On 21/06/2024 at 00:13, John Levine wrote:
It appears that Emmanuel Fusté via Postfix-users said:
In the general case (not null sender), HELO SPF validation does not
interfere with DMARC as DMARC only use the MAIL FROM identity.
There was historically a bug in some DMARC implementation which
On 20/06/2024 at 21:13, Wietse Venema via Postfix-users wrote:
Bounces are sent with the null envelope.from address which has no
domain. Therefore, SPF applies policy to a surrogate: the hostname
in the SMTP client's HELO/EHLO command (as if the envelope.from
address was postmaster@helo-argumen
defined in single-wild.porcupine.org zone.
Thus, when A record for mail01-t122.raystedman.org already exists,
the *.raystedman.org TXT record will not cover it and explicit TXT
for mail01-t122.raystedman.org must be created (I see it's been done)
On 05.06.24 14:55, Emmanuel Fusté via Po
On 05/06/2024 at 14:01, Matus UHLAR - fantomas via Postfix-users wrote:
Matus UHLAR - fantomas via Postfix-users:
>- Create a wild-card SPF policy for *.raystedman.org that permits
>all your SMTP client IP addresses.
Sorry: wildcard in DNS only applied for non-existing names and since
the hos
On 04/06/2024 at 17:02, Wietse Venema via Postfix-users wrote:
Greg Sims via Postfix-users:
We had another DMARC Failure last night. The email ended up at the gmail level.
X-Original-Authentication-Results: mx.google.com;
spf=none (google.com: mail01-t122.raystedman.org does not
On 22/05/2024 at 12:35, Greg Sims via Postfix-users wrote:
Thank you again for your feedback on this issue.
I watched the workload in real time this morning and now have more
insight into what is happening. It appears the large ISPs are using
TLS connection as a way to throttle incoming traff
On 21/12/2023 at 10:03, Joachim Lindenberg via Postfix-users wrote:
Emmanuel,
please read the thread
https://www.mail-archive.com/postfix-users@postfix.org/msg100852.html from the
beginning. SOCKS5 was already considered as an alternative to proxy protocol.
If you want to bash nginx then ple
On 20/12/2023 at 21:25, Joachim Lindenberg via Postfix-users wrote:
Emmanuel :
That's crazy, If you're able to run a dedicated proxy instance, you're able to
run an outbound postfix instance too: the perfect proxy software for
smtp/postfix is postfix.
Otherwise it means that you're trying to
On 20/12/2023 at 20:53, Joachim Lindenberg via Postfix-users wrote:
Wietse:
Obviously, nginx will not know the Postfix SMTP client protocol stage, and the
nginx settings will have to match the largest
Postfix timeouts to avoid persistent mail delivery problems with some sites.
Settings optima
On 15/08/2023 at 23:12, Viktor Dukhovni via Postfix-users wrote:
On Tue, Aug 15, 2023 at 04:14:58PM -0400, pgnd via Postfix-users wrote:
2023-08-14T13:11:53.782611-04:00 svr01 postfix/postscreen[27910]: CONNECT from
[52.101.56.17]:32607 to [209.123.234.54]:25
2023-08-14T13:11:59.860098-04:00
On 30/05/2023 at 16:07, Benny Pedersen via Postfix-users wrote:
Viktor Dukhovni via Postfix-users wrote on 2023-05-30 14:30:
There's no good reason to have mail sent to mx2 unless mx1 is down.
and subject says load balancing, not backup mx
imho OP asked not to have mx backup, but load bal
On 06/04/2023 at 16:44, Emmanuel Fusté wrote:
On 06/04/2023 at 14:09, Emmanuel Fusté wrote:
On 06/04/2023 at 13:35, Ken Peng via Postfix-users wrote:
On 2023-04-06 19:07, Jaroslaw Rafa via Postfix-users wrote:
I just now learned about the UTF8 thing, I would never think of using
non
On 06/04/2023 at 14:09, Emmanuel Fusté wrote:
On 06/04/2023 at 13:35, Ken Peng via Postfix-users wrote:
On 2023-04-06 19:07, Jaroslaw Rafa via Postfix-users wrote:
I just now learned about the UTF8 thing, I would never think of using
non-ASCII characters in host/domain names :)
You can
On 06/04/2023 at 13:35, Ken Peng via Postfix-users wrote:
On 2023-04-06 19:07, Jaroslaw Rafa via Postfix-users wrote:
I just now learned about the UTF8 thing, I would never think of using
non-ASCII characters in host/domain names :)
You can dig the UTF8 hostname, they are valid for query.
On 12/01/2023 at 19:45, post...@ptld.com wrote:
No SPF is OK, but as long as the domain of RFC822 MAIL FROM address
has a SPF, this SPF must pass.
DMARC will pass as long as either SPF or DMARC passes.
DMARC will still pass if SPF fails and DKIM passes.
I think you might be misinterpreting w
On 12/01/2023 at 18:17, Emmanuel Fusté wrote:
On 12/01/2023 at 17:51, Wietse Venema wrote:
Emmanuel Fusté:
On Thu, 12 Jan 2023, 17:15, wrote:
Since I am using SPF as a validation method, the non-srs messages
from
those big providers will have possibility to break SPF and be
On 12/01/2023 at 17:51, Wietse Venema wrote:
Emmanuel Fusté:
On Thu, 12 Jan 2023, 17:15, wrote:
Since I am using SPF as a validation method, the non-srs messages from
those big providers will have possibility to break SPF and be rejected by
our systems.
Do you reject based on solely
On Thu, 12 Jan 2023, 17:15, wrote:
> > Since I am using SPF as a validation method, the non-srs messages from
> those big providers will have possibility to break SPF and be rejected by
> our systems.
>
> Do you reject based on solely the SPF result? It would be better to use
> DMARC, have S
On 06/01/2023 at 21:03, Demi Marie Obenour wrote:
On 1/6/23 07:15, Wietse Venema wrote:
Peter Wienemann:
Hi,
is there a way to dump the effective postfix configuration rather than
the one specified in main.cf/master.cf? It seems that changes to
main.cf/master.cf have an immediate impact on t
On 02/01/2023 at 20:38, Laurent Frigault wrote:
Hi,
Is there any way to have some smtpd_access_maps with
parent_domain_matches_subdomains and some other without it ?
I have :
smtpd_recipient_restrictions =
permit_mynetworks
reject_non_fqdn_sender
reject_unknown_sender_domain
On 02/10/2022 at 11:51, Matus UHLAR - fantomas wrote:
On 10/1/22 16:16, Viktor Dukhovni wrote:
4096-bit RSA certificates mostly work, but are pointless crypto
exhibitionism, waste CPU, can run into client implementation
limitations, and so are not a good idea.
On 01.10.22 17:20, Shawn Heisey
On 26/08/2022 at 16:54, Emmanuel Fusté wrote:
On 26/08/2022 at 15:52, post...@ptld.com wrote:
Check RFC5322, section 2.2.1 "Unstructured Header Field Bodies".
Semantically, unstructured field bodies are simply to be treated as a
single line of characters with no further
On 26/08/2022 at 15:52, post...@ptld.com wrote:
Check RFC5322, section 2.2.1 "Unstructured Header Field Bodies".
Semantically, unstructured field bodies are simply to be treated as a
single line of characters with no further processing (except for
"folding" and "unfolding" as described in
On 30/03/2022 at 18:36, Viktor Dukhovni wrote:
On Wed, Mar 30, 2022 at 06:11:33PM +0200, Michael Ströder wrote:
Or simply set in /etc/systemd/journald.conf:
[Journal]
Storage=none
ForwardToSyslog=yes
That does not fully solve the problem, since IIRC rate limits and
performance limitations s
On 03/12/2021 at 14:48, Yves-Marie Le Pors Chauvel wrote:
Hi folks,
I moved from Postfix 3.1.15 to 3.5.6... It was mandatory to upgrade it
in order to remove any legacy version (OS and Postfix) !
Before that everything was perfect : respecting the limit of
connections for a specific route
Hello,
On 01/10/2021 at 16:17, Sam R wrote:
Hello,
I want to set up a Postfix SMTP server with cyrus-sasl in GSSAPI mode.
