message_size_limit versus prepended header

2015-10-30 Thread Jeroen Scheerder
L.S.,

I ran into a little something.  I have separated my main smtp service (tcp/25) 
and smtps/submission services (tcp/465, tcp/587).
The smtps/submission services have a few extra virtual aliases, but they also 
(don't ask) add a header:

% cat on2it-header-checks
/^Received:/i PREPEND X-ON2IT-Claimer: This message may contain confidential or privileged information.

(Since you probably do wonder anyway, this is how I preemptively struck out
against having to insert foolish disclaimers into message bodies.)

My message_size_limit is set:

message_size_limit = 1024

The main smtp as well as the smtps/submission services report that size after 
the EHLO:

250-SIZE 1024

Sane clients respect that size limit and refuse to send messages exceeding it.  
But since the message size will grow (by 82 bytes) after prepending a header, 
it is entirely possible that this will push a message slightly below the limit 
over the edge.  Such a message will get sent by the client, only to receive a 
"5.3.4 Error: message file too big" (and the cleanup process logs "queue file 
size limit exceeded").

This has two disadvantageous consequences:

a) Clients send (large) messages in vain
b) Some clients handle the SMTP error poorly (we've seen this mainly 
for Android phones)

This got me thinking.  Would it be possible to have

message_size_limit = 1024

but have my smtps/submission services announce slightly less:

250-SIZE 10239918

?

It's icing on the cake, I know, but is this at all doable?

Regards, Jeroen

 Snip 

My config (main/master) is:

% echo "## main.cf ##"; postconf -n; echo "## master.cf ##"; postconf -P
## main.cf ##
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
lmtp_header_checks =
lmtp_mime_header_checks =
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
msa_alias_maps = btree:/usr/local/etc/postfix/on2it-aliases-override 
btree:/usr/local/etc/postfix/on2it-aliases-users 
btree:/usr/local/etc/postfix/on2it-aliases-public 
btree:/usr/local/etc/postfix/on2it-aliases-private 
pcre:/usr/local/etc/postfix/on2it-regex-aliases
msa_body_checks =
msa_cleanup_service_name = msa_cleanup
msa_header_checks = pcre://usr/local/etc/postfix/on2it-header-checks
mydomain = on2it.net
mynetworks = localhost,172.18.8.0/24,172.22.8.0/24
mynetworks_style = host
myorigin = on2it.net
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relayhost = smarthost.on2it.net
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_header_checks = $header_checks
smtp_mime_header_checks = $header_checks
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated 
reject_unauth_destination reject_unknown_recipient_domain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_service = smtp, lmtp
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/mail.on2it.net.crt
smtpd_tls_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD, SRP, 3DES, eNULL
smtpd_tls_key_file = /usr/local/etc/postfix/private/mail.on2it.net.key
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, ADH, RC4, PSD, SRP, 
3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
soft_bounce = no
transport_maps = btree:/usr/local/etc/postfix/on2it-discard 
btree:/usr/local/etc/postfix/on2it-transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = btree:/usr/local/etc/postfix/on2it-aliases-override 
btree:/usr/local/etc/postfix/on2it-aliases-users 
btree:/usr/local/etc/postfix/on2it-aliases-public 
pcre:/usr/local/etc/postfix/on2it-regex-aliases
virtual_mailbox_domains = on2it.net, on2it.nl, on2it.be, on2it.de
virtual_mailbox_maps = $virtual_alias_maps
virtual_transport = lmtp:unix:private/dovecot-lmtp
## master.cf ##
msa_cleanup/unix/body_checks = $msa_body_checks
msa_cleanup/unix/header_checks = $msa_header_checks
msa_cleanup/unix/virtual_alias_maps = $msa_alias_maps
submission/inet/cleanup_service_name = $msa_cleanup_service_name
submission/inet/smtpd_recipient_restrictions =
submissi

Re: message_size_limit versus prepended header

2015-10-30 Thread martijn.list
On 10/30/2015 10:04 AM, Jeroen Scheerder wrote:
> L.S.,
> 
> I ran into a little something.  I have separated my main smtp service 
> (tcp/25) and smtps/submission services (tcp/465, tcp/587).
> The smtps/submission services have a few extra virtual aliases, but they also 
> (don't ask) add a header:
> 
>   % cat on2it-header-checks
>   /^Received:/i PREPEND X-ON2IT-Claimer: This message may contain confidential or privileged information.
> 
>   (Since you probably do wonder anyway, this is how I preemptively struck out
> against having to insert foolish disclaimers into message bodies.)
> 
> My message_size_limit is set:
> 
>   message_size_limit = 1024
> 
> The main smtp as well as the smtps/submission services report that size after 
> the EHLO:
> 
>   250-SIZE 1024
> 
> Sane clients respect that size limit and refuse to send messages exceeding 
> it.  But since the message size will grow (by 82 bytes) after prepending a 
> header, it is entirely possible that this will push a message slightly below 
> the limit over the edge.  Such a message will get sent by the client, only to 
> receive a "5.3.4 Error: message file too big" (and the cleanup process logs 
> "queue file size limit exceeded").
> 
> This has two disadvantageous consequences:
> 
>   a) Clients send (large) messages in vain
>   b) Some clients handle the SMTP error poorly (we've seen this mainly 
> for Android phones)
> 
> This got me thinking.  Would it be possible to have
> 
>   message_size_limit = 1024
> 
> but have my smtps/submission services announce slightly less:
> 
>   250-SIZE 10239918

I think you can override the message size limit for the submission port
in master.cf:

submission inet  n   -   -   -   -   smtpd
 -o message_size_limit=10239918

Kind regards,

Martijn Brinkers

-- 
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail


Re: message_size_limit versus prepended header

2015-10-30 Thread Wietse Venema
martijn.list:
> > This got me thinking.  Would it be possible to have
> > 
> > message_size_limit = 1024
> > 
> > but have my smtps/submission services announce slightly less:
> > 
> > 250-SIZE 10239918
> 
> I think you can override the message size limit for the submission port
> in master.cf:
> 
> submission inet  n   -   -   -   -   smtpd
>  -o message_size_limit=10239918

Correct. You want main.cf message_size_limit to be larger than
"smtpd -o message_size_limit". But you need more than 82 bytes
difference if you want to be precise.

The Postfix message size limit is the size of the queue file. This
includes storage for the envelope sender, envelope recipient, and
some other metadata such as the arrival time, delay warning time,
content filter, and so on.  That adds some 600 bytes of overhead
depending on the number of recipients and the length of email
addresses.

Wietse


Re: message_size_limit versus prepended header

2015-10-30 Thread martijn.list
On 10/30/2015 12:56 PM, Jeroen Scheerder wrote:
> Quoth Jeroen Scheerder (30 Oct 2015, 12:46):
> 
>> That would result in a
>> 
>> 250-SIZE 1024
>> 
>> helo message, *and* a true size limit of 10239918.
> 
> I obviously omitted the evident edit.  I had meant to write:
> 
> "That would result in a
> 
> 250-SIZE 10239918
> 
> helo message, *and* a true size limit of 10239918."

I probably misunderstand your requirements but is this not what you
want? You want to accept the message and make sure the message is not
refused later on because Postfix added some extra information (headers
etc.). Then the true message size limit for submission should be less
than the global message size limit. You need to make sure that the
message size limit reported by the submission port is small enough to
allow any overhead added by postfix (like the added headers).

Kind regards,

Martijn Brinkers


> 
> Wietse's warning about extra metadata adds to this issue.  I'd like to
> prevent clients from sending in messages that will certainly fail to
> be accepted, because they will bump onto size limits a few steps
> further (cleanup).  It's not just my little header, the additional
> 600 bytes of extra bookkeeping should also be subtracted from the
> message_size_limit in the "250-SIZE" banner line.
> 
> But that "250-SIZE" just reports the configured message_size_limit.
> If I'm correct in interpreting Wietse's remark correctly, a message
> within 600 bytes of the size reported in "250-SIZE" will exceed
> message_size_limit, making cleanup fail and eventually resulting in a
> rejected message and a failure notice to the client.  My little
> header just exacerbates this situation, making it happen 82 bytes
> earlier.
> 
> 
> Regards, Jeroen.
> 


-- 
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail


Re: message_size_limit versus prepended header

2015-10-30 Thread Wietse Venema
martijn.list:
> On 10/30/2015 12:56 PM, Jeroen Scheerder wrote:
> > Quoth Jeroen Scheerder (30 Oct 2015, 12:46):
> > 
> >> That would result in a
> >> 
> >> 250-SIZE 1024
> >> 
> >> helo message, *and* a true size limit of 10239918.
> > 
> > I obviously omitted the evident edit.  I had meant to write:
> > 
> > "That would result in a
> > 
> > 250-SIZE 10239918
> > 
> > helo message, *and* a true size limit of 10239918."
> 
> I probably misunderstand your requirements but is this not what you
> want? You want to accept the message and make sure the message is not
> refused later on because Postfix added some extra information (headers
> etc.). Then the true message size limit for submission should be less
> than the global message size limit. You need to make sure that the
> message size limit reported by the submission port is small enough to
> allow any overhead added by postfix (like the added headers).

To be safe, have the (submission) smtpd process announce a size limit
that is a few kbytes under the Postfix global size limit.

Wietse
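
The headroom advice above as a runnable check. This is an added example, not part of any poster's message and not Postfix code. It assumes a simple additive model (announced SIZE plus prepended header bytes plus the roughly 600 bytes of queue-file metadata mentioned in the thread); the function names, the 10240000 global limit and the sample master.cf lines are constructed for illustration.

```python
import re

# Constructed sample inputs (not copied from anyone's real configuration).
MAIN_CF_LIMIT = 10240000  # assumed main.cf message_size_limit

MASTER_CF = """\
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o message_size_limit=10239918
submission inet  n  -  -  -  -  smtpd
  -o message_size_limit=10235904
"""

HEADER_CHECKS = """\
# constructed copy of the PREPEND rule quoted in the thread
/^Received:/i PREPEND X-ON2IT-Claimer: This message may contain
 confidential or privileged information.
"""


def logical_lines(text):
    """Join Postfix-style continuation lines; skip blank lines and # comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += raw.rstrip()   # a line starting with whitespace continues the previous one
        else:
            out.append(raw.rstrip())
    return out


def prepend_bytes(header_checks):
    """Bytes added each time a PREPEND rule fires: header text plus one line terminator."""
    total = 0
    for line in logical_lines(header_checks):
        m = re.match(r"(/.*/[A-Za-z]*)\s+PREPEND\s+(.+)$", line, re.I)
        if m:
            total += len(m.group(2).encode()) + 1
    return total


def smtpd_limits(master_cf, main_cf_limit):
    """Map each smtpd service to the SIZE it announces: its -o override, else main.cf."""
    limits = {}
    for line in logical_lines(master_cf):
        fields = line.split()
        # master.cf columns: name type private unpriv chroot wakeup maxproc command
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        m = re.search(r"-o\s+message_size_limit\s*=\s*(\d+)", line)
        limits[fields[0]] = int(m.group(1)) if m else main_cf_limit
    return limits


def headroom_report(main_cf_limit, master_cf, header_checks,
                    metadata=600, prepend_hits=1):
    """Worst-case queue file size for a message exactly at each announced SIZE.

    metadata: envelope/bookkeeping estimate from the thread (varies with recipients).
    prepend_hits: how many headers are assumed to match the PREPEND pattern.
    """
    added = prepend_bytes(header_checks) * prepend_hits + metadata
    report = {}
    for svc, announced in smtpd_limits(master_cf, main_cf_limit).items():
        worst = announced + added
        report[svc] = {"announced": announced,
                       "worst_case": worst,
                       "fits": worst <= main_cf_limit}
    return report


if __name__ == "__main__":
    for svc, row in headroom_report(MAIN_CF_LIMIT, MASTER_CF, HEADER_CHECKS).items():
        print(svc, row)
```

With these inputs the 82-byte reduction on smtps still overshoots the global limit once metadata is counted, while the submission service, announcing 4096 bytes less than the global limit, stays under it.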


Re: Postfix tls error

2015-10-30 Thread Wietse Venema
hyndavirap...@bel.co.example:
> 1. error log before adding "smtp_tls_CAfile" param is as follows
> 

I replaced the top-level domain name for privacy reasons.

> postfix/smtp[3525]: certificate verification failed for
> 201.123.80.173[201.123.80.173]:25: untrusted issuer
> /C=EXAMPLE/ST=karnataka/L=bangalore/O=bel/OU=crl/CN=MilitaryMessagingCA/emailAddress=ca_ad...@bel.co.example

The certificate could not be verified because an issuer in the
trust chain was not known.

> postfix/smtp[3525]: 804E8232A0: to=,
> relay=201.123.80.173[201.123.80.173]:25, delay=10, delays=0.13/0.01/10/0,
> dsn=4.7.5, status=deferred (Server certificate not trusted)

You require certificate verification, and thus mail is deferred.

> 2. Error log after adding  following param
> 
> smtp_tls_CAfile = /root/hyndavi/CA_cert.pem
> 
> postfix/smtp[6891]: 17A3F232B1: to=,
> relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> dsn=4.7.5, status=deferred (Server certificate not verified)

Now it knows the issuer, but the name in the certificate does not
match what Postfix expected. The default is to match the next-hop
domain but you can change that per-destination in smtp_tls_policy_maps
with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Wietse


Re: Postfix tls error

2015-10-30 Thread Viktor Dukhovni
On Fri, Oct 30, 2015 at 09:20:05AM -0400, Wietse Venema wrote:

> > postfix/smtp[6891]: 17A3F232B1: to=,
> > relay=201.123.80.173[201.123.80.173]:25, delay=337, delays=327/0.02/10/0,
> > dsn=4.7.5, status=deferred (Server certificate not verified)
> 
> Now it knows the issuer, but the name in the certificate does not
> match what Postfix expected. The default is to match the next-hop
> domain but you can change that per-destination in smtp_tls_policy_maps
> with the "match=" attribute, or globally with smtp_tls_secure_cert_match.

Note that with a nexthop relay of [201.123.80.173], default matching
the relay hostname won't work either.  If the recipient domain does
not appear in the peer certificate, then an explicit "match=..."
in the destination policy MUST be specified to match this SMTP server.

-- 
Viktor.


What is needed build postfix for /usr/local (not default location) or do I need to?

2015-10-30 Thread Robert Chalmers

I have postfix built with the standard configuration it comes with, well, 
everything that is is installed in the “default” places on my Mac. OSX 10.11
Trouble is, that’s the same place that Apple put their own Postfix build. Which 
is not the same as mine, so with every major OS upgrade, I have to rebuild and 
reinstall my own version of postfix. Not a big deal, but a nuisance.

So I figure if I put it all under /usr/local for example ...
and run from there, it won’t get overwritten.

So normally one puts such things in to the .make configuration..

So reading the docs if I do this.

|parameter name       |new location               |
|---------------------|---------------------------|
|command_directory    |/usr/local/sbin            |
|config_directory     |/usr/local/etc/postfix     |
|default_database_type|                           |
|daemon_directory     |/usr/local/libexec/postfix |
|data_directory       |/var/local/lib/postfix     |
|html_directory       |                           |
|mail_spool_directory |/var/mail                  |
|mailq_path           |/usr/local/bin/mailq       |
|manpage_directory    |/usr/local/man             |
|meta_directory       |/usr/local/etc/postfix     |
|newaliases_path      |/usr/local/bin/newaliases  |
|queue_directory      |/var/spool/postfix         |
|readme_directory     |                           |
|sendmail_path        |/usr/local/sbin/sendmail   |
|shlib_directory      |/usr/local/lib/postfix     |


I’ll either end up with a broken install, or it will work.

Or the other option, is to move the binaries to a new location 
(command_directory) and point to it in both the plist start up and in the 
main.cf by setting the correct parameter.

The OS updates only replace the binaries - it doesn’t seem to mess with the 
configs. So maybe I only need to move the binaries?

Anyone have any experience with this?
thanks



Robert Chalmers
rob...@chalmers.com .au  Quantum Radio: 
http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB 
Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower 
Bay





build postfix for /usr/local - Solved I think

2015-10-30 Thread Robert Chalmers
#
# Start of summary of user-configurable 'make makefiles' options.
# CCARGS=-DHAS_MYSQL -I/usr/local/include/mysql -DUSE_TLS -DUSE_SASL_AUTH 
-DUSE_CYRUS_SASL -I/opt/local/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" 
-DHAS_PCRE -I/opt/local/include
# AUXLIBS=-L/opt/local/lib -lsasl2 -lssl -lcrypto -licuuc
# AUXLIBS_PCRE=-L/opt/local/lib -lpcre
# AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm
# shared=
# dynamicmaps=yes
# pie=
# command_directory=/usr/local/sbin
# config_directory=/usr/local/etc/postfix
# daemon_directory=/usr/local/libexec/postfix
# mailq_path=/usr/local/bin/mailq
# meta_directory=/usr/local/etc/postfix
# newaliases_path=/usr/local/bin/newaliases
# sendmail_path=/usr/local/sbin/sendmail
# shlib_directory=/usr/local/lib/postfix
# End of summary of user-configurable 'make makefiles' options.
#———


Robert Chalmers
rob...@chalmers.com .au  Quantum Radio: 
http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB 
Storage made up of - 
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower 
Bay





Re: build postfix for /usr/local - Solved I think

2015-10-30 Thread Wietse Venema
Robert Chalmers:
> #
> # Start of summary of user-configurable 'make makefiles' options.
> # CCARGS=-DHAS_MYSQL -I/usr/local/include/mysql -DUSE_TLS -DUSE_SASL_AUTH 
> -DUSE_CYRUS_SASL -I/opt/local/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" 
> -DHAS_PCRE -I/opt/local/include

You need to specify DEF_CONFIG_DIR (using the syntax in the INSTALL file)
if you want the configuration in a different location than /etc/postfix.

Wietse


RE: message_size_limit versus prepended header

2015-10-30 Thread Kevin Miller
One other consideration is to remember that MIME encoding seems to cause about 
a 25% size increase, so if you report that you'll accept 10 mb (for instance) 
the practical limit for the sender is actually somewhere between a 7.5 and 8 mb 
attachment.  It may be that you want to take that into consideration for any 
messages reported back to the sender. 

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500 Registered Linux User No: 307357


-Original Message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On Behalf Of Wietse Venema
Sent: Friday, October 30, 2015 5:04 AM
To: Postfix users
Subject: Re: message_size_limit versus prepended header

martijn.list:
> On 10/30/2015 12:56 PM, Jeroen Scheerder wrote:
> > Quoth Jeroen Scheerder (30 Oct 2015, 12:46):
> > 
> >> That would result in a
> >> 
> >> 250-SIZE 1024
> >> 
> >> helo message, *and* a true size limit of 10239918.
> > 
> > I obviously omitted the evident edit.  I had meant to write:
> > 
> > "That would result in a
> > 
> > 250-SIZE 10239918
> > 
> > helo message, *and* a true size limit of 10239918."
> 
> I probably misunderstand your requirements but is this not what you 
> want? You want to accept the message and make sure the message is not 
> refused later on because Postfix added some extra information (headers 
> etc.). Then the true message size limit for submission should be less 
> than the global message size limit. You need to make sure that the 
> message size limit reported by the submission port is small enough to 
> allow any overhead added by postfix (like the added headers).

To be safe, have the (submission) smtpd process announce a size limit that is a 
few kbytes under the Postfix global size limit.

Wietse


Re: build postfix for /usr/local - Solved I think

2015-10-30 Thread Robert Chalmers
Ok, I see that it’s fairly straight forward. Just figuring out where things 
normally go when not in the default directories.

My make line is like this, where I’ve added the directory commands, as per the 
instructions, to the end of the make command;

make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL 
-I/usr/local/include/mysql -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL 
-I/opt/local/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE 
-I/opt/local/include' 'AUXLIBS=-L/opt/local/lib -lsasl2 -lssl -lcrypto -licuuc' 
'AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm' 
'AUXLIBS_PCRE=-L/opt/local/lib -lpcre' makefiles 
command_directory=/usr/local/sbin config_directory=/usr/local/etc/postfix 
meta_directory=/usr/local/etc/postfix 
daemon_directory=/usr/local/libexec/postfix mailq_path=/usr/local/bin/mailq 
newaliases_path=/usr/local/bin/newaliases 
sendmail_path=/usr/local/sbin/sendmail shlib_directory=/usr/local/lib/postfix 

Which seems to achieve the same thing as others have suggested, because the 
Makefile looks like this.


# Do not edit -- this file documents how Postfix was built for your machine.
#
# Start of summary of user-configurable 'make makefiles' options.
# CCARGS=-DHAS_MYSQL -I/usr/local/include/mysql -DUSE_TLS -DUSE_SASL_AUTH 
-DUSE_CYRUS_SASL -I/opt/local/include/sasl -DDEF_SERVER_SASL_TYPE=\"dovecot\" 
-DHAS_PCRE -I/opt/local/include
# AUXLIBS=-L/opt/local/lib -lsasl2 -lssl -lcrypto -licuuc
# AUXLIBS_PCRE=-L/opt/local/lib -lpcre
# AUXLIBS_MYSQL=-L/usr/local/lib -lmysqlclient -lz -lm
# shared=
# dynamicmaps=yes
# pie=
# command_directory=/usr/local/sbin
# config_directory=/usr/local/etc/postfix
# daemon_directory=/usr/local/libexec/postfix
# mailq_path=/usr/local/bin/mailq
# meta_directory=/usr/local/etc/postfix
# newaliases_path=/usr/local/bin/newaliases
# sendmail_path=/usr/local/sbin/sendmail
# shlib_directory=/usr/local/lib/postfix
# End of summary of user-configurable 'make makefiles' options.
#--
# System-dependent settings and compiler/linker overrides.
SYSTYPE = MACOSX
_AR = ar
ARFL= rv
_RANLIB = ranlib
SYSLIBS = -L/opt/local/lib -lsasl2 -lssl -lcrypto -licuuc -flat_namespace 
-lresolv
AUXLIBS_MYSQL = -L/usr/local/lib -lmysqlclient -lz -lm
AUXLIBS_PCRE = -L/opt/local/lib -lpcre
CC  = cc -I. -I../../include -DHAS_MYSQL -I/usr/local/include/mysql 
-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/opt/local/include/sasl 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/opt/local/include 
-DBIND_8_COMPAT -DNO_NETINFO -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" 
-DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_META_DIR=\"/usr/local/etc/postfix\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" 
-DDEF_SHLIB_DIR=\"/usr/local/lib/postfix\" -DUSE_DYNAMIC_LIBS 
-DUSE_DYNAMIC_MAPS $(WARN)
OPT = -O
DEBUG   = -g
AWK = awk
STRCASE =
EXPORT  = CCARGS='-I. -I../../include -DHAS_MYSQL -I/usr/local/include/mysql 
-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/opt/local/include/sasl 
-DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/opt/local/include 
-DBIND_8_COMPAT -DNO_NETINFO -DRESOLVE_H_NEEDS_ARPA_NAMESER_COMPAT_H -DNO_EAI 
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" 
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" 
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" 
-DDEF_MAILQ_PATH=\"/usr/local/bin/mailq\" 
-DDEF_META_DIR=\"/usr/local/etc/postfix\" 
-DDEF_NEWALIAS_PATH=\"/usr/local/bin/newaliases\" 
-DDEF_SENDMAIL_PATH=\"/usr/local/sbin/sendmail\" 
-DDEF_SHLIB_DIR=\"/usr/local/lib/postfix\" -DUSE_DYNAMIC_LIBS 
-DUSE_DYNAMIC_MAPS' OPT='-O' DEBUG='-g'
WARN= -Wall -Wno-comment -Wformat -Wimplicit -Wmissing-prototypes \
-Wparentheses -Wstrict-prototypes -Wswitch -Wuninitialized \
-Wunused -Wno-missing-braces
DEFINED_MAP_TYPES = mysql pcre
MAKE_FIX =
# Switch between Postfix static and dynamically-linked libraries.
AR  = :
RANLIB  = :
LIB_PREFIX = postfix-
LIB_SUFFIX = .dylib
SHLIB_CFLAGS = -fPIC
"Makefile" 229L, 9536C


So, problem solved I think.

Make works ok. Just haven’t done a make install yet. That’s for tomorrow…

Thanks folks






> On 30 Oct 2015, at 16:10, Wietse Venema  wrote:
> 
> Robert Chalmers:
>> #
>> # Start of summary of user-configurable 'make makefiles' options.
>> # CCARGS=-DHAS_MYSQL -I/usr/local/include/mysql -DUSE_TLS -DUSE_SASL_AUTH 
>> -DUSE_CYRUS_SASL -I/opt/local/include/sasl 
>> -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/opt/local/include
> 
> You need to specify DEF_CONFIG_DIR (using the syntax in the INSTALL file)
> if you want the configuration in a different location than /etc/postfix.
> 
>   Wietse

Robert Chalmers
rob...@chalmers.com 

Configure Postfix as an email relay - but have one email address when relayed send to /dev/null

2015-10-30 Thread Keegan Jacobson
Hello,

We use Google Apps as our primary mail server, but our internal servers all
use and relay off of Postfix. Our configuration is fairly bare-bones, it
basically just lets us send mail.

What I'm trying to do - is add these servers to our load balancer, and I
want to check for availability by having the load balancer try to
successfully send email (I have seen this referenced and others have done
it, but not posted exactly how they went about configuring it).

I am looking to have the load balancer when it attempts to send an email,
when it tries to send this email account to simply have the mail go
straight to /dev/null because I am not interested in the contents of the
email or any record of it - it is being used to see if the service is
processing mail and that is it. I am curious how I would go about setting
this up, I did try my hand at working with /etc/aliases and
virtual_alias_maps to no avail (I simply must not know how to configure it
properly).

Here is what my current postconf -n looks like, and I have defaulted my
/etc/aliases file and virtual_alias_maps for the time being because I
couldn't get it to work. Thank you

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = mail.contoso.com, localhost.localdomain, localhost
myhostname = mail.contoso.com
mynetworks = 10.0.0.0/8 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = smtp-relay.gmail.com
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_restrictions = warn_if_reject check_helo_access static:reject
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes



Re: Configure Postfix as an email relay - but have one email address when relayed send to /dev/null

2015-10-30 Thread Viktor Dukhovni
On Fri, Oct 30, 2015 at 02:21:21PM -0500, Keegan Jacobson wrote:

> What I'm trying to do - is add these servers to our load balancer, and I
> want to check for availability by having the load balancer try to
> successfully send email (I have seen this referenced and others have done
> it, but not posted exactly how they went about configuring it).
> 
> I am looking to have the load balancer when it attempts to send an email,
> when it tries to send this email account to simply have the mail go
> straight to /dev/null because I am not interested in the contents of the
> email or any record of it - it is being used to see if the service is
> processing mail and that is it. I am curious how I would go about setting
> this up, I did try my hand at working with /etc/aliases and
> virtual_alias_maps to no avail (I simply must not know how to configure it
> properly).

http://www.postfix.org/discard.8.html
http://www.postfix.org/transport.5.html
http://www.postfix.org/virtual.5.html
http://www.postfix.org/postconf.5.html#transport_maps
http://www.postfix.org/postconf.5.html#virtual_alias_maps
http://www.postfix.org/postmap.1.html

transport:
    discard.invalid    discard:silently

virtual:
    smtp-pr...@example.com  smtp-probe@discard.invalid

main.cf:
    indexed = ${default_database_type}:${config_directory}/
    transport_maps = ${indexed}transport
    virtual_alias_maps = ${indexed}virtual

-- 
Viktor.


smtp banner for postfix using virtual domains

2015-10-30 Thread yahoogro...@lazygranch.xyz
Postfix 2.11.6 on freebsd 10.1
Configuration is mostly from
http://blog.iandreev.com/?p=1604

I have set up postfix as indicated in the above link. Basically
everything works. Using one of the email server verification services,
it complained about the smtp_banner not being used. I have two (at the
moment) FQDN using one virtual personal server. 

My question is simple, though I can't find an answer from an internet
search. How do I get postfix to use the proper domain name for each
virtual domain in the smtp banner?




Re: smtp banner for postfix using virtual domains

2015-10-30 Thread Viktor Dukhovni
On Fri, Oct 30, 2015 at 05:40:12PM -0700, yahoogro...@lazygranch.xyz wrote:

> My question is simple, though I can't find an answer from an internet
> search. How do I get postfix to use the proper domain name for each
> virtual domain in the smtp banner?

The answer is simply don't.  This is unnecessary and impossible
without dedicating a separate IP address to each domain.

Anything that warns you about the banner not matching the destination
domain is misguided.

-- 
Viktor.


Re: smtp banner for postfix using virtual domains

2015-10-30 Thread yahoogro...@lazygranch.xyz
On Sat, 31 Oct 2015 01:38:18 +
Viktor Dukhovni  wrote:

> On Fri, Oct 30, 2015 at 05:40:12PM -0700, yahoogro...@lazygranch.xyz
> wrote:
> 
> > My question is simple, though I can't find an answer from an
> > internet search. How do I get postfix to use the proper domain name
> > for each virtual domain in the smtp banner?
> 
> The answer is simply don't.  This is unnecessary and impossible
> without dedicating a separate IP address to each domain.
> 
> Anything that warns you about the banner not matching the destination
> domain is misguided.
> 

Well that takes care of that. BTW here is the error message:
IMAP Banner Reverse DNS Check:Failed - IMAP Banner/Greeting Does not
contain your hostname

The email checker service is
https://www.unlocktheinbox.com/
in the event the topic crops up again.

I hadn't noticed it was an imap issue, so maybe this should have
been a dovecot question. But in any event, if the banner isn't really
required, the question is answered. 

I will admit the "unlocktheinbox" service is very complete, though
prone to false positives unless you read the report carefully. (Hint:
look for the word obsolete.)

In my internet search, I ran into one document that suggested not to
use the smtp banner since it gives a clue (albeit minor in my opinion)
about the email server. You could probably learn more from a bounced
email.