March 18, 2019 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
March 18, 2019 [00:01:52] *** epony <epony!~epony@unaffiliated/epony> has quit IRC (Quit: QUIT)[00:32:52] *** TheFatherMind- is now known as TheFatherMind[01:20:32] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has joined #postfix[01:21:53] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[01:30:15] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 246 seconds)[01:32:58] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has quit IRC (Quit: Ex-Chat)[01:52:20] <pj> !easy_dmarc[01:52:20] <knoba> pj: "easy_dmarc" : If you just need a DMARC policy to help satisfy ESP recommendations you can use this to basically tell servers not to enforce DMARC on your mail: _dmarc.example.com. TXT "v=DMARC1;p=none;adkim=r;aspf=r;pct=0"[02:16:25] *** lecoder <lecoder!~lecoder@unaffiliated/lecoder> has joined #postfix[02:16:53] <lecoder> so has anyone else had issues getting postfix working with virtual domains?[02:17:08] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 272 seconds)[02:17:34] <lecoder> I'm trying to get a server going with about a dozen low-traffic domains sharing it for email, and I'm using postfix+dovetol+postfixadmin[02:18:49] <lecoder> and everything seems to work great aside from emails seemingly getting bounce with 550 user (sometimes domain) doesn't exist messages (even after setting it to use 450 instead) and a potentially more minor issue of not being able to serve up a different ssl cert for each domain's mail.* address[02:19:24] <lecoder> anyone have any thoughts on the issue? this is my first time building out a non-Exchange email server, so I'm probably missing something stupid[02:19:31] <lecoder> (sendmail is already uninstalled as well)[02:19:36] *** Bebef <Bebef!sbreit@phobos.bebef.de> has quit IRC (Read error: Connection reset by peer)[02:20:45] *** Bebef <Bebef!sbreit@phobos.bebef.de> has joined #postfix[02:21:08] *** BoomerBile <BoomerBile!~MetaPhaze@96-42-197-150.dhcp.roch.mn.charter.com> has quit IRC (Quit: Pidgin ate Hexchat! Now what do I do!?)[02:48:28] <lunaphyte> !tell lecoder getting_help[02:48:28] <knoba> lecoder: "getting_help" : before asking your question, read the !relevant_logs and !showconfig factoids, and prepare a single pastebin containing all of that data. if you don't understand what this means, or if you need help doing this, please let us know. also see !pastebin[03:37:32] *** MACscr <MACscr!~MACscr@c-98-215-100-46.hsd1.il.comcast.net> has quit IRC (Quit: Textual IRC Client: www.textualapp.com)[03:47:27] *** namyzarc <namyzarc!~namyzarc@c-73-187-86-216.hsd1.pa.comcast.net> has quit IRC (Quit: Leaving)[04:21:52] <pinPoint> Fire-Dragon-DoL: good! That is awesome[04:42:31] *** JPT <JPT!~jpt@classified.name> has quit IRC (Remote host closed the connection)[04:53:18] *** JPT <JPT!~jpt@classified.name> has joined #postfix[05:05:20] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[05:06:48] *** Brilpikk3wyn <Brilpikk3wyn!~Segfault0@unaffiliated/segfault0x40> has joined #postfix[05:26:48] *** MACscr <MACscr!~MACscr@c-98-215-100-46.hsd1.il.comcast.net> has joined #postfix[05:35:45] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[05:36:32] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has joined #postfix[05:45:08] *** Bahhumbug <Bahhumbug!jrd@psychotic/admin/jrd> has left #postfix[06:03:42] *** yoink <yoink!~yoink@unaffiliated/yoink> has quit IRC (Ping timeout: 252 seconds)[06:03:45] *** Bahhumbug <Bahhumbug!jrd@psychotic/admin/jrd> has joined #postfix[06:24:05] *** Brilpikk3wyn <Brilpikk3wyn!~Segfault0@unaffiliated/segfault0x40> has quit IRC (Remote host closed the connection)[06:37:12] *** led_dark_1 <led_dark_1!~Thunderbi@217.66.160.14> has quit IRC (Quit: led_dark_1)[06:41:49] *** xjsx <xjsx!~xjsxxx@unaffiliated/pokergod> has quit IRC (Quit: Leaving)[07:00:03] <pinPoint> So on the topic of postscreen. Could it theoretically block attemps such as these before fail2ban(being log based) picks-up on them? "Mar 13 15:45:08 mail postfix/submission/smtpd[16508]: lost connection after CONNECT from ip59.ip-151-80-9.eu[151.80.9.59]"[07:00:16] <pinPoint> that is a banned entry from fail2ban.[07:26:45] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Read error: Connection reset by peer)[07:29:21] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has quit IRC (Ping timeout: 246 seconds)[07:40:47] *** epony <epony!