Thanks, and I do use those tools.  They require me to think to run
them.  I'd like to find commandline versions I can stick in cron and
configure to notify me if there's a problem.  Most days, there is no
problem, and I'm happy not to think about this.

For continuing readers, this is the status of my question:

    1.  I'm trying to sort out authentication, but this is probably a
    dovecot issue, so I should look there, even though it's postfix
    that's reporting the error.

    2.  I'm still looking for testing tools other than configuring an
    MUA for the test.

    3.  I'm still looking for automated testing tools that I can stick
    in cron so that I don't need to pay attention except if there's some
    day a problem.

Many thanks.

Jeff


On 24/01/2021 13:07, Curtis Maurand wrote:
> for the blackhole lists, etc.  take a look at mxtoolbox.com
>
> postfix should be passing sasl requests to dovecot’s imap process.  I
> use a tool called ispconfig which sets all of this up along with other
> tools such as clamav, rspamd or amavisd along with per user policies.
>
> my $0.02.  I like its security way better than cpanel.  it’s closer to
> plesk in that regard.  best of all it’s free.  
>
> Sent from my iPhone
>
>> On Jan 24, 2021, at 6:43 AM, Jeff Abrahamson <j...@p27.eu> wrote:
>>
>> 
>>
>> I've set up a new postfix instance which more or less duplicates an
>> older one.  The main change (besides being newer) is that the old one
>> used real users with real accounts while this one uses virtual
>> users.  Some bits work, some don't.  I'm a bit confused on how to
>> test it, really, short of connecting with a regular email client
>> (mutt, thunderbird, etc.).
>>
>> But I've a few questions, mostly about auth, which is what has most
>> changed and which I've clearly not got going correctly.  (And I'm
>> aware that auth may be handled by dovecot and so not be appropriate
>> to /this/ list.  But I'm not yet convinced of that, so I have to ask
>> here first.)
>>
>> 1.  Users need to provide user + password to send (smtps) and receive
>> (imaps).  I see where I've configured this for dovecot, which is
>> /etc/dovecot/passwd.db.  That file contains lines like this:
>>
>>     j...@mobilitains.fr:{BLF-CRYPT}$2y$05$c...
>>
>> I do not see how postfix knows who is allowed to connect, however. 
>> Does postfix delegate SASL to dovecot?  This is the relevant config,
>> I think:
>>
>>     [T] jeff@nantes-m1:log $ postconf -n | grep -i sasl
>>     broken_sasl_auth_clients = yes
>>     smtpd_recipient_restrictions = reject_unknown_client_hostname,reject_unknown_sender_domain,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_invalid_hostname,reject_non_fqdn_sender
>>     smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
>>     smtpd_sasl_auth_enable = yes
>>     smtpd_sasl_authenticated_header = yes
>>     smtpd_sasl_local_domain =
>>     smtpd_sasl_path = private/auth
>>     smtpd_sasl_security_options = noanonymous
>>     smtpd_sasl_type = dovecot
>>
>>     [T] jeff@nantes-m1:log $ postconf -Mf
>>     smtp       inet  n       -       y       -       -       smtpd
>>     submission inet  n       -       y       -       -       smtpd
>>         -o syslog_name=postfix/submission
>>         -o smtpd_tls_security_level=encrypt
>>         -o smtpd_sasl_auth_enable=yes
>>         -o smtpd_client_restrictions=
>>         -o smtpd_helo_restrictions=
>>         -o smtpd_sender_restrictions=
>>         -o smtpd_recipient_restrictions=
>>         -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>         -o milter_macro_daemon_name=ORIGINATING
>>     smtps      inet  n       -       y       -       -       smtpd
>>         -o syslog_name=postfix/smtps
>>         -o smtpd_tls_wrappermode=yes
>>         -o smtpd_sasl_auth_enable=yes
>>         -o smtpd_reject_unlisted_recipient=no
>>         -o smtpd_client_restrictions=
>>         -o smtpd_helo_restrictions=
>>         -o smtpd_sender_restrictions=
>>         -o smtpd_recipient_restrictions=
>>         -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>>         -o milter_macro_daemon_name=ORIGINATING
>>     ...
>>
>> 2.  Any suggestions on how to test this (and continue testing it)? 
>> First, about today, as in, are there good commandline tools to poke
>> at a postfix instance?
>>
>> Second, for later, I'm aware of some very useful online web-based
>> tools (mxtoolbox, etc.), but I'd be quite happy to have some process
>> run on another host and periodically check that my MX isn't on any
>> blackhole lists, that the reasonably foreseeable stuff is all working
>> correctly, etc.  I've not found that.  Any suggestions?
>>
>> Many thanks for any pointers.
>>
>> -- 
>> Jeff Abrahamson
>> +33 6 24 40 01 57
>> +44 7920 594 255
>>
>> http://p27.eu/jeff/
>> http://transport-nantes.com/

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://transport-nantes.com/
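
Added example, not part of the thread and not from either poster: a blackhole-list check of the kind asked for in point 3, which prints nothing when the MX address is clean, so cron only sends mail when there is something to look at. The command-line usage, the status names and the injectable `resolve` parameter are assumptions of this sketch; the DNSBL zones to query are supplied by the operator.

```python
"""Cron-friendly DNSBL check: prints nothing and exits 0 when the IP is clean."""
import ipaddress
import socket
import sys

def dnsbl_name(ip, zone):
    """Query name per RFC 5782: reversed IPv4 octets or IPv6 nibbles, then zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def system_resolver(name):
    """A records for name; an empty list when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []  # NXDOMAIN: not listed
        raise  # timeouts, SERVFAIL etc. are reported, not read as "clean"

def classify(answer):
    # Some lists (Spamhaus among them) answer 127.255.255.x when they refuse a
    # query, e.g. one relayed by a public resolver. That is not a listing.
    if answer.startswith("127.255.255."):
        return "query-refused"
    if answer.startswith("127."):
        return "listed"
    return "unexpected-answer"  # e.g. a resolver that rewrites NXDOMAIN

def check(ip, zones, resolve=system_resolver):
    """Return (zone, status, detail) for every zone that is not clean."""
    problems = []
    for zone in zones:
        try:
            answers = resolve(dnsbl_name(ip, zone))
        except OSError as exc:
            problems.append((zone, "lookup-failed", str(exc)))
            continue
        problems.extend((zone, classify(a), a) for a in answers)
    return problems

if __name__ == "__main__":  # assumed usage: dnsbl_check.py MX_IP ZONE [ZONE ...]
    found = check(sys.argv[1], sys.argv[2:])
    for zone, status, detail in found:
        print(f"{sys.argv[1]} {zone}: {status} ({detail})")
    sys.exit(1 if found else 0)
```

Run it from a host other than the mail server, as the original question suggests, and through a resolver the list operators accept; otherwise every run reports `query-refused` rather than a real result.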
