how force sasl from localhost
Hi folks,

I already read about SASL, Postfix and other docs. External SASL authentication works; I need to force users to authenticate from localhost (i.e. CMS Joomla and WordPress).

Inside main.cf, before:

    mynetworks = 127.0.0.0/8, 192.168.1.0/24

after:

    #mynetworks = 127.0.0.0/8, 192.168.1.0/24
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous

Commenting out "mynetworks" does not work, so I also explicitly put:

    smtpd_recipient_restrictions =
        check_policy_service inet:127.0.0.1:10031
        #permit_mynetworks,
        #permit_inet_interfaces,
        [...]

or alternatively substituted permit_mynetworks with reject_mynetworks; users can still send email from localhost. What's wrong?

Thanks
Pol
Re: Send from third-level domain to second-level
Hi,

actually the suggestion helped :) I didn't notice the section:

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#null_client

that pointed me in the right direction. By leaving mydestination blank and by setting myorigin to my 2nd level, I can use /etc/postfix/virtual to redirect only root, while getting mail for the other users automatically delivered to the external mailboxes.

Or, if I still want to see when a mail is originated from the server and not from a normal mail client, I can set myorigin to the 3rd level and manually (not very beautifully) enter the replacements in /etc/postfix/virtual, so that the sender appears to be user@3rd-level but they are still delivered to user@2nd-level.

Regards,
Olaf

On 09/Feb/2014, at 02:19, Wietse Venema wrote:

> Olaf Marzocchi:
>> - from command line to local users, without any domain: send to
>> "u...@marzocchi.net"
> ...
>> - sender domain should appear to be the 3rd level domain.
>
> Sorry, Postfix is consistent. If the sender or recipient address
> has no domain, then it appends $myorigin, as documented in:
>
> http://www.postfix.org/BASIC_CONFIGURATION_README.html
>
> To deliver some recipients locally, see:
>
> http://www.postfix.org/STANDARD_CONFIGURATION_README.html
>
> Wietse
Re: how force sasl from localhost
On 09.02.2014 12:32, Pol Hallen wrote:
> External sasl authentication works, I need force users to authentication
> from localhost (i.e. CMS joomla and wordpress).
>
> inside main.cf:
>
> before:
>
> mynetworks = 127.0.0.0/8, 192.168.1.0/24
>
> after
>
> #mynetworks = 127.0.0.0/8, 192.168.1.0/24

Re-read the manual:

    mynetworks (default: see "postconf -d" output)

Removing the line means falling back to the defaults:

    postconf -d | grep mynetworks
    mynetworks = 127.0.0.0/8 62.178.103.0/24 192.168.2.0/24 192.168.10.0/24 192.168.196.0/24 10.0.0.0/24

However, configuring your applications to use port 587 and closing 25 on 127.0.0.1 may be the easier way to achieve the goal, which is no problem with iptables.

___

If you need more help, provide the logs of a relevant message. Until now there is no evidence that whatever message was even sent with SMTP and not pickup (sendmail command), where smtp restrictions are completely irrelevant.

If it is pickup, then disable "mail" and a lot of other dangerous PHP functions; they will always make it possible to bypass *any* restrictions. Below is a sane PHP configuration from a production server:

    disable_functions = "apache_child_terminate, chown, dl, exec, fileinode,
        get_current_user, getmypid, getmyuid,
        getrusage, highlight_file, link, mail, openlog, passthru, pclose,
        pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
        pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority,
        pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
        pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait,
        pcntl_waitpid, pcntl_wexitstatus,
        pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig,
        pcntl_wtermsig, pfsockopen, popen,
        posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,
        proc_close, proc_get_status, proc_nice,
        proc_open, proc_terminate, shell_exec, show_source, socket_accept,
        socket_bind, symlink, syslog, system"
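The reply above turns on one question: did the message reach Postfix through smtpd at all, or through pickup (the sendmail command), where no smtpd restriction is consulted? The following is an added example, not code from this thread or from Postfix: it parses Postfix-style log lines and sorts each queue ID by ingestion path, then flags loopback SMTP sessions without a sasl_username (the case the original poster wants rejected) and pickup submissions (which bypass smtpd entirely). The log lines, queue IDs, host names and addresses are constructed.

```python
"""Classify how each message entered Postfix from mail log lines.

Added example, not code from the thread above: the reply says to look at the
log of a relevant message, because mail handed to the sendmail command comes
in through postfix/pickup, where smtpd restrictions never apply, while SMTP
submissions show up in postfix/smtpd with (or without) a sasl_username.
The log lines, queue IDs, host names and addresses below are constructed.
"""
import ipaddress
import re

# Constructed sample, following Postfix's syslog line format.
SAMPLE_LOG = """\
Feb  9 12:30:01 mx postfix/pickup[1234]: 1A2B3C4D5E: uid=33 from=<www-data>
Feb  9 12:30:01 mx postfix/cleanup[1235]: 1A2B3C4D5E: message-id=<a1@mx.example.org>
Feb  9 12:31:05 mx postfix/smtpd[1300]: connect from localhost[127.0.0.1]
Feb  9 12:31:05 mx postfix/smtpd[1300]: 2B3C4D5E6F: client=localhost[127.0.0.1]
Feb  9 12:32:00 mx postfix/smtpd[1301]: 3C4D5E6F7A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=joomla@example.org
Feb  9 12:33:10 mx postfix/smtpd[1302]: 4D5E6F7A8B: client=mail.example.net[203.0.113.7]
"""

# pickup logs the local uid that ran sendmail(1); smtpd logs the client
# and, when the session authenticated, sasl_method/sasl_username.
PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)")
SASL_RE = re.compile(r"sasl_username=(?P<user>[^\s,]+)")


def parse_ingestion(log_text):
    """Map queue ID -> how the message entered (pickup or smtpd) and by whom."""
    messages = {}
    for line in log_text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            messages[m["qid"]] = {"path": "pickup", "uid": int(m["uid"]),
                                  "sender": m["sender"]}
            continue
        m = SMTPD_RE.search(line)
        if m:
            sasl = SASL_RE.search(m["rest"])
            messages[m["qid"]] = {"path": "smtpd", "client_ip": m["ip"],
                                  "sasl_username": sasl["user"] if sasl else None}
    return messages


def unauthenticated_loopback_smtp(messages):
    """Queue IDs that came in over SMTP from a loopback address without SASL.

    These are the submissions the original poster wants smtpd to reject; if
    this list is empty, the restriction chain is not what lets the mail through.
    """
    return sorted(qid for qid, info in messages.items()
                  if info["path"] == "smtpd"
                  and info["sasl_username"] is None
                  and ipaddress.ip_address(info["client_ip"]).is_loopback)


def pickup_submissions(messages):
    """Queue IDs that never touched smtpd, so no smtpd_*_restrictions applied."""
    return sorted(qid for qid, info in messages.items() if info["path"] == "pickup")


if __name__ == "__main__":
    msgs = parse_ingestion(SAMPLE_LOG)
    print("via pickup (smtpd restrictions bypassed):", pickup_submissions(msgs))
    print("loopback SMTP without SASL:", unauthenticated_loopback_smtp(msgs))
```

Run against a real mail.log, a queue ID that appears only under postfix/pickup is the case the reply describes: the PHP mail() call handed the message to the sendmail binary, and no change to smtpd_recipient_restrictions will ever affect it.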
Re: how force sasl from localhost
> however, configure your applications to use port 587 and close 25
> on 127.0.0.1 may be the easier way to achieve the goal which is
> no problem with iptables

Excellent solution! Thanks :-)

> if it is pickup than disable "mail" and a lot of other dangerous PHP
> functions

In php.ini I've "only" these:

    disable_functions = phpinfo,exec,shell_exec,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

so I'll add yours! Is there a complete index of functions that I can check to allow or deny?

Many thanks for the help!
Pol

> disable_functions = "apache_child_terminate, chown, dl, exec, fileinode,
> get_current_user, getmypid, getmyuid,
> getrusage, highlight_file, link, mail, openlog, passthru, pclose,
> pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
> pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority,
> pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask,
> pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait,
> pcntl_waitpid, pcntl_wexitstatus,
> pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig,
> pcntl_wtermsig, pfsockopen, popen,
> posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid,
> proc_close, proc_get_status, proc_nice,
> proc_open, proc_terminate, shell_exec, show_source, socket_accept,
> socket_bind, symlink, syslog, system"
>
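Pol's question of which functions from the quoted list are still missing from his own php.ini is a set comparison once both values are parsed the way PHP reads them. The block below is an added example, not code from this thread or from PHP: the two lists are exactly the values posted above (Pol's unquoted, comma-separated line and the quoted, comma-and-space-separated production-server line); the parser, the comparison helpers and the merged-line generator are constructed here.

```python
"""Compare a php.ini disable_functions list against a reference list.

Added example, not code from the thread: the two values below are the lists
posted in this thread (Pol's php.ini line and the production-server line
quoted from the reply); the parsing and comparison code is constructed here.
"""
import re

# Pol's current php.ini value, as posted (unquoted, comma separated).
MINE = ("phpinfo,exec,shell_exec,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,"
        "pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,"
        "pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,"
        "pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,"
        "pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,system,"
        "proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source")

# The production-server value from the reply (quoted, comma+space separated).
REFERENCE = ('"apache_child_terminate, chown, dl, exec, fileinode, get_current_user, '
             'getmypid, getmyuid, getrusage, highlight_file, link, mail, openlog, '
             'passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, '
             'pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, '
             'pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, '
             'pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, '
             'pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, '
             'pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, '
             'posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, '
             'proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, '
             'shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, '
             'system"')


def parse_disable_functions(value):
    """Turn the right-hand side of a disable_functions line into a set of names.

    php.ini values may be wrapped in quotes, and PHP splits the list on commas
    and/or whitespace, so both styles seen in the thread parse the same way.
    Function names are case-insensitive in PHP, hence the lower().
    """
    value = value.strip()
    if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
        value = value[1:-1]
    return {name.lower() for name in re.split(r"[,\s]+", value) if name}


def missing_from(mine, reference):
    """Functions in the reference list that my php.ini does not disable."""
    return sorted(parse_disable_functions(reference) - parse_disable_functions(mine))


def extra_in(mine, reference):
    """Functions I disable that the reference list does not mention."""
    return sorted(parse_disable_functions(mine) - parse_disable_functions(reference))


def merged_ini_line(mine, reference):
    """A single php.ini line disabling the union of both lists."""
    names = parse_disable_functions(mine) | parse_disable_functions(reference)
    return "disable_functions = " + ",".join(sorted(names))


if __name__ == "__main__":
    print("missing:", ", ".join(missing_from(MINE, REFERENCE)))
    print("extra:", ", ".join(extra_in(MINE, REFERENCE)))
    print(merged_ini_line(MINE, REFERENCE))
```

On these two inputs the reference list contributes 29 names Pol does not yet disable (mail, passthru, pfsockopen and the posix_* family among them), while Pol's list adds four the reference does not mention (phpinfo, curl_exec, curl_multi_exec, parse_ini_file); the merged line keeps all 59.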
Assistance needed getting Postfix, Mailman and MySQL to work with Virtual Domains
Hello:

Currently I've got Postfix running with virtual domains with a MySQL database successfully and am trying to get Mailman to do so as well. I can get one domain to work, mailt...@netwrx1.org, but anything else is failing as below. Can someone assist? I've loaded the aliases as shown into MySQL and the snip of the mm_cfg.py is below as well. I've looked at various on-line FAQs and other references but am still stuck - have bounced all the relevant items, postfix and mailman, apache2, etc.

I can send out messages to the list and they don't show as bouncing in the logs below, but I also don't ever see them come back to the list here. One list works - the first I set up; one does nothing - no errors that I see, just mail never gets to the list. I'm set for "get received notice" here in Outlook, so I see it got there to the server:

    Your message has been delivered to the following groups:
    skunk-wo...@netwrx1.org
    Subject: Test Message

    Feb 8 16:12:34 eagle postgrey[16312]: action=pass, reason=triplet found, client_name=mail-bn1lp0149.outbound.protection.outlook.com, client_address=207.46.163.149, sender=gkas...@netwrx1.com, recipient=skunk-wo...@netwrx1.org
    Feb 8 16:12:34 eagle postgrey[16312]: action=pass, reason=triplet found, client_name=mail-bn1lp0149.outbound.protection.outlook.com, client_address=207.46.163.149, sender=gkas...@netwrx1.com, recipient=skunk-wo...@netwrx1.org
    Feb 8 16:12:37 eagle postfix/pipe[21348]: 44236121652: to=, orig_to=, relay=spamassassin, delay=30, delays=27/0.01/0/3.1, dsn=2.0.0, status=sent (delivered via spamassassin service)
    Feb 8 16:12:38 eagle postfix/pipe[21355]: B85CD121CCD: to=, relay=mailman, delay=0.54, delays=0.19/0.01/0/0.35, dsn=2.0.0, status=sent (delivered via mailman service)

Looking at the mailman logs, the only one with any activity at the time I sent a test message is one called vette:

    # cat vette
    Feb 08 16:12:39 2014 (20887) Message discarded, msgid: <8ec65c559e294241ba9cb4bfa98b6...@bn1pr05mb188.namprd05.prod.outlook.com>

The setup I have in MySQL and Postfix is all the setup doc told me to add to postfix:

    mailman unix - n n - - pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

Which points to /usr/lib/mailman/bin/postfix-to-mailman.py -> /etc/mailman/postfix-to-mailman.py

    /etc/postfix# cat transport
    lists.netwrx1.org mailman:

In MySQL for aliases etc. This is the mailtest list that works:

    INSERT INTO aliases (mail,destination) VALUES
    ('mailt...@netwrx1.org','mailt...@lists.netwrx1.org'),
    ('mailtest-ad...@netwrx1.org','mailtest-ad...@lists.netwrx1.org'),
    ('mailtest-boun...@netwrx1.org','mailtest-boun...@lists.netwrx1.org'),
    ('mailtest-conf...@netwrx1.org','mailtest-conf...@lists.netwrx1.org'),
    ('mailtest-j...@netwrx1.org','mailtest-j...@lists.netwrx1.org'),
    ('mailtest-le...@netwrx1.org','mailtest-le...@lists.netwrx1.org'),
    ('mailtest-ow...@netwrx1.org','mailtest-ow...@lists.netwrx1.org'),
    ('mailtest-requ...@netwrx1.org','mailtest-requ...@lists.netwrx1.org'),
    ('mailtest-subscr...@netwrx1.org','mailtest-subscr...@lists.netwrx1.org'),
    ('mailtest-unsubscr...@netwrx1.org','mailtest-unsubscr...@lists.netwrx1.org');

Here is skunk-works that doesn't:

    INSERT INTO aliases (mail,destination) VALUES
    ('mailt...@netwrx1.org','mailt...@lists.netwrx1.org'),
    ('mailtest-ad...@netwrx1.org','mailtest-ad...@lists.netwrx1.org'),
    ('mailtest-boun...@netwrx1.org','mailtest-boun...@lists.netwrx1.org'),
    ('mailtest-conf...@netwrx1.org','mailtest-conf...@lists.netwrx1.org'),
    ('mailtest-j...@netwrx1.org','mailtest-j...@lists.netwrx1.org'),
    ('mailtest-le...@netwrx1.org','mailtest-le...@lists.netwrx1.org'),
    ('mailtest-ow...@netwrx1.org','mailtest-ow...@lists.netwrx1.org'),
    ('mailtest-requ...@netwrx1.org','mailtest-requ...@lists.netwrx1.org'),
    ('mailtest-subscr...@netwrx1.org','mailtest-subscr...@lists.netwrx1.org'),
    ('mailtest-unsubscr...@netwrx1.org','mailtest-unsubscr...@lists.netwrx1.org');

Currently the Postfix/Mailman setup is set for MySQL simply because that's the FAQ I followed - http://flurdy.com/docs/postfix/ - but this is a VERY small environment... would I be better served to go the route of hash.db tables and rebuild this to work that way? (I'm not a huge MySQL fan personally; for this it seems like overkill.) We're talking 10 lists with maybe 1000 users total between them and about the same number of 10 virtual domains to handle mail.

In the end what I need for it to do is handle the following Mailman lists via postfix somehow:

    c...@mke-skywarn.org
    feath...@netwrx1.org
    h...@mke-skywarn.org
    m...@mke-skywarn.org
    masa...@mke-skywarn.org
    muf...@petdiabetes.net
    pethea...@netwrx1.org
    rainbowbri...@netwrx1.org
    skunk-wo...@netwrx1.org

I've currently built it, Mailman with Postfix using MySQL, as that's the HOWTO I followed at: http://freemars.org
problem with postfix-sasl and debian 7: SASL PLAIN authentication failed: no mechanism available
Dear all,

I've got a problem with postfix-sasl and Debian 7. I've copied the configuration from a Debian 6 working scenario; Postfix is using virtual mysql cnf and SASL is configured to auth users via SQL. On the new Debian 7 server SASL auth fails and I get in mail.log:

    SASL PLAIN authentication failed: no mechanism available

Here is some configuration.

Relevant part of /etc/postfix/main.cf:

    smtpd_sasl_type = cyrus
    smtpd_sasl_path = smtpd

My /etc/default/saslauthd:

    START=yes
    MECHANISMS="pam"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

My /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: sql
    sql_hostnames: xxx
    sql_user: xxx
    sql_passwd: xxx
    sql_database: xxx
    sql_select: select password from mailbox where username = '%u@%r'
    saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux

My /etc/pam.d/smtp:

    auth required pam_mysql.so user=xxx passwd=xxx host=xxx db=xxx table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 verbose=5
    account sufficient pam_mysql.so user=xxx passwd=xxx host=xxx db=xxx table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 verbose=5

The strange thing is that if I run:

    testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u xxx -p xxx
    0: NO "authentication failed"

but, if I run:

    testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u xxx -p xxx -s smtp
    0: OK "Success."

So, it seems that Postfix doesn't pass the information to saslauthd to use the service smtp; is that correct? Can you help me figure it out?

Thanks
-- 
/*/ nik600
http://www.kumbe.it
[OT] SELinux Policies (port & maildir location)
I have Postfix running on CentOS 6 with SELinux in enforcing targeted mode. By default, SELinux will block the following two components of my system:

* A custom smtpd instance listening on the loopback interface on port 10025
* Using Postfix virtual as the delivery agent to maildirs that are not under the normal local /var/spool/mail

I'm not an SELinux expert, so I wanted to ask if anyone here has a critique of how I configured SELinux to work.

For the non-standard maildir location, I copied the context of /var/spool/mail like this:

    chcon -R -u system_u -r object_r -t mail_spool_t /var/userdata/mail

From what I understand, this will work unless contexts are rebuilt. We don't plan to rebuild, but to be safe I'd rather create an SELinux policy that dictates this location should have the same context as the system mail spool. Does anyone have a .te file example for doing that?

For the custom port, I used this to create a new policy module (of course it has to be compiled and installed), which seems to be all I need(?)

__

    module postfixport 1.0;

    require {
        type postfix_master_t;
        type port_t;
        class tcp_socket name_bind;
    }

    #============= postfix_master_t ==============
    # This avc can be allowed using the boolean allow_ypbind
    allow postfix_master_t port_t:tcp_socket name_bind;