On Thu, Dec 23, 2021 at 11:20:09AM +1100, raf wrote:
> On Wed, Dec 22, 2021 at 12:20:31AM -0500, Ruben Safir <ru...@mrbrklyn.com> 
> wrote:
> 
> > On Wed, Dec 22, 2021 at 02:19:49PM +1100, raf wrote:
> > > On Tue, Dec 21, 2021 at 06:52:23AM -0500, Ruben Safir 
> > > <ru...@mrbrklyn.com> wrote:
> > > 
> > > > I want to add a domain for the office in addition to my current domain.
> > > > 
> > > > I've done this before, following the outline in:
> > > > http://www.postfix.org/VIRTUAL_README.html#canonical
> > > > 
> > > > using
> > > > 
> > > > [ruben@www2 ~]$ cat /etc/postfix/main.cf|grep mydest
> > > > mydestination = www.domain1.com, www2.domain1.com, home.domain1.com,
> > > > domain1.com, domain2.com, domain3.com, domain4.com, domain5.com,
> > > > newistdomain.com
> > > > 
> > > > So I can receive mail satisfactorily and this has been good enough since I
> > > > normally ssh in from remote and use mutt and all my outgoing email is
> > > > transformed to n...@domain.com
> > > > 
> > > > I need for select users from the newistdomain.com to have that
> > > > n...@newistdomain.com
> > > > 
> > > > I am using thunderbird and dovecot to pop mail from the system.  At
> > > > home, this is no problem as I am on the local network. I just set up the
> > > > smtp server to the postfix host running postfix.
> > > 
> > > That should probably be the same for all Thunderbird users as well.
> > > 
> > > > mydomain = domain1.com
> > > > masquerade_domains = domain1.com, domain1.com #which is probably wrong
> > > > myhostname = domain1.com
> > > 
> > > I'm sure that domain1.com doesn't need to appear twice in
> > > the masquerade_domains parameter, but it's harmless.
> > > 
> > > > How do I securely open postfix to relay email received from these
> > > > specific external office locals using newistdomain.coms
> > > 
> > > If you can already connect using Thunderbird, you must
> > > have an entry for submission and/or submissions/smtps
> > > (i.e., port 587 and/or 465) in /etc/postfix/master.cf,
> > 
> > Thunderbird can directly talk to postfix SMTP without dovecot et al?
> > 
> > I thought it only talks to postfix on the outbound mail.  This is not
> > Taylor UUCP :(
> 
> Thunderbird can talk SMTP to Postfix on ports 25, 465,
> and/or 587. But it can probably only use port 25 when
> it's connecting from an IP address that is in Postfix's
> $mynetworks and so doesn't necessarily require
> authentication. Ports 465 and 587 should require
> authentication.
> 
> Thunderbird only connects to Dovecot directly for
> reading mail via POP/IMAP (ports 110, 143, 993, 995).
> 
> However, for authenticated SMTP, Thunderbird connects
> to Postfix, and Postfix can then connect to Dovecot
> locally for authenticating the user. One way of doing
> that is:
> 
>   /etc/postfix/main.cf:
>   smtpd_sasl_type = dovecot
>   smtpd_sasl_path = private/auth
> 

Can't this be done with TLS without Dovecot or SASL?

I tried to do this and I get this error:


An error occurred while sending mail: Outgoing server (SMTP) error. The
server responded: TLS not available due to local problem.

I have this in the config file now:

/etc/postfix/main.cf


smtpd_sender_restrictions = hash:/etc/postfix/access,
reject_unknown_sender_domain

smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/helo_client_exceptions
   check_sender_access    hash:/etc/postfix/sender_checks,
   reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be weary!
   reject_non_fqdn_hostname,
##################################
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_unauth_destination,
   permit_mynetworks, reject_unauth_destination,
   reject_invalid_hostname,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_rbl_client zen.spamhaus.org,
   reject_rbl_client bl.spamcop.net
   reject_rbl_client cbl.abuseat.org,
   permit
smtpd_data_restrictions = reject_unauth_pipelining, permit

############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = no
smtp_sasl_security_options =
smtp_sasl_password_maps =
smtpd_sasl_auth_enable = no
############################################################
# TLS stuff
############################################################
#tls_append_default_CA = no
relay_clientcerts =
#tls_random_source = dev:/dev/urandom

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/tls/smtpd.pem
#smtp_tls_CApath =
smtp_tls_cert_file = /etc/postfix/tls/smtpd.pem
smtp_tls_key_file = /etc/postfix/tls/smtpd.pem
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_CAfile = /etc/postfix/tls/smtpd.pem
#smtpd_tls_CApath =/etc/postfix/tls/smtpd.pem
smtpd_tls_cert_file =/etc/postfix/tls/smtpd.pem
smtpd_tls_key_file =/etc/postfix/tls/smtpd.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtp_scache



> I think you only need SASL "installed" when using cyrus.
> When using dovecot, it's builtin to Dovecot, and uses
> Dovecot's password file.
> 
> > >   smtps      inet  n       -       y       -       -       smtpd
> > >     -o syslog_name=postfix/$service_name
> > >     -o smtpd_tls_wrappermode=yes
> > >     -o smtpd_sasl_auth_enable=yes
> > >     -o smtpd_client_restrictions=
> > >     -o smtpd_helo_restrictions=
> > >     -o smtpd_sender_restrictions=
> > >     -o smtpd_recipient_restrictions=
> > >     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> > > 
> > >   submission inet n       -       y       -       -       smtpd
> > >     -o syslog_name=postfix/$service_name
> > >     -o smtpd_tls_security_level=encrypt
> > >     -o smtpd_sasl_auth_enable=yes
> > >     -o smtpd_tls_auth_only=yes
> > >     -o smtpd_client_restrictions=
> > >     -o smtpd_helo_restrictions=
> > >     -o smtpd_sender_restrictions=
> > >     -o smtpd_recipient_restrictions=
> > >     -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> > > 
> > > Or have the relevant parameters set similarly in
> > > /etc/postfix/main.cf.
> > > 
> > > > and how do I get
> > > > those accounts to default to n...@newistdomain.com ?
> > > 
> > > I think that that's something that should be specified
> > > in Thunderbird itself.
> > 
> > doesn't masquerade rewrite it?
> 
> I don't think so. masquerade_domains changes the domain part
> of the email address (e.g., from a.b.com to b.com). I think
> you are asking for the newistdomain.com domain to remain the
> same, but for the local/user part of the email address to
> change (e.g., d...@newistdomain.com and k...@newistdomain.com
> both change to n...@newistdomain.com, but ot...@newistdomain.com
> remains unchanged).
> 
> That requires selective address rewriting, not domain
> rewriting (Note: There is also a masquerade_exceptions
> parameter for excluding user names from masquerading,
> so it's not a blunt instrument, but it still doesn't
> apply to your need to change the user names).
> 
> If you only need the user names to change when mail is being
> sent (but not when it arrives), the generic address rewriting
> is probably appropriate (unless I've misunderstood what you're
> asking for):
> 
>   /etc/postfix/main.cf:
>   smtp_generic_maps = hash:/etc/postfix/generic
> 
>   /etc/postfix/generic:
>   d...@newistdomain.com n...@newistdomain.com
>   k...@newistdomain.com n...@newistdomain.com
> 
> If you also need to rewrite incoming email for these users,
> then use canonical address rewriting instead:
> 
>   /etc/postfix/main.cf:
>   sender_canonical_maps = hash:/etc/postfix/sender_canonical
>   recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
> 
>   /etc/postfix/sender_canonical:
>   drew name
>   kim name
> 
>   /etc/postfix/recipient_canonical:
>   name drew
> 
> But this might not be appropriate when mapping multiple
> user names to the same name (which is what I think you
> are asking for). The above just specifies one of the
> original user names to map "name" back to in incoming
> mail.
> 
> It's probably best if you read
> http://www.postfix.org/ADDRESS_REWRITING_README.html
> and see what best matches your needs.
> 
> > > But if the Thunderbird clients are configured with an
> > > incorrect/non-ideal sender domain, and you need Postfix
> > > to override that, you can probably handle that either
> > > with canonical or generic address rewriting:
> > > 
> > >   http://www.postfix.org/ADDRESS_REWRITING_README.html#canonical 
> > > (incoming/outgoing)
> > >   http://www.postfix.org/ADDRESS_REWRITING_README.html#generic (outgoing 
> > > only)
> > >
> > 
> > I'll crunch on that.  The problem here is that I deal with this so 
> > infrequently that I forget everything I learned when I alter the set up.
> > 
> > > Any parameter changes that need to be added can be
> > > added to the service declaration in master.cf using -o
> > > options.
> > > 
> > > But since this is only for "select users", it probably
> > > makes more sense for those users to just set their
> > > correct from address in Thunderbird (unless I've
> > > misunderstood something).
> > > 
> > > cheers,
> > > raf
> > 
> > Thanks!
> > 
> > Reuvain

-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com 

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive 
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com 

Being so tracked is for FARM ANIMALS and extermination camps, 
but incompatible with living as a free human being. -RI Safir 2013
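raf's points about authenticated submission (SASL must be enabled for remote users, and smtpd must be able to offer TLS) can be checked mechanically against a main.cf like the one posted above. This is an added example, not code from the thread or from Postfix; the sample main.cf is a constructed excerpt of the posted one, and the `lint` checks are mine, not postconf's.

```python
import os
# Constructed sample: the relevant lines of the main.cf posted in the thread.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/helo_client_exceptions
   permit_mynetworks,
   reject_unauth_destination,
   permit_mynetworks, reject_unauth_destination,
   reject_rbl_client zen.spamhaus.org,
   permit
smtpd_sasl_auth_enable = no
smtpd_use_tls = yes
smtpd_tls_cert_file =/etc/postfix/tls/smtpd.pem
smtpd_tls_key_file =/etc/postfix/tls/smtpd.pem
"""
ARG_RESTRICTIONS = ("check_", "reject_rbl_client", "reject_rhsbl_")  # take one argument
def parse_main_cf(text):
    """{parameter: value}; an indented line continues the previous parameter, as in Postfix."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params
def restriction_names(value):
    """Split a restriction list into names, dropping table/DNSBL arguments."""
    names, skip = [], False
    for tok in value.replace(",", " ").split():
        if not skip:
            names.append(tok)
        skip = (not skip) and tok.startswith(ARG_RESTRICTIONS)
    return names
def lint(params, path_exists=os.path.exists):
    """Findings for the settings the thread turns on; path_exists is injectable for offline runs."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable != yes: remote clients cannot authenticate to relay")
    if params.get("smtpd_use_tls") == "yes":
        for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if not path_exists(params.get(key, "")):
                findings.append(f"{key}={params.get(key, '<unset>')}: unreadable, smtpd cannot offer TLS")
    names = restriction_names(params.get("smtpd_recipient_restrictions", ""))
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"smtpd_recipient_restrictions lists {dup} more than once")
    return findings
```

Postfix accepts whitespace as well as commas between restrictions, so the missing commas in the posted list are not syntax errors; the duplicated entries are harmless but worth removing.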
