On Wed, May 07, 2014 at 12:26:09AM -0400, Sahil Tandon wrote:
I cannot say definitively without more complete log analysis, but that
is my hunch. And, the issue does not seem to occur as a result of the
initial cleartext fallback, but later ... once on-demand caching has
kicked in.
I
Viktor Dukhovni:
-#define HAVE_NEXTHOP_STATE(state) (STR((state)-iterator-request_nexthop)
!= 0)
+#define HAVE_NEXTHOP_STATE(state)
(STR((state)-iterator-request_nexthop)[0] != 0)
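Review bot: in the `+` line, the test `[0] != 0` is only right if an empty string is the agreed marker for "no nexthop state", and the macro should say so in a comment; writing the comparison as `!= '\0'` would also make it obvious that a character is being tested. The `-` line compared the value of STR(...) itself against 0 and gave no visible hint that it was not looking at the string's content, so a one-line comment tying HAVE_NEXTHOP_STATE() to what the other *_NEXTHOP_STATE() primitives store would help keep them in step.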
That is clearly a bug, considering the semantics of the *_NEXTHOP_STATE()
primitives:
FREE_NEXTHOP_STATE()
Sebastian Nielsen:
I tried with the following:
smtpd_relay_restrictions = reject_unlisted_sender, permit_mynetworks,
reject_unauth_destination
But didn't work, mail from "unlisted" domains are accepted through.
My domain is sebbe.eu
Hi all,
with postfix + sasl scenario, it’s possible to permit a user who is
authenticated with his credentials can send emails only if the mail from field
is the same one used for authentication?
Have you any idea?
Best regards
--
Stefano
Hi,
Is there any way to skip header_checks only for messages destined to a
specific domain? I searched the web and tried playing with extra
services in master.cf and transport maps and whatnot, but failed to
come up with a working configuration...
On 5/7/2014 9:04 AM, Leonardo Boiko wrote:
Hi,
Is there any way to skip header_checks only for messages destined to a
specific domain? I searched the web and tried playing with extra
services in master.cf and transport maps and whatnot, but failed to
come up with a working configuration...
On Wed, May 07, 2014 at 04:03:31PM +0200, stefano.rube...@iit.cnr.it wrote:
Hi all,
with postfix + sasl scenario, it's possible to permit a user who is
authenticated with his credentials can send emails only if the mail from
field is the same one used for authentication?
Have you any
Sebastian Nielsen:
I want to reject senders, that are relaying, using a domain not
on an approved list. eg all sender domains that aren't @sebbe.eu
but are relaying, should be rejected.
Postfix restrictions are not a Turing-complete access control
language. For complex policies use a policy
On Wed, May 07, 2014 at 10:28:46AM -0400, Wietse Venema wrote:
Sebastian Nielsen:
I want to reject senders, that are relaying, using a domain not
on an approved list. eg all sender domains that aren't @sebbe.eu
but are relaying, should be rejected.
Postfix restrictions are not a
Hello,
I'm running postscreen and I'm wondering about a setting. For
postscreen_dnsbl_action, and postscreen_greet_action I've got them set
to enforce. My problem is while it works I get clients that are repeat
customers after they've already been dealt with. Should I change these
to drop?
# For
David Mehler:
Hello,
I'm running postscreen and I'm wondering about a setting. For
postscreen_dnsbl_action, and postscreen_greet_action I've got them set
to enforce. My problem is while it works I get clients that are repeat
customers after they've already been dealt with. Should I change
--On May 7, 2014 at 9:52:10 AM -0400 Wietse Venema wie...@porcupine.org
wrote:
Thanks to Viktor for finding the cause, to Sahil for discovering
that there was a problem, and to myself for structuring Postfix
code such that I made this mistake in only one place.
Does this imply an
On Tue, May 6, 2014 10:53, Wietse Venema wrote:
master.cf:
127.0.0.1:26 inet n - n - - smtpd
-o smtpd_tls_security_level=none
-o smtpd_sasl_auth_enable=no
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o
THANKS!
Works EXCELLENTLY. Did fine-tune it a little bit, but then it works
excellently now.
smtpd_relay_restrictions = check_sender_access hash:/etc/postfix/access,
reject_unauth_destination
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain,
On Wed, May 07, 2014 at 07:58:26PM +0200, Sebastian Nielsen wrote:
Works EXCELLENTLY. Did fine-tune it a little bit, but then it works
excellently now.
The fine-tuning makes it likely that your system will be an open
relay some day. I chose smtpd_sender_restrictions for this
deliberately. Do
I know. check_sender_access does always check MAIL_FROM, regardless of in
which access context they are in. (else it would be check_recipient_access
or check_client_access)
smtpd_recipient_restrictions can contain sender rejections too, like
reject_unknown_sender_domain.
But a sender access
On Wed, May 07, 2014 at 08:33:18PM +0200, Sebastian Nielsen wrote:
I know. check_sender_access does always check MAIL_FROM, regardless of in
which access context they are in. (else it would be check_recipient_access
or check_client_access)
When using check_sender_access use a separate lookup
aaah now I understand. You did not like the _naming_ of the access file.
I of course do not use any client maps or recipient maps, only sender maps.
So I found it wise to call the file just access.
Of course, if I start using client maps or recipient maps, files will be
renamed accordingly.
meant this:
outside mynetworks, known sender, known recipient (did fail as it should)
outside mynetworks, unknown sender, known recipient (did succeed as it
should)
outside mynetworks, known sender, unknown recipient (did fail as it should)
(succeeding here would make the server an open relay)
On Wed, May 07, 2014 at 09:04:37PM +0200, Sebastian Nielsen wrote:
About the forgetting of the purpose of the access file:
Did put a comment block in the access file:
#NEVER EVER PUT ANYTHING YOU DONT WANT TO BE OPEN RELAY FOR IN THIS FILE#
#ONLY USE PERMIT_MYNETWORKS OR SIMILIAR
yep know. It is a dedicated access file. Renamed it to relay_auth, to make
it more clear what the file is for.
But a question: Why do you like sasl authentication? Isn't it more secure to
have no authentication at all and instead
rely on client IP?
Then there's no authentication to hack.
I
On 07.05.2014 21:27, Sebastian Nielsen wrote:
But a question: Why do you like sasl authentication?
Isn't it more secure to have no authentication at all and instead
rely on client IP?
how can it be more secure to blindly trust an IP address
compared to a combination of username +
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-2.11.1.html]
Postfix stable release 2.11.1 is available. This release provides
two bugfixes that affect Postfix 2.11 and later, and some
code/documentation cleanup.
Bugfixes (fixed in
Hello,
I published TLS DANE Records for my mailserver and now I am wondering
if there is a way to verify that these records are okay/matching the
cert. Is there a tool/site where I can test this? I suppose it would
be possible with the right openssl s_client commands but I can't
figure them out.
rolled out snapshot 20140507, to
which we will upgrade soon.
Thank you both.
--
Sahil Tandon
On Thu, May 08, 2014 at 01:14:09AM +0200, Sebastian Wiesinger wrote:
I published TLS DANE Records for my mailserver and now I am wondering
if there is a way to verify that these records are okay/matching the
cert. Is there a tool/site where I can test this? I suppose it would
be possible with