Re: SSL_accept error / lost connection after STARTTLS

2010-02-17 Thread Merrick
I ended up getting this to work after installing:

apt-get install dovecot-postfix

and accepting the dovecot-postfix.conf file that comes with the package.

Hope this helps someone down the road, sorry for replying to myself.


On Tue, Feb 16, 2010 at 9:23 PM, Merrick  wrote:
> I migrated an 8 year old mail server this morning, I can check mail
> fine but I have not succeeded in sending mail. Here is a summary of
> what I am getting, what I am running, and my conf files.
>
> Any help is appreciated, I've been at it for 8 hours now.
>
> Thanks
>
>
> Feb 16 20:39:41 mail postfix/smtpd[2918]: setting up TLS connection
> from ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]
> Feb 16 20:39:41 mail postfix/smtpd[2918]:
> ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]: TLS cipher list
> "ALL:+RC4:@STRENGTH"
> Feb 16 20:39:41 mail postfix/smtpd[2918]: SSL_accept error from
> ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]: -1
> Feb 16 20:39:41 mail postfix/smtpd[2918]: lost connection after
> STARTTLS from ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]
>
>
> *
> installed
> *
> Ubuntu 9.10
> postfix             2.6.5-3
> libsasl2-2          2.1.23.dfsg1-1ubunt
> dovecot-common      1:1.1.11-0ubuntu11
> dovecot-imapd       1:1.1.11-0ubuntu11
>
> *
> mail.app client settings
> *
> server name: mail.mydomain.com
> use default ports (25,465,587)
> also tried
> port 25000
> authentication: password
> username (filled in correctly)
> password (filled in correctly)
>
> ssl checked on
>
> I followed this article, it did not work:
> https://help.ubuntu.com/community/Postfix
>
> *
> main.cf
> *
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> home_mailbox = Maildir/
> inet_interfaces = all
> inet_protocols = all
> mailbox_command =
> mailbox_size_limit = 6400
> message_size_limit = 3200
> mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
> mydomain = mydomain.com
> myhostname = mail.mydomain.com
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
> mynetworks_style = host
> myorigin = /etc/mailname
> readme_directory = no
> recipient_delimiter = +
> relay_domains = $mydestination
> relayhost =
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_enforce_tls = yes
> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service
> inet:127.0.0.1:10023
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated
> reject_unknown_sender_domain check_sender_access
> hash:/etc/postfix/access
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
> smtpd_tls_key_file = /etc/ssl/private/smtpd.key
> smtpd_tls_loglevel = 4
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = hash:/etc/postfix/virtual
>
>
>
>
> *
> master.cf
> *
> #
> # Postfix master process configuration file.  For details on the format
> # of the file, see the master(5) manual page (command: "man 5 master").
> #
> # Do not forget to execute "postfix reload" after editing this file.
> #
> # ==
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==
> #smtp      inet  n       -       -       -       -       smtpd
> smtp      inet  n       -       -       -       -       smtpd
> #submission inet n       -       -       -       -       smtpd
> #  -o smtpd_tls_security_level=encrypt
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #smtps     inet  n       -       -       -       -       smtpd
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #628      inet  n       -       -       -       -       qmqpd
> pickup    fifo  n       -       -       60      1       pickup
>         -o content_filter=
>         -o receive_override_options=no_header_body_checks
> cleanup   unix  n       -       -       -       0       cleanup
> qmgr      fifo  n      

Exceptions to reject_invalid_hostname ?

2010-02-17 Thread Frank Bonnet

Hello

I have the following rules in main.cf :

smtpd_recipient_restrictions =
   reject_invalid_hostname,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   reject_unauth_pipelining,
   permit_mynetworks,
   reject_unauth_destination,
   reject_unlisted_recipient,
   check_policy_service inet:127.0.0.1:10023,
   permit


I wonder if it is possible to add exceptions to the
reject_invalid_hostname statement because two professors
need to receive some emails from a few people whose machines
aren't well configured and who don't have DNS access/knowledge.


Thanks a lot




Re: If I don't want to queue emails, which value I've to give to default_transport?

2010-02-17 Thread Michele Carandente
This is what I want:
This is a local mail server, where all the emails are generally queued
and then relayed to different SMTP servers (depending on the sender).
As internal emails I'll have different emails from different
domains... but I want to be able to tell postfix that one email is
not local for the next 3 days...
With the configuration that I have I'm able to do it.
What I want now is to be free to tell postfix that, when I want, all
the emails will be relayed automatically (instead of being queued).

So I need some value for defer_transports and default_transport
(because, as I said before, if I comment out these 2 commands, postfix
relays without putting mail in the queue...)

I hope I'm more understandable...
Thanks
Michele


Re: Exceptions to reject_invalid_hostname ?

2010-02-17 Thread Barney Desmond
On 17 February 2010 20:07, Frank Bonnet  wrote:
> smtpd_recipient_restrictions =
>   reject_invalid_hostname,
>   reject_non_fqdn_sender,
>   reject_unknown_sender_domain,
>   reject_unknown_recipient_domain,
>   reject_unauth_pipelining,
>   permit_mynetworks,
>   reject_unauth_destination,
>   reject_unlisted_recipient,
>   check_policy_service inet:127.0.0.1:10023,
>   permit
>
> I wonder if it is possible to add exceptions to the reject_invalid_hostname
> statement because two professors
> need to receive some emails from few persons that haven't
> well configured machines and don't have DNS access/knowledge.

This will depend on what you do/don't have control over. For the
record, reject_invalid_hostname is a deprecated pre-Postfix 2.3 name,
the new name for this is "reject_invalid_helo_hostname". It sounds
like you want to whitelist the professors based on either HELO name
(kind of unreliable and easily abused if someone finds out), or their
IP address (could be troublesome if it's dynamic).

http://www.postfix.org/postconf.5.html#check_client_access
Basically, you'd insert an access-table lookup first in the list of
restrictions and only apply reject_invalid_hostname if the sender
isn't one of the professors. I don't guarantee that I've got this
right, but it'd be something like this...

smtpd_recipient_restrictions =
  check_client_access cidr:/etc/postfix/professors.cidr,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  etc...

Where the contents of /etc/postfix/professors.cidr is:
1.2.3.4        DUNNO
1.2.4.10       DUNNO
0.0.0.0/0      reject_invalid_hostname


This assumes that you're checking the source address. The DUNNO should
skip the professors, and apply reject_invalid_hostname to everyone
else.

More on access tables here: http://www.postfix.org/access.5.html
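To make the first-match and DUNNO semantics of that table concrete, here is an added Python emulation (not Postfix code, and not part of Barney's post) of how smtpd walks a restriction list with a cidr: client-access lookup in front. The table contents, client addresses and HELO names are constructed. The HELO syntax test is an approximation of what reject_invalid_helo_hostname checks, not Postfix's own valid_hostname(). The emulated table also adds a ::/0 line, which the table above lacks: in a cidr table, 0.0.0.0/0 matches IPv4 clients only, so an IPv6 client would otherwise fall straight through the catch-all.

```python
import ipaddress
import re

# Constructed contents of /etc/postfix/professors.cidr (cidr_table(5): first match wins).
# The ::/0 line is an addition to the thread's table: 0.0.0.0/0 only matches IPv4 clients.
PROFESSORS_CIDR = """
# professors' machines: no decision here, continue with the next restriction
1.2.3.4        DUNNO
1.2.4.10       DUNNO
# everyone else: apply the HELO syntax check
0.0.0.0/0      reject_invalid_hostname
::/0           reject_invalid_hostname
"""

# Frank's list with the cidr lookup inserted in front. Only the restrictions the
# thread is about are modelled; the others return DUNNO in this example.
RESTRICTIONS = [
    "check_client_access cidr:/etc/postfix/professors.cidr",
    "reject_non_fqdn_sender",
    "reject_unknown_sender_domain",
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit",
]

# One hostname label: letters/digits/hyphens, no leading or trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_cidr_table(text):
    """Parse 'pattern result' lines into (network, result) pairs, keeping file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rules


def cidr_lookup(rules, client_ip):
    """First matching network wins; None when nothing matches (e.g. other address family)."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if addr in net:  # False when the address and network families differ
            return result
    return None


def helo_is_valid(helo):
    """Approximation of the syntax check behind reject_invalid_helo_hostname:
    accept an address literal such as [192.0.2.1], or dot-separated labels of
    letters, digits and hyphens that do not start or end with a hyphen."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    if not helo or len(helo) > 255:
        return False
    return all(_LABEL.match(label) for label in helo.split("."))


def apply_restriction(name, client_ip, helo, rules):
    """Return 'DUNNO' (no decision), 'PERMIT' or 'REJECT' for one restriction.
    A table result that names a restriction is applied in place, as access(5) allows."""
    if name == "DUNNO":
        return "DUNNO"
    if name.startswith("check_client_access"):
        result = cidr_lookup(rules, client_ip)
        return "DUNNO" if result is None else apply_restriction(result, client_ip, helo, rules)
    if name in ("reject_invalid_hostname", "reject_invalid_helo_hostname"):
        return "DUNNO" if helo_is_valid(helo) else "REJECT"
    if name == "permit":
        return "PERMIT"
    return "DUNNO"  # sender/recipient checks are not modelled in this example


def evaluate(restrictions, client_ip, helo, rules):
    """Walk the list in order; the first restriction that decides ends the evaluation.
    Reaching the end of smtpd_recipient_restrictions without a decision means permit."""
    for name in restrictions:
        verdict = apply_restriction(name, client_ip, helo, rules)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"


if __name__ == "__main__":
    rules = parse_cidr_table(PROFESSORS_CIDR)
    for ip, helo in [("1.2.3.4", "-laptop"), ("203.0.113.9", "-laptop"),
                     ("203.0.113.9", "mail.example.org"), ("2001:db8::1", "-laptop")]:
        print(f"{ip:>14}  HELO {helo:<18} -> {evaluate(RESTRICTIONS, ip, helo, rules)}")
```

The walk also shows what DUNNO buys you: it is "no decision", so a professor's correspondent still has to pass every later restriction in the list; only the HELO syntax check is skipped for those two addresses.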


Deny SASL authentication not from local IP

2010-02-17 Thread Неворотин Вадим
How can I deny SASL authentication from non-local (not 192.168.0.0/16) IPs? Now I
have restrictions in smtpd_recipient_restrictions and other parameters
which allow sending mail to relayhost only from local IPs and only after
authentication. But a client from the Internet can still authenticate on my
server, though it can't send mail. I need to deny authentication from the outer
net altogether. It's because my users use very simple passwords, and in my net
each user has only one login/password for all services.


Re: 554 5.7.1 relay access denied

2010-02-17 Thread Jerry
On Tue, 16 Feb 2010 15:20:56 -0800 (PST)
Jeff Lacki  replied:

>That fixed it.  I knew it would be something
>simple, in the end it usually is.

aka: Occam's razor

-- 
Jerry
postfix.u...@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

I'm so broke I can't even pay attention.



RE: SPF Issues

2010-02-17 Thread Jonathan Tripathy
Is it safe to put the external IP of my backup MX in mynetworks?

-Original Message-
From: owner-postfix-us...@postfix.org on behalf of LuKreme
Sent: Thu 2/11/2010 20:30
To: postfix-users@postfix.org
Subject: Re: SPF Issues
 
On 11-Feb-2010, at 06:16, Jonathan Tripathy wrote:
> 
> Does anyone know how to "whitelist" a particular IP when using tumgreyspf with 
> postfix?

Put the spf check later in your restrictions. After permit_mynetworks would be 
good.


-- 
THE PLEDGE OF ALLEGIANCE DOES NOT END WITH HAIL SATAN
Bart chalkboard Ep. 1F16




Re: SPF Issues

2010-02-17 Thread Gaby Vanhegan

On 17 Feb 2010, at 11:59, Jonathan Tripathy wrote:
> Is it safe to put the external IP of my backup MX in mynetworks?

Provided your backup MX has the same SMTP relay restrictions as the master MX 
you should be OK.  I replicate our master config out to the secondaries but I 
have the master config set as a relay style config on the secondaries rather 
than a virtual delivery config as on the master.

G.

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/



Re: Deny SASL authentication not from local IP

2010-02-17 Thread Patrick Ben Koetter
* Неворотин Вадим :
> How can I deny SASL authentication from non-local (not 192.168.0.0/16) IPs? Now I
> have restrictions in smtpd_recipient_restrictions and other parameters
> which allow sending mail to relayhost only from local IPs and only after
> authentication. But a client from the Internet can still authenticate on my
> server, though it can't send mail. I need to deny authentication from the outer
> net altogether. It's because my users use very simple passwords, and in my net
> each user has only one login/password for all services.

If your users also connect from outside, then there's no way to deny SASL
authentication.

If, however, you can identify your users by network range, split Postfix smtpd
into an outside and an inside configuration like this in master.cf:


# ==
# service type  private unpriv  chroot  wakeup  maxproc command + args
#   (yes)   (yes)   (yes)   (never) (100)
# ==
# smtp  inet  n   -   -   -   -   smtpd
:25  inet  n   -   -   -   -   smtpd
  -o smtpd_sasl_auth_enable=yes
:25  inet  n   -   -   -   -   smtpd


Then remove "smtpd_sasl_auth_enable = yes" from main.cf and restart postfix.

p...@rick




-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):



RE: SPF Issues

2010-02-17 Thread Jonathan Tripathy
Yeah, what I do is have all my virtual mail accounts stored on the primary 
MX, and my backup MX is configured to relay mail (only for my domains) to the 
primary MX using transport maps. I have since introduced SPF checking on the 
primary, and some emails are getting rejected when mail comes from the backup 
MX as the SPF scripts see the IP of the backup MX.

So does this sound OK then, to put the external IP of the backup MX in mynetworks?

Thanks
-Original Message-
From: owner-postfix-us...@postfix.org on behalf of Gaby Vanhegan
Sent: Wed 2/17/2010 12:26
To: Postfix users
Subject: Re: SPF Issues
 





Re: helo_access

2010-02-17 Thread Manu

Hello

Thanks for all your replies

I've made this change :
smtpd_recipient_restrictions =
  check_client_access hash:/etc/postfix/smtp.domaineok.com
  reject

/etc/postfix/smtp.domaineok.com contains:
smtp.domaineok.com   OK

Another problem is that smtp.domaineok.com is a pool of computers (anti-virus 
+ anti-spam relay).

I've tried to change /etc/postfix/smtp.domaineok.com to

.domaineok.com   OK

But it doesn't work.

It's OK when i put
smtp1.domaineok.com   OK
smtp2.domaineok.com   OK
smtp3.domaineok.com   OK
smtp4.domaineok.com   OK

But by doing this I will reject mail if there is a new computer in the pool.
Is my syntax ".domaineok.com   OK" correct?





Re: helo_access

2010-02-17 Thread Ralf Hildebrandt
* Manu :

> .domaineok.com   OK

man 5 access says:

domain.tld

Matches domain.tld as the domain part of an email address.

The pattern domain.tld also matches subdomains, but only when the string
smtpd_access_maps is listed in the Postfix parent_domain_matches_subdomains
configuration setting (note that this is the default for some versions of
Postfix). Otherwise, specify .domain.tld (note the initial dot) in order to
match subdomains.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: helo_access

2010-02-17 Thread Manu

Yes, I've seen this too.

As I don't understand smtpd_access_maps very well, I've chosen the 
second solution

.domain.tld (note the initial dot)

But strangely it doesn't work.

domain.tld (without the initial dot) is OK

Thanks for all

- Original Message - 
From: "Ralf Hildebrandt" 

To: 
Sent: Wednesday, February 17, 2010 2:49 PM
Subject: Re: helo_access





Re: If I don't want to queue emails, which value I've to give to default_transport?

2010-02-17 Thread Reinaldo de Carvalho
On Wed, Feb 17, 2010 at 6:09 AM, Michele Carandente
 wrote:
> This is what I want:
> This is a local mail server, where all the emails are generally queued
> and then relayed to different SMTP servers (depending on the sender).

Sender?

> As internal emails I'll have different emails from different
> domains... but I want to be able to tell postfix that one email is
> not local for the next 3 days...


If you defer the 'smtp' transport, you need to set up a new service in master.cf:

smtp-fine  unix  -   -   -   -   -   smtp

Configure transport_maps:

exam...@local.example.com   smtp-fine:


> With the configuration that I have I'm able to do it.
> What I want now is to be free to tell postfix that, when I want, all
> the emails will be relayed automatically (instead of being queued).
>
> So I need some value for defer_transports and default_transport
> (because, as I said before, if I comment out these 2 commands, postfix
> relays without putting mail in the queue...)
>
> I hope I'm more understandable...
> Thanks
> Michele
>



-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)


Re: helo_access

2010-02-17 Thread Victor Duchovni
On Wed, Feb 17, 2010 at 02:47:26PM +0100, Manu wrote:

> Another problem is that smtp.domaineok.com   is a pool of computer (anti 
> virus + anti spam relay).
> I've tried to change /etc/postfix/smtp.domaineok.com to
>
> .domaineok.com   OK
>
> But it doesn't work.
>
> It's OK when i put
> smtp1.domaineok.com   OK
> smtp2.domaineok.com   OK
> smtp3.domaineok.com   OK
> smtp4.domaineok.com   OK

Some day you'll reject a lot of mail incorrectly. Use CIDR blocks, not
hostnames.

-- 
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
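The dotted and undotted forms behave differently because of the lookup-key order check_client_access uses for a hash: table, which access(5) describes and Ralf quoted. The following Python functions are an added example, not Postfix code and not part of Manu's or Viktor's posts; they emulate that key order for a client hostname and IPv4 address (IPv6 prefix keys are not modelled, and the hostname, table contents and addresses are constructed). The example shows why a `.domaineok.com` entry is never consulted while smtpd_access_maps is in parent_domain_matches_subdomains (the default), why `domaineok.com` matches, and why an address prefix, as Viktor advises, still matches a relay whose reverse DNS is missing and whose client name is therefore reported as "unknown".

```python
# Added example: emulation of the key order check_client_access uses when it
# consults a hash: table (access(5), "HOST NAME/ADDRESS PATTERNS"). Not Postfix code.

def hostname_keys(hostname, parent_matches_subdomains=True):
    """Keys tried for the client hostname, most specific first.
    With smtpd_access_maps listed in parent_domain_matches_subdomains (the
    default), parent domains are looked up WITHOUT a leading dot, so a table
    entry written as '.domaineok.com' is never consulted. With it removed from
    that setting, parent domains are looked up WITH the leading dot."""
    keys = [hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def address_keys(ipv4):
    """Keys tried for an IPv4 client address: the full address, then the
    shorter dotted prefixes net.work.addr, net.work and net. IPv6 prefixes
    (which Postfix also handles) are not modelled in this example."""
    octets = ipv4.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def client_access_lookup(table, hostname, ipv4, parent_matches_subdomains=True):
    """First hit wins. Hostname keys are tried before address keys, as smtpd
    does. A client whose reverse DNS could not be verified is reported as
    'unknown'; this example then tries no hostname keys, so only an address
    or address-prefix entry can match such a client (Viktor's point)."""
    keys = []
    if hostname and hostname != "unknown":
        keys.extend(hostname_keys(hostname, parent_matches_subdomains))
    keys.extend(address_keys(ipv4))
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    # Constructed hostname and address for one relay in the pool.
    client, ip = "smtp3.domaineok.com", "198.51.100.7"
    print(client_access_lookup({".domaineok.com": "OK"}, client, ip))         # (None, None)
    print(client_access_lookup({"domaineok.com": "OK"}, client, ip))          # ('domaineok.com', 'OK')
    print(client_access_lookup({".domaineok.com": "OK"}, client, ip, False))  # ('.domaineok.com', 'OK')
    print(client_access_lookup({"198.51.100": "OK"}, "unknown", ip))          # ('198.51.100', 'OK')
```

The last call is the case Viktor warns about: a new pool member, or one whose PTR record is broken, arrives as "unknown" and no hostname entry can save it, whereas an address or CIDR entry covering the pool's network still matches.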


Re: Postfix - Timeout While Sending End of Data (slightly OT)

2010-02-17 Thread Charles Marcus
On 2010-02-16 7:30 PM, Sahil Tandon wrote:
>> I wasn't the one posting the link, but I checked it when DJ Lucas posted
>> it and checked it again just now, and it does have a visible answer (at
>> the bottom of the page).

> Yes, but for posterity and archives, Ansgar is correct and LuKreme is
> wrong.  I just verified using SeaMonkey here.

While we're talking posterity... I don't see it (the answer)... but I
didn't bother to change my user agent string either, so I guess that's
the key - but the simple fact is, normal people won't bother taking the
time to do that...


Re: Exceptions to reject_invalid_hostname ?

2010-02-17 Thread Frank Bonnet

On 02/17/10 11:32, Barney Desmond wrote:


OK, thanks a lot Barney