~epony@unaffiliated/epony> has joined #postfix[08:03:59] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has joined #postfix[08:19:06] <pj> pinPoint: postscreen logs what it does. fail2ban works by reading the logs. I'm sure you can figure out the rest.[08:23:44] *** stenrose <stenrose!~martin@martin.ilait.se> has quit IRC (Remote host closed the connection)[08:24:26] *** random_yanek <random_yanek!~random_ya@87.116.237.230> has quit IRC (Quit: random_yanek)[08:25:02] *** stenrose <stenrose!~martin@martin.ilait.se> has joined #postfix[08:25:04] *** random_yanek <random_yanek!~random_ya@87.116.237.230> has joined #postfix[08:25:05] *** random_yanek <random_yanek!~random_ya@87.116.237.230> has quit IRC (Max SendQ exceeded)[08:25:44] *** johnny56 <johnny56!johnny56@unaffiliated/johnny56> has quit IRC (Ping timeout: 272 seconds)[08:26:49] *** random_yanek <random_yanek!~random_ya@87.116.237.230> has joined #postfix[08:28:00] *** johnny56 <johnny56!johnny56@unaffiliated/johnny56> has joined #postfix[08:41:56] *** Noti <Noti!~steffan@ip4da40774.direct-adsl.nl> has joined #postfix[08:42:13] *** Olipro <Olipro!~Olipro@uncyclopedia/pdpc.21for7.olipro> has quit IRC (Ping timeout: 258 seconds)[09:08:49] *** Brilpikk3wyn <Brilpikk3wyn!~Segfault0@unaffiliated/segfault0x40> has joined #postfix[09:09:07] *** Brilpikk3wyn is now known as Pikk3wyn[09:10:46] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[09:21:07] *** gislaved <gislaved!b9e814ec@gateway/web/cgi-irc/kiwiirc.com/ip.185.232.20.236> has quit IRC (Ping timeout: 246 seconds)[09:30:31] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[09:34:44] *** Sylhouet1e <Sylhouet1e!~johan@62.12.9.66> has quit IRC (Remote host closed the connection)[09:41:03] *** aniketh <aniketh!uid171160@gateway/web/irccloud.com/x-egyxhmmghwpmbjvn> has joined #postfix[09:41:19] *** Pikk3wyn <Pikk3wyn!~Segfault0@unaffiliated/segfault0x40> has quit IRC (Read error: Connection reset by peer)[09:44:42] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[09:45:03] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has joined #postfix[09:46:11] *** Pikk3wyn <Pikk3wyn!~Segfault0@unaffiliated/segfault0x40> has joined #postfix[09:50:37] *** Noti <Noti!~steffan@ip4da40774.direct-adsl.nl> has quit IRC (Quit: Konversation terminated!)[10:06:09] *** Pikk3wyn <Pikk3wyn!~Segfault0@unaffiliated/segfault0x40> has quit IRC (Remote host closed the connection)[10:14:08] *** DTZUZU <DTZUZU!~DTZUZU@S0106bcd16584b0aa.vs.shawcable.net> has quit IRC (Ping timeout: 268 seconds)[10:14:45] *** DTZUZO <DTZUZO!~DTZUZO@S0106bcd16584b0aa.vs.shawcable.net> has quit IRC (Ping timeout: 268 seconds)[10:37:19] *** DTZUZU <DTZUZU!~DTZUZU@S0106bcd16584b0aa.vs.shawcable.net> has joined #postfix[10:38:14] *** DTZUZO <DTZUZO!~DTZUZO@S0106bcd16584b0aa.vs.shawcable.net> has joined #postfix[10:49:38] <tibyke> it I update header_checks does it need a reload of postfix or the daemon reloads it every now and then?[10:53:32] <tibyke> " If you change a regexp:, pcre:, cidr: or texthash: file then Postfix may not pick up the file changes immediately. This is because a Postfix process reads the entire file into memory once and never examines the file again. "[10:53:41] <tibyke> but thats not too specific[11:17:20] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has joined #postfix[11:21:56] *** rsx <rsx!~rsx@ppp-188-174-151-218.dynamic.mnet-online.de> has joined #postfix[11:28:27] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[11:30:43] *** gislaved <gislaved!b9e814ec@gateway/web/cgi-irc/kiwiirc.com/ip.185.232.20.236> has joined #postfix[11:32:21] *** Panther_1 <Panther_1!~rherold@messaging.insecure.pw> has joined #postfix[11:32:50] <Panther_1> hi can it be that postfix does sender verify only against primary mx servers?[11:37:11] <tuxick> huh?[11:37:45] <tuxick> my crystal ball is at work, what on earth do you mean?[11:42:47] *** aniketh <aniketh!uid171160@gateway/web/irccloud.com/x-egyxhmmghwpmbjvn> has quit IRC ()[11:47:27] <Panther_1> tuxick: I have enabled sender_verify and I see that it fails for account-security-noreply at accountprotection dot microsoft.com[11:47:57] <Panther_1> tuxick: accountprotection.microsoft.com has 5 mx servers but postfix tested the verify only agains four[11:48:13] <Panther_1> tuxick: thix four have prio 5 and the last one has prio 10[11:48:29] <Panther_1> tuxick: the prio 5 are not reachable[11:53:42] <tuxick> what are you expecting sender verify to do for you?