[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 16:14, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: > If you need permit_mx_backup, that means postfix doesn't have a > clear idea of domains it is responsible for. > > Please read and study: > http://www.postfix.org/BASIC_CONFIGURATION_README.html > > my

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Noel Jones via Postfix-users
On 6/11/2024 4:05 AM, Gilgongo via Postfix-users wrote: On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users <postfix-users@postfix.org> wrote: You should remove permit_mx_backup. This feature is intended for ISP-scale users that may not have a complete list of domains

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 11:52, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > On 11.06.24 11:02, Gilgongo via Postfix-users wrote: > >OK so I assume I can use the IP address of the primary and secondary MX > >servers, since all our domains are hosted on those IPs. >

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Matus UHLAR - fantomas via Postfix-users
>BTW in the meantime, if I add this (where mx2.mydomain.com is our >secondary MX hostname), I take it that would be a good idea: > >permit_mx_backup_networks = $mynetworks mx2.mydomain.com On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrot

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 10:36, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > > >BTW in the meantime, if I add this (where mx2.mydomain.com is our > secondary > >MX hostname), I take it that would be a good idea: > > > >permit_mx_backup_networks = $mynetworks mx2. my

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Matus UHLAR - fantomas via Postfix-users
On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: You should remove permit_mx_backup. This feature is intended for ISP-scale users that may not have a complete list of domains that use their server as a backup MX. In this case, permit_mx_backup_netwo

[pfx] Re: Sanity check/suggestions appreciated

2024-06-11 Thread Gilgongo via Postfix-users
On Tue, 11 Jun 2024 at 05:17, Noel Jones via Postfix-users < postfix-users@postfix.org> wrote: > You should remove permit_mx_backup. > > This feature is intended for ISP-scale users that may not have a > complete list of domains that use their server as a backup MX. In > this case, permit_mx_backu

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Noel Jones via Postfix-users
On 6/10/2024 12:10 PM, Gilgongo via Postfix-users wrote: On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users wrote: 3. smtpd_recipient_restrictions = permit_mx_backup avoid this whenever possible. Or at least define permit

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024 at 12:58, Matus UHLAR - fantomas via Postfix-users < postfix-users@postfix.org> wrote: > > 3. > smtpd_recipient_restrictions = permit_mx_backup > > avoid this whenever possible. Or at least define permit_mx_backup_networks > > Thanks - I forgot to ask about this. Am I right in

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Bill Cole via Postfix-users
On 2024-06-10 at 10:34:09 UTC-0400 (Mon, 10 Jun 2024 16:34:09 +0200) Matus UHLAR - fantomas via Postfix-users is rumored to have said: >>> On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < >>> postfix-users@postfix.org> wrote: why not postscreen for this purpose? > >> On 2024-06-1

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Matus UHLAR - fantomas via Postfix-users
On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: why not postscreen for this purpose? On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100) Gilgongo via Postfix-users is rumored to have said: Thanks - I thought about postscreen, bu

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Bill Cole via Postfix-users
On 2024-06-10 at 09:35:25 UTC-0400 (Mon, 10 Jun 2024 14:35:25 +0100) Gilgongo via Postfix-users is rumored to have said: On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: why not postscreen for this purpose? Thanks - I thought about postscreen,

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
On Mon, 10 Jun 2024, 12:37 pm Jeff Peng via Postfix-users, < postfix-users@postfix.org> wrote: > why not postscreen for this purpose? > Thanks - I thought about postscreen, but wasn't sure if it would be overkill for such a small server? Could look again though.

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Matus UHLAR - fantomas via Postfix-users
On 10.06.24 12:27, Gilgongo via Postfix-users wrote: Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4) config is pretty old and confusing, and may not be doing things we want. So I'd like to re-jig it. Here's how I think I'd like to have it: 1. Incoming mail (not from $mynetw

[pfx] Re: Sanity check/suggestions appreciated

2024-06-10 Thread Jeff Peng via Postfix-users
why not postscreen for this purpose? BTW I'm using a script (policyd.pl) that does weighted scoring for RBLs (as well as SPF), which I'd prefer rather than doing that with Postfix directly.

