[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
> On 31 May 2024, at 16:13, Wietse Venema via Postfix-users > wrote: > > Gerben Wierda via Postfix-users: >>> On 31 May 2024, at 14:53, Wietse Venema wrote: >>> >>> Gerben Wierda via Postfix-users: >>>> >>>>> On

[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
> On 31 May 2024, at 14:53, Wietse Venema wrote: > > Gerben Wierda via Postfix-users: >> >>> On 31 May 2024, at 13:20, pat...@patpro.net wrote: >>> >>> Hello, >>> >>> Any sign of postfix 3.9 blacklisting HAproxy because of SMTP >

[pfx] whitelisting and greylisting

2024-05-31 Thread Gerben Wierda via Postfix-users
ta=0/1 rset=1 quit=1 commands=7/8 What am I doing wrong? Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>, Mastodon <https://newsie.social/@gctwnl>) R IT Strategy <https://ea.rna.nl/> (main site) Book: Chess and the Art of Enterprise Architecture <https:

[pfx] Re: HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
is sent before 220 is received? G > > May 31, 2024 1:06 PM, "Gerben Wierda via Postfix-users" > wrote: > Hmm, I just noticed (all outgoing s

[pfx] HAproxy 4.3 thinks one of my postfixes (3.9) is down on SMTP, but it sees another (3.8.6) as up on SMTP (SMTPD/postscreen are OK on both sides)

2024-05-31 Thread Gerben Wierda via Postfix-users
exclude that I updated HAproxy too, so I am not 100% certain. What should I do? Revert to postfix 3.8? I rather not, I rather would upgrade the other to 3.9 (but if I do that, I probably lose all smtp behind HAproxy for now) Gerben Wierda

[pfx] Re: A functional lightweight reverse alias?

2024-03-04 Thread Gerben Wierda via Postfix-users
, but I also think this will be too complex for me having not enough daily practice with creating milters. Gerben Wierda

[pfx] A functional lightweight reverse alias?

2024-03-02 Thread Gerben Wierda via Postfix-users
from meatevilcomp...@mydomain.tld to marketingt...@evilcompany.com, but only for marketingt...@evilcompany.com or for @evilcompany.com? Thx, Gerben Wierda

[pfx] CVE-2023-51764

2024-01-05 Thread Gerben Wierda via Postfix-users
Is smtpd_data_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce enough to stop this small(?) risk (before I manage to upgrade)? Gerben Wierda

Re: A user is unknown, but I can't find out why

2023-02-18 Thread Gerben Wierda
> On 18 Feb 2023, at 14:49, Wietse Venema wrote: > > Gerben Wierda: >> Feb 18 12:18:44 snape smtp/smtpd[15128]: NOQUEUE: reject: RCPT from >> ms11p00im-qufo17282001.me.com >> <http://ms11p00im-qufo17282001.me.com/>[17.58.38.57]: 550 5.1.1 >> mailto:van

A user is unknown, but I can't find out why

2023-02-18 Thread Gerben Wierda
/var/mail/nl.rna.mail/users/vanroodewierda mailmaildir:/var/mail/nl.rna.mail/users/vanroodewierda I’m kind of lost, how do I find out why I’m getting ‘User unknown’ here from postfix? Is there a way to run a test with more verbose output that I cans why one works and another not? Gerben

Re: Health check of postfix without the logging noise

2023-01-28 Thread Gerben Wierda
> On 28 Jan 2023, at 17:26, post...@ptld.com wrote: > >> Currently, every time haproxy checks if postfix is still alive, e.g. on port >> 587, I see this in my logging: >> Jan 28 13:13:20 albus submission/smtpd[97331]: warning: haproxy read: EOF >> Jan 28 13:13:20 albus submission/smtpd[97331]:

Re: Health check of postfix without the logging noise

2023-01-28 Thread Gerben Wierda
> On 28 Jan 2023, at 14:53, Wietse Venema wrote: > > Gerben Wierda: >>> A proper health check verifies that a service actually responds. >> >> True. >> >>> You can find more with "haproxy health check script". For example, >

