February 12, 2017 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | >
February 12, 2017 [00:05:16] *** necrogami <necrogami!~necrogami@unaffiliated/necrogami> has quit IRC (Disconnected by services)[00:05:29] *** necrogami <necrogami!~necrogami@unaffiliated/necrogami> has joined #postfix[00:05:33] *** necrogami <necrogami!~necrogami@unaffiliated/necrogami> has quit IRC (Disconnected by services)[00:05:59] *** necrogami_ <necrogami_!~necrogami@mars.c4.io> has joined #postfix[00:07:35] *** Diemuzi <Diemuzi!~IceChat9@unaffiliated/diemuzi> has joined #postfix[00:14:16] <ThiefMaster> so if i have foo at example dot com that is both a mailbox and an alias (e.g. because i want delivery to a mailbox and some other address) i noticed that I need to add a foo at example dot com -> foo at example dot com entry in my aliases map too, but i don't need that when there are no aliases but just a mailbox[00:14:30] <ThiefMaster> is there any way to either avoid this or always require an aliases entry even if i just want delivery to a mailbox?[00:14:59] <ThiefMaster> (if not i'll just update my SQL view to include mailboxes in the aliases queried by postfix)[00:16:11] *** Death_rattle <Death_rattle!~death@p5494E87D.dip0.t-ipconnect.de> has quit IRC (Remote host closed the connection)[00:17:35] <pj> ThiefMaster: in answer to your prior question, if you're using pipe(8) you can use ${original_recipient}. If you're using lmtp then it may be able to read the X-Original_to header that cleanup(8) adds by default.[00:18:23] <pj> and in answer to your last question, yes, that is correct, if you have any aliases and you want delivery to the orignal mailbox then you need to have an alias for it.[00:18:28] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 240 seconds)[00:19:14] <pj> you can always put an aliases entry if you want, it doesn't hurt to just have one alias that points to itself.[00:21:40] <ThiefMaster> ok - now the interesting question is whether i can always require this entry in my aliases, so postfix doesn't even try delivering to the mailbox if there's no alias entry. i used to do that in my previous exim setup - i don't really need it, just curious whether it's possible[00:22:18] <ThiefMaster> it was kind of nice since that way i could have a "secret" mailbox name so any bruteforce attempts using the email address as the username didn't even have a chance to guess the password since their username was always wrong[00:22:35] <ThiefMaster> of course i could still do it, but the "secret" mailbox name would now also be able receive emails[00:33:54] *** techriskno <techriskno!~techriskn@203.161.80.66.static.amnet.net.au> has joined #postfix[00:43:51] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has quit IRC (Remote host closed the connection)[00:46:51] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has joined #postfix[00:53:44] *** giesen <giesen!~ggiesen@2001:19f0:0:1019:5400:ff:fe25:bda6> has quit IRC (Ping timeout: 276 seconds)[00:58:53] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has quit IRC (Quit: leaving)[01:00:31] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has joined #postfix[01:01:06] <pj> ThiefMaster: what type of db are you using?[01:02:11] <pj> ...and your SASL login name does not have to be the same as your mailbox name.[01:03:01] <pj> in fact the SASL login has nothing technically to do with the mailbox name.[01:03:06] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has quit IRC (Client Quit)[01:03:15] <pj> it is usually the same, simply by convention.[01:08:51] <ThiefMaster> postgres - and true, i could simply use a different login name[01:12:57] <pj> ThiefMaster: you can customize your sql query for virtual_mailbox_maps to exclude results where there is no matching alias.[01:13:53] *** Diemuzi <Diemuzi!~IceChat9@unaffiliated/diemuzi> has quit IRC (Quit: See you on the flip side)[01:13:53] <ThiefMaster> thx, that's actually a pretty good idea :)[01:15:00] <pj> but if all you're trying to do is obfuscate your SASL username then it's much better to just change the SASL username.[01:20:32] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has joined #postfix[01:27:06] <ThiefMaster> i think i'll go for both - just remembered that i once setup foo at mydomain dot com for my father and then he asked me to disable it since he was getting too much crap but still uses it for imap/smtp login, just not to receive mails on the address with the same name[01:27:16] <ThiefMaster> so supporting it saves me the hassle of helping him reconfigure his email client :D[01:44:18] <pj> what's the point of having an IMAP login for a mailbox you don't use?[01:51:36] <ThiefMaster> i do, just from different aliases[01:58:57] *** ovrstorm <ovrstorm!~ovrstorm@air.raid.io> has quit IRC (Ping timeout: 240 seconds)[01:59:57] *** patdk-lap <patdk-lap!~patrickdk@96-91-219-129-static.hfc.comcastbusiness.net> has quit IRC (Ping timeout: 240 seconds)[02:00:53] *** patdk-lap <patdk-lap!~patrickdk@96-91-219-129-static.hfc.comcastbusiness.net> has joined #postfix[02:01:20] *** ovrstorm <ovrstorm!~ovrstorm@air.raid.io> has joined #postfix[02:06:16] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2606:f180:1:2ea:2ea:af60:f0b8:8f26> has joined #postfix[02:09:08] *** lvlinux <lvlinux!~ruel@unaffiliated/lvlinux> has quit IRC (Ping timeout: 276 seconds)[02:10:03] *** lvlinux <lvlinux!~ruel@unaffiliated/lvlinux> has joined #postfix[02:16:22] *** Dominian <Dominian!~dominian@opensuse/member/dominian> has quit IRC (Ping timeout: 256 seconds)[02:16:52] <ThiefMaster> what's the best way of rejecting all emails to user@[ip-address]? i don't intend to do any local deliveries and i don't see why anyone would sent legit email to *@[ip][02:19:50] *** gu1lle_ <gu1lle_!~Thunderbi@190.18.2.99> has joined #postfix[02:20:39] <rizonz> I wonder what is most easy to manage with postfix, mysql or ldap, I use mysql for all lookups and I think it's best scalable but people might think different, any idea ?[02:30:04] *** Dominian <Dominian!~dominian@opensuse/member/dominian> has joined #postfix[02:31:35] <techriskno> ThiefMaster: reject_non_fqdn_recipient and/or reject_unknown_recipient_domain from memory[02:31:50] <ThiefMaster> ty[02:45:14] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has quit IRC (Read error: Connection reset by peer)[02:47:19] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has joined #postfix[02:51:34] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has quit IRC (Read error: Connection reset by peer)[02:53:39] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has joined #postfix[03:06:48] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2606:f180:1:2ea:2ea:af60:f0b8:8f26> has left #postfix[03:16:04] *** BoomerBile <BoomerBile!~MetaPhaze@96-42-197-150.dhcp.roch.mn.charter.com> has joined #postfix[03:17:57] <techriskno> rizonz: both can scale so i guess its what proves most practical in terms of familiarity and situation[03:18:17] *** mroe <mroe!