Re: smtpd optional authentication and relay

[W T Riker]

On 7/5/2013 12:27 AM, b...@bitrate.net wrote:
> On Jul 4, 2013, at 20.44, W T Riker  wrote:
>
>> On 7/4/2013 8:36 PM, Wietse Venema wrote:
>>> W T Riker:
 On 7/4/2013 8:01 PM, Wietse Venema wrote:
> gw1500:
>> It is not clear from the documentation if this is possible or how to do
>> it but I want to make authentication optional but if a user does
>> authenticate then I want to permit relaying. Can someone help?
> This is how permit_sasl_authenticated works.
>
> http://www.postfix.org/SASL_README.html#server_sasl_authz
 Thanks for the reply. I already have that much working. Where I am stuck
 is permitting relaying from authenticated users regardless of host while
 prohibiting everything else.
>>> I answered the question how "to make authentication optional".
>>>
>>> Perhaps someone else can figure out what you mean with "permitting
>>> relaying from authenticated users while prohibiting everything else"
>>> when only seconds ago you asked how "to make authentication optional".
>>>
>>> Wietse
>>>
>> Sorry that I was not clear. With this configuration, will any
>> non-authenticated client still be able to deliver mail to a local
>> recipient but not be permitted to relay email to non-local recipients?
> i'd counsel against this.  instead, set up a proper submission service [see 
> the commented out example in master.cf], and use separate streams for mx and 
> submission.  presumably you're asking about providing "relay" service for 
> client [e.g. mua] software.  clients should use submission [port 587], not 
> port 25.  port 25 is for servers to talk to other servers.  setting up 
> separate streams/services allows you to require encryption and authentication 
> for all connections [eg. "clients"] to the submission service, and allows you 
> to avoid offering it unnecessarily on port 25.
>
> -ben
Indeed this is using port 587. I did not realize that that in itself was
sufficient to prevent relaying from non-authenticated clients. Thanks.

Re: smtpd optional authentication and relay

[W T Riker]

On 7/4/2013 11:21 PM, Noel Jones wrote:
> On 7/4/2013 7:44 PM, W T Riker wrote:
>> On 7/4/2013 8:36 PM, Wietse Venema wrote:
>>> W T Riker:
 On 7/4/2013 8:01 PM, Wietse Venema wrote:
> gw1500:
>> It is not clear from the documentation if this is possible or how to do
>> it but I want to make authentication optional but if a user does
>> authenticate then I want to permit relaying. Can someone help?
> This is how permit_sasl_authenticated works.
>
> http://www.postfix.org/SASL_README.html#server_sasl_authz
 Thanks for the reply. I already have that much working. Where I am stuck
 is permitting relaying from authenticated users regardless of host while
 prohibiting everything else.
>>> I answered the question how "to make authentication optional".
>>>
>>> Perhaps someone else can figure out what you mean with "permitting
>>> relaying from authenticated users while prohibiting everything else"
>>> when only seconds ago you asked how "to make authentication optional".
>>>
>>> Wietse
>>>
>> Sorry that I was not clear. With this configuration, will any
>> non-authenticated client still be able to deliver mail to a local
>> recipient but not be permitted to relay email to non-local recipients?
>>
> That's the usual way for it to work, but we don't really know what
> you mean by "this configuration". For a definite answer, we would
> need to see your "postconf -n" settings.
>
>
>
>   -- Noel Jones
Thanks. By "this configuration" I was referring to the section of the
documentation referred to by Wietse.