Re: Health check of postfix without the logging noise

2023-01-28 Thread Gerben Wierda
> On 28 Jan 2023, at 13:40, Wietse Venema wrote: > > Gerben Wierda: >> Currently, every time haproxy checks if postfix is still alive, >> e.g. on port 587, I see this in my logging: >> >> Jan 28 13:13:20 albus submission/smtpd[97331]: warning: haproxy r

Health check of postfix without the logging noise

2023-01-28 Thread Gerben Wierda
think of is set up a separate port in master.cf for postfix to listen to and make sure logging disappears in a black hole. But maybe I am missing something and there is a better way to do an external health check to see if postfix is running? Gerben Wierda

Re: postscreen_cache: unable to get exclusive lock

2023-01-15 Thread Gerben Wierda
> On 15 Jan 2023, at 22:09, Wietse Venema wrote: > > It would resolve the exclusive lock. However, it makes no sense to > have two postscreen services on the same physical machine exposed > to clients on the internet. Not in stable production, agreed. But it brings me quick changes of my

Re: postscreen_cache: unable to get exclusive lock

2023-01-15 Thread Gerben Wierda
postscreen_cache_map=btree:$data_directory/postscreen_haproxy_cache So, they now both can handle postscreen side-by-side on two ports where one port required haproxy and the other does not. G > On 15 Jan 2023, at 21:03, Benny Pedersen wrote: > > Gerben Wierda skrev den 2023-01

Re: postscreen_cache: unable to get exclusive lock

2023-01-15 Thread Gerben Wierda
Let me guess: my two postscreen instances side by side on different ports? G Sent from my iPhone On 15 Jan 2023, at 19:26, Gerben Wierda wrote: For some reason, one of my postfix servers says this: Jan 15 19:18:30 mail postfix/postscreen[1057]: fatal: btree:/opt/local/var/lib/postfix/postscreen_cache

postscreen_cache: unable to get exclusive lock

2023-01-15 Thread Gerben Wierda
/libexec/postfix/postscreen pid 1057 exit status 1 Jan 15 19:18:31 mail postfix/master[658]: warning: /opt/local/libexec/postfix/postscreen: bad command startup -- throttling Should I just stop postfix, remove /opt/local/var/lib/postfix/postscreen_cache.db (which is there) and restart? Gerben

Re: postscreen_upstream_proxy_protocol and smtpd_upstream_proxy_protocol

2023-01-15 Thread Gerben Wierda
> On 15 Jan 2023, at 17:09, Wietse Venema wrote: > > In that case, use two SMTP services, one that is proxied and one > that is not. Yes, in the meantime I had gathered that that was the obvious solution (should have realised that earlier). So, I added this in master.cf: smtp inet n

Re: postscreen_upstream_proxy_protocol and smtpd_upstream_proxy_protocol

2023-01-15 Thread Gerben Wierda
> On 15 Jan 2023, at 15:47, Wietse Venema wrote: > > "The name of the proxy protocol used by a before-postscreen proxy agent." That still doesn't tell you what the effect is of entering a value for that setting while the traffic is not coming from a proxy. Normally, when you enter config data

Re: postscreen_upstream_proxy_protocol and smtpd_upstream_proxy_protocol

2023-01-15 Thread Gerben Wierda
> On 15 Jan 2023, at 02:55, Viktor Dukhovni wrote: > > On Sun, Jan 15, 2023 at 01:47:10AM +0100, Gerben Wierda wrote: > >> I am looking at putting HAproxy between the internet and my two inside >> postfix MTA's > > Is there a good reason to do that?

postscreen_upstream_proxy_protocol and smtpd_upstream_proxy_protocol

2023-01-14 Thread Gerben Wierda
no haproxy is used. Is that a correct interpretation? Because it is ambiguous. Gerben Wierda

Re: Two internal servers, two inside fqdns, one outside fqdn

2023-01-14 Thread Gerben Wierda
> On 13 Jan 2023, at 16:22, Gerben Wierda wrote: > > I have created a second postfix server in my LAN. The idea is to use both in > a failover/loadbalancing setting for now. At the back are two dovecots that > replicate to each other. > > When mail is sent out via m