~roe@unaffiliated/roe> has joined #postfix[03:20:55] <ThiefMaster> does postfix have an equivalent to exim's envelope_to_add option? (http://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_transports.html)[03:23:05] *** necrogami_ <necrogami_!~necrogami@mars.c4.io> has quit IRC (Ping timeout: 240 seconds)[03:24:23] <ThiefMaster> (i'd like to use the 'envelope' test in my sieve filters and they aren't working right now and i think it's because the envelope headers are missing)[03:24:44] <patdk-lap> ThiefMaster, there is no need for an option[03:24:54] <ThiefMaster> well, the header isn't added ;)[03:24:59] <patdk-lap> just anything will do it[03:25:03] <patdk-lap> using a prepend header[03:25:13] <patdk-lap> did you configure somethiung to add it?[03:25:55] <ThiefMaster> nope, that's why i'm asking - i didn't know how to do that and searching for that specific header name didn't yield any useful results[03:27:14] <patdk-lap> use a check_recipient rule with a regex[03:27:19] <patdk-lap> regex match on everything[03:27:23] <patdk-lap> and have it prepend the header[03:27:43] <ThiefMaster> ah, maybe http://serverfault.com/a/625214/41940 is actually enough[03:27:49] <patdk-lap> http://serverfault.com/questions/693904/add-a-custom-header-to-postfix-with-the-relayed-domain[03:28:09] <patdk-lap> that isn't postfix[03:28:56] *** mroe <mroe!~roe@unaffiliated/roe> has quit IRC (Quit: Leaving...)[03:36:05] *** Guest43_ <Guest43_!~textual@86.123.182.225> has quit IRC (Quit: My MacBook has gone to sleep. ZZZzzz…)[04:09:58] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has quit IRC (Ping timeout: 264 seconds)[04:11:20] *** MadPsy <MadPsy!~MadPsy@unaffiliated/madpsy-/x-5109697> has left #postfix[04:13:47] *** necrogami_ <necrogami_!~necrogami@mars.c4.io> has joined #postfix[04:15:50] *** johnny56 <johnny56!~johnny56@unaffiliated/johnny56> has joined #postfix[04:22:41] *** TechDesk <TechDesk!~TechDesk@19.32.30.109.rev.sfr.net> has joined #postfix[04:23:32] <TechDesk> hi all[04:25:03] <TechDesk> i have a problem for send mail with sendmail email at gmail dot com, it does not send anything[04:26:12] <patdk-lap> !tell TechDesk getting_help[04:26:12] <knoba> TechDesk: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[04:26:46] *** chachasmooth <chachasmooth!~chachasmo@unaffiliated/chachasmooth> has quit IRC (Ping timeout: 255 seconds)[04:26:59] <TechDesk> hum[04:27:13] <TechDesk> i'm not good in english[04:27:53] <patdk-lap> that isn't something I can help with[04:28:04] <jaybe> all the words are right there ^ --- take your time to digest and comprehend them[04:28:21] <TechDesk> you want my /etc/postfix/main.cf ?[04:29:03] <patdk-lap> yes and logs[04:29:08] <patdk-lap> !relevant_logs[04:29:08] <knoba> patdk-lap: "relevant_logs" : mail.* syslog Postfix log messages (NOT verbose, see !no_verbose) which show ONLY the entire handling of a single mail which illustrates the issue with which you want help. Random selections from your mail log are not adequate. IMAP/POP3 daemons and external delivery agents often log to the same syslog facility (mail); filter such messages out unless asked not to.[04:29:10] <patdk-lap> !showconfig[04:29:11] <knoba> patdk-lap: "showconfig" : when asked to provide your config, please provide a SINGLE pastebin with postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[04:29:40] *** chachasmooth <chachasmooth!~chachasmo@unaffiliated/chachasmooth> has joined #postfix[04:29:47] <TechDesk> http://pastebin.com/neniQ46A[04:30:35] <TechDesk> http://pastebin.com/eEr5ifK0[04:32:06] <TechDesk> http://pastebin.com/CX3Fy4jR[04:32:40] <TechDesk> http://pastebin.com/2jDhqKdh[04:33:15] <thumbs> TechDesk: why four paste links?[04:33:37] <TechDesk> 1 it's /etc/postfix/main.cf[04:33:46] <TechDesk> 2 it's sendmail command[04:34:00] <TechDesk> 3 it's postconf -nf[04:34:06] <TechDesk> and 4 postconf -Mf[04:34:15] <thumbs> TechDesk: post everthing in a single link.[04:34:28] <TechDesk> ok, sorry[04:34:34] <patdk-lap> but the most important part, the logs are still missing[04:34:45] <TechDesk> how i see logs ?[04:34:59] <patdk-lap> I don't know, I don't own or manage your server[04:35:01] <patdk-lap> !logs[04:35:02] <knoba> patdk-lap: "logs" : Postfix logs to the mail facility of syslog. You can usually find them with ls /var/log/mail*; otherwise see your system's syslog server documentation. Also see !nologs and !mung[04:38:07] <TechDesk> http://pastebin.com/WiKXg6XN[04:46:49] *** giesen <giesen!~ggiesen@2001:19f0:0:1019:5400:ff:fe25:bda6> has joined #postfix[04:47:42] <patdk-lap> that says something is seriously wrong[04:47:53] <patdk-lap> like nothing is installed correctly, permissions are screwed, soemthing major[04:48:22] <TechDesk> ah[04:49:20] <patdk-lap> check the folders exist, starting with the /var/lib/postfix and /var/spool/postfix and permissions look reasonable[04:51:21] <TechDesk> i have /var/lib/postfix/master.lock, and /var/spool/postfix/ yes[04:51:56] <patdk-lap> ah, hmm, that might not matter[04:52:04] <patdk-lap> might be it was attempted to be started twice then[04:52:18] <patdk-lap> so lets locate the logs for the sendmail command you ran[04:54:21] <TechDesk> i do not know how to do this[04:54:34] <patdk-lap> you have to be able to manage your own system[04:54:54] <TechDesk> :)[04:54:56] <TechDesk> sorry[04:55:20] <thumbs> running a server isn't simple. It's OK. You don't have to run one.[04:56:16] <patdk-lap> well, I guess we could hope a nullmailer is what you really need[04:56:19] <patdk-lap> !nullmailer[04:56:19] <knoba> patdk-lap: "nullmailer" : a nullclient program which provides a means for a computer to submit mail to an existing msa. see http://untroubled.org/nullmailer/ for more info. also see !nullclient_software, !nullclient and !msa[04:56:21] <patdk-lap> !msmtp[04:56:21] <knoba> patdk-lap: "msmtp" : a nullclient program which provides a means for a computer to submit mail to an existing msa. see http://msmtp.sourceforge.net/ for more info. also see !nullclient_software, !nullclient and !msa[04:57:49] <TechDesk> thank you very much[04:58:20] <patdk-lap> atleast if using the sendmail command is the only goal you have[04:58:31] <patdk-lap> postfix is just too much overhead and complexity for somethign like that[05:02:02] <TechDesk> no no, it is to try before continuing the installation of dovecot[05:04:31] <thumbs> TechDesk: you're in way over your head.[05:05:51] <jaybe> much work to do before being good at internet email[05:06:03] <jaybe> good and safe[05:07:13] <TechDesk> tes :) much[05:07:17] <TechDesk> yes*[05:08:15] <jaybe> !basic[05:08:15] <knoba> jaybe: "basic" : http://www.postfix.org/BASIC_CONFIGURATION_README.html : a good starting place for Postfix beginners, many common questions are answered here.[05:08:28] <thumbs> if you're the same techdesk I recall, I would probably put off setting up a mail + imap server until late 2017[05:08:39] <thumbs> until you can read about it all this time.