Forward mail and receive mail to the same domain

[Dotan Cohen]

I need to set up a virtual alias (forwarder) and a virtual mailbox on
the same domain. I'm using Postfix on Ubuntu Server 12.04. Here is my
setup:

$ cat /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

myhostname = awsBeta
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = awsBeta, localhost.localdomain, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_mailbox_domains = someDomain.com
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

virtual_alias_domains = someDomain.com

$ cat /etc/postfix/virtual
forw...@somedomain.com t...@gmail.com

$ cat /etc/postfix/vmailbox
do...@somedomain.com someDomain.com/dotan

$ sudo postmap virtual
$ sudo postmap vmailbox
$ tree /var/mail/vhosts/
/var/mail/vhosts/
└── someDomain.com
└── dotan

When mail is sent to forw...@somedomain.com it is properly forwarded
to t...@gmail.com. However, when mail is sent to do...@somedomain.com
the sending address receives a mail with this error:
Recipient address rejected: User unknown in virtual alias table

This appears in the log:
warning: do not list domain someDomain.com in BOTH
virtual_alias_domains and virtual_mailbox_domains

Of course, I cannot remove the domain from either
virtual_alias_domains or virtual_mailbox_domains because I need to use
bothe of those features. So how might one set up do...@somedomain.com
as a real mailbox (no unix account though), but forw...@somedomain.com
to forward to t...@gmail.com? I've been trolling Google for answers,
but though I thought that this would be easy, I'm stuck!


--
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com

Re: Forward mail and receive mail to the same domain

[Viktor Dukhovni]

On Fri, Jul 05, 2013 at 04:19:36PM +0300, Dotan Cohen wrote:

> This appears in the log:
> warning: do not list domain someDomain.com in BOTH
> virtual_alias_domains and virtual_mailbox_domains
> 
> Of course, I cannot remove the domain from either
> virtual_alias_domains or virtual_mailbox_domains because I need to use
> both of those features.

Go ahead and remove the domain from virtual_alias_domains, virtual
alias expansion applies to *all* domains regardless of address
class.

-- 
Viktor.

Re: smtpd optional authentication and relay

[Larry Stone]

On Fri, 5 Jul 2013, W T Riker wrote:


Indeed this is using port 587. I did not realize that that in itself was
sufficient to prevent relaying from non-authenticated clients. Thanks.


It doesn't. If 587 is configured the same as 25, it will behave just like 
port 25. There is nothing special about port 587 other than how YOU 
configure it to be different.


They key to understanding Postfix restrictions is they evaluate in order 
and the first to return a result other than DUNNO is what wins. A 
permit_ restrictions generally returns PERMIT or DUNNO. A reject_ 
restriction generally returns REJECT or DUNNO. So if you have 
permit_sasl_authernticated as the first test in a group of restrictions 
(e.g. smtpd_recipient_restrictions), if the user is SASL authenticated, it 
returns PERMIT and the mail is accepted and, if not destined locally, 
relayed. All remaining tests in that group of restrictions are then 
skipped. If the user is not SASL authenticated, it returns DUNNO and goes 
on to the next restriction in that group. If that next restriction is 
reject_unauth_destination (which in case it's not clear to you is the 
restriction that prevents relaying), an unauthenticated user will not be 
permitted to relay.


So in short, a restriction group that permits authenticated users to send 
anywhere and unauthenticated users to only send to domains for which 
Postfix is configure to accept mail would be: permit_sasl_authenticated, 
reject_unauth_destination. However, don't just do what we suggest; make 
sure you understand it and that it is doing what YOU want.


-- Larry Stone
   lston...@stonejongleux.com

Re: smtpd optional authentication and relay

[W T Riker]

