SSL Renegotiation Attack "Disabling reneotiation"

2015-08-18 Thread Abid Hussain
Dear All,

I am using postfix 2.6 and currently cannot upgrade it. kindly advise how
renegotiation can be disabled completely.  Probably a command in
configuration file.


regards,
Abid



--
View this message in context: 
http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-Disabling-reneotiation-tp78708.html
Sent from the Postfix Users mailing list archive at Nabble.com.


FW: SSL Renegotiation Attack "Disabling reneotiation"

2015-08-18 Thread L . P . H . van Belle
Hai, 

As far as I know, no.

Unless you are forcing all clients to use SSLv2 only (since that doesn't 
support renegotiation). 
Are you sure you want to disable it and not just prevent old clients from 
using the vulnerable renegotiation methods? If it's the last
you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds. 

you have 2 problems. 
- One is the vulnerable methods 
- the other is renegotiation is considered a denial of service vulnerability.. 


You really don't have any option to upgrade.. 
What's the OS you're running? 

Greetz, 
Louis


>-Original message-
>From: abid.hussai...@gmail.com 
>[mailto:owner-postfix-us...@postfix.org] On behalf of Abid Hussain
>Sent: Tuesday 18 August 2015 10:29
>To: postfix-users@postfix.org
>Subject: SSL Renegotiation Attack "Disabling reneotiation"
>
>Dear All,
>
>I am using postfix 2.6 and currently cannot upgrade it. kindly 
>advise how
>renegotiation can be disabled completely.  Probably a command in
>configuration file.
>
>
>regards,
>Abid
>
>
>
>--
>View this message in context: 
>http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-D
>isabling-reneotiation-tp78708.html
>Sent from the Postfix Users mailing list archive at Nabble.com.
>
>



RE: FW: SSL Renegotiation Attack "Disabling reneotiation"

2015-08-18 Thread L . P . H . van Belle
I don't know if it's an option, but I suggest having a look here : 
 
multiple packages for postfix on centos 6
http://pkgs.org/search/postfix?type=name
or 
https://solusipse.net/blog/posts/compiling-postfix-with-postgresql-support-on-centos-7/
 
Not for the postgresql, but just for the upgrade of postfix. 
 
 
Greetz, 
 
Louis
 
 

From: Abid Hussain [mailto:abid.hussai...@gmail.com] 
Sent: Tuesday 18 August 2015 10:43
To: L.P.H. van Belle
Subject: Re: FW: SSL Renegotiation Attack "Disabling reneotiation"



Thanks for prompt reply


I am using CentOS 6.5. Yes, I do not have an option to upgrade it :(. I want to 
stop it for the DoS attack as my testing team has 
reported it. Falling back to SSLv2 adds many other vulnerabilities :(



Thanks and Regards,

Abid


On Tue, Aug 18, 2015 at 1:36 PM, L.P.H. van Belle  wrote:
Hai,

As far as I know, no.

Unless you are forcing all clients to use SSLv2 only (since that doesn't 
support renegotiation).
Are you sure you want to disable it and not just prevent old clients from
using the vulnerable renegotiation methods? If it's the last
you'll need to upgrade to 2.8+ to get access to tls_disable_workarounds.

you have 2 problems.
- One is the vulnerable methods
- the other is renegotiation is considered a denial of service vulnerability..


You really don't have any option to upgrade..
What's the OS you're running?

Greetz,
Louis


>-Original message-
>From: abid.hussai...@gmail.com
>[mailto:owner-  ] On behalf of Abid Hussain
>Sent: Tuesday 18 August 2015 10:29
>To: postfix-users@postfix.org
>Subject: SSL Renegotiation Attack "Disabling reneotiation"
>
>Dear All,
>
>I am using postfix 2.6 and currently cannot upgrade it. kindly
>advise how
>renegotiation can be disabled completely.  Probably a command in
>configuration file.
>
>
>regards,
>Abid
>
>
>
>--
>View this message in context:
>http://postfix.1071664.n5.nabble.com/SSL-Renegotiation-Attack-D
>isabling-reneotiation-tp78708.html
>Sent from the Postfix Users mailing list archive at Nabble.com.
>
>

Folder permissions problem, /var/spool/postfix/private

2015-08-18 Thread Robert Senger
Hi all,

I just upgraded a server from Debian Wheezy to Jessie, and moved the
system partition to a new, bigger harddisk. Now I am having trouble with
the permissions of the /var/spool/postfix/private folder.

As far as I can see all folder permissions throughout the whole system
are the same as before on the old harddisk, including postfix's private
directory.

Despite this fact, all milter services that create/use sockets within
the /var/spool/postfix/private folder (OpenDKIM, OpenDMARC, postgrey,
SPF) refuse to start, complaining they cannot create/write their socket
in the private folder.

I already checked all the folder permissions, ran "postfix
set-permissions" and "postfix check", without success.

To get the milters working, I need to set the private folders's
permissions to 777, which is certainly not what we want for a private
folder...

Running "postfix set-permissions" resets the permissions to 700, but
then the milters fail.

Any idea what can be wrong here? Thanks!

Cheers,

Robert


-- 
Robert Senger




Re: Folder permissions problem, /var/spool/postfix/private

2015-08-18 Thread Wietse Venema
Robert Senger:
> Hi all,
> 
> I just upgraded a server from Debian Wheezy to Jessie, and moved the
> system partition to a new, bigger harddisk. Now I am having trouble with
> the permissions of the /var/spool/postfix/private folder.

To fix Postfix file permissions:

# postfix set-permissions

If that does not fix the problem, then ask your maintainer.

Milters have no reason to access the Postfix private directory. Use
UNIX-domain sockets instead.

Wietse


RE: Folder permissions problem, /var/spool/postfix/private

2015-08-18 Thread L . P . H . van Belle
for the policy-spf, check this one. 
https://bananasfk.wordpress.com/2015/06/05/policyd-spf-in-debian-8-fix/ 

Greetz, 

Louis
 

>-Original message-
>From: robert.sen...@lists.microscopium.de 
>[mailto:owner-postfix-us...@postfix.org] On behalf of Robert Senger
>Sent: Tuesday 18 August 2015 13:42
>To: postfix-users@postfix.org
>Subject: Folder permissions problem, /var/spool/postfix/private
>
>Hi all,
>
>I just upgraded a server from Debian Wheezy to Jessie, and moved the
>system partition to a new, bigger harddisk. Now I am having 
>trouble with
>the permissions of the /var/spool/postfix/private folder.
>
>As far as I can see all folder permissions throughout the whole system
>are the same as before on the old harddisk, including postfix's private
>directory.
>
>Despite this fact, all milter services that create/use sockets within
>the /var/spool/postfix/private folder (OpenDKIM, OpenDMARC, postgrey,
>SPF) refuse to start, complaining they cannot create/write their socket
>in the private folder.
>
>I already checked all the folder permissions, ran "postfix
>set-permissions" and "postfix check", without success.
>
>To get the milters working, I need to set the private folders's
>permissions to 777, which is certainly not what we want for a private
>folder...
>
>Running "postfix set-permissions" resets the permissions to 700, but
>then the milters fail.
>
>Any idea what can be wrong here? Thanks!
>
>Cheers,
>
>Robert
>
>
>-- 
>Robert Senger
>
>
>



Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Tom Browder
On Sun, Aug 16, 2015 at 3:36 PM, @lbutlr  wrote:
> On 16 Aug 2015, at 10:44 , Tom Browder  wrote:
>> Okay, then I guess I should pick one of the virtual hosts as the domain name 
>> and add some arbitrary host  then. Does that mean it is then a "real" server 
>> and should not be treated as a virtual domain?
>
> You need a reasonable helo name and you need an rDNS that matches.

Okay, let me be more specific:

On a single Apache/Postfix/MM2 server I have domains A.tld ... Z.tld,
each of which I want to have mail delivered to/from.  I will choose
B.tld as the non-virtual server (with FQHN mail.B.tld).  I have a
single IP address, say, 9.9.9.9, to which all domains are mapped.

So how should the DNS records look?   Can anyone give me the exact
settings for the A, CNAME, MX, and PTR records for A.tld and B.tld
(and any other suggested records)?

Many thanks.

Best,

-Tom


Re: Folder permissions problem, /var/spool/postfix/private

2015-08-18 Thread Wietse Venema
Wietse Venema:
> Robert Senger:
> > Hi all,
> > 
> > I just upgraded a server from Debian Wheezy to Jessie, and moved the
> > system partition to a new, bigger harddisk. Now I am having trouble with
> > the permissions of the /var/spool/postfix/private folder.
> 
> To fix Postfix file permissions:
> 
> # postfix set-permissions
> 
> If that does not fix the problem, then ask your maintainer.
> 
> Milters have no reason to access the Postfix private directory. Use
> UNIX-domain sockets instead.

The following breaks Postfix security:

- Changing user/group/other ownership/permissions of Postfix files
  or directories

- Running non-Postfix programs with the numeric UID of the "postfix"
  user (or other "security token" with the same effect).

Such usage is explicitly not supported, and that will not change.

Wietse


Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Koko Wijatmoko
On Tue, 18 Aug 2015 07:55:00 -0500
Tom Browder  wrote:

> So how should the DNS records look?   Can anyone give me the exact
> settings for the A, CNAME, MX, and PTR records for A.tld and B.tld
> (and any other suggested records)?
> 
this is not the best question on this list.
google will guide you how to do it..


Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Ron Wheeler

This is pretty common.
The DNS does not matter all that much as long as people can find the MX 
server for each domain.
The MX record has to point to an A or CNAME that maps to the actual 
machine where your main service (Postfix) runs.
The A or CNAME can be in a different domain as long as that is 
resolvable to an IP somehow.
Every Domain can have its MX point to smtp.B.tld as long as smtp.B.tld 
resolves to something in the B domain's DNS.
This is probably easiest since you can move all SMTP traffic with a 
single change in the DNS for B.tld.


In the end the foreign SMTP server has to be able to reach someone who 
will take the mail off its hands and the DNS serves that purpose.
Once the mail is transferred to the "right" IP address, the sender 
doesn't care how you organize your domains internally.


Ron

On 18/08/2015 8:55 AM, Tom Browder wrote:
> On Sun, Aug 16, 2015 at 3:36 PM, @lbutlr  wrote:
>> On 16 Aug 2015, at 10:44 , Tom Browder  wrote:
>>> Okay, then I guess I should pick one of the virtual hosts as the domain name and add some 
>>> arbitrary host  then. Does that mean it is then a "real" server and should not 
>>> be treated as a virtual domain?
>> You need a reasonable helo name and you need an rDNS that matches.
> Okay, let me be more specific:
>
> On a single Apache/Postfix/MM2 server I have domains A.tld ... Z.tld,
> each of which I want to have mail delivered to/from.  I will choose
> B.tld as the non-virtual server (with FQHN mail.B.tld).  I have a
> single IP address, say, 9.9.9.9, to which all domains are mapped.
>
> So how should the DNS records look?   Can anyone give me the exact
> settings for the A, CNAME, MX, and PTR records for A.tld and B.tld
> (and any other suggested records)?
>
> Many thanks.
>
> Best,
>
> -Tom




--
Ron Wheeler
President
Artifact Software Inc
email: rwhee...@artifact-software.com
skype: ronaldmwheeler
phone: 866-970-2435, ext 102



Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Michael Ströder
Ron Wheeler wrote:
> The MX record has to point to an A or CNAME that maps to the actual machine
> where your main service (Postfix) runs.

IIRC the MX should not point to a CNAME as target host to make proper loop
detection work. Or am I wrong?

See https://tools.ietf.org/html/rfc5321#section-5.1:

5.1.  Locating the Target Host
   [..]
   When a domain name associated with an MX RR is looked up and the
   associated data field obtained, the data field of that response MUST
   contain a domain name.  That domain name, when queried, MUST return
   at least one address record (e.g., A or  RR) that gives the IP
   address of the SMTP server to which the message should be directed.
   Any other response, specifically including a value that will return a
   CNAME record when queried, lies outside the scope of this Standard.
   The prohibition on labels in the data that resolve to CNAMEs is
   discussed in more detail in RFC 2181, Section 10.3 [38].

This references https://tools.ietf.org/html/rfc2181#section-10.3

10.3. MX and NS records

   The domain name used as the value of a NS resource record, or part of
   the value of a MX resource record must not be an alias.  Not only is
   the specification clear on this point, but using an alias in either
   of these positions neither works as well as might be hoped, nor well
   fulfills the ambition that may have led to this approach.
   [..]

Ciao, Michael.





Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Stephen Satchell

On 08/18/2015 06:49 AM, Koko Wijatmoko wrote:
> On Tue, 18 Aug 2015 07:55:00 -0500
> Tom Browder  wrote:
>
>> So how should the DNS records look?   Can anyone give me the exact
>> settings for the A, CNAME, MX, and PTR records for A.tld and B.tld
>> (and any other suggested records)?
>
> this is not the best question on this list.
> google will guide you how to do it..



Specifically, check the news.admin.net-abuse.email archives for the 
"best practice" as it has evolved over the years.  I don't remember if 
the best practice has made it into an RFC, but a search for "best 
practice email rfc" should turn up something.




RE: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread L . P . H . van Belle
Hai, 

... it's all about correct DNS settings, so don't say that does not matter.. 

Best is you read : 
rfc2821 section-3.6 and 4.1.1.1 (and 10.3, thank you Michael, good read, I 
forgot that one..) 
rfc5321 section 2.3.5 

in short.. 
make sure your hostname has an A or  record and PTR record. 
make sure your MX points to a correct hostname. 
make sure your mail server ehlo (smtpd_banner) is set to a resolvable 
hostname. 
requirements for ehlo: a DNS RR of type A is required, and there is no 
requirement 
for the A record to match the client connecting IP address (as per RFC 1123 
Section 5.2.5). 

when a connecting host uses the EHLO command to identify itself and 
where the hostname contains characters that are not one of the following:
"a-z", "A-Z", "0-9", "." and "-" 
Further the hostname should start with a letter of the alphabet. 



Greetz, 

Louis


>-Original message-
>From: rwhee...@artifact-software.com 
>[mailto:owner-postfix-us...@postfix.org] On behalf of Ron Wheeler
>Sent: Tuesday 18 August 2015 16:14
>To: postfix-users@postfix.org
>Subject: Re: Postfix and Mailman 2 virtual alias domain integration
>
>This is pretty common.
>The DNS does not matter all that much as long as people can 
>find the MX 
>server for each domain.
>The MX record has to point to an A or CNAME that maps to the actual 
>machine where your main service (Postfix) runs.
>The A or CNAME can be in a different domain as long as that is 
>resolvable to an IP somehow.
>Every Domain can have its MX point to smtp.B.tld as long as smtp.B.tld 
>resolves to something in the B domain's DNS.
>This is probably easiest since you can move all SMTP traffic with a 
>single change in the DNS for B.tld.
>
>In the end the foreign SMTP server has to be able to reach someone who 
>will take the mail off its hands and the DNS serves that purpose.
>Once the mail is transferred to the "right" IP address, the sender 
>doesn't care how you organize your domains internally.
>
>Ron
>
>On 18/08/2015 8:55 AM, Tom Browder wrote:
>> On Sun, Aug 16, 2015 at 3:36 PM, @lbutlr  wrote:
>>> On 16 Aug 2015, at 10:44 , Tom Browder 
> wrote:
 Okay, then I guess I should pick one of the virtual hosts 
>as the domain name and add some arbitrary host  then. Does 
>that mean it is then a "real" server and should not be treated 
>as a virtual domain?
>>> You need a reasonable helo name and you need an rDNS that matches.
>> Okay, let me be more specific:
>>
>> On a single Apache/Postfix/MM2 server I have domains A.tld ... Z.tld,
>> each of which I want to have mail delivered to/from.  I will choose
>> B.tld as the non-virtual server (with FQHN mail.B.tld).  I have a
>> single IP address, say, 9.9.9.9, to which all domains are mapped.
>>
>> So how should the DNS records look?   Can anyone give me the exact
>> settings for the A, CNAME, MX, and PTR records for A.tld and B.tld
>> (and any other suggested records)?
>>
>> Many thanks.
>>
>> Best,
>>
>> -Tom
>>
>
>
>-- 
>Ron Wheeler
>President
>Artifact Software Inc
>email: rwhee...@artifact-software.com
>skype: ronaldmwheeler
>phone: 866-970-2435, ext 102
>
>



pcre matching

2015-08-18 Thread Alex
Hi,
I'm trying to match a pattern in a header_checks pcre file and can't
figure out why it's not matching. In /etc/postfix/header_checks.pcre,
I have:

/^From:.*exampleuser@gmail\.com$/ REJECT

# postmap -q 'exampleuser' pcre:/etc/postfix/header_checks.pcre
#

postconf -m shows pcre among the available types.

I'd really appreciate some direction on what I'm doing wrong. Is it
the pattern? I'm not very experienced with regexes.

Thanks,
Alex


Re: pcre matching

2015-08-18 Thread nicolas

On 2015-08-18 16:15, Alex wrote:

> Hi,
> I'm trying to match a pattern in a header_checks pcre file and can't
> figure out why it's not matching. In /etc/postfix/header_checks.pcre,
> I have:
>
> /^From:.*exampleuser@gmail\.com$/ REJECT
>
> # postmap -q 'exampleuser' pcre:/etc/postfix/header_checks.pcre
> #
>
> postconf -m shows pcre among the available types.
>
> I'd really appreciate some direction on what I'm doing wrong. Is it
> the pattern? I'm not very experienced with regexes.
>
> Thanks,
> Alex


I assume that you have configured the following in your main.cf file:

header_checks = pcre:/etc/postfix/header_checks.pcre

You should provide the real example of headers to help you better. 
Still, looking at the examples on pcre_table(5) [1], this should work:


/^From: exampleuser@gmail\.com/   REJECT

Regards,

Nicolás

[1] http://www.postfix.org/pcre_table.5.html



Re: pcre matching

2015-08-18 Thread Nicolás

On 18/08/15 at 16:15, Alex wrote:

> Hi,
> I'm trying to match a pattern in a header_checks pcre file and can't
> figure out why it's not matching. In /etc/postfix/header_checks.pcre,
> I have:
>
> /^From:.*exampleuser@gmail\.com$/ REJECT
>
> # postmap -q 'exampleuser' pcre:/etc/postfix/header_checks.pcre
> #
>
> postconf -m shows pcre among the available types.
>
> I'd really appreciate some direction on what I'm doing wrong. Is it
> the pattern? I'm not very experienced with regexes.
>
> Thanks,
> Alex


If you plan blocking incoming e-mails based on the "From" header, 
probably check_sender_access is more suitable in this case:


main.cf:
smtpd_sender_restrictions =
    ...
    check_sender_access hash:/etc/postfix/bad_senders
    ...

/etc/postfix/bad_senders:
exampleu...@gmail.com    REJECT

(don't forget the postmap bad_senders command)

Check http://www.postfix.org/SMTPD_ACCESS_README.html, especially 
http://www.postfix.org/SMTPD_ACCESS_README.html#danger


Regards,

Nicolás


Re: pcre matching

2015-08-18 Thread Wolfgang Zeikat
- On 18 Aug, 2015, at 17:15, Alex mysqlstud...@gmail.com wrote:
> I'm trying to match a pattern in a header_checks pcre file and can't
> figure out why it's not matching. In /etc/postfix/header_checks.pcre,
> I have:
> 
> /^From:.*exampleuser@gmail\.com$/ REJECT

That regular expression matches text that starts with 'From:'

exampleuser does not start with 'From:' and does not contain "@gmail.com" or 
even end with that text, so why should the postmap command show a match?

Hope this helps.

Regards,

wolfgang
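Wolfgang's explanation above is the whole story: `header_checks` hands the pcre table a complete header line, so the key Alex gave `postmap -q` ('exampleuser') can never match a pattern anchored on `^From:`. The following is an added example, written for this thread and not code from the original posts or from Postfix itself; it models a small subset of pcre_table(5) lookups in Python so the difference between Alex's query, a real header line, and the rule Nicolás suggested can be seen offline. The table parser handles only `/pattern/[flags] ACTION` rules and `#` comments, with pcre_table(5)'s default of case-insensitive matching (the `i` flag toggles it off) and first-match-wins; negated rules, IF/ENDIF and `$1` substitution are out of scope. The header lines and the third "relaxed" rule are constructed for the comparison.

```python
"""Added example (not from the thread, not Postfix's own code): a small model
of how Postfix consults a pcre: table, showing why
`postmap -q 'exampleuser'` prints nothing while the same rule fires on a
complete From: header line, which is what header_checks actually feeds it.

Assumptions: only the pcre_table(5) subset seen in the thread is modelled:
one `/pattern/[flags] ACTION` rule per line, `#` comments, case-insensitive
matching unless the `i` flag toggles it off, first matching rule wins."""
import re

# /pattern/flags ACTION  (a backslash-escaped "/" inside the pattern is allowed)
RULE_RE = re.compile(r"^/((?:\\.|[^/])*)/([A-Za-z]*)\s+(.+)$")


def parse_pcre_table(text):
    """Turn table text into a list of (compiled_regex, action)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse rule: {raw!r}")
        pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default; 'i' toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules


def lookup(rules, key):
    """Model of `postmap -q KEY pcre:TABLE`: the action of the first matching
    rule, or None when nothing matches (postmap then prints nothing)."""
    for regex, action in rules:
        if regex.search(key):
            return action
    return None


# Constructed table contents: Alex's rule, the rule Nicolás suggested, and an
# unanchored variant (no trailing $) added here for comparison.
ALEX_RULE = r"/^From:.*exampleuser@gmail\.com$/ REJECT"
NICOLAS_RULE = r"/^From: exampleuser@gmail\.com/   REJECT"
RELAXED_RULE = r"/^From:.*exampleuser@gmail\.com/ REJECT"

# Constructed header lines a message might carry.
PLAIN = "From: exampleuser@gmail.com"
DISPLAY_NAME = "From: Example User <exampleuser@gmail.com>"
MIXED_CASE = "from: ExampleUser@Gmail.COM"


def compare():
    """Run each key against each rule; returns {rule_name: {key_name: action}}."""
    tables = {"alex": ALEX_RULE, "nicolas": NICOLAS_RULE, "relaxed": RELAXED_RULE}
    keys = {
        "bare_localpart": "exampleuser",   # what Alex queried: no "From:" at all
        "plain": PLAIN,                    # what header_checks really passes
        "display_name": DISPLAY_NAME,      # the $ anchor stops at the closing ">"
        "mixed_case": MIXED_CASE,          # case-insensitive by default
    }
    return {name: {k: lookup(parse_pcre_table(rule), v) for k, v in keys.items()}
            for name, rule in tables.items()}


if __name__ == "__main__":
    for rule, hits in compare().items():
        print(rule, hits)
```

Two things the run makes visible: the bare key matches no rule, exactly as Alex saw, and Alex's `$` anchor also misses the common `Name <address>` form because a `>` follows the address; the unanchored variant catches both forms. The `postmap -q` check that corresponds to the "plain" row is `postmap -q 'From: exampleuser@gmail.com' pcre:/etc/postfix/header_checks.pcre`.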


Re: pcre matching

2015-08-18 Thread nicolas

On 2015-08-18 17:33, Alex wrote:

> Hi,
>
> If that is the preferred method, what is the real purpose of
> header_checks? Solely for Subject and To?



Even more useful than checking the Subject, I use header_checks to check 
some properties on attachments. In fact, I've picked Wietse's example on 
the header_checks (5) man page [1] and tuned it to my needs. This allows 
one to reject mails based on attachment patterns.


By the way, for the 'To' header, there's an analogous 
smtpd_recipient_restrictions which works with the check_recipient_access 
restriction.


Regards,

Nicolás

[1] http://www.postfix.org/header_checks.5.html


program to read all email-adresses from ms-exchange and novell-groupwise

2015-08-18 Thread Oliver Meißner
Hello,

I just want to inform you about a program that is able to read all
email-adresses from MS-Exchange or Novell Groupwise and creates 
Postfix lookup tables with those results.
(it uses the LDAP protocol, so it's easy to implement other ldap-based
backends)

It creates following mapfiles:
 relay_recipients_maps
 relay_domains
 transport map

I use it since a couple of years on some Postfix gateways via cron.

here's the link:
http://oss.comlab-computer.de/gitweb/?p=ldapmapper.git;a=summary

let me know if you think it's useful...

Oliver Meissner 

-- 
GnuPG-Fingerprint:
  31F8 1667 712C ED9E EDDC 42D2 EC82 8304 92E2 7B15
  http://www.la-familia-grande.de/keys/92e27b15.txt


Re: pcre matching

2015-08-18 Thread Bill Cole

On 18 Aug 2015, at 11:43, Nicolás wrote:

> If you plan blocking incoming e-mails based on the "From" header, 
> probably check_sender_access is more suitable in this case:


This is incorrect.  check_sender_access does not operate on any header, 
it operates on the SMTP envelope sender address.


Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Tom Browder
On Sun, Aug 16, 2015 at 12:23 PM, Viktor Dukhovni
 wrote:
> On Sun, Aug 16, 2015 at 11:44:03AM -0500, Tom Browder wrote:
>> Okay, then I guess I should pick one of the virtual hosts as the domain
>> name and add some arbitrary host then. Does that mean it is then a "real"
>> server and should not be treated as a virtual domain?
>
> Nothing of the sort.  Just give the machine a sensible hostname
> that will be used as its smtp_helo_name and is the sole name in
> its PTR record.

Okay, now assuming my server IP address is 1.2.3.4, do the following
DNS records appear reasonable?

# begin DNS records for IP 1.2.3.4

A.tld. IN A 1.2.3.4
B.tld. IN A 1.2.3.4

www.A.tld.  IN CNAME A.tld.
www.B.tld.  IN CNAME B.tld.
mail.B.tld.   IN CNAME B.tld.

4.3.2.1.in-addr.arpa. IN PTR A.tld.
4.3.2.1.in-addr.arpa. IN PTR B.tld.

A.tld. IN MX 10 mail.B.tld.
B.tld. IN MX 10 mail.B.tld

# end DNS records for IP 1.2.3.4

Thanks.

-Tom


Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Tom Browder
On Tue, Aug 18, 2015 at 3:58 PM, Jim Reid  wrote:
> On 18 Aug 2015, at 21:55, Tom Browder  wrote:
>> Okay, now assuming my server IP address is 1.2.3.4, do the following
>> DNS records appear reasonable?
>
> No. There should be just one PTR record for an IP address.

Okay, I assume then that this should be the only PTR record:

4.3.2.1.in-addr.arpa. IN PTR B.tld.

-Tom


Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Jim Reid

On 18 Aug 2015, at 21:55, Tom Browder  wrote:

> Okay, now assuming my server IP address is 1.2.3.4, do the following
> DNS records appear reasonable?

No. There should be just one PTR record for an IP address.



Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Jim Reid

On 18 Aug 2015, at 22:06, Tom Browder  wrote:

> Okay, I assume then that this should be the only PTR record:
> 
> 4.3.2.1.in-addr.arpa. IN PTR B.tld.

Yes. Provided of course B.tld is The One True Hostname for your server.

BTW, you will get on a lot better if your postings used the actual IP addresses 
and domain names rather than hide these behind nonsense like B.tld and 1.2.3.4. 
Obscuring this information helps nobody, especially yourself.
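Tom's draft zone above breaks both rules the thread settles on: its MX target `mail.B.tld.` is a CNAME (the RFC 2181 section 10.3 prohibition Michael quoted) and the address has two PTR records (Jim's point). The following checker is an added example, not code from the posts or from Postfix, BIND or any DNS tool; it audits a constructed copy of Tom's records against those two rules, plus the forward-confirmation check that the PTR name's A record is the same address. Records are `(owner, type, rdata)` tuples resolved only against the in-memory list, so nothing touches live DNS; the "corrected" zone is likewise constructed, keeping B.tld as the one hostname in the PTR and giving `mail.B.tld.` its own A record instead of a CNAME.

```python
"""Added example (not from the thread, not Postfix/BIND code): a checker for
the DNS rules the thread converges on, run over a constructed copy of Tom's
proposed records for IP 1.2.3.4.

  Rule 1 (RFC 2181 s10.3, quoted by Michael): an MX target must not be an
         alias; it must own an A/AAAA record directly, not a CNAME.
  Rule 2 (Jim Reid): exactly one PTR record per IP address, and that name
         should resolve back to the address (forward-confirmed rDNS).

Assumption: records are (owner, type, rdata) tuples resolved only against
this in-memory list; nothing is looked up in live DNS."""
from collections import defaultdict


def fqdn(name):
    """Normalise a name: lower-case with a trailing dot. Tom's last MX line
    lacks the dot, and 'mail.B.tld' and 'mail.B.tld.' would otherwise differ."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def index_by_owner(records):
    idx = defaultdict(list)
    for owner, rtype, rdata in records:
        idx[fqdn(owner)].append((rtype.upper(), rdata))
    return idx


def check_mx_targets(records):
    """Rule 1: MX records whose target is a CNAME or has no address record."""
    idx = index_by_owner(records)
    problems = []
    for owner, rtype, rdata in records:
        if rtype.upper() != "MX":
            continue
        _pref, target = rdata.split()
        types = {t for t, _ in idx.get(fqdn(target), [])}
        if "CNAME" in types:
            problems.append(f"{fqdn(owner)} MX target {fqdn(target)} is a CNAME")
        elif not types & {"A", "AAAA"}:
            problems.append(f"{fqdn(owner)} MX target {fqdn(target)} has no A/AAAA")
    return problems


def reverse_name(ipv4):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."


def check_ptr(records, ipv4):
    """Rule 2: exactly one PTR for the address, naming a host whose A record
    is that address. Returns a list of problems (empty when fine)."""
    idx = index_by_owner(records)
    rev = reverse_name(ipv4)
    ptr_names = [fqdn(rd) for t, rd in idx.get(rev, []) if t == "PTR"]
    problems = []
    if len(ptr_names) != 1:
        problems.append(f"{rev} has {len(ptr_names)} PTR records, expected 1")
    for name in ptr_names:
        addrs = {rd for t, rd in idx.get(name, []) if t == "A"}
        if ipv4 not in addrs:
            problems.append(f"PTR target {name} does not resolve back to {ipv4}")
    return problems


# Constructed copy of the records Tom posted (unchanged apart from layout).
PROPOSED = [
    ("A.tld.", "A", "1.2.3.4"),
    ("B.tld.", "A", "1.2.3.4"),
    ("www.A.tld.", "CNAME", "A.tld."),
    ("www.B.tld.", "CNAME", "B.tld."),
    ("mail.B.tld.", "CNAME", "B.tld."),            # alias used as the MX target
    ("4.3.2.1.in-addr.arpa.", "PTR", "A.tld."),
    ("4.3.2.1.in-addr.arpa.", "PTR", "B.tld."),    # second PTR for the same IP
    ("A.tld.", "MX", "10 mail.B.tld."),
    ("B.tld.", "MX", "10 mail.B.tld"),
]

# The same zone after both corrections (constructed for this example).
CORRECTED = [
    ("A.tld.", "A", "1.2.3.4"),
    ("B.tld.", "A", "1.2.3.4"),
    ("www.A.tld.", "CNAME", "A.tld."),
    ("www.B.tld.", "CNAME", "B.tld."),
    ("mail.B.tld.", "A", "1.2.3.4"),               # MX target now owns an A record
    ("4.3.2.1.in-addr.arpa.", "PTR", "B.tld."),    # the one hostname for the IP
    ("A.tld.", "MX", "10 mail.B.tld."),
    ("B.tld.", "MX", "10 mail.B.tld."),
]


def audit(records, ipv4="1.2.3.4"):
    """All problems found in a zone; an empty list means it passes both rules."""
    return check_mx_targets(records) + check_ptr(records, ipv4)


if __name__ == "__main__":
    for label, zone in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(f"{label}: {audit(zone) or ['ok']}")
```

On the proposed zone the audit reports three problems (both MX records point at a CNAME, and the reverse name carries two PTRs); the corrected zone passes. The same checks can be run against a real zone by filling the list from `dig` output, with the caveat that the forward-confirmation step here only considers A records, not AAAA.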



Re: Postfix and Mailman 2 virtual alias domain integration

2015-08-18 Thread Tom Browder
On Tue, Aug 18, 2015 at 4:22 PM, Jim Reid  wrote:
>
> On 18 Aug 2015, at 22:06, Tom Browder  wrote:
>
>> Okay, I assume then that this should be the only PTR record:
>>
>> 4.3.2.1.in-addr.arpa. IN PTR B.tld.
>
> Yes. Provided of course B.tld is The One True Hostname for your server.

It is!

> BTW, you will get on a lot better if your postings used the actual
> IP addresses and domain names rather than hide these behind
> nonsense like B.tld and 1.2.3.4. Obscuring this information
> helps nobody, especially yourself.

Good point, but I'm not trying to obscure anything.  I am using the
"nonsense" names because I'm trying to emphasize the generality of the
solution to a very common setup for many users.  The chosen IP of
1.2.3.4 is easy to type and is easy to see when it's been reversed.

If anyone is interested, my current IP address which I use for all my
domains is 142.54.186.2 but I don't have a working mail server there
yet (I'm in the process of transferring it from my old server and want
to have a more robust setup than before--this is all prep work).

Thanks for all the help, Jim.  I'm sure I'll be back later for more
help on tightening up my mail server's security.

Best regards,

-Tom


Restricting what Groups can send mail to off-site destinations

2015-08-18 Thread Ashish Yadav
Hi,

I have been able to implement feature in the Postfix server so that I can
allow specific group of people to send emails outside the local domain like
gmail.com and other users can not.

My Server's information is given below,

OS - Debian Wheezy
Postfix server version is 2.9.6-2

I have tried below links for implementing above feature but without any
luck,




After that I have also searched through the forums to get some help but that
thing also did not work for me.

<
http://postfix.1071664.n5.nabble.com/How-can-I-restrict-some-specific-users-from-sending-email-to-external-domains-td58385.html
>

<
http://serverfault.com/questions/234335/how-can-i-set-up-postfix-so-that-all-email-sent-on-my-dev-box-gets-routed-to-the/234347#234347
>

Every time the restricted user was able to send the email to outside domain
like gmail.com although after not giving that user access to do so.

Please tell me what I am missing in the above procedure.

--Regards
Ashishkumar S. Yadav


Re: Folder permissions problem, /var/spool/postfix/private

2015-08-18 Thread Robert Senger
Okay, thanks to all. I moved the milter sockets away from the private/
folder to var/run//.sock, and everything works now with
the correct permissions after "postfix set-permissions".

Robert


On Tuesday, 18.08.2015, 13:41 +0200, Robert Senger wrote:
> Hi all,
> 
> I just upgraded a server from Debian Wheezy to Jessie, and moved the
> system partition to a new, bigger harddisk. Now I am having trouble with
> the permissions of the /var/spool/postfix/private folder.
> 
> As far as I can see all folder permissions throughout the whole system
> are the same as before on the old harddisk, including postfix's private
> directory.
> 
> Despite this fact, all milter services that create/use sockets within
> the /var/spool/postfix/private folder (OpenDKIM, OpenDMARC, postgrey,
> SPF) refuse to start, complaining they cannot create/write their socket
> in the private folder.
> 
> I already checked all the folder permissions, ran "postfix
> set-permissions" and "postfix check", without success.
> 
> To get the milters working, I need to set the private folders's
> permissions to 777, which is certainly not what we want for a private
> folder...
> 
> Running "postfix set-permissions" resets the permissions to 700, but
> then the milters fail.
> 
> Any idea what can be wrong here? Thanks!
> 
> Cheers,
> 
> Robert
> 
> 

-- 
Robert Senger