[05:09:03] <patdk-lap> if it's your first mail setup, expect it to take atleast a month[05:09:14] <thumbs> patdk-lap: 6 for him.[05:09:18] <patdk-lap> hell, I have been doing it since the 90's, and still progressing :)[05:09:54] <TechDesk> thumbs >< yes i'ts me[05:10:39] <TechDesk> yes i'ts my first mail setup[05:11:07] <TechDesk> thumbs you speak french ?[05:11:18] <TechDesk> i know your nick[05:11:18] <patdk-lap> well, need to figure out your os, and where your logs are, and where dovecot and postfix logs are going[05:11:30] <patdk-lap> !thumbs[05:11:30] <knoba> patdk-lap: "thumbs" : (#1) Those opposable things which keep those apes dominant over cats, or (#2) The other bot in the channel[05:11:54] <thumbs> TechDesk: I speak binary[05:11:59] <TechDesk> :)[05:14:11] <thumbs> TechDesk: seriously, give yourself at least 6 Months to learn mail servers.[05:14:52] <TechDesk> okay[05:16:45] <TechDesk> thank you very much for all[05:27:57] <rob0> je parle binaire[05:31:09] <thumbs> yes, rob0 is our resident French expert[05:32:08] <patdk-lap> heh, I can almost speak english[05:32:11] <rob0> Fechez la vache![05:32:19] <patdk-lap> anything else is too much[06:53:46] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2001:590:1405:72:72:3163:b97e:f4f0> has joined #postfix[06:53:46] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2001:590:1405:72:72:3163:b97e:f4f0> has left #postfix[07:09:10] <tuxick> french binary = oui ou non! it's all about intonation[07:42:47] *** muh2000_ <muh2000_!~quassel@prx1.ernw.net> has quit IRC (Remote host closed the connection)[07:46:57] *** gu1lle_1 <gu1lle_1!~Thunderbi@190.18.2.99> has joined #postfix[07:48:58] *** gu1lle_ <gu1lle_!~Thunderbi@190.18.2.99> has quit IRC (Ping timeout: 264 seconds)[07:48:58] *** gu1lle_1 is now known as gu1lle_[08:07:59] *** MACscr <MACscr!~MACscr@c-73-9-230-5.hsd1.il.comcast.net> has quit IRC (Read error: No route to host)[08:09:40] *** MACscr <MACscr!~MACscr@c-73-9-230-5.hsd1.il.comcast.net> has joined #postfix[08:54:23] *** rsx <rsx!~dummy@ppp-93-104-52-233.dynamic.mnet-online.de> has joined #postfix[09:08:08] *** KsChoice <KsChoice!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[09:08:08] *** Phoenixz <Phoenixz!~quassel@187-163-219-201.static.axtel.net> has quit IRC (Remote host closed the connection)[09:10:03] *** mcfate <mcfate!~textual@174-134-145-16.res.bhn.net> has quit IRC (Quit: My MacBook has gone to sleep. ZZZzzz…)[10:18:46] *** infides_afk <infides_afk!~infides@p4FE75272.dip0.t-ipconnect.de> has joined #postfix[10:28:43] <rizonz> techriskno: true but with virtual aliasses and such I get the feeling that mysql is more flexible[10:29:56] *** hejohn_ <hejohn_!~gernot@srv-13.snet.at> has joined #postfix[10:38:47] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[10:56:38] *** karelk <karelk!~karel@31.10.149.26> has joined #postfix[10:58:15] *** markus_e92 <markus_e92!~markus_e9@62-46-27-129.adsl.highway.telekom.at> has quit IRC (Ping timeout: 245 seconds)[10:58:39] *** froz-gab <froz-gab!~froz-gab@host194-58-dynamic.53-79-r.retail.telecomitalia.it> has joined #postfix[11:00:34] *** markus_e92 <markus_e92!~markus_e9@91-115-152-27.adsl.highway.telekom.at> has joined #postfix[11:10:39] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Remote host closed the connection)[11:11:11] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[11:15:40] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Ping timeout: 255 seconds)[11:16:45] *** yoavz <yoavz!~yoavz@white.blackit.io> has quit IRC (Ping timeout: 260 seconds)[11:20:21] *** FMan <FMan!~tropyx@dsl-kvlbrasgw2-50dcc3-5.dhcp.inet.fi> has joined #postfix[11:35:02] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 252 seconds)[12:01:39] *** muh2000_ <muh2000_!~quassel@prx2.ernw.net> has joined #postfix[12:15:22] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Ping timeout: 264 seconds)[12:16:01] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[12:19:00] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[12:35:44] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 256 seconds)[12:39:14] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has joined #postfix[12:40:53] <patsToms> morning[12:43:52] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[12:44:48] *** infides_afk <infides_afk!~infides@p4FE75272.dip0.t-ipconnect.de> has quit IRC (Ping timeout: 256 seconds)[12:46:05] *** iGeni <iGeni!~textual@50702E2F.cm-14.dynamic.ziggo.nl> has joined #postfix[12:53:08] *** lilmike <lilmike!server@mtserver.mwtd.net> has joined #postfix[13:00:20] *** yoavz <yoavz!~yoavz@white.blackit.io> has joined #postfix[13:01:33] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@46.148.182.82> has joined #postfix[13:01:35] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@46.148.182.82> has left #postfix[13:03:09] <lilmike> So I have the following set in /etc/postfix/main.cf: sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay. In the mentioned file I have lines that look like @example.com relay:[smtp.sparkpostmail.com]:587. When I use mail -r test at domain-not-in-that-list dot com -s test <mymail>, it goes through smtp and sends to my mail just fine. When php-fpm sends email from a website, it tries to[13:03:15] <lilmike> relay through sparkpost, and gets rejected because it's not a configured domain and it shoudln't even be trying to go through there. Any thoughts?[13:08:25] <patsToms> I would like to ask some little offtopic here. Is there a place for a tool which would automatically test mail server by what I mean not really like mail-tester.com but for example cli tool which can check for known attacks, try how it filters spam and malware.[13:10:27] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[13:12:47] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 276 seconds)[13:14:55] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Ping timeout: 255 seconds)[13:28:47] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[13:33:45] *** mcfate <mcfate!~textual@174-134-145-16.res.bhn.net> has joined #postfix[13:36:13] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 255 seconds)[13:45:17] *** markus_e92 <markus_e92!~markus_e9@91-115-152-27.adsl.highway.telekom.at> has quit IRC (Ping timeout: 276 seconds)[13:53:00] *** Death_rattle_ <Death_rattle_!~death@p200300868A1F92010000000000000001.dip0.t-ipconnect.de> has joined #postfix[13:55:33] <techriskno> there's the gtube, not sure if theres an exact equiv for virus..[13:55:45] <honestly> there is[13:55:51] *** markus_e92 <markus_e92!