On 7/5/2013 9:51 AM, Larry Stone wrote:
> On Fri, 5 Jul 2013, W T Riker wrote:
>
>> Indeed this is using port 587. I did not realize that that in itself was
>> sufficient to prevent relaying from non-authenticated clients. Thanks.
>
> It doesn't. If 587 is configured the same as 25, it will behave just
> like port 25. There is nothing special about port 587 other than how
> YOU configure it to be different.
>
> They key to understanding Postfix restrictions is they evaluate in
> order and the first to return a result other than DUNNO is what wins.
> A permit_ restrictions generally returns PERMIT or DUNNO. A
> reject_ restriction generally returns REJECT or DUNNO. So if you
> have permit_sasl_authernticated as the first test in a group of
> restrictions (e.g. smtpd_recipient_restrictions), if the user is SASL
> authenticated, it returns PERMIT and the mail is accepted and, if not
> destined locally, relayed. All remaining tests in that group of
> restrictions are then skipped. If the user is not SASL authenticated,
> it returns DUNNO and goes on to the next restriction in that group. If
> that next restriction is reject_unauth_destination (which in case it's
> not clear to you is the restriction that prevents relaying), an
> unauthenticated user will not be permitted to relay.
>
> So in short, a restriction group that permits authenticated users to
> send anywhere and unauthenticated users to only send to domains for
> which Postfix is configure to accept mail would be:
> permit_sasl_authenticated, reject_unauth_destination. However, don't
> just do what we suggest; make sure you understand it and that it is
> doing what YOU want.
>
> -- Larry Stone
>lston...@stonejongleux.com
>
Thanks for that explanation. I think I understand the way it works now
so I modified my restrictions a bit. Does this order pass the sniff test?

smtpd_recipient_restrictions =
reject_non_fqdn_recipient,
reject_non_fqdn_sender,
reject_unlisted_recipient,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_helo_hostname,
reject_unknown_sender_domain,
reject_unknown_recipient_domain

Re: smtpd optional authentication and relay

[Viktor Dukhovni]

On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:

> Thanks for that explanation. I think I understand the way it works now
> so I modified my restrictions a bit. Does this order pass the sniff test?
> 
> smtpd_recipient_restrictions =
> reject_non_fqdn_recipient,
> reject_non_fqdn_sender,
> reject_unlisted_recipient,
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> reject_invalid_helo_hostname,
> reject_unknown_sender_domain,

Fine up to here.

> reject_unknown_recipient_domain

This is not a good idea in this context, you've already checked
the message is to one of your own domains.  Unless you've specified
relay_domains (and you have relay_domains listed in
parent_domain_mathes_subdomains) or inherit relay_domains via its
default $mydestination, every domain you accept should be "known",
you just risk deferring mail due to transient DNS lookup errors.

You should generally avoid having subdomain matching in relay_domains,
set parent_domain_matches_subdomains empty or perhaps just:

parent_domain_matches_subdomains = smtpd_access_maps

if your access tables rely on this to match a domain and all its
subdomains.

The backwards compatible default is:

parent_domain_matches_subdomains =
debug_peer_list,
fast_flush_domains,
mynetworks,
permit_mx_backup_networks,
qmqpd_authorized_clients,
relay_domains,
smtpd_access_maps

-- 
Viktor.

Re: smtpd optional authentication and relay

[W T Riker]

Thanks. I fixed it.

On 7/5/2013 10:07 AM, Viktor Dukhovni wrote:
> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
>
>> Thanks for that explanation. I think I understand the way it works now
>> so I modified my restrictions a bit. Does this order pass the sniff test?
>>
>> smtpd_recipient_restrictions =
>> reject_non_fqdn_recipient,
>> reject_non_fqdn_sender,
>> reject_unlisted_recipient,
>> permit_mynetworks,
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> reject_invalid_helo_hostname,
>> reject_unknown_sender_domain,
> Fine up to here.
>
>> reject_unknown_recipient_domain
> This is not a good idea in this context, you've already checked
> the message is to one of your own domains.  Unless you've specified
> relay_domains (and you have relay_domains listed in
> parent_domain_mathes_subdomains) or inherit relay_domains via its
> default $mydestination, every domain you accept should be "known",
> you just risk deferring mail due to transient DNS lookup errors.
>
> You should generally avoid having subdomain matching in relay_domains,
> set parent_domain_matches_subdomains empty or perhaps just:
>
> parent_domain_matches_subdomains = smtpd_access_maps
>
> if your access tables rely on this to match a domain and all its
> subdomains.
>
> The backwards compatible default is:
>
> parent_domain_matches_subdomains =
>   debug_peer_list,
>   fast_flush_domains,
>   mynetworks,
>   permit_mx_backup_networks,
>   qmqpd_authorized_clients,
>   relay_domains,
>   smtpd_access_maps
>

