On 2018-10-11 04:08, pg...@dev-mail.net wrote:
I'm setting up outbound DKIM signing for a Postfix instance.
I'd prefer something other than OpenDKIM or Amavisd.
Other than DIY, is there a solid/stable milter for outbound signing
folks are successfully using with Postfix?
Appreciate any referen
Hi there. We just started using let's encrypt certs in our mail servers.
Since renewal of the certs is done automatically, will postfix cope well
with that or will we have to restart it after the renewal takes place?
Thanks so much in advance for your help!
Ignacio
On Thu, 11 Oct 2018 at 09:08, Ignacio Garcia wrote:
> Hi there. We just started using let's encrypt certs in our mail servers.
> Since renewal of the certs is done automatically, will postfix cope well
> with that or will we have to restart it after the renewal takes place?
>
Viktor answered thi
Hello,
> We just started using let's encrypt certs in our mail servers. Since renewal
> of the certs is
> done automatically, will postfix cope well with that or will we have to
> restart it after the renewal
> takes place?
I do restart postfix. In fact, I do reboot the mail server as other
pi
On Thu, 11 Oct 2018 at 08:49, B. Reino wrote:
> On 2018-10-11 04:08, pg...@dev-mail.net wrote:
> > I'm setting up outbound DKIM signing for a Postfix instance.
> >
> > I'd prefer something other than OpenDKIM or Amavisd.
> >
> > Other than DIY, is there a solid/stable milter for outbound signing
We just started using let's encrypt certs in our mail servers. Since renewal of
the certs is
done automatically, will postfix cope well with that or will we have to restart
it after the renewal
takes place?
On 11.10.18 15:14, Olivier wrote:
I do restart postfix. In fact, I do reboot the mail
we use opendkim (somehow it does not crash for us, yes, I've seen many
unresolved issues).
however, I'd like to raise another question :)
opendkim is attached to postfix via milter. it is a pain.
under high load (when lots of marketing letters are sent) we have to choose
between
1) if milter is unacce
On 11.10.18 13:35, Илья Шипицин wrote:
we use opendkim (somehow it does not crash for us, yes, I've seen many
unresolved issues).
however, I'd like to raise another question :)
opendkim is attached to postfix via milter. it is a pain.
under high load (when lots of marketing letters are sent) we have
Sorry I could not read that message posted by Viktor. Probably I was not
subscribed yet. Nevertheless, thanks for your answers.
On Thu, 11 Oct 2018 at 10:14, Dominic Raferd ()
wrote:
> On Thu, 11 Oct 2018 at 09:08, Ignacio Garcia wrote:
>
>> Hi there. We just started using let's encrypt
On 11.10.2018 at 10:51, Matus UHLAR - fantomas wrote:
On 11.10.18 13:35, Илья Шипицин wrote:
we use opendkim (somehow it does not crash for us, yes, I've seen many
unresolved issues).
however, I'd like to raise another question :)
opendkim is attached to postfix via milter. it is a pain.
under high
On 11.10.18 11:01, Ignacio Garcia wrote:
> Sorry I could not read that message posted by Viktor. Probably I was
> not subscribed yet.
The Postfix mailing list archives (http://www.postfix.org/lists.html)
are a treasure trove of information.
-Ralph
B. Reino wrote on 2018-10-11 09:48:
I can recommend rspamd. The DKIM module is very flexible, supports
multiple domains, etc.
rspamd is a bit of overkill for dkim signing
with well supported ucl it's easy to configure it
xml was hard to manage
In case you've not seen this many other places, just a friendly
reminder that ICANN is rolling the DNSSEC root KSK today. Make
sure your resolver (if it is validating) is ready. If you're
forwarding queries to an upstream resolver, you might also check
that the upstream is ready.
--
V
On Thu, Oct 11, 2018, at 12:48 AM, B. Reino wrote:
> I can recommend rspamd. The DKIM module is very flexible, supports
> multiple domains, etc.
rspamd is in the same bucket as amavis from my perspective.
I prefer a single-function/focus tool rather than a 'swiss-army knife' approach
On Thu, Oct 11, 2018, at 2:37 AM, Robert Schetterer wrote:
> http://dkimproxy.sourceforge.net/ "may"
> help for this case
In principle. Tho, not clear yet on whether I want/prefer a milter or proxy.
Leaning to milter ...
But last release in 2010-11-14 sounds 'pretty dead' to me!
On Thu, Oct 11, 2018, at 1:21 AM, Dominic Raferd wrote:
> I have had no problems with opendkim
I didn't either. Do now. Consistent crashing whether distro-installed or
DIY-builds.
Crashes appear malloc related; reported to upstream. Unfortunately, LOTS of
bugs there with very little, if a
Hello,
today I noticed a significant amount of TLS failures in my postfix log.
Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from
client.example[192.0.2.25]:34152: -1
I traced some sessions and found the problematic client is announcing
the special cipher "TLS_FALLBACK_SCSV"
Dear Users,
we have the following in place:
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
reject_unverified_recipient
unverified_recipient_reject_code = 550
unknown_address_reject_code = 550
today, we had an issue with our groupware so the following was happening:
NOQUEUE: rej
On Thu, Oct 11, 2018 at 11:24:13AM -0400, Viktor Dukhovni wrote:
> In case you've not seen this many other places, just a friendly
> reminder that ICANN is rolling the DNSSEC root KSK today. Make
> sure your resolver (if it is validating) is ready. If you're
> forwarding queries to an upstream r
On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:
> today I noticed a significant amount of TLS failures in my postfix log.
>
> Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from
> client.example[192.0.2.25]:34152: -1
>
> I traced some sessions and found the problematic
I've never seen this before, perhaps someone can throw light on it ?
Postfix 3.3.1
>openssl s_client -connect test.example.com:587 -starttls smtp
250 DSN
ehlo localhost
250-test.example.com
250-PIPELINING
250-SIZE 2048
250-ETRN
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH
Stefan Bauer:
> Dear Users,
>
> we have the following in place:
>
> smtpd_recipient_restrictions = reject_unknown_recipient_domain,
> reject_unverified_recipient
> unverified_recipient_reject_code = 550
> unknown_address_reject_code = 550
>
> today, we had an issue with our groupware so the foll
Laura Smith:
> RCPT TO:t...@example.com
> RENEGOTIATING
Don't enter commands that start with R into OpenSSL.
Wietse
We just noticed, that senders got several "550 5.1.0 Address rejected"
bounces even though postfix logs no permanent errors.
Oct 11 17:19:13 kop01 postfix/lmtp[5711]: E759E301412: to=,
relay=127.0.0.1[127.0.0.1]:2003, delay=13, delays=0/0.01/13/0, dsn=4.0.0,
status=undeliverable (host 127.0.0.1[12
On Thu, Oct 11, 2018 at 05:54:59PM +0200, A. Schulze wrote:
> Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from
> client.example[192.0.2.25]:34152: -1
>
> I traced some sessions and found the problematic client is announcing
> the special cipher "TLS_FALLBACK_SCSV"
> in a TLSv1.
On Thu, Oct 11, 2018, at 9:40 AM, Viktor Dukhovni wrote:
> On Thu, Oct 11, 2018 at 11:24:13AM -0400, Viktor Dukhovni wrote:
>
> > In case you've not seen this many other places, just a friendly
> > reminder that ICANN is rolling the DNSSEC root KSK today. Make
> > sure your resolver (if it is
On Thursday, October 11, 2018 6:15 PM, Wietse Venema
wrote:
> Laura Smith:
>
> > RCPT TO:t...@example.com
> > RENEGOTIATING
>
> Don't enter commands that start with R into OpenSSL.
>
> Wietse
Rats ! ;-)
Well, I guess that makes sense.
Stefan Bauer:
we have the following in place:
today, we had an issue with our groupware so the following was happening:
NOQUEUE: reject: RCPT from unknown[ip]: 450 4.1.1 :
Recipient address rejected: unverified address: Address verification in
progress; from= to=
proto=ESMTP helo=
Oct 11 17:1
On 11.10.2018 at 17:47, pg...@dev-mail.net wrote:
> On Thu, Oct 11, 2018, at 2:37 AM, Robert Schetterer wrote:
>> http://dkimproxy.sourceforge.net/ "may"
>> help for this case
>
> In principle. Tho, not clear yet on whether I want/prefer a milter or proxy.
> Leaning to milter ...
>
> But last
On Thu, Oct 11, 2018 at 01:15:02PM -0400, Wietse Venema wrote:
> Laura Smith:
> > RCPT TO:t...@example.com
> > RENEGOTIATING
>
> Don't enter commands that start with R into OpenSSL.
Lower-case 'r' works by the way. The OpenSSL 's_client' utility
is a diagnostic tool for debugging SSL issues, not
On 11 Oct 2018, at 18:27, pg...@dev-mail.net wrote:
>
> Changing my local dns (named) config to
>
> - dnssec-enable yes;
> + dnssec-enable no;
> dnssec-lookaside no;
> - dnssec-validation yes;
> + dnssec-validation no;
>
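Review bot: the two `+` lines set `dnssec-enable no;` and `dnssec-validation no;`, which switches DNSSEC validation off for every zone the resolver handles rather than repairing the trust anchor it validates against. Keep `dnssec-validation` enabled and fix the root trust anchor instead; if this is meant only as a temporary workaround, note that next to the setting so it gets reverted.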
> ge
On Thu, Oct 11, 2018 at 10:27:57AM -0700, pg...@dev-mail.net wrote:
> Can you comment just a bit further on 'ready'?
By "ready" I mean that it has a working "rfc5011" key rollover
implementation, and so has already long added KSK2017 to its list
of root trust anchors. Or alternatively, that some
This may help
https://www.icann.org/dns-resolvers-checking-current-trust-anchors
Jamie
October 11, 2018 11:59 AM, "Viktor Dukhovni" wrote:
> On Thu, Oct 11, 2018 at 10:27:57AM -0700, pg...@dev-mail.net wrote:
>
>> Can you comment just a bit further on 'ready'?
>
> By "ready" I mean that it
On Thu, Oct 11, 2018, at 10:53 AM, Jim Reid wrote:
> Although switching off DNSSEC validation will keep the mail flowing, it
> only kludges around the underlying problem. Which might or might not be
> related to the rollover of the root KSK a few hours ago. It’s hard to
> tell from the inform
On Thu, Oct 11, 2018, at 10:58 AM, Viktor Dukhovni wrote:
> This does not look like a forwarder problem, your own trusted key
> list is not up to date. Either it is manually maintained, or
> automated updates are failing (perhaps permission problems to update
> the files, the keys need to be wr
On Thu, Oct 11, 2018, at 11:03 AM, Jamie Nelson wrote:
> https://www.icann.org/dns-resolvers-checking-current-trust-anchors
was JUST looking for that! thx.
On Thu, 11 Oct 2018, Benny Pedersen wrote:
B. Reino wrote on 2018-10-11 09:48:
I can recommend rspamd. The DKIM module is very flexible, supports
multiple domains, etc.
rspamd is a bit of overkill for dkim signing
If you only want DKIM signing, then yes.
In my case, rspamd does DKIM sign
> On 11 Oct 2018, at 19:07, pg...@dev-mail.net wrote:
>
>> The switch to the new KSK seems the most likely cause, assuming DNSSEC
>> validation always worked for you before then.
>
> It's been 'working' for ages. Yes, I could have been 'just lucky for a long
> time'.
DNSSEC is very brittl
Stefan Bauer:
> We just noticed, that senders got several "550 5.1.0 Address rejected"
> bounces even though postfix logs no permanent errors.
>
> Oct 11 17:19:13 kop01 postfix/lmtp[5711]: E759E301412: to=,
> relay=127.0.0.1[127.0.0.1]:2003, delay=13, delays=0/0.01/13/0, dsn=4.0.0,
> status=undeli
On Thursday, October 11, 2018 6:51 PM, Viktor Dukhovni
wrote:
> On Thu, Oct 11, 2018 at 01:15:02PM -0400, Wietse Venema wrote:
>
> > Laura Smith:
> >
> > > RCPT TO:t...@example.com
> > > RENEGOTIATING
> >
> > Don't enter commands that start with R into OpenSSL.
>
> Lower-case 'r' works by the wa
On 11 Oct 2018, at 14:07, pg...@dev-mail.net wrote:
Isn't 'hardwired' here afaict. Looking at the ICANN site -- again --
is probably best advice.
Since you're running BIND, https://kb.isc.org/docs/aa-01182 might be
more specifically helpful, although I'm not sure that you can recover
from t
On Thu, Oct 11, 2018, at 2:33 PM, Bill Cole wrote:
> > Isn't 'hardwired' here afaict. Looking at the ICANN site -- again --
> > is probably best advice.
>
> Since you're running BIND, https://kb.isc.org/docs/aa-01182 might be
> more specifically helpful, although I'm not sure that you can recov
On Thu, Oct 11, 2018 at 03:44:56PM -0700, pg...@dev-mail.net wrote:
> resolver's up, running & working now, at least as verified with the usual
>
> dig @127.0.0.1 dnssec-failed.org a +dnssec
>
> not clear if all of that^ was needed, but it apparently did the trick.
>
> thanks all.
Check the
On Thu, Oct 11, 2018, at 3:51 PM, Viktor Dukhovni wrote:
> Check the user "named" runs as after chroot and dropping privs has
> write permissions to update the root trust-anchor file (may need
> write permissions to the containing directory to make the update
> atomic).
thanks! I _think_ I'm set
But what was postfix reporting to the Appliance that tried to deliver to
postfix?
The 421 is what postfix got from the groupware. Not what it was reporting
to the deliverer.
Our setup is appliance -> Postfix -> Groupware.
The appliance bounced several mails with a 550 5.1.0 Address rejected.
Am
Is it by using debug? How do I set it best to get the smtp statements and their
responses?