Two internal servers, two inside fqdns, one outside fqdn

2023-01-13 Thread Gerben Wierda
both configured like this: main.cf:myhostname = mail.rna.nl or I can have both configured like this: main.cf:myhostname = a.rna.nl main.cf:smtp_helo_name = mail.rna.nl is there a reason to do one or the other? Gerben Wierda

Re: postfix connects to dovecot lmtp socket, but nothing is delivered

2023-01-05 Thread Gerben Wierda
nostic-Code: smtp; 550-5.7.1 (ISO:NL) Client blocked by policy rules 550 5.7.1 TRACE(Server=smtp.ptld.com <http://smtp.ptld.com/>, Client=213.125.118.53, Jan 05 12:20:24) From: Gerben Wierda mailto:gerben.wie...@rna.nl>> Subject: Re: postfix connects to dovecot lmtp socket, but nothing is delivered Date: 5 January 2023 at 18:20:19 CET To: dove...@ptld.com <mailto:dove...@ptld.com> Cc: dove...@dovecot.org <mailto:dove...@dovecot.org>

Re: postfix connects to dovecot lmtp socket, but nothing is delivered

2023-01-05 Thread Gerben Wierda
> On 5 Jan 2023, at 18:02, Wietse Venema wrote: > > Gerben Wierda: >> Jan 05 16:16:59 snape postfix/lmtp[126]: C71B3D1262: to=, >> relay=snape.rna.nl[private/lmtp], delay=300, delays=0.02/0/300/0, dsn=4.4.2, >> status=deferred (conversation with snape.rna.nl[privat

postfix connects to dovecot lmtp socket, but nothing is delivered

2023-01-05 Thread Gerben Wierda
= postfix } } service lmtp { executable = lmtp -L } protocol lmtp { info_log_path = /var/log/mail/dovecot-lmtp.log } Any other tips? Gerben Wierda

Re: Planning my migration: preventing open relay

2022-12-24 Thread Gerben Wierda
> On 24 Dec 2022, at 09:35, David Bürgin wrote: > > raf: >> On Fri, Dec 23, 2022 at 06:20:08PM +0100, Gerben Wierda >> wrote: >>> What is the best way to do this? Or is it too troublesome and should >>> I just use postfix outside of docker, installi

Planning my migration: preventing open relay

2022-12-23 Thread Gerben Wierda
want postscreen to be the doorman on port 25 traffic. Thanks for tips and suggestions. Gerben Wierda

Re: What is happening here? (TLS Library Problem)

2022-06-10 Thread Gerben Wierda
> On 10 Jun 2022, at 13:17, Wietse Venema wrote: > > Wietse Venema: >> Gerben Wierda: >>> >>>> On 10 Jun 2022, at 02:30, Wietse Venema wrote: >>>> >>>> Gerben Wierda: >>>>> What is happening here? (mail is delivered,

Re: What is happening here? (TLS Library Problem)

2022-06-10 Thread Gerben Wierda
> On 10 Jun 2022, at 02:30, Wietse Venema wrote: > > Gerben Wierda: >> What is happening here? (mail is delivered, I’m just curious) >> >> Jun 09 23:37:39 mail postfix/postscreen[4294]: CONNECT from >> [146.185.52.133]:10400 to [192.168.2.66]:25 >>

What is happening here? (TLS Library Problem)

2022-06-09 Thread Gerben Wierda
What is happening here? (mail is delivered, I’m just curious) Jun 09 23:37:39 mail postfix/postscreen[4294]: CONNECT from [146.185.52.133]:10400 to [192.168.2.66]:25 Jun 09 23:37:45 mail postfix/postscreen[4294]: PASS NEW [146.185.52.133]:10400 Jun 09 23:37:45 mail smtp/smtpd[4296]: connect from

Have you ever thought about building SPF into postfix?