~markus_e9@91-115-152-27.adsl.highway.telekom.at> has joined #postfix[13:55:51] <honestly> it's called the EICAR file[13:55:59] <honestly> GTUBE was inspired by EICAR[13:56:03] <techriskno> booya[13:56:46] <rob0> !gtube[13:56:46] <knoba> rob0: "gtube" : Generic Test for Unsolicited Bulk Email - an eicar.com like spam signature that always should trigger spam filters. See http://spamassassin.apache.org/gtube/ or get the string here: !gtube_string[13:56:49] <rob0> !eicar[13:56:49] <knoba> rob0: "eicar" : A test signature that is detected by all common virus scanners. It is not a virus and thus completely harmless. Get the file from http://en.wikipedia.org/wiki/EICAR_test_file , or just !eicar_string[13:56:50] <techriskno> any old binary renamed to trick grandma also ought to be picked up[13:59:48] <rob0> The best way to detect spam/malware is to see from whence it comes. Connections from known spam sources are nearly always spam (and deserve to be blocked, regardless.) There can be no way to test that, but,[14:00:00] <rob0> !factoids search spamhaus[14:00:00] <knoba> rob0: No keys matched that query.[14:00:12] <rob0> !factoids search -values spamhaus[14:00:12] <knoba> rob0: (factoids search [<channel>] [--values] [--{regexp} <value>] [<glob> ...]) -- Searches the keyspace for keys matching <glob>. If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.[14:00:19] <rob0> !factoids search --values spamhaus[14:00:19] <knoba> rob0: 'pbl', 'Zen', 'rbl', 'dbl', and 'dnsbl_test'[14:00:28] <rob0> !dnsbl_test[14:00:28] <knoba> rob0: "dnsbl_test" : Many DNSBLs support a special test record of 127.0.0.2, so you can dig 2.0.0.127.zen.spamhaus.org. any to test Zen, for example. See also http://www.crynwr.com/spam/ to test your server's use of various DNSBLs.[14:00:57] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has quit IRC (Quit: leaving)[14:02:24] <techriskno> yeah no doubt[14:02:58] <rob0> lilmike, I think you are asking us why your relay provider rejected you, and I am not sure why you ask us. Shouldn't you ask your provider?[14:03:34] <techriskno> and if you exceed the public query rate the rsync service is definitely worth the bucks[14:04:35] *** hejohn_ <hejohn_!~gernot@srv-13.snet.at> has quit IRC (Quit: hejohn_)[14:05:32] <lilmike> rob0: no, I know why it rejects me, because i haven't set up the domain to be used by that service. And from all I've set up and seen postfix shouldn't even be sending the email through the relay. Hense my question why mail -r test at example dot org -s subject <mymail> goes through regular smtp, but when php-fpm sends an email through postfix it sends (everything*, regardless of its presence in[14:05:38] <lilmike> /etc/postfix/sender-relay[14:06:01] <rob0> you could read the /topic and make a pastebin to show it[14:06:37] <rob0> techriskno++[14:07:20] <rob0> (but most people who go to IRC for help are probably not in danger of exceeding the query limit)[14:07:46] <rob0> (and if they are, they should be paying for help anyway ;) )[14:08:30] *** Guest43 <Guest43!~textual@86.123.182.225> has joined #postfix[14:09:31] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has quit IRC (Quit: inabit. zz.)[14:11:16] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[14:11:33] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has joined #postfix[14:14:31] <rizonz> has anyone some opinion about the lookup differences between ldap and *sql ? does SQL give me more options to lookup ?[14:15:00] <lilmike> !showconfig[14:15:00] <knoba> lilmike: "showconfig" : when asked to provide your config, please provide a SINGLE pastebin with postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[14:15:00] <rizonz> I'm thinking about moving and also checkingout which lookups are mostly used and what to keep in local files[14:15:42] <rizonz> what has my config todo with a general question about flexibility, scaling and performance ?[14:16:01] <rob0> A lovely wedding of local files (100% reliable and fast) and SQL power is sqlite3[14:16:07] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Ping timeout: 255 seconds)[14:16:11] <techriskno> rob0: well made and noted[14:17:20] *** hejohn_ <hejohn_!~gernot@srv-13.snet.at> has joined #postfix[14:18:11] <lilmike> logs of a successful mail and an unsuccessful mail along with config: http://codepad.org/OBMvedg5[14:18:26] <rizonz> rob0: yap I agree (can't say about sqlite as I have seen bad performance things with it), so when doing ldap what about flexibiltiy for virtual domains compared to a sql lookup ?[14:19:21] <rob0> bad performance with sqlite? It's almost as fast as hash: tables![14:20:47] <rizonz> yeah have seen some issues with large tables[14:20:55] <rizonz> anyways that was not the discussion[14:21:23] <rob0> lilmike, note that your PHP sent with an incomplete address, <http>[14:21:40] <rizonz> I'm thinking about moving to ldap lookups but I have the feeling that I miss some things I can lookup for a user compared to the *sql queries[14:23:51] <lilmike> rob0: odd, the "from:" supposedly must have gone through, as mtserver.mwtd.net is a configured domain, so I get my mails when my servers sends me messages, but apparently that's not what the default-transport-table looks at?[14:24:10] <lilmike> rob0: sorry, sender-dependant-default-transport[14:24:25] <rob0> !enable_long_queue_ids[14:24:25] <knoba> rob0: "enable_long_queue_ids" : Enable long, non-repeating, queue IDs (queue file names). The benefit of non-repeating names is simpler logfile analysis and easier queue migration (there is no need to run postsuper to change queue file names that don't match their message file inode number). See http://www.postfix.org/postconf.5.html#enable_long_queue_ids[14:24:33] <rob0> enable_long_queue_ids=yes[14:26:38] <lilmike> rob0: would you say that postfix is taking the http at mtserver dot mwtd.net as the from address, while sparkpost is taking the from: that WordPress provides as the from, so postfix is relaying it, but sparkpost is not, as the from from WordPress is not a configured domain? Is there any way around this if so?[14:27:33] <rob0> Postfix deals in envelope addresses. If your provider is ignoring those and looking at headers instead, that is strange.[14:28:06] <techriskno> its not, though[14:28:15] <rob0> I guess you'll need to configure your wordpress to do as the provider wants.[14:28:54] <lilmike> rob0: I'm honestly not sure, the only thing I know is that mail -r test at conservativeworld dot net -s <subject> <mymail> goes through smtp, while anything sent through php-fpm goes through sparkpost[14:29:02] <techriskno> the from is just being set by pickup as the client hasnt[14:29:33] <rob0> but wordpress is probably setting a From: header[14:31:10] <rob0> A non-qualified localpart as sender will have @$myorigin appended. $myorigin wasn't set in main.cf, but it defaults to $myhostname (which is set.)[14:33:17] <lilmike> rob0: hmm, I think I see, postfix is seeing that http[ at mtserver dot mwtd.net] is sending the message, but sparkpost is seeing the from: and rejecting it. I'll have to see if I can get WordPress or php to set an envelope address. Thanks![14:33:48] <lilmike> probably WordPress itself because different WordPRess will have different from addresses.