Re: smtpd optional authentication and relay

[Tom Hendrikx]

On 07/05/2013 04:07 PM, Viktor Dukhovni wrote:
> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
> 
>> Thanks for that explanation. I think I understand the way it works now
>> so I modified my restrictions a bit. Does this order pass the sniff test?
>>
>> smtpd_recipient_restrictions =
>> reject_non_fqdn_recipient,
>> reject_non_fqdn_sender,
>> reject_unlisted_recipient,

I'd say that reject_unlisted_recipient will also reject mail to offsite
recipients, even when it is sent by an authenticated sender (since
permit_sasl_authenticated is specified later).

>> permit_mynetworks,
>> permit_sasl_authenticated,
>> reject_unauth_destination,
>> reject_invalid_helo_hostname,
>> reject_unknown_sender_domain,
> 
> Fine up to here.
> 
>> reject_unknown_recipient_domain
> 
> This is not a good idea in this context, you've already checked
> the message is to one of your own domains.  Unless you've specified
> relay_domains (and you have relay_domains listed in
> parent_domain_mathes_subdomains) or inherit relay_domains via its
> default $mydestination, every domain you accept should be "known",
> you just risk deferring mail due to transient DNS lookup errors.
> 
> You should generally avoid having subdomain matching in relay_domains,
> set parent_domain_matches_subdomains empty or perhaps just:
> 
> parent_domain_matches_subdomains = smtpd_access_maps
> 
> if your access tables rely on this to match a domain and all its
> subdomains.
> 
> The backwards compatible default is:
> 
> parent_domain_matches_subdomains =
>   debug_peer_list,
>   fast_flush_domains,
>   mynetworks,
>   permit_mx_backup_networks,
>   qmqpd_authorized_clients,
>   relay_domains,
>   smtpd_access_maps
> 




signature.asc
Description: OpenPGP digital signature

Re: smtpd optional authentication and relay

[W T Riker]

On 7/5/2013 10:52 AM, Tom Hendrikx wrote:
> On 07/05/2013 04:07 PM, Viktor Dukhovni wrote:
>> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
>>
>>> Thanks for that explanation. I think I understand the way it works now
>>> so I modified my restrictions a bit. Does this order pass the sniff test?
>>>
>>> smtpd_recipient_restrictions =
>>> reject_non_fqdn_recipient,
>>> reject_non_fqdn_sender,
>>> reject_unlisted_recipient,
> I'd say that reject_unlisted_recipient will also reject mail to offsite
> recipients, even when it is sent by an authenticated sender (since
> permit_sasl_authenticated is specified later).
>
>>> permit_mynetworks,
>>> permit_sasl_authenticated,
>>> reject_unauth_destination,
>>> reject_invalid_helo_hostname,
>>> reject_unknown_sender_domain,
>> Fine up to here.
>>
>>> reject_unknown_recipient_domain
>> This is not a good idea in this context, you've already checked
>> the message is to one of your own domains.  Unless you've specified
>> relay_domains (and you have relay_domains listed in
>> parent_domain_mathes_subdomains) or inherit relay_domains via its
>> default $mydestination, every domain you accept should be "known",
>> you just risk deferring mail due to transient DNS lookup errors.
>>
>> You should generally avoid having subdomain matching in relay_domains,
>> set parent_domain_matches_subdomains empty or perhaps just:
>>
>> parent_domain_matches_subdomains = smtpd_access_maps
>>
>> if your access tables rely on this to match a domain and all its
>> subdomains.
>>
>> The backwards compatible default is:
>>
>> parent_domain_matches_subdomains =
>>  debug_peer_list,
>>  fast_flush_domains,
>>  mynetworks,
>>  permit_mx_backup_networks,
>>  qmqpd_authorized_clients,
>>  relay_domains,
>>  smtpd_access_maps
>>
>
Good point. I fixed that too. Thanks.