2022-03-20 Thread Gerben Wierda
I was wondering whether you had ever thought about building SPF into Postfix (native). Gerben Wierda

Solved sort of: postfix 3.7.0 port 25 listening stops at some point (after max a few days), no error messages

2022-03-08 Thread Gerben Wierda
2, at 12:44, daniel Azuelos wrote: > > [ Rédigé dans le sens de lecture professionnel. > Written in the professional reading direction. ] > > Le (on) 04/03/2022, Gerben Wierda a écrit (wrote): > > | I have upgraded my postfix 3.6 to postfix 3.7.0 as well as having upgr

Re: Trying to understand this DNSBL blocking issue

2022-03-05 Thread Gerben Wierda
> On 5 Mar 2022, at 18:23, Matus UHLAR - fantomas wrote: > > On 05.03.22 12:43, Gerben Wierda wrote: >> A forward zone without a forward address gives SERVFAIL >> >> But I was able to use >> >> forward-zone: >> name: "spamhaus.org"

Cleaning/resetting the postscreen cache

2022-03-05 Thread Gerben Wierda
What is the correct way to clean out (make a fresh start) with the postscreen cache? Can I clean the postscreen cache while postfix is running? Thanks, Gerben Wierda

Re: Trying to understand this DNSBL blocking issue

2022-03-05 Thread Gerben Wierda
o provide information (such as DNSBL) for domains). Gerben Wierda

Re: postfix 3.7.0 port 25 listening stops at some point (after max a few days), no error messages

2022-03-05 Thread Gerben Wierda
Indeed. The problem is almost certainly most likely my macOS setup in some way. I will try to use 3.6 but I do not expect it will make a difference. Gerben > On 5 Mar 2022, at 04:00, Wietse Venema wrote: > > Gerben Wierda: >> >>> On 4 Mar 2022, at 20:0

Re: Trying to understand this DNSBL blocking issue

2022-03-04 Thread Gerben Wierda
nother resolver than the default one. Or I must forego the use of 9.9.9.9 and lose its DNS blocking of ‘evil’ hosts. G > On 4 Mar 2022, at 19:57, Noel Jones wrote: > > > On 3/4/2022 11:58 AM, Gerben Wierda wrote: > >> Feb 27 06:02:19 mail postfix/dnsblog[46930]: addr 113.197.

Re: Trying to understand this DNSBL blocking issue

2022-03-04 Thread Gerben Wierda
On 4 Mar 2022, at 19:13, Bastian Blank wrote: > > On Fri, Mar 04, 2022 at 06:58:33PM +0100, Gerben Wierda wrote: >> Feb 27 06:02:19 mail postfix/dnsblog[46930]: addr 113.197.35.193 listed by >> domain zen.spamhaus.org as 127.255.255.254 >> The 254 response means: the

Trying to understand this DNSBL blocking issue

2022-03-04 Thread Gerben Wierda
: EHLO mega.nz\r\n Mar 04 18:44:26 mail postfix/postscreen[88228]: DISCONNECT [189.51.96.252]:38442 These responses mean the DNSBL works ok, How do I fix the former one? Gerben Wierda

postfix 3.7.0 port 25 listening stops at some point (after max a few days), no error messages

2022-03-04 Thread Gerben Wierda
talled: postfix @3.7.0_0+dovecot_sasl+pcre+smtputf8+tls What is the best way to hunt down why postfix stops working on port 25 (that is: no more postfix/postscreen gets started) at some moment? What kind of debugging/logging should I turn on to try to find out what happens? Gerben Wierda

Re: Using a different DNS to ask zen.spamhaus.org for DNSBL info?

2021-10-21 Thread Gerben Wierda
On 22 Oct 2021, at 01:09, Gerben Wierda wrote: > >> >> On 21 Oct 2021, at 14:35, Wietse Venema > <mailto:wie...@porcupine.org>> wrote: >> >> Gerben Wierda: >>> My standard DNS forwards to cloud9 (9.9.9.9) because cloud9 blocks bad >>>

Re: Using a different DNS to ask zen.spamhaus.org for DNSBL info?