[pfx] Sanity check/suggestions appreciated

2024-06-10 Thread Gilgongo via Postfix-users
Hi - I've got a small mail server (~50 users) and our Postfix (3.6.4) config is pretty old and confusing, and may not be doing things we want. So I'd like to re-jig it. Here's how I think I'd like to have it: 1. Incoming mail (not from $mynetworks or sasl auth): RBL, SPF/DKIM verification and SA (

[pfx] Re: Requesting A Sanity Check, Please, + A Couple Of Qs

2023-03-27 Thread raf via Postfix-users
On Thu, Mar 23, 2023 at 05:58:13PM +1100, duluxoz via Postfix-users wrote: > Hi All, > > TL:DR: Could someone(s) please have a look-see at our config as a sanity > check for us, and also answer the questions at the end of this post - > thanks. Hi, I probably can't help

[pfx] Requesting A Sanity Check, Please, + A Couple Of Qs

2023-03-23 Thread duluxoz via Postfix-users
Hi All, TL:DR: Could someone(s) please have a look-see at our config as a sanity check for us, and also answer the questions at the end of this post - thanks. So we're finally putting in an email stack and while I've read just about every tutorial I can find on the web - and rea

Re: Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread Shawn Heisey
On 5/17/2022 9:14 AM, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: This is part of what I plan to put on our new MTA (Postfix only) and MDA (Postfix/Dovecot) servers. Please tell me if I am doing anything foolish / dangerous. My concern is whether I should put "permit_mynetworks" higher in the se

Re: [EXTERNAL] Re: Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread White, Daniel E. (GSFC-770.0)[AEGIS]
Excellent points. And thanks for the access list tip. I will lose the final reject from client and relay and exclude the MX servers from mynetworks Thanks. On 5/17/22, 11:54, "owner-postfix-us...@postfix.org on behalf of Matus UHLAR - fantomas" wrote: >> > smtpd_client_restrictions =

Re: Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread Matus UHLAR - fantomas
> smtpd_client_restrictions = you'll block incoming mail with last reject. This is right off of http://www.postfix.org/SMTPD_ACCESS_README.html#lists /etc/postfix/main.cf: # Allow connections from trusted networks only. smtpd_client_restrictions = permit_mynetworks, reject On 17.05.22 1

Re: Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread White, Daniel E. (GSFC-770.0)[AEGIS]
> > smtpd_client_restrictions = > you'll block incoming mail with last reject. This is right off of http://www.postfix.org/SMTPD_ACCESS_README.html#lists /etc/postfix/main.cf: # Allow connections from trusted networks only. smtpd_client_restrictions = permit_mynetworks, reject I only per

Re: Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread Matus UHLAR - fantomas
On 17.05.22 15:14, White, Daniel E. (GSFC-770.0)[AEGIS] wrote: This is part of what I plan to put on our new MTA (Postfix only) and MDA (Postfix/Dovecot) servers. Please tell me if I am doing anything foolish / dangerous. My concern is whether I should put "permit_mynetworks" higher in the sende

Sanity Check Request: smtpd_*_restrictions

2022-05-17 Thread White, Daniel E. (GSFC-770.0)[AEGIS]
This is part of what I plan to put on our new MTA (Postfix only) and MDA (Postfix/Dovecot) servers. Please tell me if I am doing anything foolish / dangerous. My concern is whether I should put "permit_mynetworks" higher in the sender and recipient restrictions. smtpd_client_restrictions =

Re: blocking attachments. Sanity check and testing

2021-01-21 Thread Wietse Venema
Joe Acquisto-j4: > I have read some discussions on DISCARD and, for my purpose, it suits. I > think. > > Is the action logged anywhere? I have not seen it. If not, can it be done? It is syslogged with the same syslog facility and severity "info" as routine Postfix logging. If you don't see l