Re: smtpd optional authentication and relay

[Noel Jones]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 7/5/2013 9:52 AM, Tom Hendrikx wrote:
> On 07/05/2013 04:07 PM, Viktor Dukhovni wrote:
>> On Fri, Jul 05, 2013 at 10:00:02AM -0400, W T Riker wrote:
>> 
>>> Thanks for that explanation. I think I understand the way
>>> it works now so I modified my restrictions a bit. Does this
>>> order pass the sniff test?
>>> 
>>> smtpd_recipient_restrictions = reject_non_fqdn_recipient, 
>>> reject_non_fqdn_sender, reject_unlisted_recipient,
> 
> I'd say that reject_unlisted_recipient will also reject mail to
> offsite recipients, even when it is sent by an authenticated
> sender (since permit_sasl_authenticated is specified later).

Nonsense.  reject_unlisted_recipient does not reject mail offsite.
http://www.postfix.org/postconf.5.html#reject_unlisted_recipient



  -- Noel Jones
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.20 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJR1ul5AAoJEJGRUHb5Oh6gufoH/R1F4FLduLJ0Y/+eDBy4IP4V
VVGukAGWAQVVQBta6mZbKLLwTEPJUsfC7O11781nbfSXNe0I4q4T5UOmdO7Bh3F6
dN4JVhEFXSvEWPwHVnnDV7gz5OuVAgaesnHvVCEY940vb4nTeRcvOEbRyt3530Fa
45jLwNYzXXFB4tzZEfTMCF4EBl7zpdEliWNZpxHR7+1EZjrkpVWXkUNXw6rDApv6
4Qr7FMhpz4SvFkOfyDIJ1ZPhysaMcTmMwY1Byjxd0o6kmpNM8ahraQ/jb4i9RgNs
nSNJEWlBnXbg2Za//lnGH57CtowRFk4crqFJrnPQQe90av3r8IJfYXNQlCavnYI=
=kC/H
-END PGP SIGNATURE-

Re: GSSAPI with SMTP client

[Erinn Looney-Triggs]

On 07/02/2013 12:03 PM, Viktor Dukhovni wrote:
> On Tue, Jul 02, 2013 at 11:25:53AM -0400, Erinn Looney-Triggs wrote:
> 
>> However, it still is not working.
>>
>> Running a debug_peer_list with the verbosity set to 2 against both a
>> thunderbird client working with GSSAPI and the postfix client. It
>> appears that GSSAPI is not even being tried by the postfix client. It
>> negotiates the TLS session, is presented with GSSAPI as an auth option,
>> and then it just attempts to send the message (MAIL FROM etc.). Whereas
>> the thunderbird client does the GSSAPI negotiation (AUTH GSSAPI etc.).
> 
> The destination needs to appear the smtp_sasl_password_maps database,
> even when you're not using a password-based mechanism.  This tells
> Postfix to use SASL for the destination.
> 
>   [smtp.example.com]:587  gssapi:nopassword
> 
> You naturally need to make sure that you've installed the GSSAPI
> plugin for SASL and that smtp_sasl_mechanism_filter is set correctly.
> 

Viktor,
Thanks for the help, after a lot more messing about, and debugging
(Wietse, you the man for putting in debug_peer_list, very helpful) I
finally got this working.

All the constituent parts where there but the syntax for the sasl
password maps database was incorrect (my fault), which client side
debugging revealed as it wasn't matching the mail server host.

I am going to write up a little how to for this and post it on up.
Hopefully it will make folks lives easier if they decide to do this in
the future.