I have two Samba4 servers in AD mode, and my clients are in windows 10.
I removed the execution of Postfix in chroot to simplify.
I added two keytab in /etc/krb5.keytab s
On 05/08/2021 at 16:48, Matteo Cazzador wrote:
Hi everybody, i've this configuration active in postfix:
smtp_dns_support_level=dnssec
smtp_tls_security_level = dane
Is it possible to exclude some check for specific domain name ?
Something like whitelist domain name and lookup.
I use a loc
On 07/07/2021 at 15:41, Emmanuel Fusté wrote:
On 07/07/2021 at 15:36, Emmanuel Fusté wrote:
On 07/07/2021 at 15:26, Wietse Venema wrote:
Emmanuel Fusté:
On 07/07/2021 at 15:06, Wietse Venema wrote:
Viktor Dukhovni:
On Tue, Jul 06, 2021 at 12:56:50PM +0200, Xavier Beaudouin wrote
On 07/07/2021 at 15:36, Emmanuel Fusté wrote:
On 07/07/2021 at 15:26, Wietse Venema wrote:
Emmanuel Fusté:
On 07/07/2021 at 15:06, Wietse Venema wrote:
Viktor Dukhovni:
On Tue, Jul 06, 2021 at 12:56:50PM +0200, Xavier Beaudouin wrote:
I currently have an appliance that misuse the
On 07/07/2021 at 15:26, Wietse Venema wrote:
Emmanuel Fusté:
On 07/07/2021 at 15:06, Wietse Venema wrote:
Viktor Dukhovni:
On Tue, Jul 06, 2021 at 12:56:50PM +0200, Xavier Beaudouin wrote:
I currently have an appliance that misuse the null sender (mail
from:<>) to send mail.
Unfortunatl
On 07/07/2021 at 15:06, Wietse Venema wrote:
Viktor Dukhovni:
On Tue, Jul 06, 2021 at 12:56:50PM +0200, Xavier Beaudouin wrote:
I currently have an appliance that misuse the null sender (mail
from:<>) to send mail.
Unfortunately, this appliance is closed source
and we can only setup : fixed
On 24/08/2020 at 21:14, Steffen Nurpmeso wrote:
Something else, maybe.
I do not understand why my (stupid) config
smtpd_sender_restrictions =
check_ccert_access hash:/etc/postfix/relay_clientcert,
permit_tls_clientcerts,
reject_unknown_sender_domain,
#reject_sender
On 27/09/2019 at 17:01, Emmanuel Fusté wrote:
Hello,
I started to deploy TLS connection reuse on some non trivial outbound
gateway setups.
First I was hit by a non-obvious configuration behavior:
On my gateway I have:
smtpd_tls_security_level=none
smtp_tls_security_level=dane
If I switch
On 27/09/2019 at 18:07, Viktor Dukhovni wrote:
On Fri, Sep 27, 2019 at 05:01:03PM +0200, Emmanuel Fusté wrote:
Next, more a feature request: I have some custom transports defined for
different/custom client side TLS certs and conf.
Client-side TLS certs typically have private keys that only
On 27/09/2019 at 17:39, Wietse Venema wrote:
Emmanuel Fusté:
I have some custom transports defined for different/custom client side
TLS certs and conf.
But we presently have no way to specify a different tlsproxy instance
for smtp as for cleanup for smtpd. So for now I must disable TLS
connect
Hello,
I started to deploy TLS connection reuse on some non trivial outbound
gateway setups.
First I was hit by a non-obvious configuration behavior:
On my gateway I have:
smtpd_tls_security_level=none
smtp_tls_security_level=dane
If I switch to TLS session reuse with
smtp_tls_connection_reus
On 17/06/2019 at 20:29, Wietse Venema wrote:
Emmanuel Fusté:
On 17/06/2019 at 12:05, Emmanuel Fusté wrote:
On 16/06/2019 at 22:37, Viktor Dukhovni wrote:
On Sun, Jun 16, 2019 at 05:46:52PM +0200, Stefan Bauer wrote:
Some of our users use o365 but would like to use our service for
outgo
On 17/06/2019 at 21:31, Wietse Venema wrote:
Viktor Dukhovni:
On Mon, Jun 17, 2019 at 02:29:05PM -0400, Wietse Venema wrote:
I suppose that Postfix will need to forward the OORG information
that it received from the Microsoft server, not a name that is
hard-coded in main.cf, and that Postfix
On 17/06/2019 at 13:08, Stefan Bauer wrote:
Emmanuel,
thank you. That was of great help to see, that others have same issues
with o365.
