March 27, 2019 
< | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | >
March 27, 2019 [00:02:46] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 272 seconds)[00:04:25] *** gu1lle_ <gu1lle_!~Thunderbi@201.216.253.75> has quit IRC (Remote host closed the connection)[00:20:46] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 250 seconds)[00:20:51] *** cemotyz09 <cemotyz09!~cemotyz09@cpe-70-121-128-59.satx.res.rr.com> has joined #postfix[00:27:57] *** pppingme <pppingme!~pppingme@unaffiliated/pppingme> has quit IRC (Read error: Connection reset by peer)[00:28:36] *** pppingme <pppingme!~pppingme@unaffiliated/pppingme> has joined #postfix[00:46:19] *** AlexPortable <AlexPortable!uid7568@gateway/web/irccloud.com/x-pawzshawlckjvhxg> has quit IRC (Quit: Connection closed for inactivity)[00:56:35] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has quit IRC (Ping timeout: 258 seconds)[00:57:23] *** shibboleth <shibboleth!~shibbolet@gateway/tor-sasl/shibboleth> has quit IRC (Quit: shibboleth)[00:58:02] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has joined #postfix[01:09:31] *** shibboleth <shibboleth!~shibbolet@gateway/tor-sasl/shibboleth> has joined #postfix[01:11:48] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[01:33:13] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has quit IRC (Quit: inabit. zz.)[01:42:03] *** cemotyz09 <cemotyz09!~cemotyz09@cpe-70-121-128-59.satx.res.rr.com> has quit IRC (Quit: cemotyz09)[01:57:19] *** KNERD <KNERD!~KNERD@104.248.183.163> has quit IRC (Killed (Sigyn (Spam is off topic on freenode.)))[02:20:16] *** treefrob <treefrob!~treefrob@p57A96449.dip0.t-ipconnect.de> has quit IRC (Read error: Connection reset by peer)[02:20:27] *** Bebef <Bebef!sbreit@phobos.bebef.de> has quit IRC (Read error: Connection reset by peer)[02:21:31] *** Bebef <Bebef!sbreit@phobos.bebef.de> has joined #postfix[02:22:12] *** shibboleth <shibboleth!~shibbolet@gateway/tor-sasl/shibboleth> has quit IRC (Quit: shibboleth)[02:24:00] *** phoenixz <phoenixz!~quassel@unaffiliated/phoenixz> has quit IRC (Ping timeout: 272 seconds)[02:29:44] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[02:30:43] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has joined #postfix[02:30:57] *** phoenixz <phoenixz!~quassel@mail.capmega.com> has joined #postfix[02:37:13] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 255 seconds)[02:53:20] *** KNERD_ <KNERD_!~KNERD@104.248.183.163> has joined #postfix[03:02:52] *** KNERD_ <KNERD_!~KNERD@104.248.183.163> has left #postfix[03:08:51] *** hjjg <hjjg!~hg@p5B221B3D.dip0.t-ipconnect.de> has joined #postfix[03:11:54] *** hjjg_ <hjjg_!~hg@p5B221A13.dip0.t-ipconnect.de> has quit IRC (Ping timeout: 246 seconds)[03:15:43] *** Bebef <Bebef!sbreit@phobos.bebef.de> has quit IRC (Quit: Ping timeout (120 seconds))[03:17:35] *** Bebef <Bebef!sbreit@phobos.bebef.de> has joined #postfix[03:30:48] *** Dessa <Dessa!Dessa@kvirc/staff/Dessa> has quit IRC (Quit: ZNC - http://znc.in)[03:31:12] *** Dessa <Dessa!Dessa@pku74f0o.dip0.t-iqconnect.de> has joined #postfix[03:47:00] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has quit IRC (Quit: Ex-Chat)[04:25:44] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[04:27:23] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[05:49:48] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has joined #postfix[06:38:18] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[06:38:54] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has joined #postfix[06:48:54] *** phoenixz <phoenixz!~quassel@mail.capmega.com> has quit IRC (Ping timeout: 250 seconds)[06:49:17] *** led_dark_1 <led_dark_1!~Thunderbi@217.66.160.14> has quit IRC (Quit: led_dark_1)[06:51:57] *** led_dark_1 <led_dark_1!~Thunderbi@217.66.160.14> has joined #postfix[06:55:18] *** BoomerBile <BoomerBile!~MetaPhaze@96-42-197-150.dhcp.roch.mn.charter.com> has joined #postfix[07:05:45] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has quit IRC (Quit: leaving)[07:06:13] *** jimpop <jimpop!~jimpop@pdpc/supporter/professional/jimpop> has joined #postfix[07:32:08] *** [NoClan]GoAway <[NoClan]GoAway!~NoClan@195.138.249.4> has quit IRC (Read error: Connection reset by peer)[07:45:55] *** [NoClan]GoAway <[NoClan]GoAway!~NoClan@195.138.249.11> has joined #postfix[08:15:42] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[08:18:42] *** olspookishmagus <olspookishmagus!~pookie@snf-137798.vm.okeanos.grnet.gr> has joined #postfix[09:04:40] *** TheFatherMind- <TheFatherMind-!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has joined #postfix[09:05:27] *** TheFatherMind <TheFatherMind!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has quit IRC (Ping timeout: 245 seconds)[09:08:49] *** TheFatherMind <TheFatherMind!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has joined #postfix[09:09:43] *** TheFatherMind- <TheFatherMind-!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has quit IRC (Ping timeout: 246 seconds)[09:21:44] *** TheFatherMind <TheFatherMind!~TheFather@cpe-104-34-204-52.socal.res.rr.com> has quit IRC ()[09:35:11] <noefk> is it possible to have policies per source ip or network for things smtpd_client_connection_* settings? if I want to prioritise some hosts over others, can this be done?[09:39:01] *** knut__ <knut__!~knut@97.79-160-125.customer.lyse.net> has joined #postfix[09:39:01] *** NonICE <NonICE!~knut@97.79-160-125.customer.lyse.net> has quit IRC (Read error: Connection reset by peer)[09:41:12] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[09:46:56] *** ]SiB[1 <]SiB[1!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[09:46:57] *** knut__ <knut__!~knut@97.79-160-125.customer.lyse.net> has quit IRC (Read error: Connection reset by peer)[09:47:15] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has joined #postfix[09:48:44] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 250 seconds)[09:48:45] *** ]SiB[1 is now known as ]SiB[[09:49:03] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has quit IRC (Read error: Connection reset by peer)[09:49:14] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has joined #postfix[09:51:53] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has quit IRC (Read error: Connection reset by peer)[09:52:00] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has joined #postfix[09:57:33] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has quit IRC (Ping timeout: 245 seconds)[10:03:35] *** Non-ICE <Non-ICE!