Thanks again,
-Erinn








signature.asc
Description: OpenPGP digital signature

exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Pol Hallen]

Hi all!

I forced postfix to uses smtpd_tls_auth_only = yes

but I need exclude TLS from 127.0.0.1

I known there's a change to do in master.cf but I don't know how resolve

any idea?

thanks!

Pol

Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Wietse Venema]

Pol Hallen:
> Hi all!
> 
> I forced postfix to uses smtpd_tls_auth_only = yes
> 
> but I need exclude TLS from 127.0.0.1
> 
> I known there's a change to do in master.cf but I don't know how resolve

To clone the submission service and set "smtpd_tls_auth_only=no"
for connections to 127.0.0.1:

/etc/postfix/master.cf
127.0.0.1:submission ...same stuff as ordinary submission service...
... same stuff as ordinary submission service...
-o smtpd_tls_auth_only=no

The procedure is similar for the "port 25" service.

Wietse

Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Viktor Dukhovni]

On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:

> To clone the submission service and set "smtpd_tls_auth_only=no"
> for connections to 127.0.0.1:
> 
> /etc/postfix/master.cf
> 127.0.0.1:submission ...same stuff as ordinary submission service...
>   ... same stuff as ordinary submission service...
>   -o smtpd_tls_auth_only=no

One may then need to make the default submission entry also specify a
specific IP address, as listeners on 0.0.0.0:port exclude listeners on
specific addresses on most systems.

 192.0.2.1:submission ...ordinary submission service...
... ordinary submission service...

 127.0.0.1:submission ...same stuff as ordinary submission service...
... same stuff as ordinary submission service...
-o smtpd_tls_auth_only=no

where 192.0.2.1 is a hypothetical real IP address of the host.

-- 
Viktor.

Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Pol Hallen]

Thanks for your reply :-)

I added

127.0.0.1:submission inet n   -   -   -   -   smtpd
-o smtpd_tls_auth_only=no


to master.cf but I've same problem...

thanks

Pol

Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Wietse Venema]

Viktor Dukhovni:
> On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
> 
> > To clone the submission service and set "smtpd_tls_auth_only=no"
> > for connections to 127.0.0.1:
> > 
> > /etc/postfix/master.cf
> > 127.0.0.1:submission ...same stuff as ordinary submission service...
> > ... same stuff as ordinary submission service...
> > -o smtpd_tls_auth_only=no
> 
> One may then need to make the default submission entry also specify a
> specific IP address, as listeners on 0.0.0.0:port exclude listeners on
> specific addresses on most systems.

That is not needed. The more specific binding to 127.0.0.1 takes
precedence over the unspecific binding to 0.0.0.0.

Wietse

smtpd_relay postfix version 2.6

[Dejan Doder]

Hi group ,
how can I authenticate to this version of postfix
postfix-2.6.6-2.2 to send mail on port 587?

BR
DEjan

Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Viktor Dukhovni]

On Fri, Jul 05, 2013 at 04:00:44PM -0400, Wietse Venema wrote:
> Viktor Dukhovni:
> > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
> > 
> > > To clone the submission service and set "smtpd_tls_auth_only=no"
> > > for connections to 127.0.0.1:
> > > 
> > > /etc/postfix/master.cf
> > > 127.0.0.1:submission ...same stuff as ordinary submission service...
> > >   ... same stuff as ordinary submission service...
> > >   -o smtpd_tls_auth_only=no
> > 
> > One may then need to make the default submission entry also specify a
> > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
> > specific addresses on most systems.
> 
> That is not needed. The more specific binding to 127.0.0.1 takes
> precedence over the unspecific binding to 0.0.0.0.

Linux forbids bindings to 127.0.0.1 when a wildcard binding exists,
you're probably testing on a FreeBSD system.

linux# showsock() { lsof -n -P -i tcp:12345; }; printf "\nBEGIN\n"; 
showsock; for ip in 0.0.0.0 127.0.0.1; do printf "\nIP: $ip\n"; strace -e bind 
perl -e 'use IO::Socket; my $s = IO::Socket::INET->new(Listen=>1, LocalAddr => 
shift(@ARGV), LocalPort => 12345, Reuse => 1) or die "bind: $!\n"; 
select(undef, undef, undef, 5);' $ip & sleep 1; done; printf "\nEND\n"; 
showsock  
BEGIN

IP: 0.0.0.0 
[1] 19129
bind(3, {sa_family=AF_INET, sin_port=htons(12345), 
sin_addr=inet_addr("0.0.0.0")}, 16) = 0

IP: 127.0.0.1
[2] 19132
bind(3, {sa_family=AF_INET, sin_port=htons(12345), 
sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EADDRINUSE (Address already in use)
bind: Address already in use
[2]+  Exit 98 strace -e bind perl -e 'use IO::Socket; my $s 
= IO::Socket::INET->new(Listen=>1, LocalAddr => shift(@ARGV), LocalPort => 
12345, Reuse => 1) or die "bind: $!\n"; select(undef, undef, undef, 5);' $ip

END
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
perl19131 root3u  IPv4 35552265  0t0  TCP *:12345 (LISTEN)

-- 
Viktor.

Re: smtpd_relay postfix version 2.6

[Viktor Dukhovni]

On Fri, Jul 05, 2013 at 10:18:35PM +0200, Dejan Doder wrote:

> how can I authenticate to this version of postfix
> postfix-2.6.6-2.2 to send mail on port 587?

http://www.postfix.org/SASL_README.html

-- 
Viktor.

Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes

[Wietse Venema]

Viktor Dukhovni:
> On Fri, Jul 05, 2013 at 04:00:44PM -0400, Wietse Venema wrote:
> > Viktor Dukhovni:
> > > On Fri, Jul 05, 2013 at 03:46:46PM -0400, Wietse Venema wrote:
> > > 
> > > > To clone the submission service and set "smtpd_tls_auth_only=no"
> > > > for connections to 127.0.0.1:
> > > > 
> > > > /etc/postfix/master.cf
> > > > 127.0.0.1:submission ...same stuff as ordinary submission service...
> > > > ... same stuff as ordinary submission service...
> > > > -o smtpd_tls_auth_only=no
> > > 
> > > One may then need to make the default submission entry also specify a
> > > specific IP address, as listeners on 0.0.0.0:port exclude listeners on
> > > specific addresses on most systems.
> > 
> > That is not needed. The more specific binding to 127.0.0.1 takes
> > precedence over the unspecific binding to 0.0.0.0.
> 
> Linux forbids bindings to 127.0.0.1 when a wildcard binding exists,
> you're probably testing on a FreeBSD system.

I know that this behavior (a specific bind prevails over a wild-card
bind for all interface addresses) pre-dates FreeBSD by many years.
I see the same behavior on Solaris:

UID   PID  PPID  CSTIME TTY  TIME CMD
...
postfix  1249   352  0 18:16:56 ?0:00 smtpd -n 127.0.0.1:smtp ...
postfix  1254   352  0 18:17:03 ?0:00 smtpd -n smtp ...

Ditto for other interface addresses.

Wietse

two mail servers

[Andrew Ho]

I run into problem of setting this.

I have two mail servers, one for each domain.
I need email to be received for one domain to make a copy and
forwarded to the other mail server of another domain.

Any suggestions?

Re: two mail servers

[Robert Schetterer]

Am 06.07.2013 04:29, schrieb Andrew Ho:
> I run into problem of setting this.
> 
> I have two mail servers, one for each domain.
> I need email to be received for one domain to make a copy and
> forwarded to the other mail server of another domain.
> 
> Any suggestions?
> 
you may read docs on

http://www.postfix.org/postconf.5.html

always_bcc, recipient_bcc_maps,sender_bcc_maps


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein