On 5/28/24 5:39 AM, Christophe Kalt via Postfix-users wrote:
smtpd_delay_reject to no
I had it at yes.
Changed it.
--john
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to
Greg Sims via Postfix-users:
> > On Mon, May 27, 2024 at 3:40?AM Viktor Dukhovni via Postfix-users <
> postfix-users@postfix.org> wrote:
>
> > You really should have posted "collate" output, which would have shown
> > the envelope sender address in the "qmgr active" log entry. Perhaps
> > the
I do see the "qmgr active" active with the from=<>. I added
mail01.raystedman.org SPF to DNS as a result.
Thanks again, Greg
>
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
> On Mon, May 27, 2024 at 3:40 AM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:
> You really should have posted "collate" output, which would have shown
> the envelope sender address in the "qmgr active" log entry. Perhaps
> the actual domain used did not have the
On 28/05/2024 11:39, Christophe Kalt via Postfix-users wrote:
On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users
wrote:
For submission I only use xbl (return code 127.0.0.4) excluding
other other data contained in zen like pbl that lists isp dynamic
ip ranges from
On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users <
postfix-users@postfix.org> wrote:
For submission I only use xbl (return code 127.0.0.4) excluding other
other data contained in zen like pbl that lists isp dynamic ip ranges from
which you would normally expect to get connections
On Sun, May 26, 2024 at 5:57 AM John Fawcett via Postfix-users <
postfix-users@postfix.org> wrote:
> For submission I only use xbl (return code 127.0.0.4) excluding other
> other data contained in zen like pbl that lists isp dynamic ip ranges from
> which you would normally expect to get
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
John Hill via Postfix-users:
Is this the same thing?
On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:
See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.
To block
On 27/05/2024 13:31, John Hill via Postfix-users wrote:
On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
John Hill via Postfix-users:
Is this the same thing?
On 25.05.24 15:54, Wietse Venema via
On Mon, May 27, 2024 at 3:40 AM Viktor Dukhovni via Postfix-users <
postfix-users@postfix.org> wrote:
>
> You really should have posted "collate" output, which would have shown
> the envelope sender address in the "qmgr active" log entry. Perhaps
> the actual domain used did not have the
On 5/27/24 4:13 AM, Matus UHLAR - fantomas via Postfix-users wrote:
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
John Hill via Postfix-users:
Is this the same thing?
On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:
See
On Sun, May 26, 2024 at 08:22:53PM -0500, Greg Sims via Postfix-users wrote:
> May 26 00:35:57 mail01.raystedman.org postfix/t124/smtp[39065]:
> 0A7D630F1C7C:
> to==cecytebc.edu...@devotion.raystedman.org>,
> relay=aspmx.l.google.com[142.251.2.26]:25,
> delay=0.52, delays=0/0/0.21/0.31,
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
John Hill via Postfix-users:
Is this the same thing?
On 25.05.24 15:54, Wietse Venema via Postfix-users wrote:
See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.
To block
Greg Sims via Postfix-users:
> We found the following in our email log:
>
> May 26 00:35:57 mail01.raystedman.org postfix/t124/smtp[39065]:
> 0A7D630F1C7C: to==
> cecytebc.edu...@devotion.raystedman.org>,
> relay=aspmx.l.google.com[142.251.2.26]:25,
> delay=0.52, delays=0/0/0.21/0.31,
We found the following in our email log:
May 26 00:35:57 mail01.raystedman.org postfix/t124/smtp[39065]:
0A7D630F1C7C: to==
cecytebc.edu...@devotion.raystedman.org>,
relay=aspmx.l.google.com[142.251.2.26]:25,
delay=0.52, delays=0/0/0.21/0.31, dsn=5.7.26, status=bounced (host
This problem was resolved off-list.
Greg Sims:
> Wietse & Viktor,
>
> All is not lost. Restarting BIND on Ray08 solved the problem of
> c=30!! I am sorry that I did not review/restart this service earlier.
> Your comments related to the 5 second intervals and DNS timeouts
> caused me to look
Dnia 24.05.2024 o godz. 20:41:57 Northwind via Postfix-users pisze:
> my guess, submission clients were using ehlo, and a mx client uses
> helo command. so postfix differ them based on this command?
They connect to different Postfix services. Submission clients connect to
port 587 or 465 (or any
On 25/05/2024 20:50, John Hill via Postfix-users wrote:
On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:
On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up
with the conversation!
