On Mon, June 22, 2015 10:09, Viktor Dukhovni wrote:
> On Mon, Jun 22, 2015 at 09:40:58AM -0400, James B. Byrne wrote:
>
>> However, postfix had already been
>> under git control as a separate repository when etckeeper was
>> installed and, unbeknownst to me git considered that a submodule so
>> when etckeeper did its update commits the postfix directory was not
>> updated with the rest.
>
> Have you considered using git to go back to the previous
> configuration?
> Start with:
>
> git log

The sad case of unwanted and unrecognised git submodules was previously
explained. And this has been fixed.

>> INET07 = local delivery
>> [root@inet07 etc]# postconf -n
>> ...
>> relay_clientcerts = hash:/etc/postfix/relay_clientcerts
>
> Does the ".db" file exist (did you "postmap" the file)?
>
>> relay_domains = hash:/etc/postfix/relay_domains
>
> Ditto.

Both these were missing, along with another map. That was indeed the
problem with getting the server to accept connections.

>> relayhost = smtp.hamilton.harte-lyne.ca
>
> Typically, you'd want that in []:
>
> relayhost = [smtp.hamilton.harte-lyne.ca]
>
> unless that really is intended to be an MX RRset and not a hostname.

I understand that the brackets mean do not look up the MX records. I can
see why that would be preferred if email was meant to be forwarded on to
a specific host not listed in DNS as an MX. But this particular host is
the final destination of all mail destined to domains under our control
and it does not accept mail for retransmission onward. I do not see the
point in this case. I suppose I should just delete the entry.

>> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>
> Generally this is left empty.
>
>> smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.$TLSHOST.crt
>> smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.$TLSHOST.key
>
> What is this "$TLSHOST"? I notice it is set in the "INET07" main.cf
> file but not in this one.

An oversight on my part. I made some changes that I did not entirely
back out before running postconf.

>> smtp_tls_ciphers = medium
>> smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED,
>> IDEA, RC2, RC5
>> smtp_tls_protocols = !SSLv2, !SSLv3
>
> Exchange 2003 interoperability mode, that's fine.
>
>> smtp_tls_security_level = dane
>
> Not useful without:
>
> smtp_dns_support_level = dnssec
>
> and "127.0.0.1" as the only "nameserver" entry in /etc/resolv.conf
> and a validating resolver running on 127.0.0.1. Otherwise, use
> "may", not "dane".

All MX and delivery hosts have a named instance running on them. Only
our internal DNS servers are listed in /etc/resolv.conf on any host.
127.0.0.1 is the first entry in resolv.conf for hosts running a named
instance. I do not understand why that should be the only entry however.

>> smtp_use_tls = yes
>
> Obsolete.

Removed.

>> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>
> Often can be left empty instead. Why load a pile of certificates
> you don't use. If you must load a pile of certificates, use CApath,
> not CAfile.

Why is this so? What is the effect of leaving it empty? I presume this
has to do with TRUST and since we really do not trust anybody sending
email being who they claim to be it is redundant.

>> smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
>> smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
>
> This is more reasonable (no $TLSHOST), do the key and certificate
> match? Any signs of trouble in the logs:

Nothing respecting the keys or certs. Which is to say there were other
problems reported.

> http://www.postfix.org/DEBUG_README.html#logging
>
>> smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>
> Did you generate that parameter file?

Yes, automatically performed weekly by a cron job. It does not seem
necessary to do so more frequently than that but if so then a schedule
change is trivial.

>> INET08 - MX host unable to connect to INET07 (timeout)
>> # postconf -n
>> TLSHOST = smtp
>
> What's the point of this "TLSHOST" business.

At one point we were sharing main.cf between two hosts, the very backup
host from which I recovered a working config file. This was an attempt
to minimize the number of places customization edits needed to be
performed. It has been removed and the file naming rationalized instead.

>> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>
> Why?

We run our own private CA. Our root certificate is required for the
validation chain as far as I am aware. This is a custom bundle with our
root and issuer CA certificates added.

>> smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.$TLSHOST.crt
>> smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.$TLSHOST.key
>
> Why not just use the exact file name without a "$TLSHOST" variable?

Fixed.

>> smtp_use_tls = yes
>
> Obsolete.

Removed.

>> smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>
> Empty is better.

Why?

>> smtpd_tls_ask_ccert = yes
>
> Do you plan to support client certs? For submission? Or
> on port 25?

Yes, on 25 only. There are no submissions on this particular server.
Final delivery only via LMTP/Cyrus-Imap.

>> smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
>
> Did you generate the parameter file?

Yes.

>> smtpd_use_tls = yes
>
> Obsolete.

Removed.

This is what we have now. Mail is being delivered but I still have a
number of things to sort out with respect to internal TLS.

postconf -n
alias_database = hash:/etc/postfix/aliases.main, hash:/etc/postfix/aliases.domains
alias_maps = hash:/etc/postfix/aliases.main, hash:/etc/postfix/aliases.domains
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
html_directory = no
ignore_mx_lookup_error = no
inet_interfaces = $myhostname, localhost
inet_protocols = all
mail_spool_directory = /var/spool/mail
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = $myhostname, localhost.$mydomain, localhost, hash:/etc/postfix/local_domains
newaliases_path = /usr/bin/newaliases.postfix
propagate_unmatched_extensions = canonical, virtual
queue_minfree = 40960000
rbl_reply_maps = hash:/etc/postfix/rbl_reply
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
relay_domains = hash:/etc/postfix/relay_domains
relayhost = smtp.hamilton.harte-lyne.ca
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_host_lookup = dns
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtp.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, RC5
smtp_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtp.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_client_restrictions = permit
smtpd_data_restrictions = permit_mynetworks, reject_multi_recipient_bounce, reject_unauth_pipelining, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access pcre:/etc/postfix/helo_checks.pcre, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_proxy_timeout = 300s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, check_sender_mx_access hash:/etc/postfix/sender_mx_access, check_sender_ns_access hash:/etc/postfix/sender_ns_access, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/ca.harte-lyne.smtpd.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/pki/tls/private/ca.harte-lyne.smtpd.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
soft_bounce = no
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/virtual.regexp
virtual_mailbox_domains = hash:/etc/postfix/virtual_mailbox_domains
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_aliases
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

-- 
***          e-Mail is NOT a SECURE channel          ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
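Three of the problems raised in the exchange above (hash: tables never run through postmap, "dane" without smtp_dns_support_level = dnssec, and a bare relayhost that will be resolved via MX lookup) can be caught mechanically from a `postconf -n` dump. The POSIX shell script below is an added example and is not part of the thread, nor a Postfix tool; the script name postfix_audit.sh, the function names and the sample values fed to it are this example's own assumptions. It reads a dump on stdin, and only runs `postconf -n` on the live system when invoked directly under that file name.

```shell
#!/bin/sh
# postfix_audit.sh (example, not a Postfix tool): read a "postconf -n" dump
# on stdin and flag three pitfalls from the thread above:
#   - hash: tables whose compiled .db is missing or older than the source
#   - smtp_tls_security_level = dane without smtp_dns_support_level = dnssec
#   - a relayhost without [] (Postfix then does an MX lookup on it)

# Print every hash:/path table referenced in the dump, one path per line.
# Values like "hash:/a, hash:/b" are split on commas and spaces first.
list_hash_tables() {
    tr ', ' '\n\n' | sed -n 's/^hash:\(.*\)$/\1/p' | sort -u
}

# Report hash: tables whose compiled .db file is missing or stale.
# Prints "MISSING path.db" or "STALE path.db" per problem; returns 1 if
# anything was found, 0 otherwise.  (Paths containing spaces are not handled.)
check_hash_tables() {
    status=0
    for t in $(list_hash_tables); do
        if [ ! -f "$t.db" ]; then
            echo "MISSING $t.db (run: postmap $t)"
            status=1
        elif [ "$t.db" -ot "$t" ]; then
            echo "STALE $t.db (run: postmap $t)"
            status=1
        fi
    done
    return $status
}

# Fail when "dane" is requested but smtp_dns_support_level is not dnssec;
# per the advice above, "dane" is not useful without it (use "may" instead).
check_dane_prereqs() {
    conf=$(cat)
    level=$(printf '%s\n' "$conf" | sed -n 's/^smtp_tls_security_level *= *//p')
    dns=$(printf '%s\n' "$conf" | sed -n 's/^smtp_dns_support_level *= *//p')
    if [ "$level" = dane ] && [ "$dns" != dnssec ]; then
        echo "smtp_tls_security_level = dane needs smtp_dns_support_level = dnssec (got '${dns:-unset}')"
        return 1
    fi
    return 0
}

# Warn when relayhost is a bare name: without [] Postfix looks up MX records
# for it, which is only right when the name really owns an MX RRset.
check_relayhost() {
    rh=$(sed -n 's/^relayhost *= *//p')
    case "$rh" in
        '' | \[*) return 0 ;;
        *) echo "relayhost = $rh is resolved via MX lookup; use [$rh] to name a specific host"
           return 1 ;;
    esac
}

# Run all three checks over one dump; returns non-zero if any check failed.
audit_postconf() {
    conf=$(cat)
    rc=0
    printf '%s\n' "$conf" | check_hash_tables || rc=1
    printf '%s\n' "$conf" | check_dane_prereqs || rc=1
    printf '%s\n' "$conf" | check_relayhost || rc=1
    return $rc
}

# Only audit the live configuration when invoked directly as a script.
case "$0" in
    */postfix_audit.sh | postfix_audit.sh) postconf -n | audit_postconf ;;
esac
```

Run as `postconf -n | sh postfix_audit.sh` after editing main.cf; a MISSING or STALE line is the "did you postmap the file?" question answered before the next connection times out. The .db staleness test uses the shell's `-ot` file comparison, so a table edited after its last postmap is reported as well as one never compiled.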