2021-10-21 Thread Gerben Wierda
> On 21 Oct 2021, at 14:35, Wietse Venema wrote: > > Gerben Wierda: >> My standard DNS forwards to cloud9 (9.9.9.9) because cloud9 blocks bad >> actors. But that means that DNSBL from spamhaus doesn’t work as the query to >> comes from a public DNS server. >

Using a different DNS to ask zen.spamhaus.org for DNSBL info?

2021-10-21 Thread Gerben Wierda
= drop # Drop any SMTP client that is in the DNSBL postscreen_dnsbl_sites = zen.spamhaus.org*2 postscreen_dnsbl_action = drop I have a secondary resolver that doesn’t forward to cloud9. Can I use that local DNS instead of the standard one in postfix, preferably for postscreen DNSBL only? Gerben

Rate limit exception?

2021-08-23 Thread Gerben Wierda
] commands=0/0 Is there a way I could except that server from the rate limit? And could that be misused (a lot of spammers already send to the backup MX anyway) Yours, Gerben Wierda

Re: Address rewrite and DKIM (was: sender rewrite for specific receiver domain)

2021-02-02 Thread Gerben Wierda
ance postfix was interesting. G > On 1 Feb 2021, at 22:59, Viktor Dukhovni wrote: > > On Mon, Feb 01, 2021 at 10:21:32PM +0100, Gerben Wierda wrote: > >> What I suspect here is that DKIM is the problem. As trivial-rewrite >> changes the message, the DKIM signature is

Address rewrite and DKIM (was: sender rewrite for specific receiver domain)

2021-02-01 Thread Gerben Wierda
What I am trying to do is create a ‘reverse alias’ (next to an alias). The alias must be used when mail is sent to a specific domain. > On 1 Feb 2021, at 17:59, Gerben Wierda wrote: > > master.cf gets: > > mycanon unix - - y - -

Re: Reverse canonical for a certain receiver domain only?

2021-02-01 Thread Gerben Wierda
> On 1 Feb 2021, at 16:12, Viktor Dukhovni wrote: > > On Mon, Feb 01, 2021 at 03:43:55PM +0100, Gerben Wierda wrote: > >>> Yes, at the cost of a dedicated transport whose master.cf entry contains >>> an override for smtp_generic_maps: >>> >>

Re: Reverse canonical for a certain receiver domain only?

2021-02-01 Thread Gerben Wierda
Gerben Wierda

Reverse canonical for a certain receiver domain only?

2021-01-28 Thread Gerben Wierda
...@externaldomain.net From/sender are rewritten to myal...@mydomain.net Is that possible? Gerben Wierda

Re: 4xx on rejected host. Why?

2020-11-21 Thread Gerben Wierda
> On 21 Nov 2020, at 15:53, Wietse Venema wrote: > > Gerben Wierda: >> I think I am using postfix defaults here. >> >> When a client is rejected because of a missing reverse hostname, I see: >> >> Nov 21 15:37:02 mail smtp/smtpd[2168]: NOQUEUE: reject:

4xx on rejected host. Why?

2020-11-21 Thread Gerben Wierda
I think I am using postfix defaults here. When a client is rejected because of a missing reverse hostname, I see: Nov 21 15:37:02 mail smtp/smtpd[2168]: NOQUEUE: reject: RCPT from unknown[46.221.40.2]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [46.221.40.2]; from= to=

Re: ISP open relay

2020-01-13 Thread Gerben Wierda
at mail.rna.nl”. Of course this went wrong as soon as authentication was started. Gerben Wierda

Re: postfix fails to start during macOS with fatal: message about port 25 in use

2020-01-11 Thread Gerben Wierda
> On 10 Jan 2020, at 19:01, Bill Cole > wrote: > > On 10 Jan 2020, at 12:28, Gerben Wierda wrote: > >> postfix is started during boot on my macOS system. This fails with: >> >> Jan 10 18:00:08 mail postfix/master[488]: fatal: bind 0.0.0.0 port 25: >>