~knut@97.79-160-125.customer.lyse.net> has joined #postfix[10:09:42] *** elge <elge!~elge@ssd.nethence.com> has joined #postfix[10:09:58] <elge> meow. are there some online bayesian white/black word lists available?[10:10:40] <elge> would you consider applying bayesian anti-spam filtering be done at session level (aka milter)?[10:10:56] <elge> (note that this implies you can not use your user-base to actually teach the system...)[10:12:54] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has joined #postfix[10:17:41] <tuxick> elge: having per-user bayes is kinda pointless[10:18:14] <tuxick> 1) user is always wrong 2) it requires an awful lot of data[10:18:41] <tuxick> but you can use spamassin with milter[10:18:45] <tuxick> sa-milter[10:18:54] <tuxick> spamassassassin[10:19:44] <pj> I think there's a few different anti-spam products with baysian filtering, SA being one of them, and you would have to check with them to see which ones come with pre-trained lists.[10:21:37] <pj> tuxick: why would you say that per-user training is wrong? IMO that's really the best way to train baysian filters because every user has a different consideration of what constitutes SPAM or not to them, so one user may want to see the same types of content that another wants to avoid.[10:25:33] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 246 seconds)[10:30:17] <elge> tuxick, so sa has shared bayes lists for everyone?[10:31:19] <elge> 1. I would not consider per-user data to be much useful/efficient either, this is rather provider's job[10:31:34] <elge> 2. however there is no other way to train the facility other than from a user perspective.[10:32:18] <elge> 3. and if I block at milter time, well, we do not even get the true positive to actually further train the facility[10:32:41] <elge> (unless we keep a copy of it before filtering it, which is probably not implemented)[10:35:10] <pj> personally I avoid baysian filtering unless it's really needed. The vast majority of times there are other better ways to identify SPAM.[10:36:02] <Alver> I'd give a pretty penny to know how google does it. They rejected another mail *again* this week, even before submitting.[10:36:18] <Alver> From a locked down mailserver without forwards, all the tech in place, and the IP has been mine for years.[10:36:39] <Alver> Makes you wonder if they just do it to push people to abandon their own mail infra. :/[10:36:45] <pj> google's black box that seemingly dumps craptons of HAM into my Spam folder?[10:40:52] <pj> I think google is based largely on a combination of IP reputation and making sure things such as SPF, DKIM and DMARC are all correct as well as FCRDNS and several other metrics. Also based largely on metrics of users who open and read your mail and how often they manually put it in Spam, etc.[10:46:06] <tuxick> Alver: spammers would be pretty penny * 2 :)[10:46:09] <tuxick> would pay[10:47:00] <Alver> pj: that's what I don't get. The IP is mine, for a long time. It's fixed. DNS is in order. It doesn't forward. It has SPF, DKIM, DMARC in place. It's used for 95% by me only, for things that are 50+ percent business related.[10:47:13] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[10:47:16] <Alver> I fail to see any red flag anywhere, and yet... it happens, again and again.[10:47:23] <tuxick> elge: if you insist on using bayes, you need some way to centralise ham/spam reports from users[10:47:39] <tuxick> and check that before committing, because users are stupid[10:47:57] <tuxick> they'll report mails as spam because too lazy to unsubscribe[10:48:01] <tuxick> for example[10:48:05] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has joined #postfix[10:51:40] <elge> alver, MS's mail hosting is much worse. at least Google is enabling new standards and features, while the former just keeps its own error messages database to understand and crazy wide blacklist for you to be upset against (need to register!!!)[10:52:04] <Alver> elge: MS is better; I haven't had any mails blocked by them.[10:52:14] <Alver> Google is *loads* of false positives, for reasons completely unknown.[10:52:39] <elge> what is the return message?[10:52:49] <elge> usually its ipv6 SPF and shit[10:52:52] <elge> that is actually fine[10:53:13] <elge> I hate google, but I'm not sure their SMTP service sucks[10:53:19] <Alver> Yesterday they blocked the mail before it got there with a 550-5.7.1.[10:53:33] <Alver> Oh, it sucks. It sucks huge, sweaty hippopotamus testicles.[10:53:47] <elge> error code is one thing. the strings that follows matters more[10:53:56] <elge> if they used 5xx it means they are pretty sure of their policy[10:54:12] <Alver> Yep. Except it was again wrong.[10:54:22] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[10:54:31] <Alver> And the strings were the usual "we think it's spam, here's a link to our policies that actually give zero insights in what you tripped".[10:54:52] <elge> ooh I see, that sounds like the experience I had with MS[10:55:34] <elge> even worse if they do not say WHAT POLICY EXACTLY is implied.[11:03:05] *** led_dark_1 <led_dark_1!~Thunderbi@217.66.160.14> has quit IRC (Quit: led_dark_1)[11:06:14] *** led_dark_1 <led_dark_1!~Thunderbi@217.66.160.14> has joined #postfix[11:09:33] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[11:21:33] *** ]SiB[1 <]SiB[1!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[11:24:37] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 255 seconds)[11:24:37] *** ]SiB[1 is now known as ]SiB[[11:25:56] *** Olipro_ <Olipro_!~Olipro@6.123.2.81.in-addr.arpa> has joined #postfix[11:25:56] *** Olipro_ <Olipro_!