Re: blocking attachments. Sanity check and testing

2021-01-21 Thread Joe Acquisto-j4
> I'm revisiting blocking certain attachments. A multi part question: > Implementation, logging, testing. > > Seems the accepted way to do attachment blocking is something like this: > > in /etc/postfix/main.cf added, without quotes: "mime_header_checks = > regexp:/etc/postfix/block_attachm

blocking attachments. Sanity check and testing

2021-01-21 Thread Joe Acquisto-j4
I'm revisiting blocking certain attachments. A multi part question: Implementation, logging, testing. Seems the accepted way to do attachment blocking is something like this: in /etc/postfix/main.cf added, without quotes: "mime_header_checks = regexp:/etc/postfix/block_attachments" in /etc

Re: DMARC and security (was: sanity-check postfix XCLIENT usage ?)

2020-10-23 Thread demi m. obenour
On Fri, Oct 23, 2020 at 3:26 PM Demi M. Obenour wrote: > >> "p=quarantine" might be a better choice, but I do consider lack of > >> DMARC to be a security hole. I certainly don't want someone to be > >> able to forge mail that claims to be from me. There are all sorts of > >> nasty social engin

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Dominic Raferd
On 23/10/2020 09:27, Nick Tait wrote: On 22/10/20 6:13 am, PGNet Dev wrote: Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records, (1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Nick Tait
On 23/10/20 2:26 pm, Bob Proulx wrote: The tragicomical thing is that Gmail does follow policy and when the policy of the sending site is strict DMARC and the mailing list does not rewrite then Gmail subscribers to mailing lists will get automatically unsubscribed when/if the bounce ratio exceeds

Re: sanity-check postfix XCLIENT usage ?

2020-10-23 Thread Nick Tait
On 22/10/20 6:13 am, PGNet Dev wrote: Before I take this up as an opendmarc question (my config &/or bug), & do more thorough digging re: intuit's published records, (1) Is there anything obviously wrong/missing in that^ XCLIENT usage generally, or in the specific intuit.com case above, that w

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Bob Proulx
et of message headers in this ordering, From: Reply-To: Resent-From: To: Cc: Mail-Followup-To: Subject: Date:) Date: Thu, 22 Oct 2020 19:17:35 -0400 (EDT) From: Wietse Venema To: Postfix users Subject: Re: sanity-check postfix XCLIENT usage ? Reply-To: Postfix users :-) > W

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread @lbutlr
On 22 Oct 2020, at 17:17, Wietse Venema wrote: > > Demi M. Obenour: >> That's because MUAs display the From: header, not the envelope address. >> DMARC is aimed at preventing spoofing. If someone sends a message >> that claims to be from me, but is not, that could damage my reputation >> or wor

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Wietse Venema
Demi M. Obenour: > That's because MUAs display the From: header, not the envelope address. > DMARC is aimed at preventing spoofing. If someone sends a message > that claims to be from me, but is not, that could damage my reputation > or worse. If GMail had p=reject, such a message would be droppe

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Demi M. Obenour
On 10/22/20 3:35 PM, Bob Proulx wrote: > Demi M. Obenour wrote: >> Viktor Dukhovni wrote: Demi M. Obenour wrote: This is really a security hole in gmail. Given the popularity of gmail, however, I seriously suggest somehow treating gmail as if it had p=reject, as it should. >>>

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Bob Proulx
Demi M. Obenour wrote: > Viktor Dukhovni wrote: > >> Demi M. Obenour wrote: > >> This is really a security hole in gmail. Given the popularity of > >> gmail, however, I seriously suggest somehow treating gmail as if it > >> had p=reject, as it should. > > No it should not have "p=reject" that's o

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Demi M. Obenour
On 10/22/20 12:25 PM, Viktor Dukhovni wrote: >> On Oct 22, 2020, at 2:11 PM, Demi M. Obenour wrote: >> >> I know :( >> >> This is really a security hole in gmail. Given the popularity of >> gmail, however, I seriously suggest somehow treating gmail as if it >> had p=reject, as it should. > No it

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Viktor Dukhovni
> On Oct 22, 2020, at 2:11 PM, Demi M. Obenour wrote: > > I know :( > > This is really a security hole in gmail. Given the popularity of > gmail, however, I seriously suggest somehow treating gmail as if it > had p=reject, as it should. No it should not have "p=reject" that's only for sites th

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Demi M. Obenour
On 10/22/20 3:23 AM, Bastian Blank wrote: > Hi name less > > On Wed, Oct 21, 2020 at 10:13:54AM -0700, PGNet Dev wrote: >> I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok. >> I've cranked up opendmarc logging level to >> MilterDebug 5 >> with that, on failed attem

Re: sanity-check postfix XCLIENT usage ?