[11:56:35] <tuxick> sounds to me like a thing from a dark past[11:58:45] <Panther_1> tuxick: try all mx servers with the limit from smtp_mx_address_limit[11:59:00] <Panther_1> tuxick: exim for example did os[11:59:59] <Panther_1> tuxick: or make it configurable[12:00:18] <Panther_1> tuxick: but *only* checking the mx with the lowest prio sounds lame[12:02:37] <tuxick> you mean there's still servers allowing VRFY?[12:03:45] <Panther_1> tuxick: no vrfy look for reject_unverified_sender[12:05:39] <tuxick> still sounds to me like a thing from 40 years ago[12:06:48] <Panther_1> tuxick: no it'S nothing uncommon[12:06:56] <Panther_1> tuxick: outside the postfix world[12:07:20] <Panther_1> tuxick: but this could be cause implementation on postfix[12:08:23] <tuxick> i really don't see the added value[12:08:54] <Panther_1> tuxick: it'S a simple reliable way to verify that the sender address exists with cache it hurts nobody[12:09:21] *** gislaved <gislaved!b9e814ec@gateway/web/cgi-irc/kiwiirc.com/ip.185.232.20.236> has quit IRC (Ping timeout: 246 seconds)[12:09:23] <Panther_1> tuxick: you can do it on smtp time and throw so a bunch of spam and non bounceable mails away[12:09:51] <Panther_1> tuxick: just befor you do expensive checks like dkim and so on[12:10:22] <tuxick> sounds like a job for the spamfilter[12:10:32] <tuxick> mine keeps several such lists[12:10:56] <Panther_1> tuxick: yes but then you have it allready in your system[12:11:04] <Panther_1> tuxick: this is done during smtp time[12:11:15] <Kelsar> since most spam comes with existing adresses anyways...[12:11:45] <Panther_1> Kelsar: seeing in my statistics still a lot that comes from existing domains but nit existing addresses[12:11:46] <Kelsar> it doesn't really filter anything, which wouldn't be filtered by SPF and co anyways[12:12:27] <Panther_1> Kelsar: SPF is a point but there are still massiv amount of domains without spf[12:12:58] <Panther_1> Kelsar: and all other stuff is running after your smtp has accepted the mail[12:12:59] <Kelsar> That is why many big ISPs just reject those[12:13:11] <Kelsar> Panther_1: i run all spam filtering while the smtp session runs[12:13:53] <Panther_1> Kelsar: Hope you have your timeouts in controll for example a valid dns respons can took more the a week and it is still valid if you look inside the dns protocol[12:13:57] <Kelsar> I am in germany, if i take the mail, i can't drop it anymore[12:14:21] <Panther_1> Kelsar: yes you can only mark and sort[12:14:33] <Kelsar> that is useless[12:14:45] <tuxick> spam filtering after accepting is just crazy[12:14:49] <Kelsar> true[12:15:21] <bhuddah> then don't accept before filtering?[12:15:52] <tuxick> yeah, just don't accept! that'll teach the spammers![12:16:16] <Panther_1> Kelsar: What did you do with large complicated mails? The one how needs minutes to parse?[12:16:27] <Kelsar> Panther_1: get better HW[12:16:28] <tuxick> minutes??[12:16:42] <Panther_1> tuxick: yes multi stage attachments and so on[12:16:44] <Kelsar> even a 100MB mail won't take minutes[12:16:46] <bhuddah> nothing takes minutes to parse.[12:16:59] <tuxick> i don't accept 100MB mail[12:17:13] <tuxick> it's no bloody filesharing site[12:17:27] <Panther_1> Kelsar: 100MB mail massiv compressed an end up in serveral Gigabyte's to scan[12:17:32] <Kelsar> and in the rare case a mailserver could be loaded, well, come back later[12:17:52] <tuxick> 100MB spam would be pretty crazy anyway[12:17:54] <Kelsar> Panther_1: that won't be useable data, in doubt, kick it[12:18:23] <Panther_1> Kelsar: there would take a look to large organisations that sizer are pretty normal[12:18:24] <Kelsar> Can even tell the sender to use a filesharing service or something[12:18:41] *** Noti <Noti!~steffan@ip4da40774.direct-adsl.nl> has joined #postfix[12:18:49] <Kelsar> Panther_1: no, most large company i worked with don't allow large attachments at all[12:18:56] <Kelsar> many don't allow attachments at all[12:19:05] <tuxick> because windows[12:19:14] <tuxick> too many attack vectors :)[12:20:39] *** Panther_1 <Panther_1!