Re: Postfix RPMs

[Nikolaos Milas]

On 28/12/2017 2:34 πμ, Peter wrote:


The sources are also freely available from GhettoForge if you want to
look them over.


I am building my own RPMs too, based on GhettoForge src.rpm packages.

Cheers,
Nick

Outlook 2010 smtp auth probs ?

[Voytek]

this might be off topic, I'm not sure if I have an issue with Postfix
setup - or just end user email client setup:

I have old postfix 2.1 server, migrating to new 3.x, copied over 2.1
/etc/postfix, all seemed OK till now trying to setup an Outlook 2010
client

as I don't have Outlook 2010 to hand, I've installed 2016, tested account
setup, all worked, both IMAP and 587/SMTP auth

the end user in question is remote to me, 2010 seems to have different
options than 2016 I have tested

the Outlook system is remote to me, it's possible end user screwed
something up

on Outlook, the setup for old 2.1 server and new 3.x server is supposedly
identical: SMTP 587 TLS - but I'm not there.

is there some simple Outlook option that I have overlooked ?
or is there something wrong with my server config ??

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions = reject_unknown_sender_domain,
reject_unknown_recipient_domain, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks,
check_sasl_access hash:/etc/postfix/sasl_access permit_sasl_authenticated,
reject_unauth_destination, check_policy_service inet:127.0.0.1:10040,
check_recipient_access hash:/etc/postfix/recipient_no_checks,
check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
check_helo_access hash:/etc/postfix/helo_checks, check_sender_access
hash:/etc/postfix/sender_checks, check_client_access
hash:/etc/postfix/client_checks, check_client_access
pcre:/etc/postfix/client_checks.pcre, reject_rbl_client zen.spamhaus.org,
reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender
dbl.spamhaus.org, reject_rbl_client psbl.surriel.com, reject_rbl_client
ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net,

tried with 'port 587 TLS' as well as 'port 587 SSL'

the user can use old 2.1 server, no issues, BUT, when trying to send with
2010, it fails, on the server, I see this:

(Outlook account setup test message)
Dec 29 14:27:44 geko postfix/smtpd[14089]: NOQUEUE: reject: RCPT from
d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107]: 554 5.7.1
: Client host
rejected: Access denied; from= to=
proto=ESMTP helo=

on the old 2.1 server works fine, I see this:
 14:34:08 emu postfix/qmgr[5951]: 30762185383: from=,
size=638, nrcpt=1 (queue active)
Dec 29 14:34:08 emu postfix/pipe[8733]: 30762185383:
to=, relay=dovecot, delay=0.32, delays=0.22/0.01/0/0.1,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:34:17 emu postfix/smtpd[8727]: 482B6185383:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 14:34:17 emu postfix/qmgr[5951]: 482B6185383:
from=, size=638, nrcpt=1 (queue active)
Dec 29 14:34:17 emu postfix/pipe[8733]: 482B6185383:
to=, relay=dovecot, delay=0.23, delays=0.19/0/0/0.05,
dsn=2.0.0, status=sent (delivered via dovecot service)
Dec 29 14:40:04 emu postfix/smtpd[10332]: 83EAC185383:
client=d114-75-83-107.sbr1.nsw.optusnet.com.au[114.75.83.107],
sasl_method=LOGIN, sasl_username=no...@dom.org.au
Dec 29 14:40:05 emu postfix/qmgr[5951]: 83EAC185383:
from=, size=25709, nrcpt=1 (queue active)

Re: report from google relate to failed dkim

[Poliman - Serwis]

But "signing domain" and domain in "From" will never be matched. Server has
own domain s1.domain.net. On this server are hosted few websites. These
have another domains than the server fqdn. In report from google I see fail
in dkim row but for IP of the server. I don't know why there is IP not fqdn.

2017-12-28 8:44 GMT+01:00 Dominic Raferd :

> Please bottom post on this list (and see below)
>
> On 28 December 2017 at 07:05, Poliman - Serwis  wrote:
> > For particular domain from report dkim works well. I checked it here
> > http://dkimcore.org/c/keycheck. Mails from this domain are sent by
> > s1.domain.net server. Should be dkim configured for domain name of the
> > server which corresponds to IP mentioned earlier?
> >
> > 2017-12-28 7:46 GMT+01:00 Poliman - Serwis :
> >>
> >> All is clear but how setup dmarc per IP address of the server if dmarc
> is
> >> based on spf and dkim which are based on particular domain?
> >>
> >> 2017-12-27 10:37 GMT+01:00 Dominic Raferd :
> >>>
> >>> On 27 December 2017 at 07:22, Poliman - Serwis 
> wrote:
> >>> > I configured yesterday spf, dkim, dmarc for example.com. Today I got
> >>> > report
> >>> > in xml on my mailbox. Attached. One from addresses has dkim failed -
> >>> > marked
> >>> > in orange...
>
> Setting spf should not be necessary if you are setting a dkim header
> correctly in all the outgoing emails for the domain in question.
> Indeed I would go further and say that setting an spf DNS record for
> your domain is inadvisable when testing dmarc because it can mask
> underlying dkim problems.
>
> In order to pass dmarc alignment testing, opendkim needs to insert
> into the outgoing email a dkim header with a signing domain (d=)
> matching the domain in the internal 'From:' header. The server name or
> ip that it has come from is irrelevant for dkim.
>
> If your mail passes dkim check-summing and dkim alignment when tested
> at its destination for dmarc, it will pass overall regardless of any
> spf (and vice versa).
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*