Postings by John


I was just taking a look through my postfix configuration and noticed
that I have a "check_policy_service" for postgrey, a greylisting service.

Is greylisting still considered worthwhile or should I drop it?


John A

removing postgrey - reconfiguring postfix

I have been using postgrey for some time, but recently I have seen some
postings that indicate that this is not the "best" way of spam control.

Is there a write up of how to set up postscreen for maximum spam control?


John A

smtp_tls_security_level - may/dane/encrypt

I currently use "smtp_tls_security_level = dane" but recent discussions
have made me wonder if I should change that. Maybe encrypt.

John A

OT? - Blocking attachments

This may not be a Postfix problem, but bearing in mind the recent events
this forum may have some good ideas.

After the recent ransomware attacks we are considering the idea of
blocking all attachments. I am not sure of the best way of doing this,
but several ideas have been put forward:

1. block all email with attachments - a little too drastic for some as
there are legit reasons for attachments.
2. block all email that is in any format that can hide executable code.
3. rename attachments so that they will not/cannot be executed/run by
just opening them.

Sanity check - of my postfix setup.

I am trying to debug a problem with my mail system. I think the problem
is with Dovecot, or Thunderbird.

However, just to make sure I am not missing something really stupid,
could I get a check on my postfix setup?


John A

OT? SRV records etc

How likely is it for a DNS to have SRV records for such things as smtp,
imap ...
I know that's a dumb question, but I am trying to guesstimate how big a
dewy-eyed optimist I am being in hoping that they are common practice.

OT - Security Certs for postfix, dovecot

This may be off topic, so I will not include postfix config for the moment.

Should I be using different certs for Postfix smtp (25) and submission
(587)? Is this even possible in Postfix?
Should Dovecot imaps (993) be using a different cert from Postfix?

The question was: if the cert+key are compromised, how does this affect
the system?
What are the effects for submission, imap?

Warning: group or other writeable:

I am seeing the above message associated with the following files -


My problem is that I cannot find these files - where should I look and
why are they group/other writeable?

John A

Macros + Require constructs

I am trying to set up a webdav server. Each user is allocated a
directory (%location) and an id (%user).

Best practice?

Is it better to add restrictions/tests to the appropriate section, or is
it better to place them all under one, for example everything to do with
sender (check_sender_access...) under smtpd_sender_restrictions?

Condition negation

Is there a way of negating an smtpd condition?
For example, if I were to apply "check_sender_access sql_lookup" under
submission, would it be possible to say something like
!check_sender_access ... under smtpd restrictions?

The idea being that if they are allowed access via submission they
are denied access via smtpd.

Sorry for the poor presentation, working from my cell phone.


I am trying to work out what parameters to add to
smtpd_relay_restrictions, both in and

1. We do not allow relaying by any means!
2. In-house users must be registered, use our domains and port 587
(submission) to send.
I use check_sender_access with a table in the form
"permit_sasl_authenticated, reject" to enforce these rules (thanks to
Sebastian Nielsen for the idea) in the submission section of


Recently there was a discussion about file permissions and ownership.
My postfix setup is as far as I know fairly conventional Debian stretch.

/etc/postfix root root 755 root root 644 root root 644

/etc/postfix/maps root root 755
Map, pcre etc root root 644

/etc/postfix/sasl root root 755


How can/could I redirect based upon sender.

Is it possible to redirect mail based upon sender.

I need to redirect email from ... at example dot com which would normally be sent
to ... at klam dot com to ... at our_lawyers dot com and/or ... at klam dot com.

I would like to just block them but they may be needed!

John A

DKIM Signing (postfix + amavis-new)

1. This may be off topic.
2. I am currently unable to get at the output of postconf -n etc.

In the past we have had occasional problems with DKIM signing not working.
It would be one or two emails and we would not find out about the problem
immediately. Often the sender would put it down to a transient blip in the
system and not report the problem.

I recently had to come to NZ for family emergency and have been here for
awhile and as a result have suffered the same problem on a much larger

Weak Ciphers

I ran the ssl-tools tests on my mail server.
Everything seems to be OK, *BUT* it reports that I am using a weak
cipher "ECDHE_RSA_WITH_RC4_128_SHA"!