~rherold@messaging.insecure.pw> has left #postfix ("Client exiting")[12:33:36] *** section1 <section1!~section1@178.33.109.106> has joined #postfix[12:53:43] *** gislaved <gislaved!b9e814ec@gateway/web/cgi-irc/kiwiirc.com/ip.185.232.20.236> has joined #postfix[12:54:41] *** max-m <max-m!~max-m@2a01:4f8:150:6153:beef::6667> has quit IRC (Quit: Ping timeout: 480 seconds)[12:54:41] *** TimWolla <TimWolla!~timwolla@2a01:4f8:150:6153:beef::6667> has quit IRC (Quit: Bye)[12:54:56] *** max-m <max-m!~max-m@2a01:4f8:150:6153:beef::6667> has joined #postfix[12:57:15] *** TimWolla <TimWolla!~timwolla@2a01:4f8:150:6153:beef::6667> has joined #postfix[13:02:46] *** yoink <yoink!~yoink@unaffiliated/yoink> has joined #postfix[13:31:05] *** Gaaab <Gaaab!~Gaaab@87.18.34.103> has quit IRC (Remote host closed the connection)[13:33:19] *** somepoortech <somepoortech!~somepoort@72.12.70.165> has quit IRC (Ping timeout: 268 seconds)[13:33:36] *** Gaaab <Gaaab!~Gaaab@milik.frozenstar.info> has joined #postfix[13:34:08] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Read error: Connection reset by peer)[13:34:31] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[13:45:10] *** somepoortech <somepoortech!~somepoort@72.12.70.165> has joined #postfix[13:53:05] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[13:53:31] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has joined #postfix[13:55:58] *** robinho86 <robinho86!~robsonjf@191.36.239.241> has joined #postfix[14:08:52] *** alexandre9099 <alexandre9099!~alexandre@unaffiliated/alexandre9099> has quit IRC (Ping timeout: 255 seconds)[14:14:25] *** alexandre9099 <alexandre9099!~alexandre@unaffiliated/alexandre9099> has joined #postfix[14:22:19] *** independence <independence!independen@gateway/shell/blinkenshell.org/x-nijjggrvyxdrnqnn> has left #postfix[15:22:48] *** edux <edux!~edux@190.247.46.25> has joined #postfix[15:24:48] <rob0> !tell pinPoint postscreen_dnsbl_whitelist_threshold[15:24:48] <knoba> rob0: Error: No factoid matches that key.[15:25:15] <rob0> hmm, see postconf.5.html#postscreen_dnsbl_whitelist_threshold and find it in:[15:25:19] <rob0> !postscreen[15:25:20] <knoba> rob0: "postscreen" : SMTP triage server available since Postfix 2.8, see http://www.postfix.org/POSTSCREEN_README.html and http://www.postfix.org/postscreen.8.html[15:26:19] <rob0> The problem you mentioned in ##email goes away with this and[15:26:24] <rob0> !dnswl[15:26:24] <knoba> rob0: "dnswl" : http://www.dnswl.org The DNS Whitelist protects against false positives from known good senders[15:27:36] <rob0> Professionally-run sites are all DNSWL-listed; ones that are not listed are usually small enough to retry from the same IP address.[15:27:45] <lecoder> is it possible to configure proxies for postfix such that you can host several virtual domains on one IP address with a domain-specific cert for each?[15:28:15] <thumbs> lecoder: why?[15:28:33] <rob0> I haven't had any "greylisting delay" complaints in years.[15:29:01] <lecoder> thumbs: so each domain user could have a mail.domain.tld specific to them[15:29:37] <rob0> lecoder, why? Why do you think this is important?[15:29:45] <lecoder> currently I can set it to a single cert for all SMTP traffic with auth, but if I have mail.domain1.com as the cert then mail.domain2.com gets cert errors in the email clients[15:29:45] *** edux__ <edux__!~edux@190.247.46.25> has joined #postfix[15:30:05] <lecoder> so that different clients don't have to see other domains[15:30:30] <rob0> For user submission, give out the main, generic hostname.[15:30:56] <lecoder> if you have customer1.com and customer2.com you don't want customer 1 using customer 2's domain or visa versa, and it looks more personalized if you have a cert for each such that they aren't using yourcompany.com to send email[15:31:02] *** edux__ is now known as edux_[15:31:30] <rob0> Large-scale hosting operations don't do what you're describing.[15:32:08] *** edux <edux!~edux@190.247.46.25> has quit IRC (Ping timeout: 245 seconds)[15:32:15] <lecoder> also, and I'm not an expert on email so this could be completely off-base, don't mail servers check that sometimes when sending to a location (or do they just dump it without rejecting certs at whatever IP the MX record indicates? -- I'm still not clear on that point)[15:32:31] *** Noti <Noti!