I had auth on ports I did
On 25/05/2024 23:58, Mike via Postfix-users wrote:
Hello,
My setup like below:
I have Postfix setup and use dovecot as SASL. Now, all email accounts
can use the smtp server to send emails. I want to allow only one email
account to send out emails and rest of others can only use POP3 or
great knowledge. thanks Wietse.
master.cf:
submission ... ... ... ... ... ... smtpd
-o { smtpd_client_restrictions =
check_sasl_access inline:{{ user@example = OK }}
static:{ REJECT this user is not allowed to send mail }
}
Mike via Postfix-users:
> Hello,
>
> My setup like below:
>
> I have Postfix setup and use dovecot as SASL. Now, all email accounts
> can use the smtp server to send emails. I want to allow only one email
> account to send out emails and rest of others can only use POP3 or IMAP.
>
> How can I
Mike via Postfix-users skrev den 2024-05-25 23:58:
How can I make that?
check_sasl_access https://wiki.zimbra.com/wiki/How-to-restrict-ssl-login
imho same you want ?
just replace reject with permit, and reject all remaining if sasl user
is not that user
On 26/05/24 09:58, Mike via Postfix-users wrote:
Hello,
My setup like below:
I have Postfix setup and use dovecot as SASL. Now, all email accounts
can use the smtp server to send emails. I want to allow only one email
account to send out emails and rest of others can only use POP3 or IMAP.
iptables?
I have Postfix setup and use dovecot as SASL. Now, all email accounts
can use the smtp server to send emails. I want to allow only one email
account to send out emails and rest of others can only use POP3 or IMAP.
___
Postfix-users
Hello,
My setup like below:
I have Postfix setup and use dovecot as SASL. Now, all email accounts
can use the smtp server to send emails. I want to allow only one email
account to send out emails and rest of others can only use POP3 or IMAP.
How can I make that?
Thanks
On 5/25/24 3:54 PM, Wietse Venema via Postfix-users wrote:
John Hill via Postfix-users:
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
Is this the same thing?
See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.
To block xbl
John Hill via Postfix-users:
> > postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
> Is this the same thing?
See https://www.spamhaus.org/faqs/dnsbl-usage/#200 for a table
with the purpose of different lookup results.
To block xbl listed clients with postscreen, one would configure
On 5/25/24 11:22 AM, John Fawcett via Postfix-users wrote:
On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up
with the conversation!
I had auth on ports I did not need. I use auth on submission port
587, for users
On 24/05/2024 03:03, John Hill via Postfix-users wrote:
I learn something every time I read this group, when I can keep up
with the conversation!
I had auth on ports I did not need. I use auth on submission port 587,
for users access.
I do get a boat load of failed login attempts on 587.
yes I am using smtps as service name indeed.
and smtps has -o smtpd_sasl_auth_enable=yes enabled.
Thanks peter.
On postfix 3.4 submissions was actually called smtps so you want to
enable it in the smtps section (there won't be a submissions entry in
your master.cf unless you added it).
On 25/05/24 01:37, Matus UHLAR - fantomas via Postfix-users wrote:
He mentioned that on postfix with "smtpd_tls_auth_only=yes" (the
default) authentication is only available when TLS is active
The default is no, but it is very common to have it set to yes.
Peter
On 25/05/24 09:50, Northwind via Postfix-users wrote:
just to clarify, submissions is not required to set for enabling
sasl_auth on port 465/587. i have tested it, no need to set a separated
submissions.
Incorrect. submission is *only* port 587, submissions is port 465.
my postfix
On 25/05/24 01:12, Benny Pedersen via Postfix-users wrote:
Stephan Seitz via Postfix-users skrev den 2024-05-24 15:01:
Carefull, if you have „smtpd_tls_auth_only = yes” (I think), then
you’ll see AUTH after STARTTLS…
port 25 must not be tls only
Since authentication should never be done on
On 25/05/24 00:43, Benny Pedersen via Postfix-users wrote:
Northwind via Postfix-users skrev den 2024-05-24 14:37:
and restarted postfix.
now I think it should be working.
telnet localhost 25
ehlo localhost
if you see AUTH in ehlo results it not done yet
no AUTH results take another beer
On 25/05/24 00:29, Benny Pedersen via Postfix-users wrote:
Northwind via Postfix-users skrev den 2024-05-24 14:17:
so, in main.cf:
smtpd_sasl_auth_enable=no
comment this out in main.cf, it already default no
It's fine to have it, it's simply redundant.
