Postings by Phil Stracchino

SPF failure

I have mail from one specific domain (handled by Google) being rejected
by pypolicyd-spf because of an apparent DNS lookup problem — 'SPF
Permanent Error: Too many DNS lookups' — but it is not obvious to me
what the problem is, unless it's something to do with having five MX
forwarders to look up. Only this one domain seems to be affected. I
can SEND mail to them, but not RECEIVE mail from them.

How in blazes is this still getting through?

header_checks = pcre:/etc/postfix/smtp_header_checks


/^X-Clacks-Overhead:/ IGNORE
/^Content-Transfer-Encoding:/i PREPEND X-Clacks-Overhead: GNU Terry
Pratchett, Iain M.

Configure failure on 5.x kernels?

I don't know if this is Gentoo specific.

Click tracker removal ideas?

Quick question I hope:

Does anyone have any suggestions for a tool for filtering out click
trackers from links in email bodies and rewriting the links without the
click tracking?

Missing something in allowing a program-alias address

I switched last year from DSpam to rspamd for spam filtering. I have a
spam retrain address to send false-negative messages to rspamd for

Puzzling error: Mailbox file "too large"

One of my daughters cannot receive mail because Postfix apparently
thinks her mailbox file is too large:

Oct 28 16:05:31 minbar postfix/local[4960]: 4EF344037B962:
to=< ... at caerllewys dot net>, relay=local, delay=5.6,
delays=5.5/0.01/0/0.01, dsn=5.2.2, status=bounced (cannot update mailbox
/var/spool/mail/valkyrie for user valkyrie. error writing message: File
too large)

The file is only 50MB and contains just under a thousand messages. That
doesn't seem fatally oversized to me.

A problem I'm not sure how best to solve

I have a perplexing puzzle thrust upon me.

Consider the following:

Oct 8 15:55:33 minbar postfix/smtpd[7422]: NOQUEUE: reject: RCPT from[]: 551 5.1.8 < ... at mg dot>:
Sender address rejected: Domain not found;
from=<bounce+db1162.5fcd4c-alrekr=caerllewys. ... at mg dot>
to=< ... at caerllewys dot net> proto=ESMTP helo=<> is connecting with a good HELO, and appears to be authorized
to send mail on behalf of, but the mail has a sender
address that is bad because does not resolve in DNS, and

Heads up for Gentoo users: mail-mta/postfix-3.3.1-r1 has permissions problems

For anyone using Postfix on Gentoo, be aware that
mail-mta/postfix-3.3.1-r1 installs with many incorrect file permissions
that result in impaired functionality (specifically, postdrop won't
work). You may want to consider rolling back to 3.2.4 until the ebuild
is fixed. If you want to just fix the permissions, you'll need to do it
manually, because 'postfix set-permissions' isn't working correctly in
3.3.1-r1 either.

(See Gentoo bug #665280)

SPF + outside backup MX relay = redelivery failures: Help requested

I am running Postfix with opendkim, rspamd, pypolicyd-spf, and DMARC.
This is working fine for mail delivered directly to my domain. However,
if my net connection goes down and mail gets queued by my backup MX at
another domain (which I do not control), then when my connection comes
back up and the MX relay attempts to redeliver all the queued mail,
delivery fails due to SPF failures like this one, because the sender's
domain has not authorized my mail relay to send mail on its behalf.

Fail2ban integration questions

This is semi-hypothetical ...

I often see spews of failed connect attempts logged by postscreen:

Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from
[]:54708 to []:25
Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
from []:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
[]:54708 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from

This ought to be simple to stop. Am I missing something?

I'm getting spam leaking through from sites with non-resolving IP or
invalid DNS, sending mail to myself as me.

DSpam and Postfix

I use DSpam with Postfix, and it works well ... except that some time
back, redelivery of false positives stopped working.

Multiple PREPENDs

Let's suppose I have the following directives in
/etc/postfix/header-checks. (Because I do.)

/^X-Clacks-Overhead:/ IGNORE
/^Content-Transfer-Encoding:/i PREPEND X-Clacks-Overhead: GNU Terry

(If this header doesn't mean anything to you, it's a Discworld thing.
"A man is not dead while his name is still spoken.")

Now suppose I wanted to do the same for a second writer. Adding:

/^Content-Transfer-Encoding:/i PREPEND X-Clacks-Overhead: GNU Iain M. Banks

does not work. Is it simply that I cannot prepend a second header by
the same name? Or is the second PREPEND not firing?