Posts

Enforcing STARTTLS on submission port 587

The following setting in /etc/postfix/main.cf enables opportunistic TLS for inbound connections on the default SMTP port (25):

    smtpd_tls_security_level = may

You can enforce STARTTLS on the submission port (587) by editing /etc/postfix/master.cf:

    submission inet n - n - - smtpd
      -o smtpd_tls_security_level=encrypt

This will enforce STARTTLS on port 587.

Note: you also need to first install a certificate (self-signed, or CA-issued with its intermediate chain) to enable inbound TLS in Postfix.

StatusDnsQueryFailed resolving domain

If you are seeing the following error in PowerMTA or Postfix logs:

    StatusDnsQueryFailed resolving domain

it is likely caused by one of three reasons:

1. The requested domain does not exist: it has neither an MX nor an A record.
2. The upstream DNS provider is throttling excessive queries from your mail server.
3. You are hitting bandwidth limits on the WAN interface (if the DNS resolver requests go out via the internet-facing interface).

As always, I highly recommend using a dedicated recursive DNS server on the LAN for your mailing infrastructure, or an unthrottled upstream DNS resolver.

How to check Postfix queue size or find the count of messages in queue

Count the queue IDs in the mailq output:

    mailq | grep -c "^[A-Z0-9]"

You can also read the total from the last line of the output:

    mailq | tail -1

How to enable inbound TLS(starttls) in Postfix with Signed Certificate from CA(LetsEncrypt)

Most of the time Postfix is configured with a self-signed certificate, which works well because most MTAs do not require certificate validation. A CA-signed certificate is still useful for applications or mailbox users that connect to a central MTA to deliver email.

You can either buy an SSL certificate from your provider or use free certificates from letsencrypt.org (they need to be renewed every 3 months). In this guide I will use a Let's Encrypt certificate for my MX host console.postfix.io.

I use the letsencrypt utility to manage certificates for my domains; the command below generates a standalone certificate for my host:

    letsencrypt certonly --standalone -d console.postfix.io

The output:

    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/console.postfix.io/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/console.postfix.io/privkey.pem
    …

Edit main.cf:

    vim /etc/postfix/main.cf

Replace the following lines:

    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil…

How to include Gmail's Feedback-ID header in DKIM signature

Feedback-ID is an additional header required by the Gmail Feedback Loop in order to see aggregated data in Google Postmaster Tools. Gmail requires it to be covered by the DKIM-Signature. The following guide explains how to configure this in OpenDKIM.

Edit opendkim.conf:

    vim /etc/opendkim.conf

Add the following line:

    SignHeaders Feedback-ID

Reload OpenDKIM:

    systemctl reload opendkim.service

Reload Postfix:

    systemctl reload postfix.service

Send a test email with swaks to Gmail:

    swaks --from postmaster@postfix.io --to xxxx@gmail.com --h-Feedback-ID 123:asd:123 --server 127.0.0.1:25

My test mail results:

    Authentication-Results: mx.google.com;
           dkim=pass header.i=@postfix.io header.s=key1 header.b=oY1NVInb;
           spf=pass (google.com: domain of postmaster@postfix.io designates 45.55.57.182 as permitted sender) smtp.mailfrom=postmaster@postfix.io;
           dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=postfix.io
    Date: Sun, 12 Nov 2017 11:04:42 +0000
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=postfix…

421 4.5.1 No more messages on this connection http://tele.dk/25153

tele.dk is an ISP from Denmark. As per its postmaster guidelines, tele.dk mail servers do not accept more than 3 messages per connection; if you attempt to send more, you get the following error:

    421 4.5.1 No more messages on this connection, see http://tele.dk/25153

The following quick how-to explains how to configure Postfix to limit the number of messages per SMTP connection/session to Danish domains hosted by tele.dk.

Note: the following configuration worked on Postfix 3.2.3.

Add the following to /etc/postfix/main.cf:

    # mail.dk transport
    transport_maps = hash:/etc/postfix/transport
    teledk_initial_destination_concurrency = 3
    teledk_destination_concurrency_limit = 3

Add the following to /etc/postfix/transport:

    mail.dk         teledk:
    .tdcadsl.dk     teledk:
    .tele.d         teledk:
    .dknet.dk       teledk:
    youseeme.dk     teledk:
    besked.com      teledk:
    beskedboks.dk   teledk:

You can add more domains by reviewing logs. These are some of common do…

How to find out which Postfix version I'm running?

Run the following command on the Linux server:

    postconf mail_version

Mine returns the following output:

    mail_version = 3.2.3