Hi,

I have a question regarding restrictions I can place on EHLO in the smtpd_helo_restrictions parameter.

I have a Postfix server that is Internet facing. I periodically receive e-mail where the other MTA sends a EHLO of an address literal.

Hello,

I have a question regarding DNSBL usage with the main.cf smtpd_client_restrictions parameter.

I have a server configured to check SpamHaus:

main.cf
. . .
smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
. . .

This has been working very well, although I noticed the following error in my syslog:

Sep 7 16:13:08 server postfix/smtpd[28363]: warning: 188.50.102.94.zen.spamhaus.org: RBL lookup error: Host or domain name not found.

Hello,

I have a question regarding DKIM signing on Postfix bounce back messages.

I was tuning my Dovecot installation around quotas. I sent a test message from Hotmail to a test account on my server to test generation of a bounce back when a user exceeds their quota. The message was successfully generated and then relayed via Postfix back to the Hotmail account, but I noticed the bounce back message went into the Hotmail junk folder.

Inspecting the message I saw that I was not DKIM signing messages generated by Postfix or via sendmail.

Hello,

I noticed something interesting in my logs today. I am running Postfix 3.3.1:

Aug 24 21:09:25 server postfix/submission/smtpd[10256]: connect from unknown[unknown]:unknown
Aug 24 21:09:25 server postfix/submission/smtpd[10256]: lost connection after CONNECT from unknown[unknown]:unknown
Aug 24 21:09:25 server postfix/submission/smtpd[10256]: disconnect from unknown[unknown]:unknown commands=0/0

It is clear that this was a bad connection, but under what circumstances does Postfix consider a remote connection’s address as “unknown” ?

Hello,

I manage a small mail server and have been using Spamcop as a DNSBL’s via postscreen:

/etc/postfix/main.cf
postscreen_dnsbl_sites = bl.spamcop.net
postscreen_dnsbl_action = drop

After reading RFC 5782 “DNS Blacklists and Whitelists”, I decided to add some more
DNSBL’s and specify filters and weighting. While looking at various samples of main.cf
using DNSBL’s, I came back to an old question - where should I implement DNSBL restrictions ?

On this list I seem to recall that using a DNSBL via postscreen is discouraged.

Hi,

I apologize for asking a question that is only tangentially related to Postfix, however the OpenDKIM mailing lists do not appear to be accessible.

I am using Postfix 3.1.0 and OpenDKIM 2.10.3.

Hello,

I had some questions regarding milters in general, with the questions initially focused on the OpenDKIM milter (version 2.10.3), on Postfix 3.1.0

In man 5 opendkim.conf, under the CaptureUnknownErrors parameter, it specifies:

When set, and on systems where MTA quarantine is available, the
filter will request quarantine of a message that results in an internal
error or resource exhaustion.

My questions are:

1. Is this supported on Postfix 3.1.0 and later ?

2.

Hi,

I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d clients on the submission service.

In master.cf I have added the following to the submission service:

-o smtpd_tls_ciphers=high
-o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2

…however, when I test via the OpenSSL client:

openssl s_client -connect example.com:587 -starttls smtp -tls1

…it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS 1.2 on successive tests.

What am I doing wrong ?

Thanks,

- J

Hi,

I have a question regarding 8BITMIME.

I know Postfix supports 8BITMIME and does not support BINARYMIME, but I am wondering why both 8BITMIME and BINARYMIME are ESMTP extensions. It would appear that 8BITMIME solves the same problem as BINARYMIME (allow 8-bit encoding of MIME), so why wasn’t BINARYMIME made obsolete in the RFC’s ?

Also - because 8BITMIME seems to solve the problem without CHUNKING, is that why Postfix supports it over BINARYMIME ?

Thanks,

- J

Hi,

I have a question in regards to removing some trace records when providing submission on Postfix 3.1.x and later.

While reading RFC 6409 (“Message Submission for Mail”), I note that the RFC observes that:

"Even when submitted messages are complete, local site policy may dictate that the message text be
examined or modified in some way, e.g., to conceal local name or address spaces.”

By this I take it that I could remove perhaps the initial trace message that returns information about internal addresses
and network names.

Hi,

I have been reading about the ESMTP CHUNKING extension (RFC 3030), after noticing that both Hotmail and Gmail advertise it on EHLO.

Hello,

I read the “Postfix ETRN Howto” [1] as well as man 5 postconf with regards to:

postscreen_discard_ehlo_keywords
smtpd_discard_ehlo_keywords

...

Hi,

I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave this enabled on my Postfix instance that provides submission (587) ?

Hi,

I was looking for some websites that covered e-mail administration in general and that also mentioned Postfix.

I checked the Postfix homepage [1] and on the link “Howtos and FAQs” there are two links at the bottom under the heading “General E-mail/System Administration”. Unfortunately the first link appears to be dead and the second link is more of a discussion of the C10K problem, which appears to be more of use to people writing software on the scale of Postfix.

Can anyone recommend any good sites that cover e-mail administration in general ?

Hi,

I currently use postscreen on my Postfix version 3.1.0 mail server. I implement IP ACL’s via it to ban malicious connections (generally from xDSL IP blocks), against smtpd running on port 25.

