October 23, 2013 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
October 23, 2013 [00:00:05] <Shinobi> thumbs: I don't know, i have to figure out how this thing was put together.[00:00:13] <thumbs> Shinobi: it's trivial to set up submission instead.[00:00:20] <thumbs> well, for us[00:00:24] <Shinobi> :)[00:00:47] * adaptr hums that eternal Bowie classic, "submission"[00:01:04] <Shinobi> I just want to get some mail in, then I'll decode all the ldap, kerberos, and rework ssl to tls[00:01:26] <thumbs> Shinobi: mail comes in on port 25.[00:01:48] <thumbs> Shinobi: mail is submitted on port 587 using TLS[00:02:12] <thumbs> Shinobi: there's no point in trying to cheat and skip the learning steps.[00:04:32] <pj> TLS is important, but I would actually configure postfix to just accept plaintext inbound mail and send outbound mail plaintext on port 587 from localhost before enabling TLS.[00:04:40] <pj> just to get the very first basics down.[00:04:43] <Shinobi> is TLS used between MTAs?[00:04:55] <pj> Shinobi: if both MTAs support it, yes.[00:04:55] <thumbs> Shinobi: no.[00:05:01] <thumbs> well, it's atypical[00:05:11] <Shinobi> :O[00:05:19] <Shinobi> I was under a gross assumption[00:05:19] <pj> becoming a lot more common, nowadays[00:05:47] <Shinobi> hense Snoden[00:05:53] <pj> but postfix should be configured for opportunistic TLS on port 25, so it will use TLS if available, and fall back to plain text otherwise.[00:07:36] <Shinobi> OK, when I was reading about TLS and SSL I thought (incorrectly) that MTA to MTA transfer would be common practice by now. Ok, that just made things a lot clearer[00:08:11] <pj> well it is common enough, but there is still enough older MTAs that don't support TLS that you will need to be able to fall back to plain text.[00:08:44] <pj> well "fall back" isn't exactly the right word for how it works.[00:08:50] <rob0> Some sites deliberately do not enable TLS for port 25.[00:09:40] <pj> rob0: that's rather interesting, why would a site deliberately not have TLS enabled? Is it just due to all the broken TLS implementations?[00:10:31] <rob0> I suppose there could be lots of reasons; one I might consider is to reduce the CPU load on an inadequate machine.[00:11:48] <rob0> I recall seeing a large receiver once which did not offer STARTTLS, but I can't remember which one it was.[00:14:23] *** sputnik has quit IRC[00:23:45] *** jarif has quit IRC[00:24:50] *** davlefou_ has joined #postfix[00:28:17] *** davlefou__ has quit IRC[00:36:15] *** nathanhi has quit IRC[00:39:19] *** Guest41889 has joined #postfix[00:44:22] *** marai2 has joined #postfix[00:55:00] *** Pegasus_RPG has joined #postfix[00:56:31] *** steven4455 has quit IRC[01:05:40] *** marai2 has quit IRC[01:10:06] *** bodom has joined #postfix[01:11:02] *** tmberg has quit IRC[01:15:48] *** pedahzur has left #postfix[01:17:27] *** bobajett has joined #postfix[01:18:10] *** tmberg has joined #postfix[01:18:41] <bobajett> when I send mail from the cmdline my sending address shows as 'bobajett at my_machine_name dot correct_domain.com' - how can I configure postfix to not send 'my_machine_name' ?[01:21:23] <rob0> !mail[01:21:23] <knoba> rob0: "mail" : mail(1) (also known as mailx(1) or bsd-mailx) is not a Postfix-provided command. For help with it, see its man page. More powerful, commonly available console- and CLI-based MUAs include mutt, alpine and heirloom mailx (likewise, not supported here.)[01:21:38] <rob0> !basic[01:21:38] <knoba> rob0: "basic" : http://www.postfix.org/BASIC_CONFIGURATION_README.html : a good starting place for Postfix beginners, many common questions are answered here.[01:21:46] <rob0> !myorigin[01:21:46] <knoba> rob0: "myorigin" : a configuration parameter in the main.cf: The default domain name that locally-posted mail appears to come from, and that locally posted mail is delivered to. The default $myhostname, which is fine for small sites. If you run a domain with multiple machines, you should (1) change this to $mydomain and (2) set up a domain-wide alias database that aliases each user to user at that dot users.mailhost.[01:22:48] <bobajett> rob0: thanks :-)[01:25:18] *** davlefou__ has joined #postfix[01:28:50] *** davlefou_ has quit IRC[01:29:29] *** freezey has quit IRC[01:29:37] *** bodom has quit IRC[01:30:41] *** donmichelangelo has joined #postfix[01:32:04] *** freezey has joined #postfix[01:34:59] *** bobajett has quit IRC[01:35:16] *** Ahrotahntee has quit IRC[01:41:47] *** MaximusColourum has quit IRC[01:42:29] *** sphenxes has quit IRC[01:47:30] *** sphenxes has joined #postfix[01:51:01] *** on1ald has quit IRC[01:56:33] *** jeff_e47 has joined #postfix[01:57:13] *** freezey has quit IRC[02:00:24] <jeff_e47> I had an account compromised on my Postfix server over the weekend, resulting in about 75K spams being sent out. I had been allowing PLAIN as an auth mechanism, but I turned that off and only permit CRAM-MD5 now.[02:00:46] <jeff_e47> However, I'm running into a compatibility issue. Is it safe to permit PLAIN if I use smtpd_enforce_tls?[02:02:07] *** twb has joined #postfix[02:03:36] *** on1ald has joined #postfix[02:04:46] <jeff_e47> Thinking about the same problem… it is possible to require my users to submit via 587 over the secure channel, and only accept incoming email on 25?[02:11:37] *** on1ald has quit IRC[02:12:03] *** on1ald has joined #postfix[02:18:08] <twb> That's the Right Thing[02:19:30] <lunaphyte> of course. that's the proper way to set up and run an email server[02:19:59] <lunaphyte> using cram-md5 isn't wise either, fwiw.[02:20:21] <lunaphyte> it's long since been superseded by digest-md5, which is itself really not all that great anyway[02:21:02] <lunaphyte> not to mention, it requires storing credentials as plaintext, which is itself a whole other issue. so you really are doing nothing more than trading one crappy problem for another.[02:21:43] <twb> http://valerieaurora.org/hash.html[02:21:44] <jeff_e47> Which requires storing credentials as plaintext? CRAM-MD5? I don't think that's correct...