Unable to send e-mail

2011-10-19 Thread Tolga

Hi,

I am using postfixadmin to add mailboxes.

Oct 19 15:40:01 vps postfix/pickup[3517]: 5DBFA4100B2B: uid=1005 from=
Oct 19 15:40:01 vps postfix/cleanup[3575]: 5DBFA4100B2B: 
message-id=<20111019124001.5dbfa4100...@mail.bilgisayarciniz.org>
Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: 
from=, size=652, nrcpt=1 (queue active)
Oct 19 15:40:01 vps postfix/smtp[3577]: 5DBFA4100B2B: 
to=, orig_to=, relay=none, delay=0.04, 
delays=0.02/0.01/0.01/0, dsn=5.4.4, status=bounced (Host or domain name 
not found. Name service error for name=vps.ozses.net type=A: Host not found)
Oct 19 15:40:01 vps postfix/cleanup[3575]: 66B774100B2C: 
message-id=<20111019124001.66b774100...@mail.bilgisayarciniz.org>
Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: from=<>, 
size=2672, nrcpt=1 (queue active)
Oct 19 15:40:01 vps postfix/bounce[3579]: 5DBFA4100B2B: sender 
non-delivery notification: 66B774100B2C

Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: removed
Oct 19 15:40:01 vps postfix/smtp[3577]: 66B774100B2C: 
to=, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4, 
status=bounced (Host or domain name not found. Name service error for 
name=vps.ozses.net type=A: Host not found)

Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: removed

I have these logs, and below is postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = localhost
myhostname = mail.bilgisayarciniz.org
mynetworks = 127.0.0.0/8 127.0.0.2/32 184.82.40.0/24
myorigin = /etc/mailname
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,  
permit_mynetworks,  reject_unauth_destination,  
reject_non_fqdn_hostname,  reject_non_fqdn_sender,  
reject_non_fqdn_recipient,  reject_unauth_pipelining,  
reject_invalid_hostname,  reject_rbl_client sbl.spamhaus.org,  
reject_rbl_client xbl.spamhaus.org

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /srv/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 100
virtual_transport = virtual
virtual_uid_maps = static:5000

When I add a new mailbox, I get "Unable to send e-mail" from 
postfixadmin. Where should I look for the problem?


Regards,


Re: Unable to send e-mail

2011-10-19 Thread Robert Schetterer
Am 19.10.2011 14:57, schrieb Tolga:
> Hi,
> 
> I am using postfixadmin to add mailboxes.
> 
> Oct 19 15:40:01 vps postfix/pickup[3517]: 5DBFA4100B2B: uid=1005
> from=
> Oct 19 15:40:01 vps postfix/cleanup[3575]: 5DBFA4100B2B:
> message-id=<20111019124001.5dbfa4100...@mail.bilgisayarciniz.org>
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B:
> from=, size=652, nrcpt=1 (queue active)
> Oct 19 15:40:01 vps postfix/smtp[3577]: 5DBFA4100B2B:
> to=, orig_to=, relay=none, delay=0.04,
> delays=0.02/0.01/0.01/0, dsn=5.4.4, status=bounced (Host or domain name
> not found. Name service error for name=vps.ozses.net type=A: Host not
> found)
> Oct 19 15:40:01 vps postfix/cleanup[3575]: 66B774100B2C:
> message-id=<20111019124001.66b774100...@mail.bilgisayarciniz.org>
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: from=<>,
> size=2672, nrcpt=1 (queue active)
> Oct 19 15:40:01 vps postfix/bounce[3579]: 5DBFA4100B2B: sender
> non-delivery notification: 66B774100B2C
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: removed
> Oct 19 15:40:01 vps postfix/smtp[3577]: 66B774100B2C:
> to=, relay=none, delay=0, delays=0/0/0/0, dsn=5.4.4,
> status=bounced (Host or domain name not found. Name service error for
> name=vps.ozses.net type=A: Host not found)
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: removed
> 
> I have these logs, and below is postconf -n:
> 
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> html_directory = /usr/share/doc/postfix/html
> inet_interfaces = all
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> mydestination = localhost
> myhostname = mail.bilgisayarciniz.org
> mynetworks = 127.0.0.0/8 127.0.0.2/32 184.82.40.0/24
> myorigin = /etc/mailname
> readme_directory = /usr/share/doc/postfix
> recipient_delimiter = +
> relayhost =
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_recipient_restrictions = permit_sasl_authenticated, 
> permit_mynetworks,  reject_unauth_destination, 
> reject_non_fqdn_hostname,  reject_non_fqdn_sender, 
> reject_non_fqdn_recipient,  reject_unauth_pipelining, 
> reject_invalid_hostname,  reject_rbl_client sbl.spamhaus.org, 
> reject_rbl_client xbl.spamhaus.org
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /srv/vmail
> virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = 100
> virtual_transport = virtual
> virtual_uid_maps = static:5000
> 
> When I add a new mailbox, I get "Unable to send e-mail" from
> postfixadmin. Where should I look for the problem?
> 
> Regards,

haven't looked at all of it

but
vps.ozses.net does not exist in DNS
so it's ok to bounce

dig vps.ozses.net

; <<>> DiG 9.7.0-P1 <<>> vps.ozses.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56623
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;vps.ozses.net. IN  A

;; AUTHORITY SECTION:
ozses.net.    3600    IN    SOA    ns01.ozses.net. root.ozses.net. 2011100101 10800 15 604800 10800

;; Query time: 112 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 19 14:59:42 2011
;; MSG SIZE  rcvd: 77


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: Unable to send e-mail

2011-10-19 Thread Reindl Harald


Am 19.10.2011 14:57, schrieb Tolga:
> Oct 19 15:40:01 vps postfix/pickup[3517]: 5DBFA4100B2B: uid=1005 from=
> Oct 19 15:40:01 vps postfix/cleanup[3575]: 5DBFA4100B2B:
> message-id=<20111019124001.5dbfa4100...@mail.bilgisayarciniz.org>
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: 
> from=, size=652, nrcpt=1 (queue active)
> Oct 19 15:40:01 vps postfix/smtp[3577]: 5DBFA4100B2B: 
> to=, orig_to=, relay=none,
> delay=0.04, delays=0.02/0.01/0.01/0, dsn=5.4.4, status=bounced (Host or 
> domain name not found. Name service error
> for name=vps.ozses.net type=A: Host not found)
> Oct 19 15:40:01 vps postfix/cleanup[3575]: 66B774100B2C:
> message-id=<20111019124001.66b774100...@mail.bilgisayarciniz.org>
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: from=<>, size=2672, 
> nrcpt=1 (queue active)
> Oct 19 15:40:01 vps postfix/bounce[3579]: 5DBFA4100B2B: sender non-delivery 
> notification: 66B774100B2C
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: removed
> Oct 19 15:40:01 vps postfix/smtp[3577]: 66B774100B2C: 
> to=, relay=none, delay=0, delays=0/0/0/0,
> dsn=5.4.4, status=bounced (Host or domain name not found. Name service error 
> for name=vps.ozses.net type=A: Host
> not found)
> Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: removed

what do you expect?
"vps.ozses.net" != "ozses.net" and has no MX or A-records





Re: Unable to send e-mail

2011-10-19 Thread Tolga



On 10/19/2011 04:01 PM, Reindl Harald wrote:


Am 19.10.2011 14:57, schrieb Tolga:

Oct 19 15:40:01 vps postfix/pickup[3517]: 5DBFA4100B2B: uid=1005 from=
Oct 19 15:40:01 vps postfix/cleanup[3575]: 5DBFA4100B2B:
message-id=<20111019124001.5dbfa4100...@mail.bilgisayarciniz.org>
Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: 
from=, size=652, nrcpt=1 (queue active)
Oct 19 15:40:01 vps postfix/smtp[3577]: 5DBFA4100B2B: to=, 
orig_to=, relay=none,
delay=0.04, delays=0.02/0.01/0.01/0, dsn=5.4.4, status=bounced (Host or domain 
name not found. Name service error
for name=vps.ozses.net type=A: Host not found)
Oct 19 15:40:01 vps postfix/cleanup[3575]: 66B774100B2C:
message-id=<20111019124001.66b774100...@mail.bilgisayarciniz.org>
Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: from=<>, size=2672, 
nrcpt=1 (queue active)
Oct 19 15:40:01 vps postfix/bounce[3579]: 5DBFA4100B2B: sender non-delivery 
notification: 66B774100B2C
Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: removed
Oct 19 15:40:01 vps postfix/smtp[3577]: 66B774100B2C: to=, 
relay=none, delay=0, delays=0/0/0/0,
dsn=5.4.4, status=bounced (Host or domain name not found. Name service error 
for name=vps.ozses.net type=A: Host
not found)
Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: removed

what do you expect?
"vps.ozses.net" != "ozses.net" and has no MX or A-records

Sorry, those were the logs of another transaction (didn't look closely 
enough :() For the postfixadmin transaction, I have no logs. Is this 
even possible?


Re: Unable to send e-mail

2011-10-19 Thread Reindl Harald


Am 19.10.2011 15:30, schrieb Tolga:
>> what do you expect?
>> "vps.ozses.net" != "ozses.net" and has no MX or A-records
>>
> Sorry, those were the logs of another transaction (didn't look closely enough 
> :() 
>
> For the postfixadmin transaction,
> I have no logs. Is this even possible?

everything touching postfix is producing logs, but if you get an error in
postfixadmin this has nothing to do with postfix itself

http://sourceforge.net/mail/?group_id=191583





Re: Unable to send e-mail

2011-10-19 Thread Tom Hendrikx
On 19/10/11 15:30, Tolga wrote:
> 
> 
> On 10/19/2011 04:01 PM, Reindl Harald wrote:
>>
>> Am 19.10.2011 14:57, schrieb Tolga:
>>> Oct 19 15:40:01 vps postfix/pickup[3517]: 5DBFA4100B2B: uid=1005
>>> from=
>>> Oct 19 15:40:01 vps postfix/cleanup[3575]: 5DBFA4100B2B:
>>> message-id=<20111019124001.5dbfa4100...@mail.bilgisayarciniz.org>
>>> Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B:
>>> from=, size=652, nrcpt=1 (queue active)
>>> Oct 19 15:40:01 vps postfix/smtp[3577]: 5DBFA4100B2B:
>>> to=, orig_to=, relay=none,
>>> delay=0.04, delays=0.02/0.01/0.01/0, dsn=5.4.4, status=bounced (Host
>>> or domain name not found. Name service error
>>> for name=vps.ozses.net type=A: Host not found)
>>> Oct 19 15:40:01 vps postfix/cleanup[3575]: 66B774100B2C:
>>> message-id=<20111019124001.66b774100...@mail.bilgisayarciniz.org>
>>> Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: from=<>,
>>> size=2672, nrcpt=1 (queue active)
>>> Oct 19 15:40:01 vps postfix/bounce[3579]: 5DBFA4100B2B: sender
>>> non-delivery notification: 66B774100B2C
>>> Oct 19 15:40:01 vps postfix/qmgr[5859]: 5DBFA4100B2B: removed
>>> Oct 19 15:40:01 vps postfix/smtp[3577]: 66B774100B2C:
>>> to=, relay=none, delay=0, delays=0/0/0/0,
>>> dsn=5.4.4, status=bounced (Host or domain name not found. Name
>>> service error for name=vps.ozses.net type=A: Host
>>> not found)
>>> Oct 19 15:40:01 vps postfix/qmgr[5859]: 66B774100B2C: removed
>> what do you expect?
>> "vps.ozses.net" != "ozses.net" and has no MX or A-records
>>
> Sorry, those were the logs of another transaction (didn't look closely
> enough :() For the postfixadmin transaction, I have no logs. Is this
> even possible?
> 

Postfixadmin will try to send the mail using the mail() function in
postfix. This command should work in the first place: check your PHP logs.

Most likely (but depending on your setup in php) this will hand off the
mail to the sendmail(1) binary on the webserver hosting postfixadmin.
This will try to send the message to the recipient: the mail account you
just created. If this message never arrives on your postfix mailserver
because something is wrong, there will be no postfix logging.

So: to check why postfixadmin cannot send the e-mail, check the error
logging of php/apache until you find an error line telling you why the
message could not be sent by PHP. This is not a postfix-related issue
until the message hits your postfix install.


-- 
Regards,
Tom


Re: Using Spamassassin as content filter

2011-10-19 Thread Kris Deugau

Daniele Nicolodi wrote:

Hello Kris, thank you for your comments.

On 18/10/11 17:03, Kris Deugau wrote:

Since you're happy to deliver the spam somewhere, rather than trying to
reject it during the SMTP conversation, you're probably best off calling
spamc early in your local-delivery rules rather than trying to integrate
it into Postfix somewhere.  This way mail for a given real recipient
will always get processed by that recipient's filtering rules.


Well, I would be very happy to discard spam as early as possible; however,
as I understand it, I can run Spamassassin rules only once the full
message is received, and therefore there is little value in having it
rejected sooner or later. What would be the solution to have it rejected
sooner than what is happening with my current configuration?


I don't know exactly how you'd do it, but IIRC the minimum change would 
be to configure Postfix to send a 550 error if the SA score is beyond a 
certain point.  You still incur the bandwidth cost to receive the data, 
but you don't have to store the messages you reject.


I think this is possible without any other software, but for flexibility 
and better control you'd probably want to switch to a content filter or 
milter that can call SA.


Personally, for inbound mail I prefer to run SA on delivery more or less 
as described in the SA procmail example, and deliver it all (mostly to 
one or another spam folder).



Look up the standard procmailrc example from the SpamAssassin docs, and
adapt as necessary for sieve.


Sieve cannot call external programs, therefore I do not know how to hook
Spamassassin in there, and, furthermore, I would like to avoid having to
set up things for each user.


O_o  News to me.  Maybe there's some option to do this in dovecot-lda? 
Is there a global sieve configuration similar to /etc/procmailrc?  I 
don't use either so I can't really suggest anything else that wouldn't 
be a big change in your mail processing.


-kgd


wrong order cert chain with Thawte * cert?

2011-10-19 Thread eugen
For some strange reason the party on the other end suddenly
no longer can send mail to us (delivery *from* us succeeds), 
claims that cert chain is in the wrong order.

How can I verify this, for StartTLS? The server is this
one (mail2.infochem.de).

Thanks!

Regards,
Eugen Leitl


Re: wrong order cert chain with Thawte * cert?

2011-10-19 Thread Kamil Raczyński

On 2011-10-19 16:03, eu...@mail2.infochem.de wrote:
> For some strange reason the party on the other end suddenly
> no longer can send mail to us (delivery *from* us succeeds),
> claims that cert chain is in the wrong order.
>
> How can I verify this, for StartTLS? The server is this
> one (mail2.infochem.de).

Hi,

you can check SMTP over TLS certificate using openssl:
`openssl s_client -connect mail2.infochem.de:25 -starttls smtp`

In this case the certificate is not signed by Thawte, but self-signed. 
Check if the smtpd_tls_cert_file and smtpd_tls_key_file options are pointing 
to the correct certificate/key.


Best Regards
--
Kamil Raczynski


Re: wrong order cert chain with Thawte * cert?

2011-10-19 Thread eugen
On Wed, Oct 19, 2011 at 04:20:08PM +0200, Kamil Raczyński wrote:
> On 2011-10-19 16:03, eu...@mail2.infochem.de wrote:
> > For some strange reason the party on the other end suddenly
> > no longer can send mail to us (delivery *from* us succeeds),
> > claims that cert chain is in the wrong order.
> >
> > How can I verify this, for StartTLS? The server is this
> > one (mail2.infochem.de).
> 
> Hi,
> 
> you can check SMTP over TLS certificate using openssl:
> `openssl s_client -connect mail2.infochem.de:25 -starttls smtp`

Ah, I missed the -starttls smtp options when trying. Works now.
 
> In this case certificate is not signed by Thawte, but it's
> self-signed. Check if smtpd_tls_cert_file and smtpd_tls_key_file
> options are pointing to the correct certificate/key.

Thanks, Kamil, that was indeed the culprit -- these did point
to stock Debian snake oil certs. Should be fixed now.


Re: wrong order cert chain with Thawte * cert?

2011-10-19 Thread Viktor Dukhovni
On Wed, Oct 19, 2011 at 04:50:08PM +0200, eu...@mail2.infochem.de wrote:

> > In this case certificate is not signed by Thawte, but it's
> > self-signed. Check if smtpd_tls_cert_file and smtpd_tls_key_file
> > options are pointing to the correct certificate/key.
> 
> Thanks, Kamil, that was indeed the culprit -- these did point
> to stock Debian snake oil certs. Should be fixed now.

Not entirely, you configured only the leaf server cert, and did
not also configure the intermediate CA cert (which should be appended
to your cert.pem file).

The issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
is not a root CA. Probably the missing intermediate is something like:


http://ait.its.psu.edu/services/identity-access-management/identity/webaccess/Thawte-SSL-CA.txt

Here's what I see:

$ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25
depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer 
chemische Information mbH, CN = *.infochem.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer 
chemische Information mbH, CN = *.infochem.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer 
chemische Information mbH, CN = *.infochem.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA

-- 
Viktor.


Re: Using Spamassassin as content filter

2011-10-19 Thread Daniele Nicolodi
On 19/10/11 16:01, Kris Deugau wrote:
> Daniele Nicolodi wrote:
>> Sieve cannot call external programs, therefore I do not know how to hook
>> Spamassassin in there, and, furthermore, I would like to avoid having to
>> set up things for each user.
> 
> O_o  News to me.  Maybe there's some option to do this in dovecot-lda? 
> Is there a global sieve configuration similar to /etc/procmailrc?  I 
> don't use either so I can't really suggest anything else that wouldn't 
> be a big change in your mail processing.

This is actually a selling point for Sieve: you can let untrusted users
upload their filtering rules without worrying about security.

Dovecot's sieve implementation has the possibility to call some global
filtering rules, but those cannot pipe the received messages through
external programs, similarly to the user-defined ones.

I'm open to changes in my system. I'm here to learn best practice,
keeping in mind that I'm looking for solutions for a small-volume SMTP
server, where I do not need virus scanning, and keeping things simple is
highly appreciated.

Cheers,
-- 
Daniele


Re: wrong order cert chain with Thawte * cert?

2011-10-19 Thread eugen
On Wed, Oct 19, 2011 at 02:56:59PM +, Viktor Dukhovni wrote:
> 
> Not entirely, you configured only the leaf server cert, and did
> not also configure the intermediate CA cert (which should be appended
> to your cert.pem file).

Thanks for catching it -- I obviously don't really know what I'm doing.
I've appended the cert, and now am getting

$ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25
CONNECTED(0003)
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
---
Server certificate
subject=/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3082 bytes and written 366 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: 48039E609473BB327D2C37180D7FD5B69C23D0819EE0E1EF6D9D6046CA75BE18
Session-ID-ctx:
Master-Key: 
9390E8DCF57B06BF51D4E3A4EDF884DE5FB015C2A93B81E3CD103A8C4203A9D962808E1C48082E955C84C39530F3D07D
Key-Arg   : None
Start Time: 1319040752
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 DSN

 
> The issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
> is not a root CA. Probably the missing intermediate is something like:
> 
>   
> http://ait.its.psu.edu/services/identity-access-manage

Re: wrong order cert chain with Thawte * cert?

2011-10-19 Thread Kamil Raczyński

On 2011-10-19 18:15, eu...@mail2.infochem.de wrote:

Thanks for catching it -- I obviously don't really know what I'm doing.
I've appended the cert, and now am getting

$ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25
CONNECTED(0003)
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0


That's because your openssl doesn't know where to look for installed CA 
certs. Debian's default location is /etc/ssl/certs


So try with:
openssl s_client -starttls smtp -CApath /etc/ssl/certs -showcerts 
-connect mail2.infochem.de:25


What I see is:

depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 
2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

verify return:1
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify return:1
depth=0 /C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer 
chemische Information mbH/CN=*.infochem.de

verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de

   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 
2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

---
[...]
Verify return code: 0 (ok)
---


br,
Kamil
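The three states this thread walks through (a self-signed leaf, a leaf sent without its intermediate, and the full chain with and without -CApath) can be checked offline from the text that `openssl s_client -showcerts` prints. The following is an added example, not code from the thread or from OpenSSL: it parses the `Certificate chain` block (the `s:`/`i:` lines, including the mail-client line wraps seen above), models the client's CA store as a set of subject names, and reports the problem the way Viktor and Kamil diagnosed it. The subject and issuer names are taken from the quoted output; the sample s_client texts and PEM bodies are constructed stubs.

```python
"""Offline check of the certificate chain a STARTTLS server presents.

Parses the "Certificate chain" block printed by `openssl s_client -starttls smtp
-showcerts` (the " N s:" / "   i:" lines) and reports the failure modes seen in
this thread: a self-signed (snake-oil) leaf, a chain in the wrong order, and an
issuer that was neither sent nor found in the client's CA store (what -CApath
supplies), which is modelled here as a set of subject names.  No network needed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str

    def self_signed(self) -> bool:
        return self.subject == self.issuer


_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output: str) -> list[ChainEntry]:
    """Return the chain entries in the order the server sent them.

    PEM bodies are skipped; any other line that is neither s: nor i: is treated
    as a mail-client wrap of the previous field (the quoted outputs are wrapped).
    """
    entries: list[ChainEntry] = []
    in_block = in_pem = False
    last_field = ""  # "subject" or "issuer": where a wrapped line belongs
    for line in s_client_output.splitlines():
        if not in_block:
            in_block = line.strip() == "Certificate chain"
            continue
        if line.strip() == "---":
            break  # end of the chain block
        if line.startswith("-----BEGIN") or line.startswith("-----END"):
            in_pem = line.startswith("-----BEGIN")
        elif in_pem or not line.strip():
            continue
        elif m := _SUBJECT_RE.match(line):
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip(), ""))
            last_field = "subject"
        elif (m := _ISSUER_RE.match(line)) and entries:
            entries[-1].issuer = m.group(1).strip()
            last_field = "issuer"
        elif entries and last_field:
            joined = getattr(entries[-1], last_field) + " " + line.strip()
            setattr(entries[-1], last_field, joined)
    return entries


def diagnose(chain: list[ChainEntry], trusted: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the chain verifies against `trusted`."""
    if not chain:
        return [("no-chain", "no Certificate chain block found in the output")]
    findings = []
    if chain[0].self_signed():  # smtpd_tls_cert_file still pointing at a stock self-signed cert
        findings.append(("self-signed", f"leaf {chain[0].subject!r} is self-signed"))
    for cur, nxt in zip(chain, chain[1:]):  # every cert must be followed by its issuer
        if cur.issuer != nxt.subject:
            findings.append(("wrong-order", f"depth {cur.depth} is issued by {cur.issuer!r} "
                                            f"but is followed by {nxt.subject!r}"))
    last = chain[-1]
    if not findings and not last.self_signed() and last.issuer not in trusted:
        findings.append(("issuer-not-found", f"{last.issuer!r} was neither sent nor found locally: "
                         "append it to smtpd_tls_cert_file if it is an intermediate, or give the "
                         "client its CA store (-CApath) if it is a root"))
    return findings


# Names taken from the thread; everything below is constructed test input.
LEAF = "/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische Information mbH/CN=*.infochem.de"
INTERMEDIATE = "/C=US/O=Thawte, Inc./CN=Thawte SSL CA"
ROOT = ("/C=US/O=thawte, Inc./OU=Certification Services Division"
        "/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA")
PEM_STUB = "-----BEGIN CERTIFICATE-----\nMIIC...constructed stub, not a real certificate...\n-----END CERTIFICATE-----"
CA_STORE = frozenset({ROOT})  # stands in for -CApath /etc/ssl/certs


def s_client_text(*pairs: tuple[str, str]) -> str:
    """Build s_client-style output for a chain of (subject, issuer) pairs."""
    body = "".join(f" {d} s:{s}\n   i:{i}\n{PEM_STUB}\n" for d, (s, i) in enumerate(pairs))
    return f"CONNECTED(00000003)\n---\nCertificate chain\n{body}---\nServer certificate\n"


LEAF_ONLY = s_client_text((LEAF, INTERMEDIATE))                          # what Viktor saw first
FULL_CHAIN = s_client_text((LEAF, INTERMEDIATE), (INTERMEDIATE, ROOT))  # after appending the intermediate
WRONG_ORDER = s_client_text((INTERMEDIATE, ROOT), (LEAF, INTERMEDIATE))
SNAKE_OIL = s_client_text(("/CN=mail.example.invalid", "/CN=mail.example.invalid"))
WRAPPED = "\n".join([  # subject split over two lines, as in the quoted output
    "---", "Certificate chain",
    " 0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische ",
    "Information mbH/CN=*.infochem.de", f"   i:{INTERMEDIATE}", "---",
])

if __name__ == "__main__":
    for name, text, store in [("leaf only", LEAF_ONLY, CA_STORE), ("full chain, no -CApath", FULL_CHAIN, frozenset()),
                              ("full chain, -CApath", FULL_CHAIN, CA_STORE), ("wrong order", WRONG_ORDER, CA_STORE)]:
        result = diagnose(parse_chain(text), store) or [("ok", "chain complete and in order")]
        print(f"{name}: " + "; ".join(f"[{code}] {msg}" for code, msg in result))
```

Running it against real output is a matter of piping `openssl s_client ... -showcerts </dev/null` into `parse_chain` and passing the subjects of the local CA bundle as `trusted`.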


Re: Using Spamassassin as content filter

2011-10-19 Thread Tom Hendrikx
On 19-10-11 17:33, Daniele Nicolodi wrote:
> On 19/10/11 16:01, Kris Deugau wrote:
>> Daniele Nicolodi wrote:
>>> Sieve cannot call external programs, therefore I do not know how to hook
>>> Spamassassin in there, and, furthermore, I would like to avoid having to
>>> set up things for each user.
>>
>> O_o  News to me.  Maybe there's some option to do this in dovecot-lda? 
>> Is there a global sieve configuration similar to /etc/procmailrc?  I 
>> don't use either so I can't really suggest anything else that wouldn't 
>> be a big change in your mail processing.
> 
> This is actually a selling point for Sieve: you can let untrusted users
> upload their filtering rules without worrying about security.
> 
> Dovecot's sieve implementation has the possibility to call some global
> filtering rules, but those cannot pipe the received messages through
> external programs, similarly to the user-defined ones.
> that allows pipe 

Actually, there is an experimental extension for dovecot sieve that
allows piping to external commands, but with a quite secure design
(the sysadmin controls which commands are available to the pipe extension).
It works quite nicely in its current state, and will probably be included
some day in the dovecot sieve implementation.

See http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe

Mailutils sieve also has a pipe implementation, which I did not test but
looks (from the documentation) less secure because it allows the user to
call arbitrary commands. I never checked courier or others.

Anyway, the administrator can always simply remove support for the
extension, something that probably lacks when using procmail.

You'd still be better off feeding messages to SA from the MTA, and let
sieve just move messages around based on added headers.

--
Tom


Permission for delivered messages.

2011-10-19 Thread Simone Piccardi

Hi,

I'm trying to deliver some messages to a "Public" IMAP directory (Public 
in the dovecot namespace meaning).


I tried to use virtual to do this, I created a virtual domain 
shared.folders and then used a virtual_mailbox_maps to define a mapping 
between an address like someaddress@shared.folders to a specific shared 
folder.


I could deliver the messages sent to someaddress@shared.folders to a 
/var/mail/public/.somefolder Maildir, but they were all created with 
permission 0600, so they cannot be read by different users.


I cannot find any option to set up an umask for delivered message 
creation, so I'm asking if there is a way to do this or if it's just 
impossible.


Regards
Simone
--
Simone Piccardi                        Truelite Srl
picca...@truelite.it (email/jabber)    Via Monferrato, 6
Tel. +39-347-1032433                   50142 Firenze
http://www.truelite.it                 Tel. +39-055-7879597  Fax. +39-055-736


Re: Using Spamassassin as content filter

2011-10-19 Thread Daniele Nicolodi
On 19/10/11 18:46, Tom Hendrikx wrote:
> Actually, there is an experimental extension for dovecot sieve that
> allows piping to external commands, but with a quite secure design
> (sysadmin controls which commands are available to the pipe extension).
> It works quite nice in the current state, and will probably be included
> some day by the dovecot sieve implementation.
> 
> See http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe

Nice to know.

> You'd still be better off feeding messages to SA from the MTA, and let
> sieve just move messages around based on added headers.

I agree and that's exactly my current solution, but I have some
questions regarding how I'm doing that. Without repeating myself, can
you please have a look at my configuration in the mail that originated
this thread and comment on my solution?

Thank you. Cheers,
-- 
Daniele


By Passing RBL for specific domain for specific IP

2011-10-19 Thread Janaka Wickramasinghe
Hi,

Is there a way to bypass the RBL check for a specific domain when receiving
from a specific IP?

my main.cf's smtpd_recipient_restrictions looks like this

smtpd_recipient_restrictions =
permit_mynetworks,
reject_unauth_destination,
reject_rbl_client multi.uribl.com,
...
... more rbls 
...
permit


I've tried creating a smtpd_restriction_class where I assign
whitelisted_ips, and a hash list linking whitelisted_ips with the domain, as below:

/etc/postfix/whitelisted_ips
===
aaa.bbb.ccc.ddd    permit
zzz.yyy.ppp.www    reject


/etc/postfix/domain_client_IP_access

my-good.domain.com    whitelisted_ips

and change the main.cf as follows

smtpd_restriction_classes = whitelisted_ips

whitelisted_ips = hash:/etc/postfix/whitelisted_ips

smtpd_recipient_restrictions =
permit_mynetworks,
check_client_access hash:/etc/postfix/domain_client_IP_access
reject_unauth_destination,
reject_rbl_client multi.uribl.com,
...
... more rbls 
...
permit

I checked the rejecting part, i.e. sending from the zzz.yyy.ppp.www IP, but it's
still going through. I also tried it in smtpd_sender_restrictions and
smtpd_client_restrictions, but still the same.

Great if you could help me with this..

Thanks in advance...

With Best Regards,
Janaka


Re: Content filter after DKIM proxy

2011-10-19 Thread Steve Jenkins
>
> I think the hour or less it would take to replace dkimproxy with
> OpenDKIM would be well spent.
>
>
A big +1 on this. I wrestled with DKIM-Proxy for a couple of afternoons
before stumbling upon OpenDKIM. I had it up and running and playing nicely
with Amavis-new in under an hour.

The following isn't one of my normal walkthrough HowTo blog posts, but it
does contain some notes I wrote to myself about things to consider when
deploying OpenDKIM with Amavis-new. I've also got additional stuff there
detailing how to configure OpenDKIM, too (disclosure: I'm the maintainer of
the Fedora / EPEL OpenDKIM package).

The OpenDKIM developer announced the newest beta yesterday, including "An
experimental implementation of a DKIM-based reputation system is present,
and support for it as a reputation client (in the filter) and as a server
are present in the package."

The main reason I'm a fan of using OpenDKIM over Amavis-new's for signing is
that OpenDKIM keeps pace more rapidly with changes to the DKIM standards,
and is looking forward to reputation-based decision making based on DKIM
signatures. Most Postfix admins could get OpenDKIM up and running on their
lunch break, and still have time to eat. :)

SteveJ


Re: Content filter after DKIM proxy

2011-10-19 Thread Steve Jenkins
On Wed, Oct 19, 2011 at 12:03 PM, Steve Jenkins wrote:

> The following isn't one of my normal walkthrough HowTo blog posts, but it
>> does contain some notes I wrote to myself about things to consider when
>> deploying OpenDKIM with Amavis-new. I've also got additional stuff there
>> detailing how to configure OpenDKIM, too (disclosure: I'm the maintainer of
>> the Fedora / EPEL OpenDKIM package).
>
>
Drat - forgot the link. Sorry. :)

http://stevejenkins.com/blog/2011/02/tips-for-installing-amavis-new-clamav-and-spamassassin-using-postfix-on-fedora-12/

SteveJ


Re: wrong order cert chain with Thawte * cert?

2011-10-19 Thread Viktor Dukhovni
On Wed, Oct 19, 2011 at 06:15:31PM +0200, eu...@mail2.infochem.de wrote:

> > Not entirely, you configured only the leaf server cert, and did
> > not also configure the intermediate CA cert (which should be appended
> > to your cert.pem file).
> 
> Thanks for catching it -- I obviously don't really know what I'm doing.
> I've appended the cert, and now am getting
> 
> $ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25

Works fine on a system with a large pile of certs in /usr/lib/ssl/certs.
It looks like you're done now.

$ openssl s_client -CApath /usr/lib/ssl/certs -starttls smtp -showcerts 
-connect mail2.infochem.de:25
CONNECTED(0003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify return:1
depth=0 /C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
-BEGIN CERTIFICATE-
-END CERTIFICATE-
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-BEGIN CERTIFICATE-
MIIEbDCCA1SgAwIBAgIQTV8sNAiyTCDNbVB+JE3J7DANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjA4MDAwMDAwWhcNMjAw
MjA3MjM1OTU5WjA8MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MRYwFAYDVQQDEw1UaGF3dGUgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAmeSFW3ZJfS8F2MWsyMip09yY5tc0pi8M8iIm2KPJFEyPBaRF6BQM
WJAFGrfFwQalgK+7HUlrUjSIw1nn72vEJ0GMK2Yd0OCjl5gZNEtB1ZjVxwWtouTX
7QytT8G1sCH9PlBTssSQ0NQwZ2ya8Q50xMLciuiX/8mSrgGKVgqYMrAAI+yQGmDD
7bs6yw9jnw1EyVLhJZa/7VCViX9WFLG3YR0cB4w6LPf/gN45RdWvGtF42MdxaqMZ
pzJQIenyDqHGEwNESNFmqFJX1xG0k4vlmZ9d53hR5U32t1m0drUJN00GOBN6HAiY
XMRISstSoKn4sZ2Oe3mwIC88lqgRYke7EQIDAQABo4H7MIH4MDIGCCsGAQUFBwEB
BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTASBgNVHRMB
Af8ECDAGAQH/AgEAMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVQQ0EuY3JsMA4GA1UdDwEB/wQEAwIBBjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItOTAdBgNVHQ4EFgQUp6KDuzRFQD38
1TBPErk+oQGf9tswHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJ
KoZIhvcNAQEFBQADggEBAIAigOBsyJUW11cmh/NyNNvGclYnPtOW9i4lkaU+M5en
S+Uv+yV9Lwdh+m+DdExMU3IgpHrPUVFWgYiwbR82LMgrsYiZwf5Eq0hRfNjyRGQq
2HGn+xov+RmNNLIjv8RMVR2OROiqXZrdn/0Dx7okQ40tR0Tb9tiYyLL52u/tKVxp
EvrRI5YPv5wN8nlFUzeaVi/oVxBw9u6JDEmJmsEj9cIqzEHPIqtlbreUgm0vQF9Y
3uuVK6ZyaFIZkSqudZ1OkubK3lTqGKslPOZkpnkfJn1h7X3S5XFV2JMXfBQ4MDzf
huNMrUnjl1nOG5srztxl1Asoa06ERlFE9zMILViXIa4=
-END CERTIFICATE-
---
Server certificate
subject=/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische 
Information mbH/CN=*.infochem.de
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3082 bytes and written 366 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: DB0377BA5DA344D58F6FD40B3AD5C2C4F4759619ED2D339718E26E48AB436280
Session-ID-ctx:
Master
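
The fix Viktor describes (append the intermediate CA cert to cert.pem, leaf first, then its issuer) fails silently when done wrong, because `openssl s_client` on a machine with a full local CA store will still print verify return:1. As an added example that is not code from the thread, the Python script below reads a PEM bundle, walks the DER only far enough to pull out each certificate's issuer and subject Names, and reports when a certificate is not followed by its issuer or when only a non-self-signed leaf is present. The embedded sample input is the Thawte SSL CA intermediate exactly as it appears in the s_client output above, re-wrapped with standard PEM markers; the leaf certificate is not on the page, so on a real system you would feed the script your own cert.pem.

```python
import base64
import re

# Constructed input for this example: the Thawte intermediate certificate
# exactly as shown in the s_client output above, re-wrapped with the
# standard PEM markers. The leaf certificate is not on the page.
THAWTE_SSL_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIEbDCCA1SgAwIBAgIQTV8sNAiyTCDNbVB+JE3J7DANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjA4MDAwMDAwWhcNMjAw
MjA3MjM1OTU5WjA8MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MRYwFAYDVQQDEw1UaGF3dGUgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAmeSFW3ZJfS8F2MWsyMip09yY5tc0pi8M8iIm2KPJFEyPBaRF6BQM
WJAFGrfFwQalgK+7HUlrUjSIw1nn72vEJ0GMK2Yd0OCjl5gZNEtB1ZjVxwWtouTX
7QytT8G1sCH9PlBTssSQ0NQwZ2ya8Q50xMLciuiX/8mSrgGKVgqYMrAAI+yQGmDD
7bs6yw9jnw1EyVLhJZa/7VCViX9WFLG3YR0cB4w6LPf/gN45RdWvGtF42MdxaqMZ
pzJQIenyDqHGEwNESNFmqFJX1xG0k4vlmZ9d53hR5U32t1m0drUJN00GOBN6HAiY
XMRISstSoKn4sZ2Oe3mwIC88lqgRYke7EQIDAQABo4H7MIH4MDIGCCsGAQUFBwEB
BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTASBgNVHRMB
Af8ECDAGAQH/AgEAMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVQQ0EuY3JsMA4GA1UdDwEB/wQEAwIBBjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItOTAdBgNVHQ4EFgQUp6KDuzRFQD38
1TBPErk+oQGf9tswHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJ
KoZIhvcNAQEFBQADggEBAIAigOBsyJUW11cmh/NyNNvGclYnPtOW9i4lkaU+M5en
S+Uv+yV9Lwdh+m+DdExMU3IgpHrPUVFWgYiwbR82LMgrsYiZwf5Eq0hRfNjyRGQq
2HGn+xov+RmNNLIjv8RMVR2OROiqXZrdn/0Dx7okQ40tR0Tb9tiYyLL52u/tKVxp
EvrRI5YPv5wN8nlFUzeaVi/oVxBw9u6JDEmJmsEj9cIqzEHPIqtlbreUgm0vQF9Y
3uuVK6ZyaFIZkSqudZ1OkubK3lTqGKslPOZkpnkfJn1h7X3S5XFV2JMXfBQ4MDzf
huNMrUnjl1nOG5srztxl1Asoa06ERlFE9zMILViXIa4=
-----END CERTIFICATE-----
"""

CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

def pem_to_ders(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split()))
            for b in re.findall(pattern, pem_text, re.S)]

def names(der):
    """Return the raw DER (issuer, subject) Name values of a certificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]

def common_name(name_der):
    """Pull the CN out of a DER Name (SEQUENCE OF SET OF SEQUENCE{oid, value})."""
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = list(_children(atv))[:2]
            if oid == CN_OID:
                return value.decode("utf-8", "replace")
    return None

def check_chain(pem_text):
    """Return a list of findings; an empty list means the bundle is in order."""
    certs = pem_to_ders(pem_text)
    if not certs:
        return ["no PEM certificates found"]
    findings = []
    for i in range(len(certs) - 1):
        issuer, subject = names(certs[i])
        _, next_subject = names(certs[i + 1])
        if issuer != next_subject:        # byte-exact comparison of the DER Names
            findings.append(
                f"cert {i} ({common_name(subject)!r}) is issued by "
                f"{common_name(issuer)!r}, but cert {i + 1} is "
                f"{common_name(next_subject)!r}")
    issuer, subject = names(certs[-1])
    if len(certs) == 1 and issuer != subject:
        findings.append(
            f"only {common_name(subject)!r} is present; append its issuer "
            f"{common_name(issuer)!r} (the intermediate CA) to the file")
    return findings
```

Call it as `check_chain(open("/etc/postfix/cert.pem").read())`. The Name comparison is byte-exact on the DER, which is effectively what a chain builder matches on, so a finding on a real bundle means the wrong file or the wrong order rather than a cosmetic difference. The script does not check signatures, validity dates or the trust root; for that keep the `openssl s_client -CApath ...` test shown above, ideally from a host whose CA store does not already contain the intermediate.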

Whitelisting a domain

2011-10-19 Thread N. Yaakov Ziskind
I'm getting errors like this from one particular sender:

Oct 19 13:54:13 pizza postfix/smtpd[31372]: NOQUEUE: reject: RCPT from
chocolate.egps.com[38.119.130.7]: 450 4.1.8
:
Sender address rejected: Domain not found; from= 
to= proto=ESMTP helo=

where the capitalized domain name has been munged.
I'd like these emails to get through.

(Apparently, MYDOMAIN.com is a real domain, but vps.MYDOMAIN.com isn't.)

I tried putting vps.MYDOMAIN.com into DNS in the postfix box, but that
didn't help (perhaps I didn't do it right?)

So, how can I whitelist this domain?

(postconf -n output found at http://www.ziskind.us/postconf.out)

Thanks!



Re: Permission for delivered messages.

2011-10-19 Thread tobi

On 19.10.2011 18:49, Simone Piccardi wrote:

Hi,

I'm trying to deliver some messages to a "Public" IMAP directory 
(Public in the dovecot namespace meaning).


I tried to use virtual to do this, I created a virtual domain 
shared.folders and then used a virtual_mailbox_maps to define a 
mapping between an address like someaddress@shared.folders to a 
specific shared folder.


I could deliver the messages sent to someaddress@shared.folders to a 
/var/mail/public/.somefolder Maildir, but they were all created with 
permission 0600, so they cannot be read by different users.


I cannot find any option to setup an umask for delivered message 
creation, so I'm asking if there is a way to do this or it's just 
impossible.


Regards
Simone
I'm not sure if there is an option in dovecot to change the chmod of the 
mail files. But you could use virtual Users on dovecot. Then the local 
user always remains the same and it's fine with chmod 0600.  Have a look 
here http://wiki2.dovecot.org/VirtualUsers if virtual users are an 
option for you


tobi


Re: Using Spamassassin as content filter

2011-10-19 Thread Tom Hendrikx
On 19-10-11 18:54, Daniele Nicolodi wrote:
> On 19/10/11 18:46, Tom Hendrikx wrote:
>> Actually, there is an experimental extension for dovecot sieve that
>> allows piping to external commands, but with a quite secure design
>> (sysadmin controls which commands are available to the pipe extension).
>> It works quite nice in the current state, and will probably be included
>> some day by the dovecot sieve implementation.
>>
>> See http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe
> 
> Nice to know.
> 
>> You'd still be better off feeding messages to SA from the MTA, and let
>> sieve just move messages around based on added headers.
> 
> I agree and that's exactly my current solution, but I have some
> questions regarding how I'm doing that. Without repeating myself, can
> you please have a look at my configuration in the mail that originated
> this thread and comment on my solution?

I don't use SA myself so I have no experience with integrating it with
postfix, but some slacking around on the spamassassin website led me to
http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix, whose
first lines clearly mention the flaws your system will run into
(generating backscatter, for instance).

My previous attempts in setting up a mailsystem that uses all kinds of
bells and whistles, but also tries to do everything on the smallest
scale possible (such as running content filters under system user
accounts), always failed miserably. In the end I implemented an
ISP-style setup even though my setup is only used by three persons and a
cat. I suggest you try the spampd or the amavisd-new approach.

--
Regards,
Tom


Re: Using Spamassassin as content filter

2011-10-19 Thread tobi

On 19.10.2011 21:00, Tom Hendrikx wrote:

On 19-10-11 18:54, Daniele Nicolodi wrote:

On 19/10/11 18:46, Tom Hendrikx wrote:

Actually, there is an experimental extension for dovecot sieve that
allows piping to external commands, but with a quite secure design
(sysadmin controls which commands are available to the pipe extension).
It works quite nice in the current state, and will probably be included
some day by the dovecot sieve implementation.

See http://wiki2.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe

Nice to know.


You'd still be better off feeding messages to SA from the MTA, and let
sieve just move messages around based on added headers.

I agree and that's exactly my current solution, but I have some
questions regarding how I'm doing that. Without repeating myself, can
you please have a look at my configuration in the mail that originated
this thread and comment on my solution?

I don't use SA myself so I have no experience with integrating it with
postfix, but some slacking around on the spamassassin website led me to
http://wiki.apache.org/spamassassin/IntegratedSpamdInPostfix, whose
first lines clearly mention the flaws your system will run into
(generating backscatter, for instance).

My previous attempts in setting up a mailsystem that uses all kinds of
bells and whistles, but also tries to do everything on the smallest
scale possible (such as running content filters under system user
accounts), always failed miserably. In the end I implemented an
ISP-style setup even though my setup is only used by three persons and a
cat. I suggest you try the spampd or the amavisd-new approach.

--
Regards,
Tom
For me a very smooth way to integrate spamassassin into postfix is via 
spamass-milter. An advantage of milter is that it can access the body of 
a mail before the server sends the accept to the client. It's possible to 
deny messages based on score during the smtp session, and the job of 
creating a bounce is on the sending side :-)
I use spamass-milter on two postfix servers running on debian-squeeze. 
Works really very nicely.


tobi


Re: Whitelisting a domain

2011-10-19 Thread /dev/rob0
On Wednesday 19 October 2011 13:05:58 N. Yaakov Ziskind wrote:
> I'm getting errors like this from one particular sender:
> 
> Oct 19 13:54:13 pizza postfix/smtpd[31372]: NOQUEUE: reject: RCPT
> from chocolate.egps.com[38.119.130.7]: 450 4.1.8
> :
> Sender address rejected: Domain not found;
> from= to= proto=ESMTP
> helo=

The HELO resolves:
chocolate.egps.com.   3600   IN   A   38.119.130.7
But: Host vps.egps.com. not found: 3(NXDOMAIN)

> where the capitalized domain name has been munged.
> I'd like these email to get through.
> 
> (Apparently, MYDOMAIN.com is a real domain, but vps.MYDOMAIN.com

Don't use real domain names in examples, see http://example.com/

> isn't.)
> 
> I tried putting vps.MYDOMAIN.com into DNS in the postfix box, but
> that didn't help (perhaps I didn't do it right?)

Perhaps not. That IS one of the right solutions. Another one is to 
quit sending mail with bogus sender addresses: use a name that does 
exist in DNS.

> So, how can I whitelist this domain?

You could use a check_sender_access lookup to bypass the 
reject_unknown_sender_domain restriction you are using. But that's 
wrong, you should do one of the two above.

> (postconf -n output found at http://www.ziskind.us/postconf.out)

You should post that inline. In any case, none of your three NS hosts 
are answering queries.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header


Re: By Passing RBL for specific domain for specific IP

2011-10-19 Thread Kamil Raczyński

On 2011-10-19 19:37, Janaka Wickramasinghe wrote:


 Is there a way to bypass RBL check for a specific domain and
receiving from specific IP,


Yes.


I've tried creating a smtpd_restriction_class where I assign
whitelisted_ip and hash list linking the whitelited_ip with domain as below,


You don't need that. It was designed to create rules for groups of 
*your* users. Besides - you configured it in the wrong way - see 
http://www.postfix.org/RESTRICTION_CLASS_README.html


You can use just "check_client_access" option. Use OK for accepting and 
REJECT for rejecting emails from particular clients. Both IP addresses 
and domain names are allowed. See http://www.postfix.org/access.5.html


Postfix is really, really well documented.

Best Regards
--
Kamil Raczynski


perform check after authentication

2011-10-19 Thread Daniel L. Miller
How can I execute a policy service AFTER successful authentication or 
local sender verification?


--
Daniel


Re: perform check after authentication

2011-10-19 Thread Noel Jones
On 10/19/2011 3:06 PM, Daniel L. Miller wrote:
> How can I execute a policy service AFTER successful authentication
> or local sender verification?
> 
> -- 
> Daniel


Have your policy service check for existence of sasl_sender or
sasl_username.




-- Noel Jones


Re: perform check after authentication

2011-10-19 Thread Daniel L. Miller

On 10/19/2011 1:21 PM, Noel Jones wrote:

On 10/19/2011 3:06 PM, Daniel L. Miller wrote:

How can I execute a policy service AFTER successful authentication
or local sender verification?



Have your policy service check for existence of sasl_sender or
sasl_username.

If I use that in smtpd_sender_restrictions - where would I place it?  If 
I place it AFTER "permit_sasl_authenticated" - that would mean my policy 
service is never called?  If I place it BEFORE that check, by the time 
smtpd_sender_restrictions is evaluated, are the 
sasl_sender/sasl_username fields filled?


Is simply having a non-empty sasl_sender/sasl_username confirmation of 
successful sasl authentication - so the policy service doesn't have to 
perform any validation of the value beyond non-empty?  Would sasl_method 
also be a valid test?


What about non-authenticated but valid local sender (via IP range).  
Would I do the check in smtpd_client_restrictions - and have the policy 
service test client_address?  Is there a test I can use to have Postfix 
validate the IP - instead of duplicating the IP check?

--
Daniel


Re: perform check after authentication

2011-10-19 Thread Noel Jones
On 10/19/2011 3:30 PM, Daniel L. Miller wrote:
> On 10/19/2011 1:21 PM, Noel Jones wrote:
>> On 10/19/2011 3:06 PM, Daniel L. Miller wrote:
>>> How can I execute a policy service AFTER successful authentication
>>> or local sender verification?
>>>
>>
>> Have your policy service check for existence of sasl_sender or
>> sasl_username.
>>
> If I use that in smtpd_sender_restrictions - where would I place
> it?  If I place it AFTER "permit_sasl_authenticated" - that would
> mean my policy service is never called?  If I place it BEFORE that
> check, by the time smtpd_sender_restrictions is evaluated, are the
> sasl_sender/sasl_username fields filled?

the check_policy_service would need to be the first check in some
smtpd_*_restrictions section.  Depending on what you're doing it may
or may not matter which section.


> 
> Is simply having a non-empty sasl_sender/sasl_username confirmation
> of successful sasl authentication - so the policy service doesn't
> have to perform any validation of the value beyond non-empty?  Would
> sasl_method also be a valid test?

None of the policy service sasl_* fields will be populated without
successful authentication.

> What about non-authenticated but valid local sender (via IP range). 
> Would I do the check in smtpd_client_restrictions - and have the
> policy service test client_address?  Is there a test I can use to
> have Postfix validate the IP - instead of duplicating the IP check?

While it might be possible to use a check_client_access table,
you're probably better off implementing your "authorized IP" tests
in your policy service.




  -- Noel Jones
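
Putting Noel's answers together, as an added example that is not code from the thread: a minimal Postfix policy service in Python that treats a non-empty sasl_username as proof of authentication (Postfix sends the sasl_* attributes empty when no AUTH took place), otherwise does its own trusted-network test on client_address, applies a rule only to those two classes of client, and answers DUNNO for everyone else so the remaining restrictions still run. The network ranges, domain names, port number and the two rules (an authenticated sender must match the login; an unauthenticated local client must use a local sender domain) are constructed for illustration; the attribute names and the request/response framing are the real policy protocol.

```python
import ipaddress
import socketserver

# Constructed site policy for this example (not from the thread):
# clients in these networks count as "local senders" without AUTH.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}      # sender domains local clients may use
DEFAULT_DOMAIN = "example.com"       # appended to a bare SASL login name

def parse_request(raw):
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def is_trusted_client(attrs):
    """The policy service's own IP test (instead of duplicating it in Postfix)."""
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def decide(attrs):
    """Return the action text (without the 'action=' prefix) for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    user = attrs.get("sasl_username", "")
    sender = attrs.get("sender", "").lower()
    if user:
        # sasl_username/sasl_sender/sasl_method are only filled in after a
        # successful AUTH, so "present" is the "after authentication" test.
        expected = user.lower() if "@" in user else f"{user.lower()}@{DEFAULT_DOMAIN}"
        if sender and sender != expected:
            return f"REJECT envelope sender {sender} does not match login {user}"
        return "DUNNO"
    if is_trusted_client(attrs):
        domain = sender.rpartition("@")[2]
        if sender and domain not in LOCAL_DOMAINS:
            return f"REJECT sender domain {domain} not permitted from local network"
        return "DUNNO"
    # Neither authenticated nor local: stay out of the way and let the rest
    # of smtpd_*_restrictions (reject_unauth_destination etc.) decide.
    return "DUNNO"

def respond(raw):
    """Full wire response for one raw request."""
    return f"action={decide(parse_request(raw))}\n\n"

class PolicyHandler(socketserver.StreamRequestHandler):
    """Speaks the policy protocol; one connection may carry many requests."""
    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:            # Postfix closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            self.wfile.write(respond("\n".join(lines) + "\n\n").encode())
            self.wfile.flush()

# Constructed sample requests (attribute names are the real ones Postfix sends).
REQ_AUTH_OK = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
               "client_address=203.0.113.5\nsender=alice@example.com\n"
               "recipient=bob@example.net\nsasl_method=PLAIN\nsasl_username=alice\n\n")
REQ_AUTH_BAD = REQ_AUTH_OK.replace("sender=alice@", "sender=mallory@")
REQ_LOCAL_OK = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                "client_address=192.0.2.10\nsender=alice@example.com\n"
                "recipient=bob@example.net\n\n")
REQ_LOCAL_BAD = REQ_LOCAL_OK.replace("alice@example.com", "alice@example.net")
REQ_OUTSIDE = REQ_LOCAL_BAD.replace("192.0.2.10", "198.51.100.7")

if __name__ == "__main__":
    # Hook it up with: check_policy_service inet:127.0.0.1:10040
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Because `permit_sasl_authenticated` and `permit_mynetworks` end the evaluation as soon as they match, list `check_policy_service inet:127.0.0.1:10040` ahead of them (for example at the start of smtpd_sender_restrictions, where the sender is already known); since the service answers DUNNO whenever it has no opinion, the rest of the restriction list still applies to clients it does not cover.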


Re: Content filter after DKIM proxy

2011-10-19 Thread Simon Brereton
On 19 October 2011 14:04, Steve Jenkins  wrote:
> On Wed, Oct 19, 2011 at 12:03 PM, Steve Jenkins 
> wrote:
>>>
>>> The following isn't one of my normal walkthrough HowTo blog posts, but it
>>> does contain some notes I wrote to myself about things to consider when
>>> deploying OpenDKIM with Amavis-new. I've also got additional stuff there
>>> detailing how to configure OpenDKIM, too (disclosure: I'm the maintainer of
>>> the Fedora / EPEL OpenDKIM package).
>
> Drat - forgot the link. Sorry. :)
> http://stevejenkins.com/blog/2011/02/tips-for-installing-amavis-new-clamav-and-spamassassin-using-postfix-on-fedora-12/
> SteveJ


Cheers

The biggest issue I had setting up dkimproxy wasn't dkimproxy - it was
getting bind9 to behave.

That said, I enjoyed your site.  Some useful stuff there.

Simon


Re: Content filter after DKIM proxy

2011-10-19 Thread Simon Brereton
On 18 October 2011 14:27, Noel Jones  wrote:
> On 10/18/2011 1:20 PM, Simon Brereton wrote:
>
>> I already use amavis to do the dkim checking on incoming mails.  I'm
>> using dkimproxy to sign outgoing mails (and I confess I only found out
>> about opendkim after I'd set it up, so I'm not keen to change it at
>> the moment - though of course, your vote carries significant weight.
>
> I think the hour or less it would take to get amavisd-new to sign
> outgoing mail would be well spent.
>
> I think the hour or less it would take to replace dkimproxy with
> OpenDKIM would be well spent.

Awww..  But I just got it working!

Seriously, I will take a look at the amavis idea.  I had no idea
amavis could do that.  However, Steve made a good point - a standalone
package might update and keep pace with standards.  So I might
investigate opendkim when I get the chance (I have a bunch of things
to do with dovecot and procmail first.  And I'd like to implement
dnssec as well).

Thanks for all the advice and feedback Noel.

Simon


Re: By Passing RBL for specific domain for specific IP

2011-10-19 Thread Janaka Wickramasinghe
Thanks for the reply.. yes, I had configured it the wrong way.. it's working now..
:-)

The IP that we wanted to white-list is actually one of the ISP's relay servers,
so it gets blacklisted sometimes, but we wanted to receive the mails from one
domain which is also using the same relay server, and did not want to reject
only for that domain even though the IP is blacklisted.

I also had to put the entry to the smtpd_sender_restriction instead of
smtpd_recipient_restriction since we are doing the access control  based on
the sender.

btw, currently we have the rbl checks at the smtpd_recipient_restriction.
Our access control only works if I shift the rbl checks also to
smtpd_sender_restriction. Would it have a different effect if I move the
rbl checks to the smtpd_sender_restriction?




2011/10/20 Kamil Raczyński 

> On 2011-10-19 19:37, Janaka Wickramasinghe wrote:
>
>  Is there a way to bypass RBL check for a specific domain and
>> receiving from specific IP,
>>
>
> Yes.
>
>
> I've tried creating a smtpd_restriction_class where I assign
>> whitelisted_ip and hash list linking the whitelited_ip with domain as
>> below,
>>
>
> You don't need that. It was designed to create rules for groups of *your*
> users. Besides - you configured it in wrong way - see
> http://www.postfix.org/RESTRICTION_CLASS_README.html
>
> You can use just "check_client_access" option. Use OK for accepting and
> REJECT for rejecting emails from particular clients. Both IP addresses and
> domain names are allowed. See 
> http://www.postfix.org/access.5.html
>
> Postfix is really, really well documented.
>
> Best Regards
> --
> Kamil Raczynski
>


RE: Content filter after DKIM proxy

2011-10-19 Thread Murray S. Kucherawy
> -Original Message-
> From: owner-postfix-us...@postfix.org 
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Simon Brereton
> Sent: Wednesday, October 19, 2011 2:36 PM
> To: postfix users
> Subject: Re: Content filter after DKIM proxy
> 
> And I'd like to implement
> dnssec as well).

OpenDKIM supports DNSSEC (via libunbound).  You're set!  :-)


Mail Followup Marker Sanitation

2011-10-19 Thread Svoop
Mail clients such as Outlook breach standards by translating "Re" e.g. to "AW"
(German short for "Antwort"). This results in cascades such as "Re: AW: Re: AW:
Hello World" as a message goes back and forth. I've written a simple
header_check which sanitizes this madness:

http://www.bitcetera.com/en/techblog/2011/10/18/mail-followup-marker-sanitation/

I'd like to add more translations of "Re" and "Fwd" in other languages. If you
know some, please comment on the above blog article.

Thanks!




AW: Re: Mail Followup Marker Sanitation

2011-10-19 Thread Noel Jones
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10/19/2011 9:04 PM, Svoop wrote:
> Mail clients such as Outlook breach standards by translating
> "Re" e.g. to "AW" (German short for "Antwort"). This results in
> cascades such as "Re: AW: Re: AW: Hello World" as a message
> goes back and forth. I've written a simple header_check which
> sanitizes this madness:
> 
> http://www.bitcetera.com/en/techblog/2011/10/18/mail-followup-marker-sanitation/
>
>  I'd like to add more translations of "Re" and "Fwd" in other
> languages. If you know some, please comment on the above blog
> article.
> 
> Thanks!
> 
> 


While I sympathize, probably not a good idea.

Munging the subject header will break digital signatures, e.g. DKIM,
OpenPGP, S/MIME.




  -- Noel Jones
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJOn6BKAAoJEJGRUHb5Oh6gNmMIAKS21OMq8EajAGrjzprTxMaD
Ng1GSLEsi7SS7G04OA740P3zolnfneYroxyjFXHMYnHjzswdhNeFgHJiz8j/fyT0
sQkoWt0gSp7e0DTJzspswz2B7RrUyclzQlHWQCkTYV1VPxviPNszrA4tzwvMstpM
BlnbdyDixMixV0thJIFKMcA5XVE7u9DnTdQiG1NfaCk3Rw4yHe8wkzz6TTRbJeBL
h8NITxquoHPTguBrjsNTi9k9LhSPdHDFyLrEaQQqV7BhKjQzMo5hdsJJKyEb+Qzv
G0cguFPWr9M4C9SPNZRhx3KIHpcWY9euOW6UgZ3tIr/CPgZ7ZJtmWfmDw8b5JSM=
=Rk4I
-END PGP SIGNATURE-


blocking all attachments

2011-10-19 Thread Ian Masters
Hi

Is it possible to block all attachments with postfix? I'm using
/etc/postfix/mime_header_checks but I can't seem to block all attachments,
especially ones without file suffixes.

Thanks

Ian


Re: blocking all attachments

2011-10-19 Thread Stan Hoeppner
On 10/20/2011 12:44 AM, Ian Masters wrote:

> Is it possible to block all attachments with postfix? I'm using
> /etc/postfix/mime_header_checks but I can't seem to block all attachments,
> especially ones without file suffixes.

Do you want to REJECT all emails containing an attachment?  Or do you
want to remove the attachment and let the message go through?

-- 
Stan