Re: DKIM checking but not signing with Postfix?

2010-05-10 Thread mouss
VR a écrit :
> My Debian(Lenny)/Postfix environment is inbound only (except
> bounces/rejects of course) that uses transports to hand messages off to
> Exchange servers for multiple domains.
> 
> I've been reading about DKIM in the Postfix archives most of tonight and
> have seen both praise and pause going back to about 2007 regarding
> implementing DKIM in general.
> 
> I realize DKIM, nor Postfix are "spam solutions" but I would like to
> know if DKIM might reduce the number of forgeries passed through my
> Postfix gateway?  More specifically, from hosts claiming to be larger
> organizations that do use DKIM signing for their outbound traffic?
> 

dkim won't help you much. you can't simply reject on dkim failure. Even
when the site policy says dkim is mandatory, you'll see broken signatures.

dkim can help as one component of a content filtering solution.


> Ideally I would not like to do content inspection (at this time) nor
> would I like to implement outbound signing. I have seen some write ups
> on DKIM but all discuss signing outbound.  Can DKIM be done just for
> inbound? 

yes.

> And which DKIM implementation works smoothly or is recommended
> with Postfix?

I use milter-dkim.
if you use amavisd-new, then it has DKIM support.



Re: DKIM checking but not signing with Postfix?

2010-05-10 Thread ram

On Sun, 2010-05-09 at 21:57 -0400, VR wrote:
> My Debian(Lenny)/Postfix environment is inbound only (except 
> bounces/rejects of course) that uses transports to hand messages off to 
> Exchange servers for multiple domains.
> 
> I've been reading about DKIM in the Postfix archives most of tonight and 
> have seen both praise and pause going back to about 2007 regarding 
> implementing DKIM in general.
> 
> I realize DKIM, nor Postfix are "spam solutions" but I would like to 
> know if DKIM might reduce the number of forgeries passed through my 
> Postfix gateway?  More specifically, from hosts claiming to be larger 
> organizations that do use DKIM signing for their outbound traffic?
> 
> Ideally I would not like to do content inspection (at this time) nor 
> would I like to implement outbound signing. I have seen some write ups 
> on DKIM but all discuss signing outbound.  Can DKIM be done just for 
> inbound?  And which DKIM implementation works smoothly or is recommended 
> with Postfix?
> 
DKIM checking  for inbound mails has almost nothing to do with postfix. 
The best way will be  to use spamassassin and use the DKIM_* rules. 
Default SA has them configured

If you use some other antispam , see how it supports DKIM checks 

Thanks
Ram







Re: Drop mail when X-Something header contains "value" AND destination domain == "somedomain.com"

2010-05-10 Thread Roman Medina-Heigl Hernandez
The (real) problem is the following: my Amavis/SpamAssassin setup analyzes
mail and adds X-Spam-* headers accordingly but it does NOT block/drop any
mail. Filtering is done at the MDA level via sieve, which analyzes headers
and decides what to do with certain mails based on those headers (the
advantage is that the user has the last choice, so he/she can decide
whether the spam threshold would be, etc).

Now, I need my MTA to perform additional functionality: to act as relay for
CERTAIN domains (keeping, of course, the *other* domains which my server
owns mailboxes for). I do NOT control the final delivery for these "relayed
domains" (I do NOT own final MTA with mailboxes), so I'd like to make some
blocking based on headers but ONLY for my relayed domains.

Postfix supports filtering based on headers but all mail (relayed and not
relayed) would be filtered in this case (which is not what I want), I don't
know how could I add the "conditional" behaviour: "if mail destination is
one of my relayed domains, check headers and drop spam mail; if not, don't
check headers". I think Postfix supports the concept of "classes", but I
never used them and I don't know if what I need could be done with that
feature.

Hope it is clear now, and sorry for the long email. You're making a great
work here in this list, mouss. Thank you in advance.

PS: I'm using Postfix 2.5.5.

Cheers,
-Roman

mouss escribió:
> Roman Medina-Heigl Hernandez a écrit :
>> Hello,
>>
>> (see subject) Is it easily doable with Postfix? (notice that I'd like to
>> combine some checks and that the block action should only be performed if
>> both conditions are met; I'd like to be able to put more similar complex
>> "rules" mixed with the common/simple/typical rules).
>>
> 
> you can't do that in a single "check" inside postfix. postfix header
> checks test headers one at a time, independently (so you can say if "header A
> matches foo AND header B matches bar").
> 
> to do what you want, you need one of:
> - milter or filter. where you can do anything you want
> - pass mail through multiple smtpd listeners. when you can "cascade"
> checks. not recommended except in a few cases...
> 
> now, what (real) problem are you trying to solve?
> (h don't tell us you want to block spam from "joe" to "joe". this has
> been discussed many times. "the" answer is to use standard checks such
> as spamhaus and only if you still get that junk should you ask for
> more...).
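
The "header AND destination domain" decision discussed in this message, sketched as the per-recipient logic an after-queue filter or milter would run (an added example, not code from the thread or from Postfix). The domain list, the rule table and the function names are hypothetical, and it assumes the X-Spam-* headers were written by your own scanner, with any sender-supplied copies removed upstream.

```python
import re
from email import message_from_string
from email.policy import default

# Hypothetical policy: domains this MTA only relays for, and the header rules
# that apply to them. Recipients in any other domain are never dropped here.
RELAY_DOMAINS = {"somedomain.com"}
RULES = [
    # (header name, pattern on the header value, recipient domains it applies to)
    ("X-Spam-Flag", re.compile(r"^\s*YES\b", re.IGNORECASE), RELAY_DOMAINS),
]


def rcpt_domain(address):
    """Lower-cased domain part of an envelope recipient address."""
    return address.strip("<> ").rsplit("@", 1)[-1].rstrip(".").lower()


def header_matches(msg, name, pattern):
    """True if any instance of header `name` matches `pattern`."""
    return any(pattern.search(str(value)) for value in msg.get_all(name, []))


def split_recipients(raw_message, recipients):
    """Return (deliver, drop).

    A recipient is dropped only when its domain is covered by a rule AND that
    rule's header pattern matches. A message addressed to both a relayed and a
    locally hosted recipient is therefore split, not dropped as a whole.
    """
    msg = message_from_string(raw_message, policy=default)
    deliver, drop = [], []
    for rcpt in recipients:
        domain = rcpt_domain(rcpt)
        hit = any(
            domain in domains and header_matches(msg, name, pattern)
            for name, pattern, domains in RULES
        )
        (drop if hit else deliver).append(rcpt)
    return deliver, drop


# Constructed sample messages (not taken from the thread).
TAGGED = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=12.1 required=5.0\n"
    "From: sender@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
CLEAN = (
    "X-Spam-Status: No, score=0.3 required=5.0\n"
    "From: sender@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    rcpts = ["user@somedomain.com", "roman@mailbox.example"]
    print("tagged:", split_recipients(TAGGED, rcpts))
    print("clean: ", split_recipients(CLEAN, rcpts))
```
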



Re: PostFix Mail Delivery to Different Hosts

2010-05-10 Thread Simon Croome

On 07/05/2010 14:32, Wietse Venema wrote:

Simon Croome:
   

# main.cf
transport_maps = hash:/etc/postfix/transports

# /etc/postfix/transports
firstname.lastn...@example.com   relay:lotus.notes.server:25
firstname1.lastna...@example.com relay:lotus.notes.server:25
firstname2.lastna...@example.com relay:lotus.notes.server:25
example.com                      relay:ocs.server:25

 

If you take the transport_maps solution, then you need to set up
a relay_recipient_maps table with the addresses of valid recipients,
   

I can save you a lot of work if your problem description was accurate.

1) Set up the relay_recipient_maps over LDAP as discussed by Patrick.
This ensures that Postfix will NOT accept mail for bogus addresses.

2) Instead of one transport map entry per user, use a regular expression:

 /etc/postfix/main.cf:
 transport_maps = regexp:/etc/postfix/transports.regexp

 /etc/postfix/transports.regexp
 /\...@example\.com$/    relay:lotus.notes.server:25
 /@example\.com$/        relay:ocs.server:25

The first pattern sends first.l...@example.com to lotus.notes.server,
and the second sends all other example.com mail to ocs.server.

Caution: regular expressions are unlike file name wildcards.  The
above example uses "\." to match a dot character, ".+" for wild-card,
and $ at the end.

 Wietse
   

Thanks for your help with the above problem.

Could I ask what would be the best way to prevent connections to 
postfix, similar to how tcp wrappers is used with sendmail.

I only want approx 4 ip addresses, which would be in different networks, to 
be able to connect to the postfix daemon?


Thanks again.


Re: Postfix architecture + Ldap + Courier IMAP

2010-05-10 Thread spambox


On Mon, 10 May 2010 01:00:29 -0430
Jose Ildefonso Camargo Tolosa  wrote:

> Hi!
> 
> Yes, I know, this is kinda off-topic, but looks interesting.

Thank you for your interest!

> > |-------------|
> > |   postfix1  |               very big storage
> > |   LDAP1     |-------------|
> > |   server1   |             |                   *
> > |-------------|             |   /home1          *
> >       |                     |                   *
> >       |                     |-------------------*
> > |-------------|             |                   *
> > |   postfix2  |             |                   *
> > |   LDAP2     |-------------|   /home2          *
> > |   server2   |             |                   *
> > |-------------|             |                   *
> >       |                     |-------------------*
> >       |                     |                   *
> > |-------------|             |   /home3          *
> > |   postfix3  |             |                   *
> > |   LDAP3     |-------------|
> > |   server3   |
> > |-------------|
> >

> Ok, so, load balancing here, with different homes for each server, so,
> each server have its own "set of users", right?

Yes, each LDAP has a list of its users. For each LDAP entry we have a record 
telling us who is the mail server for that user. So if the balancer sends user 
"test" to mail server1 and from the LDAP we see that the "test" user belongs to 
server1, then the "test" request is served; else, if user "test" has its mail 
server set to "mailserver3" for example, the request is redirected to 
mailserver3, which will handle the request.

 
> >
> > if one server goes down, the one next to him will Up his ip address and 
> > mount his partition on the storage until the server restarts correctly.
> 
> Now, this is more typical of HA clusters, what gets me confused is
> what I asked on the last question, so, when say, server 1 goes down,
> server 2 mount server1's home partition and start getting mails (and
> serving IMAP requests) as if it were server1, right? I'll reserve my
> other comments until I get more information on this.

Yes, if server1 goes down the cluster will mount server1's interface and home 
partition on server2. Server2 will temporarily act as server1 and server2 
until server1 is back online.




> > 1) I've never used Courier IMAP, but reading on the internet I've found 
> > that it uses gethostbyname() to resolve and this may cause an infinite loop 
> > for a host with 2 interfaces but one hostname if one server goes down.
> > So, I'm afraid that I will be able to install courier-imap on each server 
> > and this will cause a big problem to the scalability of the system.
> >
> > 2) Has anyone ever tried something like this and is able to redirect me 
> > to some good documentation?
>
> I don't use Courier (several reasons, off-topic here), I use Dovecot
> (I can even use SASL from Dovecot to authenticate Postfix's smtp,
> really handy along with reject_authenticated_sender_login_mismatch and
> smtpd_sender_login_maps on ldap).

Nice, I had a look at Dovecot and it looks pretty nice! I haven't tested it 
yet but it seems it can be a valid alternative. I'm trying to move from Qmail to 
Postfix because Qmail is a patch project (dead), while I think Postfix is a valid 
alternative that will make life a lot easier.




-- 
spambox 


Re: lpr notifications thru postfix

2010-05-10 Thread Reinaldo de Carvalho
On Sun, May 9, 2010 at 11:24 PM, Jamal Mubarak  wrote:
>>
>> 'owner process' isn't 'owner of lp* files', you need to look at the owner of
>> the cups process with the 'ps' command.
>
> jamal% ps -afx | grep cups
>    0 11783     1   0   0:00.90 ??         0:00.96 /usr/sbin/cupsd -l
>

Who is the process owner? Try 'ps -ef | grep cups'

> jamal% ls -l /usr/sbin/cupsd
> -r-x--  1 root  wheel  887456 Feb 11 01:47 /usr/sbin/cupsd
>
> Is this what you are asking for?  I have tried to change the group of 
> /usr/sbin/postdrop to "wheel" from "_postdrop" without any difference.  Same 
> error.
>

Cups process owner is in wheel? I think no.

> Jamal
>
>



-- 
Reinaldo de Carvalho
http://korreio.sf.net
http://python-cyrus.sf.net

"Don't try to adapt the software to the way you work, but rather
yourself to the way the software works" (myself)


lmtp_generic_maps for delivery to dovecot

2010-05-10 Thread ram
Can I use something like lmtp_generic_maps for delivery to dovecot


Thanks
Ram



Postfix, SASL sending mail through Postfix.

2010-05-10 Thread BABEDH-DHRA
I have been trying to get this to work for about a year and I have had no
success.  I have installed Debian Lenny AMD-64 bit with this setup.
http://www200.pair.com/mecham/spam/virtual2p1.html

I am trying to send mail through my own mail server so Postfix will handle
everything.

What do I need to do to get this to work correctly.



Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Charles Marcus
On 2010-05-10 10:08 AM, BABEDH-DHRA wrote:
> I have been trying to get this to work for about a year and I have had
> no success.  I have installed Debian Lenny AMD-64 bit with this setup. 
> http://www200.pair.com/mecham/spam/virtual2p1.html
> 
> I am trying to send mail through my own mail server so Postfix will
> handle everything.
> 
> What do I need to do to get this to work correctly.

You're asking the wrong question in the wrong way without providing
necessary details:

Per the welcome message you received when you joined the list:

TO REPORT A PROBLEM see:
http://www.postfix.org/DEBUG_README.html#mail

At a minimum, postfix version, output of postconf -n and unedited
NON-verbose logs exhibiting the problem should be provided...

-- 

Best regards,

Charles


Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Ansgar Wiechers
On 2010-05-10 Charles Marcus wrote:
> On 2010-05-10 10:08 AM, BABEDH-DHRA wrote:
>> I have been trying to get this to work for about a year and I have had
>> no success.  I have installed Debian Lenny AMD-64 bit with this setup. 
>> http://www200.pair.com/mecham/spam/virtual2p1.html
>> 
>> I am trying to send mail through my own mail server so Postfix will
>> handle everything.
>> 
>> What do I need to do to get this to work correctly.
> 
> You're asking the wrong question in the wrong way without providing
> necessary details:
> 
> Per the welcome message you received when you joined the list:
> 
> TO REPORT A PROBLEM see:
> http://www.postfix.org/DEBUG_README.html#mail
> 
> At a minimum, postfix version, output of postconf -n and unedited
> NON-verbose logs exhibiting the problem should be provided...

Since the OP wants to send SASL-authenticated e-mail, I'd suggest to
start with Postfix' SASL Howto [1]. Debugging comes as a second step
when he encounters problems while following the documentation.

[1] http://www.postfix.org/SASL_README.html

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


RE: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread BABEDH-DHRA
I certainly appreciate the input but as I have said I have tried to get this
working over the last 365 days +

I do not quite understand how it is not working.

 

I have seen posts that say 

Postfix to Dovecot SASL communication

SMTP Authentication with Postfix using files or MySQL

Postfix Howtos and FAQs

 

I am not an expert I do however have two books on Postfix and of course the
ever popular GOOGLE

 

 

From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of BABEDH-DHRA
Sent: Monday, May 10, 2010 10:08 AM
To: postfix-users@postfix.org
Subject: Postfix, SASL sending mail through Postfix.

 

I have been trying to get this to work for about a year and I have had no
success.  I have installed Debian Lenny AMD-64 bit with this setup.
http://www200.pair.com/mecham/spam/virtual2p1.html

I am trying to send mail through my own mail server so Postfix will handle
everything.

What do I need to do to get this to work correctly.



Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Mark Goodge

On 10/05/2010 16:02, BABEDH-DHRA wrote:

> I certainly appreciate the input but as I have said I have tried to get
> this working over the last 365 days +
>
> I do not quite understand how it is not working.


In that case, what you really need to do is explain what you've done so 
far, and where you are getting stuck. In particular, have you 
successfully installed Postfix and got it working with unauthenticated 
SMTP (ie, without SASL)? If not, is that because you haven't tried to 
get it working without SASL, or because you have tried but can't get it 
working at all?


If you haven't tried getting it to work without SASL, then do that 
first. SASL is difficult to debug, so it's essential that you first 
ensure that the problem isn't anything to do with SASL!


Mark


Re: lmtp_generic_maps for delivery to dovecot

2010-05-10 Thread Noel Jones

On 5/10/2010 8:33 AM, ram wrote:

> Can I use something like lmtp_generic_maps for delivery to dovecot



Your question is incomplete.
What are you trying to accomplish?  How does postfix deliver 
to dovecot?


Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread BABEDH-DHRA
Ok I can start over can you please tell me if this is going to be the right
place to start.

 

apt-get install libsasl2-modules

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
relayhost = [smtp.comcast.net]:2525

In /etc/postfix/sasl_passwd:
[outbound.mailhop.org]:2525 username:password



Re: DKIM checking but not signing with Postfix?

2010-05-10 Thread John Levine
>dkim can help as one component of a content filtering solution.

Current versions of Spamassassin can do DKIM checking.  Don't turn on
ADSP "reject because I say so" checks (I say this as one of the
authors of the ADSP RFC), but you can adjust your config to list a few
heavily phished DKIM signers like paypal.com and ebay.com on which you
can reject unsigned mail with little collateral damage.

If you're already using spamassassin, you just add stuff to local.cf
as suggested by comments in the DKIM plugin, and then restart spamd.

R's,
John
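
The policy described in this message, written out as a stand-alone decision function (an added example, not code from the thread and not SpamAssassin's own logic): mail is rejected for lacking a valid signature only when the author domain is on a short strict list, and a failed or missing signature for any other domain is never a reject reason on its own. It assumes your DKIM verifier records results in an Authentication-Results header; the authserv-id `mx.example.org` and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

STRICT_SIGNERS = {"paypal.com", "ebay.com"}   # the two domains named in the post
TRUSTED_AUTHSERV_ID = "mx.example.org"        # hypothetical id of your own verifier


def under(domain, parent):
    """True if `domain` is `parent` or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)


def strict_signer_for(domain):
    """The strict-list entry covering `domain`, or None."""
    return next((s for s in STRICT_SIGNERS if under(domain, s)), None)


def passing_dkim_domains(msg):
    """Signing domains (header.d / header.i) of dkim=pass results.

    Only Authentication-Results headers carrying our own authserv-id count;
    a header with any other id may have been supplied by the sender.
    """
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        for clause in results.split(";"):
            method = re.match(r"\s*dkim\s*=\s*(\w+)", clause, re.IGNORECASE)
            ident = re.search(r"\bheader\.[di]\s*=\s*(\S+)", clause, re.IGNORECASE)
            if method and ident and method.group(1).lower() == "pass":
                domains.add(ident.group(1).rsplit("@", 1)[-1].rstrip(".").lower())
    return domains


def dkim_verdict(raw_message):
    """'reject' only for strict-list author domains without a passing signature."""
    msg = message_from_string(raw_message, policy=default)
    author = parseaddr(str(msg.get("From", "")))[1]
    signer = strict_signer_for(author.rsplit("@", 1)[-1].lower())
    if signer is None:
        return "accept"   # broken or absent signatures elsewhere are not a reject reason
    if any(under(d, signer) for d in passing_dkim_domains(msg)):
        return "accept"
    return "reject"


# Constructed sample messages (not taken from the thread).
SIGNED = (
    "Authentication-Results: mx.example.org;\n"
    " dkim=pass header.i=@paypal.com\n"
    "From: PayPal <service@paypal.com>\n\nbody\n"
)
UNSIGNED = "From: PayPal <service@paypal.com>\n\nbody\n"
BROKEN_ELSEWHERE = (
    "Authentication-Results: mx.example.org; dkim=fail header.d=lists.example.net\n"
    "From: someone@lists.example.net\n\nbody\n"
)
FOREIGN_RESULT = (
    "Authentication-Results: other.example; dkim=pass header.d=ebay.com\n"
    "From: eBay <member@ebay.com>\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("SIGNED", "UNSIGNED", "BROKEN_ELSEWHERE", "FOREIGN_RESULT"):
        print(name, dkim_verdict(globals()[name]))
```
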


Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Dave O'Larte
I'm trying to enable TLS client fingerprint checking on Postfix - that is, I
want Postfix, acting as a server, to check the fingerprint of clients trying
to connect against a table of cert fingerprints.

From the Postfix logfile, TLS is working, client certs are being requested,
but I can't get Postfix to do the fingerprint check.

In a nutshell, Postfix doesn't seem to pay any attention at all to the
following line in main.cf:


smtpd_client_restrictions=permit_tls_clientcerts,warn_if_reject,reject

I can put gibberish in the right side of the above main.cf parameter and
Postfix doesn't seem to pay any attention.

"postconf -n" shows that the parameter was correctly read from main.cf.
master.cf does not override this value.

This is on an Ubuntu 9.10 system, running Postfix v 2.6.5
The frustrating thing is, I can get this to work on other Ubuntu systems
running the same version of Postfix, so obviously I'm doing something wrong.

Anyone know of a reason Postfix would ignore "smtpd_client_restrictions"?

As this is the first time I've ever tried to post a Postfix question, please
don't hesitate to let me know if there's a better way to post such a newb
question ...


Dave


Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Noel Jones

On 5/10/2010 10:30 AM, Dave O'Larte wrote:

> I'm trying to enable TLS client fingerprint checking on Postfix - that
> is, I want Postfix, acting as a server, to check the fingerprint of
> clients trying to connect against a table of cert fingerprints.
>
> From the Postfix logfile, TLS is working, client certs are being
> requested, but I can't get Postfix to do the fingerprint check.
>
> In a nutshell, Postfix doesn't seem to pay any attention at all to the
> following line in main.cf:
>
> smtpd_client_restrictions=permit_tls_clientcerts,warn_if_reject,reject
>
> I can put gibberish in the right side of the above main.cf
> parameter and Postfix doesn't seem to pay any attention.
>
> "postconf -n" shows that the parameter was correctly read from main.cf.
> master.cf does not override this value.
>
> This is on an Ubuntu 9.10 system, running Postfix v 2.6.5
> The frustrating thing is, I can get this to work on other Ubuntu systems
> running the same version of Postfix, so obviously I'm doing something wrong.
>
> Anyone know of a reason Postfix would ignore "smtpd_client_restrictions"?
>
> As this is the first time I've ever tried to post a Postfix question,
> please don't hesitate to let me know if there's a better way to post
> such a newb question ...
>
> Dave



http://www.postfix.org/DEBUG_README.html#mail

Show us your "postconf -n" and non-comment entries in master.cf.

Are you sure you're editing the right main.cf?  Maybe you have 
multiple postfix installations.  Run "find / -name main.cf 
-ls" to make sure.  Also, postfix/master logs the 
configuration directory when postfix starts or reloads.


  -- Noel Jones


Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Ansgar Wiechers
On 2010-05-10 BABEDH-DHRA wrote:
> Ok I can start over can you please tell me if this is going to be the
> right place to start.

As already mentioned, the right place to start is here:

  http://www.postfix.org/SASL_README.html

If you encounter any problems while following this Howto, follow the
procedure described here:

  http://www.postfix.org/DEBUG_README.html#mail

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


two domains on one server

2010-05-10 Thread Jeffs
I have a setup with one qualified domain name, i.e., example.com on one 
ubuntu server running postfix 2.5.5


I now need to have this setup send and receive mail for another_domain.com

I have successfully set up the sending and receiving, however all mail 
from this secondary domain is seen as spam, whereas all mail from the 
primary domain is never seen as spam.  I'm wondering what I might be 
doing wrong, or if indeed this even is a postfix issue?  I would 
appreciate it if someone could eyeball my main.cf file below and see if 
there are any security issues with the setup and if anything might be 
accountable for this spam issue.


Thanks in advance.

Any help much appreciated.  main.cf follows:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname =example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = example.com, other_domain.com, localhost
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
mailbox_command =
#always_bcc = u...@example.com
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

inet_protocols = all
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892




Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Dave O'Larte
Regarding using the right main.cf:
I've only installed a single Postfix instance, and changes I make to
main.cf do affect Postfix. (E.g. turning up logging, etc.) The Postfix
log says I'm using the config in /etc/postfix.

The output from postfinger:

# ./postfinger
postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.6.5
hostname = AA-DD-DDD-DDD-DDD
uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13
19:06:04 UTC 2009 i686 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.6.5-3

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 0
mailbox_size_limit = 0
maximal_backoff_time = 10s
maximal_queue_lifetime = 0
mydestination = aa-dd-ddd-ddd-ddd.aaa., localhost
myhostname = aa-dd-ddd-ddd-ddd.aaa.
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_client_certs
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
virtual_gid_maps = static:1004
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = a.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:1004

--master.cf--
smtp      inet  n   -   -   -   -   smtpd
smtps     inet  n   -   -   -   -   smtpd
 -o smtpd_sasl_path=smtpd
 -o smtp_tls_security_level=fingerprint
 -o smtpd_tls_security_level=encrypt
 -o smtpd_tls_auth_only=yes
 -o smtp_tls_note_starttls_offer=yes
 -o smtpd_tls_req_ccert=no
 -o smtpd_tls_received_header=yes
 -o smtpd_sasl_local_domain=
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_sasl_security_options=noanonymous
 -o broken_sasl_auth_clients=yes
 -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 -o smtpd_client_restrictions=
pickup    fifo  n   -   -   60  1   pickup
cleanup   unix  n   -   -   -   0   cleanup
qmgr      fifo  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   -   1000?   1   tlsmgr
rewrite   unix  -   -   -   -   -   trivial-rewrite
bounce    unix  -   -   -   -   0   bounce
defer     unix  -   -   -   -   0   bounce
trace     unix  -   -   -   -   0   bounce
verify    unix  -   -   -   -   1   verify
flush     unix  n   -   -   1000?   0   flush
proxymap  unix  -   -   n   -   -   proxymap
proxywrite unix -   -   n   -   1   proxymap
smtp      unix  -   -   -   -   -   smtp
relay     unix  -   -   -   -   -   smtp
 -o smtp_fallback_relay=
showq     unix  n   -   -   -   -   showq
error     unix  -   -   -   -   -   error
retry     unix  -   -   -   -   -   error
discard   unix  -   -   -   -   -   discard
local     unix  -   n   n   -   -   local
virtual   unix  -   n   n   -   -   virtual
lmtp      unix  -   -   -   -   -   lmtp
anvil     unix  -   -   -   -   1   anvil
scache    unix  -   -   -   -   1   scache
maildrop  unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -   n   n   -   -   pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -   n   n   -   -   pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -   n   n   -   -   pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail 

Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread BABEDH-DHRA
Ansgar Wiechers

Thanks. 

I have gone through this and also looking at the dovecot.conf file.  I am
seeing references to mysql.  I am now concerned that by making changes to
the conf file I will mess up my mysql configuration.

 

Main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.biggdog.biz
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = biggdog.biz
mydestination = 
relayhost = 
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_tls_CAfile = /etc/ssl/certs/cacert.biggdog.biz.pem
smtpd_tls_received_header = yes
mydomain = biggdog.biz
virtual_minimum_uid = 6060
virtual_gid_maps = static:6060
virtual_uid_maps = static:6060
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf,
    hash:/etc/postfix/virtual
virtual_mailbox_domains =
    proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps =
    proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_mailbox_base = /var/vmail/
dovecot_destination_concurrency_limit = 2
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unlisted_recipient, check_recipient_access
    hash:/etc/postfix/reject_over_quota, check_sender_access
    hash:/etc/postfix/rbl_sender_exceptions, check_client_access
    hash:/etc/postfix/rbl_client_exceptions, check_recipient_access
    hash:/etc/postfix/rbl_recipient_exceptions, reject_rbl_client
    sbl-xbl.spamhaus.org
smtpd_hard_error_limit = 10
smtpd_soft_error_limit = 8
smtpd_helo_required = yes
smtpd_sender_restrictions = check_sender_access
    hash:/etc/postfix/sender_access, reject_non_fqdn_sender,
    reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
local_transport = error:no local mail delivery
proxy_interfaces = 68.55.47.24
message_size_limit = 5120
transport_maps = hash:/etc/postfix/transport
vacation_destination_recipient_limit = 1



Wildcard use in Aliases… or something that approximates this behavior…

2010-05-10 Thread Andrew Grant
Hello,

I would like to create an "everyone" alias in Postfix that sends email
to all of my aliases / users without having to update the aliases file
every time I add a user.

Is this possible using just Postfix?

I am using OS X Server 10.6 3. Under Server Admin (GUI), Mail Service,
Mailing Lists tab, there is an option to
"Enable server group mailing lists" with an explanation of:
"Allow groups in the directory to have mailing lists. The recipients
for each list will be updated periodically"

Can this functionality be duplicated without using the GUI?

Any insight would be greatly appreciated.


Re: two domains on one server

2010-05-10 Thread Noel Jones

On 5/10/2010 12:50 PM, Jeffs wrote:

> I have a setup with one qualified domain name, i.e., example.com on one
> ubuntu server running postfix 2.5.5
>
> I now need to have this setup send and receive mail for another_domain.com
>
> I have successfully set up the sending and receiving, however all mail
> from this secondary domain is seen as spam, whereas all mail from the
> primary domain is never seen as spam. I'm wondering what I might be
> doing wrong, or if indeed this even is a postfix issue? I would
> appreciate it if someone could eyeball my main.cf file below and see if
> there are any security issues with the setup and if anything might be
> accountable for this spam issue.



Not a postfix issue.  You'll need to check with the receiving 
party to find out why they mark your mail as spam.



  -- Noel Jones


Re: two domains on one server

2010-05-10 Thread Ansgar Wiechers
On 2010-05-10 Jeffs wrote:
> I have a setup with one qualified domain name, i.e., example.com on
> one  ubuntu server running postfix 2.5.5
>
> I now need to have this setup send and receive mail for
> another_domain.com
>
> I have successfully set up the sending and receiving, however all mail
> from this secondary domain is seen as spam, whereas all mail from the
> primary domain is never seen as spam.

By whom?

> I'm wondering what I might be  doing wrong, or if indeed this even is
> a postfix issue?

If someone else's mail system classifies mail from u...@other_domain.com
as spam, then this has nothing to do with your Postfix. It may be
related to your DNS setup, though.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Ansgar Wiechers
On 2010-05-10 BABEDH-DHRA wrote:
> I have gone through this and also looking at the dovecot.conf file.  I
> am seeing references to mysql.  I am now concerned that by making
> changes to the conf file I will mess up my mysql configuration.

Which part of  did you
fail to understand?

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky


Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Charles Marcus
On 2010-05-10 2:08 PM, BABEDH-DHRA wrote:
> *Main.cf*
> 
> # See /usr/share/postfix/main.cf.dist for a commented, more complete
> version

I've told you twice now in private...

Please do NOT post copy/pastes from main.cf, post *only* the output of
postconf -n...

You aren't going to get much help here if you cannot follow the simplest
of instructions...

-- 

Best regards,

Charles


Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Larry Stone

Please don't top post in this group.

On Mon, 10 May 2010, Dave O'Larte wrote:


> --main.cf non-default parameters--
> smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject

is overridden by:

> --master.cf--
> smtps     inet  n       -       -       -       -       smtpd
> -o smtpd_client_restrictions=

for smtps. Is the problem connection to the smtps port?

-- Larry Stone
   lston...@stonejongleux.com


Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Dave O'Larte
On Mon, May 10, 2010 at 2:28 PM, Larry Stone  wrote:
>
> Please don't top post in this group.

Interleaving it is then.

>
> On Mon, 10 May 2010, Dave O'Larte wrote:
>
>> --main.cf non-default parameters--
>> smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
>
> is overridden by:
>
>> --master.cf--
>> smtps     inet  n       -       -       -       -       smtpd
>> -o smtpd_client_restrictions=
>
> for smtps. Is the problem connection to the smtps port?

No - the problem is the connection to port 25 - the smtp port. The
smtps port is used for SASL connections, for which a client
certificate is not used.

>
> -- Larry Stone
>   lston...@stonejongleux.com


Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Noel Jones

On 5/10/2010 12:52 PM, Dave O'Larte wrote:

Regarding using the right main.cf :
I've only installed a single Postfix instance, and changes I make to
main.cf  do affect Postfix. (E.g. turning up logging,
etc.) The Postfix log says I'm using the config in /etc/postfix.

The output from postfinger:

# ./postfinger
postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
version: 1.30

Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public.  If this is the case it is your responsibility to modify
the output to hide this private information.  [Remove this warning with
the --nowarn option.]

--System Parameters--
mail_version = 2.6.5
hostname = AA-DD-DDD-DDD-DDD
uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13
19:06:04 UTC 2009 i686 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.6.5-3

--main.cf  non-default parameters--
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 0
mailbox_size_limit = 0
maximal_backoff_time = 10s
maximal_queue_lifetime = 0
mydestination = aa-dd-ddd-ddd-ddd.aaa., localhost
myhostname = aa-dd-ddd-ddd-ddd.aaa.
mynetworks = 127.0.0.0/8  [:::127.0.0.0]/104
[::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_clientcerts = hash:/etc/postfix/relay_client_certs
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_fingerprint_digest = sha1
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_security_level = encrypt
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_fingerprint_digest = sha1
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
virtual_gid_maps = static:1004
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = a.com

virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:1004

--master.cf--
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_path=smtpd
  -o smtp_tls_security_level=fingerprint
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtp_tls_note_starttls_offer=yes
  -o smtpd_tls_req_ccert=no
  -o smtpd_tls_received_header=yes
  -o smtpd_sasl_local_domain=
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o broken_sasl_auth_clients=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_restrictions=
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
  -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
   flags=

Re: Postfix, SASL sending mail through Postfix.

2010-05-10 Thread Patrick Ben Koetter
BABEDH-DHRA,

* BABEDH-DHRA :
> Ok I can start over can you please tell me if this is going to be the right
> place to start.

please describe in detail which goal you want to achieve. As far as I
understand it at the moment you want your Postfix to offer SMTP AUTH and you
want to use a MySQL database to store user and password data. Is this correct?
If not, what is it then you want to have? Please be as specific as possible.

p...@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



Re: Postfix architecture + Ldap + Courier IMAP

2010-05-10 Thread Jose Ildefonso Camargo Tolosa
Hi!

On Mon, May 10, 2010 at 6:47 AM, spambox  wrote:
>
>
> On Mon, 10 May 2010 01:00:29 -0430
> Jose Ildefonso Camargo Tolosa  wrote:
>
>> Hi!
>>
>> Yes, I know, this is kinda off-topic, but looks interesting.
>
> Thank you for your interest!
>
>> > |-------------|
>> > |   postfix1  |               very big storage
>> > |   LDAP1     |-------------|
>> > |   server1   |             |                   *
>> > |-------------|             |   /home1          *
>> >       |                     |                   *
>> >       |                     |-------------------*
>> > |-------------|             |                   *
>> > |   postfix2  |             |                   *
>> > |   LDAP2     |-------------|   /home2          *
>> > |   server2   |             |                   *
>> > |-------------|             |                   *
>> >       |                     |-------------------*
>> >       |                     |                   *
>> > |-------------|             |   /home3          *
>> > |   postfix3  |             |                   *
>> > |   LDAP3     |-------------|
>> > |   server3   |
>> > |-------------|
>> >
>> >
>> >
>> >
>
>> Ok, so, load balancing here, with different homes for each server, so,
>> each server have its own "set of users", right?
>
> Yes, each LDAP have list of his users. For each LDAP entry we have a record 
> telling us, who is the Mail server for that user. So if the balancer send 
> user "test" to mail server1 and from the LDAP we see that "test" user belong 
> to server1 then "test" request is served, ELSE if user "test" has mail server 
> set on "mailserver3" for example, the request is redirect to mailserver3 that 
> will handle his request.

Cool, I have implemented a similar approach, but on postfix level, ie,
each smtp server can receive mail for any user, and then look for the
smtp server on a ldap attribute (I use maildrop attr for that).  I use
this to have a "distributed email system", so that each user have its
mail "locally" on the locality he/she works.  If one server is
unavailable, the system will keep the mail queued until the
corresponding server is back, so: no HA here.

>
>
>> >
>> > if one server goes down, the one next to him will Up his ip address and 
>> > mount his partition on the storage until the server restarts correctly.
>>
>> Now, this is more typical of HA clusters, what gets me confused is
>> what I asked on the last question, so, when say, server 1 goes down,
>> server 2 mount server1's home partition and start getting mails (and
>> serving IMAP requests) as if it were server1, right? I'll reserve my
>> other comments until I get more information on this.
>
> Yes, if server1 goes down the cluster will mount up server1 interface and 
> home partition on server2. Server2 will temporarily act as server1 and 
> server2 until server1 is back on line.

Ok.

>
>
>
>
>> > 1) I've never used Courier IMAP, but reading on the internet i've found 
>> > that it use gethostbyname() to resolve and this may cause an infinite loop 
>> > for a host with 2 interface but one hostname if one server goes down.
>> > So, i'm afraid that i will be able to install courier-imap on each server 
>> > and this will cause a big problem to the scalability of the system.
>> >
>> > 2) Has anyone ever tried something like this and is able to redirect me 
>> > to some good documentation?
>>
>> I don't use Courier (several reasons, off-topic here), I use Dovecot
>> (I can even use SASL from Dovecot to authenticate Postfix's smtp,
>> really handy along with reject_authenticated_sender_login_mismatch and
>> smtpd_sender_login_maps on ldap).
>
> Nice, i gave a look to this Dovecot and it looks pretty nice! I haven't tested 
> it yet but it seems it can be a valid alternative. Im trying to move from 
> Qmail to postfix because Qmail is patch-project(dead), while i think Postfix 
> is a valid alternative that will make life a lot easier.

postfix is extremely flexible.  Believe me: you can replace qmail with
*no* changes to your ldap entries.

Your project looks interesting,

Ildefonso Camargo


Re: DKIM checking but not signing with Postfix?

2010-05-10 Thread mouss
John Levine a écrit :
>> dkim can help as one component of a content filtering solution.
> 
> Current versions of Spamassassin can do DKIM checking.  Don't turn on
> ADSP "reject because I say so" checks (I say this as one of the
> authors of the ADSP RFC), but you can adjust your config to list a few
> heavily phished DKIM signers like paypal.com and ebay.com on which you
> can reject unsigned mail with little collateral damage.
> 
> If you're already using spamassassin, you just add stuff to local.cf
> as suggested by comments in the DKIM plugin, and then restart spamd.
> 

yes. and a few rules were proposed by Mark Martinek (amavisd-new). see
amavisd-new docs. however, I had to disable some of these rules because
I kept seeing borked dkim sigs from yahoo.

anyway, from what I have here, I don't see dkim as bringing much to the
battle... I could disable dkim and it wouldn't change the results.


Re: Drop mail when X-Something header contains "value" AND destination domain == "somedomain.com"

2010-05-10 Thread mouss
Roman Medina-Heigl Hernandez a écrit :
> The (real) problem is the following: my Amavis/Spamasssin setup analyzes
> mail and adds X-Spam-* headers accordingly but it does NOT block/drop any
> mail. Filtering is done at the MDA level via sieve, which analyzes headers
> and decides what to do with certain mails based on those headers (the
> advantage is that the user has the last choice, so he/she can decide
> whether the spam threshold would be, etc).
> 

that's how I do it. all mail is delivered except:
- if rejected at postfix level
- if blocked because of a virus check (even this I used to deliver to a
specific folder. but I stopped it...).

dest folder depends on rules implemented in dovecot sieve. default for
spam is the "Junk" folder.

> Now, I need my MTA to perform additional functionality: to act as relay for
> CERTAIN domains (keeping, of course, the *other* domains which my server
> owns mailboxes for). I do NOT control the final delivery for these "relayed
> domains" (I do NOT own final MTA with mailboxes), so I'd like to make some
> blocking based on headers but ONLY for my relayed domains.
> 
> Postfix supports filtering based on headers but all mail (relayed and not
> relayed) would be filtered in this case (which is not what I want), I don't
> know how could I add the "conditional" behaviour: "if mail destination is
> one of my relayed domains, check headers and drop spam mail; if not, don't
> check headers". I think Postfix supports the concept of "classes", but I
> never used them and I don't know if what I need could be done with that
> feature.
> 

you need to pass relayed mail via a specific smtp which has its own
cleanup, in which case you can associate specific header_checks.

The difficulty in your case is that transport_maps are common to all
smtpd listeners. so you can't do it with just "ok, move'em first to this
smtp, then relay after that".

you could use FILTER as an access check result, but you'll have a
problem for multi-recipient mail (only one filter is used however is the
number of recipients).

now, things may be easier if you tell us more about your setup. which
content filter do you use? do you use amavisd-new? (with amavisd-new,
you have more flexibility). also, what exactly do you want to do with
header_checks. maybe it's ok to apply them to all inbound mail?

> Hope it is clear now, and sorry for the long email. You're making a great
> work here in this list, mouss. Thank you in advance.

thanks for the compliment. but most of all, thanks to the great guys
here with whom I learned...


Re: Wildcard use in Aliases... or something that approximates this behavior...

2010-05-10 Thread mouss
Andrew Grant a écrit :
> Hello,
> 
> I would like to create an "everyone" alias in Postfix that sends email
> to all of my aliases / users without having to update the aliases file
> every time I add a user.

No. Under unix, "add a user" is so generic. I wouldn't like to send mail
to "bind", "sys", ... etc.

you can however create a wrapper that adds the user to whichever alias
file you want.

> 
> Is this possible using just Postfix?
> 
> I am using OS X Server 10.6 3. Under Server Admin (GUI), Mail Service,
> Mailing Lists tab, there is an option to
> "Enable server group mailing lists" with an explanation of:
> "Allow groups in the directory to have mailing lists. The recipients
> for each list will be updated periodically"
> 
> Can this functionality be duplicated without using the GUI?
> 
> Any insight would be greatly appreciated.



Re: lpr notifications thru postfix

2010-05-10 Thread mouss
Reinaldo de Carvalho a écrit :
> On Sun, May 9, 2010 at 11:24 PM, Jamal Mubarak  wrote:
>>> 'owner process' isn't 'owner of lp* files', you need look owner of
>>> cups process with 'ps' command.
>> jamal% ps -afx | grep cups
>>0 11783 1   0   0:00.90 ?? 0:00.96 /usr/sbin/cupsd -l
>>
> 
> Who is the process owner? try 'ps -ef | grep cups'

That's SYSV syntax. OP is running a BSD system:
ps -aux | grep cups


> 
>> jamal% ls -l /usr/sbin/cupsd
>> -r-x--  1 root  wheel  887456 Feb 11 01:47 /usr/sbin/cupsd
>>
>> Is this what you are asking for?  I have tried to change the group of 
>> /usr/sbin/postdrop to "wheel" from "_postdrop" without any difference.  Same 
>> error.
>>
> 
> Cups process owner is in wheel? I think no.
> 

OP has "another" problem. see Wietse posts.



Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread /dev/rob0
On Mon, May 10, 2010 at 12:52:55PM -0500, Dave O'Larte wrote:
> relay_clientcerts = hash:/etc/postfix/relay_client_certs

> smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, 
> reject

Please see:
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/postconf.5.html#smtpd_client_restrictions

I am guessing that you think a "permit" in smtpd_client_restrictions 
should mean the mail is accepted, no matter what. This is not so. 
Every other restriction stage must resolve to permit or DUNNO. Of 
particular importance is smtpd_recipient_restrictions, which controls 
relaying.

> -- end of postfinger output --

> Postfix logfile contents from a client connect:

> May 10 17:33:14 a postfix/smtpd[5521]: 
> localhost[127.0.0.1]: certificate verification depth=1 verify=1 
> subject=/C=US/ST=aa/O=aa/OU=aa/CN=aa/emailAddress= 
> a...@aa.com
> May 10 17:33:14 a postfix/smtpd[5521]: 
> localhost[127.0.0.1]: certificate verification depth=0 verify=1 
> subject=/C=US/ST=aa/O=aa/OU=aa/CN= 
> aaa-nnn-nn-nnn-nnn.aa-n.a.com/emailaddress=a...@aa.com

That looks verified.

> May 10 17:33:14 a postfix/smtpd[5521]: Trusted TLS
> connection established from localhost[127.0.0.1]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> May 10 17:33:29 a postfix/smtpd[5521]: disconnect 
> from localhost[127.0.0.1]

"Trusted connection" means it is verified. There is no reject_warning 
among what you posted.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: lpr notifications thru postfix

2010-05-10 Thread Jamal Mubarak
On May 10, 2010, at 8:25 AM, Reinaldo de Carvalho wrote:

> On Sun, May 9, 2010 at 11:24 PM, Jamal Mubarak  wrote:
>>> 
>>> 'owner process' isn't 'owner of lp* files', you need look owner of
>>> cups process with 'ps' command.
>> 
>> jamal% ps -afx | grep cups
>>0 11783 1   0   0:00.90 ?? 0:00.96 /usr/sbin/cupsd -l
> 
> Who is the process owner? try 'ps -ef | grep cups'

ps -aux does not work in Mac OS (Darwin) any more.

jamal% ps -ajx | grep cups
root 11783 1 11783 8fade780 Ss ??0:01.71 /usr/sbin/cupsd -l

So it appears that cups is running as root.

>> jamal% ls -l /usr/sbin/cupsd
>> -r-x--  1 root  wheel  887456 Feb 11 01:47 /usr/sbin/cupsd
>> 
>> Is this what you are asking for?  I have tried to change the group of 
>> /usr/sbin/postdrop to "wheel" from "_postdrop" without any difference.  Same 
>> error.
> 
> Cups process owner is in wheel? I think no.

Apparently so, but I defer to your wisdom.

On May 10, 2010, at 5:57 PM, mouss wrote:

> OP has "another" problem. see Wietse posts.

Well, Mac OS has BSM (Basic Security Module) audit.

http://www.trustedbsd.org/openbsm.html
http://developer.apple.com/mac/library/DOCUMENTATION/Darwin/Reference/ManPages/man2/auditon.2.html

Should  I mess with auditon?

Jamal



Postfix, Amavisd and DKIM

2010-05-10 Thread The Doctor
Just reading from amavisd docs on how to set up
DKIM and I was wondering if this section of their documentation
is correct:

Configuring multiple mail paths in Postfix

Here is one way of configuring Postfix for providing two paths through a 
content filter. Locally submitted or authenticated mail will go to a content 
filter to its port 10026 and will be signed on its way out (either by amavisd 
or by a signing milter). All other mail (incoming) will be diverted to port 
10024 for normal content filtering, and will not be eligible for signing.

main.cf:

  # on re-queueing of a message smtpd_*_restrictions do not apply,
  # so we'd better provide a safe default for a content_filter,
  # even at an expense of later flipping the choice twice
  # (which adds a bit to log clutter, but never mind)
  #
  content_filter = amavisfeed:[127.0.0.1]:10024

  # each triggered FILTER deposits its argument into a
  # content_filter setting, the last deposited value applies
  #
  smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

  # Make sure to assign FILTER tags in restrictions which
  # are only invoked once per message, e.g. client or sender
  # restrictions, but NOT on smtpd_recipient_restrictions,
  # as a message may have multiple recipients, so multiple
  # passes through FILTER tag assignments can yield a
  # surprising (and incorrect) result.

/etc/postfix/tag_as_originating.re:

  /^/  FILTER amavisfeed:[127.0.0.1]:10026

/etc/postfix/tag_as_foreign.re:

  /^/  FILTER amavisfeed:[127.0.0.1]:10024

In master.cf set up two listening smtpd services for receiving filtered mail 
from amavisd (as per README.postfix), one on tcp port 10025 (for inbound mail) 
and the other on port 10027 (for originating mail). If a signing milter is in 
use it will be attached to a smtpd service on 10027 only. If no milters are in 
use and signing is done by amavisd, both smtpd services can have exactly the 
same settings, and in fact only one suffices, in which case redirecting 
$forward_method and $notify_method to 'smtp:[127.0.0.1]:10027' in later example 
can be disregarded.

-- 
Member - Liberal International  This is doc...@nl2k.ab.ca Ici doc...@nl2k.ab.ca
God, Queen and country! Never Satan President Republic! Beware AntiChrist 
rising! 
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
Coming close to 15 years in business
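
The filter selection described in the documentation quoted in the post above, together with mouss's earlier caution about FILTER and multi-recipient mail, as a simplified Python model. This is an added example, not Postfix or amavisd-new code; the Session fields, the relayed.example and local.example domains and port 10030 are constructed for illustration, and only the behaviour stated in the quoted text is modelled.

```python
from dataclasses import dataclass, field

DEFAULT_FILTER = "amavisfeed:[127.0.0.1]:10024"   # main.cf content_filter (safe default)
ORIGINATING = "amavisfeed:[127.0.0.1]:10026"      # tag_as_originating.re
FOREIGN = "amavisfeed:[127.0.0.1]:10024"          # tag_as_foreign.re


@dataclass
class Session:
    """Constructed per-message facts that the modelled restrictions look at."""
    in_mynetworks: bool = False
    sasl_authenticated: bool = False
    tls_clientcert_listed: bool = False
    recipients: list = field(default_factory=list)


def filter_tag(dest):
    """Model of a regexp table whose single rule is '/^/ FILTER dest'."""
    return lambda session, rcpt: ("FILTER", dest)


def permit_if(attribute):
    """Model of permit_mynetworks and friends: OK on match, otherwise no decision."""
    def check(session, rcpt):
        return ("OK", None) if getattr(session, attribute) else ("DUNNO", None)
    return check


def filter_by_rcpt_domain(table):
    """Model of a per-recipient access map returning FILTER for listed domains."""
    def check(session, rcpt):
        dest = table.get(rcpt.rsplit("@", 1)[1])
        return ("FILTER", dest) if dest else ("DUNNO", None)
    return check


def run_list(restrictions, session, rcpt, current):
    """Walk one restriction list: FILTER only deposits a value, OK ends the list."""
    for check in restrictions:
        action, arg = check(session, rcpt)
        if action == "FILTER":
            current = arg          # last deposited value applies
        elif action == "OK":
            break                  # later entries in this list are not reached
    return current


def choose_filter(session, sender_restrictions, recipient_restrictions=()):
    """Return the single content filter the whole message ends up with."""
    chosen = run_list(sender_restrictions, session, None, DEFAULT_FILTER)
    for rcpt in session.recipients:            # recipient list runs once per RCPT TO
        chosen = run_list(recipient_restrictions, session, rcpt, chosen)
    return chosen


# smtpd_sender_restrictions in the order given by the quoted documentation
DOC_SENDER_RESTRICTIONS = [
    filter_tag(ORIGINATING),
    permit_if("in_mynetworks"),
    permit_if("sasl_authenticated"),
    permit_if("tls_clientcert_listed"),
    filter_tag(FOREIGN),
]

# Hypothetical setup the documentation warns against: FILTER assigned per recipient
SPECIAL = "amavisfeed:[127.0.0.1]:10030"       # constructed value, not from the docs
PER_RCPT_RESTRICTIONS = [
    filter_by_rcpt_domain({"relayed.example": SPECIAL, "local.example": FOREIGN}),
]

if __name__ == "__main__":
    print("local client :", choose_filter(Session(in_mynetworks=True), DOC_SENDER_RESTRICTIONS))
    print("foreign      :", choose_filter(Session(), DOC_SENDER_RESTRICTIONS))
    for rcpts in (["a@relayed.example", "b@local.example"],
                  ["b@local.example", "a@relayed.example"]):
        result = choose_filter(Session(recipients=rcpts),
                               DOC_SENDER_RESTRICTIONS, PER_RCPT_RESTRICTIONS)
        print(rcpts, "->", result)
```

With the per-recipient list, the same two recipients end up on different filters depending only on RCPT TO order, which is the surprising result the documentation's comment describes.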


Re: Postfix ignoring "", won't do fingerprint checking

2010-05-10 Thread Dave O'Larte
On Mon, May 10, 2010 at 3:31 PM, Noel Jones  wrote:
> On 5/10/2010 12:52 PM, Dave O'Larte wrote:
>>
>> Regarding using the right main.cf :
>> I've only installed a single Postfix instance, and changes I make to
>> main.cf  do affect Postfix. (E.g. turning up logging,
>> etc.) The Postfix log says I'm using the config in /etc/postfix.
>>
>> The output from postfinger:
>>
>> # ./postfinger
>> postfinger - postfix configuration on Mon May 10 17:27:44 UTC 2010
>> version: 1.30
>>
>> Warning: postfinger output may show private configuration information,
>> such as ip addresses and/or domain names which you do not want to show
>> to the public.  If this is the case it is your responsibility to modify
>> the output to hide this private information.  [Remove this warning with
>> the --nowarn option.]
>>
>> --System Parameters--
>> mail_version = 2.6.5
>> hostname = AA-DD-DDD-DDD-DDD
>> uname = Linux aa-dd-ddd-ddd-ddd d.d.dd-ddd-aaa #7-Ubuntu SMP Tue Oct 13
>> 19:06:04 UTC 2009 i686 GNU/Linux
>>
>> --Packaging information--
>> looks like this postfix comes from deb package: postfix-2.6.5-3
>>
>> --main.cf  non-default parameters--
>> alias_maps = hash:/etc/aliases
>> append_dot_mydomain = no
>> biff = no
>> bounce_queue_lifetime = 0
>> mailbox_size_limit = 0
>> maximal_backoff_time = 10s
>> maximal_queue_lifetime = 0
>> mydestination = aa-dd-ddd-ddd-ddd.aaa., localhost
>> myhostname = aa-dd-ddd-ddd-ddd.aaa.
>> mynetworks = 127.0.0.0/8  [:::127.0.0.0]/104
>> [::1]/128
>> myorigin = /etc/mailname
>> readme_directory = no
>> recipient_delimiter = +
>> relay_clientcerts = hash:/etc/postfix/relay_client_certs
>> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
>> smtpd_client_restrictions = permit_tls_clientcerts, warn_if_reject, reject
>> smtpd_tls_CAfile = /etc/postfix/cacert.pem
>> smtpd_tls_cert_file = /etc/postfix/cert.pem
>> smtpd_tls_fingerprint_digest = sha1
>> smtpd_tls_key_file = /etc/postfix/key.pem
>> smtpd_tls_loglevel = 2
>> smtpd_tls_received_header = yes
>> smtpd_tls_req_ccert = yes
>> smtpd_tls_security_level = encrypt
>> smtp_tls_CAfile = /etc/postfix/cacert.pem
>> smtp_tls_cert_file = /etc/postfix/cert.pem
>> smtp_tls_fingerprint_digest = sha1
>> smtp_tls_key_file = /etc/postfix/key.pem
>> smtp_tls_loglevel = 2
>> smtp_tls_note_starttls_offer = yes
>> smtp_tls_security_level = encrypt
>> virtual_gid_maps = static:1004
>> virtual_mailbox_base = /var/mail/vhosts
>> virtual_mailbox_domains = a.com
>> 
>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>> virtual_uid_maps = static:1004
>>
>> --master.cf--
>> smtp      inet  n       -       -       -       -       smtpd
>> smtps     inet  n       -       -       -       -       smtpd
>>  -o smtpd_sasl_path=smtpd
>>  -o smtp_tls_security_level=fingerprint
>>  -o smtpd_tls_security_level=encrypt
>>  -o smtpd_tls_auth_only=yes
>>  -o smtp_tls_note_starttls_offer=yes
>>  -o smtpd_tls_req_ccert=no
>>  -o smtpd_tls_received_header=yes
>>  -o smtpd_sasl_local_domain=
>>  -o smtpd_sasl_auth_enable=yes
>>  -o smtpd_sasl_security_options=noanonymous
>>  -o broken_sasl_auth_clients=yes
>>  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
>>  -o smtpd_client_restrictions=
>> pickup    fifo  n       -       -       60      1       pickup
>> cleanup   unix  n       -       -       -       0       cleanup
>> qmgr      fifo  n       -       n       300     1       qmgr
>> tlsmgr    unix  -       -       -       1000?   1       tlsmgr
>> rewrite   unix  -       -       -       -       -       trivial-rewrite
>> bounce    unix  -       -       -       -       0       bounce
>> defer     unix  -       -       -       -       0       bounce
>> trace     unix  -       -       -       -       0       bounce
>> verify    unix  -       -       -       -       1       verify
>> flush     unix  n       -       -       1000?   0       flush
>> proxymap  unix  -       -       n       -       -       proxymap
>> proxywrite unix -       -       n       -       1       proxymap
>> smtp      unix  -       -       -       -       -       smtp
>> relay     unix  -       -       -       -       -       smtp
>>         -o smtp_fallback_relay=
>> showq     unix  n       -       -       -       -       showq
>> error     unix  -       -       -       -       -       error
>> retry     unix  -       -       -       -       -       error
>> discard   unix  -       -       -       -       -       discard
>> local     unix  -       n       n       -       -       local
>> virtual   unix  -       n       n       -       -       virtual
>> lmtp      unix  -       -       -       -       -       lmtp
>> anvil     unix  -       -       -       -       1       anvil
>> scache    unix  -       -       -       -       1       scache
>> maildrop  unix  -       n       n       -       -       pipe
>>   flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${r

Re: lmtp_generic_maps for delivery to dovecot

2010-05-10 Thread ram

On Mon, 2010-05-10 at 10:15 -0500, Noel Jones wrote:
> On 5/10/2010 8:33 AM, ram wrote:
> > Can I use somthing like lmtp_generic_maps for delivery to dovecot
> >
> 
> Your question is incomplete.
> What are you trying to accomplish?  How does postfix deliver 
> to dovecot?


I have a master.cf entry for delivery to dovecot. 

dovecot   unix  -   n   n   -   -   pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f
${sender} -d ${recipient}



The rules are very simple

mails to  *...@local.example.com   send to dovecot:[127.0.0.1]
mails to  *...@otherlocation.example.com send to smtp:[otherlocation]



But the users are created on dovecot  as  u...@example.com.
How can I configure postfix to send mails for *...@local.example.com to
dovecot and strip off the "local." 

I use lmtp_generic_maps for a similar thing in postfix+cyrus


Thanks
Derwyn.