On Thu, Jan 14, 2021 at 04:09:30PM -0500, Harry Putnam wrote:

> >     http://www.postfix.org/SOHO_README.html
> >     http://www.postfix.org/SOHO_README.html#fantasy
> 
> Thx, those are helpful but I'm apparently still not getting it
> right. Still failing like so:
> 
> postfix/pickup[23288]: 40BBD492: uid=1000 from=<reader>
> postfix/cleanup[23322]: 40BBD492: message-id=<20210114202854.40BBD492@localhost>
> postfix/qmgr[23289]: 40BBD492: from=<rea...@local.lan>, size=374, nrcpt=1 (queue active)
> postfix/smtp[23324]: connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out
> postfix/smtp[23324]: 40BBD492: to=<rea...@newsguy.com>, relay=none, delay=30, delays=0.16/0.17/30/0, dsn=4.4.1, status=deferred (connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out)

Postfix is trying to deliver email to:

>   smtp.newsguy.com[74.209.136.63]:25:

but, after waiting for a SYN-ACK (TCP connection completion)
from the server for 30 seconds:

>   delay=30, delays=0.16/0.17/30/0

gives up:

>   Connection timed out

If your connection is supposed to be to port 25 and 587 or 465, then
this is not a Postfix issue, Postfix is doing all the right things,
but the network connectivity just isn't there.
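An added example, not from the thread, that makes the reading of the delays= field above mechanical: a small Python parser splits a postfix/smtp record into the four delay phases, names the phase where the time went, and flags the relay=none plus connection-setup pattern as a network problem rather than a Postfix one. The sample log is constructed: the deferral line is the one quoted above, the second is a made-up successful delivery.

```python
import re

# Postfix 2.3+ logs per-recipient timing as delays=a/b/c/d (seconds):
#   a = before the queue manager (pickup/cleanup), b = in the queue manager,
#   c = connection setup (DNS, TCP connect, HELO, TLS), d = message transmission.
PHASES = ("before_qmgr", "in_qmgr", "connection_setup", "transmission")

# Constructed sample: the deferral from the thread plus one successful delivery
# to a documentation-range address (192.0.2.10) for contrast.
SAMPLE_LOG = """\
postfix/smtp[23324]: 40BBD492: to=<rea...@newsguy.com>, relay=none, delay=30, delays=0.16/0.17/30/0, dsn=4.4.1, status=deferred (connect to smtp.newsguy.com[74.209.136.63]:25: Connection timed out)
postfix/smtp[23330]: 51CCE4A3: to=<someone@example.com>, relay=smtp.example.com[192.0.2.10]:587, delay=1.2, delays=0.1/0.05/0.9/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), "
    r"delay=(?P<delay>[\d.]+), delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def parse_smtp_line(line):
    """Parse one postfix/smtp delivery record; return None for other log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["delay"] = float(rec["delay"])
    rec["delays"] = dict(zip(PHASES, (float(x) for x in rec["delays"].split("/"))))
    return rec

def diagnose(rec):
    """Name the phase that dominated the delay and flag the no-connection case."""
    slowest = max(rec["delays"], key=rec["delays"].get)
    if rec["status"] == "deferred" and rec["relay"] == "none" and slowest == "connection_setup":
        # relay=none: no server was ever reached, so the time went into waiting for the
        # TCP handshake. That is a network-path problem (firewall, blocked port), not Postfix.
        return "network: no TCP connection to the relay (%s)" % rec["reason"]
    return "%s: slowest phase %s" % (rec["status"], slowest)

def triage(log_text):
    """(queue id, diagnosis) for every smtp delivery record in the text."""
    return [(r["qid"], diagnose(r)) for r in map(parse_smtp_line, log_text.splitlines()) if r]
```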

> Does this line from above indicate that messages are still going out
> with `from=<rea...@local.lan>` as the sender?

The message envelope in the queued message is "rea...@local.lan", but if
you're using "smtp_generic_maps", logging of the original address form
is expected, because the rewrites would happen on the fly during delivery,
and so the queued message shows the address pre-rewrite.

> I ask because I do have a 'generic.db' file in place.  (content of
> generic file below)

Rewriting via generic happens "post queue" and so is not reflected
in local log messages.  The new address is only seen by the remote
system (to which you never connect).

> > The "From:" header has no bearing on the return path of email,
> > which comes from the message envelope.  You can set with the
> > "-f sender" option of sendmail(1).
> 
> Is that inserted somewhere in postfix configuration or done with
> cmdline?  

The "-f sender" option of sendmail(1) is generally understood to be
a command-line option.

> >   $ sendmail -f root@localhost.local -bv postmaster@some.where
> 
> Still not clear where the sendmail -f is done.  The way you've written
> the line ... with leading `$', it appears to be done on the command line.
> But clearly not something you would be doing with each mail... so
> where is the sendmail -f line set?

On the command line when you want to send a delivery probe and
be sure to have results delivered to the right sender address.

> I'm going to include my full main.cf,

    http://www.postfix.org/DEBUG_README.html#mail

> mailbox_command = procmail -a "$EXTENSION"

I don't recommend this unless you know what you're doing.

> mailbox_size_limit = 0

This may be unwise.

> myhostname = localhost
> mydestination = local.lan, $myhostname, localhost, localhost.localdomain, localhost

It is best to set myhostname to a "dotted" name.  And use one of
the above names for the domain part of the sender address, rather
than "localhost.local", which is not listed.

> myorigin = /etc/mailname  **added hp( mailname = newsguy.com )

I sure hope that "** ..." bit isn't actually there.  And support for
filenames in myorigin is Debian/Ubuntu specific.

> relayhost = [smtp.newsguy.com]

Perhaps a submission port number (587? 465?, ...) is needed here?

> smtp_generic_maps = hash:/etc/postfix/generic

This is fine.

> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options =

You should generally set smtp_sasl_tls_security_options as described in
SASL_README.

    http://www.postfix.org/SASL_README.html#client_sasl_enable
    http://www.postfix.org/SASL_README.html#client_sasl_policy

    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = noanonymous

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_CApath=/etc/ssl/certs
> smtp_tls_security_level=may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_use_tls = yes

You should likely *enforce* TLS to the submission server.

> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
> smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_security_level=may

You're unlikely to need an SMTP server; you can just keep it listening
only on the loopback interface, or disable it entirely.

    inet_interfaces = loopback-only
    master_service_disable = inet

> -------       -------       ---=---       -------       ------- 
> /etc/postfix/generic
> rea...@local.lan         rea...@newsguy.com

Fine.

> /etc/postfix sasl_passwd
> [smtp.newsguy.com]        reader:XsecretX

If you add a ":port" suffix to the relay setting, you should also add it
here (the SASL password lookup key), and in the TLS policy file.  For
example:

    main.cf:
        smtp_tls_policy_maps = hash:/etc/postfix/tls-policy

    tls-policy:
        [smtp.newsguy.com]:587  secure
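An added consistency check, not part of the thread, covering the SASL options, TLS enforcement and ":port" key advice above: it reads main.cf, sasl_passwd and tls-policy as text and reports where a lookup key disagrees with relayhost or where TLS/SASL are left unenforced. The config fragments are constructed from the one quoted in this thread, with the password replaced by a placeholder; the "after" variant applies the recommendations.

```python
import re
ENFORCING = {"encrypt", "secure", "verify", "fingerprint", "dane-only"}

# Constructed fragments modelled on the thread's main.cf (password replaced by a placeholder):
# "before" has :587 on relayhost but not on the sasl_passwd key, no TLS enforcement,
# and an empty smtp_sasl_security_options; "after" applies the advice in the thread.
BEFORE_MAIN_CF = """\
relayhost = [smtp.newsguy.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_security_level = may
"""
BEFORE_SASL_PASSWD = "[smtp.newsguy.com]        reader:PLACEHOLDER_PASSWORD\n"
AFTER_MAIN_CF = BEFORE_MAIN_CF.replace("smtp_sasl_security_options =",
    "smtp_sasl_security_options = noplaintext, noanonymous\n"
    "smtp_sasl_tls_security_options = noanonymous\n"
    "smtp_tls_policy_maps = hash:/etc/postfix/tls-policy")
AFTER_SASL_PASSWD = "[smtp.newsguy.com]:587    reader:PLACEHOLDER_PASSWORD\n"
AFTER_TLS_POLICY = "[smtp.newsguy.com]:587  secure\n"

def parse_main_cf(text):  # 'name = value' lines; an empty value is kept as ''
    pairs = (re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", l) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def parse_table(text):  # hash: table source: 'key<ws>value' per line, '#' comments ignored
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {r[0]: (r[1] if len(r) > 1 else "") for r in rows}

def lint_relay(main_cf, sasl_passwd, tls_policy):
    """Return a list of findings; empty means the three files agree and TLS/SASL are enforced."""
    p, sasl, policy = parse_main_cf(main_cf), parse_table(sasl_passwd), parse_table(tls_policy)
    relayhost, findings = p.get("relayhost", ""), []
    # The SASL password lookup key must equal the next-hop, port suffix included.
    if relayhost not in sasl:
        findings.append("sasl_passwd: no entry keyed %r (keys: %s)" % (relayhost, sorted(sasl)))
    if p.get("smtp_tls_policy_maps"):
        # A per-destination policy overrides smtp_tls_security_level; it must enforce TLS.
        entry = policy.get(relayhost, "")
        if (entry.split() or ["none"])[0] not in ENFORCING:
            findings.append("tls-policy: no enforcing entry keyed %r" % relayhost)
    elif p.get("smtp_tls_security_level", "none") not in ENFORCING:
        findings.append("main.cf: smtp_tls_security_level does not enforce TLS to the relay")
    if "noplaintext" not in p.get("smtp_sasl_security_options", ""):
        findings.append("main.cf: smtp_sasl_security_options should include noplaintext")
    if "smtp_sasl_tls_security_options" not in p:
        findings.append("main.cf: set smtp_sasl_tls_security_options = noanonymous")
    return findings
```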

-- 
    Viktor.