~Olipro@6.123.2.81.in-addr.arpa> has quit IRC (Changing host)[11:25:56] *** Olipro_ <Olipro_!~Olipro@uncyclopedia/pdpc.21for7.olipro> has joined #postfix[11:26:01] *** Olipro <Olipro!~Olipro@uncyclopedia/pdpc.21for7.olipro> has quit IRC (Ping timeout: 258 seconds)[11:26:33] *** Olipro_ is now known as Olipro[11:38:48] *** johnny56 <johnny56!johnny56@gateway/vpn/protonvpn/johnny56> has quit IRC (Ping timeout: 272 seconds)[11:42:27] *** johnny56 <johnny56!johnny56@gateway/vpn/protonvpn/johnny56> has joined #postfix[12:31:35] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[12:32:53] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[12:39:40] *** section1 <section1!~section1@178.33.109.106> has joined #postfix[12:45:06] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 250 seconds)[12:45:11] *** ]SiB[1 <]SiB[1!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[12:47:32] *** ]SiB[1 is now known as ]SiB[[13:00:50] *** ]SiB[1 <]SiB[1!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[13:03:10] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 246 seconds)[13:03:10] *** ]SiB[1 is now known as ]SiB[[13:29:21] *** sysmonk <sysmonk!alex@freenode/sponsor/sysmonk> has quit IRC (Ping timeout: 250 seconds)[13:29:28] *** Alina-malina <Alina-malina!~Alina-mal@unaffiliated/alina-malina> has quit IRC (Ping timeout: 244 seconds)[13:29:52] *** Alina-malina <Alina-malina!~Alina-mal@unaffiliated/alina-malina> has joined #postfix[13:31:11] *** sysmonk <sysmonk!alex@193.219.128.48> has joined #postfix[13:31:46] *** KickPost <KickPost!2ef8a1a5@gateway/web/freenode/ip.46.248.161.165> has joined #postfix[13:33:14] <KickPost> ehlo localhost[13:40:44] <KickPost> I have a virtual domains an vusers. What do you propose to achieve. To create alias Which specific senders can send to ?[13:41:23] <KickPost> like all at vdomain1 dot com allow from user at gmail dot com and martin at otherdomain dot com.[13:41:54] *** cybrNaut <cybrNaut!cybrNaut@unaffiliated/cybrnaut> has quit IRC (Ping timeout: 264 seconds)[13:42:01] <KickPost> and allias2@secondvdomain allow jogn at gmail dot com and jack at aol dot com - other rejected[13:42:16] <KickPost> insidres_only not working what I need[13:45:06] *** cybrNaut <cybrNaut!cybrNaut@rrcs-67-53-148-69.west.biz.rr.com> has joined #postfix[13:50:35] <survietamine> that's MLM features[14:00:23] *** robinho86 <robinho86!~robsonjf@191.36.239.241> has joined #postfix[14:06:43] *** Diemuzi <Diemuzi!~diemuzi@unaffiliated/diemuzi> has joined #postfix[14:09:07] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[14:10:05] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Read error: Connection reset by peer)[14:10:26] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[14:13:11] *** pj <pj!~pj@centos/ops/pj> has quit IRC (Ping timeout: 268 seconds)[14:15:27] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has quit IRC (Ping timeout: 258 seconds)[14:16:39] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has joined #postfix[14:25:12] *** pj <pj!~pj@centos/ops/pj> has joined #postfix[14:28:10] *** VibesYuth <VibesYuth!~Oval@pool-71-105-195-111.nycmny.fios.verizon.net> has joined #postfix[14:30:09] <KickPost> survietamine: in qmail I create patch limit sender and map: https://paste.debian.net/1074892/[14:31:33] <KickPost> hm maby you have right mailman hm...[14:33:36] <survietamine> I don't know about qmail, sure you can do some tricks in most mail servers[14:33:36] *** MACscr <MACscr!~MACscr@c-98-215-100-46.hsd1.il.comcast.net> has quit IRC (Ping timeout: 272 seconds)[14:34:31] <survietamine> maybe it's ok with restriction classes, policy service, etc.[14:34:55] <survietamine> not mailman, i have SYMPA, but still, it does manage that features[14:35:07] *** VibesYuth <VibesYuth!~Oval@pool-71-105-195-111.nycmny.fios.verizon.net> has quit IRC (Quit: Leaving)[14:35:25] <survietamine> you still have qmail nowadays?[14:35:54] <KickPost> qmail +many many many many patches and now im moved to postfix[14:35:58] <survietamine> IIRC, with opensmtpd, you can write rules like that easily, like you write rules for firewall[14:38:10] <KickPost> survietamine: https://paste.debian.net/1074895/[14:38:31] <KickPost> this is in python[14:38:49] <KickPost> and maby rewrit to postfix quue[14:46:49] *** rednul <rednul!~rednul@219.163.48.199.static.reverse.as19531.net> has joined #postfix[14:49:27] *** Gaaab <Gaaab!~Gaaab@milik.frozenstar.info> has quit IRC (Remote host closed the connection)[14:51:22] *** FinboySlick <FinboySlick!~shark@74.117.40.10> has quit IRC (Quit: Leaving.)[14:56:18] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has quit IRC (Read error: Connection reset by peer)[14:56:35] *** MACscr <MACscr!~MACscr@c-98-215-100-46.hsd1.il.comcast.net> has joined #postfix[14:57:16] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has joined #postfix[15:02:51] *** FinboySlick <FinboySlick!~shark@74.117.40.10> has joined #postfix[15:21:52] *** Azrael_- <Azrael_-!~aweoi@adsl-178-39-68-29.adslplus.ch> has quit IRC ()[15:22:24] *** edux <edux!~edux@190.247.46.25> has joined #postfix[15:43:27] *** Alina-malina_ <Alina-malina_!~Alina-mal@unaffiliated/alina-malina> has joined #postfix[15:44:43] *** Alina-malina <Alina-malina!~Alina-mal@unaffiliated/alina-malina> has quit IRC (Ping timeout: 255 seconds)[15:45:05] *** Alina-malina_ <Alina-malina_!~Alina-mal@unaffiliated/alina-malina> has quit IRC (Remote host closed the connection)[15:50:30] *** Alina-malina <Alina-malina!~Alina-mal@unaffiliated/alina-malina> has joined #postfix[15:55:15] *** MACscr <MACscr!~MACscr@c-98-215-100-46.hsd1.il.comcast.net> has quit IRC (Ping timeout: 246 seconds)[16:02:37] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has joined #postfix[16:11:01] *** MACscr <MACscr!~MACscr@c-98-215-100-46.hsd1.il.comcast.net> has joined #postfix[16:24:07] *** karlpinc <karlpinc!~user@meme-net.meme.com> has quit IRC (Remote host closed the connection)[16:28:50] *** cybrNaut <cybrNaut!cybrNaut@rrcs-67-53-148-69.west.biz.rr.com> has quit IRC (Changing host)[16:28:50] *** cybrNaut <cybrNaut!cybrNaut@unaffiliated/cybrnaut> has joined #postfix[16:35:18] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[16:36:35] *** edux <edux!