~steffan@ip4da40774.direct-adsl.nl> has quit IRC (Quit: Konversation terminated!)[15:32:52] <rob0> SMTP clients (MTAs as client, that is) do not validate TLS certs.[15:33:15] <lecoder> hmm ok[15:33:41] <lecoder> so I guess this is going to end up a more "how do I do multiple certs in dovecot" question, which seems to have some more info via google[15:33:46] *** magyar <magyar!~magyar@unaffiliated/magyar> has joined #postfix[15:34:18] <rob0> Dovecot has a channel, btw, #dovecot[15:34:36] <lecoder> yeah, not going to pester you all with dovecot questions - was more thinking aloud there[15:34:53] <rob0> So did this kind of thing work, or appear to work, in MSexchange?[15:35:28] <lecoder> I've only ever run a single email server per domain before[15:35:46] <lecoder> never tried to stack a dozen virtual domains into a single server+ip before[15:36:04] <rob0> !sni[15:36:04] <knoba> rob0: Error: "sni" is not a valid command.[15:36:38] <rob0> SNI support (and in fact, the standard itself) is very new.[15:37:15] <rob0> Postfix 3.4, I think, and that's about a month old.[15:38:06] <rob0> It's not widely supported in MUAs nor MTAs, and won't be, for many years.[15:44:30] <colo-work> SNI was spec'd in 2003 or so[15:44:57] <colo-work> https://tools.ietf.org/html/rfc3546#section-3.1[15:48:19] *** edux_ is now known as edux[15:49:56] <Kelsar> colo-work: but not for smtp[15:50:13] <Kelsar> colo-work: it is a tls extension, it is technical optional[15:50:18] <colo-work> well, yeah but SNI is s a TLS feature at heart.[15:51:14] <Kelsar> and frankly, it does not make whole much sense with smtp at all[15:51:19] <rob0> And well suited to the way things are done in HTTP, so it's widely deployed there. Not so for SMTP.[15:51:56] <colo-work> I agree :) I was just contesting the notion that SNI was new.[15:52:14] <Kelsar> It is new in smtp[15:52:21] <colo-work> but some things, like renaming SSL to TLS, will always remain "new" on the net, I guess :)[15:58:40] *** ghoti <ghoti!ghoti@dev-160.experiencepoint.com> has joined #postfix[16:02:56] <Kelsar> it will be called ssl for generations[16:05:16] <colo-work> as long as you'll be able to "buy SSL encryption" somewhere, yeah[16:10:20] <lunaphyte> there's a reason why the proper term to use is simply "encryption" :)[16:10:31] <lunaphyte> then, terms don't need to change when technology evolves[16:13:01] <pinPoint> rob0: yeah I read that whole page last night after seeing the topic discussed earlier during the day. Thanks.[16:13:42] <pinPoint> read your configs here too :http://rob0.nodns4.us/postscreen.html will probably implement something later on my test boxes for testing.[16:18:43] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has joined #postfix[16:23:44] *** led_dark_1 <led_dark_1!~Thunderbi@217.66.160.14> has joined #postfix[16:32:40] *** edux <edux!~edux@190.247.46.25> has quit IRC (Remote host closed the connection)[16:36:53] *** edux <edux!~edux@190.247.46.25> has joined #postfix[16:43:48] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 245 seconds)[16:52:57] *** hjjg_ <hjjg_!~hg@p5B221B5E.dip0.t-ipconnect.de> has joined #postfix[16:55:33] *** hjjg_ <hjjg_!~hg@p5B221B5E.dip0.t-ipconnect.de> has left #postfix[16:55:48] *** hjjg <hjjg!~hg@p5B221B5E.dip0.t-ipconnect.de> has joined #postfix[16:57:02] <hjjg> Hi folks! Is there a way to get numbers on used TLS connections vs. unencrypted delivery? I found saftsumm, a perl script. CPAN installed dependencies for like 30 minutes just to tell me that saftsumm could not be installed. I then tried to do it myself by using some command line magic, but I did not succeed.[16:58:12] <rob0> On the Postfix side you need two non-default settings:[16:58:14] <hjjg> Unfortunately the TLS socket information in my mail log does not contain the message id.[16:58:39] <rob0> !smtpd_tls_loglevel[16:58:39] <knoba> rob0: "smtpd_tls_loglevel" : enable additional postfix smtp server logging of tls activity. each logging level also includes the information that is logged at a lower logging level.[16:58:48] <rob0> !smtp_tls_loglevel[16:58:48] <knoba> rob0: "smtp_tls_loglevel" : Enable additional Postfix smtp(8) client logging of TLS activity, default 0, 1 is a good operational setting. Each logging level also includes the information that is logged at all lower logging levels.[16:59:00] <rob0> both should be set to 1[16:59:30] <pinPoint> fail2ban actually captured logs with clean IPs from OVH. I guess I need to do this differently.[16:59:41] <rob0> this might help to get the information you are after:[16:59:47] <rob0> !pflogsumm[16:59:47] <knoba> rob0: "pflogsumm" : a perl script to analyse your mail log file and generate nice reports. See: http://jimsun.linxnet.com/postfix_contrib.html (metalog users see the !mpflogsumm factoid)[17:00:29] <rob0> There is no message-id yet, at the time of TLS negotiation.[17:02:06] <rob0> The only choice is to parse logs to link connections with mails.[17:02:25] <rob0> oh, duh, then there's what I did some time back:[17:03:12] <rob0> A smtpd restriction, "warn_if_reject reject_plaintext_session"[17:03:53] <rob0> that would get you all non-TLS connections logged[17:04:53] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[17:05:34] <rob0> I discovered at the time that there's not much non-TLS mail. Some ESPs didn't bother with TLS (not spam, but COI bulk mail.)[17:05:41] <hjjg> rob0: thank you very much for the input![17:05:57] <rob0> ymmv, depending who sends you mail, of course[17:06:29] <hjjg> Would be enough to see that on outgoing mails[17:07:54] <rob0> oh, there are no restrictions, outgoing[17:11:10] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 246 seconds)[17:25:50] *** Blubberbop <Blubberbop!~quassel@189.210.119.176> has joined #postfix[17:27:03] <lunaphyte> there's also the correlate script which can help with exercises like this[17:28:01] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[17:28:21] *** GeneralSpongebob <GeneralSpongebob!~IRC@cpc127156-mapp14-2-0-cust83.12-4.cable.virginm.net> has joined #postfix[17:29:08] *** kurkale6ka <kurkale6ka!~kurkale6k@84.45.99.125> has joined #postfix[17:33:28] *** god^u <god^u!50a903fe@gateway/web/freenode/ip.80.169.3.254> has joined #postfix[17:34:30] *** catern <catern!~catern@catern.com> has left #postfix ("Using Circe, the loveliest of all IRC clients")[17:35:07] *** god^u <god^u!50a903fe@gateway/web/freenode/ip.80.169.3.254> has left #postfix[17:36:56] *** godu <godu!50a903fe@gateway/web/freenode/ip.80.169.3.254> has joined #postfix[17:37:29] *** kurkale6ka <kurkale6ka!~kurkale6k@84.45.99.125> has quit IRC (Quit: WeeChat 2.4)[17:38:26] <godu> !welcome[17:38:26] <knoba> godu: "welcome" : Welcome to #postfix! If you're new here, or to IRC, first read the channel topic (/topic). It has important instructions on how to ask good questions. You will get more and better help if you follow those instructions. Good Luck![17:38:47] <godu> re[17:42:57] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[17:43:01] <godu> Hi all, my question is not strongly postfix related so please don't shitlistme. Have you guys seen an update recently that is enforcing the RFC2822 more strictly in postfix by default? More specifically the RFC2822 rule about CR LF in the message header.[17:45:16] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[17:48:12] <tuxick> can't imagine[17:53:09] *** Diemuzi <Diemuzi!~diemuzi@unaffiliated/diemuzi> has joined #postfix[17:53:54] <godu> I see, would anyone able to help me interpret a message header to confirm my suspicion that it contains a lone CR or LF char as I am not an expert of this.[17:54:23] <rob0> You'd probably do better by showing what you have seen, then we might be able to explain what happened.[17:55:11] <godu> so one big provider mail server is bouncing our emails with 5.0.0 smtp; 5.3.0 - Other mail system problem 550-'5.6.0 Lone CR or LF in headers[17:56:08] <godu> this is started as of today morning and we have not changed anything so I suspect they tightened security to RFC. what is fair enough.[17:57:38] <godu> I have sent an email to my personal mail server to see the header and I suspect I found the problematic part. If someone could confirm that I am happy to go down that road how to remove it from the header. Otherwise it may be just a huge waist of time for me.[17:59:42] <rob0> this is some kind of bulk mail sending?[18:00:09] <godu> no it is not. these are emails from our users to one recipient[18:00:49] <rob0> I would be inclined to ask the big provider about this rejection. It's possible they did it wrong.[18:01:52] <godu> rob0: absolutly right and I have already emails postmaster but not expecting a fast response. their support refused to help as we are not a customer[18:02:02] <rob0> What software generated these rejected mails?[18:02:13] <godu> it's rackspace btw and we have already found to of our supplier who is using them[18:02:29] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[18:03:11] <godu> our mail server is an exchange 2013 + ironport combo. I do understand this is the postfix channel so any help with the RFC is much appreciated[18:03:41] <godu> and I do believe it is Microsoft who is not RFC compliant[18:03:56] *** robinho86 <robinho86!~robsonjf@191.36.239.241> has quit IRC (Quit: Leaving.)[18:04:40] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[18:04:48] <tuxick> haha[18:06:05] <rob0> Those rejections you shared do not look like Postfix; I don't know what Rackspace uses, but it sounds like they're relaying to something internal which is non-Postfix.[18:06:46] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[18:06:55] <rob0> Answer to your original question, no.[18:07:40] <rob0> A better place to follow up, since I can't see any Postfix involved at all, ##email[18:09:30] <godu> Thanks rob0. I do understand this question is not related to the channel. so I do appreciate any response. I just have been suggested that users here are top of the line when it comes to RFC[18:21:43] *** robinho86 <robinho86!~robsonjf@191.36.239.241> has joined #postfix[18:22:22] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has quit IRC (Quit: Ex-Chat)[18:24:17] *** Elisha <Elisha!~elisha@188-230-142-97.dynamic.t-2.net> has joined #postfix[18:28:47] *** DTZUZO <DTZUZO!~DTZUZO@S0106bcd16584b0aa.vs.shawcable.net> has quit IRC (Ping timeout: 245 seconds)[18:33:04] *** gislaved <gislaved!b9e814ec@gateway/web/cgi-irc/kiwiirc.com/ip.185.232.20.236> has quit IRC (Ping timeout: 246 seconds)[18:33:55] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has quit IRC (Quit: inabit. zz.)[18:43:20] *** Brilpikk3wyn <Brilpikk3wyn!~Segfault0@unaffiliated/segfault0x40> has joined #postfix[18:43:24] *** Brilpikk3wyn <Brilpikk3wyn!~Segfault0@unaffiliated/segfault0x40> has quit IRC (Client Quit)[18:44:46] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has quit IRC (Quit: leaving)[18:45:15] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has joined #postfix[18:55:59] *** rsx <rsx!~rsx@ppp-188-174-151-218.dynamic.mnet-online.de> has quit IRC (Quit: rsx)[19:08:21] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has quit IRC (Quit: leaving)[19:08:42] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has joined #postfix[19:11:24] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has quit IRC (Client Quit)[19:11:56] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has joined #postfix[19:23:32] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has quit IRC (Ping timeout: 258 seconds)[19:26:13] <pj> godu: postscreen in general is flexible enough to work with multiple different line endings, but there is a postscreen test that checks specifically for CRLF, it is very possible that the server you connected to is running postscreen and has that test enabled.[19:26:37] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has joined #postfix[19:26:42] <pj> errr that should say "postfix in general..."[19:28:38] <rob0> postscreen can't check content, because it can't receive DATA[19:28:57] <pj> http://www.postfix.org/POSTSCREEN_README.html#barelf[19:29:08] <pj> rob0: it's an after-220 test[19:29:20] <rob0> in SMTP, but not in a message header[19:29:27] <pj> and that's right, but this isn't content.[19:29:32] <rob0> ok[19:30:06] <pj> oh, the message says "in headers" that's different. I think that might be a mis-interpretation of the RFC, but I could be wrong.[19:35:59] <pj> oh, sorry it is not, RFC 2822 does indeed require CRLF as the line ending for message content.[19:57:39] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has quit IRC (Ping timeout: 258 seconds)[19:58:48] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 245 seconds)[19:58:58] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has quit IRC (Ping timeout: 255 seconds)[19:59:07] *** gislaved <gislaved!b23fedfd@gateway/web/cgi-irc/kiwiirc.com/ip.178.63.237.253> has joined #postfix[19:59:33] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has joined #postfix[19:59:46] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[20:04:18] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 246 seconds)[20:04:26] *** TheFatherMind <TheFatherMind!