postfix tries to send mail to domains with no mx record
Hi,

yesterday I noticed an unexpected behaviour. This mail is lingering in the outbound queue on my mailserver:

54086E032F 10413683 Fri Feb 7 14:04:21 some.user@my.domain
(lost connection with apple.de[17.149.160.31] while receiving the initial server greeting)
pre...@apple.de

Searching the postfix log I found out that postfix tries to deliver this email with no effort:

Feb 10 13:20:08 mx-50 postfix/qmgr[17611]: 54086E032F: from=, size=10413683, nrcpt=1 (queue active)
Feb 10 13:21:22 mx-50 postfix/smtp[17651]: 54086E032F: lost connection with apple.de[17.172.224.31] while receiving the initial server greeting
Feb 10 13:22:37 mx-50 postfix/smtp[17651]: 54086E032F: lost connection with apple.de[17.178.96.17] while receiving the initial server greeting
Feb 10 13:23:52 mx-50 postfix/smtp[17651]: 54086E032F: to=, relay=apple.de[17.149.160.31]:25, delay=256771, delays=256547/0/225/0, dsn=4.4.2, status=deferred (lost connection with apple.de[17.149.160.31] while receiving the initial server greeting)
Feb 10 14:35:08 mx-50 postfix/qmgr[6779]: 54086E032F: from=, size=10413683, nrcpt=1 (queue active)
Feb 10 14:36:22 mx-50 postfix/smtp[4114]: 54086E032F: lost connection with apple.de[17.178.96.17] while receiving the initial server greeting
Feb 10 14:37:37 mx-50 postfix/smtp[4114]: 54086E032F: lost connection with apple.de[17.172.224.31] while receiving the initial server greeting
Feb 10 14:38:52 mx-50 postfix/smtp[4114]: 54086E032F: to=, relay=apple.de[17.149.160.31]:25, delay=261272, delays=261047/0/225/0, dsn=4.4.2, status=deferred (lost connection with apple.de[17.149.160.31] while receiving the initial server greeting)

Now the strange thing. There is no MX record for apple.de:

root@mx-50:~# host -t mx apple.de
apple.de has no MX record

So how could postfix determine the mxer for this Domain? Apparently postfix uses the A records:

root@mx-50:~# host -t a apple.de
apple.de has address 17.178.96.17
apple.de has address 17.149.160.31
apple.de has address 17.172.224.31

Why?

This feature is off by default and not activated on my mailserver:

root@mx-50:~# postconf -d | grep ignore_mx_lookup_error
ignore_mx_lookup_error = no

root@mx-50:~# postconf -n | grep ignore_mx_lookup_error
root@mx-50:~# [no Output]

How can I turn this off?

TIA, Peter
Re: postfix tries to send mail to domains with no mx record
On Tue, Feb 11, 2014 at 09:48:29AM CET, "Klaffehn, Peter" said:

> Now the strange thing. There is no MX record for apple.de:
>
> root@mx-50:~# host -t mx apple.de
> apple.de has no MX record
>
> So how could postfix determine the mxer for this Domain? Apparently postfix
> uses the A records:
>
> root@mx-50:~# host -t a apple.de
> apple.de has address 17.178.96.17
> apple.de has address 17.149.160.31
> apple.de has address 17.172.224.31
>
> Why? This feature is off by default and not activated on my mailserver:

That's the standard: if the right-hand side of an address has no explicit MX record but an A record in the DNS, then the A record is an implicit MX.
Re: postfix tries to send mail to domains with no mx record
On 11 Feb 2014, at 09:48, Klaffehn, Peter wrote:

> yesterday I noticed an unexpected behaviour. This mail is lingering in the
> outbound queue on my mailserver:
>
> 54086E032F 10413683 Fri Feb 7 14:04:21 some.user@my.domain
> (lost connection with apple.de[17.149.160.31] while receiving the initial
> server greeting)
> pre...@apple.de
>
> Searching the postfix log I found out that postfix tries to deliver this
> email with no effort:
>
> Feb 10 13:20:08 mx-50 postfix/qmgr[17611]: 54086E032F:
> from=, size=10413683, nrcpt=1 (queue active)
> Feb 10 13:21:22 mx-50 postfix/smtp[17651]: 54086E032F: lost connection with
> apple.de[17.172.224.31] while receiving the initial server greeting
> Feb 10 13:22:37 mx-50 postfix/smtp[17651]: 54086E032F: lost connection with
> apple.de[17.178.96.17] while receiving the initial server greeting
> Feb 10 13:23:52 mx-50 postfix/smtp[17651]: 54086E032F: to=,
> relay=apple.de[17.149.160.31]:25, delay=256771, delays=256547/0/225/0,
> dsn=4.4.2, status=deferred (lost connection with apple.de[17.149.160.31] while
> receiving the initial server greeting)
> Feb 10 14:35:08 mx-50 postfix/qmgr[6779]: 54086E032F:
> from=, size=10413683, nrcpt=1 (queue active)
> Feb 10 14:36:22 mx-50 postfix/smtp[4114]: 54086E032F: lost connection with
> apple.de[17.178.96.17] while receiving the initial server greeting
> Feb 10 14:37:37 mx-50 postfix/smtp[4114]: 54086E032F: lost connection with
> apple.de[17.172.224.31] while receiving the initial server greeting
> Feb 10 14:38:52 mx-50 postfix/smtp[4114]: 54086E032F: to=,
> relay=apple.de[17.149.160.31]:25, delay=261272, delays=261047/0/225/0,
> dsn=4.4.2, status=deferred (lost connection with apple.de[17.149.160.31] while
> receiving the initial server greeting)
>
> Now the strange thing. There is no MX record for apple.de:
>
> root@mx-50:~# host -t mx apple.de
> apple.de has no MX record
>
> So how could postfix determine the mxer for this Domain? Apparently postfix
> uses the A records:
>
> root@mx-50:~# host -t a apple.de
> apple.de has address 17.178.96.17
> apple.de has address 17.149.160.31
> apple.de has address 17.172.224.31
>
> Why? This feature is off by default and not activated on my mailserver:
>
> root@mx-50:~# postconf -d | grep ignore_mx_lookup_error
> ignore_mx_lookup_error = no
>
> root@mx-50:~# postconf -n | grep ignore_mx_lookup_error
> root@mx-50:~# [no Output]
>
> How can I turn this off?

This is how it *should* work; it is not unexpected, but *expected* behaviour. You cannot turn it off, as it is part of standards and all that.

As for 'ignore_mx_lookup_error', I suggest you read the documentation again; http://www.postfix.org/postconf.5.html#ignore_mx_lookup_error

If this happens a lot and fills up your queue, you could set up a 'check_recipient_access' restriction in the right place, and maintain a list of problem domains. We do this for common misspellings like 'homail.com', 'otmail.com', for example.

Kind regards, Joni
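The host selection the thread is asking about, as an added illustration (not Postfix's own code): explicit MX records ordered by preference, and, when a domain has no MX but does have A records, the domain itself as an implicit MX. The DNS answers are constructed; apple.de mirrors the host output above, the other names are made up.

```python
import random
from typing import Dict, List, Optional, Tuple

# Constructed answers keyed by (name, rrtype). apple.de mirrors the thread's
# host output: no MX, three A records. The other names are invented.
FAKE_DNS: Dict[Tuple[str, str], list] = {
    ("apple.de", "MX"): [],
    ("apple.de", "A"): ["17.178.96.17", "17.149.160.31", "17.172.224.31"],
    ("example.net", "MX"): [(20, "mx2.example.net"),
                            (10, "mx1.example.net"),
                            (10, "mx1b.example.net")],
    ("mx1.example.net", "A"): ["192.0.2.10"],
    ("mx1b.example.net", "A"): ["192.0.2.11"],
    ("mx2.example.net", "A"): ["192.0.2.20"],
    ("nomail.example", "MX"): [],
    ("nomail.example", "A"): [],
}


def lookup(name: str, rrtype: str) -> list:
    """Stand-in for a DNS query against the constructed data above."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def mail_hosts(domain: str, seed: Optional[int] = None) -> List[str]:
    """Ordered list of hosts a client tries for `domain`.

    Explicit MX records win, lowest preference first; hosts that share a
    preference are shuffled so load is spread. With no MX at all, the
    domain's own A records make the domain an implicit MX of preference 0,
    which is why apple.de is contacted on its A addresses. An empty list
    means there is no host to deliver to.
    """
    mx = lookup(domain, "MX")
    if not mx:
        return [domain] if lookup(domain, "A") else []
    by_pref: Dict[int, List[str]] = {}
    for pref, host in mx:
        by_pref.setdefault(pref, []).append(host)
    rng = random.Random(seed)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def delivery_targets(domain: str, seed: Optional[int] = None) -> List[Tuple[str, str]]:
    """Flatten the host order into (host, address) connection attempts."""
    return [(host, addr)
            for host in mail_hosts(domain, seed)
            for addr in lookup(host, "A")]


if __name__ == "__main__":
    for d in ("apple.de", "example.net", "nomail.example"):
        print(d, "->", delivery_targets(d, seed=1))
```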
Re: Postfix DNS resolver blindly relying on cached Additional section?
On 2013-10-10 02:18, Viktor Dukhovni wrote:
> It does not fail to find it. It just uses IPv4. See:
>
> http://www.postfix.org/postconf.5.html#smtp_address_preference
>
> The documentation for
>
> http://www.postfix.org/postconf.5.html#inet_protocols
>
> is sadly I believe out of date. The sentence:
>
> When both IPv4 and IPv6 support are enabled, the Postfix SMTP
> client will attempt to connect via IPv6 before attempting to
> use IPv4.

Oooh, nice to find this, but the documentation isn't updated, and telling me that smtp_address_preference = ipv6 is insecure, is it still insecure though? I'm using postfix 2.9.3 and postfix 2.9.6

> is no longer accurate. That is only true when
>
> smtp_address_preference = ipv6
>
> The correct description is:
>
> When both IPv4 and IPv6 support are enabled, the Postfix SMTP
> client, for Postfix versions prior to 2.8, will attempt to
> connect via IPv6 before attempting to use IPv4. Starting
> with 2.8 protocol preference is controlled via the new
> smtp_address_preference parameter.
Re: Postfix DNS resolver blindly relying on cached Additional section?
Patrik B?t:
> > The correct description is:
> >
> > When both IPv4 and IPv6 support are enabled, the Postfix SMTP
> > client, for Postfix versions prior to 2.8, will attempt to
> > connect via IPv6 before attempting to use IPv4. Starting
> > with 2.8 protocol preference is controlled via the new
> > smtp_address_preference parameter.

The Postfix 2.11 manpage says:

"When both IPv4 and IPv6 support are enabled, the Postfix SMTP client will choose the protocol as specified with the smtp_address_preference parameter. Postfix versions before 2.8 attempt to connect via IPv6 before attempting to use IPv4."

That is, it describes current behavior before historical behavior.

Wietse
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
I disabled NTLM with

smtp_sasl_mechanism_filter = !ntlm

but of course now I get an error that the server offered no compatible authentication mechanism.

When I telnet to my exchange server I only get:

STARTTLS
X-ANONYMOUS TLS
AUTH NTLM
X-EXPS GSSAPI NTLM

Like I said, if I cannot get this to work, I will rely on the virtual smtp server that is located on my webserver, which is what we already use for our website.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Exchange-2007-gives-535-5-7-3-Authentication-unsuccessful-tp65072p65095.html
Sent from the Postfix Users mailing list archive at Nabble.com.
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On 11.02.2014 13:13, fleon wrote:
> I disabled NTLM with smtp_sasl_mechanism_filter = !ntlm but of course now I get an
> error that the server offered no compatible authentication mechanism
>
> When I telnet to my exchange server I only get:
>
> STARTTLS
> X-ANONYMOUS TLS
> AUTH NTLM
> X-EXPS GSSAPI NTLM
>
> Like I said, if I cannot get this to work, I will rely on the virtual smtp
> server that is located on my webserver, which is what we already use for our
> website

* we relay to a customer with Microsoft ESMTP MAIL Service because we don't host their email but webservices sending messages with their sender domain as envelope
* the exchange machine pretends the same as yours
* but SASL auth works for sure

250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING

on our postfix relay these packages are installed
* no ntlm
* no gssapi

cyrus-sasl-2.1.26-10.fc19.x86_64
cyrus-sasl-md5-2.1.26-10.fc19.x86_64
cyrus-sasl-lib-2.1.26-10.fc19.x86_64
cyrus-sasl-plain-2.1.26-10.fc19.x86_64
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
Hello, can you please put your relevant main.cf, /etc/postfix/generic, etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf), /etc/aliases and maybe a syslog entry after doing a test with /usr/sbin/sendmail? Please mangle your username, domain and password hashes.

Your server seems quite similar to mine, but if you don't have NTLM installed, I think you may be using TLS to connect, and probably would need the syslog entry to confirm.

My exchange server is "exchangeserver.ourdomain.com" and it's the 2007 version.
Our windows "long" domain name is "ourdomain.com"
Our windows "short" domain name is "SEGCAT"

I tried using EXCHANGESERVER\myuser, myu...@ourdomain.com and SEGCAT\myuser in the sasl hash file and it didn't work.

I am using debian 7.3, with apt-get install postfix libsasl2-modules
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On 11.02.2014 13:31, fleon wrote:
> Hello, can you please put your relevant main.cf, /etc/postfix/generic,
> etc/postfix/sasl/sasl_passwd (or the file you set up in main.cf),
> /etc/aliases and maybe a syslog entry after doing a test with
> /usr/sbin/sendmail?

all database configuration

> Please mangle your username, domain and password hashes.
>
> Your server seems quite similar to mine, but if you don't have NTLM
> installed, I think you may be using TLS to connect, and probably would need
> the syslog entry to confirm.

for sure it uses TLS because we use *everywhere* encryption if it is possible

maybe that is the reason why it just works and falls back to PLAIN which you don't see in the outgoing postfix log

Trusted TLS connection established to exchange.xx.xx[xx.xx.xx.xx]:25: TLSv1 with cipher AES128-SHA (128/128 bits)

you posted your server says "STARTTLS"

well, then configure it on the postfix client

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5

> My exchange server is "exchangeserver.ourdomain.com" and it's the 2007
> version.
> Our windows "long" domain name is "ourdomain.com"
> Our windows "short" domain name is "SEGCAT"
>
> I tried using EXCHANGESERVER\myuser, myu...@ourdomain.com and SEGCAT\myuser
> in the sasl hash file and it didn't work

there is no valid reason to guess usernames

just use the same credentials as you enter in an ordinary MUA
network is unreachable
Hi,

All of the sudden, we can't send any email to one particular domain, and below is the error message we got. Does anyone have any idea how to fix this problem? Thanks!

Charles

This is the mail system at host es1.mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

: connect to xxdomain.com[2607:f220:404:8104::80e7:5a78]:25: Network is unreachable
Re: Email clients timing out. Can you help?
Dear Anthony!

You should be ashamed of yourself and the community should be ashamed for allowing you to act this way to new people. Essentially you are insulting someone because he didn't do your homework for you. The link posted by Matthew was a very good starting point for being able to do your homework yourself.

That's not exactly the smartest way to get help on a list that is driven by volunteers.

thanks for listening,
Michael
Re: network is unreachable
Quoting c cc:

> Hi,
>
> All of the sudden, we can't send any email to one particular domain, and
> below is the error message we got. Does anyone have any idea how to fix
> this problem? Thanks!
>
> Charles
>
> This is the mail system at host es1.mydomain.com.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The mail system
>
> : connect to xxdomain.com[2607:f220:404:8104::80e7:5a78]:25: Network is
> unreachable

Looks like your IPv6 connectivity is broken. Works from here:

telnet -6 nihcesxway5.hub.nih.gov 25
Trying 2607:f220:404:8104::80e7:5a78...
Connected to nihcesxway5.hub.nih.gov.
Escape character is '^]'.
220 nihcesxway5.hub.nih.gov ESMTP
quit
221 nihcesxway5.hub.nih.gov
Connection closed by foreign host.

But not really fast, though.

Either way there are some other MXs as far as I see so your mail should get through (later).

Regards

Andreas
Re: Does this have side effects?
On Mon, Feb 10, 2014 at 11:39:10AM -0600, Jay G. Scott wrote:
> On Fri, Feb 07, 2014 at 01:55:09PM -0500, Glenn Sieb wrote:
> > This will do what you're looking for, much easier.
> >
> > in main.cf:
> >
> > mydomain = arlut.utexas.edu
> So, eliminating myorigin as a variable.

I'm far from an expert, but trivial-rewrite(8) looks like the tool of choice to me, to configure this. Does it also look like it, for people with more glue than me?

Cheers
--
Michael P. Demelbauer
System Administration
WSR Arsenal, Objekt 20
1030 Wien
---
There comes a time in the affairs of a man when he has to take the bull by the tail and face the situation. -- W. C. Fields
Re: Does this have side effects?
It looks like the following docs should cover your needs:

http://www.postfix.org/OVERVIEW.html
http://www.postfix.org/ADDRESS_REWRITING_README.html

Sorry, if you already know and read those.

Cheers
--
Michael P. Demelbauer
Re: network is unreachable
c cc:
> Andreas,
>
> Thanks for your quick reply--is there a setting in Postfix that I should
> configure to fix this problem? Thanks!

Try using his telnet example first. If that doesn't work then no amount of Postfix tweaking will help.

Wietse

> Charles
>
> On Tue, Feb 11, 2014 at 8:18 AM, wrote:
> >
> > Quoting c cc:
> >
> >> Hi,
> >>
> >> All of the sudden, we can't send any email to one particular domain, and
> >> below is the error message we got. Does anyone have any idea how to fix
> >> this problem? Thanks!
> >>
> >> Charles
> >>
> >> This is the mail system at host es1.mydomain.com.
> >>
> >> I'm sorry to have to inform you that your message could not
> >> be delivered to one or more recipients. It's attached below.
> >>
> >> For further assistance, please send mail to postmaster.
> >>
> >> If you do so, please include this problem report. You can
> >> delete your own text from the attached returned message.
> >>
> >> The mail system
> >>
> >> : connect to xxdomain.com[2607:f220:404:8104::80e7:5a78]:25: Network is
> >> unreachable
> >
> > Looks like your IPv6 connectivity is broken. Works from here:
> >
> > telnet -6 nihcesxway5.hub.nih.gov 25
> > Trying 2607:f220:404:8104::80e7:5a78...
> > Connected to nihcesxway5.hub.nih.gov.
> > Escape character is '^]'.
> > 220 nihcesxway5.hub.nih.gov ESMTP
> > quit
> > 221 nihcesxway5.hub.nih.gov
> > Connection closed by foreign host.
> >
> > But not really fast, though.
> >
> > Either way there are some other MXs as far as I see so your mail should
> > get through (later).
> >
> > Regards
> >
> > Andreas
Re: network is unreachable
On Tue, Feb 11, 2014 at 9:34 AM, c cc wrote:
> Andreas,
>
> Thanks for your quick reply--is there a setting in Postfix that I should
> configure to fix this problem? Thanks!

Forget about postfix. First validate you have connection to that server, i.e. can you reach that port while in ipv6? Do not continue until you can prove that.

> Charles
>
> On Tue, Feb 11, 2014 at 8:18 AM, wrote:
>>
>> Quoting c cc:
>>
>>> Hi,
>>>
>>> All of the sudden, we can't send any email to one particular domain, and
>>> below is the error message we got. Does anyone have any idea how to fix
>>> this problem? Thanks!
>>>
>>> Charles
>>>
>>> This is the mail system at host es1.mydomain.com.
>>>
>>> I'm sorry to have to inform you that your message could not
>>> be delivered to one or more recipients. It's attached below.
>>>
>>> For further assistance, please send mail to postmaster.
>>>
>>> If you do so, please include this problem report. You can
>>> delete your own text from the attached returned message.
>>>
>>> The mail system
>>>
>>> : connect to xxdomain.com[2607:f220:404:8104::80e7:5a78]:25: Network is
>>> unreachable
>>
>> Looks like your IPv6 connectivity is broken. Works from here:
>>
>> telnet -6 nihcesxway5.hub.nih.gov 25
>> Trying 2607:f220:404:8104::80e7:5a78...
>> Connected to nihcesxway5.hub.nih.gov.
>> Escape character is '^]'.
>> 220 nihcesxway5.hub.nih.gov ESMTP
>> quit
>> 221 nihcesxway5.hub.nih.gov
>> Connection closed by foreign host.
>>
>> But not really fast, though.
>>
>> Either way there are some other MXs as far as I see so your mail should
>> get through (later).
>>
>> Regards
>>
>> Andreas
Re: network is unreachable
Quoting c cc:

> Andreas,
>
> Thanks for your quick reply--is there a setting in Postfix that I should
> configure to fix this problem? Thanks!
>
> Charles

You might try with IPv4 only with "inet_protocols=ipv4" but you should first check if you can reach them by IPv4 anyway. But to really solve the problem you should check the network path.

Regards

Andreas
Re: network is unreachable
Hi all,

Thanks for all your help. Since we are using EC2 from Amazon and they don't support ip6 on EC2, they recommended me to force Postfix to send email using ipV4 by changing:

inet_protocols = all

to

inet_protocols = ipv4

and restart or reload Postfix.

If I change to ipV4, would it create more problems for my Postfix?

Once again, thanks for your help.

Charles

On Tue, Feb 11, 2014 at 8:47 AM, wrote:
>
> Quoting c cc:
>
>> Andreas,
>>
>> Thanks for your quick reply--is there a setting in Postfix that I should
>> configure to fix this problem? Thanks!
>>
>> Charles
>
> You might try with IPv4 only with "inet_protocols=ipv4" but you should
> first check if you can reach them by IPv4 anyway. But to really solve the
> problem you should check the network path.
>
> Regards
>
> Andreas
Re: network is unreachable
On 11.02.2014 17:19, c cc wrote:
> If I change to ipV4, would it create more problems for my Postfix

no

Best Regards
MfG Robert Schetterer
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: network is unreachable
Quoting c cc:

> Hi all,
>
> Thanks for all your help. Since we are using EC2 from Amazon and they don't
> support ip6 on EC2, they recommended me to force Postfix to send email using
> ipV4 by changing:
>
> inet_protocols = all
>
> to
>
> inet_protocols = ipv4
>
> and restart or reload Postfix.
>
> If I change to ipV4, would it create more problems for my Postfix?
>
> Once again, thanks for your help.
>
> Charles

You can't reach IPv6 only sites anymore, so no additional problem as of now. But this may change later in the century ;-)

Regards

Andreas
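What inet_protocols and smtp_address_preference (the parameter discussed in the "Postfix DNS resolver" thread above) do to the addresses the client will attempt, as an added model rather than Postfix's own code: inet_protocols drops whole address families first, the preference orders what is left, and "any" is modelled as a per-delivery random choice. The records are constructed; the AAAA is the one from Charles's bounce, the IPv4 address and the v6-only host are made up.

```python
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed records. The AAAA is the address from Charles's bounce; the
# IPv4 address and the IPv6-only host are invented for illustration.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("xxdomain.com", "AAAA"): ["2607:f220:404:8104::80e7:5a78"],
    ("xxdomain.com", "A"): ["203.0.113.25"],
    ("v6only.example", "AAAA"): ["2001:db8::25"],
    ("v6only.example", "A"): [],
}


def lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed data above."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def enabled_families(inet_protocols: str) -> Set[str]:
    """Parse an inet_protocols value: 'all', or a list such as 'ipv4, ipv6'."""
    words = {w.lower() for w in inet_protocols.replace(",", " ").split()}
    return {"ipv4", "ipv6"} if "all" in words else words & {"ipv4", "ipv6"}


def connect_order(host: str, inet_protocols: str = "all",
                  address_preference: str = "any",
                  seed: Optional[int] = None) -> List[Tuple[str, str]]:
    """(family, address) pairs in the order the client would try them.

    inet_protocols removes whole address families before anything else, so
    'ipv4' never even looks at AAAA records: a box with no IPv6 route, like
    the EC2 instance in this thread, stops producing 'Network is unreachable'.
    smtp_address_preference then decides which remaining family goes first.
    An empty result means no usable address at all, which is what an
    IPv6-only destination becomes once inet_protocols = ipv4.
    """
    fams = enabled_families(inet_protocols)
    v4 = [("ipv4", a) for a in lookup(host, "A")] if "ipv4" in fams else []
    v6 = [("ipv6", a) for a in lookup(host, "AAAA")] if "ipv6" in fams else []
    pref = address_preference.lower()
    if pref == "any":
        pref = random.Random(seed).choice(["ipv4", "ipv6"])
    return (v6 + v4) if pref == "ipv6" else (v4 + v6)


if __name__ == "__main__":
    print(connect_order("xxdomain.com", "all", "ipv6"))
    print(connect_order("xxdomain.com", "ipv4"))
    print(connect_order("v6only.example", "ipv4"))
```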
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
I tried to connect with this command:

openssl s_client -starttls smtp -crlf -connect exchangeserver.ourdomain.com:25

It connects, though it says it can't validate the certificate (which is expected, our exchange certificate is self signed).

After EHLO I now get:

AUTH NTLM LOGIN

So I tried with login and it requested my username and password in base64.

After typing them manually encoded, I got a RENEGOTIATING and finally a handshake failure. Don't know if it's because I typed the username in the wrong format or if it just didn't like the certificate.
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
fleon:
> I tried to connect with this command:
>
> openssl s_client -starttls smtp -crlf -connect
> exchangeserver.ourdomain.com:25
...
> After typing them manually encoded, I got a RENEGOTIATING and finally a

Openssl s_client will "renegotiate" when you type "R". Try using lowercase characters only.

Wietse
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On Tue, Feb 11, 2014 at 09:48:03AM -0800, fleon wrote:

> After EHLO I now get:
> AUTH NTLM LOGIN
>
> So I tried with login and it requested my username and password in base64.
>
> After typing them manually encoded, I got a RENEGOTIATING and finally a
> handshake failure. Don't know if it's because I typed the username in the wrong
> format or if it just didn't like the certificate.

openssl s_client is a testing tool, not a netcat replacement. It processes "R" at the beginning of a line as an SSL re-negotiate request.

If you enable TLS in Postfix, it should be able to use "LOGIN", and you'll be all set. The username will likely work without any domain, but you can try a few formats if a bare username does not work.

--
Viktor.
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
I have this in my main.cf (note: I didn't set this up, my guess is that debian itself did, or maybe when I installed libsasl2-modules, but I don't think so)

smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

This is the rest of the relevant content in main.cf

myhostname = helpdesk.ourdomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = helpdesk.ourdomain.com
relayhost = [exchangeserver.ourdomain.com]
smtp_sasl_security_options =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes

I tried then:

smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = login

But if I do the last line, then it says NTLM isn't allowed.

What am I missing to enable TLS properly and then be able to use AUTH LOGIN?
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On Tue, Feb 11, 2014 at 10:36:54AM -0800, fleon wrote:

> I have this in my main.cf (note: I didn't set this up, my guess is that
> debian itself did, or maybe when I installed libsasl2-modules, but I don't
> think so)
>
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_use_tls = yes
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Server-side TLS enabled. Use "smtpd_tls_security_level = may" instead of the obsolete "smtpd_use_tls = yes".

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Client-side TLS is not enabled. Enable client-side TLS:

smtp_tls_security_level = may

> What am I missing to enable TLS properly and then be able to use AUTH LOGIN?

See above.

--
Viktor.
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On 11.02.2014 20:01, Viktor Dukhovni wrote:
> On Tue, Feb 11, 2014 at 10:36:54AM -0800, fleon wrote:
>
>> I have this in my main.cf (note: I didn't set this up, my guess is that
>> debian itself did, or maybe when I installed libsasl2-modules, but I don't
>> think so)
>>
>> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
>> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
>> smtpd_use_tls = yes
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> Server-side TLS enabled. Use "smtpd_tls_security_level = may"
> instead of the obsolete "smtpd_use_tls = yes".

to say it clearly: anything with smtpd_ as prefix has nothing to do with sending a message to another server

>> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
> Client-side TLS is not enabled. Enable client-side TLS:
>
> smtp_tls_security_level = may
>
>> What am I missing to enable TLS properly and then be able to use AUTH LOGIN?
>
> See above

and that is why I hours ago posted the *client* configuration of the machine that happily sends authenticated mail over TLS to exchange

smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA, ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On Tue, Feb 11, 2014 at 08:06:17PM +0100, li...@rhsoft.net wrote:

> and that is why I hours ago posted the *client* configuration
> of the machine that happily sends authenticated mail over TLS to
> exchange
>
> smtp_use_tls = yes

Obsolete.

> smtp_tls_loglevel = 1
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Leaving it blank is better. The browser CA bundle has no relevance to SMTP.

> smtp_tls_security_level = may

Correct.

> smtp_tls_note_starttls_offer = yes

Pointless, since the security level is "may".

> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

Better to use ${data_directory} instead of explicit /var/lib/postfix.

> smtp_tls_exclude_ciphers = DES-CBC3-SHA, DES-CBC3-MD5, ADH-DES-CBC3-SHA,
> ADH-DES-CBC3-MD5, EDH-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-MD5, DES, DES+MD5

If one wants to exclude 3DES and DES, it is far easier to set:

smtp_tls_exclude_ciphers = 3DES DES

which covers all the above much more concisely. I imagine this is intended to avoid CBC problems with Microsoft Exchange 2003.

--
Viktor.
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
FINALLY it worked, but not before I disabled NTLM in the config, because otherwise it would try it.

So, I had to enable client side TLS and disable NTLM. It says untrusted connection in the logs, and I tried modifying the mynetworks variable below but couldn't fix it. It may be untrusted because of the invalid exchange certificate.

For reference, here is the main.cf I used. I am aware of the obsolete and unneeded entries.

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = helpdesk.seguroscatatumbo.com
relayhost = [mar-exch01.seguroscatatumbo.com]
smtp_sasl_tls_security_options =
smtp_sasl_mechanism_filter = login !ntlm
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
broken_sasl_auth_clients = yes
smtp_always_send_ehlo = yes
###
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128 192.168.100.0/24

/etc/aliases contains one modification:

root: myuser

/etc/postfix/generic has one line:

r...@helpdesk.ourdomain.com myu...@ourdomain.com

/etc/postfix/sasl/sasl_passwd has one line:

[exchangeserver.ourdomain.com] DOMAIN\myuser:mypass

Now, a final question that isn't exactly relevant to postfix. Can I make emails sent come as "myu...@ourdomain.com" instead of the default "myu...@helpdesk.ourdomain.com"?

I am aware that my linux box is called "helpdesk" and that /etc/hosts says:

127.0.0.1 helpdesk
127.0.0.1 helpdesk.ourdomain.com helpdesk

I tried setting the mydestination in main.cf to ourdomain.com but then postfix didn't try to relay to exchange, which I guess is the right behaviour.

I am aware that when I configure the helpdesk I may try just impersonating the account as helpd...@ourdomain.com without touching anything else.
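Why "!ntlm" alone broke authentication and why it worked once client-side TLS was on, as an added model of the mechanism narrowing (not Postfix or Cyrus SASL code): the server's AUTH list is filtered by smtp_sasl_mechanism_filter, then by the security options that apply to the session (smtp_sasl_security_options, or smtp_sasl_tls_security_options after STARTTLS; both default to "noplaintext, noanonymous"), then by which Cyrus client plugins are installed. The EHLO replies are retyped from what fleon and rhsoft posted, the hostname and plugin lists are assumptions, and the final pick among the survivors is left to the SASL library, which this model does not reproduce.

```python
from typing import Iterable, List, Sequence

# Constructed EHLO replies retyped from the thread: the Exchange 2007
# server before STARTTLS, and the same server after STARTTLS via
# openssl s_client. X-EXPS is Exchange-specific and not an AUTH keyword.
EHLO_PLAINTEXT = ["250-exchangeserver.ourdomain.com",
                  "250-STARTTLS", "250-X-ANONYMOUSTLS",
                  "250-AUTH NTLM", "250-X-EXPS GSSAPI NTLM", "250 OK"]
EHLO_AFTER_TLS = ["250-exchangeserver.ourdomain.com",
                  "250-AUTH NTLM LOGIN", "250 OK"]

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # password travels as-is (TLS or not)
ANONYMOUS_MECHS = {"ANONYMOUS"}


def advertised_mechs(ehlo_lines: Iterable[str]) -> List[str]:
    """Mechanism names from the AUTH keyword of an EHLO reply."""
    for line in ehlo_lines:
        words = line[4:].split()          # drop the '250-' / '250 ' prefix
        if words and words[0].upper() == "AUTH":
            return [w.upper() for w in words[1:]]
    return []


def apply_filter(mechs: Sequence[str], mechanism_filter: str) -> List[str]:
    """smtp_sasl_mechanism_filter semantics: an empty filter keeps every
    mechanism; otherwise the first pattern that matches decides ('!name'
    drops it), and a mechanism matching no pattern at all is dropped."""
    patterns = mechanism_filter.replace(",", " ").split()
    if not patterns:
        return list(mechs)
    kept: List[str] = []
    for mech in mechs:
        for pat in patterns:
            if pat.lstrip("!").upper() == mech:
                if not pat.startswith("!"):
                    kept.append(mech)
                break
    return kept


def usable_mechs(ehlo_lines: Iterable[str], mechanism_filter: str = "",
                 security_options: str = "noplaintext, noanonymous",
                 client_plugins: Sequence[str] = ("PLAIN", "LOGIN", "NTLM")
                 ) -> List[str]:
    """Mechanisms left after the filter, the security options in force for
    this session, and the Cyrus client plugins installed on the box.
    client_plugins is an assumption: fleon's box had the NTLM plugin,
    rhsoft's deliberately did not."""
    opts = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    out: List[str] = []
    for mech in apply_filter(advertised_mechs(ehlo_lines), mechanism_filter):
        if mech not in client_plugins:
            continue
        if "noplaintext" in opts and mech in PLAINTEXT_MECHS:
            continue
        if "noanonymous" in opts and mech in ANONYMOUS_MECHS:
            continue
        out.append(mech)
    return out


if __name__ == "__main__":
    print("no TLS, no filter:    ", usable_mechs(EHLO_PLAINTEXT, "", ""))
    print("no TLS, '!ntlm':      ", usable_mechs(EHLO_PLAINTEXT, "!ntlm", ""))
    print("TLS, 'login !ntlm':   ", usable_mechs(EHLO_AFTER_TLS, "login !ntlm", ""))
    print("TLS, Postfix defaults:", usable_mechs(EHLO_AFTER_TLS, "login !ntlm"))
```

The last line of the demo is the case fleon's empty smtp_sasl_tls_security_options avoids: with the default "noplaintext", LOGIN is refused even inside TLS.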
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On 11.02.2014 21:15, fleon wrote:
> FINALLY it worked, but not before I disabled NTLM in the config, because
> otherwise it would try it.

as said in my first reply "uninstall the NTLM module" as long as you have no damned good reason to install it

in case of the distributions I work with it is its own sub-package with no further dependencies and so you don't have to bother about configurations

I never faced any positive effect in installing and configuring the NTLM crap except troubles over troubles, be it mail delivery or stupid Apple clients preferring it in their config while from time to time failing to handle NTLM correctly

> So, I had to enable client side TLS and disable NTLM. It says untrusted
> connection in the logs, and I tried modifying the mynetworks variable below
> but couldn't fix it. It may be untrusted because of the invalid exchange
> certificate

it says untrusted because the certificate on the remote side is not from a trusted CA or postfix does not know the CA and that is why I have

smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

connections to Google as example are trusted with and Untrusted without

http://www.postfix.org/postconf.5.html#smtp_tls_CAfile

On 11.02.2014 20:17, Viktor Dukhovni wrote:
>> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>
> Leaving it blank is better. The browser CA bundle has no relevance to SMTP

it has no relevance in case of opportunistic TLS but it makes a difference
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On Tue, Feb 11, 2014 at 10:14:10PM +0100, li...@rhsoft.net wrote:
> > So, i had to enable client side TLS and disabling NTLM. It says untrusted
> > connection in the logs, and i tried modifying the mynetworks variable below
> > but couldn't fix it. It may be untrusted because of the invalid exchange
> > certificate
>
> it says untrusted because the certificate on the remote side is
> not from a trusted CA or postfix does not know the CA

Which is just fine in the majority of cases.

> and that is why i have
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Too many CAs to claim meaningful trust, too few CAs to authenticate everyone. In particular, for the OP the Exchange server's certificate is internally provisioned, and the CA in question is not in the browser CA bundle. The OP may choose to specify the actual issuer for his server cert in CAfile, and to use the policy table or a dedicated transport to make TLS mandatory (perhaps smtp_tls_security_level = "secure") for the destination in question.

-- Viktor.
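Viktor's suggestion spelled out as main.cf and policy-table fragments. This is an added example, not configuration from the thread or from the Postfix project: the relay name is the one from fleon's main.cf, and the CA file path /etc/postfix/exchange-ca.pem is an assumed location for the internal CA's PEM certificate.

```text
# main.cf
#
# Before (the settings from the thread): opportunistic TLS with no usable CA,
# so the relay's certificate cannot be verified and every delivery logs
# "Untrusted TLS connection established to ...".
#
#   smtp_tls_security_level = may
#   smtp_tls_CAfile =
#
# After: keep "may" as the default for everyone else, trust only the internal
# CA that issued the Exchange certificate, and require a verified connection
# for the relay through the policy table.
relayhost = [mar-exch01.seguroscatatumbo.com]
smtp_tls_security_level = may
# assumed path: PEM certificate of the internal CA that issued the Exchange cert
smtp_tls_CAfile = /etc/postfix/exchange-ca.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy   (run "postmap /etc/postfix/tls_policy" after editing)
# The lookup key is the next-hop exactly as written in relayhost, brackets included.
[mar-exch01.seguroscatatumbo.com]   secure match=mar-exch01.seguroscatatumbo.com
```

At the "secure" level Postfix verifies the chain against smtp_tls_CAfile and checks the certificate name against match=; if either fails, delivery to that relay is deferred rather than falling back to an unverified session, so a wrong CA file shows up in the queue instead of as a silent downgrade. With smtp_tls_loglevel = 1 the log line changes from "Untrusted" to "Verified TLS connection established to ...", and the SASL credentials from sasl_passwd then only ever travel over that verified channel.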
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On 2/11/2014 2:15 PM, fleon wrote:
> ...
> Now, a final question that isn't exactly relevant to postfix. Can i make
> emails sent to come as "myu...@ourdomain.com" instead of the default
> "myu...@helpdesk.ourdomain.com"

Maybe you're looking for
http://www.postfix.org/postconf.5.html#masquerade_domains

# main.cf
masquerade_domains = ourdomain.com

Alternately, this can be done with smtp_generic_maps
http://www.postfix.org/postconf.5.html#smtp_generic_maps

See the docs for more details.
http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/STANDARD_CONFIGURATION_README.html

-- Noel Jones
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
I am fine with the end result. The untrusted message is rather cosmetic; I would like to know how to import the certificate, or rather trust the server (as I thought the mynetworks variable would do), but it's no biggie. The server is inside our LAN and the relay will only be used for our helpdesk, which will be internal.

Some would argue that using the virtual SMTP server (that asks for no password) is better, since with the current setup I have to make sure the user that will send the mail (which should be static, as they will be automatically sent by the helpdesk) has a password that either doesn't change, or keep the password updated in the hash.
Re: Exchange 2007 gives 535 5.7.3 Authentication unsuccessful
On Tue, Feb 11, 2014 at 01:37:17PM -0800, fleon wrote:
> Some would argue that using the virtual smtp server (that asks for no
> password) is better, since with the current setup i have to make sure the
> user that will send the mail (which should be static, as they will be
> automatically sent by the helpdesk) has a password that either doesn't
> change or keep the password updated in the hash.

Key management is a bear. Since by day I'm in the Kerberos infrastructure game, I tend to use Kerberos credentials, with a bunch of tooling around automated provisioning of Kerberos tickets and service keytabs. Without a key management infrastructure, you're basically stuck hand-managing passwords, or more complicated things are functionally equivalent to passwords.

So long as an unauthenticated entry point exists and provides similar performance, there is indeed not much point in using the authenticated entry point, except for educational value. You may not have the choice at some time in the future.

-- Viktor.
How to block bogus localhost.localdomain/127.0.0.1 (helo_access)
Most of the spam getting in my system is stamped with localhost.localdomain. I have tried to use the helo_access file from a few sources. The ones I tried either didn't work or made more of the spam messages get through.

One of the fixes I tried I got from:
http://www.postfix.org/SMTPD_ACCESS_README.html#danger

Another of my attempts is described here:
http://www.unixwiz.net/techtips/postfix-HELO.html

This one makes a lot of sense and would work great if I could get it working. This is what I have:

main.cf:
–
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
check_helo_access hash:/etc/postfix/helo_access,
permit

helo_access file:
–
127.0.0.1 REJECT Please use http://bouncedemail.apollo3.com to resolve this issue
localhost REJECT Please use http://bouncedemail.apollo3.com to resolve this issue
apollo3.com REJECT Please use http://bouncedemail.apollo3.com to resolve this issue
localhost.localdomain REJECT Please use http://bouncedemail.apollo3.com to resolve this issue

It makes sense, but it doesn't work. I never get the rejection message.
I also have this repeated hundreds of times an hour:
–---
Feb 11 16:40:42 hera5 postfix/smtpd[28038]: 174F71553D7: client=localhost.localdomain[127.0.0.1]
Feb 11 16:40:42 hera5 postfix/cleanup[32346]: 174F71553D7: message-id=<20140211214036.74cd51305...@mail.actionmessage.com>
Feb 11 16:40:42 hera5 postfix/smtpd[28038]: disconnect from localhost.localdomain[127.0.0.1]
Feb 11 16:40:42 hera5 amavis[32622]: (32622-04) Passed CLEAN {RelayedOpenRelay}, [72.9.103.50]:5850 [72.9.103.50] -> , Queue-ID: 886561514D8, Message-ID: <20140211214036.74cd51305...@mail.actionmessage.com>, mail_id: mf2_uVscaH5z, Hits: -1.901, size: 7991, queued_as: 174F71553D7, 2445 ms
Feb 11 16:40:42 hera5 postfix/smtp[4726]: 886561514D8: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, delays=1.1/0.01/0/2.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 174F71553D7)
Feb 11 16:40:42 hera5 postfix/qmgr[28029]: 174F71553D7: from=, size=8452, nrcpt=1 (queue active)
Feb 11 16:40:42 hera5 postfix/qmgr[28029]: 886561514D8: removed
Feb 11 16:40:42 hera5 postfix/local[4712]: 174F71553D7: to=, relay=local, delay=0.27, delays=0.2/0.03/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Feb 11 16:40:42 hera5 postfix/qmgr[28029]: 174F71553D7: removed

Hopefully someone can advise me of what I might be missing to make the configuration work, or some other alternative. Thanks!

-- L. James

--
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames
Re: How to block bogus localhost.localdomain/127.0.0.1 (helo_access)
L. D. James:
> main.cf:
> –
> smtpd_delay_reject = yes
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> permit_mynetworks,
> check_helo_access hash:/etc/postfix/helo_access,
> permit

You need whitespace at the beginning of the permit_mynetworks and check_helo_access lines.

> helo_access file:
> –
> 127.0.0.1 REJECT Please use http://bouncedemail.apollo3.com to resolve
> this issue
> localhost REJECT Please use http://bouncedemail.apollo3.com to resolve
> this issue
> apollo3.com REJECT Please use http://bouncedemail.apollo3.com to resolve
> this issue
> localhost.localdomain REJECT Please use http://bouncedemail.apollo3.com
> to resolve this issue

You can test this with

$ postmap -q localhost.localdomain hash:/etc/postfix/helo_access

The result should be the full "REJECT Please use http" line.

Wietse
Re: How to block bogus localhost.localdomain/127.0.0.1 (helo_access)
On 2/11/2014 4:20 PM, L. D. James wrote:
> Most of the spam getting in my system is stamped with
> localhost.localdomain.
>

All the mail that passes through your amavisd-new mail filter passes through localhost.localdomain. If you block localhost you won't receive any mail.

You need to trace a message and see where they originally come from. If they really do originate at localhost, your server may be compromised -- the usual culprit is an insecure web script. Or your server could be misconfigured such that external connections appear to be from localhost. This can be caused by a misconfigured NAT firewall or an SMTP proxy.

To trace a message...

Easy way:
- examine the Received: headers from an unwanted message. Note they are in reverse order, so read from the bottom up. You'll be interested in the first Received: header containing "by yourservername".

Harder way:
- Pick a Message-ID from your log or from the header of a message.
- grep that Message-ID from your log. You should see (at least) two postfix/cleanup entries and an amavis entry.
- note the postfix QueueID recorded on the cleanup lines.
- search the log for that same QueueID. Note that the QueueID is not unique; there may be unrelated messages with the same ID, but never at the same time.
- you'll be interested in the first "postfix/smtpd[ ... client=" entry.

-- Noel Jones
Re: network is unreachable
On 2014-02-11 17:19, c cc wrote:
> Since we are using EC2 from Amazon and they don't support ip6 on EC2, they recommended me to force Postfix to send email using ipV4 by changing:
> inet_protocols = all
> to
> inet_protocols = ipv4
> and restart or reload Postfix

this will force postfix to only use ipv4 for any domain, this is plain dumb :=)

real solution is to remove ipv6 from the amazon hosted domain in dns

if not possible one can set /etc/gai.conf to prefer ipv4 for destination ip

> If I change to ipV4, would it create more problems for my Postfix?
> Once again, thanks for your help.

not really, other than you can't mix ipv4 and ipv6 with their solution; with the dns fix it works out of the box
Re: How to block bogus localhost.localdomain/127.0.0.1 (helo_access)
On 02/11/2014 06:05 PM, Noel Jones wrote:
> On 2/11/2014 4:20 PM, L. D. James wrote:
>> Most of the spam getting in my system is stamped with
>> localhost.localdomain.
>
> All the mail that passes through your amavisd-new mail filter passes
> through localhost.localdomain. If you block localhost you won't receive
> any mail.
>
> You need to trace a message and see where they originally come from.
> If they really do originate at localhost, your server may be compromised
> -- the usual culprit is an insecure web script. Or your server could be
> misconfigured such that external connections appear to be from localhost.
> This can be caused by a misconfigured NAT firewall or an SMTP proxy.
>
> To trace a message...
>
> Easy way:
> - examine the Received: headers from an unwanted message. Note they are
> in reverse order, so read from the bottom up. You'll be interested in
> the first Received: header containing "by yoursevername".
>
> Harder way:
> - Pick a Message-ID from your log or from the header of a message.
> - grep that Message-ID from your log. You should see (at least) two
> postfix/cleanup entries and an amavis entry.
> - note the postfix QueueID recorded on the cleanup lines.
> - search the log for that same QueueID. Note that the QueueID is not
> unique; there may be unrelated messages with the same ID, but never at
> the same time.
> - you'll be interested in the first "postfix/smtpd[ ... client=" entry.
>
> -- Noel Jones

Thanks, Noel. I appreciate the attention and input. Please be aware that I have no trouble tracing where the messages come from. I can very easily do that manually. Postfix has features that allow you to configure it to automatically handle the messages. I'm working on implementing this feature.

I appreciate your reference that my system might be configured incorrectly. But I believe it's a little beyond that. All systems are subject to some spam. The key is to spend time putting in locks against the spam.
In this particular case the culprit is that the user is answering a normal HELO query (which is totally legal, but I'll say unethical) as my domain rather than their domain. This is because most people will accept mail that is announcing that it's my domain. My system is accepting it by the announcement. It's very easy to tell the remote system is lying.

So, of course, I'm trying to figure out where to put the rejection process, where it will reject the connections that are lying. Also, just in case I have it wrong and reject my own messages, I want to have a bounced message to alert the user.

-- L. James

--
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames
Re: How to block bogus localhost.localdomain/127.0.0.1 (helo_access)
On 02/11/2014 05:39 PM, Wietse Venema wrote:
> permit_mynetworks,
> check_helo_access hash:/etc/postfix/helo_access,
> permit

Thanks, Wietse. I had white spaces. I had tried to have it exactly like the example in the link I posted. I see I made a mistake in my post. But the main.cf has the spaces. This is the way it is in the main.cf:

I have this in the entry:
-
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    permit

I have this in the log:
-
Feb 11 21:42:41 hera5 postfix/smtpd[4802]: connect from localhost.localdomain[127.0.0.1]
Feb 11 21:42:41 hera5 postfix/smtpd[4802]: 05AAE155460: client=localhost.localdomain[127.0.0.1]
Feb 11 21:42:41 hera5 postfix/cleanup[4796]: 05AAE155460: message-id=<158d61a16c64ab2744f97_9cdff...@993.es>
Feb 11 21:42:41 hera5 postfix/smtpd[4802]: disconnect from localhost.localdomain[127.0.0.1]
Feb 11 21:42:41 hera5 amavis[17791]: (17791-03) Passed CLEAN {RelayedOpenRelay}, [216.244.76.231]:8 [216.244.76.231] -> , Queue-ID: D26D915544D, Message-ID: <158d61a16c64ab2744f97_9cdff...@993.es>, mail_id: Z-PG3reqDWKm, Hits: -1.714, size: 14271, queued_as: 05AAE155460, 3852 ms
Feb 11 21:42:41 hera5 postfix/smtp[4797]: D26D915544D: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=6.2, delays=2.3/0/0/3.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 05AAE155460)
Feb 11 21:42:41 hera5 postfix/qmgr[4593]: 05AAE155460: from=, size=14750, nrcpt=1 (queue active)
Feb 11 21:42:41 hera5 postfix/qmgr[4593]: D26D915544D: removed
Feb 11 21:42:41 hera5 postfix/local[4803]: 05AAE155460: to=, relay=local, delay=0.31, delays=0.23/0.04/0/0.04, dsn=2.0.0, status=sent (delivered to maildir)

I ran the postmap -q test and got the desired output. But I don't get that output from the postfix server. It might have something to do with the permit_mynetworks coming before the check_helo_access function.

Your test parameter and feedback are helping me to believe I'm on the right track.

-- L. James

--
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames
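Noel's "harder way" of tracing a message, scripted against a log in the shape of the excerpts in this thread (the one in the first post and the one just above). This is an added example, not code from the thread or from Postfix: the hostname, PIDs, queue IDs, addresses, the documentation-range client IP and the Message-ID are all constructed, and the script assumes the standard amavisd-new layout seen in the logs here (hand-off to 127.0.0.1:10024, reinjection on 127.0.0.1:10025).

```python
"""Trace a content-filtered message back to its original SMTP client in Postfix logs.

Follows the procedure described above: Message-ID -> cleanup lines -> queue IDs ->
first "smtpd ... client=" entry for each queue ID.
"""
import re

# Constructed sample log (not a real capture). Two passes through the queue: the
# external delivery (886561514D8) and the reinjection by the content filter (174F71553D7).
SAMPLE_LOG = """\
Feb 11 16:40:38 hera5 postfix/smtpd[4700]: connect from unknown[203.0.113.50]
Feb 11 16:40:38 hera5 postfix/smtpd[4700]: 886561514D8: client=unknown[203.0.113.50]
Feb 11 16:40:38 hera5 postfix/cleanup[4701]: 886561514D8: message-id=<20140211214036.sample@mail.example.net>
Feb 11 16:40:38 hera5 postfix/qmgr[28029]: 886561514D8: from=<bulk@example.net>, size=7991, nrcpt=1 (queue active)
Feb 11 16:40:42 hera5 postfix/smtpd[28038]: connect from localhost.localdomain[127.0.0.1]
Feb 11 16:40:42 hera5 postfix/smtpd[28038]: 174F71553D7: client=localhost.localdomain[127.0.0.1]
Feb 11 16:40:42 hera5 postfix/cleanup[32346]: 174F71553D7: message-id=<20140211214036.sample@mail.example.net>
Feb 11 16:40:42 hera5 postfix/smtpd[28038]: disconnect from localhost.localdomain[127.0.0.1]
Feb 11 16:40:42 hera5 postfix/smtp[4726]: 886561514D8: to=<user@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 174F71553D7)
Feb 11 16:40:42 hera5 postfix/qmgr[28029]: 886561514D8: removed
Feb 11 16:40:42 hera5 postfix/local[4712]: 174F71553D7: to=<user@example.org>, relay=local, dsn=2.0.0, status=sent (delivered to maildir)
"""

CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=(<[^>]*>)")
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^\[]+)\[([^\]]+)\]")
QUEUED_AS_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): .*queued as (\w+)")

LOOPBACK = ("127.0.0.1", "::1")


def trace_message(log_text, message_id):
    """Return {"hops": [...], "origin": hop-or-None} for one Message-ID.

    A hop is one pass through the queue: {"queue_id", "client", "ip", "reinjected_as"}.
    "reinjected_as" is the queue ID under which the content filter handed the message
    back (the "queued as" in the smtp line to 127.0.0.1:10024), when the log shows it.
    "origin" is the first hop whose client address is not loopback.
    """
    lines = log_text.splitlines()
    hops = []
    for idx, line in enumerate(lines):
        m = CLEANUP_RE.search(line)
        if not m or m.group(2) != message_id:
            continue
        qid = m.group(1)
        # Nearest preceding "client=" line for this queue ID. Searching backwards from
        # the cleanup line, not from the top of the file, is what copes with queue ID
        # reuse: an unrelated message with the same ID is never active at the same time.
        client = ip = None
        for prev in reversed(lines[:idx]):
            c = CLIENT_RE.search(prev)
            if c and c.group(1) == qid:
                client, ip = c.group(2), c.group(3)
                break
        # Forward from the cleanup line: did the filter hand this pass back as a new ID?
        reinjected = None
        for nxt in lines[idx:]:
            r = QUEUED_AS_RE.search(nxt)
            if r and r.group(1) == qid:
                reinjected = r.group(2)
                break
        hops.append({"queue_id": qid, "client": client, "ip": ip, "reinjected_as": reinjected})
    origin = next((h for h in hops if h["ip"] and h["ip"] not in LOOPBACK), None)
    return {"hops": hops, "origin": origin}


if __name__ == "__main__":
    result = trace_message(SAMPLE_LOG, "<20140211214036.sample@mail.example.net>")
    for hop in result["hops"]:
        print(hop)
    print("origin:", result["origin"])
```

On the sample the second hop is the one that logs client=localhost.localdomain[127.0.0.1]: it is the content filter reinjecting on port 10025, which permit_mynetworks lets through, and the original HELO was only ever seen by the port-25 smtpd on the first hop. That is why a helo_access check that never fires on the 10025 listener is expected behaviour, and why the check belongs in the restrictions of the listener that faces the outside, before the filter.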