Re: TLS timeout

2013-11-20 Thread bitozoid
On Tue, Nov 19, 2013 at 1:32 PM, Brian Evans  wrote:
> The smtp client process does not have support for the deprecated smtps
> protocol (465) you are trying to use.

I have another instance of postfix working against other smarthost
(Exchange in this case) via port 465, and it seems not to be a problem
at all.

# rpm -q postfix
postfix-2.6.6-2.2.el6_1.x86_64

Afaik it is better to work with standard port numbers, but it is not a
requirement.


Re: TLS timeout

2013-11-20 Thread li...@rhsoft.net
On 20.11.2013 13:55, bitozoid wrote:
> On Tue, Nov 19, 2013 at 1:32 PM, Brian Evans  wrote:
>> The smtp client process does not have support for the deprecated smtps
>> protocol (465) you are trying to use.
> 
> I have another instance of postfix working against other smarthost
> (Exchange in this case) via port 465, and it seems not to be a problem
> at all

you do not - not with a public relay - period

> Afaik it is better to work with standard port numbers,
> but it is not a requirement

if the other side is your server and you configured 465 wrong with STARTTLS yes
but 587/465 is not only the port, 465 is TLS wrapper mode which means the
initial connection has to be done encrypted and so it works technically
completely different than STARTTLS
___

http://www.postfix.org/TLS_README.html

Client-side SMTPS support
Although the Postfix SMTP client by itself doesn't support TLS wrapper mode,
it is relatively easy to forward a connection through the stunnel program if
Postfix needs to deliver mail to some legacy system that doesn't support
STARTTLS. Use one of the following two examples, to send only some remote
mail, or to send all remote mail, to an SMTPS server.
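
The difference between the two modes, and why a STARTTLS-only client such as the Postfix 2.6 SMTP client times out on a wrapper-mode port, shown as an added example that is not part of the thread or of Postfix. The two loopback listeners are constructed stand-ins for the remote servers, and all function names are hypothetical.

```python
import socket
import threading

WRAPPER = "no greeting: peer expects TLS first (wrapper mode / SMTPS)"
PLAIN = "plaintext 220 greeting: TLS is negotiated later via STARTTLS"

def _serve_once(listener, wrapper_mode):
    """Constructed stand-in for a remote mail server on a loopback port."""
    conn, _ = listener.accept()
    with conn:
        if wrapper_mode:
            # Port 465 behaviour: stay silent until a TLS ClientHello
            # arrives (a TLS handshake record starts with byte 0x16).
            conn.settimeout(2.0)
            try:
                conn.recv(1)
            except OSError:
                pass
        else:
            # Port 25/587 behaviour: the server speaks first, in cleartext.
            conn.sendall(b"220 mx.example.test ESMTP\r\n")

def start_listener(wrapper_mode):
    """Start a one-shot loopback listener and return its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once, args=(listener, wrapper_mode),
                     daemon=True).start()
    return listener.getsockname()[1]

def probe_greeting(host, port, timeout=0.5):
    """Behave like a cleartext SMTP client: connect, then wait for 220."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(512)
        except socket.timeout:
            # Both ends are now waiting for the other to speak; this is
            # the hang a STARTTLS-only client sees on a wrapper-mode port.
            return WRAPPER
    return PLAIN if data.startswith(b"220") else "unexpected reply"

if __name__ == "__main__":
    for mode in (False, True):
        print(mode, probe_greeting("127.0.0.1", start_listener(mode)))
```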


Re: virtual domains and aliases

2013-11-20 Thread Benny Pedersen

Pol Hallen wrote on 2013-11-19 22:39:
> Hi all :-) I've several virtual domains and I looking for how create the
> aliases for each domains (aliases like postmaster, root, etc.)
>
> I found this
> http://serverfault.com/questions/171616/postfix-how-to-make-aliases-work-for-virtual-domains

link is for virtual alias, not system alias

> that says something like this: "putting postmaster, root, etc" to
> /etc/aliases:

this file contains:

root: foo

formatted lines

> /^(postmaster|root|MAILER-DAEMON|abuse)@/   postmaster
> /^(bin|daemon|named|nobody|uucp|www|ftp-bugs|postfix|manager|dumper|operator|decode)@/   root

this is not supported in /etc/aliases

> or use this:
>
> /^postmaster@/ postmaster
> /^root@/   postmaster
> /^MAILER-DAEMON@/  postmaster

multiple lines does not help in aliases

but it works as virtual alias if using pcre or regexp table in postfix

> is this correct way to do this?

no there is just multiple problems :)




Re: virtual domains and aliases

2013-11-20 Thread Benny Pedersen

Pol Hallen wrote on 2013-11-19 22:54:
>> Instead, use a script that generates explicit postmas...@example.com
>> entries etc. when you host a new domain.
>
> thanks for reply. Is there an example of that script? Need I create a
> virtual domain or only something that redirect (i.e.
> postmas...@example.org) to virtual domain?

maybe http://forums.freebsd.org/showthread.php?t=5654 ?
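
One way such a generator could look, as an added example that is not from the thread or the linked page: it emits explicit virtual(5) entries for the role addresses named in the regexp quoted earlier, skips keys the table already defines, and rejects domain strings that could inject extra entries. The domains, the target mailbox hostmaster@example.net and the sample table are constructed, and the function names are hypothetical.

```python
import re

# Role local parts taken from the regexp quoted in the thread.
ROLES = ("postmaster", "root", "MAILER-DAEMON", "abuse")
DOMAIN_RE = re.compile(r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Constructed sample of an existing virtual alias table.
SAMPLE_TABLE = """\
# hosted domains
postmaster@example.org    alice@example.org
info@example.org          bob@example.org,
    carol@example.org
"""

def existing_keys(table_text):
    """Left-hand keys already present in a virtual(5) style table."""
    keys = set()
    for line in table_text.splitlines():
        # Blank lines, comments and indented continuation lines carry no key.
        if line and not line[0].isspace() and not line.startswith("#"):
            keys.add(line.split()[0].lower())
    return keys

def role_alias_lines(domains, target, table_text=""):
    """Return 'role@domain<TAB>target' lines for every missing role alias."""
    have = existing_keys(table_text)
    lines = []
    for domain in domains:
        domain = domain.strip().lower()
        # The name ends up in a lookup table: whitespace or newlines in it
        # would create entries nobody reviewed, so reject anything odd.
        if not DOMAIN_RE.fullmatch(domain):
            raise ValueError(f"refusing suspicious domain name: {domain!r}")
        for role in ROLES:
            # Keys are written in lower case to match case-folded lookups.
            key = f"{role.lower()}@{domain}"
            if key not in have:  # never shadow an explicit entry
                lines.append(f"{key}\t{target}")
                have.add(key)
    return lines

if __name__ == "__main__":
    print("\n".join(role_alias_lines(["example.org", "example.net"],
                                     "hostmaster@example.net", SAMPLE_TABLE)))
```

Append the output to the file behind virtual_alias_maps and rebuild it with postmap if the map type is an indexed one.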




smtp server load balancing

2013-11-20 Thread Roman Gelfand
I have created the following smtp load balancing setup

            lb1 (keepalived server)  host mx...   ip .249
                            ||
                            ||
                            ||

              ||                                  ||
              ||                                  ||
              ||                                  ||
host mx1...  ip .244 (postfix smtp) host mx2... ip .245 (postfix smtp)

On each m1... and mx2... mail servers I added


interfaces
--
auto lo:(depending on machine 244 or 245)
iface lo:(depending on machine 244 or 245) or  inet static
address 192.168.0.(depending on machine 244 or 245)
netmask 255.255.255.255
broadcast 192.168.0.255
pre-up echo 1 >/proc/sys/net/ipv4/conf/all/arp_ignore; echo 2 >/proc/sys/net/ipv4/conf/all/arp_announce

/etc/sysctl.conf
---

net.ipv6.conf.all.disable_ipv6 = 1

/etc/postfix/main.cf


inet_interfaces = 127.0.0.1, 192.168.0.(depending on machine 244 or 245)
smtp_bind_address = 192.168.0.(depending on machine 244 or 245)
inet_protocols = ipv4
smtp_address_preference = ipv4


so that when I do telnet mx... 25, I should connect to the next
available server either .244 or .245.

I have confirmed that lb1 keepalived server is working.  The problem
is mx1... and mx2... are not accepting connection.

There is one other item that supposedly I should have added.  But
postfix doesn't like when I add this line to master.cf.

192.168.0.249:smtp inet  n   -   n   -   -   smtpd
-o myhostname=mx...
-o smtp_helo_name=mx...


Re: smtp server load balancing

2013-11-20 Thread /dev/rob0
On Wed, Nov 20, 2013 at 11:34:45AM -0500, Roman Gelfand wrote:
> I have created the following smtp load balancing setup

What kind of load do you wish to balance? Inbound load?

> lb1 (keepalived server)  host mx...   ip .249
>  ||
>  ||
>  ||
>   
>   || ||
>   || ||
>   || ||
> host mx1...  ip .244 (postfix smtp) host mx2... ip .245 (postfix smtp)
> 
> On each m1... and mx2... mail servers I added
[snip irrelevant parts]

> /etc/postfix/main.cf
> 
> 
> inet_interfaces = 127.0.0.1, 192.168.0.(depending on machine 244 or 245)
> smtp_bind_address = 192.168.0.(depending on machine 244 or 245)

Do you need these? Why? Why not defaults?

> inet_protocols = ipv4
> smtp_address_preference = ipv4
> 
> 
> so that when I do telnet mx... 25, I should connect to the next
> available server either .244 or .245.

Ah, you are talking about inbound load, then.

> I have confirmed that lb1 keepalived server is working.  The 
> problem is mx1... and mx2... are not accepting connection.

How did you test this? And they logged ... ?

http://www.postfix.org/DEBUG_README.html#mail

> There is one other item that supposedly I should have added.  But
> postfix doesn't like when I add this line to master.cf.
> 
> 192.168.0.249:smtp inet  n   -   n   -   -   smtpd

Why do you think you need this? What's wrong with the default 
smtpd(8) command line?

> -o myhostname=mx...

myhostname is global. This won't work as you might expect.

> -o smtp_helo_name=mx...

smtp_* settings are only applicable to the smtp(8) client.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


submission: content_filter and altermime

2013-11-20 Thread Jesus Cordoba Casado
Hello,

I'm already using amavis as content filter for submission:

submission inet n   -   n   -   -   smtpd
...
-o content_filter=amavis:[127.0.0.1]:10024
...
   
and now I would like to add altermime, but can't find the way to do this. I
tried

-o content_filter=amavis:[127.0.0.1]:10024,dfilt:

getting "fatal: garbage after numerical service in server description:
[127.0.0.1]:10024,dfilt"

dfilt: is defined.

dfilt     unix  -       n       n       -       -       pipe
  flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} -- ${recipient}

Thank you



Re: smtp server load balancing

2013-11-20 Thread Roman Gelfand
Actually, I would like to use it as outbound load.  Ah... I see what
you are saying (smtpd).

I guess the master.cf changes are irrelevant.

In any case, to test I issue  telnet 192.168.0.249 25 from a
workstation on this lan.  I am expecting to connect to postfix on
192.168.0.244.

If issue telnet 192.168.0.244 25 or telnet 192.168.0.245 25 from a
workstation on lan or from 192.168.0.249, it works.

Any help is appreciated.


On Wed, Nov 20, 2013 at 11:56 AM, /dev/rob0  wrote:
> On Wed, Nov 20, 2013 at 11:34:45AM -0500, Roman Gelfand wrote:
>> I have created the following smtp load balancing setup
>
> What kind of load do you wish to balance? Inbound load?
>
>> lb1 (keepalived server)  host mx...   ip .249
>>  ||
>>  ||
>>  ||
>>   
>>   || ||
>>   || ||
>>   || ||
>> host mx1...  ip .244 (postfix smtp) host mx2... ip .245 (postfix smtp)
>>
>> On each m1... and mx2... mail servers I added
> [snip irrelevant parts]
>
>> /etc/postfix/main.cf
>> 
>>
>> inet_interfaces = 127.0.0.1, 192.168.0.(depending on machine 244 or 245)
>> smtp_bind_address = 192.168.0.(depending on machine 244 or 245)
>
> Do you need these? Why? Why not defaults?
>
>> inet_protocols = ipv4
>> smtp_address_preference = ipv4
>>
>>
>> so that when I do telnet mx... 25, I should connect to the next
>> available server either .244 or .245.
>
> Ah, you are talking about inbound load, then.
>
>> I have confirmed that lb1 keepalived server is working.  The
>> problem is mx1... and mx2... are not accepting connection.
>
> How did you test this? And they logged ... ?
>
> http://www.postfix.org/DEBUG_README.html#mail
>
>> There is one other item that supposedly I should have added.  But
>> postfix doesn't like when I add this line to master.cf.
>>
>> 192.168.0.249:smtp inet  n   -   n   -   -   smtpd
>
> Why do you think you need this? What's wrong with the default
> smtpd(8) command line?
>
>> -o myhostname=mx...
>
> myhostname is global. This won't work as you might expect.
>
>> -o smtp_helo_name=mx...
>
> smtp_* settings are only applicable to the smtp(8) client.
> --
>   http://rob0.nodns4.us/ -- system administration and consulting
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: submission: content_filter and altermime

2013-11-20 Thread /dev/rob0
On Wed, Nov 20, 2013 at 06:02:54PM +0100, Jesus Cordoba Casado wrote:
> I'm already using amavis as content filter for submission:
> 
> submission inet n   -   n   -   -   smtpd
> ...
> -o content_filter=amavis:[127.0.0.1]:10024
> ...
>
> and now I would to add altermime, but can't find the way to do 
> this. I tried

Perhaps you want to add altermime into amavisd via a policy bank for 
submission?

> -o content_filter=amavis:[127.0.0.1]:10024,dfilt:
> 
> getting "fatal: garbage after numerical service in server 
> description: [127.0.0.1]:10024,dfilt"

Right. This is not proper content_filter syntax.

> dfilt: is defined.

But you cannot make up multiple transport syntax that does not exist. 
You have to use valid syntax in your master.cf file. You can choose 
to send submission mail to amavisd OR to "dfilt", not both.

> dfilt unix-   n   n   -   -   pipe
> flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} --
> ${recipient}
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: submission: content_filter and altermime

2013-11-20 Thread Jesus Cordoba Casado
Obviously.

Yes, amavis will do the job.

Thank you

On 20/11/13 18:15, /dev/rob0 wrote:
> On Wed, Nov 20, 2013 at 06:02:54PM +0100, Jesus Cordoba Casado wrote:
>> I'm already using amavis as content filter for submission:
>>
>> submission inet n   -   n   -   -   smtpd
>> ...
>> -o content_filter=amavis:[127.0.0.1]:10024
>> ...
>>
>> and now I would to add altermime, but can't find the way to do 
>> this. I tried
> Perhaps you want to add altermime into amavisd via a policy bank for 
> submission?
>
>> -o content_filter=amavis:[127.0.0.1]:10024,dfilt:
>>
>> getting "fatal: garbage after numerical service in server 
>> description: [127.0.0.1]:10024,dfilt"
> Right. This is not proper content_filter syntax.
>
>> dfilt: is defined.
> But you cannot make up multiple transport syntax that does not exist. 
> You have to use valid syntax in your master.cf file. You can choose 
> to send submission mail to amavisd OR to "dfilt", not both.
>
>> dfilt unix-   n   n   -   -   pipe
>> flags=Rq user=filter argv=/etc/postfix/disclaimer -f ${sender} --
>> ${recipient}



incoming mail errors

2013-11-20 Thread Dave Johnsom
Hi All

This machine is a new install and I am getting the following error

Nov 20 19:43:13 mail postfix/smtpd[6387]: NOQUEUE: reject: RCPT from
..x[209.97.202.1]: 554 5.7.1 : Recipient
address rejected: Greylisting in effect, sending server blacklisted;
from= to= proto=ESMTP
helo=


Any help please


Regards



Re: incoming mail errors

2013-11-20 Thread Noel Jones
On 11/20/2013 11:52 AM, Dave Johnsom wrote:
> Hi All
> 
> This machine s a new install and I am getting the following error
> 
> Nov 20 19:43:13 mail postfix/smtpd[6387]: NOQUEUE: reject: RCPT from
> ..x[209.97.202.1]: 554 5.7.1  >: Recipient address rejected: Greylisting
> in effect, sending server blacklisted; from= > to=mailto:petr@soap> co.za>
> proto=ESMTP helo=
> 
> 
> Any help please

This isn't an error. You enabled some third-party greylisting
plugin, and it looks as if it's working.

If something isn't working as expected, you'll need to explain further.
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones


Re: incoming mail errors

2013-11-20 Thread Dave Johnsom
How do I disable the plugin?
root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain,
localhost.$myhostname
mydomain = sdynserver.co.za
myhostname = shelcocpt.dynserver.co.za
mynetworks = 127.0.0.0/8 192.168.0.0/24
mynetworks_style = host
myorigin = mail.shelco.co.za
proxy_read_maps = $canonical_maps $lmtp_generic_maps
$local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps
$recipient_canonical_maps $relay_domains $relay_recipient_maps
$relocated_maps $sender_bcc_maps $sender_canonical_maps
$smtp_generic_maps $smtpd_sender_login_maps $transport_maps
$virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains
$virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps =
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination,
proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = [smtp.saix.net]
sender_bcc_maps =
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:, check_policy_service
inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps =
proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_sender_login_mismatch,
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf,
proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/po

Re: smtp server load balancing

2013-11-20 Thread Robert Schetterer


On 20.11.2013 17:34, Roman Gelfand wrote:
> I have created the following smtp load balancing setup
> 
> lb1 (keepalived server)  host mx...   ip .249
>  ||
>  ||
>  ||
>   
>   || ||
>   || ||
>   || ||
> host mx1...  ip .244 (postfix smtp) host mx2... ip .245 (postfix smtp)
> 
> On each m1... and mx2... mail servers I added
> 
> 
> interfaceces
> --
> auto lo:(depending on machine 244 or 245)
> iface lo:(depending on machine 244 or 245) or  inet static
> address 192.168.0.(depending on machine 244 or 245)
> netmask 255.255.255.255
> broadcast 192.168.0.255
> pre-up echo 1 >/proc/sys/net/ipv4/conf/all/arp_ignore; echo 2
>> /proc/sys/net/ipv4/conf/all/arp_announce
> 
> /etc/sysctl.conf
> ---
> 
> net.ipv6.conf.all.disable_ipv6 = 1
> 
> /etc/postfix/main.cf
> 
> 
> inet_interfaces = 127.0.0.1, 192.168.0.(depending on machine 244 or 245)
> smtp_bind_address = 192.168.0.(depending on machine 244 or 245)
> inet_protocols = ipv4
> smtp_address_preference = ipv4
> 
> 
> so that when I do telnet mx... 25, I should connect to the next
> available server either .244 or .245.
> 
> I have confirmed that lb1 keepalived server is working.  The problem
> is mx1... and mx2... are not accepting connection.
> 
> There is one other item that supposedly I should have added.  But
> postfix doesn't like when I add this line to master.cf.
> 
> 192.168.0.249:smtp inet  n   -   n   -   -   smtpd
> -o myhostname=mx...
> -o smtp_helo_name=mx...
> 


perhaps comparing helps, but be aware the described setup may be different
from yours

http://sys4.de/de/blog/2013/06/10/loadbalancing-mit-keepalived-postfix-dovecot/

sorry only german

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


Re: incoming mail errors

2013-11-20 Thread Manuel Bieling
On 2013.11.20 20:19:50 +0200, Dave Johnsom wrote:
> How Do I disable te plugin 
> smtpd_recipient_restrictions = reject_unknown_sender_domain,
> reject_unknown_recipient_domain, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_unlisted_recipient,
> check_policy_service inet:127.0.0.1:, check_policy_service
> inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated,
> reject_unauth_destination

The answer to your question is somewhere in 'smtpd_recipient_restrictions'.
To disable the greylisting remove 'check_policy_service ...'.

This will not disable the policy service itself. And this is not an
adequate solution. Please think what you want to achieve and why the policy
service is triggered.

-- 
Best regards,
Manuel
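
An added example (not from the thread or from Postfix) that parses the smtpd_recipient_restrictions value posted above, reports where each check_policy_service sits relative to the permit_* entries, and builds the list with the policy services removed. The function names are hypothetical; the first endpoint has no port as it appears on this page, and the parser reports that rather than guessing one.

```python
import re

# smtpd_recipient_restrictions as posted in the thread.
POSTED = """reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:, check_policy_service
inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination"""

PERMITS = ("permit_mynetworks", "permit_sasl_authenticated")

def parse_restrictions(value):
    """Split on commas/whitespace; every check_* restriction takes one argument."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    items, i = [], 0
    while i < len(words):
        if words[i].startswith("check_") and i + 1 < len(words):
            items.append((words[i], words[i + 1]))
            i += 2
        else:
            items.append((words[i], None))
            i += 1
    return items

def audit(value):
    """Return findings about policy services and relay protection."""
    items = parse_restrictions(value)
    names = [name for name, _ in items]
    first_permit = min((names.index(p) for p in PERMITS if p in names),
                       default=len(names))
    findings = []
    for pos, (name, arg) in enumerate(items):
        if name != "check_policy_service":
            continue
        if not re.fullmatch(r"inet:[^:\s]+:\d+|unix:\S+", arg or ""):
            findings.append(f"{arg}: endpoint has no usable port or path")
        if pos < first_permit:
            # Restrictions are evaluated in order, so this service also
            # judges mail from mynetworks and authenticated clients.
            findings.append(f"{arg}: consulted before the permit_* entries")
    if "reject_unauth_destination" not in names:
        findings.append("reject_unauth_destination missing: relay is not restricted")
    return findings

def without_policy_services(value):
    """The same list with every check_policy_service entry dropped."""
    return ", ".join(name if arg is None else f"{name} {arg}"
                     for name, arg in parse_restrictions(value)
                     if name != "check_policy_service")

if __name__ == "__main__":
    print("\n".join(audit(POSTED)))
    print(without_policy_services(POSTED))
```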


Re: virtual domains and aliases

2013-11-20 Thread John
Or, install postfixadmin and change the associated tables to SQL. Which 
makes life considerably simpler.