ipv6 on postfix

Works, although it does feel a little incoherent setup wise it [] sometimes required and not required, and having access to reverse dns means i can mail google in ipv6, your experience might be different (not here) than the zoo’s

Don’t forget about spf records

Being ipv6 is very mostly silicon valley based (not amazon) i was surprised that some try and abuse ipv6 and the domain name system

Domain unknown senders

Although we do see them trying this from ipv4 too

No damage was done and the ipv6 and ipv4 protocol matched the fake domain.

Ipv6 accounts for 25% of dns traffic and not many ipv6 mx entries so 1% of email traffic unless you email gmail all the time.

debian stretch update 9.2 screw ups with systemd

Sisyphus is still a role model

I hate systemd – an update to postfix wiped our systemd file (our file) and the postmulti settings did not start. Another milllion reasons to hang draw and quarter Potterang and the systemd people (my blog).

Fishing about in my notes i diagnosed with postmulti,, copied yet another broken debain systemd file copied my backup to the real systemd file, daemon reloaded systemctl and then started postfix.

Postfix starts x5 but now the systemd file says it does not start even though they are – so if you still think systemd is a good idea your in need a mental health doctor.

If anybody can fuckup a start stop script these people can.  I mean if my copy of what once worked now does not how the fuck is this maintainable.  Beyond me.

How was your weekend ?

Then i had the issues with opendkim. (my blog) same old shit once more which makes systemd a nightmare.

A second attempt at opendmarc

lost_touristHaving failed in my first attempt (my blog) so i decided to try again looking at blogs who confirmed my suspicions that it did not work too well i looked at how others had got the thing to ‘work’

The zoo has dane,dkim and other stuff for some time so i will not be discussing that..

There’s a public suffix list some use which is not included in the debain packaging which was fun and indicates that maybe this is a compiled from source thing rather than an os package to install – ala here is one i prepared earlier.

My first days attempts seemed to work, but i had socket problems with postfix and logging changing ownership and creating the file because that is the sort of thing that it probably needs but won’t automatically do.

On my second day i still have no damm clue as to what opendmarc should be doing. and despite my best efforts

smtpd[*]: warning: connect to Milter service unix:/var/run/opendmarc/opendmarc.sock: No such file or directory

I changed unix to local as specified in /etc/default/opendmarc making the required change to posfix and still nothing happened

so eventually i went with it takes an hour or so to get a message from postfix about the broken socket on a not that busy mail server.


in opendmarc.conf , /etc/default/opendmarc and in the correct main.cf and that seemed to work in version 1.3.0 (current debian stable version)  at time of writing 1.3.1 is debian testing, and 1.3.2. in experimental so there’s no reason to expect massive changes down the release cycle.

I just have it running on four mail hosts

Here is what a correct mail log looks like

date* 17:57:49 host opendmarc[1047]: 1XX8BD6310: gmail.com pass
date* 07:30:15 host opendmarc[1047]: 5XX35BD6310: plexiglas.de none
date* 08:24:20 host opendmarc[1047]: 0XX85BD6310: factoringforless.eu none

not seen it

not seen it

That covers most use cases if hosts do not have dmarc hey that is not my fault.

Errors (or huh) are stated as

opendmarc[*]: *314: unable to parse From header field

So even the dmarc milter has problems with crap email.

For tls signed email

<example.com> SSL

is the response.

If your internal email does not outbound via a public internet address and then return* It seems opendmarc bitches and whines like

opendmarc[1047]: 23XXEBD6310: zoo** fail

However since i route fail2ban email from internal mail to a real email server those messages seem be ignored if you do not specify the opendmarc milter in the internal postfix handler we have.

I might have to add ignore hosts to a file (not done) – or fix internal relaying which is what i did

I am not sure if i can turn off rejectfailures option in opendmarc without perhaps some additional postfix plumbing but that;s my problem not yours since i am probably doing that the wrong way.

Things i have yet to do reporting***, see if the spf thing is broken in opendmarc – works.  But its working with postfix

*i see no point  ** our domains (my blog) are zoo,zoo1,zoo2,zoo3 *** needs mysql (fucking crap software) i will save for another post.

Does the monkey house save the day or will it go wrong, stay tuned for the next episode of opendmarc in draft as we attempt speak with some noteworthy retards with dmarc.

tlsv1.0 in the wild.

girlfriendIn 2015 and i have a dane compatible servers (my blog) running the latest and greatest in tls support which is version 1.2 and not version 1.0.  I thought i did not need the old version, they still use ssl v3 as well

I run a script and see a certain address with thousands of connects but no mail, and one day i guess they use the thing i do not have.  Grudgingly i enable tlsv1 on one mail server.

That should fix it.


tinfoilhatDane in postfix is not hard but what many of the things out there dont say (not here)  is that the tlsa record should state a host name


so port 25, using tcp, on host smtp, for domian kernel-error.de

crossport 25, tcp, domain wont work.


Postfix is a little more specific than that for https requests.


the man who became a pig

the man who became a pig

I wish i knew that before i started. Anyhow the zoo has dane, which is not a danish farm animal

policyd-spf in debian 8 and remaining upgrade issues

mehI had issues with this (my blog) so having five instances of postfix i reintroduced it,  I have no idea why nobody works and the other policyd-spf user does not.  However policyd-spf  does induce

postfix/smtpd[x]: warning: problem talking to server
private/spf-policy: Connection reset by peer

So change policyd-spf in master.cf, and add the spf checks in main.cf otherwise it will not get called.

policyd-spf  unix  -       n       n       -       0       spawn
            user=policyd-spf argv=/usr/bin/policyd-spf

And its  working again with the appended  0.and slighty different argv  – another two instances to change in the zoo.  Needs some tinkering and reading of the document in /usr/share/doc/postfix-policyd-spf-python/README.debain

200px-Gremlins_think_it's_fun_to_hurt_you._Use_care_always._Back_up_our_battleskies^_-_NARA_-_535381Cyrus imap also had a problem with /usr/sbin missing binaries which the cyrus.conf picks up they do exist and have since moved to /usr/lib/cyrus/bin.  It did not affect mail delivery but your see what i mean if you run it.

Mod_defensible in apache 2.4 does work but not from the repo’s, download it from the debian site and the files show up – dont ask me why. but it works remember the config goes in apache2.conf

One thing i dont have much clue on in is postgressql upgrading (9.1  to 9.4) i have both so i will ignore that one for the time being