Tag Archives: postfix

ispconfig tlsa patch for dane using postfix

Hi There

I've added TLSA DNS RR support to my ISPConfig server. This howto builds on my previous post, which adds DNSSEC support to ISPConfig: http://www.paranoids.at/bind9-ispconfig-dnssec-inline-signing-ubuntu-1204/

Currently I'm using Ubuntu 14.04 with the most recent version of ISPConfig 3. With Ubuntu 14.04 you don't need the bind PPA, because the bind version in 14.04 supports automatic key rollover for DNSSEC-signed zones.

Simply copy the files as follows:

cd /usr/local/ispconfig/interface/web/dns
cp -av dns_srv_edit.php  dns_tlsa_edit.php
cp -av form/dns_srv.tform.php form/dns_tlsa.tform.php
cp -av templates/dns_srv_edit.htm templates/dns_tlsa_edit.htm
cp -av lib/lang/de_dns_srv.lng lib/lang/de_dns_tlsa.lng

Then apply the patches against every file mentioned in the patch.

Here is the patch for the interface:
Here is the patch for the server:

You also have to alter the table structure of dns_rr in dbispconfig. You only have to edit the type column as follows:


Here is a nice Firefox tool to verify your DNSSEC and TLSA records: https://www.dnssec-validator.cz/

Here are the config snippets from Postfix's main.cf:

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
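Added example, not from the post or from ISPConfig: it derives the rdata of a "3 1 1" TLSA record (DANE-EE, SubjectPublicKeyInfo, SHA-256), the form a Postfix client with smtp_tls_security_level = dane verifies, by walking the ASN.1 structure of a DER certificate with the Python standard library only. The certificate here is a constructed, unsigned skeleton so the code runs offline; with a real server certificate you would pass its DER bytes instead.

```python
import hashlib

def der(tag, body):
    # DER TLV encoder for the constructed sample (bodies under 256 bytes)
    assert len(body) < 0x100
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def der_tlv(buf, off=0):
    # Decode the TLV at buf[off]; returns (tag, value, offset after it)
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(body):
    # Split a SEQUENCE body into (tag, raw TLV bytes) elements
    out, off = [], 0
    while off < len(body):
        tag, _, end = der_tlv(body, off)
        out.append((tag, body[off:end]))
        off = end
    return out

def spki_from_cert(cert_der):
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {...}, sigAlg, signature }
    tbs_raw = der_children(der_tlv(cert_der)[1])[0][1]
    fields = der_children(der_tlv(tbs_raw)[1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    # usage 3 = DANE-EE; selector 1 = SPKI, 0 = full cert; mtype 1 = SHA-256, 0 = raw, 2 = SHA-512
    data = spki_from_cert(cert_der) if selector == 1 else cert_der
    digest = {0: lambda d: d.hex(), 1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"

# Constructed, unsigned X.509 skeleton (NOT a real certificate) so this runs offline;
# with a real one use tlsa_rdata(open("cert.der", "rb").read()).
EC_OID = der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")                 # id-ecPublicKey
SIG_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
SAMPLE_SPKI = der(0x30, der(0x30, EC_OID) + der(0x03, b"\x00\x04" + bytes(64)))

def sample_cert_der():
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG + der(0x30, b"")
           + der(0x30, der(0x18, b"20240101000000Z") + der(0x18, b"20250101000000Z"))
           + der(0x30, b"") + SAMPLE_SPKI)
    return der(0x30, der(0x30, tbs) + SIG_ALG + der(0x03, b"\x00"))
```

Selector 1 ties the record to the public key rather than the certificate, so renewing the certificate with the same key pair leaves the published TLSA record valid, while a key change needs the new record published (and propagated) before the new certificate goes live.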

Have fun!

postfix per smtp-transport smtp_fallback_relay master.cf

Hi there

I've got multiple SMTP transports on my Postfix server, and one of them sends newsletters.
As every mail admin has seen in real life, some destination servers have rate limits set up, so only a specific
amount of mail is accepted within a specific time frame.

To get these masses delivered to such destinations in an adequate time frame we need a fallback relay.
Due to the configuration of the destination servers, they will accept mail from client IPs other than
the rate-limited server's, while the rate-limited server gets a 450 temporary error.

Long story short.

Here, as always, my config snippet from Postfix master.cf (somewhere around line 40):

smtp      unix  -       -       -       -       50       smtp
        -o smtp_fallback_relay=relay01.bla.com

No magic. Really?

DON'T FORGET THE S**** TABSTOP IN FRONT of "-o smtp_fallback_relay="

Otherwise you're gonna get this:

postfix/master[8319]: fatal: /etc/postfix/master.cf: line 40: bad transport type: smtp_fallback_relay=relay01.bla.com

Due to this little config mistake a new grey hair is gonna grow in my beard.
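Added example, not from the post or from Postfix: a small master.cf checker that reproduces the parsing rule behind the error above (a line without leading whitespace is a new service entry, so its second field must be a transport type) and collects the -o overrides per service. The two fragments are constructed from the post's entry, once with the tab and once without; the error wording for the bad type mirrors the log line from the post.

```python
VALID_TYPES = {"inet", "unix", "fifo", "pass"}   # master.cf transport types

def parse_master_cf(text):
    """Parse master.cf text; returns ({"name/type": {param: value}}, [(line_no, error)])."""
    services, errors, current = {}, [], None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            # Leading whitespace = continuation of the current service: "-o name=value"
            parts = line.split(None, 1)
            if current and len(parts) == 2 and parts[0] == "-o" and "=" in parts[1]:
                name, value = parts[1].split("=", 1)
                services[current][name.strip()] = value.strip()
            else:
                errors.append((no, f"unrecognized continuation line: {line.strip()}"))
            continue
        # Anything else is a service line: name type private unpriv chroot wakeup maxproc command
        fields = line.split()
        current = None
        if len(fields) >= 2 and fields[1] not in VALID_TYPES:
            errors.append((no, f"bad transport type: {fields[1]}"))
        elif len(fields) < 8:
            errors.append((no, f"bad field count: {line.strip()}"))
        else:
            current = f"{fields[0]}/{fields[1]}"
            services[current] = {"command": " ".join(fields[7:])}
    return services, errors

# Constructed master.cf fragments: the post's entry with and without the tab
GOOD = ("smtp      unix  -       -       -       -       50       smtp\n"
        "\t-o smtp_fallback_relay=relay01.bla.com\n")
BAD = ("smtp      unix  -       -       -       -       50       smtp\n"
       "-o smtp_fallback_relay=relay01.bla.com\n")

def check_file(path):
    """Run the checker over a real master.cf and return its findings."""
    with open(path) as fh:
        return parse_master_cf(fh.read())[1]
```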

Have fun!

dnsbl.njabl.org to b.barracudacentral.org policyd-weight


Because njabl.org stopped its services I needed to find another RBL which is easy to delist from for mail admins, has fewer false positives and has no connections to the sh** RBLs of fu***ing SORBS. I decided to test b.barracudacentral.org. After some days of log reviews and testing I decided to use b.barracudacentral.org in production. Works like a charm.

So I edited the line around 377 in /usr/sbin/policyd-weight and restarted the daemon:

#'dnsbl.njabl.org',        4.25,       -1.5,        'BL_NJABL',
'b.barracudacentral.org', 4.25,        -1.5,       'BL_BARRACUDA',

/etc/init.d/policyd-weight restart
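Added example, not from the post or from policyd-weight itself: a simplified model of what the edited array entry does, building the reversed-octet query name for a DNSBL zone and applying the entry's hit (4.25) and miss (-1.5) weights. The lookup is injected and the listing table is constructed so it runs offline; the real policyd-weight combines these weights with further checks before deciding on a reject.

```python
import ipaddress

# (zone, hit score, miss score, log name): the policyd-weight entry from the post
DNSBL_SCORE = [
    ("b.barracudacentral.org", 4.25, -1.5, "BL_BARRACUDA"),
]

def dnsbl_query_name(ip, zone):
    """Reversed-octet name a DNSBL lookup sends, e.g. 10.2.0.192.zone for 192.0.2.10."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score_client(ip, is_listed):
    """Add each zone's hit or miss weight; is_listed(name) stands in for the DNS query."""
    total, hits = 0.0, []
    for zone, hit, miss, log_name in DNSBL_SCORE:
        if is_listed(dnsbl_query_name(ip, zone)):
            total += hit
            hits.append(log_name)
        else:
            total += miss
    return round(total, 2), hits

# Constructed listing table standing in for real DNS answers (no network needed);
# 127.0.0.2 is the conventional DNSBL test address.
LISTED = {"2.0.0.127.b.barracudacentral.org"}

def score_from_table(ip, table=LISTED):
    return score_client(ip, lambda name: name in table)
```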

Have fun!

To every mail admin: Don't use SORBS, they are a conglomerate of arrogant a** f*****s.
I needed 4 weeks and more than 15 mails and tickets for a delisting of a "dynamic" IP pool.
Also the proofpoint.com RBL seems to be managed by the same arrogant guys, but the problem is that me.com, icloud.com and some other big mail players are using it.
The https://support.proofpoint.com/dnsbl-lookup.cgi is nice and shows the listing of an IP address, but has no further functions. It seems no one is reading the output of the form.
After filling in the form every day for 14 days I decided that monologues are boring.
So I contacted this company by e-mail.
Pow, after 1 day I got delisted, with no response from the German mailbox. 🙂
The next problem with that list is that it's not publicly queryable, so no one is able to monitor the RBL via Nagios etc.
SORBS sucks

dkim postfix howto


Here is a nice howto to set up OpenDKIM with Postfix.

Install and configure opendkim:

aptitude install opendkim
mkdir -p /etc/opendkim/keys/yourdomain.tld
cd /etc/opendkim/keys/yourdomain.tld
opendkim-genkey -r -d yourdomain.tld

vim /etc/opendkim.conf
AutoRestart             Yes
AutoRestartRate         10/1h
Syslog                  yes
LogWhy                  yes
SyslogSuccess           yes
UMask                   002
Socket                  inet:8891@localhost
KeyTable                refile:/etc/opendkim/keytable
SigningTable            refile:/etc/opendkim/signingtable

vim /etc/opendkim/keytable
default._domainkey.yourdomain.tld yourdomain.tld:default:/etc/opendkim/keys/yourdomain.tld/default.private

vim /etc/opendkim/signingtable
*@yourdomain.tld default._domainkey.yourdomain.tld

vim /etc/postfix/master.cf
smtp      inet  n       -       -       -       -       smtpd
        -o smtpd_milters=inet:
smtps     inet  n       -       -       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_milters=inet:
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject

/etc/init.d/postfix restart
/etc/init.d/opendkim restart

cat /etc/opendkim/keys/yourdomain.tld/default.txt
Add this record to the DNS zone of yourdomain.tld.

Hint: In Ubuntu 12.04 opendkim-genkey has a bug which generates an invalid DKIM public key record in default.txt. Here is the example:

default._domainkey IN TXT "v=DKIM1;=rsa; p=MIGfMA0GC .... Q7GWwsbQIDAQAB" WRONG
default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GC .... Q7GWwsbQIDAQAB" RIGHT

You can also install an Ubuntu backport which does not have the problem.
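Added example, not from the post or from OpenDKIM: a checker for the published DKIM key record that parses the tag=value list as RFC 6376 defines it and catches exactly the defect above, a value with an empty tag name ("=rsa" instead of "k=rsa"), plus a missing or non-base64 p= value. The WRONG/RIGHT strings are constructed after the post's pair; the key material in them is a dummy base64 value, not a real key.

```python
import base64
import re

TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*")

def parse_dkim_key_record(txt):
    """Parse a DKIM key TXT record (RFC 6376 tag=value list); returns (tags, errors)."""
    tags, errors = {}, []
    for item in txt.split(";"):
        if not item.strip():
            continue                                  # a trailing ';' is allowed
        name, sep, value = (s.strip() for s in item.partition("="))
        if not sep:
            errors.append(f"no '=' in {item.strip()!r}")
        elif not TAG_NAME.fullmatch(name):
            errors.append(f"invalid tag name {name!r} in {item.strip()!r}")
        elif name in tags:
            errors.append(f"duplicate tag {name!r}")
        else:
            tags[name] = value
    # v= is optional but must be DKIM1 if present; k= defaults to rsa; p= is required
    if tags.get("v", "DKIM1") != "DKIM1":
        errors.append(f"unknown version {tags['v']!r}")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        errors.append(f"unknown key type {tags['k']!r}")
    if "p" not in tags:
        errors.append("missing p= public key")
    else:
        try:
            # whitespace between quoted strings is allowed, so strip it before decoding
            base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            errors.append("p= is not valid base64")
    return tags, errors

# Constructed records after the post's WRONG/RIGHT pair (the key is a dummy base64 value)
WRONG = "v=DKIM1;=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQAB"
RIGHT = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQAB"
```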

To verify your DKIM setup you can use any Gmail account.
Here is Gmail's help for this: http://support.google.com/mail/bin/answer.py?hl=en&answer=180707

"mailed-by yourdomain.tld" -> means your SPF record is valid
"signed-by yourdomain.tld" -> means your DKIM setup is valid

Have fun!