[14:34:22] <lilmike> rob0: thanks![14:38:28] <techriskno> probably also worth setting myorigin - or your dsns will originate from a fqdn with no mx etc etc[14:40:14] *** infides_afk <infides_afk!~infides@p4FE75272.dip0.t-ipconnect.de> has joined #postfix[14:43:10] *** namix <namix!~namix@unaffiliated/namix> has quit IRC (Quit: ...)[14:43:39] <rob0> I generally recommend setting all of the settings mentioned in:[14:43:46] <rob0> !basic[14:43:46] <knoba> rob0: "basic" : http://www.postfix.org/BASIC_CONFIGURATION_README.html : a good starting place for Postfix beginners, many common questions are answered here.[14:44:16] <rob0> They're too important to be left to chance.[14:53:36] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[15:03:43] *** zokum <zokum!~zokum@188.51-174-52.customer.lyse.net> has joined #postfix[15:04:35] *** zokum_ <zokum_!~zokum@188.51-174-52.customer.lyse.net> has quit IRC (Ping timeout: 240 seconds)[15:05:27] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 240 seconds)[15:08:00] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[15:08:40] <patsToms> techriskno, rob0, I am thinking for a user friendly tool which could be used by people which makes they own mail servers[15:13:10] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 240 seconds)[15:15:34] <techriskno> see whats on cpan and its relatives[15:19:10] *** infides_afk <infides_afk!~infides@p4FE75272.dip0.t-ipconnect.de> has quit IRC (Ping timeout: 240 seconds)[15:21:33] <techriskno> and bear in mind the task in entirety goes somewhat beyond a tool. e.g., need more than one inet (or to be able to manipulate access and reload).[15:34:40] *** pti-jean_ <pti-jean_!~quassel@165.21.124.78.rev.sfr.net> has joined #postfix[15:36:02] <patdk-lap> patsToms, there should not be a user friendly tool :)[15:36:06] <patdk-lap> this is what a tutorial is[15:36:23] <patdk-lap> the problem is, this tool would never do things that people need, it can only set the most basic of things[15:36:59] <patdk-lap> and if you cause people to skip over the training for the basics, they will never be able to do anything harder, or even the simple stuff, cause the tool just caused a huge hole in their education[15:37:16] <patdk-lap> !tutorial[15:37:16] <knoba> patdk-lap: "tutorial" : A very common problem is that some people prefer to follow a step-by-step tutorial that shows them how to setup their server w/out reading the documentation or understanding what they are doing. If something goes wrong, they have no clue whatsoever about where to find hints, and they sometimes decide to start from scratch using a different tutorial. This is not The Proper Way.[15:38:01] <patdk-lap> this is exactly what the debian postfix installers do, and is a source of a lot of issues in this channel[15:49:34] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has quit IRC (Remote host closed the connection)[15:53:59] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has joined #postfix[16:06:42] *** iGeni <iGeni!~textual@50702E2F.cm-14.dynamic.ziggo.nl> has quit IRC (Quit: My iMac has gone to sleep. ZZZzzz…)[16:11:19] *** orion <orion!~orion@unaffiliated/orion> has quit IRC (Ping timeout: 258 seconds)[16:12:07] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[16:16:43] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has quit IRC (Ping timeout: 255 seconds)[16:18:01] *** orion_ <orion_!~orion@c-73-60-0-254.hsd1.nh.comcast.net> has joined #postfix[16:24:13] <ThiefMaster> ugh, amavis.. who thought it'd be a good idea to make a config file a perl script? :x[16:26:58] <lunaphyte> it's much more flexible that way.[16:27:04] <lunaphyte> i woudln't want it to be any different[16:27:07] <techriskno> to be fair the original question was about a tool which tests an mtas asav handling[16:27:11] <lunaphyte> *wouldn't[16:29:36] *** Diemuzi <Diemuzi!~IceChat9@unaffiliated/diemuzi> has joined #postfix[16:35:16] *** namix <namix!~namix@bla.mode42.net> has joined #postfix[16:35:16] *** namix <namix!~namix@bla.mode42.net> has quit IRC (Changing host)[16:35:16] *** namix <namix!~namix@unaffiliated/namix> has joined #postfix[16:37:53] <rizonz> is there a good way using headerchecks to remove earlier hops on outgoing mail only ? Yeah I know outgoing is always the fact but to the outside world and leave them whgen you delived on your local network[16:39:39] <lunaphyte> generally, that's a foolish idea[16:39:45] <lunaphyte> but yes, it is *possible*[16:40:02] <lunaphyte> please don't conflate it being possible with "you should do it" :([16:41:12] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[16:46:53] *** orion_ <orion_!~orion@c-73-60-0-254.hsd1.nh.comcast.net> has left #postfix[16:47:25] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 245 seconds)[16:53:45] *** souther <souther!~souther@2605:6400:1:fed5:22:1ac:61c0:e24e> has joined #postfix[17:01:41] <ThiefMaster> what's the recommended way of adding DKIM signatures to emails sent through postfix?[17:09:50] <patdk-lap> amavis? opendkim?[17:13:33] <lunaphyte> i'd recommend opendkim[17:13:54] <ThiefMaster> i don't route outgoing emails through amavis (since it seems to have no way of getting the local domains list from a DB that does not involve a custom script, dumping the domain list in a file and reloading amavis when it changed) so i guess i'll give opendkim a try[17:14:17] <lunaphyte> i'd use opendkim even if you did[17:15:02] <patdk-lap> heh? don't understand that[17:15:06] <patdk-lap> I get it the same way postfix gets it[17:15:20] <patdk-lap> but I use both ways, depending on the needs[17:16:32] <ThiefMaster> patdk-lap: our of curiosity, how do you get the domain list from a DB in amavis?[17:16:40] <ThiefMaster> *out[17:16:59] <ThiefMaster> i thought about writing a perl function (yuck :D) but that'd only run when the config file is parsed so i'd still need to reload it after adding a domain[17:17:41] <ThiefMaster> just looking into opendkim: is it common to use one key per machine instead of one key per domain? ie having the same DKIM DNS records on all domains the machine handles?[17:18:56] <JPT> For my personal setup, i use one key per machine - it is easy for me since all the domains on a machine are also under my control.[17:19:03] <JPT> Different scenarios might require different setups[17:20:08] <ThiefMaster> same for me so i guess i'll also go the easy way[17:20:59] <JPT> Today i renewed my dkim keys from 2014. :|[17:21:28] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2606:f180:1:df:df:121e:9695:caa6> has joined #postfix[17:21:30] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2606:f180:1:df:df:121e:9695:caa6> has left #postfix[17:23:01] <ThiefMaster> i guess the smtpd_milters for opendkim should be set only on the smtpd ips/ports used by users but not the one that handles incoming mail for the domain (ie the one the MX points to)?