Re: postfix fails to start during macOS with fatal: message about port 25 in use

2020-01-10 Thread Gerben Wierda
> On 10 Jan 2020, at 19:01, Bill Cole > wrote: > > On 10 Jan 2020, at 12:28, Gerben Wierda wrote: > >> postfix is started during boot on my macOS system. This fails with: >> >> Jan 10 18:00:08 mail postfix/master[488]: fatal: bind 0.0.0.0 port 25: >>

postfix fails to start during macOS with fatal: message about port 25 in use

2020-01-10 Thread Gerben Wierda
postfix is started during boot on my macOS system. This fails with: Jan 10 18:00:08 mail postfix/master[488]: fatal: bind 0.0.0.0 port 25: Address already in use Jan 10 18:00:10 mail /postfix-script[511]: fatal: mail system startup failed but when I shortly thereafter launch it it just starts

Re: How to get successful delivery reported in my log?

2019-12-30 Thread Gerben Wierda
> On 31 Dec 2019, at 01:57, Wietse Venema wrote: > > I remember that you reported a bug where a program can't talk to > postlogd if it opens the postlog socket after dropping privileges. > > I posted a patch for that, but I never heard back if that worked, > and therefore that patch is not

Re: What are these types trying to do?

2019-12-30 Thread Gerben Wierda
> On 31 Dec 2019, at 00:24, Wietse Venema wrote: > >> These bots are very stupid and very persistent. My maillog file for >> today has 3500 of these, and that is with 6 more hours to go. > 9500 in 13 hours here. With the new settings (ENFORCE) smtpd is spared but I still have this junk in my

How to get successful delivery reported in my log?

2019-12-30 Thread Gerben Wierda
that it was successfully handed to another smtp-server. I’ve tried adding -v to the smtpd commands in master.cf but that doesn’t really help. I can’t use syslog on my system so I’m using postlog. Gerben Wierda

Re: What are these types trying to do?

2019-12-30 Thread Gerben Wierda
> On 31 Dec 2019, at 00:11, Allen Coates wrote: > > > > On 30/12/2019 22:32, Gerben Wierda wrote: >> Now that I finally have a postfix back with actual logging, I noticed this in >> my log: >> >> Dec 30 23:26:09 mail postfix/postscreen[16020]

Re: What are these types trying to do?

2019-12-30 Thread Gerben Wierda
> On 30 Dec 2019, at 23:46, Viktor Dukhovni wrote: > > On Mon, Dec 30, 2019 at 11:32:11PM +0100, Gerben Wierda wrote: > >> Now that I finally have a postfix back with actual logging, I noticed this in >> my log: >> >

What are these types trying to do?

2019-12-30 Thread Gerben Wierda
Now that I finally have a postfix back with actual logging, I noticed this in my log: Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from [182.99.42.88]:49546 to [192.168.2.66]:25 Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after 0.26 from [182.99.42.88]:49546: EHLO

Re: Aliases/.forward/virtual_users confusion

2019-12-20 Thread Gerben Wierda
> On 20 Dec 2019, at 22:06, Matus UHLAR - fantomas wrote: > > On 20.12.19 17:25, Gerben Wierda wrote: >> I am trying to understand how my aliases/virtual_users/etc interact. >> >> postfix setup has virtual domains and virtual users, but all users (also >

Aliases/.forward/virtual_users confusion

2019-12-20 Thread Gerben Wierda
made things overly complex. Am I correct? And what is preferred? An /etc/aliases file that is in use (next to the one I am using) or a ~root/.forward file? Gerben Wierda

Re: Only logging from a connection when an unrelated error is forced in main.cf

2019-10-07 Thread Gerben Wierda
> On 7 Oct 2019, at 15:50, Wietse Venema wrote: > > Wietse Venema: >> Gerben Wierda: >>>> If it is chroot related, try turning off smtpd chroot in master.cf, >>>> and do "postfix reload". >>> >>> Indeed, it is. If I turn chr

Re: Only logging from a connection when an unrelated error is forced in main.cf

2019-10-06 Thread Gerben Wierda
And I forgot to mention, now that it isn’t running chroot-ed, the DNS reverse lookups suddenly also work. Apparently, running chrooted is somewhat more difficult than imagined. > Oct 07 01:26:20 mail postfix/master[18890]: daemon started -- version 3.4.6, > configuration /opt/local/etc/postfix

Is this a good smtpd restrictions set?