~edux@190.247.46.25> has quit IRC (Remote host closed the connection)[16:36:36] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[16:44:13] *** pyco <pyco!~p@pdpc/supporter/active/pyco> has quit IRC (Ping timeout: 245 seconds)[16:47:16] *** pyco <pyco!~p@pdpc/supporter/active/pyco> has joined #postfix[16:47:57] *** eugenmayer <eugenmayer!~eugenmaye@pD95DA2AE.dip0.t-ipconnect.de> has joined #postfix[16:51:21] <eugenmayer> i run postfix as an MSA. When i try to authenticate against my exchange satelite on 587 using TLS, postfix does offer GSSAPI and NTLM even before LOGIN, which lets exchange pick NTLM - which then fails since NTLM is not possible. How can i tell postfix which auth mechanism to offer during the negotiation? This also seem to have happened during a recent postfix update, it was not offering this before. Nevertheless, where do i set this s[16:51:21] <eugenmayer> ttings? I run custom services ( smtptls ) in master.cf https://www.pastiebin.com/5c9b9bebf322d .. are those parameters to be placed there?[16:52:09] <grawity> eugenmayer: are you using cyrus sasl or dovecot sasl?[16:53:08] <eugenmayer> hmm, not sure how to check, one second[16:54:02] <eugenmayer> sasl2-bin libsasl2-modules with the saslauthd daemon[16:54:03] <grawity> it's something you've had to have set up in main.cf, generally[16:54:17] <grawity> unless I misunderstood the "postfix offers ... exchange picks ..." part[16:54:39] <grawity> (is postfix the SMTP *client* here?)[16:54:48] <eugenmayer> that is my sals-postfix config https://www.pastiebin.com/5c9b9cbb87d11[16:55:02] <eugenmayer> yes postfix is a SMTP client here, exactly[16:55:19] <grawity> the client doesn't offer mechanisms, it chooses from what the server has offered...[16:55:25] <eugenmayer> i want the "postfix smtp client" offer less "auth mechanism" while the postfix smtp client authenticates against its satelite exchange server[16:56:38] <grawity> again, the client doesn't offer mechanisms, it chooses from what the server has offered[16:56:49] <eugenmayer> i thoght the client offerst a list A-Z, then the server offers a list A-Z an picks the first matching one, left to right[16:57:01] <grawity> no[16:57:10] <eugenmayer> how to limit wha the client picks then?[16:57:20] <grawity> it's kinda like that in e.g. SSH or TLS mechanism negotiation, but usually not in SASL[16:57:30] <grawity> to adjust what the postfix smtp client selects, try changing $smtp_sasl_mechanism_filter in main.cf[16:57:41] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 244 seconds)[16:58:01] <eugenmayer> i have to rush but i keep the client open - if you have any suggestions, let me know. I will try it. Thank you already![16:58:37] <grawity> I've already provided one?[16:59:10] <grawity> smtp_sasl_mechanism_filter (it's also mentioned in SASL_README)[17:01:59] *** Gaaab <Gaaab!~Gaaab@milik.frozenstar.info> has joined #postfix[17:02:30] *** TX1683 <TX1683!~TX1683@unaffiliated/tx1683> has quit IRC (Ping timeout: 250 seconds)[17:05:02] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has quit IRC (Quit: Ex-Chat)[17:08:23] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has quit IRC (Ping timeout: 245 seconds)[17:13:59] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has joined #postfix[17:15:20] <lunaphyte> you might be confusing smtp auth mechanism selection with encryption negotiation, which happens differently[17:16:10] <lunaphyte> my advice would be to disable sasl mechs you don't need/want entirely, within your sasl software[17:42:57] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has quit IRC (Quit: inabit. zz.)[17:45:28] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has quit IRC (Ping timeout: 245 seconds)[17:46:44] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has joined #postfix[17:47:15] *** _NiC <_NiC!~kristian@aeryn.ronningen.no> has quit IRC (Ping timeout: 268 seconds)[17:55:53] *** Wioxjk <Wioxjk!~poppels@81-235-33-215-no286.tbcn.telia.com> has quit IRC (Ping timeout: 245 seconds)[17:56:34] *** Darcidride <Darcidride!~Darcidrid@37.168.140.135> has joined #postfix[17:58:17] *** t-ask <t-ask!~t-ask@217.111.73.154> has joined #postfix[17:58:45] *** _cr_ <_cr_!~quassel@srv.ncxs.de> has joined #postfix[18:05:28] *** Gaaab <Gaaab!~Gaaab@milik.frozenstar.info> has quit IRC (Ping timeout: 250 seconds)[18:08:25] <t-ask> Hi, form some mail servers my server denies receiving the mail with error: `warning: A653B4AD2C3: BDAT request from mail-eopbgr70101.outbound.protection.outlook.com[1.2.3.4] exceeds message size limit`. with `postconf -n | grep size` both are set to 0. Or is this related to anything of Dovecot config?[18:09:39] *** Wioxjk <Wioxjk!~poppels@gatekeeper01.ports.se> has joined #postfix[18:10:55] <t-ask> Not sure where to look. Maybe `postconf -n | grep restrict` helps finding the reason? It is just strange I have thos with Outlook.com and google.com not with other mail providers I know of.[18:16:00] <t-ask> !showconfig[18:16:00] <knoba> t-ask: "showconfig" : when asked to provide your config, please provide a SINGLE pastebin (see !pastebin) with postconf -nf and postconf -Mf. if your version is too old for those commands to work (< 2.9), you should upgrade, but see !showconfig_old[18:16:57] <t-ask> ok, I do it later, have to leave, sry[18:17:01] *** t-ask <t-ask!~t-ask@217.111.73.154> has quit IRC (Quit: leaving)[18:21:46] <rob0> TIL rfc 1830, BDAT[18:22:30] <rob0> "chunking", I always figured that was a reference to cheap, canned Chinese food ;)[18:24:22] <rob0> anyway, If I'm not here when t-ask is back, the answer is "postconf message_size_limit" and postconf.5.html#message_size_limit[18:25:36] <rob0> Seems strange to me that you'd search for "restrict" when the warning clearly gives three usable keywords, "message size limit".[18:27:11] <rob0> As for only getting that from MS and Google, nothing strange at all: those users can't tell the difference between email and file sharing protocols.