Re: Outlook TLS errors after Microsoft Windows Update

2022-10-17 Thread Nick Tait
La da da da... Original message From: Phil Stracchino Date: 18/10/22 9:51 AM (GMT+12:00) To: postfix-users@postfix.org Subject: Re: Outlook TLS errors after Microsoft Windows Update On 10/17/22 16:08, Jaroslaw Rafa wrote:> Dnia 17.10.2022 o godz. 20:35:11 Gerald Galster pisze

Re: submission configuration and RFC 6409

2022-10-12 Thread Nick Tait
On 13/10/2022 8:04 am, Geert Hendrickx wrote: The HISTORY file says it is: 20041014-23 Postfix still appends $@myorigin or .$mydomain to headers from the Postfix sendmail command, or from clients listed with the new local_header_rewrite_clients parameter (default:

submission configuration and RFC 6409

2022-10-12 Thread Nick Tait
Hi list. A couple of months ago an email I sent from my phone was bounced by the recipient's SMTP server because the email had no Message-ID header. It turns out the email app that I've been using on my phone for years doesn't generate a Message-ID, but this was the first time that this had b

Re: no shared cipher revisited

2022-10-04 Thread Nick Tait
On 2/10/2022 10:51 pm, Matus UHLAR - fantomas wrote: yes, Let's Encrypt clients generate 4096 keys by default, which is silly because intermediate R3 certificate is only 2048-bit. I configure let's encrypt clients to create 2048 keys. AFAICT Certbot still uses 2048-bit keys by default. Nick

Re: Catch-all that pipes to script

2022-06-24 Thread Nick Tait
On 25/06/22 11:17, Luc GMail wrote: echo 'mailbot unix - n n - 50 pipe' >> master.cf echo 'flags=R user=dropbox argv=/etc/postfix/script.sh -o SENDER=${sender} -m USER=${user} EXTENSION=${extension}' >> master.cf Hi Luc. I think you need some whitespace

Re: smtpd_recipient_restrictions usage question.

2022-06-24 Thread Nick Tait
On 25/06/22 10:50, Gary Smith wrote: Would it be better to add IPs to an access hash list and use check_recipient_a_access so we can use update it when we need to on the fly?  If so can I add subnets (10.20.30.0/24) or just single IPs?  I’m usinghttps://www.postfix.org/postconf.5.html#smtpd_re

Re: Mail looping issue

2022-05-21 Thread Nick Tait
On 22/05/22 17:42, Jeremy Hansen wrote: So what am I breaking by not having localhost defined in mynetworks.  I tested typical mail and it still delivers…. Hmm. Hi Jeremy. Removing localhost from mynetworks means that if any local process sent emails through this MTA using SMTP to 127.x.x.x,

Re: Mail looping issue

2022-05-21 Thread Nick Tait
On 21/05/22 19:09, Jeremy Hansen wrote: Two MTAs, one is running Ciphermail.  The ciphermail host relays mail to the “permanent home” MTA where mail gets delivered to users and dovecot runs for retrieval of mail.  The hosts are internal only hosts.  SSH port forwarding is being used to basicall

Re: milter_header_checks, pcre, chroot

2022-03-22 Thread Nick Tait
On 19/03/22 01:46, Jesper Dybdal wrote: However, opendmarc milter requires those Authentication-Results headers for SPF and DKIM to be already present.  so you need spf/dkim milter(s) before opendmarc. I use Amavis to generate and verify DKIM signatures, and policyd-spf-python to perform SPF ch

Re: SASL hacking ?

2022-02-22 Thread Nick Tait
On 20/02/22 05:35, Bill Cole wrote: We have listed all IPs. We can use a FW rule, but its heavy and hard to manage. A Postfix list may be easier. On Linux, using ipsets instead of putting IPs directly in rules helps a lot with managing large lists. Fail2ban can do its work via ipsets. An alt

Re: Adding a header on incoming mail, unintended consequences?

2022-02-13 Thread Nick Tait
On 14/02/22 15:27, John Levine wrote: It appears that joea- lists said: So, back to my pondering. If I were, via some means, to add "Reply-To: The-right-list" this should solve the problem described above. However my "email foo (as distinct from "email fu" stops well short of knowing what t

Re: Advanced content filter with Unix sockets

2022-02-05 Thread Nick Tait
On 31/01/22 07:36, Wietse Venema wrote: Viktor Dukhovni: So I was wondering whether the directory currently named "public" should remain (permission-wise) protected, with the new (permission-wise) unprotected directly named something else? It could become mode 755, with dedicated per-app subdir

Re: Getting Delivered-To when using LDAP?

2021-11-14 Thread Nick Tait
On 12/11/21 00:46, Wietse Venema wrote: Jorgen Lundman: I suppose there is probably nothing I can do about it? http://www.postfix.org/postconf.5.html#prepend_delivered_header currenly immplements (and detects loops) with delivery to "|command", /file/name, or !$HOME/.forward. Doing this also

Re: Conditional milter_header_checks?