Do you have any more infos how you do the experimental certificate
matching part with postfix?
In the official experimental release from Wietse.
Emman
On 17/06/2019 at 12:05, Emmanuel Fusté wrote:
On 16/06/2019 at 22:37, Viktor Dukhovni wrote:
On Sun, Jun 16, 2019 at 05:46:52PM +0200, Stefan Bauer wrote:
Some of our users use o365 but would like to use our service for
outgoing
mails. We are offering smtp sending services. Integrating
On 17/06/2019 at 13:14, Wietse Venema wrote:
Emmanuel Fusté:
The "proper" Microsoft way is to use their proprietary XOORG SMTP
extension used in their hybrid cloud scenario.
- Is there a protocol definition for this, or is there only
implementation by trial and error?
The only official statem
On 16/06/2019 at 22:37, Viktor Dukhovni wrote:
On Sun, Jun 16, 2019 at 05:46:52PM +0200, Stefan Bauer wrote:
Some of our users use o365 but would like to use our service for outgoing
mails. We are offering smtp sending services. Integrating our service in
o365 is tricky, as one can only spe
On 18/04/2019 at 21:45, Viktor Dukhovni wrote:
On Apr 18, 2019, at 12:01 PM, Wietse Venema wrote:
Eventually there will be a postfix--nonprod release that combines
all the code (jay) and none of the guarantees (bleh).
I am not convinced that stuffing arbitrary PKI identities into a
SASL
On 18/04/2019 at 12:05, lst_ho...@kwsoft.de wrote:
Quoting Emmanuel Fusté:
Hello,
Great piece of work! It solves a big part of my problem, but sadly I
need to go deeper.
On 18/03/2019 at 22:45, Bastian Schmidt wrote:
In the meantime I have completed a patch and sent it to Wietse
On 27/03/2019 at 18:10, Emmanuel Fusté wrote:
On 27/03/2019 at 17:14, Viktor Dukhovni wrote:
On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:
The goal is to be as transparent as possible :
- if the client is not found in the relay_clientcerts, act as usual
- if the client
On 27/03/2019 at 17:14, Viktor Dukhovni wrote:
On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:
The goal is to be as transparent as possible :
- if the client is not found in the relay_clientcerts, act as usual
- if the client is found in the relay_clientcerts, no longer
Hello,
Great piece of work! It solves a big part of my problem, but sadly I
need to go deeper.
On 18/03/2019 at 22:45, Bastian Schmidt wrote:
In the meantime I have completed a patch and sent it to Wietse and
Victor, which adds an option smtpd_sasl_tls_ccert_username.
As the patch is rathe
On 27/03/2019 at 15:15, Wietse Venema wrote:
lst_ho...@kwsoft.de:
Hello,
we need to authenticate a SMTP client connection based on the CN of the
(trusted) client certificate. The client is not under our control
(O365 connector), so we will get no notification if the key
fingerprint will change
On 08/02/2019 at 15:58, Harald Koch wrote:
On Fri, Feb 8, 2019, at 06:40, Emmanuel Fusté wrote:
Never use shared storage. It will be your main source of problems.
Recognizing that shared storage is always a headache:
How do you handle the situation where your active node crashes with queued
On 08/02/2019 at 11:35, De Petter Mattheas wrote:
Hello
Which work method do you guys prefer for ha with postfix?
2 postfix nodes with f5 load balancer active passive and shared
storage for the que
How can you share config between active and passive ? can we use my
sql cluster for config
On 19/03/2018 at 17:32, Msd wrote:
On 19/03/2018 at 16:28, Wietse Venema wrote:
Please provide quantitative evidence that connection reuse is
necessary to get mail into the 'big providers' (i.e. they punish
connection rate and message rate differently).