Peter
On 25/05/24 00:17, Northwind via Postfix-users wrote:
so, in main.cf:
smtpd_sasl_auth_enable=no
Yes, although the setting is redundant here since it defaults to no
anyways it's fine to explicitly state it if you want.
then in master.cf:
submission inet n - y - -
On 24/05/24 21:32, Matus UHLAR - fantomas via Postfix-users wrote:
On 24.05.24 12:00, Peter via Postfix-users wrote:
And the OP is referring to SASL AUTH attacks which are for submission,
not MX connections.
But some of those log lines mention postfix/smtpd, which means they
happen on port
just to clarify, submissions is not required to set for enabling
sasl_auth on port 465/587. i have tested it, no need to set a separated
submissions.
my postfix version:
version 3.4.13
thanks
submissions inet n - y - - smtpd
On 5/24/24 9:33 AM, Matus UHLAR - fantomas via Postfix-users wrote:
On 24.05.24 07:36, John Hill via Postfix-users wrote:
What command do you use to reset the connection?
no command, just rule in OUTPUT chain:
1710 649K REJECT 6 -- * * 0.0.0.0/0
0.0.0.0/0
On 5/24/24 06:51, Benny Pedersen via Postfix-users wrote:
Authentication-Results list.sys4.de; dkim=pass header.d=junc.eu;
arc=none (Message is not ARC signed); dmarc=pass (Used From Domain
Record) header.from=junc.eu policy.dmarc=reject
where comes REJECT from ?
You might consider asking
On 2024-05-23 at 20:12:09 UTC-0400 (Fri, 24 May 2024 12:12:09 +1200)
Peter via Postfix-users
is rumored to have said:
On 24/05/24 01:42, Bill Cole via Postfix-users wrote:
[...]
It is also helpful as a matter of system design to decouple user
email addresses from their login usernames. For
Am Fr, Mai 24, 2024 at 15:12:31 +0200 schrieb Benny Pedersen via Postfix-users:
Stephan Seitz via Postfix-users skrev den 2024-05-24 15:01:
Carefull, if you have „smtpd_tls_auth_only = yes” (I think), then
you’ll see AUTH after STARTTLS…
port 25 must not be tls only
I didn’t say that, but
Stephan Seitz via Postfix-users skrev den 2024-05-24 15:01:
Carefull, if you have „smtpd_tls_auth_only = yes” (I think), then
you’ll see AUTH after STARTTLS…
On 24.05.24 15:12, Benny Pedersen via Postfix-users wrote:
port 25 must not be tls only
if its needed use another port for tls only
Thank you so much.
This is really important.
>
> Le 24/05/2024 à 14:17, Northwind via Postfix-users a écrit :
>
> >
> > so, in main.cf:
> >
> > smtpd_sasl_auth_enable=no
> >
> > then in master.cf:
> >
> > submission inet n - y - - smtpd
> >
> > -o
On 24.05.24 20:41, Northwind via Postfix-users wrote:
my guess, submission clients were using ehlo, and a mx client uses
helo command. so postfix differ them based on this command?
EHLO is the extended HELO, supports SMTP extensions. Mail clients just like
servers may use either, but nowadays
On 24.05.24 07:36, John Hill via Postfix-users wrote:
What command do you use to reset the connection?
no command, just rule in OUTPUT chain:
1710 649K REJECT 6-- * * 0.0.0.0/00.0.0.0/0
tcp spt:25 match-set block-smtp dst reject-with
Le 24/05/2024 à 14:17, Northwind via Postfix-users a écrit :
so, in main.cf:
smtpd_sasl_auth_enable=no
then in master.cf:
submission inet n - y - - smtpd
-o smtpd_sasl_auth_enable=yes
Am I right? does this disable sasl_auth for port 25, but still
authorize
Stephan Seitz via Postfix-users skrev den 2024-05-24 15:01:
Carefull, if you have „smtpd_tls_auth_only = yes” (I think), then
you’ll see AUTH after STARTTLS…
port 25 must not be tls only
if its needed use another port for tls only
___
Am Fr, Mai 24, 2024 at 20:48:16 +0800 schrieb Northwind via Postfix-users:
ehlo localhost.localdomain
250-mx.domain.xyz
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
no AUTH was there. so it should be working. :)
Carefull, if
ehlo localhost.localdomain
250-mx.domain.xyz
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
no AUTH was there. so it should be working. :)
if you see AUTH in ehlo results it not done yet
Northwind via Postfix-users skrev den 2024-05-24 14:37:
and restarted postfix.
now I think it should be working.
telnet localhost 25
ehlo localhost
if you see AUTH in ehlo results it not done yet
no AUTH results take another beer :)
___
my guess, submission clients were using ehlo, and a mx client uses helo
command. so postfix differ them based on this command?
regards.