[17:23:46] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[17:26:26] <JPT> sounds reasonable[17:26:31] <JPT> you want to sign outgoing mail[17:33:36] *** fatdragon <fatdragon!~fatdragon@cpe-107-184-105-188.socal.res.rr.com> has joined #postfix[17:48:59] <ThiefMaster> damn, opendkim also expects a list of domains with no apparent option to load it from a database :/[17:50:03] <rizonz> patdk-lap: opendkim[17:50:12] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2606:f180:1:df:df:9548:2882:a7c6> has joined #postfix[17:50:26] * rizonz is trying to get dkim to get working on assp[17:50:31] <rizonz> assp is damn good btw[17:50:40] *** FiveBroDeepBook <FiveBroDeepBook!~gk.1wm.su@2606:f180:1:df:df:9548:2882:a7c6> has left #postfix[17:52:03] <ThiefMaster> rizonz: why does a developer of "damn good" software use CVS though? :D[17:54:50] <ThiefMaster> ah, `Domain *` seems to work so it signs everything[17:54:57] <ThiefMaster> dunno if that has any drawbacks though..[17:55:37] <JPT> Depends on if signing mail that does not have a dkim record in dns has impacts on spam evaluation[17:56:20] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has joined #postfix[17:59:10] <ThiefMaster> maybe i'll just stay on the safe side and manually add the domains where i added the dns records in there[18:09:08] <rizonz> ThiefMaster: nothing wrong with it, dunno I think he will move to github but he is on vacation now... but spamtagging is so good and it's superb fast[18:10:51] *** JanC_ <JanC_!~janc@lugwv/member/JanC> has joined #postfix[18:10:51] *** JanC is now known as Guest86017[18:10:52] *** Guest86017 <Guest86017!~janc@lugwv/member/JanC> has quit IRC (Killed (hitchcock.freenode.net (Nickname regained by services)))[18:10:52] *** JanC_ is now known as JanC[18:10:52] *** dargains <dargains!~dargains@179.179.164.238> has joined #postfix[18:18:02] *** rsx <rsx!~dummy@ppp-93-104-52-233.dynamic.mnet-online.de> has quit IRC (Remote host closed the connection)[18:20:06] <lunaphyte> assp has some fundamental flaws[18:20:37] <lunaphyte> i certainly would never categorize is as "damn good" until those are addressed[18:21:30] <lunaphyte> ThiefMaster: using a single key for all domains is fine. it's not written in stone, so if as time passes and things evolve, it needs to change, that's perfectly ok[18:25:00] *** namyzarc <namyzarc!~namyzarc@2601:989:4201:5921:3552:33f1:613a:441d> has quit IRC (Quit: Leaving)[18:25:26] *** sarri <sarri!~sari@unaffiliated/sarri> has quit IRC (Ping timeout: 276 seconds)[18:29:52] *** infides_afk <infides_afk!~infides@p4FE75272.dip0.t-ipconnect.de> has joined #postfix[18:30:40] *** dargains <dargains!~dargains@179.179.164.238> has quit IRC (Remote host closed the connection)[18:34:32] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 276 seconds)[18:37:58] <ThiefMaster> do i understand smtpd_relay_restrictions / smtpd_recipient_restrictions correctly? smtpd_relay_restrictions applies when the RCPT TO address is not handled in an alias/mailbox and afterwards smtpd_recipient_restrictions is applied in any case?[18:38:37] *** dargains <dargains!~dargains@179.179.164.238> has joined #postfix[18:38:38] <lunaphyte> my advice is to unset smtpd_relay_restrictions, and just use smtpd_recipient_restrictions[18:39:27] <lunaphyte> smtpd_relay_restrictions mostly exists due to the historical irresponsible practice of using the same port/service for mx traffic and submission traffic[18:41:20] <ThiefMaster> hm.. i have this and i'm still able to send an email to root at [my dot ip]: smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit[18:41:24] <ThiefMaster> shouldn't reject_non_fqdn_recipient prevent this?[18:42:04] <ThiefMaster> (i don't want to deliver mails to a local mbox in *any* case)[18:42:58] <lunaphyte> permit_sasl_authenticated, permit_mynetworks never ever belong in global smtpd_recipient_restrictions[18:43:02] <lunaphyte> that is a huge no no[18:43:14] <lunaphyte> and permit_mynetworks just should not be used, period.[18:43:35] <lunaphyte> root at [my dot ip] is a valid email address[18:44:05] <ThiefMaster> what's wrong with it? fwiw, i do set smtpd_sasl_auth_enable=no on the ip/port intended to be used for MX traffic[18:44:15] <lunaphyte> that's backwards[18:44:23] <lunaphyte> global smtpd_sasl_auth_enable should be no.[18:44:32] <lunaphyte> it should only be *enabled* for the submission service[18:44:48] <ThiefMaster> i don't have global setting and set it on all the services (either yes/no)[18:45:01] <lunaphyte> as i said, that's backwards[18:45:31] <lunaphyte> settings which introduce the possibility for abuse should never ever be enabled globally, or by default.[18:45:43] <ThiefMaster> how could it be abused?[18:45:45] <lunaphyte> this is just responsible security practices 101[18:46:22] <lunaphyte> err on the side of caution. act conservatively, not radically/liberally.[18:46:43] <ThiefMaster> i guess trying smtp.domain.tld instead of mx.domain.tld would be the first thing an attacker tries when not being able to try smtp auth credentials on the mx one[18:46:47] <ThiefMaster> but yeah, makes sense[18:47:28] <lunaphyte> don't get caught in the trap of thinking unless you can think of a way that something bad can happen, there is no reason to protect against it ;)[18:48:29] <lunaphyte> that's nothing more than an egotistical fast track to unexpected problems[18:48:36] <ThiefMaster> but how would i avoid setting `permit_sasl_authenticated, permit_mynetworks` globally without having to repeat *all* other smtpd_recipient_restrictions in master.cf?[18:49:01] <lunaphyte> set conservative, restrictive smtpd_recipient_restrictions globally.[18:49:15] <lunaphyte> set more relaxed, permissive smtpd_recipient_restrictions for the submission service[18:49:46] <ThiefMaster> i have 2 mx ports (smtp/smtps) and 3 client ports (smtp/smtps/submission) in master.cf - is there any way to avoid repeating options that are the same e.g. for the 3 client ports?[18:50:13] <lunaphyte> huh?[18:50:20] <lunaphyte> 2 mx ports? that makes no sense[18:50:32] <lunaphyte> and smtps? what on earth? turn that off.[18:50:40] <lunaphyte> smtps has been deprecated for close to 20 years now.[18:50:50] <lunaphyte> why on earth are poeople *still* doing this?[18:50:53] <ThiefMaster> there aren't any legit mail servers insisting on using it?[18:50:53] <lunaphyte> boggles my mind[18:51:03] <lunaphyte> using what, exactly?[18:51:14] <ThiefMaster> smtps instead of smtp/smtp+starttls[18:51:27] <lunaphyte> where did you get such an idea? there is no such thing, at all[18:51:33] <lunaphyte> what port would you even use for that?[18:51:43] <ThiefMaster> 465?[18:51:51] <lunaphyte> 465 is NOT mx[18:51:55] <ThiefMaster> and i based my config on that of a friend who used to work at an ISP so i assumed he knows what he does :)[18:51:59] <lunaphyte> 465 is sptms, which is for *client* only.[18:52:06] <lunaphyte> *smtps[18:52:16] <lunaphyte> and 465/smtps should not be used.