Re: Send email to one @domain.com via authenticated relay?
On 2022-12-05 at 10:24:56 UTC-0500 (Mon, 5 Dec 2022 10:24:56 -0500)
John Stoffel is rumored to have said:

>> "Bill" == Bill Cole writes:
>>
>> On 2022-12-04 at 20:57:49 UTC-0500 (Sun, 4 Dec 2022 20:57:49 -0500)
>> You are missing the point here.
>>
>> NO ONE running a serious mailserver will reject mail based on a
>> UCEPROTECT level 3 listing. It is a waste of your energy to focus on
>> that listing.
>
> I'd like to believe that.

Obviously not true, as you seem fixated on it.

>> Your problem is Linode. They have had a steady stream of spamming
>> customers that they have failed to deal with for extended periods. Some
>> mail systems have responded by rejecting all mail from all machines on
>> Linode networks.
>
> Sure, I can understand that, but I don't like it

I'm not fond of it either, but there's the reality. You or me liking it
has absolutely no effect unless we turn our dislike into action for
change. The only way this fact will change is if Linode changes their
behaviors and works to clear their reputation.

> and I don't really want to move to another hosting provider at this
> time, unless people have a good suggestion? And how long before that
> provider gets completely banned as well?

How long will they tolerate hordes of spamming customers?

It isn't an easily answered question, as the VPS hosters who do not
tolerate spammers don't stand out in any way. I do not know how long it
takes a hypothetical responsible VPS provider to become an adequately
large nuisance to be broadly blocked relative to your becoming a
customer. :)

> And what VPS provider do you recommend?

I have no such recommendations, as I have never asked that question
seriously, much less hunted down an answer. Linode is probably less
shunned than many others, e.g. OVH, but if I had to site a new mail
system today I do not have any idea if there is anyone in the Linode
price range whose networks are not widely shunned for email.

I'm not sure that one can host a robust mail system in any "VPS"
environment today without insurmountable reputation issues. Everyone I
know who has tried that in recent years has failed or has made
compromises that I would not make to get deliverability.

> So right now I'm trying to learn how to write a milter to re-write
> email sent via a specific transport.

If you're basically competent in Perl, the simple free way to do that
would be to use MailMunge or MIMEDefang, 2 closely related milters that
are configured by writing Perl subroutines for each phase of the SMTP
transaction. That makes it easier than writing all the Milter interface
parts yourself. They also have support for SpamAssassin and other
filtering tools.

> So I have setup my transport like this:
>
>   # Added to deliver mail to charter.net, 20221202
>   charter   unix  -       -       y       -       -       smtp
>     -o smtp_tls_wrappermode=yes
>     -o smtp_tls_security_level=encrypt
>     -o smtp_generic_maps=hash:/etc/postfix/sender_charter
>     -o header_checks=pcre:/etc/postfix/charter_header_first
>     -o smtp_header_checks=pcre:/etc/postfix/charter_header_second
>     -o myorigin=charter.net
>
> And I have it properly trying to send the emails, but I get bounced
> with:
>
>   : host mobile.charter.net[47.43.18.12] said: 550 5.1.0 sender rejected (in reply to MAIL FROM command)
>
> so I think I need a milter to re-write my From: header on my outgoing
> emails to be jstof...@charter.net.

I don't think so. At MAIL FROM the remote server hasn't seen your
headers. It cannot be rejecting something it has not seen yet. All the
Charter machine knows at that point are your EHLO hostname, client IP &
port, SASL authentication ID, and TLS status.

You probably only need to change the envelope sender, which they
probably are requiring to match your authentication identity.

> Should be simple, but how to tie it in isn't quite clearcut to me yet.

Agreed, especially since headers are irrelevant and you just need to
change the envelope sender.

The easy solution is not coming to mind, since you're needing to change
the sender based (ultimately) on the recipient, which is a bit outside
of the norm for an MTA.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
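The point made in the reply above, that a rejection "in reply to MAIL FROM" cannot depend on message headers, can be read straight off the Postfix log. The following Python sketch is an added example and not code from the thread: the `triage` helper is hypothetical, and the sample lines are constructed (the first is modeled on the bounce quoted in the thread, with placeholder recipients).

```python
import re

# What the remote server has received by the time it answers each command.
# Message headers (From:, Reply-To:) are only transmitted after DATA.
SEEN_AT = {
    "MAIL FROM": ("client IP, EHLO name, TLS/SASL state, envelope sender", False),
    "RCPT TO": ("the above plus envelope recipient", False),
    "DATA": ("envelope only, content not yet sent", False),
    "end of DATA": ("envelope plus headers and body", True),
}

LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<text>.*)\)$"
)
STAGE_RE = re.compile(r"\(in reply to (?P<stage>.+?) command\)")


def triage(line):
    """Return a dict describing a failed delivery, or None for other lines."""
    m = LINE_RE.search(line.strip())
    if not m or m["status"] not in ("bounced", "deferred"):
        return None
    s = STAGE_RE.search(m["text"])
    stage = s["stage"] if s else None
    seen, headers_seen = SEEN_AT.get(stage, ("unknown", None))
    return {"rcpt": m["rcpt"], "dsn": m["dsn"], "stage": stage,
            "server_had_seen": seen, "headers_seen": headers_seen}


# Constructed sample lines (placeholder recipients and second relay).
SAMPLE = [
    "Dec  3 16:47:26 localhost postfix/smtp[548460]: EE29D275BF: "
    "to=<user@example.net>, relay=mobile.charter.net[47.43.18.12]:587, "
    "delay=5.3, delays=0.05/0.01/0.17/5.1, dsn=5.1.0, status=bounced "
    "(host mobile.charter.net[47.43.18.12] said: 550 5.1.0 sender rejected "
    "(in reply to MAIL FROM command))",
    "Dec  3 16:50:02 localhost postfix/smtp[548471]: 1A2B3C4D5E: "
    "to=<user@example.org>, relay=mx.example.org[192.0.2.10]:25, "
    "delay=1.2, delays=0.05/0.01/0.3/0.84, dsn=5.7.1, status=bounced "
    "(host mx.example.org[192.0.2.10] said: 554 5.7.1 content rejected "
    "(in reply to end of DATA command))",
    "Dec  3 16:51:10 localhost postfix/smtp[548480]: 2B3C4D5E6F: "
    "to=<user@example.com>, relay=mx.example.com[192.0.2.20]:25, "
    "delay=0.9, delays=0.05/0.01/0.3/0.54, dsn=2.0.0, status=sent "
    "(250 2.0.0 Ok: queued as 4F1A2B3C4D)",
]

if __name__ == "__main__":
    for entry in filter(None, map(triage, SAMPLE)):
        print(entry)
```

A result with `headers_seen` set to `False` means header rewriting (header_checks, a header-only milter) cannot change the outcome; only envelope or authentication changes can.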
Re: Send email to one @domain.com via authenticated relay?
> "Bill" == Bill Cole writes:

> On 2022-12-04 at 20:57:49 UTC-0500 (Sun, 4 Dec 2022 20:57:49 -0500)
> You are missing the point here.

> NO ONE running a serious mailserver will reject mail based on a
> UCEPROTECT level 3 listing. It is a waste of your energy to focus on
> that listing.

I'd like to believe that.

> Your problem is Linode. They have had a steady stream of spamming
> customers that they have failed to deal with for extended periods. Some
> mail systems have responded by rejecting all mail from all machines on
> Linode networks.

Sure, I can understand that, but I don't like it and I don't really
want to move to another hosting provider at this time, unless people
have a good suggestion? And how long before that provider gets
completely banned as well?

And what VPS provider do you recommend?

So right now I'm trying to learn how to write a milter to re-write
email sent via a specific transport.

So I have setup my transport like this:

  # Added to deliver mail to charter.net, 20221202
  charter   unix  -       -       y       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=encrypt
    -o smtp_generic_maps=hash:/etc/postfix/sender_charter
    -o header_checks=pcre:/etc/postfix/charter_header_first
    -o smtp_header_checks=pcre:/etc/postfix/charter_header_second
    -o myorigin=charter.net

And I have it properly trying to send the emails, but I get bounced
with:

  : host mobile.charter.net[47.43.18.12] said: 550 5.1.0 sender rejected (in reply to MAIL FROM command)

so I think I need a milter to re-write my From: header on my outgoing
emails to be jstof...@charter.net.

Should be simple, but how to tie it in isn't quite clearcut to me yet.
Re: Send email to one @domain.com via authenticated relay?
On 2022-12-04 at 20:57:49 UTC-0500 (Sun, 4 Dec 2022 20:57:49 -0500)
John Stoffel is rumored to have said:

>> "Rob" == Rob McGee writes:
>>
>> On 12/3/2022 9:37 AM, John Stoffel wrote:
>>>> "Jim" == Jim Popovitch writes:
>>>>
>>>> On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
>>>> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
>>>> spam list. Nothing I can do about it.
>>>>
>>>> I doubt that many sites block by using UCEPROTECT-3 alone, but you can
>>>> use www.whitelisted.org to be excluded from it.
>>>
>>> I'm not going to pay those scum to get my IP whitelisted, that's just
>>> blackmail. How does paying some extortionate third party make my
>>> email problems go away?
>>
>> Like Jim said, it's very unlikely that a UCEPROTECT listing would be the
>> cause of any delivery problems. Do you have some evidence that your
>> target site (charter.net?) is using UCEPROTECT for blocking?
>>
>> If so, please share that evidence. If not, assume your listing has
>> nothing to do with your problem. It surely does not.
>
> I'm not sure honestly, and charter isn't saying.

You are missing the point here.

NO ONE running a serious mailserver will reject mail based on a
UCEPROTECT level 3 listing. It is a waste of your energy to focus on
that listing.

Your problem is Linode. They have had a steady stream of spamming
customers that they have failed to deal with for extended periods. Some
mail systems have responded by rejecting all mail from all machines on
Linode networks.

> I was on a chat with a 1st level support guy for over an hour, and
> each time he came with an RBL to check, or some other setting, I was
> able to show that my IP/hostname was clean, without any entries. The
> only entry I could find was in the UCEPROTECT-3 list, which blocks
> entire chunks.

Which means nothing. The existence of a DNSBL does not imply in any way
that it is used by anyone anywhere to block mail. UCEPROTECT is and
always has been an unserious operation with a little bit of extortion
mixed in. They are not the reason your mail is being shunned.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Send email to one @domain.com via authenticated relay?
> "Rob" == Rob McGee writes:

> On 12/3/2022 9:37 AM, John Stoffel wrote:
>>> "Jim" == Jim Popovitch writes:
>>>
>>> On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
>>> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
>>> spam list. Nothing I can do about it.
>>>
>>> I doubt that many sites block by using UCEPROTECT-3 alone, but you can
>>> use www.whitelisted.org to be excluded from it.
>>
>> I'm not going to pay those scum to get my IP whitelisted, that's just
>> blackmail. How does paying some extortionate third party make my
>> email problems go away?

> Like Jim said, it's very unlikely that a UCEPROTECT listing would be the
> cause of any delivery problems. Do you have some evidence that your
> target site (charter.net?) is using UCEPROTECT for blocking?

> If so, please share that evidence. If not, assume your listing has
> nothing to do with your problem. It surely does not.

I'm not sure honestly, and charter isn't saying. I was on a chat with
a 1st level support guy for over an hour, and each time he came with
an RBL to check, or some other setting, I was able to show that my
IP/hostname was clean, without any entries. The only entry I could
find was in the UCEPROTECT-3 list, which blocks entire chunks.

So now my option is to setup a special transport which would be used
to submit emails to charter.net, but now I need to setup a milter
because I need to replace the

  From: *@stoffel.org

with

  From: jstof...@charter.net
  Reply-to: *@stoffel.org

so that it all gets handled nicely. It's not a critical need, but
it's an opportunity to learn how to write a milter and how to tie it
into just a specific transport for outgoing emails. I don't want/need
a full fledged mailman like setup either.

John
Re: Send email to one @domain.com via authenticated relay?
On 12/3/2022 9:37 AM, John Stoffel wrote:
>> "Jim" == Jim Popovitch writes:
>>
>> On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
>> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
>> spam list. Nothing I can do about it.
>>
>> I doubt that many sites block by using UCEPROTECT-3 alone, but you can
>> use www.whitelisted.org to be excluded from it.
>
> I'm not going to pay those scum to get my IP whitelisted, that's just
> blackmail. How does paying some extortionate third party make my
> email problems go away?

Like Jim said, it's very unlikely that a UCEPROTECT listing would be the
cause of any delivery problems. Do you have some evidence that your
target site (charter.net?) is using UCEPROTECT for blocking?

If so, please share that evidence. If not, assume your listing has
nothing to do with your problem. It surely does not.

> I'm going to be looking into the transport maps solution that I was
> pointed to.

--
http://rob0.nodns4.us/
Re: Send email to one @domain.com via authenticated relay?
> "Wietse" == Wietse Venema writes:

> Viktor Dukhovni:
>> On Fri, Dec 02, 2022 at 11:36:30AM -0500, John Stoffel wrote:
>>
>> > I tried setting up /etc/postfix/transport_maps like this:
>> >
>> >     charter.net [mobile.charter.net]:587

> The right-hand side should be
>
>     transport:nexthop
>
> or
>
>     transport:nexthop:service-or-port
>
> Where transport is the name of a mail delivery service in master.cf,
> like 'smtp' or 'relay'.

Thanks, this was just the nudge I needed to make this work. But... it
turns out that charter.net deliveries to port 587 require that I
change the following two configs:

  smtp_tls_wrappermode = yes
  smtp_tls_security_level = encrypt

where I used to just have

  smtp_tls_security_level = may

before. So I strongly suspect I need to setup a new transport in
master.cf called "charter" which will override those two settings for
deliveries, so I added this:

  # Added to deliver mail to charter.net, 20221202
  charter   unix  n       -       y       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=encrypt

And this works, but now I need to tweak the transport so that when it
logs in, the MAIL FROM uses the proper name of jstof...@charter.net,
but I haven't been able to make it work quite yet.

I've also setup two pcre maps, and now my transport looks like this:

  # Added to deliver mail to charter.net, 20221202
  charter   unix  -       -       y       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=encrypt
    -o smtp_generic_maps=hash:/etc/postfix/sender_charter
    -o header_checks=pcre:/etc/postfix/charter_header_first
    -o smtp_header_checks=pcre:/etc/postfix/charter_header_second

And the two maps are:

  # cat charter_header_first
  /^From:(.*)/ PREPEND X-Original-From: $1

  # cat charter_header_second
  /^From:(.*)/ REPLACE From:

Note: Of course I want this to work properly if I have multiple
recipients in an email but only one of them is in an @charter.net
address, only that single email should be re-written to have the new
From: header.

Anyway, when I do the above, I get the following in the logs, which
tells me I probably need to tweak the masquerade setting for the
charter transport:

  Dec 3 16:47:21 localhost postfix/smtp[548460]: Untrusted TLS connection established to mobile.charter.net[47.43.18.12]:587: TLSv1.2 with cipher AES256-SHA256 (256/256 bits)
  Dec 3 16:47:26 localhost postfix/smtp[548460]: EE29D275BF: to=, relay=mobile.charter.net[47.43.18.12]:587, delay=5.3, delays=0.05/0.01/0.17/5.1, dsn=5.1.0, status=bounced (host mobile.charter.net[47.43.18.12] said: 550 5.1.0 sender rejected (in reply to MAIL FROM command))

So I'm getting there, but not quite. Would it be smarter to just
setup two instances of postfix, and use the transport map from the
main instance to only send to the second when needed, and then do all
the header re-writing there?

Thanks,
John
Re: Send email to one @domain.com via authenticated relay?
On Sat, 2022-12-03 at 10:37 -0500, John Stoffel wrote:
> >>>>> "Jim" == Jim Popovitch writes:
>
> > On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
> > I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
> > spam list. Nothing I can do about it.
>
> > I doubt that many sites block by using UCEPROTECT-3 alone, but you
> > can use www.whitelisted.org to be excluded from it.
>
> I'm not going to pay those scum to get my IP whitelisted, that's just
> blackmail. How does paying some extortionate third party make my
> email problems go away?

That's cool and all, I was just offering you advice on how you can be
excluded from the UCEPROTECT-3 listing. That is all.

I am subscribed to the postfix-users@postfix.org mailing list, no need
to also email me a copy of your posts.

-Jim P.
Re: Send email to one @domain.com via authenticated relay?
> "Jim" == Jim Popovitch writes:

> On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
> spam list. Nothing I can do about it.

> I doubt that many sites block by using UCEPROTECT-3 alone, but you can
> use www.whitelisted.org to be excluded from it.

I'm not going to pay those scum to get my IP whitelisted, that's just
blackmail. How does paying some extortionate third party make my
email problems go away?

I'm going to be looking into the transport maps solution that I was
pointed to.
Re: Send email to one @domain.com via authenticated relay?
On Fri, 2022-12-02 at 11:36 -0500, John Stoffel wrote:
> I check, but I find my IP for mail.stoffel.org in the UCEPROTECT-3
> spam list. Nothing I can do about it.

I doubt that many sites block by using UCEPROTECT-3 alone, but you can
use www.whitelisted.org to be excluded from it.

-Jim P.
Re: Send email to one @domain.com via authenticated relay?
Viktor Dukhovni:
> On Fri, Dec 02, 2022 at 11:36:30AM -0500, John Stoffel wrote:
>
> > I tried setting up /etc/postfix/transport_maps like this:
> >
> >     charter.net [mobile.charter.net]:587

The right-hand side should be

    transport:nexthop

or

    transport:nexthop:service-or-port

Where transport is the name of a mail delivery service in master.cf,
like 'smtp' or 'relay'.

> > But it started routing all my outgoing email through them, which isn't
> > going to work.
>
> That's not the way the transport table works. That particular entry
> affects only message recipients at that particular domain.
>
> > So I'm missing something here. Do I need to setup a separate instance
> > for sending email to @charter.net through an authenticated connection?
>
> No, you can route specific domains to specific transport+nexthop
> combinations by using the transport(5) table.
>
> --
> Viktor.
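The correction in the message above (the right-hand side is transport:nexthop, where transport names a master.cf service) can be checked before a table is put into use. This Python sketch is an added example, not part of the thread or of Postfix: the helper names are hypothetical, the master.cf sample is constructed around the "charter" service quoted elsewhere in the thread, and splitting the right-hand side at the first colon is this example's assumption about how the field is read.

```python
def master_services(master_cf):
    """Service names: first field of each non-comment, non-continuation line."""
    names = set()
    for line in master_cf.splitlines():
        if line.strip() and not line.startswith("#") and not line[0].isspace():
            names.add(line.split()[0])
    return names


def lint_transport(table, services):
    """Return (pattern, transport) pairs whose transport is not a known service."""
    problems = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            problems.append((parts[0], None))   # entry without a right-hand side
            continue
        # Assumption of this example: transport is everything before the first ':'.
        transport, _, _nexthop = parts[1].strip().partition(":")
        # An empty transport field leaves the default transport unchanged.
        if transport and transport not in services:
            problems.append((parts[0], transport))
    return problems


# Constructed master.cf excerpt; the charter entry follows the one in the thread.
MASTER_CF = """\
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
# Added to deliver mail to charter.net, 20221202
charter   unix  n       -       y       -       -       smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt
"""

BROKEN = "charter.net    [mobile.charter.net]:587"          # entry as first tried
FIXED = "charter.net    charter:[mobile.charter.net]:587"   # transport:nexthop form

if __name__ == "__main__":
    services = master_services(MASTER_CF)
    print("broken:", lint_transport(BROKEN, services))
    print("fixed: ", lint_transport(FIXED, services))
```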
Re: Send email to one @domain.com via authenticated relay?
On Fri, Dec 02, 2022 at 11:36:30AM -0500, John Stoffel wrote:

> I tried setting up /etc/postfix/transport_maps like this:
>
>     charter.net [mobile.charter.net]:587
>
> But it started routing all my outgoing email through them, which isn't
> going to work.

That's not the way the transport table works. That particular entry
affects only message recipients at that particular domain.

> So I'm missing something here. Do I need to setup a separate instance
> for sending email to @charter.net through an authenticated connection?

No, you can route specific domains to specific transport+nexthop
combinations by using the transport(5) table.

--
Viktor.