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to
root@mx:/etc/postfix# vi main.cf
root@mx:/etc/postfix# vi master.cf
root@mx:/etc/postfix# service postfix restart
i have comment out this line in main.cf:
#smtpd_sasl_auth_enable = yes
And enable this in master.cf:
submission inet n - y - - smtpd
-o
Northwind via Postfix-users skrev den 2024-05-24 14:17:
so, in main.cf:
smtpd_sasl_auth_enable=no
comment this out in main.cf, it already default no
then in master.cf:
submission inet n - y - - smtpd
-o smtpd_sasl_auth_enable=yes
Am I right?
yes
does
so, in main.cf:
smtpd_sasl_auth_enable=no
then in master.cf:
submission inet n - y - - smtpd
-o smtpd_sasl_auth_enable=yes
Am I right? does this disable sasl_auth for port 25, but still authorize
users on port 587/465?
Thanks a lot.
Many moons ago I was
What command do you use to reset the connection?
On 5/24/24 6:18 AM, Matus UHLAR - fantomas via Postfix-users wrote:
On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into the
nftables table immediately.
I think this keeps
Authentication-Results list.sys4.de; dkim=pass header.d=junc.eu;
arc=none (Message is not ARC signed); dmarc=pass (Used From Domain
Record) header.from=junc.eu policy.dmarc=reject
where comes REJECT from ?
___
Postfix-users mailing list --
Allen Coates via Postfix-users skrev den 2024-05-24 11:51:
Many moons ago I was told to put "smtpd_sasl_auth_enable=no" in
main.cf, blocking the function everywhere, and then put "-o
smtpd_sasl_auth_enable=yes" in the submission stanza(s) in master.cf,
expressly enabling it *just* there.
On 24/05/2024 03:15, Peter via Postfix-users wrote:
No you definately should disable auth on port 25 regardless. It is
possible for postscreen to pass a connection to smtpd and smtpd can
*then* offer auth.
To answer your original question, you can just set -o
smtpd_sasl_auth_enable=no in
On 23.05.24 21:03, John Hill via Postfix-users wrote:
I use Fail2Ban to block the failed IP. The script writes it into the
nftables table immediately.
I think this keeps Postfix waiting and times out, not a big deal. Is
there a cli that my bash script could force disconnect the ip from
On 24/05/2024 03:15, Peter via Postfix-users wrote:
No you definately should disable auth on port 25 regardless. It is possible for postscreen to pass a connection to
smtpd and smtpd can *then* offer auth.
To answer your original question, you can just set -o smtpd_sasl_auth_enable=no in
On 23/05/2024 14:45, Bill Cole via Postfix-users wrote:
is rumored to have said:
Don't accept mail from home networks. For example, use "reject_dbl_client
zen.spamhaus.org". For this you must use your own DNS resolver,
not the DNSresolver from your ISP.
On 23.05.24 07:00, Northwind via
Zen includes the "PBL" component, which consists largely of
residential and mobile consumer IPs.
On 24/05/24 02:12, Matus UHLAR - fantomas via Postfix-users wrote:
Yes, but these are (usually) not considered valid clients, these
should use submission/submissions(smtps) ports where
On 24/05/24 13:08, Northwind via Postfix-users wrote:
do you mean since I have been using postscreen, there is no need to
manually disable authentication on port 25? since postscreen doesn't
have auth support.
No you definately should disable auth on port 25 regardless. It is
possible for
Will do it. Tonight.
Thanks
On May 23, 2024 9:11 PM, Wietse Venema via Postfix-users
wrote:
John Hill via Postfix-users:
> I learn something every time I read this group, when I can keep up with
> the conversation!
>
> I had auth on ports I did not need. I use auth on submission port
John Hill via Postfix-users:
> I learn something every time I read this group, when I can keep up with
> the conversation!
>
> I had auth on ports I did not need. I use auth on submission port 587,
> for users access.
>
> I do get a boat load of failed login attempts on 587. Funny how a China,
do you mean since I have been using postscreen, there is no need to
manually disable authentication on port 25? since postscreen doesn't
have auth support.
Thanks Wietse.
As documnented somewhere, postscreen never announces AUTH support.
___
I learn something every time I read this group, when I can keep up with
the conversation!
