for the timestamp that is in the roundcube
> smtp log, I find nothing.

Yeah. Are your clocks properly synchronized, like NTP? Or do you
use whatever the clock on the motherboard says?

> [17-Jun-2024 15:24:58 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
> Postfix
[successful auth, mail, rcpt, data and so on.]

Clearly you solved a problem by June 17.

> So, that's one session in Roundcube. There should be a corresponding entry in 
> the maillog, right?
> 
> grep "15:24:5" /var/log/maillog

You can do that only if your clocks are accurate to within two seconds,
otherwise it could already be 15:25:0* on the host that runs Postfix.

> Jun 16 15:24:57 ded602 postfix/smtpd[11420]: disconnect from 
> unknown[80.244.11.148] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

That was on June 16, an example of a client that did not send
STARTTLS, and that sent AUTH but failed (0 successful of 1 attempts).
It then sent RSET and QUIT.

Clearly, a different session than the successful one above.

Wietse


[pfx] Re: Troubleshooting roundcube connections to postfix

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 17, 2024, at 4:43 AM, Jaroslaw Rafa via Postfix-users 
> >  wrote:
> > 
> > On 16.06.2024 at 20:54:34 Paul Schmehl via Postfix-users wrote:
> >> 
> >> The odd thing is, I don't see any connection attempts at all in the mail
> >> logs.
> > 
> > May seem a strange question, but it's always first thing I check in case I
> > don't see any connection attempt in logs: Is your Roundcube really
> > connecting to the correct server? It's worth to double-check this.
> 
> It is: 
> 
> [17-Jun-2024 14:54:50 -0500]:  Connecting to 
> mail.stovebolt.com:25...
> [17-Jun-2024 14:54:50 -0500]:  Recv: 220 mail.stovebolt.com ESMTP 
> Postfix
> [17-Jun-2024 14:54:50 -0500]:  Send: EHLO www.stovebolt.com
> [17-Jun-2024 14:54:50 -0500]:  Recv: 250-mail.stovebolt.com

In that case you must also have Postfix logging.

Wietse


[pfx] Re: End of Data from client or postfix

2024-06-17 Thread Wietse Venema via Postfix-users
a49093915 via Postfix-users:
> Thank you very much for your detailed response.
> 
> So as far as I understand Postfix can receive "." or 
> "." or even other "End of DATA's",
> but will always strip them and add its own "." "End of DATA" 
> for outgoing SMTP.
> (Additionally it also strips and adds parts of the DATA itself.)
> 
> Is there a ways to verify this on the postfix server? Or would it
> be required to setup another SMTP server and somehow watch the
> incoming mails on that one?

Please upgrade to Postfix stable release 3.8.5, 3.7.10, 3.6.14,
3.5.24 and read the announcement for how to configure Postfix.

https://www.postfix.org/announcements/postfix-3.8.5.html

To verify, use a network sniffer (for example, tcpdump or wireshark).

Wietse


[pfx] Re: Do I have sals authentication properly configured?

2024-06-17 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> > On Jun 16, 2024, at 5:02 PM, Wietse Venema via Postfix-users 
> >  wrote:
> > 
> > Paul Schmehl via Postfix-users:
> >> I'm trying to sort out a problem with Roundcube failing to send email with 
> >> an error message that says SMTP Error(): authentication failed. In the 
> >> roundcube error log I find this:
> >> 
> >> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
> >> support authentication (POST 
> >> /webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
> >> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication 
> >> failure: mail.stovebolt.com <http://mail.stovebolt.com/>
> > 
> > Look in Your logs.
> > 
> > - Did the client connect to port 25 or 578?
> > 
> 
> 578
> 
> > - Did the client send starttls? That is logged in the "disconnect
> > from" line.
> > 
> 
> I don't see anything in the postfix logs (/var/log/maillog) from roundcube. I 
> guess I need to enable debug.

No debug logging needed. This information is ALWAYS logged:

Example of client that sends starttls:
disconnect from host[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 
commands=7

Example of client that does not send starttls:
disconnect from host[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

In your case there may be only ehlo but no mail, rcpt, and so on.

Wietse
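
Added example, not from the thread, serving both this message and the
reply above that reads an "auth=0/1" line: a Python parser for the
smtpd(8) "disconnect from" summary line that turns the "name=count" and
"name=successful/attempted" counters into the questions asked here (did
the client send STARTTLS, did AUTH fail, did it only send EHLO, was a
message accepted). The log lines are constructed with documentation
addresses; the anvil line is there to show that unrelated records are
skipped.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jun 16 15:24:57 mx1 postfix/smtpd[11420]: disconnect from unknown[192.0.2.77] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jun 16 15:25:03 mx1 postfix/smtpd[11421]: disconnect from client.example.net[198.51.100.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun 16 15:25:10 mx1 postfix/smtpd[11422]: disconnect from unknown[203.0.113.9] ehlo=1 quit=1 commands=2
Jun 16 15:25:11 mx1 postfix/anvil[11400]: statistics: max connection rate 1/60s for (smtp:192.0.2.77) at Jun 16 15:24:57
"""

_DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]"
    r"(?P<counters>(?: \w+=\d+(?:/\d+)?)+)\s*$")
_COUNTER = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

Counters = Dict[str, Tuple[int, int]]   # name -> (successful, attempted)


def parse_disconnect(line: str) -> Optional[dict]:
    """Parse one smtpd(8) 'disconnect from' line, or return None.

    Postfix logs name=N when every attempt succeeded and name=OK/TOTAL
    otherwise, so auth=0/1 means one AUTH attempt, none successful."""
    m = _DISCONNECT.search(line)
    if m is None:
        return None
    counters: Counters = {}
    for name, ok, total in _COUNTER.findall(m.group("counters")):
        counters[name] = (int(ok), int(total) if total else int(ok))
    return {"host": m.group("host"), "addr": m.group("addr"), "counters": counters}


def summarize(counters: Counters) -> Dict[str, bool]:
    """Answer the questions an operator asks of a session summary."""
    def ok(name: str) -> int:
        return counters.get(name, (0, 0))[0]

    def tried(name: str) -> int:
        return counters.get(name, (0, 0))[1]

    return {
        "starttls": ok("starttls") > 0,
        "auth_failed": tried("auth") > 0 and ok("auth") == 0,
        "message_accepted": ok("data") > 0,
        "ehlo_only": tried("ehlo") > 0 and tried("mail") == 0 and tried("auth") == 0,
    }


def analyse(log_text: str) -> List[dict]:
    """All smtpd disconnect records in a log excerpt, with their summary."""
    records = []
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec is not None:
            rec["summary"] = summarize(rec["counters"])
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG):
        print(rec["addr"], rec["summary"])
```

Because these lines are logged for every session, grepping them by
client address and running them through analyse() answers "did the
client ever get past EHLO" without turning on debug logging.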


[pfx] Re: Do I have sals authentication properly configured?

2024-06-16 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> I'm trying to sort out a problem with Roundcube failing to send email with an 
> error message that says SMTP Error(): authentication failed. In the roundcube 
> error log I find this:
> 
> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> PHP Error: SMTP server does not 
> support authentication (POST 
> /webmail/?_task=mail&_unlock=loading1718564304121&_framed=1&_action=send)
> [16-Jun-2024 13:58:24 -0500]: <5s9tomcd> SMTP Error: Authentication failure: 
> mail.stovebolt.com 

Look in Your logs.

- Did the client connect to port 25 or 578?

- Did the client send starttls? That is logged in the "disconnect
from" line.

Do you have any "smtpd_tls_auth_only=yes" override in effect?

For main.cf:
postconf -n smtpd_tls_auth_only

For master.cf:
postconf -P '*/*/smtpd_tls_auth_only'

If that is set to 'yes', Postfix will announce AUTH only after 
the client sends STARTTLS. 

Wietse


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John Levine via Postfix-users:
> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?

Here is a non-intuitive solution, based on
https://www.postfix.org/RESTRICTION_CLASS_README.html

/etc/postfix/main.cf:
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/restricted_senders

smtpd_restriction_classes = joe_user_acl
joe_user_acl = 
    check_recipient_access hash:/etc/postfix/joe_user_recipients, reject

/etc/postfix/restricted_senders:
joe_user@some.example  joe_user_acl

/etc/postfix/joe_user_recipients:
foo@one.example OK
bar@two.example OK

But this is non-intuitive and gives me a headache.

If milter-regex or postfwd can handle your use case, then that would
be more intuitive.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users 
> wrote:
> > John R. Levine via Postfix-users:
> > > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > > I think postscreen can block them easily.
> > > 
> > > I'm looking at the postscreen man page and I don't see anything about 
> > > mail 
> > > addresses.  Am I missing something?
> > 
> > That is a bad suggestion, please ignore.
> > 
> > > I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> > > QUIT?
> > 
> > That would do the job. With regexp: or pcre: tables you may save
> > some CPU cycles with:
> > 
> > # Don't indent text between IF and ENDIF.
> > IF /^MAIL FROM:/
> > /^MAIL FROM:/ QUIT
> > /^MAIL FROM:/ QUIT
> > ...
> > ENDIF
> 
> What's wrong with simple literal access(5) checks on the envelope
> sender, one then also gets to log the rejected recipients assuming the
> default setting of "smtpd_delay_reject = yes".

True as a more general solution, but I don't think
that is required here.

> Regular expressions are much too fragile in the hands of most users.

I think that John has the competence to make that decision.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users:
> On Sat, 15 Jun 2024, Jeff Peng wrote:
> > I think postscreen can block them easily.
> 
> I'm looking at the postscreen man page and I don't see anything about mail 
> addresses.  Am I missing something?

That is a bad suggestion, please ignore.

> I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> QUIT?

That would do the job. With regexp: or pcre: tables you may save
some CPU cycles with:

# Don't indent text between IF and ENDIF.
IF /^MAIL FROM:/
/^MAIL FROM:/ QUIT
/^MAIL FROM:/ QUIT
...
ENDIF

If the list is short, this 'optimization' won't be worthwhile.

Wietse


[pfx] Re: distributed email system

2024-06-15 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> On 2024-06-15 21:35, Wietse Venema via Postfix-users wrote:
> 
> > 
> > This is a bit off topic for Postfix, but a common approach is to
> > shard a global database into regional ones and limit the impact of
> > outages. Some database systems support sharding out of the box (for
> > example, MongoDB, supported by Postfix 3.9 and later).
> > 
> 
> Hi Wietse,
> 
> what does it mean "sharding out of the box"?

"X supports Y out of the box" means that X has support
for Y built in.

Wietse



[pfx] Re: myorigin usage for ONLY unqualified addresses

2024-06-15 Thread Wietse Venema via Postfix-users
One addendum about how to distinguish from root@mydomain
from different hosts.

Dan Mahoney via Postfix-users:
> > Use a virtual alias mapping from "r...@dayjob.org" to the collector
> > email address.  This is a variation on
> > 
> > /usr/local/etc/postfix/main.cf:
> > virtual_alias_maps = hash:/local/etc/postfix/virtual-for-root
> > 
> > /local/etc/postfix/virtual-for-root:
> >r...@dayjob.org collector-u...@collector-host.dayjob.org
> > 
> > Run "postmap hash:/local/etc/postfix/virtual-for-root" after
> > editing the file.
> > 
> > Instead of a hash: map you could use a networked table such as *SQL
> > or LDAP.
> 
> This would still result in rootmail being from root@mydomain, not
> root@myhostname -- regardless of the destination, which makes it
> way more confusing to read.

I forgot to mention that FreeBSD daily/security/weekly/monthly email
messages have the hostname in the Subject. Like this:

Subject: hostname.porcupine.org weekly run output
Subject: hostname.porcupine.org daily run output
Subject: hostname.porcupine.org daily security run output

They arrive in the same mailbox, and there is confusion about their
provenance.

> However, we would like our rootmail to respect our aliases file,
> which tells root to go to a specific mail destination on a specific
> box.

Set up a virtual alias

r...@dayjob.org root@localhost

or

r...@host.dayjob.org    root@localhost

(which one depends on myorigin and masquerade_xxx settings).

The Postfix local delivery agent will then respect the local
aliases database.

Wietse


[pfx] Re: myorigin usage for ONLY unqualified addresses

2024-06-15 Thread Wietse Venema via Postfix-users
Dan Mahoney via Postfix-users:
> > Use a virtual alias mapping from "r...@dayjob.org" to the collector
> > email address.  This is a variation on
> > 
> > /usr/local/etc/postfix/main.cf:
> > virtual_alias_maps = hash:/local/etc/postfix/virtual-for-root
> > 
> > /local/etc/postfix/virtual-for-root:
> >r...@dayjob.org collector-u...@collector-host.dayjob.org
> > 
> > Run "postmap hash:/local/etc/postfix/virtual-for-root" after
> > editing the file.
> > 
> > Instead of a hash: map you could use a networked table such as *SQL
> > or LDAP.
> 
> This would still result in rootmail being from root@mydomain, not
> root@myhostname -- regardless of the destination, which makes it
> way more confusing to read.

> However, we would like our rootmail to respect our aliases file,
> which tells root to go to a specific mail destination on a specific
> box.

Set up a virtual alias

r...@dayjob.org root@localhost

or

r...@host.dayjob.org    root@localhost

(which one depends on myorigin and masquerade_xxx settings).

The Postfix local delivery agent will then respect the local
aliases database.

Wietse


[pfx] Re: distributed email system

2024-06-15 Thread Wietse Venema via Postfix-users
Joachim Lindenberg via Postfix-users:
> sql databases optimize for consistency instead of availability.
> And even if you design your data model not to rely on joins, to
> use unique ids per node, and to replicate both directions or
> disallow writes on the slave, at least MariaDB failed on partitioning,
> and I didn't want or tried to use an database not supported by the
> application.
> Obviously you may get by without encountering issues for quite
> some time, and this unfortunately is true for many replication
> scenario recommendations.

This is a bit off topic for Postfix, but a common approach is to
shard a global database into regional ones and limit the impact of
outages. Some database systems support sharding out of the box (for
example, MongoDB, supported by Postfix 3.9 and later).

Reportedly, 

Wietse


[pfx] Re: myorigin usage for ONLY unqualified addresses

2024-06-15 Thread Wietse Venema via Postfix-users
Dan Mahoney via Postfix-users:
> Hello,
> 
> We currently have myorigin = $mydomain, and mydomain = dayjob.org
> on one of our border MXes, which is also the outbound MX for our
> whole organization.  We are a fairly large site with mxes in two
> locations and many machines which send mail which may relay through
> here.  Mydomain feels like the *correct* origin answer.
> 
> However, we would like our rootmail to respect our aliases file,
> which tells root to go to a specific mail destination on a specific
> box.

Use virtual_alias_maps, as shown below.

> FreeBSD by default sends all its nightly security checks and the
> like to "root" (bareword), and we globally deploy an alias file
> that reroutes this to a collector on a single machine, both for
> our machines that run postfix, as well as our machines that run
> more simple mailers like dma.  We'd like the expectations consistent
> across the board.

Use a virtual alias mapping from "r...@dayjob.org" to the collector
email address.  This is a variation on

/usr/local/etc/postfix/main.cf:
 virtual_alias_maps = hash:/local/etc/postfix/virtual-for-root

/local/etc/postfix/virtual-for-root:
r...@dayjob.org collector-u...@collector-host.dayjob.org

Run "postmap hash:/local/etc/postfix/virtual-for-root" after
editing the file.

Instead of a hash: map you could use a networked table such as *SQL
or LDAP.

Wietse


[pfx] Re: distributed email system

2024-06-14 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> On 2024-06-14 22:31, Wietse Venema via Postfix-users wrote:
> > Jeff Peng via Postfix-users:
> >> Hello,
> >> 
> >> Is there any guide to setup a distributed email system? there should 
> >> be
> >> multiple MX, multiple IMAP/storage servers, and sasl server cluster 
> >> etc.
> > 
> > That could be a job interview question.
> > 
> > The easier part is setting up a pool of dataless Postfix SMTP
> > servers; sharding the users across a pool of replicated Dovecot
> > POP/IMAP servers; and nginx proxies.
> 
> Are IMAP and smtp stateful protocols? If so I have to use hashes based 
> on src IP etc.

There is a difference between IMAP/POP and SMTP. With IMAP/POP a
front end proxy needs to connect each user to the right message
store instance. With SMTP, different sessions can be handled by
different servers. The servers can figure where to deliver mail.

Wietse


[pfx] Re: End of Data from client or postfix

2024-06-14 Thread Wietse Venema via Postfix-users
a49093915 via Postfix-users:
> Hello,
> 
> Unfortunately I was unable to find this information myself, so I am now 
> asking here:
> 
> Does postfix forward the end of data characters from the client or does it 
> replace them?
> Is there any way to influence this behavior?

Line endings depend on context. UNIX files and commands use <LF>,
whereas SMTP and LMTP use <CR><LF>. Instead of picking a specific
line ending, Postfix uses none. Instead it stores a length and text.

When delivering mail, Postfix ADDS the line endings that are appropriate.

- The delivery agents for UNIX files and commands add <LF> line endings.
  The pipe daemon can also be configured to prepend "." and append
  .

- The Postfix SMTP and LMTP clients add the SMTP encapsulation:
  they append <CR><LF> at the end of a line, and prepend "." to
  lines that start with ".". This behavior is required by the
  protocol and is not configurable.

For completeness, when receiving mail, Postfix strips line endings.

- The Postfix SMTP server REMOVES the SMTP encapsulation: the
  <CR><LF> line endings and "." at the start of a line.

  (for compatibility with poorly written apps, it may also permit
  bare <LF> depending on "smtpd_forbid_bare_newline" configuration).

- The Postfix sendmail command REMOVES the UNIX-style <LF> line
  ending.

  (for compatibility with poorly written apps, it may also remove
  <CR> depending on "sendmail_fix_line_endings" configuration)

Additionally, the latest Postfix 3.5..2.9 versions will replace
<CR> or <LF> in the middle of a line with the SPACE character.
This neutralizes any attempts to inject false line endings.

Wietse
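
As an added example (not Postfix source code, and not part of the message above), the following Python model carries the description through in working code: a message is held as a list of line bodies without terminators, the SMTP encapsulation (<CR><LF> and dot-stuffing) is added on the way out and stripped on the way in, UNIX <LF> endings are handled the same way, and a bare <LF> or a stray <CR> is either rejected or neutralized. The policy names "reject" and "normalize" are used here as labels for the model only; the function names and the sample message are my own.

```python
# Added example, not Postfix source: a model of the line-ending handling
# described in the message above. A message is held as a list of line
# bodies without terminators (Postfix stores "a length and text");
# terminators are added when writing out and stripped when reading in.

CR, LF, CRLF = b"\r", b"\n", b"\r\n"
END_OF_DATA = b"." + CRLF


def to_smtp(lines: list[bytes]) -> bytes:
    """SMTP/LMTP client side: append <CR><LF> to every line, prepend "."
    to lines that already start with "." (dot-stuffing), then send the
    "." end-of-data indicator on a line of its own."""
    out = bytearray()
    for line in lines:
        if line.startswith(b"."):
            out += b"."
        out += line + CRLF
    out += END_OF_DATA
    return bytes(out)


def from_smtp(wire: bytes, bare_newline: str = "reject") -> list[bytes]:
    """SMTP server side: strip the encapsulation again.

    bare_newline models two policies named in the discussion: "reject"
    refuses a line that ends in a bare <LF>, "normalize" accepts the bare
    <LF> as a line ending. A <CR> that is still inside a line afterwards
    is replaced by SPACE so no later consumer can mistake it for a line
    ending.
    """
    if wire != END_OF_DATA and not wire.endswith(CRLF + END_OF_DATA):
        raise ValueError("missing <CR><LF>.<CR><LF> end-of-data indicator")
    raw = wire[: -len(END_OF_DATA)].split(CRLF)
    raw.pop()  # text before the indicator ends in <CR><LF>: last piece is empty
    lines: list[bytes] = []
    for chunk in raw:
        if LF in chunk:
            if bare_newline == "reject":
                raise ValueError("bare <LF> in DATA rejected")
            pieces = chunk.split(LF)  # "normalize": a bare <LF> ends the line
        else:
            pieces = [chunk]
        for piece in pieces:
            piece = piece.replace(CR, b" ")  # neutralize a stray <CR>
            if piece.startswith(b"."):
                piece = piece[1:]  # undo dot-stuffing
            lines.append(piece)
    return lines


def to_unix(lines: list[bytes]) -> bytes:
    """Local delivery side: UNIX files and commands get <LF> line endings."""
    return b"".join(line + LF for line in lines)


def from_unix(text: bytes, fix_line_endings: bool = True) -> list[bytes]:
    """sendmail(1) side: strip the <LF>; with fix_line_endings also drop a
    <CR> in front of it, as described for sendmail_fix_line_endings."""
    lines = text.split(LF)
    if lines and lines[-1] == b"":
        lines.pop()  # the text ended in a terminator
    if fix_line_endings:
        lines = [ln[:-1] if ln.endswith(CR) else ln for ln in lines]
    return lines


if __name__ == "__main__":
    # Constructed sample message: one line starts with "." on purpose.
    message = [b"Subject: test", b"", b".starts with a dot", b"plain line"]
    wire = to_smtp(message)
    print(wire)
    assert from_smtp(wire) == message
    assert from_unix(to_unix(message)) == message
    print(from_smtp(b"injected\nline\r\n" + END_OF_DATA, bare_newline="normalize"))
```

The round trip to_smtp/from_smtp is lossless for any line body, which is the property the encapsulation exists to guarantee; the "reject" default makes the injection case visible as an error rather than as a silently reinterpreted message.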


[pfx] Re: distributed email system

2024-06-14 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello,
> 
> Is there any guide to setup a distributed email system? there should be 
> multiple MX, multiple IMAP/storage servers, and sasl server cluster etc.

That could be a job interview question.

The easier part is setting up a pool of dataless Postfix SMTP
servers; sharding the users across a pool of replicated Dovecot
POP/IMAP servers; and nginx proxies.

The harder part is implementing the databases and (web) applications
to manage the above.

Wietse


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello Wietse,
> 
> I have added this line:
>  smtpd_reject_unlisted_sender = yes
> 
> into main.cf.
> May I ask, this option is for submission request, or for MX request?

All services that use smtpd.

Wietse

> On 2024-06-14 04:14, Wietse Venema via Postfix-users wrote:
> > Wietse Venema via Postfix-users:
> >> A paranoid configuration could add:
> >> 
> >> smtpd_reject_unlisted_sender = yes
> >> 
> >> That is, do not send mail with a sender address that is known to
> >> be invalid (the SMTP server would reject mail for the address with
> >> "user unknown").
> >> 
> >> For more details (what is valid, why reject invalid senders) see
> >> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender
> > 
> > This will respect address extensions, because it reuses the logic for
> > rejecting unknown recipients. Less code, more functionality.
> > 
> > Wietse


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users:
> A paranoid configuration could add:
> 
> smtpd_reject_unlisted_sender = yes
> 
> That is, do not send mail with a sender address that is known to
> be invalid (the SMTP server would reject mail for the address with
> "user unknown").
> 
> For more details (what is valid, why reject invalid senders) see
> https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

This will respect address extensions, because it reuses the logic for
rejecting unknown recipients. Less code, more functionality.

Wietse


[pfx] Re: Need help with postfix

2024-06-13 Thread Wietse Venema via Postfix-users
Paul Schmehl via Postfix-users:
> I'm 77. I've been retired for 10 years. Now I'm struggling trying
> to get postfix working with Dovecot and Spamasassin on a CentOS 7
> server. I manage a small hobby domain for some friends (for free),
> and the changes in systems are so dramatic that I feel I'm losing
> touch.

Welcome back. I'm also updating some different infrastructure from
a similar vintage, and translating configurations from the past to
the present can be challenging.

> I read this doc to help me understand the new setup:
> https://samhobbs.co.uk/2014/03/raspberry-pi-email-server-part-4-spam-detection-spamassassin
> 
> I used to use filter.sh and didn't run the spamd daemon, but I
> thought that using the daemon would be the best way to go now.
> 
> I uninstalled postfix 2.10 and installed postfix 3.9. I installed
> spamassassin 3.4. I copied my old 2.1 master.cf and main.cf to the
> new configs (after backing those up) and started up both daemons.
> (I don't know if that's a mistake.
> 
> I can send and receive email, including remotely using saslauth.
> But, I'm not gettting headers altered by spamassassin and I'm
> seeing some warnings in the logs that bother me.
> 
> Here's the spamassassin bits in master.cf:
> 
> smtp  inet  n   -   n   -   -   smtpd
> -o content_filter=spamassassin
> 
> spamassassin unix -  n   n   -   -  pipe
>user=spamd argv=/usr/local/bin/spamc -f -e
>/usr/sbin/sendmail -oi -f ${sender} ${recipient}

So that one seems to be failing.

> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: 
> /usr/libexec/postfix/pipe: bad command startup -- throttling
> Jun 13 13:10:34 ded602 postfix/master[31118]: warning: process 
> /usr/libexec/postfix/pipe pid 2404 exit status 1

This is the exit status when the pipe daemon detects a bad
configuration.  I suspect that the pipe daemon is logging some
details along the lines of:

unknown flag:
unknown username
unknown group

> Jun 13 13:10:34 ded602 postfix/qmgr[31120]: warning: private/spamassassin 
> socket: malformed response

That is to be expected when the pipe daemon detects a configuration problem.

> [root@ded602 etc]# postconf -n

Skipping that for now.

> I'm not sure if all these parameters are still in use or if I even need them.

> I'm seeing a lot of these, but I assume this is just a nefarious actor:
> Jun 13 13:16:18 ded602 postfix/smtpd[2438]: warning: non-SMTP command from 
> unknown[80.244.11.148]: 
> \026\003\001\000\342\001\000\000\336\003\003iRf+\246d\261&]\303\034/;\315\213\372\t4\005L\253\250

That's a TLS handshake. If this is on port 25 or 587 that is the
client's mistake. With modern master.cf files, Postfix will log
the service name for mail user agents as postfix/submission/smtpd,
postfix/smtps/smtpd, or postfix/submissions/smtpd.

> Please be gentle. I'm far from a pro, and I've been out of the game for a 
> decade.

No problem. Could you be so kind not to include an 80 kilobyte
HTML attachment?

Wietse


[pfx] Re: secure the email system

2024-06-13 Thread Wietse Venema via Postfix-users
A paranoid configuration could add:

smtpd_reject_unlisted_sender = yes

That is, do not send mail with a sender address that is known to
be invalid (the SMTP server would reject mail for the address with
"user unknown").

For more details (what is valid, why reject invalid senders) see
https://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

Wietse



[pfx] Working around load balancers

2024-06-13 Thread Wietse Venema via Postfix-users
On second consideration, if an *SQL "server_hosts" setting specifies
only one target (host or IP address), then Postfix has little to
lose if it pretends that the name is given twice, and retries once
immediately, especially if it turns off the logic to avoid a failed
*SQL server for 60 seconds.

The logic for LMTP and SMTP can be similar: if a next-hop destination
resolves to exactly one IP address, pretend that it is given twice,
and retry once immediately. If both attempts fail, defer mail as usual.

Bulk mailers may want to skip the immediate SMTP retry if the error
was at the network-level (no connection) because an SMTP client
that is retrying a "down" host cannot be used to deliver mail.

This retry logic does not apply to milters, where a failure in the
middle of an SMTP conversation is not immediately recoverable.
Commands would have to be replayed and message changes would have
to be undone. Instead, the remote SMTP client has to retry the
entire transaction later.

Wietse


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> Using a load balancer like HAProxy for MySQL connections allows 
> balancing only on servers that are synchronized. Direct use of multiple 
> MySQL hosts in Postfix does not allow for any checks.

If you want to load balance N mysql servers behind 1 load balancer,
you can specify that server N times in the Postfix's "hosts" directive.
That will end the "mysterious delays".

The alternative, retry immediately on a single IP address, would
require configuration changes (it cannot be the default) and some
code to implement that.

> Given this, the 
> example of MySQL, which could also be the balancing of multiple LMTP 
> connections to IMAP servers, 

If you present only one server IP address to the Postfix LMTP client,
then that client will not immediately retry that IP address after
error, because that would normally be rude behavior. Thus there
will be delays.

If you present multiple IP addresses to the Postfix LMTP client,
then it will try them in random order until delivery succeeds. There
will be no delays. I'm not sure if the client deduplicates IP
addresses; a quick code search suggests it does not.

As with mysql, making the Postfix LMTP client retry immediately on
a single IP address would require configuration changes (it cannot
be the default) and some code to implement that.

It gets messy if we want to do this with every network dependency.

> occur with the use of the balancer under some load conditions. I am 
> looking for information to address the problem since Postfix does not 
> natively support clustered milters.

Clustered or otherwise, the Postfix Milter client isn't going to
retry after a failure mid-session. There is no way to 'replay' the
Postfix-to-Milter conversation. The SMTP server does not control
what happens, it has to respond in real time to events from a remote
SMTP client and relay any responses from the Milter.

The SMTP and LMTP clients can handle mid-session failures because
they are in complete control.

Wietse


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> I'm asking because I was using it with HAProxy, and with the load 
> balancer between Postfix and the two Rspamd machines, I often have 
> unexplainable timeouts. In general, I see that Postfix does not like 
> interacting with load balancers; I've had similar issues with MySQL 
> connections always balanced with HAProxy

By design Postfix DOES NOT immediately retry connecting to the
same host. In many contexts that would be considered rude.

That of course has consequences when a service "host" is in fact
a load balancer.

If you MUST use a load balancer for the MySQL service, specify the
"host" multiple times in the Postfix MySQL client configuration.

Or stop playing load balancer games and specify the real server
hosts in the Postfix MySQL client configuration. That is how it is
supposed to be used.

Wietse
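
The three messages above ("Working around load balancers" and the two "milter round robin" replies) make one point: a client that never immediately retries the same entry, and that avoids a failed entry for a while, behaves badly behind a load balancer unless the name is listed more than once. The following Python model is an added example, not code from Postfix's *SQL or LMTP clients; it assumes that each listed entry keeps its own failure timestamp (which is what makes the "list it N times" workaround effective) and uses the 60-second hold-off figure from the message above. Backend, Client and FakeClock are constructed for this illustration.

```python
# Added example, not Postfix source: a model of a client with a "hosts"
# list that never retries the same entry immediately and avoids a failed
# entry for a hold-off period. Each entry has its own failure timestamp,
# so the same name listed twice is two independent entries.
import time
from typing import Callable, Optional, Tuple

HOLDOFF_SECONDS = 60.0  # how long a failed entry is avoided (figure from the message above)


class Backend:
    """Constructed stand-in for a server, or a load balancer in front of
    several: a scripted list of connect outcomes, True meaning success."""

    def __init__(self, name: str, outcomes: list):
        self.name, self.outcomes, self.connects = name, list(outcomes), 0

    def connect(self) -> str:
        self.connects += 1
        ok = self.outcomes.pop(0) if self.outcomes else True
        if not ok:
            raise ConnectionError(f"{self.name}: connection refused")
        return f"connected to {self.name}"


class Client:
    """Walks the configured entries in order, skipping entries that failed
    within the hold-off period; gives up (defers) when none is usable."""

    def __init__(self, hosts: list, backends: dict,
                 clock: Callable[[], float] = time.monotonic):
        self.hosts, self.backends, self.clock = list(hosts), backends, clock
        self.down_until = [0.0] * len(self.hosts)  # per entry, not per name

    def connect(self) -> Tuple[Optional[str], int]:
        """Return (result, attempts); result is None when delivery must be deferred."""
        now = self.clock()
        attempts = 0
        for i, host in enumerate(self.hosts):
            if self.down_until[i] > now:
                continue  # this entry failed recently: do not try it again yet
            attempts += 1
            try:
                return self.backends[host].connect(), attempts
            except ConnectionError:
                self.down_until[i] = now + HOLDOFF_SECONDS
        return None, attempts


class FakeClock:
    """Constructed clock so the hold-off can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def listed_once_vs_twice() -> Tuple[Optional[str], Optional[str]]:
    """The load balancer hands the first connection to a dead node and the
    second to a live one. Listed once, the client defers; listed twice,
    the second entry provides the immediate retry."""
    once = Client(["lb.example"], {"lb.example": Backend("lb.example", [False, True])}, FakeClock())
    twice = Client(["lb.example", "lb.example"],
                   {"lb.example": Backend("lb.example", [False, True])}, FakeClock())
    return once.connect()[0], twice.connect()[0]


if __name__ == "__main__":
    print(listed_once_vs_twice())  # (None, 'connected to lb.example')
```

The real Postfix clients keep their bookkeeping differently in detail; the model only shows why a single entry behind a load balancer turns one transient failure into a deferral, while listing the name twice does not.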


[pfx] Re: milter round robin

2024-06-12 Thread Wietse Venema via Postfix-users
Christian Zoffoli via Postfix-users:
> Hello,
> is there a way to use multiple milters in round-robin without using a 
> load balancer? From what I can see in version 3.9, using multiple 
> milters separated by commas results in them being used in sequence.

This is not built into Postfix. 

If you specify a hostname that has multiple IP addresses, then
Postfix will try the IP addresses in the order returned by the
getaddrinfo() system library function. If the order is the same
with each call, then that sucks.

Wietse


[pfx] Re: SSL_accept error for smtpd

2024-06-10 Thread Wietse Venema via Postfix-users
Jeff Peng via Postfix-users:
> Hello
> 
> what's this error in mail.log?
> 
> Jun 11 01:52:15 tls-mail postfix/smtpd[67409]: connect from 
> unknown[172.210.47.140]
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: SSL_accept error from 
> unknown[172.210.47.140]: -1
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: warning: TLS library 
> problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no  <<
> shared cipher:../ssl/statem/statem_srvr.c:2283: <
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: lost connection after 
> STARTTLS from unknown[172.210.47.140]
> Jun 11 01:52:16 tls-mail postfix/smtpd[67409]: disconnect from 
> unknown[172.210.47.140] ehlo=1 starttls=0/1 commands=1/2
> 
> I have only port 465 opened for sending mail. port 587 is shutdown.

The lines with  show the error message (no shared cipher).

If this does not happen with a legitimate client, then this could
be someone who is looking for trouble (they failed) and you can
ignore the problem.

If this does happen with a legitimate client, then the client or
server needs to adjust their TLS settings.

Wietse


[pfx] Re: Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Wietse Venema via Postfix-users
>  ...
>  |>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
>  |>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
>  |>   be compatible with OpenSSL 3.2.0
>  ...
>  |[.] OpenSSL 3.2.0 and 3.3.0
>  |are ABI and API compatible. I would not expect to see a warning or
>  |error. See   |tml>.

Some irrelevant background: that document covers OpenSSL 3.0 and
later (earlier releases use a different versioning scheme).

>  |From the document under Minor Release:
>  |
>  |A minor release is indicated by changing the second number of the
>  |version. A minor release can, and generally will, introduce new
>  |features. However both the API and ABI will be preserved.

That same document says under "Patch release":

A patch release is indicated by changing the final number of
the version. A patch release will only contain bug and security
fixes. Both the API and ABI will remain compatible across patch
releases.

Note that only the text for "Patch release" promises that the "Both
the API and ABI will remain compatible".

Based on that, Postfix will not complain when the build-time and
run-time versions differ only in the Patch release number.

> This is postfix.  I must say, out of my head i have no idea
> whether it has always been like that for minor releases for one,
> and whether that is also true for LibreSSL, and the other SSL
> libraries that postfix possibly works with.  And AlpineLinux did
> use LibreSSL for some time in the past.

Postfix 3.6 and later pretty much require OpenSSL.

Wietse


[pfx] Re: Looking for a neat way to determine the time a mail sits in active queue

2024-06-07 Thread Wietse Venema via Postfix-users
Tobi via Postfix-users:
> Hi list
> 
> maybe someone has a good idea :-)
> 
> I'm looking for a way to reliably determine how long a message sits in
> active queue. Currently I use postqueue -j and pipe it to jq, get only
> hits from queue_id==active and then get arrival time, sort it by
> arrival time, take the oldest and calculate the difference to current
> time

Postfix already logs the (last) time spent in the active queue as
well as the time spent in any queue before that. Details are in

https://www.postfix.org/postconf.5.html#delay_logging_resolution_limit

A message may move in and out of the active queue multiple times,
and the above information will be logged each time the message
leaves the active queue.

If you want a per-domain time distribution of how long messages are
in the queue at a given point in time, perhaps the qshape tool may
be useful. It is included with Postfix source code under the
auxiliary/qshape directory. This is good for bottleneck analysis.

https://www.postfix.org/qshape.1.html

> Or would it be possible in future postfix releases to teach the
> postqueue command to return the "last time taken into active queue"
> for each message in active?

Where would it get that information from? A completely new RPC
interface in the queue manager? That goes against the principle
that the queue manager must be highly available and must do as
little as possible, delegating all work to disposable processes.

Wietse
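
As an added example (my code, not part of the message or of Postfix), the following Python reads the per-delivery "delays=a/b/c/d" figures that Wietse points at and answers the original question from the log rather than from postqueue: the second field is the time the message spent in the queue manager, i.e. the active queue, on that delivery attempt. The sample log lines are constructed to have the shape of Postfix delivery logging; the queue ids, addresses, hosts and times are made up.

```python
# Added example, not Postfix source: extract active-queue time per delivery
# from Postfix delivery logging. In "delays=a/b/c/d", a is the time before
# the queue manager (including receiving the message), b the time in the
# queue manager (active queue), c connection setup, d message transmission.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (ids, addresses, hosts and times are made up).
SAMPLE_LOG = """\
Jun  7 10:00:01 mx1 postfix/smtp[1234]: 4F3A1C0B2D: to=<a@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=12.5, delays=0.4/11.2/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  7 10:00:05 mx1 postfix/smtp[1235]: 5A9B2D1E3F: to=<b@example.net>, relay=none, delay=4099, delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (connect to mx.example.net[198.51.100.7]:25: Connection timed out)
Jun  7 10:00:09 mx1 postfix/lmtp[1236]: 6C1D3E2F4A: to=<c@example.com>, relay=store.example.com[10.0.0.5]:24, delay=0.9, delays=0.1/0.02/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jun  7 10:00:12 mx1 postfix/smtp[1234]: 7D2E4F3A5B: to=<d@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=75, delays=3/70/1/1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jun  7 10:00:13 mx1 postfix/smtpd[1300]: connect from unknown[203.0.113.9]
"""

DELIVERY_RE = re.compile(
    r"postfix/(?P<agent>[\w/]+)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"(?:orig_to=<[^>]*>, )?relay=(?P<relay>\S+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)


def parse_delivery(line: str) -> Optional[dict]:
    """Return the fields of one delivery record, or None for other log lines."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("delay", "a", "b", "c", "d"):
        rec[key] = float(rec[key])
    rec["domain"] = rec["rcpt"].rpartition("@")[2].lower()
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_delivery(ln) for ln in text.splitlines()) if r]


def active_queue_times(records: List[dict]) -> Dict[str, float]:
    """Queue id -> seconds spent in the queue manager on that attempt (field b)."""
    return {r["qid"]: r["b"] for r in records}


def longest_in_active_queue(records: List[dict]) -> Tuple[str, float]:
    """The message that waited longest in the active queue before leaving it."""
    return max(active_queue_times(records).items(), key=lambda kv: kv[1])


def per_domain_max_active(records: List[dict]) -> Dict[str, float]:
    """Largest active-queue time per recipient domain, a crude per-domain
    view in the spirit of the bottleneck analysis qshape is used for."""
    worst: Dict[str, float] = defaultdict(float)
    for r in records:
        worst[r["domain"]] = max(worst[r["domain"]], r["b"])
    return dict(worst)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(longest_in_active_queue(records))   # ('7D2E4F3A5B', 70.0)
    print(per_domain_max_active(records))
```

Because a message that is deferred and later retried logs a new record each time it leaves the active queue, the per-queue-id dictionary keeps the most recent attempt, which matches the "(last) time spent in the active queue" wording above.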


[pfx] Re: localhost.com in the logs

2024-06-06 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Thu, Jun 06, 2024 at 04:01:06PM -0400, Wietse Venema via Postfix-users 
> wrote:
> > GDS via Postfix-users:
> > > Hello, I am seeing hundreds of lines like the one below in my mail.log 
> > > from this specific IP address, which belongs to Google. 
> > > Jun  5 19:09:32 arthemis postfix/error[86771]: 5D9D148296D: 
> > > to=, orig_to=, relay=none, 
> > > delay=4099, delays=4099/0.02/0/0, dsn=4.4.1, status=deferred (delivery 
> > > temporarily suspended: connect to localhost.com[74.125.224.72]:25: 
> > > Connection timed out)
> > > 
> > 
> > Maybe you have  "myhostname = something.com" and Postfix infers $mydomain 
> > from that.
> 
> Indeed, when "mydomain" is not explicitly specified, one label is
> dropped even if only two were present in $myhostname.
> 
> $ postconf -o myhostname=foo.com mydomain
> mydomain = com
> 
> which, in combination with "append_dot_mydomain = yes", would match the
> OP's report/observations.

The problem is fixed by adopting the 10-year old "new" default
setting "append_dot_mydomain = no", or by setting the compatibility_level
to a value > 1.

> It might be reasonable to infer "mydomain = $myhostname" when the latter
> has two or fewer labels.

There are top-level domains with more than 2 components.

Doing this "correctly" (there can be TLDs with more than 2 components)
would require a domain suffix list (with the registrar portions of
domain names).

Wietse
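
As an added example (my code, not Postfix's address rewriting), the following Python reproduces the failure mode discussed in this thread: mydomain inferred by dropping one label from a two-label myhostname, and append_dot_mydomain then turning "localhost" into "localhost.<that label>". It also sketches the suffix-list approach Wietse describes as the correct alternative, using a constructed five-entry stand-in for a public suffix list. qualify() models only the append_dot_mydomain step, not the rest of Postfix address rewriting; the "localdomain" fallback for a single-label hostname is Postfix's documented default for mydomain.

```python
# Added example, not Postfix source: mydomain inference and the
# append_dot_mydomain effect discussed above, plus a suffix-list variant.


def infer_mydomain(myhostname: str) -> str:
    """Default mydomain: $myhostname minus its first label, even when only
    two labels are present (so "foo.com" yields "com")."""
    labels = myhostname.split(".")
    if len(labels) < 2:
        return "localdomain"  # documented fallback for a single-label hostname
    return ".".join(labels[1:])


def qualify(address: str, mydomain: str, append_dot_mydomain: bool) -> str:
    """Locally submitted mail: with append_dot_mydomain=yes, a domain part
    that contains no "." gets ".$mydomain" appended. Bare local parts
    (myorigin handling) are left alone in this model."""
    local, at, domain = address.rpartition("@")
    if not at:
        return address
    if append_dot_mydomain and "." not in domain:
        domain = f"{domain}.{mydomain}"
    return f"{local}@{domain}"


# Constructed stand-in for a public suffix list: a handful of entries only.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}


def registrable_domain(hostname: str, suffixes=PUBLIC_SUFFIXES) -> str:
    """Suffix-list variant: the longest matching public suffix plus one
    label. Falls back to label dropping when no suffix matches."""
    labels = hostname.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            if i == 0:
                return candidate  # the hostname is itself a public suffix
            return ".".join(labels[i - 1:])
    return infer_mydomain(hostname)


def compare(myhostname: str) -> dict:
    """Side by side: what label dropping infers versus the suffix-list answer."""
    return {"dropped": infer_mydomain(myhostname),
            "suffix_list": registrable_domain(myhostname)}


if __name__ == "__main__":
    print(compare("foo.com"))          # {'dropped': 'com', 'suffix_list': 'foo.com'}
    print(qualify("root@localhost", infer_mydomain("foo.com"), True))  # root@localhost.com
    print(compare("mx.example.co.uk"))
```

With mydomain inferred as "com" and append_dot_mydomain=yes, mail for root@localhost is rewritten to root@localhost.com, which is exactly the destination in the original poster's log; either of the two fixes Wietse names removes the rewrite.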


[pfx] Re: Help to debug smtp_sasl_password_maps usage via hash or mysql

2024-06-06 Thread Wietse Venema via Postfix-users
Roy Bellingan via Postfix-users:
> Good evening, I am not able to use this parameter.
> 
> My current version is the 3.9.2, I already have many other entity 
> configured to use mysql, but some reason this one is silently ignored 
> and produces no error.
> 
> If I use the hash metod and follow https://www.postfix.org/SASL_README.html
> I should write the config file like
> 
> /etc/postfix/sasl_passwd:
>  # Per-sender authentication; see also /etc/postfix/sender_relay.
>  us...@example.com   username1:password1
>  us...@example.net   username2:password2
>  # Login information for the default relayhost.
>  [mail.isp.example]  username:password
>  # Alternative form:
>  # [mail.isp.example]:submission username:password
> 
> Therefore I wrote
> [smtp-relay.brevo.com]:587 x@y.z:123
> 
> But this will NOT work, I have instead write
> 
> smtp-relay.brevo.com:587 x@y.z:123

That form turns on MX record lookup. Postfix should not do such
lookups for smtp-relay.brevo.com.

Specify [smtp-relay.brevo.com]:587 in main.cf:relayhost (or whatever
you are getting the relay from).

Wietse

