[pfx] Re: RFC logs_check

2024-07-24 Thread Allen Coates via Postfix-users
On 24/07/2024 13:11, Jaroslaw Rafa via Postfix-users wrote: >> I want "Kill on Sight".  >> >> Fastest way to me would be Postfix says it logged a connection from >> fluffy.cuddly.port.raping.internet-measurement.com calls my script with >> the IP address and they get stuffed up IPTables. These

[pfx] Re: Documentation Prefix

2024-07-07 Thread Allen Coates via Postfix-users
On 07/07/2024 16:13, Ralph Seichter via Postfix-users wrote: > * Allen Coates via Postfix-users: > >> I have just been perusing my firewall logs, and notice I have had >> several "hits" using the documentation prefix (2001:db8::/32) as the >> source address. [..

[pfx] Documentation Prefix

2024-07-07 Thread Allen Coates via Postfix-users
I have just been perusing my firewall logs, and notice I have had several "hits" using the documentation prefix (2001:db8::/32) as the source address.   Eleven in a fortnight or so. I have also had some hits (on my website) from  Teredo addresses.  I am allowing these, because (arguably) we are

[pfx] Re: dnsbl submissions

2024-07-07 Thread Allen Coates via Postfix-users
On 07/07/2024 05:18, Nick Edwards via Postfix-users wrote: > > Main: > submission_recipient_restrictions = >         reject_rbl_client cbl.abuseat.org > =127.0.0.[2..255] >         reject_unknown_sender_domain >         reject_unknown_recipient_domain >        

[pfx] Re: disable authentication on port 25

2024-05-24 Thread Allen Coates via Postfix-users
On 24/05/2024 03:15, Peter via Postfix-users wrote: No you definitely should disable auth on port 25 regardless.  It is possible for postscreen to pass a connection to smtpd and smtpd can *then* offer auth. To answer your original question, you can just set   -o smtpd_sasl_auth_enable=no in

[pfx] Re: Strengthen email system security

2024-05-24 Thread Allen Coates via Postfix-users
On 23/05/2024 14:45, Bill Cole via Postfix-users wrote: is rumored to have said: Don't accept mail from home networks. For example, use "reject_dbl_client zen.spamhaus.org".  For this you must use your own DNS resolver, not the DNS resolver from your ISP. On 23.05.24 07:00, Northwind via

[pfx] Re: Feature request

2024-03-20 Thread Allen Coates via Postfix-users
On 20/03/2024 13:17, Viktor Dukhovni via Postfix-users wrote: > On Wed, Mar 20, 2024 at 01:42:16PM +0100, Ralf Hildebrandt via Postfix-users > wrote: >> Hi! >> >> I wonder if this is possible: >> >> If a PCRE/regexp style map is triggering, it can be quite hard to >> find out WHICH pattern

[pfx] Re: SMTP Smuggling, workarounds and fix

2023-12-28 Thread Allen Coates via Postfix-users
In the past, I have had messages coming in (via port 25) claiming to be Helpdesk, Personnel, etc So I had incorporated into my sender_access file the line:- cidercounty.org.uk   permit_sasl_authenticated, reject Do you think something like this would be beneficial WRT the smuggling

[pfx] Re: IPv6 and Cloud server CPU

2023-11-26 Thread Allen Coates via Postfix-users
On 22/11/2023 22:16, DL Neil via Postfix-users wrote: > Have been offered choice of more-modern Cloud-VPS systems, and two addressing > options: > > Q1: > can an email server be run off IPv6 (exclusively) these days, or are IPv4 + > v6 alternatives necessary? Realistically, you still need to

[pfx] Re: Filterring out invalidu...@mydomain.com

2023-10-05 Thread Allen Coates via Postfix-users
On 05/10/2023 04:44, Olivier via Postfix-users wrote: Hi, How is it possible to configure Postfix to filter messages of the form: from invalidu...@mydomain.com to validu...@mydomain.com I have been receiving quite a lot recently and they are trash. Best regards, Olivier From the top of

[pfx] Re: Postfix: running a script on authentication failure

2023-06-22 Thread Allen Coates via Postfix-users
On 22/06/2023 16:09, Viktor Dukhovni via Postfix-users wrote: > So, at least in my case, geofencing is not an option. Of course not - there is never a universal solution. In the matter of multi-factor authentication, discussions are increasingly quoting a fourth factor:  "WHERE you are". 

[pfx] Re: Postfix: running a script on authentication failure

2023-06-22 Thread Allen Coates via Postfix-users
On 22/06/2023 12:58, André Rodier via Postfix-users wrote: > > What are you using on your side ? > > - Do you know any service, that I could use, to get the network to ban from > an IP address reputation, something like > crowdsec, for instance ? > - Anyone has success with Suricata, Snort, or

[pfx] Re: postfix ports questions

2023-05-14 Thread Allen Coates via Postfix-users
On 14/05/2023 01:09, Tom Reed via Postfix-users wrote: >> On Sat, May 13, 2023 at 06:51:30PM +0800, Tom Reed via Postfix-users >> wrote: >> >>> Can I setup only port 25 open to the world? If port 465/587 are filtered >>> by iptables which only permit internal users to connect, does this make >>>

[pfx] Re: Deny any sender address with subdomain

2023-04-29 Thread Allen Coates via Postfix-users
On 28/04/2023 14:59, Gerd Hoerst via Postfix-users wrote: > Hi ! > > question 1st : is it a good idea to reject any email which is not sent from a > domain  (means sen...@domain.tld) any > other like sen...@sub.domain.tld or sub.sub.domain.tld is rejected ? Any ideas on the opposite - i.e.

[pfx] Re: postscreen question

2023-04-29 Thread Allen Coates via Postfix-users
The code 450 is the "deep tests" doing their stuff. When a remote host calls for the first time, it sees a temp-fail (code 450). When the host calls back, *USING THE SAME IP ADDRESS*, it will be passed through to the mail server. The host has to call twice to get through. With  gmail