Saturday morning I put my new postfix mail server into operation,
replacing a years-old previous incarnation (about 15 user domains). The
new one, which has been under test for a long time, seemed to work with
no problems.

Monday morning I had two user complaints - could not send mail from
Thunderbird. Panic! Then a pause for thought and analysis. The problem?
For some reason BOTH Thunderbirds had been set up to send authenticated
via port 25. The old server, unknown to me, was ok with that. I advised
them to change to port 587 and they were up and running again. Case
solved...

Sort of. I now have a problem where (it seems) ALL authenticated mail is
not being dkim signed and spamassassin is complaining that the only
Received: from header is the sender's dynamic sending address. When
testing, this did not show up because my own sending IP is static with a
fqdn and rdns. SPF and DMARC on the receiving mail server, after passing
through mine, show valid/pass, just no dkim.

I have cross-checked the new setup against the old one and cannot
discover the problem. Could someone here help, please?

postconf -n...
======================
2bounce_notice_recipient = boun...@ssph.org.uk
address_verify_map = proxy:btree:/var/lib/postfix/verify_cache
address_verify_sender_ttl = 237m
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_notice_recipient = ad...@ssph.org.uk
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
compatibility_level = 3.6
confirm_delay_cleared = no
delay_notice_recipient = ad...@ssph.org.uk
delay_warning_time = 2h
disable_vrfy_command = yes
error_notice_recipient = serv...@ssph.org.uk
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
DISPLAY LANG=C RESOLV_MULTI=on
inet_interfaces = all
inet_protocols = ipv4
internal_mail_filter_classes = bounce
mailbox_size_limit = 0
maximal_queue_lifetime = 5d
message_size_limit = 40960000
milter_connect_macros = j {daemon_name} {daemon_addr} v _
milter_default_action = accept
milter_mail_macros = i b
milter_protocol = 6
milter_rcpt_macros = i b
mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre
mua_milters = unix:/var/run/opendkim/opendkim.sock,
unix:/var/run/clamav/clamav-milter.ctl
mydestination = $myhostname, localhost
mydomain = bristolweb.net
myhostname = mail.bristolweb.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 46.33.129.43
185.35.151.92 185.35.151.93 185.35.151.97 185.35.151.100 185.35.151.102
185.35.148.202
mynetworks_style = host
myorigin = $myhostname
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock
notify_classes = software, delay, bounce, 2bounce, resource, protocol, data
policy-spf_time_limit = 3600s
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-relay-domains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql_relay_recipients.cf
relayhost =
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks.pcre
smtp_host_lookup = dns
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated
reject_unknown_client_hostname reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_hard_error_limit = 6
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
check_helo_access pcre:/etc/postfix/white_bypass.pcre check_helo_access
cidr:/etc/postfix/ip_check_whitelist reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
check_helo_access cidr:/etc/postfix/ip_check_blacklist check_helo_access
pcre:/etc/postfix/helo_checks.pcre reject_unauth_pipelining permit
smtpd_milters = unix:/var/run/opendkim/opendkim.sock,
unix:/var/run/opendmarc/opendmarc.sock,
unix:/var/run/spamass/spamass.sock, unix:/var/run/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = permit_mynetworks
permit_sasl_authenticated reject_unauth_destination
reject_non_fqdn_hostname reject_non_fqdn_recipient
reject_unknown_recipient_domain reject_invalid_hostname
reject_unauth_pipelining reject_unverified_recipient
reject_unlisted_recipient check_recipient_access
pcre:/etc/postfix/recipient_checks.pcre check_policy_service
unix:private/policy-spf reject_rbl_client
zen.spamhaus.org=127.0.0.[2..11] reject_rhsbl_sender
dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_helo
dbl.spamhaus.org=127.0.1.[2..99] reject_rhsbl_reverse_client
dbl.spamhaus.org=127.0.1.[2..99] warn_if_reject reject_rbl_client
zen.spamhaus.org=127.255.255.[1..255] permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous nodictionary
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks permit_sasl_authenticated
reject_unauth_pipelining check_sender_mx_access
cidr:/etc/postfix/sender_mx_access check_sender_access
pcre:/etc/postfix/sender_whitelist.pcre reject_non_fqdn_sender
reject_unknown_sender_domain reject_unlisted_sender check_sender_access
pcre:/etc/postfix/sender_checks.pcre
smtpd_soft_error_limit = 4
smtpd_tls_chain_files =
/etc/letsencrypt/live/mail.bristolweb.net/privkey.pem
/etc/letsencrypt/live/mail.bristolweb.net/fullchain.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
strict_rfc821_envelopes = yes
transport_maps = mysql:/etc/postfix/mysql_transport.cf
unknown_address_reject_code = 553
unknown_client_reject_code = 571
unknown_hostname_reject_code = 571
unverified_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains =
mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
======================
postconf -M
======================
smtp inet n - n - - smtpd
submission inet n - n - - smtpd -o
syslog_name=postfix/submission -o smtpd_tls_wrappermode=no -o
smtpd_tls_security_level=encrypt -o smtpd_tls_auth_only=yes -o
smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o
smtpd_sasl_path=private/auth -o
receive_override_options=no_header_body_checks -o
smtpd_milters=$mua_milters -o tls_ssl_options=NO_RENEGOTIATION
pickup fifo n - n 60 1 pickup -o
content_filter= -o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o
syslog_name=postfix/$service_name
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe flags=DRhu
user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe flags=Fqhu
user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe flags=F
user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe flags=Fq.
user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe flags=R
user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop}
${user} ${extension}
mailman unix - n n - - pipe flags=FR
user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
policy-spf unix - n n - 0 spawn
user=nobody argv=/usr/bin/policyd-spf
clamsmtp unix - - n - 16 smtp -o
smtp_send_xforward_command=yes -o smtp_generic_maps= -o
disable_dns_lookups=yes -o smtp_enforce_tls=no
======================
A typical email routed internally as bcc to sender of a Sent email, is...
======================
X-Envelope-From: <(sender)@(senderdomain)>
X-Envelope-To: <(recipient)@(recipdomain)>
Received: from [192.168.1.210] (host-92-23-39-40.as13285.net [92.23.39.40])
by mail.bristolweb.net (Postfix 3.7.6/8.13.0) with SMTP id unknown
Tue, 19 Dec 2023 08:34:00 +0000
(envelope-from <(sender)@(senderdomain)>);
X-Envelope-To: <(sender)@(senderdomain)>
Authentication-Results: mail.bristolweb.net; dmarc=fail (p=reject
dis=none) header.from=(senderdomain)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.bristolweb.net D804C3F77D
Content-Type: multipart/alternative;
boundary="------------hz8jAM90skIlDhYbU5J03r9l"
Message-ID: <ec20330a-fc72-4c39-99de-0cf542eaed5b@(senderdomain)>
Date: Tue, 19 Dec 2023 08:33:59 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Reply-To: (sender)@(senderdomain)
Content-Language: en-GB
To: "(recipient)" <(recipient)@(recipdomain)>
From: (sender) <(sender)@(senderdomain)>
Subject: Greetings!
======================
Full email sent to protonmail (excluding protonmail's headers)
======================
Return-Path: <(sender)@(senderdomain)>
X-Original-To: (me)@protonmail.com
Delivered-To: (me)@protonmail.com
Received: from mail.bristolweb.net (mail2.bristolweb.net
[185.35.148.156]) (using TLSv1.3
with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits)
server-digest SHA256) (No
client certificate requested) by mailin012.protonmail.ch (Postfix)
with ESMTPS id
4Sv2P63nbJz9vss2 for <(me)@protonmail.com>; Mon, 18 Dec 2023 14:33:14
+0000 (UTC)
Received: from [192.168.1.150] (host-92-23-39-40.as13285.net
[92.23.39.40]) by
mail.bristolweb.net (Postfix) with ESMTPA id 765783F64D; Mon, 18 Dec
2023 14:33:05 +0000
(GMT)
Authentication-Results: mail.protonmail.ch; dmarc=pass (p=reject dis=none)
header.from=(senderdomain)
Authentication-Results: mail.protonmail.ch; spf=pass
smtp.mailfrom=@(senderdomain)
Authentication-Results: mail.protonmail.ch; arc=none
smtp.remote-ip=185.35.148.156
Authentication-Results: mail.protonmail.ch; dkim=none
Authentication-Results: mail.bristolweb.net; dmarc=fail (p=reject dis=none)
header.from=(senderdomain)
Dkim-Filter: OpenDKIM Filter v2.11.0 mail.bristolweb.net 765783F64D
Content-Type: text/plain
Message-Id: <7db185a4-928c-4d78-bc1a-b68f5d666bdf@(senderdomain)>
Date: Mon, 18 Dec 2023 14:33:02 +0000
Mime-Version: 1.0
User-Agent: Mozilla Thunderbird
To: (me)@protonmail.com
Reply-To: (sender)@(senderdomain)
Content-Language: en-GB
From: (sender) <(sender)@(senderdomain)>
Subject: *[SPAM]* (14.4) Here's the mail you asked for
X-Spam-Flag: YES
X-Spam-Status: Yes, score=14.4 required=5.0
tests=DKIM_ADSP_ALL,DMARC_REJECT,
HELO_MISC_IP,HTML_MESSAGE,KHOP_HELO_FCRDNS,NO_FM_NAME_IP_HOSTN,
PFSA_DKIM_NONE,PFSA_DMARC_FAIL,PFSA_NO_SPF_DKIM_DMARC,
PFSA_RECEIVED_DYNAMIC_LOCAL,PFSA_SPF_NOTEXIST,RCVD_IN_PBL,RDNS_DYNAMIC,
SPF_FAIL,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=disabled
version=4.0.0
X-Spam-Report: *
3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL *
[92.23.39.40 listed in zen.spamhaus.org] *
1.0 DKIM_ADSP_ALL No valid author signature, domain signs all mail *
2.5 SPF_FAIL SPF: sender does not match SPF record (fail) *
[SPF failed: Rejected by SPF record] * -4.0
PFSA_RECEIVED_DYNAMIC_LOCAL
Dynamic-type Received but really a local *
IP *
1.5 PFSA_DMARC_FAIL Failed DMARC *
0.5 HTML_MESSAGE BODY: HTML included in message *
3.5 RDNS_DYNAMIC Delivered to internal network by host with *
dynamic-looking rDNS * -0.0 T_SCC_BODY_TEXT_LINE No description
available. *
0.2 HELO_MISC_IP Looking for more Dynamic IP Relays *
1.8 DMARC_REJECT DMARC reject policy *
0.3 KHOP_HELO_FCRDNS Relay HELO differs from its IP's reverse DNS *
0.5 PFSA_DKIM_NONE No (ARC-)DKIM and no bypass *
1.0 PFSA_SPF_NOTEXIST (ARC-)SPF does not exist and no bypass *
2.0 PFSA_NO_SPF_DKIM_DMARC No (ARC-)authentication and not bypass *
0.0 NO_FM_NAME_IP_HOSTN No From name + hostname using IP address
X-Spam-Level: **************
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on
bristolmail.bristolmail.bristolweb.net
X-Virus-Scanned: clamav-milter 1.0.3 at bristolmail
X-Virus-Status: Clean
======================
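
Added example (not part of the original post): a small Python check that reads a message's headers and reports whether the hop received by the local server was authenticated, whether a DKIM-Signature is present, and which of the two milter lists from the postconf output the header fingerprints match. The fingerprints are heuristics based on the headers quoted above, and the sample message is constructed with placeholder addresses.

```python
import re
from email import message_from_string

# Milter lists as given in the postconf -n output in the post.
CHAINS = {
    "mua_milters": {"opendkim", "clamav"},
    "smtpd_milters": {"opendkim", "opendmarc", "spamassassin", "clamav"},
}
# Heuristic fingerprints: a header each milter is seen to add in the post.
FINGERPRINTS = {"opendkim": "DKIM-Filter", "clamav": "X-Virus-Scanned",
                "spamassassin": "X-Spam-Checker-Version"}

# Constructed sample modelled on the quoted headers; addresses are placeholders.
SAMPLE = """\
Received: from [192.168.1.150] (host.example.net [192.0.2.40])
\tby mail.bristolweb.net (Postfix) with ESMTPA id 765783F64D;
\tMon, 18 Dec 2023 14:33:05 +0000 (GMT)
Authentication-Results: mail.bristolweb.net; dmarc=fail (p=reject dis=none)
\theader.from=sender.example
Dkim-Filter: OpenDKIM Filter v2.11.0 mail.bristolweb.net 765783F64D
From: Sender <sender@sender.example>
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on bristolmail
X-Virus-Scanned: clamav-milter 1.0.3 at bristolmail

body
"""

def diagnose(raw, local_host):
    """Summarise how local_host handled the message, from headers alone."""
    msg = message_from_string(raw)
    host = re.escape(local_host)
    # RFC 3848 "with" keyword on the hop received by local_host.
    proto = None
    for rcvd in msg.get_all("Received", []):
        m = re.search(rf"\bby\s+{host}\b.*?\bwith\s+(\w+)", rcvd, re.S)
        if m:
            proto = m.group(1).upper()
            break
    seen = {name for name, hdr in FINGERPRINTS.items() if msg[hdr]}
    # OpenDMARC: an Authentication-Results header issued by local_host with dmarc=.
    if any(re.match(rf"\s*{host}\s*;.*\bdmarc=", ar, re.S)
           for ar in msg.get_all("Authentication-Results", [])):
        seen.add("opendmarc")
    chain = next((n for n, members in CHAINS.items() if members == seen), None)
    return {"authenticated": proto in ("ESMTPA", "ESMTPSA"),
            "tls": proto in ("ESMTPS", "ESMTPSA"),
            "signed": msg["DKIM-Signature"] is not None,
            "milters": seen, "chain": chain}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "mail.bristolweb.net"))
```

A `chain` of `smtpd_milters` on an authenticated message means it did not pass through a service whose `smtpd_milters` is overridden with `$mua_milters`, which in the posted master.cf is only `submission`.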