2019-10-06 Thread Gerben Wierda
, permit_mynetworks, permit_sasl_authenticated, reject_multi_recipient_bounce Gerben Wierda

Re: Only logging from a connection when an unrelated error is forced in main.cf

2019-10-06 Thread Gerben Wierda
> On 7 Oct 2019, at 01:10, Wietse Venema wrote: > > Gerben Wierda: >> For some reason, I don’t get smtpd logging at all. E.g. when sending a mail >> from Apple Mail.app MUA, this is all I see: >> >> Oct 06 22:42:21 mail postfix/cleanup[1020]: AE6C5504A6F:

Only logging from a connection when an unrelated error is forced in main.cf

2019-10-06 Thread Gerben Wierda
in my maillog (including debug_peer) when I introduce an unrelated error in main.cf? I’d like to see logging for each mail delivery. Gerben Wierda

Re: Understanding master.cf

2019-10-06 Thread Gerben Wierda
> On 5 Oct 2019, at 18:43, Viktor Dukhovni wrote: Thank you. That helped (more to point out I had made a stupid mistake). > On Sat, Oct 05, 2019 at 11:51:24AM +0200, Gerben Wierda wrote: > >> [...], my log says: >> >> Oct 05 11:35:21 mail postfix/smtpd[2218]

Understanding master.cf

2019-10-05 Thread Gerben Wierda
t to smtpd? (Note, syslog is completely broken on macOS, so I depend on logging to mail log files). I’m running postfix 3.4.6. Gerben Wierda

Is it possible to run postfix in a container (e.g. docker, red-hot)?

2019-08-07 Thread Gerben Wierda
to facilitate more easy migration in the future. Hence the question. Gerben Wierda

Blocking mail from clients who

2017-10-15 Thread Gerben Wierda
for that domain. But an outside, non SASL-authenticated client that says it wants to deliver mail From my domain is illegal. Apparently, that one still gets through (though is generally blocked by greylisting). Anyway, is there a way to block that without blocking legitimate mail? Gerben Wierda

Re: What does this log message mean?

2017-03-23 Thread Gerben Wierda
arting. /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd at Dumbledore.local amavisd-new-2.11.0 (20160426), Unicode aware which suggests to me that the warm restart of amavisd fixes the BerkeleyDB issue. This is getting off topic for postfix, I’ll move elsewhere. G > On 23 Mar 2017,

Re: What does this log message mean?

2017-03-23 Thread Gerben Wierda
> On 23 Mar 2017, at 21:59, Noel Jones wrote: > > >> >> maybe up the loglevel, or use tcpdump to capture some packets and >> see if the postfix logs are correct. >> > > Increasing the postfix log level is unlikely to give any further > useful information -- the other

Re: What does this log message mean?

2017-03-23 Thread Gerben Wierda
p later? G > > -ALF > > -Angelo Fazzina > Operating Systems Programmer / Analyst > University of Connecticut, UITS, SSG, Server Systems > 860-486-9075 > > From: owner-postfix-us...@postfix.org > [mailto:owner-postfix-us...@postfix.org] On Behalf Of Gerben Wierda

What does this log message mean?

2017-03-23 Thread Gerben Wierda
I’m using the postfix that is part of macOS Sierra with Server 5.2. Apple has kind of damaged the logging system, so getting logs from smtpd/smtp has become a lot more difficult. I’ve now found a way to get the logs. While investigating something else, I’ve noticed entries like these in the

Small question: how do I see in the log on which port the connection is made?

2017-01-03 Thread Gerben Wierda
If I am open on 25 and 587, how can I see in the log on which port a connection has been established? G

Rate-limiting access to postfix on the firewall, what are decent numbers (depending on overall traffic)?