[18:30:34] <grawity> ah, so because latest postfix now implements BDAT, it's turned into a file sharing protocol and I should look elsewhere[18:32:15] <eugenmayer> grawity: thank you, i look into that![18:42:18] *** chowbok <chowbok!~chowbok@207.181.255.76> has quit IRC (Ping timeout: 250 seconds)[18:44:20] <eugenmayer> grawity: after applying smtp_sasl_mechanism_filter = plain, login[18:44:20] <eugenmayer> i know get 2019-03-27T17:42:39.624964+00:00 msa smtptls/smtp[2097]: warning: zzzzzzzz[xxxx]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'[18:44:24] <eugenmayer> s/know/now[18:45:14] <eugenmayer> does this mean, the the server actually only offers GSSAPI NTLM and nothing more? Interestingly, i can send mails using the exact same por /tls /credentials using PHPmailer so i assume there must be something else i am missing[18:45:21] <grawity> well, yes, if the server doesn't even offer PLAIN, it's a problem with the server[18:45:37] <grawity> make sure your postfix actually performs STARTTLS before trying to authenticate, however[18:45:44] *** gu1lle_ <gu1lle_!~Thunderbi@201.216.253.75> has joined #postfix[18:46:26] *** rsx <rsx!~rsx@ppp-188-174-143-31.dynamic.mnet-online.de> has joined #postfix[18:48:09] <eugenmayer> grawity: hmm i think i enforced STARTTLs by :https://www.pastiebin.com/5c9bb73ac2eb5 line 14 ( see the log, smpttls is used in the logs smtptls/smtp[2097][18:48:34] <eugenmayer> smtp_tls_security_level=encrypt should enforce it, right[18:48:50] <thumbs> !smtps[18:48:50] <knoba> thumbs: "smtps" : A deprecated name for port 465; see !submissions and RFC 8314. See also !submission and !tls and !sasl[18:48:58] <thumbs> !submissions[18:48:58] <knoba> thumbs: "submissions" : RFC 8314 renames the old smtps port, 465/tcp, to submissions, for user submission of mail, NOT suitable for mail exchange, with implicit TLS rather than explicit STARTTLS via a plaintext TCP connection. Postfix can implement submissions with a separate smtpd(8) listener with -o smtpd_tls_wrappermode=yes . See the commented example for smtps in master.cf.[18:49:42] <eugenmayer> knoba: this is a MSA case[18:50:23] <eugenmayer> postfix is a MSA in this regard, acting like an email-client if you wish. it contacts (and authenticates ) against an exchange server, which then uses itself either local delivery or a satelite[18:51:23] <eugenmayer> and since iam usin 587 i wont need wrappermode=yes, i am not using 465 with TLS - right[18:51:40] <rob0> This is covered in SASL_README. Sounds like you are missing support for GSSAPI and NTLM AUTH mechanisms.[18:52:02] <eugenmayer> rob0: yes my postfix does no NTLM and not kerberos, it should not.[18:52:23] <rob0> If that's the only thing that MSexchange offers you, it must.[18:52:27] <eugenmayer> and that server also offers LOGIN/PLAIN since using the same port / cred / data i can send using PHPmailer[18:52:37] <rob0> Or, you need to talk to the server admin[18:52:52] <eugenmayer> no i think grawity is fairly right, 587 plaintext will only offer encrypted auth, so NTLM/GSSAPI[18:53:09] <rob0> what is this syslog_name, "smtptls"?[18:53:16] <eugenmayer> that is how exchange is configured by default ( and it make sense ). Most probably STARTTLS is never called, that it why the server never happens to offer LOGIN/PLAIN[18:53:37] <eugenmayer> rob0: yes, see 2019-03-27T17:42:39.624964+00:00 msa smtptls/smtp[2097]: warning: zzzzzzzz[xxxx]:587 offered no supported AUTH mechanisms: 'GSSAPI NTLM'[18:53:48] <grawity> out of curiosity could you do a manual test of the server[18:53:49] <eugenmayer> and https://www.pastiebin.com/5c9bb73ac2eb5 line 14[18:54:04] <eugenmayer> grawity: sure i can use swaks but i already know, it will work 100%[18:54:41] <eugenmayer> stil, i will and will report back. For the later steps though, can i visualize the "authentication" / protocol used when postfix acts as a clinet[18:54:49] <eugenmayer> so i can see if STARTTLS is actually called?[18:55:25] <rob0> Typically you should prefix any syslog_name override with "postfix/" to make it plain to see that these are Postfix logs.[18:55:33] <grawity> I'd probably go with either a) Wireshark/tcpdump, or b) put the Exchange server address in $debug_peer_list[18:55:40] *** rsx <rsx!~rsx@ppp-188-174-143-31.dynamic.mnet-online.de> has quit IRC (Remote host closed the connection)[18:56:15] <lunaphyte> !smtp_tls_loglevel[18:56:15] <knoba> lunaphyte: "smtp_tls_loglevel" : Enable additional Postfix smtp(8) client logging of TLS activity, default 0, 1 is a good operational setting. Each logging level also includes the information that is logged at all lower logging levels.[18:56:18] <lunaphyte> !smtpd_tls_loglevel[18:56:18] <knoba> lunaphyte: "smtpd_tls_loglevel" : enable additional postfix smtp server logging of tls activity. each logging level also includes the information that is logged at a lower logging level.[18:56:32] <eugenmayer> thanks you both! i have some homework to do know, i guess. I will report back. Very helpful![18:56:38] <rob0> also set[18:56:46] <rob0> !smtp_tls_loglevel[18:56:46] <knoba> rob0: "smtp_tls_loglevel" : Enable additional Postfix smtp(8) client logging of TLS activity, default 0, 1 is a good operational setting. Each logging level also includes the information that is logged at all lower logging levels.[18:56:57] <rob0> smtp_tls_loglevel=1[18:57:10] <rob0> do that globally, in main.cf[18:57:33] <rob0> only one extra log line per smtp outbound connection[18:57:51] <rob0> 17:54 < eugenmayer> so i can see if STARTTLS is actually called?[19:00:23] *** Elisha <Elisha!~elisha@188-230-142-97.dynamic.t-2.net> has joined #postfix[19:00:36] *** Elisha <Elisha!~elisha@188-230-142-97.dynamic.t-2.net> has quit IRC (Remote host closed the connection)[19:02:16] *** chowbok <chowbok!~chowbok@207.181.255.76> has joined #postfix[19:03:39] <eugenmayer> So what i know know using telnet on 587 is, that without STARTTLS, i get 250-AUTH GSSAPI NTLM … and after calling STARTTLS with swaks i get <~ 250-AUTH GSSAPI NTLM LOGIN[19:03:54] <eugenmayer> so it is for sure no server issue, it is, somehow, postfix not using STARTTLS[19:04:19] <grawity> bit odd that it's offering LOGIN but not the standard PLAIN[19:04:20] <lunaphyte> i would strongly suggest not offering smtp auth, at all, without encryption[19:05:01] <lunaphyte> first, that would likely simplify this troubleshooting process for you, and second, there's just really no practical reason to not do so[19:06:32] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has quit IRC (Remote host closed the connection)[19:07:22] <lunaphyte> !smtpd_tls_auth_only[19:07:22] <knoba> lunaphyte: "smtpd_tls_auth_only" : When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections.[19:07:49] *** i1nfusion <i1nfusion!~i1nfusion@46.101.134.251> has joined #postfix[19:08:21] <grawity> the server has been mentioned to be MS Exchange, not Postfix[19:09:09] <lunaphyte> oh postfix is strictly an smtp client in this conversation?[19:19:06] *** Gaaab <Gaaab!~Gaaab@milik.frozenstar.info> has joined #postfix[19:19:56] <rob0> right[19:20:31] <rob0> smtp_tls_loglevel=1 will show if STARTTLS is used.[19:20:48] <rob0> oh, IIRC there's also a setting to log the STARTTLS offer[19:21:43] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[19:22:08] *** edux <edux!~edux@190.55.164.78> has joined #postfix[19:23:01] <rob0> smtp_tls_note_starttls_offer = yes[19:26:13] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has quit IRC (Quit: WeeChat 2.4)[19:27:34] <eugenmayer> thank you sir[19:32:52] <eugenmayer> rob0: neither of these let me see any STARTTL right now, do i need to use debug_peer too?[19:33:02] <rob0> no[19:33:22] <rob0> if STARTTLS is not offered, STARTTLS is not used[19:33:41] <rob0> so there's yor problem[19:34:15] <eugenmayer> smtp_tls_loglevel=1[19:34:15] <eugenmayer> smtp_tls_note_starttls_offer = yes[19:34:27] <eugenmayer> i just ask myself if i am loogin at the wrong logs probably[19:34:56] *** edux <edux!~edux@190.55.164.78> has quit IRC (Remote host closed the connection)[19:35:06] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has quit IRC (Quit: inabit. zz.)[19:35:10] <rob0> pastebin a manual telnet to the server and its EHLO reply[19:35:25] <rob0> from the Postfix machine of course[19:36:22] <rob0> Still a long shot at this point, but I am suspecting a stupid proxy like Cisco ASA or PIX[19:36:46] <rob0> could be on your end or theirs[19:38:01] <eugenmayer> rob0: https://www.pastiebin.com/5c9bc2e0108e2 that is what i see ( untrusted ) which is ok since i use … smtp_tls_security_level=encrypt[19:38:30] <eugenmayer> there is no "on my side", the server in there infra, not mine[19:38:50] <eugenmayer> 2 customers, 2 times exchange 2016, 2x 587[19:38:56] <eugenmayer> exactly the same issue[19:39:12] <rob0> so, STARTTLS is used[19:39:36] *** Wioxjk <Wioxjk!~poppels@gatekeeper01.ports.se> has quit IRC (Quit: Leaving)[19:39:57] <grawity> those are 3 different processes, so I wonder if it's something that occurs just some of the time[19:39:58] <eugenmayer> i cannot see that explicitly[19:40:02] <rob0> and yes, there IS a router on your side, and if it was doing the stupid "SMTP Fixup" misfeature, it would intercept STARTTLS[19:41:09] <eugenmayer> i am confused what to do[19:41:25] *** kermit <kermit!~zip55413@pdpc/supporter/bronze/kermit> has quit IRC (Ping timeout: 255 seconds)[19:41:30] <rob0> 18:35 < rob0> pastebin a manual telnet to the server and its EHLO reply[19:41:30] <pj> if t-ask pops back in, he either needs to upgrade to postfix 3.4.4 or set message_size_limit to a huge number instead of 0.[19:41:43] <rob0> 18:35 < rob0> pastebin a manual telnet to the server and its EHLO reply[19:41:48] <rob0> oops[19:41:51] <grawity> so the reason I was asking for debug_peer_list is because I'd very much like to see exactly what *postfix* sees during *those specific bad connections*[19:42:10] <grawity> not what a random CLI tool sees during a random connection that may or may not be affected[19:42:24] <rob0> Oh, nm about the telnet, we know STARTTLS is used[19:42:36] <grawity> where do you know that from[19:42:47] <rob0> the last pastebin[19:43:20] <grawity> that pastebin shows TLS being used by pid 3047, and then an auth failure by pid 3055[19:43:32] <rob0> ah, you're right[19:43:35] <grawity> doesn't that imply they're two different connections – one using TLS, and another failing auth?[19:43:47] <rob0> we'd want to know what 3055 logged[19:44:23] <rob0> This is what happens when incomplete logging is shared, makes it harder for us.[19:45:15] <rob0> We need to see the entire logging of pid 3055 which led to the warning on the third line[19:47:00] <rob0> pj, how does the upgrade fix message_size_limit?[19:47:44] <pj> rob0: it is a long-standing bug, was reported on the ml and fixed in the stable release from ... last week, I think.[19:48:05] <pj> the bug is that message_size_limit of 0 really means 0, not unlimited as people may think.[19:48:31] <pj> honestly people shouldn't be trying to set it to 0 anyways, imo.[19:48:32] <rob0> oh! I'm not keeping up on the list.[19:49:29] <pj> eugenmayer: at a guess you don't have the correct cyrus sasl libraries installed to support plain and login client auth.[19:50:12] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 250 seconds)[19:50:25] <rob0> pj, I don't think that's it. Seems that sometimes STARTTLS just not offered, so PLAIN and LOGIN are not available.[19:50:55] <rob0> and yes, debug_peer_list might help, if it's intermittent[19:51:00] <pj> you think the exchange server is not offering plain and login?[19:51:13] <rob0> sure it is, AFTER STARTTLS[19:51:34] <pj> oh, I see[19:51:47] <pj> just use s_client to see what the server is offering, then.[19:52:20] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[19:52:49] <pj> and make sure that postfix is configured to require encryption (smtp_tls_security_level=encrypt[19:52:58] <rob0> Seems that sometimes, STARTTLS is offered (and used), sometimes not.[19:53:10] *** r0ni <r0ni!