How can I in Postfix add a header with the original client IP (like
“X-Original-IP”), such that it cannot be forged, e.g. any incoming mail will have
such headers stripped out, before Postfix adds its own.
The intention of this header is to use it at a later processing step for
separating
Venema
Sent: Tuesday, March 24, 2015 12:33 AM
To: Postfix users
Subject: Re: Add header with original IP?
Sebastian Nielsen:
Can it be done without a policy service or milter? E.g. with some header
checks? Or maybe a configuration option?
If it is not possible to use the address in Postfix's own
-
From: Viktor Dukhovni
Sent: Monday, March 09, 2015 7:34 AM
To: postfix-users@postfix.org
Subject: Re: Reversing order when mail is local (not relayed)?
On Mon, Mar 09, 2015 at 07:16:59AM +0100, Sebastian Nielsen wrote:
I understand. What I do with the SPF signature checker
I would instead suggest setting the relay access to:
check_sender_access hash:/etc/postfix/relay_auth, reject_unauth_destination
where /etc/postfix/relay_auth is:
YOUR_DOMAIN permit_mynetworks, reject
[EXTERNAL_IP_OF_SMTP_SERVER] permit_mynetworks, reject
This protects against most malicious
on openSUSE 13.2
causes mail to local domain to be rejected
On Mon, Mar 09, 2015 at 05:56:20PM +0100, Sebastian Nielsen wrote:
I would instead suggest setting the relay access to:
check_sender_access hash:/etc/postfix/relay_auth,
reject_unauth_destination
where /etc/postfix/relay_auth
: smtpd_relay_restrictions in Postfix 2.11.3 on openSUSE 13.2
causes mail to local domain to be rejected
On Mon, Mar 09, 2015 at 06:53:21PM +0100, Sebastian Nielsen wrote:
I have noticed some automated open relay testing services do fail a
domain
if it rejects a relay too early (e.g. in MAIL FROM
, 2015 6:58 AM
To: postfix-users@postfix.org
Subject: Re: Reversing order when mail is local (not relayed)?
On Mon, Mar 09, 2015 at 05:27:21AM +0100, Sebastian Nielsen wrote:
Did split up the OpenDKIM process into 2 instances, one running as
verifier,
placed before any content modification, and one
at 12:43:14AM +0100, Sebastian Nielsen wrote:
How can this be accomplished?
Don't mix the relay and inbound services in the same Postfix.
Setup one Postfix to receive inbound mail from outside.
Setup another Postfix to handle outbound mail from inside.
For extra brownie points, arrange
Currently my master.cf looks like this:
192.168.1.10:25 inet n - - - - smtpd -o
myhostname=dns1.sebbe.eu -o smtpd_tls_cert_file=/etc/postfix/dns1.crt -o
content_filter=smtp-downconvert:127.0.0.1:10025
192.168.1.10:26 inet n - - -
I'm validating with Windows Live Mail and Microsoft Office.
Chances are small that 2 of Microsoft's validation tools are defective.
However, it seems that the problem was solved when I switched to djignz (a
central S/MIME open source solution for signing, decrypting, verification
and encryption.
Done. Here is a mail right before signing, and then a mail right after
signing.
The mail is signed without the -b parameter and it fails validation.
test.eml is just before it's sent into signing-milter, and test2.eml is right
after. Both were extracted out of the queue.
-Ursprungligt
, March 04, 2015 9:42 PM
To: Postfix users
Subject: Re: Have tested lots of solutions now with signing-milter. What is
the problem?
Sebastian Nielsen:
It's not DKIM that fails. It's S/MIME.
Does not matter (S/Mime signs body parts so there are no header issues).
But how can I retain a copy
Have tested lots of solutions to signing-milter to get rid of the -b parameter.
But still it fails validation.
I now run all mails through a null filter which does silent-discard on 8bitmime
so it downconverts the mail to 7bit before passing it through signing-milter.
I tried to run the
It's not DKIM that fails. It's S/MIME.
But how can I retain a copy of message before milter? Could then remove the
hashcash milter and DKIM milter (since those do not change that -b does
succeed validation and no -b does fail validation) and send a test mail.
-Ursprungligt
, so I need some advice here. Also I can’t fix it at the source, since
I cannot change how Windows Live Mail encodes mails.
Best regards, Sebastian Nielsen
---BeginMessage---
tsting
smime.p7s
Description: S/MIME cryptographic signature
---End Message---
mimeparser.pl
Description: Binary data
: Wietse Venema
Sent: Sunday, March 01, 2015 8:12 PM
To: Postfix users
Subject: Re: Milter: Is it possible to completely replace headers?
Sebastian Nielsen:
How can I completely replace the headers in a milter? The replaced
header data contains both added and changed headers.
As of the last
How can I completely replace the headers in a milter? The replaced header data
contains both added and changed headers.
Here is the code I'm working with:
sub eom_callback {
$ctx = shift;
$senderunsafe = $ctx->getsymval('{mail_addr}');
($suser, $sdomain) = split(\@,
Have anyone tried signing-milter along with Windows Live Mail? (with no MTA
between WLM and the MTA doing the signing milter) Yes I downloaded the milter
from the new page.
I cannot do anything to WLM seemingly generating garbage since I don't have
any reverse engineering skills and I don't
in question does NOT allow relaying, but keeps this “NOT relaying”
policy a secret. Note that you need patience because servers might batch-run
email nightly. But if nothing in 48 hours, you can be sure it's not an open
relay.
Best regards, Sebastian Nielsen
From: Roger Walters
Sent: Friday
why I like when people put Email signing, Email verification and such
duties at the MTA level, so the MUA does not need to care or support
whatever its about.
Best regards, Sebastian Nielsen
-Original message-
From: Wietse Venema
Sent: Wednesday, February 25, 2015 2:40 PM
in
some way?
The only milter after is OpenDKIM, but I have also tested with the OpenDKIM
milter removed (so the signing-milter comes last in chain), but still same
validation error (Message is tampered) comes up in both outlook and windows
live mail when no “-b” flag is used.
Best regards, Sebastian
meddelande-
From: Wietse Venema
Sent: Tuesday, February 17, 2015 11:39 PM
To: Postfix users
Subject: Re: How I do to add headers by command?
Sebastian Nielsen:
I have a postfix server.
On the server, on mail put in outgoing queue (to be relayed), I
want to run the following command: /usr/bin
Sent: Wednesday, February 18, 2015 1:29 AM
To: Postfix users
Subject: Re: How I do to add headers by command?
Sebastian Nielsen:
On the server, on mail put in outgoing queue (to be relayed), I
want to run the following command: /usr/bin/hashcash -mXb 26
[recipient01] [recipient02] .. [recipientNN
I have a postfix server.
On the server, on mail put in outgoing queue (to be relayed), I want to run the
following command:
/usr/bin/hashcash -mXb 26 [recipient01] [recipient02] .. [recipientNN]
The output of the command (STDOUT) should be put somewhere in the MIME headers.
My first idea would
, Wietse Venema wrote:
Sebastian Nielsen:
I want to reject senders, that are relaying, using a domain not
on an approved list. E.g. all sender domains that aren't @sebbe.eu
but are relaying, should be rejected.
Postfix restrictions are not a Turing-complete access control
language. For complex
Dukhovni
Sent: Wednesday, May 07, 2014 8:10 PM
To: postfix-users@postfix.org
Subject: Re: Configure postfix to reject forged mail?
On Wed, May 07, 2014 at 07:58:26PM +0200, Sebastian Nielsen wrote:
Works EXCELLENTLY. Did fine-tune it a little bit, but then it works
excellently now.
The fine
mail?
On Wed, May 07, 2014 at 08:33:18PM +0200, Sebastian Nielsen wrote:
I know. check_sender_access does always check MAIL_FROM, regardless of
in
which access context they are in. (else it would be check_recipient_access
or check_client_access)
When using check_sender_access use a separate
, May 07, 2014 8:51 PM
To: postfix-users@postfix.org
Subject: Re: Configure postfix to reject forged mail?
On Wed, May 07, 2014 at 08:33:18PM +0200, Sebastian Nielsen wrote:
I know. check_sender_access does always check MAIL_FROM, regardless of
in
which access context they are in. (else it would
)
-Original message-
From: Viktor Dukhovni
Sent: Wednesday, May 07, 2014 9:15 PM
To: postfix-users@postfix.org
Subject: Re: Configure postfix to reject forged mail?
On Wed, May 07, 2014 at 09:04:37PM +0200, Sebastian Nielsen wrote:
About the forgetting of the purpose of the access file:
Did
I tried with the following:
smtpd_relay_restrictions = reject_unlisted_sender, permit_mynetworks,
reject_unauth_destination
But didn't work, mail from “unlisted” domains are accepted through. My domain is
sebbe.eu
The result I'm after is the following:
MAIL FROM: t...@test.com
RCPT TO: