On 1/16/21 4:08 PM, Viktor Dukhovni wrote:
On Sat, Jan 16, 2021 at 03:11:58PM -0700, Gary Aitken wrote:
I'm trying to set up a postfix-server on a google-compute-engine vm that works 
as follows:

  * outgoing mail from local machine (aaa.xxx.com) to a select few specific
    addresses and any address on a specific domain (yyy.com)
  * incoming mail from a single domain only (yyy.com)

DNS is set with MX as aaa.xxx.com, although the IP on the ipv4 interface is
an internal google address, not the one returned for aaa.xxx.com.
I've set the following:
    /etc/aliases:
      postmaster:   root
      root:         m...@yyy.com
      foo-admin:    u...@yyy.com,u...@yyy.com
    /etc/mailname:
      xxx.com

    /etc/postfix/access
      xxx.com  OK
      yyy.com  OK
      *            5.2.1  No incoming mail allowed

You say *outgoing* mail to these domains, but from which sources?
Just "mynetworks"?

Yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com
Do I need to explicitly add xxx.com, even though it is 127.0.0.0?

    /etc/postfix/main.cf:
      smtpd_tls_cert_file=/path/to/fullchain.pem
      smtpd_tls_key_file=/path/to/privkey.pem
      smtpd_use_tls=yes
      smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

It seems you intend to receive some mail via inbound SMTP...

yes, on port 587.

      recipient_restrictions = check_recipient_access hash:/etc/postfix/access

There is no such parameter in Postfix.  Perhaps you wanted
"smtpd_recipient_restrictions".

Yes, typo in the original message
Is there a way to specify this in main.cf, or only in master.cf?

     * If you're using Postfix >= 3.3, unless $compatibility_level
       is set to a value > 0, the default "smtpd_relay_restrictions"
       is empty, and the above configuration will fail for lack of
       "reject-by-default" relay control.

postfix 3.3.0-1

     * With Postfix 2.10 through 3.2, or compatibility_level >= 1,
       with the default "smtpd_relay_restrictions", this allows outbound
       mail from just mynetworks.

compatibility_level = 2
yes, I only want outbound from mynetworks

       However, the default relay restrictions "defer" unauthorised relay
       attempts; you should generally "reject" once the configuration is
       deemed correct.

I thought the above /etc/postfix/access should do that?
      xxx.com  OK
      yyy.com  OK
      *            5.2.1  No incoming mail allowed

      smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
      smtp_tls_security_level = may
      smtp_tls_loglevel=2

This TLS log level is too verbose for anything other than expert
debugging.  Set it back to 1.

Happily...
I think I was seeing minimal output, which was why I bumped it up.

      smtp_tls_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

What is this?

typo, error in transcription, should have been:
  smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

however, that was left over from I'm not sure where and should probably be
  smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination

      mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 yyy.com

Hostnames in mynetworks are fragile and not recommended; I don't recall
whether they're still supported, but even if they are, you should not
use them.  So no "yyy.com" here.

thanks.

    /etc/postfix/master.cf:
      #smtp      inet  n       -       y       -       -       smtpd
      submission inet n       -       y       -       -       smtpd

This looks like a submission service, so you would generally require
TLS.

Yes, I assume that's a hint I need
  smtp_use_tls=yes
Do I need others besides smtp_tls_cert_file and smtp_tls_key_file?

When I attempt to send mail out using the mail command, the log shows:
Jan 16 21:20:05 ggg postfix/qmgr[13811]: 3CF5C3F3A5: from=<m...@xxx.com>, size=423, nrcpt=1 (queue active)
Jan 16 21:20:05 ggg postfix/smtp[13860]: initializing the client-side TLS engine
Jan 16 21:20:06 ggg postfix/smtp[13820]: connect to xxx.com[a.b.c.d]:25: Connection timed out
Jan 16 21:20:06 ggg postfix/smtp[13829]: connect to xxx.com[a.b.c.d]:25: Connection timed out
questions:
    1. Why is it attempting to send mail on port 25 and not 587?

You have nothing in your configuration that would direct outbound
traffic to port 587, and it is likely not what you want anyway.
Does "xxx.com" really receive inbound email on port 587?  If so,
you'd need a transport table entry to send it there, and probably
SASL to authenticate your access to that service.

In this case the destination address does listen on 587. Why is it not likely what I want?
When specified as relayhost, the postfix process delivers the mail to the
(same) relayhost as a destination just fine.

    2. Why is it trying to connect to itself (xxx.com)?
       Note: the interface IP addr is of an internal google network,
             not the external DNS address which points to this machine.

Because the recipient domain is not listed in mydestination, or
virtual_mailbox_domains, and the MX host of the recipient domain
(or the domain itself otherwise) is "xxx.com".

The recipient domain is not listed in mydestination; but shouldn't it be
contacting the MX host of the recipient domain rather than itself?

The Postfix book by Ralf and Patrick is probably a good first
resource if the material in:

     http://www.postfix.org/BASIC_CONFIGURATION_README.html
     http://www.postfix.org/STANDARD_CONFIGURATION_README.html
     http://www.postfix.org/SOHO_README.html

assumes more background than you already have.

Thanks, I will go through those (again).
The book seems likely to be horribly out of date, unfortunately.

This *seems* like it should be fairly straightforward:
    postfix-server.xxx.com => yyy.com:587
    postfix-server.xxx.com:587 <= yyy.com
    postfix-server.xxx.com => zzz.com:587

Gary
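For readers following the thread, here is an added configuration sketch (editor's example, not anything posted by Gary or Viktor) that pulls the corrections above together: reject-by-default relay control, address-only mynetworks, a transport entry plus SASL for delivering yyy.com mail to port 587, and TLS required on the submission listener. Hostnames such as mail.yyy.com, the certificate paths and the credentials are placeholders. Note that access(5) hash tables have no "*" wildcard, so the catch-all rejection has to come from the restriction list itself.

```conf
# /etc/postfix/main.cf  (added example; placeholders throughout)
compatibility_level = 2
myhostname = aaa.xxx.com
mydomain = xxx.com
myorigin = $mydomain
# Only the box itself is a local destination; yyy.com is relayed, not hosted here.
mydestination = $myhostname, localhost.$mydomain, localhost
# Addresses only: a hostname like yyy.com does not belong in mynetworks.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Relay control: reject, not defer, once the config is known to be correct.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
# Recipient policy: the trailing "reject" is the default, because hash tables
# have no "*" wildcard entry.
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access, reject

# Server-side TLS (certificate and key used by the submission listener).
smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file = /path/to/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Client-side TLS for outbound mail; loglevel 1 is enough outside debugging.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Deliver yyy.com to its submission port instead of its MX on port 25,
# authenticating with SASL as Viktor describes.
transport_maps = hash:/etc/postfix/transport
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

# /etc/postfix/access        (run "postmap /etc/postfix/access" after editing)
#   xxx.com   OK
#   yyy.com   OK

# /etc/postfix/transport     (placeholder host; run "postmap" after editing)
#   yyy.com   smtp:[mail.yyy.com]:587

# /etc/postfix/sasl_passwd   (placeholder credentials; chmod 600; run "postmap")
#   [mail.yyy.com]:587   USERNAME:PASSWORD

# /etc/postfix/master.cf     (submission service requiring TLS before any mail)
#   submission inet n  -  y  -  -  smtpd
#     -o smtpd_tls_security_level=encrypt
```

Use "postconf -n" to confirm the effective values and "postmap -q yyy.com hash:/etc/postfix/access" to confirm a lookup returns OK before exposing the listener.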