2021-07-15 Thread Nick Tait
On 15/07/21 1:07 am, Bill Cole wrote: If you want to post to discussion mailing lists, you should either use a From address in a domain without any DMARC record or publish one with a p=none policy and sign your messages with DKIM, even though they are likely to be broken by the mailing list.

Re: Looking for examples of separated MTA / MDA pairs

2021-06-10 Thread Nick Tait
On 10/06/21 1:11 am, Dan White wrote: I am trying to rebuild a very old and very neglected set of mail servers. The basic design has a mail relay (MTA) “out front” for incoming traffic (SMTP, I think) If the incoming message gets past amazes, spam assassin and clamp, it is then sent to another

Re: Want to configure domain localhost to support root

2021-04-29 Thread Nick Tait
On 27/04/21 3:38 am, Michael White wrote: So updating mailer.conf got rid of sendmail.  So now I need to move to the next step which is to understand what the resulting messages are telling me: Apr 26 11:22:57 white-home postfix/pickup[23008]: DE94263846: uid=1002 from= Apr 26 11:22:57 white-

Re: Milters and policy

2021-04-23 Thread Nick Tait
On 3/04/21 3:14 pm, Simon Wilson wrote: Pypolicyd-spf then tags what has driven the result for later use: E.g. Apr  3 11:19:23 emp87 policyd-spf[1336326]: prepend Authentication-Results: mail.simonandkate.net; spf=pass (mailfrom) Apr  2 12:32:51 emp87 policyd-spf[1255235]: prepend Authenticatio

Re: Certificate Postfix.org missing?

2021-04-21 Thread Nick Tait
On 22/04/2021 10:32 am, Gary Smith wrote: -Original Message- From: owner-postfix-us...@postfix.org On Behalf Of Viktor Dukhovni Sent: Wednesday, April 21, 2021 3:02 PM To: Postfix users Subject: Re: Certificate Postfix.org missing? On Apr 21, 2021, at 4:34 PM, Gary Smith wrote: Chr

Re: connect then disconnect; backscatter?

2021-04-18 Thread Nick Tait
On 18/04/21 7:32 pm, li...@lazygranch.com wrote: And so it goes. I suppose if this really bugs me I can block the server in firewalld. I've yet to see it actually deliver mail. Or complain to the data center. https://serveroffer.lt Firewalling is definitely the best solution to the problem you'

RE: Problem with starttls / orange.fr

2021-03-29 Thread Nick Tait
Original message  > smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2You have several issues in the line above. I suggest removing this line and using the default setting?Nick.

Re: Milter Behavior

2021-03-11 Thread Nick Tait
On 11/03/21 11:37 am, Dan Mahoney wrote: This fix has been merged to the opendmarc “Develop” branch as of a few minutes ago and will likely be in a 1.4.1 that comes out in the next few weeks, and will default to *not* quaranting the mail. The option will be called HoldQuarantinedMessages (boo

Re: ways to process HOLD queue

2021-02-24 Thread Nick Tait
On 24/02/21 11:47 am, Joe Acquisto-j4 wrote: Added Virus scanning to a SOHO stetup. clamav-milter is directing (?) "infected" mail to postfix HOLD queue. Perhaps rather than having clamav-milter put the message on hold, it might be possible to have clamav-milter simply flag the message (by

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/21 7:12 pm, Bill Cole wrote: Mail transport often involves MTAs not under the control of the original sender or ultimate recipient or the authorities for the sender's domain. Traditional forwarding (e.g. ~/.forward) still exists and many systems supporting it run Sendmail, which will m

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/21 6:57 pm, Bob Proulx wrote: Nick Tait wrote: Nick Tait wrote: Perhaps the advice should be: If you are using Sendmail, then (a) you shouldn't publish a DMARC policy and (b) you shouldn't reject emails based on failed DMARC check; but if you aren't using Sendmail then

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/2021 5:49 pm, Nick Tait wrote: Perhaps the advice should be: If you are using Sendmail, then (a) you shouldn't publish a DMARC policy and (b) you shouldn't reject emails based on failed DMARC check; but if you aren't using Sendmail then as long as you don't mind r

Re: client and ehlo hostname mismatch

2021-02-11 Thread Nick Tait
On 12/02/2021 8:50 am, Bill Cole wrote: On 11 Feb 2021, at 10:25, Benny Pedersen wrote: On 2021-02-11 15:12, Bill Cole wrote: On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote: Is it safe enough nowadays to drop dmarc failed incoming mail with opendmarc? No. It very likely never will be, p

Re: Cloud9.net related responses

2021-02-11 Thread Nick Tait
On 12/02/2021 7:09 am, Jos Chrispijn wrote: Hi team, can it be that responses in this mailinglist are also send by cloud9.net instead of only postfix.org? Just asking to prevent contermination by importing parallel newsgroup source. All mail that I receive from this mailing list is relayed to

Re: Catch a forged Return Path

2021-02-06 Thread Nick Tait
On 6/02/21 2:23 am, Matus UHLAR - fantomas wrote: while I support using postscreen, I'm not sure it would be able to catch backscatter, becsuse backscatter often comes from servers who properly follow SMTP RFCs. The question here is whether this is really backscatter, or just spam taking adva

Re: AW: Controlling MS Azure Cloud Spam

2020-12-29 Thread Nick Tait
On 30/12/2020 2:38 am, ludic...@gmail.com wrote: @Nick A check for a valid FQDN in From is in smtpd_sender_restrictions. At the point where it got to bounce message, SPF was skipped. Would OpenDMARC then still work? The smtpd_sender_restrictions that you specify are applied to the /envelope

Re: Controlling MS Azure Cloud Spam

2020-12-27 Thread Nick Tait
Hi Ludi. One option might be to add OpenDMARC to your implementation? The reason for mentioning this is because in addition to checking DMARC policies, OpenDMARC also has an option to reject any message that doesn't have the mandatory headers according to RFC 5322: /RequiredHeaders (Boolean)

Re: Can a more useful bounce message be provided - correction

2020-11-15 Thread Nick Tait
On 14/11/20 7:30 am, Phil Stracchino wrote: I think what the OP is asking here is, can Yahoo/Oath be compelled to provide a more useful failure message relaying the informative response provided by OP's Postfix instance. And the answer to that, unfortunately, is no. But by the look of things t

Re: Limiting HELO spoofing in Postfix?

2020-10-23 Thread Nick Tait
On 23/10/20 6:26 pm, Nick Tait wrote: In summary, you'd want to create a script in a language of your choice, which in the simplest case does this: 1. Reads in lines until a blank line. 2. Then sees if the lines that it read included the line "client_address=127.0.0.1"

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Nick Tait
On 23/10/20 2:26 pm, Bob Proulx wrote: The tragicomical thing is that Gmail does follow policy and when the policy of the sending site is strict DMARC and the mailing list does not rewrite then Gmail subscribers to mailing lists will get automatically unsubscribed when/if the bounce ratio exceeds

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Nick Tait
On 22/10/20 6:13 am, PGNet Dev wrote: Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records, (1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the specific intuit.com case above, that w

Re: Forward mail and obey SPF and DKIM

2020-10-22 Thread Nick Tait
On 18/10/20 7:10 am, IL Ka wrote: Thank you all. This is how I fixed it (after Bill Cole's email): I needed to substitute envelope (MAIL FROM:) to match my address, but the message (along with it's headers) shouldn't be touched. sender_canonical_classes = envelope_sender  # Only change envelop

Re: Limiting HELO spoofing in Postfix?

2020-10-22 Thread Nick Tait
On 22/10/20 7:24 am, Rich Wales wrote: I would still like to figure out a way, btw, to catch locally generated spam of this sort in Postfix. I've already asked here about rejecting HELO/EHLO when the client is localhost but the HELO/EHLO host is not localhost -- I still think this would make sen

Re: Accessing the sending user from a canonical(5) table

2020-10-22 Thread Nick Tait
On 18/10/20 11:54 am, Demi M. Obenour wrote: To elaborate, my understanding is that site.net should use MAIL FROM:, but leave the body unchanged. domain.com will then accept the message, as it is from an IP in site.net's SPF record, and DKIM ignores the envelope. Demi Don't forget that in do

Re: How to allow relaying per domain?

2020-09-26 Thread Nick Tait
Hi Hans. I'm not sure if there is an easier way, but one way to achieve this is with a restriction class per server. (BTW I don't know much about LDAP so the example below is based on files...) main.cf: indexed = ${default_database_type}:${config_directory}/ smtpd_restriction_

Re: Forward mail and obey SPF and DKIM

2020-09-16 Thread Nick Tait
> Thank you. > I see "SPF: SOFTFAIL" in my gmail message. > > Authentication results: > spf=softfail (google.com : domain of transitioning some_user@sender_domain does not designate MY_IP_ADDR as permitted sender) > > While the message is not blocked, it is still not good to

Re: Unable to receive emails from btinternet.com

2020-06-19 Thread Nick Tait
On 19/06/20 8:28 pm, @lbutlr wrote: On 19 Jun 2020, at 02:18, Nick Tait wrote: 1. My server was using the default MTU of 1500 bytes. 2. My connection to my ISP uses PPPoE, which adds an 8-byte header onto all packets travelling between my home to my ISP, effectively reducing the maximum

Re: Unable to receive emails from btinternet.com

2020-06-19 Thread Nick Tait
Hi David. I think I can guess what your problem is, because I had exactly the same symptom with a different bulk email provider... Basically this sounds like an MTU issue: The SMTP client (mailomta12-sa.btinternet.com[213.120.69.18] in your case) is able to establish the TCP connection to yo