2020-10-22 Thread Bastian Blank
Hi name less On Wed, Oct 21, 2020 at 10:13:54AM -0700, PGNet Dev wrote: > I've online-checked SPF/DMARC records for 'intuit.com'; all _seems_ to be ok. > I've cranked up opendmarc logging level to > MilterDebug 5 > with that, on failed attempt, I see only an unhelpful > Oct 21 09:43:39

Re: sanity-check postfix XCLIENT usage ?

2020-10-21 Thread Dominic Raferd
On 22/10/2020 00:39, PGNet Dev wrote: On 10/21/20 4:31 PM, Wietse Venema wrote: PGNet Dev: Two questions: clear. i'll focus just on just the dmarc bits. both debugging opendmarc, and replacing it with another option to see if behavior changes. xclient's extremely helpful in any case.

Re: sanity-check postfix XCLIENT usage ?

2020-10-21 Thread PGNet Dev
On 10/21/20 4:31 PM, Wietse Venema wrote: PGNet Dev: Two questions: clear. i'll focus just on just the dmarc bits. both debugging opendmarc, and replacing it with another option to see if behavior changes. xclient's extremely helpful in any case.

Re: sanity-check postfix XCLIENT usage ?

2020-10-21 Thread Wietse Venema
PGNet Dev: > Two questions: > > (1) my postfix config includes, > > strict_rfc821_envelopes = yes > > the FROM: & RCPT TO: addressed i inject, as well as those in the originally > sent mail, appear to be compliant. > > is there _more_ that strict restriction that might be relevant? Post

Re: sanity-check postfix XCLIENT usage ?

2020-10-21 Thread PGNet Dev
On 10/21/20 11:13 AM, Wietse Venema wrote: If your XCLIENT arguments match Postfix logging, including the name and IP address info they do and you used HELO or EHLO depending on Postfix's proto= logging proto=ESMTP, so I used EHLO then I think that the Postfix SMTP daemon cannot distingui

Re: sanity-check postfix XCLIENT usage ?

2020-10-21 Thread Wietse Venema
If your XCLIENT arguments match Postfix logging, including the name and IP address info and you used HELO or EHLO depending on Postfix's proto= logging, then I think that the Postfix SMTP daemon cannot distinguish between a real intuit.com connection and one made with XCLIENT. That leaves the poss

sanity-check postfix XCLIENT usage ?

2020-10-21 Thread PGNet Dev
I'm using Postfix's XCLIENT to synthesize/inject a test email into my postfix->filter/milter->delivery chain. I'd like to verify that my XCLIENT usage isn't the cause of the delivery failure I see below ... @ this postfix instance, mail flows as -> postscreen (@ IP = 203.0.113.1) |

RE: Sanity check - of my postfix setup.

2017-05-09 Thread John Anderson
: Tuesday, May 09, 2017 9:40 AM To: postfix users Subject: Re: Sanity check - of my postfix setup. I had similar issues and my Maildir was misnamed. I solved it by making a link from the existing name to the correct name. On 05/09/2017 07:36 AM, Noel Jones wrote: > On 5/9/2017 6:59 AM, John wr

Re: Sanity check - of my postfix setup.

2017-05-09 Thread Paul Kelly
I had similar issues and my Maildir was misnamed. I solved it by making a link from the existing name to the correct name. On 05/09/2017 07:36 AM, Noel Jones wrote: On 5/9/2017 6:59 AM, John wrote: As Andreas pointed out it might help if I outlined the problem. I am losing mail, it just disa

Re: Sanity check - of my postfix setup.