[02:21:52] <lunaphyte> in terms of traditional password credentials, i'd encourage you to store hashed passwords, use only plain, and of course, require encryption before allowing any form of authentication.[02:22:10] <lunaphyte> encryption should be required, period, *regardless* of the sasl mech you use.[02:22:41] <lunaphyte> those are challenge response mechs. the original secret must be known.[02:22:47] <lunaphyte> it's how they work[02:22:56] <twb> Yeah IMO plain-over-TLS is better because then all the hashing is done on the server side and you can adopt a new hash without upgrading everyone's client[02:23:12] <jeff_e47> OK, well… the database doesn't contain any passwords that aren't hashed.[02:23:24] <twb> Also it means a compromised host only has access to stored hashes (hopefully salted), plus any they can sniff in use before they're caught.[02:23:45] <jeff_e47> But, how do I keep users for connecting in on port 25, without TLS, and authenticating that way?[02:25:20] <lunaphyte> smtp auth should *never* be offered on port 25[02:25:29] <lunaphyte> that's only for submission, and submission is 587[02:25:46] *** davlefou_ has joined #postfix[02:26:10] <jeff_e47> OK, so… no smtp_auth on 25, enforce tis on 587, and then PLAIN auth is ok?[02:26:24] <lunaphyte> you can take it one step further and also disallow "local" email addresses from being used as the envelope sender on port 25. that will relegate all of that traffic to the submission port, where it belongs.[02:26:29] <lunaphyte> correct.[02:26:38] *** freezey has joined #postfix[02:26:51] <lunaphyte> smtp auth and encryption should be required for *all* connections on port 587, period.[02:27:05] <lunaphyte> encryption should be offered but not required on port 25.[02:27:25] <jeff_e47> Can I disable smtp_auth with -o smtpd_sasl_auth_enable=no in master.cf for port 25?[02:27:33] <lunaphyte> other way around.[02:27:47] <lunaphyte> disable it in globally in main.cf. then just enable it for submission.[02:27:54] <lunaphyte> that's safer.[02:28:02] <lunaphyte> pedantically speaking.[02:28:09] <jeff_e47> I agree.[02:28:26] <jeff_e47> OK, well I hope all my users are coming in on 587 but I want to make sure it stays that way.[02:29:21] *** davlefou__ has quit IRC[02:30:04] <lunaphyte> you're welcome to share your config if you'd like other feedback.[02:30:18] <lunaphyte> see the getting_help factoid for instructions on providing it if so.[02:31:49] <jeff_e47> !getting_help[02:31:49] <knoba> jeff_e47: "getting_help" : before asking your question, provide a pastebin which includes relevant log data and your config. see !pastebin, !relevant_logs and !showconfig for instructions on doing this.[02:33:08] <jeff_e47> It might be a good idea. I haven't had problems with the server until this weekend, and that was a stolen user password. But I still want to tighten up where possible.[02:36:28] <rob0> One trick you might use:[02:36:33] <rob0> !syslog_name[02:36:34] <knoba> rob0: "syslog_name" : a configuration parameter in the main.cf: The mail system name that is prepended to the process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd".[02:37:21] <rob0> Set -o syslog_name=postfix/submission on submission, so you can clearly see when a non-default smtpd is used.[02:38:00] <jeff_e47> rob0: clever![02:39:58] *** jeff_e47 has quit IRC[02:42:39] *** freezey has quit IRC[02:43:10] *** MaximusColourum has joined #postfix[02:43:42] *** geek_cl has joined #postfix[02:56:56] *** MacWinner has quit IRC[03:22:00] *** spronk has left #postfix[03:24:52] *** jelly has quit IRC[03:25:15] *** jelly has joined #postfix[03:26:16] *** davlefou__ has joined #postfix[03:29:47] *** davlefou_ has quit IRC[04:23:59] *** MaximusColourum_ has joined #postfix[04:24:08] *** MaximusColourum has quit IRC[04:24:08] *** MaximusColourum_ is now known as MaximusColourum[04:26:51] *** davlefou_ has joined #postfix[04:29:02] *** geek_cl has quit IRC[04:30:19] *** davlefou__ has quit IRC[05:15:50] *** jarif has joined #postfix[05:27:10] *** davlefou__ has joined #postfix[05:28:26] *** davlefou_ has quit IRC[05:28:59] *** diabel has quit IRC[05:29:35] *** diabel has joined #postfix[05:40:27] *** Southron has joined #postfix[06:00:32] *** donmichelangelo has quit IRC[06:00:55] *** donmichelangelo has joined #postfix[06:15:50] *** twobithacker has quit IRC[06:26:07] *** jarif has quit IRC[06:27:37] *** davlefou_ has joined #postfix[06:29:39] *** twobithacker has joined #postfix[06:30:51] *** davlefou__ has quit IRC[06:36:37] *** MacWinner has joined #postfix[06:42:50] *** wafflejock_ has joined #postfix[06:48:36] *** olegfusion has joined #postfix[07:28:06] *** davlefou__ has joined #postfix[07:31:43] *** davlefou_ has quit IRC[07:33:28] *** trusktr has joined #postfix[07:40:43] *** chrisp15 has joined #postfix[07:46:10] *** err-or has quit IRC[07:49:12] *** MaximusColourum has quit IRC[07:51:32] *** err-or has joined #postfix[07:53:59] *** vice-versa has joined #postfix[07:56:16] *** gongoputch has quit IRC[08:12:53] *** trusktr has quit IRC[08:24:23] *** jarif has joined #postfix[08:27:48] *** Southron has left #postfix[08:28:38] *** davlefou_ has joined #postfix[08:30:56] *** MaximusColourum has joined #postfix[08:32:09] *** davlefou__ has quit IRC[08:38:01] *** chrisp15 has quit IRC[08:42:54] *** sputnik has joined #postfix[08:45:56] *** chrisp15 has joined #postfix[08:58:36] *** zorg1 has joined #postfix[09:03:43] *** Quadro has joined #postfix[09:07:19] *** MacWinner has quit IRC[09:15:21] *** nbg has joined #postfix[09:21:33] *** wdp has joined #postfix[09:21:34] *** wdp has joined #postfix[09:30:30] *** davlefou__ has joined #postfix[09:32:57] *** davlefou_ has quit IRC[09:33:06] *** MaximusColourum has quit IRC[09:35:04] *** Lidwa has quit IRC[09:39:28] *** Lidwa has joined #postfix[09:42:34] *** sputnik has quit IRC[09:46:20] *** _ruben has quit IRC[09:46:28] *** _ruben has joined #postfix[09:49:55] *** jarif has quit IRC[09:59:33] *** [diablo] has joined #postfix[10:05:53] *** wafflejock_ has quit IRC[10:10:25] *** sputnik has joined #postfix[10:25:37] *** olegfusion has quit IRC[10:29:40] *** davlefou_ has joined #postfix[10:32:31] *** davlefou__ has quit IRC[10:33:43] *** morse