Odd transcript - Server configuration error

2009-10-13 Thread Simon Waters
I have started receiving the transcript below from one of our email servers.

The pattern is consistent with one email queued and being retried from 
serv1.copahost.com, i.e. it repeats from the same host, but less and less 
frequently, as if backing off.

I've tried to contact the remote admin to see if there is anything unusual 
about the message/server without success.

During this period I receive emails routinely to the address shown 
(domain-ad...@zynet.net) without issue, and I see no similar errors about server 
configuration in the log other than from this one host.

Anyone seen anything similar not caused by a configuration error? 

It looks a lot like some sort of data-related problem, but cutting and pasting 
the transcript works as expected, so it seems unlikely the essence of it is 
captured in the transcript. The lookup of the recipient is done via a Postgres 
database query, so there is plenty of scope for mistakes by myself or the server 
being busy, but previously Postfix has always done the right thing, or given an 
obvious error message when there is a database issue.

Host has Debian Lenny
ii  postfix        2.5.5-1.1
ii  postfix-doc    2.5.5-1.1
ii  postfix-pgsql  2.5.5-1.1

Transcript of session follows.

 Out: 220 h7.zynet2.co.uk ESMTP Postfix (Debian/GNU)
 In:  EHLO serv1.copahost.com
 Out: 250-h7.zynet2.co.uk
 Out: 250-PIPELINING
 Out: 250-SIZE 2000
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1770
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 451 4.3.5 Server configuration error
 In:  DATA
 Out: 554 5.5.1 Error: no valid recipients
 In:  QUIT
 Out: 221 2.0.0 Bye

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
default_process_limit = 200
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 5120
message_size_limit = 2000
mydestination = localhost.localdomain localhost.localdomain localhost 
h7.zynet2.co.uk
myhostname = h7.zynet2.co.uk
mynetworks = 127.0.0.0/8, 212.24.80.0/27, 212.24.80.32/27, 212.24.80.64/27
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps 
$virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains 
$relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
proxy:pgsql:/etc/postfix/pgsql-valid-rcpt.cf
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_restrictions = cidr:/etc/postfix/cidr-badips
smtpd_delay_reject = yes
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,  check_helo_access 
hash:/etc/postfix/helo_access,  permit
smtpd_junk_command_limit = 10
smtpd_recipient_restrictions = permit_mynetworks,reject_rbl_client 
zen.spamhaus.org,check_policy_service inet:127.0.0.1:6,   
check_recipient_access hash:/etc/postfix/verify_recipient,  
check_recipient_access hash:/etc/postfix/relay-domains, 
check_recipient_access proxy:pgsql:/etc/postfix/pgsql-valid-rcpt.cf, 
reject_unauth_destination
smtpd_sender_restrictions = hash:/etc/postfix/access,   
reject_unknown_sender_domain
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 554
unverified_recipient_reject_code = 550
virtual_alias_domains = proxy:pgsql:/etc/postfix/pgsql-email-virt-domains.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql-email-virtual.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_domains = pop.mail.zynet.net
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000



Re: postfix 2.3.x vs postfix 2.6 stable

2009-10-13 Thread Mikael Bak
Zhang Huangbin wrote:
> 
> On Oct 10, 2009, at 2:55 AM, Eero Volotinen wrote:
> 
>> I am currently using postfix 2.3.x on RHEL for mail proxy and mailserver.
>>
>> Is there any good reason to update to 2.6? And if so, are there any
>> good and stable rpm repositories for RHEL 5 on the web?
> 
> As I know, postfix-2.3.x which shipped in RHEL/CentOS doesn't support
> 'receive_override_options=no_address_mappings'. You have to update to
> 2.3.14 or newer version.
> 

Perhaps you can try these:
ftp://mirror.newnanutilities.org/pub/postfix-rpm/official/2.6/

HTH,
Mikael


Re: postfix 2.3.x vs postfix 2.6 stable

2009-10-13 Thread Wietse Venema
Zhang Huangbin:
> 
> On Oct 10, 2009, at 2:55 AM, Eero Volotinen wrote:
> 
> > I am currently using postfix 2.3.x on RHEL for mail proxy and  
> > mailserver.
> >
> > Is there any good reason to update to 2.6? And if so, are there any  
> > good and stable rpm repositories for RHEL 5 on the web?
> 
> As I know, postfix-2.3.x which shipped in RHEL/CentOS doesn't support  
> 'receive_override_options=no_address_mappings'. You have to update to  
> 2.3.14 or newer version.

postfix-2.1.0 supports "receive_override_options = no_address_mappings". 

Wietse


Re: Odd transcript - Server configuration error

2009-10-13 Thread Wietse Venema
Simon Waters:
>  In:  RCPT TO:
>  Out: 451 4.3.5 Server configuration error

The details are logged to the MAILLOG file.

Postfix does not disclose config errors in 
responses to random SMTP clients.

Wietse


Re: Odd transcript - Server configuration error

2009-10-13 Thread Simon Waters
On Tuesday 13 October 2009 11:38:36 Wietse Venema wrote:
> Simon Waters:
> >  In:  RCPT TO:
> >  Out: 451 4.3.5 Server configuration error
>
> The details are logged to the MAILLOG file.

Darn, missed it when I looked.

Oct 13 06:30:57 bannerman postfix/smtpd[17691]: warning: unknown smtpd 
restriction: "spammers"

Clearly I should have typed the following but my fingers got carried away...

200.160.238.0/24 REJECT spammers
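An added check for this class of mistake (example code, not from the thread): a small Python linter for cidr: access tables that flags a result word Postfix would treat as an unknown restriction name, along with malformed keys. The recognised action and restriction sets are assumptions listed in the code.

```python
"""Lint a Postfix cidr: access table before it goes live.

Added example, not code from the thread above. It catches the mistake class
behind the "unknown smtpd restriction" warning: the result field of an
access-table entry must be a reply code, an action keyword such as REJECT,
or a restriction name. Any other bare word is handed to the restriction
engine, logged as unknown in the maillog, and shown to the remote client
only as "451 4.3.5 Server configuration error".
"""
import ipaddress
import re

# Result keywords documented in access(5). Assumption of this example: the
# set below is what we check against; extend it for newer Postfix releases.
KNOWN_ACTIONS = {
    "OK", "REJECT", "DUNNO", "DISCARD", "DEFER", "DEFER_IF_PERMIT",
    "DEFER_IF_REJECT", "WARN", "FILTER", "HOLD", "PREPEND", "REDIRECT",
    "BCC", "INFO",
}
# Restriction names that are also legal results. Deliberately partial
# (assumption); a production linter would build this from postconf output.
KNOWN_RESTRICTIONS = {
    "permit", "reject", "permit_mynetworks", "permit_sasl_authenticated",
    "reject_unauth_destination", "defer_if_permit", "defer_if_reject",
}
REPLY_CODE = re.compile(r"^[45]\d\d$")   # "554 go away" style results


def lint_cidr_table(text):
    """Return 'line N: problem' strings for the body of a cidr: table."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        fields = line.split(None, 2)          # key, result, optional text
        if len(fields) < 2:
            problems.append(f"line {lineno}: no action after {fields[0]!r}")
            continue
        key, action = fields[0], fields[1]
        try:
            ipaddress.ip_network(key, strict=False)   # bare address or CIDR
        except ValueError:
            problems.append(f"line {lineno}: {key!r} is not an address or CIDR block")
        if REPLY_CODE.match(action) or action.upper() in KNOWN_ACTIONS:
            continue
        if action.lower() in KNOWN_RESTRICTIONS:
            continue
        problems.append(
            f"line {lineno}: {action!r} is not an access action; "
            "Postfix would run it as a restriction"
        )
    return problems


# Constructed sample table, modelled on the line corrected in the thread.
SAMPLE_TABLE = """\
# cidr-badips (constructed sample)
200.160.238.0/24 REJECT spammers
10.0.0.0/8 DUNNO
198.51.100.0/24 554 go away
203.0.113.5 permit_mynetworks
192.0.2.0/24 spammers
not-an-ip REJECT
172.16.0.0/12
"""

if __name__ == "__main__":
    for problem in lint_cidr_table(SAMPLE_TABLE):
        print(problem)
```

Run it against the real table with `lint_cidr_table(open("/etc/postfix/cidr-badips").read())` before `postfix reload`; the client-facing 451 never tells you which line is wrong.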



Re: postfix 2.3.x vs postfix 2.6 stable

2009-10-13 Thread Eero Volotinen

Zhang Huangbin wrote:


On Oct 10, 2009, at 2:55 AM, Eero Volotinen wrote:


I am currently using postfix 2.3.x on RHEL for mail proxy and mailserver.

Is there any good reason to update to 2.6? And if so, are there any 
good and stable rpm repositories for RHEL 5 on the web?


As I know, postfix-2.3.x which shipped in RHEL/CentOS doesn't support 
'receive_override_options=no_address_mappings'. You have to update to 
2.3.14 or newer version.




Anyway, it looks like there is not much advantage to gain from upgrading to 2.6 
in my non-advanced mail system (only one domain, spam filtering, no 
database in use, no virtual users).


thanks anyway.

--
Eero


unable to open Berkeley db

2009-10-13 Thread Dan Schaefer
This has been a problem from day one of my postfix installation. I get 
the following error in my maillog:


postfix/smtpd[1088]: warning: SASL authentication problem: unable to 
open Berkeley db /etc/sasldb2: No such file or directory


This error appears sometimes 2-3 or more times in a row. I'm running 
Postfix with MySQL. Any other information needed? Thank you for your 
suggestions in advance.


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: unable to open Berkeley db

2009-10-13 Thread Eero Volotinen

Dan Schaefer wrote:
This has been a problem from day one of my postfix installation. I get 
the following error in my maillog:


postfix/smtpd[1088]: warning: SASL authentication problem: unable to 
open Berkeley db /etc/sasldb2: No such file or directory


This error appears sometimes 2-3 or more times in a row. I'm running 
Postfix with MySQL. Any other information needed? Thank you for your 
suggestions in advance.


postconf -n output and the mail logs are important to solve the issue.

--
Eero




Re: unable to open Berkeley db

2009-10-13 Thread Brian Evans - Postfix List
Dan Schaefer wrote:
> This has been a problem from day one of my postfix installation. I get
> the following error in my maillog:
>
> postfix/smtpd[1088]: warning: SASL authentication problem: unable to
> open Berkeley db /etc/sasldb2: No such file or directory
>
This is a message from the Cyrus SASL library.
Postfix is complaining because you appear to have enabled sasl but
didn't finish the Cyrus setup.

A quick Google may give decent answers.


Re: unable to open Berkeley db

2009-10-13 Thread Patrick Ben Koetter
* Dan Schaefer :
> This has been a problem from day one of my postfix installation. I
> get the following error in my maillog:
> 
> postfix/smtpd[1088]: warning: SASL authentication problem: unable to
> open Berkeley db /etc/sasldb2: No such file or directory

a) you configured Cyrus SASL to use the auxprop_plugin: sasldb, but libsasl
   fails to find the database at /etc/sasldb2.
b) you configured Cyrus SASL to use anything else but the auxprop_plugin:
   sasldb, but the plugin name you provided is unknown to Cyrus SASL, causing
   libsasl to search for /etc/sasldb2 as a fallback.
c) you configured SMTP AUTH in Postfix's main.cf, but you did not provide an
   smtpd.conf to configure Cyrus SASL's part in the authentication process. As
   a result libsasl searches for /etc/sasldb2 as a fallback authentication
   database.

If none of the alternatives above matches, send output from "saslfinger -s".

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: unable to open Berkeley db

2009-10-13 Thread Dan Schaefer

Eero Volotinen wrote:

Dan Schaefer wrote:
This has been a problem from day one of my postfix installation. I 
get the following error in my maillog:


postfix/smtpd[1088]: warning: SASL authentication problem: unable to 
open Berkeley db /etc/sasldb2: No such file or directory


This error appears sometimes 2-3 or more times in a row. I'm running 
Postfix with MySQL. Any other information needed? Thank you for your 
suggestions in advance.


postconf -n output and the mail logs are important to solve the issue.

--
Eero



My output is here: http://pastebin.com/m599120ff

Brian Evans - Postfix List wrote:

This is a message from the Cyrus SASL library.
Postfix is complaining because you appear to have enabled sasl but
didn't finish the Cyrus setup.

A quick Google may give decent answers.
I have dovecot installed. I used this guide for my mail server 
installation: 
http://www.howtoforge.com/isp-mailserver-with-virtual-users-domains-postfix-dovecot-mysql-centos5.0


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: unable to open Berkeley db

2009-10-13 Thread Dan Schaefer

Dan Schaefer wrote:

Eero Volotinen wrote:

Dan Schaefer wrote:
This has been a problem from day one of my postfix installation. I 
get the following error in my maillog:


postfix/smtpd[1088]: warning: SASL authentication problem: unable to 
open Berkeley db /etc/sasldb2: No such file or directory


This error appears sometimes 2-3 or more times in a row. I'm running 
Postfix with MySQL. Any other information needed? Thank you for your 
suggestions in advance.


postconf -n output and the mail logs are important to solve the issue.

--
Eero



My output is here: http://pastebin.com/m599120ff

Brian Evans - Postfix List wrote:

This is a message from the Cyrus SASL library.
Postfix is complaining because you appear to have enabled sasl but
didn't finish the Cyrus setup.

A quick Google may give decent answers.
I have dovecot installed. I used this guide for my mail server 
installation: 
http://www.howtoforge.com/isp-mailserver-with-virtual-users-domains-postfix-dovecot-mysql-centos5.0



I noticed that I have this line:
smtp_sasl_password_maps = mysql:$config_directory/mysql_smtpd.cf

Should I also have this line for smtpd as well?
smtpd_sasl_password_maps = mysql:$config_directory/mysql_smtpd.cf

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



Re: unable to open Berkeley db

2009-10-13 Thread Eero Volotinen



I noticed that I have this line:
smtp_sasl_password_maps = mysql:$config_directory/mysql_smtpd.cf

Should I also have this line for smtpd as well?
smtpd_sasl_password_maps = mysql:$config_directory/mysql_smtpd.cf


Are you using Dovecot or Cyrus? Dovecot has its own SASL interface 
which works fine with Postfix.


see: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

--
Eero


SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Simon Wilson
I have a postfix 2.3.3 server, and I *think* I have SASL set up right.  
The reason I think it is right is that I have an iphone that connects  
fine to Postfix, and sends emails fine through port 587 with the  
following logs:


Oct 13 23:33:21 server04 postfix/smtpd[988]: connect from  
unknown[120.155.207.95]
Oct 13 23:33:21 server04 postfix/smtpd[988]: setting up TLS connection  
from unknown[120.155.207.95]
Oct 13 23:33:22 server04 postfix/smtpd[988]: TLS connection  
established from unknown[120.155.207.95]: TLSv1 with cipher AES128-SHA  
(128/128 bits)
Oct 13 23:33:22 server04 postfix/smtpd[988]: DDB8C57522:  
client=unknown[120.155.207.95], sasl_method=PLAIN, sasl_username=simon


It seems to be authing against SASL fine, uses PLAIN as its mech, but  
as it is TLS encrypted that's fine, and verifies me against LDAP.


My /usr/lib64/sasl2/smtpd.conf reads:

pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5

saslauthd is configured to use LDAP.

I can testsaslauthd -u simon -p password with no problems, and it hits  
my LDAP server.


Now my wife has just got a Nokia E51. When it tries to send using SMTP  
to the same port 587, it tries to use CRAM-MD5, and the send fails:


Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS connection  
from unknown[58.171.251.169]
Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection  
established from unknown[58.171.251.169]: TLSv1 with cipher AES256-SHA  
(256/256 bits)
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL  
authentication problem: unable to open Berkeley db /etc/sasldb2:  
Permission denied
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL  
authentication problem: unable to open Berkeley db /etc/sasldb2:  
Permission denied
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL  
authentication failure: no secret in database
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:  
unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:  
authentication failure


It establishes the TLS fine, but then tries to use sasldb2 instead of  
saslauthd which is configured to go to LDAP. There is nothing IN  
sasldb2, no secrets etc as it says - it's not supposed to be using it.


One thing I note is that "telnet mail.simonandkate.net 587" does not  
return AUTH in the list offered:


220 mail.simonandkate.net ESMTP Postfix
EHLO simon.whatever
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So it would appear that SASL is *not* setup right... but why do I get  
log entries saying the iPhone is sending email as sasl_method=PLAIN,  
sasl_username=simon?


So can anyone tell me what I have done wrong? Why does SASL appear to  
be (possibly) working for PLAIN (iPhone) but not for the Nokia  
(CRAM-MD5), and why is the server not advertising the AUTH methods?


Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 2h
disable_vrfy_command = yes
html_directory = no
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !system.simonandkate.net, simonandkate.net,  
simonandkate.lan

message_size_limit = 26214400
mydestination = $myhostname, localhost.$mydomain, localhost,  
$mydomain, localhost.localdomain, simonandkate.net,  
system.simonandkate.net, howiesue.net

myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining  permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,  reject_unauth_destination,
reject_unauth_pipelining,  reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,   
reject_non_fqdn_sender,reject_unknown_sender_domain, 
reject_non_fqdn_recipient,  reject_unknown_recipient_domain,
 check_sender_access hash:/etc/postfix/sender_access,
reject_rbl_client zen.spamhaus.org,   reject_rbl_client  
bl.spamcop.net,   check_policy_service unix:postgrey/socket,  
check_policy_service unix:private/policypermit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/simonand

Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Eero Volotinen


One thing I note is that "telnet mail.simonandkate.net 587" does not 
return AUTH in the list offered:


220 mail.simonandkate.net ESMTP Postfix
EHLO simon.whatever
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So it would appear that SASL is *not* setup right... but why do I get 
log entries saying the iPhone is sending email as sasl_method=PLAIN, 
sasl_username=simon?


So can anyone tell me what I have done wrong? Why does SASL appear to be 
(possibly) working for PLAIN (iPhone) but not for the Nokia (CRAM-MD5), 
and why is the server not advertising the AUTH methods?

smtpd_tls_auth_only = yes


Because of:

smtpd_tls_auth_only (default: no)
When TLS encryption is optional in the Postfix SMTP server, do not 
announce or accept SASL authentication over unencrypted connections.


This feature is available in Postfix 2.2 and later.

you need to use openssl s_client -connect mailserver:port to get the 
auth advertising, as plain telnet is not an encrypted connection.


Make sure that the Nokia is really using encryption (TLS).

--
Eero


Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Patrick Ben Koetter
* Simon Wilson :
> I have a postfix 2.3.3 server, and I *think* I have SASL set up
> right. The reason I think it is right is that I have an iphone that
> connects fine to Postfix, and sends emails fine through port 587
> with the following logs:
> 
> Oct 13 23:33:21 server04 postfix/smtpd[988]: connect from
> unknown[120.155.207.95]
> Oct 13 23:33:21 server04 postfix/smtpd[988]: setting up TLS
> connection from unknown[120.155.207.95]
> Oct 13 23:33:22 server04 postfix/smtpd[988]: TLS connection
> established from unknown[120.155.207.95]: TLSv1 with cipher
> AES128-SHA (128/128 bits)
> Oct 13 23:33:22 server04 postfix/smtpd[988]: DDB8C57522:
> client=unknown[120.155.207.95], sasl_method=PLAIN,
> sasl_username=simon
> 
> It seems to be authing against SASL fine, uses PLAIN as its mech,
> but as it is TLS encrypted that's fine, and verifies me against
> LDAP.
> 
> My /usr/lib64/sasl2/smtpd.conf reads:
> 
> pwcheck_method: saslauthd
> saslauthd_version: 2
> mech_list: plain login cram-md5
> 
> saslauthd is configured to use LDAP.
> 
> I can testsaslauthd -u simon -p password with no problems, and it
> hits my LDAP server.
> 
> Now my wife has just got a Nokia E51. When it tries to send using
> SMTP to the same port 587, it tries to use CRAM-MD5, and the send
> fails:

The saslauthd password verification service can't deal with shared-secret
mechanisms such as cram-md5.

Remove "cram-md5" from $mech_list in /usr/lib64/sasl2/smtpd.conf and the Nokia
E51 should be able to auth.

p...@rick




> 
> Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS
> connection from unknown[58.171.251.169]
> Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection
> established from unknown[58.171.251.169]: TLSv1 with cipher
> AES256-SHA (256/256 bits)
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication failure: no secret in database
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:
> unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:
> authentication failure
> 
> It establishes the TLS fine, but then tries to use sasldb2 instead
> of saslauthd which is configured to go to LDAP. There is nothing IN
> sasldb2, no secrets etc as it says - it's not supposed to be using
> it.
> 
> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
> 
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> So it would appear that SASL is *not* setup right... but why do I
> get log entries saying the iPhone is sending email as
> sasl_method=PLAIN, sasl_username=simon?
> 
> So can anyone tell me what I have done wrong? Why does SASL appear
> to be (possibly) working for PLAIN (iPhone) but not for the Nokia
> (CRAM-MD5), and why is the server not advertising the AUTH methods?
> 
> Postconf -n:
> 
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> bounce_template_file = /etc/postfix/bounce.cf
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> delay_warning_time = 2h
> disable_vrfy_command = yes
> html_directory = no
> mailbox_transport = cyrus
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_domains = !system.simonandkate.net, simonandkate.net,
> simonandkate.lan
> message_size_limit = 26214400
> mydestination = $myhostname, localhost.$mydomain, localhost,
> $mydomain, localhost.localdomain, simonandkate.net,
> system.simonandkate.net, howiesue.net
> myhostname = mail.simonandkate.net
> mynetworks = 127.0.0.0/8, 192.168.1.0/24
> myorigin = simonandkate.net
> newaliases_path = /usr/bin/newaliases.postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions =
> smtpd_data_restrictions = reject_unauth_pipelining  permit
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,  reject_unauth_destination,
> reject_unauth_pipelining,  reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender,reject_unknown_sender_domain,
> reject_non_fqdn_recipient,  reject_unknown_recipient_domain,
> check_sender_access hash:/etc/postfix/sender_access,
> reject_rbl_client zen
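A check covering both Patrick's list of reasons libsasl ends up looking for /etc/sasldb2 (earlier in this thread) and the saslauthd/cram-md5 point above, as added example code, not the thread's or Cyrus SASL's own: it lints an smtpd.conf. The known plugin and method names, and the sample files other than the posted one, are assumptions.

```python
"""Check a Cyrus SASL smtpd.conf for the failure modes described in the thread.

Added example, not code from the thread or from Cyrus SASL. It reports:
  - shared-secret mechanisms (cram-md5, digest-md5) in mech_list while no
    auxprop password store is configured (saslauthd cannot verify them);
  - an auxprop_plugin name Cyrus SASL does not know, so libsasl falls back
    to /etc/sasldb2;
  - no smtpd.conf at all, which ends in the same sasldb2 fallback.
The plugin and method names below are the ones this example knows about
(an assumption); it parses the "key: value" file format only.
"""

KNOWN_PWCHECK = {"saslauthd", "auxprop"}
KNOWN_AUXPROP = {"sasldb", "sql", "ldapdb"}
SHARED_SECRET = {"cram-md5", "digest-md5"}   # need the cleartext secret server-side


def parse_sasl_conf(text):
    """Parse 'key: value' lines (# starts a comment) into a lower-cased-key dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_sasl_conf(text):
    """Return a list of findings for an smtpd.conf body; None means no file."""
    if text is None:
        return ["no smtpd.conf: libsasl will look for /etc/sasldb2 as its fallback database"]
    conf = parse_sasl_conf(text)
    findings = []
    # Cyrus SASL defaults pwcheck_method to auxprop when it is not set.
    methods = {m.lower() for m in conf.get("pwcheck_method", "auxprop").split()}
    mechs = [m.lower() for m in conf.get("mech_list", "").split()]
    for method in sorted(methods - KNOWN_PWCHECK):
        findings.append(f"unknown pwcheck_method {method!r}")
    if "auxprop" in methods:
        for plugin in conf.get("auxprop_plugin", "").split():
            if plugin.lower() not in KNOWN_AUXPROP:
                findings.append(
                    f"unknown auxprop_plugin {plugin!r}: libsasl falls back to /etc/sasldb2"
                )
    if "auxprop" not in methods:
        bad = [m for m in mechs if m in SHARED_SECRET]
        if bad:
            findings.append(
                "no auxprop password store, so shared-secret mechanisms cannot be "
                "verified; drop from mech_list: " + " ".join(bad)
            )
    return findings


# The smtpd.conf posted in the thread, and two constructed variants.
SIMON_CONF = """\
pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5
"""
FIXED_CONF = SIMON_CONF.replace(" cram-md5", "")
TYPO_CONF = """\
pwcheck_method: auxprop
# constructed typo: the plugin is called sasldb, not sasldb2
auxprop_plugin: sasldb2
mech_list: plain login cram-md5
"""

if __name__ == "__main__":
    for name, conf in (("posted", SIMON_CONF), ("fixed", FIXED_CONF),
                       ("typo", TYPO_CONF), ("missing", None)):
        print(name, lint_sasl_conf(conf) or ["ok"])
```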

Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Patrick Ben Koetter
* Eero Volotinen :
> 
> >One thing I note is that "telnet mail.simonandkate.net 587" does
> >not return AUTH in the list offered:
> >
> >220 mail.simonandkate.net ESMTP Postfix
> >EHLO simon.whatever
> >250-mail.simonandkate.net
> >250-PIPELINING
> >250-SIZE 26214400
> >250-ETRN
> >250-STARTTLS
> >250-ENHANCEDSTATUSCODES
> >250-8BITMIME
> >250 DSN
> >
> >So it would appear that SASL is *not* setup right... but why do I
> >get log entries saying the iPhone is sending email as
> >sasl_method=PLAIN, sasl_username=simon?
> >
> >So can anyone tell me what I have done wrong? Why does SASL appear
> >to be (possibly) working for PLAIN (iPhone) but not for the Nokia
> >(CRAM-MD5), and why is the server not advertising the AUTH
> >methods?
> >smtpd_tls_auth_only = yes
> 
> Because of:
> 
> smtpd_tls_auth_only (default: no)
> When TLS encryption is optional in the Postfix SMTP server, do not
> announce or accept SASL authentication over unencrypted connections.
> 
> This feature is available in Postfix 2.2 and later.
> 
> you need to use openssl s_client -connect mailserver:port to get the
> auth advertising, as plain telnet is not an encrypted connection.
> 
> Make sure that the Nokia is really using encryption (TLS).

This is wrong. The log shows the mobile is using TLS. The SASL part fails. See
my other post why it fails.

p...@rick



> 
> --
> Eero

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Eero Volotinen
you need to use openssl s_client -connect mailserver:port to get the 
auth advertising, as plain telnet is not an encrypted connection.


Sorry, the correct commandline is:

openssl s_client -starttls smtp -connect mailhost:port

--
Eero
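The same check scripted, as an added example (not Eero's command or code from the thread): parse the EHLO replies before and after STARTTLS and confirm AUTH appears only in the second. The live probe uses smtplib against whatever host and port you pass in; the embedded replies are the ones captured in this thread.

```python
"""Confirm AUTH is advertised only after STARTTLS on a submission port.

Added example, not code from the thread. With smtpd_tls_auth_only = yes a
plain telnet session sees no AUTH line (the first transcript in the thread)
while an EHLO sent after STARTTLS lists the mechanisms (the openssl session
later in the thread). parse_ehlo() and auth_mechanisms() work on captured
EHLO replies; probe_submission() does the live exchange with smtplib and
needs network access (host and port are parameters, nothing about the
server is assumed).
"""
import smtplib


def parse_ehlo(response_text):
    """Map ESMTP keyword -> parameters from a captured multi-line EHLO reply.

    Non-250 lines (banner, echoed commands) are ignored, as is the first
    250 line, which only names the server. The "AUTH=..." form emitted for
    broken_sasl_auth_clients is stored under the key "AUTH=".
    """
    extensions = {}
    seen_domain = False
    for raw in response_text.splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        if not seen_domain:
            seen_domain = True
            continue
        body = line[4:].strip()            # drop "250-" or "250 "
        if not body:
            continue
        name, _, rest = body.partition(" ")
        if "=" in name:                     # AUTH=CRAM-MD5 LOGIN PLAIN
            name, _, first = name.partition("=")
            name, rest = name + "=", (first + " " + rest).strip()
        extensions[name.upper()] = rest.split()
    return extensions


def auth_mechanisms(response_text):
    """Sorted SASL mechanisms advertised in either AUTH form, [] if none."""
    ext = parse_ehlo(response_text)
    mechs = set(ext.get("AUTH", [])) | set(ext.get("AUTH=", []))
    return sorted(m.upper() for m in mechs)


def tls_auth_only_ok(plain_ehlo, tls_ehlo):
    """True when AUTH is hidden before STARTTLS and offered after it."""
    return not auth_mechanisms(plain_ehlo) and bool(auth_mechanisms(tls_ehlo))


def probe_submission(host, port=587, helo="probe.example"):
    """Live check: (mechanisms before STARTTLS, mechanisms after STARTTLS)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo(helo)
        before = sorted(set(smtp.esmtp_features.get("auth", "").upper().split()))
        smtp.starttls()                     # smtplib clears the feature list here
        smtp.ehlo(helo)
        after = sorted(set(smtp.esmtp_features.get("auth", "").upper().split()))
    return before, after


# Captured EHLO replies from the thread: plain telnet, then after STARTTLS.
PLAIN_EHLO = """\
220 mail.simonandkate.net ESMTP Postfix
EHLO simon.whatever
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
TLS_EHLO = """\
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

if __name__ == "__main__":
    print("before STARTTLS:", auth_mechanisms(PLAIN_EHLO) or "no AUTH")
    print("after STARTTLS: ", auth_mechanisms(TLS_EHLO))
    print("smtpd_tls_auth_only behaviour:", tls_auth_only_ok(PLAIN_EHLO, TLS_EHLO))
```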


Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Jan Kohnert
On Tuesday 13 October 2009 15:52:32 Simon Wilson wrote:
> Now my wife has just got a Nokia E51. When it tries to send using SMTP
> to the same port 587, it tries to use CRAM-MD5, and the send fails:
>
> Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS connection
> from unknown[58.171.251.169]
> Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection
> established from unknown[58.171.251.169]: TLSv1 with cipher AES256-SHA
> (256/256 bits)
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication failure: no secret in database
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:
> unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:
> authentication failure
>
> It establishes the TLS fine, but then tries to use sasldb2 instead of
> saslauthd which is configured to go to LDAP. There is nothing IN
> sasldb2, no secrets etc as it says - it's not supposed to be using it.

Well, if you did not set up LDAP to store passwords in plaintext format (which 
you probably don't want to), it will not work with CRAM-MD5, that's just the 
way it is. But anyway, if you use TLS/SSL passwords are submitted over an 
encrypted connection, so submitting plaintext passwords should not be a big 
security issue here.

> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
>
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

> Postconf -n:
[...]
> smtpd_sasl_auth_enable = yes
> smtpd_tls_auth_only = yes
[...]

That's the way you configured postfix. It shall only give AUTH *after* 
STARTTLS (or over an SSL connection). That's just fine. I would propose (am I 
allowed to?) to configure your wife's phone to use TLS and AUTH PLAIN.

-- 
Regards, Jan




Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Barney Desmond
2009/10/14 Eero Volotinen :
> Because of:
>
> smtpd_tls_auth_only (default: no)
> When TLS encryption is optional in the Postfix SMTP server, do not announce
> or accept SASL authentication over unencrypted connections.
>
> This feature is available in Postfix 2.2 and later.
>
> you need to use openssl s_client -connect mailserver:port to get the auth
> advertising, as plain telnet is not an encrypted connection.
>
> Make sure that the Nokia is really using encryption (TLS).

To expand on what Eero said, Postfix won't advertise AUTH unless the
connection is tunneled through TLS - it's because you have
"smtpd_tls_auth_only = yes".

Here's how I've tested your server, it looks as you'd expect once you
make a TLS connection. As for the use of CRAM-MD5, see Patrick's
notes.


furin...@shirayuki:~$ openssl s_client -connect
mail.simonandkate.net:587 -starttls smtp
CONNECTED(0003)
depth=1 /C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=*.simonandkate.net/emailaddress=ser...@simonandkate.net
   i:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
 1 s:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
   i:/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDPDCCAqWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpTELMAkGA1UEBhMCQVUx

-----END CERTIFICATE-----
subject=/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=*.simonandkate.net/emailaddress=ser...@simonandkate.net
issuer=/C=AU/ST=Queensland/L=Brisbane/O=Simonandkate.net/OU=Home/CN=ca.simonandkate.net/emailaddress=ser...@simonandkate.net
---
No client certificate CA names sent
---
SSL handshake has read 2594 bytes and written 351 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: 565F11F92AC11E91E1F356668B37675E03B3D2F929C5A83BA33183E8DA915308
Session-ID-ctx:
Master-Key: F0BF9E73B3880277076D5005E34B81CC9420B05A1A9B4CB5C0EECB0C8794F60E927053F77D20F0F680C72243F0FD778C
Key-Arg   : None
Start Time: 1255442651
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
EHLO shirayuki
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-AUTH=CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
DONE


Re: SASL fine from iPhone, not from Nokia?

2009-10-13 Thread Simon Wilson

Quoting Patrick Ben Koetter :



The saslauthd password verification service can't deal with
shared-secret
mechanisms such as cram-md5.

Remove "cram-md5" from $mech_list in /usr/lib64/sasl2/smtpd.conf
and the Nokia
E51 should be able to auth.

p...@rick



You guys rock... I am so impressed by not only the detail and effort  
but also the speed of responses. Thanks all so much.


p...@rick was correct: it was because I was offering CRAM-MD5 that the  
Nokia was trying to use it. Remove that offering and bingo! The Nokia  
has fallen back to LOGIN.


Oct 14 00:12:23 server04 postfix/smtpd[2783]: setting up TLS  
connection from unknown[58.171.186.70]
Oct 14 00:12:24 server04 postfix/smtpd[2783]: TLS connection  
established from unknown[58.171.186.70]: TLSv1 with cipher AES256-SHA  
(256/256 bits)
Oct 14 00:12:25 server04 postfix/smtpd[2783]: B7A425751F:  
client=unknown[58.171.186.70], sasl_method=LOGIN, sasl_username=katie


And thanks also to Eero for explaining why the server wasn't appearing  
to offer SASL but it is really - and to Barney for testing my setup  
remotely! :)


As to Jan being allowed to propose configuring the Nokia to use TLS  
and PLAIN - thanks Jan - yes you are allowed... :) It's now working  
using TLS and LOGIN mech.


Thanks again guys - kudos to you all for helping me out.
--
Simon Wilson
www.simonandkate.net


smtpd_sender_login_maps is missing in proxy_read_maps

2009-10-13 Thread Zhang Huangbin

Hi, all.

smtpd_sender_login_maps is missing in proxy_read_maps. Is it a good
idea to add it by default, so that we can use proxymap(8) in
smtpd_sender_login_maps (with the default proxy_read_maps)?



--
Best Regards.

Zhang Huangbin

- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
  CentOS, Debian, Ubuntu: http://www.iredmail.org/



Re: unable to open Berkeley db

2009-10-13 Thread Dan Schaefer

Eero Volotinen wrote:

> > I noticed that I have this line:
> > smtp_sasl_password_maps = mysql:$config_directory/mysql_smtpd.cf
> >
> > Should I also have this line for smtpd as well?
> > smtpd_sasl_password_maps = mysql:$config_directory/mysql_smtpd.cf
>
> Are you using dovecot or cyrus? Dovecot has its own sasl interface
> which works fine with postfix.
>
> see: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
>
> --
> Eero

I no longer receive the error after following the instructions here:
http://www.postfix.org/SASL_README.html#server_dovecot

Thank you for all the advice.

--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.



invalid sender - domain but no username

2009-10-13 Thread Iseli, Erich
Hello everybody,

A software we use in house is sending e-mails that are processed by postfix 
which relays them to an exchange server that has a connection to the internet 
(unlike the sending server).

Recently, the admin of the exchange server forwarded me the following error 
message our server is causing:

   
-
The client at "10.xxx.xxx.xxx" sent a "rcpt" command and the SMTP server
responded with "501 5.5.4 Invalid Address". The full command sent was
"rcpt TO:<""@domain.com> ORCPT=rfc822;""@domain.com". This will probably
cause the connection to fail.
-

In order to find out what messages were causing this, I had them delivered to a
local mailbox. Here is what its headers look like:

---
From ""@domain.com  Tue Oct 13 13:53:47 2009
Return-Path: <""@domain.com>
X-Original-To: iselie
Delivered-To: ise...@internal.domain.com
Received: from domain.com (internal [10.xxx.xxx.xxx])
by internal.domain.com (Postfix) with SMTP id 0F3A4D2579
for ; Tue, 13 Oct 2009 13:53:47 +0200 (CEST)
From:Name 
To: 
Subject:Topic of mail
Date: Tue, 13 Oct 2009 11:53:47 0
MIME-Version: 1.0
Content-Type: text/plain
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: SOME-CUSTOM Mailer
X-MimeOLE: Produced By SOME-CUSTOM Mime
Message-Id: <20091013115347.0f3a4d2...@internal.domain.com>
---

Now this confirms the error message coming from the exchange server. However 
things are not that simple. I then asked Postfix to keep the message internally 
with the following changes in header_checks

/From: @domain\.com/  HOLD
/To: @domain\.com/  HOLD

I then had a look at the messages kept in /var/spool/postfix/hold with postcat 
and I couldn't believe my eyes: actually postfix must be mangling something 
since the "from"-address is absolutely correct! Does anyone see why postfix 
removes the username from the from-information and just sends an empty string? 
Note that some mails actually do get through so it's not an overall problem. Is 
there a mistake in the format the "SOME-CUSTOM Mailer" is generating? If yes, 
can anyone point me to the specification so that I can get in touch with the 
company?


-
*** ENVELOPE RECORDS 08192D2576 ***
message_size: 682 551   1   0
message_arrival_time: Tue Oct 13 12:05:51 2009
create_time: Tue Oct 13 12:05:51 2009
named_attribute: rewrite_context=local
sender: @domain.com
named_attribute: log_client_name=internal
named_attribute: log_client_address=10.xxx.xxx.xxx
named_attribute: log_message_origin=internal[10.xxx.xxx.xxx]
named_attribute: log_helo_name=domain.com
named_attribute: log_protocol_name=SMTP
named_attribute: client_name=internal
named_attribute: reverse_client_name=internal
named_attribute: client_address=10.xxx.xxx.xxx
named_attribute: helo_name=domain.com
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;my.addr...@domain.com
original_recipient: my.addr...@domain.com
recipient: my.addr...@domain.com
*** MESSAGE CONTENTS 08192D2576 ***
Received: from domain.com (internal [10.xxx.xxx.xxx])
by internal.domain.com (Postfix) with SMTP id 08192D2576
for ; Tue, 13 Oct 2009 12:05:51 +0200 (CEST)
From:Name 
^^^
To: 
Subject:Topic of mail
Date: Tue, 13 Oct 2009 10:05:51 +
MIME-Version: 1.0
Content-Type: text/plain
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: SOME-CUSTOM Mailer
X-MimeOLE: Produced By SOME-CUSTOM Mime
Message-Id: <20091013100551.08192d2...@internal.domain.com>

Message Body

*** HEADER EXTRACTED 08192D2576 ***
*** MESSAGE FILE END 08192D2576 ***
-

Thanks a lot for your insights.

Regards,
Erich



P.S. I'm running postfix-2.3.3 on RHEL 5


Re: invalid sender - domain but no username

2009-10-13 Thread Simon Waters
On Tuesday 13 October 2009 15:40:32 Iseli, Erich wrote:
>
> I then had a look at the messages kept in /var/spool/postfix/hold with
> postcat and I couldn't believe my eyes: actually postfix must be mangling
> something since the "from"-address is absolutely correct! 

> sender: @domain.com

The sender is blank, which is what Exchange is complaining about.


Re: invalid sender - domain but no username

2009-10-13 Thread Ralf Hildebrandt
* Iseli, Erich :

> From ""@domain.com  Tue Oct 13 13:53:47 2009
  envelope sender
  
> Return-Path: <""@domain.com>
  envelope sender

> From:Name 
  header from

> I then had a look at the messages kept in /var/spool/postfix/hold with
> postcat and I couldn't believe my eyes: actually postfix must be
> mangling something since the "from"-address is absolutely correct! 

You haven't understood the difference between header and envelope sender.

> sender: @domain.com
wrong envelope sender

> From:Name 
> ^^^
header

Solution: Specify a correct envelope sender.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: invalid sender - domain but no username

2009-10-13 Thread Patrick Ben Koetter
* Iseli, Erich :
> Hello everybody,
> 
> A software we use in house is sending e-mails that are processed by postfix
> which relays them to an exchange server that has a connection to the
> internet (unlike the sending server).

The software you use in-house does not specify a valid envelope sender. Have
that fixed and the problems will go away.

p...@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
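
Added example, not Postfix code: a Python check that reads postcat(1) output like the dump above and compares the envelope `sender:` record with the header From:, the distinction Ralf and Patrick draw. The sample dump is constructed with example.com addresses; real input comes from `postcat -q QUEUEID`.

```python
import re
from email.utils import parseaddr

# Constructed postcat(1) output modelled on the dump in the thread above;
# the envelope sender has an empty local part while the From: header is fine.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS 08192D2576 ***
message_size: 682 551 1 0
named_attribute: rewrite_context=local
sender: @example.com
named_attribute: log_client_name=internal
original_recipient: recipient@example.com
recipient: recipient@example.com
*** MESSAGE CONTENTS 08192D2576 ***
Received: from example.com (internal [10.0.0.5])
    by internal.example.com (Postfix) with SMTP id 08192D2576
    for <recipient@example.com>; Tue, 13 Oct 2009 12:05:51 +0200 (CEST)
From: Name <user@example.com>
To: <recipient@example.com>
Subject: Topic of mail

Message Body
*** HEADER EXTRACTED 08192D2576 ***
*** MESSAGE FILE END 08192D2576 ***
"""


def split_sections(text):
    """Group postcat lines under their '*** NAME queueid ***' banners."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\*\*\* (.+?) [0-9A-Za-z]+ \*\*\*$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def header_value(lines, name):
    """Unfolded value of the first header called name (None if absent)."""
    value = None
    for line in lines:
        if line == "":
            break                        # blank line ends the header block
        if value is not None:
            if line[:1] in (" ", "\t"):  # folded continuation line
                value += " " + line.strip()
                continue
            break
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value


def address_problem(addr):
    """None if addr is usable as an SMTP address, otherwise a reason.
    The empty string is the null sender <>, legitimate for bounces."""
    if addr == "":
        return None
    local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return "no domain"
    if local.strip('"') == "":          # ""@domain: quotes around nothing
        return "empty local part"
    return None


def check_senders(postcat_text):
    """Compare the envelope sender record with the From: header."""
    sections = split_sections(postcat_text)
    sender = None
    for line in sections.get("ENVELOPE RECORDS", []):
        if line.startswith("sender:"):
            sender = line.split(":", 1)[1].strip()
            break
    header_from = parseaddr(header_value(sections.get("MESSAGE CONTENTS", []), "From") or "")[1]
    return {
        "envelope_sender": sender,
        "header_from": header_from,
        "envelope_problem": "no sender record" if sender is None else address_problem(sender),
        "header_problem": address_problem(header_from),
    }
```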



Re: smtpd_sender_login_maps is missing in proxy_read_maps

2009-10-13 Thread Wietse Venema
Zhang Huangbin:
> Hi, all.
> 
> smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
> idea to add it by default? so that we can use proxymap(8) in  
> smtpd_sender_login_maps (with default proxy_read_maps).

I see no problem with doing this.

Wietse
> 
> -- 
> Best Regards.
> 
> Zhang Huangbin
> 
> - Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
>CentOS, Debian, Ubuntu: http://www.iredmail.org/
> 
> 
> 



Re: smtpd_sender_login_maps is missing in proxy_read_maps

2009-10-13 Thread Victor Duchovni
On Tue, Oct 13, 2009 at 01:05:18PM -0400, Wietse Venema wrote:

> Zhang Huangbin:
> > Hi, all.
> > 
> > smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
> > idea to add it by default? so that we can use proxymap(8) in  
> > smtpd_sender_login_maps (with default proxy_read_maps).
> 
> I see no problem with doing this.

Currently proxy_read_maps includes the various (non security sensitive)
"rewriting" related tables, and not others:

#define DEF_PROXY_READ_MAPS "$" VAR_LOCAL_RCPT_MAPS \
" $" VAR_MYDEST \
" $" VAR_VIRT_ALIAS_MAPS \
" $" VAR_VIRT_ALIAS_DOMS \
" $" VAR_VIRT_MAILBOX_MAPS \
" $" VAR_VIRT_MAILBOX_DOMS \
" $" VAR_RELAY_RCPT_MAPS \
" $" VAR_RELAY_DOMAINS \
" $" VAR_CANONICAL_MAPS \
" $" VAR_SEND_CANON_MAPS \
" $" VAR_RCPT_CANON_MAPS \
" $" VAR_RELOCATED_MAPS \
" $" VAR_TRANSPORT_MAPS \
" $" VAR_MYNETWORKS \
" $" VAR_SEND_BCC_MAPS \
" $" VAR_RCPT_BCC_MAPS \
" $" VAR_SMTP_GENERIC_MAPS \
" $" VAR_LMTP_GENERIC_MAPS

How comprehensive should the default list be?
If smtpd_sender_login_maps is included, what else should be added?

address_verify_sender_dependent_relayhost_maps 
address_verify_transport_maps 
fallback_transport_maps 
lmtp_discard_lhlo_keyword_address_maps 
lmtp_pix_workaround_maps 
lmtp_sasl_password_maps 
lmtp_tls_policy_maps 
mailbox_transport_maps 
rbl_reply_maps 
sender_dependent_relayhost_maps 
smtp_discard_ehlo_keyword_address_maps 
smtp_pix_workaround_maps 
smtp_sasl_password_maps 
smtp_tls_policy_maps 
smtpd_discard_ehlo_keyword_address_maps 
smtpd_sender_login_maps 

Perhaps, more, the above are just the candidate parameters not listed
whose names end in "_maps". There are at least also:

lmtp_tls_per_site
smtp_tls_per_site
relay_clientcerts

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: smtpd_sender_login_maps is missing in proxy_read_maps

2009-10-13 Thread Wietse Venema
Victor Duchovni:
> On Tue, Oct 13, 2009 at 01:05:18PM -0400, Wietse Venema wrote:
> 
> > Zhang Huangbin:
> > > Hi, all.
> > > 
> > > smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
> > > idea to add it by default? so that we can use proxymap(8) in  
> > > smtpd_sender_login_maps (with default proxy_read_maps).
> > 
> > I see no problem with doing this.
> 
> Currently proxy_read_maps includes the various (non security sensitive)
> "rewriting" related tables, and not others:
> 
> #define DEF_PROXY_READ_MAPS "$" VAR_LOCAL_RCPT_MAPS \
>   " $" VAR_MYDEST \
>   " $" VAR_VIRT_ALIAS_MAPS \
>   " $" VAR_VIRT_ALIAS_DOMS \
>   " $" VAR_VIRT_MAILBOX_MAPS \
>   " $" VAR_VIRT_MAILBOX_DOMS \
>   " $" VAR_RELAY_RCPT_MAPS \
>   " $" VAR_RELAY_DOMAINS \
>   " $" VAR_CANONICAL_MAPS \
>   " $" VAR_SEND_CANON_MAPS \
>   " $" VAR_RCPT_CANON_MAPS \
>   " $" VAR_RELOCATED_MAPS \
>   " $" VAR_TRANSPORT_MAPS \
>   " $" VAR_MYNETWORKS \
>   " $" VAR_SEND_BCC_MAPS \
>   " $" VAR_RCPT_BCC_MAPS \
>   " $" VAR_SMTP_GENERIC_MAPS \
>   " $" VAR_LMTP_GENERIC_MAPS
> 
> How comprehensive should the default list be?
> If smtpd_sender_login_maps is included, what else should be added?
>
> address_verify_sender_dependent_relayhost_maps 
> address_verify_transport_maps 
> fallback_transport_maps 
> lmtp_discard_lhlo_keyword_address_maps 
> lmtp_pix_workaround_maps 
> lmtp_sasl_password_maps 
> lmtp_tls_policy_maps 
> mailbox_transport_maps 
> rbl_reply_maps 
> sender_dependent_relayhost_maps 
> smtp_discard_ehlo_keyword_address_maps 
> smtp_pix_workaround_maps 
> smtp_sasl_password_maps 
> smtp_tls_policy_maps 
> smtpd_discard_ehlo_keyword_address_maps 
> smtpd_sender_login_maps 
> 
> Perhaps, more, the above are just the candidate parameters not listed
> whose names end in "_maps". There are at least also:
> 
>   lmtp_tls_per_site
>   smtp_tls_per_site
>   relay_clientcerts

A little background may be in order.

Postfix has table-driven mechanisms (some security-sensitive such
as alias_maps or virtual_uid_maps) and table lookup mechanisms
(some unsuitable for security-sensitive features, such as proxy:
or tcp:  maps).

The purpose of proxy_read maps is to access maps with "delayed
open" semantics (such as passwd or group) that would break when
used in chrooted daemons, and to reduce the number of handles
for "expensive" maps (such as *SQL or LDAP).

With proxy_write_maps the primary purpose is "single updater"
semantics (allowing read/write access without need for locks,
because the proxywrite server *is* the lock).

As of several years the security-sensitive table-driven mechanisms
won't allow lookups from proxy: or tcp: maps, so we don't have to
worry about that.  

So the main purpose of the proxy_read_maps list is damage control:
to avoid read access to the entire file system by a compromised
chrooted process. We also may not want to list maps with
passwords here, but it is not the end of the world if we do.

In the case of proxy_write_maps it may also be desirable to limit
the list for damage-control purposes, and list only maps where it
is OK to accept updates from arbitrary Postfix daemon processes.

Wietse
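
Added example (not Postfix's own code), covering both Victor's question about which tables belong in the list and Wietse's point that proxy_read_maps is a damage-control list: a Python check over `postconf -n` output that reports parameters using proxy: tables which proxy_read_maps does not allow, the lookups proxymap(8) will refuse. The sample output is constructed, and the $name expansion handles only plain references.

```python
import re

# Constructed sample of ``postconf -n`` output.  smtpd_sender_login_maps
# uses proxy: but the (abridged) proxy_read_maps value does not cover it.
SAMPLE_POSTCONF = """\
mydestination = $myhostname, localhost
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_mailbox_maps $transport_maps
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql_sender_login_maps.cf
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""

REF_RE = re.compile(r"\$\{?(\w+)\}?")  # $name or ${name}


def parse_postconf(text):
    """Turn ``name = value`` lines into a dict (values may be empty)."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name references recursively, as Postfix does; unknown
    parameters expand to the empty string.  depth bounds reference loops."""
    if depth > 20:
        return value
    return REF_RE.sub(lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def tables_in(value):
    """Split a map list into table specs, dropping an explicit proxy: prefix."""
    specs = []
    for tok in re.split(r"[\s,]+", value):
        if tok:
            specs.append(tok[len("proxy:"):] if tok.startswith("proxy:") else tok)
    return specs


def uncovered_proxy_maps(postconf_text):
    """Map parameter name -> proxy: tables it uses that proxy_read_maps
    does not allow.  An empty dict means every proxy lookup is permitted."""
    params = parse_postconf(postconf_text)
    allowed = set(tables_in(expand(params.get("proxy_read_maps", ""), params)))
    problems = {}
    for name, raw in params.items():
        if name == "proxy_read_maps":
            continue
        for tok in re.split(r"[\s,]+", expand(raw, params)):
            if tok.startswith("proxy:") and tok[len("proxy:"):] not in allowed:
                problems.setdefault(name, []).append(tok)
    return problems


if __name__ == "__main__":
    for name, tables in uncovered_proxy_maps(SAMPLE_POSTCONF).items():
        print(f"{name}: {' '.join(tables)} not covered by proxy_read_maps")
```

Adding `$smtpd_sender_login_maps` to proxy_read_maps in the sample makes the report empty, which is the manual fix the thread arrives at.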


milter (smtp-vilter) not seeing 'Authenticated sender' in postfix 'Received:' header

2009-10-13 Thread Martin Crossley

Hello all -

I've run Postfix for many years, and it really is an excellent piece of work.

Whilst rebuilding a server recently I decided to try integrating the 
anti-virus and anti-SPAM filters via smtpd's milter interface.  I've always 
previously done so via a content filter (amavisd-new).


To be specific, my new configuration is:

OpenBSD 4.5 on i386 (Soekris net5501)
   postfix 2.6.20091025-mysql (from the OpenBSD package collection)
   - virtual mailboxes via dovecot (1.1.11p1) 'deliver' and MySQL 
(5.0.77)

   - SASL and TLS via dovecot auth
   - relaying permitted for remote SASL authenticated clients
   - pre-queue filtering via smtpd_milter 'smtp-vilter' (1.3.6p2)
   - anti-virus via ClamAV (0.95.2)
   - anti-SPAM via Spamassassin (3.5.2p1) spamd

   (for info, most of the above apps are running chrooted)

Everything works fine :-)  I'm very pleased with this setup and in the process 
of writing it up along the lines of Daniele Mazzocchio's excellent guide at 
http://www.kernel-panic.it/openbsd/mail/index.html.


Just one slight issue, with which I would like to request a little help from 
the list :-)


As noted above, I allow 'road warriors' to relay mail as long as they 
authenticate via SASL (plain / login) and TLS.  However I've had problems 
with the server incorrectly tagging such mails as 'SPAM'.


I thought this would be easy to fix by adding an appropriate rule to 
spamassassin, but to my surprise the milter is passing spamassassin (or, to 
be more precise, spamd) a version of the 'Received:' header that does not 
contain the 'Authenticated sender' information.


Unsurprisingly, Postfix is correctly flagging the authentication status in 
the 'Received:' header (courtesy of smtpd_sasl_authenticated_header) in the 
message that ends up in the recipient's inbox.


For example (in header of delivered message):


Return-Path: 
Delivered-To: recipi...@my.domain
Received: from CLIENT (client.my.domain [xx.xx.xx.xx])
   (Authenticated sender: sen...@my.domain)
   by server.my.domain (Postfix) with ESMTPSA id 28C0E19698
   for recipi...@my.domain; xxx, xx Oct 2009 xx:xx:xx +0100 (BST)
Message-ID: x...@client
From: "sender" sen...@my.domain
To: "recipient" 
Subject: test auth


Versus a capture (with tcpdump) of what the milter is sending to spamd:



From 

Received: from CLIENT (client.my.domain [xx.xx.xx.xx]) by server.my.domain
Message-ID: 
From: "sender" sen...@my.domain
To: "recipient" 
Subject: test auth
Date: xxx, xx Oct 2009 xx:xx:xx+0100


Hm !!

So, I'd really appreciate any clues as to whether:

1) this is likely to be because I have mis-configured the milter interface 
on the Postfix side (I hasten to admit I haven't yet explored any of the 
params beyond smtpd_milters);


OR

2) this is more likely to be a problem with the milter itself.

All suggestions on diagnosis or workarounds very kindly appreciated.

Many kind regards, MARTIN

-
$ postconf |grep milter
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v _
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_end_of_header_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} 
{cert_issuer}

milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
milter_protocol = 2
milter_rcpt_macros = i {rcpt_addr}
milter_unknown_command_macros =
non_smtpd_milters =
smtpd_milters = unix:smtp-vilter/run/smtp-vilter/smtp-vilter.sock







Re: milter (smtp-vilter) not seeing 'Authenticated sender' in postfix 'Received:' header

2009-10-13 Thread Wietse Venema
> >From 
> Received: from CLIENT (client.my.domain [xx.xx.xx.xx]) by server.my.domain
> Message-ID: 

Postfix always produces Received: headers that include "by servername
(Postfix) with protocolname", followed by "for " if the
message has only one recipient.

If that information is deleted, then you need to examine your
header_checks rules.

Wietse


Re: milter (smtp-vilter) not seeing 'Authenticated sender' in postfix 'Received:' header

2009-10-13 Thread Wietse Venema
Wietse Venema:
> > From 
> > Received: from CLIENT (client.my.domain [xx.xx.xx.xx]) by server.my.domain
> > Message-ID: 

First of all, that "From " line is an mbox header that
POSTFIX never sends to milter applications.

> Postfix always produces Received: headers that include "by servername
> (Postfix) with protocolname", followed by "for " if the
> message has only one recipient.

The Postfix SMTP server, that is.

> If that information is deleted, then you need to examine your
> header_checks rules.

Mail submitted with /usr/sbin/sendmail gets a Received: header
that looks like:

Received: by servername (Postfix, from userid number)
id queueid; date

which also does not match your quote.

Wietse
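
Added example, not Postfix code: a Python classifier for Received: headers that recognises the two Postfix forms Wietse describes (the SMTP server's, and local sendmail(1) submission) and reports anything else as not Postfix-generated, which is what a header lacking "(Postfix) with ..." indicates. The sample headers are constructed after the thread's examples, and the patterns assume the standard Postfix wording.

```python
import re

# Postfix smtpd: "from HELO (rdns [addr])", optional parenthesised comments
# such as "(using TLSv1 with cipher ...)" or "(Authenticated sender: ...)",
# then "by server (Postfix) with PROTO id QUEUEID [for <rcpt>]; date".
SMTPD_RE = re.compile(
    r"^from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<addr>[^\]]+)\]\)"
    r"(?P<comments>(?: \([^()]*(?:\([^()]*\)[^()]*)*\))*)"
    r" by (?P<server>\S+) \(Postfix\) with (?P<proto>\S+) id (?P<qid>[0-9A-Za-z]+)"
    r"(?: for <(?P<rcpt>[^>]+)>)?; (?P<date>.+)$"
)
# Local submission through the sendmail(1) command.
LOCAL_RE = re.compile(
    r"^by (?P<server>\S+) \(Postfix, from userid (?P<uid>\d+)\)"
    r" id (?P<qid>[0-9A-Za-z]+); (?P<date>.+)$"
)
AUTH_RE = re.compile(r"\(Authenticated sender: ([^)]+)\)")


def classify_received(header):
    """Describe a Received: header: kind is 'smtpd', 'local' or 'unknown';
    authenticated is True only for a SASL-authenticated SMTP submission."""
    body = " ".join(line.strip() for line in header.strip().splitlines())
    body = re.sub(r"^Received:\s*", "", body)
    m = SMTPD_RE.match(body)
    if m:
        auth = AUTH_RE.search(m.group("comments"))
        proto = m.group("proto")
        return {
            "kind": "smtpd",
            "server": m.group("server"),
            "proto": proto,
            "queue_id": m.group("qid"),
            "auth_sender": auth.group(1) if auth else None,
            # RFC 3848: ESMTPA / ESMTPSA mean the client authenticated.
            "authenticated": bool(auth) or proto.endswith("A"),
            "rcpt": m.group("rcpt"),
        }
    m = LOCAL_RE.match(body)
    if m:
        return {"kind": "local", "queue_id": m.group("qid"),
                "uid": int(m.group("uid")), "authenticated": False}
    return {"kind": "unknown", "authenticated": False}


# Constructed samples: the header as delivered, the truncated form the
# milter handed to spamd in the thread above, and a local submission.
DELIVERED = """Received: from CLIENT (client.example.net [192.0.2.10])
    (using TLSv1 with cipher AES256-SHA (256/256 bits))
    (Authenticated sender: sender@example.net)
    by mail.example.net (Postfix) with ESMTPSA id 28C0E19698
    for <recipient@example.net>; Tue, 13 Oct 2009 12:05:51 +0100 (BST)"""
SEEN_BY_MILTER = ("Received: from CLIENT (client.example.net [192.0.2.10]) "
                  "by mail.example.net")
LOCAL = """Received: by mail.example.net (Postfix, from userid 1000)
    id 08192D2576; Tue, 13 Oct 2009 12:05:51 +0200 (CEST)"""

if __name__ == "__main__":
    for sample in (DELIVERED, SEEN_BY_MILTER, LOCAL):
        print(classify_received(sample))
```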


Re: smtpd_sender_login_maps is missing in proxy_read_maps

2009-10-13 Thread Zhang Huangbin


On Oct 14, 2009, at 4:42 AM, Wietse Venema wrote:


A little background may be in order.


Thanks Victor and Wietse for your detailed description.

In my case, smtpd_sender_login_maps only looks up the username field in LDAP/ 
MySQL, so I think it's safe to add it to proxy_read_maps manually.  
Right?


--
Best Regards.

Zhang Huangbin

- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
  CentOS, Debian, Ubuntu: http://www.iredmail.org/



Re: smtpd_sender_login_maps is missing in proxy_read_maps

2009-10-13 Thread Victor Duchovni
On Wed, Oct 14, 2009 at 10:25:49AM +0800, Zhang Huangbin wrote:

>
> On Oct 14, 2009, at 4:42 AM, Wietse Venema wrote:
>>
>> A little background may be in order.
>
> Thanks Victor and Wietse for your detail description.
>
> In my case, smtpd_sender_login_maps only lookup username field in 
> LDAP/MYSQL, so i think it's safe to add it in proxy_read_maps manually. 
> right?

Yes.

-- 
Viktor.



Re: Postfix as a "extra smart host"

2009-10-13 Thread Joris Dobbelsteen

Fons van der Beek wrote:

> Hello all,
>
> I have a SBS server that has several users from different domains,
> receiving mails for several domains on the SBS box is no problem.
>
> The problem is in sending.
>
> Suppose I use postfix as an outgoing smarthost, but this smart host
> should rewrite the sender's address.
>
> e.g.
> Exchange sends an email from u...@domain.com to the smarthost
> The smart host converts u...@domain.com to us...@anotherdomain.com and
> sends this message to the intended receiver.
>
> Can this be done?
> I can imagine this can be done by using headerchecks, did anybody do
> this before?
>
> if so can someone point me in the right direction?

You should be able to control that with Exchange.

If you are looking in the active directory, for every user you can set 
various e-mail addresses. One is picked as the default e-mail and this 
is the one exchange advertises. Using Recipient Policies you should be 
able to create an LDAP filter and automate that process for large groups 
of users.

This would look like a much cleaner solution.

- Joris