2017-05-09 Thread Noel Jones
On 5/9/2017 6:59 AM, John wrote: > As Andreas pointed out it might help if I outlined the problem. > > I am losing mail, it just disappears. Postfix seems to deliver it, > hands it off the dovecot LMTP and then shows "removed" > > Dovecot shows ... : saved to INBOX. Both postfix and dovecot are

Re: Sanity check - of my postfix setup.

2017-05-09 Thread John
As Andreas pointed out it might help if I outlined the problem. I am losing mail, it just disappears. Postfix seems to deliver it, hands it off the dovecot LMTP and then shows "removed" Dovecot shows ... : saved to INBOX. But messages disappear. I am deeply suspicious of the Dovecot/Thunderb

Sanity check - of my postfix setup.

2017-05-09 Thread John
I am trying to debug a problem with my mail system. I think the problem is with Dovecot, or Thunderbird. However, just to make sure I am not missing something really stupid could I get a check on my postfix setup. TIA John A alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no

RE: auth/tls combinations sanity check

2016-07-13 Thread Michael Fox
> > I can make up any variable name I want and assign a value to > > it main.cf, and then reference its value in main.cf and master.cf? > > Yes. > > -- > Viktor. Ah. That is indeed powerful. And now I understand your suggested solution, Viktor. It even solves a problem I didn't mentio

Re: auth/tls combinations sanity check

2016-07-13 Thread Benny Pedersen
On 2016-07-13 19:47, Michael Fox wrote: Are you saying I can make up any variable name I want and assign a value to it main.cf, and then reference its value in main.cf and master.cf? indeed yes

Re: auth/tls combinations sanity check

2016-07-13 Thread Viktor Dukhovni
On Wed, Jul 13, 2016 at 10:47:37AM -0700, Michael Fox wrote: > I can make up any variable name I want and assign a value to > it main.cf, and then reference its value in main.cf and master.cf? Yes. -- Viktor.

RE: auth/tls combinations sanity check

2016-07-13 Thread Michael Fox
> > But looking at http://www.postfix.org/postconf.5.html, I don't find > > mua_discard_ehlo_keyword_address_maps or mua_sender_restrictions. Are > > those > > literal names? Where can I find documentation? > > trick here is that we only ask for postconf -n, this will not display > postconf -Mf

Re: auth/tls combinations sanity check

2016-07-13 Thread Benny Pedersen
On 2016-07-13 18:45, Michael Fox wrote: But looking at http://www.postfix.org/postconf.5.html, I don't find mua_discard_ehlo_keyword_address_maps or mua_sender_restrictions. Are those literal names? Where can I find documentation? trick here is that we only ask for postconf -n, this will n

RE: auth/tls combinations sanity check

2016-07-13 Thread Michael Fox
> > So, I'm thinking I need three submission ports: > > * one for AUTH but no TLS > > * one for AUTH with opportunistic TLS > > * one for AUTH with enforced TLS > > You can combine these into just one service by using: > > main.cf: > mua_discard_ehlo_keyword_address_maps = > cidr:${conf

Re: auth/tls combinations sanity check

2016-07-13 Thread Viktor Dukhovni
> On Jul 13, 2016, at 10:33 AM, Viktor Dukhovni > wrote: > >tlsclient.cidr: > 192.0.2.0/24 DUNNO > 0.0.0.0 reject_plaintext_session That would be 0.0.0.0/0 of course. -- Viktor.