~jloco@c-68-43-217-143.hsd1.mi.comcast.net> has joined #postfix[19:53:22] <rob0> the smtptls transport has that set[19:54:19] <pj> well, if he's hitting a server that doesn't support STARTTLS then he either has to use one of the mechs that it offers or try something else? maybe he can connect to submissions instead.[19:55:23] <pj> It's sounding like the exchange server is actually multiple different servers behind a load balancer and some of them offer STARTTLS and some don[19:55:31] <pj> *don't[19:58:12] <pj> either connect to 465 instead or install cyrus-sasl-ntlm or cyrus-sasl-gssapi or both.[19:58:41] <pj> assuming those are the package names for your distro, that is.[20:01:20] <grawity> assuming one wants to use ntlm/gssapi in the first place[20:01:39] <pj> well, he may not have much choice if he wants to reliably auth to those servers.[20:01:48] <rob0> which he said he does not want to do[20:02:14] <pj> I skimmed through the scrollback so I missed the bit where he said that.[20:03:03] <rob0> Intermittent STARTTLS and a transport with smtp_tls_security_level=encrypt means reliable AUTH is not possible.[20:03:06] *** nortega <nortega!~nortega@gateway/tor-sasl/deathsbreed> has joined #postfix[20:03:06] <grawity> though if all else fails (eugenmayer mentioned no access to the servers), I *would* try GSSAPI auth, it's not really painful[20:03:30] <grawity> but that's after the STARTTLS thing is solved[20:03:49] <pj> rob0: exactly. If the servers accept port 465 connections then that is the other way to fix it.[20:04:09] <rob0> 465 is an idea, yes[20:04:14] <pj> it's possible that 465 works mroe reliably on those servers than 587/starttls[20:04:37] <nortega> Hello, I'm having an issue setting the inet_protocols parameter to `inet_protocols = ipv4'. I've edited the `/etc/postfix/main.cf' file such that `inet_protocols = ipv4', and I've restarted the system service, but when I run `postconf inet_protocols' it still tells me `inet_protocols = all'.[20:04:46] <nortega> I'm running postfix on CentOS 7.[20:04:50] *** t-ask <t-ask!t-ask@gateway/vpn/protonvpn/task/x-53939944> has joined #postfix[20:06:26] <pj> postfix 3.0 and later offer smtp_tls_wrappermode for port 465 connections, earlier versions require tunnelling the connection through stunnel or something similar.[20:07:05] <rob0> 17:24 < rob0> anyway, If I'm not here when t-ask is back, the answer is "postconf message_size_limit" and postconf.5.html#message_size_limit[20:07:08] <rob0> 17:25 < rob0> Seems strange to me that you'd search for "restrict" when the warning clearly gives three usable keywords, "message size limit".[20:07:18] <rob0> 17:27 < rob0> As for only getting that from MS and Google, nothing strange at all: those users can't tell the difference between email and file sharing protocols.[20:07:32] <pj> nortega: you probably have two entries for it in the file and the later one takes precidence.[20:07:36] *** Darcidride <Darcidride!~Darcidrid@37.168.140.135> has quit IRC (Ping timeout: 246 seconds)[20:07:38] <rob0> 18:41 < pj> if t-ask pops back in, he either needs to upgrade to postfix 3.4.4 or set message_size_limit to a huge number instead of 0.[20:08:12] *** Darcidride <Darcidride!~Darcidrid@37.169.153.70> has joined #postfix[20:08:54] <pj> t-ask: there is a long standing bug in message_size_limit which was only fixed in the very latest release this last week where a limit of 0 really does mean 0, not unlimited.[20:09:36] <pj> you should probably not be setting it to 0 anyways, it's a safety feature, just set it as high as you think you may need.[20:10:12] *** edux <edux!~edux@186.22.120.5> has joined #postfix[20:10:35] <pj> t-ask: and also you should probably wait longer than 15 minutes for an answer before giving up in IRC. A lot longer in some cases.[20:14:40] <nortega> pj: ah, you're right. Now sure how that happened. Thanks[20:14:58] *** ]SiB[ <]SiB[!~Thunderbi@unaffiliated/sib/x-9459575> has joined #postfix[20:15:02] <pj> nortega: yw[20:16:32] *** Diemuzi <Diemuzi!~diemuzi@unaffiliated/diemuzi> has quit IRC (Quit: See you on the flip side!)[20:17:45] <t-ask> pj: thanks,nice info. I will do what you suggested. Yes, I know leaving this soon is waytoo early. I just didn't expect this time taht I had too leave the place that soon.[20:18:02] <pj> t-ask: fair enough.[20:20:41] *** nortega <nortega!~nortega@gateway/tor-sasl/deathsbreed> has left #postfix ("leaving")[20:21:40] <t-ask> pj: looks like I'm on 3.4.4 already,I willsetthen to ahigher value anyways then.[20:22:11] <pj> sorry, not fixed in the latest release, I was mistaken about that.[20:24:50] *** olegfusion <olegfusion!~olegfusio@mail.mobileforsale.ru> has quit IRC (Quit: Leaving)[20:25:01] <pj> ...and it may not be fixed, it's actually not documented for message_size_limit to work that way, it has done so in the past but since it's not a documented feature there was never any guarantee that a setting of 0 would always mean "unlimited".[20:26:56] *** edux__ <edux__!~edux@host99.181-13-73.telecom.net.ar> has joined #postfix[20:27:43] *** mikecmpbll <mikecmpbll!~mikecmpbl@ruby/staff/mikecmpbll> has joined #postfix[20:27:44] <t-ask> then I better set those values on every postfix server[20:28:46] <pj> if the default of approximately 10MB is not sufficient, then yes.[20:29:12] <t-ask> I know some of my win mates ;)[20:29:57] <pj> that's fine, there's no issue with setting it higher, except that you may still run afoul of other servers that have it set lower.[20:30:08] <t-ask> the odd thing in this case was just that the testmial from that friend was empty..[20:30:28] *** edux <edux!~edux@186.22.120.5> has quit IRC (Ping timeout: 245 seconds)[20:30:37] <pj> It should just be set to some reasonable value for you, because to set it to unlimited opens up a possible security hole.[20:31:02] <t-ask> ok, then i comment those values to default... I gguess that's then the best choice[20:31:07] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has quit IRC (Ping timeout: 258 seconds)[20:31:32] <pj> t-ask: the default is a good choice, but as I said, it's not unreasonable to set it higher if you want.