TLS verification woes
Hello

Hope you'll be able to help me again. I'm having problems with a postfix (2.8.5) not being able to send e-mail to a domain because the server certificate is untrusted and the TLS policy is set to "verify". It used to work, but the certificate of the site has changed.

The domain in question is sdz-rhein-ruhr.de, its MX hosts are published in the DNS as:

- 10 mx16a.antispameurope.com
- 20 mx16b.antispameurope.com
- 30 mx16c.antispameurope.com
- 40 mx16d.antispameurope.com

I performed

    echo QUIT | openssl s_client \
        -connect mx16a.antispameurope.com:25 -starttls smtp \
        -showcerts 2>&1 | tee mx16a.antispameurope.com.txt

and extracted the server certificate as well as the intermediate CA certificate (the root CA certificate is not presented by the server). The certificate chain documented by s_client is as follows:

    Certificate chain
     0 s:/C=DE/O=antispameurope GmbH/OU=IT/ST=NDS/L=Hannover/emailAddress=hofm...@antispameurope.com/CN=*.antispameurope.com
       i:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
     1 s:/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
       i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2

I had neither the intermediate CA certificate nor the root CA certificate in the postfix CA certificate store, so I downloaded the root CA certificate from https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/58-deutsche-telekom-root-ca-2, converted it to PEM format, verified that the intermediate CA certificate verifies against it and stuck both the intermediate CA certificate as well as the root CA certificate into the postfix CApath, then called c_rehash on that directory.
An "openssl verify" on the server certificate works:

    root@host:~# postconf smtp_tls_CApath
    smtp_tls_CApath = /etc/postfix/cacerts
    root@host:~# openssl verify -CApath /etc/postfix/cacerts \
        mx16a.antispameurope.com.cert.pem
    mx16a.antispameurope.com.cert.pem: OK

But the postfix smtp client fails to verify:

    postfix/qmgr[4502]: 324F260010: from=, size=627, nrcpt=1 (queue active)
    postfix/smtp[4535]: setting up TLS connection to mx16a.antispameurope.com[94.100.134.100]:25
    postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
    postfix/smtp[4535]: looking for session smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL in smtp cache
    postfix/tlsmgr[4508]: lookup smtp session id=smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL
    postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=2 verify=1 subject=/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
    postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=1 verify=0 subject=/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
    postfix/smtp[4535]: CA certificate verification failed for mx16a.antispameurope.com[94.100.134.100]:25: num=7:certificate signature failure
    postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=1 verify=1 subject=/C=DE/O=T-Systems International GmbH/OU=T-Systems Trust Center/ST=Nordrhein Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr. 20/CN=TeleSec ServerPass DE-2
    postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=0 verify=0 subject=/C=DE/O=antispameurope GmbH/OU=IT/ST=NDS/L=Hannover/emailAddress=hofm...@antispameurope.com/CN=*.antispameurope.com
    postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25: certificate verification depth=0 verify=1 subject=/C=DE/O=antispameurope GmbH/OU=IT/ST=NDS/L=Hannover/emailAddress=hofm...@antispameurope.com/CN=*.antispameurope.com
    postfix/smtp[4535]: save session smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL to smtp cache
    postfix/tlsmgr[4508]: put smtp session id=smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL [data 2276 bytes]
    postfix/tlsmgr[4508]: write smtp TLS cache entry smtp:94.100.134.100:25:mx-gate28-dus.antispameurope.com&p=1&c=ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL: time=1422952827 [data 2276 bytes]
    postfix/smtp[4535]: Untrusted TLS connection established to mx16a.antispameurope.com[94.100.134.100]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    postfix/smtp[4535]: 324F260010: Server certificate not trusted

Since it's set to "verify", it then attempts
Change sender in php
Hi Guys,

I have postfix setup on a Debian system that manages all my mail. However, whenever php is sending mail it sends it under user "www-data". I tried changing the headers in php but it remains the same.

Is there someway I can change this to a more friendly name via postfix?

It is not a train smash, just curious.

Thank You
Danny
Re: Change sender in php
On 2015-02-03 13:17, Danny wrote:
> Hi Guys,
>
> I have postfix setup on a Debian system that manages all my mail. However, whenever php is sending mail it sends it under user "www-data". I tried changing the headers in php but it remains the same.
>
> Is there someway I can change this to a more friendly name via postfix?
>
> It is not a train smash, just curious.
>
> Thank You
> Danny

try -f...@bar.org t
Re: Change sender in php
On 03.02.2015 at 13:17, Danny wrote:
> I have postfix setup on a Debian system that manages all my mail. However, whenever php is sending mail it sends it under user "www-data". I tried changing the headers in php but it remains the same.
>
> Is there someway I can change this to a more friendly name via postfix?
>
> It is not a train smash, just curious

the header is your smallest problem, the envelope is, because if the destination server does sender verification your www-data@some-random-host likely doesn't exist

just don't use the mail() function in PHP
https://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list

i never understood why people use that function since we disabled it more than 12 years ago on any server completely
___

http://www.postfix.org/canonical.5.html

    cat /etc/postfix/canonical
    # CANONICAL(5)
    #
    # NAME
    #       canonical - Postfix canonical table format
    #
    # SYNOPSIS
    #       postmap /etc/postfix/canonical
    #
    #       postmap -q "string" /etc/postfix/canonical
    #
    #       postmap -q - /etc/postfix/canonical
Re: Change sender in php
> On 03.02.2015 at 13:17, Danny wrote:
>
> Hi Guys,
>
> I have postfix setup on a Debian system that manages all my mail. However,
> whenever php is sending mail it sends it under user "www-data". I tried
> changing
> the headers in php but it remains the same.
>
> Is there someway I can change this to a more friendly name via postfix?
>
> It is not a train smash, just curious.

You need to set it in php.ini: That's what I have configured in my php-fpm config file:

    php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f foo...@example.org

The required parameter for you is -f

Christian

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
Re: Change sender in php
On 3 Feb 2015, at 11:25, Christian Rößner wrote:
>
> php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f
> foo...@example.org

Don't put a space between the `-f` and the address, it should be like `-ffoo...@example.org`.

On 3 Feb 2015, at 11:26, li...@rhsoft.net wrote:
>
> just don't use the mail() function in PHP
> https://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list

Quite right, though PHPMailer moved to github some time ago (I'm the maintainer): https://github.com/PHPMailer/PHPMailer

Postfix performance docs suggest that you're better off using SMTP to localhost than calling sendmail anyway.

Marcus
Problems building 3.0 with dynamic module support
I'm trying to build Postfix 3.0.0 with dynamic loadable module support (it builds fine without). When I add

    shared=yes dynamicmaps=yes

to make makefiles I get the following (fpaste of build.log from mock):

http://paste.fedoraproject.org/180820/14229612 (http://ur1.ca/jmm0z)

Note that the errors in the above paste start after line 906, it looks like there are missing object files in the gcc command to me.

Is this a bug in the build process or am I doing something wrong?

Thanks,
Peter
Re: Problems building 3.0 with dynamic module support
Peter:
> I'm trying to build Postfix 3.0.0 with dynamic loadable module support
> (it builds fine without). When I add shared=yes dynamicmaps=yes to make
> makefiles I get the following (fpaste of build.log from mock):
> http://paste.fedoraproject.org/180820/14229612 (http://ur1.ca/jmm0z)
>
> Note that the errors in the above paste start after line 906, it looks
> like there are missing object files in the gcc command to me.
>
> Is this a bug in the build process or am I doing something wrong?

Execute the following commands by themselves, not as part of some insanely complicated Linux build process.

    make makefiles
    make

If that works without error, then you made a mistake with the Linux build process.

	Wietse
Re: Change sender in php
> On 03.02.2015 at 11:53, Marcus Bointon wrote:
>
> On 3 Feb 2015, at 11:25, Christian Rößner wrote:
>>
>> php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f
>> foo...@example.org
>
> Don't put a space between the `-f` and the address, it should be like
> `-ffoo...@example.org`.

I am not sure, but I think it doesn't matter if there is a space or not. I guess it is getopt parsed:

sendmail.c:

    1113 #define OPTIND (optind > 0 ? optind : 1)
    …
    1141         if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
    1142             break;
    1143         switch (c) {
    …
    1226         case 'f':
    1227             sender = optarg;
    1228             break;

Christian

--
Bachelor of Science Informatik
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
USt-IdNr.: DE225643613, http://www.roessner-network-solutions.com
Re: TLS verification woes
On Tue, Feb 03, 2015 at 10:07:11AM +0100, Tobias Reckhard wrote:

> postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25:
> certificate verification depth=2 verify=1 subject=/C=DE/O=Deutsche
> Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2

The constructed chain includes a "Telekom Root CA 2".

> postfix/smtp[4535]: mx16a.antispameurope.com[94.100.134.100]:25:
> certificate verification depth=1 verify=0 subject=/C=DE/O=T-Systems
> International GmbH/OU=T-Systems Trust Center/ST=Nordrhein
> Westfalen/postalCode=57250/L=Netphen/streetAddress=Untere Industriestr.
> 20/CN=TeleSec ServerPass DE-2
>
> postfix/smtp[4535]: CA certificate verification failed for
> mx16a.antispameurope.com[94.100.134.100]:25: num=7:certificate signature
> failure

The signature of this intermediate certificate fails verification via the public key of the root from the log entry above. Most likely because the intermediate certificate has an RSA with SHA2-256 signature:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 14365921339544682215 (0xc75e01582ac3bee7)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2
            Validity
                Not Before: Feb 11 14:30:17 2014 GMT
                Not After : Jul  9 23:59:00 2019 GMT
            Subject: C=DE, O=T-Systems International GmbH, OU=T-Systems Trust Center, ST=Nordrhein Westfalen/postalCode=57250, L=Netphen/street=Untere Industriestr. 20, CN=TeleSec ServerPass DE-2
        ...

If your Postfix is old enough, and is linked against OpenSSL 0.9.8, it only supports md5 and sha1.

--
	Viktor.
Re: Change sender in php
On Tue, Feb 03, 2015 at 11:53:55AM +0100, Marcus Bointon wrote:

> On 3 Feb 2015, at 11:25, Christian Rößner wrote:
> >
> > php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f
> > foo...@example.org
>
> Don't put a space between the `-f` and the address, it should be like
> `-ffoo...@example.org`.

Actually, DO put a space in. Some day you'll write a shell script of the form:

    /usr/sbin/sendmail -f "$sender" ...

which will work even when the sender address is empty, the non-space variant will break:

    /usr/sbin/sendmail -f"$sender" ...

--
	Viktor.
Re: TLS verification woes
On Tue, Feb 03, 2015 at 04:41:40PM +, Viktor Dukhovni wrote:

> If your Postfix is old enough, and is linked against OpenSSL 0.9.8,
> it only supports md5 and sha1.

"Old enough" means older than these:

    Date: Thu Sep  5 08:54:24 2013 -0400   postfix-2.7.15
    Date: Thu Sep  5 08:55:00 2013 -0400   postfix-2.8.16
    Date: Thu Sep  5 08:57:00 2013 -0400   postfix-2.9.8
    Date: Sun Sep  1 09:30:00 2013 -0400   postfix-2.10.2-RC1
    Date: Sun Jun 16 00:00:00 2013 -0500   postfix-2.11-20130616

--
	Viktor.
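Viktor's diagnosis above comes down to one question per chain member: which signature algorithm was the certificate signed with, and can the verifying OpenSSL handle that digest? The following is an added example, not code from the thread or from Postfix: a small stdlib-only DER walker that reads the outer signatureAlgorithm of each certificate in a PEM bundle (the `-showcerts` output order, leaf first) and flags the links that an OpenSSL 0.9.8-era verifier would reject. The sample chain is constructed in the code to mirror the thread (SHA-1 leaf and root, SHA-256 intermediate); real certificates from `s_client -showcerts` can be fed in the same way.

```python
import base64
import re

# Outer signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# Per the thread: Postfix linked against OpenSSL 0.9.8 (older than the 2013
# releases listed above) only verifies MD5 and SHA-1 signatures.
LEGACY_DIGESTS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(body):
    parts = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:                      # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(der):
    """Name of the outer signatureAlgorithm of one DER-encoded X.509 certificate."""
    tag, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)        # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)    # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)


def pem_certs(text):
    """All certificates in a PEM bundle, as DER, in file order."""
    return [base64.b64decode("".join(b64.split())) for b64 in PEM_RE.findall(text)]


def audit_chain(pem_text, legacy_openssl=True):
    """Return [(depth, algorithm, verifiable)] for a leaf-first bundle. With
    legacy_openssl=True the verdict models the OpenSSL 0.9.8 limitation."""
    allowed = LEGACY_DIGESTS if legacy_openssl else set(SIG_OIDS.values())
    return [(depth, signature_algorithm(der), signature_algorithm(der) in allowed)
            for depth, der in enumerate(pem_certs(pem_text))]


# ---- constructed sample input (not real certificates) ----------------------
def _enc(tag, body):
    """Minimal DER encoder, used only to build the constructed sample."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    ids = [int(p) for p in dotted.split(".")]
    body = bytearray([ids[0] * 40 + ids[1]])
    for v in ids[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return bytes(body)


def constructed_cert_pem(sig_oid):
    """Structurally valid but fake certificate: placeholder tbsCertificate
    (padded past 128 bytes to exercise long-form lengths), zero signature."""
    alg_id = _enc(0x30, _enc(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _enc(0x30, _enc(0x02, b"\x01") + alg_id + _enc(0x04, b"\x00" * 120))
    der = _enc(0x30, tbs + alg_id + _enc(0x03, b"\x00" * 9))
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Leaf and root signed with SHA-1, intermediate with SHA-256, as in the thread.
SAMPLE_CHAIN = (constructed_cert_pem("1.2.840.113549.1.1.5")
                + constructed_cert_pem("1.2.840.113549.1.1.11")
                + constructed_cert_pem("1.2.840.113549.1.1.5"))

if __name__ == "__main__":
    for depth, alg, ok in audit_chain(SAMPLE_CHAIN):
        print("depth=%d %-24s %s" % (depth, alg, "ok" if ok else "NOT verifiable by OpenSSL 0.9.8"))
```

Only the signature algorithm is inspected here; whether the signature itself is valid still needs `openssl verify` with the proper CApath.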
Re: Change sender in php
On 3 Feb 2015, at 17:48, Viktor Dukhovni wrote:
>
> Actually, DO put a space in. Some day you'll write a shell script
> of the form:
>
> /usr/sbin/sendmail -f "$sender" ...
>
> which will work even when the sender address is empty, the non-space
> variant will break:
>
> /usr/sbin/sendmail -f"$sender" ...

This isn't a typical shell script - it's called from PHP internals, and I think it escapes the spaces, so it would end up with the sender address given as ' foo...@example.org' (with a leading space) and not just 'foo...@example.org'. I guess in some contexts that would make no difference, but leaving a space certainly used to break PHP mail, which is why most uses of it don't add one (including the PHP docs, drupal, PHPMailer), but I just tested it on PHP 5.6.5 with postfix and it worked with and without, so it may have been fixed.

I don't think significant spaces in getopt are that unusual - I know the -p option to mysql does not allow a following space.

Marcus
Re: Change sender in php
Marcus Bointon:
> On 3 Feb 2015, at 17:48, Viktor Dukhovni wrote:
> >
> > Actually, DO put a space in. Some day you'll write a shell script
> > of the form:
> >
> > /usr/sbin/sendmail -f "$sender" ...
> >
> > which will work even when the sender address is empty, the non-space
> > variant will break:
> >
> > /usr/sbin/sendmail -f"$sender" ...
>
> This isn't a typical shell script - it's called from PHP internals,

Email sometimes has the null sender address (delivery status notifications, bounces, delayed mail warnings). With the form:

    /usr/sbin/sendmail -f"$sender" otherstuff

it is exactly as if Postfix was invoked like this:

    /usr/sbin/sendmail -f otherstuff

And that would be wrong. This is why a space is needed between the -f and the sender argument.

	Wietse
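The disagreement in this thread (Christian's getopt excerpt, Viktor's and Wietse's empty-sender argument) can be reproduced without touching a mail server. The following is an added example, not code from the thread or from Postfix: it models the `sender = optarg` loop from sendmail.c with Python's getopt module, which treats `-f X` and `-fX` identically, and shows what the two shell spellings expand to when `$sender` is the null sender. `parse_sendmail_path` is an assumed helper name for splitting a `sendmail_path` value the way PHP would hand it to the shell.

```python
import getopt
import shlex

# Subset of the sendmail(1) options that matter here: -f takes an argument
# (getopt string "f:"), -t and -i are plain flags.
OPTSTRING = "f:ti"


def parse_sendmail_args(argv):
    """Mimic the getopt loop quoted from sendmail.c: for -f, sender = optarg.
    Returns (sender, remaining non-option arguments, i.e. recipients)."""
    opts, recipients = getopt.getopt(argv, OPTSTRING)
    sender = None
    for opt, arg in opts:
        if opt == "-f":
            sender = arg          # both "-f X" and "-fX" land here
    return sender, recipients


def argv_with_space(sender, recipient):
    """What  sendmail -f "$sender" "$recipient"  becomes after shell expansion:
    an empty $sender still occupies its own argv slot."""
    return ["-f", sender, recipient]


def argv_without_space(sender, recipient):
    """What  sendmail -f"$sender" "$recipient"  becomes: with an empty $sender
    the word collapses to a bare -f, so getopt takes the recipient as optarg."""
    return ["-f" + sender, recipient]


def parse_sendmail_path(value):
    """Split a php.ini sendmail_path value like the shell would and parse the
    options after the program name (assumed helper, for illustration)."""
    words = shlex.split(value)
    return parse_sendmail_args(words[1:])


if __name__ == "__main__":
    rcpt = "rcpt@example.org"   # constructed sample recipient
    for label, argv in (("space, null sender", argv_with_space("", rcpt)),
                        ("no space, null sender", argv_without_space("", rcpt))):
        sender, rcpts = parse_sendmail_args(argv)
        print("%-22s argv=%r -> sender=%r recipients=%r" % (label, argv, sender, rcpts))
```

With a non-empty sender both spellings give the same result, which is why Christian's test and Marcus's PHP 5.6.5 test both "worked"; the difference only appears for the null sender that bounces and delivery status notifications carry.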
Errors with mailing list expansion
I have two separate postfix installations where I have a postfix server that does some initial processing - such as address re-writing, signing, and mailing list expansion. One of them works as expected, and the other fails when doing the mailing list expansion. Specifically:

If I send an e-mail to 'm...@gmail.com' it works correctly.

If I send an e-mail to 'mail-list' when mail-list is defined in the aliases file as

    mail-list: m...@gmail.com

it does not work and the relay host responds

    Transaction failed: Missing final '@domain'

Here is a copy of the log for both cases:

Fails: to mail-list -> m...@gmail.com

    Feb 3 14:00:45 Falcon postfix/smtpd[10509]: warning: hostname MailServer.Net1.myserver.com does not resolve to address 10.168.1.23: Name or service not known
    Feb 3 14:00:45 Falcon postfix/smtpd[10509]: connect from unknown[10.168.1.23]
    Feb 3 14:00:45 Falcon postfix/smtpd[10509]: A450A139221: client=unknown[10.168.1.23]
    Feb 3 14:00:45 Falcon postfix/cleanup[10511]: A450A139221: message-id=<54d11add.13406.1e4...@editor.wpny.us>
    Feb 3 14:00:45 Falcon postfix/qmgr[9871]: A450A139221: from=, size=717, nrcpt=1 (queue active)
    Feb 3 14:00:45 Falcon postfix/smtpd[10509]: disconnect from unknown[10.168.1.23]
    Feb 3 14:00:45 Falcon postfix/cleanup[10511]: B7B19139238: message-id=<54d11add.13406.1e4...@editor.wpny.us>
    Feb 3 14:00:45 Falcon postfix/local[10512]: A450A139221: to=, orig_to=, relay=local, delay=0.12, delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (forwarded as B7B19139238)
    Feb 3 14:00:45 Falcon postfix/qmgr[9871]: B7B19139238: from=, size=880, nrcpt=1 (queue active)
    Feb 3 14:00:45 Falcon postfix/qmgr[9871]: A450A139221: removed
    Feb 3 14:00:46 Falcon postfix/smtp[10513]: B7B19139238: to=, relay=email-smtp.us-east-1.amazonaws.com[184.73.222.29]:25, delay=0.88, delays=0.03/0.03/0.7/0.12, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[184.73.222.29] said: 554 Transaction failed: Missing final '@domain' (in reply to end of DATA command))
    Feb 3 14:00:46 Falcon postfix/cleanup[10511]: E324413923C: message-id=<20150203190046.e3244139...@maila.myserver.com>
    Feb 3 14:00:46 Falcon postfix/bounce[10514]: B7B19139238: sender non-delivery notification: E324413923C
    Feb 3 14:00:46 Falcon postfix/qmgr[9871]: E324413923C: from=<>, size=2967, nrcpt=1 (queue active)
    Feb 3 14:00:46 Falcon postfix/qmgr[9871]: B7B19139238: removed
    Feb 3 14:00:47 Falcon postfix/smtp[10513]: E324413923C: to=, relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=0.61, delays=0.04/0/0.56/0.01, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[54.243.69.182] said: 501 Invalid MAIL FROM address provided (in reply to MAIL FROM command))
    Feb 3 14:00:47 Falcon postfix/qmgr[9871]: E324413923C: removed

Besides the non-delivery notification, the non-delivery notification is not delivered because of the from=<>, although the original from appears to be set correctly.

Works: to: m...@gmail.com

    Feb 3 14:01:24 Falcon postfix/smtpd[10509]: warning: hostname MailServer.Net1.myserver.com does not resolve to address 10.168.1.23: Name or service not known
    Feb 3 14:01:24 Falcon postfix/smtpd[10509]: connect from unknown[10.168.1.23]
    Feb 3 14:01:24 Falcon postfix/smtpd[10509]: 62C4F139221: client=unknown[10.168.1.23]
    Feb 3 14:01:24 Falcon postfix/cleanup[10511]: 62C4F139221: message-id=<54d11b04.3267.1ed...@editor.wpny.us>
    Feb 3 14:01:24 Falcon postfix/qmgr[9871]: 62C4F139221: from=, size=745, nrcpt=1 (queue active)
    Feb 3 14:01:24 Falcon postfix/smtpd[10509]: disconnect from unknown[10.168.1.23]
    Feb 3 14:01:25 Falcon postfix/smtp[10513]: 62C4F139221: to=, relay=email-smtp.us-east-1.amazonaws.com[107.21.238.216]:25, delay=0.81, delays=0.08/0/0.49/0.24, dsn=2.0.0, status=sent (250 Ok 014b50d18bb8-fc6a1ab8-11c5-4133-b423-16b14685b673-00)
    Feb 3 14:01:25 Falcon postfix/qmgr[9871]: 62C4F139221: removed

Here is my postconf:

    INTERNAL_USERS = check_sender_access hash:$config_directory/internal_users, reject
    alias_database = hash:$config_directory/aliases
    alias_maps = hash:$config_directory/aliases
    alternate_config_directories = /etc/postfix-amazon, /etc/postfix-in
    append_at_myorigin = yes
    append_dot_mydomain = yes
    biff = no
    canonical_maps = hash:$config_directory/canonical
    command_directory = /usr/sbin
    config_directory = .
    daemon_directory = /usr/lib/postfix
    data_directory = /var/spool/postfix-amazon/var/run
    default_privs = nobody
    empty_address_recipient = MAILER-DAEMON
    header_checks = regexp:$config_directory/header_checks.dat
    html_directory = /usr/share/doc/packages/postfix/html
    inet_interfaces = localhost, falcon
    inet_protocols = ipv4
    local_maps = hash:$config_directory/local
    local_recipient_maps = $alias_maps $local_maps
    mail_name = Falcon mail server
    mail_owner = postfix
    mail_spool_directory = /var/mail
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    message_size_limit = 2048
    mydestination = $config_directory/loc
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 01:25 AM, Wietse Venema wrote:
> Execute the following commands by themselves, not as part of
> some insanely complicated Linux build process.
>
> make makefiles
> make
>
> If that works without error, then you made a mistake with the Linux
> build process.

Still does the same thing. I'm currently in the process of trying to simplify the options passed to make makefiles that causes it (divide and conquer style). Also am testing on CentOS 6 as well (this was on CentOS 5). I'll get back with more details.

Peter
Re: Errors with mailing list expansion
System Support:
> Feb 3 14:00:45 Falcon postfix/qmgr[9871]: B7B19139238:
> from=, size=880, nrcpt=1 (queue active)
> Feb 3 14:00:46 Falcon postfix/smtp[10513]: B7B19139238: to=,
> relay=email-smtp.us-east-1.amazonaws.com[184.73.222.29]:25, delay=0.88,
> delays=0.03/0.03/0.7/0.12, dsn=5.0.0, status=bounced (host
> email-smtp.us-east-1.amazonaws.com[184.73.222.29] said: 554 Transaction
> failed: Missing final '@domain' (in reply to end of DATA command))

You need to find out why the amazonaws.com server rejects mail from owner-w...@myserver.com to m...@gmail.com. I suspect that you can get the same result without using the mailing list, by using the command:

    echo To: m...@gmail.com | /usr/sbin/sendmail -f owner-w...@myserver.com m...@gmail.com

> Feb 3 14:00:46 Falcon postfix/qmgr[9871]: E324413923C: from=<>, size=2967,
> nrcpt=1 (queue active)
> Feb 3 14:00:47 Falcon postfix/smtp[10513]: E324413923C:
> to=,
> relay=email-smtp.us-east-1.amazonaws.com[54.243.69.182]:25, delay=0.61,
> delays=0.04/0/0.56/0.01, dsn=5.0.0, status=bounced (host
> email-smtp.us-east-1.amazonaws.com[54.243.69.182] said: 501 Invalid MAIL FROM
> address provided (in reply to MAIL FROM command))

The Internet SMTP mail standard (RFC 5321) requires that non-delivery notifications have the null sender address. You need to find out why the amazonaws.com server rejects such email.

	Wietse
Re: Problems building 3.0 with dynamic module support
Peter:
> On 02/04/2015 01:25 AM, Wietse Venema wrote:
> > Execute the following commands by themselves, not as part of
> > some insanely complicated Linux build process.
> >
> > make makefiles
> > make
> >
> > If that works without error, then you made a mistake with the Linux
> > build process.
>
> Still does the same thing. I'm currently in the process of trying to
> simplify the options passed to make makefiles that causes it (divide and
> conquer style). Also am testing on CentOS 6 as well (this was on CentOS
> 5). I'll get back with more details.

OK, show the complete "make makefiles" command that you used without the insanely complicated Linux build process. I have a few Linux boxen where I can try that command myself.

	Wietse
Re: Errors with mailing list expansion
System Support:
> Feb 3 14:00:45 Falcon postfix/cleanup[10511]: A450A139221:
> message-id=<54d11add.13406.1e4...@editor.wpny.us>
> Feb 3 14:00:45 Falcon postfix/qmgr[9871]: A450A139221:
> from=, size=717, nrcpt=1 (queue active)
> Feb 3 14:00:45 Falcon postfix/local[10512]: A450A139221:
> to=, orig_to=, relay=local, delay=0.12,
> delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (forwarded as B7B19139238)

Viktor drew my attention to the "orig_to=" part of the logging.

This looks like a bug that I fixed last October (change date: 20141024).

Your list manager is configured to send mail to "WPNY" (no domain).

If you could change this to send mail to "w...@maila.myserver.com", then that could take care of the "missing @domain" problem.

On the other hand, if the problem is with missing domains in the email message content, that will have to be fixed at the source.

	Wietse
Re: Errors with mailing list expansion
On Tue, Feb 03, 2015 at 03:45:21PM -0500, Wietse Venema wrote:

> System Support:
> > Feb 3 14:00:45 Falcon postfix/cleanup[10511]: A450A139221:
> > message-id=<54d11add.13406.1e4...@editor.wpny.us>
> > Feb 3 14:00:45 Falcon postfix/qmgr[9871]: A450A139221:
> > from=, size=717, nrcpt=1 (queue active)
> > Feb 3 14:00:45 Falcon postfix/local[10512]: A450A139221:
> > to=, orig_to=, relay=local, delay=0.12,
> > delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (forwarded as B7B19139238)
>
> Viktor drew my attention to the "orig_to=" part of the logging.
>
> This looks like a bug that I fixed last October (change date:
> 20141024).
>
> Your list manager is configured to send mail to "WPNY" (no domain).
>
> If you could change this to send mail to "w...@maila.myserver.com",
> then that could take care of the "missing @domain" problem.
>
> On the other hand, if the problem is with missing domains in the
> email message content, that will have to be fixed at the source.

Perhaps making sure that the sending client matches

    $local_header_rewrite_clients
    http://www.postfix.org/postconf.5.html#local_header_rewrite_clients

might help, by qualifying the original input address with @$myorigin. Something like:

    local_header_rewrite_clients = permit_mynetworks

or similar, might do the trick. This would address unqualified addresses in message headers, not sure how this interacts with DSN "ORCPT".

--
	Viktor.
Re: Errors with mailing list expansion
Viktor Dukhovni:
> On Tue, Feb 03, 2015 at 03:45:21PM -0500, Wietse Venema wrote:
>
> > System Support:
> > > Feb 3 14:00:45 Falcon postfix/cleanup[10511]: A450A139221:
> > > message-id=<54d11add.13406.1e4...@editor.wpny.us>
> > > Feb 3 14:00:45 Falcon postfix/qmgr[9871]: A450A139221:
> > > from=, size=717, nrcpt=1 (queue active)
> > > Feb 3 14:00:45 Falcon postfix/local[10512]: A450A139221:
> > > to=, orig_to=, relay=local, delay=0.12,
> > > delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (forwarded as B7B19139238)
> >
> > Viktor drew my attention to the "orig_to=" part of the logging.
> >
> > This looks like a bug that I fixed last October (change date:
> > 20141024).
> >
> > Your list manager is configured to send mail to "WPNY" (no domain).
> >
> > If you could change this to send mail to "w...@maila.myserver.com",
> > then that could take care of the "missing @domain" problem.
> >
> > On the other hand, if the problem is with missing domains in the
> > email message content, that will have to be fixed at the source.
>
> Perhaps making sure that the sending client matches
>
> $local_header_rewrite_clients

No, it doesn't. orig_to is not subject to address rewriting.

	Wietse
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 09:16 AM, Wietse Venema wrote:
> OK, show the complete "make makefiles" command that you used without
> the insanely complicated Linux build process. I have a few Linux
> boxen where I can try that command myself.

The full "make makefiles" was:

    make -f Makefile.init makefiles shared=yes dynamicmaps=yes 'CCARGS=-fPIC -DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre -DHAS_MYSQL -I/usr/include/mysql -DHAS_PGSQL -I/usr/include/pgsql -DHAS_SQLITE -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/include/sasl -DUSE_TLS -I/usr/kerberos/include -DDEF_CONFIG_DIR=\"/etc/postfix\" ' 'AUXLIBS= -L/usr/lib64/sasl2 -lsasl2 -L/usr/kerberos/lib64 -lssl -lcrypto -ldl -lz -pie -Wl,-z,relro' 'AUXLIBS_LDAP=-lldap -llber' AUXLIBS_PCRE=-lpcre 'AUXLIBS_MYSQL=-L/usr/lib64/mysql -lmysqlclient -lm' AUXLIBS_PGSQL=-lpq 'AUXLIBS_SQLITE=-lsqlite3 -lpthread' DEBUG= 'OPT=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wno-comment'

I simplified it down to this and still got the error:

    make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-pie'

If I remove the -pie from AUXLIBS (either from the simplified version or the full version) it builds just fine. It also builds just fine if I remove the shared=yes (and dynamicmaps=yes). So it appears that -pie doesn't want to work with shared=yes.

I honestly don't know where or why -pie was added in the first place, so I'll remove it for now, I don't know if postfix is supposed to be compatible with that option or not.

Peter
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 09:59 AM, Peter wrote:
> I simplified it down to this and still got the error:
> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-pie'
>
> If I remove the -pie from AUXLIBS (either from the simplified version or
> the full version) it builds just fine. It also builds just fine if I
> remove the shared=yes (and dynamicmaps=yes). So it appears that -pie
> doesn't want to work with shared=yes.
>
> I honestly don't know where or why -pie was added in the first place, so
> I'll remove it for now, I don't know if postfix is supposed to be
> compatible with that option or not.

A bit of googling shows that it's for security hardening of the code. I also found the fix. If I move -pie from AUXLIBS to CCARGS then it appears to build just fine. I think the issue is that with the new AUXLIBS_X attributes those options specified in AUXLIBS are no longer applied to everything so the linker was trying to link some position-independent code against other code that was not compiled with -pie. Moving -pie to CCARGS forces it to be applied to everything and fixes the issue.

Peter
Re: Errors with mailing list expansion
Changing from WPNY to w...@maila.myserver.com did fix the problem. I have not had to add the domain in the past, but I was not relaying to Amazon, and Amazon does verify the source address, and I guess that they require a fully qualified name. And, based on your other response, I gather that it is not possible to have a rewrite rule to do this automatically.

On 3 Feb 2015 at 15:45, Wietse Venema wrote:

> System Support:
> > Feb 3 14:00:45 Falcon postfix/cleanup[10511]: A450A139221:
> > message-id=<54d11add.13406.1e4...@editor.wpny.us>
> > Feb 3 14:00:45 Falcon postfix/qmgr[9871]: A450A139221:
> > from=, size=717, nrcpt=1 (queue active)
> > Feb 3 14:00:45 Falcon postfix/local[10512]: A450A139221:
> > to=, orig_to=, relay=local, delay=0.12,
> > delays=0.08/0.01/0/0.03, dsn=2.0.0, status=sent (forwarded as B7B19139238)
>
> Viktor drew my attention to the "orig_to=" part of the logging.
>
> This looks like a bug that I fixed last October (change date:
> 20141024).
>
> Your list manager is configured to send mail to "WPNY" (no domain).
>
> If you could change this to send mail to "w...@maila.myserver.com",
> then that could take care of the "missing @domain" problem.
>
> On the other hand, if the problem is with missing domains in the
> email message content, that will have to be fixed at the source.
>
> Wietse
>

...don
support (at) microtechniques.com
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 09:59:28AM +1300, Peter wrote:

> I simplified it down to this and still got the error:
> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-pie'

If you want PIE support, you'll need to use "-fPIE" (upper-case). This makes it possible to enable ASLR for the Postfix binaries and libraries (and any system libraries linked with PIE).

--
	Viktor.
Re: Errors with mailing list expansion
System Support:
> Changing from WPNY to w...@maila.myserver.com did fix the problem.
> I have not had to add the domain in the past, but I was not relaying
> to Amazon, and Amazon does verify the source
> address, and I guess that they require a fully qualified name.
> And, based on your other response, I gather that it is not possible
> to have a rewrite rule to do this automatically.

Amazon was objecting to this SMTP command:

    RCPT TO: ORPT=rfc822;WPNY

That is, the problem was not with the recipient address, but with the ORPT parameter for delivery status notifications.

The alternative would be to disable Postfix DSN support with:

    /etc/postfix/main.cf:
        smtp_discard_ehlo_keywords = dsn, silent_discard

so that it would send:

    RCPT TO:

but that would be a blunt tool.

	Wietse
Re: Errors with mailing list expansion
On Tue, Feb 03, 2015 at 04:13:23PM -0500, System Support wrote:

> Changing from WPNY to w...@maila.myserver.com did fix the problem. I have
> not had to add
> the domain in the past, but I was not relaying to Amazon, and Amazon does
> verify the source
> address, and I guess that they require a fully qualified name. And, based
> on your other
> response, I gather that it is not possible to have a rewrite rule to do this
> automatically.

That depends on whether Amazon is objecting to "ORCPT" or message
headers. If you want to definitively know what the problem is,
you'd have to test with messages carefully crafted to have just
the "To:" header or just the "RCPT TO" envelope address unqualified.

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 10:20 AM, Viktor Dukhovni wrote:
> On Wed, Feb 04, 2015 at 09:59:28AM +1300, Peter wrote:
>
>> I simplified it down to this and was still getting the error:
>> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-pie'
>
> If you want PIE support, you'll need to use "-fPIE" (upper-case).
> This makes it possible to enable ASLR for the Postfix binaries and
> libraries (and any system libraries linked with PIE).

If I add -fPIE to CCARGS I get:

/usr/bin/ld: attr_print0.o: relocation R_X86_64_PC32 against `attr_print0' can not be used when making a shared object; recompile with -fPIC

It works with CCARGS="-fPIC -pie"

Peter
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 10:45:23AM +1300, Peter wrote:

> On 02/04/2015 10:20 AM, Viktor Dukhovni wrote:
> > On Wed, Feb 04, 2015 at 09:59:28AM +1300, Peter wrote:
> >
> >> I simplified it down to this and was still getting the error:
> >> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-pie'
> >
> > If you want PIE support, you'll need to use "-fPIE" (upper-case).
> > This makes it possible to enable ASLR for the Postfix binaries and
> > libraries (and any system libraries linked with PIE).
>
> If I add -fPIE to CCARGS I get:

No, not CCARGS, AUXLIBS:

    make -f Makefile.in shared=yes "AUXLIBS=-fPIE" makefiles
    make

works with the GCC toolchain on my machine.

--
Viktor.
Re: Problems building 3.0 with dynamic module support
Viktor Dukhovni:
> On Wed, Feb 04, 2015 at 09:59:28AM +1300, Peter wrote:
>
> > I simplified it down to this and was still getting the error:
> > make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-pie'
>
> If you want PIE support, you'll need to use "-fPIE" (upper-case).
> This makes it possible to enable ASLR for the Postfix binaries and
> libraries (and any system libraries linked with PIE).

The -pie is a linker option, so it belongs in AUXLIBS.

The gcc manpage says that you also need to specify the -fpie or
-fPIE compiler option, so that belongs in CCARGS.

Wietse
Re: Errors with mailing list expansion
Viktor Dukhovni:
> On Tue, Feb 03, 2015 at 04:13:23PM -0500, System Support wrote:
>
> > Changing from WPNY to w...@maila.myserver.com did fix the problem. I have
> > not had to add
> > the domain in the past, but I was not relaying to Amazon, and Amazon does
> > verify the source
> > address, and I guess that they require a fully qualified name. And, based
> > on your other
> > response, I gather that it is not possible to have a rewrite rule to do
> > this automatically.
>
> That depends on whether Amazon is objecting to "ORCPT" or message
> headers. If you want to definitively know what the problem is,
> you'd have to test with messages carefully crafted to have just
> the "To:" header or just the "RCPT TO" envelope address unqualified.

Postfix will rewrite the To: header. He has append_at_myorigin=yes.

Wietse
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 10:47 AM, Viktor Dukhovni wrote:
> No, not CCARGS, AUXLIBS:
>
>     make -f Makefile.in shared=yes "AUXLIBS=-fPIE" makefiles
>     make
>
> works with the GCC toolchain on my machine.

make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-fPIE -pie'

...fails

On 02/04/2015 10:49 AM, Wietse Venema wrote:
> The -pie is a linker option, so it belongs in AUXLIBS.
>
> The gcc manpage says that you also need to specify the -fpie or
> -fPIE compiler option, so that belongs in CCARGS.

make makefiles shared=yes 'CCARGS=-fPIC -fPIE' 'AUXLIBS=-pie'

...also fails

I've also tried:

make makefiles shared=yes 'CCARGS=-fPIC -fPIE -pie'

...which fails differently (can give details if wanted)

make makefiles shared=yes 'CCARGS=-fPIC -pie'

...which works.

According to the gcc docs -pie should be passed through to the linker, so in theory it should work this way, but I don't know for sure.

Peter
Re: Errors with mailing list expansion
Thanks. I do not see the ORPT option in my log. Is it implied by one of the other entries?

As far as the 'blunt tool', all of the mail processed by this instance will be relayed to Amazon. What are the disadvantages of the smtp_discard_ehlo_keywords that you suggested in that case?

On 3 Feb 2015 at 16:41, Wietse Venema wrote:

> System Support:
> > Changing from WPNY to w...@maila.myserver.com did fix the problem.
> > I have not had to add the domain in the past, but I was not relaying
> > to Amazon, and Amazon does verify the source
> > address, and I guess that they require a fully qualified name.
> > And, based on your other response, I gather that it is not possible
> > to have a rewrite rule to do this automatically.
>
> Amazon was objecting to this SMTP command:
>
>     RCPT TO: ORPT=rfc822;WPNY
>
> That is, the problem was not with the recipient address, but with
> the ORPT parameter for delivery status notifications.
>
> The alternative would be to disable Postfix DSN support with:
>
>     /etc/postfix/main.cf:
>         smtp_discard_ehlo_keywords = dsn, silent_discard
>
> so that it would send:
>
>     RCPT TO:
>
> but that would be a blunt tool.
>
> Wietse
> ...don
> support (at) microtechniques.com
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 11:11:43AM +1300, Peter wrote:

> On 02/04/2015 10:47 AM, Viktor Dukhovni wrote:
> > No, not CCARGS, AUXLIBS:
> >
> >     make -f Makefile.in shared=yes "AUXLIBS=-fPIE" makefiles
> >     make
> >
> > works with the GCC toolchain on my machine.
>
> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-fPIE -pie'
> ...fails

Of course it does. You used both "-fPIE" and "-fpie".

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 11:31 AM, Viktor Dukhovni wrote:
>> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-fPIE -pie'
>> ...fails
>
> Of course it does. You used both "-fPIE" and "-fpie".

No, I used both -fPIE and -pie (without the "f").

Peter
Re: Errors with mailing list expansion
On Tue, Feb 03, 2015 at 05:28:24PM -0500, System Support wrote:

> As far as the 'blunt tool', all of the mail processed by this instance will
> be relayed to Amazon.
> What are the disadvantages of the smtp_discard_ehlo_keywords that you
> suggested in that
> case?

I generally disable DSN at border MTAs. Mail leaving my organization
sends any success DSN notices as soon as the message is handed off
to the responsible MX host. Mail coming in has the DSN notices sent
by the remote MTA. So this can be a reasonable setting.

--
Viktor.
Filtering Outgoing mail - Was: [OT - Renaming Attachments]
On Tue, 3 Feb 2015 17:06:14 +1300 Jeremy Bowen wrote:

> From here it looks like I need to initially add the following lines
> to master.cf:
>
>     filter    unix  -       n       n       -       10      pipe
>       flags=Rq user=filter null_sender= argv=/usr/local/bin/myscript -f ${sender} -- ${recipient}

I've knocked up a quick-and-dirty solution in the interim but I would like to improve on this.

I've added the above filter section and replaced the previous content filter with "-o content_filter=filter:dummy" to my submission service in master.cf

Outgoing mail is now being processed by my shell script and email is being sent OK. However, in implementing this, I've lost the DK signing ability and I'm also concerned about scalability & performance as alluded to in the FILTER_README. Also, ALL outgoing email is processed by my script whether it needs to be or not.

I would really value some recommendations on how to improve this.

Thanks.
Re: Errors with mailing list expansion
System Support:
> Thanks. I do not see the ORPT option in my log. Is it implied
> by one of the other entries?

Postfix normally does not log SMTP commands. That would be a lot of logging.

> As far as the 'blunt tool', all of the mail processed by this
> instance will be relayed to Amazon. What are the disadvantages
> of the smtp_discard_ehlo_keywords that you suggested in that
> case?

You don't have to use it. Leave it alone.

Wietse

> On 3 Feb 2015 at 16:41, Wietse Venema wrote:
>
> > System Support:
> > > Changing from WPNY to w...@maila.myserver.com did fix the problem.
> > > I have not had to add the domain in the past, but I was not relaying
> > > to Amazon, and Amazon does verify the source
> > > address, and I guess that they require a fully qualified name.
> > > And, based on your other response, I gather that it is not possible
> > > to have a rewrite rule to do this automatically.
> >
> > Amazon was objecting to this SMTP command:
> >
> >     RCPT TO: ORPT=rfc822;WPNY
> >
> > That is, the problem was not with the recipient address, but with
> > the ORPT parameter for delivery status notifications.
> >
> > The alternative would be to disable Postfix DSN support with:
> >
> >     /etc/postfix/main.cf:
> >         smtp_discard_ehlo_keywords = dsn, silent_discard
> >
> > so that it would send:
> >
> >     RCPT TO:
> >
> > but that would be a blunt tool.
> >
> > Wietse
> >
> > ...don
> > support (at) microtechniques.com
Re: Errors with mailing list expansion
On Tue, Feb 03, 2015 at 04:51:21PM -0500, Wietse Venema wrote:

> > That depends on whether Amazon is objecting to "ORCPT" or message
> > headers. If you want to definitively know what the problem is,
> > you'd have to test with messages carefully crafted to have just
> > the "To:" header or just the "RCPT TO" envelope address unqualified.
>
> Postfix will rewrite the To: header. He has append_at_myorigin=yes.

Even if the client is "remote" (no match in local_header_rewrite_clients)?

--
Viktor.
Re: Errors with mailing list expansion
Viktor Dukhovni:
> On Tue, Feb 03, 2015 at 04:51:21PM -0500, Wietse Venema wrote:
>
> > > That depends on whether Amazon is objecting to "ORCPT" or message
> > > headers. If you want to definitively know what the problem is,
> > > you'd have to test with messages carefully crafted to have just
> > > the "To:" header or just the "RCPT TO" envelope address unqualified.
> >
> > Postfix will rewrite the To: header. He has append_at_myorigin=yes.
>
> Even if the client is "remote" (no match in local_header_rewrite_clients)?

So your idea is the SMTP client sent "RCPT TO:" and "To: WPNY"?

Wietse
Re: Problems building 3.0 with dynamic module support
On 03.02.2015 at 23:35, Peter wrote:
> On 02/04/2015 11:31 AM, Viktor Dukhovni wrote:
>>> make makefiles shared=yes 'CCARGS=-fPIC' 'AUXLIBS=-fPIE -pie'
>>> ...fails
>>
>> Of course it does. You used both "-fPIE" and "-fpie".
>
> No, I used both -fPIE and -pie (without the "f")

BUT one belongs to CCARGS and the other to AUXLIBS
re-read the previous mails in this thread!
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 01:42 PM, li...@rhsoft.net wrote:
> BUT one belongs to CCARGS and the other to AUXLIBS
> re-read the previous mails in this thread!

...and from one of *my* previous emails:

> make makefiles shared=yes 'CCARGS=-fPIC -fPIE' 'AUXLIBS=-pie'
>
> ...also fails

Can you suggest the combination with -pie that is supposed to work and actually *does* work?

Peter
Re: Errors with mailing list expansion
On Tue, Feb 03, 2015 at 07:23:09PM -0500, Wietse Venema wrote:

> > > Postfix will rewrite the To: header. He has append_at_myorigin=yes.
> >
> > Even if the client is "remote" (no match in local_header_rewrite_clients)?
>
> So your idea is the SMTP client sent "RCPT TO:" and "To: WPNY"?

Yes, and I don't know which caused the problem.

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 04.02.2015 at 02:31, Peter wrote:
> On 02/04/2015 01:42 PM, li...@rhsoft.net wrote:
>> BUT one belongs to CCARGS and the other to AUXLIBS
>> re-read the previous mails in this thread!
>
> ...and from one of *my* previous emails:
>
>> make makefiles shared=yes 'CCARGS=-fPIC -fPIE' 'AUXLIBS=-pie'
>>
>> ...also fails
>
> Can you suggest the combination with -pie that is supposed to work and
> actually *does* work?

not for dynamic build but that below is from my rpmbuilder and it's a hardened build supporting ASLR

hardening-check /usr/libexec/postfix/master
/usr/libexec/postfix/master:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: yes

.rpmrc:
optflags: x86_64 -m64 -O2 -march=corei7 -mtune=corei7 -fopenmp -mmmx -msse2 -msse3 -msse4.1 -msse4.2 -maes -mfpmath=sse -pipe -fomit-frame-pointer -finline-functions -finline-limit=60 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=6 -D_FORTIFY_SOURCE=2 -Wstack-protector -Wformat -Werror=format-security

postfix.spec:
%build
CCARGS="-fPIC -DNO_NIS -DNO_NISPLUS -DNO_EAI -DNO_LMDB -DNO_CDB -DNO_LDAP -DNO_PGSQL -DNO_SQLITE -DHAS_PCRE -I%{_includedir}/pcre -DHAS_MYSQL -I%{_includedir}/mysql -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I%{_includedir}/sasl -DDEF_CONFIG_DIR=\\\"%{postfix_config_dir}\\\""
AUXLIBS="-lpcre -L%{_libdir}/mysql -lmysqlclient -lm -L%{_libdir}/sasl2 -lsasl2 -lssl -lcrypto -pie -Wl,-z,now -Wl,-z,relro,-z,noexecstack"
%{__make} %{?_smp_mflags} -f Makefile.init makefiles shared=no CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" DEBUG="" OPT="%{optflags} -Wno-comment -fno-strict-aliasing"
%{__make} %{?_smp_mflags} CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" DEBUG="" OPT="%{optflags} -Wno-comment -fno-strict-aliasing"
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 02:31:37PM +1300, Peter wrote:

> Can you suggest the combination with -pie that is supposed to work and
> actually *does* work?

It may be tricky, Postfix applies "AUXLIBS" when building both the
final executables, and the shared libraries, but it seems that
"-pie" is not appropriate for shared libraries. Additional "makedefs"
and Makefile.in logic would be required to create linker flags that
apply to the executables only.

--
Viktor.
Postfix authentication with login username instead of sasl_passwd username
I am trying to get a new installation of postfix up and running. The specifics are:

Raspbian Wheezy
Postfix 2.9.6
All updates are current

I have configured it using sasl to connect to an SMTP server via port 587. I have configured the SMTP server and its associated username:password in the sasl_passwd file and run postmap against it. If I run:

postmap -q [servername]:587 /etc/postfix/sasl_passwd

It gives me the correct username:password. However when I attempt to send mail Postfix attempts to authenticate using the login name of the user sending the mail instead of the username specified in sasl_passwd.

Any thoughts?

Thanks,
Jim
---
Jim McCorison
Orcas Island, WA
Re: Postfix authentication with login username instead of sasl_passwd username
On Tue, Feb 03, 2015 at 05:54:00PM -0800, Jim McCorison wrote:

> I am trying to get a new installation of postfix up and running. The
> specifics are:
> Raspbian Wheezy
> Postfix 2.9.6
> All updates are current
>
> I have configured it using sasl to connect to an SMTP server via port 587. I
> have configured the SMTP server and its associated username:password in the
> sasl_passwd file and run postmap against. If I run:
>
> postmap -q [servername]:587 /etc/postfix/sasl_passwd
>
> It gives me the correct username:password. However when I attempt to send
> mail Postfix attempts to authenticate using the login name of the user
> sending the mail instead of the username specified in sasl_passwd.
>
> Any thoughts?

1. http://www.postfix.org/DEBUG_README.html#mail

2. You're mistaken.

3. You've also configured, but failed to mention:

    smtp_sender_dependent_authentication = yes

    http://www.postfix.org/SASL_README.html#client_sasl_sender

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 02:47 PM, Viktor Dukhovni wrote:
> It may be tricky, Postfix applies "AUXLIBS" when building both the
> final executables, and the shared libraries, but it seems that
> "-pie" is not appropriate for shared libraries. Additinal "makedefs"
> and Makefile.in logic would be required to create linker flags that
> apply to the executables only.

Well for now, then I'll just have to remove -pie, but if I can get that in as a feature request to make -pie work with shared=yes, then I would really appreciate it. Not sure if it should be considered a blocker for 3.0.0 or not, though, maybe it could be considered a bugfix to go into 3.0.1?

Peter
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 02:46 PM, li...@rhsoft.net wrote:
> not for dynamic build but that below is from my rpmbuilder and it's a
> hardened build supporting ASLR

> AUXLIBS="-lpcre -L%{_libdir}/mysql -lmysqlclient -lm -L%{_libdir}/sasl2
> -lsasl2 -lssl -lcrypto -pie -Wl,-z,now -Wl,-z,relro,-z,noexecstack"

This is pretty similar to what I had before, it craps out as soon as you add shared=yes to make makefiles.

Peter
Re: Problems building 3.0 with dynamic module support
On 04.02.2015 at 03:31, Peter wrote:
> On 02/04/2015 02:47 PM, Viktor Dukhovni wrote:
>> It may be tricky, Postfix applies "AUXLIBS" when building both the
>> final executables, and the shared libraries, but it seems that
>> "-pie" is not appropriate for shared libraries. Additinal "makedefs"
>> and Makefile.in logic would be required to create linker flags that
>> apply to the executables only.
>
> Well for now, then I'll just have to remove -pie, but if I can get that
> in as a feature request to make -pie work with shared=yes, then I would
> really appreciate it. Not sure if it should be considered a blocker for
> 3.0.0 or not, though, maybe it could be considered a bugfix to go into
> 3.0.1?

looks like you don't realize the difference between PIC and PIE

PIE = position independent EXECUTABLE
PIC = position independent CODE

shared libraries (at least on x86_64) are always PIC

see the difference between a .so and an executable below

Full RELRO   Canary found   NX enabled   DSO           No RPATH   No RUNPATH   /usr/lib64/mysql/libmysqlclient.so.18.0.0
Full RELRO   Canary found   NX enabled   PIE enabled   No RPATH   No RUNPATH   /usr/libexec/mysqld
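The three points made in this thread (Wietse: -pie is a linker flag and -fPIE a compiler flag; Viktor: -pie is not appropriate for the shared libraries; the message above: shared objects are PIC while PIE is a property of the executable) can be seen directly from a toolchain. The following is an added example and not code from the thread or from Postfix: it compiles a constructed two-file program four ways and reports which links succeed and what ELF type the linker produced. It assumes a Linux/ELF host with a C compiler reachable as `cc` (gcc or clang) and returns None when none is found; the global-variable access in `lib.c` is what forces the PIC-only relocation that made Peter's build fail.

```python
"""Added example (not from the thread or Postfix): PIC vs. PIE as seen by the linker.
Assumes Linux/ELF and a C compiler available as `cc`."""
import os
import shutil
import struct
import subprocess
import tempfile

ET_EXEC, ET_DYN = 2, 3   # ELF e_type: fixed-address executable vs. shared object / PIE

# Constructed sources. Reading a global inside a shared object needs a PIC-style
# (GOT) relocation, so an object compiled without -fPIC cannot be linked into a .so.
LIB_C = "int counter = 0;\nint bump(void) { return ++counter; }\n"
MAIN_C = "int main(void) { return 0; }\n"


def elf_e_type(path):
    """Return the e_type field of an ELF file, honouring its declared byte order."""
    with open(path, "rb") as f:
        hdr = f.read(18)
    if hdr[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    order = "<" if hdr[5] == 1 else ">"          # EI_DATA: 1 = little endian, 2 = big endian
    return struct.unpack(order + "H", hdr[16:18])[0]


def _cc(*args):
    """Run the compiler; True on success, False on any failure (diagnostics discarded)."""
    r = subprocess.run(["cc", *args], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def build_cases():
    """Build four variants in a scratch directory and report the outcome of each.
    Returns None when no compiler is available."""
    if shutil.which("cc") is None:
        return None
    d = tempfile.mkdtemp()
    try:
        lib, main = os.path.join(d, "lib.c"), os.path.join(d, "main.c")
        with open(lib, "w") as f:
            f.write(LIB_C)
        with open(main, "w") as f:
            f.write(MAIN_C)
        p = lambda name: os.path.join(d, name)
        res = {}
        # 1. non-PIC object -> shared object: the linker refuses ("recompile with -fPIC")
        res["nopic_to_so"] = (_cc("-fno-pie", "-c", "-o", p("lib_nopic.o"), lib)
                              and _cc("-shared", "-o", p("lib_nopic.so"), p("lib_nopic.o")))
        # 2. -fPIC object -> shared object: this is how every .so is built
        res["pic_to_so"] = (_cc("-fPIC", "-c", "-o", p("lib_pic.o"), lib)
                            and _cc("-shared", "-o", p("lib_pic.so"), p("lib_pic.o")))
        # 3. -fPIE objects + -pie at link time: the executable itself is ET_DYN, so ASLR can move it
        if (_cc("-fPIE", "-c", "-o", p("main_pie.o"), main)
                and _cc("-pie", "-o", p("main_pie"), p("main_pie.o"))):
            res["pie_e_type"] = elf_e_type(p("main_pie"))
        # 4. -fno-pie objects + -no-pie: the classic fixed-address ET_EXEC
        if (_cc("-fno-pie", "-c", "-o", p("main_exec.o"), main)
                and _cc("-no-pie", "-o", p("main_exec"), p("main_exec.o"))):
            res["exec_e_type"] = elf_e_type(p("main_exec"))
        return res
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    print(build_cases())
```

On a working toolchain case 1 fails and case 2 succeeds, while cases 3 and 4 yield e_type 3 (ET_DYN) and 2 (ET_EXEC) respectively. Shared objects and PIE executables share the ET_DYN type, which is why the same PIC objects can feed both, and why a `-pie` link flag applied to the shared-library link step, as Postfix's single AUXLIBS variable does, is the wrong place for it.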
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 03:31:03PM +1300, Peter wrote:

> Well for now, then I'll just have to remove -pie, but if I can get that
> in as a feature request to make -pie work with shared=yes, then I would
> really appreciate it. Not sure if it should be considered a blocker for
> 3.0.0 or not, though, maybe it could be considered a bugfix to go into
> 3.0.1?

We've never supported "pie", so if shared libraries don't work with
"pie" that's not a bug. Perhaps "pie" support could be considered
for 3.1.

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 03:39 PM, Viktor Dukhovni wrote:
> We've never supported "pie", so if shared libraries don't work with
> "pie" that's not a bug. Perhaps "pie" support could be considered
> for 3.1.

Ok, I'm fine with that.

Peter
Re: Postfix authentication with login username instead of sasl_passwd username
> On Feb 3, 2015, at 6:13 PM, Viktor Dukhovni wrote:
>
> On Tue, Feb 03, 2015 at 05:54:00PM -0800, Jim McCorison wrote:
>
>> I am trying to get a new installation of postfix up and running. The
>> specifics are:
>> Raspbian Wheezy
>> Postfix 2.9.6
>> All updates are current
>>
>> I have configured it using sasl to connect to an SMTP server via port 587. I
>> have configured the SMTP server and its associated username:password in the
>> sasl_passwd file and run postmap against. If I run:
>>
>> postmap -q [servername]:587 /etc/postfix/sasl_passwd
>>
>> It gives me the correct username:password. However when I attempt to send
>> mail Postfix attempts to authenticate using the login name of the user
>> sending the mail instead of the username specified in sasl_passwd.
>>
>> Any thoughts?
>
> 1. http://www.postfix.org/DEBUG_README.html#mail

I have started to work through the debug recommendations above. The easy stuff that they start with doesn't resolve the issue. I'll work through the debug and tracing process and see what I come up with.

> 2. You're mistaken.

Feb 3 18:34:06 raspbx postfix/smtp[2912]: E7E6B20A9D: to=, relay=[nnn.nnn.nnn.nnn]:587, delay=1.3, delays=0.05/0.12/0.89/0.22, dsn=5.0.0, status=bounced (host [nnn.nnn.nnn.nnn] said: 550-Verification failed for 550-The mail server could not deliver mail to r...@raspbx.sendinghost.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries. 550 Sender verify failed (in reply to RCPT TO command))

If I read it correctly, postfix is attempting to authenticate with which is not the username specified in the sasl_passwd file. If I login with a user name other than root, which is also not the authenticating username, that login name shows instead of root. I'm not worried about the failure to send the bounce email back to me as I'm only trying to deal with outbound at the moment.

> 3. You've also configured, but failed to mention:
>
>     smtp_sender_dependent_authentication = yes
>
>     http://www.postfix.org/SASL_README.html#client_sasl_sender

Nope, not using sender dependent authentication

Thanks for the pointers and your thoughts.

Cheers,
Jim
---
Jim McCorison
Orcas Island, WA
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 03:40:51PM +1300, Peter wrote: > On 02/04/2015 03:39 PM, Viktor Dukhovni wrote: > > We've never supported "pie", so if shared libraries don't work with > > "pie" that's not a bug. Perhaps "pie" support could be considered > > for 3.1. > > Ok, I'm fine with that. The low-level details are easy, the hard part is the interface glue. How should users be able to specify such flags, updating the INSTALL documentation, ... For a preview of a brute-force hack that makes it work, apply the patch below: diff --git a/makedefs b/makedefs index f7be08c..c8b7d74 100644 --- a/makedefs +++ b/makedefs @@ -1090,7 +1090,7 @@ SYSTYPE = $SYSTYPE _AR= $_AR ARFL = $ARFL _RANLIB= $_RANLIB -SYSLIBS= $AUXLIBS $SYSLIBS $PLUGIN_AUXLIBS +SYSLIBS= -pie $AUXLIBS $SYSLIBS $PLUGIN_AUXLIBS CC = $CC $CCARGS \$(WARN) OPT= $OPT DEBUG = $DEBUG and configure Postfix with: make -f Makefile.init CCARGS="-fPIC ..." AUXLIBS="..." The "SYSLIBS" flags only get used for linked executable programs, not shared libraries, but now every object file must be PIC, hence the extra CCARGS flag. This is not a user interface, just a proof of concept. To support this properly we'd need to automatically enable -fPIC for all objects when PIE is requested for executables. Note, good luck debugging those (even getting a stack trace) if you ever run into trouble. I've yet to see a gdb that understands PIE executables, perhaps I have not yet been using a sufficiently bleeding-edge toolchain. -- Viktor.
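Review bot: the changed SYSLIBS line adds -pie unconditionally, so every platform and toolchain that runs makedefs now links every Postfix executable as PIE, and a build whose objects were not compiled with -fPIC or -fPIE (CCARGS is still supplied separately by the user, as the "configure Postfix with" line shows) will fail at link time with a relocation error of the kind Peter reported earlier in the thread. Suggest a separate variable, for instance `PIE_LDFLAGS` (hypothetical name), emitted as `SYSLIBS = $PIE_LDFLAGS $AUXLIBS $SYSLIBS $PLUGIN_AUXLIBS`, that defaults to empty and is set only when PIE is requested, with the same request adding -fPIC to CCARGS so that object and link flags cannot disagree; that variable is also where the "automatically enable -fPIC" behaviour the message asks for would hook in, and a one-line comment in makedefs should say that it applies to executables only and never to the shared libraries.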
Re: Postfix authentication with login username instead of sasl_passwd username
On Tue, Feb 03, 2015 at 07:00:58PM -0800, Jim McCorison wrote:

> >2. You're mistaken.
>
> Feb 3 18:34:06 raspbx postfix/smtp[2912]: E7E6B20A9D:
> to=, relay=[nnn.nnn.nnn.nnn]:587, delay=1.3,
> delays=0.05/0.12/0.89/0.22, dsn=5.0.0, status=bounced (host
> [nnn.nnn.nnn.nnn] said: 550-Verification failed for
> 550-The mail server could not deliver mail to
> r...@raspbx.sendinghost.com. The account or domain may not exist, they may
> be blacklisted, or missing the proper dns entries. 550 Sender verify failed
> (in reply to RCPT TO command))
>
> If I read it correctly, postfix is attempting to authenticate with
> which is not the username specified in the
> sasl_passwd file. If I login with a user name other than root, which is
> also not the authenticating username, that login name shows instead of
> root. I'm not worried about the failure to send the bounce email back to
> me as I'm only trying to deal with outbound at the moment.

Yep, you're mistaken. This has nothing to do with SASL. What is
failing is sender address verification (SAV).

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

--
Viktor.
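Viktor's diagnosis rests on one detail of the log line: the remote server's 550 came "in reply to RCPT TO command", i.e. after authentication was already over, so the envelope sender was rejected by the remote's sender verification, not the credentials. The following is an added example, not code from the thread or from Postfix: it parses Postfix smtp client log lines of that shape, extracts the rejected SMTP command and enhanced status code, and labels the failure accordingly. The two log lines are constructed for the example (documentation-range IP, placeholder addresses) and are not the poster's real logs.

```python
import re

# Added example (not from the thread or Postfix): tell a remote sender-verification
# reject apart from a SASL failure by reading which SMTP command the 5xx answered.

# Constructed sample log lines in the Postfix smtp(8) client format; not real traffic.
SAMPLE_LOG = [
    "Feb  3 18:34:06 raspbx postfix/smtp[2912]: E7E6B20A9D: to=<user@example.net>, "
    "relay=[192.0.2.10]:587, delay=1.3, delays=0.05/0.12/0.89/0.22, dsn=5.0.0, "
    "status=bounced (host [192.0.2.10] said: 550-Verification failed for <root@raspbx.example> "
    "550-The mail server could not deliver mail to root@raspbx.example. "
    "550 Sender verify failed (in reply to RCPT TO command))",
    "Feb  3 18:40:11 raspbx postfix/smtp[2950]: 1A2B3C4D5E: to=<user@example.net>, "
    "relay=[192.0.2.10]:587, delay=0.9, delays=0.05/0.1/0.6/0.2, dsn=4.7.0, "
    "status=deferred (SASL authentication failed; server [192.0.2.10] said: "
    "535 5.7.8 Authentication credentials invalid)",
]

LOG_RE = re.compile(
    r'postfix/smtp\[\d+\]: (?P<queue_id>[0-9A-F]+): to=<?(?P<to>[^>,]*)>?, '
    r'relay=(?P<relay>\S+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), '
    r'status=(?P<status>\w+) \((?P<reason>.*)\)\s*$'
)
# Postfix appends "(in reply to <COMMAND> command)" when a remote reply caused the failure.
REPLY_TO_RE = re.compile(r'\(in reply to (?P<cmd>[A-Z ]+?) command\)')


def parse_smtp_log(line):
    """Return the fields of one smtp(8) delivery log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    r = REPLY_TO_RE.search(rec['reason'])
    rec['rejected_command'] = r.group('cmd') if r else None
    return rec


def classify(rec):
    """Name the failure stage: the command the remote rejected is the decisive clue."""
    cmd = rec['rejected_command']
    reason = rec['reason']
    if cmd == 'RCPT TO' and 'sender verify' in reason.lower():
        return 'remote sender address verification rejected the envelope sender'
    if cmd == 'AUTH' or 'SASL authentication failed' in reason:
        return 'SASL authentication to the relay failed'
    if cmd == 'RCPT TO':
        return 'remote rejected the recipient'
    return 'other delivery failure'


def summarize(lines):
    """Map queue id -> (dsn, classification) for every recognised delivery line."""
    out = {}
    for line in lines:
        rec = parse_smtp_log(line)
        if rec is not None:
            out[rec['queue_id']] = (rec['dsn'], classify(rec))
    return out


if __name__ == "__main__":
    for qid, (dsn, what) in summarize(SAMPLE_LOG).items():
        print(qid, dsn, what)
```

The first sample line classifies as a sender-verification reject (dsn 5.0.0, answered to RCPT TO), the second as a SASL failure; a real SASL problem never carries an "in reply to RCPT TO command" suffix, because the session fails before any RCPT TO is sent.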
SDBM_README missing
I can't find SDBM_README in the 3.0.0-RC1 files. Peter
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 04:07 PM, Viktor Dukhovni wrote: > The low-level details are easy, the hard part is the interface > glue. How should users be able to specify such flags, updating > the INSTALL documentation, ... > > For a preview of a brute-force hack that makes it work, apply > the patch below: > > diff --git a/makedefs b/makedefs > index f7be08c..c8b7d74 100644 > --- a/makedefs > +++ b/makedefs > @@ -1090,7 +1090,7 @@ SYSTYPE = $SYSTYPE > _AR = $_AR > ARFL = $ARFL > _RANLIB = $_RANLIB > -SYSLIBS = $AUXLIBS $SYSLIBS $PLUGIN_AUXLIBS > +SYSLIBS = -pie $AUXLIBS $SYSLIBS $PLUGIN_AUXLIBS > CC = $CC $CCARGS \$(WARN) > OPT = $OPT > DEBUG= $DEBUG > > and configure Postfix with: > > make -f Makefile.init CCARGS="-fPIC ..." AUXLIBS="..." Thanks, I'll stick that patch in the build and see how it works. > This is not a user interface, just a proof of concept. To support > this properly we'd need to automatically enable -fPIC for all > objects when PIE is requested for executables. > > Note, good luck debugging those (even getting a stack trace) if > you ever run into trouble. I've yet to see a gdb that understands > PIE executables, perhaps I have not yet been using a sufficiently > bleeding-edge toolchain. This is more along the lines of, I'm building 3rd-party postfix packages for CentOS, the current stable postfix packages (sourced from Fedora) have -pie enabled and so I'd like to keep it enabled if at all possible. Peter
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 05:00:40PM +1300, Peter wrote:

> This is more along the lines of, I'm building 3rd-party postfix packages
> for CentOS, the current stable postfix packages (sourced from Fedora)
> have -pie enabled and so I'd like to keep it enabled if at all possible.

Yes, but they did not use shared libraries. The compatible thing
to do would be a statically linked build. Once you're changing
the build, you may as well drop PIE support for now.

However, if my quick hack works, let us know, at least we'll know
what needs to be done to support this at some point later.

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 05:36 PM, Viktor Dukhovni wrote:
> Yes, but they did not use shared libraries. The compatible thing
> to do would be a statically linked build. Once you're changing
> the build, you may as well drop PIE support for now.

Right, I would not have pursued pie support much further, but if your quick hack works I may as well include the patch until a better solution is offered. It's plenty easy enough to just drop the patch into the src.rpm.

> However, if my quick hack works, let us know, at least we'll know
> what needs to be done to support this at some point later.

Yep, I'll let you know, hopefully soon.

Peter
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 05:36 PM, Viktor Dukhovni wrote:
> However, if my quick hack works, let us know, at least we'll know
> what needs to be done to support this at some point later.

It works, hardening check shows all the executables to be position independent.

Peter
Re: Problems building 3.0 with dynamic module support
On Wed, Feb 04, 2015 at 06:12:07PM +1300, Peter wrote:

> On 02/04/2015 05:36 PM, Viktor Dukhovni wrote:
> > However, if my quick hack works, let us know, at least we'll know
> > what needs to be done to support this at some point later.
>
> It works, hardening check shows all the executables to be position
> independent.

And they still work I hope, ... If you can, please also check that
dynamic maps still load.

--
Viktor.
Re: Problems building 3.0 with dynamic module support
On 02/04/2015 06:15 PM, Viktor Dukhovni wrote:
> And they still work I hope, ... If you can, please also check that
> dynamic maps still load.

I would hope so but I haven't actually run them yet. I will be pushing them out to my testing repo soon and get some people to test.

Peter