[18:52:26] <lunaphyte> it was never a standard, and has been abaondoned for over 15 years[18:52:47] <ThiefMaster> ok, so down to 3 ports :) smtp for MX and smtp+submission for clients[18:52:53] <lunaphyte> assumming that someone knows what they're doing just because they "worked at an isp" is a recipe for distress[18:53:06] <lunaphyte> 3 ports? that's 2 ports[18:53:17] <lunaphyte> smtp/25, and submission/587[18:53:19] <lunaphyte> that's it.[18:53:24] <ThiefMaster> i'm going to use different ips for MX and clients[18:53:31] <ThiefMaster> so 2 ports but 3 ip:port combinations[18:53:37] <lunaphyte> huh?[18:53:47] <lunaphyte> first, you don't need different ip addresses.[18:53:54] <lunaphyte> however, it is ok to do so[18:54:06] <lunaphyte> second, even if you use different ip addresses, it's still only 2 ports.[18:54:19] <lunaphyte> one ip address listening on port 25, and another ip address listening on port 587[18:54:21] <lunaphyte> that's it[18:54:30] <ThiefMaster> i was mainly thinking about the case where i'm in a network that has a shitty firewall that allows 25 but not 587[18:54:35] <ThiefMaster> but probably never going to happen ;x[18:55:10] <lunaphyte> it is precisely the opposite which will happen, which was a HUGE part of the imeptus behind separating server and client traffic[18:55:22] <lunaphyte> port 25 is routinely blocked, whereas port 587 is NOT[18:55:47] <lunaphyte> and you can quite trust that, if port 587 is blocked, port 25 will almost certainly not be open[18:56:22] <lunaphyte> another fundamental tenet of responsible network security is to not overcomplicate things without an actual reason ;)[18:56:37] <ThiefMaster> ok, much less mess in my config now ;)[19:00:45] *** Death_rattle_ <Death_rattle_!~death@p200300868A1F92010000000000000001.dip0.t-ipconnect.de> has quit IRC (Ping timeout: 258 seconds)[19:02:13] *** Death_rattle_ <Death_rattle_!~death@p5DC9A7BD.dip0.t-ipconnect.de> has joined #postfix[19:09:25] <ThiefMaster> !pastebin[19:09:25] <knoba> ThiefMaster: "pastebin" : a pastebin site lets you easily share logs and configuration. Examples are dpaste.org, fpaste.org, or pastebin.ca. Please avoid ad-supported sites such as pastebin.com if possible.[19:09:45] <ThiefMaster> ok, no weird/fancy one like some other channels ;)[19:10:08] <lunaphyte> the more basic the pastebin site, the better[19:10:24] <lunaphyte> e.g. something like dpaste.com[19:11:46] <ThiefMaster> yeah, pastebin.com is literally the worst[19:12:19] <lunaphyte> well, certainly among them[19:14:31] <ThiefMaster> lunaphyte: does https://gist.github.com/ThiefMaster/e6ff953e78002f8ec9082a0942243663#file-main-cf-L34-L51 looks saner to you?[19:14:52] <lunaphyte> !tell ThiefMaster showconfig[19:14:52] <knoba> ThiefMaster: "showconfig" : when asked to provide your config, please provide a SINGLE pastebin with postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[19:15:00] <techriskno> termbin.com[19:15:01] <ThiefMaster> actually i guess reject_unauth_destination, permit should go away from the mua one[19:16:41] <ThiefMaster> https://bpaste.net/show/3099abd9edee[19:21:20] <ThiefMaster> but i'm still able to send emails to localuset@[ip] :/ (obviously, since i only cleaned up the config but didn't do anything regarding that)[19:22:47] <lunaphyte> i would make a restriction class for basic restrictions, and reference it for both mx and submission[19:23:04] <lunaphyte> and i'd include more than what you've currently got[19:23:15] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[19:24:24] <lunaphyte> i'd also just use restriction classes for your mx and mua restrictions, instead of variables[19:25:28] <ThiefMaster> do you have any good examples (e.g. from your own config)?[19:25:50] *** fling <fling!~fling@fsf/member/fling> has quit IRC (Ping timeout: 252 seconds)[19:28:39] <lunaphyte> http://dpaste.com/304AS2T[19:28:50] <lunaphyte> also, you MUST require encryption on port 587[19:29:09] <lunaphyte> allowing smtp auth without requiring encryption is irresponsible[19:29:45] <lunaphyte> in other news, relaying to dovecot with virtual doens't make sense[19:30:14] <lunaphyte> if you're relaying from postfix to some other system/software, then you should use the relay address class, not the virtual address class[19:30:39] <lunaphyte> and also, on that note, using pipe(8) to feed to dovecot is also not recommended. instead, use lmtp[19:31:12] <lunaphyte> and - on that note - then there's not realy a reason to deliver mail back to postfix after amavis. just have amavis send it to dovecot[19:31:24] <lunaphyte> internet -> postfix -> amavis -> dovecot[19:31:24] *** Guest43 <Guest43!~textual@86.123.182.225> has quit IRC (Quit: Textual IRC Client: www.textualapp.com)[19:33:34] <lunaphyte> there are also a few other settings that i would always set http://dpaste.com/2XA5AFJ[19:33:38] *** yoavz <yoavz!~yoavz@white.blackit.io> has quit IRC (Ping timeout: 268 seconds)[19:33:56] <lunaphyte> if you're not using local(8) or virtual(8), those can be commented out in master.cf too[19:42:49] *** roukoswarf <roukoswarf!root@rouk.org> has quit IRC (Quit: rouk.org)[19:43:25] *** roukoswarf <roukoswarf!znc@rouk.org> has joined #postfix[19:48:46] <pj> you need to be careful with commenting out local(8). If you're using local domains at all even with a 3rd party delivery agent you're still using local(8).[19:52:48] <ThiefMaster> i can't feed straight from amavis to dovecot since dovecot couldn't handle aliases pointing to external domains (like foo at mydomain dot com -> foo at gmail dot com)[20:02:10] *** yoavz <yoavz!~yoavz@white.blackit.io> has joined #postfix[20:02:30] *** cpm <cpm!~Chip@71.58.89.172> has joined #postfix[20:02:30] *** cpm <cpm!~Chip@71.58.89.172> has quit IRC (Changing host)[20:02:30] *** cpm <cpm!~Chip@pdpc/supporter/active/cpm> has joined #postfix[20:11:12] *** iGeni <iGeni!~textual@50702E2F.cm-14.dynamic.ziggo.nl> has joined #postfix[20:12:19] <ThiefMaster> <lunaphyte> if you're relaying from postfix to some other system/software, then you should use the relay address class, not the virtual address class <-- there aren't equivalent options for virtual_mailbox_domains/virtual_mailbox_maps/virtual_alias_maps (just relay_recipient_maps) - how would i get the same behavior?[20:15:56] *** caitnop <caitnop!~py@ool-1826eaa1.dyn.optonline.net> has quit IRC (Ping timeout: 276 seconds)[20:22:20] <lunaphyte> virtual_alias_maps is completely unrelated to any of that[20:22:37] <lunaphyte> you will still use virtual_alias_maps exactly as you have been[20:25:21] *** fling <fling!~fling@fsf/member/fling> has joined #postfix[20:28:26] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 240 seconds)[20:36:05] <ThiefMaster> in the meantime i was trying to use LMTP instead of LDA - but it looks like X-Original-To is not being set when using LMTP[20:36:34] <ThiefMaster> i found some workarounds like the one described in https://listi.jpberlin.de/pipermail/postfixbuch-users/2015-November/063658.html but it feels extrmely dirty[20:37:19] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[20:48:27] *** dargains <dargains!