I had auth on ports I did not need. I use auth on submission port 587,
for users access.
I do get a boat load of failed login attempts on 587. Funny how a China,
US, Argentina, you name it, hosts, will
Northwind via Postfix-users:
> Hello,
>
> since my smtp instance is postscreen as showing the follow,
>
> smtp inet n - y - 1 postscreen
>
>
> How can I disable authentication on port 25 then?
>
> I know if the smtp instance is smtpd, this option should
On 24/05/24 01:42, Bill Cole via Postfix-users wrote:
Likely brute force.
Not exactly.
"Brute force" password cracking is almost never seen today, as it has
been replaced by a practice commonly called "credential stuffing" where
the attacker has some large collection of known-good
Hello,
since my smtp instance is postscreen as showing the follow,
smtp inet n - y - 1 postscreen
How can I disable authentication on port 25 then?
I know if the smtp instance is smtpd, this option should work:
-o smtpd_sasl_auth_enable=no
Thank you.
On 24/05/24 02:12, Matus UHLAR - fantomas via Postfix-users wrote:
Zen includes the "PBL" component, which consists largely of
residential and mobile consumer IPs.
Yes, but these are (usually) not considered valid clients, these should
use submission/submissions(smtps) ports where
On Thu, May 23, 2024 at 05:48:29PM -0400, Wietse Venema via Postfix-users wrote:
> Greg Sims via Postfix-users:
> > We see conn_use about 24% of the time:
>
> But none of the sessions shown in your message have that.
>
> Do they also have multiple-of-5-second type 'c' delays?
Indeed those
Greg Sims via Postfix-users:
> We see conn_use about 24% of the time:
But none of the sessions shown in your message have that.
Do they also have multiple-of-5-second type 'c' delays?
Wietse
___
Postfix-users mailing list --
Pedro David Marco via Postfix-users:
> Hi all,
> is it possible to have several Postfix instances to use a centralized
> Postfix server for address verification probes when this centralized
> server is NOT an MDA but a relay to external MDAs?
You can specify address_verify_relayhost and the like,
You have been perfectly clear. As outlined in DSN_README, the RFC
does not support a way to selectively disable SUCCESS notification.
Postfix is not just a bunch of random hacks thrown together. You
are free to use a different mail system.
Wietse
On Thu, May 23, 2024 at 7:07 AM Greg Sims wrote:
>
> Thank you Viktor. All recommended changes have been made. I hope to
> collect useful "collate" data with our next distribution at Noon today
> pacific.
>
Still having problems with the inbound smtpd from our private network
flooding
Hi all,
is it possible to have several Postfix instances to use a centralized Postfix
server for address verification probes when this centralized server is NOT an
MDA but a relay to external MDAs?
Thanks in advance!
Pete.
___
Postfix-users mailing
On 23.05.24 20:51, Alexander Kolesnikov via Postfix-users wrote:
23.05.2024 19:06, Wietse Venema via Postfix-users пишет:
Aleksandr Kolesnikov via Postfix-users:
if the user requests a DSN, he receives a delivery message via the
...
how to prohibit the sending of such DSN?
Perhaps:
Don't accept mail from home networks. For example, use
"reject_dbl_client
zen.spamhaus.org". For this you must use your own DNS resolver,
not the DNSresolver from your ISP.
On 23.05.24 07:00, Northwind via Postfix-users wrote:
will this also stop the valid client's SMTP connection? thank you
23.05.2024 15:38, Kevin Cousin via
Postfix-users пишет:
Le 2024-05-21T22:50:48.000+02:00, Wietse Venema via
Postfix-users a écrit :
Kevin Cousin via Postfix-users:
23.05.2024 19:06, Wietse Venema via
Postfix-users пишет:
Aleksandr Kolesnikov via Postfix-users:
if the user requests a DSN, he receives a delivery message via the
...
how to prohibit the sending of such DSN?
On 2024-05-23 at 02:31:05 UTC-0400 (Thu, 23 May 2024 08:31:05 +0200)
Matus UHLAR - fantomas via Postfix-users
is rumored to have said:
Don't accept mail from home networks. For example, use
"reject_dbl_client
zen.spamhaus.org". For this you must use your own DNS resolver,
not the DNSresolver
On 2024-05-22 at 19:03:48 UTC-0400 (Thu, 23 May 2024 11:03:48 +1200)
Peter via Postfix-users
is rumored to have said:
On 23/05/24 10:33, Northwind via Postfix-users wrote:
[...]
The attack continues at this time.