So I sat down and googled - postfix/dovecot/apache - cipher
suites/recommendations less than one year old.
I gave up at about the fifteenth response. Every one of them was
different and gave me lists of ciphers ranging in length from about eight
to almost a full web page.

Would somebody point me in the right direction? I am trying to make my
installation secure, but manageable.


Is OpenDKIM worthwhile?
I use amavis and it says it signs and verifies DKIM, so do I need anything

This may be off topic, but could somebody tell me what I am doing wrong?

We want to send alerts to our admin staff from some of our remote
servers. All the servers are Debian based and supply smtp, imaps, file
sharing (webdav), calendar and address book capabilities.

To send the alerts we have tried email and sms messaging. Email works
but can be slow depending upon the number and quality of hops needed to
get from the server to the admin.

We had thought of simply using a cell phone modem for each server.
However cellular service at some of the locations is unreliable (too far

webdav user login/validation

I run a webdav server with a number of users.
Each user has access to a private space and everybody has access to a
common space.

Users access their space with ...
and the common space with ...

To make life easier for myself and the other admins we created an apache
macro to configure the webdav site, see below.

how to refuse un-encrypted email

Is there any way of testing for and refusing un-encrypted email?
Secondly, would it be possible to do this based upon the recipient?
The default would be encrypted, but email directed at some recipients may be
in plain text.


Retirement - Mine.

I have finally persuaded my family that it would be a good idea to
give up on the family server.
I have two, probably minor, problems
1. informing senders of recipients address change.
2. redirect to recipients new address.
3. how to transfer existing imap folders to new service -
probably gmail.

detecting encryption for outgoing mail

A couple of the servers I support are medical offices, and for patient
confidentiality reasons they need to send email out encrypted.
After a lot of discussion they have come to the conclusion that in order
to avoid accidentally sending confidential data unencrypted, all email
must be encrypted.
What they would like is a filter on outgoing email that checks for
encryption and refuses anything not encrypted. They need to err on the
side of caution.

So far Google has not been my friend.

Does anybody know of a way of enforcing encryption, or detecting
unencrypted email?

Next Dumb question - mynetworks

While looking at the various Postfix configurations that I deal with I
realized that mynetworks is configured identically in all four setups.
In the three installations I support there are no local users, and the
people who belong to those domains all use port submission (587) to
send and imaps (993) to receive email.
The KLaM domain is slightly different in that there are local users; however
they, like the other domains, all use 587/993.
Does mynetworks have to contain anything other than and

user defined parameters in main and master

Are parameters case sensitive, are myDomain and mydomain the same or
I have read the Postfix configuration man page and several other texts,
but I have not found any specific info.
I have four almost identical servers, my family server which I use for
experimentation and three others that I support.

What I would like to do is parametrize anything that is different between
them in order to make maintenance easier.
So, for example, could I do something like this:

myregDomain = klam
myTLD = ca
mydomain = $myregDomain.$myTLD
smtp_tls_cert_file = /..../$myregDomain_mail.pem

DMARC Reports check

So far all the DMARC reports I have received appear to be the result of
somebody posting to a mailing list.
Is it normal for mailing lists to cause DMARC reports?
Is there some way of filtering out these reports, which in my opinion
are false?


Although I do not see any signs of backscatter in my mail logs, is there a
way of testing to ensure that I am not a potential source of backscatter?


I am not sure about implementing DMARC on my servers.
However, is it worth adding a DMARC record to the DNS? What, if
anything, would it buy us?
If we were to add such a record, what would the "best" setup/set of
parameters be?

OT - DNSSEC DANE rollover

I wrote the attached script to help me with key rollover.
I am not sure where to go with this. If anybody is interested, take a
look and make what use of it you will.
Comments and suggestions please.

John A

Postfix + Davical RE-SENT

I am resubmitting this as I am not sure it made it out the door, System

We use davical for our address book.
It occurred to me that anybody who is in the address book should probably
pass the sender access check.
So I created the following postgresql query; however, it does not seem to
work. I am not an SQL expert of any sort, so would somebody mind taking a
look and telling me what I have screwed up.

SELECT CASE WHEN count(DISTINCT email) = 1 THEN 'OK' ELSE 'DUNNO' END
FROM addressbook_address_email WHERE
= '%s';