[20:32:18] <pj> the security issue with having it unlimited is that an attacker could sit there and feed it gigs or terrabytes of data to fill up all available RAM or even disk space on your server and bring it to a grinding halt.[20:33:05] *** Penguin_ <Penguin_!~xwQ5kwYl6@our.systems.are.full.of.penguins.at.penguinsystems.net> has joined #postfix[20:36:05] *** Darcidride <Darcidride!~Darcidrid@37.169.153.70> has quit IRC (Quit: Bye.)[20:36:11] <t-ask> pj: right, good hint[20:36:20] *** Darcidride <Darcidride!~Darcidrid@37.169.153.70> has joined #postfix[20:40:11] *** section1 <section1!~section1@178.33.109.106> has quit IRC (Quit: Leaving)[20:40:58] *** kermit <kermit!~zip55413@pdpc/supporter/bronze/kermit> has joined #postfix[20:43:32] <pj> oh, I see where it was introduced. It has to do with postfix's chunking support which is new in 3.4. Chunking in 3.4 is enabled by default and the check for message_size_limit there does not have the usual explicit check for 0. Thus configs that used to work in prior versions of postfix where message_size_limit was set to 0 do not work in 3.4 unless chunking is explicitly disabled. Do note that's another option is to disable chunking, but tbh you're better[20:43:33] <pj> off leaving it on, it's a good feature.[20:47:04] <rob0> of course, even with the message_size_limit an attacker can do what you describe, it would just take a bit longer[20:47:19] <rob0> *message_size_limit default setting[20:48:12] *** Blubberbop <Blubberbop!~quassel@mail.capmega.com> has joined #postfix[20:48:13] <pj> well, yes, I suppose, but still I would not advise setting message_size_limit to 0 also for the reason that doing so is undocumented and can (and apparently now has) changed what can happen if you do.[20:51:55] *** edux__ <edux__!~edux@host99.181-13-73.telecom.net.ar> has quit IRC (Remote host closed the connection)[20:52:14] <pj> I'm actually debating what to do with GF for this case, as there could be a number of people who use that setting expecting it to mean "unlimited" and pushing out postfix 3.4 to stable would break their systems. My options are (1) apply the patch from the ml to fix this so that message_size_limit acts like it always has in respect to a setting of 0, or (2) document the issue and handle the number of complaints people have that the new release breaks their system[20:52:15] <pj> because they used an undocumented feature.[20:53:20] *** edux <edux!~edux@186.22.120.5> has joined #postfix[20:57:29] <pj> option (3) might be to change the patch so that it warns the user if message_size_limit is set to 0 that they're using an undocumented feature that may change at any time.[20:58:31] <pj> I'm gonna go AFK for a while, I'll decide later.[21:00:24] *** eugenmayer1 <eugenmayer1!~eugenmaye@pD95DA2AE.dip0.t-ipconnect.de> has joined #postfix[21:00:24] *** eugenmayer <eugenmayer!~eugenmaye@pD95DA2AE.dip0.t-ipconnect.de> has quit IRC (Read error: Connection reset by peer)[21:00:36] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has joined #postfix[21:01:38] *** eelstrebor <eelstrebor!~eelstrebo@216-75-116-100.static.allophone.net> has quit IRC (Remote host closed the connection)[21:02:02] *** edux__ <edux__!~edux@host99.181-13-73.telecom.net.ar> has joined #postfix[21:05:41] *** edux <edux!~edux@186.22.120.5> has quit IRC (Ping timeout: 244 seconds)[21:05:42] *** edux__ <edux__!~edux@host99.181-13-73.telecom.net.ar> has quit IRC (Remote host closed the connection)[21:10:34] *** treefrob <treefrob!~treefrob@p57A96449.dip0.t-ipconnect.de> has joined #postfix[21:10:34] *** treefrob <treefrob!~treefrob@p57A96449.dip0.t-ipconnect.de> has quit IRC (Client Quit)[21:10:56] *** treefrob <treefrob!~treefrob@p57A96449.dip0.t-ipconnect.de> has joined #postfix[22:03:50] *** double-p <double-p!~pbuehler@xfw.fips.de> has quit IRC (Quit: WeeChat 2.2)[22:10:02] *** FinboySlick <FinboySlick!~shark@74.117.40.10> has quit IRC (Quit: Leaving.)[22:17:59] *** gu1lle_ <gu1lle_!~Thunderbi@201.216.253.75> has quit IRC (Remote host closed the connection)[22:25:28] *** sloucher <sloucher!~Thunderbi@2604:5500:c128:d600::d09> has joined #postfix[22:28:10] *** n_1-c_k <n_1-c_k!~n_1-c_k@2a02:8010:63a6::70> has joined #postfix[22:28:22] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 250 seconds)[22:42:51] *** t-ask <t-ask!t-ask@gateway/vpn/protonvpn/task/x-53939944> has quit IRC (Read error: Connection reset by peer)[22:47:02] *** t-ask <t-ask!~t-ask@83.135.21.251> has joined #postfix[23:01:44] *** robinho86 <robinho86!~robsonjf@191.36.239.241> has quit IRC (Quit: Leaving.)[23:04:07] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has joined #postfix[23:04:32] *** edux <edux!~edux@2800:810:48a:8373:ada5:af7b:dfa:9c62> has joined #postfix[23:05:13] *** t-ask <t-ask!~t-ask@83.135.21.251> has quit IRC (Ping timeout: 250 seconds)[23:07:29] *** t-ask <t-ask!t-ask@gateway/vpn/protonvpn/task/x-53939944> has joined #postfix[23:08:33] *** ddBz <ddBz!~gary@cpe-67-246-27-81.nycap.res.rr.com> has quit IRC (Ping timeout: 246 seconds)[23:09:02] *** edux <edux!~edux@2800:810:48a:8373:ada5:af7b:dfa:9c62> has quit IRC (Remote host closed the connection)[23:22:20] *** eugenmayer1 <eugenmayer1!~eugenmaye@pD95DA2AE.dip0.t-ipconnect.de> has quit IRC (Quit: Leaving.)[23:27:07] *** chkbsd <chkbsd!~ucio@unaffiliated/ucio> has quit IRC (Ping timeout: 240 seconds)[23:28:51] *** chkbsd <chkbsd!~ucio@bla.mode42.one> has joined #postfix[23:28:51] *** chkbsd <chkbsd!~ucio@bla.mode42.one> has quit IRC (Changing host)[23:28:51] *** chkbsd <chkbsd!~ucio@unaffiliated/ucio> has joined #postfix[23:41:43] *** cybrNaut <cybrNaut!cybrNaut@unaffiliated/cybrnaut> has quit IRC (Ping timeout: 255 seconds)[23:44:15] *** Darcidride <Darcidride!~Darcidrid@37.169.153.70> has quit IRC (Read error: Connection reset by peer)[23:46:48] *** cybrNaut <cybrNaut!cybrNaut@2001:0:53aa:64c:34bd:aca7:bcca:6bba> has joined #postfix[23:48:57] *** gabizou <gabizou!~gabizou@irc.spongepowered.org> has quit IRC (Ping timeout: 244 seconds)[23:59:23] *** BoomerBile <BoomerBile!~MetaPhaze@96-42-197-150.dhcp.roch.mn.charter.com> has quit IRC (Quit: Pidgin ate Hexchat! Now what do I do!?)