Re: auth/tls combinations sanity check

2016-07-13 Thread Viktor Dukhovni
> On Jul 13, 2016, at 2:27 AM, Michael Fox wrote: > > So, I'm thinking I need three submission ports: > * one for AUTH but no TLS > * one for AUTH with opportunistic TLS > * one for AUTH with enforced TLS You can combine these into just one service by using: main.cf: mua_di

auth/tls combinations sanity check

2016-07-12 Thread Michael Fox
I have a possibly unusual AUTH/TLS combination requirement. As a newbie, I could use a sanity check. Requirements: * All virtual mail clients will use SASL AUTH * Virtual mail clients on specific internal networks MUST NOT be offered TLS. This is to satisfy FCC requirements prohibiting the use

Re: Postcreen settings sanity check

2015-07-13 Thread Steve Jenkins
On Mon, Jul 13, 2015 at 12:48 PM, Wietse Venema wrote: > I would not enable the "after 220 greeting" protocol tests, because > some senders that pass the tests will not retry (mail will never > be delivered), and some will retry from a different client IP address > (mail will be delayed). Whitel

Re: Postcreen settings sanity check

2015-07-13 Thread Wietse Venema
Steve Jenkins: > I'm trying to come up with a set of suggested Postscreen main.cf settings > that can be a suggested "general" starting place for most personal and > small business users. Below is what I'm currently running on my personal > box, and I would apprec

Postcreen settings sanity check

2015-07-13 Thread Steve Jenkins
I'm trying to come up with a set of suggested Postscreen main.cf settings that can be a suggested "general" starting place for most personal and small business users. Below is what I'm currently running on my personal box, and I would appreciate any "sanity check" f

Re: Sanity check

2015-02-19 Thread John
On 2/19/2015 8:18 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 14:11 schrieb John: On 2/19/2015 7:48 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wro

Re: Sanity check

2015-02-19 Thread li...@rhsoft.net
Am 19.02.2015 um 14:11 schrieb John: On 2/19/2015 7:48 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydo

Re: Sanity check

2015-02-19 Thread John
On 2/19/2015 7:48 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /roo

Re: Sanity check

2015-02-19 Thread li...@rhsoft.net
Am 19.02.2015 um 13:22 schrieb John: On 2/19/2015 6:49 AM, Richard James Salts wrote: On Thu, 19 Feb 2015 06:32:29 John wrote: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are th

Re: Sanity check

2015-02-19 Thread li...@rhsoft.net
Am 19.02.2015 um 13:30 schrieb John: On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any

Re: Sanity check

2015-02-19 Thread John
On 2/19/2015 6:35 AM, li...@rhsoft.net wrote: Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need clie

Re: Sanity check

2015-02-19 Thread John
On 2/19/2015 6:49 AM, Richard James Salts wrote: On Thu, 19 Feb 2015 06:32:29 John wrote: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need

Re: Sanity check

2015-02-19 Thread Richard James Salts
On Thu, 19 Feb 2015 06:32:29 John wrote: > On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: > >> smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem > >> smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key > > > > Are there any destinations for which you need client certs to gain > > access?

Re: Sanity check

2015-02-19 Thread li...@rhsoft.net
Am 19.02.2015 um 12:32 schrieb John: On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need client certs to gain access? If not set these empt

Re: Sanity check

2015-02-19 Thread John
On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key Are there any destinations for which you need client certs to gain access? If not set these empty. I thought these were needed for TLS

Re: Sanity check

2015-02-17 Thread Viktor Dukhovni
On Tue, Feb 17, 2015 at 07:07:04AM -0500, Wietse Venema wrote: > Viktor Dukhovni: > > > submission inet n - n - 30 smtpd > > > -o syslog_name=postfix/submission > > > -o smtpd_tls_wrappermode=no > > > > Postfix 3.0? (smtpd_tls_wrappermode is new with 3.0 IIRC, just

Re: Sanity check

2015-02-17 Thread John
On 2/16/2015 10:29 PM, Viktor Dukhovni wrote: On Mon, Feb 16, 2015 at 09:46:17PM -0500, John Allen wrote: smtp_dns_support_level = dnssec smtp_tls_security_level = dane Given the above, the following are pointless: smtp_tls_enforce_peername = no A Postfix 2.2 parameter Obsoleted by smt