My questions are:
1. what's the purpose of this kind of attack? Brute force
Thank you Viktor. All recommended changes have been made. I hope to
collect useful "collate" data with our next distribution at Noon today
pacific.
I hope you have a great day! Greg
> [root@mail01 postfix]# postconf -nf
>
> [root@mail01 postfix]# postconf -Mf
Aleksandr Kolesnikov via Postfix-users:
> if the user requests a DSN, he receives a delivery message via the
...
> how to prohibit the sending of such DSN?
Perhaps: https://www.postfix.org/DSN_README.html
Wietse
___
Postfix-users mailing
That's great info from all you people. many thanks!
>
> On 23/05/24 19:02, Jaroslaw Rafa via Postfix-users wrote:
>
> >
> > In addition I can add one idea:
> >
> > I have had quite a success with a policy server that rejects all
> > connections
> >
> > on submission ports IF it doesn't
On 23/05/24 19:02, Jaroslaw Rafa via Postfix-users wrote:
In addition I can add one idea:
I have had quite a success with a policy server that rejects all connections
on submission ports IF it doesn't find a currently established IMAP session
from the same IP address. All "normal" mail clients
On 23/05/24 16:51, Viktor Dukhovni via Postfix-users wrote:
Dovecot has its own mechanism list, while Postfix has a mechanism list
filter. You should be able to set:
smtp_sasl_mechanism_filter = plain
He's trying to prevent login on smtpd, so the setting should be
Dnia 23.05.2024 o godz. 15:18:36 Northwind via Postfix-users pisze:
> how to implement that a policy server? thanks.
My script is very simple, I just took a sample policy server script in Perl
included with Postfix distribution and added code to ask Dovecot about
currently active IMAP sessions.
Le 2024-05-21T22:50:48.000+02:00, Wietse Venema via Postfix-users
a écrit :
> Kevin Cousin via Postfix-users:
>> Hi,
>>
>> We are using Postfix as relay for our internal apps. This apps
>> are
>>
>> sending mails to final users with from nore...@example.net, but
>>
>> sometimes,
how to implement that a policy server? thanks.
In addition I can add one idea:
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
Dnia 23.05.2024 o godz. 11:03:48 Peter via Postfix-users pisze:
>
> You can implement a policy daemon (such as postfwd) which can add
> limits to help in case a password does get found. This can shut
> down a user account before it gets used to send too much SPAM.
>
> If you know that all of
Don't accept mail from home networks. For example, use "reject_dbl_client
zen.spamhaus.org". For this you must use your own DNS resolver,
not the DNSresolver from your ISP.
On 23.05.24 07:00, Northwind via Postfix-users wrote:
will this also stop the valid client's SMTP connection? thank you
On 23/05/2024 14:27, Scott Techlist via Postfix-users wrote:
All of these entries are using the LOGIN mech. Unless you have an
extremely old outlook express MUA (or similar) you xan and should be
using the PLAIN mech. You can eliminate all of the above attacks by
removing LOGIN from the list
On Wed, May 22, 2024 at 11:27:15PM -0500, Scott Techlist via Postfix-users
wrote:
> >All of these entries are using the LOGIN mech. Unless you have an
> >extremely old outlook express MUA (or similar) you xan and should be
> >using the PLAIN mech. You can eliminate all of the above attacks by
>All of these entries are using the LOGIN mech. Unless you have an
>extremely old outlook express MUA (or similar) you xan and should be
>using the PLAIN mech. You can eliminate all of the above attacks by
>removing LOGIN from the list of mechs you accept.
Peter:
I too see a lot of these so I
Hi All,
the resubmit service is configured in master.cf:
resubmit unix - n n - 10 pipe
flags=Rq user=nobody null_sender=
argv=/usr/local/libexec/resubmit_mail.sh -N success --
${recipient}
if the user requests a DSN,
On Wed, May 22, 2024 at 12:19:03PM -0500, Greg Sims wrote:
> [root@mail01 postfix]# postconf -nf
> maximal_backoff_time = 16m
> minimal_backoff_time = 2m
> queue_run_delay = 2m
FWIW (not related to your immediate issue) I would not recommend such a
short maximal backoff, you're
On 23/05/2024 08:33, Northwind via Postfix-users wrote:
Hello list,
In the last two days, my mail system (small size) met attacks.
mail.log shows a lot of this stuff:
May 23 06:24:29 mx postfix/smtpd[2655149]: warning:
unknown[194.169.175.17]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
601 - 700 of 96910 matches
Mail list logo