Hi Wietse,
The biggest email service
On 19/03/2018 at 16:42, Emmanuel Fusté wrote:
On 19/03/2018 at 16:28, Wietse Venema wrote:
Emmanuel Fusté:
Is there any document that describe how interprocess notification is
done in postfix ? More precisely the scheduler -> delivery agent
notification ?
There is no public documentat
On 19/03/2018 at 16:28, Wietse Venema wrote:
Emmanuel Fusté:
Is there any document that describe how interprocess notification is
done in postfix ? More precisely the scheduler -> delivery agent
notification ?
There is no public documentation for *internal* Postfix interfaces,
so that I can c
On 18/03/2018 at 19:23, Viktor Dukhovni wrote:
On Mar 18, 2018, at 1:55 PM, Matus UHLAR - fantomas wrote:
* Caching open TLS connections in the smtp(8) delivery agent for
reuse by scheduling repeated deliveries to the same delivery
agent runs into complex scheduling difficulties. Th
Matus UHLAR - fantomas:
a smtp client that able to process multiple mails in a single run is not
planned, correct?
On 15.03.18 09:22, Wietse Venema wrote:
Wasn't a dedicated per-destination delivery agent one of the possible
solutions?
if you mean this one:
- For each destination, use dedi
On 07/01/2018 at 02:49, Wietse Venema wrote:
Quick update: I've done a brain-dead simple, but correct, implementation
that always quotes the name (just like qmail, BTW). If needed, it
can be made smarter later.
There's some draft documentation below.
Wietse
header_from_format (defau
On 29/06/2016 17:02, Chip wrote:
If Return-path is added by receiving MTA, as you say, below, and that it
contains the MAIL FROM, then why do I see the following in source code
of received message in which return-path does not match From?
X-Mozilla-Status: 0001
X-Mozilla-Status2:
X-
On 14/03/2015 09:15, Viktor Dukhovni wrote:
On Fri, Mar 13, 2015 at 06:13:56PM +0100, Emmanuel Fusté wrote:
Ok, what do you think about this one ?
I added XSASL_AUTH_TEMP in case of crashed / stopped dovecot auth server
too.
Looks fine to me.
What SMTP client is it by the way that treats a
On 13/03/2015 17:14, Emmanuel Fusté wrote:
On 11/03/2015 16:54, Emmanuel Fusté wrote:
On 11/03/2015 16:39, Viktor Dukhovni wrote:
On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:
Hello,
On a heavy i/o loaded Postfix (2.11.0) server, i've got this behavior:
535
On 11/03/2015 16:54, Emmanuel Fusté wrote:
On 11/03/2015 16:39, Viktor Dukhovni wrote:
On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:
Hello,
On a heavy i/o loaded Postfix (2.11.0) server, i've got this behavior:
535 5.7.8 Error: authentication failed: Connection
On 11/03/2015 16:39, Viktor Dukhovni wrote:
On Wed, Mar 11, 2015 at 01:41:00PM +0100, Emmanuel Fusté wrote:
Hello,
On a heavy i/o loaded Postfix (2.11.0) server, i've got this behavior:
535 5.7.8 Error: authentication failed: Connection lost to authentication server
Mar 10 16:37:08 xxx
Hello,
On a heavy i/o loaded Postfix (2.11.0) server, i've got this behavior:
=== Connected to x.x.x.x.
<- 220 xx.xx.xx ESMTP Postfix
-> EHLO localhost
<- 250-xx.xx.xx
<- 250-PIPELINING
<- 250-SIZE 1024
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-AUTH CRAM-MD5 DIGEST-MD5
<- 250
On 14/11/2014 18:47, Viktor Dukhovni wrote:
On Fri, Nov 14, 2014 at 05:20:14PM +, Viktor Dukhovni wrote:
So gmail.com and postfix.org offer and actually reuses sessions, On the
other hand, storing hotmail, AOL or Yahoo sessions is just a waste
of I/O, since they are rarely if ever reusa
On 10/10/2014 06:40, Ronald F. Guilmette wrote:
In message <20141010030256.gw13...@mournblade.imrryr.org>,
Viktor Dukhovni wrote:
On Thu, Oct 09, 2014 at 10:28:52AM -0700, Ronald F. Guilmette wrote:
What happens if in fact the matching rules specified in the access(5)
man page resulted in
On 09/10/2014 07:43, Ronald F. Guilmette wrote:
This is a request for a very minor change to the semantics of the
PREPEND result that can be returned from policy servers
and/or from specific entries within an access(5) lookup table.
It would be maximally convenient if the subject could be
i
On 18/09/2013 12:48, Wietse Venema wrote:
Wietse Venema:
Emmanuel Fusté:
In an "access" table, could I use any postfix "reject_xxx" and
"permit_xxx" directive ?
I did not find it in the documentation. It could be very powerful.
It *is* documented.
OTHER ACTIONS
restriction...
On 18/09/2013 05:40, Viktor Dukhovni wrote:
On Wed, Sep 18, 2013 at 01:00:48PM +1000, li...@sbt.net.au wrote:
Return-Path:
...
Received: from p2p (unknown [124.11.170.87])
by geko.domain.tld (Postfix) with SMTP id 9E40A3827C6
for ; Wed, 18 Sep 2013 08:13:25 +1000 (EST)
Everythi
On 16/09/2013 18:43, Viktor Dukhovni wrote:
On Mon, Sep 16, 2013 at 11:24:12AM -0400, Wietse Venema wrote:
So I think putting "sender" first and indicating that *only*
listed senders are in scope makes sense:
reject_restricted_sender_wrong_login
this should likely automatically imp
On 16/09/2013 14:35, Wietse Venema wrote:
Emmanuel Fusté:
But in either case, I want to accept the email if the envelope address
is not in the map.
Given that "reject_sender_login_mismatch" is implemented internally
as an alias for "reject_authenticated_sender_login_mismatch,
reject_unauthen
On 16/09/2013 12:41, Wietse Venema wrote:
Emmanuel Fusté:
Hello,
I did not find a way to "emulate" the behavior of
reject_sender_login_mismatch for authenticated connexions as for
unauthenticated connexions.
reject_authenticated_sender_login_mismatch
Enforces the reject_sender_log
Hello,
I did not find a way to "emulate" the behavior of
reject_sender_login_mismatch for authenticated connexions as for
unauthenticated connexions.
I need that as in the unauthenticated case, if the envelope sender is
not in the smtpd_sender_login_maps maps, the request is accepted.
Is ther
On 04/11/2010 05:24, Noel Jones wrote:
On 11/3/2010 11:07 PM, Vincent Lefevre wrote:
BTW, so, there is no way to match only subdomains (by that, I mean
all possible subdomains, but not the domain itself) without changing
parent_domain_matches_subdomains?
That's correct with indexed tables.
On 01/04/2010 15:20, Wietse Venema wrote:
Emmanuel Fusté:
relay_relayhost = [a.b.c.d]
As always, use "postconf -n" output when reporting a problem. This
would have revealed immediately that relay_relayhost is a mistake.
Wietse
Ok so "transport"_"postfix-conf-parameter" is no long
Hello,
Relevant config parameters:
parent_domain_matches_subdomains =
relay_domains = hash:some_relay_domains_map
relay_relayhost = [a.b.c.d]
some_relay_domains_map contain:
xxx.comx
yyy.comx
aaa.xxx.comx
bbb.yyy.comx
symptom:
messages for xxx.com and yyy.com are correctly rel
Ralf Hildebrandt wrote:
* Emmanuel Fusté:
In corporate environment, it is now a big pain for us to provide
accurate realtime metrics, reliable weekly statistics which are
mandatory things requested by our bosses. Big piles of Perl scripts
to post process logs, or parse them as they
Wietse Venema wrote:
Ralf Hildebrandt:
* no7find - :
Hi list !
I want to know if there is any implementation of MTA-MIB (defined @ RFC
2789) for the Postfix.
The answer is: type SNMP into the search window at http://www.postfix.org.
Sounds like something qmgr would keep