Re: Convert from basic to virtual
On 10/15/2012 6:06 AM, Dominique wrote:
> Hi list(s),

You asked this last week; the answer is still the same.
http://www.mailinglistarchive.com/html/postfix-users@postfix.org/2012-10/msg00283.html

  -- Noel Jones

> A few years ago we setup a simple postfix+Cyrus Mail server in the
> office (running on Ubuntu server). Across the years, we configured it to
> send and access our mails from various sources (in the office with tb,
> on the road through webgui, and recently through smartphones). All is
> well in the best of worlds. It is really basic configuration with its
> own certificate with a single domain name.
>
> Recently, we purchased two new domain names for a new project and wanted
> to include them in our mail server. I went on reading the postfix doc
> for virtual domains and got lost. Our mail users are independent from
> the linux users (virtual users) and I found a configuration description
> that looked like what I wanted. It seems the way to go, especially if we
> want to continue to add more domains in the future. However, I am not
> sure how to convert from our basic setup to a virtual domain setup,
> especially since I cannot find where and how to configure certificates
> per domain on a server with a single public IP.
>
> Does anyone have experience in converting from one to the other, and
> willing to give me pointers in my conversion process? Downtime is not a
> problem, but not losing the mailboxes is.
>
> I am cross posting on both Postfix and Cyrus list, since I am not sure
> where to get the answer from.
>
> My current configuration is as follows:
>
> Postconf -n
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> config_directory = /etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> disable_vrfy_command = yes
> inet_interfaces = all
> mailbox_size_limit = 0
> mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
> message_size_limit = 2048
> mydestination = mail.solipym.com, solipym, localhost.localdomain, localhost
> myhostname = mail.solipym.com
> mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128,192.168.1.0/24
> myorigin = /etc/mailname
> policyd-spf_time_limit = 3600
> readme_directory = no
> recipient_delimiter = +
> relayhost = smtp.movistar.es
> sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
> smtp_cname_overrides_servername = no
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_type = cyrus
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_restrictions = permit_mynetworks,
>     permit_sasl_authenticated, check_client_access hash:/etc/postfix/access
> smtpd_delay_reject = yes
> smtpd_error_sleep_time = 15s
> smtpd_hard_error_limit = 20
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>     permit_mynetworks, reject_unauth_destination, reject_invalid_hostname,
>     reject_non_fqdn_hostname, reject_non_fqdn_sender,
>     reject_non_fqdn_recipient, reject_unknown_sender_domain,
>     reject_unknown_recipient_domain, reject_unauth_pipelining,
>     reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
>     reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org,
>     reject_rbl_client dul.dnsbl.sorbs.net,
>     check_policy_service unix:private/policyd-spf
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = smtpd
> smtpd_sender_restrictions = reject_non_fqdn_sender, check_sender_access
>     hash:/etc/postfix/access, check_sender_mx_access hash:/etc/postfix/access
> smtpd_soft_error_limit = 10
> smtpd_tls_CAfile = /etc/ssl/certs/root.crt
> smtpd_tls_cert_file = /etc/ssl/certs/server_mail_solipym_com.pem
> smtpd_tls_key_file = /etc/ssl/private/server.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
> virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
> virtual_mailbox_domains = mysql:/etc/postfix/mysql-mydestination.cf
> virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual.cf
> virtual_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
>
> Thanks for your help,
>
> Dominique
>
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: stat=queue and /var/spool/clientmqueue
On 18/10/2012 17:45, Ralf Hildebrandt wrote:
> * Simone Felici :
> That's sendmail, not postfix.
>
>> I know these settings should be referred to sendmail and shouldn't have
>> anything to do with this issue. BTW I'm asking here for info on how to
>> manage these mails correctly with postfix. I'm not 100% sure the problem
>> is on /bin/mail, or if postfix simply could be configured to look on this
>> queue too.
>
> Maybe you have postfix and sendmail installed side by side and /bin/mail
> is using the sendmail's sendmail command

Hi again,

I've found the issue. /bin/mail is by default set up to use sendmail. I've installed postfix everywhere, but on some servers I have the issue that the server is logging an outgoing mail with the sendmail process, then sent out by postfix. In case of delays sendmail uses its own queue, not known by postfix.

The sendmail binary is a symlink to /etc/alternatives/mta and this is another symlink to /usr/sbin/sendmail.sendmail for the servers where I'm registering the issue. On the other servers it links to /usr/sbin/sendmail.postfix. Changing the symlink, now I'm logging postfix/pickup instead of the sendmail process.

In case this could help someone in the future :)

Bye
Simon
Fwd: Re: Fwd: Re: MX vs A records (SOLVED)
On 18/10/2012 14:41, Noel Jones wrote:
> On 10/18/2012 5:04 AM, Tom Kinghorn wrote:
>
> DO NOT send debug log files unless specifically requested. Normal
> log files are sufficient.
>
> And a friendly reminder that splitting required troubleshooting info
> up between multiple messages greatly reduces the chance of getting help.
>
>   -- Noel Jones

Hi List.

Just to let you know that I had a typo in the main.cf which is why this was not working.

Thanks to all who replied.

Regards
Tom
Re: MX vs A records (SOLVED)
On 22.10.2012 15:29, Tom Kinghorn wrote:
> On 18/10/2012 14:41, Noel Jones wrote:
>> On 10/18/2012 5:04 AM, Tom Kinghorn wrote:
>>>
>>> DO NOT send debug log files unless specifically requested. Normal
>>> log files are sufficient.
>>>
>>> And a friendly reminder that splitting required troubleshooting info
>>> up between multiple messages greatly reduces the chance of getting help.
>>>
>>>   -- Noel Jones
>
> Hi List.
> Just to let you know that i had a typo in the main.cf which is why this was
> not working.
>
> Thanks to all who replied.

it would be nice having at the end of the thread the example config with the corrected typo to help others who find this in the archives!
Re: MX vs A records (SOLVED)
On 22/10/2012 15:32, Reindl Harald wrote:
> On 22.10.2012 15:29, Tom Kinghorn wrote:
>> On 18/10/2012 14:41, Noel Jones wrote:
>>> On 10/18/2012 5:04 AM, Tom Kinghorn wrote:
>>>
>>> DO NOT send debug log files unless specifically requested. Normal
>>> log files are sufficient.
>>>
>>> And a friendly reminder that splitting required troubleshooting info
>>> up between multiple messages greatly reduces the chance of getting help.
>>>
>>>   -- Noel Jones
>>
>> Hi List.
>> Just to let you know that i had a typo in the main.cf which is why this was
>> not working.
>>
>> Thanks to all who replied.
>
> it would be nice having at the end of the thread the example config
> with corrected typo to help others which finding this in the archives!

apologies.

smtpd_recipient_restrictions =
    check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,
    check_recipient_access hash:/etc/postfix/recipient_access_whitelist,
    check_recipient_access hash:/etc/postfix/recipient_access_blacklist,

I checked the config and found that the lines did not end with a comma. As soon as I added it, the access rule started working and mails were redirected (I changed REJECT to REDIRECT).

Regards
Tom
Re: MX vs A records (SOLVED)
Tom Kinghorn:
> > it would be nice having at the end of the thread the example config
> > with corrected typo to help others which finding this in the archives!
>
> apologies.
>
> smtpd_recipient_restrictions =
>     check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,
>     check_recipient_access hash:/etc/postfix/recipient_access_whitelist,
>     check_recipient_access hash:/etc/postfix/recipient_access_blacklist,
>
> I checked the config and found that the lines did not end with a comma.
> As soon as I added it, the access rule started working and mails were
> redirected (i changed REJECT to REDIRECT)

What program are you using to edit main.cf?

        Wietse
Re: MX vs A records (SOLVED)
On 10/22/2012 8:39 AM, Tom Kinghorn wrote:
> On 22/10/2012 15:32, Reindl Harald wrote:
>> On 22.10.2012 15:29, Tom Kinghorn wrote:
>>> On 18/10/2012 14:41, Noel Jones wrote:
>>>> On 10/18/2012 5:04 AM, Tom Kinghorn wrote:
>>>>
>>>> DO NOT send debug log files unless specifically requested. Normal
>>>> log files are sufficient.
>>>>
>>>> And a friendly reminder that splitting required troubleshooting info
>>>> up between multiple messages greatly reduces the chance of getting help.
>>>>
>>>>   -- Noel Jones
>>>
>>> Hi List.
>>> Just to let you know that i had a typo in the main.cf which is
>>> why this was not working.
>>>
>>> Thanks to all who replied.
>> it would be nice having at the end of the thread the example config
>> with corrected typo to help others which finding this in the
>> archives!
>
> apologies.
>
> smtpd_recipient_restrictions =
>     check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,
>     check_recipient_access hash:/etc/postfix/recipient_access_whitelist,
>     check_recipient_access hash:/etc/postfix/recipient_access_blacklist,
>
> I checked the config and found that the lines did not end with a comma.
> As soon as I added it, the access rule started working and mails
> were redirected (i changed REJECT to REDIRECT)

FALSE. The commas are not required; adding them should have no effect.

Maybe there was some garbage in the file that got removed when you edited it, or maybe you're using some non-text editor that screws up the line endings.

  -- Noel Jones
Re: MX vs A records (SOLVED)
On 22/10/2012 15:51, Wietse Venema wrote:
> Tom Kinghorn:
>> it would be nice having at the end of the thread the example config
>> with corrected typo to help others which finding this in the archives!
>>
>> apologies.
>>
>> smtpd_recipient_restrictions =
>>     check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,
>>     check_recipient_access hash:/etc/postfix/recipient_access_whitelist,
>>     check_recipient_access hash:/etc/postfix/recipient_access_blacklist,
>>
>> I checked the config and found that the lines did not end with a comma.
>> As soon as I added it, the access rule started working and mails were
>> redirected (i changed REJECT to REDIRECT)
>
> What program are you using to edit main.cf?
>
>         Wietse

Hi Wietse.

This was an "inherited" system as the previous admin was laid off.

As far as I know, they used VI (as do I, however I use vim).

thx
Tom
Re: MX vs A records (SOLVED)
On 22/10/2012 15:55, Noel Jones wrote:
> On 10/22/2012 8:39 AM, Tom Kinghorn wrote:
>> On 22/10/2012 15:32, Reindl Harald wrote:
>>> On 22.10.2012 15:29, Tom Kinghorn wrote:
>>>> On 18/10/2012 14:41, Noel Jones wrote:
>>>>> On 10/18/2012 5:04 AM, Tom Kinghorn wrote:
>>>>>
>>>>> DO NOT send debug log files unless specifically requested. Normal
>>>>> log files are sufficient.
>>>>>
>>>>> And a friendly reminder that splitting required troubleshooting info
>>>>> up between multiple messages greatly reduces the chance of getting help.
>>>>>
>>>>>   -- Noel Jones
>>>>
>>>> Hi List.
>>>> Just to let you know that i had a typo in the main.cf which is why this was
>>>> not working.
>>>>
>>>> Thanks to all who replied.
>>> it would be nice having at the end of the thread the example config
>>> with corrected typo to help others which finding this in the archives!
>>
>> apologies.
>>
>> smtpd_recipient_restrictions =
>>     check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,
>>     check_recipient_access hash:/etc/postfix/recipient_access_whitelist,
>>     check_recipient_access hash:/etc/postfix/recipient_access_blacklist,
>>
>> I checked the config and found that the lines did not end with a comma.
>> As soon as I added it, the access rule started working and mails were
>> redirected (i changed REJECT to REDIRECT)
>
> FALSE. The commas are not required; adding them should have no effect.
>
> Maybe there was some garbage in the file that got removed when you
> edited it, or maybe you're using some non-text editor that screws up
> the line endings.
>
>   -- Noel Jones

Thanks for the info.

I merely posted what was done and the result. I am grateful to know they are not required.
Re: MX vs A records (SOLVED)
Tom Kinghorn:
> >> I checked the config and found that the lines did not end with a comma.
> >> As soon as I added it, the access rule started working and mails were
> >> redirected (i changed REJECT to REDIRECT)
> > What program are you using to edit main.cf?
> Hi Wietse.
> This was an "inherited" system as the previous admin was laid-off.
>
> As far as I know, they used VI (as do i, however i used vim)

I suspect there was garbage at the end of lines. Postfix logs warnings in the maillog file when smtpd_xxx_restrictions contains unrecognized content.

        Wietse
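Both Noel and Wietse suspect invisible garbage at the ends of lines rather than missing commas. The script below is an added example, not from the thread and not part of Postfix: it scans a main.cf for CR line endings and non-ASCII or control characters, and reports tokens in any *_restrictions list that carry such characters. The sample file embedded in it is constructed for the demonstration (a CRLF on line 3, a no-break space at the end of line 4).

```python
#!/usr/bin/env python3
"""Lint a Postfix main.cf for invisible damage: CR line endings, stray
non-ASCII/control characters, and restriction-list tokens containing them.
Added example; not Postfix code.  SAMPLE_MAIN_CF is a constructed input."""
import re
import sys

# Constructed sample: line 3 ends in CRLF, line 4 ends in a no-break space (U+00A0).
SAMPLE_MAIN_CF = (
    "smtpd_recipient_restrictions =\n"
    "    check_recipient_ns_access hash:/etc/postfix/recipient_nameserver_host,\n"
    "    check_recipient_access hash:/etc/postfix/recipient_access_whitelist,\r\n"
    "    check_recipient_access hash:/etc/postfix/recipient_access_blacklist\u00a0\n"
    "myhostname = mail.example.com\n"
)

# Characters that legitimately occur in restriction tokens: names, map specs,
# [addr]:port, $variables.  Anything else in a token is suspicious.
TOKEN_OK = re.compile(r"^[A-Za-z0-9_.:/\-\[\]$]+$")


def scan_characters(text):
    """Return (line_no, description) for each physical line with a CR ending or
    with characters outside printable ASCII (tab allowed)."""
    findings = []
    for no, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):
            findings.append((no, "CR line ending"))
            line = line[:-1]
        odd = sorted({c for c in line if ord(c) > 126 or (ord(c) < 32 and c != "\t")})
        if odd:
            findings.append((no, "unexpected characters: "
                             + " ".join("U+%04X" % ord(c) for c in odd)))
    return findings


def logical_lines(text):
    """Join Postfix continuation lines (leading whitespace) onto the parameter
    line they belong to, skipping blanks and comments.  Only space/tab count as
    whitespace here so that exotic blanks such as U+00A0 survive into tokens."""
    joined = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if not raw.strip(" \t") or raw.lstrip(" \t").startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip(" \t")
        else:
            joined.append(raw.strip(" \t"))
    return joined


def check_restrictions(text):
    """Return (parameter, token) for every token of a *_restrictions parameter
    that contains characters Postfix would not accept in a restriction name."""
    problems = []
    for line in logical_lines(text):
        key, sep, value = line.partition("=")
        key = key.strip(" \t")
        if not sep or not key.endswith("_restrictions"):
            continue
        for tok in re.split(r"[ \t,]+", value.strip(" \t")):
            if tok and not TOKEN_OK.match(tok):
                problems.append((key, tok))
    return problems


def lint_file(path):
    """Lint a real main.cf; newline='' keeps CR characters visible."""
    with open(path, encoding="utf-8", errors="replace", newline="") as fh:
        text = fh.read()
    return scan_characters(text) + check_restrictions(text)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/main.cf"
    for finding in lint_file(target):
        print("%s: %s" % finding)
```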
Re: MX vs A records (SOLVED)
On 22/10/2012 16:09, Wietse Venema wrote:
> Tom Kinghorn:
>
> I suspect there was garbage at the end of lines. Postfix logs warnings
> in the maillog file when smtpd_xxx_restrictions contains unrecognized
> content.
>
>         Wietse

Thanks for the response Wietse.

Thanks to all who helped.

regards
Tom
Latest package for RHEL6
Hi all!

Does anyone know where I can find the latest postfix release (2.9.x) for RHEL 6 x86_64 from some 'trusted' source? Unfortunately Simon Mudd didn't post any package for this platform yet.

Thanks in advance.
LU
Re: Alert of unusually large queue
>> I'm not sure, if sending an e-mail about a "full mailqueue"-condition is
>> the best way to go ;-)
> depends
>
> if you have no bulk-mail on your server it will take not too long
> to find a good value to adjust the "50" and as example if i have
> 500 queued messages i like to look if there is something going
> wrong

What I meant was, that there is a good chance that you will not receive this notification, because whatever condition causes your mails to get stuck in the queue could stop that notification, too ;-)

As mentioned by other posters you should set up a real monitoring system, that periodically checks your queue or generates an alert (e.g. snmp trap) on the server which does not rely on the mechanism that you are trying to monitor (here smtp).

cheers, jpk
Re: Latest package for RHEL6
On 22.10.2012 16:40, Lima Union wrote:
> Hi all! does anyone know where I can find the latest postfix release
> (2.9.x) for RHEL 6 x86_64 from some 'trusted' source? unfortunately
> Simon Mudd didn't post any package for this platform yet.
> Thanks in advance.
> LU

Hi,

I have backported Postfix 2.9.x for my company and I am also package maintainer for Fedora.

Here are my latest builds for el6:
http://mstevens.fedorapeople.org/el6/postfix/

Best regards,

Morten
Re: Alert of unusually large queue
Jan P. Kessler:
> As mentioned by other posters you should set up a real monitoring
> system, that periodically checks your queue or generates an alert (e.g.
> snmp trap) on the server which does not rely on the mechanism that you
> are trying to monitor (here smtp).

To monitor an SMTP server, try to send a test message into it, and raise an alarm if that test message is not delivered to mailbox or smtp within some deadline.

        Wietse
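The end-to-end probe Wietse describes, as an added example that is not part of the thread: it injects a uniquely tagged message over SMTP, polls the destination Maildir for that tag, and on timeout raises the alarm through syslog rather than through the mail system being monitored. The header name, addresses, Maildir path and the syslog alarm are assumptions.

```python
#!/usr/bin/env python3
"""End-to-end SMTP delivery probe (added example, not from the thread).
Inject a tagged test message, wait for it in a Maildir, alarm out-of-band
on timeout.  Header name, paths, addresses and alarm channel are assumptions."""
import email.utils
import os
import smtplib
import subprocess
import tempfile
import time
import uuid
from email.message import EmailMessage

PROBE_HEADER = "X-Queue-Probe"   # assumed header carrying the probe token


def build_probe(sender, rcpt, token):
    """Build the probe message; the token header is what the checker looks for."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "queue probe " + token
    msg["Date"] = email.utils.formatdate(localtime=True)
    msg["Message-ID"] = email.utils.make_msgid()
    msg[PROBE_HEADER] = token
    msg.set_content("Automated delivery probe; safe to delete.\n")
    return msg


def send_probe(host, port, sender, rcpt, token):
    """Hand the probe to the MTA under test over SMTP (needs a live server)."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.send_message(build_probe(sender, rcpt, token))


def deliver_to_maildir(maildir, msg):
    """Write a message into Maildir/new the way a local delivery agent would.
    Used to simulate delivery in the self-test and for dry runs without an MTA."""
    for sub in ("tmp", "new", "cur"):
        os.makedirs(os.path.join(maildir, sub), exist_ok=True)
    path = os.path.join(maildir, "new", "%d.%s.probe" % (time.time(), uuid.uuid4().hex))
    with open(path, "wb") as fh:
        fh.write(msg.as_bytes())
    return path


def find_probe(maildir, token):
    """True if some message in new/ or cur/ carries the token in its header block."""
    needle = ("%s: %s" % (PROBE_HEADER, token)).encode()
    for sub in ("new", "cur"):
        d = os.path.join(maildir, sub)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            try:
                with open(os.path.join(d, name), "rb") as fh:
                    head = fh.read(65536)      # headers sit at the top of the file
            except OSError:
                continue
            headers = head.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
            if needle in headers:
                return True
    return False


def wait_for_probe(maildir, token, deadline_s, poll_s=1.0):
    """Poll until the token shows up or the deadline passes.
    Returns seconds waited on success, None on timeout."""
    start = time.monotonic()
    while True:
        if find_probe(maildir, token):
            return time.monotonic() - start
        if time.monotonic() - start >= deadline_s:
            return None
        time.sleep(poll_s)


def raise_alarm(text):
    """Alarm via syslog (assumed channel): it must not depend on SMTP working."""
    subprocess.run(["logger", "-p", "daemon.crit", "-t", "queue-probe", text], check=False)


def run_probe(host, port, sender, rcpt, maildir, deadline_s):
    """One monitoring cycle; returns True when the probe arrived in time."""
    token = uuid.uuid4().hex
    send_probe(host, port, sender, rcpt, token)
    if wait_for_probe(maildir, token, deadline_s) is None:
        raise_alarm("probe %s not delivered to %s within %ds" % (token, maildir, deadline_s))
        return False
    return True


def make_temp_maildir():
    """Scratch Maildir for offline testing of the checker."""
    return tempfile.mkdtemp(prefix="probe-maildir-")


if __name__ == "__main__":
    run_probe("127.0.0.1", 25, "probe@example.com", "probe@example.com",
              "/var/mail/vhosts/example.com/probe/Maildir", 600)
```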
Re: Latest package for RHEL6
On 10/22/2012 04:56 PM, Morten Stevens wrote:
[snip]
> I have backported Postfix 2.9.x for my company and I am also package
> maintainer for Fedora. Here are my latest builds for el6:
> http://mstevens.fedorapeople.org/el6/postfix/

Would you mind making the SRPM also available?

Regards,
Patrick
Re: Latest package for RHEL6
On 10/22/2012 05:29 PM, Patrick Lists wrote:
> On 10/22/2012 04:56 PM, Morten Stevens wrote:
> [snip]
>> I have backported Postfix 2.9.x for my company and I am also package
>> maintainer for Fedora. Here are my latest builds for el6:
>> http://mstevens.fedorapeople.org/el6/postfix/
>
> Would you mind making the SRPM also available?

Please ignore. The SRPM lives in the x86_64 directory while I was looking for the SRPM directory at the i386 & x86_64 level.

Regards,
Patrick
Re: Latest package for RHEL6
On Mon, Oct 22, 2012 at 11:56 AM, Morten Stevens wrote:
> On 22.10.2012 16:40, Lima Union wrote:
>>
>> Hi all! does anyone know where I can find the latest postfix release
>> (2.9.x) for RHEL 6 x86_64 from some 'trusted' source? unfortunately
>> Simon Mudd didn't post any package for this platform yet.
>> Thanks in advance.
>> LU
>
> Hi,
>
> I have backported Postfix 2.9.x for my company and I am also package
> maintainer for Fedora.
>
> Here are my latest builds for el6:
> http://mstevens.fedorapeople.org/el6/postfix/
>
> Best regards,
>
> Morten

cool!! thank you so much!
RE: Alert of unusually large queue
> -Original Message-
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Jan P. Kessler
> Sent: 22 October 2012 15:44
> To: postfix-users@postfix.org
> Subject: Re: Alert of unusually large queue
>
> >> I'm not sure, if sending an e-mail about a "full mailqueue"-condition
> >> is the best way to go ;-)
> > depends
> >
> > if you have no bulk-mail on your server it will take not too long to
> > find a good value to adjust the "50" and as example if i have
> > 500 queued messages i like to look if there is something going wrong
>
> What I meant was, that there is a good chance, that you will not receive
> this notification, because whatever condition causes your mails to stuck
> in the queue could stop that notification, too ;-)
>
> As mentioned by other posters you should set up a real monitoring
> system, that periodically checks your queue or generates an alert (e.g.
> snmp trap) on the server which does not rely on the mechanism that you
> are trying to monitor (here smtp).
>
> cheers, jpk

That's a good point. It might be worthwhile looking into something like a PHP script that interfaces with an SMS API. I've seen that done in the past.

Kind regards,

James Day (IT Engineer)
Re: Any best practices for stacking filters?
--On Wednesday, October 17, 2012 7:52 PM -0400 Wietse Venema wrote:
> It's much easier to tell people not to use Milters before a proxy
> filter...

If you use the milter after the proxy server, which is what I'm currently doing, then I result in the following problem:

If Amavis is called before OpenDKIM via the filter trigger, then Amavis does DKIM verification on the message before it is actually signed by OpenDKIM. So the message gets delivered without having the signing verified. This only happens for email between users on the server itself.

Since the filter regex overrides content_filter, I'm not sure how to force OpenDKIM to execute for signing prior to Amavis executing verification. :/

I.e., I need the OpenDKIM milter to be processed before the proxy filter so that the email is correctly signed before it is passed to the proxy filter. Then Amavis can correctly verify the signature prior to delivery.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> wrote:
> > It's much easier to tell people not to use Milters before a proxy
> > filter...
>
> If you use the milter after the proxy server, which is what I'm currently
> doing, then I result in the following problem:

You just confirmed the limitation that I explained at length, so I won't repeat that diatribe.

One suggestion I can make is to avoid mixing mail streams from outside with mail streams from inside, before your mail is signed.

For example,

- Use before-queue filters for mail from outside so that you can reject mail before it hits the queue.

- Use after-queue filters for mail from inside. Then, your mail from "inside" is not affected by the limitation. You can sign it with dkim-milter and the like.

I suspect that you could feed both mail streams into the same Amavis content filter.

        Wietse
ESMTP: keys and passwords
Hello,

I'm trying to configure ESMTP using this guide [1].

$ touch smtpd.key
$ chmod 600 smtpd.key
$ openssl genrsa 4096 > smtpd.key
$ openssl req -new -key smtpd.key -x509 -days 730 -out smtpd.crt
...
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mail.example.com
Email Address []:ad...@example.com

(I'm using example.com as a placeholder.)

$ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem \
    -out cacert.pem -days 730
...
-
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mail.example.com
Email Address []:ad...@example.com

The above generated a 1024 bit RSA private key. How to create a 4096 bit key?

I'm going to send messages via Gnus. My .gnus.el:

(setq message-send-mail-function 'smtpmail-send-it)
(setq smtpmail-starttls-credentials '(("mail.example.com" 25 nil nil)))
(setq smtpmail-auth-credentials '(("mail.example.com" 25 "admin" nil)))
(setq smtpmail-default-smtp-server "mail.example.com")
(setq smtpmail-smtp-service 25)
(setq starttls-use-gnutls t)

Docs say that I'll be prompted for a password. Which one should I use? Should I specify the one for the RSA private key ($ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 730)?

[1] https://help.ubuntu.com/community/Postfix
Re: ESMTP: keys and passwords
On 22.10.2012 21:45, thorso...@lavabit.com wrote:
> Hello,
> The above generated a 1024 bit RSA private key. How to create a 4096 bit key?

the following is for 2048 bit, replace 2048 by whatever you want
alter the template for your needs (partly german)

this is a script/template i am using since years for any http/mail-cert regardless if it is used as self signed or the csr submitted to thawte

[root@buildserver:/buildserver/ssl-cert]$ cat generate-cert.sh
#!/bin/bash

WORKING_DIR="/buildserver/ssl-cert"
OUT_DIR="$WORKING_DIR/$1"

# check the argument before touching the filesystem
if [ "$1" == "" ]; then
 echo "MISSING SERVERNAME"
 echo ""
 exit 1
fi

mkdir "$OUT_DIR" 2> /dev/null
chmod 700 "$OUT_DIR"

# start from a clean slate for this server name
rm -f "$OUT_DIR/$1.key"
rm -f "$OUT_DIR/$1.csr"
rm -f "$OUT_DIR/$1.crt"
rm -f "$OUT_DIR/$1.pem"

# put the server name into the CN of the request template
sed "s/my_common_name/$1/g" "$WORKING_DIR/openssl.conf.template" > "$WORKING_DIR/openssl.conf"

# key, CSR, self-signed certificate, and a combined PEM for daemons that want one file
openssl genrsa -out "$OUT_DIR/$1.key" 2048
openssl req -config "$WORKING_DIR/openssl.conf" -new -key "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.csr"
openssl x509 -req -days 3650 -in "$OUT_DIR/$1.csr" -signkey "$OUT_DIR/$1.key" -out "$OUT_DIR/$1.crt"
cat "$OUT_DIR/$1.crt" "$OUT_DIR/$1.key" > "$OUT_DIR/$1.pem"

[root@buildserver:/buildserver/ssl-cert]$ cat openssl.conf.template
[ req ]
prompt = yes
default_bits = 1024
distinguished_name = req_DN
string_mask = nombstr

[ req_DN ]
countryName = "1. Landeskennung "
countryName_default = "AT"
countryName_min = 2
countryName_max = 2
stateOrProvinceName = "2. Bundesland "
stateOrProvinceName_default = "your_province"
localityName = "3. Stadt "
localityName_default = "your_city"
0.organizationName = "4. Firmenname "
0.organizationName_default = "your_comapny"
organizationalUnitName = "5. Abteilung "
organizationalUnitName_default = "your_department"
commonName = "6. Server-Name "
commonName_max = 64
commonName_default = "my_common_name"
emailAddress = "7. Mail-Adresse "
emailAddress_max = 40
emailAddress_default = "your_email"

> Docs say that I'll be prompted for a password. Which one should I use?
> Should I specify the one for the RSA private key ($ openssl req \
> -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem \
> -days 730)?

you do NOT really want a password
how should it be entered in the boot-process?
what sense would it make if it is stored in cleartext on the server?
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 3:33 PM -0400 Wietse Venema wrote:
> One suggestion I can make is to avoid mixing mail streams from
> outside with mail streams from inside, before your mail is signed.
>
> For example,
>
> - Use before-queue filters for mail from outside so that you can
> reject mail before it hits the queue.
>
> - Use after-queue filters for mail from inside. Then, your mail
> from "inside" is not affected by the limitation. You can sign it
> with dkim-milter and the like.

Hi Wieste,

As I noted in my original mail, I already use the filters to separate out the streams:

smtpd_sender_restrictions =
    check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re,
    permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_clientcerts,
    check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

zimbra@zre-ldap002:~/postfix/conf$ cat tag_as_originating.re
/^/ FILTER smtp-amavis:[127.0.0.1]:10026

zimbra@zre-ldap002:~/postfix/conf$ cat tag_as_foreign.re
/^/ FILTER smtp-amavis:[127.0.0.1]:10024

So I believe I am already, as you said, diverting the mail into different streams. Both of which go to Amavis. I.e., originating mail gets directed to amavis on port 10026. Foreign mail goes to amavis on port 10024. Which gets me into the entire problem I'm having now. Or am I misunderstanding what you said?

Mail gets re-injected from Amavis to Postfix on port 10025. Then it is signed. The problem is, at that point, Amavis is already done with the mail.

So again, I think I'm doing what you suggest, but I can't figure out how to get it to sign the mail via OpenDKIM prior to Amavis processing.

Here's my master.cf again as well:

smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=scan:[127.0.0.1]:10029
465       inet  n       -       n       -       -       smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=scan:[127.0.0.1]:10029
submission inet n       -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_tls_security_level=may
scan      unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
    flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
    user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
    flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
smtp-amavis unix -      -       n       -       10      smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o virtual_mailbox_maps=
    -o virtual_alias_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictio
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 1:03 PM -0700 Quanah Gibson-Mount wrote:
> Hi Wieste,

Wietse even. Sorry. ;)

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> --On Monday, October 22, 2012 3:33 PM -0400 Wietse Venema
> wrote:
>
> > One suggestion I can make is to avoid mixing mail streams from
> > outside with mail streams from inside, before your mail is signed.
> >
> > For example,
> >
> > - Use before-queue filters for mail from outside so that you can
> > reject mail before it hits the queue.
> >
> > - Use after-queue filters for mail from inside. Then, your mail
> > from "inside" is not affected by the limitation. You can sign it
> > with dkim-milter and the like.
>
> As I noted in my original mail, I already use the filters to separate out
> the streams:

My example CAN sign mail with dkim-milter before it hits the Amavis filter.

Your example CANNOT sign mail with dkim-milter before it hits the Amavis filter.

        Wietse
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 4:24 PM -0400 Wietse Venema wrote:
> My example CAN sign mail with dkim-milter before it hits the Amavis
> filter.
>
> Your example CANNOT sign mail with dkim-milter before it hits the
> Amavis filter.

I believe what you are saying is that I should adjust my originating filter to go to another postfix agent, rather than amavis. That postfix agent triggers signing, and then passes the mail on to amavis on port 10026. Correct?

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> --On Monday, October 22, 2012 4:24 PM -0400 Wietse Venema
> wrote:
>
> > My example CAN sign mail with dkim-milter before it hits the Amavis
> > filter.
> >
> > Your example CANNOT sign mail with dkim-milter before it hits the
> > Amavis filter.
>
> I believe what you are saying is that I should adjust my originating filter
> to go to another postfix agent, rather than amavis. That postfix agent
> triggers signing, and then passes the mail on to amavis on port 10026.
> Correct?

1) Use the before-queue filter for mail from outside:

   external clients -> smtpd -> Amavis ...

2) Use the after-queue filter for mail from inside:

   internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...

        Wietse
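An added sketch of what those two streams could look like in master.cf; this is not Wietse's or Zimbra's configuration. The Amavis ports (10024 for foreign, 10026 for originating, 10025 for re-injection) are the ones from Quanah's setup; the DKIM milter address 127.0.0.1:8891 and the smtp-amavis transport options are assumptions. Mail from outside goes through the before-queue proxy on port 25 with no milter, so it can still be rejected in the SMTP session; mail from inside is signed by the milter in smtpd/cleanup before it is queued, and only then handed to Amavis as an after-queue content filter, which is why Amavis sees a signed message.

```text
# Port 25, mail from outside: before-queue (proxy) filter, no milters here.
smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024

# Port 587, mail from inside: DKIM milter signs in smtpd/cleanup, then the
# queued message goes to the after-queue Amavis instance on 10026.
submission inet n       -       n       -       -       smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_security_level=encrypt
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_milters=inet:127.0.0.1:8891
    -o content_filter=smtp-amavis:[127.0.0.1]:10026

# After-queue transport that feeds Amavis.
smtp-amavis unix -      -       n       -       10      smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes

# Re-injection from Amavis: no content filter, no milters, so the already
# signed message is neither filtered twice nor signed twice.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
```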
Re: local_header_rewrite_clients behaving weird
> But as a matter of fact, both test clients are covered by
> permit_inet_interfaces, the default for local_header_rewrite_clients. Plus,
> rewrites stopped working without changing Postfix version or config.

OK, can it. I got it.

http://www.postfix.org/postconf.5.html#local_header_rewrite_clients

    permit_inet_interfaces
        Append the domain name in $myorigin or $mydomain when the client IP
        address matches $inet_interfaces. This is enabled by default.

This says everything. However, what happened to that system is a complete mystery to me. The problem began to show within the last two weeks and we sure as hell weren't using Postfix <2.2 before that.

Oh well, never mind.

-nik
Re: postfix SMTP AUTH
Hi Rob, thanks. I use the reserved addresses because I'm testing the
box via local net (my laptop). I have everything set up straight
through GoDaddy to my router; I just forward the ports when I'm ready.

I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
the way, do you know of any docs which list and explain the SASL and
TLS options?

This is the result of saslfinger... I'm looking at it now but I
forwarded it to you...


postfix start
postfix/postfix-script: starting the Postfix mail system
[root@messenger saslfinger-1.0.3]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Mon Oct 22 17:45:14 EDT 2012
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.9.4
System: Arch Linux \r (\l)

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7712000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/ssl/private/CA-Messenger-key.pem
smtpd_tls_cert_file = /etc/postfix/smtpd.crt
smtpd_tls_key_file = /etc/postfix/smtpdpub.key
smtpd_tls_security_level = may


-- listing of /usr/lib/sasl2 --
total 604
drwxr-xr-x  2 root root  4096 Oct 19 14:21 .
drwxr-xr-x 52 root root 20480 Oct 19 14:14 ..
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libanonymous.so.2.0.23
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libcrammd5.so.2.0.23
-rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so
-rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2
-rwxr-xr-x  1 root root 51012 Jan  9  2012 libdigestmd5.so.2.0.23
-rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 liblogin.so.2.0.23
-rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so
-rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2
-rwxr-xr-x  1 root root 34436 Jan  9  2012 libntlm.so.2.0.23
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2
-rwxr-xr-x  1 root root 17956 Jan  9  2012 libplain.so.2.0.23
-rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so
-rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2
-rwxr-xr-x  1 root root 21940 Jan  9  2012 libsasldb.so.2.0.23
-rw-r--r--  1 root root   160 Oct 21 12:42 smtpd.conf

-- content of /usr/lib/sasl2/smtpd.conf --
##sasl authentication methods###
pwcheck_method: auxprop
#saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login
auxprop_plugin: sasldb2
log_level: 7

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN

-- end of saslfinger output --
[root@messenger saslfinger-1.0.3]#

Thanks.

On Sun, Oct 21, 2012 at 4:15 PM, /dev/rob0 wrote:
> On Sun, Oct 21, 2012 at 03:51:13PM -0400, William Holt wrote:
>> hi, new to the forum. I'm running arch and have postfix/cyrus.
>
> Generally I recommend Dovecot for SASL and IM
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema wrote:

> 1) Use the before-queue filter for mail from outside:
>
>    external clients -> smtpd -> Amavis ...
>
> 2) Use the after-queue filter for mail from inside:
>
>    internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
>
> 	Wietse

I'm going to assume you mean something like this then:

smtp      inet  n       -       n       -       -       smtpd
    -o smtpd_proxy_filter=[127.0.0.1]:10029
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust

I already tried this, and it is not an acceptable solution, because
postfix will not accept mail if OpenDKIM is not running. I need Postfix
to accept and queue the email in that scenario, rather than reject it.

Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: connect from zqa-398.eng.vmware.com[10.137.245.143]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: warning: access table regexp:/opt/zimbra/postfix/conf/tag_as_originating.re: with smtpd_proxy_filter specified, action FILTER is unavailable
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: NOQUEUE: client=zqa-398.eng.vmware.com[10.137.245.143]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: connect from localhost[127.0.0.1]
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: warning: connect to Milter service inet:localhost:8465: Connection refused
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: CONNECT from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: EHLO from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; proto=SMTP helo=
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: NOQUEUE: milter-reject: MAIL from localhost[127.0.0.1]: 451 4.7.1 Service unavailable - try again later; from= proto=ESMTP helo=
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: warning: proxy [127.0.0.1]:10029 rejected "MAIL FROM:": "451 4.7.1 Service unavailable - try again later"
Oct 22 14:54:35 zqa-398 postfix/smtpd[2854]: proxy-reject: END-OF-MESSAGE: 451 4.7.1 Service unavailable - try again later; from= to= proto=ESMTP helo=
Oct 22 14:54:35 zqa-398 postfix/smtpd[2857]: lost connection after MAIL from localhost[127.0.0.1]

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> --On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema wrote:
>
> > 1) Use the before-queue filter for mail from outside:
> >
> >    external clients -> smtpd -> Amavis ...
> >
> > 2) Use the after-queue filter for mail from inside:
> >
> >    internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
> >
> > 	Wietse
>
> I already tried this, and it is not an acceptable solution, because postfix
> will not accept mail if OpenDKIM is not running. I need Postfix to accept
> and queue the email in that scenario, rather than reject it.

RTFM http://www.postfix.org/postconf.5.html#milter_default_action

	Wietse
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 6:17 PM -0400 Wietse Venema wrote:

> Quanah Gibson-Mount:
>> --On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema wrote:
>>
>> > 1) Use the before-queue filter for mail from outside:
>> >
>> >    external clients -> smtpd -> Amavis ...
>> >
>> > 2) Use the after-queue filter for mail from inside:
>> >
>> >    internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
>> >
>> > 	Wietse
>>
>> I already tried this, and it is not an acceptable solution, because
>> postfix will not accept mail if OpenDKIM is not running. I need Postfix
>> to accept and queue the email in that scenario, rather than reject it.
>
> RTFM http://www.postfix.org/postconf.5.html#milter_default_action

I have read that before. None of the actions it allows are desirable.

Changing the action to quarantine requires manual intervention on the admin
side to ever get this to deliver. "accept" is not acceptable, because it
gets delivered instead of queued.

--Quanah
Re: postfix SMTP AUTH
See below ...

* William Holt :
> Hi Rob, thanks. I use the reserved addresses because I'm testing the
> box via local net (my laptop), I have everything setup straight
> through GoDaddy to my router I just forward the ports when I'm ready.
>
> I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
> the way, do you know of any docs which list and explain the sasl and
> tls options?
>
> this is the result of saslfinger...I'm looking at it now but I
> forwarded it to you...
>
>
> postfix start
> postfix/postfix-script: starting the Postfix mail system
> [root@messenger saslfinger-1.0.3]# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Mon Oct 22 17:45:14 EDT 2012
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.9.4
> System: Arch Linux \r (\l)
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7712000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = cyrus
> smtpd_tls_CAfile = /etc/ssl/private/CA-Messenger-key.pem
> smtpd_tls_cert_file = /etc/postfix/smtpd.crt
> smtpd_tls_key_file = /etc/postfix/smtpdpub.key
> smtpd_tls_security_level = may
>
>
> -- listing of /usr/lib/sasl2 --
> ...
> -rw-r--r-- 1 root root 160 Oct 21 12:42 smtpd.conf
>
>
> -- content of /usr/lib/sasl2/smtpd.conf --
> ##sasl authentication methods###
> pwcheck_method: auxprop
> #saslauthd_path: /var/run/saslauthd/mux
> mech_list: plain login
> auxprop_plugin: sasldb2
> log_level: 7

Remove '2' at the end of "auxprop_plugin:" and write this:

pwcheck_method: auxprop
mech_list: plain login
auxprop_plugin: sasldb
log_level: 7

Make sure you have no trailing garbage at the end of the lines!

> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> smtp      inet  n       -       n       -       -       smtpd -v

...

> -- mechanisms on localhost --
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
>
> -- end of saslfinger output --

So far, so good.

What do you get if you run 'sasldblistusers2'?
Do the accounts have a domainpart you use when you create the authentication
string? If not, use an account as given from sasldblistusers2 output and test
with that.

p@rick

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
Re: postfix SMTP AUTH
P.S. I'm sorry, I looked quickly and thought your name was Rob; forgive me,
Patrick. I'm reading your book, I like it. I also use the postfix web site
and debian-wiki/arch-wiki.

On Mon, Oct 22, 2012 at 5:53 PM, William Holt wrote:
> Hi Rob, thanks. I use the reserved addresses because I'm testing the
> box via local net (my laptop), I have everything setup straight
> through GoDaddy to my router I just forward the ports when I'm ready.
>
> I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
> the way, do you know of any docs which list and explain the sasl and
> tls options?
>
> this is the result of saslfinger...I'm looking at it now but I
> forwarded it to you...
>
> ...
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> --On Monday, October 22, 2012 6:17 PM -0400 Wietse Venema wrote:
>
> > Quanah Gibson-Mount:
> >> --On Monday, October 22, 2012 5:09 PM -0400 Wietse Venema wrote:
> >>
> >> > 1) Use the before-queue filter for mail from outside:
> >> >
> >> >    external clients -> smtpd -> Amavis ...
> >> >
> >> > 2) Use the after-queue filter for mail from inside:
> >> >
> >> >    internal clients -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
> >> >
> >> > 	Wietse
> >>
> >> I already tried this, and it is not an acceptable solution, because
> >> postfix will not accept mail if OpenDKIM is not running. I need
> >> Postfix to accept and queue the email in that scenario, rather than
> >> reject it.
> >
> > RTFM http://www.postfix.org/postconf.5.html#milter_default_action
>
> I have read that before. None of the actions it allows are desirable.
>
> Changing the action to quarantine requires manual intervention on the admin
> side to ever get this to deliver.

You had a problem with not being able to sign mail with a Milter
before it enters your content filter. I kindly provided an example
that allows you to do that. It even works with the same content
filter.

Now you reject the solution. Not because it would fail to sign mail
as promised. Not because it wouldn't work with the filter as promised.

There is, and there will not be, a queue between the Postfix SMTP
server protocol engine and the Postfix Milter client protocol engine,
where email messages wait until a broken Milter server comes back.
Not in Postfix, not in Sendmail, not in other MTAs. The Milter
protocol is designed for before-queue agents, so that they can
inspect the SMTP command stream as it happens.

	Wietse
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 7:09 PM -0400 Wietse Venema wrote:

> You had a problem with not being able to sign mail with a Milter
> before it enters your content filter. I kindly provided an example
> that allows you to do that. It even works with the same content
> filter.
>
> Now you reject the solution. Not because it would fail to sign mail
> as promised. Not because it wouldn't work with the filter as promised.
>
> There is, and there will not be, a queue between the Postfix SMTP
> server protocol engine and the Postfix Milter client protocol engine,
> where email messages wait until a broken Milter server comes back.
> Not in Postfix, not in Sendmail, not in other MTAs. The Milter
> protocol is designed for before-queue agents, so that they can
> inspect the SMTP command stream as it happens.

Ok. So basically it is impossible to do what I want to do, thanks. Let me
go back to the OpenDKIM folks then. ;)

--Quanah
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 4:23 PM -0700 Quanah Gibson-Mount wrote:

>> There is, and there will not be, a queue between the Postfix SMTP
>> server protocol engine and the Postfix Milter client protocol engine,
>> where email messages wait until a broken Milter server comes back.

By the way, as long as Amavis isn't involved, I can get Postfix to queue
mail if the milter is down just fine, by setting things up as a content
filter that fronts the milter. I.e., this configuration *does* queue email
being sent to the milter:

smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=scan:[127.0.0.1]:10029

scan      unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=

[127.0.0.1]:10029 inet n -      n       -       -       smtpd
    -o smtpd_milters=inet:localhost:8465

With this setup, if I stop OpenDKIM, the mail queues until OpenDKIM is
restarted, even though OpenDKIM is being called as a milter.

--Quanah
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> --On Monday, October 22, 2012 4:23 PM -0700 Quanah Gibson-Mount wrote:
>
> >> There is, and there will not be, a queue between the Postfix SMTP
> >> server protocol engine and the Postfix Milter client protocol engine,
> >> where email messages wait until a broken Milter server comes back.
>
> By the way, as long as Amavis isn't involved, I can get Postfix to queue
> mail if the milter is down just fine, by setting things up as a content
> filter that fronts the milter.

There is, however, no milter_default_action ON THE SMTP SERVER SIDE
that accepts mail and keeps it queued until the milter comes back.
That's what you objected to, and that's what will never exist.

	Wietse
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 7:39 PM -0400 Wietse Venema wrote:

> There is, however, no milter_default_action ON THE SMTP SERVER SIDE
> that accepts mail and keeps it queued until the milter comes back.
> That's what you objected to, and that's what will never exist.

All I want is to be able to send an email, have it processed and signed by
OpenDKIM, and then handed off to Amavis.

It seems to me if this can work without Amavis in the picture, it should be
possible to do it with Amavis in the picture too.

I understand the milter has to be fronted as a filter. I understand I need
the ability to route mail differently through amavis depending on whether
or not it is originating or foreign email. What I'm missing is how to get
all this to play together the way I want it to.

I.e., it is fine with me if "milter" is not how the SMTP server "sees"
things, just as it doesn't see it that way using the content filter.

So, is setting it up this way truly impossible as well, or is there some
way to stack filters (not milters), which was my original question.

--Quanah
Re: Any best practices for stacking filters?
Quanah Gibson-Mount:
> --On Monday, October 22, 2012 7:39 PM -0400 Wietse Venema wrote:
>
> > There is, however, no milter_default_action ON THE SMTP SERVER SIDE
> > that accepts mail and keeps it queued until the milter comes back.
> > That's what you objected to, and that's what will never exist.
>
> All I want is to be able to send an email, have it processed and signed by
> OpenDKIM, and then handed off to Amavis.
>
> It seems to me if this can work without Amavis in the picture, it should be
> possible to do it with Amavis in the picture too.
>
> I understand the milter has to be fronted as a filter. I understand I need
> the ability to route mail differently through amavis depending on whether
> or not it is originating or foreign email. What I'm missing is how to get
> all this to play together the way I want it to.
>
> I.e., it is fine with me if "milter" is not how the SMTP server "sees"
> things, just as it doesn't see it that way using the content filter.
>
> So, is setting it up this way truly impossible as well, or is there some
> way to stack filters (not milters), which was my original question.

Use a before-queue filter for mail from outside.

    Internet -> smtpd -> Amavis ...

Use a Postfix queue BEFORE and AFTER the signing Milter for mail from inside.

    ... -> queue -> smtp -> smtpd -> cleanup -> queue -> smtp -> Amavis ...
                             ||
                       signing milter

The part with "smtp -> smtpd" is a "null filter" where the two
programs talk directly to each other.

Instead of the above you could simply use Amavis's DKIM support to
sign the messages.

No doubt there will be some other objection, and never a thankyou.

	Wietse
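The two paths Wietse describes, written out as a master.cf fragment. This is an added example, not configuration from the thread, from Postfix or from Zimbra; it reuses the signing port 10029 and the milter address inet:localhost:8465 from Quanah's posts, and assumes Amavis listens on 127.0.0.1:10024 for the before-queue path and on 127.0.0.1:10026 for the after-queue path, reinjecting on 127.0.0.1:10025 (all three ports, the syslog_name values and the submission settings are assumptions).

```text
# master.cf fragment (added example). In master.cf a comment must be on its
# own line, and a line starting with whitespace continues the previous entry.

# ---- Path 1: mail from outside -> before-queue Amavis (smtpd_proxy_filter)
# Port 25. Nothing is queued until Amavis has accepted the message, so a
# down Amavis answers the remote client with a 4xx; no queue exists here.
# No signing milter on this path: mail from outside is not ours to sign.
smtp      inet  n       -       n       -       20      smtpd
    -o smtpd_proxy_filter=127.0.0.1:10024
    -o smtpd_client_connection_count_limit=10
    -o smtpd_proxy_options=speed_adjust
    -o content_filter=
    -o smtpd_milters=

# ---- Path 2: mail from inside
#   submission smtpd -> cleanup -> queue -> "sign" smtp client -> signing
#   smtpd (DKIM milter) -> cleanup -> queue -> "amavis" smtp client ->
#   Amavis -> reinjection smtpd on 10025
# Port 587, authenticated senders only. content_filter puts the message in
# the queue FIRST and only then hands it to the "sign" transport.
submission inet n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=sign:[127.0.0.1]:10029
    -o smtpd_proxy_filter=
    -o smtpd_milters=

# The "null filter": a Postfix smtp client that talks straight to the
# signing smtpd. When OpenDKIM is down the signing smtpd answers 451 and
# the message simply stays in this queue until the next retry, which is
# the behaviour Quanah saw with his content_filter setup.
sign      unix  -       -       n       -       10      smtp
    -o syslog_name=postfix/sign
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=

# The signing smtpd: only the DKIM milter runs here. cleanup then queues
# the signed message again and content_filter sends it on to Amavis.
# milter_default_action=tempfail is the default; it is what turns a dead
# milter into a 451 for the "sign" client above instead of a lost message.
127.0.0.1:10029 inet n  -       n       -       10      smtpd
    -o syslog_name=postfix/dkim
    -o smtpd_milters=inet:localhost:8465
    -o milter_default_action=tempfail
    -o content_filter=amavis:[127.0.0.1]:10026
    -o smtpd_proxy_filter=
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

# After-queue Amavis transport for the signed mail from inside.
amavis    unix  -       -       n       -       10      smtp
    -o syslog_name=postfix/amavis
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=

# Reinjection point that Amavis delivers back to on both paths. Every
# filter and milter is switched off here; otherwise mail would loop.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o syslog_name=postfix/reinject
    -o content_filter=
    -o smtpd_proxy_filter=
    -o smtpd_milters=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o mynetworks=127.0.0.0/8
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o local_header_rewrite_clients=
```

Mail from outside therefore never reaches the signing smtpd, while mail from inside sits in a real queue on both sides of the milter, which is the separation the thread was asking for.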
Re: Any best practices for stacking filters?
--On Monday, October 22, 2012 8:32 PM -0400 Wietse Venema wrote:

> No doubt there will be some other objection, and never a thankyou.

Actually, I greatly appreciate your time and help with this. So thank you,
very much for your patience as well.

As for using Amavis to sign via DKIM, that is waiting on Amavisd to be
scalable, a feature request I've had open with the Amavis author for
several years, and which he is working on. If that gets implemented then
yes, I can switch to Amavis entirely, and my life will be much simpler.

--Quanah
ot: iPhone smtp setup
I have Postfix with smtp-auth, port 587, all works good.

I'm having problems setting up an iPhone with smtp-auth sending, hoping
some iPhone experts can point me in the correct direction on this.

iPhone, under SMTP, has a 'primary' SMTP server: correct host, port 587,
SSL; under 'additional' there are ISP SMTP (ADSL, cellular) servers, but
all entries are disabled, only 'primary' is enabled.

Emails are retrieved OK (same host as SMTP, IMAP, SSL).

When I tried sending, sending failed, got this error on iPhone:
'copy placed in outbox, sender rejected by server'

There is no apparent log entry at the SMTP server from this attempt;
later, after the iPhone device returned 'home', the outbox email got
delivered over WiFi/ISP's SMTP.

So, it seems to me, there is another SMTP entry, of the ISP, that takes
precedence?? Again, under SMTP, only the primary server is enabled (the
one I'd like to use), the other SMTP servers are disabled, but the email
was delivered via the ADSL ISP's SMTP server to my Postfix server.

Perplexed,
Voytek
Re: postfix SMTP AUTH
I guessed it was a realm issue so I changed

smtpd_sasl_local_domain = $myhostname

to

smtpd_sasl_local_domain = $mydomain

and added a u...@my.org. I believe auxprop is using sasldb (which I did
change in smtpd.conf from sasldb2 to sasldb), handing it "user" + "realm",
correct? And now I have this new error:

535 5.7.8 Error: authentication failed: another step is needed in authentication

I commented out broken_clients.

On Mon, Oct 22, 2012 at 6:33 PM, Patrick Ben Koetter wrote:
> See below ...
>
> * William Holt :
>> Hi Rob, thanks. I use the reserved addresses because I'm testing the
>> box via local net (my laptop), I have everything setup straight
>> through GoDaddy to my router I just forward the ports when I'm ready.
>>
>> I'll check out the smtpd_sasl_local_domain = $myhostname problem. By
>> the way, do you know of any docs which list and explain the sasl and
>> tls options?
>>
>> this is the result of saslfinger...I'm looking at it now but I
>> forwarded it to you...
>>
>> ...
>>
>> -- active SMTP AUTH and TLS parameters for smtpd --
>> broken_sasl_auth_clients = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
>> smtpd_sasl_type = cyrus
>> smtpd_tls_CAfile = /etc/ssl/private/CA-Messenger-key.pem
>> smtpd_tls_cert_file = /etc/postfix/smtpd.crt
>> smtpd_tls_key_file = /etc/postfix/smtpdpub.key
>> smtpd_tls_security_level = may
>>
>> ...
>>
>> -- content of /usr/lib/sasl2/smtpd.conf --
>> ##sasl authentication methods###
>> pwcheck_method: auxprop
>> #saslauthd_path: /var/run/saslauthd/mux
>> mech_list: plain login
>> auxprop_plugin: sasldb2
>> log_level: 7
>
> Remove '2' at the end of "auxprop_plugin:" and write this:
>
> pwcheck_method: auxprop
> mech_list: plain login
> auxprop_plugin: sasldb
> log_level: 7
>
> Make sure you have no trailing garbage at the end of the lines!
>
>> -- active services in /etc/postfix/master.cf --
>> # service type  private unpriv  chroot  wakeup  maxproc command + args
>> #               (yes)   (yes)   (yes)   (never) (100)
>> smtp      inet  n       -       n       -       -       smtpd -v
>
> ...
>
>> -- mechanisms on localhost --
>> 250-AUTH PLAIN LOGIN
>> 250-AUTH=PLAIN LOGIN
>>
>> -- end of saslfinger output --
>
> So far, so good.
>
> What do you get if you run 'sasldblistusers2'?
> Do the accounts have a domainpart you use when you create the authentication
> string? If not, use an account as given from sasldblistusers2 output and test
> with that.
>
> p@rick
Re: ESMTP: keys and passwords
On Mon, Oct 22, 2012 at 03:45:22PM -0400, thorso...@lavabit.com wrote:

> I'm trying to configure ESMTP using this guide [1].
>
> $ touch smtpd.key
> $ chmod 600 smtpd.key
> $ openssl genrsa 4096 > smtpd.key

This will generate a 4096 bit key, though you almost certainly should
not use a key this long, especially with SMTP. Grudgingly deploy
2048-bit keys per the latest NIST guidelines if you must. Otherwise,
your security is just as good with 1024-bit keys, and 1280 bits is
actually a good enough step-up if you want a bit of a safety margin
without network bloat and prohibitive performance degradation.

> $ openssl req -new -key smtpd.key -x509 -days 730 -out smtpd.crt

This will use that same key to generate a self-signed certificate.

> $ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem \
>     -out cacert.pem -days 730

You did not specify a key to use for this operation. This writes a new
key to a default file (often privkey.pem) with insecure permissions
(0644) (even password protected keys should not be world readable).

So use the "-key filename" option for a key you created, and don't go
for absurdly long keys; that's just silly. If your use-case is purely
internal, you can use a 256-bit ECDSA key if 1024-bit RSA is not good
enough for you.

--
	Viktor.