Re: Sanity check

2015-02-17 Thread Wietse Venema
Viktor Dukhovni: > > submission inet n - n - 30 smtpd > > -o syslog_name=postfix/submission > > -o smtpd_tls_wrappermode=no > > -o smtpd_tls_security_level=encrypt > > -o smtpd_sasl_auth_enable=yes > > -o smtpd_relay_restrictions=permit_sasl_authenticated,reject >

Re: Sanity check

2015-02-16 Thread Viktor Dukhovni
On Mon, Feb 16, 2015 at 09:46:17PM -0500, John Allen wrote: > smtp_dns_support_level = dnssec > smtp_tls_security_level = dane Given the above, the following are pointless: > smtp_tls_enforce_peername = no A Postfix 2.2 parameter Obsoleted by smtp security levels. Remove from main.cf.

Sanity check

2015-02-16 Thread John Allen
Would somebody take a look at my config. I am a little concerned about the security on submission (587). This is the family server which I use for experimenting. Thanks John A config_directory = /etc/postfix biff = no append_dot_mydomain = no mydomain = klam.ca myorigin = $mydomain myhostname

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Stan Hoeppner
On 8/30/2013 10:12 AM, Terry Gilsenan wrote: > I am not talking about implementing SMTP on UDP, I am taking about the > possibility of adding a side-channel for bulk data that would use UDP. I'm really surprised nobody has mentioned this yet. It seems there's a far simpler solution to the descr

RE: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Terry Gilsenan
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Glenn English Sent: Saturday, 31 August 2013 12:52 AM To: postfix-users@postfix.org Subject: Re: newbie check Was [Re: port 25 submission settings sanity check] On Aug 30, 2013

RE: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Terry Gilsenan
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Glenn English Sent: Saturday, 31 August 2013 12:52 AM To: postfix-users@postfix.org Subject: Re: newbie check Was [Re: port 25 submission settings sanity check] On Aug 30, 2013

RE: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Terry Gilsenan
-Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Jan P. Kessler Sent: Saturday, 31 August 2013 12:21 AM To: postfix-users@postfix.org Subject: Re: newbie check Was [Re: port 25 submission settings sanity check] >&

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Glenn English
On Aug 30, 2013, at 7:07 AM, Terry Gilsenan wrote: > As attachments get larger, and end users use email rather than ftp for file > transfer for convenience sake, a UDP implementation, perhaps using UDP as a > data streaming channel could become a very useful configuration, and the > transfer s

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Jan P. Kessler
As attachments get larger, and end users use email rather than ftp for file transfer for convenience sake, a UDP implementation, perhaps using UDP as a data streaming channel could become a very useful configuration, and the transfer speed over high latency links (think satellite etc) could i

RE: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-30 Thread Terry Gilsenan
) could improve immensely. T -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Peter Sent: Friday, 30 August 2013 12:15 PM To: postfix-users@postfix.org Subject: Re: newbie check Was [Re: port 25 submission settings sanity check

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Peter
On 08/30/2013 02:49 PM, John Levine wrote: > >>> submission 587/udp > > I've been doing this for a long time, and I've never seen anyone try > to do SMTP over anything other than TCP. You'll see this for a lot of services in the file. The old practice was for IANA to assign both tcp and ud

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread John Levine
>> submission 587/udp I've been doing this for a long time, and I've never seen anyone try to do SMTP over anything other than TCP. Regards, John Levine, postmas...@cauce.org, CAUCE postmaster http://www.cauce.org

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Peter
On 08/30/2013 08:53 AM, Terry Gilsenan wrote: > There are no MTAs that accept submission on UDP, yet, so maybe reserved > for future use? No, it's just the assignment from IANA. In the past when either a TCP or UDP port assignment was requested both were assigned, this does not mean that there is

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Noel Jones
On 8/29/2013 3:43 PM, Glenn English wrote: > > On Aug 29, 2013, at 2:18 PM, LuKreme wrote: > >> $ grep 587 /etc/services >> submission 587/tcp >> submission 587/udp > > That's what mine says too. Does Postfix accept UDP submissions? > > I looked at RFC6409 (the newest I could find on