~dargains@179.179.164.238> has quit IRC (Remote host closed the connection)[20:49:06] *** dargains <dargains!~dargains@179.179.164.238> has joined #postfix[20:50:26] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 240 seconds)[20:53:27] *** dargains <dargains!~dargains@179.179.164.238> has quit IRC (Ping timeout: 258 seconds)[20:59:54] *** Motoko <Motoko!~maoyama@simplemachines/serverteam/Motoko> has joined #postfix[21:01:07] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[21:13:44] <ThiefMaster> ok, got the relay stuff working. still curious whether there's a better solution than (ab)using check_recipient_access to add the header with LDA[21:13:47] <ThiefMaster> err, with LMTP[21:31:35] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has quit IRC (Ping timeout: 245 seconds)[21:36:46] *** chris|_ <chris|_!~ident@static.77.63.9.5.clients.your-server.de> has joined #postfix[21:41:22] *** chris|_ <chris|_!~ident@static.77.63.9.5.clients.your-server.de> has quit IRC (Client Quit)[21:41:46] *** j7k6 <j7k6!~j7k6@unaffiliated/j7k6> has joined #postfix[21:50:40] *** dargains <dargains!~dargains@179.179.164.238> has joined #postfix[21:54:42] *** chris|_ <chris|_!~ident@static.77.63.9.5.clients.your-server.de> has joined #postfix[21:54:55] *** dargains <dargains!~dargains@179.179.164.238> has quit IRC (Ping timeout: 245 seconds)[21:56:09] *** chris|_ <chris|_!~ident@static.77.63.9.5.clients.your-server.de> has quit IRC (Client Quit)[21:57:38] *** chris|_ <chris|_!~ident@unaffiliated/chris/x-9333407> has joined #postfix[22:00:01] *** chris| <chris|!~Chris@unaffiliated/chris/x-9333407> has quit IRC (Quit: ZNC - http://znc.in)[22:00:01] *** chris|_ is now known as chris|[22:04:26] <ThiefMaster> is there any way to use virtual aliases to discard an email (e.g. for a noreply address)?[22:05:50] <lunaphyte> that doesn't really make sense[22:06:03] <lunaphyte> for starters, you don't accept mail and then discard it[22:06:12] <lunaphyte> that is fundamentally flawed[22:06:21] <lunaphyte> !tell ThiefMaster mantras[22:06:21] <knoba> ThiefMaster: "mantras" : 1. do not accept mail that you do not intend to deliver. 2. do not drop mail. 3. do not use wildcards or catchalls. 4. do not forward mail to outside/third party systems[22:06:51] <ThiefMaster> isn't that common behavior for noreply@* addresses? (i agree that it's a bad idea for anything else)[22:07:02] <ThiefMaster> hm actually, i guess clean reject for noreply makes more sense[22:07:34] <lunaphyte> it doesn't matter if it's common [i'd imagine you'd find it isn't anyway][22:07:43] <lunaphyte> yes, simply reject it[22:09:34] <ThiefMaster> i was thinking that this might be a problem when using smtpd_reject_unlisted_sender but obviously i'd only set that on the submission port -- and any application on the server that needs to send emails would use a separate port where it can send without sender verification (and possibly even without smtp auth)[22:10:30] <lunaphyte> i would not use smtpd_reject_unlisted_sender period[22:11:00] *** Zilon <Zilon!~Zilon@www.schem.me> has joined #postfix[22:11:20] <patdk-lap> using a noreply address is a BAD idea to start with, and a HORRIBLE idea[22:11:34] <patdk-lap> it breaks your handling of non-delievery[22:11:35] <lunaphyte> it doesn't apply to the mx service anyway, and there are better ways to accomplish the actual goal wrt submission[22:12:18] <ThiefMaster> what would these better ways be?[22:12:27] <Zilon> hello, anyone having trouble receiving mails from GMX?[22:12:52] <ThiefMaster> i trust my few users enough to allow any sender address, BUT there is one who actually wants this restriction: he's using different email addresses for different recipients and has the default address in his MUA set to invalid at mydomain dot com so he can't accidentally send an email without using a valid address[22:13:23] <ThiefMaster> and considering how gibberish-y some of his valid addresses are it's better since with verification failing he'll immediately see he made a typo instead of sending an email where replies will bounce[22:13:35] <lunaphyte> ThiefMaster: use reject_sender_login_mismatch[22:13:55] <lunaphyte> do NOT "allow any sender address". that is bad bad bad[22:14:08] <lunaphyte> it has nothing to do with trust[22:14:15] <patdk-lap> and just don't allow his *invalid* one to send[22:14:37] <lunaphyte> people should NOT be using your submission service for OTHER email addresses[22:14:43] <ThiefMaster> ah, and reject_sender_login_mismatch and then smtpd_sender_login_maps pointing to a SQL query that loads the valid sender addresses?[22:14:52] <lunaphyte> however you like[22:16:56] <ThiefMaster> thx all of you for being super helpful btw! feels like moving from exim to postfix was a good decision :)[22:17:38] *** madduck <madduck!~madduck@debian/developer/madduck> has quit IRC (Remote host closed the connection)[22:18:39] <patdk-lap> zilon, not that I know of :)[22:28:42] *** 59NAAGBNY <59NAAGBNY!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[22:28:42] *** 92AAAJXXX <92AAAJXXX!~quassel@187-163-219-201.static.axtel.net> has joined #postfix[22:31:54] *** infides_afk <infides_afk!~infides@p4FE75272.dip0.t-ipconnect.de> has quit IRC (Ping timeout: 240 seconds)[22:40:46] *** iGeni <iGeni!~textual@50702E2F.cm-14.dynamic.ziggo.nl> has quit IRC (Quit: My iMac has gone to sleep. ZZZzzz…)[22:45:56] *** dargains <dargains!~dargains@179.179.164.238> has joined #postfix[23:00:20] *** Death_rattle_ <Death_rattle_!~death@p5DC9A7BD.dip0.t-ipconnect.de> has quit IRC (Remote host closed the connection)[23:12:00] *** madduck <madduck!~madduck@debian/developer/madduck> has joined #postfix[23:21:58] *** mcfate <mcfate!~textual@174-134-145-16.res.bhn.net> has quit IRC (Ping timeout: 255 seconds)[23:23:17] *** zokum_ <zokum_!~zokum@188.51-174-52.customer.lyse.net> has joined #postfix[23:25:43] *** zokum <zokum!~zokum@188.51-174-52.customer.lyse.net> has quit IRC (Ping timeout: 255 seconds)[23:39:35] *** TAARs <TAARs!~user@unaffiliated/taars> has quit IRC (Quit: Quit)[23:42:38] *** TAARs <TAARs!~user@unaffiliated/taars> has joined #postfix[23:43:50] <Zilon> fixed it already. I had to update one of my tlsa entries...[23:48:46] <ThiefMaster> beautiful, now i have a SQL query that recursively resolves aliases to mailbox names so i can get the list of smtp auth usernames (=mailbox names) allowed to send emails for an alias[23:48:59] <ThiefMaster> recursive postgres CTEs to the rescue! ;)[23:52:23] *** madduck <madduck!~madduck@debian/developer/madduck> has quit IRC (Remote host closed the connection)[23:52:45] *** madduck <madduck!~madduck@debian/developer/madduck> has joined #postfix[23:55:34] *** higuita <higuita!~higuita@2a01:240:fe00:82a7:ec72:50ff:fe96:f291> has quit IRC (Ping timeout: 264 seconds)