has quit IRC[11:01:08] *** twb has quit IRC[11:24:25] *** morse has joined #postfix[11:26:11] *** gongoputch has joined #postfix[11:30:07] *** davlefou__ has joined #postfix[11:32:02] *** UQlev has joined #postfix[11:33:02] *** davlefou_ has quit IRC[11:51:13] *** wild_oscar has joined #postfix[11:52:29] <wild_oscar> hey. a company I work with seems to be having some of my emails filtered by spam. I received this from their sysadmin: "I've been going back and forth with our email provider (Microsoft) ...Their new theory is that it has something to do with the fact that the email use 7bit encoding. The idea is that this is a legacy encoding for emails and it may be playing into the spam detection heuristic to elevate the detection as spam. Do you have any way of ch[11:52:36] <wild_oscar> I have 2 questions:[11:53:12] <wild_oscar> 1) character encoding is something set at the mail client level and not at the mail server level, correct?[11:53:20] <tuxick> MS complaining about standards?[11:53:41] <wild_oscar> 2) is 7bit encoding relevant for spam filtering?[11:54:05] <pj> no, 7 bit encoding is perfectly valid.[11:54:09] <tuxick> it is as soon as criminals trying abusing it :)[11:54:36] <pj> but if a particular recipient seems to have problems with it, then you can re-encode the mail just for that recipient.[11:54:38] *** SMalametal has quit IRC[11:56:05] <wild_oscar> pj: these emails are sent by a java program; I haven't looked at it yet, first I wanted to know who's responsible for encoding (ie., if it's the mail client then I suppose somewhere in the java API there will be an option to set it)[11:57:13] <pj> wild_oscar: postfix converts all 8 bit messages to 7 bit because it is *required by the SMTP protocol*[11:57:43] <pj> !tell wild_oscar overview[11:57:43] <knoba> wild_oscar: "overview" : Postfix Architecture Overview : http://www.postfix.org/OVERVIEW.html[11:58:05] <pj> from here ^^^ "The smtp(8) client looks up a list of mail exchangers for the destination host, sorts the list by preference, and tries each server in turn until it finds a server that responds. It then encapsulates the sender, recipient and message content as required by the SMTP protocol; this includes conversion of 8-bit MIME to 7-bit encoding."[11:58:42] <pj> so anyone that is telling you that 7 bit is legacy is talking out of their @$$ and should be put in their place.[11:58:42] <wild_oscar> oh, I'm reading that[11:59:49] <wild_oscar> pj: the only reference I've seen is the wikipedia article that says 7-bit is the default[12:00:44] <wild_oscar> but according to the postfix overview...this means you can't even change it to 8-bit if you want to, as postfix will convert it back to 7-bit[12:00:57] <pj> yeah[12:01:18] <pj> I'm reading up on RFC 2821 to see what it says[12:02:56] <pj> if the 8BITMIME SMTP extension is supported and used by both the client and server then the data may be encoded in 8 bit, but the headers always have to be 7 bit.[12:03:10] <pj> s/data/body/[12:04:21] <wild_oscar> is that in http://www.ietf.org/rfc/rfc2821.txt ?[12:04:44] <pj> yeah[12:04:56] <pj> it refers to 7 bit encoding as US ASCII[12:05:07] *** quadro_ has joined #postfix[12:05:47] <wild_oscar> can't find the text there[12:05:59] <pj> the basic gist is that if a bunch of conditions are met then 8 bit is fine in some places.[12:06:12] <pj> but you should always be able to use 7 bit everywhere and have to use it in certain places.[12:06:46] *** SMalametal has joined #postfix[12:06:49] <pj> and so just converting everything to 7 bit is a perfectly reasonable measure to ensure that pretty much every server can deal with the content.[12:07:08] <pj> to say that this is indicative of SPAM is just utterly stupid, imo.[12:09:04] <wild_oscar> I have already set the SPF record up to prevent this spam filtering, but apparently it didn't work[12:10:51] <pj> well, if you're concerned about 7 bit vs 8 bit you should probably post to the mailing list and Weitse will likely jump in and answer you.[12:11:47] <tuxick> i learned that hotmail is a pain anyway[12:12:07] <tuxick> people clicking on IS SPAM button for totally legitimate mails they can simply unsubscribe for[12:12:12] <tuxick> leading to blacklisting[12:12:25] <pj> yes, very much so[12:12:28] <tuxick> too bloody stupid to understand the difference[12:12:48] <tuxick> "click on button and magicmonkeys will sort it all out"[12:12:49] <pj> wild_oscar: is it possible that he was referring to the use of 8bitmime content without the appropriate 8bitmime header?[12:12:52] <wild_oscar> tuxick: no idea if they use the hotmail infrastructure (they don't have hotmail accounts)[12:13:53] <tuxick> then what's the microsoft bit about?[12:13:57] <wild_oscar> pj: I don't know, that's all he said - and ask if we could change the encoding of the automated mails to 8bit[12:14:14] <wild_oscar> in the source of said emails I see:[12:14:16] <wild_oscar> MIME-Version: 1.0[12:14:16] <wild_oscar> Content-Type: text/plain; charset=us-ascii[12:14:16] <wild_oscar> Content-Transfer-Encoding: 7bit[12:14:48] <wild_oscar> tuxick: apparently MS is their email provider (but of emails with domain @company.com)[12:14:59] <pj> right tell him no, and quote that bit from the postfix docs as to why not.[12:15:17] <wild_oscar> no clue how they hired them, but google offers a similar service for companies[12:15:28] <pj> or post to the ml and ask for help.[12:15:41] <pj> but I don't think that postfix has any setting to turn that feature off.[12:15:44] <pj> I could be wrong.[12:16:11] <pj> oh, I am wrong[12:16:24] <pj> !disable_mime_output_conversion[12:16:24] <knoba> pj: "disable_mime_output_conversion" : a configuration parameter in the main.cf: Disable the conversion of 8BITMIME format to 7BIT format. Mime output conversion is needed when the destination does not advertise 8BITMIME support.[12:16:59] <pj> I would just use that setting for microsoft servers.[12:17:18] <tuxick> but that means the ms sewers are broken[12:17:24] <wild_oscar> how do you limit that though?[12:17:29] * tuxick giggles[12:18:18] <pj> you need to create a transport in master.cf with that setting, and direct microsoft-destined mail to that transport.[12:18:29] <wild_oscar> and tbh, having to change the encoding in the java program *AND* having to change my mail server just because MS spam filter is working improperly...[12:18:43] <wild_oscar> is something that kinda annoys me[12:19:01] <pj> wild_oscar: well, you could just say no to your boss, but anyways, that's what you have to do to get 8 bit encoding out.[12:19:17] <wild_oscar> pj: I am my boss ;)[12:19:57] <pj> the client, then[12:20:51] <wild_oscar> pj: where did you get the text from " if the 8BITMIME SMTP extension is supported and used by both the client and server then the data may be encoded in 8 bit, but the headers always have to be 7 bit." ?[12:23:51] <wild_oscar> in http://www.ietf.org/rfc/rfc2821.txt I read " More specifically, the unextended SMTP service provides seven bit transport only. An originating SMTP client which has not successfully negotiated an appropriate extension with a particular server MUST NOT transmit messages with information in the high-order bit of octets. If such messages are transmitted in violation of this rule, receiving SMTP servers MAY clear the high-order bit or r[12:24:20] <rob0> 2821 was superceded by 5321[12:24:34] <wild_oscar> trying to interpret this - is this essentially saying that if you set your server to transmit 8bit, if you contact a server without that extension the message may be rejected?[12:25:54] <UQlev> wild_oscar: all characters will be replaced with "?"[12:26:22] <UQlev> wild_oscar: message will be unreadable[12:26:29] <wild_oscar> I see[12:27:10] <UQlev> wild_oscar: use MIME BASE64 in your MUA it is safer[12:28:28] <wild_oscar> UQlev: yeah, contents of the mail aren't a problem. setting that won't change the encoding to 8bits, which is what the client asked if it was possible[12:30:19] *** MaximusColourum has joined #postfix[12:31:17] *** davlefou_ has joined #postfix[12:31:19] *** UQlev has quit IRC[12:32:26] <wild_oscar> rob0: thanks for that info[12:34:07] *** davlefou__ has quit IRC[12:34:17] <wild_oscar> what I don't see - even in http://tools.ietf.org/html/rfc5321 - is any indication of what the default encoding should be[12:34:37] <wild_oscar> (which would help, to tell the Microsoft guys off. "they are wrong - standard says X")[12:35:06] <tuxick> haha right[12:35:19] <tuxick> MS got big by setting their own standards[12:35:25] <tuxick> and blaming others if things fail[12:36:48] *** MaximusColourum has quit IRC[12:40:00] *** hparker has quit IRC[12:41:51] *** whoami has quit IRC[12:45:54] *** whoami has joined #postfix[12:45:59] *** whoami has joined #postfix[12:47:58] *** hparker has joined #postfix[12:55:53] *** olegfusion has joined #postfix[13:07:15] <tuxick> i frequently have to create exceptions for misconfigured exchanges too[13:07:43] *** donmichelangelo has quit IRC[13:08:16] <pj> wild_oscar: http://www.ietf.org/rfc/rfc5321.txt page 11 2nd paragraph.[13:08:38] *** donmichelangelo has joined #postfix[13:09:14] <pj> The content is textual in nature, expressed using the US-ASCII repertoire [6]. Although SMTP extensions (such as "8BITMIME", RFC 1652 [22]) may relax this restriction for the content body, the content header fields are always encoded using the US-ASCII repertoire.[13:09:15] <wild_oscar> pj: "The content is textual in nature, expressed using the US-ASCII repertoire " ?[13:09:29] <wild_oscar> US-ASCII = 7-bit?[13:09:32] <pj> yep[13:09:51] <pj> it refers to footnote [6][13:10:56] <wild_oscar> that's excellent :)[13:11:06] <pj> [6] American National Standards Institute (formerly United States of America Standards Institute), "USA Code for Information Interchange", ANSI X3.4-1968, 1968. ANSI X3.4-1968 has been replaced by newer versions with slight modifications, but the 1968 version remains definitive for the Internet.[13:11:36] <pj> you can look up ANSI X3.4-1968 and see that it is a 7 bit encoding[13:11:49] <pj> or it won't have any characters encoded beyond 127[13:13:56] <pj> that is RFC20, btw[13:14:20] <pj> http://tools.ietf.org/html/rfc20[13:31:02] *** davlefou__ has joined #postfix[13:34:09] *** davlefou_ has quit IRC[13:35:07] <wild_oscar> that's helpful :)[13:36:00] <wild_oscar> pj: would you agree with this:[13:36:09] <wild_oscar> In my opinion, blaming the (default) 7bit MIME content transfer encoding for a high spam level is far fetched. If I was the mail administrator/provider, I would first check the spam algorithm to see what is upping the spam level (the overall level is a sum of various tests, like "is the sender valid?", "what words appear?","is it being mass sent?", etc ).[13:36:17] <wild_oscar> etc= http://spamassassin.apache.org/tests_3_3_x.html[13:39:01] <wild_oscar> hmm...actually, there's a test there: body includs 8 consecutive 8-bit characters BODY_8BITS[13:42:07] <pj> yeah, that doesn't have much of anything to do with what you mentioned before.[13:43:41] <pj> anyways, the fact that postfix converts everything to 7 bit by default should go a long ways towards putting that crap to bed. They would have to SPAM-bin quite a bit of legitimate mail and it's hardly any kind of spam indicator at all.[13:54:36] *** robinho86 has joined #postfix[13:55:25] *** olegfusion has quit IRC[13:55:42] *** olegfusion has joined #postfix[13:56:57] *** robinho86 has quit IRC[13:57:38] *** robinho86 has joined #postfix[13:59:19] *** Section1 has joined #postfix[14:05:37] *** muh2000 has quit IRC[14:09:38] *** olegfusion has quit IRC[14:09:54] *** olegfusion has joined #postfix[14:11:16] *** muh2000 has joined #postfix[14:22:03] <survietamine> pj, wild_oscar : damnit, during years I thought that octet is the french translation for byte, by reading rfc2821 it seems that it's a plenty valid english word. Now I remember I've seen application/octet-stream in some MIME[14:29:46] <patdk-wk> octo = 8[14:29:58] <patdk-wk> octet is an base 8 number[14:30:41] <patdk-wk> or maybe in that sense, an 8bit[14:30:55] * patdk-wk is stuck thinking of permissions[14:31:47] *** davlefou_ has joined #postfix[14:34:14] *** davlefou__ has quit IRC[14:34:55] <survietamine> patdk-wk: yeah, but I thought that only french people used octet and english it is byte like in kb (kilo-bit) vs kB (kilo-byte). I was wondering if octet and byte are synonyms in english[14:35:15] *** MaximusColourum has joined #postfix[14:35:26] * patdk-wk blames spiderman comics[14:35:47] <patdk-wk> octagon[14:38:03] *** MaximusColourum_ has joined #postfix[14:39:29] *** zok has joined #postfix[14:39:35] *** KaiForce has joined #postfix[14:40:26] *** MaximusColourum has quit IRC[14:40:26] *** MaximusColourum_ is now known as MaximusColourum[14:43:39] *** tuxick has quit IRC[14:46:16] <trurl> survietamine: octet = 8 bit, byte = almost always 8 bit, but _depending on the plattform_ it could be 6 or 7 or whatever[14:46:41] <lunaphyte_> octet is eight of anything. not just bits.[14:47:08] <survietamine> lunaphyte_: so a byte is an octet of 8-bit[14:47:11] <survietamine> ?[14:47:12] *** muh2000 has quit IRC[14:47:28] *** muh2000 has joined #postfix[14:47:46] <survietamine> lunaphyte_: and octopus has an octet of tentacles ?[14:48:14] <trurl> lunaphyte_: well. thank you for clearing that up, considering the context i was thinking 8 bananas.[14:49:06] <patdk-wk> a byte can be 8bits, but doesn't have to be[14:49:19] <patdk-wk> personally I like to take large bytes[14:50:49] <survietamine> patdk-wk: ok, thanks I thought that it is always composed of 8 bits[14:54:01] <survietamine> trurl: yeah, thanks to him because I'm to dumb to understand without analogies/examples like this :)[14:55:20] *** Pegasus_RPG has quit IRC[14:56:07] <trurl> survietamine: https://en.wikipedia.org/wiki/Setun - this one's using tits and tytes. 8 tits per tyte? i don't know... (pun intented)[14:56:35] *** Pegasus_RPG has joined #postfix[14:57:02] <survietamine> trurl: thanks a lot, I've never heard about this setun ![14:57:52] *** olegfusion has quit IRC[14:58:20] <lunaphyte_> trurl: why on earth would you think i was concerned with what you were thinking?[15:02:36] *** tuxick has joined #postfix[15:04:36] *** SMalametal has quit IRC[15:05:59] *** Pegasus_RPG has left #postfix[15:24:35] <survietamine> lunaphyte_: I am very concerned with that you here are thinking (for learning purposes) :)[15:25:33] *** bisoc has quit IRC[15:32:04] *** davlefou__ has joined #postfix[15:33:15] *** bisoc has joined #postfix[15:35:02] *** davlefou_ has quit IRC[15:37:34] <zok> Every time I send email, it sends it from @localhost.zoklet.net instead of just @zoklet.net[15:37:46] <zok> Is this something I screwed up in my postfix settings?[15:39:22] *** erob has joined #postfix[15:41:51] <Zerberus> zok: `hostname' will spit this out; $myhostname and $myorigin have the same content[15:43:14] <zok> hostname spits out: server.zoklet.net[15:44:17] <Zerberus> zok: your /etc/hosts may have wrong content[15:45:51] <zok> Hmmm[15:46:36] <Shinobi> I have a box where incoming mail is not recieved and no bounce/error emails are sent back to the sender (gmail/yahoo). Outgoing mail is not received and no message is given to the sender.[15:46:40] <survietamine> in my opinion, you decide if myorigin = $myhostname or myorigin = $mydomain[15:46:43] <Shinobi> How do I troubleshoot this.[15:47:03] <survietamine> or whatever[15:47:15] *** SMalametal has joined #postfix[15:55:51] <Zerberus> Shinobi: check DNS and firewall, firewalling policy of your provider for incoming mail[15:56:43] <Shinobi> Zerberus: Good point I'm testing this at home, which means Comcast.[15:56:52] <lunaphyte_> logs[15:56:59] <lunaphyte_> what do the logs say...?[15:57:46] *** jarif has joined #postfix[16:00:10] *** donmichelangelo has quit IRC[16:00:50] *** donmichelangelo has joined #postfix[16:05:00] *** olegfusion has joined #postfix[16:32:34] *** davlefou_ has joined #postfix[16:33:38] *** davlefou__ has quit IRC[16:34:42] *** freezey has joined #postfix[16:37:19] *** chrisp15 has quit IRC[16:57:33] *** Uranio has joined #postfix[17:00:02] *** [diablo] has quit IRC[17:03:24] *** Uranio has quit IRC[17:03:52] *** erob has quit IRC[17:05:50] *** jeff_e47 has joined #postfix[17:07:16] <jeff_e47> Hello. I talked to some nice folks last night about disabling SMTP-Auth on port 25, and allowing it only with TLS on port 587. However, it doesn't seem to be working the way I expected.[17:07:49] <jeff_e47> I added smtpd_sasl_auth_enable = no to main.cf, and enabled it specifically for 587 only. However, I was still able to send email via 25. What am I missing?[17:10:21] <jeff_e47> What I want is to require all my users to send email on 587, authorizing under TLS only. And have only incoming mail come through 25, never a submission from one of my users.[17:10:32] <lunaphyte_> prepare a pastebin with the info as per that getting_help factoid[17:10:45] <jeff_e47> Will do.[17:10:57] <lunaphyte_> oh, and don't you dare call me "nice"[17:10:59] <lunaphyte_> :p[17:11:52] <survietamine> :)[17:12:09] <jeff_e47> !getting_help[17:12:09] <knoba> jeff_e47: "getting_help" : before asking your question, provide a pastebin which includes relevant log data and your config. see !pastebin, !relevant_logs and !showconfig for instructions on doing this.[17:13:33] <jeff_e47> Here's postconf -n: http://pastebin.com/Dqf6bqts It's confusing, at least to me. This is a small server that I started working on quite some time ago, as I was learning. It's possible (likely!) there are things there that should not be![17:14:17] <jeff_e47> master.cf: http://pastebin.com/zcRiDuLY[17:14:47] <lunaphyte_> um, please follow the instructions[17:15:11] <jeff_e47> !pastbin[17:15:11] <knoba> jeff_e47: Error: "pastbin" is not a valid command.[17:15:18] <jeff_e47> !pastebin[17:15:18] <knoba> jeff_e47: "pastebin" : (#1) see !paste, or (#2) a pastebin site lets you easily share logs and configuration. Examples are dpaste.org, fpaste.org, or pastebin.ca. Please avoid ad-supported sites such as pastebin.com if possible.[17:15:39] <jeff_e47> !showconfig[17:15:39] <knoba> jeff_e47: "showconfig" : when asked to provide your config, pastebin postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[17:16:46] <rob0> You probably either used sendmail, or submitted from within mynetworks.[17:17:12] <rob0> In the first case, all you can do is disable sendmail for specific users:[17:17:21] <rob0> !authorized_submit_users[17:17:21] <knoba> rob0: "authorized_submit_users" : List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).[17:17:35] *** Tabmow has quit IRC[17:18:17] <rob0> For the latter case, remove all permit_* restrictions from the global smtpd_recipient_restrictions (or smtpd_relay_restrictions in 2.10+).[17:18:20] <jeff_e47> postconf -nf: https://dpaste.de/iTiy postconf -Mf: https://dpaste.de/fzRE better? :)[17:18:57] <lunaphyte_> yes, thank you.[17:18:58] *** Tabmow has joined #postfix[17:19:10] <rob0> Submission should have its own set of restrictions, basically "permit_sasl_authenticated,reject".[17:21:00] <rob0> Which one of those had logs? Why multiple pastebins?[17:21:46] <jeff_e47> Oh, sorry - thought it would be clearer to have one file per bin.[17:22:37] <jeff_e47> Do you want me to try sending via 25 and show that log? The log right now is not going to be informative, just shows a bunch of rejected spam.[17:23:04] <survietamine> just the part that shows that your message is accepted without sasl[17:23:07] <lunaphyte_> a log snippit that demonstrates whatever "it doesn't seem to be working the way I expected" is[17:23:09] <rob0> Did you read my two guesses above?[17:23:57] *** Guest41889 has quit IRC[17:23:57] *** Guest41889 has joined #postfix[17:24:07] *** Guest41889 is now known as nathanhi[17:24:11] *** wild_oscar has left #postfix[17:24:49] <jeff_e47> rob0: yes. To the best of my knowledge that isn't the case. But my knowledge is incomplete, or I wouldn't be here! :) Let me run a test and get a log sample.[17:25:20] <rob0> How did you test?[17:27:09] <rob0> yikes, that is a crazy long postconf[17:28:38] <jeff_e47> I set my email client to submit on 25, without TLS. The mail is accepted and delivered. I was hoping it would not be accepted. https://dpaste.de/6bb8[17:28:48] <lunaphyte_> reminds me of !duplicates :)[17:29:16] <rob0> reminds me of !tutorial[17:29:19] <jeff_e47> I am sure it needs cleaning up. I'm kind of stuck... afraid to break things![17:29:31] <lunaphyte_> jeff_e47: one other request - please share the raw urls in the future[17:30:08] <lunaphyte_> ah, so this goes back to the other comment i made during your initial inquiry yesterday[17:30:34] <lunaphyte_> [02:26:24] <lunaphyte> you can take it one step further and also disallow "local" email addresses from being used as the envelope sender on port 25. that will relegate all of that traffic to the submission port, where it belongs.[17:30:42] <jeff_e47> Not sure I understand... raw urls?[17:30:53] <lunaphyte_> for example, https://dpaste.de/6bb8/raw/[17:31:03] <jeff_e47> Oh, ok I get it.[17:31:05] <lunaphyte_> it's easier to read and less other crap to load[17:31:22] <jeff_e47> OK, so how to I disallow local email addresses on 25?[17:31:39] <lunaphyte_> the reason that message was accepted was because it was addressed to a recipent that postfix is supposed to accept mail for.[17:31:57] <lunaphyte_> you use check_sender_access in your smtp_recipient_restrictions[17:32:35] <jeff_e47> then have a table of local emails w/ reject?[17:32:44] <lunaphyte_> table of domains, but yes.[17:32:57] *** davlefou__ has joined #postfix[17:32:59] <jeff_e47> OK, I think I understand that.[17:33:11] <lunaphyte_> so then if someone tries to use your domains as their from address, they'll be denied.[17:33:35] <jeff_e47> And just apply that restriction to port 25.[17:33:40] <lunaphyte_> right.[17:33:58] <lunaphyte_> the one caveat to be aware of is that there is a small possibility that this could break some "legit" mail.[17:34:33] <jeff_e47> Can you think of an example?[17:35:02] <lunaphyte_> automated systems can sometimes be known to do things like using the recipient's address as the sender.[17:35:25] <lunaphyte_> it's lame, and brain dead, but it does sometimes happen.[17:35:38] <jeff_e47> Ah, yes... I've seen that sometimes like when someone shares a webpage or article, for example. I hate that.[17:35:44] <lunaphyte_> right.[17:36:15] *** davlefou_ has quit IRC[17:36:16] <lunaphyte_> i consider it to be rare enough and the content meaningless enough that it's really not much of a genuinely practical consideration. just soemthing to be aware of.[17:36:22] <lunaphyte_> *something[17:36:38] <jeff_e47> Well, it's not a perfect solution. It's pretty rare to find those anyway![17:37:18] <lunaphyte_> if only perfection were my only flaw...[17:37:33] <jeff_e47> So... as for the rat's nest that is my main.cf... any suggestions for cleaning it up? Start from the stock one... or?[17:37:49] <lunaphyte_> no, you don't need to do that, necesarily.[17:37:57] <lunaphyte_> start with the !duplicates factoid[17:38:07] <jeff_e47> !duplicates[17:38:07] <knoba> jeff_e47: "duplicates" : the following can be used to list redundant settings defined in main.cf: (postconf -d; postconf -n) | sort | uniq -d - also see !compare[17:38:30] <lunaphyte_> once you've cleared that hurdle, do a new config pastebin and we can offer further critiques.[17:39:35] <jeff_e47> OK, that'd would be great.[17:41:43] <jeff_e47> I only get one line when I run (postconf -d; postconf -n) | sort | uniq -d: config_directory = /etc/postfix. Does that mean there are no duplicates?[17:42:57] *** KaiForce has quit IRC[17:43:46] <lunaphyte_> oh, interesting.[17:44:01] <lunaphyte_> yeah, that means everything in your config is actually there for a "reason"[17:44:05] <lunaphyte_> fsvo reason :)[17:44:23] <lunaphyte_> i'll look closer[17:44:44] <jeff_e47> yeah, our appendix could be said to be there for a reason too...[17:44:49] *** steven4455 has joined #postfix[17:46:07] <lunaphyte_> is there some other piece of software that is being used in conjunction with postfix? some other sort of "management" software?[17:46:41] <jeff_e47> You mean to help configure it? If so, no. I edit master & main by hand.[17:47:01] <lunaphyte_> actually, something doesn't quite add up[17:47:27] <lunaphyte_> compare postconf -d sendmail_path and postconf sendmail_path[17:47:30] <lunaphyte_> do they differ?[17:48:02] <jeff_e47> No, both are /usr/sbin/sendmail[17:48:13] <lunaphyte_> then that command didn't do as was intended.[17:48:43] <lunaphyte_> what os/version, and what is postconf mail_version?[17:49:26] <jeff_e47> Debian 7.2, mail_version = 2.9.6.[17:50:41] <lunaphyte_> i've got to run for a bit. be back in a little while[17:51:24] <survietamine> jeff_e47: your smtpd_recipient_restrictions ends with permit[17:51:41] <jeff_e47> Oh hmm... postconf -n gives only config_directory = /etc/postfix as its output. That doesn't seem right.[17:51:44] <survietamine> so if all checks don't succeed, it will be allowed ?[17:51:58] <survietamine> or as rob0 said maybe you tried from mynetworks[17:52:30] <survietamine> jeff_e47: but iirc, your logs showed that your submitted the message to your own domain[17:52:45] <survietamine> the domain your postfix accepts messages for[17:52:51] <survietamine> so what's wrong with that ?[17:52:57] <survietamine> I don't get it[17:53:07] <survietamine> (and I'm newbie too)[17:54:41] <jeff_e47> survietamine: yes, it was a local email. Maybe that's the wrinkle. I want all email submitted by users (whether destined for a local delivery or remote) to come through port 587, so I can enforce TLS and protect passwords. I would like only mail coming from a remote server destined for my domains to be accepted via 25.[17:56:06] <rob0> and that has been answered also[17:56:45] <rob0> [typo fixed] 15:31 < lunaphyte_> you use check_sender_access in your smtpd_recipient_restrictions[17:57:21] <rob0> reject anything where the sender is in your domains[17:57:56] <jeff_e47> rob0: I was trying to explain for survietamine, not re-ask the question.[17:59:01] <rob0> ah, sorry[17:59:17] <rob0> the "Maybe" implied uncertainty[17:59:48] <jeff_e47> lunaphyte_: yes, I see the problem. somewhere I messed up something: main.cf is suddenly empty. That's one way to clean things up![18:01:16] <jeff_e47> rob0: no worries, just didn't want it so seem like i was not paying attention to the help offered![18:06:05] <jeff_e47> Would smtpd_tls_auth_only=yes require the behavior I'm after? Only accept AUTH after encryption?[18:06:06] <survietamine> jeff_e47: that depends what you consider "users", is a script (shell, php...) on your own postfix server (localhost) a user ? I should be but if it is in mynetworks, it will be accepted. But rob0 has wrote about authorized_submit_users[18:06:37] <survietamine> s/I / It/[18:07:44] <survietamine> damn, wrong pattern and replacement string :/[18:08:13] <survietamine> anyway, rob0 and lunaphyte_ helped you a lot, you are a lucky guy :)[18:11:02] *** mentes has joined #postfix[18:14:24] <mentes> hello[18:14:38] <rob0> smtpd_tls_auth_only=yes only *offers* AUTH after STARTTLS[18:15:12] <rob0> I thought you said you didn't want to offer AUTH on 25 at all, only on submission?[18:16:57] <jeff_e47> I only want users to send passwords in a secure way. No PLAIN over unencrypted channel, for example.[18:17:11] <mentes> I would like know all sent mail addresses from an account. How I can do that? Do you know a script for parse mail.log to get that?[18:17:40] <jeff_e47> If they use TLS on 25, then I'm fine if they use AUTH there. But *only* if they use TLS.[18:18:14] <rob0> your goal is shifting[18:18:15] <jeff_e47> I probably should have started with that goal in clearer language![18:21:49] *** mentes has quit IRC[18:22:15] <jeff_e47> rob0: you wrote *offers* like there's a caveat there. Does that mean it will still accept it, if the client tries, even though it didn't advertise it?[18:22:42] *** mentes has joined #postfix[18:26:05] <rob0> that's not how ESMTP extensions work. If an extension is not offered, it's not accepted.[18:26:33] <rob0> For one thing, a client could not even know what AUTH mechanisms are supported.[18:26:48] <jeff_e47> OK, well that sounds like it might be exactly what I need.[18:30:20] *** donmichelangelo has quit IRC[18:30:49] *** donmichelangelo has joined #postfix[18:33:28] *** davlefou_ has joined #postfix[18:37:08] *** davlefou__ has quit IRC[18:50:40] <jeff_e47> rob0 and lunaphyte_: thanks very much for the help, I think this work the way I wanted. I'll work on cleaning up main.cf later.[18:55:00] *** zorg1 has quit IRC[18:56:14] *** jeff_e47 has quit IRC[18:56:22] *** zerick has joined #postfix[19:02:30] *** robinho86 has left #postfix[19:04:34] <mentes> !getting_help[19:04:34] <knoba> mentes: "getting_help" : before asking your question, provide a pastebin which includes relevant log data and your config. see !pastebin, !relevant_logs and !showconfig for instructions on doing this.[19:15:14] *** olegfusion has quit IRC[19:15:23] *** olegfusion has joined #postfix[19:16:30] *** Southron has joined #postfix[19:24:53] *** olegfusion has quit IRC[19:30:52] *** Aprogas has quit IRC[19:35:31] *** davlefou__ has joined #postfix[19:37:14] *** Aprogas has joined #postfix[19:37:26] *** davlefou_ has quit IRC[19:40:04] *** mentes has quit IRC[19:45:24] *** Cromulent has joined #postfix[19:57:49] *** Tabmow has quit IRC[20:00:42] *** Tabmow has joined #postfix[20:08:36] *** robinho86 has joined #postfix[20:10:26] *** hallamigo has joined #postfix[20:13:00] *** hallamigo has quit IRC[20:13:26] *** hallamigo has joined #postfix[20:14:07] *** hallamigo has joined #postfix[20:18:20] *** Cromulent has quit IRC[20:22:45] *** davlefou__ has quit IRC[20:24:07] *** TheJH has left #postfix[20:41:57] *** Section1 has quit IRC[20:46:20] *** Phoenixz has joined #postfix[20:53:19] *** Section1 has joined #postfix[20:55:29] *** olegfusion has joined #postfix[20:59:40] *** davlefou has joined #postfix[21:14:17] *** master_o1_master has joined #postfix[21:17:31] *** master_of_master has quit IRC[21:22:55] *** Section1 has quit IRC[21:28:10] *** davlefou_ has joined #postfix[21:29:19] *** thelamest has quit IRC[21:30:36] *** davlefou has quit IRC[21:44:16] *** pav5088_ has joined #postfix[21:47:21] *** pav5088 has quit IRC[21:51:26] *** amospalla has quit IRC[21:58:54] *** amospalla has joined #postfix[22:04:55] *** thelamest has joined #postfix[22:05:03] *** mroe has joined #postfix[22:13:20] *** Bronze has joined #postfix[22:13:46] *** Bronze has quit IRC[22:14:03] *** Bronze has joined #postfix[22:16:50] *** mroe has quit IRC[22:17:28] *** mroe has joined #postfix[22:22:06] *** mroe has quit IRC[22:25:33] *** olegfusion has quit IRC[22:31:25] *** davlefou_ has quit IRC[22:35:28] *** UQlev has joined #postfix[22:44:38] *** davlefou_ has joined #postfix[22:54:21] *** wdp has quit IRC[22:58:28] *** Cromulent has joined #postfix[23:05:49] *** sharky_ has joined #postfix[23:05:49] *** Southron has left #postfix[23:10:03] *** sharky has quit IRC[23:17:07] *** kithpom has joined #postfix[23:18:58] <kithpom> any one familiar with an issue of postfix automatically adding your domain on the from address of an incoming email to addresses that should be from another domain?[23:19:32] <Zerberus> !tell kithpom getting_help[23:19:33] <knoba> kithpom: "getting_help" : before asking your question, provide a pastebin which includes relevant log data and your config. see !pastebin, !relevant_logs and !showconfig for instructions on doing this.[23:21:40] <adaptr> kithpom: yes. the answer is that postfix does not come with magic mind-reading software that knows what domain you intended to use instead.[23:21:58] <kithpom> Zerberus: here I am home sick hoping for an easy answer and you want me to work at it. Might have to wait for another day...[23:22:20] *** robinho86 has left #postfix[23:22:51] <kithpom> adaptr: so you are suggesting that normal behavior for an incoming email without address with domain filled out might have postfix fill in with the local domain?[23:22:54] <rob0> No, there are few easy answers here. It's not a matter of what we want, but it is the way it is.[23:23:16] <adaptr> kithpom: I thought I was saying what I said.[23:23:42] <rob0> There are settings which control that. Maybe you want to reject_non_fqdn_recipient ?[23:24:17] <adaptr> that will only reject in combination with append_at_myorigin = no[23:25:07] <rob0> no, that happens in smtpd, before trivial-rewrite gets its grubby hands on it[23:25:11] <kithpom> adaptr: My head is full of crap. Just trying to confirm.[23:25:16] <adaptr> rob0: sorry, nope.[23:27:04] <adaptr> wait - are you talking about smtp or sendmail ?[23:27:21] <kithpom> adaptr: that to me?[23:27:24] <adaptr> in sendmail's case, this is done BY sendmail. you'd be correct abourt smtp.[23:27:35] <adaptr> kithpom: does it make sense to you ?[23:28:08] <kithpom> everything is a little cloudy right now.[23:28:20] <adaptr> meatballs[23:28:58] *** davlefou__ has joined #postfix[23:29:00] <kithpom> I liked how the monkey kept on going after the mustache but otherwise that movie just really isn't for adults...[23:30:12] <rob0> I figured the only way the addresses "should be from another domain" was if they came from outside, thus I guessed smtpd.[23:30:20] *** donmichelangelo has quit IRC[23:30:52] *** donmichelangelo has joined #postfix[23:31:43] <kithpom> yeah in this case it is an auto reply email that appears to come from several local users when it is an outside address that gets divided at periods between names.[23:32:01] <adaptr> rob0: I suspect that mydestination holds multiple domains, and he somehow expects postfix to magically figure out which one to append to the username[23:32:34] *** davlefou_ has quit IRC[23:32:52] <rob0> I think it is a broken autoresponder which didn't give a proper MAIL FROM command.[23:33:00] <adaptr> you cheated.[23:33:20] <adaptr> you actually listened to him[23:34:00] <rob0> But that's okay, because I don't think he's listening to me.[23:34:33] <kithpom> rob0: I'm here, I'm listening.[23:34:34] <adaptr> oh no, I am emulating his write-only mode[23:35:47] *** Cromulent has quit IRC[23:36:07] <rob0> I suggested reject_non_fqdn_recipient, but on further development of the [still incomplete] story, maybe you really want reject_non_fqdn_sender.[23:36:56] <rob0> oh, I guess you did originally say "from address".[23:40:08] <kithpom> rob0: thank you for the suggestion. I'm not sure if we want to reject this email. It does confuse recipients though when it appears to be internal.[23:40:55] <adaptr> !tell kithpom canonical[23:40:55] <knoba> kithpom: "canonical" : canonical(5) table specifies an address mapping that applies when mail is received. This is the opposite of generic(5) mapping, which applies when mail is delivered. See http://www.postfix.org/generic.5.html and !rewrite[23:41:06] <adaptr> you should probably read that, then.[23:47:10] <kithpom> rob0: If I want the email, perhaps I want to use remote_header_rewrite_domain to fill in something appropriate to avoid confusion?[23:48:44] <adaptr> this mail is not submitted via smtp. it will have no effect. read what I said above.[23:50:21] <rob0> remote_header_rewrite_domain, yes, that's it[23:50:35] *** freezey has quit IRC[23:52:32] <kithpom> awesome. adaptr, rob0: thank you very much for your help[23:53:39] <rob0> and I guess it's not a broken MAIL FROM, just a broken From: header[23:53:49] <adaptr> oh, it is smtp. so why was it even relevant what created these messages[23:53:58] *** mocx has joined #postfix[23:54:03] <mocx> quick question[23:54:24] <adaptr> not really[23:54:49] <mocx> postfix requires a FQDN as the hostname or just a PTR record pointing to the server[23:54:59] <adaptr> as the hostname for what ?[23:55:09] <rob0> adaptr, cleanup(8) fixes broken headers[23:55:11] <adaptr> also, that ? thingy at the end isn't really optional[23:55:40] <rob0> !fcrdns[23:55:41] <knoba> rob0: "fcrdns" : http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS : your IP address should resolve to $myhostname, which in turn should resolve back to your IP. This is very important if you want big sites to accept your mail. If you can't have it from your ISP, see !relayhost[23:55:56] <adaptr> mocx: if you make a grand entrance with "I am Ze goink to ask Ze kvestion!", don't state something that clearly isn't a question.[23:56:24] <rob0> and it's not what "postfix requires," it's what email requires[23:57:07] <adaptr> postfix doesn't care what your hostname is. you could try "1" for laffs