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has quit IRC ()[20:06:10] *** samy1028 <samy1028!~samy1028c@mx.10.acs.entrustedmail.net> has joined #postfix[20:14:08] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Read error: Connection reset by peer)[20:25:50] *** gislaved <gislaved!b23fedfd@gateway/web/cgi-irc/kiwiirc.com/ip.178.63.237.253> has quit IRC (Ping timeout: 272 seconds)[20:26:34] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[20:27:55] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[20:31:34] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[20:32:54] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[20:34:20] *** section1 <section1!~section1@178.33.109.106> has quit IRC (Remote host closed the connection)[20:39:19] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[20:43:37] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 246 seconds)[20:49:46] *** gislaved <gislaved!b23fedfd@gateway/web/cgi-irc/kiwiirc.com/ip.178.63.237.253> has joined #postfix[20:52:59] *** Blubberbop <Blubberbop!~quassel@189.210.119.176> has quit IRC (Ping timeout: 245 seconds)[21:21:03] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has joined #postfix[21:22:52] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has quit IRC (Client Quit)[21:23:30] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[21:31:24] *** phoenixz <phoenixz!~quassel@mx1.capmegamail.com> has joined #postfix[21:34:24] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[21:35:42] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[21:44:16] *** shibboleth <shibboleth!~shibbolet@gateway/tor-sasl/shibboleth> has joined #postfix[21:48:36] *** Olipro <Olipro!~Olipro@2001:8b0:14a7:1b24::1> has joined #postfix[21:48:36] *** Olipro <Olipro!~Olipro@2001:8b0:14a7:1b24::1> has quit IRC (Changing host)[21:48:36] *** Olipro <Olipro!~Olipro@uncyclopedia/pdpc.21for7.olipro> has joined #postfix[21:48:48] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 250 seconds)[21:58:39] *** shibboleth <shibboleth!~shibbolet@gateway/tor-sasl/shibboleth> has quit IRC (Quit: shibboleth)[21:59:14] *** FinboySlick <FinboySlick!~shark@74.117.40.10> has quit IRC (Quit: Leaving.)[22:04:11] *** edux <edux!~edux@190.247.46.25> has quit IRC (Quit: Leaving...)[22:07:40] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[22:10:32] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[22:10:48] *** zapata_ <zapata_!~zapata@2a02:b18:581:10:500d:a3f:9205:8977> has joined #postfix[22:11:05] *** n_1-c_k <n_1-c_k!~nick@2a02:8010:63a6::70> has joined #postfix[22:11:49] *** zapata <zapata!~zapata@2a02:b18:581:10:c39:277:d1ea:1069> has quit IRC (Ping timeout: 258 seconds)[22:17:18] *** epony <epony!~epony@unaffiliated/epony> has quit IRC (Ping timeout: 272 seconds)[22:20:29] *** kale <kale!~kale@smtp.kallenberg.dk> has joined #postfix[22:22:04] <kale> hi, we have a bunch of customers that we send emails for. many of them have not configured their SPF record. will it be possible to set postfix up to use relay A if SPF is correct and relay B if SPF is not correct?[22:23:13] *** epony <epony!~epony@unaffiliated/epony> has joined #postfix[22:23:54] *** ddBz_ <ddBz_!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 250 seconds)[22:57:58] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has joined #postfix[23:10:06] *** Diemuzi <Diemuzi!~diemuzi@unaffiliated/diemuzi> has quit IRC (Quit: See you on the flip side!)[23:10:35] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has quit IRC (Remote host closed the connection)[23:11:50] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has joined #postfix[23:13:13] *** zapata_ is now known as zapata[23:17:25] *** sputnik <sputnik!kli0rf@unaffiliated/kli0rf> has joined #postfix[23:44:17] *** likewhoa <likewhoa!~likewhoa@s2.maserver.com> has quit IRC (Quit: speed of coding, not speed of code)[23:44:38] *** likewhoa <likewhoa!~likewhoa@s2.maserver.com> has joined #postfix[23:59:41] *** likewhoa <likewhoa!~likewhoa@s2.maserver.com> has quit IRC (Quit: speed of coding, not speed of code)