[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Steffen Nurpmeso via Postfix-users
Matus UHLAR - fantomas via Postfix-users wrote in
 :
 |>Matus UHLAR - fantomas via Postfix-users wrote on 2024-08-05 11:57:
 |>>So, even setting DMARC policy to "quarantine" or "reject" would not
 |>>cause problems.
 |
 |On 05.08.24 12:14, Benny Pedersen via Postfix-users wrote:
 |>i want to believe when ... if all dmarc policy is allowed what should
 |>happen on the time when subscribers got this with a dmarc fail ?
 |>
 |>mailman try imho to not make this happen, but imho all what mailman
 |>should have done is to tell subscriber not to post with a dmarc policy
 |>of quarantine or reject since mailman can break dkim and spf
 |
 |mailman can as well avoid modification of e-mail and require correct \
 |DKIM.  
 |But that all means less mail delivered to lists like this one.

There are only two options: leave the message alone entirely, no
footer (never saw header), no Subject: etc, or "create a new
message", aka become the "author".  Or not, aka become the sender,
but leave the Author:, no one supports Author: but fewest,
unfortunately.  With SPF and thus one-hop-email, the latter may be
necessary even without any modification.

One can include the original, unchanged message as an RFC 822
attachment, mailman can do that.  But i was told that many MUAs
cannot properly deal with that, and one may hear complaints like
"clicking on that icon this and that [sic]", etc.
It is a pity there were no strong forces pushing applications
towards support of and for the century old envelope-in-envelope-
in-envelope way of layering, but this is where it is.
Btw the (brute simple, long way to go) MUA i maintain can regularly
"quote as attachment", i had seen this in the plan9 community, and
liked it over there, and so i did it .. used it for quite some
time, but then went away.  I mean, yes, it is better than the top
posting the giants were pushing through, practically, but what is
ok in that minimal-header-all-text-message world of Plan9 is
a terrible misfeature and nuisance with Gmail or Outlook header
convulsions.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
|   Total war - shortest war -> Permanent war - everlasting war
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
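
The two options named in the message above (relay the message untouched, or become the author by rewriting From:), plus the footer case the thread keeps returning to, as an added example that is not part of the thread or of Mailman. It models a receiver's DMARC decision using the DKIM relaxed body hash and relaxed alignment; all domains, addresses and published policies are constructed, SPF is assumed to pass for whichever host sends the message, and the DKIM header signature is not modelled.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, replace

# Constructed values: hypothetical domains and their published DMARC p= policies.
POLICY = {"sender.example": "reject", "lists.example": "none"}
LIST_DOMAIN = "lists.example"
FOOTER = b"___\r\nDemo list -- demo@lists.example\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse whitespace runs,
    strip trailing whitespace per line, drop empty lines at the end."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer would place in bh= (SHA-256, relaxed body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


@dataclass(frozen=True)
class Message:
    mail_from_domain: str  # envelope sender domain, the identity SPF checks
    header_from: str       # From: address, the identity DMARC aligns against
    reply_to: str
    body: bytes
    dkim_d: str            # d= of the signature travelling with the message
    dkim_bh: str           # bh= of that signature


def original() -> Message:
    """Constructed post as it leaves the author's own server, DKIM-signed."""
    body = b"Do you reject DMARC failures?\r\n"
    return Message("sender.example", "author@sender.example", "", body,
                   "sender.example", body_hash(body))


def via_list(msg: Message, add_footer: bool, munge_from: bool) -> Message:
    """What a list server may do before redistributing a post."""
    out = replace(msg, mail_from_domain=LIST_DOMAIN)  # list's own bounce address
    if add_footer:
        out = replace(out, body=out.body + FOOTER)
    if munge_from:  # list address in From:, author moved to Reply-To:
        out = replace(out, header_from="demo@" + LIST_DOMAIN,
                      reply_to=msg.header_from)
    return out


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(msg: Message) -> tuple:
    """Return (dmarc_result, disposition) as a receiver honouring p= would."""
    from_domain = msg.header_from.rsplit("@", 1)[1]
    # Assumption: SPF itself passes at every hop, so only alignment matters.
    spf_aligned = org_domain(msg.mail_from_domain) == org_domain(from_domain)
    # Only the body hash is checked; the header signature is not modelled.
    dkim_valid = body_hash(msg.body) == msg.dkim_bh
    dkim_aligned = dkim_valid and org_domain(msg.dkim_d) == org_domain(from_domain)
    if spf_aligned or dkim_aligned:
        return ("pass", "deliver")
    policy = POLICY.get(org_domain(from_domain), "none")
    return ("fail", {"none": "deliver"}.get(policy, policy))


def scenarios() -> dict:
    msg = original()
    return {
        "direct": evaluate(msg),
        "list, untouched": evaluate(via_list(msg, False, False)),
        "list, footer": evaluate(via_list(msg, True, False)),
        "list, footer + munged From": evaluate(via_list(msg, True, True)),
    }


if __name__ == "__main__":
    for name, (result, action) in scenarios().items():
        print(f"{name:28} dmarc={result:4} -> {action}")
```

Only the footer case without From: rewriting fails: the body hash no longer matches and the envelope domain belongs to the list, so neither identifier aligns with the author's domain.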


[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Matus UHLAR - fantomas via Postfix-users

>Matus UHLAR - fantomas via Postfix-users wrote on 2024-08-05 11:57:
>>So, even setting DMARC policy to "quarantine" or "reject" would not
>>cause problems.

On 05.08.24 12:14, Benny Pedersen via Postfix-users wrote:
>i want to believe when ... if all dmarc policy is allowed what should
>happen on the time when subscribers got this with a dmarc fail ?
>
>mailman try imho to not make this happen, but imho all what mailman
>should have done is to tell subscriber not to post with a dmarc policy
>of quarantine or reject since mailman can break dkim and spf

mailman can as well avoid modification of e-mail and require correct DKIM.
But that all means less mail delivered to lists like this one.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]


[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Benny Pedersen via Postfix-users

Matus UHLAR - fantomas via Postfix-users wrote on 2024-08-05 11:57:

> So, even setting DMARC policy to "quarantine" or "reject" would not
> cause problems.


i want to believe when ... if all dmarc policy is allowed what should
happen on the time when subscribers got this with a dmarc fail ?

mailman try imho to not make this happen, but imho all what mailman
should have done is to tell subscriber not to post with a dmarc policy
of quarantine or reject since mailman can break dkim and spf

wonderful world to live in

that's why smtpd_milter_maps exists in postfix to avoid reject maillist
client ips

when postfix maillist ran on cloud9 it was well designed to not break
dkim, and even if it sometimes happened it would not make majordomo
unsubscribe users

we all lost now



[pfx] Re: Do you reject DMARC failures?

2024-08-05 Thread Matus UHLAR - fantomas via Postfix-users

>On Jul 31, 2024, at 1:19 AM, Matus UHLAR - fantomas via Postfix-users wrote:
>>FYI Mailman 2 claims to rewrite From: header to fulfill DMARC requirements
>>only when DMARC policy is "quarantine" or "reject"

On 01.08.24 12:12, Robert L Mathews via Postfix-users wrote:
>That's the "dmarc_moderation_action" option in the "Sender filters" section
>of the Mailman interface [1].
>
>But there's also another option in the General Options section called
>"from_is_list" [2] that does it for all messages.  If set to "Munge From",
>it "replaces the From: header address with the list's posting address to
>mitigate issues stemming from the original From: domain's DMARC or similar
>policies and puts the original From: address in a Reply-To: header".
>
>[1] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#Sender_filters
>[2] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#line-163

Yes, the latter applies generally for lists.  But I consider this difference
irrelevant because the topic is related to DMARC errors, and mailman 2's
dmarc_moderation_action applies when mail should be rejected because of
DMARC failure.

So, even setting DMARC policy to "quarantine" or "reject" would not cause
problems.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.


[pfx] Re: Do you reject DMARC failures?

2024-08-01 Thread Steffen Nurpmeso via Postfix-users
Robert L Mathews via Postfix-users wrote in
 :
 |On Jul 31, 2024, at 1:19 AM, Matus UHLAR - fantomas via Postfix-users \
 | wrote:
 |> FYI Mailman 2 claims to rewrite From: header to fullfill DMARC requireme\
 |> nts only when DMARC policy is "quarantine" or "reject"
 |
 |That's the "dmarc_moderation_action" option in the "Sender filters" \
 |section of the Mailman interface [1].
 |
 |But there's also another option in the General Options section called \
 |"from_is_list" [2] that does it for all messages. If set to "Munge \
 |From", it "replaces the From: header address with the list's posting \
 |address to mitigate issues stemming from the original From: domain's \
 |DMARC or similar policies and puts the original From: address in a \
 |Reply-To: header".

Yes, me too, mailman 2 here now has

  REMOVE_DKIM_HEADERS = 3

^ (i feel bad on that, but for now it is like that)

  DEFAULT_FROM_IS_LIST = 1
  #DEFAULT_DMARC_MODERATION_ACTION = 1
  #DEFAULT_DMARC_NONE_MODERATION_ACTION = Yes
  ..
  MIME_DIGEST_KEEP_HEADERS += [ 'Mail-Followup-To' ]
  ALLOW_SENDER_OVERRIDES = No

(But do not ask me no questions.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
|
| Only during dog days:
| On the 81st anniversary of the Goebbel's Sportpalast speech
| von der Leyen gave an overlong hypocritical inauguration one.
| The brew's essence of our civilizing advancement seems to be:
|   Total war - shortest war -> Permanent war - everlasting war


[pfx] Re: Do you reject DMARC failures?

2024-08-01 Thread Robert L Mathews via Postfix-users
On Jul 31, 2024, at 1:19 AM, Matus UHLAR - fantomas via Postfix-users 
 wrote:
> 
> FYI Mailman 2 claims to rewrite From: header to fulfill DMARC requirements
> only when DMARC policy is "quarantine" or "reject"


That's the "dmarc_moderation_action" option in the "Sender filters" section of 
the Mailman interface [1].

But there's also another option in the General Options section called 
"from_is_list" [2] that does it for all messages. If set to "Munge From", it 
"replaces the From: header address with the list's posting address to mitigate 
issues stemming from the original From: domain's DMARC or similar policies and 
puts the original From: address in a Reply-To: header".

[1] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#Sender_filters
[2] https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#line-163

-- 
Robert L Mathews



[pfx] Re: Do you reject DMARC failures?

2024-07-31 Thread Matus UHLAR - fantomas via Postfix-users

On 30.07.24 16:40, Gilgongo via Postfix-users wrote:
>Thanks for all the replies on this - food for thought! Seems the general
>consensus is that while in theory I should reject for p=reject (since
>that's what the sender wants me to do), in practice things like mailing
>lists and other forwarding conditions make that unsafe (and to a lesser
>extent the same applies to SPF and DKIM). At least in terms of a
>binary decision. So I think I'll stick with what I have and perhaps
>experiment with some SA scoring tweaks.

FYI Mailman 2 claims to rewrite From: header to fulfill DMARC requirements
only when DMARC policy is "quarantine" or "reject"

- rejecting mail failing DMARC can be safe even with mailing lists which
usually appear to break DKIM.

https://wiki.list.org/DOC/Mailman%202.1%20List%20Administrators%20Manual#Additional_settings

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread chandan via Postfix-users
For LLM based detection rspamd has a new GPT Plugin they introduced with
version 3.9

https://rspamd.com/doc/modules/gpt.html

https://rspamd.com/misc/2024/07/03/gpt.html

Currently it’s based on OpenAI apis. but can be adapted for local LLMs 
or any LLM offering OpenAI type APIs.


Cheers
Chandan
On 2024-07-30 18:07, Laura Smith wrote:
> I too am interested in experiences with rspamd and LLMs, so if there is
> anything people don't want to share on-list, please loop me in. :)
>
> Thanks !
>
> Laura
>
> On Tuesday, 30 July 2024 at 18:51, Walt E via Postfix-users wrote:
>
> > Can you share your experience on LLM for rspamd? Any links/resources are
> > appreciated.
> >
> > Thank you
> >
> > On 2024-07-30 21:42, chandan via Postfix-users wrote:
> >
> > > In POSTSCREEN i use 12 blocklists and whitelists. each is given a
> > > particular score based on a custom ML algorithm. The scores get
> > > adjusted everyday based on the performance of the RBLs. I don’t reject
> > > based on SPF, DMARC, or DKIM.
> > >
> > > However i do have spam detection powered by RSPAMD, which takes into
> > > account SPF,DKIM,DMARC and host of other stuff. right now experimenting
> > > with LLMs as tool to detect SPAM apart from the standard baye’s.
> > >
> > > On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote:
> > >
> > > > On 30.07.2024 at 12:38:15 Matus UHLAR - fantomas via
> > > > Postfix-users wrote:
> > > >
> > > > > > I filter messages only based on RBLs, manual blocklists and content
> > > > > > filtering (SA + many custom rules). And as for the latter, the messages are
> > > > > > sent to spam folder, never rejected. Rejections are based only on first two.
> > > > >
> > > > > Funny, since multiple people in the past recommended rejecting on
> > > > > spamminess, not on the results of single DNSBL listing.
> > > >
> > > > I use only two DNSBLs that - at least for me - seem to give almost no false
> > > > positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three -
> > > > instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and
> > > > sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org
> > > > seems to effectively combine these two, I changed it.
> > > >
> > > > Of course I always have the option to manually override DNSBL listing in my
> > > > manual access list, but I don't remember when I last had to use it.


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Laura Smith via Postfix-users
I too am interested in experiences with rspamd and LLMs, so if there is 
anything people don't want to share on-list, please loop me in. :)

Thanks !

Laura


On Tuesday, 30 July 2024 at 18:51, Walt E via Postfix-users 
 wrote:

> Can you share your experience on LLM for rspamd? Any links/resources are
> appreciated.
> 
> Thank you
> 
> On 2024-07-30 21:42, chandan via Postfix-users wrote:
> 
> > In POSTSCREEN i use 12 blocklists and whitelists. each is given a
> > particular score based on a custom ML algorithm. The scores get
> > adjusted everyday based on the performance of the RBLs. I don’t reject
> > based on SPF, DMARC, or DKIM.
> > 
> > However i do have spam detection powered by RSPAMD, which takes into
> > account SPF,DKIM,DMARC and host of other stuff. right now experimenting
> > with LLMs as tool to detect SPAM apart from the standard baye’s.
> > 
> > On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote:
> > 
> > > On 30.07.2024 at 12:38:15 Matus UHLAR - fantomas via
> > > Postfix-users wrote:
> > >
> > > > > I filter messages only based on RBLs, manual blocklists and content
> > > > > filtering (SA + many custom rules). And as for the latter, the messages are
> > > > > sent to spam folder, never rejected. Rejections are based only on first two.
> > > >
> > > > Funny, since multiple people in the past recommended rejecting on
> > > > spamminess, not on the results of single DNSBL listing.
> > >
> > > I use only two DNSBLs that - at least for me - seem to give almost no false
> > > positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three -
> > > instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and
> > > sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org
> > > seems to effectively combine these two, I changed it.
> > >
> > > Of course I always have the option to manually override DNSBL listing in my
> > > manual access list, but I don't remember when I last had to use it.


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Walt E via Postfix-users
Can you share your experience on LLM for rspamd? Any links/resources are 
appreciated.


Thank you

On 2024-07-30 21:42, chandan via Postfix-users wrote:
> In POSTSCREEN i use 12 blocklists and whitelists. each is given a
> particular score based on a custom ML algorithm. The scores get
> adjusted everyday based on the performance of the RBLs. I don’t reject
> based on SPF, DMARC, or DKIM.
>
> However i do have spam detection powered by RSPAMD, which takes into
> account SPF,DKIM,DMARC and host of other stuff. right now experimenting
> with LLMs as tool to detect SPAM apart from the standard baye’s.
>
> On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote:
> > On 30.07.2024 at 12:38:15 Matus UHLAR - fantomas via
> > Postfix-users wrote:
> >
> > > > I filter messages only based on RBLs, manual blocklists and content
> > > > filtering (SA + many custom rules). And as for the latter, the messages are
> > > > sent to spam folder, never rejected. Rejections are based only on first two.
> > >
> > > Funny, since multiple people in the past recommended rejecting on
> > > spamminess, not on the results of single DNSBL listing.
> >
> > I use only two DNSBLs that - at least for me - seem to give almost no false
> > positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three -
> > instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and
> > sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org
> > seems to effectively combine these two, I changed it.
> >
> > Of course I always have the option to manually override DNSBL listing in my
> > manual access list, but I don't remember when I last had to use it.



[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Gilgongo via Postfix-users
Thanks for all the replies on this - food for thought! Seems the general
consensus is that while in theory I should reject for p=reject (since
that's what the sender wants me to do), in practice things like mailing
lists and other forwarding conditions make that unsafe (and to a lesser
extent the same applies to SPF and DKIM). At least in terms of a
binary decision. So I think I'll stick with what I have and perhaps
experiment with some SA scoring tweaks.

I should perhaps mention that I'm more concerned about spam coming out of
our network via forwarding than I am about annoying our local
recipients (and we use SRS).

BTW various RBLs were mentioned - was going to ask a question on that, but
will do so in a different thread.


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Tue, Jul 30, 2024 at 10:23:28AM +0100, Gilgongo via Postfix-users wrote:
> 
> > What do others do with DMARC? I'm inclined to just gradually turn up the SA
> > scores on  SPF/DKIM failures instead, if only because
> > Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
> > presumably for a reason.
> 
> My MTA ignores SPF and DKIM, and naturally also does not enforce DMARC.
> Do what makes most sense for your users.  If they're savvy enough to
> not be easily phished via email, it makes sense to not risk rejecting
> mail that fails for spurious reasons.

My Postfix also ignores SPF, DKIM, and DMARC. I publish SPF, DKIM, and
DMARC only to satisfy Gmail etc. requirements.

Wietse


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread chandan via Postfix-users
In POSTSCREEN i use 12 blocklists and whitelists. each is given a 
particular score based on a custom ML algorithm. The scores get adjusted 
everyday based on the performance of the RBLs. I don’t reject based on 
SPF, DMARC, or DKIM.


However i do have spam detection powered by RSPAMD, which takes into 
account SPF,DKIM,DMARC and host of other stuff. right now experimenting 
with LLMs as tool to detect SPAM apart from the standard baye’s.


On 2024-07-30 11:52, Jaroslaw Rafa via Postfix-users wrote:
> On 30.07.2024 at 12:38:15 Matus UHLAR - fantomas via
> Postfix-users wrote:
>
> > > I filter messages only based on RBLs, manual blocklists and content
> > > filtering (SA + many custom rules). And as for the latter, the messages are
> > > sent to spam folder, never rejected. Rejections are based only on first two.
> >
> > Funny, since multiple people in the past recommended rejecting on
> > spamminess, not on the results of single DNSBL listing.
>
> I use only two DNSBLs that - at least for me - seem to give almost no false
> positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three -
> instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and
> sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org
> seems to effectively combine these two, I changed it.
>
> Of course I always have the option to manually override DNSBL listing in my
> manual access list, but I don't remember when I last had to use it.



[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Bill Cole via Postfix-users

On 2024-07-30 at 05:23:28 UTC-0400 (Tue, 30 Jul 2024 10:23:28 +0100)
Gilgongo via Postfix-users
is rumored to have said:

> I've recently installed and configured openDMARC. I see it marks perhaps
> 20-30% of domains as "fail" but I've not set it to reject those yet.
>
> I also see Spamassassin doesn't give particularly high scores for SPF/DKIM
> failures,

That's because both SPF and DKIM failures DO NOT correlate strongly to a
message being spam.

They never have. I expect that they never will.

> and Mail::SpamAssassin::Plugin::DMARC (not that it comes as
> standard) seems to have quite low scores by default too. So I'm a bit wary
> of false positives if I tell openDMARC to reject.

Whether you reject based on DMARC failure should be determined in large
part by the policy expressed in the DMARC record. If it says "p=reject"
then the domain owner WANTS DMARC failures to be rejected outright. You
do not need to follow that but it is a clear expression of a policy
choice unilaterally predefining DMARC-failed messages as invalid.

I see no reason not to punish them for that choice by giving them what
they want. However, that's a local policy decision that is not
universally acceptable. SpamAssassin is about spam, not about policy
enforcement, so if you want to reject messages solely for DMARC failure,
you have to explicitly configure that yourself.

> What do others do with DMARC?

I see it as only useful as the basis for local specific domain-based
trust, e.g. welcomelist_auth (and for the related default welcomelist.)

> I'm inclined to just gradually turn up the SA
> scores on  SPF/DKIM failures instead, if only because
> Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
> presumably for a reason.

It is included in v4, because it was built for v4. I'm mildly surprised
that it works at all with v3.x. Take it up with your distro packager if
you think they should become current or just update it yourself. CPAN
can work to do the upgrade if you understand how to install but not
test as root, however this may not be wise on distros that do
substantial customization of SA. (i.e. Debian-based)



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Matus UHLAR - fantomas via Postfix-users

>On 30.07.2024 at 12:38:15 Matus UHLAR - fantomas via Postfix-users wrote:
>>>I filter messages only based on RBLs, manual blocklists and content
>>>filtering (SA + many custom rules). And as for the latter, the messages are
>>>sent to spam folder, never rejected. Rejections are based only on first two.
>>
>>Funny, since multiple people in the past recommended rejecting on
>>spamminess, not on the results of single DNSBL listing.

On 30.07.24 13:52, Jaroslaw Rafa via Postfix-users wrote:
>I use only two DNSBLs that - at least for me - seem to give almost no false
>positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three -
>instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and
>sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org
>seems to effectively combine these two, I changed it.

I use nearly the same combination, I just used zen for years (sbl-xbl + pbl) and
safe.dnsbl.sorbs.net (dul + others).

I also use dnswl with negative score (postscreen) and on some servers I need
more than one hit to reject mail, so one listing is not enough for
rejection.

>Of course I always have the option to manually override DNSBL listing in my
>manual access list, but I don't remember when I last had to use it.

The same.

What I wanted to say is that some people in the past have recommended only
using DNSBLs for content filtering, not at SMTP level, thus just the
opposite as you
- only reject based on content filtering, not just on DNSBL listings.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Jaroslaw Rafa via Postfix-users
On 30.07.2024 at 12:38:15 Matus UHLAR - fantomas via Postfix-users wrote:
> >I filter messages only based on RBLs, manual blocklists and content
> >filtering (SA + many custom rules). And as for the latter, the messages are
> >sent to spam folder, never rejected. Rejections are based only on first two.
> 
> Funny, since multiple people in the past recommended rejecting on
> spamminess, not on the results of single DNSBL listing.

I use only two DNSBLs that - at least for me - seem to give almost no false
positives - bl.spamcop.net and zen.spamhaus.org. In the past I used three -
instead of zen.spamhaus.org I was using dul.dnsbl.sorbs.net and
sbl-xbl.spamhaus.org. But because sorbs.net went down, and zen.spamhaus.org
seems to effectively combine these two, I changed it.

Of course I always have the option to manually override DNSBL listing in my
manual access list, but I don't remember when I last had to use it.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 30, 2024 at 10:23:28AM +0100, Gilgongo via Postfix-users wrote:

> What do others do with DMARC? I'm inclined to just gradually turn up the SA
> scores on  SPF/DKIM failures instead, if only because
> Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
> presumably for a reason.

My MTA ignores SPF and DKIM, and naturally also does not enforce DMARC.
Do what makes most sense for your users.  If they're savvy enough to
not be easily phished via email, it makes sense to not risk rejecting
mail that fails for spurious reasons.

-- 
Viktor.


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Matus UHLAR - fantomas via Postfix-users

>On 30.07.2024 at 10:23:28 Gilgongo via Postfix-users wrote:
>>What do others do with DMARC? I'm inclined to just gradually turn up the SA
>>scores on  SPF/DKIM failures instead, if only because
>>Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
>>presumably for a reason.

So far I only reject based on SPF.

I was thinking about rejecting DMARC failures with policy reject, but not
yet.

On 30.07.24 12:06, Jaroslaw Rafa via Postfix-users wrote:
>I don't check neither SPF, DKIM nor DMARC on incoming mail and don't plan
>to. I use it only for outgoing mail and only because Google (and perhaps
>some other "big guys") de facto requires it.
>
>I filter messages only based on RBLs, manual blocklists and content
>filtering (SA + many custom rules). And as for the latter, the messages are
>sent to spam folder, never rejected. Rejections are based only on first two.

Funny, since multiple people in the past recommended rejecting on
spamminess, not on the results of single DNSBL listing.

Of course, that's your policy.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Jaroslaw Rafa via Postfix-users
On 30.07.2024 at 10:23:28 Gilgongo via Postfix-users wrote:
> What do others do with DMARC? I'm inclined to just gradually turn up the SA
> scores on  SPF/DKIM failures instead, if only because
> Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
> presumably for a reason.

I don't check neither SPF, DKIM nor DMARC on incoming mail and don't plan
to. I use it only for outgoing mail and only because Google (and perhaps
some other "big guys") de facto requires it.

I filter messages only based on RBLs, manual blocklists and content
filtering (SA + many custom rules). And as for the latter, the messages are
sent to spam folder, never rejected. Rejections are based only on first two.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Do you reject DMARC failures?

2024-07-30 Thread Walt E via Postfix-users

On 2024-07-30 17:23, Gilgongo via Postfix-users wrote:
> I've recently installed and configured openDMARC. I see it marks perhaps
> 20-30% of domains as "fail" but I've not set it to reject those yet.



In our dmarc setup, we will reject the message if it fails (p=reject and 
dkim/spf verification fails). But this is just use case in our end, you 
should make your own policy.


Thanks.


[pfx] Do you reject DMARC failures?

2024-07-30 Thread Serhii via Postfix-users
For some mailing lists you have to be lax on DMARC failures because they 
overwrite email body and aren't rewriting header From.


[pfx] Do you reject DMARC failures?

2024-07-30 Thread Gilgongo via Postfix-users
I've recently installed and configured openDMARC. I see it marks perhaps
20-30% of domains as "fail" but I've not set it to reject those yet.

I also see Spamassassin doesn't give particularly high scores for SPF/DKIM
failures, and Mail::SpamAssassin::Plugin::DMARC (not that it comes as
standard) seems to have quite low scores by default too. So I'm a bit wary
of false positives if I tell openDMARC to reject.

What do others do with DMARC? I'm inclined to just gradually turn up the SA
scores on  SPF/DKIM failures instead, if only because
Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
presumably for a reason.

Jonathan


[pfx] Re: how to reject a domain delivery

2024-06-29 Thread Corey Hickman via Postfix-users
that's the nice solution. thanks.


> Corey Hickman via Postfix-users:
> > Hello
> >
> > I have basic postfix/dovecot installation.
> > How can I setup postfix or dovecot to reject the specified domain in
> > sender?
> > I know I can setup sieve script to discard messages from that
> > domain, but this method sounds rather rigid.
>
> If the list is short, it can go in main.cf:
>
> /etc/postfix/main.cf:
>     smtpd_sender_restrictions = inline:{
>         { example.com = reject }
>         { other.example = reject} }
>
> Otherwise some external file will do:
>
> /etc/postfix/main.cf:
>     smtpd_sender_restrictions = hash:/etc/postfix/sender-access
>
> /etc/postfix/sender-access:
>     example.com reject
>     other.example reject
>
> Run "postmap /etc/postfix/sender-access" after editing the file.
>
> > Or shall I install rspamd etc to make a reject policy for that?
>
> That would work too, as long as rspamd etc are called from a Postfix
> SMTP daemon that receives mail directly from the network (not from
> a Postfix SMTP daemon that receives mail from a content filter).
>
> Wietse


[pfx] Re: how to reject a domain delivery

2024-06-29 Thread Wietse Venema via Postfix-users
Corey Hickman via Postfix-users:
> Hello
> 
> I have basic postfix/dovecot installation.
> How can I setup postfix or dovecot to reject the specified domain in sender?
> I know I can setup sieve script to discard messages from that
> domain, but this method sounds rather rigid.

If the list is short, it can go in main.cf:

/etc/postfix/main.cf:
    smtpd_sender_restrictions = inline:{
        { example.com = reject }
        { other.example = reject} }

Otherwise some external file will do:

/etc/postfix/main.cf:
    smtpd_sender_restrictions = hash:/etc/postfix/sender-access

/etc/postfix/sender-access:
    example.com reject
    other.example reject

Run "postmap /etc/postfix/sender-access" after editing the file.

> Or shall I install rspamd etc to make a reject policy for that?

That would work too, as long as rspamd etc are called from a Postfix
SMTP daemon that receives mail directly from the network (not from
a Postfix SMTP daemon that receives mail from a content filter).

Wietse


[pfx] how to reject a domain delivery

2024-06-29 Thread Corey Hickman via Postfix-users
Hello

I have basic postfix/dovecot installation.
How can I setup postfix or dovecot to reject the specified domain in sender?
I know I can setup sieve script to discard messages from that domain, but this 
method sounds rather rigid.

Or shall I install rspamd etc to make a reject policy for that?

Thanks & regards.
Corey H


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Bastian Blank via Postfix-users
On Thu, Jun 20, 2024 at 01:02:36PM -0400, postfix--- via Postfix-users wrote:
> > Then you can not use this e-mail address as envelope sender.  People
> > will do sender callout and then reject all e-mail with this as sender.
> An option is to have noreply@ delivered to /dev/null. It's valid and a trash 
> can.

No, you need to handle bounces and those are sent to the envelope
sender.

Bastian

-- 
War is never imperative.
-- McCoy, "Balance of Terror", stardate 1709.2


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread postfix--- via Postfix-users

>> Is an automated/unattended email notifying the user about something,
>> providing proper ways of contacting. As this email is not read in any way,
>> rejecting the mail would be a better way to handle than an automatic
>> response. IMHO.
>
> Then you can not use this e-mail address as envelope sender.  People
> will do sender callout and then reject all e-mail with this as sender.

An option is to have noreply@ delivered to /dev/null. It's valid and a trash
can.



[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Jaroslaw Rafa via Postfix-users
On 20.06.2024 at 09:08:39, Bastian Blank via Postfix-users wrote:
> Then you can not use this e-mail address as envelope sender.  People
> will do sender callout and then reject all e-mail with this as sender.

Sender callout is discouraged now, because it is considered aggressive
behavior by most mail providers, and if you routinely do sender callout, you
may end up being blacklisted and having trouble when sending email yourself.

I personally don't agree with this, but this is the position most mail
server operators are taking now.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Jaroslaw Rafa via Postfix-users
On 20.06.2024 at 08:51:33, Alexander Leidinger via Postfix-users wrote:
> 
> This implies that the organization / company is willing to spend
> money on having someone available to actually respond / provide
> support. For a lot of the use cases I would say even a mail to
> ticket system gateway is out of the willingness to spend money on.
> So any technical solution you can propose here, will be way out of
> the area of interest of those people which will make those
> decisions.

They should not be *sending* any mail then. Simple enough?
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Ralph Seichter via Postfix-users
* Tan Mientras via Postfix-users:

> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting.

"Proper" is for the recipients of your messages to be able to use the
reply function in their MUA, to ask for clarification/assistance in
regards to the message you sent to them.

> As this email is not read in any way, rejecting the mail would be a
> better way to handle than an automatic response. IMHO.

The better way, as you put it, would be a process where there is not
merely an automatic response, but having replies read/answered by
somebody in your organisation. Ticket tracking systems can be used if
scaling is an issue. In my opinion, rejecting replies to email
communication your organisation initiated shows similarities to a
drive-by-shooting, in the broad sense that your organisation hopes to
"get the message out" but avoid the consequences of their actions. This
is of course a dramatic comparison, not to be taken literally.

-Ralph


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Matus UHLAR - fantomas via Postfix-users

>> Then you can not use this e-mail address as envelope sender.  People
>> will do sender callout and then reject all e-mail with this as sender.

On 20.06.24 11:22, Tan Mientras via Postfix-users wrote:
> Sorry. I'm lost in translation. Could you elaborate/ELI5?
>
> This address is not and will never receive/read any messages. Is an
> automated message to notify users they must change their password.

there are servers that do sender verification.

They will join your server and if you reject mail for that address, they
will reject mail from that address.

If you want to send mail from an address, make sure that address is
deliverable.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Tan Mientras via Postfix-users
>
> Then you can not use this e-mail address as envelope sender.  People
> will do sender callout and then reject all e-mail with this as sender.
>

Sorry. I'm lost in translation. Could you elaborate/ELI5?

This address is not and will never receive/read any messages. Is an
automated message to notify users they must change their password.


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-20 Thread Bastian Blank via Postfix-users
On Thu, Jun 20, 2024 at 07:47:19AM +0200, Tan Mientras via Postfix-users wrote:
> @Ralph
> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting. As this email is not read in any way,
> rejecting the mail would be a better way to handle than an automatic
> response. IMHO.

Then you can not use this e-mail address as envelope sender.  People
will do sender callout and then reject all e-mail with this as sender.

Bastian

-- 
Witch!  Witch!  They'll burn ya!
-- Hag, "Tomorrow is Yesterday", stardate unknown


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Alexander Leidinger via Postfix-users

On 2024-06-20 08:21, Peter via Postfix-users wrote:
> On 20/06/24 17:47, Tan Mientras via Postfix-users wrote:
>> So many replies!
>>
>> @Ralph
>> Is an automated/unattended email notifying the user about something,
>> providing proper ways of contacting. As this email is not read in any
>> way, rejecting the mail would be a better way to handle than an
>> automatic response. IMHO.
>
> A better way would be to set the From: address to someone that will
> actually respond from your organization (e.g. info@, help@, etc).

This implies that the organization / company is willing to spend money 
on having someone available to actually respond / provide support. For a 
lot of the use cases I would say even a mail to ticket system gateway is 
out of the willingness to spend money on. So any technical solution you 
can propose here, will be way out of the area of interest of those 
people which will make those decisions.


Bye,
Alexander.

--
http://www.Leidinger.net  alexan...@leidinger.net : PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org    : PGP 0x8F31830F9F2772BF




[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Peter via Postfix-users

On 20/06/24 17:47, Tan Mientras via Postfix-users wrote:
> So many replies!
>
> @Ralph
> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting. As this email is not read in any
> way, rejecting the mail would be a better way to handle than an
> automatic response. IMHO.

A better way would be to set the From: address to someone that will
actually respond from your organization (e.g. info@, help@, etc).

> @Peter
> My /etc/postfix/no-reply_reject contains lines like:
> do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not
> reply to this email.

This should work unless you have ldap users that return a permit or OK
action.



Peter


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Tan Mientras via Postfix-users
Got some news!

When sending emails from my domain (to my domain), rejection IS applied
(and message displayed to the client MUA)

When sending emails from Office365, rejection is shown in the logs, but
message is considered sent for the client (no message)

Is this meaningful for you?


On Thu, Jun 20, 2024 at 7:47 AM Tan Mientras  wrote:

> So many replies!
>
> @Ralph
> Is an automated/unattended email notifying the user about something,
> providing proper ways of contacting. As this email is not read in any way,
> rejecting the mail would be a better way to handle than an automatic
> response. IMHO.
>
> @Peter
> My /etc/postfix/no-reply_reject contains lines like:
> do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not
> reply to this email.
>
> Regards
>


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Tan Mientras via Postfix-users
So many replies!

@Ralph
Is an automated/unattended email notifying the user about something,
providing proper ways of contacting. As this email is not read in any way,
rejecting the mail would be a better way to handle than an automatic
response. IMHO.

@Peter
My /etc/postfix/no-reply_reject contains lines like:
do-not-re...@domain.tld REJECT This mailbox is not attended/read. Do not
reply to this email.

Regards


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Peter via Postfix-users

On 20/06/24 04:35, John Levine via Postfix-users wrote:
> It appears that Peter via Postfix-users  said:
>> On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>>> Hi
>>>
>>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>>
>> There is no such thing as a no-reply email, there is no part of the
>> email specification that allows a message to be marked as unable to be
>> replied to.
>
> You might want to take a look at RFCs 7504 and 7505.

Those discuss means by which an entire domain or server can be set to
not accept mail.  I'm referring to setting the envelope sender and/or
From: header in a message to an invalid address which is questionable at
best and disallowed by RFC at worst.

IRT the Envelope sender see RFC 5321 4.5.5 where it says:

"All other types of messages (i.e., any message which is not required by
a Standards-Track RFC to have a null reverse-path) SHOULD be sent with a
*valid* (emphasis added), non-null reverse-path."

In this case "reverse-path" is a reference to the envelope sender.

For the From: header RFC5322 3.6.2 says:

"In all cases, the "From:" field SHOULD NOT contain any mailbox that
does not belong to the author(s) of the message."

...which at the very least strongly suggests that the mailbox should be
valid.

> I do agree that sending mail you can't reply to is rude, regardless
> of the technical details.

Indeed, and how difficult is it for these companies to set it to a help@
or info@ mailbox anyways?



Peter


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Ralph Seichter via Postfix-users:
> * Ansgar Wiechers via Postfix-users:
> 
> > [...]
> 
> Did I ever send mail to you using the mailing list address you got
> barred from targeting, or send mail to you at all from my servers? No,
> I did not.
> 
> You tried to initiate communication by sending mail to an address you
> had no reason to contact, this being a mailing list, and you were thus
> redirected to a page explaining how you could ask for permission to send
> to said protected address in case you had a legitimate reason to (which
> you don't). I have also provided an unrestricted email address so
> anybody can send mail to in order to ask for clearance for the protected
> address, something which you didn't do.
> 
> All this is nothing like using a no-reply address, which is easy enough
> to understand. TL;DR: Apples and oranges.
> 
> > Guess what just happened to horus-it.com on my mail server.
> 
> Go on, guess if I care. :-)

No, don't. Please take this off-list.

Wietse


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ralph Seichter via Postfix-users
* Ansgar Wiechers via Postfix-users:

> [...]

Did I ever send mail to you using the mailing list address you got
barred from targeting, or send mail to you at all from my servers? No,
I did not.

You tried to initiate communication by sending mail to an address you
had no reason to contact, this being a mailing list, and you were thus
redirected to a page explaining how you could ask for permission to send
to said protected address in case you had a legitimate reason to (which
you don't). I have also provided an unrestricted email address so
anybody can send mail to in order to ask for clearance for the protected
address, something which you didn't do.

All this is nothing like using a no-reply address, which is easy enough
to understand. TL;DR: Apples and oranges.

> Guess what just happened to horus-it.com on my mail server.

Go on, guess if I care. :-)

-Ralph


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread John Levine via Postfix-users
It appears that Peter via Postfix-users  said:
>On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
>> Hi
>> 
>> *Trying to setup email REJECT when users try to send to a no-reply email.*
>
>There is no such thing as a no-reply email, there is no part of the 
>email specification that allows a message to be marked as unable to be 
>replied to.

You might want to take a look at RFCs 7504 and 7505.

I do agree that sending mail you can't reply to is rude, regardless
of the technical details.

R's,
John


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ansgar Wiechers via Postfix-users
On 2024-06-19 Ralph Seichter via Postfix-users wrote:
> * Bjoern Franke via Postfix-users:
> 
> > From: Ralph Seichter via Postfix-users 
> > Reply-To: Ralph Seichter 
> 
> Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of
> using "nore...@foo.bar" type addresses remains unchanged, however. If
> sender A sends mail to recipient B, A needs to be prepared to receive a
> response from B. Proper email communication is not a hit-and-run.

Umm... yeah. Let's see ...

| : host ra.horus-it.com[65.108.3.114] said: 451 4.7.1
| Policy violation; see https://www.horus-it.com/policy3/?S=5 (in reply to
| end of DATA command)

Quoting from that page:

| What does it mean?
|
| The owner of address name@example.domain has decided to only accept
| correspondence from a list of known contacts, which is usually done to
| counter address harvesting, and your sender address was rejected
| because it is not a member of said list.
|
| How can I register as a contact?
|
| If you have a legitimate reason to send email to this particular
| recipient address, please write to postmaster@example.domain first.
| State the full sender and recipient addresses, and explain why you
| require clearance. If the recipient agrees to accept your request, you
| will usually receive a notification within two working days.

Oh, well. Guess what just happened to horus-it.com on my mail server.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ralph Seichter via Postfix-users
* Bjoern Franke via Postfix-users:

> From: Ralph Seichter via Postfix-users 
> Reply-To: Ralph Seichter 

Dang, blindsided by Mailman 3, sorry. What I wrote about my dislike of
using "nore...@foo.bar" type addresses remains unchanged, however. If
sender A sends mail to recipient B, A needs to be prepared to receive a
response from B. Proper email communication is not a hit-and-run.

-Ralph


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Wietse Venema via Postfix-users
Gary R. Schmidt via Postfix-users:
[reply-to header]
> He didn't do it - it's being added by Mailman.  Whether by default or
> deliberately I do not know.

This is damage control for DMARC. The mailing list address goes in
the From: header, and the poster's email address goes in Reply-To:
so that list members can still choose between replying to the poster
or to the list.

Wietse
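
The effect described above, together with the list problem Serhii raised in the DMARC thread, as an added Python model (not code from the thread, Mailman or OpenDMARC). The domains and check results are constructed, and relaxed alignment is approximated by comparing the last two DNS labels instead of using the Public Suffix List.

```python
"""Model of DMARC evaluation for list mail, before and after From: rewriting.

Simplification (assumption): the organizational domain is taken to be the
last two DNS labels. Real implementations consult the Public Suffix List.
All domains and SPF/DKIM outcomes below are constructed sample values.
"""


def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, other_domain):
    """Relaxed identifier alignment between From: and another domain."""
    return org_domain(from_domain) == org_domain(other_domain)


def dmarc_result(from_domain, spf_pass, mailfrom_domain, dkim_sigs):
    """Return "pass" or "fail" for one message.

    dkim_sigs is a list of (d= domain, signature verified?) tuples.
    DMARC passes when SPF or DKIM passes AND that identifier is aligned
    with the domain in the From: header.
    """
    spf_ok = spf_pass and aligned(from_domain, mailfrom_domain)
    dkim_ok = any(ok and aligned(from_domain, d) for d, ok in dkim_sigs)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def disposition(result, policy):
    """What a receiver that honours the published policy would do."""
    if result == "pass" or policy == "none":
        return "deliver"
    return policy  # "quarantine" or "reject"


def direct_post():
    # Poster mails a recipient directly: SPF and DKIM both align.
    return dmarc_result("poster.example", True, "poster.example",
                        [("poster.example", True)])


def via_list_from_unchanged():
    # The list adds a footer, so the poster's DKIM signature no longer
    # verifies; SPF passes, but only for the list's own bounce domain.
    return dmarc_result("poster.example", True, "lists.example",
                        [("poster.example", False)])


def via_list_from_rewritten():
    # The list puts its own address in From: (poster goes to Reply-To:),
    # so the list's SPF and DKIM identifiers are now the aligned ones.
    return dmarc_result("lists.example", True, "lists.example",
                        [("poster.example", False), ("lists.example", True)])


if __name__ == "__main__":
    for scenario in (direct_post, via_list_from_unchanged,
                     via_list_from_rewritten):
        result = scenario()
        print(scenario.__name__, result, disposition(result, "reject"))
```
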



[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Gary R. Schmidt via Postfix-users

On 19/06/2024 18:19, Bjoern Franke via Postfix-users wrote:
> Hi,
>
>> Personally, I find this type of one-way communication annoying and
>> impolite. The same goes for setting Reply-To to your personal email
>> address after asking for help on a public mailing list.
>
> Like you did yourself?
>
> From: Ralph Seichter via Postfix-users
> Reply-To: Ralph Seichter

He didn't do it - it's being added by Mailman.  Whether by default or
deliberately I do not know.

And I have to apologise to whoever it was I told off previously for
doing it, sorry.

Cheers,
Gary B-)


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Bjoern Franke via Postfix-users

Hi,

> Personally, I find this type of one-way communication annoying and
> impolite. The same goes for setting Reply-To to your personal email
> address after asking for help on a public mailing list.

Like you did yourself?

From: Ralph Seichter via Postfix-users 
Reply-To: Ralph Seichter 

Regards
Bjoern


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Peter via Postfix-users

On 19/06/24 18:51, Tan Mientras via Postfix-users wrote:
> Hi
>
> *Trying to setup email REJECT when users try to send to a no-reply email.*

There is no such thing as a no-reply email, there is no part of the
email specification that allows a message to be marked as unable to be
replied to.  Many people think they can send a no-reply message by
setting the localpart of the From: header to "no-reply" "noreply" or
similar but this is not part of any official specification, nor does it
prevent someone from replying to that email address.

All that is said because no-re...@example.com could be a perfectly valid
email address fully capable of accepting messages, and as such you might
want to re-think your policy of blocking messages to such addresses.
Note that if the mailbox is truly invalid then the receiving MX should
issue an appropriate rejection which your server can then pass back to
the user in the form of a DSN (bounce message).

> AFAIK, this should be configured on smtpd_recipient_restrictions using
> check_recipient_access. Please, let me know if I'm wrong.

Yes that can be used to reject messages to recipients that match a
certain pattern in the recipient's address, one such pattern being any
address with a local part of "noreply".

> It's not working, so maybe it's because I don't know if rules are
> applied on first match or combined (ie: if a reject is found, is
> immediately rejected or it might be permitted by another rule).

Rules are checked in the order they are encountered with the first
permit or reject stopping the checks of that particular restrictions.

> This is /approximately/ my configuration:
>
> smtpd_recipient_restrictions =
>      check_recipient_access ldap:ext2int, #allows any ldap account

If this returns OK or permit then the following rule will not be checked.

>      check_recipient_access hash:/etc/postfix/no-reply_reject, #reject no-reply

What this does will depend on the content of
/etc/postfix/no-reply_reject (which you did not show).

>      reject_authenticated_sender_login_mismatch,
>      permit_sasl_authenticated,

This will stop processing if the user is authenticated and permit the
message.

>      reject_unauth_destination,

This rule is redundant, because it can only either reject or fall down
to the next rule

>      reject

...which will always reject, so the last two rules will always reject
regardless.



Peter
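
A simplified model of the first-match evaluation described in the message above, added here as an illustration; it is not code from the thread or from Postfix. The table contents, the assumption that the LDAP lookup answers OK for the no-reply address, and the omission of reject_authenticated_sender_login_mismatch are choices made for the example.

```python
# Simplified model (not Postfix code) of first-match evaluation in one
# smtpd restriction list. All table contents are constructed assumptions.
LDAP_ACCOUNTS = {"alice@example.test", "do-not-reply@example.test"}
NO_REPLY_TABLE = {
    "do-not-reply@example.test":
        "REJECT This mailbox is not attended/read.",
}
LOCAL_DOMAINS = {"example.test"}


def ldap_ext2int(req):
    # Assumption: the LDAP table answers OK for every account it knows.
    return "OK" if req["recipient"] in LDAP_ACCOUNTS else "DUNNO"


def no_reply_reject(req):
    return NO_REPLY_TABLE.get(req["recipient"], "DUNNO")


def permit_sasl_authenticated(req):
    return "OK" if req["sasl_username"] else "DUNNO"


def reject_unauth_destination(req):
    domain = req["recipient"].rpartition("@")[2]
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT Relay access denied"


def reject(req):
    return "REJECT Access denied"


# Order as in the posted configuration.
AS_POSTED = [
    ("check_recipient_access ldap:ext2int", ldap_ext2int),
    ("check_recipient_access hash:no-reply_reject", no_reply_reject),
    ("permit_sasl_authenticated", permit_sasl_authenticated),
    ("reject_unauth_destination", reject_unauth_destination),
    ("reject", reject),
]
# Same restrictions with the no-reply table consulted first.
REORDERED = [AS_POSTED[1], AS_POSTED[0]] + AS_POSTED[2:]


def evaluate(restrictions, recipient, sasl_username=None):
    """Return (result, deciding restriction) for one RCPT TO."""
    req = {"recipient": recipient, "sasl_username": sasl_username}
    for name, check in restrictions:
        result = check(req)
        # DUNNO means "no opinion": keep going. OK or REJECT ends the list.
        if result != "DUNNO":
            return result, name
    return "DUNNO", None


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for rcpt in ("do-not-reply@example.test", "alice@example.test",
                     "bob@elsewhere.test"):
            print(label, rcpt, evaluate(rules, rcpt))
```
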


[pfx] Re: REJECT sending mails to no-reply accounts

2024-06-19 Thread Ralph Seichter via Postfix-users
* Tan Mientras via Postfix-users:

> Trying to setup email REJECT when users try to send to a no-reply
> email.

Personally, I find this type of one-way communication annoying and
impolite. The same goes for setting Reply-To to your personal email
address after asking for help on a public mailing list.

-Ralph


[pfx] REJECT sending mails to no-reply accounts

2024-06-18 Thread Tan Mientras via Postfix-users
Hi

*Trying to setup email REJECT when users try to send to a no-reply email.*

AFAIK, this should be configured on smtpd_recipient_restrictions using
check_recipient_access. Please, let me know if I'm wrong.

It's not working, so maybe it's because I don't know if rules are applied
on first match or combined (ie: if a reject is found, is immediately
rejected or it might be permitted by another rule).

This is *approximately* my configuration:

smtpd_recipient_restrictions =
     check_recipient_access ldap:ext2int, #allows any ldap account
     check_recipient_access hash:/etc/postfix/no-reply_reject, #reject no-reply
     reject_authenticated_sender_login_mismatch,
     permit_sasl_authenticated,
     reject_unauth_destination,
     reject

Thanks


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 16, 2024 at 01:41:44PM -0400, John Levine via Postfix-users wrote:

> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?

If the allowed recipients are the same for all restricted senders, this
fits reasonably well within existing built-in Postfix access(5)
facilities.

> Can I do something like put check_recipient_access as the action in the 
> check_sender_access table?

As noted by others, http://www.postfix.org/RESTRICTION_CLASS_README.html
but only if there aren't too many distinct product sets of
sender+recipient policies.

Otherwise a custom policy service can consult a database keyed by sender
and recipient and barring a hit, just by sender to find a default
action.  http://www.postfix.org/SMTPD_POLICY_README.html

-- 
Viktor.
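
One way the policy-service lookup described above could look, as an added sketch that is not code from the thread or from Postfix: it speaks the name=value request format of SMTPD_POLICY_README, tries the (sender, recipient) pair first and falls back to a per-sender default. The addresses, reject text and port 9998 are constructed values.

```python
"""Sketch of a Postfix policy-delegation server keyed by sender+recipient.

Request format: name=value lines terminated by an empty line.
Reply format: "action=..." followed by an empty line.
All policy data and the listening port are constructed examples.
"""
import socketserver

# (sender, recipient) pairs that are explicitly allowed.
PAIR_POLICY = {
    ("joe_user@some.example", "foo@one.example"): "OK",
    ("joe_user@some.example", "bar@two.example"): "OK",
}
# Default action for a restricted sender when no pair matches.
SENDER_DEFAULT = {
    "joe_user@some.example": "REJECT Sender may not mail this recipient",
}


def parse_request(text):
    """Parse one request into a dict; stop at the terminating empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the action for one request, DUNNO when there is no opinion."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    # Decide only at RCPT TO, where sender and recipient are both known.
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    sender = attrs.get("sender", "").lower()
    recipient = attrs.get("recipient", "").lower()
    action = PAIR_POLICY.get((sender, recipient))
    if action is None:
        # No hit on the pair: fall back to the sender's default, if any.
        action = SENDER_DEFAULT.get(sender, "DUNNO")
    return action


def format_reply(action):
    return "action=%s\n\n" % action


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may send several requests over one connection.
        lines = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            reply = format_reply(decide(parse_request("\n".join(lines))))
            self.wfile.write(reply.encode("utf-8"))
            self.wfile.flush()
            lines = []


if __name__ == "__main__":
    # main.cf would reference this service with, for example:
    #   check_policy_service inet:127.0.0.1:9998
    with socketserver.ThreadingTCPServer(("127.0.0.1", 9998),
                                         PolicyHandler) as server:
        server.serve_forever()
```
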


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John Levine via Postfix-users:
> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?

Here is a non-intuitive solution, based on
https://www.postfix.org/RESTRICTION_CLASS_README.html

/etc/postfix/main.cf:
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/restricted_senders

    smtpd_restriction_classes = joe_user_acl
    joe_user_acl =
        check_recipient_access hash:/etc/postfix/joe_user_recipients, reject

/etc/postfix/restricted_senders:
    joe_user@some.example  joe_user_acl

/etc/postfix/joe_user_recipients:
    foo@one.example OK
    bar@two.example OK

But this is non-intuitive and gives me a headache.

If milter-regex or postfwd can handle your use case, then that would
be more intuitive.

Wietse


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread Matus UHLAR - fantomas via Postfix-users

> It appears that Matus UHLAR - fantomas via Postfix-users said:
>> If one of recipients wants to accept mail from a sender while another
>> recipient doesn't, theoretically you can reject that sender at recipient
>> level, but that complicates configuration (but it's possible).
>> This would mean that for single mail to more recipients, sender gets
>> accepted and different recipients get refused.

On 16.06.24 13:41, John Levine via Postfix-users wrote:
> Turns out it's more complicated than I thought, they want a restricted
> sending address to be able to send only to particular recipients.
> Suggestions?
>
> Can I do something like put check_recipient_access as the action in the
> check_sender_access table?


you can use smtpd_restriction_classes to define class for each such sender 
and disable recipients in those classes:


http://www.postfix.org/RESTRICTION_CLASS_README.html

However that lists should be maintained by you, so I would think twice 
before providing users such service.


I advise you doing this at spam filter level.

Other possibilities are using separate milters or policy filters that would 
make this work - I don't know any



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


[pfx] Re: Fastest way to mostly reject unwanted sender

2024-06-16 Thread John Levine via Postfix-users
It appears that Matus UHLAR - fantomas via Postfix-users  
said:
>If one of recipients wants to accept mail from a sender while another 
>recipient doesn't, theoretically you can reject that sender at recipient 
>level, but that complicates configuration (but it's possible).
>This would mean that for single mail to more recipients, sender gets 
>accepted and different recipients get refused. 

Turns out it's more complicated than I thought, they want a restricted
sending address to be able to send only to particular recipients.
Suggestions?

Can I do something like put check_recipient_access as the action in the 
check_sender_access table?

R's,
John


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Noel Jones via Postfix-users

On 6/16/2024 9:06 AM, Wietse Venema via Postfix-users wrote:
> # Don't indent text between IF and ENDIF.
> IF /^MAIL FROM:/
> /^MAIL FROM:/ QUIT
> /^MAIL FROM:/ QUIT
> ...
> ENDIF




Seems like if this is talking to a real MTA this would be a 
connection amplifier. The sending MTA would see this as a non-fatal 
error and keep retrying until their queue expires, possibly hundreds 
of times over several days. In that case a regular old access table, 
maybe with smtpd_delay_reject=no, would be a better choice.




  -- Noel Jones


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users 
> wrote:
> > John R. Levine via Postfix-users:
> > > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > > I think postscreen can block them easily.
> > > 
> > > I'm looking at the postscreen man page and I don't see anything about
> > > mail addresses.  Am I missing something?
> > 
> > That is a bad suggestion, please ignore.
> > 
> > > I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> > > QUIT?
> > 
> > That would do the job. With regexp: or pcre: tables you may save
> > some CPU cycles with:
> > 
> > # Don't indent text between IF and ENDIF.
> > IF /^MAIL FROM:/
> > /^MAIL FROM:/ QUIT
> > /^MAIL FROM:/ QUIT
> > ...
> > ENDIF
> 
> What's wrong with simple literal access(5) checks on the envelope
> sender, one then also gets to log the rejected recipients assuming the
> default setting of "smtpd_delay_reject = yes".

True as a more general solution, but I don't think
that is required here.

> Regular expressions are much too fragile in the hands of most users.

I think that John has the competence to make that decision.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 16, 2024 at 10:06:41AM -0400, Wietse Venema via Postfix-users wrote:
> John R. Levine via Postfix-users:
> > On Sat, 15 Jun 2024, Jeff Peng wrote:
> > > I think postscreen can block them easily.
> > 
> > I'm looking at the postscreen man page and I don't see anything about mail 
> > addresses.  Am I missing something?
> 
> That is a bad suggestion, please ignore.
> 
> > I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> > QUIT?
> 
> That would do the job. With regexp: or pcre: tables you may save
> some CPU cycles with:
> 
> # Don't indent text between IF and ENDIF.
> IF /^MAIL FROM:/
> /^MAIL FROM:/ QUIT
> /^MAIL FROM:/ QUIT
> ...
> ENDIF

What's wrong with simple literal access(5) checks on the envelope
sender, one then also gets to log the rejected recipients assuming the
default setting of "smtpd_delay_reject = yes".

Regular expressions are much too fragile in the hands of most users.

-- 
Viktor.


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users:
> On Sat, 15 Jun 2024, Jeff Peng wrote:
> > I think postscreen can block them easily.
> 
> I'm looking at the postscreen man page and I don't see anything about mail 
> addresses.  Am I missing something?

That is a bad suggestion, please ignore.

> I do see smtpd_command_filter.  How about if I map MAIL FROM: to 
> QUIT?

That would do the job. With regexp: or pcre: tables you may save
some CPU cycles with:

# Don't indent text between IF and ENDIF.
IF /^MAIL FROM:/
/^MAIL FROM:/ QUIT
/^MAIL FROM:/ QUIT
...
ENDIF

If the list is short, this 'optimization' won't be worthwhile.

Wietse


[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread Benny Pedersen via Postfix-users

John R. Levine via Postfix-users wrote on 2024-06-16 15:18:

> I'm looking at the postscreen man page and I don't see anything about
> mail addresses.  Am I missing something?

postscreen is not smtpd

> I do see smtpd_command_filter.  How about if I map MAIL FROM:
> to QUIT?


so this needs smtpd

milter-regex is your friend





[pfx] Re: Fastest way to reject unwanted sender

2024-06-16 Thread John R. Levine via Postfix-users

On Sat, 15 Jun 2024, Jeff Peng wrote:
> I think postscreen can block them easily.


I'm looking at the postscreen man page and I don't see anything about mail 
addresses.  Am I missing something?


I do see smtpd_command_filter.  How about if I map MAIL FROM: to QUIT?

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


[pfx] Re: Fastest way to reject unwanted sender

2024-06-15 Thread Viktor Dukhovni via Postfix-users
On Sat, Jun 15, 2024 at 07:06:43PM +0800, Jeff Peng via Postfix-users wrote:
> On 2024-06-15 18:14, John Levine via Postfix-users wrote:
> > People I'm working with have a short list of addresses from which they
> > don't want to accept mail at all, and they'd like to reject as early
> > as possible without running it through anti-spam milters, ideally by
> > rejecting the SMTP MAIL FROM command. What's the best way to do this?
> > The list is short so if it has to be hand-edited into config files,
> > that's OK.
> > 
> > I'm not sure exactly why they want to do it this way but they have
> > been running mail systems for a long time (some of you surely know
> > them) and I assume they have sensible reasons.
> 
> I think postscreen can block them easily.

Actually, no, because postscreen typically does not look at the sender
address, generally, just the client IP address is considered.

No reason to post a vague guess, when a concrete approach was requested.

-- 
Viktor.


[pfx] Re: Fastest way to reject unwanted sender

2024-06-15 Thread Matus UHLAR - fantomas via Postfix-users

On 15.06.24 12:14, John Levine via Postfix-users wrote:
> People I'm working with have a short list of addresses from which they
> don't want to accept mail at all, and they'd like to reject as early
> as possible without running it through anti-spam milters, ideally by
> rejecting the SMTP MAIL FROM command. What's the best way to do this?
> The list is short so if it has to be hand-edited into config files,
> that's OK.
>
> I'm not sure exactly why they want to do it this way but they have
> been running mail systems for a long time (some of you surely know
> them) and I assume they have sensible reasons.


Note that at SMTP level, you can reject senders globally, and recipients 
individually. 

Thus, if you reject mail from any sender, none of recipients will be able to 
get mail from that user.



If one of recipients wants to accept mail from a sender while another 
recipient doesn't, theoretically you can reject that sender at recipient 
level, but that complicates configuration (but it's possible).
This would mean that for single mail to more recipients, sender gets 
accepted and different recipients get refused. 




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


[pfx] Re: Fastest way to reject unwanted sender

2024-06-15 Thread Jeff Peng via Postfix-users

On 2024-06-15 18:14, John Levine via Postfix-users wrote:
> People I'm working with have a short list of addresses from which they
> don't want to accept mail at all, and they'd like to reject as early
> as possible without running it through anti-spam milters, ideally by
> rejecting the SMTP MAIL FROM command. What's the best way to do this?
> The list is short so if it has to be hand-edited into config files,
> that's OK.
>
> I'm not sure exactly why they want to do it this way but they have
> been running mail systems for a long time (some of you surely know
> them) and I assume they have sensible reasons.



I think postscreen can block them easily.

regards.


[pfx] Re: Fastest way to reject unwanted sender

2024-06-15 Thread Viktor Dukhovni via Postfix-users
On Sat, Jun 15, 2024 at 12:14:01PM +0200, John Levine via Postfix-users wrote:

> People I'm working with have a short list of addresses from which they
> don't want to accept mail at all, and they'd like to reject as early
> as possible without running it through anti-spam milters, ideally by
> rejecting the SMTP MAIL FROM command. What's the best way to do this?
> The list is short so if it has to be hand-edited into config files,
> that's OK.
> 
> I'm not sure exactly why they want to do it this way but they have
> been running mail systems for a long time (some of you surely know
> them) and I assume they have sensible reasons.

For very short lists, the simplest is:

main.cf:
thash = texthash:${config_directory}/
smtpd_sender_restrictions =
check_sender_access ${thash}blocked-senders

blocked-senders:
m...@example.com REJECT Stooges not accepted here
la...@example.com   REJECT Stooges not accepted here
cu...@example.com   REJECT Stooges not accepted here

This admits occasional editing of the list without having to touch
main.cf.  If the list is sufficiently static that bolting it into
main.cf is a sensible tradeoff, then:

main.cf:
smtpd_sender_restrictions =
check_sender_access inline:{
{ m...@example.com   = REJECT Stooges not accepted here },
{ la...@example.com = REJECT Stooges not accepted here },
{ cu...@example.com = REJECT Stooges not accepted here },
}

Of course you can also use any of the fancier dictionary types, putting
the data in LDAP, a SQL database, a CDB table, LMDB, ...

-- 
Viktor.
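
The two table forms in the message above carry the same data. The following is an added example, not part of the thread or of Postfix: it parses a texthash-style table body, looks up an envelope sender in the key order access(5) documents, and renders the same entries as an inline:{} table. The sample addresses are constructed placeholders; key lowercasing and the omission of subdomain and address-extension matching are assumptions of this example.

```python
"""Added example: lint a texthash sender blocklist and render it as inline:{...}."""

# Constructed sample table body (placeholder addresses, not taken from the thread).
SAMPLE_BLOCKED_SENDERS = """\
# senders rejected at MAIL FROM
blocked1@example.com    REJECT Stooges not accepted here
Blocked2@Example.com    REJECT
    Stooges not accepted here
"""


def logical_lines(text):
    """Apply the Postfix table-file line rules: skip blank lines and lines whose
    first non-whitespace character is '#'; a line that starts with whitespace
    continues the previous logical line."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_table(text):
    """Return {lookup key: action}. Keys are lowercased (assumption of this
    example). A key without an action, or a repeated key, raises ValueError so
    that hand-editing mistakes are caught before the table is deployed."""
    table = {}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"no action for key: {line!r}")
        key, action = parts[0].lower(), parts[1]
        if key in table:
            raise ValueError(f"duplicate key: {key}")
        table[key] = action
    return table


def sender_action(table, sender):
    """Try the keys in the order access(5) lists for an email address:
    full address, then domain, then 'localpart@'. Returns None when nothing
    matches, meaning the next restriction would be evaluated."""
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    for key in (sender, domain, local + "@"):
        if key in table:
            return table[key]
    return None


def to_inline(table):
    """Render the same entries in the inline:{ ... } form for main.cf."""
    entries = ",\n".join(f"        {{ {k} = {v} }}" for k, v in table.items())
    return "check_sender_access inline:{\n" + entries + "\n    }"


if __name__ == "__main__":
    blocked = parse_table(SAMPLE_BLOCKED_SENDERS)
    for addr in ("blocked1@example.com", "BLOCKED2@example.com", "ok@example.com"):
        print(addr, "->", sender_action(blocked, addr))
    print(to_inline(blocked))
```

On a live system, `postmap -q` against the real table remains the authoritative check of what Postfix will return for a given address.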


[pfx] Fastest way to reject unwanted sender

2024-06-15 Thread John Levine via Postfix-users
People I'm working with have a short list of addresses from which they
don't want to accept mail at all, and they'd like to reject as early
as possible without running it through anti-spam milters, ideally by
rejecting the SMTP MAIL FROM command. What's the best way to do this?
The list is short so if it has to be hand-edited into config files,
that's OK.

I'm not sure exactly why they want to do it this way but they have
been running mail systems for a long time (some of you surely know
them) and I assume they have sensible reasons.

TIA,
John


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread John Hill via Postfix-users



On 5/28/24 5:39 AM, Christophe Kalt via Postfix-users wrote:
> smtpd_delay_reject to no



I had it at yes.

Changed it.

--john



[pfx] Re: SASL reject force disconnect

2024-05-28 Thread John Fawcett via Postfix-users


On 28/05/2024 11:39, Christophe Kalt via Postfix-users wrote:
> On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users
> wrote:
>
> > For submission I only use xbl (return code 127.0.0.4) excluding
> > other data contained in zen like pbl that lists isp dynamic
> > ip ranges from which you would normally expect to get connections
> > to submission. For me it's safe to use xbl for submission since I
> > don't want connections from exploited machines and it cuts out
> > most of the noise and some of the risk from people hammering smtp
> > auth. It won't fit everyone's use case though.
>
> For this to be worthwhile, I assume you also set smtpd_delay_reject to
> no ?

yes, I set it in master.cf just for submission service.

John


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread Matus UHLAR - fantomas via Postfix-users

> On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users
> <postfix-users@postfix.org> wrote:
> > For submission I only use xbl (return code 127.0.0.4) excluding
> > other data contained in zen like pbl that lists isp dynamic ip ranges from
> > which you would normally expect to get connections to submission. For me
> > it's safe to use xbl for submission since I don't want connections from
> > exploited machines and it cuts out most of the noise and some of the risk
> > from people hammering smtp auth. It won't fit everyone's use case though.

On 28.05.24 05:39, Christophe Kalt via Postfix-users wrote:
> For this to be worthwhile, I assume you also set smtpd_delay_reject to no ?


Good point. But only on smtps/submission level, so in master.cf services.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread Christophe Kalt via Postfix-users
On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users <
postfix-users@postfix.org> wrote:

> For submission I only use xbl (return code 127.0.0.4) excluding
> other data contained in zen like pbl that lists isp dynamic ip ranges from
> which you would normally expect to get connections to submission. For me
> it's safe to use xbl for submission since I don't want connections from
> exploited machines and it cuts out most of the noise and some of the risk
> from people hammering smtp auth. It won't fit everyone's use case though.
>
For this to be worthwhile, I assume you also set smtpd_delay_reject to no ?


[pfx] Re: SASL reject force disconnect

2024-05-28 Thread Matus UHLAR - fantomas via Postfix-users

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]



John Hill via Postfix-users:

Is this the same thing?


On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4



On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:
While they are the same, I recommend using the latter, so you can 
benefit from caching DNS results in case the same source IP connects 
to smtp and submission/submissions(=smtps) services.


On 27.05.24 07:31, John Hill via Postfix-users wrote:

I added the zen,spamhaus,org=127.0.0.[2..11 to my submission settings
in master.cf. Worked, but it blocked my AT&T mobile block. Go figure!


The discussion was "xbl.spamhaus.org" vs. "zen.spamhaus.org=127.0.0.4"
If you configured zen.spamhaus.org with different combination, no wonder you 
got unexpected result.
 
I changed it to 127.0.0.4 to be more specific. It turns out AT&T 
mobile has numbers is in the XBL database. I tried bl.spamcop.net, and 
it does nothing.


No, they are in PBL database which is designed to contain home networks.
I'm not sure about spamcop, but zen.spamhaus.org=127.0.0.4 should be safe at 
submission level.


Last night I logged  "81 SASL authentication failed." That's about 
average. Seems I have a lot of new friends.


I'm still thankful to learn more about master.cf, I had ignored it for 
the most part.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
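
The difference between the two reply filters compared in this thread, `zen.spamhaus.org=127.0.0.[2..11]` and `zen.spamhaus.org=127.0.0.4`, as an added example that is not part of any poster's message or of Postfix itself. It implements the `d.d.d.d` filter syntax described for postscreen_dnsbl_sites (numbers, or `[]` patterns with `;`-separated numbers and `..` ranges) and applies both filters to constructed DNS answers. The return-code labels other than 127.0.0.4 = XBL come from Spamhaus's public documentation, not from the thread.

```python
"""Added example: which DNSBL replies a Postfix-style reply filter accepts."""
import re

# Spamhaus ZEN return codes (Spamhaus public documentation; see the FAQ
# linked in the thread for the authoritative table).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# Constructed DNS answers for four kinds of client (not real lookups).
CLIENTS = {
    "mobile handset on a carrier dynamic range": ["127.0.0.10"],
    "exploited host": ["127.0.0.4"],
    "exploited host on a dynamic range": ["127.0.0.4", "127.0.0.11"],
    "unlisted client": [],
}

POLICIES = ["zen.spamhaus.org=127.0.0.[2..11]", "zen.spamhaus.org=127.0.0.4"]


def expand_octet(field):
    """'4' -> {4}; '[2..11]' -> {2, ..., 11}; '[2;4..6]' -> {2, 4, 5, 6}."""
    if not field.startswith("["):
        return {int(field)}
    allowed = set()
    for part in field[1:-1].split(";"):
        low, is_range, high = part.partition("..")
        allowed.update(range(int(low), int(high if is_range else low) + 1))
    return allowed


def compile_filter(pattern):
    """Turn a 'd.d.d.d' filter into four sets of permitted octet values."""
    fields = re.findall(r"\[[^\]]*\]|[^.\[\]]+", pattern)
    if len(fields) != 4 or ".".join(fields) != pattern:
        raise ValueError(f"malformed reply filter: {pattern!r}")
    return [expand_octet(f) for f in fields]


def parse_site(spec):
    """Split 'domain[=d.d.d.d][*weight]' into (domain, filter or None, weight)."""
    spec, _, weight = spec.partition("*")
    domain, _, pattern = spec.partition("=")
    return domain, (compile_filter(pattern) if pattern else None), int(weight or 1)


def matching_replies(spec, replies):
    """Return the A-record replies that count as a listing under `spec`.
    With no filter, any reply counts."""
    _, allowed, _ = parse_site(spec)
    hits = []
    for reply in replies:
        octets = [int(o) for o in reply.split(".")]
        if allowed is None or all(o in a for o, a in zip(octets, allowed)):
            hits.append(reply)
    return hits


def compare():
    """{policy: {client: [labels of the listings that would trigger a block]}}."""
    return {
        policy: {
            client: [ZEN_CODES.get(r, r) for r in matching_replies(policy, replies)]
            for client, replies in CLIENTS.items()
        }
        for policy in POLICIES
    }


if __name__ == "__main__":
    for policy, per_client in compare().items():
        print(policy)
        for client, hits in per_client.items():
            print(f"  {client}: {'blocked by ' + ', '.join(hits) if hits else 'allowed'}")
```

The wide filter treats a PBL-only answer as a listing, which is what blocks legitimate submission users on dynamic ranges; the 127.0.0.4 filter ignores PBL answers and still catches the XBL-listed hosts.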


[pfx] Re: SASL reject force disconnect

2024-05-27 Thread John Fawcett via Postfix-users


On 27/05/2024 13:31, John Hill via Postfix-users wrote:



On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:

> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]



John Hill via Postfix-users:

Is this the same thing?


On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4


While they are the same, I recommend using the latter, so you can 
benefit from caching DNS results in case the same source IP connects 
to smtp and submission/submissions(=smtps) services.


I added the zen,spamhaus,org=127.0.0.[2..11 to my submission settings 
in master.cf. Worked, but it blocked my AT&T mobile block. Go figure!


That's to be expected. The zen.spamhaus.org list also contains isp 
dynamic ip ranges which can be users that need to access submission.


I changed it to 127.0.0.4 to be more specific. It turns out AT&T 
mobile has numbers is in the XBL database. I tried bl.spamcop.net, and 
it does nothing.


If AT&T  is blocked when checking specifically for 127.0.0.4 then the ip 
is in XBL, but that would mean there is a likely to be an exploited 
device on that ip. I would not recommend using spamcop or other general 
purpose spam blocking lists for this purpose. XBL is specific for 
compromised hosts.


Last night I logged  "81 SASL authentication failed." That's about 
average. Seems I have a lot of new friends.


I'm still thankful to learn more about master.cf, I had ignored it for 
the most part.


--john




[pfx] Re: SASL reject force disconnect

2024-05-27 Thread John Hill via Postfix-users


On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:

> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]



John Hill via Postfix-users:

Is this the same thing?


On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4


While they are the same, I recommend using the latter, so you can 
benefit from caching DNS results in case the same source IP connects 
to smtp and submission/submissions(=smtps) services.


I added the zen,spamhaus,org=127.0.0.[2..11 to my submission settings in 
master.cf. Worked, but it blocked my AT&T mobile block. Go figure!


I changed it to 127.0.0.4 to be more specific. It turns out AT&T mobile 
has numbers is in the XBL database. I tried bl.spamcop.net, and it does 
nothing.


Last night I logged  "81 SASL authentication failed." That's about 
average. Seems I have a lot of new friends.


I'm still thankful to learn more about master.cf, I had ignored it for 
the most part.


--john


[pfx] Re: SASL reject force disconnect

2024-05-27 Thread Matus UHLAR - fantomas via Postfix-users

> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]



John Hill via Postfix-users:

Is this the same thing?


On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4


While they are the same, I recommend using the latter, so you can benefit 
from caching DNS results in case the same source IP connects to smtp and 
submission/submissions(=smtps) services.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


[pfx] Re: SASL reject force disconnect

2024-05-26 Thread John Fawcett via Postfix-users


On 25/05/2024 20:50, John Hill via Postfix-users wrote:



On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:


On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up 
with the conversation!


I had auth on ports I did not need. I use auth on submission port 
587, for users access.


I do get a boat load of failed login attempts on 587. Funny how a 
China, US, Argentina, you name it, hosts, will try the same failed 
username password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john



Hi John

maybe controversial for use on the submission service, but a while 
back I started using spamhaus xbl (the exploits data only, not the 
PBL or spammer data) as the first check (reject_rbl_client) in 
smtpd_client_restrictions for the submission service (on which I have 
AUTH enabled only after STARTTLS). I saw two results


1. there are few illegitimate smtp auth attempts that aren't blocked 
by XBL and end up trying the credentials


2. even the blocked traffic has fallen off to a small number of tries 
per day (usually < 20).


Point 2 tends to indicate that the hacker scripts only start 
hammering when they find an AUTH command enabled.


Fail2ban can still be used for the ips that get through, since then 
they start hammering, but the cases are so limited I haven't bothered.


John





I use zen.spamhaus.net in postscreen.



postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

Is this the same thing?
--john




postscreen is protecting the smtp service (port 25). I also use the zen 
configuration you have above in postscreen, (i.e. including the other 
data not just xbl) since I am more aggressive for smtp.


For submission I only use xbl (return code 127.0.0.4) excluding 
other data contained in zen like pbl that lists isp dynamic ip ranges 
from which you would normally expect to get connections to submission. 
For me it's safe to use xbl for submission since I don't want 
connections from exploited machines and it cuts out most of the noise 
and some of the risk from people hammering smtp auth. It won't fit 
everyone's use case though.


John


[pfx] Re: SASL reject force disconnect

2024-05-25 Thread John Hill via Postfix-users


On 5/25/24 3:54 PM, Wietse Venema via Postfix-users wrote:
> John Hill via Postfix-users:
> > > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
> > Is this the same thing?
>
> See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
> with the purpose of different lookup results.
>
> To block xbl listed clients with postscreen, one would configure
> xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4
>
> Wietse


I checked. Postscreen blocked 2 127.0.0.4 sites.

I do appreciate postscreen. A lock on the front door!!!

Thanks

--john





[pfx] Re: SASL reject force disconnect

2024-05-25 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
> Is this the same thing?

See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.

To block xbl listed clients with postscreen, one would configure
xbl.spamhaus.org or zen.spamhaus.org=127.0.0.4

Wietse


[pfx] Re: SASL reject force disconnect

2024-05-25 Thread John Hill via Postfix-users


On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:


On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up 
with the conversation!


I had auth on ports I did not need. I use auth on submission port 
587, for users access.


I do get a boat load of failed login attempts on 587. Funny how a 
China, US, Argentina, you name it, hosts, will try the same failed 
username password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john



Hi John

maybe controversial for use on the submission service, but a while 
back I started using spamhaus xbl (the exploits data only, not the PBL 
or spammer data) as the first check (reject_rbl_client) in 
smtpd_client_restrictions for the submission service (on which I have 
AUTH enabled only after STARTTLS). I saw two results


1. there are few illegitimate smtp auth attempts that aren't blocked 
by XBL and end up trying the credentials


2. even the blocked traffic has fallen off to a small number of tries 
per day (usually < 20).


Point 2 tends to indicate that the hacker scripts only start hammering 
when they find an AUTH command enabled.


Fail2ban can still be used for the ips that get through, since then 
they start hammering, but the cases are so limited I haven't bothered.


John





I use zen.spamhaus.net in postscreen.



postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]

Is this the same thing?
--john




[pfx] Re: SASL reject force disconnect

2024-05-25 Thread John Fawcett via Postfix-users



On 24/05/2024 03:03, John Hill via Postfix-users wrote:
> I learn something every time I read this group, when I can keep up
> with the conversation!
>
> I had auth on ports I did not need. I use auth on submission port 587,
> for users access.
>
> I do get a boat load of failed login attempts on 587. Funny how a
> China, US, Argentina, you name it, hosts, will try the same failed
> username password at nearly the same time.
>
> Small world.
>
> I use Fail2Ban to block the failed IP. The script writes it into the
> nftables table immediately.
>
> I think this keeps Postfix waiting and times out, not a big deal. Is
> there a cli that my bash script could force disconnect the ip from
> Postfix?
>
> I did search the man page and the docs, sorry if I missed it.
>
> Thanks
>
> --john



Hi John

maybe controversial for use on the submission service, but a while back 
I started using spamhaus xbl (the exploits data only, not the PBL or 
spammer data) as the first check (reject_rbl_client) in 
smtpd_client_restrictions for the submission service (on which I have 
AUTH enabled only after STARTTLS). I saw two results


1. there are few illegitimate smtp auth attempts that aren't blocked by 
XBL and end up trying the credentials


2. even the blocked traffic has fallen off to a small number of tries 
per day (usually < 20).


Point 2 tends to indicate that the hacker scripts only start hammering 
when they find an AUTH command enabled.


Fail2ban can still be used for the ips that get through, since then they 
start hammering, but the cases are so limited I haven't bothered.


John





[pfx] Re: SASL reject force disconnect

2024-05-24 Thread John Hill via Postfix-users


On 5/24/24 9:33 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 24.05.24 07:36, John Hill via Postfix-users wrote:

What command do you use to reset the connection?


no command, just rule in OUTPUT chain:

 1710  649K REJECT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25 match-set block-smtp dst reject-with icmp-port-unreachable


so any outgoing (dst) packet from TCP port 25 to IP address in ipset 
"block-smtp" will result in icmp port unreachable.

It can be changed to tcp-reset.

I use NFtables. This is near what I use in the active table. I was 
having so many multiple attempts, I had to block it immediately.


I'm not sure It would kill the current connection. But the change to 
Postfix timing did.


--john





On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into 
the nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. 
Is there a cli that my bash script could force disconnect the ip 
from Postfix?


I use fail2ban a way where incoming packets to port 25 get dropped 
and outgoing packets from port 25 get reset, so smtpd should receive 
info to close connection when first packet leaves.





[pfx] Re: SASL reject force disconnect

2024-05-24 Thread Matus UHLAR - fantomas via Postfix-users

On 24.05.24 07:36, John Hill via Postfix-users wrote:

What command do you use to reset the connection?


no command, just rule in OUTPUT chain:

 1710  649K REJECT 6    --  *  *  0.0.0.0/0    0.0.0.0/0    tcp spt:25 match-set block-smtp dst reject-with icmp-port-unreachable

so any outgoing (dst) packet from TCP port 25 to IP address in ipset 
"block-smtp" will result in icmp port unreachable.

It can be changed to tcp-reset.



On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into 
the nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. 
Is there a cli that my bash script could force disconnect the ip 
from Postfix?


I use fail2ban a way where incoming packets to port 25 get dropped 
and outgoing packets from port 25 get reset, so smtpd should receive 
info to close connection when first packet leaves.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Posli tento mail 100 svojim znamim - nech vidia aky si idiot
Send this email to 100 your friends - let them see what an idiot you are
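
An nftables form of the approach described in this message (drop inbound packets from banned addresses, reset the server's outbound packets to them), for setups that use nftables rather than iptables with ipset. This is an added example, not configuration posted by anyone in the thread; the table name smtp_guard, the set name block_smtp (mirroring the ipset name above), the one-hour timeout, and the inclusion of port 587 next to port 25 are assumptions.

```nftables
# Added example (hypothetical names): nftables counterpart of the
# "block-smtp" ipset rule quoted above.
table inet smtp_guard {
    # Banned client addresses. A ban script adds entries, for example:
    #   nft add element inet smtp_guard block_smtp { 192.0.2.10 }
    # 192.0.2.10 is a constructed documentation address.
    set block_smtp {
        type ipv4_addr
        flags timeout
        timeout 1h          # assumed ban duration; entries expire on their own
    }

    chain input {
        type filter hook input priority 0; policy accept;
        # Inbound packets from a banned address to the SMTP ports are dropped,
        # so no new commands or AUTH attempts reach smtpd.
        tcp dport { 25, 587 } ip saddr @block_smtp drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # The first packet smtpd sends to a banned address is rejected with a
        # TCP reset (the tcp-reset variant mentioned above, instead of
        # icmp-port-unreachable), so smtpd learns that the connection is gone
        # instead of waiting for a timeout.
        tcp sport { 25, 587 } ip daddr @block_smtp reject with tcp reset
    }
}
```

Load it with `nft -f` on the ruleset file, then check with `nft list table inet smtp_guard` that the set and both chains are present before pointing a ban action at the set.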


[pfx] Re: SASL reject force disconnect

2024-05-24 Thread John Hill via Postfix-users

What command do you use to reset the connection?

On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:

On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I use fail2ban a way where incoming packets to port 25 get dropped and 
outgoing packets from port 25 get reset, so smtpd should receive info 
to close connection when first packet leaves.





[pfx] Re: SASL reject force disconnect

2024-05-24 Thread Matus UHLAR - fantomas via Postfix-users

On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from 
Postfix?


I use fail2ban a way where incoming packets to port 25 get dropped and 
outgoing packets from port 25 get reset, so smtpd should receive info to 
close connection when first packet leaves.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.


[pfx] Re: SASL reject force disconnect

2024-05-23 Thread John Hill via Postfix-users
Will do it. Tonight. 

Thanks 



On May 23, 2024 9:11 PM, Wietse Venema via Postfix-users 
 wrote:

John Hill via Postfix-users: 
> I learn something every time I read this group, when I can keep up with 
> the conversation! 
> 
> I had auth on ports I did not need. I use auth on submission port 587, 
> for users access. 
> 
> I do get a boat load of failed login attempts on 587. Funny how a China, 
> US, Argentina, you name it, hosts, will try the same failed username 
> password at nearly the same time. 
> 
> Small world. 
> 
> I use Fail2Ban to block the failed IP. The script writes it into the 
> nftables table immediately. 
> 
> I think this keeps Postfix waiting and times out, not a big deal. Is 
> there a cli that my bash script could force disconnect the ip from Postfix? 
> 
> I did search the man page and the docs, sorry if I missed it. 

On port 587? setting "smtpd_hard_error_limit=1" might do it. 

master.cf:
submission .. .. .. .. .. .. .. smtpd
    -o { smtpd_hard_error_limit = 1 }
    ...other -o options...

You need to "postfix reload" after editing master.cf.

This assumes that a good user makes no mistakes. 

Wietse 


[pfx] Re: SASL reject force disconnect

2024-05-23 Thread Wietse Venema via Postfix-users
John Hill via Postfix-users:
> I learn something every time I read this group, when I can keep up with 
> the conversation!
> 
> I had auth on ports I did not need. I use auth on submission port 587, 
> for users access.
> 
> I do get a boat load of failed login attempts on 587. Funny how a China, 
> US, Argentina, you name it, hosts, will try the same failed username 
> password at nearly the same time.
> 
> Small world.
> 
> I use Fail2Ban to block the failed IP. The script writes it into the 
> nftables table immediately.
> 
> I think this keeps Postfix waiting and times out, not a big deal. Is 
> there a cli that my bash script could force disconnect the ip from Postfix?
> 
> I did search the man page and the docs, sorry if I missed it.

On port 587? setting "smtpd_hard_error_limit=1" might do it.

master.cf:
submission .. .. .. .. .. .. .. smtpd
    -o { smtpd_hard_error_limit = 1 }
    ...other -o options...

You need to "postfix reload" after editing master.cf.

This assumes that a good user makes no mistakes.

Wietse


[pfx] SASL reject force disconnect

2024-05-23 Thread John Hill via Postfix-users
I learn something every time I read this group, when I can keep up with 
the conversation!


I had auth on ports I did not need. I use auth on submission port 587, 
for users access.


I do get a boat load of failed login attempts on 587. Funny how a China, 
US, Argentina, you name it, hosts, will try the same failed username 
password at nearly the same time.


Small world.

I use Fail2Ban to block the failed IP. The script writes it into the 
nftables table immediately.


I think this keeps Postfix waiting and times out, not a big deal. Is 
there a cli that my bash script could force disconnect the ip from Postfix?


I did search the man page and the docs, sorry if I missed it.

Thanks

--john




[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-04 Thread Jaroslaw Rafa via Postfix-users
On 4.02.2024 at 11:00:39 Viktor Dukhovni via Postfix-users wrote:
> > Well, I'm an old school type... :) I prefer to ssh to the server and launch
> > mutt or something similar to access my mail :)
> 
> That's fine, I also use mutt (in fact when replying to this message),
> but for me mutt is accessing the mailstore via IMAP.

I don't want to bother with additional configuration of Postfix/Dovecot/mutt
for this, if local(8) works just out of the box. The simpler the better - at
least this is my view...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-04 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 10:17:45PM +0100, Jaroslaw Rafa via Postfix-users wrote:

> On 3.02.2024 at 12:59:27 Viktor Dukhovni via Postfix-users wrote:
> > 
> > These days, users are far better off with delivery to an IMAP store that
> > is not tied directly to any login account they may or may not have.
> > Perhaps they authenticate to Dovecot via PAM, but the mail store should
> > own the mailbox, not the user.
> 
> Well, I'm an old school type... :) I prefer to ssh to the server and launch
> mutt or something similar to access my mail :)

That's fine, I also use mutt (in fact when replying to this message),
but for me mutt is accessing the mailstore via IMAP.

-- 
Viktor.


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-04 Thread 황병희
Hello Jaroslaw,

On Sat, 2024-02-03 at 22:17 +0100, Jaroslaw Rafa via Postfix-users
wrote:
> On 3.02.2024 at 12:59:27 Viktor Dukhovni via Postfix-users
> wrote:
> > 
> > These days, users are far better off with delivery to an IMAP store
> > that
> > is not tied directly to any login account they may or may not have.
> > Perhaps they authenticate to Dovecot via PAM, but the mail store
> > should
> > own the mailbox, not the user.
> 
> Well, I'm an old school type... :) I prefer to ssh to the server and
> launch
> mutt or something similar to access my mail :)

Me, too.

Sometimes, I do like you. The yw-0919.doraji.xyz is a spam filtering
server. There I check the spam folder with Mutt (Mutt/1.9.4 (2018-02-28))
every week!

Usually, i see normal emails from Gmail IMAP with GNOME Evolution.


Sincerely, Byunghee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Jaroslaw Rafa via Postfix-users
On 3.02.2024 at 12:59:27 Viktor Dukhovni via Postfix-users wrote:
> 
> These days, users are far better off with delivery to an IMAP store that
> is not tied directly to any login account they may or may not have.
> Perhaps they authenticate to Dovecot via PAM, but the mail store should
> own the mailbox, not the user.

Well, I'm an old school type... :) I prefer to ssh to the server and launch
mutt or something similar to access my mail :)
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 04:57:05PM +0100, Jaroslaw Rafa via Postfix-users wrote:

> > The "local" transport is a legacy Sendmail-compatibility interface,
> > and should generally be avoided.
> 
> Why avoided? If you have local Unix users on your server, and you want those
> users to receive mail, this is the most easy and natural way to go...

Because it has too many features (is complex), between aliases, .forward
files, procmail, ... it gives both the user and the administrator "too
much rope".  Sendmail compatibility also imposes fragile loop detection
logic, less efficient single-recipient per-envelope processing.  When
aliases expand to multiple recipients, and one soft-fails mail
delivery to the others can happen multiple times...

These days, users are far better off with delivery to an IMAP store that
is not tied directly to any login account they may or may not have.
Perhaps they authenticate to Dovecot via PAM, but the mail store should
own the mailbox, not the user.

-- 
Viktor.


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Bill Cole via Postfix-users
On 2024-02-03 at 08:52:17 UTC-0500 (Sat, 3 Feb 2024 05:52:17 -0800)
Dan Mahoney via Postfix-users 
is rumored to have said:

> All,
>
> Pretty simple question:
>
> We have an internal domain, zimbra.example.org, but it's only used for 
> internal routing of our corporate mail (there's a master delivery map that 
> controls what addresses at example.org route to zimbra.example.org).  We have 
> other domains under example.org such as list servers, ticket systems, and the 
> like, many of which have example.org addresses pointing at them.
>
> In no case should anything on the outside be directing mail directly to 
> zimbra.example.org, and it is firewalled so only our border MXes can talk to 
> it.
>
> Is there a way to reject mail destined to an internal domain (like 
> zimbra.example.org) such that only our internal machines can deliver to it, 
> but that any host on the outside gets an immediate reject notice from our 
> border MXes?

There are ways to do almost anything...

One way to implement this is to use restriction classes. I do this for some of 
my list-specific addresses that get scraped for spam, but it would work just as 
well for a domain e.g.:

main.cf:
smtpd_restriction_classes = privdom
smtpd_recipient_restrictions = ...,check_recipient_access
    pcre:/etc/postfix/recipient_checks.pcre,...
privdom = check_client_access hash:/etc/postfix/privdom-allow, reject

recipient_checks.pcre:
[...]
/^.*@zimbra.example.org$/   privdom
[...]

privdom-allow:
.example.org    DUNNO
192.0.2         DUNNO

Where 192.0.2.0/24 is your privileged network and you want to allow anyone on 
that network or any client with a verified hostname under example.org.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Jaroslaw Rafa via Postfix-users
On 3.02.2024 at 10:33:58 Viktor Dukhovni via Postfix-users wrote:
> The "local" transport is a legacy Sendmail-compatibility interface,
> and should generally be avoided.

Why avoided? If you have local Unix users on your server, and you want those
users to receive mail, this is the most easy and natural way to go...
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Viktor Dukhovni via Postfix-users
On Sat, Feb 03, 2024 at 05:52:17AM -0800, Dan Mahoney via Postfix-users wrote:


> We have an internal domain, zimbra.example.org, but it's only used for
> internal routing of our corporate mail (there's a master delivery map
> that controls what addresses at example.org route to
> zimbra.example.org).  We have other domains under example.org such as
> list servers, ticket systems, and the like, many of which have
> example.org addresses pointing at them.
> 
> Is there a way to reject mail destined to an internal domain (like
> zimbra.example.org) such that only our internal machines can deliver
> to it, but that any host on the outside gets an immediate reject
> notice from our border MXes?

That's the default behaviour, unless you list zimbra.example.org
in one of:

- mydestination ("local" address class)
- relay_domains ("relay" address class)
- virtual_mailbox_domains   ("virtual" address class)
- virtual_alias_domains ("virtual_alias" address class)

A "generic" domain is (soft) rejected by default:

$ postconf -df smtpd_relay_restrictions
smtpd_relay_restrictions = ${{$compatibility_level} 

[pfx] Is there a way to reject an internal domain on our border MXes

2024-02-03 Thread Dan Mahoney via Postfix-users
All,

Pretty simple question:

We have an internal domain, zimbra.example.org, but it's only used for internal 
routing of our corporate mail (there's a master delivery map that controls what 
addresses at example.org route to zimbra.example.org).  We have other domains 
under example.org such as list servers, ticket systems, and the like, many of 
which have example.org addresses pointing at them.

In no case should anything on the outside be directing mail directly to 
zimbra.example.org, and it is firewalled so only our border MXes can talk to it.

Is there a way to reject mail destined to an internal domain (like 
zimbra.example.org) such that only our internal machines can deliver to it, but 
that any host on the outside gets an immediate reject notice from our border 
MXes?

-Dan


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-25 Thread Wietse Venema via Postfix-users
Matthias Schneider via Postfix-users:
> Hi Jaroslaw,
> 
> In this context, it's not about the ability to recognize the
> message, as unique IDs and postfix long queue IDs can handle that
> effectively within the 200-character limit. The primary concern
> is having the capability to log full header values. As Gerald
> illustrated with the example of logging Subject as INFO using
> header_check, this feature is currently restricted by the static
> 200-character limit.
> 
> While this particular use case might not be applicable in your
> scenario, it's worth noting that others find it beneficial for
> various reasons. Having the flexibility to configure this limit
> would cater to a broader range of user requirements.

Postfix can already be configured to provide 'full headers' and
much more: use a Milter. There is an endless list of things that
might be useful in some niche scenario that serves 1% of the
population. I am drawing the line where it currently stands.

Wietse


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-25 Thread Matthias Schneider via Postfix-users
Hi Jaroslaw,

In this context, it's not about the ability to recognize the message, as unique 
IDs and postfix long queue IDs can handle that effectively within the 
200-character limit. The primary concern is having the capability to log full 
header values. As Gerald illustrated with the example of logging Subject as 
INFO using header_check, this feature is currently restricted by the static 
200-character limit.

While this particular use case might not be applicable in your scenario, it's 
worth noting that others find it beneficial for various reasons. Having the 
flexibility to configure this limit would cater to a broader range of user 
requirements.

Your understanding is much appreciated.

Best regards,

Matthias Schneider


- Original Message -
From: "Jaroslaw Rafa via Postfix-users" 
To: "postfix-users" 
Sent: Thursday, 25 January 2024 10:01:49
Subject: [pfx] Re: Feature Request: Adjustable Header Log Size Limit in 
INFO/WARN/REJECT Header_Check

On 24.01.2024 at 23:21:10 Gerald Galster via Postfix-users wrote:
> 
> As the amount of email increases it can be difficult to distinguish mails
> to or from a correspondent. In this case it would help a lot to display
> the subject as well but that's not part of envelope data. Therefore it's
> convenient to log it using a header_check like /^Subject: / -> INFO, which
> is subject to the 200 bytes limit. As headers consist of 7-bit ASCII
> only, UTF8-Characters like Umlauts or Emojis must be encoded (qp/base64),
> so 200 bytes sometimes is not equal to 200 chars and might result in
> truncated subject lines.

Even if every character is encoded as two bytes, does ANYBODY who sends an
email use a subject so long that first 100 characters are not enough to
recognize the message?

It seems a completely unreal scenario to me. If somebody used so long
subject lines, with the LAST characters being the most meaningful, then the
recipients themselves wouldn't be able to recognize the messages properly,
because most email clients don't display as many characters in the subject
when displaying a list of messages in the inbox.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-25 Thread Jaroslaw Rafa via Postfix-users
On 24.01.2024 at 23:21:10 Gerald Galster via Postfix-users wrote:
> 
> As the amount of email increases it can be difficult to distinguish mails
> to or from a correspondent. In this case it would help a lot to display
> the subject as well but that's not part of envelope data. Therefore it's
> convenient to log it using a header_check like /^Subject: / -> INFO, which
> is subject to the 200 bytes limit. As headers consist of 7-bit ASCII
> only, UTF8-Characters like Umlauts or Emojis must be encoded (qp/base64),
> so 200 bytes sometimes is not equal to 200 chars and might result in
> truncated subject lines.

Even if every character is encoded as two bytes, does ANYBODY who sends an
email use a subject so long that first 100 characters are not enough to
recognize the message?

It seems a completely unreal scenario to me. If somebody used so long
subject lines, with the LAST characters being the most meaningful, then the
recipients themselves wouldn't be able to recognize the messages properly,
because most email clients don't display as many characters in the subject
when displaying a list of messages in the inbox.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Matthias Schneider via Postfix-users
Hi Gerald,

Thank you for providing an insightful perspective on the matter, and you've hit 
the nail on the head. Indeed, the 200-byte limit not only impacts the display 
of subjects but also affects headers with security content, such as 
Authentication-Results. A Milter cannot get any information about the smtp 
delivery attempts, only the TLS information from the receiving smtpd process. To 
obtain a full picture, we end up having to join the in-session information from 
the Milter to the log, which is asynchronous and can delay final delivery 
status for several days. In light of this, a higher or configurable limit in 
the log would simplify the process, eliminating the need for complex join 
operations between two separate logs. 

Considering the various use cases and scenarios, maintaining the 200-char limit 
as the default while allowing users to configure it based on their specific 
needs sounds like a pragmatic solution. This approach would provide flexibility 
for users who wish to log extensive information, such as antispam symbols in 
headers.

Best regards,

Matthias Schneider


- Original Message -
From: "Gerald Galster via Postfix-users" 
To: "postfix-users" 
Sent: Wednesday, 24 January 2024 23:21:10
Subject: [pfx] Re: Feature Request: Adjustable Header Log Size Limit in 
INFO/WARN/REJECT Header_Check

> Viktor Dukhovni via Postfix-users :
> 
> On Wed, Jan 24, 2024 at 08:27:53PM +0100, Matthias Schneider via 
> Postfix-users wrote:
> 
>> Using a Milter is an option, but it often involves correlating
>> information from both the milter process and the log for a
>> comprehensive view.
> 
> Everything of interest can be added as a message header.

Just to add another view, I guess the op wants to solve a problem like this:

Consider a mailflow utility that correlates postfix logs according to queue ids
and stores them to a database. A webinterface allows users to retrieve delivery
information for their email addresses themselves. Postfix logging is sufficient
to see if a delivery succeeded (250 OK - often including some form of queue-id)
or bounced and sometimes this functionality is very convenient for users, that
normally do not have access to maillogs.

As the amount of email increases it can be difficult to distinguish mails to
or from a correspondent. In this case it would help a lot to display the
subject as well but that's not part of envelope data. Therefore it's
convenient to log it using a header_check like /^Subject: / -> INFO, which is
subject to the 200 bytes limit. As headers consist of 7-bit ASCII only,
UTF8-Characters like Umlauts or Emojis must be encoded (qp/base64), so 200
bytes sometimes is not equal to 200 chars and might result in truncated
subject lines. Programming a milter just to display a complete subject line
would be quite time-consuming. Therefore I think the op considers a higher or
configurable limit helpful.

Best regards,
Gerald


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Gerald Galster via Postfix-users


> Viktor Dukhovni via Postfix-users :
> 
> On Wed, Jan 24, 2024 at 08:27:53PM +0100, Matthias Schneider via 
> Postfix-users wrote:
> 
>> Using a Milter is an option, but it often involves correlating
>> information from both the milter process and the log for a
>> comprehensive view.
> 
> Everything of interest can be added as a message header.

Just to add another view, I guess the op wants to solve a problem like this:

Consider a mailflow utility that correlates postfix logs according to queue ids
and stores them to a database. A webinterface allows users to retrieve delivery
information for their email addresses themselves. Postfix logging is sufficient
to see if a delivery succeeded (250 OK - often including some form of queue-id)
or bounced and sometimes this functionality is very convenient for users, that
normally do not have access to maillogs.

As the amount of email increases it can be difficult to distinguish mails to
or from a correspondent. In this case it would help a lot to display the
subject as well but that's not part of envelope data. Therefore it's
convenient to log it using a header_check like /^Subject: / -> INFO, which is
subject to the 200 bytes limit. As headers consist of 7-bit ASCII only,
UTF8-Characters like Umlauts or Emojis must be encoded (qp/base64), so 200
bytes sometimes is not equal to 200 chars and might result in truncated
subject lines. Programming a milter just to display a complete subject line
would be quite time-consuming. Therefore I think the op considers a higher or
configurable limit helpful.

Best regards,
Gerald


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Viktor Dukhovni via Postfix-users
On Wed, Jan 24, 2024 at 08:27:53PM +0100, Matthias Schneider via Postfix-users 
wrote:

> Using a Milter is an option, but it often involves correlating
> information from both the milter process and the log for a
> comprehensive view.

Everything of interest can be added as a message header.

> For example, capturing TLS details from both the smtp client process
> and smtpd pid, along with recipient information and specific Headers
> is crucial.

You can PREPEND the TLS details for inspection by a milter.  Why is this
"crucial"?  Postfix SMTP server TLS logging is fairly terse.  Other than
that TLS was used, what is so crucial to correlate with message headers?

> As far as I know, there are currently no other supported protocols for
> event streaming. Therefore, relying on syslog (nearly real-time) or
> reading logs from a file (with some delay) remains the most effective
> solution for obtaining delivery information.

A milter can stream its findings to some central collection point using
any protocol of its choice, including syslog.

-- 
Viktor.


[pfx] Re: Feature Request: Adjustable Header Log Size Limit in INFO/WARN/REJECT Header_Check

2024-01-24 Thread Matthias Schneider via Postfix-users
Hi Viktor,

Thank you for diving into this topic.

Using a Milter is an option, but it often involves correlating information from 
both the milter process and the log for a comprehensive view. For example, 
capturing TLS details from both the smtp client process and smtpd pid, along 
with recipient information and specific Headers is crucial. The proposed 
configurable header key/value limit would simplify this process.

As far as I know, there are currently no other supported protocols for event 
streaming. Therefore, relying on syslog (nearly real-time) or reading logs from 
a file (with some delay) remains the most effective solution for obtaining 
delivery information.

Best regards,
Matthias Schneider 

- Original Message -
From: Viktor Dukhovni via Postfix-users 
To: postfix-users@postfix.org
Sent: Wed, 24 Jan 2024 16:38:05 +0100 (CET)
Subject: [pfx] Re: Feature Request: Adjustable Header Log Size Limit in 
INFO/WARN/REJECT Header_Check

On Wed, Jan 24, 2024 at 03:10:03PM +0100, Matthias Schneider via Postfix-users 
wrote:

> Initially, I experimented with a Milter for logging the required
> headers, but I found that employing a larger %s printf value proved to
> be a more efficient solution. However, I'd like to point out that the
> default configuration for MaxMessageSize in rsyslog is often set to
> 8k, with the potential to increase it to 64k when using TCP.
> Therefore, the syslog aspect can handle larger messages effectively.

Why is syslog the right medium for accurate message header recording?
What sort of key/value pairs are you looking to extract from headers?

When ~2 decades ago I implemented header logging (actually MIME-skeleton
logging, that recorded also the header of all nested MIME parts), I
recorded the MIME skeletons of each message (separated by blank lines)
to a daily disk file.  Syslog was not a good vehicle for faithful
recording of message metadata.

-- 
Viktor.