2017-01-03 Thread Gerben Wierda
My postfix MTA has been under a lot of DOS-like attention. Such as a botnet sending many EHLO-requests, then password attempts: First a lot of: 2017-01-03 10:09:54.964765+0100 0x6254a9 Info0x0 12992 smtpd: connect from unknown[95.183.220.2] 2017-01-03

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

2016-11-23 Thread Gerben Wierda
up before ssl_authenticated to protect my own users against errors. G > > W dniu 2016-11-22 o 12:38, Mariusz Piasecki pisze: >> You should check master.cf, maybe you have some commands below services >> which overrides main.cf. >> >> >> W dniu 2016-11-

In the real world: how many legitimate mail is blocked under these client and/or help restrictions?

2016-11-22 Thread Gerben Wierda
I was wondering, how many legitimate email (i.e. poorly configured but legit MTA’s out there) would be blocked with either of these? unknown_client_reject_code = 550 # Hmm, should this be another value in the 5xx range? smtpd_recipient_restrictions = …,

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

2016-11-22 Thread Gerben Wierda
> On 22 Nov 2016, at 01:58, Wietse Venema <wie...@porcupine.org> wrote: > > Gerben Wierda: >> I did another test. I changed the recipient restrictions to: >> >> smtpd_recipient_restrictions = >> reject_unauth_pipelining, >> reject_non_fqdn

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

2016-11-21 Thread Gerben Wierda
non-fqdn (orig_to=), reject_non_fqdn_recipient, but delivered nonetheless. G > On 21 Nov 2016, at 21:17, Wietse Venema <wie...@porcupine.org> wrote: > > Gerben Wierda: >> >>> On 21 Nov 2016, at 17:33, Wietse Venema <wie...@porcupine.org> wrote: >>> >>> Gerben Wierd

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

2016-11-21 Thread Gerben Wierda
Wietse, sorry, please bear with me here, but this is not easy to understand (given the complexity of all the settings). And I’m afraid to damage my mail in the sense that I start refusing legitimate mail. > On 21 Nov 2016, at 21:17, Wietse Venema <wie...@porcupine.org> wrote: > >

Re: Question about reject_unverified_recipient in smtpd_recipient_restrictions

2016-11-21 Thread Gerben Wierda
> On 21 Nov 2016, at 17:33, Wietse Venema <wie...@porcupine.org> wrote: > > Gerben Wierda: >> smtpd_recipient_restrictions = >> permit_sasl_authenticated >> permit_mynetworks >> reject_unauth_destination >> reject_unknown_recipie

Question about reject_unverified_recipient in smtpd_recipient_restrictions

2016-11-21 Thread Gerben Wierda
Hello, In my setup, I’m using the greylisting policy. Now, a spammer tries to send mail to a nonexistent address. But he still gets the greylisting temp failure sent: Nov 21 16:35:42 vanroodewierda.rna.nl postfix/smtpd[21832]: connect from unknown[186.1.16.66] Nov 21 16:35:43 vanroodewierda

Creating exceptions to greylisting

2013-02-02 Thread Gerben Wierda
I have set up my smtpd restrictions as follows: smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_sender_access hash:/etc/postfix/whitelist reject_rbl_client zen.spamhaus.org permit smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks

Re: Creating exceptions to greylisting

2013-02-02 Thread Gerben Wierda
messagelabs, e.g. apg.nl or apg-am.nl. So not so much the client but the from, e.g. @apg.nl permit how do I do that? G On 2 Feb 2013, at 17:48, Wietse Venema wrote: Gerben Wierda: smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination

Re: Creating exceptions to greylisting

2013-02-02 Thread Gerben Wierda
Actually, I'm still on /usr/libexec/postfix/greylist.pl as I am using Mac OS X Server 10.6.8 and I haven't dared to upgrade to a higher version of OS X Server as they were busy crippling it in many respects. G On 2 Feb 2013, at 18:51, John Allen wrote: On 02/02/2013 11:25 AM, Gerben

Re: Creating exceptions to greylisting

2013-02-02 Thread Gerben Wierda
experienced people: is this OK? Does macports overwrite what Apple has provided or does it have its own separate tree (like fink used to have, which means you get another job that is: keeping the second tree up to date)? G On 2 Feb 2013, at 20:36, James Griffin wrote: -- Gerben Wierda