RE: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Terry Gilsenan
heck Was [Re: port 25 submission settings sanity check] On Aug 29, 2013, at 2:18 PM, LuKreme wrote: > $ grep 587 /etc/services > submission 587/tcp > submission 587/udp That's what mine says too. Does Postfix accept UDP submissions? I looked at RFC6409 (the newest I coul

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Glenn English
On Aug 29, 2013, at 2:18 PM, LuKreme wrote: > $ grep 587 /etc/services > submission 587/tcp > submission 587/udp That's what mine says too. Does Postfix accept UDP submissions? I looked at RFC6409 (the newest I could find on 587), and all it said was "port 587" -- the protocol isn't

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread LuKreme
On 29 Aug 2013, at 13:34 , Glenn English wrote: > > On Aug 29, 2013, at 12:49 PM, Quanah Gibson-Mount wrote: > >> --On Thursday, August 29, 2013 3:59 PM +0900 peter evans >> wrote: >> >> >>> Combine these two into one. put permit_sasl_ at the top >>> as it is a first match wins thi

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Glenn English
On Aug 29, 2013, at 1:37 PM, li...@rhsoft.net wrote: > > > Am 29.08.2013 21:34, schrieb Glenn English: >> I'm under the impression that 587 is to be used by my local users >> (email clients to local MTA), and 25 is used by MTA<->MTA. Is this wrong? > > correct > >> And /etc/services says: >>

Re: newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread li...@rhsoft.net
Am 29.08.2013 21:34, schrieb Glenn English: > I'm under the impression that 587 is to be used by my local users > (email clients to local MTA), and 25 is used by MTA<->MTA. Is this wrong? correct > And /etc/services says: > >> auth 113/tcp authentication tap ident > > not 587

newbie check Was [Re: port 25 submission settings sanity check]

2013-08-29 Thread Glenn English
On Aug 29, 2013, at 12:49 PM, Quanah Gibson-Mount wrote: > --On Thursday, August 29, 2013 3:59 PM +0900 peter evans wrote: > > >> Combine these two into one. put permit_sasl_ at the top >> as it is a first match wins thing. And of course, re-educate >> your client that auth belo

Re: port 25 submission settings sanity check

2013-08-29 Thread Quanah Gibson-Mount
--On Thursday, August 29, 2013 3:59 PM +0900 peter evans wrote: Combine these two into one. put permit_sasl_ at the top as it is a first match wins thing. And of course, re-educate your client that auth belongs on port 587. (for example, Japan has a lot of plac

Re: port 25 submission settings sanity check

2013-08-28 Thread LuKreme
On 28 Aug 2013, at 13:06 , Quanah Gibson-Mount wrote: > I thought the smtpd_relay_restrictions would automatically allow the email to > pass the RBLs, but this does not appear to be the case. You would have to check the RBLs *after* permit_sasl_authenticated, and you would have to permit_sasl

Re: port 25 submission settings sanity check

2013-08-28 Thread Viktor Dukhovni
On Wed, Aug 28, 2013 at 12:06:17PM -0700, Quanah Gibson-Mount wrote: > We have a client allowing auth'd submissions over port 25. > Unfortunately, the authenticated submissions are hitting their RBL > settings. The postfix release is 2.10.0, with the following > parameters: > > smtpd_recipient_r

Re: port 25 submission settings sanity check

2013-08-28 Thread Quanah Gibson-Mount
--On Wednesday, August 28, 2013 2:22 PM -0500 Noel Jones wrote: On 8/28/2013 2:06 PM, Quanah Gibson-Mount wrote: We have a client allowing auth'd submissions over port 25. Unfortunately, the authenticated submissions are hitting their RBL settings. The postfix release is 2.10.0, with the fol

Re: port 25 submission settings sanity check

2013-08-28 Thread Noel Jones
On 8/28/2013 2:06 PM, Quanah Gibson-Mount wrote: > We have a client allowing auth'd submissions over port 25. > Unfortunately, the authenticated submissions are hitting their RBL > settings. The postfix release is 2.10.0, with the following > parameters: > > smtpd_recipient_restrictions = reject