I have recently configured and turned on submission with SASL. With submission available, I don’t want to ban any particular xDSL IP blocks as clients that are travelling around the world may make use of Internet in cafes, hotels, etc.

Hi,

I currently use Postfix version 3.1.0. I know that there are announcements of feature changes between each release of Postfix via e-mail and I read these, but I was wondering if there was an easy way to see the changes to the main.cf configuration parameters between versions ?

For example, can I somehow diff the difference between man 5 postconf on version 3.1.0 and the current release of Postfix ?

Hello,

I had a question about Postfix’s smtpd DNS resolution.

In my logs (generally from spam sources), I see the following:

Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname 1-2-3-4.dyn.isp.net does not resolve to address 1.2.3.4: Name or service not known

Does this mean that:

1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
3. If the IP addresses don’t match it reports this error

...

Hi,

I was wondering about a configuration parameter listed with the default submission configuration in master.cf.

One of the parameters that overrides the settings in main.cf “milter_macro_daemon_name” is set to “ORIGINATING” instead of the default value in main.cf.

Why is this done ?

Thanks,

- J

Hi,

I have a basic SMTP server set up with what I believe to be good smtpd_*_ restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions.

Hi,

I have a question about enabling SASL authentication in the Postfix SMTP server *ONLY* over TLS.

In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it lists recommended configurations for SASL auth that restrict the SASL mechanisms to noanonymous and noplaintext:

A more sophisticated policy . . .

Hi,

I am looking to use either Cyrus or Dovecot for both SASL authentication and IMAP. While Postfix 3.1.0 supports both, I was wondering which to prefer if security is my most important deciding factor ? Does one have a better track record than the other ?

Thanks,

- J

Hi,

I have two questions about the “Autoreplies” section in the VIRTUAL_README [1].

If I was setting up auto replies for the virtually hosted domain of “example.com”, would the correct configuration be:

/etc/postfix/main.cf
virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

/etc/postfix/virtual
<a href="mailto: ... at example dot com"> ... at example dot com</a> <a href="mailto: ... at example dot com"> ... at example dot com</a>,
... at example dot ... at autoreply dot example.com

/etc/postfix/transport
autoreply.example.com autoreply:

/etc/postfix/master.cf
autoreply unix - n n - - pipe

Hi,

I had two short questions regarding Postfix’s elliptic curve support for the SMTP server.

1. Under the man documentation for: tls_eecdh_strong_curve the documentation states “...approximately 128-bit security...”. Is that saying that it is equivalent to 128-bits RSA or it provides an elliptic curve key size of nearly 128-bits ?

2. To make use of ecliptic curve encryption a TLS certificate must have been made with support for ecliptic curves, correct ? A TLS certificate using RSA keys will not work ?

Thanks,

- J

Hi,

I noticed a very small grammatical error under: man 5 postconf

Under the configuration parameter: tls_dane_digest_agility under the “maybe” option, the second last sentence states:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will disabled.”

This should be changed to:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will *BE* disabled”

- J

Hi,

I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:

“As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”

I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER ?

Thanks,

- J

Hi,

I have a basic question regarding the smtpd_recipient_restrictions parameter.

From what I understand, these are restrictions applied to the SMTP RCP TO command.

In the case of a server that receives mail for a domain and also allows clients to send mail through it (via AUTH’d clients), does smtpd_recipent_restrictions apply to recipients at the domain or to recipients of mail sent by the AUTH’d clients or both ?

So, as an example, if the server handles mail for example.com, do the restrictions apply to:

1. Recipients at example.com (example: <a href="mailto: ... at example dot com"> ... at example dot com</a> is recipient)

2.

Hi,

I was reading the documentation for the smtp_tls_verify_cert_match parameter in man 5 postconf and noted under the “nexthop” strategy that both next-hop and nexthop are specified.

Example:

“Match against the next-hop domain...”

“When MX lookups are not suppressed, this is the original nexthop domain...”

Up until this point, I had been viewing them as interchangeable, but are they in fact referring to two different things/terms ?

Thanks,

- J

Hi,

I was wondering if fellow Postfix users would still recommend using amavisd-new when integrating AV (ClamAV), and spam filtering (SpamAssasin) ?

The site I have this in mind for receives a moderate amount of e-mail per day.

This appears to be the most mentioned configuration via web searches, but I was wondering if this still held true for 2017/2018 (amavisd-new’s last release was 2016/04/26) ?

Thanks,

- J

Hi,

I have a question regarding specifying where the list of trusted CA’s are in regards to the smtp client.

In man 5 postconf, I can see there are two configuration parameters regarding this:

smtp_tls_CAfile
smtp_tls_CApath

The documentation (as I understand it), notes that:

1. smtp_tls_CAfile

— Specifies file that contains CA certs of root CA’s trusted to sign either remote SMTP server certificates or intermediate CA certificates

2.

Hi,

If I recall correctly, Ubuntu 17.10 (desktop version), uses Wayland if the computer’s hardware supports it. Is there an easy way for me to determine on a running 17.10 machine if Wayland is being used or if the OS is falling back to X ?

Thanks,

- J